cc/td/doc/product/webscale/webcache/ce23
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Cisco Cache Software, Release 2.3.0 Commands

Cisco Cache Software, Release 2.3.0 Commands

This chapter contains an alphabetical listing of all commands of the Cisco Cache software, Release 2.3.0, for Cisco Content Engines and Cisco Cache Engines. To simplify terminology, both the Cache Engine and the Content Engine are referred to as the "CE."

authentication

To configure Terminal Access Controller Access Control System Plus (TACACS+), use the authentication global configuration command. Use the no form of the command to selectively disable options.

authentication {configuration {local enable | tacacs enable [primary]} | login {local enable | tacacs enable [primary]}}

no authentication {configuration {local enable | tacacs enable [primary]} | login {local enable | tacacs enable [primary]}}

Syntax Description

configuration

Sets authorization mode.

local enable

Enables local database for authorization.

tacacs enable

Enables TACACS+ database for authorization.

primary

(Optional.) Sets TACACS+ server authorization as a primary.

login

Sets authentication mode.

local enable

Enables local database for authentication.

tacacs enable

Enables TACACS+ database for authentication.

primary

(Optional.) Sets TACACS+ server authentication as a primary.

Defaults

Local authentication is enabled and TACACS+ authentication is disabled.

Command Modes

Global configuration

Usage Guidelines

Authentication or login is the action of identifying and validating a user. It verifies a username with the password. Authorization or configuration is the action of determining what a user is allowed to do.

Login and configuration privileges can be maintained in two databases: the local database, which resides on the CE, and the TACACS+ remote database, which resides on a remote server. The user global configuration commands or the Users GUI page provides a way to add, delete, or modify users' names, passwords, and access privileges in the local database. The TACACS+ remote database can also be used to maintain login and configuration privileges for CE administrative users. The tacacs command or the TACACS+ GUI page allows you to configure the network parameters required to access the remote database.

Login and configuration privileges can be obtained from both the local database or the TACACS+ remote database. If both databases are enabled, then both databases are queried; if the user data cannot be found in the first database queried, then the second database is tried. When the primary keyword is entered for TACACS+ login or configuration authentication (authentication login tacacs enable primary, authentication configuration tacacs enable primary), the TACACS+ database is queried first, and the local database is queried second. If TACACS+ is not designated as primary, and both local and TACACS+ are enabled, the local database is queried first. If both local and TACACS+ are disabled (no authentication), the CE verifies that both are disabled and if so, sets the CE to the default state.

By default, local authentication is enabled and TACACS+ authentication is disabled. When the TACACS+ authentication is disabled, the local authentication is automatically enabled.

Examples

This example disables local configuration authentication.

CE(config)# no authentication configuration local Local configuration authentication disabled.
Note   If local authentication is disabled and TACACS+ is not configured properly, future logins may fail.

TACACS+ Statistics

CE# show statistics authentication Authentication Statistics -------------------------------------- Number of Local Authentication: 0 Number of TACACS+ Authentication: 4 Total number of Authentication: 4 Number of Local Authorization: 0 Number of TACACS+ Authorization: 4 Total number of Authorization: 4 CE# show statistics tacacs TACACS+ Statistics ----------------- Number of access requests: 8 Number of access deny responses: 7 Number of access allow responses: 1

Related Commands

show authentication

show statistics authentication

show statistics tacacs

show tacacs

tacacs

autosense

To enable autosense on an interface, use the autosense interface configuration command. To disable this function, use the no form of this command.

autosense

no autosense

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Interface configuration

Usage Guidelines

Cisco router Ethernet interfaces do not negotiate duplex settings. If the CE is connected to a router directly with a crossover cable, the CE Ethernet interface has to be manually set to match the router interface settings. Disable autosense before configuring an Ethernet interface. When autosense is on, manual configurations are overridden. You must reboot the CE to start autosensing.

Examples

Console(config-if)# autosense Console(config-if)# no autosense

bandwidth

To configure an interface bandwidth, use the bandwidth interface configuration command. To disable this function, use the no form of this command.

bandwidth mbits

no bandwidth

Syntax Description

mbits

Bandwidth size in megabits per second (10 or 100).

Command Modes

Interface configuration

Usage Guidelines

Use this command to set the bandwidth of an interface to either 10 or 100 megabits.

Examples

Console(config-if)# bandwidth 10 Console(config-if)# no bandwidth

bypass

To enable transparent error handling and dynamic authentication bypass, and to configure static bypass lists, use the bypass command. To disable the bypass feature, use the no form of the command.

bypass {auth-traffic enable | load {enable | in-interval seconds | out-interval seconds | time-interval minutes} | static {clientipaddress {clientipaddress | any-server} | any-client  serveripaddress} | timer minutes}

no bypass {auth-traffic enable | load {enable | in-interval seconds | out-interval seconds | time-interval minutes} | static {clientipaddress {clientipaddress | any-server} | any-client  serveripaddress} | timer minutes}

Syntax Description

auth-traffic

Authenticated traffic bypass configuration.

load

Loads bypass configuration.

enable

Enables load bypass.

in-interval

Time interval that determines the rate of making eligible bypassed buckets active buckets.

out-interval

Time to wait before bypassing another active bucket.

time-interval

Time interval over which a bypassed bucket remains inactive.

seconds

Time in seconds (4-600).

minutes

Time in minutes (1-1440).

static

Adds a static entry to the bypass list.

any-server

Bypasses HTTP traffic from a specified client to any Web server.

any-client

Bypasses HTTP traffic from any client destined to a particular server.

clientipaddress

IP address of the Web client to be bypassed.

serveripaddress

IP address of the Web server to be bypassed.

timer

Sets timer for authentication bypass, in minutes.

Defaults

The default authentication bypass value is 10 minutes. The in-interval default is 60 seconds. The out-interval option default is 4 seconds. The timer-interval option default is 10 minutes.

Command Modes

Global configuration

Usage Guidelines

Bypass features are available only with WCCP Version 2. The CE can only bypass WCCP-redirected traffic, not proxy-style requests.

Authentication Bypass

Some Web sites, because of IP authentication, do not allow the CE to connect directly on behalf of the client. In order to avoid a disruption of service, the CE can use authentication bypass to generate a dynamic access list for these client-server pairs. Authentication bypass triggers are also propagated upstream and downstream in the case of hierarchical caching. When a client/server pair goes into authentication bypass, it is bypassed for a configurable amount of time, set by the timer option (10 minutes by default).

Load Bypass

If a CE becomes overwhelmed with traffic, it can use the load bypass feature to reroute the overload traffic.

When the CE is overloaded and load bypass is enabled, the CE bypasses a bucket. If the load remains too high, another bucket is bypassed, and so on until the CE can handle the load. The time interval between one bucket being bypassed and the next, is set by the out-interval option. The default is 4 seconds.

When the first bucket bypass occurs, a time interval must elapse before the CE begins to again service the bypassed buckets. The duration of this interval is set by the time-interval option. The default is 10 minutes.

When the CE begins to again service the bypassed traffic, it begins with a single bypassed bucket. If the load is serviceable, it picks up another bypassed bucket and so on. The time interval between picking up one bucket and the next is set by the in-interval option. The default is 60 seconds.

Static Bypass

The bypass static command permits traffic from specified sources to bypass the CE. The type of traffic sources are as follows:

Wildcards in either the source or the destination field are not supported.

To clear all static configuration lists, use the no form of the command.

Examples

    Console(config)# bypass static 10.1.17.1 172.10.7.52


    Console(config)# bypass static any-client 172.10.7.52


    Console(config)# bypass static 10.1.17.1 any-server

A static list of source and destination addresses helps to isolate instances of problem-causing clients and servers.

    Console# show bypass list Total number of entries in the bypass list = 5 Client IP Server IP Reason 10.1.17.1 15.1.10.6 Error Handling 10.1.24.1 128.10.2.4 Auth Traffic 10.1.24.2 128.10.2.4 Static Config 10.2.4.5 any-server Static Config any-client 178.10.45.6 Static Config
    Console# show bypass summary Cache Engine will bypass authenticated HTTP traffic. Cache Engine will bypass HTTP traffic if it is overloaded. Total number of entries in the bypass list = 5 Total number of HTTP connections bypassed = 20

Related Commands

show bypass

cache

To synchronize the cache file system (cfs) contents from memory to disk, use the cache sync EXEC command.

cache {clear [force] | reset | sync}

To clear the disk of all cached content, use the cache clear EXEC command.

Syntax Description

clear

Clears the cache.

force

Forcefully deletes all cached objects.

reset

Resets the cache.

sync

Synchronizes the cache.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

The cache clear command removes all cached contents from the currently mounted cfs volumes. Objects being read or written are removed when they cease being "busy." The equivalent to this command is the clear cache or cfs clear command.


Caution   This command is irreversible, and all cached content will be erased.

The cache clear force deletes all objects, whether busy or not, and may generate broken GIF or HTML messages for objects that were being read from the disk when the command was executed. If an object is being written to the CE disk when a cache clear force command is executed, the application stops caching that object but still delivers the object from the Web server to the client.

The cache sync command synchronizes the cache file system contents from memory to disk. Although synchronization is performed at regular intervals while the CE is operating, this command can be used to ensure all data is written to disk before you reset or turn off the CE. Synchronization can also be done using the cfs sync command.

Examples

Console# cache clear force

Related Commands

clear cache

cfs clear

cd

To change directory, use the cd EXEC command.

cd directoryname

Syntax Description

directoryname

Name of the directory.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to maneuver between directories and for file management. The directory name becomes the default prefix for all relative paths. Relative paths do not begin with a slash "/". Absolute paths begin with a slash "/".

Examples

Relative path:

Console# cd etc

Absolute path:

Console# cd /local/etc

Related Commands

dir

lls

ls

mkdir

pwd

rmdir

cfs

To manipulate the cache object file system (cfs), use the cfs EXEC command.

cfs {clear volname [force] | format volname | mount volname | reset volname | sync volname | unmount volname}

Syntax Description

clear

Deletes nonbusy objects from the specified cfs volume.

force

Forcibly deletes all objects from the specified cfs volume.

format

Erases and formats or creates a file system for caching.

mount

Mounts a cache file system.

reset

Resets (unmounts-formats-mounts) a cache file system.

sync

Synchronizes a cache file system.

unmount

Unmounts a cache file system.

volname

Volume name (for example, c0t0d0s3).

Defaults

No defaults behavior or values

Command Modes

EXEC

Usage Guidelines

Cache objects retrieved from the Web are saved and manipulated by the CE with the cache file system (cfs) on a cfs partition of the hard disk. This does not affect the dosfs partition, which saves user data, such as syslog. Cache file system objects cannot be displayed and listed like dosfs files and directories, but transaction logs can record object requests handled by the cfs.

The cfs commands are used to manage the cache object file system.

The cfs clear command deletes nonbusy objects from the specified cfs volume. A nonbusy object is an object that is not being accessed (read or written). The cfs clear command (without force) deletes all possible objects without generating a broken GIF or HTML message to the client.

The cfs clear force command deletes all objects, busy or nonbusy, and may generate broken GIF or HTML messages for objects that were being read from the disk when the command was executed. If an object is being written to the CE disk when a cfs clear force command is executed, the application stops caching that object but still delivers the object from the Web server to the client.

The cfs reset command unmounts, formats, and mounts a specified volume. Unmounting a volume can result in broken GIF or HTML messages for objects that are being read from the disk (cache hits) when the command is executed. When a cfs volume is reset, all cfs data on that volume is lost.


Note   The cfs reset command can be invoked on unmounted volumes.

The cfs format command creates the cache file system internal "dbs" for the cfs partition of the disk if the volume is unmounted. It formats the cfs partition to prepare it for a cfs mount. The cfs mount command creates and maps data structures in memory to the cfs partition.


Caution   All cached content is erased with the format command.

The cfs unmount command frees the in-memory data structures that map to the physical (disk) cfs partition.

The cfs sync command synchronizes the cache file system contents from memory to disk. Although synchronization is performed at regular intervals while the CE is running, this command can be used to ensure that all data is written to disk before you reset or turn off the CE. Synchronization can also be done with the cache sync command.

Examples

Console# cfs sync c0t0d0s3

Related Commands

show cfs

cache clear

clear cache

check

To check whether superuser accounts are password-protected, use the check EXEC command.

check superuser passwords

Syntax Description

superuser

Keyword.

passwords

Keyword.

Defaults

By default, superuser accounts are not password-protected.

Command Modes

EXEC

Usage Guidelines

This command displays whether or not the superuser account is password-protected. To configure a superuser password, from global configuration mode, use the user modify command. A superuser is defined as an administrator or user with full read and write privileges to the cache files and utilities.

Examples

Console# check superuser passwords ---------------------------------------------------------------------- All super-user accounts are password protected ----------------------------------------------------------------------

Related Commands

user modify

show user

clear

To clear the HTTP object cache, the hardware interface, statistics, transaction logs, or WCCP settings, use the clear EXEC command.

clear {bypass {all | counters | list} | cache [force] | dns-cache | interface serial number | ldap authcache | logging | statistics {all | authentication | dns-cache | ftp | history | http {all | ims | object | proxy outgoing | requests | response | savings} | https | icp {all | client | cluster | server} | ip | ldap {authcache | server {all | interface | protocol}} | radius-server | rule {action action-type {all | pattern pattern-type | all}} | running | services | tacacs | tcp | transaction-logs | url-filter websense} | transaction-log}

Syntax Description

bypass

Selects bypass clear commands.

all

Clears all bypass counters and lists.

counters

Clears all bypass counters.

list

Clears all bypass lists.

cache

Clears the HTTP object cache.

force

Forcefully deletes all cached objects.

dns-cache

Clears DNS cache.

interface

Clears the hardware interface.

serial

Serial device.

number

Serial interface number (for example, 0).

ldap authcache

Purges all the entries in the LDAP authentication cache.

logging

Clears syslog messages saved in disk file.

statistics

Clears statistics.

all

Clears all statistics.

authentication

Clears authentication statistics.

dns-cache

Clears DNS cache statistics.

ftp

Clears FTP caching statistics.

history

Clears the statistics history.

http

Clears HTTP statistics.

all

Clears all HTTP statistics.

ims

Clears HTTP IMS (if-modified-since) statistics.

object

Clears HTTP object statistics.

proxy outgoing

Clears HTTP outgoing proxy statistics.

requests

Clears HTTP requests statistics.

response

Clears HTTP response statistics.

savings

Clears HTTP savings statistics.

transaction-logs

Clears transaction-log export statistics.

https

Clears HTTPS statistics.

icp

Selects Internet Cache Protocol (ICP) statistics.

all

Clears all ICP statistics.

client

Clears ICP client statistics.

cluster

Clears ICP cluster statistics.

server

Clears ICP server statistics.

ip

Clears IP statistics.

ldap

Selects LDAP statistics.

authcache

Clears LDAP authentication cache statistics.

server

Selects LDAP server statistics.

all

Clears all LDAP statistics.

interface

Clears LDAP interface statistics.

protocol

Clears LDAP protocol statistics.

radius-server

Clears RADIUS statistics.

rule

Selects rule statistics.

action

Clears rule statistics of the specified action.

action-type

Specifies one of the following actions:

  • block

  • no-auth

  • no-cache

  • no-proxy

  • refresh

  • selective-cache

  • use-proxy

See the "rule" section for explanations of actions and patterns.

action-type all

Clears statistics of all the patterns for this action.

action-type pattern

Clears statistics of rules with specified pattern.

pattern-type

Specifies one of the following patterns:

  • domain

  • dst-ip

  • dst-port

  • src-ip

  • url-regex

See the "rule" section for explanations of patterns and actions.

all

Clears all rule statistics.

running

Clears the running statistics.

services

Clears services statistics.

tacacs

Clears TACACS+ statistics.

tcp

Clears TCP statistics.

transaction-logs

Clears transaction log export statistics.

url-filter

Selects URL filtering statistics.

websense

Clears Websense URL filtering statistics.

transaction-log

Archives working transaction log file.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

The clear cache command removes all cached contents from the currently mounted cfs volumes. Objects being read or written are removed when they cease being "busy." The equivalent to this command is the cache clear or cfs clear command.


Caution   This command is irreversible and all cached content will be erased.

The clear cache force command deletes all objects, whether busy or not, and may generate broken GIF or HTML messages for objects that were being read from the disk when the command was executed. If an object is being written to the CE disk when a clear cache force command is executed, the application stops caching that object but still delivers the object from the Web server to the client.

The clear interface command clears the statistics presented by the show interfaces command.

The clear statistics command clears all statistical counters from the parameters given. Use this command to monitor fresh statistical data for some or all features without losing cached objects or configurations.

The clear transaction-log command causes the transaction log to be archived immediately to the CE hard disk. This command has the same effect as the transaction-log force archive command.

Examples

To purge all the entries in the LDAP authentication cache, use the clear ldap authcache command.

Console# clear ldap authcache Entries removed from authcache: 1

To clear all rule statistics, use the clear statistics rule all command.

Console# clear statistics rule all

Related Commands

cache clear

cfs clear

show statistics

show interface

show ldap

show rule

show wccp

clock

To set, clear, or save the battery-backed clock functions, use the clock EXEC command.

clock {clear | save | set hh:mm:ss day month year}

Syntax Description

clear

Clears the system clock settings.

save

Saves the system clock settings.

set

Sets the system clock.

hh:mm:ss

Current Universal Coordinated Time (for example, 13:32:00).

day

Day of the month (for example, 1 to 31).

month

Current month (for example, January, February).

year

Current year (for example, 2000).

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

If you have an outside source on your network that provides time services (such as a Network Time Protocol [NTP] server), you do not need to set the system clock manually. When setting the clock, enter the local time. The CE calculates UTC based on the time zone set by the clock timezone global configuration mode command.

Two clocks exist in the system: the software clock and the hardware clock. The software uses the software clock. The hardware clock is used only at bootup to initialize the software clock.

The set keyword sets the software clock.

The save keyword writes the current value of the software clock into the hardware clock. This is used to update the hardware clock with the correct time as maintained by NTP. NTP adjusts only the software clock.

The clear keyword forces the hardware clock to zero (January 1, 1970), which ensures that the time at bootup is the NTP time or an obviously invalid time.

Examples

Console# clock set 13:32:00 01 February 2000

Related Commands Related Commands

clock timezone

show clock detail

clock timezone

To set the time zone for display purposes, use the clock timezone global configuration command. To disable this function, use the no form of this command.

clock timezone {zone hours} [minutes]

no clock timezone

Syntax Description

zone

Name of the time zone to be displayed when standard time is in effect.

hours

Hours offset from Coordinated Universal Time (UTC).

minutes

(Optional.) Minutes offset from UTC.

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

To set and display the local and UTC current time of day without an NTP server, use the clock timezone command together with the clock set command.

The clock timezone parameter specifies the difference between UTC and local time, which is set with the clock set command. The UTC and local time are displayed with the show clock detail EXEC command.

Examples

The following example specifies the local time zone as Pacific Standard Time and offsets 8 hours behind UTC:

Console(config)# clock timezone PST -8 Console(config)# no clock timezone

Related Commands Related Commands

clock

show clock detail

configure

To enter global configuration mode, use the configure EXEC command. You must be in global configuration mode to enter global configuration commands.

configure

To exit global configuration mode, use the end, Ctrl-Z, or exit commands.

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to enter global configuration mode.

Examples

Console# configure Enter configuration commands, one per line. End with CNTL/Z. Console(config)#

Related Commands Related Commands

show running-config

show startup-config

end

exit

Ctrl-Z

copy

To copy configuration or image data from a source to a destination, use the copy EXEC command.

copy {disk {flash imagename | startup-config filename} | flash {disk imagename} | running-config {disk filename | startup-config | tftp}
| startup-config {disk filename | tftp} | tech-support {disk filename | tftp} | tftp {disk | flash}}

Syntax Description

disk

Copies image or configuration from or to disk.

flash

Copies image from or to Flash memory.

running-config

Copies from current system configuration.

startup-config

Copies from or to startup configuration.

tech-support

Copies system information for technical support.

tftp

Copies image from or to TFTP server.

imagename

Image name (for example, /local/bin).

filename

Filename of configuration.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use the copy running-config startup-config command to save the configuration to NVRAM memory. This command is equivalent to the write command.

The copy flash disk imagename command copies the image from Flash memory to the disk.

The copy disk flash imagename command copies the image from the disk to Flash memory.

The copy tftp flash command copies the image from a TFTP server to Flash memory.

The copy tech-support tftp command copies technical support information to a TFTP server. You are prompted for the server address following this command.

Examples

Console# copy disk flash /local/bin

Related Commands

write

show running-config

show startup-config

cpfile

To copy one filename to another filename, use the cpfile EXEC command.

cpfile oldfilename newfilename

Syntax Description

oldfilename

Name of the old file from which to copy.

newfilename

Name of the new file to copy to.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to copy one filename to another. This command only copies dosfs files.

Examples

Console# cpfile ce500-194616.bin cd500-194618.bin

Related Commands Related Commands

copy

dir

lls

ls

mkfile

rmdir

rmname

cron

To set a cron task, use the cron global configuration command. To disable a cron task, use the no form of this command.

cron {del-tab entryid | file tabfile | save-tab | tab-entry tabentry}

no cron {del-tab entryid | file tabfile | save-tab | tab-entry tabentry}

Syntax Description

del-tab

Deletes tab.

file

Cron tab file.

save-tab

Cron save tab.

tab-entry

Cron tab entry.

entryid

Entry ID (1 to 1,000).

tabfile

Cron tab filename.

tabentry

Cron tab entry line.

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

The cron command is used to set up cron tasks.

To view your existing cron configurations, use the show cron command. For example:

Console# show cron ==CRON Configuration== CRON tab file: /local/etc/crontab Legend 1: min hr day-of-mon mon day-of-wk tclsh script-name Legend 2: min hr day-of-mon mon day-of-wk tcl tcl-cmd Sample: 0 5 * * * tclsh /local/test.tcl

Examples

Console(config)# cron sav-tab Console(config)# no cron sav-tab

Syntax Description

show cron

debug

debug

Related Commands

EXEC

Usage Guidelines

We recommend that the debug command be used only at the direction of Cisco Systems technical support personnel.

Related Commands Related Commands

no debug

show debug

undebug

del

To remove a file, use the del EXEC command.

del filename

Syntax Description

filename

Name of the file to delete.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to remove a file from any directory. Note that some files are necessary for proper functionality and should not be removed.

Examples

Console# del /local/tempfile

Related Commands RelatedCommands

cpfile

deltree

mkdir

mkfile

rmdir

deltree

To remove a directory recursively and all files that it contains, use the deltree EXEC command.

deltree directory

Syntax Description

directory

Name of the directory tree to delete.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to remove a directory and all files within the directory from the CE (dosfs file system). Do not remove necessary files or directories, such as log files or directories, for proper functionality. It may not be possible to move a log file to a new directory without losing functionality.

Examples

Console# deltree /local

Related Commands Related Commands

del

dir

To view a long list of files in a directory, use the dir EXEC command.

dir [directory]

Syntax Description

directory

(Optional.) Name of the directory to list.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to view a detailed list of files contained within the working directory, including names, sizes, and time created. The equivalent command is lls.

Examples

Console# dir /local size date time name LongName ------ --------- ----- ----------- --------------- 512 Dec-31-1987 17:02:32 ETC <DIR> etc 512 Dec-31-1987 17:02:32 TFTPBOOT <DIR> tftpboot 512 Dec-31-1987 17:02:32 VAR <DIR> var 512 Jan-07-1988 09:47:52 LIB <DIR> lib 4385154 Apr-22-1999 12:25:36 CE25.PAX ce25.pax 4 DIR(S), 1 FILE(S) 11192642 bytes 2125889536 bytes AVAILABLE ON VOLUME /c0t0d0s1

Related Commands

ls

lls

disable

To turn off privileged EXEC commands, use the disable EXEC command.

disable

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC command

Usage Guidelines

The disable command places you in EXEC mode. To turn privileged EXEC mode back on, use the enable command.

Examples

Console# disable

Related Commands Related Commans

enable

disk

To configure the CE disks, use the disk EXEC command.

disk {erase-all-partitions devname | manufacture devname | partition devname | prepare devname}

Syntax Description

erase-all-partitions

Disk initialization procedure. Erases all partitions
on disk.

manufacture

Reformats all partitions and volumes on a disk.

partition

Partitions the hard disk.

prepare

Partitions and formats volumes on a hard disk.

devname

Specifies the device name of the disk drive with the following syntax:

/cn1tn2dn3

  • n1 is the SCSI controller number. The value of n1 is always zero for CEs.

  • n2 is the target number of the disk drive (0-13). Targets 0 and 1 are the CE internal disk drives.

  • n3 is the logical unit number. The value of n3 is always zero for CE.

The device name is the same as the volume name, but the device name does not include a partition parameter (the "s" number).

Defaults

No default behavior or values

Command Modes

EXEC command

Usage Guidelines

Disk partition allocates portions of a disk for the specified file systems. The partition sizes are not user-configurable. Use the show disks command to obtain the names of installed disks.


Caution   Partitioning a disk destroys all of its contents. After partitioning, each file system must be formatted and mounted before it can be used.

Using the disk prepare command automates the preparation of a disk. This command partitions the disk and then formats and mounts all the partitions.

The disk manufacture command initializes a disk for use by the CE, and must be run on each disk before that disk is used by the CE for the first time. The disk manufacture command needs to be executed only once for each disk.


Note   The disk manufacture command is executed on each internal CE disk by Cisco Systems prior to shipping.

Cisco Storage Array Guidelines

Use the disk manufacture command to partition, format, and mount new disk drives for the Cisco Storage Array. The disk manufacture command erases the master boot record (sector 0) of the disk and sets up the disk to have partitions for the various file systems (that is, dosfs, cfs, bfs). It also formats and mounts the appropriate file system on the volumes.

Target numbers are not statically mapped to a SCSI ID or a slot number. Upon bootup, the CE SCSI driver always scans the SCSI bus in the same direction and assigns logical target numbers to disks in simple numerical sequence according to their order on the SCSI bus. The first disk drive discovered on the SCSI bus is designated target 0; the second target 1; the third target 2; and so on. Targets 0 and 1 are the CE internal disk drives.

Targets 2 through 13 are assigned to Storage Array disk drives. The leftmost hard disk inserted in a Storage Array bus is always target 2. Counting to the right, the next disk is target 3, the next disk is target 4, and so on. There can be empty slots between targets on the same bus, but this is not recommended. In a two-host, split-bus configuration, each bus is counted independently.

For example, in a split-bus, six-disk, fully populated Storage Array, bus 0 disk drive targets are 2, 3, 4, and bus 1 disk drive targets are 2, 3, 4. If the first disk on bus 1 is removed (slot 5 is empty) and the CE rebooted, bus 0 targets are still 2, 3, 4, but bus 1 targets are 2 and 3. The empty disk slot is skipped, and the target count begins with the first detected disk on bus 1.

Once a disk drive has been partitioned and formatted, it can be used in any Storage Array slot, but moving a disk drive from one slot to another makes the data it contains unusable to the CE. Power cycle the CE if the following actions occur while the Storage Array is in operation:

Examples

In the following example, cache1 and cache2 are CE 590 machines running software release 2.2.0. Refer to the Cisco Storage Array Installation and Configuration Guide for further information on configuring the Storage Array.


Note   The larger the storage capacity of the disk drive, the longer the duration of the disk manufacture routine.

In this example, six Storage Array disk drives are initialized in a single-host, joined-bus Storage Array configuration.

cache1# disk manufacture /c0t2d0 cache1# disk manufacture /c0t3d0 cache1# disk manufacture /c0t4d0 cache1# disk manufacture /c0t5d0 cache1# disk manufacture /c0t6d0 cache1# disk manufacture /c0t7d0

In the following example, cache1 is connected to the SCSI 0 connector of the Storage Array and cache2 is connected to the SCSI 1 connector.

The disks of a fully populated six-disk Storage Array are initialized in a two-host, split-bus configuration.

cache1# disk manufacture /c0t2d0 cache1# disk manufacture /c0t3d0 cache1# disk manufacture /c0t4d0 cache2# disk manufacture /c0t2d0 cache2# disk manufacture /c0t3d0 cache2# disk manufacture /c0t4d0

The disk erase-all-partitions command unmounts all the currently mounted file systems on the specified device (disk) and erases all the partitions from the master boot record (sector 0).

To create only a DOS partition on the first disk, enter the following commands:

Console# disk erase-all-partitions Console# disk partition boot

Related Commands

cfs

disk

dosfs

show disk-partitions

show disks

dns-cache

To configure the DNS cache, use the dns-cache global configuration command. To disable the DNS cache, use the no form of this command.

dns-cache size maxsize

no dns-cache size

Syntax Description

size

Sets the DNS cache size.

maxsize

Specifies maximum number of cache records (4096-65536).

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

Content size refers to the maximum number of DNS entries to be stored at one time. Domain name resolution requires that at least one DNS name server be configured with the ip name-server command. The DNS cache goes online when the ip name-server command is configured, and goes offline when the last IP name-server configuration is deleted with the no ip name-server ip-address command.

Examples

Console(config)# dns-cache enable Console(config)# dns-cache size 512 Console(config)# no dns-cache enable Console(config)# no dns-cache size

Related Commands Related Comands

ip name-server

clear dns-cache

show dns-cache

dnslookup

show statistics dns-cache

dnslookup

To resolve a host or domain name to an IP address, use the dnslookup EXEC command.

dnslookup {host | domain-name}

Syntax Description

host

Name of host on network.

domain_name

Domain name.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# dnslookup myhost official hostname: myhost.cisco.com address: 172.41.69.11 Console#dnslookup cisco.com official hostname: cisco.com address: 198.133.219.25 Console#dnslookup 41.69.11 official hostname: 41.69.11 address: 41.69.0.11

dosfs

To configure the DOS file system, use the dosfs EXEC command.

dosfs {check volname [force | verbose [force]] | format volname | label volname vol-label | mount volname {rdonly | rdwr} | repair {automatic | interactive} volname [force | verbose [force]] | sync syncdevice | unmount volname}

Syntax Description

check

Checks DOS file system.

volname

Volume name.

force

(Optional.) Forces a check or repair.

verbose

(Optional.) Prints extra messages to screen.

format

Erases and formats a file system on a disk device.

label

Sets a device volume label.

vol-label

Label of volume.

mount

Mounts a disk or volume file system.

rdonly

Mounts volume as read-only.

rdwr

Mounts volume as read-write.

repair

Checks and repairs a uvfat/DOS file system.

automatic

Automatic (not interactive) repair.

interactive

Starts a user-interactive repair.

sync

Synchronizes a disk device.

syncdevice

Absolute device name.

unmount

Unmounts a disk or volume file system.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to format and mount the DOS file systems after partitioning disks. Use this command to repair DOS file systems that are causing errors.

The default configuration has only one DOS file system. This file system is created on the first disk in the system and has a special name "/local." This file system contains various files necessary for correct functioning of the CE.

The dosfs format command formats the dosfs partition to prepare it for a dosfs mount.

The dosfs mount command creates and maps data structures that map to the physical dosfs partition on the disk.

The dosfs unmount command frees the in-memory data structures that map to the physical dosfs partition on the disk.

Examples

Console# dosfs format /local

Related Commands Relatmands

cd

copy

cpfile

del

deltree

dir

ls

mkdir

mkfile

enable

To turn on privileged commands, use the enable EXEC command.

enable

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

To return to privileged EXEC mode from user EXEC mode, use the enable command.

The disable command takes you from privileged EXEC mode back to user EXEC mode.

Examples

Console> enable Console#

Related Commands Related Commands

disable

end

To exit global configuration mode, use the end global configuration command.

end

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Usage Guidelines

Use the end command to exit global configuration mode after completing any changes to the running configuration. To save new configurations to NVRAM, use the write command.

The Ctrl-Z command also exits global configuration mode.

Command Modes

Global configuration

Examples

Console(config)# end Console#

Related Commands Related mands

exit

Ctrl-Z

error-handling

To set error-handling options, use the error-handling global configuration command.

error-handling {reset-connection | send-cache-error | transparent}

Syntax Description

reset-connection

Resets TCP connection without specifying any error.

send-cache-error

Sends CE error.

transparent

Makes the CE transparent to the client.

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

With the transparent option enabled, end users can receive browser-generated messages rather than a CE-generated HTML page for errors that the CE encounters while processing a client request or response. Thus, the CE remains transparent (invisible) to the end user.

Transparent error reporting is implemented as follows:

To make the source of the error messages transparent to the user, the client/server pair is added to the bypass list and an HTTP redirect message is sent to the client, requesting the client to redirect the request to the same URL as before. The client, on receiving the redirect message, sends back the request once again. This time, the request is bypassed by the CE because the client/server pair is on the bypass list. The request now goes to the server directly. Since the connection was not accepted by the CE, any timeout error, failure to connect to the server, or mangled response from the server is handled by the browser. Currently all entries on the bypass list are kept for a configurable period of time (for example, 5 minutes).

When an internal failure in the CE occurs while it is processing a request, a reset is sent back to the client and the connection is closed. This is because memory is needed to add the client/server pair to the bypass list. When a browser receives a connection reset, it pops up a "Connection Reset By Peer" alert box.

For all error conditions, the CE sends back a reset and closes the connection. It does not send back any error pages. All errors seen by the clients are in the familiar browser error format.

The CE sends back HTML error pages. When clients are using the CE as an incoming proxy server, they will receive the HTML error pages generated by the clients.

Examples

Console# error-handling transparent

exception debug

We recommend that the exception debug command be used only at the direction of Cisco Systems technical support personnel.

Command Modes

Global configuration

exec-timeout

To configure the length of time that an inactive terminal session window will remain open, use the exec-timeout global configuration command. To disable the exec timeout, use the no form of this command.

exec-timeout timeout

no exec-timeout

Syntax Description

timeout

Timeout in minutes (0 to 44,640).

Defaults

The default is 150 minutes.

Command Modes

Global configuration

Syntax Description Usage Guidlines

Use this command to establish the length of time, in minutes, that an inactive terminal session window will remain open.

Examples

Console(config)# exec-timeout 100 Console(config)# no exec-timeout

exit

To exit any configuration mode or close an active terminal session and terminate an EXEC mode session, use the exit EXEC command.

exit

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC, global, and interface configuration

Usage Guidelines

Use the exit command in global configuration mode to return to EXEC mode. You can also press Ctrl-Z or use the end command from any configuration mode to return to EXEC mode.

Use the exit command in EXEC command mode to close an active terminal session and terminate the EXEC mode session.

Examples

Console# exit

Related Commands Relateands

end

ftp

Use the ftp global configuration command to configure FTP caching services on the CE. Use the no form of the command to selectively disable options.

ftp {age-multiplier directory-listing dl_time file fo_time | max-ttl {days directory-listing dlmax_days file fmax_days | hours directory-listing dlmax_hours file fmax_hours | minutes directory-listing dlmax_ min file fmax_min | seconds directory-listing dlmax_ sec file fmax_sec} | min-ttl min_minutes | object max-size size | proxy {anonymous-pswd passwd | incoming port | outgoing host {hostname | ipaddress} port | reval-each-request {all | directory-listing | none} | serve-ims directory-listing age_percent file age_percent}

no ftp {age-multiplier directory-listing dl_time file fo_time | max-ttl {days directory-listing dlmax_days file fmax_days | hours directory-listing dlmax_hours file fmax_hours | minutes directory-listing dlmax_ min file fmax_min | seconds directory-listing dlmax_ sec file fmax_sec} | min-ttl min_minutes | object max-size size | proxy {anonymous-pswd passwd | incoming port | outgoing host {hostname | ipaddress} port | reval-each-request {all | directory-listing | none} | serve-ims directory-listing age_percent file age_percent}

Syntax Description

age-multiplier

FTP caching heuristic modifiers.

directory-listing

Heuristic modifier for directory listing objects.

dl_time

Expiration time of directory listing objects as a percentage of their age (0-100). The default is 30.

file

Heuristic modifier for file objects.

fo_time

Expiration time of file objects as a percentage of their age (0-100).
The default is 60.

max-ttl

Sets maximum Time To Live for objects in the cache.

days

Sets maximum Time To Live units in days.

directory-listing

Sets maximum Time To Live for directory listing objects in days.

dlmax_days

Specifies maximum Time To Live in days for directory listing objects (1-1825). The default is 7 days.

file

Sets maximum Time To Live for file objects in days.

fmax_days

Specifies the maximum Time To Live in days (1-1825). The default is 3 days.

hours

Sets maximum Time To Live units in hours.

directory-listing

Sets maximum Time To Live for directory listing objects in hours.

dlmax_hours

Specifies maximum Time To Live for directory listing objects in hours (1-43800). The default is 72 hours.

file

Sets maximum Time To Live for file objects in hours.

fmax_hours

Specifies the maximum Time To Live for file objects in hours (1-43800).
The default is 168 hours.

minutes

Sets maximum Time To Live units in minutes.

directory-listing

Sets maximum Time To Live for directory listing objects in minutes.

dlmax_ min

Specifies the maximum Time To Live for directory listing objects in minutes (1-2628000). The default is 4320 minutes.

file

Sets maximum Time To Live for file objects in minutes.

fmax_min

Specifies the maximum Time To Live for file objects in minutes (1-2628000). The default is 10080 minutes.

seconds

Sets maximum Time To Live units in seconds.

directory-listing

Sets maximum Time To Live for directory listing objects in seconds.

dlmax_ sec

Specifies the maximum Time To Live for directory listing objects in seconds (1-157680000). The default is 259200 seconds.

file

Sets maximum Time To Live for file objects in seconds.

fmax_sec

Specifies the maximum Time To Live for file objects in seconds (1-157680000). The default is 604800 seconds.

min-ttl

Sets minimum Time To Live for FTP objects in cache.

min_minutes

Specifies the minimum Time To Live in minutes for FTP objects in cache (0-86400).

object

Sets configuration of FTP objects.

max-size

Sets maximum size of a cachable object.

size

Specifies the maximum size of a cachable object in KB (1-1048576).

proxy

Sets proxy configuration parameters.

anonymous-pswd

Sets anonymous password string (for example, wwwuser@cisco.com).

passwd

Specifies the anonymous password. The default is anonymous@hostname.

incoming

Sets the incoming port for proxy-mode requests.

port

Specifies up to eight ports to listen for requests (1-65535).

outgoing

Sets parameters to direct outgoing FTP requests to another proxy server.

host

Sets outgoing FTP proxy host parameters.

hostname

Specifies the hostname of the outgoing FTP proxy.

ipaddress

Specifies the IP address of the outgoing FTP proxy.

port

Specifies the port of the outgoing FTP proxy (1-65535).

reval-each-request

Sets scope of revalidation for every request.

all

Revalidates all objects on every request.

directory-listing

Revalidates directory listing objects on every request.

none

Does not revalidate for each request.

serve-ims

Sets the handling of "if-modified-since" requests.

directory-listing

Modifies handling of "if-modified-since" requests for directory listing objects.

age_percent

Specifies the percentage of age to serve the object without revalidation (0-100). The default is 50.

file

Modifies handling of if-modified-since requests for file objects.

age_percent

Specifies percentage of age to serve the object without revalidation (0-100). The default is 80.

Defaults

Command Modes

Global configuration

Usage Guidelines

The CE can handle ftp:// style FTP requests over HTTP transport in proxy mode.

When the CE receives an FTP request from the Web client, it first looks in its cache. If the object is not in its cache, it fetches the object from an upstream FTP proxy server (if one is configured), or directly from the origin FTP server.

The CE caches both the FTP file objects and directory listings. The content (directory listings and files) is stored in CFS.

The FTP proxy supports passive and active mode for fetching files and directories. Passive mode is the default. The CE automatically changes to active mode if passive mode is not supported by the FTP server.

The FTP proxy supports anonymous as well as authenticated FTP requests. Only base64 encoding is supported for authentication. The FTP proxy accepts all FTP URL schemes defined in RFC 1738. In the case of a URL in the form ftp://user@site/dir/file, the proxy sends back an authentication failure reply and the browser supplies a popup window for the user to enter login information.

The FTP proxy supports commonly used MIME types, attaches the corresponding header to the client, chooses the appropriate transfer type (binary or ASCII), and enables the browser to open the FTP file with the configured application. For unknown file types, the proxy uses binary transfer as default and instructs the browser to save the download file instead of opening it. The FTP proxy returns a formatted directory listing to the client if the FTP server replies with a known format directory listing. The formatted directory listing has full information about the file or directory and provides the ability for users to choose the download transfer type.

The CE caches FTP traffic only when the client uses the CE as a proxy server for FTP requests. All FTP traffic that was sent directly from the Web client to an FTP server, if transparently intercepted by the CE, is treated as non-HTTP traffic.

The FTP proxy supports up to eight incoming ports. It can share the ports with transparent-mode services and also with the other proxy-mode protocols supported by the CE, such as HTTP and HTTPS. In proxy-mode, the CE accepts and services the FTP requests only on the ports configured for FTP proxy. All the FTP requests on other proxy-mode ports are rejected in accordance with the error-handling settings on the CE.

The CE can apply the rules template to FTP requests based on server name, domain name, server IP address and port, client IP address, and URL.

The CE logs FTP transactions in the transaction log, in accordance with the Squid syntax. When URL tracking is enabled, the CE logs FTP transaction information to the syslog. The syslog entries are prefixed with <ftp>.

Examples

This example configures an incoming FTP proxy on ports 8080, 8081, and 9090. Up to eight incoming proxy ports can be configured on the same command line.

CE(config)# ftp proxy incoming 8080 8081 9090

This example removes one FTP proxy port from the list entered in the previous example. Ports 8080 and 9090 remain FTP proxy ports.

CE(config)# no ftp proxy incoming 8081

This example disables all the FTP proxy ports.

CE(config)# no ftp proxy incoming

This example configures an upstream FTP proxy with the IP address 172.76.76.76 on port 8888.

CE(config)# ftp proxy outgoing host 172.76.76.76 8888

This example specifies an anonymous password string for the CE to use when contacting FTP servers. The default password string is anonymous@hostname.

CE(config)# ftp proxy anonymous-pswd newstring@hostname

This example configures the maximum size in kilobytes of an FTP object that the CE will cache. By default, the maximum size of a cachable object is not limited.

CE(config)# ftp object max-size 15000

This example forces the CE to revalidate all objects for every FTP request.

CE(config)# ftp reval-each-request all

This example configures a maximum Time To Live of 3 days in cache for directory listing objects and file objects.

CE(config)# ftp max-ttl days directory-listing 3 file 3

Related Commands

rule use-proxy

show ftp

fullduplex

To configure an interface for full-duplex operation, use the fullduplex interface configuration command. To disable this function, use the no form of this command.

fullduplex

no fullduplex

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Interface configuration

Usage Guidelines

Use this command to configure an interface for full-duplex operation. Full-duplex operation allows data to travel in both directions at the same time. A half-duplex setting ensures that data only travels in one direction at any given time. If you encounter excessive collisions or network errors, try configuring the interface for half duplex rather than full duplex.

Examples

Console(config-if)# fullduplex Console(config-if)# no fullduplex

Related Commands Related Commands

halfduplex

gui-server

To specify the number of the CE management graphical user interface (GUI) server port, use the gui-server global configuration command. To disable the GUI server port, use the no form of the command.

gui-server {enable | port port}

no gui-server {enable | port port}

Syntax Description

enable

Enables the graphical user interface.

port

Configures the graphical user interface server port.

port

Port number (1-65535).

Defaults

The default port is 8001.

Command Modes

Global configuration

Examples

The following example enables the CE management GUI on port 8002.

CE(config)# gui-server enable CE(config)# gui-server port 8002

Related Commands

show gui-server

halfduplex

To configure an interface for half-duplex operation, use the halfduplex interface configuration command. To disable this function, use the no form of this command.

halfduplex

no halfduplex

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Interface configuration

Usage Guidelines

Use this command to configure an interface for half-duplex operation. Full-duplex operation allows data to travel in both directions at the same time. A half-duplex setting ensures that data only travels in one direction at a time. If you encounter collisions or other network errors, try configuring an interface for half duplex rather than full duplex.

Examples

Console(config-if)# halfduplex Console(config-if)# no halfduplex

Related Commands Related Commands

fullduplex

help

To get online help for the command-line interface, use the help EXEC or global configuration command.

help

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC, global configuration

Usage Guidelines

Two styles of help are provided:

Examples

Console# help Help may be requested at any point in a command by entering a question mark '?'. If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options. Two styles of help are provided: 1. Full help is available when you are ready to enter a command argument (e.g. 'show ?') and describes each possible argument. 2. Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (e.g. 'show stat?'.) Console# show stat? statistics Console# show stat ? authentication Authentication Statistics bypass Display Bypass Statistics cfs Display Cache File System statistics dns-cache DNS-Cache Statistics ftp Display FTP caching statistics

hostname

To configure the CE network name, use the hostname global configuration command. To reset the host name to the default setting, use the no form of this command.

hostname name

no hostname

Syntax Description

name

New host name for the CE; the name is case sensitive. The name may be from 1 to 22 alphanumeric characters.

Defaults

The default host name is the CE model number (CE505, CE550, CE560, CE570, CE590, and so forth).

Command Modes

Global configuration

Usage Guidelines

Use this command to configure the host name for the CE. The host name is used for the command prompts and default configuration filenames.

Examples

The following example changes the host name to sandbox:

Console(config)# hostname sandbox sandbox(config)# Console(config)# no hostname CE550(config)#

http

To configure HTTP-related parameters, use the http global configuration command. To disable HTTP related-parameters, use the no form of this command.

http {age-multiplier {text texttime binary bintime} | append {ldap-proxy-auth-header {hostname | ipaddress}| via-header | x-forwarded-for-header} | authenticate-strip-ntlm | cache-authenticated | cache-cookies | cache-miss revalidate | cache-on-abort {enable | max maxthresh | min minthresh | percent percenthresh} | cluster max-delay delayseconds misses totalmisses | l4-switch enable | max-ttl {days text textdays binary bindays | hours text texthours binary binhours | minutes text textminutes binary binminutes | seconds text textseconds binary binseconds} | min-ttl minutes | object {max-size maxsize | url-validation enable} | persistent-connections {enable | max-idle connections | timeout secs [max-idle connections]} | proxy {incoming port | outgoing {host {hostname | ipaddress} port [primary]} | monitor seconds | origin-server} | reval-each-request {all | none | text} | serve-ims text textpercentage binary binpercentage}

no http {age-multiplier {text texttime binary bintime} | append {ldap-proxy-auth-header {hostname | ipaddress}| via-header | x-forwarded-for-header} | authenticate-strip-ntlm | cache-authenticated | cache-cookies | cache-miss revalidate | cache-on-abort {enable | max maxthresh | min minthresh | percent percenthresh} | cluster max-delay delayseconds misses totalmisses | l4-switch enable | max-ttl {days text textdays binary bindays | hours text texthours binary binhours | minutes text textminutes binary binminutes | seconds text textseconds binary binseconds} | min-ttl minutes | object {max-size maxsize | url-validation enable} | persistent-connections {enable | max-idle connections | timeout secs [max-idle connections]} | proxy {incoming port | outgoing {host {hostname | ipaddress} port [primary]} | monitor seconds | origin-server} | reval-each-request {all | none | text} | serve-ims text textpercentage binary binpercentage}

Syntax Description

age-multiplier

HTTP/1.0 caching heuristic modifiers.

text

Heuristic modifier for text object.

texttime

Expiration time of text objects as a percentage of their age (0-100).

binary

Heuristic modifier for binary object.

bintime

Expiration time of binary objects as a percentage of their age (0-100).

append

Configures HTTP headers to be included by CE.

ldap-proxy-auth-header

Forwards "Proxy Authorization" headers in outbound requests.

hostname

Host name of upstream proxy or server that will perform LDAP authentication.

ipaddress

IP address of upstream proxy or server that will perform LDAP authentication.

via-header

Includes "Via" header in responses and replies.

x-forwarded-for-header

Notifies Web server of client's IP address through "X-Forwarded-For" header.

authenticate-strip-ntlm

Strips NT LAN Manager (NTLM) authentication headers.

cache-authenticated

Caches and revalidates authenticated Web objects.

cache-cookies

Caches Web objects with associated cookies.

cache-miss

Configuration for the handling of "no-cache" requests.

retrieve

Retrieves the object from the point of origin.

revalidate

Revalidates the object with the origin before serving.

cache-on-abort

Sets cache-on-abort configuration options.

enable

Enables cache-on-abort feature.

max

Sets maximum threshold.

maxthresh

Value in kilobytes of maximum threshold (1-99999). Default is 256.

min

Sets minimum threshold.

minthresh

Value in kilobytes of minimum threshold (1-99999). Default is 32.

percent

Sets percent threshold.

percenthresh

Percentage value (1-99). Default is 80 percent.

cluster

Sets cache cluster configuration options.

max-delay

Maximum delay to wait for a response.

delayseconds

Maximum delay in seconds (0-10).

misses

Duration of healing mode (misses).

totalmisses

Total number of misses before healing is disabled (0-999).

l4-switch enable

Enables Layer 4 switch redirection.

max-ttl

Maximum Time To Live for objects in the cache.

days

Sets maximum Time To Live for units in days.

hours

Sets maximum Time To Live for units in hours.

minutes

Sets maximum Time To Live for units in minutes.

seconds

Sets maximum Time To Live for units in seconds.

text

Sets maximum Time To Live for text objects.

binary

Sets maximum Time To Live for binary objects.

days

Specifies maximum Time To Live for units in hours.

hours

Specifies maximum Time To Live for units in hours.

minutes

Specifies maximum Time To Live for units in minutes.

seconds

Specifies maximum Time To Live for units in seconds.

min-ttl

Sets minimum time for objects to live.

minutes

Specifies minimum time to live in minutes (0-86400).

object

Sets URL validation and maximum size of HTTP objects.

max-size

Sets the maximum size of a cachable object.

maxsize

Maximum size of a cachable object in kilobytes (1-1048576).

url-validation enable

Enables each HTTP validation request.

persistent-connections

Persistent connections configuration options.

enable

Enables persistent connections.

max-idle

Sets maximum number of idle persistent connections.

connections

Maximum number of idle persistent connections (1-4096).

timeout secs

Persistent connections timeout in seconds (1-86400).

proxy

Configuration parameters for proxy mode.

incoming

Configuration for incoming proxy-mode requests.

port

Port on which to listen for incoming HTTP proxy requests (1-65535). Default is port 8080.

outgoing

Configuration to direct outgoing request to another proxy server.

host

Use outgoing HTTP proxy.

hostname

Hostname of outgoing proxy.

ipaddress

IP address of outgoing proxy.

port

Port number of outgoing proxy (1-65535).

primary

(Optional.) Makes the proxy being configured the primary proxy server.

monitor

Interval at which to monitor the outgoing proxy servers.

seconds

Monitoring interval in seconds (10-300).

origin-server

Use origin server if all proxies are failed.

reval-each-request

Configuration of revalidation for every request.

all

Revalidates all objects on every request.

none

Does not revalidate for each request.

text

Revalidates text objects on every request.

serve-ims

Configuration for the handling of if-modified-since (IMS) requests for text objects.

text

Modifies handling of if-modified-since requests for text objects.

textpercentage

Percentage of age to serve the text object without revalidation (0-100).

binary

Modifies handling of if-modified-since requests for binary objects.

binpercentage

Percentage of age to serve the binary object without revalidation (0-100).

Defaults

See the corresponding syntax description for default values.

Command Modes

Global configuration

Usage Guidelines

Use these commands to configure specific parameters for caching HTTP objects.


Note   Text objects refer to HTML pages. Binary objects refer to all other Web objects (for example, GIFs or JPEGs).

If a cached object's HTTP header does not specify an expiration time, the age-multiplier and max-ttl options provide a means for the CE to age cached objects. The CE's algorithm to calculate an object's cache expiration date is as follows:

Expiration date = (Today's date - Object's last modified date) * Freshness factor

The freshness factor is computed from the text and binary percentage parameters of the age-multiplier command. Valid age-multiplier values are 0 to 100 percent of the object's age. Default values are 30 percent for text and 60 percent for binary objects. After the expiration date, the object is considered stale and subsequent requests result in a fresh retrieval by the CE.

The max-ttl option sets the upper limit on estimated expiration dates. An explicit expiration date in the HTTP header takes precedence over the configurable TTL (Time To Live).

The serve-ims option responds to an if-modified-since request issued from a client browser by serving the object directly from the cache without revalidating with the origin server whether the object is less than the configured percentage of its maximum age.

The cache-cookies option enables the CE to cache binary served with HTTP set-cookies headers and no explicit expiration information.

The cache-authenticated option enables the CE to cache authenticated content. If this command is enabled, the CE will not serve authenticated objects without first revalidating the authentication header attached to the cached object.

The reval-each-request option enables the CE to revalidate all objects requested from the cache, text objects only, or none at all.

The cache-miss revalidate option revalidates a cache-miss request forced by the client (shift-reload). The cache-miss retrieve option forces a new object retrieval.

Use the object max-size option to specify the maximum size in kilobytes of a cachable object. The default is no maximum size for a cachable object. The no form of the command resets the default value.

The cluster option modifies the healing mode parameters. A cluster refers to a group of two or more CEs within a single WCCP Version 2 environment. Healing mode describes the addition of a CE to an existing network, and the resulting "healing" time it takes to fill the cache with content. To disable healing mode, you must set the number of misses to 0.

The proxy mode option enables the CE to operate in environments where WCCP is not enabled, or where client browsers have previously been configured to use a legacy proxy server. You must configure the proxy incoming port to accept proxy-style requests using the proxy incoming port option.

To configure the CE to direct all HTTP miss traffic to a parent cache (without using ICP or WCCP), use the proxy outgoing hostname port option, in which hostname is the system name or IP address of the outgoing proxy server, and port is the port number designated by the outgoing (upstream) server to accept proxy requests.

The cache-on-abort option provides user-defined thresholds to determine whether or not the CE will complete the download of an object when the client has aborted the request. When the download of an object aborts before it is completed, the object is not stored on the CE or counted in the hit-rate statistics. Client abort processing occurs when a client of the CE aborts the download of a cachable object before the download is complete. Typically, a client aborts a download by clicking the Stop icon on the browser, or by closing the browser during a download.

If the cache-on-abort option is enabled and all cache-on-abort thresholds are disabled, then the CE always aborts downloading an object to the cache. If the CE determines that there is another client currently requesting the same object, downloading is not aborted. The CE only applies those thresholds that have been enabled.

Configure the http ldap-proxy-auth-header global configuration option when the CE and an upstream server or proxy is performing LDAP authentication.

To prevent disclosure of a user's proxy authentication credentials to another host, the CE removes the HTTP Proxy-Authorization header from the HTTP request when it forwards the request. With LDAP authentication it is important that upstream proxies share the authentication credentials carried in the header. To prevent the CE from stripping out the HTTP Proxy-Authorization header, enter the
http append ldap-proxy-auth-header global configuration command. The CE will forward the Proxy-Authorization header with credentials to the specified host name or IP address.

HTTP Proxy Failover

The http proxy outgoing option can configure backup proxy servers for the HTTP proxy failover feature. One proxy server functions as the primary proxy server and all requests are redirected to it. If the primary proxy server fails to respond to the HTTP CONNECT, the server is noted as failed and the requests are redirected to the next outgoing proxy server until one of the proxies service the request.

To explicitly designate the primary proxy, use the primary keyword. If several proxies are configured with the primary keyword, the last one configured overrides the others. Failover to a proxy server occurs in the order the proxy servers were configured. In the event that all the configured proxy servers fail, the CE can optionally redirect requests to the origin server if the user enters the http proxy outgoing origin-server option. If the user has configured the origin-server option, the CE directs HTTP requests to the original server specified in the HTTP header. If the option is not enabled, the client receives the error. Response errors and read errors are returned to the client, since it is not possible to detect whether these errors are generated at the origin server or at the proxy. Up to eight outgoing proxy servers can be configured for a single CE.

The state of the proxy servers is maintained by active monitoring, which occurs in the background. The state of the proxy servers can be seen in the CLI and syslog NOTICE messages. This interval is configured with the http proxy outgoing monitor option. This outgoing monitor interval is the frequency with which a single proxy server is polled. Only one proxy server is polled per interval. If more than one proxy server is configured, the delay is in multiple intervals of the monitor value. If one of the proxy servers is unavailable, the polling mechanism waits for the connect timeout before polling the next server.

The configuration specified by the rule command has precedence over any other configured proxy server. If an administrator created a use-proxy rule, the HTTP request is directed only to the proxy specified by the rule. For example:

Requests to the domain "cisco.com" fail over to the backup proxies if ipaddr1 is unavailable. Any other rule that uses ipaddr1 fails over to the backup proxies when ipaddr1 fails. Each request is checked to determine if the protocol supports failover (currently, only HTTP). If so, those requests failover to the list of outgoing proxies configured with the http proxy outgoing host option. In the event that all proxy servers fail, the failover of the rule command sends the request to the origin server if the http proxy outgoing origin-server option is entered.

Requests with destinations included in the proxy-protocols outgoing-proxy exclude list bypass the CE proxy as well as the failover proxies.

When an HTTP request intended for another proxy server is intercepted by the CE in transparent mode, the CE forwards the request to the intended proxy server if the proxy-protocols transparent original-proxy command was entered.

The proxy failover feature currently supports only HTTP, and not HTTPS or FTP.

The persistent-connections enable command enables persistent connections on the CE. To configure the number of seconds the CE should wait for a connection response before it times out, use the timeout option. To set the number of seconds that the CE should allow an idle persistent connection to remain open, use the max-idle option.

The http object url-validation option has a dependency with the ip name-server CLI command. When the ip name-server option is not configured (for example, during transparent proxy), http object url-validation is dynamically turned off. When the ip name-server option is configured, http object url-validation is turned on automatically if and only if it was enabled.


Caution   URL validation is on by default. Cisco Systems strongly recommends that you keep URL validation enabled, because disabling URL validation might make the CE vulnerable to corruption from the HTTP objects in the cache.

Use the exclude list option in the http proxy outgoing global configuration command to specify domains for which the CE will not use an upstream proxy.

Only one domain can be specified per command line. To specify multiple domains for proxy exclusion, iteratively execute the command for each domain. In the following example, cisco.com and the address 10.9.8.7 are proxy-excluded.

Console(config)# http proxy outgoing exclude list cisco.com Console(config)# http proxy outgoing exclude list 10.9.8.7

The maximum number of no-proxy domains is 64. The CE will not use an upstream proxy for any domain that ends with a listed domain name. For example, if you specify cisco.com, the configured outgoing proxy server will be bypassed each time the CE tries to retrieve a Web page from videos.cisco.com, or personals.cisco.com.

For IP addresses, enter the full IP address or use the asterisk "*" as a wildcard for IP address fields as follows:

172.16.1.*

172.16.*.*

172.*.*.*

The syntax 172.16.*.* indicates that all requests to the domain host of 172.16.xxx.xxx will be excluded. Wildcard syntax does not support "0" or "?".

The following forms of wildcard specification are not supported:

172.*.10.2

172.31.1*.8

Examples

In this example, the host 10.1.1.1 on port 8088 is designated the primary proxy server, and host 10.1.1.2 is a backup proxy server.

CE(config)# http proxy outgoing host 10.1.1.1 8088 primary CE(config)# http proxy outgoing host 10.1.1.2 220

In this example, the CE is configured to redirect requests directly to the origin server in the event that all of the proxy servers fail.

CE(config)# http proxy outgoing origin-server

In this example, the CE is configured to monitor the proxy servers every 120 seconds.

CE(config)# http proxy outgoing monitor 120

To disable any of the above, use the no version of the command.

Proxy Failover Show Commands

Console# show http proxy Incoming Proxy-Mode: Servicing Proxy mode HTTP connections on ports: 8080 Outgoing Proxy-Mode: Primary proxy server: 172.69.63.150 port 1 Failed Backup proxy servers: 172.69.236.151 port 8005 172.69.236.152 port 123 172.69.236.153 port 65535 Failed 172.69.236.154 port 10 Proxy monitor interval: 60 seconds Use Origin Server upon Proxy Failure.

Statistics

Console# show statistics http requests Statistics - Requests Total % of Requests --------------------------------------------------- Total Received Requests: 43 - Forced Reloads: 0 0.0 Near Hits: 0 0.0 Server Errors: 0 0.0 URL Blocked: 0 0.0 Sent to Outgoing Proxy: 32 74.4 Failures from Outgoing Proxy: 0 0.0 Excluded from Outgoing Proxy: 11 25.6 ICP Client Hits: 0 0.0 ICP Server Hits: 0 0.0 HTTP 0.9 Requests: 0 0.0 HTTP 1.0 Requests: 43 100.0 HTTP 1.1 Requests: 0 0.0 HTTP Unknown Requests: 0 0.0 Non HTTP Requests: 0 0.0 Non HTTP Responses: 0 0.0 Chunked HTTP Responses: 0 0.0 Flow-controlled HTTP streams: 2 4.7 Http Miss Due To DNS: 0 0.0 Http Deletes Due to DNS: 0 0.0 Objects cached for min ttl: 0 0.0 Console# show statistics http proxy out HTTP Outgoing Proxy Statistics Attempts Failures Successes Cleared ---------------------------------------------------- 10.1.1.1: 0 1 0 0 172.31.227.111: 32 0 0 40 Requests when all proxies were failed: 0 Console(config)# http append ldap-proxy-auth-header ? Hostname or A.B.C.D IP address or hostname of proxy/server to receive proxy-auth headers Console(config)# http append ldap-proxy-auth-header 172.16.1.1 Console(config)# http age-multiplier text 30 bin 60 Console(config)# http reval-each-request text Console(config)# no http age-multiplier text 30 bin 60 Console(config)# no http reval-each-request text

    Console(config)# http cache-on-abort enable
    Console(config)# no http cache-on-abort
    Console(config)# http cache-on-abort min 16
    Console(config)# no http cache-on-abort min
The cache-on-abort max and percent thresholds are configured like the minimum threshold shown in the examples.

Related Commands

ldap

proxy-protocols

rule no-proxy

rule use-proxy

show http

show http proxy

show ldap

show statistics http requests

show statistics http proxy outgoing

https

Use the https global configuration command to configure the CE for HTTPS proxy services.

https {destination-port {allow {port | all} | deny {port | all}} | proxy {incoming port |
outgoing {host hostname | address} port}}

no https {destination-port {allow {port | all} | deny {port | all}} | proxy {incoming port |
outgoing {host hostname | address} port}}

Syntax Description

destination-port

Destination port restrictions proxy.

allow

Allows HTTPS traffic to ports.

port

Port numbers on which to listen for HTTPS requests (1-65535).

all

Listens to all ports from 1 to 65535.

deny

Denies HTTPS traffic to ports.

proxy

Sets configuration parameters for proxy mode.

incoming

Sets configuration for incoming proxy-mode requests.

port

Port numbers on which to listen for HTTPS requests (1-65535).

outgoing

Sets configuration to direct outgoing requests to another proxy server.

host

Uses outgoing HTTPS proxy.

hostname

Hostname of outgoing proxy.

address

IP address of outgoing proxy.

port

Port of outgoing proxy (1-65535).

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

HTTPS Proxy Features Related CLI Commands (Abbreviated Syntax)

Supports proxy on multiple ports (1-8)

https proxy incoming port_1-65535 . . . (up to 8 ports)

Shares proxy ports with transparent services

Configures a WCCP service and an HTTPS incoming proxy on the same port.

Shares proxy ports with other proxy protocol services

https proxy incoming port_1-65535 . . . (up to 8 ports)
wccp service-number . . .
wccp port-list . . .
wccp custom-web-cache . . .

Restricts proxy protocols on specific ports
(up to 8)

https destination-port {allow | deny} port_1-65535 ... (up to 8 ports)

Configures outgoing HTTPS proxy server

proxy-protocols outgoing-proxy exclude . . .
https proxy outgoing host {hostname | ip_address} port_1-65535

Original versus default outgoing HTTPS proxy
decision process

proxy-protocols transparent {default-server | original-proxy}

Uses global exclude lists for HTTPS proxy

proxy-protocols outgoing-proxy exclude . . .

Handles in transparent mode an HTTPS request bound for another proxy host

proxy-protocols transparent {default-server | original-proxy}

The order in which the CLI commands are entered is not important.

The CE with software version 2.2.0 supports HTTPS in the following two scenarios:

In both cases the CE creates a connection to the origin server (directly or through another proxy server) and allows the Web client and origin server to set up an SSL tunnel through the CE.

HTTPS traffic is encrypted and cannot be interpreted by the CE or any other device between the Web client and the origin server. HTTPS objects are not cached.

Because HTTPS does not provide headers used for most rule matching, the CE can only apply rules that are based on server name, domain name, or server IP address and port. See the "rule" section for further information.

The CE as an HTTPS proxy server supports up to eight ports. It can share the ports with transparent-mode services and with HTTP. In proxy mode, the CE accepts and services the HTTPS requests on the ports specified with the https proxy incoming command. All HTTPS requests on other proxy-mode ports are rejected in accordance with the error-handling settings on the CE. In transparent mode, all HTTPS proxy-style requests intended for another HTTPS proxy server are accepted. The CE acts on these transparently received requests in accordance with the proxy-protocols transparent command.

When the CE is configured to use an HTTPS outgoing proxy with the https proxy outgoing host command, all incoming HTTPS requests are directed to this outgoing proxy. The proxy-protocols outgoing-proxy exclude command creates a global proxy exclude list effective for all proxy server protocols including HTTPS. The CE applies the following logic when an outgoing proxy server is configured:

When a CE intercepts a proxy request intended for another proxy server and there is no outgoing proxy configured for HTTPS, and the proxy-protocols transparent default-server command is invoked, the CE addresses the request to the destination server directly and not to the client's intended proxy server.

Statistics Reporting

Only connection statistics are reported. Because requests and responses are sent through the secure tunnel, the CE is not able to identify the number of requests sent, or the number of bytes per request. Thus, the request and transaction per second (TPS) statistics are not available for HTTPS.

Transaction Logging

The CE logs HTTPS transactions in the transaction log in accordance with Squid syntax. One log entry is made for each HTTPS connection, although many transactions are performed per connection. The CE is not aware of objects conveyed through the SSL tunnel, only the HTTPS server name,

Syslog and URL Tracking

When URL tracking is enabled, the CE logs HTTPS transaction information to the syslog file. The syslog entries have the prefix <https>. For HTTPS, there are no "misses" or "hits." Because the CE ignores objects transferred through an SSL tunnel, there is only one URL tracking entry per HTTPS connection (similar to the transaction log).

Examples

In this example, the CE is configured as an HTTPS proxy server, and accepts HTTPS requests on ports 81, 8080, and 8081.

CE(config)# https proxy incoming 81 8080 8081

In this example, the CE is configured to forward HTTPS requests to an outgoing proxy server (10.1.1.1) on port 8880.

CE(config)# https proxy outgoing host 10.1.1.1 8880

In this example, HTTPS destination port connection requests are denied for ports 20, 21, 23, and 119.

CE(config)# https destination-port deny 20 21 23 119

In this example, a domain name is excluded from being forwarded to the outgoing proxy server.

CE(config)# proxy-protocols transparent default-server CE(config)# proxy-protocols outgoing-proxy exclude enable CE(config)# proxy-protocols outgoing-proxy exclude list cruzio.com

Related Commands

proxy-protocols

http proxy

show proxy-protocols

show http proxy

icp

To configure the Internet Cache Protocol (ICP) client and server, use the icp global configuration command. To disable the ICP client and server, use the no form of this command.

icp {client {{add-remote-server {hostname | ipaddress} {parent | sibling} icp-port icpport http-port httpport [restrict domainnames]} | enable | exclude domainnames | max-fail retries | max-wait timeout | modify-remote-server {hostname | ipaddress} {http-port port | icp-port port | parent | restrict domainnames | sibling}} | server {enable | http-port httpport | port icpport | remote-client {hostname | ipaddress} {fetch | no-fetch}}}

no icp {client {{add-remote-server {hostname | ipaddress} {parent | sibling} icp-port icpport http-port httpport [restrict domainnames]} | enable | exclude domainnames | max-fail retries | max-wait timeout | modify-remote-server {hostname | ipaddress} {http-port port | icp-port icpport | parent | restrict domainnames | sibling}} | server {enable | http-port httpport | port icpport | remote-client {hostname | ipaddress} {fetch | no-fetch}}}

Syntax Description l

client

Sets ICP client functionality.

add-remote-server

Adds an ICP client remote server.

hostname

Specifes host name of remote server.

ipaddress

Specifies IP address of remote server.

parent

ICP server acts like a parent.

sibling

ICP server acts like a sibling.

icp-port

ICP port.

icpport

Sends remote requests to this ICP port number (0-65535).

http-port

HTTP port.

httpport

Sends HTTP requests to this port number (0-65535).

restrict

Sets restricted list of domains.

domainnames

Specifes space delimited restricted domain list

enable

Enables the ICP client.

exclude

ICP client local domains that are excluded.

domainnames

Space-delimited local domain list.

max-fail

Maximum number of retries allowed.

retries

Number of retries (0-100).

max-wait

Maximum wait for ICP responses before timeout occurs.

timeout

Timeout period for ICP responses in seconds (0-30).

modify-remote-server

Modifies the ICP client remote server parameters.

hostname

Specifes host name of remote server.

ipaddress

Specifies IP address of remote server.

http-port

HTTP port.

httpport

Sends HTTP requests to this port number (0-65535).

icp-port

ICP port.

icpport

Sends ICP requests to this port number (0-65535).

parent

ICP remote server acts like a parent.

restrict

Sets restricted list of domains.

domainnames

Specifies space-delimited local domain list.

sibling

ICP remote server acts like a sibling.

server

ICP server functionality.

enable

Enables the ICP client.

http-port

HTTP port.

httpport

Sends HTTP requests to this port number (0-65535).

port

ICP server port that listens for ICP requests.

icpport

Sends ICP requests to this port number (0-65535).

remote-client

ICP server remote client.

hostname

Specifes host name of remote client.

ipaddress

Specifies IP address of remote client.

fetch

ICP remote client will fetch cache miss.

no-fetch

ICP remote client will not fetch cache miss.

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

Use these commands to establish and configure the ICP server and client functionality of the CE. Configurations made without enabling ICP functionality will be stored within the configuration until removed. To enable the ICP server or client functionality, use the icp {server | client} enable command. Be sure to enable the ICP on any other CEs or ICP servers or clients within the ICP environment to ensure proper service. You can monitor the statistical data of the ICP service using the show statistics icp EXEC command.

Examples

Console(config)# icp client enable Icp Client started Console(config)# no icp client enable Icp Client disabled

Related Commands Related Commands

show icp client

show icp server

show statistics icp

inetd

To configure, enable, and disable TCP/IP services, use the inetd global configuration command. To disable TCP/IP services, use the no form of this command.

inetd enable service concurrent_tasks

no inetd enable service concurrent_tasks

Syntax Description

enable

Enables TCP/IP service.

service

Name of the service to be enabled: echo, discard, chargen, TFP, RCP, Telnet, and TFTP.

concurrent_tasks

Maximum number of concurrent sessions supported for the specified service (1-20).

Command Modes

Global configuration

Defaults

echo: Disabled.

discard: Disabled.

chargen: Disabled.

ftp: Five sessions.

rcp: Five sessions.

tftp: Five sessions.

telnet: Three sessions.

Usage Guidelines

Use these commands to configure the parameters of TCP/IP services on the CE. The limit for any service is a maximum of 20 tasks. Use the show inetd command to list current inetd configurations and the number of current tasks running.

Examples

Console(config)# inetd enable ftp 5 Console(config)# no inetd enable ftp

Related Commands Related Comands

show inetd

install

To install a new version of CE software, use the install EXEC command.

install paxfilename

Syntax Description

paxfilename

Name of the .pax file you want to install.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Install and run the .pax file from the /local directory only. When the install command is executed, the .pax file is expanded. The expanded files overwrite the existing files in the CE. The newly installed version takes effect after the system image is reloaded.

Examples

Console# install ce25.pax

Related Commands Related Commands

reload

interface

To configure an Ethernet or SCSI interface, use the interface global configuration command. To disable an Ethernet or SCSI interface, use the no form of this command.

interface ethernet number

no interface ethernet number

Syntax Description

ethernet

Ethernet IEEE 802.3 interface to configure.

number

0 or 1; Ethernet interface number.

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

Use the interface command to begin interface configuration, such as setting an IP address for an interface, a subnet mask for an interface, broadcast address, or manually setting the speed or duplex mode.

Examples

Console(config)# interface ethernet 0 Console(config-if)# ? Configure Interface commands: autosense Interface autosense bandwidth Interface speed exit Exit from interface mode fullduplex Interface fullduplex halfduplex Interface halfduplex ip Interface Internet Protocol Config commands no Negate a command or set its defaults Console(config-if)# exit Console(config)# Console(config)# no interface ethernet 0

Related Commands Related Commands

show interface

ip

To configure the IP interface, use the ip interface configuration command. To disable this function, use the no form of this command.

ip {address ip-address ip-subnet | broadcast-address ip-address}

no ip {address [ip-address ip-subnet] | broadcast-address}

Syntax Description

address

Sets the IP address of an interface.

broadcast-address

Sets the broadcast address of an interface.

ip-address

IP address.

ip-subnet

IP subnet mask.

Defaults

No default behavior or values

Command Modes

Interface configuration

Usage Guidelines

Use this command to set or change the IP address and subnet mask of the CE (interface ethernet 0). The CE requires a reboot in order for the new IP address to take effect.

Examples

Console(config-if)# ip address 10.10.10.10 255.0.0.0 Console(config-if)# no ip broadcast-address

ip

To configure the IP addresses of the network hosts necessary for network connectivity, use the ip global configuration command.

ip {default-gateway ipaddress | domain-name domainname | name-server ipaddress | route destaddrs netmask gateway}

no ip {default-gateway ipaddress | domain-name domainname | name-server ipaddress | route destaddrs netmask gateway}

Syntax Description

default-gateway

Specifies default gateway (if not routing IP).

ipaddress

IP address of default gateway.

domain-name

Specifies domain name.

domainname

Domain name.

name-server

Specifies address of name server.

ipaddress

IP address of name server.

route

Net route.

destaddrs

Destination route address.

netmask

Netmask.

gateway

Gateway address.

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

To define a default gateway, use the ip default-gateway global configuration command. To delete the IP default gateway, use the no form of this command.

The CE uses the default gateway to route IP packets when there is no specific route found to the destination.

To define a default domain name, use the ip domain-name global configuration command. To remove the IP default domain name, use the no form of this command.

The CE appends the configured domain name to any IP host name that does not contain a domain name. The appended name is resolved by the DNS server and then added to the host table. The CE must have at least one domain name server specified for the host name resolution to work correctly. Use the ip name-server hostname command to specify domain name servers.

To specify the address of one or more name servers to use for name and address resolution, use the ip name-server global configuration command. To disable IP name servers, use the no form of this command.

For proper resolution of host name to IP address or IP address to host name, the CE uses DNS servers. Use the ip name-server command to point the CE to a specific DNS server. You can configure up to eight servers.

To configure static IP routing, use the ip route global configuration command. To disable an IP routing, use the no form of this command.

Use the ip route command to add a specific static route for a network host. Any IP packet designated to the specified host uses the configured route.

Examples

Console(config)# ip default-gateway 192.168.7.18 Console(config)# no ip default-gateway Console(config)# ip route 172.16.227.128 ffffff80 172.16.227.250 Console(config)# no ip route 172.16.227.128 ffffff80 172.16.227.250 Console(config)# ip domain-name cisco.com Console(config)# no ip domain-name Console(config)# ip name-server 10.11.12.13 Console(config)# no ip name-server 10.11.12.14

Related Commands

show ip route

ldap

To configure the CE to perform user authentication with a Lightweight Directory Access Protocol (LDAP) server, use the ldap global configuration command.

ldap {authcache {auth-timeout minutes | max-entries entries} | client auth-header {401 | 407} | server {allow-mode | base baseword | filter filterword | host {hostname | hostipaddress} port portnumber | retransmit retries | timeout seconds | user-id-attribute useidword}}

no ldap {authcache {auth-timeout minutes | max-entries entries} | client auth-header {401 | 407} | server {allow-mode | base baseword | filter filterword | host {hostname | hostipaddress} port portnumber | retransmit retries | timeout seconds | user-id-attribute useidword}}

Syntax Description

authcache

Configures LDAP authentication cache parameters.

auth-timeout

Sets the timeout value of records in the authentication cache.

minutes

Specifies length in minutes between the user's last Internet access and the removal of that user's entry from the authorization cache, forcing reauthentication with the LDAP server (30-1440). Default is 480 minutes; minimum is 30 minutes; maximum is 1440 minutes (24 hours).

max-entries

Sets the maximum number of entries in the authentication cache.

entries

Specifies the maximum number of entries in the authentication cache (500-32000).

Default values are as follows:

  • 2000 for the CE505

  • 4000 for the CE550

  • 8000 for the CE570

  • 16000 for the CE590

Minimum is 50 percent of default value, Maximum is 200 percent of default value.

client

Configures LDAP client parameters.

auth-header

Specifies which HTTP header to use for authentication (user ID and password) when the style of the HTTP request indicates that no proxy server is present. Headers can be either HTTP 401 (server authentication) or HTTP 407 (proxy authentication). The default is HTTP 401.

401

Uses HTTP 401 to query users for credentials.

407

Uses HTTP 407 to query users for credentials.

server

Configures LDAP server parameters.

allow-mode

Allows HTTP traffic if the LDAP server does not respond.
The default is enabled.

base

Sets the base distinguished name of the starting point for the search in the LDAP database.

baseword

Specifies the base value. There is no default.

filter

Sets the LDAP filter for the authentication group.

filterword

Specifies text for the LDAP filter. There is no default.

host

Sets host parameters.

hostname

Specifies host name of the LDAP server. Two servers can be named.

hostipaddress

Specifies the IP address of the LDAP server.

port

Sets the TCP port for the LDAP authentication server.

portnumber

Specifies LDAP server port number (1-65535). The default is 389.

retransmit

Sets the number of retries to the active server.

retries

Specifies the number of retries. The default is 3 retries (1-10).

timeout

Sets the time to wait for an LDAP server to reply.

seconds

Specifies the waiting time in seconds (1-100). The default is 5 seconds; minimum is 1 second; maximum is 100 seconds.

user-id-attribute

Sets the user ID attribute on the LDAP server.

useidword

Specifies the value for the user ID attribute (default is "uid").

Defaults

See the corresponding parameter description for default values.

Command Modes

Global configuration

Usage Guidelines

An LDAP-enabled CE authenticates users with an LDAP server. With an HTTP query, the CE obtains a set of credentials from the user (user ID and password) and compares them against those in an LDAP server.

Software version 2.2.0 implements LDAP version 3 and supports all LDAP features except for Secure Authentication and Security Layer (SASL).

When the CE authenticates a user through the LDAP server, a record of that authentication is stored locally in the CE RAM (authentication cache). As long as the authentication entry is kept, subsequent attempts to access restricted Internet content by that user do not require LDAP server lookups.

The ldap authcache max-entries command sets the maximum number of authentication cache entries retained. The default values are as follows:

The ldap authcache auth-timeout command specifies how long an inactive entry can remain in the authentication cache before it is purged. Once a record has been purged, any subsequent access attempt to restricted Internet content requires an LDAP server lookup for reauthentication.

Proxy Mode LDAP Authentication

The events listed below occur when the CE is configured for LDAP authentication and one of the following two scenarios is true:

    1. The CE examines the HTTP headers of the client request to find user information (contained in the Proxy-Authorization header).

    2. If no user information is provided, the CE returns a 407 (Proxy Authorization Required) message to the client.

    3. The client resends the request, including the user information.

    4. The CE searches its authentication cache (based on user ID and password) to see if the client has been previously authenticated.

    5. If a match is found, the request is serviced normally.

    6. If no match is found, the CE sends a request to the LDAP server to find an entry for this client.

    7. If the server finds a match, the CE allows the request to be serviced normally and stores the client's user ID and password in the authentication cache.

    8. If no match is found, the CE again returns a 407 (Proxy Authorization Required) message to the client.

Transparent Mode LDAP Authentication

The events listed below occur when the CE is configured for LDAP authentication and both of the following are true:

    1. The CE searches its authentication cache to see if the user's IP address has been previously authenticated.

    2. If a match is found, the CE allows the request to be serviced normally.

    3. If no match is found in the first step, the CE examines the HTTP headers to find user information (contained in the Authorization header).

    4. If no user information is provided, the CE returns a 401 (Unauthorized) message to the client.

    5. The client resends the request, including the user information.

    6. The CE sends a request to the LDAP server to find an entry for this user.

    7. If the server finds a match, the CE allows the request to be serviced normally and stores the client's IP address in the authentication cache.

    8. If no match is found, the CE again returns a 401 (Unauthorized) message to the client.

In transparent mode, the CE uses the client's IP address as a key for the authentication database.

If you are using LDAP user authentication in transparent mode, we recommend that the AuthTimeout interval configured with the ldap authcache auth-timeout command be short. IP addresses can be reallocated, or different users can access the Internet through an already authenticated device (PC, workstation, and the like). Shorter AuthTimeout values help reduce the possibility that individuals can gain access using previously authenticated devices. When the CE operates in proxy mode, it can authenticate the user with the user ID and password.

Allow Mode

Two LDAP servers can be specified with the ldap server host command to provide redundancy and improved throughput. CE load-balancing schemes distribute the requests to the servers.

If the CE cannot connect to either server, no authentication can take place. When the ldap server allow-mode command is invoked, the client is permitted access to the origin server if the LDAP server does not respond within the timeout interval specified with the ldap server timeout command. If allow mode is off (no ldap server allow-mode), users who have not been previously authenticated are denied access.

Security Options

The CE uses simple (nonencrypted) authentication to communicate with the LDAP server. Future expansion may allow for more security options based on SSL, SASL, or certificate-based authentication.

Domain Exclude

To exclude domains from LDAP authentication, define a no-auth rule. LDAP or Remote Authentication User Dial-in Service (RADIUS) authentication takes place only if the site requested does not match the specified pattern. See the "rule" section for more details.

LDAP and RADIUS Considerations

LDAP authentication can be used with Websense URL filtering, but not with RADIUS authentication. Both LDAP and RADIUS rely on different servers, which may require different user IDs and passwords, making RADIUS and LDAP authentication schemes mutually exclusive. Should both RADIUS and LDAP be configured on the CE at the same time, LDAP authentication is executed, not RADIUS authentication.

Hierarchical Caching

In some cases, users are located at branch offices. A CE (CE1) can reside with them in the branch office. Another CE (CE2) can reside upstream, with an LDAP server available to both CEs for user authentication.


Note   The http append ldap-proxy-auth-header global configuration command must be configured on the downstream CEs to ensure that proxy-authorization information, required by upstream CEs, is not stripped from the HTTP request by the downstream CEs.

If branch office user 1 accesses the Internet, and content is cached at CE1, then this content cannot be served to any other branch office user unless that user is authenticated. CE1 must authenticate the local users.

Assuming that both CE1 and CE2 are connected to the LDAP server and authenticate the users, when branch office user 2 firsts requests Internet content, CE1 responds to the request with an authentication failure response (either HTTP 407 if in proxy mode, or HTTP 401 if in transparent mode). User 2 enters the user ID and password, and the original request is repeated with the credentials included. CE1 contacts the LDAP server to authenticate user 2.

Assuming authentication success, and a cache miss, the request along with the credentials is forwarded to CE2. CE2 also contacts the LDAP server to authenticate user 2. Assuming success, CE2 either serves the request out of its cache or forwards the request to the origin server.

User 2 authentication information is now stored in the authentication cache in both CE1 and CE2. Neither CE1 nor CE2 needs to contact the LDAP server for user 2's subsequent requests (unless user 2's entry expires and is removed from the authentication cache).

This scenario assumes that CE1 and CE2 use the same method for authenticating users. Specifically, both CEs must expect the user credentials (user ID and password) to be encoded in the same way.

Hierarchical Caching in Transparent Mode

When the CE operates in transparent mode, the user's IP address is used as a key to the authentication cache. When user 2 sends a request transparently to CE1, after authentication, CE1 will insert its own IP address as the source for the request. Therefore, CE2 cannot use the source IP address as a key for the authentication cache.

When CE1 inserts its own IP address as the source, it must also insert an X-Forwarded-For header in the request (http append x-forwarded-for-header command). CE2 must first look for an X-Forwarded-For header. If one exists, that IP address must be used to search the authentication cache. Assuming the user is authenticated at CE2, then CE2 must not change the X-Forwarded-For header, just in case there is a transparent CE3 upstream.

In this scenario, if CE1 does not create an X-Forwarded-For header (for example, if it is not a Cisco CE and does not support this header), then authentication on CE2 will not work.

Hierarchical Caching, CE in Transparent Mode with an Upstream Proxy

In a topology with two CEs, assume that CE1 is operating in transparent mode and CE2 is operating in proxy mode, with the browsers of all users pointing to CE2 as a proxy.

Because the browsers are set up to send requests to a proxy, an HTTP 407 message is sent from CE1 back to each user to prompt for credentials. By using the 407 message, the problem of authenticating based on source IP address is avoided. The username and password can be used instead.

This mode provides better security than using the HTTP 401 message. The CE examines the style of the address to determine if there is an upstream proxy. If so, the CE uses an HTTP 407 message to prompt the user for credentials even when operating in transparent mode.

Authentication Cache Size Adjustments

If the authentication cache is not large enough to accommodate all authenticated users at the same time, the CE purges older entries that have not yet timed out.

The CE increments statistics that record these events. The show statistics ldap authcache command displays these statistics. When the authentication cache reaches 100 percent of capacity, a syslog message is generated. If the capacity stays at 100 percent, no new syslog messages are generated.

Another message is generated only if the capacity drops below 85 percent, and then returns to 100 percent. These syslog entries tell the administrator that the authentication cache size limit may need to be increased, assuming that enough system memory is available.

Transaction Logging

Once a user has been authenticated through LDAP, all transaction logs generated by the CE for that user contain user information. If the CE is acting in proxy mode, the user ID is included in the transaction logs. If the CE is acting in transparent mode, the user IP address is included instead.

If the transaction-logs sanitize command is invoked, the user information is suppressed.

Examples

Specify an LDAP server with IP address 1.1.1.1 on port 88.

Console(config)# ldap server host 1.1.1.1 port 88

To delete an LDAP server, use the no ldap server command.

Console(config)# no ldap server host 1.1.1.1

Specify that the CE should use header 407 when asking the end user for authentication credentials (user ID and password).

Console(config)# ldap client auth-header 407

Related Commands

show ldap

show statistics ldap

clear statistics ldap

debug ldap

lls

To view a long list of directory names, use the lls EXEC command.

lls [directory]

Syntax Description

directory

(Optional.) Name of the directory for which you want a long list of files.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

This command provides detailed information about files and subdirectories stored in the present working directory to be viewed (including size, date, time of creation, DOS name, and long name of the file). This information can also be viewed with the dir command.

Examples

Console# lls Console# lls /local size date time name LongName ------- ------- ------ ----------- -------------- 512 Dec-31-1987 17:02:32 ETC <DIR> etc 512 Dec-31-1987 17:02:32 TFTPBOOT <DIR> tftpboot 512 Dec-31-1987 17:02:32 VAR <DIR> var 512 Jan-07-1988 09:47:52 LIB <DIR> lib 4385154 Apr-22-1999 12:25:36 CE25.PAX ce25.pax 4 DIR(S), 3 FILE(S) 11192642 bytes 2125922304 bytes AVAILABLE ON VOLUME /c0t0d0s1

Related Commands Related Cands

dir

ls

logging

To configure system logging, use the logging global configuration command. To disable logging functions, use the no form of this command.

logging {{hostname | ip-address} | console loglevels | disk filename loglevels | event-export events loglevels facility | facility facility | on | recycle size | trap loglevels}

no logging {{hostname | ip-address} | console loglevels | disk filename loglevels | event-export events loglevels facility | facility facility | on | recycle size | trap loglevels}

Syntax Description

hostname

Specifies syslog server host name.

ip-address

Specifies syslog server IP address.

console

Sets console logging level.

Loglevels

Use one of these keywords:

  • alerts

Immediate action needed.

  • critical

Immediate action needed.

  • debugging

Debugging messages.

  • emergencies

System is unusable.

  • errors

Error conditions.

  • informational

Informational messages.

  • notification

Normal but significant conditions.

  • warnings

Warning conditions.

disk

Stores log in a file.

filename

Name of the log file.

event-export

Syslog event export configuration.

Events

Use one of these keywords:

  • critical-events

Exports critical events.

  • notice-events

Exports notice events.

  • url-tracking

Tracks URLs to syslog.

  • warning-events

Exports warning events.

Facility

Use one of these keywords:

  • auth

Authorization system.

  • cron/at

Cron.

  • daemon

System daemons.

  • kernel

Kernel.

  • local0

Local use.

  • local1

Local use.

  • local2

Local use.

  • local3

Local use.

  • local4

Local use.

  • local5

Local use.

  • local6

Local use.

  • local7

Local use.

  • lpr

Line printer system.

  • mail

USENET news.

  • news

Mail system.

  • syslog

Syslog itself.

  • user

User process.

  • uucp

UUCP system.

facility

Facility parameter for syslog messages.

on

Enables logging to all destinations.

recycle

Overwrites syslog.txt when it surpasses the recycle size.

size

Size of syslog file in bytes (1-50000000).

trap

Sets syslog server logging level.

Defaults

Logging: On

Priority of message for console: Warning

Priority of message for file: Debugging

Log file: /local/var/log/syslog.txt

Log file recycle size: 5,000,000 bytes

Command Modes

Global configuration

Usage Guidelines

Use this command to set specific parameters of the system log file. System logging is always enabled internally. The system log file is located on the dosfs partition as /local/var/log/syslog.txt. To configure the CE to send varying levels of event messages to an external syslog host, use the logging hostname command. Logging can be configured to send various levels of messages to the console using the logging console loglevels command. It can also be configured to export event messages using the logging event-export events command.

Examples

Console(config)# logging console warnings Console(config)# no logging console warnings

ls

To view a list of files or subdirectory names within a dosfs directory, use the ls EXEC command.

ls [directory]

Syntax Description

directory

(Optional.) Name of the directory for which you want a list of files.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

To list the filenames and subdirectories within a particular directory, use the ls directory command; to list the filenames and subdirectories of the current working directory, use the ls command. To view the present working directory, use the pwd command.

Examples

Console# ls /local etc tftpboot var lib ce25.pax 2125922304 bytes AVAILABLE ON VOLUME /c0t0d0s1

Related Commands

dir

lls

pwd

mfs

To alter default settings of the memory file system (mfs), use the mfs EXEC command.

mfs {clear [force] | mount [size [objects]] | sync | unmount}

Syntax Description

clear

Deletes all objects from the mfs volume.

force

(Optional.) Forcefully deletes all objects from the memory file system.

mount

Mounts the memory file system.

size

Maximum size of the memory file system in megabytes (1-1000).

objects

(Optional.) Maximum number of objects in the memory file system (1-1000000).

sync

Saves memory file system objects to the cache file system (cfs).

unmount

Unmounts the memory file system.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

The memory file system cannot be configured with the GUI.

Examples

The example defines the memory file system to use 1 megabyte of memory and to contain no more than 22222 objects.

CE# mfs mount 1 22222

Related Commands

cfs

show mfs statistics

mkdir

To create a directory, use the mkdir EXEC command.

mkdir directory

Syntax Description

directory

Name of the directory to create.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to create a new directory or subdirectory in the CE file system.

Examples

Console# mkdir /oldpaxfiles

Related Commands

dir

lls

ls

pwd

rmdir

mkfile

To create a new file, use the mkfile EXEC command.

mkfile filename

Syntax Description

filename

Name of the file you want to create.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to create a new file in any directory of the CE.

Examples

Console# mkfile traceinfo

Related Commands

lls

ls

mkdir

no

To negate a command or set its defaults, use the no interface configuration command.

no {autosense | bandwidth | fullduplex | halfduplex | ip}

Syntax Description

autosense

Autosense capability on an interface.

bandwidth

Interface speed.

fullduplex

Full-duplex interface.

halfduplex

Half-duplex interface.

ip

Interface Internet Protocol (IP) configuration commands.

Defaults

No default behavior or values

Command Modes

Interface configuration

Usage Guidelines

Use this command to negate an interface configuration mode command or to set its defaults. See the "Interface Configuration Commands" section of Chapter 1 for syntax options and descriptions.

Examples

Console(config-if)# no autosense

no

To undo a global configuration command or set its defaults, use the no form of a command to undo the original command.

no command

Syntax Description

command

authentication

Configures authentication.

bypass

Configures bypass.

clock

Configures time-of-day clock.

cron

cron commands.

dns-cache

Configures DNS cache.

end

Exit configuration mode.

error-handling

Customizes how CE should handle errors.

exception

Exception handling.

exec-timeout

Configures EXEC timeout.

exit

Exit configuration mode.

ftp

Configures FTP caching related parameters.

gui-server

Configures GUI server.

hostname

Configures the system's network name.

http

Configures HTTP-related parameters.

https

Configures HTTPS-related parameters.

icp

Configures Internet Cache Protocol parameters.

inetd

Configures inetd.

interface

Configures an Ethernet or SCSI interface.

ip

Internet Protocol configuration commands.

ldap

Configures LDAP.

logging

Configures system logging (syslog).

ntp

Configures Network Time Protocol (NTP).

proxy-protocols

Configures proxy protocols-related parameters.

radius-server

Configures RADIUS authentication.

rule

Configures rules.

snmp-server

Configures SNMP.

tacacs

Configures TACACS+ authentication.

tcp

Configures TCP parameters.

terminal

Current Terminal commands.

tftp-server

Configures TFTP server.

transaction-logs

Configures transaction logging.

trusted-host

Configures a trusted host.

url-filter

Configures URL filtering.

wccp

Configures Web Cache Coordination Protocol.

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

Use the no command to disable functions or negate a command. If you need to negate a specific command, such as the default gateway IP address, you must include the specific string in your command, such as no ip default-gateway ip-address.

Examples

Console(config)# wccp version 2 Console(config)# no wccp version 2

no debug

To disable the debugging functions, use the no debug EXEC command.

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

We recommend that the debug commands be used only at the direction of Cisco Systems technical support personnel.

Related Commands

debug

show debug

undebug

ntp

To configure the Network Time Protocol (NTP) and to allow the system clock to be synchronized by a time server, use the ntp server global configuration command. To disable this function, use the no form of this command.

ntp server {hostname | ip-address}

no ntp server {hostname | ip-address}

Syntax Description

hostname

Host name of the time server providing the clock synchronization (maximum of four NTP servers).

ip-address

IP address of the time server providing the clock synchronization (maximum of four NTP servers).

Defaults

The default NTP version number is 3.

Command Modes

Global configuration

Usage Guidelines

Use this command to synchronize the CE clock with the specified server.

Examples

Console(config)# ntp server 172.16.22.44 Console(config)# no ntp server 172.16.22.44

Related Commands

clock

show clock

show ntp

ntpdate

To set the software clock (time and date) using a Network Time Protocol (NTP) server, use the ntpdate EXEC command.

ntpdate {hostname | ip-address}

Syntax Description

hostname

NTP host name.

ip-address

NTP server IP address.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use NTP to find the current time of day and set the CE current time to match. The time must be saved to the hardware clock using the clock save command if it is to be restored after a reload.

Examples

Console# ntpdate 10.11.23.40

Related Commands

clock clear

clock save

clock set

show clock

ping

To send echo packets for diagnosing basic network connectivity on networks, use the ping (packet internet groper) EXEC command.

ping {hostname | ip-address}

Syntax Description

hostname

Host name of system to ping.

ip-address

IP address of system to ping.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

To use this command with the hostname argument, be sure DNS functionality is configured on your CE. To force the timeout of a nonresponsive host, or to eliminate a loop cycle, enter Ctrl-C.

Examples

Console# ping mycacheengine

proxy-protocols

To specify domain names, host names, or IP addresses to be excluded from proxy forwarding, use the proxy-protocols global configuration command.

proxy-protocols {outgoing-proxy exclude {domains-only | enable | list word} | transparent {default-server | original-proxy}}

no proxy-protocols {outgoing-proxy exclude {domains-only | enable | list word} | transparent {default-server | original-proxy}}

Syntax Description

outgoing-proxy exclude

Sets global outgoing proxy exclude criteria.

domains-only

Excludes only the domain names defined by the list option.

enable

Enables global outgoing proxy exceptions.

list

Sets the global outgoing proxy exclude list.

word

Domain names, host names, or IP addresses to be excluded from proxy forwarding.

transparent

Sets transparent mode behavior for proxy requests.

default-server

Uses the CE to go to the origin server or the outgoing proxy,
if configured.

original-proxy

Uses the intended proxy server from the original request.

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

When you enter the proxy-protocols transparent default-server global configuration command, the CE forwards intercepted HTTP and HTTPS proxy-style requests to the outgoing HTTP or HTTPS proxy server, if one is configured. If no outgoing proxy server is configured for the protocol, the request is serviced by the CE and the origin server.

The proxy-protocols transparent original-proxy global configuration option specifies that requests sent by a Web client to another proxy server, but intercepted by the CE in transparent mode, be directed back to the intended proxy server.

The proxy-protocols outgoing-proxy exclude global configuration options allow the administator to specify domain names, host names, or IP addresses to be globally excluded from proxy forwarding. Domains are entered as an ASCII string, separated by spaces. The wildcard character * (asterisk) can be used for IP addresses (for instance, 174.12.*.*). Only one exclusion can be entered per command line. Enter successive command lines to specify multiple exclusions.

Examples

The following example configures the CE to forward intercepted HTTPS proxy-style requests to an outgoing proxy server. The domain names cisco.com, cruzio.com, and the IP addresses 174.12.*.* are excluded from proxy forwarding. The show proxy-protocols command verifies the configuration.

CE(config)# https proxy outgoing host 174.10.10.10 266 CE(config)# proxy-protocols transparent default-server CE(config)# proxy-protocols outgoing-proxy exclude enable CE(config)# proxy-protocols outgoing-proxy exclude list cisco.com CE(config)# proxy-protocols outgoing-proxy exclude list 174.12.*.* CE(config)# proxy-protocols outgoing-proxy exclude list cruzio.com CE# show proxy-protocols all Transparent mode forwarding policies: default server Global outgoing proxy exclude list is enabled Global outgoing proxy exclude list: cisco.com cruzio.com 174.12.24.24 Excluding only the domain names on the list is disabled. The following example configures the CE to forward intercepted HTTP proxy-style requests to the intended proxy server. CE(config)# proxy-protocols transparent original-proxy

Related Commands

http proxy outgoing

https proxy outgoing

show proxy-protocols

pwd

To show the current directory, use the pwd EXEC command.

pwd

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Usage Guidelines

Use this command to display the present working directory of the CE.

Examples

Console# pwd

Examples

cd

dir

lls

ls

radius-server

To configure Remote Authentication Dial-in User Services (RADIUS) parameters, use the radius global configuration command. To disable RADIUS authentication parameters, use the no form of this command.

radius-server {auth-timeout value | exclude {enable | list domainlist} | host {hostname | hostipaddr} [auth-port port] | key keyword | retransmit retries | timeout seconds}

no radius-server {auth-timeout value | exclude {enable | list domainlist} | host {hostname | hostipaddr} [auth-port port] | key keyword | retransmit retries | timeout seconds}

Syntax Description

auth-timeout

Configures RADIUS authentication timeout.

value

Authentication timeout value in minutes (1-1440). Default is 20.

exclude

Excludes local domains (selective authentication).

enable

Enables selective authentication feature.

list

Specifies domains to be excluded from RADIUS authentication.

domainlist

Domain name or IP address.

host

Specifies a RADIUS server.

hostname

Host name of RADIUS server.

hostipaddr

IP address of RADIUS server.

auth-port

Specifies UDP port for RADIUS authentication server.
Default is 1645.

port

Port number (1-65535).

key

Encryption key shared with the RADIUS servers.

keyword

Text of shared key (15 characters maximum).

retransmit

Specifies the number of transmission attempts to an active server.

retries

Number of transmission attempts for a transaction (1-100). Default is 3.

timeout

Time to wait for a RADIUS server to reply.

seconds

Wait time in seconds (1-1000). Default is 5 seconds.

Defaults

See the corresponding parameter description for default values.

Command Modes

Global configuration

Usage Guidelines

RADIUS authentication clients reside on Cisco CEs. When enabled, these clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. Selective RADIUS authentication allows users to access intranet servers without requiring authentication, and can limit RADIUS authentication to those users that access external Web servers.

Selective RADIUS Authentication

Users can specify an exclusion list of IP addresses or domain names (in the form mydomain.com) for which the CE will not perform RADIUS authentication. The maximum number of excluded domains is 64. The selective RADIUS authentication feature can be disabled without deleting the domains.

Examples

Console(config)# radius server 172.16.90.121 70 password enable Console(config)# no radius server 172.16.90.121 70 password enable
By default, selective authentication is disabled and the list of excluded domains is empty.

    Console# show radius Radius Authentication is on Timeout = 5 seconds AuthTimeout = 20 minutes Retransmit = 3 Key = **** Servers ------- IP 1.1.1.1, Port = 1645 State: ENABLED Selective Authentication is off.
For IP addresses, enter the full IP address or use the asterisk "*" as a wildcard for IP address fields as follows:

172.16.1.*

172.16.*.*

172.*.*.*

The syntax 172.16.*.* indicates that all requests to the domain host of 172.16.xxx.xxx will be excluded from RADIUS authentication. Wildcard syntax does not support "0" or "?".

The following uses of the "*" wildcard are not supported:

172.*.10.2

172.16.1*.8

    Console(config)# no radius exclude list cisco.com
    Console(config)# no radius exclude enable
Disabling selective authentication does not delete the domains. The configured domains can still be displayed with the show radius command.

reload

To halt and perform a cold restart on your CE, use the reload EXEC command.

reload

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

To reboot the CE, use the reload command. If no configurations are saved to Flash memory, you will be prompted to enter configuration parameters upon restart. Any open connections will be dropped after you issue this command, and the file system will be reformatted upon restart. To save any file system contents to disk from memory before a restart, use the cache sync command.

Examples

Console# reload

Related Commands

cache sync

write

write erase

rename

To rename a file on your CE, use the rename EXEC command.

rename sourcefile destinationfile

Syntax Description

sourcefile

Source file or path name of the file you want to rename.

destinationfile

Destination file or path name of the new file.

Command Modes

EXEC

Usage Guidelines

Use this command to rename any file within the CE.

Examples

Console# rename ce25.pax ce6399.pax

Related Commands

cpfile

rmdir

To delete a directory, use the rmdir EXEC command.

rmdir directory

Syntax Description

directory

Name of the directory you want to delete.

Command Modes

EXEC

Usage Guidelines

Use this command to remove any directory from the CE file system. The rmdir command removes empty directories only.

Examples

Console# rmdir /local/oldpaxfiles

Related Commands

lls

ls

mkdir

rule

Use the rule global configuration command to set the rules by which the CE filters Web traffic.

rule {block options | enable | no-auth options | no-cache options | no-proxy options | refresh options | selective-cache options | use-proxy options}

rule block {domain LINE | dst-ip d_ipaddress d_subnet | dst-port port | src-ip s_ipaddress s_subnet | url-regex LINE}

rule enable

rule no-auth {domain LINE | dst-ip d_ipaddress d_subnet | dst-port port | src-ip s_ipaddress s_subnet | url-regex LINE}

rule no-cache {domain LINE | dst-ip d_ipaddress d_subnet | dst-port port | mime-type LINE | src-ip s_ipaddress s_subnet | url-regex LINE}

rule no-proxy {domain LINE | dst-ip d_ipaddress d_subnet | dst-port port | src-ip s_ipaddress s_subnet | url-regex LINE}

rule refresh {domain LINE | dst-ip d_ipaddress d_subnet | dst-port port | mime-type LINE | src-ip s_ipaddress s_subnet | url-regex LINE}

rule selective-cache {domain LINE | dst-ip d_ipaddress d_subnet | dst-port port | mime-type LINE | src-ip s_ipaddress s_subnet | url-regex LINE}

rule use-proxy {hostname | ipaddress} port {domain LINE | dst-ip d_ipaddress d_subnet | dst-port port | mime-type LINE | src-ip s_ipaddress s_subnet | url-regex LINE}

rule use-proxy {hostname | ipaddress} failover

no rule {block pattern-type pattern | enable | no-auth pattern-type pattern | no-cache pattern-type pattern| no-proxy pattern-type pattern | refresh pattern-type pattern | selective-cache pattern-type pattern | use-proxy {host | ipaddress} port pattern-type pattern}

Syntax Description

enable

Enables rules processing.

block

Action—Blocks the request.

no-auth

Action—Does not authenticate.

no-cache

Action—Does not cache the object.

no-proxy

Action—Does not use any upstream proxy.

refresh

Action—Revalidates the object with the Web server.

selective-cache

Action—Caches this object if permitted by HTTP.

use-proxy

Action—Uses a specific upstream proxy.

hostname

Host name of the specific proxy.

ipaddress

IP address of the specific proxy.

port

Port number of the specific proxy (1-65535).

failover

Specifies use of failover proxy server if host at hostname or ipaddress is unavailable.

domain

Pattern type—Regular expression to match the domain name.

dst-ip

Pattern type—Destination IP address of the request.

d_ipaddress

Destination IP address of the request.

d_subnet

Destination IP subnet mask.

dst-port

Pattern type—Destination port number.

port

Destination port number (1-65535).

mime-type

Pattern type—MIME type to be matched with the Content-Type HTTP header.

src-ip

Pattern type—Source IP address of the request.

s_ipaddress

Source IP address of the request.

s_subnet

Source IP subnet mask.

url-regex

Pattern type—Regular expression to match a substring of the URL.

LINE

Pattern—Regular expression.

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

A rule is a pattern and an action. If an HTTP request matches the pattern, the corresponding action is performed on the request.

A pattern defines the limits of an HTTP request; for instance, a pattern may specify that the source IP address fall in the subnet range 172.69.*.*.

An action is something the CE performs when processing an HTTP request, for instance, blocking the request, using an alternative proxy, and so forth.

Rules can be dynamically added, displayed, or deleted from the CE. The rules are preserved across reboots because they are written into persistent storage such as NVRAM. Only the system resources limit the number of rules the CE can support. Because rules consume resources, the more rules there are defined, the more CE performance may be affected.

Actions

The Rules Template feature supports eight actions as follows:

rule use-proxy {hostname | ipaddress} 8081 domain cisco.com

rule use-proxy {hostname | ipaddress} failover

Any rule that uses hostname or ipaddress will failover. Each request is checked to determine if the protocol supports failover (Release 2.3.0 supports only HTTP failover). If so, those requests failover to the outgoing proxies configured with the http proxy outgoing. The rule requests use the http proxy outgoing origin-server option if it is configured.

HTTP failover does not apply if the destination is on the exclude list. When in transparent mode, the setting for original proxy takes precendence.


Note   The commands rule no-proxy and rule use-proxy take precedence over
http proxy outgoing.

Rules are ORed together. Multiple rules may all match a request; then all actions are taken, with precedence among conflicting actions. Each rule contains one pattern; patterns cannot be ANDed together. In future releases, ANDed patterns may be supported.


Note   Because the MIME type exists only in the response, only the actions refresh, no-cache, and selective-cache apply to a rule of MIME type.

It is possible to circumvent some rules. For example, to circumvent a rule with the domain pattern, just enter the Web server's IP address instead of the domain name in the browser. A rule may have unintended effects. For instance, a rule with the domain pattern specified as "ibm" that is intended to match "www.ibm.com" can also match domain names like www.ribman.com.

A src-ip rule may not apply as intended to requests that are received from another proxy because the original client IP address is in an X-fowarded-for header.

Patterns

The Rules template feature supports six types of patterns, with the following names and functions.

For example, the administrator can specify a file extension name by entering "\.jpg$". In regular expression syntax, "\" is the escape character and "\." means to match the period "." character.

When making rules for a URL, specifying the double forward slash "//" is not necessary, and can result in a failure to match. For example, to create a rule for any URL containing a file with a .jpg extension, use the expression ".*\.jpg$" rather than ".*://.*\.jpg.*" because a browser under some conditions can issue the HTTP GET command as GET /mydir/me.jpg rather than
GET http://my.dot.com/mydir/me.jpg.

Examples

Multiple patterns can be input on the same line. If any of them matches the incoming HTTP request, the corresponding action is taken.

Console(config)# rule block domain \.foo.com ? LINE <cr> Console(config)# rule block domain \.foo.com bar.com Console(config)# Console(config)# rule no-cache url-regex \.*cgi-bin.* ? LINE <cr> Console(config)# rule no-cache url-regex \.*cgi-bin.* Console(config)# Console(config)# rule no-cache dst-ip 172.77.120.0 255.255.192.0

Most actions do not have any parameters, as in the preceding examples. One exception is use-proxy, as in the following example.

Console(config)# rule use-proxy ? Hostname or A.B.C.D. IP address of the specific proxy Console(config)# rule use-proxy CE.foo.com ? <1-65535> Port number of the specific proxy Console(config)# rule use-proxy CE.foo.com 8080 ?   domain Regular expression to match with the domain name dst-ip Destination IP address of the request dst-port Destination port number src-ip Source IP address of the request url-regex Regular expression to substring match with the URL Console(config)# rule use-proxy CE.foo.com 8080 url-regex ?  LINE Regular expression to substring match with the URL Console(config)# rule use-proxy CE.foo.com 8080 url-regex .*\.jpg$ ? LINE <cr> Console(config)# rule use-proxy CE.foo.com 8080 url-regex .*\.jpg$ .*\.gif$ .*\.pdf$ Console(config)#

Other branches of the rule command work similarly to the above examples.

To delete rules, use no in front of the rule creation command.

Console(config)#no rule block url-regex .*\.jpg$ .*\.gif$ .*\.pdf$ Console(config)#

Related Commands

bypass static

clear statistics rule

http proxy outgoing

proxy-protocols outgoing exclude

show rule

show statistics rule

url-filter

show arp

To display the Address Resolution Protocol (ARP) table, use the show arp EXEC command.

show arp

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show arp LINK LEVEL ARP TABLE destination gateway flags Refcnt Use Interface 171.69.227.129 00:e0:b0:e2:6d:a2 405 1 0 fei0 Console#

show authentication

To display the current Terminal Access Controller Access Control System Plus (TACACS+) current authentication and authorization configuration, use the show authentication command.

show authentication

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show authentication Login Authentication: Console/Telnet Session ----------------------------- ----------------------- local enabled tacacs enabled (primary) Configuration Authentication: Console/Telnet Session ----------------------------- ----------------------- local enabled tacacs enabled

show bypass

To display bypass configuration information, use the show bypass EXEC command.

show bypass [list] [statistics {auth-traffic | load}] [summary]

Syntax Description

list

(Optional.) Displays bypass list entries.

statistics

(Optional.) Shows IP bypass statistics.

auth-traffic

Displays authenticated traffic bypass statistics.

load

Displays load bypass statistics.

summary

(Optional.) Displays a summary of bypass information.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show bypass Total number of HTTP connections bypassed = 3 Connections bypassed due to system overload = 0 Connections bypassed due to authentication issues = 3 Connections bypassed to facilitate error transparency = 0 Connections bypassed due to static configuration = 0 Total number of entries in the bypass list = 2 Number of Authentication bypass entries = 0 Number of Error bypass entries = 0 Number of Static Configuration entries = 2 Console# show bypass list Client Server Entry type ------ ------ ---------- 171.11.11.11:0 any-server:0 static-config any-client:0 171.23.23.23:0 static-config

show cfs

To view information about your cache file system, use the show cfs EXEC command.

show cfs {statistics | volumes}

Syntax Description

statistics

Displays the cache file system statistics.

volumes

Displays the cache file system volumes.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show cfs statistics Filesystem Statistics for volume /c0t0d0s3 Status: mounted Data Bytes Max 6815947 KB Data Bytes Used 39 KB ( 0% full) Disk Wraps 0 Inode Hits 0 Inode Misses 0 CFS Read error 0 CFS Write error 0 Inode Load error 0 Attribute Load error 0 CFS Object Truncations 0 Truncated CFS Object Flushes 0 Volume Clears 0 Mount time Thu Mar 2 09:23:46 2000

Filesystem Statistics for volume /c0t1d0s3 Status: mounted Data Bytes Max 6815947 KB Data Bytes Used 9 KB ( 0% full) Disk Wraps 0 Inode Hits 0 Inode Misses 0 CFS Read error 0 CFS Write error 0 Inode Load error 0 Attribute Load error 0 CFS Object Truncations 0 Truncated CFS Object Flushes 0 Volume Clears 0 Mount time Thu Mar 2 09:23:47 2000 Console# Console# show cfs volumes /c0t0d0s3: mounted /c0t1d0s3: mounted

Related Commands

cfs

show disks

show dosfs

show clock

To display the system clock, use the show clock EXEC command.

show clock [detail]

Syntax Description

detail

(Optional.) Displays detailed information; indicates the clock source (NTP) and the current summertime setting (if any).

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show clock Wed Apr 28 20:52:48 1999 GMT Console# show clock detail Tue Jun 1 14:48:18 1999 GMT Tue Jun 1 07:48:18 1999 LocalTime Epoch: 928248498 seconds UTC offset: -25200 seconds (-7 hr 0 min) timezone: PST summerzone: PDT summer offset: 0 minutes daylight: summer

Related Commands

clock clear

clock save

clock set

show cron

To display cron information, use the show cron EXEC command.

show cron

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show cron ==CRON Configuration== CRON tab file: /local/etc/crontab Legend 1: min hr day-of-mon mon day-of-wk tclsh script-name Legend 2: min hr day-of-mon mon day-of-wk tcl tcl-cmd Sample: 0 5 * * * tclsh /local/test.tcl Crontab for user: "root" Id Type Source Entry 1 log_recycle api 0 * * * * tclsh /local/lib/tcl/recycle.tcl 50000 00 /local/var/log/syslog.txt

show debugging

To display the state of each debugging option, use the show debugging EXEC command.

show debugging

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

This command only displays the type of debugging enabled, not the specific subset of the command. For example, it shows that ICP debugging is enabled but does not define whether that debugging is monitoring ICP client or server packet transfer.

Examples

Console# debug icp client trace Console# show debugging icp debugging is on

Related Commands

debug

no debug

undebug

show disk-partitions

To view information about your disk partitions, use the show disk-partitions EXEC command.

show disk-partitions devname

Syntax Description

devname

Device name.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to display partition information about a particular disk. The command show disks displays the names of the disks currently attached to the CE.

Examples

console# show disk-partitions /c0t0d0 Disk size : 17836668 sectors Partition 1: CISCO_UVFAT_1, offset 63 sectors, size 4192902 sectors Partition 2: CISCO_BFS_1, offset 4192975 sectors, size 1024 sectors Partition 3: CISCO_CFS_1, offset 4194009 sectors, size 13642648 sectors Partition 4: UNUSED, offset 0 sectors, size 0 sectors

Related Commands

disk partition

disk prepare

show disks

show disks

To view information about your disks, use the show disks EXEC command.

show disks

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

The show disks command displays the names of the disks currently attached to the CE. You can partition a disk using the disk partition command.

Examples

Console# show disks /c0t0d0 (scsi bus 0, unit 0, lun 0) /c0t1d0 (scsi bus 0, unit 1, lun 0)

Related Commands

disk partition

disk prepare

show disk-partitions

show dns-cache

To display DNS cache information, use the show dns-cache EXEC command.

show dns-cache

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show dns-cache DNS cache status : CONFIGURED and ONLINE Max cache size : 16384 Hash table size : 4093

show events

To display a number of system events by category, use the show events EXEC command.

show events number {all | critical | notice | warning}

Syntax Description

number

Number of events to display (1 to 65535).

all

Shows all events.

critical

Shows critical events.

notice

Shows notice events.

warning

Shows warning events.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to show the chosen number of events by category.

Examples

Console# show events 10 notice Notice: Waiting for admin traffic on port 8001 Thu, 01 Mar 2000 00:00:10 GMT Notice: Waiting for Web traffic on port 80 Thu, 01 Mar 2000 00:00:09 GMT Notice: Waiting for Web Proxy traffic on port 8080 Thu, 01 Mar 2000 00:00:10 GMT Notice: Waiting for admin traffic on port 8001 Thu, 01 Mar 2000 00:00:10 GMT Notice: Waiting for Web traffic on port 80 cepro#

show file-descriptors

To display information about the CE file descriptors, use the show file-descriptors EXEC command.

show file-descriptors

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show file-descriptors fd name drv 4 /tyCo/0 1 in out err 9 (socket) 6 10 (socket) 6 11 (socket) 6 12 (socket) 6 15 (socket) 6 18 /pipe/ring 2 19 /pipe/log 2 20 /c0t0d0s1/_uv_acl_.db 3 21 /raw0 5 22 /raw1 5 23 /raw2 5 24 /raw3 5 25 /raw4 5 26 /raw5 5 27 /raw6 5 28 /raw7 5 29 /null 0 36 (socket) 6 37 (socket) 6 38 /local/events.dat 4 39 /local/radius.dat 4 50 (socket) 6

show flash

To display the Flash memory content, such as file code names, version numbers, and sizes, use the
show flash EXEC command.

show flash

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show flash System flash directory: File Length Name/status 1 1198448 system image [655360 read only, 1460592 bytes used, 5944976 available, 8388608 total]

show ftp

To display the configuration of the File Transfer Protocol (FTP) on the CE, use the show ftp command.

show ftp

Syntax Description

The show ftp command has no keywords or options.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show ftp FTP heuristic age-multipliers: directory-listing 30% file 60% Maximum time to live in days : directory-listing 3 file 7 Minimum time to live in minutes: 60 No objects are revalidated on every request. Serve-IMS without revalidation if... Directory listing object is less than 50% of max age File object is less than 80% of max age Incoming Proxy-Mode: Servicing Proxy mode FTP connections on ports: 22 23 88 66 48 488 449 90 Outgoing Proxy-Mode: Not using outgoing proxy mode. Maximum size of a cachable object is unlimited. Console#

Related Commands

ftp

show statistics ftp

show gui-server

To display the current port assignment and operational status of the management interface GUI server, use the show gui-server command.

show gui-server

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show gui-server GUI Server is enabled Listen on port 8001

Related Commands

gui-server

show hardware

To display system hardware status, use the show hardware EXEC command.

show hardware

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show hardware Cisco Cache Engine Copyright (c) 1986-2000 by Cisco Systems, Inc. Image text-base 0x108000, data_base 0x425a5c System restarted by Power Up The system has been up for 19 hours, 43 minutes, 21 seconds. System booted from fei Cisco Cache Engine CE505 with CPU AMD-K6 (model 7) (rev. 0) AuthenticAMD 2 Ethernet/IEEE 802.3 interfaces 1 Console interface. 134213632 bytes of Physical Memory 131072 bytes of ROM memory. 8388608 bytes of flash memory.

Related Commands

show version

show hosts

To view the hosts on your CE, use the show hosts EXEC command.

show hosts

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show hosts Domain name = cisco.com Name Servers: ----------- 10.2.2.3 172.89.2.111 Host Table: hostname inet address aliases -------- ------------ ------- localhost 172.0.1.5 Console 172.89.117.254

show http

To display the HTTP-related caching parameters, use the show http EXEC command.

show http {age-mult | all | append | authenticate-strip-ntlm | cache-authenticated | cache-cookies | cache-miss | cache-on-abort | cluster | object | persistent-connections | proxy | reval-each-request | serve-ims | ttl}

Syntax Description

age-mult

HTTP/1.0 caching heuristic modifiers.

all

All HTTP-related caching parameters.

append

Shows HTTP headers appended by CE.

authenticate-strip-ntlm

Handling of requests with NT LAN Manager (NTLM) authentication headers.

cache-authenticated

Caching of authenticated Web objects.

cache-cookies

Caching of Web objects with associated cookies.

cache-miss

Handling of no-cache requests.

cache-on-abort

Configuration of cache-on-abort parameters.

cluster

Cluster healing configuration.

object

Configuration of HTTP object.

persistent-connections

Persistent connections configuration.

proxy

Proxy mode configuration.

reval-each-request

Configuration of revalidation for every request.

serve-ims

Handling of if-modified-since requests.

ttl

Time To Live for objects in the cache.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show http proxy Incoming Proxy-Mode: Servicing Proxy mode HTTP connections on ports: 8080 Outgoing Proxy-Mode: Primary proxy server: 10.1.1.1 port 1 Failed Backup proxy servers: 172.31.227.111 port 8080 Monitor Interval for Outgoing Proxy Servers is 10 seconds Use of Origin Server upon Proxy Failures is enabled.

show https

To display HTTPS proxy status and port policies, use the show https command.

show https {all | destination-port | proxy}

Syntax Description

all

All HTTPS-related configuration parameters.

destination-port

Destination port restrictions.

proxy

Proxy mode configuration.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show https all Incoming HTTPS proxy: Not servicing incoming proxy mode connections. Outgoing HTTPS proxy: Directing request to proxy server at 1.1.1.1 port 76. Destination port policies: Allow all Allow 111 222 333 Allow 33 44 Deny all Deny 20 Deny 20 21 23 119

Related Commands

proxy-protocols

show statistics https

show icp

To display the ICP client, root, or server information, use the show icp EXEC command.

show icp {client | root | server}

Syntax Description

client

Shows ICP client detailed information.

root

Shows ICP brief client/server information.

server

Shows ICP server detailed information.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show icp client ICP client is disabled max wait for replies = 2 seconds remove from wait list after 20 failures local_domain "google.com,cruzio.com" Number of remote servers = 0

Related Commands

icp client

icp server

show inetd

To display TCP/IP services that include echo, discard, chargen, FTP, RCP, Telnet, and TFTP, use the show inetd EXEC command.

show inetd

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show inetd Inetd task ID: 7fbc400 Inetd running configuration: Service Port Proto Func Max Live Total Acpt Rej Stck Lock echo 7 tcp 1d863c 0 0 0 0 0 2048 0 echo 7 udp 1d86dc 0 0 0 0 0 2048 0 discard 9 tcp 1d875c 0 0 0 0 0 2048 0 discard 9 udp 1d87cc 0 0 0 0 0 2048 0 chargen 19 tcp 1d884c 0 0 0 0 0 2048 0 chargen 19 udp 1d88fc 0 0 0 0 0 2048 0 ftp 21 tcp 2b9df0 10 0 0 0 0 4096 0 rcp 514 tcp 1ec45c 5 0 0 0 0 4096 0 tftp 69 udp 2bdf2c 5 0 0 0 0 12288 0 telnet 23 tcp 2b81f0 3 0 0 0 0 4096 0

Related Commands

inetd

show interface

To display hardware interfaces, use the show interface EXEC command.

show interface {ethernet number | scsi number}

Syntax Description

ethernet

Ethernet interface device.

number

Ethernet interface number.

scsi

SCSI interface device.

number

SCSI interface number.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show interface scsi 0 Max Transfer Size: 16777215 Sync: yes Disconnect: yes Wide: yes Console# show interface ethernet 0 fei (unit number 0): Flags: (0x8063) UP BROADCAST MULTICAST ARP RUNNING Type: ETHERNET_CSMACD Internet address: 172.33.211.222 Broadcast address: 172.33.227.225 Netmask 0xffff0000 Subnetmask 0xffffff80 Ethernet address is 00:50:0f:0d:23:06 Maximum Transfer Unit size: 1500 Address Length: 6 Header Length: 14 Metric: 0 Baudrate: 0 Packets Received: 800 Input Errors: 0 Packets Sent: 567 Output Errors: 0 Collisions: 0 Bytes Received: 52754 Bytes Sent: 46678 Multicast Packets Received: 217 Multicast Packets Sent: 0 Received Packets Dropped: 0 Packets with Unknown Protocol: 0 Last Input/Output (ticks): 92746 Line speed: 100Mbit per sec. Duplex: full (AutoSensed) Hardware statistical counters: Current Total ------- ----- Tx good frames: 60 570 Tx MAXCOL errors: 0 0 Tx LATECOL errors: 0 0 Tx underrun errors: 0 0 Tx lost CRS errors: 0 0 Tx deferred: 0 0 Tx single collisions: 0 0 Tx multiple collisions: 0 0 Tx total collisions: 0 0 Rx good frames: 135 1725 Rx CRC errors: 0 0 Rx alignment errors: 0 0 Rx resource errors: 0 0 Rx overrun errors: 0 0 Rx collision detect errors: 0 0 Rx short frame errors: 0 0 (current values are polled and cleared for each display)

Related Commands

interface

show ip routes

To display the IP routing table, use the show ip routes EXEC command.

show ip routes

Syntax Description

routes

Displays routing table.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show ip routes Destination Mask TOS Gateway Flags RefCnt Use IntFace Proto ---------------------------------------------------------------------------- 0.0.0.0 0.0.0.0 0 172.79.27.12 3 2 983 fei0 1 125.0.0.1 0.0.0.0 0 127.0.0.1 5 0 0 lo 0 0 172.79.22.12 255.255.255.1 172.79.27.200 101 0 0 fei0 0 ----------------------------------------------------------------------------

Related Commands

ip route

no ip route

show ldap

To show LDAP server and authentication cache information, use the show ldap EXEC command.

show ldap {authcache | server}

Syntax Description

authcache

Displays the contents of the CE LDAP authentication cache.

server

Displays LDAP server information.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

To display the contents of the authentication cache, use the show ldap authcache command.

Console# show ldap authcache AuthCache ===================== hash 914 : uid: admin nBkt: 0x0 nLRU: 0x0 pLRU: 0x0 lacc: 964025922 ipAddr: a44247ab keyTp: 1

To display the LDAP configuration options of the CE, use the show ldap server command.

Console# show ldap server LDAP Configuration: ------------------ LDAP Authentication is on Timeout = 5 seconds AuthTimeout = 480 minutes Retransmit = 3 UserID-Attribute = uid Filter = Base = "" AllowMode = ENABLED ---------------------- Servers ------- IP 1.1.1.1, Port = 88, State: ENABLED

Related Commands

clear statistics ldap

ldap

show statistics ldap

show logging

To display the system message log configuration, use the show logging EXEC command.

show logging

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show logging Syslog logging: enabled Console logging: level warning Trap logging: disabled Disk logging: level debug Logging to /local/var/log/syslog.txt, recycle size 5000000 Event export: Critical events are exported to syslog

show memory

To display memory blocks and statistics, use the show memory EXEC command.

show memory [free]

Syntax Description

free

(Optional.) Shows free blocks of memory.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show memory free SUMMARY: status bytes blocks avg block max block ------ --------- -------- ---------- ---------- current free 4374032 12 364502 4359952 alloc 125199608 514 243579 - cumulative alloc 125341720 1336 93818 - Page Freelist Summary: status pagesz pages avg contig pages max contig pages ------ ------ ------- ---------------- ---------------- free 4096 15346 3069 15300

show mfs

Use the show mfs command to display the statistics and status information of the memory file system.

show mfs statistics

Syntax Description

statistics

Displays memory file system statistics.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show mfs statistics Filesystem Statistics for volume MFS Status: mounted Data Bytes Max 0 KB Data Bytes Used 0 KB Inode Hits 0 Inode Misses 0 MFS Read error 0 MFS Write error 0 MFS Object Truncations 0 Volume Clears 0 Volume Syncs 1 Mount time Wed Jul 19 08:56:48 2000

Related Commands

mfs

show cfs statistics

show ntp

To display the Network Time Protocol (NTP) parameters, use the show ntp EXEC command.

show ntp status

Syntax Description

status

NTP status.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show ntp status NTP subsystem ------------- servers:

Related Commands

ntp

clock set

clock timezone

show processes

To display CPU or memory processes, use the show processes EXEC command.

show processes [cpu | memory]

Syntax Description

cpu

(Optional.) CPU utilization.

memory

(Optional.) Memory allocation of information.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show processes cpu Current CPU Percentage = 0 Peak CPU Percentage = 22 Console# show processes memory Pages: page size pages free hiwat lowat total --------- ------- ------ ------ ------ ------- 4096 17720 14839 25103 2091 29535 Type: bytes blocks sizes max byt tot blk pagw --------- ------ ------- -------- ------- ---- unknown 1600 100 0x10 1616 104 0 fcache bufhdr 12800 100 0x80 12800 100 0 fcache buffer 614400 100 0x3000 614400 100 0 fcache IO 0 0 0x80 256 46 0 fcache phys 409984 14 0x12040 409984 14 0 confval 192 3 0x350 960 402 0 task 71280 270 0x210 71808 500 0 stack 1257472 135 0x1f800 1323008 250 0 DB misc 2048 2 0x400 2048 2 0 DB hashtab 1024 1 0x400 1024 1 0 DB open 128 1 0x80 128 1 0 DB bufhead 64 2 0x20 64 2 0 DB cache 8192 2 0x1000 8192 2 0 DB databuf 0 0 0xb0 160 244 0 DB api 32 1 0x60 96 123 0 --More-- Console# show processes NAME ENTRY TID PRI STATUS PC SP ERRNO DELAY ---------- ------------ -------- --- ---------- -------- -------- ------- ----- tExcTask 3ca048 3a71aec 0 PEND 3fa981 3a71a5c 3006b 0 tLogTask 39a21c 3a6f1d4 0 PEND 3fa981 3a6ed3c 0 0 tWdbTask 3c46d4 161a18c 3 PEND 3c5a19 1619878 0 0 tScsiTask 3f5920 15ec514 5 PEND 3c5a19 15ec4b4 0 0 tF2000a 1260e8 7df1c00 25 PEND 3c5a19 7ddaf84 0 0 tF2000b 1260e8 7df1e00 25 PEND 3c5a19 7dc9f84 0 0 tF2001a 1260e8 7dc8e00 25 PEND 3c5a19 7507f84 0 0 tF2001b 1260e8 74f5000 25 PEND 3c5a19 74f6f84 0 0 tNetTask 3b201c 162a578 50 PEND 3c5a19 162a52c 41 0 tWCCP2 34e978 74eb200 60 PEND+T 3c5a19 74e8734 3d0004 27 tHotSpot 34b9b0 749a400 60 DELAY 39b996 74b1fa4 0 64 tDtimer 1214d8 7fb1000 75 DELAY 39b996 7f73fa8 0 7 tTtyUtil 264a18 74f5800 75 PEND 3fa981 74eef80 0 0 tOvrldDaemo281120 74a2400 75 PEND 3c5a19 749cfb0 0 0 tHealSrv 336340 74df000 75 PEND+T 3c5a19 74a870c 3d0004 2224 tCfsC000 244ed4 7dc8c00 98 PEND+T 3c5a19 7d93f58 3d0004 210 tCfsC001 244ed4 74f5400 98 PEND+T 3c5a19 74f3f58 3d0004 266 tCfsV000 224a4c 7dc8200 99 PEND+T 3c5a19 7d82f74 3d0004 150 tCfsT000 224d1c 7dc8400 99 PEND 3c5a19 794cfa4 0 0 --More--

show proxy-protocols

To display current global outgoing proxy exclude status and criteria, use the show proxy-protocols command.

show proxy-protocols {all | outgoing-proxy | transparent}

Syntax Description

all

All proxy protocols-related parameters.

outgoing-proxy

Global outgoing proxy exceptions.

transparent

Transparent mode protocol policies.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show proxy-protocols all Transparent mode forwarding policies: original proxy Global outgoing proxy exclude list is disabled Global outgoing proxy exclude list: cisco.com cruzio.com 174.12.24.24 Excluding only the domain names on the list is disabled

Related Commands

proxy-protocols

show radius-server

To show Remote Authentication Dial-in User Service (RADIUS) information, use the
show radius-server EXEC command.

show radius-server

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show radius-server Radius Configuration: --------------------- Radius Authentication is off This could be because there are no servers or key is NULL Timeout = 5 seconds AuthTimeout = 20 minutes Retransmit = 3 Key = Servers ------- Selective Authentication is on. Local domains to be excluded from Radius Authentication: None

show rule

To display rule definitions and to determine rule processing status, use the show rule command.

show rule {action {action-type {all | pattern pattern-type}} | all}

Syntax Description

action

Specifies which rules to show.

all

Shows all the rules.

Action Type

block

Specifies block rule to show.

no-auth

Shows do-not-authenticate rules.

no-cache

Shows no-cache rules.

no-proxy

Shows no-proxy rules.

refresh

Revalidates the object with the Web server.

selective-cache

Caches this object.

use-proxy

Uses a specific upstream proxy.

Pattern Type

domain

Regular expression to match with the domain name.

dst-ip

Destination IP address of the request.

dst-port

Destination port number.

mime-type

MIME type to be matched with the Content-Type HTTP header.

src-ip

Source IP address of the request.

url-regex

Regular expression to match a substring with the URL.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show rule all Rules Template Configuration ---------------------------- Rule Processing Enabled rule block dst-port 33 rule block domain ethel.com rule no-auth domain giggle.com rule no-cache domain fred.com

To display all the rules, use the show rule command as follows:

Console# show rule ? all show all the rules action show all the rules with the same action Console# show rule action ?   block Block the request no-auth Do not authenticate no-cache Do not cache the object no-proxy Do not use any upstream proxy refresh Revalidate the object with the Web server selective-cache Cache this object use-proxy Use a specific upstream proxy ContentEngine Console# show rule action use-proxy ? all show all the rules pattern show all the rules with a specific type of pattern Console# show rule action use-proxy pattern ?   domain Regular expression to match with the domain name dst-ip Destination IP address of the request dst-port Destination port number src-ip Source IP address of the request url-regex Regular expression to substring match with the URL Console# show rule action use-proxy pattern url-regex Action : use-proxy 171.64.1.2 port 8080 Pattern : url-regex \.jpg$ \.gif$ \.pdf$ ...

Related Commands

rule

show statistics rule

clear statistics rule

show running-config

To display the current running configuration information on the terminal, use the show running-config EXEC command. This command is equivalent to the write terminal command.

show running-config

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command in conjunction with the show startup-config command to compare the information in running memory to the startup configuration used during bootup.

Examples

Console# show running-config Building configuration... Current configuration: ! ! ! group add admin gid 0 group add everyone gid 1000 ! user add admin uid 0 password 1 "ceSzbyeb" capability admin-access user add britta uid 2001 ! ! ! hostname Console ! interface ethernet 0 ip address 172.16.0.0 255.255.255.008 ip broadcast-address 172.16.10.0 exit ! ! interface ethernet 1 exit ip domain-name cisco.com ip route 0.0.0.0 0.0.0.0 172.16.0.3 cron file /local/etc/crontab ! bypass static 171.11.11.11 any-server bypass static any-client 172.16.0.5 http cache-cookies http max-ttl days text 4 binary 3 http cache-authenticated http proxy outgoing exclude enable http proxy outgoing exclude list cisco.com http proxy outgoing exclude list cruzio.com http proxy outgoing host 10.2.2.2 8080 http proxy incoming 8080 icp client exclude google.com,cruzio.com url-filter websense server 172.16.12.0 port 3333 timeout 5 no url-filter websense allowmode wccp router-list 1 10.1.1.1 wccp web-cache router-list-num 1 wccp reverse-proxy router-list-num 1 wccp custom-web-cache router-list-num 1 port 1 hash-destination-ip weight 33 wccp home-router 10.1.1.1 wccp version 1 ! radius-server exclude enable transaction-logs archive files 5 transaction-logs archive interval 600 transaction-logs enable transaction-logs export interval 3600 transaction-logs export enable ! exec-timeout 60 ! end

Related Commands

configure

copy running-config

copy startup-config

write terminal

show services

To display which services are running on which ports, use the show services command.

show services {ports port_number | summary}

Syntax Description

ports

Displays services by port.

port_number

Specifies up to eight port numbers (1-65535).

summary

Displays services summary.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

This example displays a summary of all configured services and their port numbers.

Console# show services summary Service Ports -------------------------------------------------------------------- Web Cache 80 Reverse Proxy 80 Custom Web Cache 473 WCCPv2 Service 90 10 200 3000 8080 8082 40000 HTTP Proxy 8080 GUI Server 8001

This example displays service information by port number.

Console# show services ports Service information by port --------------------------- 8001 Started on Thu Jul 27 09:49:21 2000 Runs 1 service GUI Server 8080 Started on Thu Jul 27 09:49:24 2000 Runs 2 services Proxy Mode : HTTP Transparent Mode: WCCPv2 Service 90 Proxy protocols allowed in transparent mode: HTTP HTTPS 80 Started on Thu Jul 27 09:49:24 2000 Runs 2 services Transparent Mode: Web Cache Reverse Proxy Proxy protocols allowed in transparent mode: HTTP HTTPS 473 Started on Thu Jul 27 09:49:24 2000 Runs 1 service Transparent Mode: Custom Web Cache Proxy protocols allowed in transparent mode: HTTP HTTPS 8082 Started on Thu Jul 27 09:49:24 2000 Runs 1 service Transparent Mode: WCCPv2 Service 90 Proxy protocols allowed in transparent mode: HTTP HTTPS 10 Started on Thu Jul 27 09:49:24 2000 Runs 1 service Transparent Mode: WCCPv2 Service 90 Proxy protocols allowed in transparent mode: HTTP HTTPS 200 Started on Thu Jul 27 09:49:24 2000 Runs 1 service Transparent Mode: WCCPv2 Service 90 Proxy protocols allowed in transparent mode: HTTP HTTPS 3000 Started on Thu Jul 27 09:49:24 2000 Runs 1 service Transparent Mode: WCCPv2 Service 90 Proxy protocols allowed in transparent mode: HTTP HTTPS 40000 Started on Thu Jul 27 09:49:24 2000 Runs 1 service Transparent Mode: WCCPv2 Service 90 Proxy protocols allowed in transparent mode: HTTP HTTPS

This example displays service information for ports 8082 and 8080 only.

Console# show services ports 8082 8080 Service information by port --------------------------- 8082 Started on Thu Jul 27 09:49:24 2000 Runs 1 service Transparent Mode: WCCPv2 Service 90 Proxy protocols allowed in transparent mode: HTTP HTTPS 8080 Started on Thu Jul 27 09:49:24 2000 Runs 2 services Proxy Mode : HTTP Transparent Mode: WCCPv2 Service 90 Proxy protocols allowed in transparent mode: HTTP HTTPS

Related Commands

wccp service-number

wccp custom-web-cache

wccp port-list

wccp reverse-proxy

wccp service-number

wccp web-cache

show snmp

To check the status of SNMP communications, use the show snmp EXEC command.

show snmp

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

This command provides counter information for SNMP operations.

Examples

Console# show snmp Contact: Mary Brown, system admin, mbrown@acme.com 555-1111 Location: Building 2, 1st floor, Lab 1 37 SNMP packets input 0 Bad SNMP version errors 4 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 24 Number of requested variables 0 Number of altered variables 0 Get-request PDUs 28 Get-next PDUs 0 Set-request PDUs 78 SNMP packets output 0 Too big errors 0 No such name errors 0 Bad values errors 0 General errors 24 Response PDUs 13 Trap PDUs

Table 2-1 describes the fields shown in the display.


Table 2-1: show snmp Field Descriptions
Field Description

SNMP packets input

Total number of SNMP packets input.

  Bad SNMP version errors

Number of packets with an invalid SNMP version.

  Unknown community name

Number of SNMP packets with an unknown community name.

  Illegal operation for   community name supplied

Number of packets requesting an operation not allowed for that community.

  Encoding errors

Number of SNMP packets that were improperly encoded.

  Number of requested variables

Number of variables requested by SNMP managers.

  Number of altered variables

Number of variables altered by SNMP managers.

  Get-request PDUs

Number of GET requests received.

  Get-next PDUs

Number of GET-NEXT requests received.

  Set-request PDUs

Number of SET requests received.

SNMP packets output

Total number of SNMP packets sent by the router.

  Too big errors

Number of SNMP packets that were larger than the maximum packet size.

  Maximum packet size

Maximum size of SNMP packets.

  No such name errors

Number of SNMP requests that specified a MIB object that does not exist.

  Bad values errors

Number of SNMP SET requests that specified an invalid value for a MIB object.

  General errors

Number of SNMP SET requests that failed because of some other error. (It was not a No such name error, Bad values error, or any of the other specific errors.)

  Response PDUs

Number of responses sent in reply to requests.

  Trap PDUs

Number of SNMP traps sent.

Related Commands

snmp-server

show stacktrace

To get stack trace information from your CE, use the show stacktrace EXEC command.

show stacktrace {task-ID | exception}

Syntax Description

task-ID

Hexadecimal number without a 0x prefix (0 toFFFFFFFF).

exception

Stack trace on previous exception.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show stacktrace exception

show startup-config

To show the startup configuration, use the show startup-config EXEC command.

show startup-config

Syntax Description

This command has no keywords or arguments.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to display the configuration used during an initial bootup, stored in NVRAM.

Examples

Console# show startup-config Configuration Size 2552 bytes ! ! logging event-export critical-events warning user ! group add admin gid 0 group add everyone gid 1000 group add LocalUsers gid 1004 ! user add admin uid 0 password 1 "ceSzbyeb" capability admin-access user add bwhidney uid 5013 password 1 "bSzyydQbSb" capability admin-access user add name uid 5001 ! ! ! hostname Console ! interface ethernet 0 ip address 172.31.227.250 255.255.255.128 ip broadcast-address 172.31.227.255 exit ! ! interface ethernet 1 exit ! ip default-gateway 172.21.227.129 ip name-server 10.1.2.2 ip name-server 172.21.2.132 ip domain-name cisco.com ip route 0.0.0.0 0.0.0.0 172.31.227.129 cron file /local/etc/crontab clock timezone pst -8 0 ! bypass static 172.11.11.11 any-server bypass static any-client 172.23.23.23 http cache-cookies http max-ttl days text 4 binary 3 http cache-authenticated http proxy outgoing origin-server http proxy incoming 8080 icp client exclude google.com,cruzio.com url-filter websense server 172.22.11.22 port 3333 timeout 5 no url-filter websense allowmode wccp router-list 1 10.1.1.1 wccp router-list 2 10.1.1.1 wccp router-list 3 10.1.1.1 wccp port-list 1 8082 8080 10 200 3000 40000 wccp port-list 2 65222 65333 wccp port-list 3 10 200 3000 40000 wccp web-cache router-list-num 1 wccp reverse-proxy router-list-num 3 wccp custom-web-cache router-list-num 1 port 473 hash-destination-ip wccp service-number 90 router-list-num 1 port-list-num 1 hash-destination-ip wei ght 20 password totot wccp home-router 10.1.1.1 wccp version 2 wccp shutdown max-wait 1 ! radius-server exclude enable authentication login tacacs enable primary authentication login local enable authentication configuration tacacs enable authentication configuration local enable ldap server host 1.1.1.1 port 88 ldap server allow-mode transaction-logs archive files 5 transaction-logs archive interval every-day at 12:00 transaction-logs enable transaction-logs export enable transaction-logs sanitize proxy-protocols transparent original-proxy rule enable rule block dst-port 33 rule block domain ethel.com rule no-auth domain google.com rule no-cache domain fred.com https proxy outgoing host 1.1.1.1 76 https destination-port allow all https destination-port deny 20 21 23 119 ! exec-timeout 60 ! end

Related Commands

configure

copy running-config

show running-config

write terminal

show statistics

To display CE statistics, use the show statistics EXEC command.

show statistics {authentication | bypass [auth-traffic | load | summary] | cfs | dns-cache | ftp | http {ims | object | performance | proxy outgoing | requests | savings | usage} | https | icmp | icp {client | cluster | server} | ip | ldap {authcache | server {interface | protocol}} | mbuf | netstat | radius-server | routing | rule {action {action-type {all | pattern pattern-type}} | all} | services | tcp | tacacs | transaction-logs | udp | url-filter websense}

Syntax Description

authentication

Displays authentication and authorization statistics.

bypass

Displays bypass statistics.

auth-traffic

Displays authenticated traffic bypass statistics.

load

Displays load bypass statistics.

summary

Displays a summary of bypass statistics.

cfs

Displays cache file system statistics.

dns-cache

Displays DNS cache statistics.

ftp

Displays FTP caching statistics.

http

Displays HTTP caching statistics.

ims

Displays HTTP if-modified-since statistics.

object

Displays HTTP object statistics.

performance

Displays HTTP performance statistics.

proxy outgoing

Displays outgoing requests that were directed to another proxy-server.

requests

Displays HTTP requests statistics.

savings

Displays HTTP savings statistics.

usage

Displays HTTP usage statistics.

https

Displays HTTPS statistics.

icmp

Displays ICMP statistics.

icp

Displays ICP caching statistics.

client

Displays ICP client statistics.

cluster

Displays ICP cluster statistics.

server

Displays ICP server statistics.

ip

Displays IP statistics.

ldap

Selects Lightweight Directory Access Protocol (LDAP) statistics.

authcache

Displays LDAP authentication cache statistics.

server

Selects LDAP server statistics.

interface

Displays LDAP interface statistics.

protocol

Displays LDAP protocol response counts.

mbuf

Displays memory buffer statistics.

netstat

Displays Internet socket connections.

radius-server

Displays RADIUS statistics.

routing

Displays routing statistics.

rule

Selects rule statistics.

action

Displays rule statistics of the specified action.

action-type

Specifies one of the following actions:

  • Block

  • No-auth

  • No-cache

  • No-proxy

  • Refresh

  • Selective-cache

  • Use-proxy

See the "rule" section for explanations of actions and patterns.

action-type all

Displays statistics of all the patterns for this action.

action-type pattern

Displays statistics of rules with specified pattern.

pattern-type

Specify one of the following patterns:

  • domain

  • dst-ip

  • dst-port

  • src-ip

  • url-regex

See the "rule" section for explanations of patterns and actions.

all

Displays all rule statistics.

services

Displays services information.

tacacs

Displays TACACS+ statistics.

tcp

Displays TCP statistics.

transaction-logs

Displays transaction-log export statistics.

udp

Displays UDP statistics.

url-filter websense

Displays Websense URL filtering statistics.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

To clear statistics without affecting configurations, use the clear statistics command. This will set all counters to zero.

Examples

Console# show statistics icmp ICMP: 0 call to icmp_error 0 error not generated because old message was icmp Output histogram: echo reply: 37 0 message with bad code fields 0 message < minimum length 0 bad checksum 0 message with bad length Input histogram: destination unreachable: 1091 echo: 37 37 message responses generated

To show LDAP statistics, use the show statistics ldap server protocol command. The output is displayed for each LDAP server. Because of the large number of protocol responses (about 50), only nonzero statistics are displayed.

Console# show stat ldap server protocol LDAP Server --------------------------------- 1.1.1.1 LDAP Success: 2005 LDAP Invalid Syntax: 3 --------------------------------- 100.4.5.6 LDAP Success: 100 LDAP Undefined Type: 9 LDAP Unwilling To Perform: 8

To show statistics about access to the LDAP authentication cache, use the show stat ldap authcache command.

Console# show stat ldap authcache Adds 1308 Deletes 297 Hits 23491 Misses 1598 Current Entries Used 1011 No Avail Entry 0 Avg.Cache Search 1.3 Max Cache Search Miss 3 Max Cache Search Hit 2 Dup Add Attempts 0 Number of Compares 26998 Userid Passwd Too Long 0

The show statistics ldap server interface command shows the LDAP statistics that refer to the interface between the rest of the CE code and the LDAP module. The output is broken down by server.

Console# show stat ldap server interface LDAP Server --------------------------------------- 1.1.1.1 Attempts Successes Fails Connect 0 0 0 Bind 0 0 0 Search 0 0 0 Unknown Password Format: ------------------------------------------ 100.4.5.6 Attempts Successes Fails Connect 0 0 0 Bind 0 0 0 Search 0 0 0 Unknown Password Format: ----------------------------------------

To display all rules, use the show statistics rule all command.

Console# show statistics rule all Rules Template Statistics ------------------------- Rule hit count = 0 Rule: rule block dst-port 33 Rule hit count = 0 Rule: rule block domain sample1.com Rule hit count = 0 Rule: rule no-auth domain sample2.com Rule hit count = 0 Rule: rule no-cache domain .foo.com Console# show statistics rule ? all show all the rules action show all the rules with the same action Console# show statistics rule action ?   block Block the request no-auth Do not authenticate no-cache Do not cache the object no-proxy Do not use any upstream proxy refresh Revalidate the object with the Web server selective-cache Cache this object use-proxy Use a specific upstream proxy Console# show statistics rule action no-cache ? all show all the rules pattern show all the rules with the same type of pattern Console#show statistics rule action no-cache pattern ?   domain Regular expression to match with the domain name dst-ip Destination IP address of the request dst-port Destination port number mime-type MIME type to be matched with the Content-Type src-ip Source IP address of the request url-regex Regular expression to substring match with the URL Console# show statistics rule action no-cache pattern domain Action : no-cache Pattern : domain .foo.com Time executed : 35 12 77 ...

The following example displays FTP statistics.

CE# show statistics ftp FTP Statistics -------------- FTP requests Received = 9 FTP Hits Requests Percentage Number of hits = 2 22.2 % Bytes = 13542 22.0 % FTP Misses Requests Percentage Number of misses = 7 77.8 % Bytes = 47946 78.0 % Requests sent to Outgoing Proxy = 7 Requests sent to origin ftp server = 0 FTP error count = 0

Related Commands

clear statistics

show tacacs

To display the settings for the Terminal Access Controller Access Control System Plus (TACACS+) server, use the show tacacs EXEC command.

show tacacs

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show tacacs Login Authentication for Console/Telnet Session: enabled (primary) Configuration Authentication for Console/Telnet Session: enabled (primary) TACACS Configuration: --------------------- Key = Timeout = 10 seconds Retransmit = 2 times Server Status --------------------- ------ 171.69.236.175 primary 171.69.227.254

You can also display login and configuration authentications using the show authentication command.

CE# show authentication Login Authentication: Console/Telnet Session ----------------------------- ----------------------- local enabled tacacs enabled (primary) Configuration Authentication: Console/Telnet Session ----------------------------- ----------------------- local enabled tacacs enabled (primary)

Related Commands

authentication

show authentication

tacacs

show tcp

To display TCP configuration information, use the show tcp EXEC command.

show tcp

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show tcp ==TCP Configuration== TCP keepalive timeout 300 sec TCP keepalive probe count 4 TCP keepalive probe interval 75 sec TCP server R/W timeout 120 sec TCP client R/W timeout 120 sec TCP server send buffer 8 k TCP server receive buffer 32 k TCP client send buffer 32 k TCP client receive buffer 8 k TCP Listen Queue 200 TCP init ssthresh 65536 TCP cwnd base 2 TCP server max segment size 1432 TCP server satellite (RFC1323) disabled TCP client max segment size 1432 TCP client satellite (RFC1323) disabled TCP retransmit drop threshold 1

show tech-support

To view information necessary for Cisco's Technical Assistance Center (TAC) to assist you, use the show tech-support EXEC command.

show tech-support [page]

Syntax Description

page

(Optional.) Pages through output.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to view system information necessary for TAC to assist you with your CE. This is a long display. You can manage the output using the terminal length command.

Examples

Console# show tech-support ---------------------show hardware--------------------- Cisco Cache Engine Copyright (c) 1986-1999 by Cisco Systems, Inc. Software Release: CE ver 2.09 (Build: #17 03/02/00) Compiled: 06:19:45 Mar 2 2000 by morlee Image text-base 0x108000, data_base 0x392064 System restarted by Reload The system has been up for 3 hours, 12 minutes, 23 seconds. System booted from "flash" Cisco Cache Engine CE505 with CPU AMD-K6 (model 7) (rev. 0) AuthenticAMD 2 Ethernet/IEEE 802.3 interfaces 1 Console interface. 134213632 bytes of Physical Memory 131072 bytes of ROM memory. 8388608 bytes of flash memory. ---More---

show tftp-server

To display configured TFTP directories, use the show tftp-server EXEC command.

show tftp-server

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console#show tftp-server == TFTPD Directory List == /local/public

show transaction-logging

To show the transaction log summaries or to show transaction log settings, use the show transaction-logging EXEC command.

show transaction-logging [entries number]

Syntax Description

entries

(Optional.) Displays the last number of entries to the working log file.

number

Number of most recent entries to display (1-256).

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use the show transaction-logging command to display the current settings for the transaction logging feature.

Use the show transaction-logging entries number command to display the last entries to the working log files. Transaction logging must be enabled in order for the show transaction-logging entries command to work.

Examples

Console# show transaction-logging Transaction Logs: Logging is enabled. End user identity is hidden. (sanitized) File markers are disabled Archive interval: every-day at 12:00 Maximum Number of Archived Files: 5 Exporting files to servers is enabled. Export interval: every-day every 1 hour Working Log file - size: 0 age: 18449 Archive Log file - celog_171.69.227.250_20000802_120000.txt size: 0

show trusted-hosts

To display the name of the CE trusted hosts, use the show trusted-hosts EXEC command.

show trusted-hosts

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show trusted-hosts Trusted Host checking: ON 111.333.123.2/C_Medici 333.222.111.1/Procrustes

show url-filter

To display URL filter information, use the show url-filter EXEC command.

show url-filter [statistics websense]

Syntax Description

statistics websense

(Optional.) Displays Websense URL filtering statistics.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show url-filter Websense URL Filtering Lookup enabled Websense Server = 171.22.11.22 Server Port = 3333 Server Timeout = 5 Allowmode is not enabled. Console# show url-filter statistics websense Websense URL Filtering Statistics: Lookup requests transmitted = 0 Lookup responses received = 0 Requests BLOCKed by Websense = 0 Requests OKed by Websense = 0

show user

To display user information for a particular user, use the show user EXEC command.

show user {uid number | username name}

Syntax Description

uid

User ID keyword.

number

User ID number (0-2147483647).

username

Displays information for a user.

name

Username.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console#show user username bwhidney Username : bwhidney Uid : 5013 Number of Groups : 1 Primary Group : everyone (1000) Password : bSzyydQbSb Comment : HomeDir : /local Capability : admin-access

Related Commands

show groups

show users

show users

To display all users, use the show users EXEC command.

show users

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show users There are 2 user(s) UID USERNAME 0 admin 5013 bwhidney

Related Commands

show groups

show user

show version

To display the current software on your CE, use the show version EXEC command.

show version

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show version Cisco Cache Engine Copyright (c) 1986-2000 by Cisco Systems, Inc. Software Release: CE ver 2.28 (Build: #7 07/21/00) Compiled: 18:04:21 Jul 21 2000 by morlee Image text-base 0x108000, data_base 0x4317dc System restarted by Power Up The system has been up for 6 days, 7 hours, 20 minutes, 12 seconds. System booted from "flash"

show wccp

To display WCCP information, use the show wccp EXEC command.

show wccp {cache-engines | flows {custom-web-cache | reverse-proxy | web-cache} routers | services | slowstart {custom-web-cache | reverse-proxy | web-cache}| status}

Syntax Description

cache-engines

Shows WCCP CE information.

flows

Shows WCCP packet flow count by bucket.

custom-web-cache

Custom web caching service.

reverse-proxy

Reverse proxy web caching service.

web-cache

Standard web caching service.

routers

Shows WCCP router list.

services

Show WCCP services configured.

slowstart

Show WCCP slow start state for the selected service.

status

Shows which version of WCCP is enabled and running.

Defaults

No default behavior or values

Command Modes

EXEC

Examples

Console# show wccp routers Routers Seeing this Cache Engine Router Id Sent To 0.0.0.0 10.1.1.1 Routers not Seeing this Cache Engine 10.1.1.1 Routers Notified of but not Configured -NONE- Multicast Addresses Configured -NONE- Router Information for Service: Reverse-Proxy Routers Seeing this Cache Engine Router Id Sent To 0.0.0.0 10.1.1.1 Routers not Seeing this Cache Engine 10.1.1.1 Routers Notified of but not Configured -NONE- Multicast Addresses Configured -NONE-

snmp-server community

To enable the SNMP agent and set up the community access string to permit access to the SNMP agent, use the snmp-server community global configuration command. Use the no form of this command to disable the SNMP agent and to remove the previously configured community string.

snmp-server community string

no snmp-server community

Syntax Description

string

Community string that acts like a password and permits access to the SNMP agent.

Defaults

The SNMP agent is disabled and a community string is not configured.

When configured, an SNMP community string by default permits read-only access to all objects.

Command Modes

Global configuration

Examples

The following example enables the SNMP agent and assigns the community string comaccess to SNMP:

Console(config)# snmp-server community comaccess

The following example disables the SNMP agent and removes the previously defined community string.

Console(config)# no snmp-server community

Related Commands

show snmp

snmp-server contact

To set the system contact (sysContact) string, use the snmp-server contact global configuration command. Use the no form of this command to remove the system contact information.

snmp-server contact line

no snmp-server contact

Syntax Description

contact

Text for MIB object sysContact.

line

Identification of the contact person for this managed node.

Defaults

No system contact string is set.

Command Modes

Global configuration

Usage Guidelines

The system contact string is the value stored in the MIB-II system group sysContact object.

Examples

The following example is a system contact string.

Console# snmp-server contact Dial System Operator at beeper # 27345 Console# no snmp-server contact

Related Commands

snmp-server location

show snmp

snmp-server enable traps

To enable the Content Engine to send SNMP traps, use the snmp-server enable traps global configuration command. Use the no form of this command to disable all SNMP traps or only SNMP authentication traps.

snmp-server enable traps [snmp authentication]

no snmp-server enable traps [snmp authentication]

Syntax Description

snmp authentication

(Optional.) Enables sending the MIB-II SNMP authentication trap.

Defaults

This command is disabled by default. No traps are enabled.

Command Modes

Global configuration

Usage Guidelines

If you do not enter an snmp-server enable traps command, no traps are sent. In order to configure traps, you must enter the snmp-server enable traps command.

The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP traps. To send traps, you must configure at least one snmp-server host command.

For a host to receive a trap, both the snmp-server enable traps command and the snmp-server host command for that host must be enabled.

In addition, SNMP must be enabled with the snmp-server community command.

To disable the sending of the MIB-II SNMP authentication trap, you must enter the command
no snmp-server enable traps snmp authentication.

Examples

The following example enables the router to send all traps to the host 172.31.2.160 using the community string public.

Console(config)# snmp-server enable traps Console(config)# snmp-server host 172.31.2.160 public Console(config)# no snmp-server enable traps

Related Commands

snmp-server host

snmp-server community

snmp-server host

To specify the recipient of an SNMP trap operation, use the snmp-server host global configuration command. Use the no form of this command to remove the specified host.

snmp-server host {hostname | ip-address} communitystring

no snmp-server host {hostname | ip-address} communitystring

Syntax Description

hostname

Host name of SNMP trap host.

ip-address

IP address of SNMP trap host.

communitystring

Password-like community string sent with the trap operation.

Defaults

This command is disabled by default. No traps are sent.

The version of the SNMP protocol used to send the traps is SNMPv1.

Command Modes

Global configuration

Usage Guidelines

If you do not enter an snmp-server host command, no traps are sent. To configure the CE to send SNMP traps, you must enter at least one snmp-server host command. To enable multiple hosts, you must issue a separate snmp-server host command for each host. The maximum number of snmp-server host commands is four.

When multiple snmp-server host commands are given for the same host, the community string in the last command is used.

The snmp-server host command is used in conjunction with the snmp-server enable traps command to enable SNMP traps.

In addition, SNMP must be enabled with the snmp-server community command.

The MIB is located in the /local/lib/gui/snmp directory of the CE as the file CISCO-CACHEENGINE-MIB.my.

Examples

The following example sends the SNMP traps defined in RFC 1157 to the host specified by the IP address 172.16.2.160. The community string is comaccess.

Console(config)# snmp-server enable traps Console(config)# snmp-server host 172.16.2.160 comaccess

The following example removes the host 172.16.2.160 from the SNMP trap recipient list.

Console(config)# no snmp-server host 172.16.2.160

Related Commands

snmp-server enable traps

snmp-server community

snmp-server location

To set the SNMP system location string, use the snmp-server location global configuration command. Use the no form of this command to remove the location string.

snmp-server location line

no snmp-server location

Syntax Description

line

String that describes the physical location of this node.

Defaults

No system location string is set.

Command Modes

Global configuration

Usage Guidelines

The system location string is the value stored in the MIB-II system group system location object.

You can see the system location string with the show snmp EXEC command.

Examples

The following example is a system location string.

Console(config)# snmp-server location Building 3/Room 214

Related Commands

show snmp

snmp-server contact

tacacs

To configure Terminal Access Controller Access Control System Plus (TACACS+) server-related parameters, use the tacacs global configuration command.

tacacs {key keyword | retransmit retries | server {hostname | ipaddress} [primary] | timeout seconds}

Syntax Description

key

Sets security word.

keyword

Specifies keyword. An empty string is the default.

retransmit

Sets number of times requests are retransmitted to a server.

retries

Specifies number of attempts allowed (1-10). The default is two retry attempts.

server

Sets a server address.

hostname

Specifies host name of TACACS+ server.

ipaddress

Specifies IP address of TACACS+ server.

primary

Sets server as primary.

timeout

Sets number of seconds to wait before a request to a server is timed out.

seconds

Specifies the timeout in seconds (1-255). The default is 5 seconds.

Defaults

An empty keyword string is the default. The default timeout time is 5 seconds. The default number of retry attempts is two.

Command Modes

Global configuration

Usage Guidelines

A TACACS+ server must be configured before you enable TACACS+ authentication on the CE. The CE can be configured to use the local password authentication if the TACACS+ password authentication fails. See the "authentication" section for more information.

Use the tacacs key command to specify the TACACS+ key, used to encrypt the packets transmitted to the server. This key must be the same as the one specified on the server daemon. The maximum number of characters in the key should not exceed 99 printable ASCII characters (except tabs). An empty key string is the default. All leading spaces are ignored; spaces within and at the end of the key string are not ignored. Double quotes are not required even if there are spaces in the key, unless the quotes themselves are part of the key.

One primary and two backup TACACS+ servers can be configured; authentication is attempted on the primary server first, then on the others in the order in which they were configured. The primary server is the first server configured unless another is explicitly specified as primary with the tacacs server hostname primary command.

The tacacs timeout is the number of seconds the CE waits before declaring a timeout on a request to a particular TACACS+ server. The range is from 1-255 seconds with 5 seconds as the default. The number of times the CE repeats a retry-timeout cycle before trying the next TACACS+ server is specified by the tacacs retransmit command. The default is two retry attempts.

Three unsuccessful login attempts are permitted. TACACS+ logins may appear to take more time than local logins depending on the number of TACACS+ servers and the configured timeout and retry values.

Examples

This example configures the key used in encrypting packets.

CE(config)# tacacs key bronzemonkey789

This example configures the host named rasputin as the primary TACACS+ server.

CE(config)# tacacs server rasputin primary

This example sets the timeout interval for the TACACS+ server.

CE(config)# tacacs timeout 10

This example sets the number of times authentication requests are retried (retransmitted) after a timeout.

CE(config)# tacacs retransmit 5

Related Commands

authentication

show authentication

show statistics authentication

show statistics tacacs

show tacacs

tclsh

The tclsh command is for Cisco Systems internal use only.

tcp

To configure TCP parameters, use the tcp global configuration command. To disable TCP parameters, use the no form of this command.

tcp {client-mss maxsegsize | client-receive-buffer kbytes | client-rw-timeout seconds | client-satellite | client-send-buffer kbytes | cwnd-base factor | init-ssthresh value | keepalive-probe-cnt count | keepalive-probe-interval seconds | keepalive-timeout seconds | listen-queue length | server-mss maxsegsize | server-receive-buffer kbytes | server-rw-timeout seconds | server-satellite | server-send-buffer kbytes}

no tcp {client-mss maxsegsize | client-receive-buffer kbytes | client-rw-timeout seconds | client-satellite | client-send-buffer kbytes | cwnd-base factor | init-ssthresh value | keepalive-probe-cnt count | keepalive-probe-interval seconds | keepalive-timeout seconds | listen-queue length | server-mss maxsegsize | server-receive-buffer kbytes | server-rw-timeout seconds | server-satellite | server-send-buffer kbytes}

Syntax Description

client-mss

Sets client TCP maximum segment size.

maxsegsize

Maximum segment size in bytes (512-1460).

client-receive-buffer

Sets client receive buffer size.

kbytes

Receive buffer size in kilobytes (1-1024).

client-rw-timeout

Sets client connection's read/write timeout.

seconds

Timeout in seconds (1-3600).

client-satellite

Client TCP compliance to RFC 1323 standard.

client-send-buffer

Client connection's send buffer size.

kbytes

Send buffer size in kilobytes (8-1024).

cwnd-base

Sets TCP cwnd base factor.

factor

Factor value (1-16).

init-ssthresh

Sets TCP initial smooth threshold.

value

Threshold value (2920-1073741824).

keepalive-probe-cnt

Sets TCP keepalive probe counts.

count

Number of probe counts (1-10).

keepalive-probe-interval

TCP keepalive probe interval.

seconds

Keepalive probe interval in seconds (1-300).

keepalive-timeout

TCP keepalive timeout.

seconds

Keepalive timeout in seconds (1 to 3600).

listen-queue

Maximum size of TCP listen queue.

length

Listen queue length in kilobytes (1-1000).

server-receive-buffer

Server connection receive buffer size.

kbytes

Receive buffer size in kilobytes (1-1024).

server-rw-timeout

Server connection read/write timeout.

seconds

Read/write timeout in seconds (1-3600).

server-satellite

Server TCP compliance to RFC 1323 standard.

server-send-buffer

Server connection send buffer size.

kbytes

Buffer size in kilobytes (1-1024).

Defaults

tcp client-receive-buffer: 8 kilobytes

tcp client-rw-timeout: 30 seconds

tcp client-send-buffer: 8 kilobytes

tcp keepalive-probe-cnt: 4

tcp keepalive-probe-interval: 75 seconds

tcp keepalive-timeout: 300 seconds

tcp server-receive-buffer: 8 kilobytes

tcp server-rw-timeout: 120 seconds

tcp server-send-buffer: 8 kilobytes

Usage Guidelines

In nearly all environments, the default TCP setting is adequate. If you modify the listen-queue settings, reboot the CE to effect the changes.

Command Modes

Global configuration

Examples

Console(config)# tcp client-receive-buffer 100 Console(config)# no tcp client-receive-buffer 100

Related Commands

show tcp

terminal

To display the current console debug command output, use the terminal EXEC command

terminal monitor

Syntax Description

monitor

Monitors debug command output on the console.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

This command allows a Telnet session to display the output of the debug commands that appear on the console. The monitoring continues until the Telnet session is terminated.

Examples

Console# terminal monitor

terminal

To set the number of lines displayed in the console window, use the terminal global configuration command. To set the default value, use the no form of the command.

terminal length lines

no terminal length

Syntax Description

length

Sets the number of lines displayed by the terminal screen.

lines

Number of lines on the screen displayed before pausing (0 to 512). Enter 0 for no pausing.

Defaults

Default is 24 lines.

Command Modes

Global configuration

Usage Guidelines

When 0 is entered as the lines parameter, output to the screen does not pause. For all non-zero values of lines, the -More- prompt is displayed when the number of output lines match the specified lines number. The -More- prompt is considered a line of output. To view the next screen, press the Spacebar. To view one line at a time, press the Enter key. To exit the show command output, press the Esc key or any other keystroke.

Examples

The following example sets the number of lines to display to 20:

Console(config)# terminal length 20 The following example sets the number of lines to the default of 24: Console(config)# no terminal length The following example configures the terminal for no pausing: Console(config)# terminal length 0

Related Commands

All show commands.

tftp-server

To set the TFTP server directory, use the tftp-server global configuration command.

tftp-server dir directory

no tftp-server dir directory

Syntax Description

dir

Sets TFTP server directory

directory

Specifies the path name of TFTP server.

Defaults

No default behavior or values

Command Modes

Global configuration

Examples

Console(config)# tftp-server dir /mypath

transaction-log force

To force the immediate creation of a transaction log, use the transaction-log force EXEC command.

transaction-log force {archive | export}

Syntax Description

archive

Forces the archive of the working.log file.

export

Forces the archived files to be exported to a server.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

The transaction-log force archive command causes the transaction log to be archived immediately to the CE hard disk. This command has the same effect as the clear transaction-log command.

The transaction-log force export command causes the transaction log to be exported immediately to an FTP server designated by the transaction-logs export ftp-server command.

The force commands do not change the configured schedule for archive or export of transaction log files. If a scheduled archive or export job is in progress when a corresponding force command is entered, an error message is displayed. If a force command is in progress when an archive or export job is scheduled to run, the scheduled job runs when the force command is complete.

Examples

Console# transaction-log force archive Starting transaction-log force archive command Completed transaction-log force archive command

Related Commands

transaction-logs

clear statistics transaction-logs

clear transaction-log

show statistics transaction-logs

show transaction-logging

transaction-logs

To enable transaction logs, use the transaction-logs global configuration command. To disable transaction logs, use the no form of this command.

transaction-logs {archive {files maxnumfiles | interval {seconds | every-day {at time | every hour} | every-hour {at minute | every interval} | every-week [on days [at time]]} | enable | export {enable | ftp-server {hostname | servipaddrs} login passw directory} | interval {minutes | every-day {at time | every hour} | every-hour {at minute | every interval} | every-week [on days [at time]]}}} | file-marker | sanitize}

no transaction-logs

Syntax Description

archive

Configures archive parameters.

files

Saves archive log files to disk.

maxnumfiles

Maximum number of archive files to save on disk (1-10). The default is 1.

interval

Determines how frequently the archive file is to be saved.

seconds

Time interval in seconds (120-86400). The default is 86,400 seconds (1 day).

every-day

Archives using frequencies of 1 day or less.

at time

Specifies the time of day at which to archive in hours and minutes (hh:mm).

every hour

Interval in hours (1, 2, 3, 4, 6, 8, 12, or 24).

every-hour

Archives using frequencies of 1 hour or less.

at minute

Specifies the minute alignment for the hourly archive (0-59).

every interval

Interval in minutes (2, 10, 15, 20, 30).

every-week

Archives one or more times a week.

on days

(Optional.) Archives one or more days of the week (mon, tue, wed, thu, fri, sat, sun).

at time

(Optional.) Specifies the time of day at which to archive in hours and minutes (hh:mm).

enable

Enables transaction log feature.

export

Configures file export parameters.

enable

Enables the exporting of log files at the specified interval.

ftp-server

Sets FTP server to receive exported archived files.

hostname

Host name of target FTP server.

servipaddrs

IP address of target FTP server.

login

User login to target FTP server.

passw

User password to target FTP server.

directory

Target directory for exported files on FTP server.

interval

Transfers files to the FTP server after this interval.

minutes

Export time interval in minutes (1-10,080). The default is 60 minutes.

every-day

Exports using frequencies of 1 day or less.

at time

Specifies the time at which to export each day in hours and minutes (hh.mm).

every hour

Interval in hours (1, 2, 3, 4, 6, 8, 12, or 24).

every-hour

Exports using frequencies of 1 hour or less.

at minute

Specifies the minute alignment for the hourly archive (0-59).

every interval

Interval in minutes (2, 10, 15, 20, or 30).

every-week

Exports one or more times a week.

on days

(Optional.) Exports on one or more days of the week (mon, tue, wed, thu, fri, sat, sun).

at time

(Optional.) Specifies the time of day at which to export in hours and minutes (hh:mm).

file-marker

Adds statements to translog indicating the file begin and end.

sanitize

Writes user IP addresses in log file as 0.0.0.0.

Defaults

The default for maximum number of archive files is 1. The default frequency for archiving files is 1 day. The default export time interval is 60 minutes.

Command Modes

Global configuration

Usage Guidelines

Enable transaction log recording with the transaction-logs enable command. When enabled, daemons create a working.log file in the /local/var/log/translog/ dosfs directory.

After an interval specified by the transaction-logs archive interval command, the working.log file is renamed and copied as an archive file to the dosfs directory with the path /local/var/log/translog/archive/data. A new working.log file is then created and the process repeats. The CE default archive interval is 86,400 seconds, or one day.

Use the transaction-logs archive files command to specify how many archive files to store on disk. When the maximum number of files has been created, the next archive file overwrites the oldest stored file.

The transaction log archive and export functions are configured with the following commands:

The following limitations apply:

If the transaction-logs export interval is configured to a larger value than the archive interval, the administrator must ensure that there are enough archive files.

Transaction Log Archive File-Naming Convention

The archive transaction log file is named as follows:

celog_10.1.118.5_20001028_235959.txt

Table 2-2 describes the name elements.


Table 2-2: Description of Archive Log Name Elements

celog_10.1.118.5

IP address of the CE creating the archive file.

19991228

Date archive file was created (yyyy/mm/dd).

235959

Time archive file was created (hh/mm/ss).

The transaction logs export feature does not create the legacy archive files named archive.log. Legacy archive files must be manually deleted or copied from the CE hard disk.

Exporting Transaction Logs to External FTP Servers

The transaction-logs export ftp-server option can support up to four FTP servers. To export transaction logs, you must first enable the feature and configure the export interval. The following information is required for each target server:

The CE translates the host name with a DNS lookup and then stores the IP address.

Use a fully qualified path or a relative path for the user login. The user must have write permission to the directory.

Use the no form of the transaction-logs export enable command to disable the entire transaction logs feature while retaining the rest of the configuration.

Restarting Export After Receiving a Permanent Error from the External FTP Server

When an FTP server returns a permanent error to the CE, the archive transaction logs are no longer exported to that server. You must reenter the CE transaction log export parameters to clear the error condition. The show statistics transaction-logs command displays the current state of transaction log export readiness.

A permanent error (Permanent Negative Completion Reply, RFC 959) occurs when the FTP command to the server cannot be accepted, and the action did not take place. Permanent errors can be caused by invalid user logins, invalid user passwords, and attempts to access directories with insufficient permissions.

In the following example, an invalid user login parameter was included in the transaction-logs export ftp-server command. The show statistics transaction-logs command shows that the CE failed to export archive files.

Console# show statistics transaction-logs Server:176.79.23.12 Export stopped due to permanent error received from FTP. Attempts:1 Successes:0 Open Failures:0 Put Failures:0 Other Transport Errors: Authentication Failures:1 Permanent Directory Failures:0 Permanent Put Failures:0 Previous Permanent Ftp Errors:0

To restart the export of archive transaction logs, the transaction-logs export ftp-server parameters must be reentered:

Console(config)# transaction-logs export ftp-server 10.1.1.1 goodlogin pass /etc/webcache

Use the sanitized option to disguise the IP address and usernames of clients in the transaction log file. The default is not sanitized. A sanitized transaction log disguises the network identity of a client by changing the IP address in the transaction logs to 0.0.0.0. The no form disables the sanitize feature.

Examples

In this example, an FTP server is configured.

Console(config)# transaction-logs export ftp-server 10.1.1.1 mylogin mypasswd /tmp/local/webcache Console(config)# transaction-logs export ftp-server myhostname mylogin mypasswd /tmp/local/webcache

To delete an FTP server, use the no form of the command.

Console(config)# no transaction-logs export ftp-server myhostname Console(config)# no transaction-logs export ftp-server 10.1.1.1

Use the no form of the command to disable the entire transaction log export feature while retaining the rest of the configuration.

Console(config)# no transaction-logs export enable
Note   The default is export disabled; the interval default is 1 hour. There are no defaults for the FTP server configuration.

To change a username, password, or directory, reenter the entire line.

Console(config)# transaction-logs export ftp-server 10.1.1.1 mynewname mynewpass /tmp/local/webcache

The show transaction-logging command displays information on exported log files.

Console# show transaction-logging Transaction Logs: Logging is enabled End user identity is visible. Current Archive Interval: 86400 sec. Maximum Number of Archived Files: 6 Exporting files to servers is enabled. Current export retry interval: 100 minutes. Working Log file - size: 8650 age: 4885 Archive Log file: celog_10.1.118.5_19991228_235959.txt - size: 10340 File export feature is enabled ftp-server username directory 1.1.1.1 mynewname /tmp/local/webcache 2.2.2.2 erasmus /tmp/translogfiles
Note   For security reasons, passwords are never displayed.

The export option has been added to the show statistics transaction-logs command to display the status of logging attempts to export servers.

Console# show statistics transaction-logs Transaction Logs: Logging is enabled. End user identity is visible. Current Archive Interval: 120 seconds. Maximum Number of Archived Files: 10 Exporting files to servers is enabled. Export retry interval:1 minutes. Working Log file - size:0 age:45 No Archive Log file found ftp-server username directory 152.59.21.110 zpajanos ~zp/201/translog/logfiles 152.59.33.33 zpajanos ~zp/outputfiles 1.1.1.1 my my

Configuring Intervals Between 1 Day and 1 Hour

The interval can be set for once a day with a specific timestamp. It can also be set for frequencies of hours; these frequencies align with midnight. For example, every 4 hours means archiving occurs at 0000, 0400, 0800, 1200, 1600, and so forth. It is not possible to archive at 0030, 0430, 0830, and so forth.

cepro(config)# transaction-logs archive interval every-day ? at Specify the time at which to archive each day every Specify the interval in hours. It will align with midnight cepro(config)# transaction-logs archive interval every-day at ? hh:mm Time of day at which to archive (hh:mm) cepro(config)# transaction-logs archive interval every-day every ? <1-24> Interval in hours: {1, 2, 3, 4, 6, 8, 12 or 24}

Scheduling Intervals of 1 Hour or Less

The interval can be set for once an hour with a minute alignment. It can also be set for frequencies of less than an hour; these frequencies will align with the top of the hour. That is, every 5 minutes means archiving will occur at 1700, 1705, and 1710.

cepro(config)# transaction-logs archive interval every-hour ?   at Specify the time at which to archive each day every Specify interval in minutes. It will align with top of the hour cepro(config)# transaction-logs archive interval every-hour at ? <0-59> Specify the minute alignment for the hourly archive

Scheduling Weekly Intervals

The interval can be set for once a week or multiple times within the week. For example, it is possible to archive "every Sunday at 0630" or "every Monday, Wednesday, and Friday at 1900." Administrators can select as many days as they wish, including all 7 days. Note that is it not possible to schedule the interval for different times on different days.

cepro(config)# transaction-logs archive interval every-week ?   on Day of the week <cr> cepro(config)# transaction-logs archive interval every-week on ?   DAY Day of week to archive cepro(config)# transaction-logs archive interval every-week on Monday ?   DAY Day of week to archive at Specify the time of day at which to archive <cr> cepro(config)# transaction-logs archive interval every-week on Monday Friday at ?   hh:mm Time of day at which to archive (hh:mm)

Related Commands Related Commands

clear transaction-log

show transaction-logging

show statistics transaction-logs

transaction-log force

trusted-host

To enable trusted hosts on your CE, use the trusted-host global configuration command. To disable trusted hosts, use the no form of this command.

trusted-host {hostname | ip-address | domain-lookup}

no trusted-host {domain-lookup}

Syntax Description

hostname

Host name of trusted host.

ip-address

IP address of trusted host.

domain-lookup

Trusted host checking.

Defaults

No default behavior or values

Command Modes

Global configuration

Defaults

No trusted hosts is the default.

Syntax Description

To allow reception of files (for example, rcp) from specified hosts, these hosts must be identified using the trusted-host hostname command. You must first enable this feature with the trusted-host domain-lookup command.

Examples

Console(config)# trusted-host domain-lookup Console(config)# trusted-host 172.31.90.33 Console(config)# no trusted-host domain-lookup

Related Commands

show trusted-hosts

type

To display a file, use the type EXEC command.

type filename

Syntax Description

filename

Name of file.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to display the contents of a file within any CE file directory. This command may be used to monitor features such as transaction logging or system logging (syslog), or to manage files such as badurl.lst for URL filtering.

Examples

Console# type badurl.lst

Related Commands

cpfile

dir

lls

ls

mkfile

undebug

To disable debugging functions, use the undebug EXEC command. Also see the debug EXEC command.

Command Modes

EXEC

Defaults

No default behavior or values

Usage Guidelines

We recommend that debug commands be used only at the direction of Cisco Systems technical support personnel.

Related Commands

debug

no debug

show debug

url-filter

To enable URL blocking, use the url-filter global configuration command. To disable URL blocking, use the no form of this command.

url-filter {bad-sites-block [custom-message] | good-sites-allow [custom-message] | websense {allowmode enable | server {hostname | ipaddrs} [port port] [timeout seconds]}}

no url-filter {bad-sites-block [custom-message] | good-sites-allow [custom-message] | websense {allowmode enable | server {hostname | ipaddrs} [port port] [timeout seconds]}}

Syntax Description

bad-sites-block

Blocks access to sites listed in badurl.lst file.

custom-message

(Optional.) Displays customized URL blocking message from block.html file.

good-sites-allow

Allows access only to sites listed in goodurl.lst file.

websense

Uses Websense Enterprise server to govern URL access.

allowmode

Allows HTTP traffic if Websense server does not respond.

enable

Enables allowmode.

server

Configures Websense server host name or IP address.

hostname

Host name of Websense server.

ipaddrs

IP address of Websense server.

port

(Optional.) Sets the Websense server port number.

port

(Optional.) Port on which to send the Websense requests (1-65535). Default is 15868.

timeout

(Optional.) Specifies the time to wait for a response from the Websense server.

seconds

(Optional.) Timeout value in seconds (1-120). Default is 20 seconds.

Defaults

Default Websense server port is 15868. Default Websense server request timeout is 20 seconds.

Command Modes

Global configuration

Usage Guidelines

The CE can control client access to Web sites as follows:

Only one form of URL filtering can be active at a time.

URL Filtering with URL Lists

The url-filter bad-sites-block command causes the CE to block a client request for a URL if the URL is listed in an administrator-created plain text file named badurl.lst copied to the /local/etc dosfs directory of the CE.

The url-filter good-sites-allow command causes the CE to fulfill a client request only if the requested URL is listed in an administrator-created plain text file named goodurl.lst copied to the /local/etc dosfs directory of the CE.

The list of URLs in the goodurl.lst and badurl.lst text files must be written in the form www.domain.com and delimited with carriage returns.

Use the no form of the command to disable blocking or Websense permission requests (for example, no url-filter bad-sites-block).

Custom Blocking Messages

When the CE blocks a URL, it returns a blocking message to the client. A customized message can be returned by including the custom-message option (for example, url-filter good-sites-allow custom-message).

The custom message must be an administrator-created HTML page named block.html copied to the /local/etc dosfs directory. Copy all embedded graphics associated with the custom message HTML page to the /local/lib/gui/pub directory and reference the image from the custom message HTML page with a fully qualified path name. If the custom-message option is enabled but the block.html file is not in the /local/etc directory, the CE returns a "file not found" message to the client upon blocking.

The following is an example of the block.html file:

<HTML> <HEAD> <TITLE> URL Blocked </TITLE> </HEAD> <BODY> The site you are trying to view is blocked. Please contact your system administrator if you need to unblock this site
<IMG_SRC = /local/lib/gui/pub/stop.gif width=492 height=94 border=0> </BODY> </HTML>

Tips You can cut and paste sample files from the .PDF or HTML versions of this publication.

To disable the custom-message option without disabling URL filtering, enter the URL filtering command without the custom-message option (for example, url-filter good-sites-allow).

URL Filtering with the Websense Enterprise Server

The CE can use a Websense Enterprise server as a filtering engine and enforce the filtering policy configured on the Websense server. Refer to the Websense documentation for further information on Websense filtering policies.

To enable Websense URL filtering on the CE, specify the Websense server IP address or host name. The timeout option sets the maximum amount of time that the CE will wait for a Websense response. The timeout default is 20 seconds. The port option specifies the port number on which the server will intercept requests from the CE (the default port is 15868). Use the no url-filter websense server command to disable Websense URL filtering.

The url-filter websense allowmode enable command permits the CE to fulfill the client request after a Websense server timeout. Use the no form of the command to disable Websense allowmode.

The Websense server returns its own blocking message.


Note   To use Websense URL filtering with a cluster of CEs, make sure to configure the url-filter websense server command on each CE in the cluster to ensure that all traffic is filtered.

Examples

To block listed URLs and return a custom message, enter:

Console# url-filter bad-sites-block custom-message Console# url-filter good-sites-allow custom-message

To turn off the customized URL blocking message but still block listed URLs, enter:

Console# url-filter bad-sites-block Console# url-filter good-sites-allow

To disable URL blocking, use the no form of this command:

Console(config)# no url-filter bad-sites-block Console(config)# no url-filter good-sites-allow

To configure a CE to use Websense URL filtering with a 4-second timeout, enter:

Console# url-filter websense server 172.16.11.22 timeout 4

Related Commands

show url-filter

show url-filter statistics websense

user

To configure user accounts on your CE, use the user global configuration command.

user {add | delete | modify}

user add username [password [ 0 | 1] password] [capability [admin-access | ftp-access | http-access | telnet-access]] [uid userid]

user delete {username username | uid userid}

user modify {uid number | username name}{[add-capability [admin-access | ftp-access | http-access | telnet-access]] | [del-capability [admin-access | ftp-access | http-access | telnet-access]] | [password [ 0 | 1] password]}

Syntax Description

add

Creates a new user account on the CE.

delete

Removes the specified user account from CE.

modify

Changes the user information.

username

CE login name for the user.

password

(Optional.) See password options.

capability

(Optional.) See capability options. Adds capability to a new user. Use with add keyword.

add-capability

(Optional.) See capability options.

uid

Assigns a user ID.

userid

Range of administrator-assigned user ID numbers (2001-2147483647).

add-capability

(Optional.) Adds capability to an existing user. Use with modify keyword. See capability options.

del-capability

(Optional.) Deletes capability of an existing user. Use with modify keyword. See capability options.

Defaults

No default behavior or values

Capability Options

admin-access

Grants all possible access to the CE.

ftp-access

Grants FTP access to the CE. FTP access includes HTTP access.

http-access

Grants HTTP access to the CE.

telnet-access

Grants Telnet access to the CE. Telnet access includes FTP and HTTP access.



Password Options

password

Sets a password for the specified user.

0

Specifies that a clear-text password will follow (default).

1

Specifies that a type 1 encrypted password will follow.

password

Password for the specified user. For no password, omit this option. Password must be a string of 4 to 128 characters in length. Passwords of one to three characters are rejected.



Command Modes

Global configuration

Defaults

The default users are admin and anonymous.The default password option is 0.

Usage Guidelines

The user command creates, modifies, and deletes CE user accounts. Up to 50 user accounts can be added to the CE. Only administrator access capability permits a user to write to the CE. The admin user account is included by default.

The user identification number (UID) 0 is reserved for the user "admin" and cannot be assigned to another user. The user ID numbers 2001 to 2147483647 can be assigned manually by the administrator. The CE assigns a UID number from 1 through 2000 if a UID is not assigned by the administrator.

In summary, ID numbers 1 to 2000 are assigned by the CE; 2001 to 2147483647 can be assigned by the administrator. User accounts with ID numbers 1 to 2147483647 can be modified or deleted, and the show users command displays ID numbers 0 through 2147483647.

Examples

Console(config)# user add dilbert Operation successful Console(config)# user add bwhidney password 0 dzgchenpa capability ftp Operation successful Console(config)# user modify user bwhidney add admin-access Operation successful Console(config)# show users There are 4 user(s) UID USERNAME 0 admin 1002 anonymous 5013 bwhidney 5014 dilbert Console(config)# user delete uid 5014 Operation successful

Related Commands Related Commands

show user

show users

wccp custom-web-cache

To enable the CE to accept redirected HTTP traffic on a port other than 80, use the wccp custom-web-cache command. To disable custom Web caching, use the no form of this command.

wccp custom-web-cache router-list-num num port port [[hash-destination-ip] [hash-destination-port] [hash-source-ip] [hash-source-port] [l2-redirect] [password passw] [weight percentage]]

no wccp custom-web-cache router-list-num num port port [[hash-destination-ip] [hash-destination-port] [hash-source-ip] [hash-source-port] [l2-redirect] [password passw] [weight percentage]]

Syntax Description

router-list-num

Router list number.

num

Router list number (1-8).

port

Specifies port number.

port

Port number range (1-65535).

hash-destination-ip

(Optional.) Load-balancing hash - destination IP (default).

hash-destination-port

(Optional.) Load-balancing hash - destination port.

hash-source-ip

(Optional.) Load-balancing hash - source IP.

hash-source-port

(Optional.) Load-balancing hash - source port.

l2-redirect

(Optional.) WCCP forwarding encapsulation method.

password

(Optional.) Specifies authentication password.

passw

Password.

weight

(Optional.) Sets weight percentage for load balancing (0-100).

percentage

Percentage value (0-100).

Defaults

Command Modes

Global configuration

Usage Guidelines

The wccp custom-web-cache command can configure the CE to automatically establish WCCP Version  2 redirection services with a Cisco router on a user-specified port number and then perform transparent Web caching for all HTTP requests over that port while port 80 transparent Web caching continues without interruption. For custom Web caching, service 98 must be enabled on the routers. WCCP Version 1 does not support custom Web caching.

Transparent caching on ports other than port 80 can be performed by the CE in environments where WCCP is not enabled or where client browsers have previously been configured to use a legacy proxy server. See the http proxy global configuration command for further information.

The weight parameter represents a percentage of load redirected to the CE cluster (for example, a CE with a weight of 30 receives 30 percent of the total load). If the total of all weight parameters in the CE cluster exceeds 100, the percentage load for each CE is recalculated as the percentage that its weight parameter represents of the combined total.

To use the l2-redirect hashing option, the CE must be directly connected at Layer 2 to a switch or router that supports accelerated hardware switching.

Examples

Starting custom web caching on interface 3 of a WCCP Version 2-enabled router:

router(config): ip wccp 98 [Output not shown] router(config-if): ip interface 3 router(config-if): ip web-cache 98 redirect out [Output not shown]

On the CE:

CE(config)# wccp custom-web-cache router-list-num 5 port 82 weight 30 password Allied hash-destination-ip hash-source-port CE(config)# no wccp custom-web-cache CE(config)# http proxy outgoing ans.allied.com 82 no-local-domain CE# sh running-config Building configuration... Current configuration: ! .... ! http proxy outgoing 192.168.200.68 82 no-local-domain ! wccp router-list 5 10.1.1.1 wccp custom-web-cache router-list 5 port 82 weight 30 password Allied hash-destination-ip hash-source-port wccp home-router 10.1.1.2 wccp version 2 ! end

Related Commands

wccp web-cache

http proxy incoming

http proxy outgoing

wccp flow-redirect

To enable WCCP flow redirection, use the flow-redirect enable global configuration command. To disable flow redirection, use the no form of the command.

wccp flow-redirect enable

no wccp flow-redirect enable

Syntax Description

enable

Enables flow redirection.

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

This command works with WCCP Version 2 only. The flow protection feature is designed to keep the TCP flow intact and to not overwhelm CEs when they come up or are reassigned new traffic. This feature also has a slow start mechanism where the CEs try to take a load appropriate for their capacity.

Examples

Console# wccp flow-redirect enable

Related Commands

wccp slow-start enable

wccp home-router

To configure a WCCP Version 1 router IP address, use the wccp home-router global configuration command. To disable this function, use the no form of this command.

wccp home-router ip-address

no wccp home-router ip-address

Syntax Description

ip-address

Home router IP address.

Defaults

No default behavior or values

Command Modes

Global configuration

Defaults

Disabled.

Usage Guidelines

To use WCCP Version 1 with the CE, you must also point the CE to a designated home router. Use the wccp home-router ip-address command to do this. This may also be the address of the IP default gateway.

Make sure that WCCP Version 1 is enabled on the router.

Examples

Console(config)# wccp home-router 172.16.65.243 Console(config)# no wccp home-router 172.16.65.243

Related Commands

show wccp routes

wccp version 1

wccp port-list

To associate ports with specific WCCP dynamic services, use the wccp port-list global configuration command.

wccp port-list listnum portnum

no wccp port-list listnum portnum

Syntax Description

listnum

Port list number (1-8).

portnum

Port number. Up to eight ports per list number are allowed (1-65535).

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

Up to eight port numbers can be included in a single port list. The port list is referenced by the
wccp service-number command that configures a specific WCCP dynamic service (90-97) to operate on those ports included in the port list.

Examples

In the following example, ports 10, 200, 3000, 110, 220, 330, 440, and 40000 are included in port list 3.

Console(config)# wccp port-list 3 10 200 3000 110 220 330 440 40000

Related Commands

wccp service-number

wccp reverse-proxy

To enable WCCP Version 2 reverse proxy service, use the wccp reverse-proxy global configuration command. To disable this function, use the no form of this command.

wccp reverse-proxy router-list-num number [l2-redirect] [password key] [weight percentage]

no wccp reverse-proxy

Syntax Description

router-list-num

Router list number.

number

Router list number range (1-8).

l2-redirect

(Optional.) WCCP Version forwarding encapsulation method.

password

(Optional.) WCCP services authentication password (key) set on router.

key

(Optional.) Password character string.

weight

(Optional.) Sets a load-balancing parameter.

percentage

Percentage of the load that the CE shares with the other CEs (1-100).

Defaults

Disabled.

Command Modes

Global configuration

Usage Guidelines

This command applies only to WCCP Version 2.

You must configure the wccp router list command before you use this command. The routers in the list must have WCCP reverse proxy service enabled (service 99). Refer to the Cisco Cache Software Configuration Guide for further information on configuring the router.

By default, the router does load balancing across the various CEs in a cluster based on the destination IP address (for example, Web server IP address). When WCCP reverse proxy is enabled, the router does load balancing in a cluster based on the source IP address (for example, the client browser IP address).

To enable the use of a password for a secure reverse proxy cache within a cluster, use the password key command to be sure to enable all other CEs and routers within the cluster with the same password.

The weight parameter represents a percentage of the total load redirected to the CE in a cluster (for example, a CE with a weight of 30 receives 30 percent of the total load). If the total of all weight parameters in a CE cluster exceeds 100, the percentage load for each CE is recalculated as the percentage that its weight parameter represents of the combined total.

To use the l2-redirect hashing option, the CE must be directly connected at Layer 2 to a switch or router that supports accelerated hardware switching.

Examples

Console(config)# wccp reverse-proxy router-list-num 8 password mykey weight 100 Console(config)# no wccp reverse-proxy

Related Commands

show wccp cache-engines

show wccp services

wccp router-list

wccp version 2

wccp router-list

To configure a router list for WCCP Version 2, use the wccp router-list global configuration command. To disable this function, use the no form of this command.

wccp router-list number ip-address

no wccp router-list number ip-address

Syntax Description

number

Router list number (1-8).

ip-address

IP address of router to add to list.

Command Modes

Global configuration

Defaults

Disabled.

Usage Guidelines

Use this command to configure various router lists for use with WCCP Version 2 services. For example, you can specify one router list for WCCP Version 2 web-cache service and another list for reverse-proxy at the same time without having to reconfigure groups of routers or caches. You can add up to eight router lists and up to six IP addresses per list.

Examples

Console(config)# wccp router-list 7 172.31.68.98 Console(config)# no wccp router-list 7 172.31.68.98

Related Commands

wccp reverse-proxy

wccp web-cache

wccp version 2

wccp service-number

To enable up to eight dynamic WCCP redirection services on the CE, use the wccp service-number command. The services must also be configured on the router running WCCP Version 2.

wccp service-number servnumber router-list-number routnumber port-list-number plistnumber
[hash-destination-ip] [hash-destination-port] [hash-source-ip] [hash-source-port] [l2-redirect] [password passw] [weight percentage]

no wccp service-number servnumber

Syntax Description

service-number

Specifies the dynamic WCCP Version 2
service number.

servnumber

WCCP Version 2 service number (90-97).

router-list-number

Specifies the router list number.

routnumber

Router list number (1-8).

port-list-number

Specifies the port list number.

plistnumber

Port list number (1-8).

hash-destination-ip

(Optional.) Load-balancing hash—destination IP (default).

hash-destination-port

(Optional.) Load-balancing hash—destination port.

hash-source-ip

(Optional.) Load-balancing hash—source IP.

hash-source-port

(Optional.) Load-balancing hash—source port.

l2-redirect

(Optional.) WCCP Version 2 forwarding encapsulation method.

password

(Optional.) Specifies authentication password.

passw

Password.

weight

(Optional.) Sets weight percentage for load balancing (0-100).

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

Proxy Mode

The CE supports up to eight incoming ports for HTTPS and eight incoming ports for HTTP. The incoming proxy ports can be the same ports that are used by the transparent-mode services. The incoming proxy ports can be changed without stopping any WCCP services running on the CE or on other CEs in the farm.

The CE parses requests received on a port to determine the protocol to be serviced. If the CE is not configured to support a received protocol, the proxy server returns an error. For example, if port 8080 is configured to run an HTTP and HTTPS proxy service, a File Transfer Protocol (FTP) request coming to this port is rejected.

Some TCP ports are reserved for system or network services (for example, the CE FTP server and GUI) and cannot be used for proxying services in transparent mode or in proxy mode. If more than eight ports are required, the administrator can configure multiple custom WCCP services. Intercepted HTTP and HTTPS requests addressed to other proxy servers (received on transparent-mode ports) are serviced according to the proxy-protocols transparent command parameters.

Transparent Mode

The wccp service-number command can enable up to eight WCCP redirection services on a CE, provided that the services are also configured on the router. There are eight new dynamic WCCP services (90 to 97).

Each wccp service-number command specifies a router list, single port list (containing up to eight ports), hash parameters, password, and weight. With eight custom services using a maximum number of eight ports each, the maximum number of ports that can be specified for transparent redirection is 64.

The legacy custom Web cache and reverse proxy services (service numbers 98 and 99) can be configured with only one port each. If only one legacy service is configured, the total maximum number of transparent redirection ports is 57. If both legacy services are configured, the maximum port total is 50.

All ports receiving HTTP that are configured as members of the same WCCP service share the following characteristics:

With CEs in a farm, the following restrictions apply:

The CE WCCP implementation currently allows global settings that apply to all WCCP services, such as healing parameters, slow start, and others. The multiple service model does not change that, and the settings in question remain global for the whole WCCP system.

Modifying Configurations

For proxy-mode and transparent-mode commands, issuing a new command replaces the old one.

In proxy mode, a no command that specifies the protocol and no ports disables the service for that protocol. To add or remove ports in proxy mode, issue a new command that specifies all the ports to be used. Ports can also be removed by a no command with a list of ports to remove. A no command that specifies only some of the configured ports removes these ports from the list, and the service continues to run on the remaining ports. For example, if HTTPS is received on 8080, 8081, and 82, the
no https proxy incoming 8081 command disables port 8081 but permits the HTTPS proxy service to continue on ports 8080 and 82.

In transparent mode, to add or remove ports for a WCCP service, modify the port list or create a new port list for the WCCP service.

In transparent mode, a no command that specifies the WCCP service number disables the service.

To use the l2-redirect hashing option, the CE must be directly connected at Layer 2 to a switch or router that supports accelerated hardware switching.

Examples

In the following example, WCCP dynamic service 90 is configured with router list 1, and port list 1. Port 8080 is the only element in port list 1.

CE(config)# wccp 90 router-list-num 1 port-list-number 1 hash-source-ip hash-destination-port CE(config)# wccp port-list 1 8080

In this example, the CE is configured to accept HTTP and HTTPS proxy requests on ports 81, 8080, and 8081:

CE(config)# http proxy incoming 81 8080 8081 CE(config)# https proxy incoming 81 8080 8081

Related Commands

https proxy incoming

http proxy incoming

proxy-protocols

show https proxy

show http proxy

show services

show wccp services

wccp shutdown

To set the maximum time interval over which the CE will perform a clean shutdown, use the wccp shutdown global configuration command.

wccp shutdown max-wait seconds

Syntax Description

max-wait

Sets the clean shutdown time interval.

seconds

Time in seconds (0-86400). The default is 120 seconds.

Defaults

120 seconds

Command Modes

Global configuration

Usage Guidelines

To prevent broken TCP connections, the CE performs a clean shutdown of WCCP after a reload or wccp version command is issued. The CE does not reboot until either all connections have been serviced or the configured max-wait interval has elapsed.

During a clean shutdown, the CE continues to service the flows it is handling but starts to bypass new flows. When the number of flows goes down to zero, the CE takes itself out of the cluster by having its buckets reassigned to other CEs by the lead CE. TCP connections can still be broken if the CE crashes or is rebooted without WCCP being cleanly shut down. The clean shutdown can be aborted while in progress.

Examples

Console(config)# wccp shutdown max-wait 4999

Related Commands

wccp version

wccp slow-start

wccp flow-redirect

wccp slow-start

To enable the CE slow start capability, use the wccp slow-start enable global configuration command. To disable slow start capability, use the no form of this command.

wccp slow-start enable

no wccp slow-start enable

Syntax Description

enable

Enable WCCP slow start.

Defaults

The default is slow start enabled.

Command Modes

Global configuration

Usage Guidelines

Within a cluster of CEs, TCP connections are redirected to other CEs as units are added or removed. A CE can be overloaded if it is too quickly reassigned new traffic or introduced abruptly into a fat pipe.

WCCP slow start performs the following tasks to prevent a CE from being overwhelmed when it comes online or is reassigned new traffic:

Slow start is applicable only in the following cases:

In all other cases slow start is not necessary and all the CEs can be assigned their share of the buckets right away.

Examples

Console# wccp slow-start enable Console# no wccp slow-start enable

Related Commands

wccp flow-redirect

wccp shutdown

wccp version

To specify the version of WCCP that the CE should use, enter the wccp version global configuration command. Use the no form of the command to disable the currently running version.

wccp version {1 | 2}

no wccp version {1 | 2}

Syntax Description

1

WCCP Version 1.

2

WCCP Version 2.

Defaults

Version 1

Command Modes

Global configuration

Usage Guidelines

Both WCCP versions allow transparent caching of Web content. For a detailed description of both versions, refer to the Cisco Cache Software Configuration Guide. It is necessary to disable WCCP Version 1 before enabling WCCP Version 2, and vice versa. Be sure the routers used in the WCCP environment are running a software version that supports the WCCP version configured on the CE.

To prevent broken TCP connections, the CE performs a clean shutdown of WCCP after a reload or wccp version command is executed. See the wccp shutdown global configuration command for an explanation of a clean shutdown.

Examples

Console(config)# no wccp version 1 Console(config)# wccp version 2

Related Commands

wccp home-router

wccp shutdown

wccp web-cache

To instruct the router to run the Web cache service with WCCP Version 2, use the wccp web-cache global configuration command. To disable this function, use the no form of this command.

wccp web-cache router-list-num number [l2-redirect] [password key] [weight percentage]

no wccp web-cache

Syntax Description

route-list-num

Specifies router list number.

number

Router list number (1-8).

l2-redirect

WCCP Version 2 forwarding encapsulation method.

password

(Optional.) Authentication password (key) set by the router.

key

Password string for the router.

weight

(Optional.) Sets weight percentage.

percentage

Weight of load that the CE carries as compared to other CEs (1-100).

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

Use this command to enable Web cache service with WCCP Version 2. With Web cache service, the router balances the traffic load within a CE cluster based on the destination IP address (for example, Web server IP address).

You must set the wccp router-list command before you use this command.

Both weight and password are optional and may be used together or separately.

To enable the use of a password for a secure Web cache cluster, use the password key option and be sure to enable all other CEs and routers within the cluster with the same password.

The weight parameter represents a percentage of the total load redirected to the CE (for example, a CE with a weight of 30 receives 30 percent of the total load). If the total of all weight parameters in a CE cluster exceeds 100, the percentage load for each CE is recalculated as the percentage that its weight parameter represents of the combined total.

Examples

Console(config)# wccp web-cache router-list-num 1 Console(config)# no wccp web-cache

Related Commands

show wccp cache-engines

show wccp routers

show wccp status

wccp version 2

whoami

To display the current user's name, use the whoami EXEC command.

whoami

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to display the current user's username and user identification number.

Examples

Console# whoami admin

Related Commands

pwd

write

To write running configurations to memory or to a terminal session, use the write EXEC command.

write [erase | memory | terminal]

Syntax Description

erase

(Optional.) Erases startup configuration from NVRAM.

memory

(Optional.) Writes the configuration to NVRAM. This is the default.

terminal

(Optional.) Writes the configuration to a terminal session.

Defaults

No default behavior or values

Command Modes

EXEC

Defaults

The configuration is written to NVRAM by default.

Usage Guidelines

Use this command to either save running configurations to NVRAM or to erase memory configurations. Following a write erase command, no configuration is held in memory, and a prompt for configuration specifics occurs after you reboot the CE.

Use the write terminal command to display the current running configuration in the terminal session window. The equivalent command is show running-config.

Examples

Console# write

Related Commands

copy running-config startup-config

show running-config


hometocprevnextglossaryfeedbacksearchhelp
Posted: Tue Jun 5 22:06:08 PDT 2001
All contents are Copyright © 1992--2001 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.