Table of Contents

alias
authentication
autosense
bandwidth
boomerang
boomerang send-packet
bypass
cache
cd
cfs
check
clear
clock
clock timezone
configure
content-server
copy
cpfile
cron
debug
del
deltree
dir
disable
disk
dns-cache
dns-ttl
dnslookup
dosfs
enable
end
error-handling
exception debug
exec-timeout
exit
ftp
fullduplex
gui-server
halfduplex
help
hostname
http
https
icp
inetd
install
interface
ip
ip
ip-ttl
key
ldap
lls
logging
ls
mfs
mkdir
mkfile
no
no
no
no debug
ntp
ntpdate
ping
proxy-protocols
pwd
radius-server
reload
rename
rmdir
rule
show arp
show authentication
show boomerang
show bypass
show cfs
show clock
show cron
show debugging
show disk-partitions
show disks
show dns-cache
show events
show file-descriptors
show flash
show ftp
show gui-server
show hardware
show hosts
show http
show https
show icp
show inetd
show interface
show ip routes
show ldap
show logging
show memory
show mfs
show ntp
show processes
show proxy-protocols
show radius-server
show rule
show running-config
show services
show snmp
show stacktrace
show startup-config
show statistics
show tacacs
show tcp
show tech-support
show tftp-server
show transaction-logging
show trusted-hosts
show url-filter
show user
show users
show version
show wccp
snmp-server community
snmp-server contact
snmp-server enable traps
snmp-server host
snmp-server location
tacacs
tclsh
tcp
terminal
terminal
tftp-server
transaction-log force
transaction-logs
trusted-host
type
undebug
url-filter
user
wccp custom-web-cache
wccp flow-redirect
wccp home-router
wccp port-list
wccp reverse-proxy
wccp router-list
wccp service-number
wccp shutdown
wccp slow-start
wccp version
wccp web-cache
whoami
write

Cisco Cache Software, Release 2.5.0 Commands

This chapter contains an alphabetical listing of all commands of the Cisco Cache software, Release 2.5.0, for Cisco Content Engines and Cisco Cache Engines. To simplify terminology, both the Cache Engine and the Content Engine are referred to as the "CE."

alias

To establish alternative domain names, use the alias command in domain configuration mode.

Syntax Description

Defaults

No default behaviors or values

Command Modes

Domain configuration

Usage Guidelines

If you are using the CE as a content routing agent, you can use this command on both the Content Router and the CE to establish an alternative name for a domain.

Examples

In the following example, assume you are configuring a domain named www.foobar.com. Here, it is given the alias www.foobar.net on the Content Router:

When configuring www.foobar.com on the agent, enter the alias on the CE:

authentication

To configure Terminal Access Controller Access Control System Plus (TACACS+), use the authentication global configuration command. Use the no form of the command to selectively disable options.

Syntax Description

Defaults

Local authentication is enabled and TACACS+ authentication is disabled.

Command Modes

Global configuration

Usage Guidelines

Authentication or login is the action of identifying and validating a user. It verifies a username with the password. Authorization or configuration is the action of determining what a user is allowed to do.

Login and configuration privileges can be maintained in two databases: the local database, which resides on the CE, and the TACACS+ remote database, which resides on a remote server. The user global configuration commands or the Users graphical user interface (GUI) page provides a way to add, delete, or modify users' names, passwords, and access privileges in the local database. The TACACS+ remote database can also be used to maintain login and configuration privileges for CE administrative users. The tacacs command or the TACACS+ GUI page allows you to configure the network parameters required to access the remote database.

Login and configuration privileges can be obtained from either the local database or the TACACS+ remote database. If both databases are enabled, then both databases are queried; if the user data cannot be found in the first database queried, then the second database is tried. When the primary keyword is entered for TACACS+ login or configuration authentication (authentication login tacacs enable primary, authentication configuration tacacs enable primary), the TACACS+ database is queried first, and the local database is queried second. If TACACS+ is not designated as primary, and both the local and the TACACS+ databases are enabled, the local database is queried first. If both the local and the TACACS+ databases are disabled (no authentication), the CE verifies that both are disabled and if so, sets the CE to the default state.

By default, local authentication is enabled and TACACS+ authentication is disabled. When the TACACS+ authentication is disabled, the local authentication is automatically enabled.

Examples

This example disables local configuration authentication.

Note   If local authentication is disabled and TACACS+ is not configured properly, future logins may fail.

TACACS+ Statistics

CE# show statistics authentication Authentication Statistics -------------------------------------- Number of Local Authentication: 0 Number of TACACS+ Authentication: 4 Total number of Authentication: 4 Number of Local Authorization: 0 Number of TACACS+ Authorization: 4 Total number of Authorization: 4 CE# show statistics tacacs TACACS+ Statistics ----------------- Number of access requests: 8 Number of access deny responses: 7 Number of access allow responses: 1

Related Commands

show authentication

show statistics authentication

show statistics tacacs

show tacacs

tacacs

autosense

To enable autosense on an interface, use the autosense interface configuration command. To disable this function, use the no form of this command.

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Interface configuration

Usage Guidelines

Cisco router Ethernet interfaces do not negotiate duplex settings. If the CE is connected to a router directly with a crossover cable, the CE Ethernet interface has to be manually set to match the router interface settings. Disable autosense before configuring an Ethernet interface. When autosense is on, manual configurations are overridden. You must reboot the CE to start autosensing.

Examples

bandwidth

To configure an interface bandwidth, use the bandwidth interface configuration command. To disable this function, use the no form of this command.

Syntax Description

Defaults

No default behavior or values

Command Modes

Interface configuration

Usage Guidelines

Use this command to set the bandwidth of an interface to either 10 or 100 megabits.

Examples

boomerang

To enable boomerang content routing on the CE and to enter domain configuration mode, use the boomerang global configuration command.

Syntax Description

Defaults

No default behaviors or values

Command Modes

Global configuration

Usage Guidelines

Use the boomerang dns enable command to enable content routing software on a CE that you want to configure as a content routing agent. Use the boomerang dns domain command to configure the CE as a content routing agent for a specified domain and to enter domain configuration mode.

Caution   A Content Engine running Release 2.5 cannot be used for transparent caching if it has been configured as a content routing agent. Therefore, if you want to use a CE for transparent caching, make sure that none of the boomerang commands are enabled on the CE.

Examples

boomerang send-packet

To send test packets to determine whether or not a destination accepts boomerang-altered source IP addresses, use the boomerang send-packet EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Some networks may have filters that prevent the transmission of packets with source addresses outside the address space of the network. If you are using the CE as a content routing agent, such filters could inhibit the content routing process. To determine whether such filters exist, use a sniffer and the boomerang send-packet command to send a packet with a source address outside the subnet on which the CE resides. The sniffer should be set up to monitor traffic on the network of the destination site to which the packet is sent. If the sniffer detects this packet, you know that the destination can accept boomerang-altered source IP addresses.

Examples

bypass

To enable transparent error handling and dynamic authentication bypass, and to configure static bypass lists, use the bypass command. To disable the bypass feature, use the no form of the command.

Syntax Description

Defaults

The default authentication bypass value is 10 minutes. The in-interval default is 60 seconds. The out-interval option default is 4 seconds. The timer-interval option default is 10 minutes.

Command Modes

Global configuration

Usage Guidelines

Bypass features are available only with WCCP Version 2. The CE can only bypass WCCP-redirected traffic, not proxy-style requests.

Authentication Bypass

Some web sites, because of IP authentication, do not allow the CE to connect directly on behalf of the client. In order to avoid a disruption of service, the CE can use authentication bypass to generate a dynamic access list for these client-server pairs. Authentication bypass triggers are also propagated upstream and downstream in the case of hierarchical caching. When a client/server pair goes into authentication bypass, it is bypassed for a configurable amount of time, set by the timer option (10 minutes by default).

Load Bypass

If a CE becomes overwhelmed with traffic, it can use the load bypass feature to reroute the overload traffic.

When the CE is overloaded and load bypass is enabled, the CE bypasses a bucket. If the load remains too high, another bucket is bypassed, and so on until the CE can handle the load. The time interval between one bucket being bypassed and the next, is set by the out-interval option. The default is 4 seconds.

When the first bucket bypass occurs, a time interval must elapse before the CE begins to again service the bypassed buckets. The duration of this interval is set by the time-interval option. The default is 10 minutes.

When the CE begins to again service the bypassed traffic, it begins with a single bypassed bucket. If the load is serviceable, it picks up another bypassed bucket and so on. The time interval between picking up one bucket and the next is set by the in-interval option. The default is 60 seconds.

Static Bypass

The bypass static command permits traffic from specified sources to bypass the CE. The type of traffic sources are as follows:

• Specific web client to a specific web server

• Specific web client to any web server

• Any web client to a specific web server

Wildcards in either the source or the destination field are not supported.

To clear all static configuration lists, use the no form of the command.

Examples

• To force HTTP traffic from a specified client to a specified server to bypass the CE, enter:

Console(config)# bypass static 10.1.17.1 172.10.7.52

• To force all HTTP traffic destined to a specified server to bypass the CE, enter:

Console(config)# bypass static any-client 172.10.7.52

• To force all HTTP traffic from a specified client to any web server to bypass the CE, enter:

Console(config)# bypass static 10.1.17.1 any-server

A static list of source and destination addresses helps to isolate instances of problem-causing clients and servers.

• To display static configuration list items, use the show bypass list command.

Console# show bypass list Total number of entries in the bypass list = 5 Client IP Server IP Reason 10.1.17.1 15.1.10.6 Error Handling 10.1.24.1 128.10.2.4 Auth Traffic 10.1.24.2 128.10.2.4 Static Config 10.2.4.5 any-server Static Config any-client 178.10.45.6 Static Config

• The total number of entries in the bypass list is reported by the show bypass summary command.

Console# show bypass summary Cache Engine will bypass authenticated HTTP traffic. Cache Engine will bypass HTTP traffic if it is overloaded. Total number of entries in the bypass list = 5 Total number of HTTP connections bypassed = 20

Related Commands

show bypass

cache

To synchronize the cache file system (cfs) contents from memory to disk, use the cache sync EXEC command.

To clear the disk of all cached content, use the cache clear EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

The cache clear command removes all cached contents from the currently mounted cfs volumes. Objects being read or written are removed when they cease being "busy." The equivalent to this command is the clear cache or cfs clear command.

Caution   This command is irreversible, and all cached content will be erased.

The cache clear force deletes all objects, whether busy or not, and may generate broken GIF or HTML messages for objects that were being read from the disk when the command was executed. If an object is being written to the CE disk when a cache clear force command is executed, the application stops caching that object but still delivers the object from the web server to the client.

The cache sync command synchronizes the cache file system contents from memory to disk. Although synchronization is performed at regular intervals while the CE is operating, this command can be used to ensure all data is written to disk before you reset or turn off the CE. Synchronization can also be done using the cfs sync command.

Examples

Related Commands

clear cache

cfs clear

cd

To change directory, use the cd EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to maneuver between directories and for file management. The directory name becomes the default prefix for all relative paths. Relative paths do not begin with a slash "/". Absolute paths begin with a slash "/".

Examples

Relative path:

Absolute path:

Related Commands

dir

lls

ls

mkdir

pwd

rmdir

cfs

To manipulate the cache object file system (cfs), use the cfs EXEC command.

Syntax Description

Defaults

No defaults behavior or values

Command Modes

EXEC

Usage Guidelines

Cache objects retrieved from the web are saved and manipulated by the CE with the cache file system (cfs) on a cfs partition of the hard disk. This does not affect the dosfs partition, which saves user data, such as syslog. Cache file system objects cannot be displayed and listed like dosfs files and directories, but transaction logs can record object requests handled by the cfs.

The cfs commands are used to manage the cache object file system.

The cfs clear command deletes nonbusy objects from the specified cfs volume. A nonbusy object is an object that is not being accessed (read or written). The cfs clear command (without force) deletes all possible objects without generating a broken GIF or HTML message to the client.

The cfs clear force command deletes all objects, busy or nonbusy, and may generate broken GIF or HTML messages for objects that were being read from the disk when the command was executed. If an object is being written to the CE disk when a cfs clear force command is executed, the application stops caching that object but still delivers the object from the web server to the client.

The cfs reset command unmounts, formats, and mounts a specified volume. Unmounting a volume can result in broken GIF or HTML messages for objects that are being read from the disk (cache hits) when the command is executed. When a cfs volume is reset, all cfs data on that volume is lost.

---

Note   The cfs reset command can be invoked on unmounted volumes.

---

The cfs format command creates the cache file system internal "dbs" for the cfs partition of the disk if the volume is unmounted. It formats the cfs partition to prepare it for a cfs mount. The cfs mount command creates and maps data structures in memory to the cfs partition.

Caution   All cached content is erased with the format command.

The cfs unmount command frees the in-memory data structures that map to the physical (disk) cfs partition.

The cfs sync command synchronizes the cache file system contents from memory to disk. Although synchronization is performed at regular intervals while the CE is running, this command can be used to ensure that all data is written to disk before you reset or turn off the CE. Synchronization can also be done with the cache sync command.

Examples

Related Commands

show cfs

cache clear

clear cache

check

To check whether superuser accounts are password-protected, use the check EXEC command.

Syntax Description

Defaults

By default, superuser accounts are not password-protected.

Command Modes

EXEC

Usage Guidelines

This command displays whether or not the superuser account is password-protected. To configure a superuser password, from global configuration mode, use the user modify command. A superuser is defined as an administrator or user with full read and write privileges to the cache files and utilities.

Examples

Related Commands

user modify

show user

clear

To clear the HTTP object cache, the hardware interface, statistics, transaction logs, or WCCP settings, use the clear EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

The clear cache command removes all cached contents from the currently mounted cfs volumes. Objects being read or written are removed when they cease being "busy." The equivalent to this command is the cache clear or cfs clear command.

Caution   This command is irreversible and all cached content will be erased.

The clear cache force command deletes all objects, whether busy or not, and may generate broken GIF or HTML messages for objects that were being read from the disk when the command was executed. If an object is being written to the CE disk when a clear cache force command is executed, the application stops caching that object but still delivers the object from the web server to the client.

The clear interface command clears the statistics presented by the show interfaces command.

The clear statistics command clears all statistical counters from the parameters given. Use this command to monitor fresh statistical data for some or all features without losing cached objects or configurations.

The clear transaction-log command causes the transaction log to be archived immediately to the CE hard disk. This command has the same effect as the transaction-log force archive command.

Examples

To purge all the entries in the LDAP authentication cache, use the clear ldap authcache command.

To clear all rule statistics, use the clear statistics rule all command.

Related Commands

cache clear

cfs clear

show statistics

show interface

show ldap

show rule

show wccp

clock

To set, clear, or save the battery-backed clock functions, use the clock EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

If you have an outside source on your network that provides time services (such as a Network Time Protocol [NTP] server), you do not need to set the system clock manually. When setting the clock, enter the local time. The CE calculates UTC based on the time zone set by the clock timezone global configuration mode command.

Two clocks exist in the system: the software clock and the hardware clock. The software uses the software clock. The hardware clock is used only at bootup to initialize the software clock.

The set keyword sets the software clock.

The save keyword writes the current value of the software clock into the hardware clock. This is used to update the hardware clock with the correct time as maintained by NTP. NTP adjusts only the software clock.

The clear keyword forces the hardware clock to zero (January 1, 1970), which ensures that the time at bootup is the NTP time or an obviously invalid time.

Examples

Related Commands Related Commands

clock timezone

show clock detail

clock timezone

To set the time zone for display purposes, use the clock timezone global configuration command. To disable this function, use the no form of this command.

Syntax Description

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

To set and display the local and UTC current time of day without an NTP server, use the clock timezone command together with the clock set command.

The clock timezone parameter specifies the difference between UTC and local time, which is set with the clock set command. The UTC and local time are displayed with the show clock detail EXEC command.

Examples

The following example specifies the local time zone as Pacific Standard Time and offsets 8 hours behind UTC:

Related Commands Related Commands

clock

show clock detail

configure

To enter global configuration mode, use the configure EXEC command. You must be in global configuration mode to enter global configuration commands.

To exit global configuration mode, use the end, Ctrl-Z, or exit commands.

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to enter global configuration mode.

Examples

Related Commands Related Commands

show running-config

show startup-config

end

exit

content-server

To configure the address of a content server co-located with a CE, use the content-server domain configuration command.

Syntax Description

Defaults

If no filename is included in the command, the probe consists only of trying to connect to port 80.

Command Modes

Domain configuration

Usage Guidelines

On a CE configured as a content routing agent, use this command to specify an external content source. The CE needs to return the address of the content appliance or switch that is serving the content.

The CE probes the content server periodically to ensure that it is active. The probe is an HTTP GET request for the configured filename. A response of "200 OK" indicates the content server is active.

Examples

copy

To copy configuration or image data from a source to a destination, use the copy EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use the copy running-config startup-config command to save the configuration to NVRAM memory. This command is equivalent to the write command.

The copy flash disk imagename command copies the image from Flash memory to the disk.

The copy disk flash imagename command copies the image from the disk to Flash memory.

The copy tftp flash command copies the image from a TFTP server to Flash memory.

The copy tech-support tftp command copies technical support information to a TFTP server. You are prompted for the server address following this command.

Examples

Related Commands

write

show running-config

show startup-config

cpfile

To copy one filename to another filename, use the cpfile EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to copy one filename to another. This command only copies dosfs files.

Examples

Related Commands Related Commands

copy

dir

lls

ls

mkfile

rmdir

rmname

cron

To set a cron task, use the cron global configuration command. To disable a cron task, use the no form of this command.

Syntax Description

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

The cron command is used to set up cron tasks.

To view your existing cron configurations, use the show cron command. For example:

Examples

Related Commands

show cron

debug

Command Modes

EXEC

Usage Guidelines

We recommend that the debug command be used only at the direction of Cisco Systems technical support personnel.

Related Commands Related Commands

no debug

show debug

undebug

del

To remove a file, use the del EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to remove a file from any directory. Note that some files are necessary for proper functionality and should not be removed.

Examples

Related Commands RelatedCommands

cpfile

deltree

mkdir

mkfile

rmdir

deltree

To remove a directory recursively and all files that it contains, use the deltree EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to remove a directory and all files within the directory from the CE (dosfs file system). Do not remove necessary files or directories, such as log files or directories, for proper functionality. It may not be possible to move a log file to a new directory without losing functionality.

Examples

Related Commands Related Commands

del

dir

To view a long list of files in a directory, use the dir EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to view a detailed list of files contained within the working directory, including names, sizes, and time created. The equivalent command is lls.

Examples

Related Commands

ls

lls

disable

To turn off privileged EXEC commands, use the disable EXEC command.

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Usage Guidelines

The disable command places you in EXEC mode. To turn privileged EXEC mode back on, use the enable command.

Examples

Related Commands Related Commans

enable

disk

To configure the CE disks, use the disk EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC command

Usage Guidelines

Disk partition allocates portions of a disk for the specified file systems. The partition sizes are not user-configurable. Use the show disks command to obtain the names of installed disks.

Caution   Partitioning a disk destroys all of its contents. After partitioning, each file system must be formatted and mounted before it can be used.

Using the disk prepare command automates the preparation of a disk. This command partitions the disk and then formats and mounts all the partitions.

The disk manufacture command initializes a disk for use by the CE, and must be run on each disk before that disk is used by the CE for the first time. The disk manufacture command needs to be executed only once for each disk.

---

Note   The disk manufacture command is executed on each internal CE disk by Cisco Systems prior to shipping.

---

Cisco Storage Array Guidelines

Use the disk manufacture command to partition, format, and mount new disk drives for the Cisco Storage Array. The disk manufacture command erases the master boot record (sector 0) of the disk and sets up the disk to have partitions for the various file systems (that is, dosfs, cfs, boot file system [bfs]). It also formats and mounts the appropriate file system on the volumes.

Target numbers are not statically mapped to a SCSI ID or a slot number. Upon bootup, the CE SCSI driver always scans the SCSI bus in the same direction and assigns logical target numbers to disks in simple numerical sequence according to their order on the SCSI bus. The first disk drive discovered on the SCSI bus is designated target 0; the second target 1; the third target 2; and so on. Targets 0 and 1 are the CE internal disk drives.

Targets 2 through 13 are assigned to Storage Array disk drives. The leftmost hard disk inserted in a Storage Array bus is always target 2. Counting to the right, the next disk is target 3, the next disk is target 4, and so on. There can be empty slots between targets on the same bus, but this is not recommended. In a two-host, split-bus configuration, each bus is counted independently.

For example, in a split-bus, six-disk, fully populated Storage Array, bus 0 disk drive targets are 2, 3, 4, and bus 1 disk drive targets are 2, 3, 4. If the first disk on bus 1 is removed (slot 5 is empty) and the CE rebooted, bus 0 targets are still 2, 3, 4, but bus 1 targets are 2 and 3. The empty disk slot is skipped, and the target count begins with the first detected disk on bus 1.

Once a disk drive has been partitioned and formatted, it can be used in any Storage Array slot, but moving a disk drive from one slot to another makes the data it contains unusable to the CE. Power cycle the CE if the following actions occur while the Storage Array is in operation:

• A disk is moved from one slot to another.

• A disk is removed, or removed and reinserted.

Examples

In the following example, cache1 and cache2 are CE 590 machines running software release 2.2.0. Refer to the Cisco Storage Array Installation and Configuration Guide for further information on configuring the Storage Array.

---

Note   The larger the storage capacity of the disk drive, the longer the duration of the disk manufacture routine.

---

In this example, six Storage Array disk drives are initialized in a single-host, joined-bus Storage Array configuration.

In the following example, cache1 is connected to the SCSI 0 connector of the Storage Array and cache2 is connected to the SCSI 1 connector.

The disks of a fully populated six-disk Storage Array are initialized in a two-host, split-bus configuration.

The disk erase-all-partitions command unmounts all the currently mounted file systems on the specified device (disk) and erases all the partitions from the master boot record (sector 0).

To create only a DOS partition on the first disk, enter the following commands:

Related Commands

cfs

disk

dosfs

show disk-partitions

show disks

dns-cache

To configure the DNS cache, use the dns-cache global configuration command. To disable the DNS cache, use the no form of this command.

Syntax Description

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

Content size refers to the maximum number of DNS entries to be stored at one time. Domain name resolution requires that at least one DNS name server be configured with the ip name-server command. The DNS cache goes online when the ip name-server command is configured, and goes offline when the last IP name-server configuration is deleted with the no ip name-server ip-address command.

Examples

Related Commands Related Comands

ip name-server

clear dns-cache

show dns-cache

dnslookup

show statistics dns-cache

dns-ttl

To specify the DNS Time To Live (TTL) value contained in a content routing agent DNS response, use the dns-ttl command in domain configuration mode.

Syntax Description

Defaults

The default number of seconds to live is 20.

Command Modes

Domain configuration

Usage Guidelines

If you are using the CE as a content routing agent, use this command to specify the DNS TTL value contained in the DNS response generated by the agent. In general, a lower DNS TTL value ensures more recent content, whereas a higher DNS TTL value reduces the Content Router load.

The higher the DNS TTL value, the less the load on the Content Router. A lower value means an increased Content Router load, but also means that the addresses of CEs that won DNS races are used for a shorter amount of time in the annealing process. (Refer to Chapter 1 of the Cisco Content Routing Software Configuration Guide and Command Reference for an explanation of the DNS race and the simulated annealing process.) For example, if the DNS TTL is set at 60 seconds, a DNS server returns to the Content Router to look up a domain name no more than once a minute. In other words, the name server uses the winning CE address for 60 seconds before consulting the Content Router again.

A dns-ttl command entered on a CE overrides a dns-ttl command entered on the Content Router.

Examples

dnslookup

To resolve a host or domain name to an IP address, use the dnslookup EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Examples

dosfs

To configure the DOS file system, use the dosfs EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to format and mount the DOS file systems after partitioning disks. Use this command to repair DOS file systems that are causing errors.

The default configuration has only one DOS file system. This file system is created on the first disk in the system and has a special name "/local." This file system contains various files necessary for correct functioning of the CE.

The dosfs format command formats the dosfs partition to prepare it for a dosfs mount.

The dosfs mount command creates and maps data structures that map to the physical dosfs partition on the disk.

The dosfs unmount command frees the in-memory data structures that map to the physical dosfs partition on the disk.

Examples

Related Commands Relatmands

cd

copy

cpfile

del

deltree

dir

ls

mkdir

mkfile

enable

To turn on privileged commands, use the enable EXEC command.

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

To return to privileged EXEC mode from user EXEC mode, use the enable command.

The disable command takes you from privileged EXEC mode back to user EXEC mode.

Examples

Related Commands Related Commands

disable

end

To exit global configuration mode, use the end global configuration command.

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Usage Guidelines

Use the end command to exit global configuration mode after completing any changes to the running configuration. To save new configurations to NVRAM, use the write command.

The Ctrl-Z command also exits global configuration mode.

Command Modes

Global configuration

Examples

Related Commands Related mands

exit

error-handling

To set error-handling options, use the error-handling global configuration command.

Syntax Description

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

With the transparent option enabled, end users can receive browser-generated messages rather than a CE-generated HTML page for errors that the CE encounters while processing a client request or response. Thus, the CE remains transparent (invisible) to the end user.

Transparent error reporting is implemented as follows:

• CE running WCCP Version 2

To make the source of the error messages transparent to the user, the client/server pair is added to the bypass list and an HTTP redirect message is sent to the client, requesting the client to redirect the request to the same URL as before. The client, on receiving the redirect message, sends back the request once again. This time, the request is bypassed by the CE because the client/server pair is on the bypass list. The request now goes to the server directly. Since the connection was not accepted by the CE, any timeout error, failure to connect to the server, or mangled response from the server is handled by the browser. Currently all entries on the bypass list are kept for a configurable period of time (for example, 5 minutes).

When an internal failure in the CE occurs while it is processing a request, a reset is sent back to the client and the connection is closed. This is because memory is needed to add the client/server pair to the bypass list. When a browser receives a connection reset, it pops up a "Connection Reset By Peer" alert box.

• CE running WCCP Version 1

For all error conditions, the CE sends back a reset and closes the connection. It does not send back any error pages. All errors seen by the clients are in the familiar browser error format.

• CE acting as an incoming proxy server

The CE sends back HTML error pages. When clients are using the CE as an incoming proxy server, they will receive the HTML error pages generated by the clients.

Examples

exception debug

We recommend that the exception debug command be used only at the direction of Cisco Systems technical support personnel.

Command Modes

Global configuration

exec-timeout

To configure the length of time that an inactive terminal session window will remain open, use the exec-timeout global configuration command. To disable the exec timeout, use the no form of this command.

Syntax Description

Defaults

The default is 150 minutes.

Command Modes

Global configuration

Usage Guidelines

Use this command to establish the length of time, in minutes, that an inactive terminal session window will remain open.

Examples

exit

To exit any configuration mode or close an active terminal session and terminate an EXEC mode session, use the exit EXEC command.

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC, global configuration, and interface configuration

Usage Guidelines

Use the exit command in global configuration mode to return to EXEC mode. You can also press Ctrl-Z or use the end command from any configuration mode to return to EXEC mode.

Use the exit command in EXEC command mode to close an active terminal session and terminate the EXEC mode session.

Examples

Related Commands Relateands

end

ftp

Use the ftp global configuration command to configure FTP caching services on the CE. Use the no form of the command to selectively disable options.

Syntax Description

Defaults

• dl_time is 30 percent.

• fo_time is 60 percent.

• dlmax_days is 7 days.

• fmax_days is 3 days.

• dlmax_hours is 72 hours.

• fmax_hours is 168 hours.

• dlmax_min is 4320 minutes.

• fmax_min is 10080 minutes.

• dlmax_sec is 259200 seconds.

• fmax_sec is 604800 seconds.

• min_minutes is 86400 minutes.

• directory-listing age_percent is 50 percent.

• file age_percent is 80 percent.

Command Modes

Global configuration

Usage Guidelines

The CE can handle ftp:// style FTP requests over HTTP transport in proxy mode.

When the CE receives an FTP request from the web client, it first looks in its cache. If the object is not in its cache, it fetches the object from an upstream FTP proxy server (if one is configured), or directly from the origin FTP server.

The CE caches both the FTP file objects and directory listings. The content (directory listings and files) is stored in the cfs.

The FTP proxy supports passive and active mode for fetching files and directories. Passive mode is the default. The CE automatically changes to active mode if passive mode is not supported by the FTP server.

The FTP proxy supports anonymous as well as authenticated FTP requests. Only base64 encoding is supported for authentication. The FTP proxy accepts all FTP URL schemes defined in RFC 1738. In the case of a URL in the form ftp://user@site/dir/file, the proxy sends back an authentication failure reply and the browser supplies a popup window for the user to enter login information.

The FTP proxy supports commonly used MIME types, attaches the corresponding header to the client, chooses the appropriate transfer type (binary or ASCII), and enables the browser to open the FTP file with the configured application. For unknown file types, the proxy uses binary transfer as the default and instructs the browser to save the download file instead of opening it. The FTP proxy returns a formatted directory listing to the client if the FTP server replies with a known format directory listing. The formatted directory listing has full information about the file or directory and provides the ability for users to choose the download transfer type.

The CE caches FTP traffic only when the client uses the CE as a proxy server for FTP requests. All FTP traffic that was sent directly from the web client to an FTP server, if transparently intercepted by the CE, is treated as non-HTTP traffic.

The FTP proxy supports up to eight incoming ports. It can share the ports with transparent-mode services and also with the other proxy-mode protocols supported by the CE, such as HTTP and HTTPS. In proxy-mode, the CE accepts and services the FTP requests only on the ports configured for FTP proxy. All the FTP requests on other proxy-mode ports are rejected in accordance with the error-handling settings on the CE.

The CE can apply the rules template to FTP requests based on server name, domain name, server IP address and port, client IP address, and URL.

The CE logs FTP transactions in the transaction log, in accordance with the Squid syntax. When URL tracking is enabled, the CE logs FTP transaction information to the syslog. The syslog entries are prefixed with <ftp>.

Examples

This example configures an incoming FTP proxy on ports 8080, 8081, and 9090. Up to eight incoming proxy ports can be configured on the same command line.

This example removes one FTP proxy port from the list entered in the previous example. Ports 8080 and 9090 remain FTP proxy ports.

This example disables all the FTP proxy ports.

This example configures an upstream FTP proxy with the IP address 172.76.76.76 on port 8888.

This example specifies an anonymous password string for the CE to use when contacting FTP servers. The default password string is anonymous@hostname.

This example configures the maximum size in kilobytes of an FTP object that the CE will cache. By default, the maximum size of a cachable object is not limited.

This example forces the CE to revalidate all objects for every FTP request.

This example configures a maximum Time To Live of 3 days in cache for directory listing objects and file objects.

Related Commands

rule use-proxy

show ftp

fullduplex

To configure an interface for full-duplex operation, use the fullduplex interface configuration command. To disable this function, use the no form of this command.

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Interface configuration

Usage Guidelines

Use this command to configure an interface for full-duplex operation. Full-duplex operation allows data to travel in both directions at the same time. A half-duplex setting ensures that data only travels in one direction at any given time. If you encounter excessive collisions or network errors, try configuring the interface for half duplex rather than full duplex.

Examples

Related Commands Related Commands

halfduplex

gui-server

To specify the number of the CE management graphical user interface (GUI) server port, use the gui-server global configuration command. To disable the GUI server port, use the no form of the command.

Syntax Description

Defaults

The default port is 8001.

Command Modes

Global configuration

Usage Guidelines

To find out how to access the CE management GUI, refer to the "Logging On to the Management Interface" section in Chapter 1 of the Cache Software Configuration Guide.

Examples

The following example enables the CE management GUI on port 8002.

Related Commands

show gui-server

halfduplex

To configure an interface for half-duplex operation, use the halfduplex interface configuration command. To disable this function, use the no form of this command.

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Interface configuration

Usage Guidelines

Use this command to configure an interface for half-duplex operation. Full-duplex operation allows data to travel in both directions at the same time. A half-duplex setting ensures that data only travels in one direction at a time. If you encounter collisions or other network errors, try configuring an interface for half duplex rather than full duplex.

Examples

Related Commands Related Commands

fullduplex

help

To access online help for the command-line interface, use the help EXEC or global configuration command.

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC, global configuration

Usage Guidelines

Two styles of help are provided:

• Full help is available when you are ready to enter a command argument (for example, show ?) and describes each possible argument.

• Partial help is provided when you enter an abbreviated command and you want to know what arguments match the input (for example, show stat?).

Examples

hostname

To configure the CE network name, use the hostname global configuration command. To reset the host name to the default setting, use the no form of this command.

Syntax Description

Defaults

The default host name is the CE model number (CE505, CE550, CE560, CE570, CE590, and so forth).

Command Modes

Global configuration

Usage Guidelines

Use this command to configure the host name for the CE. The host name is used for the command prompts and default configuration filenames.

Examples

The following example changes the host name to sandbox:

http

To configure HTTP-related parameters, use the http global configuration command. To disable HTTP related-parameters, use the no form of this command.

Syntax Description

Defaults

• age-multiplier texttime: 30 percent of the object's age

• age-multiplier bintime: 60 percent of the object's age

• maxthresh: 256 kilobytes

• minthresh: 32 kilobytes

• percenthresh: 80 percent

• port: port 8080

• object max-size: no maximum size

• url-validation: enabled

Command Modes

Global configuration

Usage Guidelines

Use these commands to configure specific parameters for caching HTTP objects.

---

Note   Text objects refer to HTML pages. Binary objects refer to all other web objects (for example, GIFs or JPEGs).

---

If a cached object's HTTP header does not specify an expiration time, the age-multiplier and max-ttl options provide a means for the CE to age cached objects. The CE's algorithm to calculate an object's cache expiration date is as follows:

Expiration date = (Today's date - Object's last modified date) * Freshness factor

The freshness factor is computed from the text and binary percentage parameters of the age-multiplier command. Valid age-multiplier values are 0 to 100 percent of the object's age. Default values are 30 percent for text and 60 percent for binary objects. After the expiration date, the object is considered stale, and subsequent requests result in a fresh retrieval by the CE.

The max-ttl option sets the upper limit on estimated expiration dates. An explicit expiration date in the HTTP header takes precedence over the configurable TTL (Time To Live).

The serve-ims option responds to an if-modified-since request issued from a client browser by serving the object directly from the cache without revalidating with the origin server whether the object is less than the configured percentage of its maximum age.

The cache-cookies option enables the CE to cache binary objects served with HTTP set-cookies headers and no explicit expiration information.

The cache-authenticated option enables the CE to cache authenticated content. If this command is enabled, the CE will not serve authenticated objects without first revalidating the authentication header attached to the cached object.

The reval-each-request option enables the CE to revalidate all objects requested from the cache, text objects only, or none at all.

The cache-miss revalidate option revalidates a cache-miss request forced by the client (shift-reload).

Use the object max-size option to specify the maximum size in kilobytes of a cachable object. The default is no maximum size for a cachable object. The no form of the command resets the default value.

The cluster option modifies the healing mode parameters. A cluster refers to a group of two or more CEs within a single WCCP Version 2 environment. Healing mode describes the addition of a CE to an existing network, and the resulting "healing" time it takes to fill the cache with content. To disable healing mode, you must set the number of misses to 0.

The proxy mode option enables the CE to operate in environments where WCCP is not enabled, or where client browsers have previously been configured to use a legacy proxy server. You must configure the proxy incoming port to accept proxy-style requests using the proxy incoming port option.

To configure the CE to direct all HTTP miss traffic to a parent cache (without using ICP or WCCP), use the proxy outgoing host hostname port option, in which hostname is the system name or IP address of the outgoing proxy server, and port is the port number designated by the outgoing (upstream) server to accept proxy requests.

The cache-on-abort option provides user-defined thresholds to determine whether or not the CE will complete the download of an object when the client has aborted the request. When the download of an object aborts before it is completed, the object is not stored on the CE or counted in the hit-rate statistics. Client abort processing occurs when a client of the CE aborts the download of a cachable object before the download is complete. Typically, a client aborts a download by clicking the Stop icon on the browser, or by closing the browser during a download.

If the cache-on-abort option is enabled and all cache-on-abort thresholds are disabled, then the CE always aborts downloading an object to the cache. If the CE determines that there is another client currently requesting the same object, downloading is not aborted. The CE only applies those thresholds that have been enabled.

Configure the http ldap-proxy-auth-header global configuration option when the CE and an upstream server or proxy are performing LDAP authentication.

To prevent disclosure of a user's proxy authentication credentials to another host, the CE removes the HTTP Proxy-Authorization header from the HTTP request when it forwards the request. With LDAP authentication it is important that upstream proxies share the authentication credentials carried in the header. To prevent the CE from stripping out the HTTP Proxy-Authorization header, enter the
http append ldap-proxy-auth-header global configuration command. The CE forwards the Proxy-Authorization header with credentials to the specified host name or IP address

HTTP Proxy Failover

The http proxy outgoing option can configure backup proxy servers for the HTTP proxy failover feature. One proxy server functions as the primary proxy server and all requests are redirected to it. If the primary proxy server fails to respond to the HTTP CONNECT request, the server is noted as failed and the requests are redirected to the next outgoing proxy server until one of the proxies service the request.

To explicitly designate the primary proxy, use the primary keyword. If several proxies are configured with the primary keyword, the last one configured overrides the others. Failover to a proxy server occurs in the order the proxy servers were configured. In the event that all the configured proxy servers fail, the CE can optionally redirect requests to the origin server if the user enters the http proxy outgoing origin-server option. If the user has configured the origin-server option, the CE directs HTTP requests to the original server specified in the HTTP header. If the option is not enabled, the client receives the error. Response errors and read errors are returned to the client, since it is not possible to detect whether these errors are generated at the origin server or at the proxy. Up to eight outgoing proxy servers can be configured for a single CE.

The state of the proxy servers is maintained by active monitoring, which occurs in the background. The state of the proxy servers can be seen in the CLI and syslog NOTICE messages. This interval is configured with the http proxy outgoing monitor option. This outgoing monitor interval is the frequency with which a single proxy server is polled. Only one proxy server is polled per interval. If more than one proxy server is configured, the delay is in multiple intervals of the monitor value. If one of the proxy servers is unavailable, the polling mechanism waits for the connect timeout before polling the next server.

The configuration specified by the rule command has precedence over any other configured proxy server. If an administrator created a use-proxy rule, the HTTP request is directed only to the proxy specified by the rule. For example:

• rule use-proxy ipaddr1 port_number domain cisco.com

• rule use-proxy ipaddr1 failover

Requests to the domain "cisco.com" fail over to the backup proxies if ipaddr1 is unavailable. Any other rule that uses ipaddr1 fails over to the backup proxies when ipaddr1 fails. Each request is checked to determine if the protocol supports failover (currently, only HTTP). If so, those requests fail over to the list of outgoing proxies configured with the http proxy outgoing host option. In the event that all proxy servers fail, the failover of the rule command sends the request to the origin server if the http proxy outgoing origin-server option is entered.

Requests with destinations included in the proxy-protocols outgoing-proxy exclude list bypass the CE proxy as well as the failover proxies.

When an HTTP request intended for another proxy server is intercepted by the CE in transparent mode, the CE forwards the request to the intended proxy server if the proxy-protocols transparent original-proxy command was entered.

The proxy failover feature currently supports only HTTP, and not HTTPS or FTP.

The persistent-connections enable command enables persistent connections on the CE. To configure the number of seconds the CE should wait for a connection response before it times out, use the timeout option. To set the number of seconds that the CE should allow an idle persistent connection to remain open, use the max-idle option.

The http object url-validation option has a dependency with the ip name-server CLI command. When the ip name-server option is not configured (for example, during transparent proxy), http object url-validation is dynamically turned off. When the ip name-server option is configured, http object url-validation is turned on automatically if and only if it was enabled.

---

Caution   URL validation is on by default. We strongly recommend that you keep URL validation enabled, because disabling URL validation might make the CE vulnerable to corruption from the HTTP objects in the cache.

---

Examples

In this example, the host 10.1.1.1 on port 8088 is designated the primary proxy server, and host 10.1.1.2 is a backup proxy server.

CE(config)# http proxy outgoing host 10.1.1.1 8088 primary CE(config)# http proxy outgoing host 10.1.1.2 220

In this example, the CE is configured to redirect requests directly to the origin server in the event that all of the proxy servers fail.

CE(config)# http proxy outgoing origin-server

In this example, the CE is configured to monitor the proxy servers every 120 seconds.

CE(config)# http proxy outgoing monitor 120

To disable any of the above, use the no version of the command.

Proxy Failover Show Commands

Console# show http proxy Incoming Proxy-Mode: Servicing Proxy mode HTTP connections on ports: 8080 Outgoing Proxy-Mode: Primary proxy server: 172.69.63.150 port 1 Failed Backup proxy servers: 172.69.236.151 port 8005 172.69.236.152 port 123 172.69.236.153 port 65535 Failed 172.69.236.154 port 10 Proxy monitor interval: 60 seconds Use Origin Server upon Proxy Failure.

Statistics

Console# show statistics http requests Statistics - Requests Total % of Requests --------------------------------------------------- Total Received Requests: 43 - Forced Reloads: 0 0.0 Near Hits: 0 0.0 Server Errors: 0 0.0 URL Blocked: 0 0.0 Sent to Outgoing Proxy: 32 74.4 Failures from Outgoing Proxy: 0 0.0 Excluded from Outgoing Proxy: 11 25.6 ICP Client Hits: 0 0.0 ICP Server Hits: 0 0.0 HTTP 0.9 Requests: 0 0.0 HTTP 1.0 Requests: 43 100.0 HTTP 1.1 Requests: 0 0.0 HTTP Unknown Requests: 0 0.0 Non HTTP Requests: 0 0.0 Non HTTP Responses: 0 0.0 Chunked HTTP Responses: 0 0.0 Flow-controlled HTTP streams: 2 4.7 Http Miss Due To DNS: 0 0.0 Http Deletes Due to DNS: 0 0.0 Objects cached for min ttl: 0 0.0 Console# show statistics http proxy out HTTP Outgoing Proxy Statistics Attempts Failures Successes Cleared ---------------------------------------------------- 10.1.1.1: 0 1 0 0 172.31.227.111: 32 0 0 40 Requests when all proxies were failed: 0 Console(config)# http append ldap-proxy-auth-header ? Hostname or A.B.C.D IP address or hostname of proxy/server to receive proxy-auth headers Console(config)# http append ldap-proxy-auth-header 172.16.1.1 Console(config)# http age-multiplier text 30 bin 60 Console(config)# http reval-each-request text Console(config)# no http age-multiplier text 30 bin 60 Console(config)# no http reval-each-request text

• With the default configuration (all cache-on-abort thresholds disabled), configure client abort processing to always abort downloading an object to the cache:

Console(config)# http cache-on-abort enable

• Configure the CE to always continue downloading an object to the cache (this is the default configuration):

Console(config)# no http cache-on-abort

• Configure the CE to use the default minimum threshold when the cache-on-abort option has been enabled, and set the threshold to 16 kilobytes:

Console(config)# http cache-on-abort min 16

• Configure the CE to not consider the minimum threshold:

Console(config)# no http cache-on-abort min

The cache-on-abort max and percent thresholds are configured like the minimum threshold shown in the examples.

Related Commands

ldap

proxy-protocols

rule no-proxy

rule use-proxy

show http

show http proxy

show ldap

show statistics http requests

show statistics http proxy outgoing

https

Use the https global configuration command to configure the CE for HTTPS proxy services.

Syntax Description

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

The order in which the CLI commands are entered is not important.

The CE supports HTTPS in the following two scenarios:

• The CE receives an HTTPS request sent by a web client configured to use the CE as an HTTPS
  proxy server.

• The CE in transparent mode intercepts a request sent by a web client to another HTTPS
  proxy server.

In both cases the CE creates a connection to the origin server (directly or through another proxy server) and allows the web client and origin server to set up an SSL tunnel through the CE.

HTTPS traffic is encrypted and cannot be interpreted by the CE or any other device between the web client and the origin server. HTTPS objects are not cached.

Because HTTPS does not provide headers used for most rule matching, the CE can only apply rules that are based on server name, domain name, or server IP address and port. See the "rule" section for further information.

The CE as an HTTPS proxy server supports up to eight ports. It can share the ports with transparent-mode services and with HTTP. In proxy mode, the CE accepts and services the HTTPS requests on the ports specified with the https proxy incoming command. All HTTPS requests on other proxy-mode ports are rejected in accordance with the error-handling settings on the CE. In transparent mode, all HTTPS proxy-style requests intended for another HTTPS proxy server are accepted. The CE acts on these transparently received requests in accordance with the proxy-protocols transparent command.

When the CE is configured to use an HTTPS outgoing proxy with the https proxy outgoing host command, all incoming HTTPS requests are directed to this outgoing proxy. The proxy-protocols outgoing-proxy exclude command creates a global proxy exclude list effective for all proxy server protocols including HTTPS. The CE applies the following logic when an outgoing proxy server is configured:

• If the destination server is in the global exclude list, then go directly to the destination server.

• If the destination server is not in the global exclude list, the request is HTTP, and the destination server is in the HTTP exclude list; go directly to the destination server.

• If the destination server is not in the global exclude list or in the HTTP exclude list, then go to the outgoing proxy server.

When a CE intercepts a proxy request intended for another proxy server and there is no outgoing proxy configured for HTTPS, and the proxy-protocols transparent default-server command is invoked, the CE addresses the request to the destination server directly and not to the client's intended proxy server.

Statistics Reporting

Only connection statistics are reported. Because requests and responses are sent through the secure tunnel, the CE is not able to identify the number of requests sent, or the number of bytes per request. Thus, the request and transaction per second (TPS) statistics are not available for HTTPS.

Transaction Logging

The CE logs HTTPS transactions in the transaction log in accordance with Squid syntax. One log entry is made for each HTTPS connection, although many transactions are performed per connection. The CE is not aware of objects conveyed through the SSL tunnel, only the HTTPS server name.

Syslog and URL Tracking

When URL tracking is enabled, the CE logs HTTPS transaction information to the syslog file. The syslog entries have the prefix <https>. For HTTPS, there are no "misses" or "hits." Because the CE ignores objects transferred through an SSL tunnel, there is only one URL tracking entry per HTTPS connection (similar to the transaction log).

Examples

In this example, the CE is configured as an HTTPS proxy server, and accepts HTTPS requests on ports 81, 8080, and 8081.

In this example, the CE is configured to forward HTTPS requests to an outgoing proxy server (10.1.1.1) on port 8880.

In this example, HTTPS destination port connection requests are denied for ports 20, 21, 23, and 119.

In this example, a domain name is excluded from being forwarded to the outgoing proxy server.

Related Commands

proxy-protocols

http proxy

show proxy-protocols

show http proxy

icp

To configure the Internet Cache Protocol (ICP) client and server, use the icp global configuration command. To disable the ICP client and server, use the no form of this command.

Syntax Description l

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

Use these commands to establish and configure the ICP server and client functionality of the CE. Configurations made without enabling ICP functionality will be stored within the configuration until removed. To enable the ICP server or client functionality, use the icp {server | client} enable command. Be sure to enable the ICP on any other CEs or ICP servers or clients within the ICP environment to ensure proper service. You can monitor the statistical data of the ICP service using the show statistics icp EXEC command.

Examples

Related Commands Related Commands

show icp client

show icp server

show statistics icp

inetd

To configure, enable, and disable TCP/IP services, use the inetd global configuration command. To disable TCP/IP services, use the no form of this command.

Syntax Description

Command Modes

Global configuration

Defaults

echo: Disabled.

discard: Disabled.

chargen: Disabled.

ftp: Five sessions.

rcp: Five sessions.

tftp: Five sessions.

telnet: Three sessions.

Usage Guidelines

Use these commands to configure the parameters of TCP/IP services on the CE. The limit for any service is a maximum of 20 tasks. Use the show inetd command to list current inetd configurations and the number of current tasks running.

Examples

Related Commands Related Comands

show inetd

install

To install a new version of CE software, use the install EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Install and run the .pax file from the /local directory only. When the install command is executed, the .pax file is expanded. The expanded files overwrite the existing files in the CE. The newly installed version takes effect after the system image is reloaded.

Examples

Related Commands Related Commands

reload

interface

To configure an Ethernet interface, use the interface global configuration command. To disable an Ethernet interface, use the no form of this command.

Syntax Description

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

Use the interface command to begin interface configuration, such as setting an IP address for an interface, a subnet mask for an interface, broadcast address, or manually setting the speed or duplex mode.

Examples

Related Commands Related Commands

show interface

ip

To configure the IP interface, use the ip interface configuration command. To disable this function, use the no form of this command.

Syntax Description

Defaults

No default behavior or values

Command Modes

Interface configuration

Usage Guidelines

Use this command to set or change the IP address and subnet mask of the CE (interface ethernet 0). The CE requires a reboot in order for the new IP address to take effect.

Examples

ip

To configure the IP addresses of the network hosts necessary for network connectivity, use the ip global configuration command.

Syntax Description

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

To define a default gateway, use the ip default-gateway global configuration command. To delete the IP default gateway, use the no form of this command.

The CE uses the default gateway to route IP packets when there is no specific route found to the destination.

To define a default domain name, use the ip domain-name global configuration command. To remove the IP default domain name, use the no form of this command.

The CE appends the configured domain name to any IP host name that does not contain a domain name. The appended name is resolved by the DNS server and then added to the host table. The CE must have at least one domain name server specified for the host name resolution to work correctly. Use the ip name-server hostname command to specify domain name servers.

To specify the address of one or more name servers to use for name and address resolution, use the ip name-server global configuration command. To disable IP name servers, use the no form of this command.

For proper resolution of host name to IP address or IP address to host name, the CE uses DNS servers. Use the ip name-server command to point the CE to a specific DNS server. You can configure up to eight servers.

To configure static IP routing, use the ip route global configuration command. To disable an IP routing, use the no form of this command.

Use the ip route command to add a specific static route for a network host. Any IP packet designated to the specified host uses the configured route.

Examples

Related Commands

show ip route

ip-ttl

To specify the IP Time To Live (TTL) value contained in the content routing agent's DNS response, use the ip-ttl command in domain configuration mode.

Syntax Description

Defaults

The default is 255 hops.

Command Modes

Domain configuration

Usage Guidelines

If you are using the CE as a content routing agent, use this command to set the IP TTL artificially low in order to restrict the number of hops that agent DNS responses can travel.

---

Note   An ip-ttl command entered on an agent overrides an ip-ttl command entered on the Content Router.

---

Examples

key

To specify the keyword that is used to encrypt packets sent between the Content Router and CEs, use the key domain configuration command.

Syntax Description

Defaults

No default behavior or values

Command Modes

Domain configuration

Usage Guidelines

If you are configuring the CE as a content routing agent, use this command to specify the same shared keyword on the Content Router and each CE. You can use a unique keyword for each domain.

Examples

ldap

To configure the CE to perform user authentication with a Lightweight Directory Access Protocol (LDAP) server, use the ldap global configuration command.

Syntax Description

Defaults

• auth-timeout minutes: 480

• max-entries entries: 2000 for the CE505; 4000 for the CE5; 8000 for the CE570; 16000 for the CE590

• auth-header: HTTP 401

• allow-mode: enabled

• portnumber: 389

• retransmit retries: 3

• timeout seconds: 5

• useidword: uid

Usage Guidelines

An LDAP-enabled CE authenticates users with an LDAP server. With an HTTP query, the CE obtains a set of credentials from the user (user ID and password) and compares them against those in an LDAP server.

All LDAP version 3 features are supported except for Secure Authentication and Security Layer (SASL).

When the CE authenticates a user through the LDAP server, a record of that authentication is stored locally in the CE RAM (authentication cache). As long as the authentication entry is kept, subsequent attempts to access restricted Internet content by that user do not require LDAP server lookups.

The ldap authcache max-entries command sets the maximum number of authentication cache entries retained. The default values are as follows:

• CE505—2,000 entries (128 MB total system memory)

• CE550—4,000 entries (256 MB total system memory)

• CE570—6,000 entries (384 MB total system memory)

• CE590—16,000 entries (1 GB total system memory)

The ldap authcache auth-timeout command specifies how long an inactive entry can remain in the authentication cache before it is purged. Once a record has been purged, any subsequent access attempt to restricted Internet content requires an LDAP server lookup for reauthentication.

Proxy Mode LDAP Authentication

The events listed below occur when the CE is configured for LDAP authentication and one of the following two scenarios is true:

• The CE receives a proxy-style request from a client.

• The CE receives a transparent (WCCP-style) request from a client and the CE ldap client auth-header command parameter is set to 407 (because there is an upstream proxy).

1. The CE examines the HTTP headers of the client request to find user information (contained in the Proxy-Authorization header).

2. If no user information is provided, the CE returns a 407 (Proxy Authorization Required) message to the client.

3. The client resends the request, including the user information.

4. The CE searches its authentication cache (based on user ID and password) to see if the client has been previously authenticated.

5. If a match is found, the request is serviced normally.

6. If no match is found, the CE sends a request to the LDAP server to find an entry for this client.

7. If the server finds a match, the CE allows the request to be serviced normally and stores the client's user ID and password in the authentication cache.

8. If no match is found, the CE again returns a 407 (Proxy Authorization Required) message to the client.

Transparent Mode LDAP Authentication

The events listed below occur when the CE is configured for LDAP authentication and both of the following are true:

• The CE receives a redirected request from a client.

• The ldap client auth-header configuration parameter is set to 401 (because there is no upstream proxy).

1. The CE searches its authentication cache to see if the user's IP address has been previously authenticated.

2. If a match is found, the CE allows the request to be serviced normally.

3. If no match is found in the first step, the CE examines the HTTP headers to find user information (contained in the Authorization header).

4. If no user information is provided, the CE returns a 401 (Unauthorized) message to the client.

5. The client resends the request, including the user information.

6. The CE sends a request to the LDAP server to find an entry for this user.

7. If the server finds a match, the CE allows the request to be serviced normally and stores the client's IP address in the authentication cache.

8. If no match is found, the CE again returns a 401 (Unauthorized) message to the client.

In transparent mode, the CE uses the client's IP address as a key for the authentication database.

If you are using LDAP user authentication in transparent mode, we recommend that the AuthTimeout interval configured with the ldap authcache auth-timeout command be short. IP addresses can be reallocated, or different users can access the Internet through an already authenticated device (PC, workstation, and the like). Shorter AuthTimeout values help reduce the possibility that individuals can gain access using previously authenticated devices. When the CE operates in proxy mode, it can authenticate the user with the user ID and password.

Allow Mode

Two LDAP servers can be specified with the ldap server host command to provide redundancy and improved throughput. CE load-balancing schemes distribute the requests to the servers.

If the CE cannot connect to either server, no authentication can take place. When the ldap server allow-mode command is invoked, the client is permitted access to the origin server if the LDAP server does not respond within the timeout interval specified with the ldap server timeout command. If allow mode is off (no ldap server allow-mode), users who have not been previously authenticated are denied access.

Security Options

The CE uses simple (nonencrypted) authentication to communicate with the LDAP server. Future expansion may allow for more security options based on SSL, SASL, or certificate-based authentication.

Domain Exclude

To exclude domains from LDAP authentication, define a no-auth rule. LDAP or Remote Authentication User Dial-in Service (RADIUS) authentication takes place only if the site requested does not match the specified pattern. See the "rule" section for more details.

LDAP and RADIUS Considerations

LDAP authentication can be used with Websense URL filtering, but not with RADIUS authentication. Both LDAP and RADIUS rely on different servers, which may require different user IDs and passwords, making RADIUS and LDAP authentication schemes mutually exclusive. Should both RADIUS and LDAP be configured on the CE at the same time, LDAP authentication is executed, not RADIUS authentication.

Hierarchical Caching

In some cases, users are located at branch offices. A CE (CE1) can reside with them in the branch office. Another CE (CE2) can reside upstream, with an LDAP server available to both CEs for user authentication.

---

Note   The http append ldap-proxy-auth-header global configuration command must be configured on the downstream CEs to ensure that proxy-authorization information, required by upstream CEs, is not stripped from the HTTP request by the downstream CEs.

---

If branch office user 1 accesses the Internet, and content is cached at CE1, then this content cannot be served to any other branch office user unless that user is authenticated. CE1 must authenticate the local users.

Assuming that both CE1 and CE2 are connected to the LDAP server and authenticate the users, when branch office user 2 firsts requests Internet content, CE1 responds to the request with an authentication failure response (either HTTP 407 if in proxy mode, or HTTP 401 if in transparent mode). User 2 enters the user ID and password, and the original request is repeated with the credentials included. CE1 contacts the LDAP server to authenticate user 2.

Assuming authentication success, and a cache miss, the request along with the credentials is forwarded to CE2. CE2 also contacts the LDAP server to authenticate user 2. Assuming success, CE2 either serves the request out of its cache or forwards the request to the origin server.

User 2 authentication information is now stored in the authentication cache in both CE1 and CE2. Neither CE1 nor CE2 needs to contact the LDAP server for user 2's subsequent requests (unless user 2's entry expires and is removed from the authentication cache).

This scenario assumes that CE1 and CE2 use the same method for authenticating users. Specifically, both CEs must expect the user credentials (user ID and password) to be encoded in the same way.

Hierarchical Caching in Transparent Mode

When the CE operates in transparent mode, the user's IP address is used as a key to the authentication cache. When user 2 sends a request transparently to CE1, after authentication, CE1 will insert its own IP address as the source for the request. Therefore, CE2 cannot use the source IP address as a key for the authentication cache.

When CE1 inserts its own IP address as the source, it must also insert an X-Forwarded-For header in the request (http append x-forwarded-for-header command). CE2 must first look for an X-Forwarded-For header. If one exists, that IP address must be used to search the authentication cache. Assuming the user is authenticated at CE2, then CE2 must not change the X-Forwarded-For header, just in case there is a transparent CE3 upstream.

In this scenario, if CE1 does not create an X-Forwarded-For header (for example, if it is not a Cisco CE and does not support this header), then authentication on CE2 will not work.

Hierarchical Caching, CE in Transparent Mode with an Upstream Proxy

In a topology with two CEs, assume that CE1 is operating in transparent mode and CE2 is operating in proxy mode, with the browsers of all users pointing to CE2 as a proxy.

Because the browsers are set up to send requests to a proxy, an HTTP 407 message is sent from CE1 back to each user to prompt for credentials. By using the 407 message, the problem of authenticating based on source IP address is avoided. The username and password can be used instead.

This mode provides better security than using the HTTP 401 message. The CE examines the style of the address to determine if there is an upstream proxy. If there is, the CE uses an HTTP 407 message to prompt the user for credentials even when operating in transparent mode.

Authentication Cache Size Adjustments

If the authentication cache is not large enough to accommodate all authenticated users at the same time, the CE purges older entries that have not yet timed out.

The CE increments statistics that record these events. The show statistics ldap authcache command displays these statistics. When the authentication cache reaches 100 percent of capacity, a syslog message is generated. If the capacity stays at 100 percent, no new syslog messages are generated.

Another message is generated only if the capacity drops below 85 percent, and then returns to 100 percent. These syslog entries tell the administrator that the authentication cache size limit may need to be increased, assuming that enough system memory is available.

Transaction Logging

Once a user has been authenticated through LDAP, all transaction logs generated by the CE for that user contain user information. If the CE is acting in proxy mode, the user ID is included in the transaction logs. If the CE is acting in transparent mode, the user IP address is included instead.

If the transaction-logs sanitize command is invoked, the user information is suppressed.

Examples

Specify an LDAP server with IP address 10.1.1.1 on port 88.

To delete an LDAP server, use the no ldap server command.

Specify that the CE should use header 407 when asking the end user for authentication credentials (user ID and password).

Related Commands

show ldap

show statistics ldap

clear statistics ldap

debug ldap

lls

To view a long list of directory names, use the lls EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

This command provides detailed information about files and subdirectories stored in the present working directory to be viewed (including size, date, time of creation, DOS name, and long name of the file). This information can also be viewed with the dir command.

Examples

Related Commands Related Cands

dir

ls

logging

To configure system logging, use the logging global configuration command. To disable logging functions, use the no form of this command.

Syntax Description

Defaults

Logging: On

Priority of message for console: Warning

Priority of message for file: Debugging

Log file: /local/var/log/syslog.txt

Log file recycle size: 5,000,000 bytes

Command Modes

Global configuration

Usage Guidelines

Use this command to set specific parameters of the system log file. System logging is always enabled internally. The system log file is located on the dosfs partition as /local/var/log/syslog.txt. To configure the CE to send varying levels of event messages to an external syslog host, use the logging hostname command. Logging can be configured to send various levels of messages to the console using the logging console loglevels command. It can also be configured to export event messages using the logging event-export events command.

Examples

ls

To view a list of files or subdirectory names within a dosfs directory, use the ls EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

To list the filenames and subdirectories within a particular directory, use the ls directory command; to list the filenames and subdirectories of the current working directory, use the ls command. To view the present working directory, use the pwd command.

Examples

Related Commands

dir

lls

pwd

mfs

To alter default settings of the memory file system (mfs), use the mfs EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

The memory file system cannot be configured with the GUI.

Examples

The example defines the memory file system to use 1 megabyte of memory and to contain no more than 22222 objects.

Related Commands

cfs

show mfs statistics

mkdir

To create a directory, use the mkdir EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to create a new directory or subdirectory in the CE file system.

Examples

Related Commands

dir

lls

ls

pwd

rmdir

mkfile

To create a new file, use the mkfile EXEC command.

Syntax Description

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to create a new file in any directory of the CE.

Examples

Related Commands

lls

ls

mkdir

no

To negate a command or set its defaults, use the no interface configuration command.

Syntax Description

Defaults

No default behavior or values

Command Modes