Cisco OL-7029-01 User Manual

Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
Software Release 2.1(1) May, 2005
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
Fax: 408 526-4100
Text Part Number: OL-7029-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference ©2005, Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface
    Audience
    Organization
    Conventions
    Related Documentation
    Obtaining Documentation
        Cisco.com
        Documentation DVD
        Ordering Documentation
    Documentation Feedback
    Cisco Product Security Overview
        Reporting Security Problems in Cisco Products
    Obtaining Technical Assistance
        Cisco Technical Support Website
        Submitting a Service Request
        Definitions of Service Request Severity
    Obtaining Additional Publications and Information
Chapter 1 Using Content Switching Module Commands
    Using the CSM and CSM-S Commands
    Command Modes
    Regular Expressions
Chapter 2 Content Switching Module with SSL Commands
    arp
    capp udp
    options (CAPP UDP submode)
    port (CAPP UDP submode)
    secure (CAPP UDP submode)
    clear module csm
    dfp
    agent (DFP submode)
    manager (DFP submode)
    exit
    ft group
    failover (fault tolerant submode)
    heartbeat-time (fault tolerant submode)
    preempt (fault tolerant submode)
    priority (fault tolerant submode)
    track (fault tolerant submode)
    hw-module csm standby config-sync
    ip slb mode
    map cookie
    match protocol http cookie (cookie map submode)
    map dns
    match protocol dns domain (DNS map submode)
    map header
    insert protocol http header (header map submode)
    match protocol http header (header map submode)
    map retcode
    match protocol http retcode (return code map submode)
    map url
    match protocol http url (URL map submode)
    module csm
    natpool (module CSM submode)
    variable (module CSM submode)
    owner
    billing-info (owner submode)
    contact-info (owner submode)
    maxconns (owner submode)
    policy
    client-group (policy submode)
    cookie-map (policy submode)
    header-map (policy submode)
    nat client (policy submode)
    serverfarm (policy submode)
    set ip dscp (policy submode)
    sticky-group (policy submode)
    url-map (policy submode)
    probe
    address (probe submode)
    credentials (probe submode)
    description (serverfarm submode)
    expect status (probe submode)
    failed (probe submode)
    header (probe submode)
    interval (probe submode)
    name (probe submode)
    open (probe submode)
    port (probe submode)
    receive (probe submode)
    recover (probe submode)
    request (probe submode)
    retries (probe submode)
    script (probe submode)
    real
    backup real (real server submode)
    health probe (real server submode)
    inservice (real server submode)
    maxconns (real server submode)
    minconns (real server submode)
    redirect-vserver (real server submode)
    weight (real server submode)
    redirect-vserver
    advertise (redirect virtual server submode)
    client (redirect virtual server submode)
    idle (redirect virtual server submode)
    inservice (redirect virtual server submode)
    replicate csrp (redirect virtual server submode)
    ssl (redirect virtual server submode)
    virtual (redirect virtual server submode)
    vlan (redirect virtual server submode)
    webhost backup (redirect virtual server submode)
    webhost relocation (redirect virtual server submode)
    reverse-sticky
    script file
    script task
    serverfarm
    bindid (serverfarm submode)
    description (serverfarm submode)
    failaction (serverfarm submode)
    health (serverfarm submode)
    nat client (serverfarm submode)
    nat server (serverfarm submode)
    predictor (serverfarm submode)
    probe (serverfarm submode)
    retcode-map (serverfarm submode)
    show module csm
    show module csm arp
    show module csm capp
    show module csm conns
    show module csm dfp
    show module csm ft
    show module csm map
    show module csm memory
    show module csm natpool
    show module csm owner
    show module csm policy
    show module csm probe
    show module csm probe script
    show module csm pvlan
    show module csm real
    show module csm real retcode
    show module csm script
    show module csm script task
    show module csm serverfarm
    show module csm static
    show module csm static server
    show module csm stats
    show module csm status
    show module csm sticky
    show module csm tech-script
    show module csm tech-support
    show module csm variable
    show module csm vlan
    show module csm vserver redirect
    show module csm xml stats
    snmp enable traps slb ft
    static
    real (static NAT submode)
    sticky
    cookie offset (sticky submode)
    cookie secondary (sticky submode)
    header (sticky submode)
    static (sticky submode)
    vserver
    advertise (virtual server submode)
    client (virtual server submode)
    description (virtual server submode)
    domain (virtual server submode)
    idle (virtual server submode)
    inservice (virtual server submode)
    owner (virtual server submode)
    parse-length (virtual server submode)
    pending (virtual server submode)
    persistent rebalance (virtual server submode)
    replicate csrp (virtual server submode)
    reverse-sticky (virtual server submode)
    serverfarm (virtual server submode)
    slb-policy (virtual server submode)
    ssl-sticky (virtual server submode)
    status-tracking (virtual server submode)
    sticky (virtual server submode)
    unidirectional (virtual server submode)
    url-hash (virtual server submode)
    virtual (virtual server submode)
    vlan (virtual server submode)
    vlan
    alias (VLAN submode)
    description (VLAN submode)
    gateway (VLAN submode)
    ip address (VLAN submode)
    route (VLAN submode)
    xml-config
    client-group (XML submode)
    credentials (XML submode)
    inservice (XML submode)
    port (XML submode)
    vlan (XML submode)
Chapter 3 Commands Specific to the Content Switching Module with SSL
    clear ssl-proxy conn
    clear ssl-proxy session
    clear ssl-proxy stats
    crypto ca export pem
    crypto ca import pem
    crypto ca export pkcs12
    crypto ca import pkcs12
    crypto key export rsa pem
    crypto key import rsa pem
    debug ssl-proxy
    do
    show ssl-proxy admin-info
    show ssl-proxy buffers
    show ssl-proxy certificate-history
    show ssl-proxy conn
    show ssl-proxy crash-info
    show ssl-proxy mac address
    show ssl-proxy natpool
    show ssl-proxy policy
    show ssl-proxy service
    show ssl-proxy stats
    show ssl-proxy status
    show ssl-proxy version
    show ssl-proxy vlan
    show ssl-proxy vts
    snmp-server enable
    ssl-proxy crypto selftest
    ssl-proxy mac address
    ssl-proxy natpool
    ssl-proxy pki
    ssl-proxy policy http-header
    ssl-proxy policy ssl
    ssl-proxy policy tcp
    ssl-proxy policy url-rewrite
    ssl-proxy pool ca
    ssl-proxy service
    ssl-proxy service client
    ssl-proxy ssl ratelimit
    ssl-proxy vlan
    standby authentication
    standby delay minimum reload
    standby ip
    standby mac-address
    standby mac-refresh
    standby name
    standby preempt
    standby priority
    standby redirects
    standby timers
    standby track
    standby use-bia
Appendix A Acronyms
Index

Preface

This preface describes the audience, organization, and conventions of this publication, and provides information on how to obtain related documentation.
This guide contains the commands available for use with the Cisco Content Switching Module with SSL (CSM-S). Use this guide with the Catalyst 6500 Series Switch Content Switching Module with SSL Installation Note and the Catalyst 6500 Series Switch Content Switching Module with SSL Installation and Configuration Note.

Audience

This publication is for experienced network administrators who are responsible for configuring and maintaining Catalyst 6500 series switches and network managers who perform any of the following tasks:
Managing network security
Configuring firewalls
Managing default and static routes and TCP and UDP services

Organization

This publication is organized as follows:
Chapter     Title                                                      Description
Chapter 1   Using Content Switching Module Commands                    Introduces you to the CSM commands, access modes, and common port and protocol numbers.
Chapter 2   Content Switching Module with SSL Commands                 Provides detailed descriptions of all CSM commands in an alphabetical listing.
Chapter 3   Commands Specific to the Content Switching Module with SSL Provides detailed descriptions of all SSL commands used by the CSM-S in an alphabetical listing.
Appendix A  Acronyms                                                   Lists the acronyms used in this command reference.

Conventions

This document uses the following conventions:
Convention            Description
boldface font         Commands, command options, and keywords are in boldface.
italic font           Arguments for which you supply values are in italics.
[ ]                   Elements in square brackets are optional. Default responses to system prompts are in square brackets.
{ x | y | z }         Alternative keywords are grouped in braces and separated by vertical bars. Braces can also be used to group keywords and/or arguments; for example, {interface interface type}.
[ x | y | z ]         Optional alternative keywords are grouped in brackets and separated by vertical bars.
string                A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
screen font           Terminal sessions and information the system displays are in screen font.
boldface screen font  Information you must enter is in boldface screen font.
italic screen font    Arguments in the screen display for which you supply values are in italic screen font.
^                     The symbol ^ represents the key labeled Control—for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< >                   Nonprinting characters, such as passwords, are in angle brackets.
!, #                  An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Notes use the following conventions:
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Cautions use the following conventions:
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Documentation

For more detailed installation and configuration information for the Content Switching Module with SSL, refer to the following publications:
Release Notes for the Catalyst 6500 Series Switch Content Switching Module with SSL
Catalyst 6500 Series Switch Content Switching Module with SSL Installation Note
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
Regulatory Compliance and Safety Information for the Catalyst 6500 Series Switches
For more detailed installation and configuration information for SSL services, refer to the following publications:
Release Notes for Catalyst 6500 Series SSL Services Module Software Release 2.x
Catalyst 6500 Series Switch SSL Services Module Installation and Verification Note
Catalyst 6500 Series Switch SSL Services Module Command Reference
Catalyst 6500 Series Switch SSL Services Module System Messages
Use this document in conjunction with the CSM documentation available online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/csm_3_3/index.htm
Cisco provides CSM technical tips at the following site:
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps780/index.html

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml

Documentation DVD

Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/

Ordering Documentation

You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883
We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
Report security vulnerabilities in Cisco products.
Obtain assistance with security incidents that involve Cisco products.
Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:
Emergencies—security-alert@cisco.com
Nonemergencies—psirt@cisco.com
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:
http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on
In an emergency, you can also reach PSIRT by telephone:
1 877 228-7302
1 408 525-6532

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
CHAPTER 1

Using Content Switching Module Commands

This chapter describes how to use the CSM and CSM-S commands and contains the following sections:
Using the CSM and CSM-S Commands
Command Modes
Note Except where specifically differentiated, the term “Content Switching Module” and its acronym “CSM” includes both the Content Switching Module and the Content Switching Module with SSL.
The term “Content Switching Module with SSL” and its acronym “CSM-S” are used only where the information presented is specific to the CSM-S.
The term SSL daughter card refers to an SSL termination daughter card for the CSM that accelerates Secure Socket Layer (SSL) transactions.

Using the CSM and CSM-S Commands

This section provides a brief introduction to using commands and where to go for more information on configuring and using your CSM or CSM-S.
You will use these commands for basic tasks:
Command                     Task
write memory                Saving the configuration
write terminal              Viewing the configuration
logging buffered debugging  Accumulating system log (syslog) messages
show logging                Viewing system log (syslog) messages
clear logging               Clearing the message buffer
With the command-line interface (CLI), you can do the following tasks:
Check the syntax before entering a command.
Enter a command and press the ? key to view a quick summary, or precede a command with the help command (help aaa, for example).
Abbreviate commands.
You can use the config t command to start configuration mode, the write t command statement to list the configuration, and the write m command to write to Flash memory. In most commands, the show command can be abbreviated as sh. This feature is called command completion.
Review possible port and protocol numbers at the following Internet Assigned Numbers Authority (IANA) websites:
http://www.iana.org/assignments/port-numbers
http://www.iana.org/assignments/protocol-numbers
Create your configuration in a text editor, and then cut and paste it into the configuration.
You can paste in a line at a time or the whole configuration. Always check your configuration after pasting large blocks of text to be sure that all of the text was copied.
For information about how to build your CSM and CSM-S configuration, refer to the Catalyst 6500 Series Content Switching Module Installation and Configuration Note and Catalyst 6500 Series Switch Content Switching Module with SSL Installation and Configuration Note.
CSM and CSM-S technical documentation is located online at the following websites:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/csm
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/csm/csms

Command Modes

The CSM and CSM-S contain a command set based on Cisco IOS technologies and provide configurable command privilege modes based on the following command modes:
Note When using these modules on a switch running the Catalyst operating system and Cisco IOS, you must session to the Multilayer Switch Feature Card (MSFC) for the router prompt.
Unprivileged mode
The unprivileged mode allows you to view CSM settings. The unprivileged mode prompt appears as follows when you first access the CSM:
Router>
Privileged mode
Any unprivileged mode command will work in privileged mode. Use the enable command to start the privileged mode from the unprivileged mode as follows:
Router> enable
Password:
Router#
The # prompt is displayed.
Use the exit or end commands to exit privileged mode and return to unprivileged mode as follows:
Router# exit
Logoff
Type help or '?' for a list of available commands.
Router>
Use the disable command to exit privileged mode and return to unprivileged mode as follows:
Router# disable
Router>
Configuration mode
The configuration mode allows you to change the configuration. All privileged, unprivileged, and configuration commands are available in this mode. Use the configure terminal command to start the configuration mode as follows:
Router# configure terminal
Router(config)#
Use the exit or end commands to exit configuration mode and return to privileged mode as follows:
Router(config)# end
Router#
Use the disable command to exit configuration mode and return to unprivileged mode as follows:
Router(config)# disable
Router>
Submodes
When you are in a submode, the prompt changes to:
Router(config-submode_name)#

Regular Expressions

Regular expressions used in commands are based on the UNIX filename specification. You will use regular expressions in these commands:
match protocol http cookie (cookie map submode)
match protocol http header (header map submode)
match protocol http url (URL map submode)
Expression                            Meaning
“*”                                   Zero or more characters
“?”                                   Exactly one character—the [Ctrl + V] key combination must be entered
“\”                                   Escaped character
“|”                                   Or
Bracketed range (for example, [0–9])  Matching any single character from the range
Leading ^ in a range                  Do not match any in the range
“.\a”                                 Alert (ASCII 7)
“.\b”                                 Backspace (ASCII 8)
“.\f”                                 Form-feed (ASCII 12)
“.\n”                                 Newline (ASCII 10)
“.\r”                                 Carriage return (ASCII 13)
“.\t”                                 Tab (ASCII 9)
“.\v”                                 Vertical tab (ASCII 11)
“.\0”                                 Null (ASCII 0)
“.\\”                                 Backslash
“.\x##”                               Any ASCII character as specified in two-digit hexadecimal notation
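An added example (not from the Cisco manual and not Cisco code) that translates the expression syntax in the table above into an anchored Python regex, so cookie, header, and URL map patterns can be checked offline against values that must and must not match. Assumptions: the expression must match the whole value, "|" splits the whole expression, "*" and "?" match any character including "/", escapes are read as plain backslash forms (\n, \x##) without the leading "." shown in the table, and the names csm_to_regex, matches, and check are hypothetical.

```python
import re

# Backslash escapes from the table, mapped to the character each denotes.
ESCAPES = {"a": "\a", "b": "\b", "f": "\f", "n": "\n", "r": "\r",
           "t": "\t", "v": "\v", "0": "\0", "\\": "\\"}


def csm_to_regex(pattern):
    """Translate one CSM-style expression into an anchored Python regex string."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":                      # zero or more characters
            out.append(".*")
        elif c == "?":                    # exactly one character
            out.append(".")
        elif c == "|":                    # or (assumed to split the whole expression)
            out.append("|")
        elif c == "[":                    # bracketed range, optional leading ^
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError("unterminated range in %r" % pattern)
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            members = body[1:] if negate else body
            if not members:
                raise ValueError("empty range in %r" % pattern)
            # Keep "-" as the range operator, escape every other member.
            cls = "".join("-" if m == "-" else re.escape(m) for m in members)
            out.append("[" + ("^" if negate else "") + cls + "]")
            i = end
        elif c == "\\":                   # escaped character
            i += 1
            if i == len(pattern):
                raise ValueError("dangling backslash in %r" % pattern)
            e = pattern[i]
            if e == "x":                  # \x## two-digit hexadecimal
                digits = pattern[i + 1:i + 3]
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", digits):
                    raise ValueError("bad \\x escape in %r" % pattern)
                out.append(re.escape(chr(int(digits, 16))))
                i += 2
            else:                         # table escape, else the literal character
                out.append(re.escape(ESCAPES.get(e, e)))
        else:
            out.append(re.escape(c))
        i += 1
    return r"\A(?:" + "".join(out) + r")\Z"


def matches(pattern, value):
    """True if the whole value matches the CSM-style expression."""
    return re.compile(csm_to_regex(pattern), re.DOTALL).match(value) is not None


def check(pattern, should_match, should_not_match):
    """Return (value, problem) pairs where the pattern disagrees with intent."""
    findings = []
    for value in should_match:
        if not matches(pattern, value):
            findings.append((value, "expected match"))
    for value in should_not_match:
        if matches(pattern, value):
            findings.append((value, "unexpected match"))
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the manual.
    wanted = ["/admin", "/admin/users"]
    unwanted = ["/administrator-guide.pdf"]
    for candidate in ("/admin*", "/admin|/admin/*"):
        print(candidate, "->", check(candidate, wanted, unwanted) or "ok")
```

The first candidate is reported as over-broad because "*" directly after "/admin" also covers "/administrator-guide.pdf"; the second limits the match to the path itself and anything below it.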
CHAPTER 2

Content Switching Module with SSL Commands

This chapter contains an alphabetical listing of the commands necessary to configure the CSM-S. These commands are unique to server load-balancing (SLB) and Layer 3 switching.
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-1

arp

To configure a static ARP entry, use the arp command. To remove the static ARP entry from the configuration, use the no form of this command.
arp ip_address mac-address vlan id
no arp ip_address
Syntax Description
ip_address IP address that you want to associate with the ARP entry.
mac-address MAC address of the host.
vlan id Identifies the VLAN.
Defaults This command has no default settings.
Command Modes CSM configuration submode
Command History
Release Modification
CSM release 3.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to configure a static ARP entry:
Router(config-module-csm)# arp 1.1.1.1 0123.4567.89ab vlan 3

capp udp

To enter the Content Application Peering Protocol (CAPP) User Datagram Protocol (UDP) configuration submode, and then enable the CAPP, use the capp udp command. To remove the CAPP UDP configuration, use the no form of this command.
capp udp
no capp udp
Syntax Description This command has no arguments or keywords.
Defaults This command has no default settings.
Command Modes CSM configuration submode
Command History
Release Modification
CSM release 2.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines The CSM implements only the agent side of the CAPP, not the content router functionality. This feature provides Global Server Load Balancing (GSLB) when you use the CSM with a Content Services Switch (CSS), which provides the content router function.
When you enter the CAPP UDP submode, the following commands are available:
default—Sets a command to its default.
exit—Saves changes and exits from the subcommand mode; see the “agent (DFP submode)” command section.
no—Negates a command or sets the specified command to its defaults.
options—Sets optional parameters for a specified IP address. See the “options (CAPP UDP submode)” command section.
port—Configures the CAPP port. Range is from 1 to 65535. Default is 5002. See the “port (CAPP UDP submode)” command section.
secure—Enables encryption. See the “secure (CAPP UDP submode)” command section.
Examples This example shows how to initiate CAPP UDP agent configuration mode and set the CAPP port:
Cat6k-2(config-module-csm)# capp udp
Cat6k-2(config-slb-capp-udp)# port 5002
Related Commands port (CAPP UDP submode)

options (CAPP UDP submode)

To assign session options to an IP address, use the options command in the CAPP UDP submode. To remove the options for the specified address from the configuration, use the no form of this command.
options ip_address encryption MD5 secret
no options ip_address
Syntax Description
ip_address IP address that you want to associate with this group of options.
encryption MD5 Specifies MD5 authentication.
secret The string used in encryption and decryption of the MD5 hashing method. Enter an unquoted text string with a maximum of 31 characters.
Defaults This command has no default settings.
Command Modes CSM CAPP UDP submode
Command History
Release Modification
CSM release 2.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines The CSM applies encryption to packets sent to this destination address or when the CSM receives datagrams with a matching source IP address.
You can set the IP address to 0.0.0.0 to apply encryption to all incoming and outbound datagrams that are not specifically configured. The 0.0.0.0 IP address allows you to set a global security configuration that can be applied to an arbitrary number of peers.
Examples This example shows the application of a specific option set to 10.6.3.21 and a global option set to all other IP addresses. The CSM encrypts datagrams received from 10.6.3.21 and transmitted to 10.6.3.21 with encryption code mySecret. All other datagrams, received or transmitted, are assigned to the default encryption secret anotherSecret.
Cat6k-2(config-slb-capp-udp)# options 10.6.3.21 encryption MD5 mySecret
Cat6k-2(config-slb-capp-udp)# options 0.0.0.0 encryption MD5 anotherSecret
Related Commands capp udp

port (CAPP UDP submode)

To set the port number for CAPP UDP connections, use the port command in the CAPP UDP submode. To remove the port from the configuration, use the no form of this command.
port port_num
no port
Syntax Description
port_num Specifies the UDP port number. Enter a value of 1 to 65535.
Defaults The no form of this command sets the port to 5002.
Command Modes CSM CAPP UDP submode
Command History
Release Modification
CSM release 2.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to set the port for CAPP connections:
Cat6k-2(config-slb-capp-udp)# port 50
Related Commands capp udp

secure (CAPP UDP submode)

To enable or disable the encryption requirement for inbound CAPP datagrams, use the secure command in the CAPP UDP submode. This command prevents unauthorized messages from entering the CSM. To remove the encryption requirement from the configuration, use the no form of this command.
secure
no secure
Syntax Description This command has no arguments or keywords.
Defaults This command has no default settings.
Command Modes CSM CAPP UDP submode
Command History
Release Modification
CSM release 2.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines Use the capp udp secure command with the capp udp options command to specify which secure messages are accepted. If you use this command without the capp udp options command, the CSM drops all incoming data.
Examples This example shows how to allow only incoming traffic from 10.6.3.21 encrypted with the encryption code mySecret:
Cat6k-2(config-slb-capp-udp)# secure
Cat6k-2(config-slb-capp-udp)# options 10.6.3.21 encryption md5 mySecret
Related Commands capp udp
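The per-peer secret lookup from the options section and the inbound requirement from the secure section can be checked offline against a configuration before it is applied. The following is an added example, not Cisco code: the function names and result labels are hypothetical, and the "unprotected" result for a peer with no secret when secure is not set is an inference from the text, not a documented behavior.

```python
import ipaddress
import re
from dataclasses import dataclass, field

GLOBAL_PEER = "0.0.0.0"   # catch-all address described in the options section
MAX_SECRET_LEN = 31       # maximum secret length stated in the options section
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")   # e.g. "Cat6k-2(config-slb-capp-udp)# "


@dataclass
class CappUdp:
    secure: bool = False
    secrets: dict = field(default_factory=dict)   # peer address -> secret
    errors: list = field(default_factory=list)


def parse_capp_udp(text):
    """Read capp udp submode commands, with or without a leading prompt."""
    capp = CappUdp()
    for line in text.splitlines():
        words = PROMPT.sub("", line.strip()).split()
        if words == ["secure"]:
            capp.secure = True
        elif words == ["no", "secure"]:
            capp.secure = False
        elif len(words) == 3 and words[:2] == ["no", "options"]:
            capp.secrets.pop(words[2], None)
        elif (len(words) == 5 and words[0] == "options"
              and [w.lower() for w in words[2:4]] == ["encryption", "md5"]):
            peer, secret = words[1], words[4]
            try:
                peer = str(ipaddress.IPv4Address(peer))
            except ValueError:
                capp.errors.append(f"invalid peer address: {peer}")
                continue
            if len(secret) > MAX_SECRET_LEN:
                capp.errors.append(
                    f"secret for {peer} is longer than {MAX_SECRET_LEN} characters")
                continue
            capp.secrets[peer] = secret
    return capp


def secret_for(capp, peer_ip):
    """Specific entry first, then the 0.0.0.0 global entry, else None."""
    peer = str(ipaddress.IPv4Address(peer_ip))
    return capp.secrets.get(peer, capp.secrets.get(GLOBAL_PEER))


def inbound_policy(capp, peer_ip):
    """How a datagram from peer_ip is treated under this configuration."""
    if secret_for(capp, peer_ip) is not None:
        return "encrypted"
    # No options entry covers this peer.
    return "dropped" if capp.secure else "unprotected"   # "unprotected" is inferred


def audit(capp):
    """Findings a reviewer would raise before applying the configuration."""
    findings = list(capp.errors)
    if capp.secure and not capp.secrets:
        findings.append("secure is set with no options entries: "
                        "all incoming CAPP data is dropped")
    if not capp.secure:
        findings.append("secure is not set: inbound CAPP datagrams are "
                        "not required to be encrypted")
    if GLOBAL_PEER in capp.secrets:
        findings.append("0.0.0.0 entry: one secret is shared by every peer "
                        "without its own entry")
    return findings


# Constructed inputs: the two examples printed in the manual, plus a secure-only case.
OPTIONS_EXAMPLE = """\
Cat6k-2(config-slb-capp-udp)# options 10.6.3.21 encryption MD5 mySecret
Cat6k-2(config-slb-capp-udp)# options 0.0.0.0 encryption MD5 anotherSecret
"""
SECURE_EXAMPLE = """\
Cat6k-2(config-slb-capp-udp)# secure
Cat6k-2(config-slb-capp-udp)# options 10.6.3.21 encryption md5 mySecret
"""
SECURE_ONLY = "Cat6k-2(config-slb-capp-udp)# secure\n"

if __name__ == "__main__":
    for name, text in [("options example", OPTIONS_EXAMPLE),
                       ("secure example", SECURE_EXAMPLE),
                       ("secure only", SECURE_ONLY)]:
        capp = parse_capp_udp(text)
        print(name, inbound_policy(capp, "10.6.3.21"), inbound_policy(capp, "192.0.2.7"))
        for finding in audit(capp):
            print("  -", finding)
```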

clear module csm

To force the active CSM to become the standby module, use the clear module csm command.
clear module csm [slot | all] arp-cache ip-address connections [real | vserver] counters ft active linecard-configuration sticky [1-255 | all]
Syntax Description
slot (Optional) Specifies the CSM location in the switch. Range is from 1 to 9.
all (Optional) Applies to all online CSM modules.
arp-cache ip-address Clears the SLB ARP cache.
connections Specifies connections.
real (Optional) Clears SLB connections for the real servers.
vserver (Optional) Clears SLB connections for a virtual server.
counters Clears SLB statistics.
ft active Clears the CSM fault tolerance state to force a failover.
linecard-configuration Clears the configuration database stored in the SLB linecard.
sticky Specifies sticky.
1-255 (Optional) Clears the designated sticky group; range is from 1 to 255.
all (Optional) Clears all sticky entries from the sticky database.
Defaults This command has no default settings.
Command Modes Privileged
Command History
Release Modification
CSM release 3.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines When a connection is closed, a reset (RST) is sent to both the client and the server. Counters reset all the CSM statistics information, except for the show mod csm X tech-support counters, which are reset any time that you run the show command. The linecard-configuration command forces a soft-reset of the CSM, which erases all existing connections and run-time information. The CSM then reloads its configuration from Cisco IOS. This process takes about 3 seconds.
The ft active command is used to force the active CSM to the failover state. Fault tolerance preempt must not be enabled.
dfp
To enter the Dynamic Feedback Protocol (DFP) submode, and then configure DFP, use the dfp command. To remove the DFP configuration, use the no form of this command.
dfp [password password [timeout]]
no dfp [password password]
Syntax Description
password (Optional) Specifies a password for MD5 authentication.
password (Optional) Password value for MD5 authentication. This password must be the same on all DFP manager devices. The password can contain 1–64 characters. Valid characters are: a–z, A–Z, 0–9, @, #, $.
timeout (Optional) Delay period, in seconds, during which both the old password and the new password are accepted; the range is from 0 to 65535.
Defaults Timeout value is 180 seconds.
Command Modes Module CSM configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines The timeout option allows you to change the password without stopping messages between the DFP agent and its manager.
During a timeout, the agent sends packets with the old password (or null, if there is no old password), and receives packets with either the old or new password. After a timeout expires, the agent sends and receives packets with only the new password; received packets that use the old password are discarded.
If you are changing the password for an entire load-balanced environment, set a longer timeout. The extended timeout allows enough time for you to update the password on all agents and servers before the timeout expires. The embedded timeout also prevents mismatches between agents and servers that have the new password and agents and servers that have the old password.
Examples This example shows how to initiate DFP agent configuration mode, configure DFP, set the password to flounder, and configure a 60-second timeout:
Cat6k-2(config-module-csm)# dfp password flounder 60
Cat6k-2(config-slb-dfp)#
Related Commands show module csm dfp
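The password overlap window described in the dfp usage guidelines can be modeled to check a rollout plan before the password is changed. The following is an added example, not Cisco code: the class and function names are hypothetical, times are plain seconds, and passwords are compared directly because the manual does not describe how MD5 authentication is carried in DFP messages.

```python
import hmac
import re

PASSWORD_RE = re.compile(r"[A-Za-z0-9@#$]{1,64}")   # length and characters from the manual
DEFAULT_TIMEOUT = 180                                # seconds, the documented default


def _same(a, b):
    """Compare two passwords; None stands for the null (no password) case."""
    if a is None or b is None:
        return a is b
    return hmac.compare_digest(a.encode(), b.encode())


class DfpPasswordRollover:
    """Which password the agent sends and accepts around a password change."""

    def __init__(self):
        self.old = None       # password in use before the change (None = null)
        self.new = None       # password set by the latest change
        self.deadline = 0     # time at which the overlap window expires

    def set_password(self, password, now, timeout=DEFAULT_TIMEOUT):
        if not PASSWORD_RE.fullmatch(password):
            raise ValueError("password must be 1-64 characters from a-z, A-Z, 0-9, @, #, $")
        if not 0 <= timeout <= 65535:
            raise ValueError("timeout must be from 0 to 65535 seconds")
        self.old = self.sending(now)   # whatever the agent is sending right now
        self.new = password
        self.deadline = now + timeout

    def sending(self, now):
        """Old password (or null) during the window, new password afterwards."""
        return self.old if now < self.deadline else self.new

    def accepts(self, password, now):
        """Old or new during the window, only new once the timeout has expired."""
        if _same(password, self.new):
            return True
        return now < self.deadline and _same(password, self.old)


def late_devices(rollover, planned_updates):
    """Devices whose planned update time falls at or after the window's expiry.

    Those devices would still present the old password after the agent has
    stopped accepting it, which is the mismatch a longer timeout avoids.
    """
    return sorted(name for name, when in planned_updates.items()
                  if when >= rollover.deadline)


if __name__ == "__main__":
    agent = DfpPasswordRollover()
    agent.set_password("flounder", now=0, timeout=60)   # values from the manual's example
    for t in (0, 59, 60):
        print(t, "sends", agent.sending(t), "| accepts null:", agent.accepts(None, t))
    # Constructed rollout plan: device name -> seconds after the change.
    print(late_devices(agent, {"manager-a": 20, "manager-b": 75}))
```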

agent (DFP submode)

To configure the DFP agent to which the CSM is going to communicate, use the agent command in the SLB DFP submode. To remove the agent configuration, use the no form of this command.
agent ip-address port [keepalive-timeout [retry-count [retry-interval]]]
no agent ip-address port
Syntax Description
ip-address IP address of the DFP agent.
port Port number of the DFP agent.
keepalive-timeout (Optional) Time period in seconds between keepalive messages; the range is from 1 to 65535.
retry-count (Optional) Number of consecutive connection attempts or invalid DFP reports received before tearing down the connections and marking the agent as failed; the range is from 0 to 65535.
retry-interval (Optional) Interval between retries; the range is from 1 to 65535.
Defaults Keepalive timeout is 0 (no keepalive message).
Retry count is 0 seconds (0 seconds allows infinite retries).
Retry interval is 180 seconds.
Command Modes SLB DFP configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to initiate the DFP agent, configure a 350-second timeout, and configure the number of retries to 270:
Cat6k-2(config-slb-dfp)# agent 111.101.90.10 2 350 270
Related Commands dfp
manager (DFP submode)
show module csm dfp

manager (DFP submode)

To set the port where an external DFP can connect to the CSM, use the manager command in SLB DFP submode. To remove the manager configuration, use the no form of this command.
manager port
no manager
Syntax Description
port Port number.
Defaults This command has no default settings.
Command Modes SLB DFP configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines This command enables the CSM to listen to DFP connections from an external DFP manager.
Examples This example shows how to set the DFP manager port:
Cat6k-2(config-slb-dfp)# manager 4
Related Commands agent (DFP submode)
dfp
show module csm dfp

exit

To log out of the system or to leave a subcommand mode, use the exit command.
exit
Syntax Description This command has no arguments or keywords.
Defaults This command has no default settings.
Command Modes Command mode
Usage Guidelines To leave a subcommand mode, use the exit command. The exit command saves any changes before leaving the submode.
Examples This example shows how to log out of the CSM:
Cat6k-2(config-module-csm)# exit
Cat6k-2(config)#

ft group

To enter the fault tolerant submode, and then configure fault tolerance on the CSM, use the ft group command. To remove the fault-tolerant configuration, use the no form of this command.
ft group group-id vlan vlan number
no ft group
Syntax Description
group-id ID of the fault-tolerant group. Both CSMs must have the same group ID. Range is from 1 to 254.
vlan vlan number Specifies the VLAN over which heartbeat messages are sent by VLAN number. Both CSMs must have the same VLAN ID. The range is from 2 to 4095.
Defaults This command has no default settings.
Command Modes Module CSM configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines A fault-tolerant group is comprised of two Catalyst 6500 series switches each containing a CSM configured for fault-tolerant operation. Each fault-tolerant group appears to network devices as a single device. A network may have more than one fault-tolerant group.
When you enter the fault tolerance group submode, the following commands are available:
default—Sets a command to its default.
exit—Saves changes and exits from the subcommand mode; see the “agent (DFP submode)” command section.
failover—Saves changes and exits from the subcommand mode; see the “failover (fault tolerant submode)” command section.
heartbeat-time—Saves changes and exits from the subcommand mode; see the “heartbeat-time (fault tolerant submode)” command section.
no—Negates a command or sets the specified command to its defaults.
preempt—Sets optional parameters for a specified IP address. See the “preempt (fault tolerant submode)” command section.
priority—Configures the CAPP port. Range is from 1 to 65535; default is 5002. See the “priority (fault tolerant submode)” command section.
Examples This example shows how to configure a fault-tolerant group named 123 on VLAN 5 and set the failover time to 3 seconds:
Cat6k-2(config-module-csm)# ft group 123 vlan 5
Cat6k-2(config-slb-ft)# failover 3
Related Commands failover (fault tolerant submode)
heartbeat-time (fault tolerant submode)
preempt (fault tolerant submode)
priority (fault tolerant submode)
show module csm ft

failover (fault tolerant submode)

To set the time for a standby CSM to wait before becoming an active CSM, use the failover command in the SLB fault-tolerant configuration submode. To remove the failover configuration, use the no form of this command.
failover failover-time
no failover
Syntax Description
failover-time Amount of time the CSM must wait after the last heartbeat message is received before assuming the other CSM is not operating; the range is from 1 to 65535.
Defaults Failover time is 3 seconds.
Command Modes SLB fault-tolerant configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to set a failover period of 6 seconds:
Cat6k-2(config-slb-ft)# failover 6
Related Commands ft group
show module csm ft

heartbeat-time (fault tolerant submode)

To set the time interval between heartbeat messages that are transmitted by the CSM, use the heartbeat-time command in the SLB fault-tolerant configuration submode. To restore the default heartbeat interval, use the no form of this command.
heartbeat-time heartbeat-time
no heartbeat-time
Syntax Description
heartbeat-time Time interval between heartbeat transmissions in seconds; the range is from 1 to 65535.
Defaults Heartbeat time is 1 second.
Command Modes SLB fault-tolerant configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to set the heartbeat time to 2 seconds:
Cat6k-2(config-slb-ft)# heartbeat-time 2
Related Commands ft group
show module csm ft

preempt (fault tolerant submode)

To allow a higher priority CSM to take control of a fault-tolerant group when it comes online, use the preempt command in the SLB fault-tolerant configuration submode. To restore the preempt default value, use the no form of this command.
preempt
no preempt
Syntax Description This command has no arguments or keywords.
Defaults The default value is that preempt is disabled.
Command Modes Privileged
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines When you enable preempt, the higher priority CSM preempts the other CSM in the fault-tolerant group when the higher priority CSM comes online. When you enable no preempt, the current primary CSM remains the primary CSM when the next CSM comes online.
Note You must set both members of the fault-tolerant CSM pair to preempt for this feature to work.
Examples This example shows how to set the fault-tolerance mode to preempt:
Cat6k-2(config-slb-ft)# preempt
Related Commands ft group
show module csm ft

priority (fault tolerant submode)

To set the priority of the CSM, use the priority command in the SLB fault-tolerant configuration submode. To restore the priority default value, use the no form of this command.
priority value [alt value]
no priority
Syntax Description
alt (Optional) Configures the alternate priority value for the standby CSM.
value (Optional) Priority of a CSM; the range is from 1 to 254.
Defaults Value is 10.
Command Modes SLB fault-tolerant configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM release 4.2(1) Adds the alt keyword to specify an alternate value that is sent to the standby CSM.
Usage Guidelines The CSM with the largest priority value is the primary CSM in the fault-tolerant pair when the modules are both operating.
Examples This example shows how to set the priority value to 12:
Cat6k-2(config-slb-ft)# priority 12
Related Commands ft group
preempt (fault tolerant submode)
show module csm ft

track (fault tolerant submode)

To set the fault-tolerant tracking for the gateway, HSRP group, or interface of the CSM, use the track command in the SLB fault-tolerant configuration submode.
track {gateway ip_addr | group group_number | interface {async | ctunnel | dialer | fastethernet | gigabitethernet} | mode {all | any}}
Syntax Description
gateway ip_addr Configures a gateway or host for tracking.
group group_number Configures an HSRP group for tracking.
interface async | ctunnel | dialer | fastethernet | gigabitethernet Configures an interface for tracking. The interfaces can be asynchronous, tunnel, dialer, fast Ethernet, or Gigabit Ethernet.
mode all | any Configures tracking mode for all devices or any device.
Defaults The default setting for mode is any.
Command Modes SLB fault-tolerant configuration submode
Command History
Release Modification
CSM release 4.2(1) This command was introduced.
Usage Guidelines The CSM with the largest priority value is the primary CSM in the fault-tolerant pair when the modules are both operating.
Examples This example shows how to set tracking mode for all devices:
Cat6k-2(config-slb-ft)# track mode all
Related Commands ft group
preempt (fault tolerant submode)
show module csm ft

hw-module csm standby config-sync

To synchronize the configuration between the active CSM and standby CSM, enter the hw-module csm standby config-sync command on the active CSM:
hw-module csm slot standby config-sync
Syntax Description
slot Specifies the slot of the active CSM.
Defaults Route processor mode.
Command Modes Global configuration
Command History
Release Modification
CSM release 4.2(1) This command was introduced.
Usage Guidelines You can synchronize the configurations between the active and standby CSMs in a single chassis or in separate chassis.
Enter this command after you have configured both the active and standby CSMs for synchronization. Enter this command every time you want to synchronize the configuration.
Synchronization happens over the fault-tolerant VLAN. Since traffic over the fault-tolerant VLAN uses broadcast packets, we recommend that you remove all devices from the fault-tolerant VLAN except those that are necessary for communication between the active and standby CSMs.
If you do not enter the alt standby_ip_address command on the active CSM before you synchronize the configuration, the VLAN IP addresses on the backup CSM will be removed.
Examples This example shows how to synchronize the configuration between the active and standby CSMs:
Router# hw-module csm 5 standby config-sync
%CSM_SLB-6-REDUNDANCY_INFO:Module 5 FT info:Active:Bulk sync started
%CSM_SLB-6-REDUNDANCY_INFO:Module 5 FT info:Active:Manual bulk sync completed
Related Commands ft group
ip address (VLAN submode)
priority (fault tolerant submode)

ip slb mode

To operate as a CSM load-balancing device instead of a Cisco IOS server load balancing (SLB) device, use the ip slb mode command to configure the switch. To remove the mode configuration, use the no form of this command.
ip slb mode {csm | rp}
no ip slb mode
Syntax Description
csm Keyword to select the CSM load-balancing mode that allows you to configure a single CSM only and prohibits the use of Cisco IOS SLB on the Catalyst 6500 series switch.
rp Keyword to select the route processor Cisco IOS SLB mode and enable module CSM commands for configuring multiple CSMs.
Defaults Route processor mode
Command Modes Global configuration
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM release 2.1(1) This command now enables module csm commands for the rp mode.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines We recommend that you use the rp mode for all configurations. The rp mode allows you to configure both the switch and the CSM or other modules without changing modes.
Note You need to reboot the switch to change the mode.
This command allows you to change from the Cisco IOS SLB mode to the CSM load-balancing mode.
Note Specifying the no ip slb mode command is the same as specifying the rp mode.
Note In csm mode, all ip slb commands apply to a CSM module; Cisco IOS SLB is not available. In rp mode (the default), ip slb commands apply to Cisco IOS SLB. The module csm commands are available to configure multiple CSMs.
Examples This example shows how to configure the CSM load-balancing mode:
Cat6k-2(config)# ip slb mode csm
Related Commands module csm
show ip slb mode

map cookie

To create a cookie map, and then enter the cookie map configuration submode for specifying cookie match rules, use the map cookie command. To remove the cookie maps from the configuration, use the no form of this command.
map cookie-map-name cookie
no map cookie-map-name
Syntax Description
cookie-map-name Cookie map instance; the character string is limited to 15 characters.
cookie Enters the cookie map submode.
Defaults This command has no default settings.
Command Modes Module CSM configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
Examples This example shows how to create a cookie map:
Cat6k-2(config-module-csm)# map upnready cookie
Related Commands cookie-map (policy submode)
match protocol http cookie (cookie map submode)
show module csm map

match protocol http cookie (cookie map submode)

To add cookies to a cookie map, use the match protocol http cookie command in SLB cookie map configuration submode. Multiple match rules can be added to a cookie map. To remove the cookie map name from the cookie map, use the no form of this command.
match protocol http cookie cookie-name cookie-value cookie-value-expression
no match protocol http cookie cookie-name cookie-value cookie-value-expression
Syntax Description
cookie-name Cookie name; the range is from 1 to 63 characters.
cookie-value cookie-value-expression Specifies a cookie value expression; the range is from 1 to 255 characters.
Defaults This command has no default settings.
Command Modes SLB cookie map configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines Cookie regular expressions (see the “Regular Expressions” section) are based on the UNIX filename specification. URL expressions are stored in a cookie map in the form cookie-name = cookie-value-expression. Cookie expressions allow spaces if they are escaped or quoted. You must match all cookies in the cookie map.
Examples This example shows how to add cookies to a cookie map:
Cat6k-2(config-slb-map-cookie)# match protocol http cookie albert cookie-value 4*
Related Commands cookie-map (policy submode)
map cookie
show module csm map

map dns

To enter the SLB DNS map mode and configure a DNS map, use the map dns command. To remove the DNS map from the configuration, use the no form of this command.
map dns-map-name dns
no map dns-map-name dns
Syntax Description
dns-map-name Name of an SLB DNS map; the character string range is from 1 to 15 characters.
Defaults This command has no default settings.
Command Modes SLB DNS map configuration submode
Command History
Release Modification
CSM release 3.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines Any match of a DNS regular expression in the DNS map results in a successful match. A maximum of 1023 DNS domains can be configured to a map.
Examples This example shows how to group DNS domains:
Cat6k-2(config-module-csm)# map m1 dns
Cat6k-2(config-slb-map-dns)# exit
Cat6k-2(config)#
Related Commands match protocol dns domain (DNS map submode)
show module csm map

match protocol dns domain (DNS map submode)

To add a DNS domain to a DNS map, use the match protocol dns domain command in the SLB DNS map configuration submode. To remove the DNS domain from the URL map, use the no form of this command.
match protocol dns domain name
no match protocol dns domain name
Syntax Description
name Names the DNS domain being mapped.
Defaults This command has no default settings.
Command Modes SLB DNS map configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM release 4.1(1) HTTP method parsing support was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to add domains to a DNS map:
Cat6k-2(config-slb-map-dns)# match protocol dns domain cisco.com
Related Commands map dns
show module csm map

map header

map header
Chapter 2 Content Switching Module with SSL Commands
To create a map group for specifying HTTP headers, and then enter the header map configuration submode, use the map header command. To remove the HTTP header group from the configuration, use the no form of this command.
map name header
no map name
Syntax Description
name Map instance; the character string is from 1 to 15 characters.
Defaults This command has no default settings.
Command Modes Module CSM configuration submode
Command History
Release Modification
CSM release 2.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to group HTTP headers and associate them with a content switching policy:
Cat6k-2(config-module-csm)# map upnready header Cat6k-2(config-slb-map-header)# match protocol http header Accept header-value *jpeg* Cat6k-2(config-slb-map-header)# match protocol http header User-Agent header-value *NT* Cat6k-2(config-slb-map-header)# match protocol http header Host header-value
www.myhome.com Cat6k-2(config-slb-map-header)# exit
Related Commands header-map (policy submode)
insert protocol http header (header map submode)
match protocol http header (header map submode)
show module csm map

insert protocol http header (header map submode)

To insert header fields and values into an HTTP request, use the insert protocol http header command in SLB header map configuration submode. To remove the header insert item from the header map, use the no form of this command.
insert protocol http header name header-value value
no insert protocol http header name
Syntax Description
name Literal name of the generic field in the HTTP header. The name is a string with a range from 1 to 63 characters.
header-value value Specifies the literal header value string to insert in the request.
Defaults This command has no default settings.
Command Modes SLB header map configuration submode
Command History
Release Modification
CSM release 3.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines You can also use the %is and %id special parameters for header values. The %is value inserts the source IP into the HTTP header, and the %id value inserts the destination IP into the header. You can only specify each special parameter once per header map.
Examples This example shows how to insert a header field named client whose value is the source IP (%is):
Cat6k-2(config-slb-map-header)# insert protocol http header client header-value %is
Related Commands header-map (policy submode)
map header
show module csm map

match protocol http header (header map submode)

To specify header fields and values for the CSM to search for when receiving a request, use the match protocol http header command in SLB header map configuration submode. Multiple match rules can be added to a header map. To remove the header match rule from the header map, use the no form of this command.
match protocol http header field header-value expression
no match protocol http header field
Syntax Description
field Literal name of the generic field in the HTTP header. The range is from 1 to 63 characters.
header-value expression Specifies the header value expression string to compare against the value in the specified field; the range is from 1 to 127 characters.
Defaults This command has no default settings.
Command Modes SLB header map configuration submode
Command History
Release Modification
CSM release 2.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines There are predefined fields, for example, Accept-Language, User-Agent, or Host.
Header regular expressions (see “Regular Expressions” section on page 2-3) are based on the UNIX filename specification. URL expressions are stored in a header map in the form header-name = expression. Header expressions allow spaces if they are escaped or quoted. All headers in the header map must be matched.
Examples This example shows how to specify header fields and values to search upon a request:
Cat6k-2(config-slb-map-header)# match protocol http header Host header-value XYZ
Related Commands header-map (policy submode)
insert protocol http header (header map submode)
map header
show module csm map

map retcode

To enable return code checking, and then enter the return code map submode, use the map retcode command. To remove the return code checking from the configuration, use the no form of this command.
map name retcode
no map name
Syntax Description
name Return error code map instance; the character string is limited to 15 characters.
retcode Keyword to enter the return error code map submode.
Defaults This command has no default settings.
Command Modes CSM module submode
Command History
Release Modification
CSM release 2.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to enable return error code checking:
Cat6k-2(config-module-csm)# map upnready retcode
Related Commands cookie-map (policy submode)
match protocol http cookie (cookie map submode)
show module csm map

match protocol http retcode (return code map submode)

To specify return code thresholds, count and log return codes, and send syslog messages for return code events received from the servers, use the match protocol http retcode command in SLB return code map configuration submode. To remove the return code thresholds, use the no form of this command.
match protocol http retcode min max action {count | log | remove} threshold [reset seconds]
no match protocol http retcode min max
Syntax Description
min max Minimum and maximum range of return codes used to perform a count, log, or remove action.
action count Increments the statistics of the number of occurrences of return codes received.
action log Specifies where syslog messages are sent when a threshold is reached.
action remove Specifies where the syslog messages are sent when a threshold is reached and the server is removed from service.
threshold The number of return occurrences before the log or remove action is taken.
reset seconds (Optional) Number of seconds to wait before the processing can resume.
Defaults This command has no default settings.
Command Modes SLB return code map configuration submode
Command History
Release Modification
CSM release 2.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines The threshold and reset values are not configurable for the count action. These commands are available only for the log and remove actions.
Examples This example shows how to specify return code values to search for in an HTTP request:
Cat6k-2(config-slb-map-retcode)# match protocol http retcode 30 50 action log 400 reset 30
Related Commands map retcode (SLB policy configuration submode)

map url

To enter the SLB URL map mode and configure a URL map, use the map url command. To remove the URL map from the configuration, use the no form of this command.
map url-map-name url
no map url-map-name
Syntax Description
url-map-name Name of an SLB URL map; the character string range is from 1 to 15 characters.
Defaults This command has no default settings.
Command Modes SLB URL map configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines Any match of a URL regular expression in the URL map results in a successful match. A maximum of 1023 URLs can be configured to a map.
Examples This example shows how to group URLs and associate them with a content switching policy:
Cat6k-2(config-module-csm)# map m1 url
Cat6k-2(config-slb-map-url)# match protocol http url /index.html
Cat6k-2(config-slb-map-url)# match protocol http url /stocks/csco/
Cat6k-2(config-slb-map-url)# match protocol http url *gif
Cat6k-2(config-slb-map-url)# match protocol http url /st*
Cat6k-2(config-slb-map-url)# exit
Cat6k-2(config)
Related Commands match protocol http url (URL map submode)
show module csm map
url-map (policy submode)

match protocol http url (URL map submode)

To add a URL regular expression to a URL map, use the match protocol http url command in the SLB URL map configuration submode. Multiple match rules can be added to a URL map. To remove the URL regular expression from the URL map, use the no form of this command.
match protocol http [method method-expression] url url-expression
no match protocol http [method method-expression] url url-expression
Syntax Description
method method-expression (Optional) Specifies the method to match.
url-expression Specifies the regular expression range; the range is from 1 to 255 characters.
Defaults This command has no default settings.
Command Modes SLB URL map configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM release 4.1(1) HTTP method parsing support was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines URL regular expressions (see “Regular Expressions” section on page 2-3) are based on the UNIX filename specification. URL expressions are stored in a cookie map in the form urln. URL expressions do not allow spaces, and only one of the URLs in the map must be matched.
The method expression can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a string you specify that must be matched exactly (PROTOPLASM).
Examples This example shows how to add URL expressions to a URL map:
Cat6k-2(config-slb-map-url)# match protocol http url html
Related Commands map url
show module csm map
url-map (policy submode)

module csm

To allow the association of load-balancing commands to a specific CSM module, and then enter the CSM module configuration submode for the specified slot, use the module csm command. To remove the module csm configuration, use the no form of this command.
Note The module ContentSwitching Module slot command is the full syntax; the module csm slot command is a valid shortcut.
module csm slot-number
no module csm slot-number
Syntax Description
slot-number Slot number where the CSM resides.
Defaults This command has no default settings.
Command Modes Global configuration submode
Command History
Release Modification
CSM release 2.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines If you want to use the multiple module configuration, you must change the ip slb mode command to rp.
An existing CSM configuration is migrated to the new configuration when you change the mode from csm to rp. The default mode is rp, which allows multiple CSM support and allows the Catalyst operating system and Cisco IOS software to run on the same switch.
Migrating from a multiple module configuration to a single module configuration is supported. Migrating the Cisco IOS SLB configuration to the CSM configuration is not supported.
To remove connections to a real server, use the clear module csm X connection command.
The CSM had its own ARP cache, which was populated with ARP entries through ARP learning. The addition of the arp option allows you to statically configure ARP entries.
Examples This example shows how to configure a CSM:
Cat6k-2(config)# module csm 5
Cat6k-2(config-module-csm)# vserver VS1
Related Commands ip slb mode

natpool (module CSM submode)

To configure source NAT and create a client address pool, use the natpool command in module CSM configuration submode. To remove a natpool configuration, use the no form of this command.
natpool pool-name start-ip end-ip [netmask netmask | prefix-length leading_1_bits]
no natpool pool-name
Syntax Description
pool-name Name of a client address pool; the character string is from 1 to 15 characters.
start-ip end-ip Specifies the starting and ending IP address that define the range of addresses in the address pool.
netmask netmask (Optional) Mask for the associated IP subnet.
prefix-length leading_1_bits (Optional) Mask for the associated IP subnet.
Defaults This command has no default settings.
Command Modes Module CSM configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines If you want to use client NAT, you must create at least one client address pool.
A maximum of 255 NAT pool addresses are available for any CSM.
Examples This example shows how to configure a pool of addresses with the name web-clients, an IP address range from 128.3.0.1 through 128.3.0.254, and a subnet mask of 255.255.0.0:
Cat6k-2(config-module-csm)# natpool web-clients 128.3.0.1 128.3.0.254 netmask 255.255.0.0
Related Commands nat client (serverfarm submode)
show module csm natpool

variable (module CSM submode)

To specify the environmental variables in the configuration, use the variable command. To remove an environmental variable from the configuration, use the no form of this command.
variable name value
no variable name
Syntax Description
name Specifies a name string for the variable.
value Specifies a value string for the variable.
Defaults This command has no default settings.
Command Modes Module CSM configuration submode
Command History
Release Modification
CSM release 4.2(1) Added MAX_VSERVERS_PER_VIP; increased ROUTE_UNKNOWN_FLOW_PKTS value to 2 for SYN packets.
CSM release 4.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines This table lists the environmental values used by the CSM.
Name | Default | Valid Values | Description
ARP_INTERVAL | 300 | Integer (15 to 31536000) | Time (in seconds) between ARP requests for configured hosts.
ARP_LEARNED_INTERVAL | 14400 | Integer (60 to 31536000) | Time (in seconds) between ARP requests for learned hosts.
ARP_GRATUITOUS_INTERVAL | 15 | Integer (10 to 31536000) | Time (in seconds) between gratuitous ARP requests.
ARP_RATE | 10 | Integer (1 to 60) | Seconds between ARP retries.
ARP_REPLY_FOR_NO_INSERVICE_VIP | 0 | Integer (0 to 1) |
ARP_RETRIES | 3 | Integer (2 to 15) | Count of ARP attempts before flagging a host as down.
ARP_LEARN_MODE | 1 | Integer (0 to 1) | Indicates whether the CSM learns MAC addresses on responses only (0) or all traffic (1).
ADVERTISE_RHI_FREQ | 10 | Integer (1 to 65535) | Frequency (in seconds) that the CSM uses to check for RHI updates.
AGGREGATE_BACKUP_SF_STATE_TO_VS | 0 | Integer (0 to 1) | Specifies whether to include the operational state of a backup server farm into the state of a virtual server.
COOKIE_INSERT_EXPIRATION_DATE | Fri, 1 Jan 2010 01:01:50 GMT | String (2 to 63 chars) | Configures the expiration time and date for the HTTP cookie inserted by the CSM.
DEST_UNREACHABLE_MASK | 65535 | Integer (0 to 65535) | Bitmask defining which ICMP destination unreachable codes are to be forwarded.
FT_FLOW_REFRESH_INT | 60 | Integer (1 to 65535) | Interval for the FT slow path flow refresh in seconds.
HTTP_CASE_SENSITIVE_MATCHING | 1 | Integer (0 to 1) | Specifies whether the URL (cookie, header) matching and sticky are to be case sensitive.
HTTP_URL_COOKIE_DELIMITERS | /?&#+ | String (1 to 64 chars) | Configures the list of delimiter characters for cookies in the URL string.
INFINITE_IDLE_TIME_MAXCONNS | 1024 | 0 to 1 - max conns value | Configures the idle time maximum connections.
MAX_PARSE_LEN_MULTIPLIER | 1 | Integer (1 to 16) | Multiplies the configured max-parse-len by this amount.
MAX_VSERVERS_PER_VIP | 10 | Integer (7 to 10) | Specifies the maximum number of virtual servers that have the same VIP. The values are specified as powers of 2 (for example, 2^7=128, 2^10=1024).
NAT_CLIENT_HASH_SOURCE_PORT | 0 | Integer (0 to 1) | Specifies whether to use the source port to select the client NAT IP address.
ROUTE_UNKNOWN_FLOW_PKTS | 0 | Integer (0 to 2) | Specifies whether to route SYN or non-SYN packets that do not match any existing flows.
NO_RESET_UNIDIRECTIONAL_FLOWS | 0 | Integer (0 to 1) | Specifies, if set, that unidirectional flows are not reset when timed out.
SWITCHOVER_RP_ACTION | 0 | Integer (0 to 1) | Specifies whether to recover (0) or halt/reboot (1) after a supervisor engine RP switchover occurs.
SWITCHOVER_SP_ACTION | 0 | Integer (0 to 1) | Specifies whether to recover (0) or halt/reboot (1) after a supervisor engine SP switchover occurs.
SYN_COOKIE_INTERVAL | 3 | Integer (1 to 60) | Specifies the interval (in seconds) at which a new syn-cookie key is generated.
SYN_COOKIE_THRESHOLD | 5000 | Integer (0 to 1048576) | Specifies the threshold (in number of pending sessions) at which syn-cookie is engaged.
TCP_MSS_OPTION | 1460 | Integer (1 to 65535) | Specifies the maximum segment size (MSS) value sent by CSM for Layer 7 processing.
TCP_WND_SIZE_OPTION | 8192 | Integer (1 to 65535) | Specifies the window size value sent by CSM for Layer 7 processing.
VSERVER_ICMP_ALWAYS_RESPOND | false | String (1 to 5 chars) | If the response is “true,” the CSM responds to ICMP probes regardless of virtual server state.
XML_CONFIG_AUTH_TYPE | Basic | String (5 to 6 chars) | Specifies the HTTP authentication type for xml-config: Basic or Digest.
Examples This example shows how to enable the environmental variables configuration:
Router(config-module-csm)# variable ARP_RATE 20
Related Commands module csm
show module csm variable
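The ranges and defaults in the table above can be checked mechanically before a configuration is applied. The following is an added example, not a Cisco tool: a Python audit of variable lines against the table that also reports when XML_CONFIG_AUTH_TYPE is left at Basic. The sample configuration is constructed, and INFINITE_IDLE_TIME_MAXCONNS is omitted because its valid-values entry is unclear on the page.

```python
import re

# name: (default, kind, low, high), transcribed from the table on this page.
# "int" = integer within low..high; "str" = string of low..high characters.
# INFINITE_IDLE_TIME_MAXCONNS is omitted: its valid-values cell is unclear.
TABLE = {
    "ARP_INTERVAL": ("300", "int", 15, 31536000),
    "ARP_LEARNED_INTERVAL": ("14400", "int", 60, 31536000),
    "ARP_GRATUITOUS_INTERVAL": ("15", "int", 10, 31536000),
    "ARP_RATE": ("10", "int", 1, 60),
    "ARP_REPLY_FOR_NO_INSERVICE_VIP": ("0", "int", 0, 1),
    "ARP_RETRIES": ("3", "int", 2, 15),
    "ARP_LEARN_MODE": ("1", "int", 0, 1),
    "ADVERTISE_RHI_FREQ": ("10", "int", 1, 65535),
    "AGGREGATE_BACKUP_SF_STATE_TO_VS": ("0", "int", 0, 1),
    "COOKIE_INSERT_EXPIRATION_DATE": ("Fri, 1 Jan 2010 01:01:50 GMT", "str", 2, 63),
    "DEST_UNREACHABLE_MASK": ("65535", "int", 0, 65535),
    "FT_FLOW_REFRESH_INT": ("60", "int", 1, 65535),
    "HTTP_CASE_SENSITIVE_MATCHING": ("1", "int", 0, 1),
    "HTTP_URL_COOKIE_DELIMITERS": ("/?&#+", "str", 1, 64),
    "MAX_PARSE_LEN_MULTIPLIER": ("1", "int", 1, 16),
    "MAX_VSERVERS_PER_VIP": ("10", "int", 7, 10),
    "NAT_CLIENT_HASH_SOURCE_PORT": ("0", "int", 0, 1),
    "ROUTE_UNKNOWN_FLOW_PKTS": ("0", "int", 0, 2),
    "NO_RESET_UNIDIRECTIONAL_FLOWS": ("0", "int", 0, 1),
    "SWITCHOVER_RP_ACTION": ("0", "int", 0, 1),
    "SWITCHOVER_SP_ACTION": ("0", "int", 0, 1),
    "SYN_COOKIE_INTERVAL": ("3", "int", 1, 60),
    "SYN_COOKIE_THRESHOLD": ("5000", "int", 0, 1048576),
    "TCP_MSS_OPTION": ("1460", "int", 1, 65535),
    "TCP_WND_SIZE_OPTION": ("8192", "int", 1, 65535),
    "VSERVER_ICMP_ALWAYS_RESPOND": ("false", "str", 1, 5),
    "XML_CONFIG_AUTH_TYPE": ("Basic", "str", 5, 6),
}

# Optional CLI prompt, then "variable NAME VALUE"; "no variable" never matches.
LINE = re.compile(r"^\s*(?:\S+#\s*)?variable\s+(\S+)\s+(.*\S)\s*$")


def check_value(name, value):
    """Return an error string if value violates the table row, else None."""
    _, kind, low, high = TABLE[name]
    if kind == "int":
        if not re.fullmatch(r"\d+", value):
            return f"{name}: '{value}' is not an integer"
        if not low <= int(value) <= high:
            return f"{name}: {value} outside {low} to {high}"
    elif not low <= len(value) <= high:
        return f"{name}: length {len(value)} outside {low} to {high} chars"
    return None


def audit(config_text):
    """Return (severity, message) findings for the variable lines in a config."""
    findings = []
    effective = {name: row[0] for name, row in TABLE.items()}
    for raw in config_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        name, value = m.groups()
        if name not in TABLE:
            findings.append(("unknown", f"{name}: not in the variable table"))
            continue
        error = check_value(name, value)
        if error:
            findings.append(("invalid", error))
            continue
        effective[name] = value
        if value != TABLE[name][0]:
            findings.append(("changed", f"{name}: {value} (default {TABLE[name][0]})"))
    auth = effective["XML_CONFIG_AUTH_TYPE"]
    if auth not in ("Basic", "Digest"):
        findings.append(("invalid", f"XML_CONFIG_AUTH_TYPE: '{auth}' is not Basic or Digest"))
    elif auth == "Basic":
        # HTTP Basic sends the credentials base64-encoded, not hashed.
        findings.append(("review", "XML_CONFIG_AUTH_TYPE: Basic is in effect for xml-config"))
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
module csm 5
 variable ARP_RATE 20
 variable ARP_RETRIES 1
 variable SYN_COOKIE_THRESHOLD 2000000
 variable TCP_MSS_OPTION 1460
 variable MAX_VSERVER_PER_VIP 8
 no variable ARP_INTERVAL
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"{severity:8} {message}")
```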

owner

To configure an owner object, use the owner command in module CSM configuration submode. To remove an owner configuration, use the no form of this command.
owner name
no owner
Syntax Description
name Name of the object owner.
Defaults This command has no default settings.
Command Modes Module CSM configuration submode
Command History
Release Modification
CSM release 4.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines You can define more than one virtual server to the same owner, associate multiple servers to an owner, and apply a connection watermark. After the sum of the number of open connections to all virtual servers in a particular owner reaches the VIP connection watermark level for that owner, new connections to any of these virtual servers are rejected by the CSM.
Examples This example shows how to configure an owner object:
Cat6k-2(config-module-csm)# owner sequel
Related Commands billing-info (owner submode)
contact-info (owner submode)
maxconns (owner submode)

billing-info (owner submode)

To configure billing information for an owner object, use the billing-info command in the owner configuration submode. To remove billing information from the configuration, use the no form of this command.
billing-info billing-address-information
no billing-info
Syntax Description
billing-address-information Specifies the owner’s billing address.
Defaults This command has no default settings.
Command Modes Module CSM configuration submode
Command History
Release Modification
CSM release 3.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to configure an owner object:
Cat6k-2(config-owner)# billing-info 300 cordera avenue
Related Commands contact-info (owner submode)
owner

contact-info (owner submode)

To configure an e-mail address for an owner object, use the contact-info command in owner configuration submode. To remove the contact information from the owner configuration, use the no form of this command.
contact-info string
no contact-info
Syntax Description
string The owner’s information.
Defaults This command has no default settings.
Command Modes Module CSM configuration submode
Command History
Release Modification
CSM release 3.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to configure an owner object:
Cat6k-2(config-owner)# contact-info shaggy@angel.net
Related Commands billing-info (owner submode)
owner

maxconns (owner submode)

To configure the maximum number of concurrent connections allowed for an owner object, use the maxconns command in owner configuration submode. To remove the maximum connections from the owner configuration, use the no form of this command.
maxconns number
no maxconns
Syntax Description
number The number of maximum connections to the owner object.
Defaults This command has no default settings.
Command Modes Module CSM configuration submode
Command History
Release Modification
CSM release 3.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines When the maximum number of connections is reached, the connections are reset and the CSM does not accept further connections.
Examples This example shows how to configure an owner object:
Cat6k-2(config-owner)# maxconns 300
Related Commands billing-info (owner submode)
contact-info (owner submode)
owner

policy

To configure policies, associate attributes to a policy, and then enter the policy configuration submode, use the policy command. In this submode, you can configure the policy attributes. The policy is associated with a virtual server in virtual server submode. To remove a policy, use the no form of this command.
policy policy-name
no policy policy-name
Syntax Description
policy-name Name of an SLB policy instance; the character string is limited to 15 characters.
Defaults This command has no default settings.
Command Modes Module CSM configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines Policies establish rules for balancing connections to servers. They can contain URL maps, cookie maps, header maps, client groups, sticky groups, DSCP values, and server farms. The order in which policies are linked to a virtual server determines the precedence of the policy. When two or more policies match a requested URL, the policy with the highest precedence is selected.
Note All policies should be configured with a server farm.
Examples This example shows how to configure a policy named policy_content:
Cat6k-2(config-module-csm)# policy policy_content
Cat6k-2(config-slb-policy)# serverfarm new_serverfarm
Cat6k-2(config-slb-policy)# url-map url_map_1
Cat6k-2(config-slb-policy)# exit
Related Commands show module csm owner
slb-policy policy-name [priority priority_value]

client-group (policy submode)

To associate an access list with a policy, use the client-group command in SLB policy configuration submode. To remove an access list from a policy, use the no form of this command.
client-group {1–99 | std-access-list-name}
no client-group
Syntax Description
1–99 Standard IP access list number.
std-access-list-name Standard access list name.
Defaults This command has no default settings.
Command Modes SLB policy configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines Only client groups that you create with the ip access-list standard command can be associated with an SLB policy. You can only associate one client group with a given SLB policy.
Examples This example shows how to configure a client group:
Cat6k-2(config-slb-policy)# client-group 44
Cat6k-2(config-slb-policy)# exit
Related Commands ip access-list standard
policy
show module csm owner

cookie-map (policy submode)

To associate a list of cookies with a policy, use the cookie-map command in SLB policy configuration submode. To remove a cookie map, use the no form of this command.
cookie-map cookie-map-name
no cookie-map
Syntax Description
cookie-map-name Name of the cookie list associated with a policy.
Defaults This command has no default settings.
Command Modes SLB policy configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines You can associate only one cookie map with a policy. To configure cookie maps, use the map cookie command. The cookie map name must match the name specified in the map cookie command.
Examples This example shows how to configure a cookie-based SLB policy named policy_content:
Cat6k-2(config-module-csm)# policy policy_content
Cat6k-2(config-slb-policy)# serverfarm new_serverfarm
Cat6k-2(config-slb-policy)# cookie-map cookie-map-1
Cat6k-2(config-slb-policy)# exit
Cat6k-2(config)
Related Commands map cookie
policy
show module csm owner

header-map (policy submode)

To specify the HTTP header criteria to include in a policy, use the header-map command in SLB policy configuration submode. To remove a header map, use the no form of this command.
Note If any HTTP header information is matched, the policy rule is satisfied.
header-map name
no header-map
Syntax Description
name Name of the previously configured HTTP header expression group.
Defaults This command has no default settings.
Command Modes SLB policy configuration submode
Command History
Release Modification
CSM release 2.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines Only one header map can be associated with a policy. The header map name must match the name specified in the map header command.
Examples This example shows how to configure a header-based policy named policy_content:
Cat6k-2(config-module-csm)# policy policy_content
Cat6k-2(config-slb-policy)# serverfarm new_serverfarm
Cat6k-2(config-slb-policy)# header-map header-map-1
Cat6k-2(config-slb-policy)# exit
Related Commands map header
policy
show module csm owner

nat client (policy submode)

To specify a set of client NAT pool addresses that should be used to perform the NAT function on clients connecting to this policy, use the nat client command in SLB serverfarm configuration submode. To remove the NAT pool from the configuration, use the no form of this command.
nat client {client-pool-name | static}
no nat client
Syntax Description
client-pool-name Client pool name.
static Enables static NAT.
Defaults This command has no default settings.
Command Modes SLB policy configuration submode
Command History
Release Modification
CSM release 4.2(1) This command was introduced.
Usage Guidelines Use this command to enable client NAT. If client NAT is configured, the client address and port number in load-balanced packets are replaced with an IP address and port number from the specified client NAT pool. This client pool name must match the pool name entered from a previous natpool command.
If both the serverfarm and the policy are configured with client NAT, the policy takes precedence over the server farm.
Examples This example shows how to specify NAT on the client:
Cat6k-2(config-slb-policy)# nat client whishers
Related Commands natpool (module CSM submode)
script task
show module csm policy
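With client NAT the server sees a pool address as the TCP peer, so a server that needs the original address has to read it from a header added with insert protocol http header and %is. The following is an added example, not Cisco code: a server-side check that accepts the inserted header only on connections that arrive from the NAT pool. The header name client and the pool 128.3.0.1 through 128.3.0.254 come from the examples on this page; that %is carries the pre-NAT address, and the handling of repeated or malformed values, are assumptions.

```python
import ipaddress

# Taken from the page's examples: header "client" inserted with %is, and the
# web-clients pool 128.3.0.1 through 128.3.0.254.
INSERTED_HEADER = "client"
POOL_FIRST = ipaddress.ip_address("128.3.0.1")
POOL_LAST = ipaddress.ip_address("128.3.0.254")


def peer_is_csm(peer_ip):
    """True when the TCP peer address lies inside the client NAT pool."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return peer.version == 4 and POOL_FIRST <= peer <= POOL_LAST


def client_address(peer_ip, headers):
    """Return (address, source) to use for logging and access decisions.

    headers is a list of (name, value) pairs in wire order, so a header
    field that appears more than once stays visible.
    """
    values = [v.strip() for n, v in headers if n.lower() == INSERTED_HEADER]
    if not peer_is_csm(peer_ip):
        # The request did not arrive from the NAT pool, so whatever the
        # header says was not written by the CSM: use the peer address.
        return peer_ip, "peer"
    if len(values) != 1:
        # Assumption: the page does not say how the CSM treats a header of
        # the same name already in the request, so repeats are not trusted.
        return peer_ip, "peer-header-missing-or-repeated"
    try:
        return str(ipaddress.ip_address(values[0])), "csm-header"
    except ValueError:
        return peer_ip, "peer-header-malformed"


# Constructed sample requests: (TCP peer, header list).
SAMPLE_REQUESTS = [
    ("128.3.0.17", [("Host", "www.myhome.com"), ("client", "203.0.113.9")]),
    ("198.51.100.4", [("Host", "www.myhome.com"), ("client", "203.0.113.9")]),
    ("128.3.0.17", [("client", "203.0.113.9"), ("Client", "192.0.2.1")]),
    ("128.3.0.17", [("Host", "www.myhome.com")]),
    ("128.3.0.17", [("client", "not-an-address")]),
]


def classify_all(requests):
    """Resolve every sample request to its (address, source) pair."""
    return [client_address(peer, headers) for peer, headers in requests]


if __name__ == "__main__":
    for (peer, _), (addr, source) in zip(SAMPLE_REQUESTS, classify_all(SAMPLE_REQUESTS)):
        print(f"peer={peer:13} use={addr:13} source={source}")
```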

serverfarm (policy submode)

To associate a server farm with a policy, use the serverfarm command in the SLB policy configuration submode. To remove the server farm from the policy, use the no form of this command.
serverfarm primary-serverfarm [backup sorry-serverfarm [sticky] [threshold {inservice
real_value}[sticky][outservice real_value]]
no serverfarm
serverfarm (policy submode)
Syntax Description
Defaults This command has no default settings.
Command Modes SLB policy configuration submode
Command History
primary-serverfarm Character string used to identify the server farm.
backup sorry-serverfarm (Optional) Sets the sorry server farm name to the backup server farm.
sticky (Optional) Enables stickiness to the backup server.
threshold (Optional) Configures the server farm health threshold.
inservice real_value (Optional) Specifies the number of active real servers required for the
server farm to be activated.
outservice real_value (Optional) Specifies the minimum number of active real servers
required to remain as healthy. The outservice real_value must be lower than the inservice real_value.
Release Modification
CSM release 1.1(1) This command was introduced.
CSM release 3.1(1) The sorry server (backup server) option was added to this command.
CSM release 4.2(1) The threshold inservice real_value and outservice real_value
options were added to this command.
Usage Guidelines Use the serverfarm command to configure the server farm. Only one server farm can be configured per
policy. The server farm name must match the name specified in the serverfarm module CSM configuration submode command. By default, the sticky option does not apply to the backup server farm. To remove the backup server farm, you can either use the serverfarm command without the backup option or use the no serverfarm command.
The backup sorry-serverfarm [sticky] value defines whether the sticky group applied to the primary server farm is also applied for the backup server farm. If you do not specify stickiness for the primary server farm, then stickiness also is not applied to the backup server farm.
For example, if you have a sticky group configured for a policy, the primary server farm in this policy becomes sticky. The client will be stuck to the configured real server in the primary server farm. When all of the real servers in the primary server farm fail, new requests from this client are sent to the backup server farm.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-49
Chapter 2 Content Switching Module with SSL Commands
serverfarm (policy submode)
When the real server in the primary server farm is operational, the following actions result:
- The existing connections to the backup real server continue to be serviced by the backup real server.
- The new requests from the client are sent to the backup real server if the sticky option is enabled for the backup server farm.
- The new requests return to the primary real server if the sticky option is not used on the backup server farm.
Examples This example shows how to associate a server farm named central with a policy:
Cat6k-2(config-module-csm)# policy policy
Cat6k-2(config-slb-policy)# serverfarm central backup domino sticky
Related Commands policy
serverfarm (virtual server submode)
show module csm owner

set ip dscp (policy submode)

To mark packets that match the policy with a DSCP value, use the set ip dscp command in the SLB policy configuration submode. To stop marking packets, use the no form of this command.
set ip dscp dscp-value
no set ip dscp
Syntax Description
dscp-value The range is from 0 to 63.
Defaults The default is that the CSM does not store DSCP values.
Command Modes SLB policy configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to mark packets to match a policy named policy_content:
Cat6k-2(config-module-csm)# policy policy_content
Cat6k-2(config-slb-policy)# set ip dscp 22
Related Commands policy
show module csm owner

sticky-group (policy submode)

To associate a sticky group and the sticky group attributes to the policy, use the sticky-group command in the SLB policy configuration submode. To remove the sticky group from the policy, use the no form of this command.
sticky-group group-id
no sticky-group
Syntax Description
group-id ID of the sticky group to be associated with a policy.
Defaults The default is 0, which means that no connections are sticky.
Command Modes SLB policy configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines The group-id value must match the ID specified in the sticky command; the range is from 1 to 255.
Examples This example shows how to configure a sticky group:
Cat6k-2(config-module-csm)# policy policy1
Cat6k-2(config-slb-policy)# sticky-group 5
Related Commands policy
show module csm owner
show module csm sticky
sticky

url-map (policy submode)

To associate a list of URLs with the policy, use the url-map command in SLB policy configuration submode. To remove the URL map from the policy, use the no form of this command.
url-map url-map-name
no url-map
Syntax Description
url-map-name Name of the URL list to be associated with a policy.
Defaults The default is no URL map.
Command Modes SLB policy configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines Only one URL map can be associated with a policy. To configure URL maps, use the map url command.
Examples This example shows how to associate a URL list named assembly with a policy:
Cat6k-2(config-module-csm)# policy policy
Cat6k-2(config-slb-policy)# url-map assembly
Related Commands map url
policy
show module csm owner

probe

To configure a probe and probe type for health monitoring, and then enter the probe configuration submode, use the probe command. To remove a probe from the configuration, use the no form of this command.
probe probe-name {http | icmp | telnet | tcp | ftp | smtp | dns | udp | script}
no probe probe-name
Syntax Description
probe-name Name of the probe; the character string is limited to 15 characters.
http Creates an HTTP probe with a default configuration.
icmp Creates an ICMP probe with a default configuration.
telnet Creates a Telnet probe with a default configuration.
tcp Creates a TCP probe with a default configuration.
ftp Creates an FTP probe with a default configuration.
smtp Creates an SMTP probe with a default configuration.
dns Creates a DNS probe with a default configuration.
udp Creates a UDP probe with a default configuration.
script Creates a script probe with a default configuration.
Defaults This command has no default settings.
Command Modes Module CSM configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines A probe can be assigned to a server farm in serverfarm submode. The UDP probe requires ICMP because otherwise the UDP probe will be unable to detect when a server has gone down or has been disconnected. You must associate UDP to the supervisor engine and then configure ICMP.
Because the UDP probe is a raw UDP probe, the CSM uses a single byte in the payload for probe responses. The CSM does not expect any meaningful response from the UDP application. The CSM uses the ICMP unreachable message to determine if the UDP application is not reachable. If there is no ICMP unreachable message in the receive timeout, then the CSM assumes that the probe is operating correctly.
If the IP interface of the real server is down or disconnected, the UDP probe does not know that the UDP application is unreachable. You must configure the ICMP probe in addition to the UDP probe for any server.
The CSM uses the DNS probe as the high-level UDP application. You also can use a TCL script to configure this probe.
When configuring Global Server Load Balancing (GSLB) type probes, the port submode command is not used to specify which destination UDP port to query. Use the CSM environment variable GSLB_KALAP_UDP_PORT instead. The default is port 5002.
To specify probe frequency and the number of retries for KAL-AP, ICMP, HTTP, and DNS probes when associated with a GSLB server farm environment, the following variables must be used instead of the probe configuration submode commands:
GSLB_KALAP_PROBE_FREQ 10
GSLB_KALAP_PROBE_RETRIES 3
GSLB_ICMP_PROBE_FREQ 10
GSLB_ICMP_PROBE_RETRIES 3
GSLB_HTTP_PROBE_FREQ 10
GSLB_HTTP_PROBE_RETRIES 2
GSLB_DNS_PROBE_FREQ 10
GSLB_DNS_PROBE_RETRIES 3
Examples This example shows how to configure an HTTP probe named TREADER:
Cat6k-2(config-module-csm)# probe TREADER http
Related Commands probe
show module csm probe

address (probe submode)

To specify a destination IP address for health monitoring, use the address command in SLB probe configuration submode. To remove the address, use the no form of this command.
address ip-address [routed]
no address ip-address
Syntax Description
ip-address Specifies the real server’s destination IP address.
routed (Optional) Specifies that the probe is routed according to the CSM routing table.
Defaults This command has no default settings.
Command Modes SLB probe configuration submode
Command History
Release Modification
CSM release 2.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines Multiple addresses can be configured for a DNS probe. For an ICMP probe, you can configure one address. Configuring an address allows the probes to cross the firewall to check the link to the host on the other side. ICMP is the only probe that supports the address parameter without the routed option, which is used for firewall load balancing.
Examples This example shows how to configure an IP address of the real server:
Cat6k-2(config-slb-probe-icmp)# address 101.23.45.36
Related Commands probe
show module csm probe

credentials (probe submode)

To configure basic authentication values for an HTTP probe, use the credentials command in the SLB HTTP probe configuration submode. To remove the credentials configuration, use the no form of this command.
credentials username [password]
no credentials
Syntax Description
username Name that appears in the HTTP header.
password (Optional) Password that appears in the HTTP header.
Defaults This command has no default settings.
Command Modes SLB HTTP probe configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines This command is for HTTP probes.
Examples This example shows how to configure authentication for an HTTP probe:
Cat6k-2(config-slb-probe-http)# credentials seamless abercrombie
Related Commands probe
show module csm probe

description (serverfarm submode)

To add a description for the server farm, use the description command in the SLB probe configuration submode. To remove the description, use the no form of this command.
description line
no description
Syntax Description
line Description text.
Defaults This command has no default settings.
Command Modes SLB VLAN configuration submode
Command History
Release Modification
CSM release 4.2(1) This command was introduced.
Usage Guidelines
Examples This example shows how to add a description:
Cat6k-2(config-slb-probe-http)# description Backup Server Farm
Related Commands

expect status (probe submode)

To configure a status code for the probe, use the expect status command in the SLB HTTP/FTP/Telnet/SMTP probe configuration submode. To remove the status code from the configuration, use the no form of this command.
expect status min-number [max-number]
no expect status min-number [max-number]
Syntax Description
min-number Single status code if the max-number value is not specified.
max-number (Optional) Maximum status code in a range.
Defaults The default range is 0 to 999 (any response from the server is valid).
Command Modes SLB HTTP/FTP/Telnet/SMTP probe configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines This command is for HTTP, FTP, Telnet, and SMTP probes. You can specify multiple status code ranges with this command by entering one command at a time. If you specify the max-number value, the min-number value is used as the minimum status code of a range. If you specify no maximum number, this command uses a single number (min-number). If you specify both min-number and max-number values, this command uses the range between the numbers.
Both the minimum number and the maximum number can be any number between 0 and 999 as long as the maximum number is not lower than the minimum number.
For example:
expect status 5 is the same as expect status 5 5.
expect status 0 4 specifies a range of 0 to 4.
expect status 900 999 specifies a range of 900 to 999.
You can specify many expected status ranges.
Note When you remove the expect status, you cannot set the range of numbers to 0 or as a range of numbers that includes the values you set for the expect status. The expect status state becomes invalid and does not restore the default range of 0 through 999. To remove the expect status, remove each set of numbers using the no expect status command. For example, enter the no expect status 0 3 command and then enter the no expect status 34 99 command.
Examples This example shows how to configure an HTTP probe with multiple status code ranges:
Cat6k-2(config-slb-probe-http)# expect status 34 99
Cat6k-2(config-slb-probe-http)# expect status 0 33
Cat6k-2(config-slb-probe-http)#
Related Commands probe
show module csm probe

failed (probe submode)

To set the time to wait before probing a failed server, use the failed command in the SLB probe configuration submode. To reset the time to wait before probing a failed server to default, use the no form of this command.
failed failed-interval
no failed
Syntax Description
failed-interval Specifies the interval in seconds before the probe retries a failed server; the range is from 2 to 65535.
Defaults The default value for the failed interval is 300 seconds.
Command Modes SLB probe configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines This command is used for all probe types.
Examples This example shows how to configure a failed server probe for 200 seconds:
Cat6k-2(config-slb-probe-http)# failed 200
Related Commands probe
show module csm probe

header (probe submode)

To configure a header field for the HTTP probe, use the header command in the SLB HTTP probe configuration submode. To remove the header field configuration, use the no form of this command.
header field-name [field-value]
no header field-name
Syntax Description
field-name Name for the header being defined.
field-value (Optional) Content for the header.
Defaults This command has no default settings.
Command Modes SLB HTTP probe configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines You can configure multiple headers for each HTTP probe. The length of the field-name value plus the length of the field-value value plus 4 (for “:”, space, and CRLF) cannot exceed 255 characters. This command is for HTTP probes.
Examples This example shows how to configure a header field for the HTTP probe:
Cat6k-2(config-slb-probe-http)# header abacadabra
Related Commands probe
show module csm probe

interval (probe submode)

To set the time interval between probes, use the interval command in the SLB probe configuration submode. To reset the time interval between probes to default, use the no form of this command.
interval seconds
no interval
Syntax Description
seconds Number of seconds to wait between probes from the end of the previous probe to the beginning of the next probe; the range is from 2 to 65535.
Defaults The default value for the interval between probes is 120 seconds.
Command Modes SLB probe configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines This command is used for all probe types.
Examples This example shows how to configure a probe interval of 150 seconds:
Cat6k-2(config-slb-probe-http)# interval 150
Related Commands probe
show module csm probe

name (probe submode)

To configure a domain name for the DNS probe, use the name command in the SLB DNS probe configuration submode. To remove the name from the configuration, use the no form of this command.
name domain-name
no name
Syntax Description
domain-name Domain name that the probe sends to the DNS server.
Defaults This command has no default settings.
Command Modes SLB DNS probe configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to specify the probe name that is resolved by the DNS server:
Cat6k-2(config-slb-probe-dns)# name astro
Related Commands probe
show module csm probe

open (probe submode)

To set the time to wait for a TCP connection, use the open command in the SLB HTTP/TCP/FTP/Telnet/SMTP probe configuration submode. To reset the time to wait for a TCP connection to default, use the no form of this command.
open open-timeout
no open
Syntax Description
open-timeout Maximum number of seconds to wait for the TCP connection; the range is from 1 to 65535.
Defaults The default value for the open timeout is 10 seconds.
Command Modes SLB HTTP/TCP/FTP/Telnet/SMTP probe configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines This command is not used for any non-TCP probes, such as ICMP or DNS.
Note There are two different timeout values: open and receive. The open timeout specifies how many seconds to wait for the connection to open (that is, how many seconds to wait for SYN ACK after sending SYN). The receive timeout specifies how many seconds to wait for data to be received (that is, how many seconds to wait for an HTTP reply after sending a GET/HEAD request). Because TCP probes close as soon as they open without sending any data, the receive timeout is not used.
Examples This example shows how to configure a time to wait for a TCP connection of 5 seconds:
Cat6k-2(config-slb-probe-http)# open 5
Related Commands probe
show module csm probe

port (probe submode)

To configure an optional port for the DNS probe, use the port command in the SLB probe configuration submode. To remove the port from the configuration, use the no form of this command.
port port-number
no port
Syntax Description
port-number Sets the port number.
Defaults The default value for the port number is 0.
Command Modes This command is available in all SLB probe configuration submodes except ICMP.
Command History
Release Modification
CSM release 3.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines When the port of a health probe is specified as 0, the health probe uses the configured port number from the real server (if a real server is configured) or the configured port number from the virtual server (if a virtual server is configured and no port is configured for the real server). The default port value is 0. For the ICMP probes, where there is no port number, the port value is ignored. The port command is available for all probe types except ICMP.
Examples This example shows how to specify the port for the DNS server:
Cat6k-2(config-slb-probe-dns)# port 63
Related Commands probe
show module csm probe

receive (probe submode)

To set the time to wait for a reply from a server, use the receive command in the SLB probe configuration submode. To reset the time to wait for a reply from a server to default, use the no form of this command.
receive receive-timeout
no receive
Syntax Description
receive-timeout Number of seconds to wait for reply from a server; the range is from 1 to 65535.
Defaults The default value for a receive timeout is 10 seconds.
Command Modes SLB probe configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
Usage Guidelines This command is available for all probe types except TCP.
Note There are two different timeout values: open and receive. The open timeout specifies how many seconds to wait for the connection to open (that is, how many seconds to wait for SYN ACK after sending SYN). The receive timeout specifies how many seconds to wait for data to be received (that is, how many seconds to wait for an HTTP reply after sending a GET/HEAD request). Because TCP probes close as soon as they open without sending any data, the receive timeout is not used.
Examples This example shows how to configure a time to wait for a reply from a server of 5 seconds:
Cat6k-2(config-slb-probe-http)# receive 5
Related Commands probe
show module csm probe

recover (probe submode)

To set the number of consecutive responses that are sent before marking a failed server as healthy, use the recover command.
recover recover_value
no recover
Syntax Description
recover_value Number of consecutive responses sent; the range is from 1 to 65535.
Defaults The default value is 1.
Command Modes SLB probe configuration submode
Command History
Release Modification
CSM release 4.2(1) This command was introduced.
Usage Guidelines This command is available for all probe types.
Examples This example shows how to require 5 consecutive responses before a failed server is marked as healthy:
Router(config-slb-probe-http)# recover 5
Related Commands probe
show module csm probe

request (probe submode)

To configure the request method used by the HTTP probe, use the request command in the SLB HTTP probe configuration submode. To remove the request method from the configuration, use the no form of this command.
request [method {get | head}] [url path]
no request [method {get | head}] [url path]
Syntax Description
method get (Optional) Configures a method for the probe request and directs the server to get this page.
method head (Optional) Configures a method for the probe request and directs the server to get only the header for this page.
url path (Optional) A character string up to 255 characters specifying the URL path.
Defaults The default path is /.
The default method is the get option.
Command Modes SLB HTTP probe configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines The CSM supports only the get and head request methods. This command is for HTTP probes.
Examples This example shows how to configure a request method for the probe configuration:
Cat6k-2(config-slb-probe-http)# request method head
Related Commands probe
show module csm probe

retries (probe submode)

To set the number of failed probes that are allowed before marking the server failed, use the retries command in the SLB probe configuration submode. To reset the number of failed probes allowed before marking a server as failed to default, use the no form of this command.
retries retry-count
no retries
Syntax Description
retry-count Number of probes to wait before marking a server as failed; the range is from 0 to 65535.
Defaults The default value for retries is 3.
Command Modes SLB probe configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines This command is used for all probe types.
Note Set retries to 2 or more. If retries are set to 1, a single dropped probe packet will bring down the server. A setting of 0 places no limit on the number of probes that are sent. Retries are sent until the system reboots.
Examples This example shows how to configure a retry count of 3:
Cat6k-2(config-slb-probe-http)# retries 3
Related Commands probe
show module csm probe

script (probe submode)

To create a script for a probe, use the script command.
script script_name
Syntax Description
script_name Specifies a probe script.
Defaults This command has no default settings.
Command Modes SLB probe script configuration submode
Command History
Release Modification
CSM release 3.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines The script name should match a script in a configured script file.
Examples This example shows how to create a script probe:
Cat6k-2(config-module-csm)# ip slb script file tftp://192.168.10.102/csmScripts
Cat6k-2(config-probe-script)# script echoProbe.tcl
Cat6k-2(config-probe-script)# interval 10
Cat6k-2(config-probe-script)# retries 1
Cat6k-2(config-probe-script)# failed 30
Related Commands failed (probe submode)
interval (probe submode)
open (probe submode)
probe
receive (probe submode)
retries (probe submode)
script file
show module csm probe
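The limits stated for the probe submode commands (probe name length, timer ranges, the retries note, the expect status default of 0 to 999, the header length rule, and which probe types each command applies to) can be checked before a configuration is applied. The Python auditor below is an added example, not Cisco code; the sample configuration and finding names are constructed, and it assumes a malformed expect status line is rejected so that the default range stays in effect.

```python
"""Audit CSM health-probe configuration against the limits stated in this reference."""

# Constructed sample (not from the manual): probe blocks with prompts omitted.
SAMPLE_CONFIG = """\
probe WEB_HEALTH_CHECK_1 http
 credentials probeuser s3cret
 header Host www.example.com
 interval 1
 retries 1
probe API http
 request method head url /health
 expect status 200 299
 expect status 500 400
probe DNS1 dns
 name example.com
 open 5
 receive 0
"""

ALL_TYPES = {"http", "icmp", "telnet", "tcp", "ftp", "smtp", "dns", "udp", "script"}
# Numeric ranges from the syntax description of each probe submode command.
RANGES = {"failed": (2, 65535), "interval": (2, 65535), "open": (1, 65535),
          "receive": (1, 65535), "recover": (1, 65535), "retries": (0, 65535)}
# Probe types each command applies to, per Command Modes / Usage Guidelines.
APPLIES = {
    "credentials": {"http"}, "header": {"http"}, "request": {"http"},
    "name": {"dns"}, "expect": {"http", "ftp", "telnet", "smtp"},
    "open": {"http", "tcp", "ftp", "telnet", "smtp"},
    "receive": ALL_TYPES - {"tcp"}, "port": ALL_TYPES - {"icmp"},
}


def parse_probes(text):
    """Split configuration text into probe blocks with their submode commands."""
    probes = []
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0] == "probe":
            probes.append({"name": words[1], "type": words[2], "cmds": []})
        elif words and probes:
            probes[-1]["cmds"].append(words)
    return probes


def status_ranges(probe):
    """Return (valid ranges, number of malformed 'expect status' lines)."""
    good, bad = [], 0
    for words in probe["cmds"]:
        if words[:2] != ["expect", "status"]:
            continue
        nums = words[2:4]
        if nums and all(n.isdigit() for n in nums):
            low, high = int(nums[0]), int(nums[-1])  # one number: low == high
            if 0 <= low <= high <= 999:
                good.append((low, high))
                continue
        bad += 1
    return good, bad


def accepts_status(probe, code):
    """True if a reply with this status code would count as a healthy probe."""
    good, _ = status_ranges(probe)
    ranges = good or [(0, 999)]  # default: any response from the server is valid
    return any(low <= code <= high for low, high in ranges)


def audit_probe(probe):
    """Return finding codes for one probe block, in configuration order."""
    findings, ptype = [], probe["type"]
    if len(probe["name"]) > 15:
        findings.append("NAME_TOO_LONG")
    for words in probe["cmds"]:
        cmd, args = words[0], words[1:]
        if cmd in APPLIES and ptype not in APPLIES[cmd]:
            findings.append(f"NOT_APPLICABLE:{cmd}")
        elif cmd in RANGES:
            low, high = RANGES[cmd]
            if not (args and args[0].isdigit() and low <= int(args[0]) <= high):
                findings.append(f"OUT_OF_RANGE:{cmd}")
            elif cmd == "retries" and args[0] in ("0", "1"):
                # 1: one dropped probe packet marks the server down; 0: no limit.
                findings.append("RETRIES_1" if args[0] == "1" else "RETRIES_UNLIMITED")
        elif cmd == "header" and args:
            # field-name + field-value + 4 (":", space, CRLF) must not exceed 255.
            if len(args[0]) + len(" ".join(args[1:])) + 4 > 255:
                findings.append("HEADER_TOO_LONG")
        elif cmd == "credentials" and len(args) > 1:
            # Basic authentication values travel in the HTTP header of every
            # probe (base64-encoded, not encrypted) and sit in the configuration.
            findings.append("BASIC_AUTH_PASSWORD")
    good, bad = status_ranges(probe)
    findings += ["BAD_STATUS_RANGE"] * bad
    if ptype in APPLIES["expect"] and not good:
        findings.append("ANY_STATUS_ACCEPTED")  # default 0-999 masks error replies
    return findings


def audit_config(text):
    """Map each probe name to its list of findings."""
    return {p["name"]: audit_probe(p) for p in parse_probes(text)}
```

A probe that reports ANY_STATUS_ACCEPTED keeps a server in rotation even when it answers every request with an error status, which is the case an explicit expect status range prevents.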

real

To identify a real server that is a member of the server farm, and then enter the real server configuration submode, use the real command in the SLB serverfarm configuration submode. To remove the real server from the configuration, use the no form of this command.
real ip-address [port] [local]
no real ip-address [port]
Syntax Description
ip-address Real server IP address.
port (Optional) Port translation for the real server; the range is from 1 to 65535.
local (Optional) Specifies that the real server is the SSL daughter card.
Defaults The default is no port translation for the real server.
Command Modes SLB serverfarm configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM release 4.1(3) The local keyword was added to support the SSL daughter card.
CSM-S release 1.1(1) This command was introduced and the local keyword was added.
Usage Guidelines The IP address that you supply provides a load-balancing target for the CSM. This target can be any IP addressable object. For example, the IP addressable object may be a real server, a firewall, or an alias IP address of another CSM.
You can configure a real server as follows:
- no inservice—Using the no inservice command in the real server submode, the CSM is specified as out of service. There is no sticky and no new connections being applied.
  Note If you specify no inservice, the CSM does not remove open connections. If you want to remove open connections, you must perform that task manually using the clear module csm slot conn command.
- inservice—Using the inservice command in the real server submode, the CSM is specified as in service. Sticky is allowed and new connections to the module can be made.
- inservice standby—Specifies that when in standby mode, the real server only accepts connections when the primary real server has failed.
Examples This example shows how to identify a real server and enter the real server submode:
Cat6k-2(config-slb-sfarm)# real 102.43.55.60
Cat6k-2(config-slb-real)#
Related Commands inservice (real server submode)
script task
show module csm real
show module csm serverfarm

backup real (real server submode)

To apply new connections to real servers when a primary server is down, use the backup real command in the SLB real server configuration submode. To remove a real server from service, use the no form of this command.
backup real {ip | name name} [port]
no backup real
Syntax Description
ip Specifies the backup server’s IP address.
name name Specifies the real server name.
port (Optional) Specifies the port where the backup real server is located.
Defaults This command has no default settings.
Command Modes SLB real server configuration submode
Command History
Release Modification
CSM release 3.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines A weight of 0 is now allowed for graceful shutdown of existing connections. The backup real command can be used in these situations where a server farm is specified:
- Directly under a virtual server.
- In a policy and then associated to a virtual server.
Examples This example shows how to enable a real server:
Cat6k-2(config-slb-real)# backup real 10.2.2.1 3
Cat6k-2(config-slb-real)#
Related Commands failaction (serverfarm submode)
real (static NAT submode)
show module csm real

health probe (real server submode)

To configure a probe for the real server, use the health probe command in the SLB real server configuration submode. To remove the probe from the configuration, use the no form of this command.
health probe probe-name tag string
no health probe
Syntax Description
probe-name Names the probe.
tag Specifies a tag for the probe.
string Specifies a string to identify the probe.
Defaults This command has no default values.
Command Modes SLB real server configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Examples This example shows how to configure a probe for a server:
Cat6k-2(config-slb-sfarm)# real 102.2.2.1
Cat6k-2(config-slb-real)# health probe mission tag 12345678
Related Commands real
show module csm real

inservice (real server submode)

To enable the real servers, use the inservice command in the SLB real server configuration submode. To remove a real server from service, use the no form of this command.
inservice [standby]
no inservice
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
standby (Optional) Specifies that when in standby mode, the real server only
accepts connections when the primary real server has failed.
Defaults The real server is not in service.
Command Modes SLB real server configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM release 3.2(1) This command was modified for firewall load-balancing (FWLB) reassignment.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines When you specify the no inservice command, the CSM does not remove open connections. To remove open connections, use the clear module csm slot connection command.
The CSM performs a graceful server shutdown when you take a real server out of service by entering the no inservice command. This command stops all new sessions from being load balanced to the specified real server while allowing existing sessions to complete or time out. New sessions are load balanced to other servers in the server farm for that virtual server.
This example shows how to remove a real server from service:
Router(config-slb-real)# no inservice
Examples This example shows how to enable a real server:
Cat6k-2(config-slb-sfarm)# real 10.2.2.1
Cat6k-2(config-slb-real)# inservice
Related Commands real
show module csm real

maxconns (real server submode)

To limit the number of active connections to the real server, use the maxconns command in the SLB real server configuration submode. To change the maximum number of connections to its default value, use the no form of this command.
maxconns max-conns
no maxconns
Syntax Description
max-conns Maximum number of active connections on the real server at any time; the range is from 1 to 4294967295.
Defaults The default value is the maximum value or infinite (not monitored).
Command Modes SLB real server configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines When you specify the minconns command, you must also specify the maxconns command. In all releases, when the MINCONNS value is set, once a real server has reached the maximum connections (MAXCONNS) state, no additional session is balanced to it until the number of open sessions to that real server falls below MINCONNS.
Examples This example shows how to limit the connections to a real server:
Cat6k-2(config-slb-sfarm)# real 10.2.2.1
Cat6k-2(config-slb-real)# maxconns 4000
Related Commands minconns (real server submode)
real
show module csm real

minconns (real server submode)

To establish a minimum connection threshold for the real server, use the minconns command in the SLB real server configuration submode. To change the minimum number of connections to the default value, use the no form of this command.
minconns min-cons
no minconns
Syntax Description
min-cons Minimum number of connections allowed on the real server; the range is from 0 to 4294967295.
Defaults The default value is the set minimum number of connections.
Command Modes SLB real server configuration submode
Command History
Release Modification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines When the threshold of the maxconns command is exceeded, the CSM stops sending connections until the number of connections falls below the minconns command threshold. This value must be lower than the maximum number of connections configured by the maxconns command. When you specify the minconns command, you must also specify the maxconns command.
In all releases, when the MINCONNS value is set, once a real server has reached the maximum connections (MAXCONNS) state, no additional session is balanced to it until the number of open sessions to that real server falls below MINCONNS.
Examples This example shows how to establish a minimum connection threshold for a server:
Cat6k-2(config-slb-sfarm)# real 102.2.2.1
Cat6k-2(config-slb-real)# minconns 4000
Related Commands maxconns (real server submode)
real
show module csm real
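
The maxconns/minconns hysteresis described in the usage guidelines above, modelled in Python as an added example (not Cisco code and not part of the original manual). The RealServer class, its methods and the trace helper are hypothetical names; the behaviour when only maxconns is set (eligible again as soon as open sessions drop below maxconns) is an assumption.

```python
MAX_RANGE = range(1, 4294967296)   # maxconns range given in the manual
MIN_RANGE = range(0, 4294967296)   # minconns range given in the manual

class RealServer:
    """Hypothetical model of one real server's connection thresholds."""
    def __init__(self, maxconns=None, minconns=None):
        if maxconns is not None and maxconns not in MAX_RANGE:
            raise ValueError("maxconns out of range")
        if minconns is not None:
            if maxconns is None:
                raise ValueError("minconns requires maxconns")
            if minconns not in MIN_RANGE or minconns >= maxconns:
                raise ValueError("minconns must be lower than maxconns")
        self.maxconns, self.minconns = maxconns, minconns
        self.open = 0
        self.at_max = False            # True while in the MAXCONNS state

    def eligible(self):
        """True if a new session may be balanced to this server."""
        return not self.at_max         # maxconns unset: never enters the state

    def connect(self):
        if not self.eligible():
            return False
        self.open += 1
        if self.maxconns is not None and self.open >= self.maxconns:
            self.at_max = True
        return True

    def close(self):
        self.open = max(0, self.open - 1)
        # Leave the MAXCONNS state only below minconns; with no minconns,
        # below maxconns (assumption, the manual does not spell this out).
        floor = self.minconns if self.minconns is not None else self.maxconns
        if self.at_max and self.open < floor:
            self.at_max = False

def trace(maxconns, minconns, events):
    """Replay '+' (new session) / '-' (session ends); list (open, eligible)."""
    server, seen = RealServer(maxconns, minconns), []
    for event in events:
        server.connect() if event == "+" else server.close()
        seen.append((server.open, server.eligible()))
    return seen

if __name__ == "__main__":
    for step in trace(4, 2, "++++---+"):   # constructed event sequence
        print(step)
```

With maxconns 4 and minconns 2, the server stays ineligible while sessions drain from 4 to 2 and receives new sessions again only once a single session remains.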