Cisco OL-7029-01 User Manual
Catalyst 6500 Series Switch Content
Switching Module with SSL Command
Reference
Software Release 2.1(1)
May, 2005
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-7029-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
©2005, Cisco Systems, Inc. All rights reserved.
Preface xi
Audience xi
Organization xi
Conventions xii
Related Documentation xiii
Obtaining Documentation xiii
Cisco.com xiii
Documentation DVD xiii
Ordering Documentation xiv
Documentation Feedback xiv
Cisco Product Security Overview xiv
Reporting Security Problems in Cisco Products xv
CONTENTS
CHAPTER
CHAPTER
Obtaining Technical Assistance xv
Cisco Technical Support Website xv
Submitting a Service Request xvi
Definitions of Service Request Severity xvi
Obtaining Additional Publications and Information xvii
1 Using Content Switching Module Commands 1-1
Using the CSM and CSM-S Commands 1-1
Command Modes 1-2
Regular Expressions 1-3
2 Content Switching Module with SSL Commands 2-1
arp 2-2
capp udp 2-3
options (CAPP UDP submode) 2-5
port (CAPP UDP submode) 2-6
secure (CAPP UDP submode) 2-7
OL-7029-01
clear module csm 2-8
dfp 2-9
agent (DFP submode) 2-11
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
iii
Contents
manager (DFP submode) 2-12
exit 2-13
ft group 2-14
failover (fault tolerant submode) 2-16
heartbeat-time (fault tolerant submode) 2-17
preempt (fault tolerant submode) 2-18
priority (fault tolerant submode) 2-19
track (fault tolerant submode) 2-20
hw-module csm standby config-sync 2-21
ip slb mode 2-22
map cookie 2-24
match protocol http cookie (cookie map submode) 2-25
map dns 2-26
match protocol dns domain (DNS map submode) 2-27
map header 2-28
insert protocol http header (header map submode) 2-29
match protocol http header (header map submode) 2-30
map retcode 2-31
match protocol http retcode (return code map submode) 2-32
map url 2-33
match protocol http url (URL map submode) 2-34
module csm 2-35
natpool (module CSM submode) 2-36
variable (module CSM submode) 2-37
owner 2-40
billing-info (owner submode) 2-41
contact-info (owner submode) 2-42
maxconns (owner submode) 2-43
policy 2-44
client-group (policy submode) 2-45
iv
cookie-map (policy submode) 2-46
header-map (policy submode) 2-47
nat client (policy submode) 2-48
serverfarm (policy submode) 2-49
set ip dscp (policy submode) 2-51
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
sticky-group (policy submode) 2-52
url-map (policy submode) 2-53
probe 2-54
address (probe submode) 2-56
credentials (probe submode) 2-57
description (serverfarm submode) 2-58
expect status (probe submode) 2-59
failed (probe submode) 2-61
header (probe submode) 2-62
interval (probe submode) 2-63
name (probe submode) 2-64
open (probe submode) 2-65
port (probe submode) 2-66
Contents
receive (probe submode) 2-67
recover (probe submode) 2-68
request (probe submode) 2-69
retries (probe submode) 2-70
script (probe submode) 2-71
real 2-72
backup real (real server submode) 2-74
health probe (real server submode) 2-75
inservice (real server submode) 2-76
maxconns (real server submode) 2-77
minconns (real server submode) 2-78
redirect-vserver (real server submode) 2-79
weight (real server submode) 2-80
redirect-vserver 2-81
advertise (redirect virtual server submode) 2-82
client (redirect virtual server submode) 2-83
idle (redirect virtual server submode) 2-84
OL-7029-01
inservice (redirect virtual server submode) 2-85
replicate csrp (redirect virtual server submode) 2-86
ssl (redirect virtual server submode) 2-87
virtual (redirect virtual server submode) 2-88
vlan (redirect virtual server submode) 2-89
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
v
Contents
webhost backup (redirect virtual server submode) 2-90
webhost relocation (redirect virtual server submode) 2-91
reverse-sticky 2-92
script file 2-93
script task 2-95
serverfarm 2-96
bindid (serverfarm submode) 2-97
description (serverfarm submode) 2-98
failaction (serverfarm submode) 2-99
health (serverfarm submode) 2-100
nat client (serverfarm submode) 2-101
nat server (serverfarm submode) 2-102
predictor (serverfarm submode) 2-103
probe (serverfarm submode) 2-106
retcode-map (serverfarm submode) 2-107
show module csm 2-108
show module csm arp 2-109
show module csm capp 2-110
show module csm conns 2-112
show module csm dfp 2-114
show module csm ft 2-116
show module csm map 2-117
show module csm memory 2-119
show module csm natpool 2-120
show module csm owner 2-121
show module csm policy 2-122
show module csm probe 2-123
show module csm probe script 2-125
show module csm pvlan 2-126
show module csm real 2-127
vi
show module csm real retcode 2-129
show module csm script 2-130
show module csm script task 2-131
show module csm serverfarm 2-132
show module csm static 2-134
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
show module csm static server 2-135
show module csm stats 2-137
show module csm status 2-139
show module csm sticky 2-140
show module csm tech-script 2-142
show module csm tech-support 2-143
show module csm variable 2-146
show module csm vlan 2-148
show module csm vserver redirect 2-150
show module csm xml stats 2-152
snmp enable traps slb ft 2-153
static 2-154
real (static NAT submode) 2-155
Contents
sticky 2-156
cookie offset (sticky submode) 2-158
cookie secondary (sticky submode) 2-159
header (sticky submode) 2-160
static (sticky submode) 2-161
vserver 2-162
advertise (virtual server submode) 2-163
client (virtual server submode) 2-164
description (virtual server submode) 2-165
domain (virtual server submode) 2-166
idle (virtual server submode) 2-167
inservice (virtual server submode) 2-168
owner (virtual server submode) 2-169
parse-length (virtual server submode) 2-170
pending (virtual server submode) 2-171
persistent rebalance (virtual server submode) 2-172
replicate csrp (virtual server submode) 2-173
OL-7029-01
reverse-sticky (virtual server submode) 2-174
serverfarm (virtual server submode) 2-175
slb-policy (virtual server submode) 2-177
ssl-sticky (virtual server submode) 2-178
status-tracking (virtual server submode) 2-179
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
vii
Contents
sticky (virtual server submode) 2-180
unidirectional (virtual server submode) 2-182
url-hash (virtual server submode) 2-183
virtual (virtual server submode) 2-184
vlan (virtual server submode) 2-187
vlan 2-188
alias (VLAN submode) 2-189
description (VLAN submode) 2-191
gateway (VLAN submode) 2-192
ip address (VLAN submode) 2-193
route (VLAN submode) 2-194
xml-config 2-195
client-group (XML submode) 2-196
CHAPTER
credentials (XML submode) 2-197
inservice (XML submode) 2-198
port (XML submode) 2-199
vlan (XML submode) 2-200
3 Commands Specific to the Content Switching Module with SSL 3-1
clear ssl-proxy conn 3-5
clear ssl-proxy session 3-6
clear ssl-proxy stats 3-7
crypto ca export pem 3-8
crypto ca import pem 3-10
crypto ca export pkcs12 3-12
crypto ca import pkcs12 3-14
crypto key export rsa pem 3-16
crypto key import rsa pem 3-18
debug ssl-proxy 3-20
do 3-23
viii
show ssl-proxy admin-info 3-24
show ssl-proxy buffers 3-25
show ssl-proxy certificate-history 3-26
show ssl-proxy conn 3-29
show ssl-proxy crash-info 3-32
show ssl-proxy mac address 3-34
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
show ssl-proxy natpool 3-35
show ssl-proxy policy 3-36
show ssl-proxy service 3-38
show ssl-proxy stats 3-40
show ssl-proxy status 3-43
show ssl-proxy version 3-45
show ssl-proxy vlan 3-46
show ssl-proxy vts 3-47
snmp-server enable 3-48
ssl-proxy crypto selftest 3-49
ssl-proxy mac address 3-50
ssl-proxy natpool 3-51
ssl-proxy pki 3-52
Contents
ssl-proxy policy http-header 3-54
ssl-proxy policy ssl 3-56
ssl-proxy policy tcp 3-60
ssl-proxy policy url-rewrite 3-63
ssl-proxy pool ca 3-65
ssl-proxy service 3-66
ssl-proxy service client 3-70
ssl-proxy ssl ratelimit 3-73
ssl-proxy vlan 3-74
standby authentication 3-78
standby delay minimum reload 3-79
standby ip 3-81
standby mac-address 3-83
standby mac-refresh 3-85
standby name 3-86
standby preempt 3-87
standby priority 3-89
OL-7029-01
standby redirects 3-91
standby timers 3-93
standby track 3-95
standby use-bia 3-97
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
ix
Contents
APPENDIX
I
NDEX
A Acronyms A-1
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
x
OL-7029-01
Preface
This preface describes the audience, organization, and conventions of this publication, and provides
information on how to obtain related documentation.
This guide contains the commands available for use with the Cisco Content Switching Module with SSL
(CSM-S). Use this guide with the Catalyst 6500 Series Switch Content Switching Module with SSL
Installation Note and the Catalyst 6500 Series Switch Content Switching Module with SSL Installation
and Configuration Note.
Audience
This publication is for experienced network administrators who are responsible for configuring and
maintaining Catalyst 6500 series switches and network managers who perform any of the following
tasks:
Organization
This publication is organized as follows:
Chapter Title Description
Chapter 1 Using Content Switching
Chapter 2 Content Switching Module with
Chapter 3 Commands Specific to the
Appendix A Acronyms Lists the acronyms used in this command
• Managing network security
• Configuring firewalls
• Managing default and static routes and TCP and UDP services
Introduces you to the CSM commands,
Module Commands
SSL Commands
Content Switching Module with
SSL
access modes, and common port and
protocol numbers.
Provides detailed descriptions of all CSM
commands in an alphabetical listing.
Provides detailed descriptions of all SSL
commands used by the CSMS in an
alphabetical listing.
reference.
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
xi
Conventions
Conventions
This document uses the following conventions:
Convention Description
boldface font Commands, command options, and keywords are in
boldface.
italic font Arguments for which you supply values are in italics.
[ ] Elements in square brackets are optional. Default responses
to system prompts are in square brackets.
{ x | y | z } Alternative keywords are grouped in braces and separated by
vertical bars. Braces can also be used to group keywords
and/or aguments; for example, {interface interface type}.
[ x | y | z ] Optional alternative keywords are grouped in brackets and
separated by vertical bars.
string A nonquoted set of characters. Do not use quotation marks
around the string or the string will include the quotation
marks.
screen font Terminal sessions and information the system displays are in
screen font.
boldface screen
font
italic screen
font
^ The symbol ^ represents the key labeled Control—for
< > Nonprinting characters, such as passwords are in angle
!, # An exclamation point (!) or a pound sign (#) at the beginning
Information you must enter is in boldface screen font.
Arguments in the screen display for which you supply values
are in
italic screen
font.
example, the key combination ^D in a screen display means
hold down the Control key while you press the D key.
brackets.
of a line of code indicates a comment line.
Preface
xii
Notes use the following conventions:
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in
the publication.
Cautions use the following conventions:
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Preface
Related Documentation
For more detailed installation and configuration information for the Content Switching Module with
SSL, refer to the following publications:
• Release Notes for the Catalyst 6500 Series Switch Content Switching Module with SSL
• Catalyst 6500 Series Switch Content Switching Module with SSL Installation Note
• Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
• Regulatory Compliance and Safety Information for the Catalyst 6500 Series Switches
For more detailed installation and configuration information for SSL services, refer to the following
publications:
• Release Notes for Catalyst 6500 Series SSL Services Module Software Release 2.x
• Catalyst 6500 Series Switch SSL Services Module Installation and Verification Note
• Catalyst 6500 Series Switch SSL Services Module Command Reference
• Catalyst 6500 Series Switch SSL Services Module System Messages
Use this document in conjunction with the CSM documentation available online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/csm_3_3 /index.htm
Related Documentation
Cisco provides CSM technical tips at the following site:
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps780/index.html
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which
may have shipped with your product. The Documentation DVD is updated regularly and may be more
current than printed documentation. The Documentation DVD package is available as a single unit.
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
xiii
Documentation Feedback
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product
number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from
the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Preface
• Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in
North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
xiv
• Report security vulnerabilities in Cisco products.
• Obtain assistance with security incidents that involve Cisco products.
• Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Preface
If you prefer to see advisories and notices as they are updated in real time, you can access a Product
Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release
them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a
vulnerability in a Cisco product, contact PSIRT:
• Emergencies— security-alert@cisco.com
• Nonemergencies —psirt@cisco.com
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive
information that you send to Cisco. PSIRT can work from encrypted information that is compatible with
PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence
with PSIRT is the one that has the most recent creation date in this public key server list:
Obtaining Technical Assistance
http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on
In an emergency, you can also reach PSIRT by telephone:
• 1 877 228-7302
• 1 408 525-6532
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco
Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical
Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical
Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service
contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and
resolving technical issues with Cisco products and technologies. The website is available 24 hours a day,
365 days a year, at this URL:
OL-7029-01
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password.
If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
xv
Obtaining Technical Assistance
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support
Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product
Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product
Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID
or model name; by tree view; or for certain products, by copying and pasting show command output.
Search results show an illustration of your product with the serial number label location highlighted.
Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3
and S4 service requests are those in which your network is minimally impaired or for which you require
product information.) After you describe your situation, the TAC Service Request Tool provides
recommended solutions. If your issue is not resolved using the recommended resources, your service
request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
Preface
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone.
(S1 or S2 service requests are those in which your production network is down or severely degraded.)
Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business
operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity
definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You
and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your
business operation are negatively affected by inadequate performance of Cisco products. You and Cisco
will commit full-time resources during normal business hours to resolve the situation.
xvi
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations
remain functional. You and Cisco will commit resources during normal business hours to restore service
to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Preface
Obtaining Additional Publications and Information
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
• Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit
Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
• Cisco Press publishes a wide range of general networking, training and certification titles. Both new
and experienced users will benefit from these publications. For current Cisco Press titles and other
information, go to Cisco Press at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and
networking investments. Each quarter, Packet delivers coverage of the latest industry trends,
technology breakthroughs, and Cisco products and solutions, as well as network deployment and
troubleshooting tips, configuration examples, customer case studies, certification and training
information, and links to scores of in-depth online resources. You can access Packet magazine at
this URL:
http://www.cisco.com/packet
• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies
learn how they can use technology to increase revenue, streamline their business, and expand
services. The publication identifies the challenges facing these companies and the technologies to
help solve them, using real-world case studies and business strategies to help readers make sound
technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
xvii
Obtaining Additional Publications and Information
Preface
xviii
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
CHAPTER
1
Using Content Switching Module Commands
This chapter describes how to use the CSM and CSM-S commands and contains the following sections:
• Using the CSM and CSM-S Commands, page 1-1
• Command Modes, page 1-2
Note Except where specifically differentiated, the term “Content Switching Module” and its acronym “CSM”
includes both the Content Switching Module and the Content Switching Module with SSL.
The term “Content Switching Module with SSL” and its acronym “CSM-S” are used only where the
information presented is specific to the CSMS.
The term SSL daughter card an SSL termination dauthter card for the CSM that accelerates Secure
Socket Layer (SSL) transactions.
Using the CSM and CSM-S Commands
This section provides a brief introduction to using commands and where to go for more information on
configuring and using your CSM or CSM-S.
You will use these commands for basic tasks:
Command Task
write memory Saving the configuration
write terminal Viewing the configuration
logging buffered debugging Accumulating system log (syslog) messages
show logging Viewing system log (syslog) messages
clear logging Clearing the message buffer
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
1-1
Command Modes
Chapter 1 Using Content Switching Module Commands
With the command-line interface (CLI), you can do the following tasks:
• Check the syntax before entering a command.
Enter a command and press the ? key to view a quick summary, or precede a command with the help
command (help aaa, for example).
• Abbreviate commands.
You can use the config t command to start configuration mode, the write t command statement to
list the configuration, and the write m commmand to write to Flash memory. In most commands,
the show command can be abbreviated as sh. This feature is called command completion.
• Review possible port and protocol numbers at the following Internet Assigned Numbers Authority
(IANA) websites:
http://www.iana.org/assignments/port-numbers
http://www.iana.org/assignments/protocol-numbers
• Create your configuration in a text editor, and then cut and paste it into the configuration.
You can paste in a line at a time or the whole configuration. Always check your configuration after
pasting large blocks of text to be sure that all of the text was copied.
For information about how to build your CSM and CSM-S configuration, refer to the Catalyst 6500
Series Content Switching Module Installation and Configuration Note and Catalyst 6500 Series Switch
Content Switching Module with SSL Installation and Configuration Note.
CSM and CSM-S technical documentation is located online at the following websites:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/csm
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/csm/csms
Command Modes
The CSM and CSM-S contain a command set based on Cisco IOS technologies and provides
configurable command privilege modes based on the following command modes:
Note When using these modules on a switch running the Catalyst operating system and Cisco IOS, you must
session to the Mutilayer Switch Feature Card (MSFC) for the router prompt.
• Unprivileged mode
The unprivileged mode allows you to view CSM settings. The unprivileged mode prompt appears
as follows when you first access the CSM:
Router>
• Privileged mode
Any unprivileged mode command will work in privileged mode. Use the enable command to start
the privileged mode from the unprivileged mode as follows:
Router> enable
Password:
Router
1-2
The # prompt is displayed.
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 1 Using Content Switching Module Commands
Use the exit or end commands to exit privileged mode and return to unprivileged mode as follows:
Router# exit
Logoff
Type help or '?' for a list of available commands.
Router>
Use the disable command to exit privileged mode and return to unprivileged mode as follows:
Router# disable
Router>
• Configuration mode
The configuration mode allows you to change the configuration. All privileged, unprivileged, and
configuration commands are available in this mode. Use the configure terminal command to start
the configuration mode as follows:
Router# configure terminal
Router(config)#
Use the exit or end commands to exit configuration mode and return to privileged mode as follows:
Router(config)# end
Router#
Regular Expressions
Use the disable command to exit configuration mode and return to unprivileged mode as follows:
Router(config)# disable
Router>
• Submodes
When you are in a submode, the prompt changes to:
Router(config-submode_name)#
Regular Expressions
Regular expressions used in commands are based on the UNIX filename specification. You will use
regular expressions in these commands:
• match protocol http cookie (cookie map submode), page -25
• match protocol http header (header map submode), page -30
• match protocol http url (URL map submode), page -34
Expression Meaning
“*” Zero or more characters
“?” Exactly one character—the [Ctrl + V] key combination must be entered
“\” Escaped character
“|” Or
Bracketed range (for example, [0–9]) Matching any single character from the range
Leading ^ in a range Do not match any in the range
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
1-3
Chapter 1 Using Content Switching Module Commands
Regular Expressions
Expression Meaning
“.\a” Alert (ASCII 7)
“.\b” Backspace (ASCII 80
“.\f” Form-feed (ASCII 12)
“.\n” Newline (ASCII 10)
“.\r” Carriage return (ASCII 13)
“.\t” Tab (ASCII 9)
“.\v” Vertical tab (ASCII 11)
“.\0” Null (ASCII 0)
“.\\” Backslash
“.\x##” Any ASCII character as specified in two-digit hexadecimal notation
1-4
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
CHAPTER
2
Content Switching Module with SSL Commands
This chapter contains an alphabetical listing of the commands necessary to configure the CSM-S. These
commands are unique to server load-balancing (SLB) and Layer 3 switching.
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-1
arp
arp
Chapter 2 Content Switching Module with SSL Commands
To configure a static ARP entry, use the arp command. To remove the static ARP entry from the
configuration, use the no form of this command.
arp ip_address mac-address vlan id
no arp ip_address
Syntax Description
Defaults This command has no default settings.
Command Modes CSM configuration submode
Command History
Examples This example shows how to configure a static ARP entry:
ip_address IP address that you want associate with the ARP entry.
mac-address MAC address of the host.
vlan id Identifies the VLAN.
Release Modification
CSM release 3.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Router(config-module-csm)# arp 1.1.1.1 0123.4567.89ab vlan 3
2-2
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
capp udp
To enter the Content Application Peering Protocol (CAPP) User Datagram Protocol (UDP)
configuration submode, and then enable the CAPP, use the capp udp command. To remove the CAPP
UDP configuration, use the no form of this command.
capp udp
no capp udp
Syntax Description This command has no arguments or keywords.
Defaults This command has no default settings.
Command Modes CSM configuration submode
capp udp
Command History
Release Modification
CSM release 2.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Usage Guidelines The CSM implements only the agent side of the CAPP, not the content router functionality. This feature
provides Global Server Load Balancing (GSLB) when you use the CSM with a Content Services Switch
(CSS), which provides the content router function.
When you enter the CAPP UDP submode, the following commands are available:
• default—Sets a command to its default.
• exit—Saves changes and exits from the subcommand mode; see the “agent (DFP submode)”
command section.
• no—Negates a command or sets the specified command to its defaults.
• options—Sets optional parameters for a specified IP address. see the “options (CAPP UDP
submode)” command section.
• port—Configures the CAPP port. Range is from 1 to 65535. Default is 5002, see the “port (CAPP
UDP submode)” command section.
• secure—Enables encryption, see the “secure (CAPP UDP submode)” command section.
Examples This example shows how to initiate CAPP UDP agent configuration mode and set the CAPP port:
Cat6k-2(config-module-csm)# capp udp
Cat6k-2(config-slb-capp-udp)# port 5002
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-3
capp udp
Related Commands port (CAPP UDP submode)
Chapter 2 Content Switching Module with SSL Commands
2-4
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
options (CAPP UDP submode)
To assign session options to an IP address, use the options command in the CAPP UDP submode. To
remove the options for the specified address from the configuration, use the no form of this command.
options ip_address encryption MD5 secret
no options ip_address
options (CAPP UDP submode)
Syntax Description
Defaults This command has no default settings.
Command Modes CSM CAPP UDP submode
Command History
Usage Guidelines The CSM applies encryption to packets sent to this destination address or when the CSM receives
ip_address IP address that you want associate with this group of options.
encryption MD5 Specifies MD5 authentication.
secret The string used in encryption and decryption of the MD5 hashing
method. Enter an unquoted text string with a maximum of 31
characters.
Release Modification
CSM release 2.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
datagrams with a matching source IP address.
You can set the IP address to 0.0.0.0 to apply encryption to all incoming and outbound datagrams that
are not specifically configured. The 0.0.0.0 IP address allows you to set a global security configuration
that can be applied to an arbitrary number of peers.
Examples This example shows the application of a specific option set to 10.6.3.21 and a global option set to all
other IP addresses. The CSM encrypts datagrams received from 10.6.3.21 and transmitted to 10.6.3.21
with encryption code mySecret. All other datagrams, received or transmitted, are assigned to the default
encryption secret anotherSecret.
Cat6k-2(config-slb-capp-udp)# options 10.6.3.21 encryption MD5 mySecret
Cat6k-2(config-slb-capp-udp)# options 0.0.0.0 encryption MD5 anotherSecret
Related Commands capp udp
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
2-5
port (CAPP UDP submode)
port (CAPP UDP submode)
To set the port number for CAPP UDP connections, use the port command in the CAPP UDP submode.
To remove the port from the configuration, use the no form of this command.
port port_num
no port
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
Defaults The no form of this command sets the port to 5002.
Command Modes CSM CAPP UDP submode
Command History
Examples This example shows how to set the port for CAPP connections:
Related Commands capp udp
port_num Specifies the UDP port number. Enter a value of 1 to 65535.
Release Modification
CSM release 2.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
Cat6k-2(config-slb-capp-udp)# 50
2-6
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 2 Content Switching Module with SSL Commands
secure (CAPP UDP submode)
To enable or disable the encryption requirement for inbound CAPP datagrams, use the secure command
in the CAPP UDP submode. This command prevents unauthorized messages from entering the CSM. To
remove the encryption requirement from the configuration, use the no form of this command.
secure
no secure
Syntax Description This command has no arguments or keywords.
Defaults This command has no default settings.
Command Modes CSM CAPP UDP submode
secure (CAPP UDP submode)
Command History
Usage Guidelines Use the capp udp secure command with the capp udp options command to specify which secure
Examples This example shows how to allow only incoming traffic from 10.6.3.21 encrypted with the encryption
Related Commands capp udp
Release Modification
CSM release 2.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
messages are accepted. If you use this command without the capp udp options command, the CSM
drops all incoming data.
code mySecret:
Cat6k-2(config-slb-capp-udp)# secure
Cat6k-2(config-slb-capp-udp)# options 10.6.3.21 encryption md5 mySecret
OL-7029-01
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-7
clear module csm
clear module csm
To force the active CSM to become the standby module, use the clear module csm command.
clear module csm [slot | all] arp-cache ip-address connections [real | vserver] counters ft active
linecard-configuration sticky [1-255 | all]
Chapter 2 Content Switching Module with SSL Commands
Syntax Description
Defaults This command has no default settings.
Command Modes Privileged
slot (Optional) Specifies the CSM location in the switch. Range is from 1
to 9.
all (Optional) Applies to all online CSM modules.
arp-cache ip-address Clears the SLB ARP cache.
connections Specifies connections.
real (Optional) Clears SLB connections for the real servers.
vserver (Optional) Clears SLB connections for a virtual server.
counters Clears SLB statistics.
ft active Clears the CSM fault tolerance state to force a failover.
linecard-configuration Clears the configuration database stored in the SLB linecard
sticky Specifies sticky.
1-255 (Optional) Clears the designated sticky group; range is from 1 to 255.
all (Optional) Clears all sticky entries from the sticky database.
Command History
Usage Guidelines When a connection is closed, a reset (RST) is sent to both the client and the server. Counters reset all
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
2-8
Release Modification
CSM release 3.2(1) This command was introduced.
CSM-S release 1.1(1) This command was introduced.
the CSM statistics information, except for the show mod csm X tech-support counters, which are reset
any time that you run the show command. The linecard-configuration command forces a soft-reset of
the CSM, which erases all existing connections and run-time information. The CSM then reloads its
configuration from Cisco IOS. This process takes about 3 seconds.
The ft active command is used to force the active CSM to the failover state. Fault tolerance preempt
must not be enabled.
OL-7029-01
Loading...