Catalyst 6500 Series Switch Content
Switching Module with SSL Command
Reference
Software Release 2.1(1)
May, 2005
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-7029-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
match protocol http header (header map submode)2-30
map retcode2-31
match protocol http retcode (return code map submode)2-32
map url2-33
match protocol http url (URL map submode)2-34
module csm2-35
natpool (module CSM submode)2-36
variable (module CSM submode)2-37
owner2-40
billing-info (owner submode)2-41
contact-info (owner submode)2-42
maxconns (owner submode)2-43
policy2-44
client-group (policy submode)2-45
iv
cookie-map (policy submode)2-46
header-map (policy submode)2-47
nat client (policy submode)2-48
serverfarm (policy submode)2-49
set ip dscp (policy submode)2-51
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
sticky-group (policy submode)2-52
url-map (policy submode)2-53
probe2-54
address (probe submode)2-56
credentials (probe submode)2-57
description (serverfarm submode)2-58
expect status (probe submode)2-59
failed (probe submode)2-61
header (probe submode)2-62
interval (probe submode)2-63
name (probe submode)2-64
open (probe submode)2-65
port (probe submode)2-66
Contents
receive (probe submode)2-67
recover (probe submode)2-68
request (probe submode)2-69
retries (probe submode)2-70
script (probe submode)2-71
real2-72
backup real (real server submode)2-74
health probe (real server submode)2-75
inservice (real server submode)2-76
maxconns (real server submode)2-77
minconns (real server submode)2-78
redirect-vserver (real server submode)2-79
weight (real server submode)2-80
redirect-vserver2-81
advertise (redirect virtual server submode)2-82
client (redirect virtual server submode)2-83
idle (redirect virtual server submode)2-84
OL-7029-01
inservice (redirect virtual server submode)2-85
replicate csrp (redirect virtual server submode)2-86
ssl (redirect virtual server submode)2-87
virtual (redirect virtual server submode)2-88
vlan (redirect virtual server submode)2-89
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
v
Contents
webhost backup (redirect virtual server submode)2-90
webhost relocation (redirect virtual server submode)2-91
reverse-sticky2-92
script file2-93
script task2-95
serverfarm2-96
bindid (serverfarm submode)2-97
description (serverfarm submode)2-98
failaction (serverfarm submode)2-99
health (serverfarm submode)2-100
nat client (serverfarm submode)2-101
nat server (serverfarm submode)2-102
predictor (serverfarm submode)2-103
probe (serverfarm submode)2-106
retcode-map (serverfarm submode)2-107
show module csm2-108
show module csm arp2-109
show module csm capp2-110
show module csm conns2-112
show module csm dfp2-114
show module csm ft2-116
show module csm map2-117
show module csm memory2-119
show module csm natpool2-120
show module csm owner2-121
show module csm policy2-122
show module csm probe2-123
show module csm probe script2-125
show module csm pvlan2-126
show module csm real2-127
vi
show module csm real retcode2-129
show module csm script2-130
show module csm script task2-131
show module csm serverfarm2-132
show module csm static2-134
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
show module csm static server2-135
show module csm stats2-137
show module csm status2-139
show module csm sticky2-140
show module csm tech-script2-142
show module csm tech-support2-143
show modulecsmvariable2-146
show module csm vlan2-148
show module csm vserver redirect2-150
show module csm xml stats2-152
snmp enable traps slb ft2-153
static2-154
real (static NAT submode)2-155
Contents
sticky2-156
cookie offset (sticky submode)2-158
cookie secondary (sticky submode)2-159
header (sticky submode)2-160
static (sticky submode)2-161
vserver2-162
advertise (virtual server submode)2-163
client (virtual server submode)2-164
description (virtual server submode)2-165
domain (virtual server submode)2-166
idle (virtual server submode)2-167
inservice (virtual server submode)2-168
owner (virtual server submode)2-169
parse-length (virtual server submode)2-170
pending (virtual server submode)2-171
persistent rebalance (virtual server submode)2-172
replicate csrp (virtual server submode)2-173
OL-7029-01
reverse-sticky (virtual server submode)2-174
serverfarm (virtual server submode)2-175
slb-policy (virtual server submode)2-177
ssl-sticky (virtual server submode)2-178
status-tracking (virtual server submode)2-179
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
vii
Contents
sticky (virtual server submode)2-180
unidirectional (virtual server submode)2-182
url-hash (virtual server submode)2-183
virtual (virtual server submode)2-184
vlan (virtual server submode)2-187
vlan2-188
alias (VLAN submode)2-189
description (VLAN submode)2-191
gateway (VLAN submode)2-192
ip address (VLAN submode)2-193
route (VLAN submode)2-194
xml-config2-195
client-group (XML submode)2-196
CHAPTER
credentials (XML submode)2-197
inservice (XML submode)2-198
port (XML submode)2-199
vlan (XML submode)2-200
3Commands Specific to the Content Switching Module with SSL3-1
clear ssl-proxy conn3-5
clear ssl-proxy session3-6
clear ssl-proxy stats3-7
crypto ca export pem3-8
crypto ca import pem3-10
crypto ca export pkcs123-12
crypto ca import pkcs123-14
crypto key export rsa pem3-16
crypto key import rsa pem3-18
debug ssl-proxy3-20
do3-23
viii
show ssl-proxy admin-info3-24
show ssl-proxy buffers3-25
show ssl-proxy certificate-history3-26
show ssl-proxy conn3-29
show ssl-proxy crash-info3-32
show ssl-proxy mac address3-34
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
show ssl-proxy natpool3-35
show ssl-proxy policy3-36
show ssl-proxy service3-38
show ssl-proxy stats3-40
show ssl-proxy status3-43
show ssl-proxy version3-45
show ssl-proxy vlan3-46
show ssl-proxy vts3-47
snmp-server enable3-48
ssl-proxy crypto selftest3-49
ssl-proxy mac address3-50
ssl-proxy natpool3-51
ssl-proxy pki3-52
Contents
ssl-proxy policy http-header3-54
ssl-proxy policy ssl3-56
ssl-proxy policy tcp3-60
ssl-proxy policy url-rewrite3-63
ssl-proxy pool ca3-65
ssl-proxy service3-66
ssl-proxy service client3-70
ssl-proxy ssl ratelimit3-73
ssl-proxy vlan3-74
standby authentication3-78
standby delay minimum reload3-79
standby ip3-81
standby mac-address3-83
standby mac-refresh3-85
standby name3-86
standby preempt3-87
standby priority3-89
OL-7029-01
standby redirects3-91
standby timers3-93
standby track3-95
standby use-bia3-97
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
ix
Contents
APPENDIX
I
NDEX
AAcronymsA-1
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
x
OL-7029-01
Preface
This preface describes the audience, organization, and conventions of this publication, and provides
information on how to obtain related documentation.
This guide contains the commands available for use with the Cisco Content Switching Module with SSL
(CSM-S). Use this guide with the Catalyst 6500 Series Switch Content Switching Module with SSL
Installation Note and the Catalyst 6500 Series Switch Content Switching Module with SSL Installation
and Configuration Note.
Audience
This publication is for experienced network administrators who are responsible for configuring and
maintaining Catalyst 6500 series switches and network managers who perform any of the following
tasks:
Organization
This publication is organized as follows:
ChapterTitleDescription
Chapter 1Using Content Switching
Chapter 2Content Switching Module with
Chapter 3Commands Specific to the
Appendix AAcronymsLists the acronyms used in this command
• Managing network security
• Configuring firewalls
• Managing default and static routes and TCP and UDP services
Introduces you to the CSM commands,
Module Commands
SSL Commands
Content Switching Module with
SSL
access modes, and common port and
protocol numbers.
Provides detailed descriptions of all CSM
commands in an alphabetical listing.
Provides detailed descriptions of all SSL
commands used by the CSMS in an
alphabetical listing.
reference.
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
xi
Conventions
Conventions
This document uses the following conventions:
ConventionDescription
boldface fontCommands, command options, and keywords are in
boldface.
italic fontArguments for which you supply values are in italics.
[ ]Elements in square brackets are optional. Default responses
to system prompts are in square brackets.
{ x | y | z }Alternative keywords are grouped in braces and separated by
vertical bars. Braces can also be used to group keywords
and/or aguments; for example, {interface interface type}.
[ x | y | z ]Optional alternative keywords are grouped in brackets and
separated by vertical bars.
stringA nonquoted set of characters. Do not use quotation marks
around the string or the string will include the quotation
marks.
screen fontTerminal sessions and information the system displays are in
screen font.
boldface screen
font
italic screen
font
^The symbol ^ represents the key labeled Control—for
< >Nonprinting characters, such as passwords are in angle
!, #An exclamation point (!) or a pound sign (#) at the beginning
Information you must enter is in boldface screen font.
Arguments in the screen display for which you supply values
are in
italic screen
font.
example, the key combination ^D in a screen display means
hold down the Control key while you press the D key.
brackets.
of a line of code indicates a comment line.
Preface
xii
Notes use the following conventions:
NoteMeans reader take note. Notes contain helpful suggestions or references to material not covered in
the publication.
Cautions use the following conventions:
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Preface
Related Documentation
For more detailed installation and configuration information for the Content Switching Module with
SSL, refer to the following publications:
• Release Notes for the Catalyst 6500 Series Switch Content Switching Module with SSL
• Catalyst 6500 Series Switch Content Switching Module with SSL Installation Note
• Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
• Regulatory Compliance and Safety Information for the Catalyst 6500 Series Switches
For more detailed installation and configuration information for SSL services, refer to the following
publications:
• Release Notes for Catalyst 6500 Series SSL Services Module Software Release 2.x
• Catalyst 6500 Series Switch SSL Services Module Installation and Verification Note
• Catalyst 6500 Series Switch SSL Services Module Command Reference
• Catalyst 6500 Series Switch SSL Services Module System Messages
Use this document in conjunction with the CSM documentation available online at the following site:
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
Cisco documentation and additional literature are available in a Documentation DVD package, which
may have shipped with your product. The Documentation DVD is updated regularly and may be more
current than printed documentation. The Documentation DVD package is available as a single unit.
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
xiii
Documentation Feedback
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product
number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/
Ordering Documentation
You can find instructions for ordering documentation at this URL:
• Report security vulnerabilities in Cisco products.
• Obtain assistance with security incidents that involve Cisco products.
• Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Preface
If you prefer to see advisories and notices as they are updated in real time, you can access a Product
Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
Cisco is committed to delivering secure products. We test our products internally before we release
them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a
vulnerability in a Cisco product, contact PSIRT:
• Emergencies— security-alert@cisco.com
• Nonemergencies —psirt@cisco.com
TipWe encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive
information that you send to Cisco. PSIRT can work from encrypted information that is compatible with
PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence
with PSIRT is the one that has the most recent creation date in this public key server list:
In an emergency, you can also reach PSIRT by telephone:
• 1 877 228-7302
• 1 408 525-6532
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco
Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical
Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical
Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service
contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and
resolving technical issues with Cisco products and technologies. The website is available 24 hours a day,
365 days a year, at this URL:
OL-7029-01
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password.
If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
xv
Obtaining Technical Assistance
NoteUse the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support
Website by clicking the Tools & Resources link under Documentation & Tools.Choose Cisco Product
Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product
Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID
or model name; by tree view; or for certain products, by copying and pasting show command output.
Search results show an illustration of your product with the serial number label location highlighted.
Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3
and S4 service requests are those in which your network is minimally impaired or for which you require
product information.) After you describe your situation, the TAC Service Request Tool provides
recommended solutions. If your issue is not resolved using the recommended resources, your service
request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
Preface
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone.
(S1 or S2 service requests are those in which your production network is down or severely degraded.)
Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business
operations running smoothly.
To open a service request by telephone, use one of the following numbers:
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity
definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You
and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your
business operation are negatively affected by inadequate performance of Cisco products. You and Cisco
will commit full-time resources during normal business hours to resolve the situation.
xvi
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations
remain functional. You and Cisco will commit resources during normal business hours to restore service
to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Preface
Obtaining Additional Publications and Information
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
• Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit
Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
• Cisco Press publishes a wide range of general networking, training and certification titles. Both new
and experienced users will benefit from these publications. For current Cisco Press titles and other
information, go to Cisco Press at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and
networking investments. Each quarter, Packet delivers coverage of the latest industry trends,
technology breakthroughs, and Cisco products and solutions, as well as network deployment and
troubleshooting tips, configuration examples, customer case studies, certification and training
information, and links to scores of in-depth online resources. You can access Packet magazine at
this URL:
http://www.cisco.com/packet
• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies
learn how they can use technology to increase revenue, streamline their business, and expand
services. The publication identifies the challenges facing these companies and the technologies to
help solve them, using real-world case studies and business strategies to help readers make sound
technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
xvii
Obtaining Additional Publications and Information
Preface
xviii
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
CHAPTER
1
Using Content Switching Module Commands
This chapter describes how to use the CSM and CSM-S commands and contains the following sections:
• Using the CSM and CSM-S Commands, page 1-1
• Command Modes, page 1-2
NoteExcept where specifically differentiated, the term “Content Switching Module” and its acronym “CSM”
includes both the Content Switching Module and the Content Switching Module with SSL.
The term “Content Switching Module with SSL” and its acronym “CSM-S” are used only where the
information presented is specific to the CSMS.
The term SSL daughter card an SSL termination dauthter card for the CSM that accelerates Secure
Socket Layer (SSL) transactions.
Using the CSM and CSM-S Commands
This section provides a brief introduction to using commands and where to go for more information on
configuring and using your CSM or CSM-S.
You will use these commands for basic tasks:
CommandTask
write memorySaving the configuration
write terminalViewing the configuration
logging buffered debuggingAccumulating system log (syslog) messages
show loggingViewing system log (syslog) messages
clear loggingClearing the message buffer
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
1-1
Command Modes
Chapter 1 Using Content Switching Module Commands
With the command-line interface (CLI), you can do the following tasks:
• Check the syntax before entering a command.
Enter a command and press the ? key to view a quick summary, or precede a command with the help
command (help aaa, for example).
• Abbreviate commands.
You can use the config t command to start configuration mode, the write t command statement to
list the configuration, and the write m commmand to write to Flash memory. In most commands,
the show command can be abbreviated as sh. This feature is called command completion.
• Review possible port and protocol numbers at the following Internet Assigned Numbers Authority
• Create your configuration in a text editor, and then cut and paste it into the configuration.
You can paste in a line at a time or the whole configuration. Always check your configuration after
pasting large blocks of text to be sure that all of the text was copied.
For information about how to build your CSM and CSM-S configuration, refer to the Catalyst 6500
Series Content Switching Module Installation and Configuration Note and Catalyst 6500 Series Switch
Content Switching Module with SSL Installation and Configuration Note.
CSM and CSM-S technical documentation is located online at the following websites:
The CSM and CSM-S contain a command set based on Cisco IOS technologies and provides
configurable command privilege modes based on the following command modes:
NoteWhen using these modules on a switch running the Catalyst operating system and Cisco IOS, you must
session to the Mutilayer Switch Feature Card (MSFC) for the router prompt.
• Unprivileged mode
The unprivileged mode allows you to view CSM settings. The unprivileged mode prompt appears
as follows when you first access the CSM:
Router>
• Privileged mode
Any unprivileged mode command will work in privileged mode. Use the enable command to start
the privileged mode from the unprivileged mode as follows:
Router> enable
Password:
Router
1-2
The # prompt is displayed.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 1 Using Content Switching Module Commands
Use the exit or end commands to exit privileged mode and return to unprivileged mode as follows:
Router# exit
Logoff
Type help or '?' for a list of available commands.
Router>
Use the disable command to exit privileged mode and return to unprivileged mode as follows:
Router# disable
Router>
• Configuration mode
The configuration mode allows you to change the configuration. All privileged, unprivileged, and
configuration commands are available in this mode. Use the configure terminal command to start
the configuration mode as follows:
Router# configure terminal
Router(config)#
Use the exit or end commands to exit configuration mode and return to privileged mode as follows:
Router(config)# end
Router#
Regular Expressions
Use the disable command to exit configuration mode and return to unprivileged mode as follows:
Router(config)# disable
Router>
• Submodes
When you are in a submode, the prompt changes to:
Router(config-submode_name)#
Regular Expressions
Regular expressions used in commands are based on the UNIX filename specification. You will use
regular expressions in these commands:
• match protocol http cookie (cookie map submode), page -25
• match protocol http header (header map submode), page -30
• match protocol http url (URL map submode), page -34
ExpressionMeaning
“*” Zero or more characters
“?”Exactly one character—the [Ctrl + V] key combination must be entered
“\” Escaped character
“|”Or
Bracketed range (for example, [0–9]) Matching any single character from the range
Leading ^ in a rangeDo not match any in the range
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
1-3
Chapter 1 Using Content Switching Module Commands
Regular Expressions
ExpressionMeaning
“.\a” Alert (ASCII 7)
“.\b” Backspace (ASCII 80
“.\f” Form-feed (ASCII 12)
“.\n” Newline (ASCII 10)
“.\r” Carriage return (ASCII 13)
“.\t” Tab (ASCII 9)
“.\v” Vertical tab (ASCII 11)
“.\0” Null (ASCII 0)
“.\\”Backslash
“.\x##” Any ASCII character as specified in two-digit hexadecimal notation
1-4
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
CHAPTER
2
Content Switching Module with SSL Commands
This chapter contains an alphabetical listing of the commands necessary to configure the CSM-S. These
commands are unique to server load-balancing (SLB) and Layer 3 switching.
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-1
arp
arp
Chapter 2 Content Switching Module with SSL Commands
To configure a static ARP entry, use the arp command. To remove the static ARP entry from the
configuration, use the no form of this command.
arp ip_addressmac-address vlan id
no arp ip_address
Syntax Description
DefaultsThis command has no default settings.
Command ModesCSM configuration submode
Command History
ExamplesThis example shows how to configure a static ARP entry:
ip_addressIP address that you want associate with the ARP entry.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
capp udp
To enter the Content Application Peering Protocol (CAPP) User Datagram Protocol (UDP)
configuration submode, and then enable the CAPP, use the capp udp command. To remove the CAPP
UDP configuration, use the no form of this command.
capp udp
no capp udp
Syntax DescriptionThis command has no arguments or keywords.
DefaultsThis command has no default settings.
Command ModesCSM configuration submode
capp udp
Command History
ReleaseModification
CSM release 2.2(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Usage GuidelinesThe CSM implements only the agent side of the CAPP, not the content router functionality. This feature
provides Global Server Load Balancing (GSLB) when you use the CSM with a Content Services Switch
(CSS), which provides the content router function.
When you enter the CAPP UDP submode, the following commands are available:
• default—Sets a command to its default.
• exit—Saves changes and exits from the subcommand mode; see the “agent (DFP submode)”
command section.
• no—Negates a command or sets the specified command to its defaults.
• options—Sets optional parameters for a specified IP address. see the “options (CAPP UDP
submode)” command section.
• port—Configures the CAPP port. Range is from 1 to 65535. Default is 5002, see the “port (CAPP
UDP submode)” command section.
• secure—Enables encryption, see the “secure (CAPP UDP submode)” command section.
ExamplesThis example shows how to initiate CAPP UDP agent configuration mode and set the CAPP port:
Cat6k-2(config-module-csm)# capp udp
Cat6k-2(config-slb-capp-udp)# port 5002
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-3
capp udp
Related Commandsport (CAPP UDP submode)
Chapter 2 Content Switching Module with SSL Commands
2-4
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
options (CAPP UDP submode)
To assign session options to an IP address, use the options command in the CAPP UDP submode. To
remove the options for the specified address from the configuration, use the no form of this command.
options ip_address encryption MD5 secret
no options ip_address
options (CAPP UDP submode)
Syntax Description
DefaultsThis command has no default settings.
Command ModesCSM CAPP UDP submode
Command History
Usage GuidelinesThe CSM applies encryption to packets sent to this destination address or when the CSM receives
ip_addressIP address that you want associate with this group of options.
encryption MD5Specifies MD5 authentication.
secretThe string used in encryption and decryption of the MD5 hashing
method. Enter an unquoted text string with a maximum of 31
characters.
ReleaseModification
CSM release 2.2(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
datagrams with a matching source IP address.
You can set the IP address to 0.0.0.0 to apply encryption to all incoming and outbound datagrams that
are not specifically configured. The 0.0.0.0 IP address allows you to set a global security configuration
that can be applied to an arbitrary number of peers.
ExamplesThis example shows the application of a specific option set to 10.6.3.21 and a global option set to all
other IP addresses. The CSM encrypts datagrams received from 10.6.3.21 and transmitted to 10.6.3.21
with encryption code mySecret. All other datagrams, received or transmitted, are assigned to the default
encryption secret anotherSecret.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-5
port (CAPP UDP submode)
port (CAPP UDP submode)
To set the port number for CAPP UDP connections, use the port command in the CAPP UDP submode.
To remove the port from the configuration, use the no form of this command.
port port_num
no port
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThe no form of this command sets the port to 5002.
Command ModesCSM CAPP UDP submode
Command History
ExamplesThis example shows how to set the port for CAPP connections:
Related Commandscapp udp
port_numSpecifies the UDP port number. Enter a value of 1 to 65535.
ReleaseModification
CSM release 2.2(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Cat6k-2(config-slb-capp-udp)# 50
2-6
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
secure (CAPP UDP submode)
To enable or disable the encryption requirement for inbound CAPP datagrams, use the secure command
in the CAPP UDP submode. This command prevents unauthorized messages from entering the CSM. To
remove the encryption requirement from the configuration, use the no form of this command.
secure
no secure
Syntax DescriptionThis command has no arguments or keywords.
DefaultsThis command has no default settings.
Command ModesCSM CAPP UDP submode
secure (CAPP UDP submode)
Command History
Usage GuidelinesUse the capp udp secure command with the capp udp options command to specify which secure
ExamplesThis example shows how to allow only incoming traffic from 10.6.3.21 encrypted with the encryption
Related Commandscapp udp
ReleaseModification
CSM release 2.2(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
messages are accepted. If you use this command without the capp udp options command, the CSM
drops all incoming data.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-7
clear module csm
clear module csm
To force the active CSM to become the standby module, use the clear module csm command.
clear module csm [slot | all] arp-cache ip-address connections [real | vserver] counters ft active
linecard-configuration sticky [1-255 | all]
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThis command has no default settings.
Command ModesPrivileged
slot(Optional) Specifies the CSM location in the switch. Range is from 1
to 9.
all (Optional) Applies to all online CSM modules.
arp-cache ip-addressClears the SLB ARP cache.
connectionsSpecifies connections.
real(Optional) Clears SLB connections for the real servers.
vserver(Optional) Clears SLB connections for a virtual server.
countersClears SLB statistics.
ft activeClears the CSM fault tolerance state to force a failover.
linecard-configuration Clears the configuration database stored in the SLB linecard
sticky Specifies sticky.
1-255 (Optional) Clears the designated sticky group; range is from 1 to 255.
all(Optional) Clears all sticky entries from the sticky database.
Command History
Usage GuidelinesWhen a connection is closed, a reset (RST) is sent to both the client and the server. Counters reset all
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-8
ReleaseModification
CSM release 3.2(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
the CSM statistics information, except for the show mod csm X tech-support counters, which are reset
any time that you run the show command. The linecard-configuration command forces a soft-reset of
the CSM, which erases all existing connections and run-time information. The CSM then reloads its
configuration from Cisco IOS. This process takes about 3 seconds.
The ft active command is used to force the active CSM to the failover state. Fault tolerance preempt
must not be enabled.
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
dfp
To enter the Dynamic Feedback Protocol (DFP) submode, and then configure DFP, use the dfp
command. To remove the DFP configuration, use the no form of this command.
dfp [password password [timeout]]
no dfp [password password]
dfp
Syntax Description
DefaultsTimeout value is 180 seconds.
Command ModesModule CSM configuration submode
Command History
Usage GuidelinesThe timeout option allows you to change the password without stopping messages between the DFP
password(Optional) Specifies a password for MD5 authentication.
password(Optional) Password value for MD5 authentication. This password
must be the same on all DFP manager devices. The password can
contain 1–64 characters. Valid characters are: a–z, A–Z, 0–9, @, #, $.
timeout(Optional) Delay period, in seconds, during which both the old
password and the new password are accepted; the range is from 0 to
65535.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
agent and its manager.
During a timeout, the agent sends packets with the old password (or null, if there is no old password),
and receives packets with either the old or new password. After a timeout expires, the agent sends and
receives packets with only the new password; received packets that use the old password are discarded.
If you are changing the password for an entire load-balanced environment, set a longer timeout. The
extended timeout allows enough time for you to update the password on all agents and servers before
the timeout expires. The embedded timeout also prevents mismatches between agents and servers that
have the new password and agents and servers that have the old password.
ExamplesThis example shows how to initiate DFP agent configuration mode, configure DFP, set the password to
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-9
dfp
Related Commandsshow module csm dfp
Chapter 2 Content Switching Module with SSL Commands
2-10
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
agent (DFP submode)
To configure the DFP agent to which the CSM is going to communicate, use the agent command in the
SLB DFP submode. To remove the agent configuration, use the no form of this command.
agent ip-address port [keepalive-timeout [retry-count [retry-interval]]]
no agent ip-address port
agent (DFP submode)
Syntax Description
DefaultsKeepalive timeout is 0 (no keepalive message).
Command ModesSLB DFP configuration submode
Command History
ip-addressIP address of the DFP agent.
portPort number of the DFP agent.
keepalive-timeout(Optional) Time period in seconds between keepalive messages; the
range is from 1 to 65535.
retry-count(Optional) Number of consecutive connection attempts or invalid
DFP reports received before tearing down the connections and
marking the agent as failed; the range is from 0 to 65535.
retry-interval(Optional) Interval between retries; the range is from 1 to 65535.
Retry count is 0 seconds (0 seconds allows infinite retries).
Retry interval is 180 seconds.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
ExamplesThis example shows how to initiate the DFP agent, configure a 350-second timeout, and configure the
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-11
manager (DFP submode)
manager (DFP submode)
To set the port where an external DFP can connect to the CSM, use the manager command in SLB DFP
submode. To remove the manager configuration, use the no form of this command.
manager port
no manager
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB DFP configuration submode
Command History
Usage GuidelinesThis command enables the CSM to listen to DFP connections from an external DFP manager.
ExamplesThis example shows how to set the DFP manager port:
portPort number.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Cat6k-2(config-slb-dfp)# manager 4
Related Commandsagent (DFP submode)
dfp
show module csm dfp
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-12
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
exit
exit
To log out of the system or to leave a subcommand mode, use the exit command.
exit
Syntax DescriptionThis command has no arguments or keywords.
DefaultsThis command has no default settings.
Command ModesCommand mode
Usage GuidelinesTo leave a subcommand mode, use the exit command. The exit command saves any changes before
leaving the submode.
ExamplesThis example shows how to log out of the CSM:
Cat6k-2(config-module-csm)# exit
Cat6k-2(config)#
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-13
ft group
ft group
Chapter 2 Content Switching Module with SSL Commands
To enter the fault tolerant submode, and then configure fault tolerance on the CSM, use the ft group
command. To remove the fault-tolerant configuration, use the no form of this command.
ft group group-id vlan vlan number
no ft group
Syntax Description
group-idID of the fault-tolerant group. Both CSMs must have the same group
ID. Range is from 1 to 254.
vlan vlan numberSpecifies the VLAN over which heartbeat messages are sent by
VLAN number. Both CSMs must have the same VLAN ID. The
range is from 2 to 4095.
DefaultsThis command has no default settings.
Command ModesModule CSM configuration submode
Command History
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Usage GuidelinesA fault-tolerant group is comprised of two Catalyst 6500 series switches each containing a CSM
configured for fault-tolerant operation. Each fault-tolerant group appears to network devices as a single
device. A network may have more than one fault-tolerant group.
When you enter the fault tolerance group submode, the following commands are available:
2-14
• default—Sets a command to its default.
• exit—Saves changes and exits from the subcommand mode; see the “agent (DFP submode)”
command section.
• failover—Saves changes and exits from the subcommand mode; see the “failover (fault tolerant
submode)” command section.
• heartbeat-time—Saves changes and exits from the subcommand mode; see the “heartbeat-time
(fault tolerant submode)” command section.
• no—Negates a command or sets the specified command to its defaults.
• preempt—Sets optional parameters for a specified IP address. See the “preempt (fault tolerant
submode)” command section.
• priority—Configures the CAPP port. Range is from 1 to 65535; default is 5002. See the “priority
(fault tolerant submode)” command section.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
ft group
ExamplesThis example shows how to configure a fault-tolerant group named 123 on VLAN 5 and set the failover
time to 3 seconds:
Cat6k-2(config-module-csm)# ft group 123 vlan 5
Cat6k-2(config-slb-ft)# failover 3
Related Commandsfailover (fault tolerant submode)
heartbeat-time (fault tolerant submode)
preempt (fault tolerant submode)
priority (fault tolerant submode)
show module csm ft
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-15
failover (fault tolerant submode)
failover (fault tolerant submode)
To set the time for a standby CSM to wait before becoming an active CSM, use the failover command
in the SLB fault-tolerant configuration submode. To remove the failover configuration, use the no form
of this command.
failover failover-time
no failover
Chapter 2 Content Switching Module with SSL Commands
ExamplesThis example shows how to set a failover period of 6 seconds:
Related Commandsft group
failover-timeAmount of time the CSM must wait after the last heartbeat message
is received before assuming the other CSM is not operating; the range
is from 1 to 65535.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Cat6k-2(config-slb-ft)# failover 6
show module csm ft
2-16
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
heartbeat-time (fault tolerant submode)
To set the time interval between heartbeat messages that are transmitted by the CSM, use the
heartbeat-time command in the SLB fault-tolerant configuration submode. To restore the default
heartbeat interval, use the no form of this command.
ExamplesThis example shows how to set the heartbeat time to 2 seconds:
Related Commandsft group
heartbeat-timeTime interval between heartbeat transmissions in seconds; the range
is from 1 to 65535.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Cat6k-2(config-slb-ft)# heartbeat-time 2
show module csm ft
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-17
preempt (fault tolerant submode)
preempt (fault tolerant submode)
To allow a higher priority CSM to take control of a fault-tolerant group when it comes online, use the
preempt command in the SLB fault-tolerant configuration submode. To restore the preempt default
value, use the no form of this command.
preempt
no preempt
Syntax DescriptionThis command has no arguments or keywords.
DefaultsThe default value is that preempt is disabled.
Command ModesPrivileged
Chapter 2 Content Switching Module with SSL Commands
Command History
Usage GuidelinesWhen you enable preempt, the higher priority CSM preempts the other CSM in the fault-tolerant group
NoteYou must set both members of the fault-tolerant CSM pair to preempt for this feature to work.
ExamplesThis example shows how to set the fault-tolerance mode to preempt:
Related Commandsft group
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
when the higher priority CSM comes online. When you enable no preempt, the current primary CSM
remains the primary CSM when the next CSM comes online.
Cat6k-2(config-slb-ft)# preempt
show module csm ft
2-18
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
priority (fault tolerant submode)
To set the priority of the CSM, use the priority command in the SLB fault-tolerant configuration
submode. To restore the priority default value, use the no form of this command.
Usage GuidelinesThe CSM with the largest priority value is the primary CSM in the fault-tolerant pair when the modules
alt(Optional) Configures the alternate priority value for the standby
CSM.
value(Optional) Priority of a CSM; the range is from 1 to 254.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM release 4.2(1)Adds the alt keyword to specify an alternate value that is sent to the
standby CSM.
are both operating.
ExamplesThis example shows how to set the priority value to 12:
Cat6k-2(config-slb-ft)# priority 12
Related Commandsft group
preempt (fault tolerant submode)
show module csm ft
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-19
track (fault tolerant submode)
track (fault tolerant submode)
To set the fault-tolerant tracking for the gateway, HSRP group, or interface of the CSM, use the track
command in the SLB fault-tolerant configuration submode.
mode all | anyConfigures tracking mode for all devices or any device.
ReleaseModification
CSM release 4.2(1)This command was introduced.
are both operating.
Configures an interface for tracking. The interfaces can be
asynchronous, tunnel, dialer, fast Ethernet, or Gigabit Ethernet.
ExamplesThis example shows how to set tracking mode for all devices:
Cat6k-2(config-slb-ft)# track mode all
Related Commandsft group
preempt (fault tolerant submode)
show module csm ft
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-20
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
hw-module csm standby config-sync
To synchronize the configuration between the active CSM and standby CSM, enter the hw-module csm
standby config-sync command on the active CSM:
hw-module csm slot standby config-sync
hw-module csm standby config-sync
Syntax Description
slotSpecifies the slot of the active CSM.
DefaultsRoute processor mode.
Command ModesGlobal configuration
Command History
ReleaseModification
CSM release 4.2(1)This command was introduced.
Usage GuidelinesYou can synchronize the configurations between the active and standby CSMs in a single chassis or in
separate chassis.
Enter this command after you have configured both the active and standby CSMs for synchronization.
Enter this command every time you want to synchronize the configuration.
Synchronization happens over the fault-tolerant VLAN. Since traffic over the fault-tolerant VLAN uses
broadcast packets, we recommend that you remove all devices from the fault-tolerant VLAN except
those that are necessary for communication between the active and standby CSMs.
If you do not enter the alt standby_ip_address command on the active CSM before you synchronize the
configuration, the VLAN IP addresses on the backup CSM will be removed.
ExamplesThis example shows how to synchronize the configuration between the active and standby CSMs:
Router# hw-module csm 5 standby config-sync
%CSM_SLB-6-REDUNDANCY_INFO:Module 5 FT info:Active:Bulk sync started
%CSM_SLB-6-REDUNDANCY_INFO:Module 5 FT info:Active:Manual bulk sync completed
Related Commandsft group
ip address (VLAN submode)
priority (fault tolerant submode)
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-21
ip slb mode
ip slb mode
Chapter 2 Content Switching Module with SSL Commands
To operate as a CSM load-balancing device instead of a Cisco IOS server load balancing (SLB) device,
use the ip slb mode command to configure the switch. To remove the mode configuration, use the no
form of this command.
ip slb mode {csm | rp}
no ip slb mode
Syntax Description
DefaultsRoute processor mode
Command ModesGlobal configuration
Command History
Usage GuidelinesWe recommend that you use the rp mode for all configurations. The rp mode allows you to configure
csmKeyword to select the CSM load-balancing mode that allows you to
configure a single CSM only and prohibits the use of Cisco IOS SLB
on the Catalyst 6500 series switch.
rpKeyword to select the route processor Cisco IOS SLB mode and
enable module CSM commands for configuring multiple CSMs.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM release 2.1(1)This command now enables module csm commands for the rp mode.
CSM-S release 1.1(1)This command was introduced.
both the switch and the CSM or other modules without changing modes.
2-22
NoteYou need to reboot the switch to change the mode.
This command allows you to change from the Cisco IOS SLB mode to the CSM load-balancing mode.
NoteSpecifying the no ip slb mode command is the same as specifying the rp mode.
NoteIn csm mode, all ip slb commands apply to a CSM module; Cisco IOS SLB is not available. In rp mode
(the default), ip slb commands apply to Cisco IOS SLB. The module csm commands are available to
configure multiple CSMs.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
ExamplesThis example shows how to configure the CSM load-balancing mode:
Cat6k-2(config)# ip slb mode csm
Related Commandsmodule csm
show ip slb mode
ip slb mode
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-23
map cookie
map cookie
Chapter 2 Content Switching Module with SSL Commands
To create a cookie map, and then enter the cookie map configuration submode for specifying cookie
match rules, use the map cookie command. To remove the cookie maps from the configuration, use the
no form of this command.
map cookie-map-name cookie
no map cookie-map-name
Syntax Description
DefaultsThis command has no default settings.
Command ModesModule CSM configuration submode
Command History
ExamplesThis example shows how to create a cookie map:
Related Commandscookie-map (policy submode)
cookie-map-nameCookie map instance; the character string is limited to 15 characters.
cookieEnters the cookie map submode.
ReleaseModification
CSM release 1.1(1)This command was introduced.
Cat6k-2(config-module-csm)# map upnready cookie
match protocol http cookie (cookie map submode)
show module csm map
2-24
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
22
Chapter 2 Content Switching Module with SSL Commands
match protocol http cookie (cookie map submode)
match protocol http cookie (cookie map submode)
To add cookies to a cookie map, use the match protocol http cookie command in SLB cookie map
configuration submode. Multiple match rules can be added to a cookie map. To remove the cookie map
name from the cookie map, use the no form of this command.
match protocol http cookie cookie-name cookie-value cookie-value-expression
no match protocol http cookie cookie-name cookie-value cookie-value-expression
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB cookie map configuration submode
Command History
Usage GuidelinesCookie regular expressions (see “Regular Expressions” section on page 2-3) are based on the UNIX
cookie-name Cookie name; the range is from 1 to 63 characters.
cookie-value
cookie-value-expression
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
filename specification. URL expressions are stored in a cookie map in the form cookie-name =
cookie-value-expression. Cookie expressions allow spaces if they are escaped or quoted. You must
match all cookies in the cookie map.
Specifies a cookie value expression; the range is from 1 to 255
characters.
ExamplesThis example shows how to add cookies to a cookie map:
Cat6k-2(config-slb-map-cookie)# match protocol http cookie albert cookie-value 4*
Related Commandscookie-map (policy submode)
map cookie
show module csm map
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-25
map dns
map dns
Chapter 2 Content Switching Module with SSL Commands
To enter the SLB DNS map mode and configure a DNS map, use the map dns command. To remove the
DNS map from the configuration, use the no form of this command.
map dns-map-name dns
no map dns-map-name dns
Syntax Description
dns-map-nameName of an SLB DNS map; the character string range is from 1 to
15 characters.
DefaultsThis command has no default settings.
Command ModesSLB DNS map configuration submode
Command History
ReleaseModification
CSM release 3.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Usage GuidelinesAny match of a DNS regular expression in the DNS map results in a successful match. A maximum of
1023 DNS domains can be configured to a map.
ExamplesThis example shows how to group DNS domains:
Cat6k-2(config-module-csm)# map m1 dns
Cat6k-2(config-slb-map-dns)# exit
Cat6k-2(config)
Related Commandsmatch protocol dns domain (DNS map submode)
show module csm map
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-26
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
match protocol dns domain (DNS map submode)
match protocol dns domain (DNS map submode)
To add a DNS domain to a DNS map, use the match protocol dns domain command in the SLB DNS
map configuration submode. To remove the DNS domain from the URL map, use the no form of this
command.
match protocol dns domain name
no match protocol dns domain name
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB DNS map configuration submode
Command History
ExamplesThis example shows how to add domains to a DNS map:
Related Commandsmap dns
nameNames the DNS domain being mapped.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM release 4.1(1)HTTP method parsing support was introduced.
CSM-S release 1.1(1)This command was introduced.
Cat6k-2(config-slb-map-dns)# match protocol dns domain cisco.com
show module csm map
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-27
map header
map header
Chapter 2 Content Switching Module with SSL Commands
To create a map group for specifying HTTP headers, and then enter the header map configuration
submode, use the map header command. To remove the HTTP header group from the configuration,
use the no form of this command.
map name header
no map name
Syntax Description
nameMap instance; the character string is from 1 to 15 characters.
DefaultsThis command has no default settings.
Command ModesModule CSM configuration submode
Command History
ReleaseModification
CSM release 2.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
ExamplesThis example shows how to group HTTP headers and associate them with a content switching policy:
Cat6k-2(config-module-csm)# map upnready header
Cat6k-2(config-slb-map-header)# match protocol http header Accept header-value *jpeg*
Cat6k-2(config-slb-map-header)# match protocol http header User-Agent header-value *NT*
Cat6k-2(config-slb-map-header)# match protocol http header Host header-value
insert protocol http header (header map submode)
match protocol http header (header map submode)
show module csm map
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-28
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
insert protocol http header (header map submode)
insert protocol http header (header map submode)
To insert header fields and values into an HTTP request, use the insert protocol http header command
in SLB header map configuration submode. To remove the header insert item from the header map, use
the no form of this command.
insert protocol http header name header-value value
no insert protocol http header name
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB header map configuration submode
Command History
Usage GuidelinesYou can also use the %is and %id special parameters for header values. The %is value inserts the source
nameLiteral name of the generic field in the HTTP header. The name is a
string with a range from 1 to 63 characters.
header-value valueSpecifies the literal header value string to insert in the request.
ReleaseModification
CSM release 3.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
IP into the HTTP header, and the %id value inserts the destination IP into the header. You can only
specify each special parameter once per header map.
ExamplesThis example shows how to specify header fields and values to search upon a request:
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-29
Chapter 2 Content Switching Module with SSL Commands
match protocol http header (header map submode)
match protocol http header (header map submode)
To specify header fields and values for the CSM to search for when receiving a request, use the match
protocol http header command in SLB header map configuration submode. Multiple match rules can
be added to a header map. To remove the header match rule from the header map, use the no form of this
command.
match protocol http header field header-value expression
no match protocol http header field
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB header map configuration submode
Command History
Usage GuidelinesThere are predefined fields, for example, Accept-Language, User-Agent, or Host.
fieldLiteral name of the generic field in the HTTP header. The range is
from 1 to 63 characters.
header-value expressionSpecifies the header value expression string to compare against the
value in the specified field; the range is from 1 to 127 characters.
ReleaseModification
CSM release 2.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Header regular expressions (see “Regular Expressions” section on page 2-3) are based on the UNIX
filename specification. URL expressions are stored in a header map in the form header-name =
expression. Header expressions allow spaces if they are escaped or quoted. All headers in the header map
must be matched.
ExamplesThis example shows how to specify header fields and values to search upon a request:
Cat6k-2(config-slb-map-header)# match protocol http header Host header-value XYZ
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-30
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
map retcode
To enable return code checking, and then enter the return code map submode, use the map retcode
command. To remove the return code checking from the configuration, use the no form of this command.
map name retcode
no map name
map retcode
Syntax Description
DefaultsThis command has no default settings.
Command ModesCSM module submode
Command History
ExamplesThis example shows how to enable return error code checking:
Related Commandscookie-map (policy submode)
nameReturn error code map instance; the character string is limited to 15
characters.
retcodeKeyword to enter the return error code map submode.
ReleaseModification
CSM release 2.2(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Cat6k-2(config-module-csm)# map upnready retcode
match protocol http cookie (cookie map submode)
show module csm map
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-31
Chapter 2 Content Switching Module with SSL Commands
match protocol http retcode (return code map submode)
match protocol http retcode (return code map submode)
To specify return code thresholds, count and log return codes, and send syslog messages for return code
events received from the servers, use the match protocol http retcode command in SLB return code
map configuration submode. To remove the return code thresholds, use the no form of this command.
match protocol http retcode min max action {count | log | remove} threshold [reset seconds]
Related Commandsmap retcode (SLB policy configuration submode)
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-32
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
map url
To enter the SLB URL map mode and configure a URL map, use the map url command. To remove the
URL map from the configuration, use the no form of this command.
map url-map-name url
no map url-map-name
map url
Syntax Description
url-map-nameName of an SLB URL map; the character string range is from 1 to
15 characters.
DefaultsThis command has no default settings.
Command ModesSLB URL map configuration submode
Command History
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Usage GuidelinesAny match of a URL regular expression in the URL map results in a successful match. A maximum of
1023 URLs can be configured to a map.
ExamplesThis example shows how to group URLs and associate them with a content switching policy:
Cat6k-2(config-module-csm)# map m1 url
Cat6k-2(config-slb-map-url)# match protocol http url /index.html
Cat6k-2(config-slb-map-url)# match protocol http url /stocks/csco/
Cat6k-2(config-slb-map-url)# match protocol http url *gif
Cat6k-2(config-slb-map-url)# match protocol http url /st*
Cat6k-2(config-slb-map-url)# exit
Cat6k-2(config)
Related Commandsmatch protocol http url (URL map submode)
show module csm map
url-map (policy submode)
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-33
Chapter 2 Content Switching Module with SSL Commands
match protocol http url (URL map submode)
match protocol http url (URL map submode)
To add a URL regular expression to a URL map, use the match protocol http url command in the SLB
URL map configuration submode. Multiple match rules can be added to a URL map. To remove the URL
regular expression from the URL map, use the no form of this command.
match protocol http [method method-expression] url url-expression
no match protocol http [method method-expression] url url-expression
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB URL map configuration submode
Command History
Usage GuidelinesURL regular expressions (see “Regular Expressions” section on page 2-3) are based on the UNIX
method method-expression(Optional) Specifies the method to match.
url-expressionSpecifies the regular expression range; the range is from 1 to 255
characters.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM release 4.1(1)HTTP method parsing support was introduced.
CSM-S release 1.1(1)This command was introduced.
filename specification. URL expressions are stored in a cookie map in the form urln. URL expressions
do not allow spaces and only one of the URLs in the map must be matched
The method expression can either be one of the standard HTTP 1.1 method names (OPTIONS, GET,
HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a string you specify that must be matched
exactly (PROTOPLASM).
ExamplesThis example shows how to add URL expressions to a URL map:
Cat6k-2(config-slb-map-url)# match protocol http url html
Related Commandsmap url
show module csm map
url-map (policy submode)
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-34
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
module csm
To allow the association of load-balancing commands to a specific CSM module, and then enter the CSM
module configuration submode for the specified slot, use the module csm command. To remove the module csm configuration, use the no form of this command.
NoteThe module ContentSwitching Moduleslot command is the full syntax; the module csm slot command
is a valid shortcut.
module csm slot-number
no module csm slot-number
module csm
Syntax Description
slot-numberSlot number where the CSM resides.
DefaultsThis command has no default settings.
Command ModesGlobal configuration submode
Command History
ReleaseModification
CSM release 2.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Usage GuidelinesIf you want to use the multiple module configuration, you must change the ip slb mode command to rp.
An existing CSM configuration is migrated to the new configuration when you change the mode from
csm to rp. The default mode is rp, which allows multiple CSM support and allows the Catalyst operating
system and Cisco IOS software to run on the same switch.
Migrating from a multiple module configuration to a single module configuration is supported.
Migrating the Cisco IOS SLB configuration to the CSM configuration is not supported.
To remove connections to a real server, use the clear module csm X connnection command.
The CSM had its own ARP cache, which was populated with ARP entries through ARP learning. The
addition of the arp option allows you to statically configure ARP entries.
ExamplesThis example shows how to configure a CSM:
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-35
natpool (module CSM submode)
natpool (module CSM submode)
To configure source NAT and create a client address pool, use the natpool command in module CSM
configuration submode. To remove a natpool configuration, use the no form of this command.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-36
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
variable (module CSM submode)
To specify the environmental variables in the configuration, use the variable command. To remove a
environmental variables from the configuration, use the no form of this command.
variable name value
no variable name
variable (module CSM submode)
Syntax Description
DefaultsThis command has no default settings.
Command ModesModule CSM configuration submode
Command History
Usage GuidelinesThis table lists the environmental values used by the CSM.
NameDefaultValid ValuesDescription
ARP_INTERVAL300Integer (15 to 31536000)Time (in seconds) between ARP
ARP_LEARNED_INTERVAL14400Integer (60 to 31536000)Time (in seconds) between ARP
ARP_GRATUITOUS_INTERVAL15Integer (10 to 31536000)Time (in seconds) between
ARP_RATE10Integer (1 to 60)Seconds between ARP retries.
ARP_REPLY_FOR_NO_INSERVICE_VIP00Integer (0 to 1).
ARP_RETRIES3Integer (2 to 15)Count of ARP attempts before
ARP_LEARN_MODE 1Integer (0 to 1)Indicates whether the CSM learns
ROUTE_UNKNOWN_FLOW_PKTS value to 2 for SYN packets.
CSM release 4.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
requests for configured hosts.
requests for learned hosts.
gratuitous ARP requests.
flagging a host as down.
MAC addresses on responses only
(0) or all traffic (1).
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-37
Chapter 2 Content Switching Module with SSL Commands
variable (module CSM submode)
NameDefaultValid ValuesDescription
ADVERTISE_RHI_FREQ10Integer (1 to 65535)Frequency (in seconds) that the
CSM uses to check for RHI
updates.
AGGREGATE_BACKUP_SF_STATE_TO_VS 0Integer (0 to 1)Specifies whether to include the
operational state of a backup server
farm into the state of a virtual
server.
COOKIE_INSERT_EXPIRATION_DATEFri, 1
Jan 2010
01:01:50
GMT
DEST_UNREACHABLE_MASK65535Integer (0 to 65535)Bitmask defining which ICMP
FT_FLOW_REFRESH_INT 60Integer (1 to 65535)Interval for the FT slow path flow
HTTP_CASE_SENSITIVE_MATCHING1Integer (0 to 1)Specifies whether the URL (cookie,
HTTP_URL_COOKIE_DELIMITERS/?&#+String (1 to 64 chars)Configures the list of delimiter
INFINITE_IDLE_TIME_MAXCONNS10240 to 1 - max conns valueConfigures the idle time maximum
MAX_PARSE_LEN_MULTIPLIER1Integer (1 to 16)Multiplies the configured
MAX_VSERVERS_PER_VIP 10Integer (7 to 10)Specifies the maximum number of
MAX_PARSE_LEN_MULTIPLIER1Integer (1 to 16)Multiplies the configured
NAT_CLIENT_HASH_SOURCE_PORT0Integer (0 to 1)Specifies whether to use the source
ROUTE_UNKNOWN_FLOW_PKTS0Integer (0 to 2) Specifies whether to route SYN or
NO_RESET_UNIDIRECTIONAL_FLOWS0Integer (0 to 1)Specifies, if set, that unidirectional
SWITCHOVER_RP_ACTION0Integer (0 to 1)Specifies whether to recover (0) or
String (2 to 63 chars)Configures the expiration time and
date for the HTTP cookie inserted
by the CSM.
destination unreachable codes are
to be forwarded.
refresh in seconds.
header) matching and sticky are to
be case sensitive.
characters for cookies in the URL
string.
connections.
max-parse-len by this amount.
virual servers that have the same
VIP. The values are specified as
powers of 2 (for example, 2^7=128,
2^10=1024).
max-parse-len by this amount.
port to select the client NAT IP
address.
non-SYN packets that do not match
any existing flows.
flows do not be reset when timed
out.
halt/reboot (1) after a supervisor
engine RP switchover occurs.
2-38
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
variable (module CSM submode)
NameDefaultValid ValuesDescription
SWITCHOVER_SP_ACTION0Integer (0 to 1)Specifies whether to recover (0) or
halt/reboot (1) after a supervisor
engine SP switchover occurs.
SYN_COOKIE_INTERVAL3Integer (1 to 60)Specifies the interval (in seconds),
at which a new syn-cookie key is
generated.
SYN_COOKIE_THRESHOLD5000Integer (0 to 1048576)Specifies the threshold (in number
of pending sessions) at which
syn-cookie is engaged.
TCP_MSS_OPTION1460Integer (1 to 65535)Specifies the maximum segment
size (MSS) value sent by CSM for
Layer 7 processing.
TCP_WND_SIZE_OPTION 8192Integer (1 to 65535)Specifies the window size value
sent by CSM for Layer 7
processing.
VSERVER_ICMP_ALWAYS_RESPONDfalseString (1 to 5 chars)If the response is “true,” the CSM
responds to ICMP probes
regardless of virtual server state.
XML_CONFIG_AUTH_TYPEBasicString (5 to 6 chars)Specifies the HTTP authentication
type for xml-config: Basic or
Digest.
ExamplesThis example shows how to enable the environmental variables configuration:
Router(config-module-csm)# variable ARP_RATE 20
Related Commandsmodule csm
show module csm variable
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-39
owner
owner
Chapter 2 Content Switching Module with SSL Commands
To configure an owner object, use the owner command in module CSM configuration submode. To
remove an owner configuration, use the no form of this command.
owner name
no owner
Syntax Description
DefaultsThis command has no default settings.
Command ModesModule CSM configuration submode
Command History
Usage GuidelinesYou can define more than one virtual server to the same owner, associate multiple servers to an owner,
ExamplesThis example shows how to configure an owner object:
nameName of the object owner.
ReleaseModification
CSM release 4.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
and apply a connection watermark. After the sum of the number of open connections to all virtual servers
in a particular owner reaches the VIP connection watermark level for that owner, new connections to
any of these virtual servers are rejected by the CSM.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-40
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
billing-info (owner submode)
To configure billing information for an owner object, use the billing-info command in the owner
configuration submode. To remove billing information from the configuration, use the no form of this
command.
billing-info billing-address-information
no billing-info
billing-info (owner submode)
Syntax Description
DefaultsThis command has no default settings.
Command ModesModule CSM configuration submode
Command History
ExamplesThis example shows how to configure an owner object:
Related Commandscontact-info (owner submode)
billing-address-informationSpecifies the owner’s billing address.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-41
contact-info (owner submode)
contact-info (owner submode)
To configure an e-mail address for an owner object, use the contact-info command in owner configuration
submode. To remove the contact information from the owner configuration, use the no form of this
command.
contact-info string
no contact-info
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThis command has no default settings.
Command ModesModule CSM configuration submode
Command History
ExamplesThis example shows how to configure an owner object:
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
maxconns (owner submode)
To configure the maximum number of concurrent connections allowed for an owner object, use the
maxconns command in owner configuration submode. To remove the maximum connections from the
owner configuration, use the no form of this command.
maxconns number
no maxconns
maxconns (owner submode)
Syntax Description
DefaultsThis command has no default settings.
Command ModesModule CSM configuration submode
Command History
Usage GuidelinesWhen the maximum number of connections is reached, the connections are reset and the CSM does not
ExamplesThis example shows how to configure an owner object:
numberThe number of maximum connections to the owner object.
ReleaseModification
CSM release 3.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
accept further connections.
Cat6k-2(config-owner)# maxconns 300
Related Commandsbilling-info (owner submode)
contact-info (owner submode)
owner
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-43
policy
policy
Chapter 2 Content Switching Module with SSL Commands
To configure policies, associate attributes to a policy, and then enter the policy configuration submode, use
the policy command. In this submode, you can configure the policy attributes. The policy is associated with
a virtual server in virtual server submode. To remove a policy, use the no form of this command.
policy policy-name
no policy policy-name
Syntax Description
policy-nameName of an SLB policy instance; the character string is limited to
15 characters.
DefaultsThis command has no default settings.
Command ModesModule CSM configuration submode
Command History
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Usage GuidelinesPolicies establish rules for balancing connections to servers. They can contain URL maps, cookie maps,
header maps, client groups, sticky groups, DSCP values, and server farms. The order in which policies
are linked to a virtual server determines the precedence of the policy. When two or more policies match
a requested URL, the policy with the highest precedence is selected.
NoteAll policies should be configured with a server farm.
ExamplesThis example shows how to configure a policy named policy_content:
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-44
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
client-group (policy submode)
To associate an access list with a policy, use the client-group command in SLB policy configuration
submode. To remove an access list from a policy, use the no form of this command.
client-group {1–99 | std-access-list-name}
no client-group
client-group (policy submode)
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB policy configuration submode
Command History
Usage GuidelinesOnly client groups that you create with the ip access-list standard command can be associated with an
ExamplesThis example shows how to configure a client group:
1–99Standard IP access list number.
std-access-list-nameStandard access list name.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
SLB policy. You can only associate one client group with a given SLB policy.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-45
cookie-map (policy submode)
cookie-map (policy submode)
To associate a list of cookies with a policy, use the cookie-map command in SLB policy configuration
submode. To remove a cookie map, use the no form of this command.
cookie-map cookie-map-name
no cookie-map
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
cookie-map-nameName of the cookie list associated with a policy.
DefaultsThis command has no default settings.
Command ModesSLB policy configuration submode
Command History
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Usage GuidelinesYou can associate only one cookie map with a policy. To configure cookie maps, use the map cookie
command. The cookie map name must match the name specified in the map cookie command.
ExamplesThis example shows how to configure a cookie-based SLB policy named policy_content:
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-46
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
header-map (policy submode)
To specify the HTTP header criteria to include in a policy, use the header-map command in SLB policy
configuration submode. To remove a header map, use the no form of this command.
NoteIf any HTTP header information is matched, the policy rule is satisfied.
header-map name
no header-map
header-map (policy submode)
Syntax Description
nameName of the previously configured HTTP header expression group.
DefaultsThis command has no default settings.
Command ModesSLB policy configuration submode
Command History
ReleaseModification
CSM release 2.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Usage GuidelinesOnly one header map can be associated with a policy. The header map name must match the name
specified in the map header command.
ExamplesThis example shows how to configure a header-based policy named policy_content:
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-47
nat client (policy submode)
nat client (policy submode)
To specify a set of client NAT pool addresses that should be used to perform the NAT function on clients
connecting to this policy, use the nat client command in SLB serverfarm configuration submode. To
remove the NAT pool from the configuration, use the no form of this command.
nat client {client-pool-name | static}
no nat client
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB policy configuration submode
Command History
Usage GuidelinesUse this command to enable client NAT. If client NAT is configured, the client address and port number
client-pool-nameClient pool name.
staticEnables static NAT.
ReleaseModification
CSM release 4.2(1)This command was introduced.
in load-balanced packets are replaced with an IP address and port number from the specified client NAT
pool. This client pool name must match the pool name entered from a previous natpool command.
If both the serverfarm and the policy are configured with client NAT, the policy takes precedence over
the server farm.
ExamplesThis example shows how to specify NAT on the client:
Cat6k-2(config-slb-policy)# nat client whishers
Related Commandsnatpool (module CSM submode)
script task
show module csm policy
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-48
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
serverfarm (policy submode)
To associate a server farm with a policy, use the serverfarm command in the SLB policy configuration
submode. To remove the server farm from the policy, use the no form of this command.
primary-serverfarmCharacter string used to identify the server farm.
backup sorry-serverfarm(Optional) Sets the sorry server farm name to the backup server farm.
sticky(Optional) Enables stickiness to the backup server.
threshold(Optional) Configures the server farm health threshold.
inservice real_value(Optional) Specifies the number of active real servers required for the
server farm to be activated.
outservice real_value(Optional) Specifies the minimum number of active real servers
required to remain as healthy. The outservice real_value must be
lower than the inservice real_value.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM release 3.1(1)The sorry server (backup server) option was added to this command.
CSM release 4.2(1)The threshold inservice real_value and outservice real_value
options were added to this command.
Usage GuidelinesUse the serverfarm command to configure the server farm. Only one server farm can be configured per
policy. The server farm name must match the name specified in the serverfarm module CSM
configuration submode command. By default, the sticky option does not apply to the backup server farm.
To remove the backup server farm, you can either use the serverfarm command without the backup
option or use the no serverfarm command.
The backupsorry-serverfarm [sticky] value defines whether the sticky group applied to the primary
server farm is also applied for the backup server farm. If you do not specify stickiness for the primary
server farm, then stickiness also is not applied to the backup server farm.
For example, if you have a sticky group configured for a policy, the primary server farm in this policy
becomes sticky. The client will be stuck to the configured real server in the primary server farm. When
all of the real servers in the primary server farm fail, new requests from this client are sent to the backup
server farm.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-49
Chapter 2 Content Switching Module with SSL Commands
serverfarm (policy submode)
When the real server in the primary server farm is operational, the following actions result:
• The existing connections to the backup real server continue to be serviced by the backup real server.
• The new requests from the client are sent to the backup real server if the sticky option is enabled for
the backup server farm.
• The new requests return to the primary real server if the sticky option is not used on the backup
server farm.
ExamplesThis example shows how to associate a server farm named central with a policy:
Cat6k-2(config-module-csm)# policy policy
Cat6k-2(config-slb-policy)# serverfarm central backup domino sticky
Related Commandspolicy
serverfarm (virtual server submode)
show module csm owner
2-50
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
set ip dscp (policy submode)
To mark packets that match the policy with a DSCP value, use the set ip dscp command in the SLB policy
configuration submode. To stop marking packets, use the no form of this command.
set ip dscp dscp-value
no set ip dscp
set ip dscp (policy submode)
Syntax Description
DefaultsThe default is that the CSM does not store DSCP values.
Command ModesSLB policy configuration submode
Command History
ExamplesThis example shows how to mark packets to match a policy named policy_content:
Related Commandspolicy
dscp-valueThe range is from 0 to 63.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Cat6k-2(config-module-csm)# policy policy_content
Cat6k-2(config-slb-policy)# set ip dscp 22
show module csm owner
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-51
sticky-group (policy submode)
sticky-group (policy submode)
To associate a sticky group and the sticky group attributes to the policy, use the sticky-group command in
the SLB policy configuration submode. To remove the sticky group from the policy, use the no form of
this command.
sticky-group group-id
no sticky-group
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThe default is 0, which means that no connections are sticky.
Command ModesSLB policy configuration submode
Command History
Usage GuidelinesThe group-id value must match the ID specified in the sticky command; the range is from 1 to 255.
ExamplesThis example shows how to configure a sticky group:
group-idID of the sticky group to be associated with a policy.
show module csm owner
show module csm sticky
sticky
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-52
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
url-map (policy submode)
To associate a list of URLs with the policy, use the url-map command in SLB policy configuration
submode. To remove the URL map from the policy, use the no form of this command.
url-map url-map-name
no url-map
url-map (policy submode)
Syntax Description
DefaultsThe default is no URL map.
Command ModesSLB policy configuration submode
Command History
Usage GuidelinesOnly one URL map can be associated with a policy. To configure URL maps, use the map url command.
ExamplesThis example shows how to associate a list of URLs with a policy named assembly:
url-map-nameName of the URL list to be associated with a policy.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-53
probe
probe
Chapter 2 Content Switching Module with SSL Commands
To configure a probe and probe type for health monitoring, and then enter the probe configuration
submode, use the probe command. To remove a probe from the configuration, use the no form of this
command.
probe-nameName of the probe; the character string is limited to 15 characters.
httpCreates an HTTP probe with a default configuration.
icmpCreates an ICMP probe with a default configuration.
telnetCreates a Telnet probe with a default configuration.
tcpCreates a TCP probe with a default configuration.
ftpCreates an FTP probe with a default configuration.
smtpCreates an SMTP probe with a default configuration.
dnsCreates a DNS probe with a default configuration.
udpCreates a UPD probe with a default configuration.
scriptCreates a script probe with a default configuration.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Usage GuidelinesA probe can be assigned to a server farm in serverfarm submode. The UDP probe requires ICMP because
otherwise the UDP probe will be unable to detect when a server has gone down or has been disconnected.
You must associate UDP to the supervisor engine and then configure ICMP.
Because the UDP probe is a raw UDP probe, the CSM uses a single byte in the payload for probe
responses. The CSM does not expect any meaningful response from the UDP application. The CSM uses
the ICMP unreachable message to determine if the UDP application is not reachable. If there is no ICMP
unreachable message in the receive timeout, then the CSM assumes that the probe is operating correctly.
If the IP interface of the real server is down or disconnected, the UDP probe does not know that the UDP
application is unreachable. You must configure the ICMP probe in addition to the UDP probe for any
server.
The CSM uses the DNS probe as the high-level UDP application. You also can use a TCL script to
configure this probe.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-54
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
When configuring Global Server Load Balancing (GSLB) type probes, the port submode command is
not used to specify which destination UDP port to query. Use the CSM environment variable
GSLB_KALAP_UDP_PORT instead. The default is port 5002.
To specify probe frequency and the number of retries for KAL-AP, ICMP, HTTP, and DNS probes when
associated with a GSLB server farm environment, the following variables must be used instead of the
probe configuration submode commands:
ExamplesThis example shows how to configure an HTTP probe named TREADER:
Cat6k-2(config-module-csm)# probe TREADER http
probe
Related Commandsprobe
show module csm probe
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-55
address (probe submode)
address (probe submode)
To specify a destination IP address for health monitoring, use the address command in SLB probe
configuration submode. To remove the address, use the no form of this command.
address ip-address [routed]
no address ip-address
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB probe configuration submode
Command History
Usage GuidelinesMultiple addresses can be configured for a DNS probe. For an ICMP probe, you can configure one
ip-addressSpecifies the real server’s destination IP address.
routed(Optional) Specifies that the probe is routed according to the CSM
routing table.
ReleaseModification
CSM release 2.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
address. Allows the probes to cross the firewall to check the link to the host on the other side. ICMP is
the only probe that supports the address parameter without the routed option, which is used for firewall
load balancing.
ExamplesThis example shows how to configure an IP address of the real server:
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-56
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
credentials (probe submode)
To configure basic authentication values for an HTTP probe, use the credentials command in the SLB
HTTP probe configuration submode. To remove the credentials configuration, use the no form of this
command.
credentials username [password]
no credentials
credentials (probe submode)
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB HTTP probe configuration submode
Command History
Usage GuidelinesThis command is for HTTP probes.
ExamplesThis example shows how to configure authentication for an HTTP probe:
usernameName that appears in the HTTP header.
password(Optional) Password that appears in the HTTP header.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-57
description (serverfarm submode)
description (serverfarm submode)
To add a description for the server farm, use the description command in the SLB probe configuration
submode. To remove the description, use the no form of this command.
description line
no description
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB VLAN configuration submode
Command History
Usage Guidelines
ExamplesThis example shows how to add a description:
Related Commands
lineDescription text.
ReleaseModification
CSM release 4.2(1)This command was introduced.
Cat6k-2(config-slb-probe-http)# description Backup Server Farm
2-58
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
expect status (probe submode)
To configure a status code for the probe, use the expect status command in the SLB
HTTP/FTP/Telnet/SMTP probe configuration submode. To remove the status code from the
configuration, use the no form of this command.
expect status min-number [max-number]
no expect status min-number [max-number]
expect status (probe submode)
Syntax Description
min-numberSingle status code if the max-number value is not specified.
max-number(Optional) Maximum status code in a range.
DefaultsThe defaultrange is 0 to 999 (any response from the server is valid).
Usage GuidelinesThis command is for HTTP, FTP, Telnet, and SMTP probes. You can specify multiple status code ranges
with this command by entering one command at a time. If you specify the max-number value, this
number is used as the minimum status code of a range. If you specify no maximum number, this
command uses a single number (min-number). If you specify both min-number and max-number values,
this command uses the range between the numbers.
Both the minimum number and the maximum number can be any number between 0 and 999 as long as
the maximum number is not lower than the minimum number.
OL-7029-01
For example:
expect status 5 is the same as expect status 5 5
expect status 0
expect status 900 999 specifies a range of 900 to 999.
specifies a range of 0 to 4
You can specify many expected status ranges.
NoteWhen you remove the expect status, you cannot set the range of numbers to 0 or as a range of numbers
that includes the values you set for the expect status. The expect status state becomes invalid and does
not restore the default range of 0 through 999. To remove the expect status, remove each set of numbers
using the no expect status command. For example, enter the no expect status 0 3 command and then
enter the no expect status 34 99 command.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-59
Chapter 2 Content Switching Module with SSL Commands
expect status (probe submode)
ExamplesThis example shows how to configure an HTTP probe with multiple status code ranges:
Cat6k-2(config-slb-probe-http)# expect status 34 99
Cat6k-2(config-slb-probe-http)# expect status 0 33
Cat6k-2(config-slb-probe-http)#
Related Commandsprobe
show module csm probe
2-60
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
failed (probe submode)
To set the time to wait before probing a failed server, use the failed command in the SLB probe
configuration submode. To reset the time to wait before probing a failed server to default, use the no
form of this command.
failed failed-interval
no failed
failed (probe submode)
Syntax Description
DefaultsThe default value for the failed interval is 300 seconds.
Command ModesSLB probe configuration submode
Command History
Usage GuidelinesThis command is used for all probe types.
ExamplesThis example shows how to configure a failed server probe for 200 seconds:
failed-intervalSpecifies the interval in seconds before the probe retires a failed
server; the range is from 2 to 65535.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Cat6k-2(config-slb-probe-http)# failed 200
Related Commandsprobe
show module csm probe
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-61
header (probe submode)
header (probe submode)
To configure a header field for the HTTP probe, use the header command in the SLB HTTP probe
configuration submode. To remove the header field configuration, use the no form of this command.
header field-name [field-value]
no header field-name
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB HTTP probe configuration submode
Command History
Usage GuidelinesYou can configure multiple headers for each HTTP probe. The length of the field-name value plus the
ExamplesThis example shows how to configure a header field for the HTTP probe:
field-nameName for the header being defined.
field-value(Optional) Content for the header.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
length of the field-value value plus 4 (for “:”, space, and CRLF) cannot exceed 255 characters. This
command is for HTTP probes.
Cat6k-2(config-slb-probe-http)# header abacadabra
Related Commandsprobe
show module csm probe
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-62
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
interval (probe submode)
To set the time interval between probes, use the interval command in the SLB probe configuration
submode. To reset the time interval between probes to default, use the no form of this command.
interval seconds
no interval
interval (probe submode)
Syntax Description
DefaultsThe default value for the interval between probes is 120 seconds.
Command ModesSLB probe configuration submode
Command History
Usage GuidelinesThis command is used for all probe types.
ExamplesThis example shows how to configure a probe interval of 150 seconds:
secondsNumber of seconds to wait between probes from the end of the
previous probe to the beginning of the next probe; the range is from
2 to 65535.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Cat6k-2(config-slb-probe-http)# interval 150
Related Commandsprobe
show module csm probe
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-63
name (probe submode)
name (probe submode)
To configure a domain name for the DNS probe, use the name command in the SLB DNS probe
configuration submode. To remove the name from the configuration, use the no form of this command.
name domain-name
no name
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThis command has no default settings.
Command ModesSLB DNS probe configuration submode
Command History
ExamplesThis example shows how to specify the probe name that is resolved by the DNS server:
Related Commandsprobe
domain-nameDomain name that the probe sends to the DNS server.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Cat6k-2(config-slb-probe-dns)# name astro
show module csm probe
2-64
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
open (probe submode)
To set the time to wait for a TCP connection, use the open command in the SLB
HTTP/TCP/FTP/Telnet/SMTP probe configuration submode. To reset the time to wait for a TCP
connection to default, use the no form of this command.
open open-timeout
no open
open (probe submode)
Syntax Description
DefaultsThe default value for the open timeout is 10 seconds.
Usage GuidelinesThis command is not used for any non-TCP probes, such as ICMP or DNS.
NoteThere are two different timeout values: open and receive. The open timeout specifies how many seconds
open-timeoutMaximum number of seconds to wait for the TCP connection; the
range is from 1 to 65535.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
to wait for the connection to open (that is, how many seconds to wait for SYN ACK after sending SYN).
The receive timeout specifies how many seconds to wait for data to be received (that is, how many
seconds to wait for an HTTP reply after sending a GET/HHEAD request). Because TCP probes close as
soon as they open without sending any data, the receive timeout is not used.
ExamplesThis example shows how to configure a time to wait for a TCP connection of 5 seconds:
Cat6k-2(config-slb-probe-http)# open 5
Related Commandsprobe
show module csm probe
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-65
port (probe submode)
port (probe submode)
To configure an optional port for the DNS probe, use the port command in the SLB probe configuration
submode. To remove the port from the configuration, use the no form of this command.
port port-number
no port
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThe default value for the port number is 0.
Command ModesThis command is available in all SLB probe configuration submodes except ICMP.
Command History
Usage GuidelinesWhen the port of a health probe is specified as 0, the health probe uses the configured port number from
port-numberSets the port number.
ReleaseModification
CSM release 3.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
the real server (if a real server is configured) or the configured port number from the virtual server (if a
virtual server is configured and no port is configured for the real server). The default port value is 0. For
the ICMP probes, where there is no port number, the port value is ignored. The port command is
available for all probe types except ICMP.
ExamplesThis example shows how to specify the port for the DNS server:
Cat6k-2(config-slb-probe-dns)# port 63
Related Commandsprobe
show module csm probe
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-66
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
receive (probe submode)
To set the time to wait for a reply from a server, use the receive command in the SLB probe configuration
submode. To reset the time to wait for a reply from a server to default, use the no form of this command.
receive receive-timeout
no receive
receive (probe submode)
Syntax Description
DefaultsThe default value for a receive timeout is 10 seconds.
Command ModesSLB probe configuration submode
Command History
Usage GuidelinesThis command is available for all probe types except TCP.
NoteThere are two different timeout values: open and receive. The open timeout specifies how many seconds
receive-timeoutNumber of seconds to wait for reply from a server; the range is from
1 to 65535.
ReleaseModification
CSM release 1.1(1)This command was introduced.
to wait for the connection to open (that is, how many seconds to wait for SYN ACK after sending SYN).
The receive timeout specifies how many seconds to wait for data to be received (that is, how many
seconds to wait for an HTTP reply after sending a GET/HHEAD request). Because TCP probes close as
soon as they open without sending any data, the receive timeout is not used.
ExamplesThis example shows how to configure a time to wait for a reply from a server to 5 seconds:
Cat6k-2(config-slb-probe-http)# receive 5
Related Commandsprobe
show module csm probe
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-67
recover (probe submode)
recover (probe submode)
To set the number of consecutive responses that are sent before marking a failed server as healthy, use
the recover command.
recover recover_value
no recover
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThe default value is 1.
Command ModesSLB probe configuration submode
Command History
Usage GuidelinesThis command is available for all probe types.
ExamplesThis example shows how to configure a time to wait for a reply from a server to 5 seconds:
Related Commandsprobe
recover_valueNumber of consecutive responses sent; the range is from 1 to 65535.
ReleaseModification
CSM release 4.2(1)This command was introduced.
Router(config-slb-probe-http)# recover 5
show module csm probe
2-68
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
request (probe submode)
To configure the request method used by the HTTP probe, use the request command in the SLB HTTP
probe configuration submode. To remove the request method from the configuration, use the no form of
this command.
request [method {get | head}] [url path]
no request [method {get | head}] [url path]
request (probe submode)
Syntax Description
DefaultsThe default path is /.
Command ModesSLB HTTP probe configuration submode
Command History
Usage GuidelinesThe CSM supports only the get and head request methods. This command is for HTTP probes.
method get (Optional) Configures a method for the probe request and directs the
server to get this page.
method head(Optional) Configures a method for the probe request and directs and
directs the server to get only the header for this page.
url path(Optional) A character string up to 255 characters specifying the
URL path.
The default method is the get option.
ReleaseModification
CSM release 1.1(1) This command was introduced.
CSM-S release 1.1(1)This command was introduced.
ExamplesThis example shows how to configure a request method for the probe configuration:
Cat6k-2(config-slb-probe-http)# request method head
Related Commandsprobe
show module csm probe
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-69
retries (probe submode)
retries (probe submode)
To set the number of failed probes that are allowed before marking the server failed, use the retries
command in the SLB probe configuration submode. To reset the number of failed probes allowed before
marking a server as failed to default, use the no form of this command.
retries retry-count
no retries
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThe default value for retries is 3.
Command ModesSLB probe configuration submode
Command History
Usage GuidelinesThis command is used for all probe types.
NoteSet retries to 2 or more. If retries are set to 1, a single dropped probe packet will bring down the server.
retry-countNumber of probes to wait before marking a server as failed; the range
is from 0 to 65535.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
A setting of 0 places no limit on the number of probes that are sent. Retries are sent until the system
reboots.
ExamplesThis example shows how to configure a retry count of 3:
Cat6k-2(config-slb-probe-http)# retries 3
Related Commandsprobe
show module csm probe
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-70
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
script (probe submode)
To create a script for a probe, use the script command.
interval (probe submode)
open (probe submode)
probe
receive (probe submode)
retries (probe submode)
script file
show module csm probe
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-71
real
real
Chapter 2 Content Switching Module with SSL Commands
To identify a real server that is a member of the server farm, and then enter the real server configuration
submode, use the real command in the SLB serverfarm configuration submode. To remove the real
server from the configuration, use the no form of this command.
real ip-address [port] [local]
no real ip-address [port]
Syntax Description
DefaultsThe default is no port translation for the real server.
Command ModesSLB serverfarm configuration submode
Command History
Usage GuidelinesThe IP address that you supply provides a load-balancing target for the CSM. This target can be any IP
ip-addressReal server IP address.
port(Optional) Port translation for the real server; the range is from 1 to
65535.
local(Optional) Specifies that the real server is the SSL daughter card.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM release 4.1(3)The local keyword was added to support the SSL daughter card.
CSM-S release 1.1(1)This command was introduced and the local keyword was added.
addressable object. For example, the IP addressable object may be a real server, a firewall, or an alias
IP address of another CSM.
2-72
You can configure a real server as follows:
• no inservice—Using the no inservice command in the real server submode, the CSM is specified
as out of service. There is no sticky and no new connections being applied.
NoteIf you specify no inservice, the CSM does not remove open connections. If you want to
remove open connections. you must perform that task manually using the clear module csm slot conn command.
• inservice—Using the inservice command in the real server submode, the CSM is specified as in
service. Sticky is allowed and new connections to the module can be made.
• inservice standby—Specifies that when in standby mode, the real server only accepts connections
when the primary real server has failed.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
ExamplesThis example shows how to identify a real server and enter the real server submode:
Cat6k-2(config-slb-sfarm)# real 102.43.55.60
Cat6k-2(config-slb-real)#
Related Commandsinservice (real server submode)
script task
show module csm real
show module csm serverfarm
real
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-73
backup real (real server submode)
backup real (real server submode)
To apply new connections to real servers when a primary server is down, use the backup real command in
the SLB real server configuration submode. To remove a real server from service, use the no form of
this command.
backup real {ip | name name} [port]
no backup real
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
ipSpecifies the backup server’s IP address.
name nameSpecifies the real server name.
port(Optional) Specifies the port where the backup real server is located.
DefaultsThis command has no default settings.
Command ModesSLB real server configuration submode
Command History
ReleaseModification
CSM release 3.2(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Usage GuidelinesA weight of 0 is now allowed for graceful shutdown of existing connections. The backup real command
can be used in these situations where a server farm is specified:
• Directly under a virtual server.
• In a policy and then associated to a virtual server.
ExamplesThis example shows how to enable a real server:
Cat6k-2(config-slb-real)# backup real 10.2.2.1 3
Cat6k-2(config-slb-real)#
Related Commandsfailaction (serverfarm submode)
real (static NAT submode)
show module csm real
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-74
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
health probe (real server submode)
To configure a probe for the real server, use the health probe command in the SLB real server
configuration submode. To remove the probe from the configuration, use the no form of this command.
health probe probe-name tag string
no health probe
health probe (real server submode)
Syntax Description
DefaultsThis command has no default values.
Command ModesSLB real server configuration submode
Command History
ExamplesThis example shows how to configure a probe for a server:
probe-nameNames the probe.
tagSpecifies a tag for the probe.
stringSpecifies a string to identify the probe.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
Cat6k-2(config-slb-sfarm)# real 102.2.2.1
Cat6k-2(config-slb-real)# healthprobe mission tag 12345678
Related Commandsreal
show module csm real
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-75
inservice (real server submode)
inservice (real server submode)
To enable the real servers, use the inservice command in the SLB real server configuration submode. To
remove a real server from service, use the no form of this command.
inservice [standby]
no inservice
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
standby(Optional) Specifies that when in standby mode, the real server only
accepts connections when the primary real server has failed.
DefaultsThe real server is not in service.
Command ModesSLB real server configuration submode
Command History
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM release 3.2(1)This command was modified for firewall load-balancing (FWLB)
reassignment.
CSM-S release 1.1(1)This command was introduced.
Usage GuidelinesWhen you specify the no inservice command, the CSM will not remove open connections. To remove
open connections, you must remove them using the clear module csmslot connection command.
The CSM performs graceful server shutdown when a real server is taken out of service when you enter
the no inservice command. This command stops all new sessions from being load balanced to the
specified real server while allowing existing sessions to complete or time out. New sessions are load
balanced to other servers in the server farm for that virtual server.
This example shows how to remove a real server from service:
Router(config-slb-real)# no inservice
ExamplesThis example shows how to enable a real server:
Cat6k-2(config-slb-sfarm)# real 10.2.2.1
Cat6k-2(config-slb-real)# inservice
Related Commandsreal
show module csm real
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-76
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
maxconns (real server submode)
To limit the number of active connections to the real server, use the maxconns command in the SLB real
server configuration submode. To change the maximum number of connections to its default value, use
the no form of this command.
maxconns max-conns
no maxconns
maxconns (real server submode)
Syntax Description
DefaultsThe default value is the maximum value or infinite (not monitored).
Command ModesSLB real server configuration submode
Command History
Usage GuidelinesWhen you specify the minconns command, you must also specify the maxconns command. In all
max-connsMaximum number of active connections on the real server at any
time; the range is from 1 to 4294967295.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
releases, when the MINCONNS value is set, once a real server has reached the maximum connections
(MAXCONNS) state, no additional session is balanced to it until the number of open sessions to that
real server falls below MINCONNS.
ExamplesThis example shows how to limit the connections to a real server:
Cat6k-2(config-slb-sfarm)# real 10.2.2.1
Cat6k-2(config-slb-real)# maxconns 4000
Related Commandsminconns (real server submode)
real
show module csm real
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-77
minconns (real server submode)
minconns (real server submode)
To establish a minimum connection threshold for the real server, use the minconns command in the SLB
real server configuration submode. To change the minimum number of connections to the default value,
use the no form of this command.
minconns min-cons
no minconns
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
DefaultsThe default value is the set minumum number of connections.
Command ModesSLB real server configuration submode
Command History
Usage GuidelinesWhen the threshold of the maxconns command is exceeded, the CSM stops sending connections until
min-consMinimum number of connections allowed on the real server; the
range is from 0 to 4294967295.
ReleaseModification
CSM release 1.1(1)This command was introduced.
CSM-S release 1.1(1)This command was introduced.
the number of connections falls below the minconns command threshold. This value must be lower than
the maximum number of connections configured by the maxconns command. When you specify the
minconns command, you must also specify the maxconns command.
In all releases, when the MINCONNS value is set, once a real server has reached the maximum
connections (MAXCONNS) state, no additional session is balanced to it until the number of open
sessions to that real server falls below MINCONNS.
ExamplesThis example shows how to establish a minimum connection threshold for a server:
Cat6k-2(config-slb-sfarm)# real 102.2.2.1
Cat6k-2(config-slb-real)# minconns 4000
Related Commandsmaxconns (real server submode)
real
show module csm real
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-78
OL-7029-01
Loading...
+ hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.