-
Cisco ACNS Software Command Reference, Release 5.5
-
Index
-
Preface
-
Command Line Interface Command Summary
-
Cisco ACNS Software Commands - aaa accounting to clear
-
Cisco ACNS Software Commands - clock to hostname
-
Cisco ACNS Software Commands - http to ldap
-
Cisco ACNS Software Commands - less to rtsp (global config)
-
Cisco ACNS Software Commands - rtsp to show hardware
-
Cisco ACNS Software Commands - show hosts to show statistics content-distribution-network
-
Cisco ACNS Software Commands - show statistics content-routing to show statistics tvout
-
Cisco ACNS Software Commands - show statistics udp to tacacs
-
Cisco ACNS Software Commands - tcp to wccp router-list
-
Cisco ACNS Software Commands - wccp rtsp to write
-
Appendix A: Acronyms
-
Appendix B: Standard Time Zones
-
Feedback
Table Of Contents
acquirer (global configuration)
bandwidth (global configuration)
bandwidth (interface configuration)
Cisco ACNS Software Commands
This chapter contains an alphabetical listing of all the commands in the Cisco ACNS 5.x software. The ACNS software CLI is organized into the following command modes:
•
EXEC mode—For setting, viewing, and testing system operations. It is divided into two access levels, user and privileged. To use the privileged access level, enter the enable command at the user access level prompt and then enter the privileged EXEC password when you see the password prompt.
•
•
•
See Chapter 1, "Command-Line Interface Command Summary," for a complete discussion of using CLI command modes.
Table 2-1 summarizes the ACNS commands and indicates the command mode for each command. The commands used to access configuration modes are marked with a footnote in Table 2-1. The same command may have different effects when entered in a different command mode, and for this reason, they are listed and documented separately. In Table 2-1, when the first occurrence is entered in EXEC mode, the second occurrence is entered in global configuration mode. When the first occurrence is entered in global configuration mode, the second occurrence is entered in interface configuration mode.
The ACNS software device mode determines whether the ACNS device is functioning as a Content Engine, Content Distribution Manager, Content Router, or IP/TV Program Manager. The commands available from a specific CLI mode are determined by the ACNS device mode in effect. Table 2-1 also indicates the device mode for each command. All indicates that the command is available for every device mode.
Note
Note
1 Commands used to access configuration modes.
aaa accounting
To configure authentication, authorization, and accounting (AAA), use the aaa accounting global configuration command. To remove individual options, use the no form of this command.
aaa accounting {commands {0 | 15} default {start-stop | stop-only | wait-start} tacacs | exec default {start-stop | stop-only | wait-start} tacacs | system default {start-stop | stop-only} tacacs}
no aaa accounting {commands {0 | 15} default {start-stop | stop-only | wait-start} tacacs | exec default {start-stop | stop-only | wait-start} tacacs | system default {start-stop | stop-only} tacacs}
Syntax Description
Defaults
AAA accounting is disabled by default.
Command Modes
global configuration
Usage Guidelines
The AAA accounting feature enables you to track the activities of an administrative user, services that users access, and the amount of network resources they consume (for example, connection time or the bytes transferred). You can use the AAA accounting feature to track user activity for billing, auditing, reporting, or security purposes. The ACNS 5.2 software and later releases use TACACS+ to implement AAA accounting; RADIUS is not currently supported. When AAA accounting is enabled, the Content Engine reports user activity to the TACACS+ security server in the form of accounting records. This data can then be analyzed for network management, client billing, and auditing.
In the ACNS 5.2 software and later releases, you can activate accounting for the following types of events:
•
WeekDay#Month#Day#Time#Year#CEaddress#username#terminal#RemoteHost#Event#EventTime#TaskId#Timezone#Service•
WeekDay#Month#Day#Time#Year#CEaddress#username#terminal#RemoteHost#Event#EventTime#TaskId#Timezone#Service#PrivilegeLevel#CLICommand•
WeekDay#Month#Day#Time#Year#CEaddress#username#terminal#RemoteHost#Event#EventTime#TaskId#Timezone#SystemService#SystemAccountingEvent#EventReasonThe ACNS 5.2 software and later releases support only the default accounting list.
Caution
Warning: The device may become non-responsive if it cannot contact a configured TACACS+ server.
The administrator is asked to confirm the configuration in an indefinite loop until the administrator enters "yes" to the following prompt:
Are you sure you want to proceed? [yes]
Examples
The following example configures TACACS+ on the Content Engine and also specifies that a start accounting notice should be sent at the beginning of the process and a stop accounting notice at the end of the process, and the requested user process should begin regardless of whether the start accounting notice was received by the accounting server:
ContentEngine(config)# tacacs key abcContentEngine(config)# tacacs server 172.16.50.1 primaryContentEngine(config)# aaa accounting system default start-stop tacacsContentEngine# show aaa accountingAccounting Type Record event(s) Protocol----------------------------------------------------------------Exec shell unknown unknownCommand level 0 unknown unknownCommand level 15 unknown unknownSystem start-stop TACACS+The following example shows that the Content Engine is set to record all user EXEC sessions. The command also specifies that a stop accounting notice should be sent to the TACACS+ server at the end of the session.
ContentEngine(config)# aaa accounting exec default stop-only tacacsThe following example shows that the Content Engine is set to record all CLI commands executed by a normal user. The command also specifies that a stop accounting notice should be sent to the TACACS+ server at the end of each CLI command executed by a normal user.
ContentEngine(config)# aaa accounting commands 0 default stop-only tacacsThe following example shows that the Content Engine is set to record all CLI commands executed by an administrative user. The command also specifies that a start accounting notice should be sent to the TACACS+ server at the beginning of the process and a stop accounting notice at the end of the process. The CLI command executed by the administrative user does not proceed until the start accounting notice has been acknowledged.
ContentEngine(config)# aaa accounting commands 15 default wait-start tacacsThe following example shows the EXEC shell accounting report that is available on the TACACS+ server:
Wed Apr 14 11:19:19 2004 172.16.0.0 super10 pts/0 172.31.0.0 startstart_time=1081919558 task_id=3028 timezone=PST service=shellWed Apr 14 11:19:23 2004 172.16.0.0 super10 pts/0 172.31.0.0stop stop_time=1081919562 task_id=3028 timezone=PST service=shellWed Apr 14 11:22:13 2004 172.16.0.0 normal20 pts/0 via5.abc.com startstart_time=1081919732 task_id=3048 timezone=PST service=shellWed Apr 14 11:22:16 2004 172.16.0.0 normal20 pts/0 via5.abc.com stopstop_time=1081919735 task_id=3048 timezone=PST service=shellWed Apr 14 11:25:29 2004 172.16.0.0 admin ftp via5.abc.com start start_time=1081919928task_id=3069 timezone=PST service=shellWed Apr 14 11:25:33 2004 172.16.0.0 admin ftp via5.abc.com stop stop_time=1081919931task_id=3069 timezone=PST service=shellThe following example shows the system accounting report that is available on the TACACS+ server:
Wed Apr 14 08:37:14 2004 172.16.0.0 unknown unknown 0.0.0.0 start start_time=1081909831task_id=2725 timezone=PST service=system event=sys_acct reason=reloadWed Apr 14 10:19:18 2004 172.16.0.0 admin ttyS0 0.0.0.0 stop stop_time=1081915955task_id=5358 timezone=PST service=system event=sys_acct reason=shutdownThe following example shows the command accounting report that is available on the TACACS+ server:
Wed Apr 14 12:35:38 2004 172.16.0.0 admin ttyS0 0.0.0.0 start start_time=1081924137task_id=3511 timezone=PST service=shell -lvl=0 cmd=logging console enableWed Apr 14 12:35:39 2004 172.16.0.0 admin ttyS0 0.0.0.0 stop stop_time=1081924137task_id=3511 timezone=PST service=shell priv-lvl=0 cmd=logging console enableIn addition to command accounting, the Content Engine records any executed CLI command in the system log (syslog). The message format is as follows:
ce_syslog(LOG_INFO, CESM_PARSER, PARSER_ALL, CESM_350232,"CLI_LOG %s: %s \n", __FUNCTION__, pd->command_line);Related Commands
debug aaa accounting
show aaa accountingaccess-lists
To configure access control list entries, use the access-lists global configuration command. To remove access control list entries, use the no form of this command.
access-lists {300 {deny groupname {any [position number] | groupname [position number]}} | {permit groupname {any [position number] | groupname [position number]}} | enable}
no access-lists {300 {deny groupname {any [position number] | groupname [position number]}}| {permit groupname {any [position number] | groupname [position number]}} | enable}
Syntax Description
Defaults
No default behaviors or values
Command Modes
global configuration
Usage Guidelines
In the ACNS 5.x software, you can configure group authorization using an access control list (ACL) only after a user has been authenticated against an NTLM or LDAP HTTP-request authentication server. The use of this list configures a group privilege when members of the group are accessing content provided by the Content Engine. You can use the ACL to allow the users who belong to certain groups or to prevent them from viewing specific content. This authorization feature offers more granular access control by specifying that access is only allowed to specific groups.
Use the access-lists enable global configuration command to enable the use of the ACL.
Use the access-lists 300 command to permit or deny a group from accessing the Internet using the Content Engine. For instance, use the access-lists 300 deny groupname marketing command to prevent any user from the marketing group from accessing content through the Content Engine.
At least one login authentication method, such as local, TACACS+, or RADIUS, must be enabled.
Note
In the ACNS 5.x software, the access control list contains the following feature enhancements and limitations:
•
•
•
•
Note
•
•
For Windows-based user groups, you must append the domain name in front of the group name in the form domain\group as follows:
•
•
Examples
The following example shows how to display the configuration of the access control list by using the show access-lists 300 command:
ContentEngine# show access-lists 300Access Control List Configuration---------------------------------Access Control List is enabledGroupname-based List (300)1. permit groupname techpubs2. permit groupname acme13. permit groupname engineering4. permit groupname sales5. permit groupname marketing6. deny groupname anyThe following example shows how to display statistical information for the access control list by using the show statistics access-lists 300 command:
ContentEngine# show statistics access-lists 300Access Control Lists Statistics-----------------------------------------Groupname and username-based List (300)Number of requests: 1Number of deny responses: 0Number of permit responses: 1The following example shows how to reset the statistical information for the access control list by using the clear statistics access-lists 300 command:
ContentEngine# clear statistics access-lists 300ContentEngine(config)# access-lists 300 permit groupname acme1 position 2Related Commands
show access-lists 300
show statistics access-list 300acquirer (EXEC)
To start or stop content acquisition on a specified acquirer channel, use the acquirer EXEC command. You can also use this command to verify and correct the Last-Modified-Time attribute in content acquired using the ACNS software before Release 5.0.3.
acquirer {check-time-for-old-content [channel-id channel-num | channel-name channel-name] [correct [channel-id channel-num | channel-name channel-name]] | start-channel {channel-id channel-num | channel-name channel-name} | stop-channel {channel-id channel-num | channel-name channel-name} | test-url url [use-http-proxy url | use-ntlm-domain domain-name | use-smb-options smb-options]}
Syntax Description
Defaults
If you do not specify the channel, this command applies to all channels assigned to the root Content Engine.
Command Modes
EXEC
Usage Guidelines
The acquirer is a software agent that gathers channel content before it is distributed to the receiver Content Engines in an ACNS network. The acquirer maintains a task list, which it updates after receiving a notification of changes in its channel configuration.
In the ACNS software Release 5.0.1 and earlier releases, the acquirer stored the Last-Modified-Time attribute in the local time format. As a result, content acquired using Release 5.0.1 or earlier software has a Last-Modified-Time attribute that is incorrect if used with later versions of the ACNS software, which use GMT format. Content downloaded after you upgrade to Release 5.0.3 and later releases has a Last-Modified-Time attribute in the correct GMT format.
When using Release 5.0.3 and later releases, you must correct the Last-Modified-Time attributes for content acquired with earlier releases by entering the following command from the privileged EXEC prompt:
acquirer check-time-for-old-content correct [channel-id channel-num channel-name channel-name]
This command changes the Last-Modified-Time attributes for content in all channels assigned to the root Content Engine unless you specify the channel ID or name.
Content Engines running ACNS software, Release 5.0.3 and later releases identify changes in the Last-Modified-Time attribute and download content only when changes have occurred.
Use the acquirer start-channel command to immediately start acquisition tasks for the selected channel. Use the acquirer stop-channel command to immediately stop all acquisition tasks for the selected channel.
Use the acquirer test-url url EXEC command to test whether a URL is accessible or not. The actual content is dumped into the path /dev/null.
Examples
The following example shows how the acquirer starts acquiring content on channel 86:
ContentEngine# acquirer start-channel channel-id 86ContentEngine# acquirer start-channel channel-name corporateThe following example shows how the acquirer stops acquiring content on channel 86:
ContentEngine# acquirer stop-channel channel-id 86ContentEngine# acquirer stop-channel channel-name corporateThe following example shows how the acquirer test-url command is used to test a URL:
ContentEngine# acquirer test-url http://172.16.150.26--05:16:41-- http://10.107.150.26=> `/dev/null'Connecting to 10.107.150.26:80... connected.HTTP request sent, awaiting response... 200 OKLength: 1,722 [text/html]100%[====================================>] 1,722 1.64M/s ETA 00:0002:45:40 (1.64 MB/s) - `/dev/null' saved [1722/1722]Related Commands
show acquirer
show statistics acquireracquirer (global configuration)
To provide authentication when the acquirer obtains content through a proxy server, use the acquirer global configuration command. To disable acquirer proxy authentication, use the no form of this command.
acquirer proxy authentication {outgoing {hostname | ip-address} port-num | transparent} username [ntlm domain [basic-auth-disable] | password password [ntlm domain [basic-auth-disable]]]
no acquirer proxy authentication {outgoing {hostname | ip-address} port-num | transparent} username [ntlm domain [basic-auth-disable] | password password [ntlm domain [basic-auth-disable]]]
Syntax Description
Defaults
No default behaviors or values
Command Modes
global configuration
Usage Guidelines
Use the acquirer proxy authentication outgoing global configuration command to configure authentication when you enable content acquisition through a proxy server. You must first configure the proxy host and the port using the http proxy outgoing host global configuration command. The maximum number of outgoing proxies allowed is eight. When you remove an outgoing proxy using the no http outgoing proxy command, the authentication information associated with that proxy is automatically removed.
Use the acquirer proxy authentication transparent command for transparent caches in the ACNS network that require authentication.
The acquirer supports a proxy with basic or NTLM authentication. Content acquisition through a proxy server is supported only for HTTP and not for HTTPS or FTP. Also, authentication is only supported for a single proxy server in a chain, so if multiple proxy servers in a chain require authentication, the request will fail.
Acquisition through a proxy server can be configured when the root Content Engine cannot directly access the origin server because the origin server is set up to allow access only by a specified proxy server. When a proxy server is configured for root Content Engine content acquisition, the acquirer contacts the proxy server instead of the origin server, and all requests to that origin server go through the proxy server.
Note
If a transparent WCCP proxy is used, you do not need to configure a proxy for content acquisition. In such cases, HTTP requests from the acquirer are redirected to the WCCP proxy by a router. However, when you do not have a router to redirect HTTP requests to the proxy server, you must configure the Content Engine to use the proxy server.
There are three ways to configure the proxy server: through the Content Distribution Manager GUI, through the Content Engine CLI, or through the manifest file. If you need to configure the Content Engine to use the proxy for both caching and pre-positioned content, use the CLI to configure the proxy. The CLI command is a global configuration command that configures the entire Content Engine to use the proxy. If only the acquirer portion of the Content Engine needs to use the proxy for acquiring the pre-positioned content, use the manifest file or specify the outgoing proxy. When you configure the proxy server in the manifest file, you are configuring the acquirer to use the proxy to fetch the content for a particular channel.
Note
You can also configure a proxy for fetching the manifest file by using the Content Distribution Manager GUI (the Creating New Channel or Modifying Channel window). When you configure a proxy server in the Content Distribution Manager GUI, the proxy configuration is valid only for acquiring the manifest file itself and not for acquiring the channel content. Requests for the manifest file go through the proxy server, and requests for the content go directly to the origin server.
Tip
Examples
The following example shows the authentication configuration for a nontransparent proxy server with NTLM authentication:
ContentEngine# acquirer proxy authentication outgoing 192.168.1.1 8080 myname password password ntlm mydomain basic-auth-disableThe following example shows the authentication configuration for a transparent proxy server with basic authentication:
ContentEngine# acquirer proxy authentication transparent 192.168.1.1 8080 mynameRelated Commands
http proxy outgoing
show acquireracquisition-distribution
To start or stop the content acquisition and distribution process, use the acquisition-distribution EXEC command.
acquisition-distribution {database-cleanup {start | stop} | start | stop}
Syntax Description
Defaults
No default behaviors or values
Command Modes
EXEC
Usage Guidelines
When you use the acquisition-distribution database-cleanup command, the acquisition and distribution database is checked to ensure that all pre-positioned content is available in cdnfs. If any pre-positioned content is found to be missing from cdnfs, the content is replicated to all Content Engines in the ACNS network. Root Content Engines assigned to a channel acquire the content directly from the origin server and replicate the content through the channel either by unicast or multicast transmission to other Content Engines in the channel. Receiver Content Engines obtain the content from forwarder Content Engines either by unicast or multicast. In the case of a disk00 failure when the database is stored on disk00 in an internal file system (/state), the recovery of the acquisition and distribution database is done automatically. You should run the acquisition and distribution database cleanup if a failure occurs or if you have to replace a disk drive other than disk00.
Examples
The following example starts the acquisition and distribution database cleanup process:
ContentEngine# acquisition-distribution database-cleanup startThe following example starts the acquisition and distribution process:
ContentEngine# acquisition-distribution startThe following example stops the acquisition and distribution process:
ContentEngine# acquisition-distribution stopRelated Commands
cdnfs cleanup
show acquirer
show distributionalarm overload-detect
To detect alarm overload situations, use the alarm overload-detect global configuration command. To disable alarm overload detection, use the no form of this command.
alarm overload-detect {clear 1-999 [raise 10-1000] | enable | raise 10-1000 [clear 1-999]}
no alarm overload-detect {clear 1-999 [raise 10-1000] | enable | raise 10-1000 [clear 1-999]}
Syntax Description
Defaults
raise: 10 alarms per second
clear: 1 alarm per second
Command Modes
global configuration
Usage Guidelines
When multiple applications running on a Content Engine experience problems at the same time, numerous alarms are set off simultaneously, and the Content Engine may stop responding. In the ACNS 5.2 software and later releases, you can use the alarm overload-detect global configuration command to set an overload limit for the incoming alarms from the node health manager. If the number of alarms exceeds the maximum number of alarms allowed, the Content Engine enters an alarm overload state until the number of alarms drops down to the number defined in the clear option.
When the Content Engine is in the alarm overload state, the following events occur:
•
•
•
•
Note
Examples
The following example enables the detection of alarm overload:
CONTENTENGINE(config)# alarm overload-detect enableThe following example sets the threshold for triggering the alarm overload at 100 alarms per second:
CONTENTENGINE(config)# alarm overload-detect raise 100The following example sets the level for clearing the alarm overload at 10 alarms per second:
CONTENTENGINE(config)# alarm overload-detect clear 10Related Commands
show alarms
show alarm statusasset
To set the tag name for the asset tag string, use the asset global configuration command. To remove the asset tag name, use the no form of this command.
asset tag name
no asset tag name
Syntax Description
Defaults
No default behaviors or values
Command Modes
global configuration
Examples
The following example shows how to configure a tag name for the asset tag string:
ContentEngine(config)# asset tag entitymibauthentication
To specify authentication and authorization methods, use the authentication global configuration command. To selectively disable options, use the no form of this command.
authentication {configuration {local | radius | tacacs} enable [primary | secondary | tertiary] | fail-over server-unreachable | login {local | radius | tacacs} enable [primary | secondary | tertiary]}
no authentication {configuration {local | radius | tacacs} enable [primary | secondary | tertiary] | fail-over server-unreachable | login {local | radius | tacacs} enable [primary | secondary | tertiary]}
Syntax Description
Defaults
The local authentication method is enabled by default.
Command Modes
global configuration
Usage Guidelines
Authentication, also referred to as login, is the act of verifying usernames and passwords. Authorization is the action of determining what a user is allowed to do. It permits or denies privileges for authenticated users in the network. For example, if you log in to a Content Engine with a superuser administrator account (for example, the predefined admin account), you have the highest level of access privileges and can perform any administrative task such as the following:
•
•
•
Generally, authentication precedes authorization in a network.
The authentication command configures both the authentication and authorization methods that govern login and configuration access to the Content Engine. Login and configuration privileges can be maintained in three different databases in the ACNS 5.x software: the local database, TACACS+ database, and RADIUS database. If all databases are enabled, then all three databases are queried. If the user data cannot be found in the first database queried, then the second and third databases are queried.
When an administrator can log in to the Content Engine through the console or the Content Engine GUI, the Content Engine checks the specified authentication database to verify the user's username and password to process these administrative login requests and to determine the access rights that this particular administrator should be granted during this login session. When the Content Engine receives an administrative login request, the Content Engine can check its local database or a remote third-party database (the TACACS+ database or the RADIUS database) to verify the username with the password and to determine the access privileges of the administrator.
When defining or modifying the authentication configuration method for a Content Engine, follow these guidelines:•
•
–
–
–
•
–
–
•
•
•
The authentication login command determines whether the user has any level of permission to access the Content Engine. The authentication configuration command authorizes the user with privileged access (configuration access) to the Content Engine.
The authentication login local and the authentication configuration local commands use a local database for authentication and authorization.
The authentication login tacacs and authentication configuration tacacs commands use a remote TACACS+ server to determine the level of user access.
The TACACS+ database validates users before they gain access to a Content Engine. TACACS+ is derived from the United States Department of Defense (RFC 1492) and is used by Cisco Systems as an additional control of nonprivileged and privileged mode access. The ACNS 5.3 software release and later releases support TACACS+ only and not TACACS or Extended TACACS.
To configure TACACS+, use the authentication and tacacs commands. To enable TACACS+, use the tacacs enable command.
For more information on TACACS+ authentication, see the "tacacs" section on page -761.
The authentication login radius and authentication configuration radius commands use a remote RADIUS server to determine the level of user access.
By default, the local method is enabled, with TACACS+ and RADIUS both disabled for login and configuration. Whenever TACACS+ and RADIUS are disabled, local is automatically enabled. TACACS+, RADIUS, and local methods can be enabled at the same time. The primary option specifies the first method to attempt for both login and configuration; the secondary option specifies the method to use if the primary method fails. The tertiary option specifies the method to use if both primary and secondary methods fail. If all methods of an authentication login or authentication configuration command are configured as primary, or all as secondary or tertiary, local is attempted first, then TACACS+, and then RADIUS.
Note
You must use the radius-server global configuration command to configure a RADIUS server for the RADIUS authentication and authorization method. For information about configuring a RADIUS server, see the "Specifying RADIUS Authentication and Authorization Settings" section.Default Administrative Login Authentication and Authorization Configuration
By default, the Content Engine uses the local database to obtain login authentication and authorization privileges for administrative users.
Note
Table 2-2 lists the default configuration for administrative login authentication and authorization.
Enforcing Authentication with the Primary Method
The authentication fail-over server-unreachable global configuration command allows you to specify that failover to the secondary authentication method should occur only if the primary authentication server is unreachable. This feature ensures that users gain access to the Content Engine using the local database only when nonlocal authentication servers (TACACS+ or RADIUS) are unreachable. For example, when a TACACS+ server is enabled for authentication with user authentication failover configured and the user tries to log in to the Content Engine using an account defined in the local database, login fails. Login succeeds only when the TACACS+ server is unreachable.
Server Redundancy
You can specify authentication servers with the corresponding authentication server (NTLM, LDAP, or RADIUS) host command options, or in the case of TACACS+ servers, with the server hostname command option, to configure additional servers. These additional servers provide authentication redundancy and improved throughput, especially when Content Engine load-balancing schemes distribute the requests evenly between the servers. If the Content Engine cannot connect to any of the authentication servers, no authentication takes place and users who have not been previously authenticated are denied access.
Login Authentication and Authorization Through the Local Database
Local authentication and authorization use locally configured login and passwords to authenticate administrative login attempts. The login and passwords are local to each Content Engine and are not mapped to individual usernames.
By default, local login authentication is enabled first. You can disable local login authentication only after enabling one or more of the other administrative login authentication methods. However, when local login authentication is disabled, if you disable all other administrative login authentication methods, local login authentication is reenabled automatically.
Specifying RADIUS Authentication and Authorization Settings
RADIUS authentication clients reside on the Content Engine running the ACNS 5.x software. When enabled, these clients send authentication requests to a central (remote) RADIUS server, which contains login authentication and network service access information.
To configure RADIUS authentication on a Content Engine, you must configure a set of RADIUS authentication server settings on the Content Engine. You can use the Content Engine GUI or the CLI to configure this set of RADIUS authentication server settings for a Content Engine.
Table 2-3 describes the RADIUS authentication settings.
After configuring these RADIUS authentication settings on the Content Engine, you can enable RADIUS login authentication and authorization on the Content Engine.
Specifying TACACS+ Authentication and Authorization Settings
TACACS+ controls access to network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or an entity. TACACS+ is an enhanced version of TACACS, a UDP-based access-control protocol specified by RFC 1492. TACACS+ uses TCP to ensure reliable delivery and encrypt all traffic between the TACACS+ server and the TACACS+ daemon on a network device.
TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication.
When a user requests restricted services, TACACS+ encrypts the user password information using the MD5 encryption algorithm and adds a TACACS+ packet header. This header information identifies the packet type being sent (for example, an authentication packet), the packet sequence number, the encryption type used, and the total packet length. The TACACS+ protocol then forwards the packet to the TACACS+ server.
A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another. A TACACS+ configuration can use any or all of the three services.
When the TACACS+ server receives a packet, it does the following:
•
•
You can configure a TACACS+ key on the client and server. If you configure a key on the Content Engine, it must be the same as the one configured on the TACACS+ servers. The TACACS+ clients and servers use the key to encrypt all TACACS+ packets transmitted. If you do not configure a TACACS+ key, packets are not encrypted.
TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local authentication at the same time.
In order to configure TACACS+ authentication on Content Engines, you must configure a set of TACACS+ authentication settings on the Content Engine. You can use the Content Engine CLI or GUI to configure this set of TACACS+ authentication settings for a Content Engine.
Table 2-4 describes the TACACS+ authentication settings.
Note
TACACS+ Enable Password Attribute
The ACNS software CLI EXEC mode is used for setting, viewing, and testing system operations. It is divided into two access levels, user and privileged. To access privileged-level EXEC mode, enter the enable EXEC command at the user access level prompt and specify a privileged EXEC password (superuser or admin-equivalent password) when prompted for a password.
In TACACS+, an enable password feature allows an administrator to define a different enable password per administrative-level user. If an administrative-level user logs in to the Content Engine with a normal-level user account (privilege level of 0) instead of an admin or admin-equivalent user account (privilege level of 15), that user must enter the admin password in order to access privileged-level EXEC mode. This requirement applies even if these ACNS users are using TACACS+ for login authentication.
ContentEngine> enablePassword:
Examples
The following example enables local and TACACS+ authentication and authorization, setting TACACS+ as the first method used and local as the secondary method to use if TACACS+ fails:
ContentEngine(config)# authentication login tacacs enable primaryContentEngine(config)# authentication login local enable secondaryContentEngine(config)# authentication configuration local enable secondaryContentEngine(config)# authentication configuration tacacs enable primaryThe following example shows the output of the show authentication user command:
ContentEngine# show authentication userLogin Authentication: Console/Telnet Session----------------------------- -----------------------local enabled (secondary)radius disabledtacacs enabled (primary)Configuration Authentication: Console/Telnet Session----------------------------- -----------------------local enabled (secondary)radius disabledtacacs enabled (primary)Configuration Authentication: Console/Telnet Session----------------------------- -----------------------local enabled (secondary)radius enabled (tertiary)tacacs enabled (primary)The following example shows the output of the show statistics authentication command:
ContentEngine# show statistics authenticationAuthentication Statistics--------------------------------------Number of access requests: 37Number of access deny responses: 14Number of access allow responses: 23The following example enables local, TACACS+, and RADIUS authentication and authorization, setting TACACS+ as the first method used, local as the secondary method if the TACACS+ method fails, and RADIUS as the tertiary method to use if both local and TACACS+ fail:
ContentEngine(config)# authentication login tacacs enable primaryContentEngine(config)# authentication login local enable secondaryContentEngine(config)# authentication login radius enable tertiaryContentEngine(config)# authentication configuration tacacs enable primaryContentEngine(config)# authentication configuration local enable secondaryContentEngine(config)# authentication configuration radius enable tertiaryRelated Commands
ntlm
radius-server
show authentication
show statistics authentication
tacacs
usernameauto-register
To enable discovery of a Fast Ethernet or Gigabit Ethernet Content Engine or Content Router and its automatic registration with the Content Distribution Manager through Dynamic Host Configuration Protocol (DHCP), use the auto-register global configuration command. To disable this function, use the no form of this command.
auto-register enable [FastEthernet slot/port | GigabitEthernet slot/port]
no auto-register enable [FastEthernet slot/port | GigabitEthernet slot/port]
Syntax Description
Defaults
Automatic registration using DHCP is enabled by default.
Command Modes
global configuration
Usage Guidelines
The auto-register enable command allows a Fast Ethernet or Gigabit Ethernet Content Engine or Content Router to discover the hostname of the Content Distribution Manager through DHCP and to automatically register the device with the Content Distribution Manager. Discovery and registration occur at bootup.
To assign a static IP address using the interface GigabitEthernet slot/port command, the automatic registration of devices through DHCP must be disabled by using the no auto-register enable command, because automatic registration through DHCP is enabled by default.
For autoregistration to work, you must have a DHCP server that is configured with the hostname of the Content Distribution Manager and that is capable of handling vendor class option 43.
Note
The DHCP server needs to send the vendor class option (option 43) information to the ACNS network device in the format for encapsulated vendor-specific options as provided in RFC 2132. The relevant section of RFC 2132, Section 8.4, is reproduced here as follows:
You should encode the encapsulated vendor-specific options field as a sequence of code/length/value fields of syntax identical to that of the DHCP options field with the following exceptions:
1.
2.
3.
In accordance with the RFC standard, the DHCP server needs to send the Content Distribution Manager hostname information in code/length/value format (code and length are single octets). The code for the Content Distribution Manager hostname is 0x01. DHCP server management and configuration are not within the scope of the autoregistration feature.
The ACNS network device sends CISCOCDN as the vendor class identifier in option 60 to facilitate device groupings by customers.
Autoregistration DHCP also requires that the following options are present in the DHCP server's offer to be considered valid:
•
•
•
•
•
Interface-level DHCP requires only subnet-mask (option 1) and routers (option 3) for an offer to be considered valid; domain-name (option 15), domain-name-servers (option 6), and host-name (option 12) are optional. All of the above options, with the exception of domain-name-servers (option 6), replace the existing configuration on the system. The domain-name-servers option is added to the existing list of name servers with the restriction of a maximum of eight name servers.
Autoregistration is enabled by default on the first interface of the device. The first interface depends on the Content Engine model as follows:
•
•
If you do not have a DHCP server, the device is unable to complete autoregistration and eventually times out. You can disable autoregistration at any time after the device has booted and proceed with manual setup and registration.
Examples
The following example enables autoregistration on GigabitEthernet port 2/0:
ContentEngine(config)# auto-register enable GigabitEthernet 2/0The following example enables autoregistration on FastEthernet port 0/1:
ContentEngine(config)# auto-register enable FastEthernet 0/1The following example disables autoregistration on all configured interfaces:
ContentEngine(config)# no auto-register enableRelated Commands
show auto-registration
show running-config
show startup-configautosense
To enable autosense on an interface, use the autosense interface configuration command. To disable this function, use the no form of this command.
autosense
no autosense
Syntax Description
This command has no arguments or keywords.
Defaults
Autosense is enabled by default.
Command Modes
interface configuration
Usage Guidelines
Cisco router Ethernet interfaces do not negotiate duplex settings. If the Content Engine is connected to a router directly with a crossover cable, the Content Engine interface must be manually set to match the router interface settings. Disable autosense before configuring an Ethernet interface. When autosense is on, manual configurations are overridden. You must reboot the Content Engine to start autosensing.
Configuring an interface for autosensing causes the full-duplex or half-duplex operation to be disabled. Conversely, configuring an interface for a full-duplex or half-duplex operation causes autosensing to be disabled.
When you set the Cache Engine Ethernet interface speed or duplex function using the half-duplex, full-duplex, or bandwidth commands, you should turn off the corresponding Ethernet switch port autosense function and manually set the duplex function and speed. If you turn off the Ethernet switch port autosense function, you have to manually set the Content Engine Ethernet interface duplex function and speed to match the Ethernet switch port settings. The Content Engine Ethernet interface autosense command will only erase manually set configurations.
Examples
The following example enables autosense on FastEthernet port 0/1:
CONTENTENGINE(config)# interface FastEthernet 0/1CONTENTENGINE(config-if)# autosenseThe following example disables autosense on FastEthernet port 0/1:
CONTENTENGINE(config)# interface FastEthernet 0/1CONTENTENGINE(config-if)# no autosenseRelated Commands
interface
show interface
show running-config
show startup-configbandwidth (global configuration)
To set an allowable bandwidth usage limit and its duration for Cisco Streaming Engine, RealProxy, RealServer, and WMT streaming media, use the bandwidth global configuration command. To remove individual options, use the no form of this command.
bandwidth {advanced config-file filename-path | {{cisco-streaming-engine kbits | http kbits | real-proxy {incoming | outgoing} kbits | real-server kbits | wmt {incoming | outgoing} kbits} {default | max-bandwidth | start-time weekday time end-time weekday time}}}
no bandwidth {advanced config-file | {{cisco-streaming-engine kbits | http kbits | real-proxy {incoming | outgoing} kbits | real-server kbits | wmt {incoming | outgoing} kbits} {default | max-bandwidth | start-time weekday time end-time weekday time}}}
Syntax Description
advanced
Configures the subnet-based WMT outgoing bandwidth. For more information, see the "Configuring Subnet-Based Outgoing Bandwidth" section.
config-file
Specifies the path of the advanced bandwidth configuration file.
filename-path
Name of the advanced bandwidth configuration file saved in the /local1 sysfs directory on the Content Engine.
cisco-streaming-engine
Configures the duration of allowable bandwidth settings for the Cisco Streaming Engine.
kbits
Bandwidth size for the Cisco Streaming Engine in kilobits per second (kbps) (0-2147483647).
http
Configures the pace and rate for pre-positioned HTTP traffic.
kbits
Bandwidth size for HTTP in kilobits per second (kbps) (0-2000000).
real-proxy
Configures the duration of allowable bandwidth settings for RealProxy.
incoming
Configures the duration of allowable incoming bandwidth settings for RealProxy.
outgoing
Configures the duration of allowable outgoing bandwidth settings for RealProxy.
kbits
Bandwidth size for RealProxy in kilobits per second (kbps) (0-2147483647).
real-server
Configures the duration of allowable bandwidth settings for RealServer.
kbits
Bandwidth size for RealServer in kilobits per second (kbps) (0-2147483647).
wmt
Configures the duration of allowable bandwidth settings for WMT. For more information, see the "Configuring Incoming and Outgoing WMT Bandwidth" section.
incoming
Configures the duration of allowable incoming bandwidth settings for WMT.
outgoing
Configures the duration of allowable outgoing bandwidth settings for WMT.
kbits
Bandwidth size for WMT in kilobits per second (kbps) (0-2147483647).
default
Sets the default value for the bandwidth if this value is not configured.
max-bandwidth
Sets the value for the maximum bandwidth configured.
start-time
Sets the starting day of the week and time (hh:mm) for the permitted bandwidth usage.
weekday
Day of the week to start:
Friday
Monday
Saturday
Sunday
Thursday
Tuesday
Wednesdaytime
Time of the day to start, in hours and minutes (hh:mm).
end-time
Sets the ending day of the week and time for the permitted bandwidth usage.
weekday
Day of the week to end.
Defaults
No default behavior or values
Command Modes
global configuration
Usage Guidelines
With the various types of traffic originating from a device, every type of traffic, such as streaming media, HTTP, and metadata, consumes network resources. Use the bandwidth command to limit the amount of network bandwidth used by the Cisco Streaming Engine, RealNetworks, and WMT streaming media.
The content services bandwidth includes the bandwidth allocation for WMT, RealProxy, RealServer, and Cisco Streaming Engine services. WMT bandwidth settings apply to WMT streaming of live, cached, and pre-positioned content. RealServer bandwidth settings apply to RealMedia streaming of pre-positioned and live content that has been specified in the manifest file for a channel. RealProxy bandwidth settings apply to RealMedia streaming of cached and live content that has not been specified in the manifest file for a channel. Cisco Streaming Engine bandwidth settings apply to the standard RTSP server streaming of pre-positioned content only.
For each type of bandwidth, you can specify the amount of bandwidth to be used for a particular time period. This type is called scheduled bandwidth. The default bandwidth is the amount of bandwidth associated with each content service type when there is no scheduled bandwidth. In centrally managed deployments (the Content Engines are registered with a Content Distribution Manager), if a Content Engine is assigned to a device group and no default bandwidth has been configured for the Content Engine itself, the device group default bandwidth settings are applied. However, if the default bandwidth has been configured for the Content Engine, then that setting overrides the device group settings. If the Content Engine is a member of multiple device groups, the most recently updated default bandwidth settings are applied.
The maximum bandwidth specifies the upper limit for the allowable bandwidth. The total bandwidth configured for all content services must not exceed the bandwidth limits specified for any Content Engine platform model in the ACNS network. In addition, the license keys configured for WMT further restrict the maximum bandwidth available for each Content Engine model.
Configuring Incoming and Outgoing WMT Bandwidth
The bandwidth between the WMT proxy server (the Content Engine) and the WMT client is called the WMT outgoing bandwidth.
The bandwidth between the WMT proxy and the origin streaming server is called the incoming bandwidth. Because the bandwidth from the edge to the outside IP WAN is limited, you must specify a per session limit (the maximum bit rate per request) for each service that is running on the Content Engine and that consumes the incoming bandwidth (for example, the WMT streaming service), and an aggregate limit (the maximum incoming bandwidth.) You need to control the outgoing bandwidth based on the WMT license that is configured on the Content Engine.
The bandwidth wmt outgoing and bandwidth incoming global configuration commands enable you to specify a WMT incoming and an outgoing bandwidth as follows:
•
If the specified outgoing bandwidth is above the limit specified by the WMT license, then a warning message displays. However, the specified outgoing bandwidth setting is applied to the Content Engine because the outgoing bandwidth may be configured before the WMT licenses are enabled or an enabled WMT license could be changed to a higher value at a later time.
•
The incoming bandwidth applies to the following:
–
–
–
With the ACNS 5.x software, you can also configure a maximum bandwidth for the preloading process using the pre-load max-bandwidth global configuration command.
Configuring Subnet-Based Outgoing Bandwidth
In the ACNS 5.3 software release, the ability to configure IP subnet-based bandwidth control for WMT requests was added. This feature allows you to specify the maximum bandwidth consumption for specific client IP subnets (the aggregate bandwidth for the subnet). This bandwidth control feature is supported for WMT streaming through the following protocols: Windows Media 9 RTSP and HTTP.
You specify the rules for limiting the subnet-based outgoing bandwidth in an XML configuration file. This configuration file is called the advanced bandwidth configuration file. For example, if you have three subnets (Subnet A that is the parent subnet, and Subnet B and C that are within Subnet A) and you have specified three subnet-based bandwidth rules as follows:
•
•
•
Then, even though the total allowed bandwidth of Subnet B and C is 12000 kbps (as defined by Rule B and C in the configuration file), the total bandwidth does not exceed 10000 kbps because of Rule A.
The following is an example of the format of the advanced bandwidth configuration file. It also shows the required order of the lines in the advanced bandwidth configuration file.
XML Configuration File Format:<?xml version="1.0"?><BandwidthSpec><BandwidthRule><ClientNetwork>10.77.140.133/32</ClientNetwork><description>(Apply to PC jdoe-w2k)</description><Allow limit="3000" service="wmt"/></BandwidthRule><BandwidthRule><description>Comment (Apply to PCs in subnet 10.77.140.x)</description><Allow limit="50000" service="wmt"/><ClientNetwork>10.77.140.0/24</ClientNetwork></BandwidthRule><BandwidthRule><Allow limit="1400" service="wmt"/><ClientNetwork>10.1.1.1/32</ClientNetwork></BandwidthRule><BandwidthRule><ClientNetwork>10.0.18.0/24</ClientNetwork><description>(Apply to my PC)</description><Allow limit="700" service="wmt" /></BandwidthRule><BandwidthRule><ClientNetwork>10.0.19.0/24</ClientNetwork><description>(Apply to my PC)</description><Allow limit="700" service="wmt" /></BandwidthRule><BandwidthRule><ClientNetwork>10.0.20.0/24</ClientNetwork><description>(Apply to my PC)</description><Allow limit="700" service="wmt" /></BandwidthRule><BandwidthRule><ClientNetwork>10.0.21.0/24</ClientNetwork><description>(Apply to my PC)</description><Allow limit="700" service="wmt" /></BandwidthRule><Default limit="3000" service="wmt" /></BandwidthSpec>where
•
•
•
•
•
Note
You use the bandwidth advanced config-file filename-path global configuration command to specify the path of the advanced bandwidth configuration file. Use the complete pathname when you specify the path of the bandwidth configuration file. You use FTP to download this configuration file to the Content Engine so that the file is available in the local sysfs partition on the Content Engine.
Examples
The following example limits the RealProxy bandwidth to 1000 kbps from 8:00 a.m. to 6:00 p.m on Mondays through Fridays:
ContentEngine(config)# bandwidth allow 1000 real-proxy start-time monday 8:00 end-time friday 18:00
Tip
The following example specifies the path of the advanced bandwidth configuration file new_file.xml that resides in the /local1 directory on the Content Engine:
ContentEngine(config)# bandwidth advanced config-file /local1/new_file.xmlThe following example configures the default bandwidth for pre-positioned HTTP traffic as 2000 kbps:
CONTENTENGINE(config)# bandwidth http 2000 defaultThe following example configures the maximum bandwidth for the Cisco Streaming Engine as 56000 kbps:
CONTENTENGINE(config)# bandwidth cisco-streaming-engine 56000 max-bandwidthRelated Commands
bandwidth (interface configuration)
interface
show bandwidth
show interface
show running-config
show startup-config
show statistics bandwidthbandwidth (interface configuration)
To configure an interface bandwidth, use the bandwidth interface configuration command. To restore default values, use the no form of this command.
bandwidth {10 | 100 | 1000}
no bandwidth {10 | 100 | 1000}
Syntax Description
Defaults
No default behaviors or values
Command Modes
interface configuration
Usage Guidelines
To configure an interface bandwidth on a Content Engine, use the bandwidth interface configuration command. The bandwidth is specified in megabits per second (Mbps). The 1000 Mbps option is not available on all ports and is the same as enabling autosense on the interface. On a Content Engine CE-7320 model that has an optical Gigabit Ethernet interface, you cannot change the speed of this interface. Therefore, Gigabit Ethernet interfaces only run at 1000 Mbps for a CE-7320. For newer models of the Content Engine (for example, the CE-510, CE-565, CE-7305, CE-7325, and CE-7326) that have a Gigabit Ethernet interface over copper, this restriction does not apply; you can configure these Gigabit Ethernet interfaces to run at 10, 100, or 1000 Mbps. On these newer Content Engine models, the 1000-Mbps setting implies autosense (for example, you cannot configure the Gigabit Ethernet interface to run at 1000 Mbps and half duplex). The ACNS 5.x software automatically enables autosense if the speed is set to 1000 Mbps.
In the ACNS 5.3 software and later releases, you can configure the Gigabit Ethernet interface settings (autosense, bandwidth, and duplex settings) if the Gigabit-over-copper-interface is up or down. If the interface is up, it will apply the specific interface settings. If the interface is down, the specified settings are stored and then applied when the interface is brought up. For example, you can specify any of the following commands for a Gigabit-over-copper-interface, which is currently down, and have these settings automatically applied when the interface is brought up:
ContentEngine(config-if)# bandwidth 10ContentEngine(config-if)# bandwidth 100ContentEngine(config-if)# bandwidth 1000ContentEngine(config-if)# autosenseContentEngine(config-if)# half-duplexContentEngine(config-if)# full-duplex
Note
You cannot configure the Gigabit Ethernet interface settings on an optical Gigabit Ethernet interface (for example, if the Content Engine is a CE-7320 model).
Examples
The following example shows how to set an interface bandwidth to 10 Mbps:
ContentEngine(config-if)# bandwidth 10The following example shows how to restore default bandwidth values on an interface:
ContentEngine(config-if)# no bandwidthRelated Commands
interface
banner
To configure the EXEC, login, and message-of-the-day (MOTD) banners, use the banner global configuration command. To disable the banner feature, use the no form of this command.
banner {enable | exec {message line | message_text} | login {message line | message_text} | motd {message line | message_text}}
no banner {enable | exec [message] | login [message] | motd [message]}
Syntax Description
Defaults
Banner support is disabled by default
Command Modes
global configuration
Usage Guidelines
In the ACNS 5.3 software and later releases, you can configure the following three types of banners in any ACNS software device mode:
•
•
•
Note
After you configure the banners, enter the banner enable global configuration command to enable banner support on the Content Engine. Enter the show banner EXEC command to display information about the configured banners.
Note
Examples
The following example shows how to enable banner support on the Content Engine:
ContentEngine (config)# banner enableThe following example shows how to use the banner motd message global configuration command to configure the MOTD banner. In this example, the MOTD message consists of a single line of text.
ContentEngine(config)# banner motd message This is an ACNS 5.3 deviceThe following example shows how to use the banner motd message global command to configure a MOTD message that is longer than a single line. In this case, the Content Engine translates the \n portion of the message to a new line when the MOTD message is displayed to the user.
ContentEngine (config)# banner motd message "This is the motd message. \nThis is an ACNS 5.3 device\n"The following example shows how to use the banner login message global configuration command to configure a MOTD message that is longer than a single line. In this case, Content Engine A translates the \n portion of the message to a new line in the login message that is displayed to the user.
ContentEngine(config)# banner login message "This is login banner. \nUse your password to login\n"The following example shows how to use the banner exec global configuration command to configure an interactive banner. The banner exec command is similar to the banner motd message commands except that for the banner exec command, the banner content is obtained from the command line input that the user enters after being prompted for the input.
CONTENTENGINE(config)# banner execPlease type your MOTD messages below and end it with '.' at beginning of line:(plain text only, no longer than 980 bytes including newline)This is the EXEC banner.\nUse your ACNS username and password to log in to this Content Engine.\n.Message has 99 characters.CONTENTENGINE(config)#Assume that a Content Engine has been configured with the MOTD, login, and EXEC banners as shown in the previous examples. When a user uses an SSH session to log in to the Content Engine, the user will see a login session that includes a MOTD banner and a login banner that asks the user to enter a login password as follows:
This is the motd banner.This is an ACNS 5.3 deviceThis is login banner.Use your password to login.Cisco Content Engineadmin@ce's password:After the user enters a valid login password, the EXEC banner is displayed, and the user is asked to enter the ACNS username and password as follows:
Last login: Fri Oct 1 14:54:03 2004 from clientSystem Initialization Finished.This is the EXEC banner.Use your ACNS username and password to log in to this Content Engine.After the user enters a valid ACNS username and password, the Content Engine CLI is displayed. The CLI prompt varies depending on the privilege level of the login account. In the following example, because the user entered a username and password that had administrative privileges (privilege level of 15), the EXEC mode CLI prompt is displayed:
ContentEngine#Related Commands
show banner
bitrate
To configure the maximum pacing bit rate for large files sent using the HTTP protocol and to separately configure WMT bit-rate settings, use the bitrate global configuration command. To remove the bit-rate settings, use the no form of this command.
bitrate {http default bitrate | wmt {incoming bitrate | outgoing bitrate}}
no bitrate {http default bitrate | wmt {incoming | outgoing}}
Syntax Description
Defaults
http bitrate: 1500 kbps
wmt incoming bitrate: 0 (no limit)
wmt outgoing bitrate: 0 (no limit)
Command Modes
global configuration
Usage Guidelines
The ACNS 5.x software includes the Windows Media Technologies (WMT) proxy, which has the ability to cache on-demand media files when the user requests these files for the first time. All subsequent requests for the same file are served by the WMT proxy using the RTSP protocol. The WMT proxy can also live-split a broadcast, which causes only a single unicast stream to be requested from the origin server in response to multiple client requests for the stream.
The bit rate between the proxy and the origin server is called the incoming bit rate. Use the bitrate command to limit the maximum bit rate per session for large files delivered using either the HTTP or the RTSP protocol. The bitrate wmt incoming and bitrate wmt outgoing global configuration commands enable you to specify a WMT incoming and outgoing WMT per session bit rate as follows:
•
•
The outgoing bandwidth applies to the following:
–
–
Note
Variable WMT Bit Rates
A content provider can create streaming media files at different bit rates to ensure that different clients who have different connections—for example, modem, DSL, or LAN—can choose a particular bit rate. The WMT caching proxy can cache multiple bit-rate files or variable bit-rate (VBR) files, and based on the bit rate specified by the client, it serves the appropriate stream. Another advantage of creating variable bit-rate files is that you only need to specify a single URL for the delivery of streaming media.
Note
Examples
The following example shows how to configure an incoming bit rate for a file sent over HTTP:
ContentEngine(config)# bitrate http default 100The following example shows how to configure an incoming bit rate for a file sent using WMT. Use the show wmt command to verify that the incoming bit rate has been modified.
ContentEngine(config)# bitrate wmt incoming 300000ContentEngine(config)# exitContentEngine# show wmt--------- WMT Server Configurations -----------------WMT golden license key installedWMT outgoing bandwidth limit enforced: 250000 Kbits/secWMT end user license agreement acceptedWMT is enabledWMT disallowed client protocols: noneWMT outgoing bandwidth configured is 250000 Kbits/secWMT incoming bandwidth configured is 250000 Kbits/secWMT max sessions configured: 3568WMT max sessions platform limit: 3568WMT max sessions enforced: 3568 sessionsWMT max outgoing bit rate allowed per stream has no limitWMT max incoming bit rate allowed per stream has no limitWMT cache is enabledWMT cache max-obj-size: 1024 MBWMT debug level: 0WMT L4 switch is not enabledWMT debug client ip not setWMT debug server ip not setWMT/REAL cache space partition: wmt 70%, real 30%WMT Stripping ? from Live URL is not enabledWMT accelerate live-split is enabledWMT accelerate proxy-cache is enabledWMT accelerate VOD is enabledWMT fast-start is enabledWMT fast-start max. bandwidth per player is 3500 (Kbps)WMT fast-cache is enabledWMT fast-cache acceleration factor is 5WMT maximum data packet MTU (TCP) enforced is 1472 bytesWMT maximum data packet MTU (UDP) is 1500 bytesWMT client idle timeout is 60 secondsWMT forward logs is enabledWMT server inactivity-timeout is 65535WMT Transaction Log format is Windows Media Services 9.0 logging and CE specificinformationRTSP Gateway incoming port 554RTSP Gateway L4-switch not enabledRTSP Gateway Transparent Interception (WCCP):Configured on port: 554--------- WMT HTTP Configurations -------------------WMT http extensions allowed:asf none nsc wma wmv nsclog--------- WMT Proxy Configurations ------------------Outgoing Proxy-Mode:--------------------MMS-over-HTTP Proxy-Mode:is not configured.RTSP Proxy-Mode:is not configured.ContentEngine#Related Commands
show http all
show wmtbypass
To enable transparent error handling and dynamic authentication bypass, and to configure static bypass lists, use the bypass global configuration command. To disable the bypass feature, use the no form of this command.
bypass {auth-traffic enable | gateway ipaddress | load {enable | in-interval seconds | out-interval seconds | time-interval minutes} | static {clientip | any-client} {serverip | any-server} | timer minutes}
no bypass {auth-traffic enable | gateway ipaddress | load {enable | in-interval seconds | out-interval seconds | time-interval minutes} | static {clientip {serverip | any-server} | any-client serverip} | timer}
Syntax Description
Defaults
bypass timer: 20 minutes
in-interval: 60 seconds
out-interval: 4 seconds
time-interval: 10 minutes
Command Modes
global configuration
Usage Guidelines
Bypass refers to a method that the Content Engine can use to handle various error responses (including authentication failure) from an origin server. When the Content Engine receives an error response from an origin server, it adds an entry for the server to its bypass list. When it receives subsequent requests for content residing on the bypassed server, it redirects packets to the bypass gateway. If no bypass gateway is configured, then the packets are returned to the redirecting Layer 4 switch.
If both WCCP Version 2 and a Layer 4 switch are configured, then requests redirected to the Content Engine by WCCP are bypassed to the redirecting WCCP Version 2-enabled router. Requests redirected to the Content Engine by the Layer 4 switch are redirected to the bypass gateway. The Content Engine can differentiate between requests arriving as a result of WCCP and as a result of the Layer 4 switch.
Bypass features can be used with a WCCP Version 2-enabled router or with a Layer 4 switch, such as the Cisco Content Switching Module or Cisco Content Services switch. The Content Engine cannot set up a bypass for proxy-style requests.
Using a Bypass Gateway
To enable bypass of HTTP requests with a Layer 4 switch, use the http l4-switch enable command. To identify the router to which the Content Engine will direct responses when errors are received from the origin server, use the bypass gateway command. Replace ipaddress with the IP address of a router that is a Layer 2 neighbor of the Content Engine.
With RealMedia RTSP transparent redirection, a Layer 4 switch redirects RealMedia requests to the Content Engine (acting as a transparent proxy server). RTSP transparent redirection is used to support RealMedia transparent caching on a standalone Content Engine. To enable transparent redirection of RTSP requests through Layer 4 switching, enter the rtsp L4-switch enable global configuration command. After you enter the command, a message appears indicating that Layer 4 switching for RTSP has been enabled on the Content Engine:
ContentEngine(config)# rtsp L4-switch enableTurn on l4 switchAuthentication Traffic Bypass
Some websites, because of IP authentication, do not allow the Content Engine to connect directly on behalf of the client. To preserve transparency and to avoid a disruption of service, the Content Engine can use authentication traffic bypass to automatically generate a dynamic access list for these client/server pairs. Authentication bypass triggers are also propagated upstream and downstream in the case of hierarchical caching. When a client/server pair goes into authentication bypass, it is bypassed for an amount of time set by the bypass timer command (20 minutes by default).
Dynamic Traffic Bypass
The following two scenarios describe typical dynamic traffic bypass situations:
Scenario 1—Dynamic Bypass upon Receiving a Web Server Error
A user issues an HTTP request from a web browser. The request is transparently intercepted and redirected to the Content Engine. The Content Engine accepts the incoming TCP connection from the web browser, determines that the request is for an object not in storage (cache miss), issues a request for the object from the origin web server, but receives some kind of error (for instance, a protocol or authentication error) from the web server.
The Content Engine has already accepted the TCP connection from the web browser and the three-way TCP handshake has taken place. The Content Engine detects that the transaction with the web server is failed but does not know the cause (the origin web server is performing authentication based on user source IP address, incompatibility between the TCP stacks, and so forth).
By default, if the Content Engine receives an error from the origin server, the Content Engine sends a 200 OK response back to the browser with instructions to refresh the URL as follows:
HTTP/1.0 200 OKCache-Control; no-cacheConnection: CloseThis refresh instruction causes the client to send the request again. On the connection retry, the Content Engine does not accept the connection. It passes the request back to the WCCP-enabled router or switch unintercepted. The router then sends the flow toward the origin web server directly from the web browser, which bypasses the Content Engine.
Scenario 2—Dynamic Bypass upon Receiving an Unsupported Protocol
When the Content Engine receives non-HTTP requests over TCP port 80, the Content Engine issues a retry response, closes the connection, and does not accept subsequent connections in the same manner as in scenario 1.
Note
These two scenarios implement the WCCP return-path functionality in WCCP, which is a mechanism that allows a Content Engine to return traffic to the WCCP-enabled router or switch, telling the router or switch to forward the packets as if the Content Engine was not present.
Typically, approximately 3 percent of all HTTP traffic flows have some kind of failure condition. These failed flows are automatically retried using authentication bypass or dynamic client bypass, demonstrating that the failure conditions were preexisting and not due to the deployment of transparent caching.
Overload Bypass
If a Content Engine becomes overwhelmed with traffic, it can use the bypass load feature to reroute the overload traffic.
When the Content Engine is overloaded and the bypass load command is enabled, the Content Engine bypasses a bucket. If the load remains too high, another bucket is bypassed, and so on until the Content Engine can handle the load. The time interval between one bucket being bypassed and the next is set by the out-interval option. The default is 4 seconds.
When the first bucket bypass occurs, a time interval must elapse before the Content Engine begins to again service the bypassed buckets. The duration of this interval is set by the time-interval option. The default is 10 minutes.
When the Content Engine begins to service the bypassed traffic again, it begins with a single bypassed bucket. If the load is serviceable, the Content Engine picks up another bypassed bucket, and so on. The time interval between picking up one bucket and the next is set by the in-interval option. The default is 60 seconds.
Static Bypass
The bypass static command permits traffic from specified sources to bypass the Content Engine. The types of traffic sources are as follows:
•
•
•
Wildcards in either the source or the destination field are not supported.
To clear all static configuration lists, use the no form of the command.
Note
Examples
The following example forces HTTP traffic from a specified client to a specified server to bypass the Content Engine:
ContentEngine(config)# bypass static 10.1.17.1 172.16.7.52The following example forces all HTTP traffic destined to a specified server to bypass the Content Engine:
ContentEngine(config)# bypass static any-client 172.16.7.52The following example forces all HTTP traffic from a specified client to any web server to bypass the Content Engine:
ContentEngine(config)# bypass static 10.1.17.1 any-serverThe following example forces all authenticated HTTP traffic to bypass the Content Engine for 24 hours:
ContentEngine(config)# bypass auth-traffic enableContentEngine(config)# bypass timer 1440A static list of source and destination addresses helps to isolate instances of problem-causing clients and servers. You can display the list as follows:
•
ContentEngine# show bypass listClient Server Entry type------ ------ ----------10.1.17.1:0 172.16.7.52:0 static-configany-client:0 172.16.7.52:0 static-config10.1.17.2:0 any-server:0 static-config•
Total number of HTTP connections bypassed = 0Connections bypassed due to system overload = 0Connections bypassed due to authentication issues = 0Connections bypassed due to facilitate error transparency = 0Connections bypassed due to static configuration = 0Total number of entries in the bypass list = 3Number of Authentication bypass entries = 0Number of Error bypass entries = 0Number of Static Configuration entries = 3Related Commands
clear bypass
http l4-switch
rtsp l4-switch
rule
show bypass
show statistics bypasscache
To perform cache-related actions, use the cache EXEC command.
cache {clear [force] | reset | synchronize}
To clear the disk of all cached content, use the cache clear EXEC command.
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Usage Guidelines
The cache clear command removes all cached contents from the currently mounted cfs volumes. Objects being read or written are removed when they stop being busy. The equivalent to this command is the clear cache or cfs clear command.
Caution
The cache clear force deletes all cfs objects, whether busy or not, and may generate broken GIF or HTML messages for objects that were being read from the disk when the command was executed. If an object is being written to the Content Engine disk when a cache clear force command is executed, the application stops caching that object but still delivers the object from the web server to the client.
The cache synchronize command synchronizes the cache file system and the media file system contents from memory to disk. Although synchronization is performed at regular intervals while the Content Engine is operating, this command can be used to ensure that all data is written to disk before you reset or turn off the Content Engine. Synchronization can also be done using the cfs sync and mediafs sync commands.
Examples
The following example forces deletion of all cached objects:
ContentEngine# cache clear forceRelated Commands
cfs
clear cachecd
To change from one directory to another directory, use the cd EXEC command.
cd directoryname
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Usage Guidelines
Use this command to maneuver between directories and for file management. The directory name becomes the default prefix for all relative paths. Relative paths do not begin with a slash (/). Absolute paths begin with a slash (/).
Examples
The following example shows how to use a relative path:
ContentEngine(config)# cd local1The following example shows how to use an absolute path:
ContentEngine(config)# cd /local1Related Commands
deltree
dir
lls
ls
mkdir
pwdcdm
To configure the Content Distribution Manager IP address to be used for the Content Engines or Content Routers, or to configure the role and GUI parameters on a Content Distribution Manager device, use the cdm global configuration command. To negate these actions, use the no form of this command.
cdm {ip {hostname | ip-address | role {primary | standby} | ui port port-num}
no cdm {ip | role {primary | standby} | ui port}
Syntax Description
Defaults
No default behavior or values
Command Modes
global configuration
Usage Guidelines
In the ACNS 5.3 software release and later releases, you can use the cdm ui port global configuration command to change the Content Distribution Manager GUI port from the standard number 8443 as follows:
ContentDistributionManager(config)# cdm ui port 35535
Note
The cdm ip command associates the device with the Content Distribution Manager so that the device can be approved as a part of the network.
After the device is configured with the Content Distribution Manager IP address, it presents a self-signed security certificate and other essential information, such as its IP address or hostname, disk space allocation, and so forth, to the Content Distribution Manager.
Configuring Devices Inside a NAT
In an ACNS network, there are two methods for a device registered with the Content Distribution Manager (Content Engines, Content Routers, or standby Content Distribution Manager) to obtain configuration information from the primary Content Distribution Manager. The primary method is for the device to periodically poll the primary Content Distribution Manager on port 443 to request a configuration update. You cannot configure this port number. The backup method is when the Content Distribution Manager pushes configuration updates to a registered device as soon as possible by issuing a notification to the registered device on port 443. This method allows changes to take effect in a timelier manner. You cannot configure this port number even when the backup method is being used. ACNS networks do not work reliably if devices registered with the Content Distribution Manager are unable to poll the Content Distribution Manager for configuration updates. Similarly, when a receiver Content Engine requests content and content metadata from a forwarder Content Engine, it contacts the forwarder Content Engine on port 443.
All the above methods become complex in the presence of Network Address Translation (NAT) firewalls. When a device (Content Engines at the edge of the network, Content Routers, and primary or standby Content Distribution Managers) is inside a NAT firewall, those devices that are inside the same NAT use one IP address (the inside local IP address) to access the device and those devices that are outside the NAT use a different IP address (the inside global IP address) to access the device. A centrally managed device advertises only its inside local IP address to the Content Distribution Manager. All other devices inside the NAT use the inside local IP address to contact the centrally managed device that resides inside the NAT. A device that is not inside the same NAT as the centrally managed device is not able to contact it without special configuration.
If the primary Content Distribution Manager is inside a NAT, you can allow a device outside the NAT to poll it for getUpdate requests by configuring a static translation (inside global IP address) for the Content Distribution Manager's inside local IP address on its NAT, and using this address, rather than the Content Distribution Manager's inside local IP address, in the cdm ip ip-address global configuration command when you register the device to the Content Distribution Manager. If a Content Engine or Content Router is inside a NAT and the Content Distribution Manager is outside the NAT, you can allow the Content Engine or Content Router to poll for getUpdate requests by configuring a static translation (inside global IP address) for the Content Engine or Content Router's inside local address on its NAT and specifying this address in the Use IP Address field under the NAT Configuration heading in the Device Activation window.
Note
Standby Content Distribution Managers
The Cisco ACNS software implements a standby Content Distribution Manager. This process allows you to maintain a copy of the ACNS network configuration. If the primary Content Distribution Manager fails, the standby can be used to replace the primary.
For interoperability, when a standby Content Distribution Manager is used, it must be at the same software version as the primary Content Distribution Manager in order to maintain the full Content Distribution Manager configuration. Otherwise, the standby Content Distribution Manager detects this status and does not process any configuration updates that it receives from the primary Content Distribution Manager until the problem is corrected.
Note
Switching a Content Distribution Manager from Warm Standby to Primary
If your primary Content Distribution Manager becomes inoperable for some reason, you can manually reconfigure one of your warm standby Content Distribution Managers to be the primary Content Distribution Manager. Configure the new role by using the global configuration cdm role primary command as follows:
DeviceName# configureDeviceName(config)# cdm role primaryThis command changes the role from standby to primary and restarts the management service to recognize the change.
Note
If you switch a warm standby Content Distribution Manager to primary while your primary Content Distribution Manager is still online and active, both Content Distribution Managers detect each other, automatically shut themselves down, and disable management services. The Content Distribution Managers are switched to halted, which is automatically saved in flash memory.
For more information on how to return halted Content Distribution Managers to an online status, see the Cisco ACNS Software Configuration Guide for Centrally Managed Deployments.
Examples
The following example configures an IP address and a primary role for a Content Distribution Manager:
ContentDstributionManager(config)# cdm ip 10.1.1.1ContentDstributionManager(config)# cdm role primaryThe following example configures a new GUI port to access the Content Distribution Manager GUI:
ContentDstributionManager(config)# cdm ui port 8550The following example configures the Content Distribution Manager as the standby Content Distribution Manager:
CDM(config)# cdm role standbySwitching CDM to standby will cause all configuration settings made on this CDMto be lost.Please confirm you want to continue [no]?yesRestarting CMS servicesThe following example configures the standby Content Distribution Manager with the IP address of the primary Content Distribution Manager by using the cdm ip ip-address global configuration command. This command associates the device with the primary Content Distribution Manager so that it can be approved as a part of the network.
CDM-4630# cdm ip 10.1.1.1cdnfs
To manage the ACNS network file system (cdnfs), use the cdnfs EXEC command.
cdnfs {browse | cleanup {info | start | stop} | delete-unused-ecdnfs-files | lookup url}
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Usage Guidelines
The ACNS network file systems (cdnfs) stores the pre-positioned ACNS network content to be delivered by all supported protocols. You can configure the cdnfs size of each Content Engine using the disk configure command.
The cdnfs cleanup command cleans up the content of deleted channels from the acquisition and distribution database. In certain cases, the acquirer is not notified by the Centralized Management System (CMS) about deleted channels, and it fails to clear all unified name space (UNS) content. In such cases, the cdnfs cleanup EXEC command can be used to clean up all UNS content associated with deleted channels.
Note
The cdnfs browse command is an interactive command and has the following subcommands used to view ACNS network files and directories:
ContentEngine# cdnfs browse------ CDNFS interactive browsing ------dir, ls: list directory contentscd,chdir: change current working directoryinfo: display attributes of a filemore: page through a filecat: display a fileexit,quit: quit CDNFS browse shell/>dirwww.gidtest.com//>cd www.gidtest.com/www.gidtest.com/>dir764 Bytes index.html/www.gidtest.com/>info index.htmlCDNFS File Attributes:Status 3 (Ready)File Size 764 BytesStart Time nullEnd Time nullLast-modified Time Sun Sep 9 01:46:40 2001Internal path to data file: /disk06-00/d/www.gidtest.com/05/05d201b7ca6fdd41d491eaec7cfc6f14.0.data.htmlnote: data file actual last-modified time: Tue Feb 15 00:47:35 2005/www.gidtest.com/>Because the cdnfs is empty in this example, the ls command does not show any results. Typically, if the cdnfs contained information, it would list the websites as directories, and file attributes and content could be viewed using these subcommands.
The cdnfs cleanup command synchronizes the state of the acquisition and distribution database with the content stored on the cdnfs. You should use this command after replacing a failed disk drive.
Use the cdnfs delete-unused-ecdnfs-files command to delete the previous version of the data files from previously released ACNS software ecdnfs files.
Note
Note
Use the cdnfs lookup command to look up and, if present, obtain information on a specified URL in the cdnfs.
Examples
The following example shows how to delete previous versions of the E-CDN application legacy files:
ContentEngine# delete-unused-ecdnfs-filesThe following example shows the result of a lookup on a live streaming file. Typically, the File Size field is larger than zero. The Live Stream Route... information appears only for live streaming entries.
ContentEngine# cdnfs lookup rtsp://10.107.192.3/SoccerCDNFS File Attributes:Status 3 (Ready)File Size 0 BytesStart Time nullEnd Time nullAllowed Playback via HTTP WMTcdn_uns_id d2CkEFiNwwaVNx+qI9KLeQ..channelId 131no_redirect_to_origin 1wmt-live 1Live Stream Route for WMT Media stream is :-->Next Hop = 10.1.21.6-->Next Hop = 10.107.150.203-->Last Hop = 10.107.192.3The Status field is displayed as Ready if the pre-positioned content is available on cdnfs, regardless of whether the content is available during playback or not.
The following example shows the output of the cdnfs cleanup info command:
ContentEngine# cdnfs cleanup infoGathering cleanup information. This may take some time....(Use Ctrl+C or 'cdnfs cleanup stop' to interrupt)..............................Summary of garbage resource entries found-------------------------------------------Number of entries : 605Size of entries (KB) : 60820911Related Commands
show cdnfs
show statistics cdnfscdp (global configuration)
To configure Cisco Discovery Protocol (CDP) options, use the cdp global configuration command. To disable CDP on all interfaces, use the no form of this command.
cdp {enable | holdtime seconds | timer seconds}
no cdp {enable | holdtime seconds | timer seconds}
Syntax Description
Defaults
CDP is enabled by default.
holdtime: 180 seconds
timer: 60 seconds
Command Modes
global configuration
Usage Guidelines
When enabled with the cdp enable command, CDP obtains protocol addresses of neighboring devices and discovers the platform of those devices. It also shows information about the interfaces used by your router. CDP is media- and protocol-independent and runs on Cisco-manufactured equipment.
Use of SNMP with the CDP Management Information Base (MIB) allows network management applications to learn the device type and the SNMP agent address of neighboring devices and to send SNMP queries to those devices. CDP uses the CISCO-CDP-MIB.
Each device configured for CDP sends periodic messages, known as advertisements, to a multicast address. The cdp timer seconds command specifies the rate at which CDP packets are sent. Each device advertises at least one address at which it can receive SNMP messages. The advertisements also contain Time-To-Live or hold-time information. To set the hold time, use the cdp holdtime seconds command to specify the period of time in seconds that a receiver is to keep CDP packets. Each device also listens to the periodic CDP messages sent by others to learn about neighboring devices.
Examples
The following example shows that three command lines are entered in sequence. CDP is first enabled, the hold time is set to 10 seconds for keeping CDP packets, and then the rate at which CDP packets are sent (15 seconds) is set.
ContentEngine(config)# cdp enableContentEngine(config)# cdp holdtime 10ContentEngine(config)# cdp timer 15Related Commands
cdp (interface configuration)
clear cdp counters
clear cdp table
show cdpcdp (interface configuration)
To enable Cisco Discovery Protocol (CDP) on an interface, use the cdp interface configuration command. To disable CDP on an interface, use the no form of this command.
cdp enable
no cdp enable
Syntax Description
Defaults
No default behavior or values
Command Modes
interface configuration
Usage Guidelines
Using the cdp enable command in global configuration mode enables CDP globally on all the interfaces. If you want to control CDP behavior per interface, then use the cdp enable command in interface configuration mode. Note that the interface level control overrides the global control.
If CDP has been enabled on all interfaces, by default, you can use the no cdp enable command in interface configuration mode to disable CDP on a particular interface.
Examples
The following example enables CDP on FastEthernet interface (slot 1/port 1):
ContentEngine# configureContentEngine(config)# interface FastEthernet 1/1ContentEngine(config-if)# cdp enable
Note
CONTENTENGINE(config-if)# cdp enableCannot enable CDP on this interface, CDP Global is disabledRelated Commands
cdp (global configuration)
interface
show cdp
show interface
show running-config
show startup-configcfs
To configure the cache file system (cfs) of the Content Engine, use the cfs EXEC command. To remove the cfs settings, use the no form of this command.
cfs {clear partition [force] | format partition | mount partition | reset partition | sync partition | unmount partition}
no cfs {clear partition [force] | format partition | mount partition | reset partition | sync partition | unmount partition}
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Usage Guidelines
Cache objects retrieved from the web are saved and manipulated with the cache file system (cfs) on a cfs partition of the hard disk. This process does not affect the sysfs, swfs, or mediafs partitions. The cfs commands are used to manage the cache object file system.
The cfs clear command deletes the nonbusy objects from the specified cfs volume. A nonbusy object is an object that is not being accessed (read or written). The cfs clear command (without force) deletes all possible objects without generating a broken GIF or HTML message to the client.
The cfs clear force command deletes all objects, busy or nonbusy, and may generate broken GIF or HTML messages for objects that were being read from the disk when the command was executed. If an object is being written to the Content Engine disk when a cfs clear force command is executed, the application stops caching that object but still delivers the object from the web server to the client.
The cfs reset command unmounts, formats, and mounts a specified volume. Unmounting a volume can result in broken GIF or HTML messages for objects that are being read from the disk (cache hits) when the command is executed. When a cfs volume is reset, all cfs data on that volume is lost.
Note
The cfs format command creates the cache file system internal dbs for the cfs partition of the disk if the volume is unmounted. It formats the cfs partition to prepare it for a cfs mount. The cfs mount command creates and maps data structures in memory to the cfs partition.
Caution
The cfs unmount command frees the in-memory data structures that map to the physical (disk) cfs partition.
The cfs sync command synchronizes the cache file system contents from the memory to the disk. Although synchronization is performed at regular intervals while the Content Engine is running, this command can be used to ensure that all data is written to disk before you reset or turn off the Content Engine. Synchronization can also be done with the cache synchronize command.
Examples
The following example synchronizes the cache file system contents from the memory to disk05:
ContentEngine# cfs sync disk05Related Commands
cache clear
clear cache
show cfschannel
To assign, create, delete, add, modify, or otherwise configure a channel, use the channel EXEC command. This command is available on Content Distribution Manager devices only.
channel assign site-name channel-name {channel-root root-ce-name | content-engine {all | ce-name} | device-group {all | devicegroup-name}}
channel create site-name channel-name [description channel-desc] [multicast-enabled] [priority {high | low | normal}] [skip-encryption] [weak-certificate]
channel delete site-name {all | channel-name}
channel manifest-add site-name channel-name manifest-url disk-quota check-manifest-interval [password password username username]
channel manifest-fetch site-name channel-name
channel manifest-modify site-name channel-name [disk-quota disk-quota] [manifest-url url] [password password] [time-to-live check-manifest-interval] [username username]
channel modify site-name channel-name [description channel-desc] [multicast {disable | enable}] [new-channel-name channel-name] [priority {high | low | normal}] [skip-encryption {disable | enable}] [weak-certificate {disable | enable}]
channel un-assign site-name channel-name {content-engine {all | ce-name} | device-group {all | devicegroup-name}}
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Usage Guidelines
Channels map the content from a website to the devices in your ACNS network. Before you can create a channel, you must first create a directory of content providers and provide URLs to their websites. Content Engines in the same location can be assigned to different channels.
A website is a collection of content objects from a single origin server. Websites can be classified as either routable or nonroutable. Routable websites are controlled and operated by the enterprise corporation where the content is owned. Routable website domain names are fully qualified domain names (FQDNs) that are recognizable to Content Routers. Routable websites support all ACNS software routing and edge intercept mechanisms: WCCP interception, proxy configuration, and simplified hybrid routing. Nonroutable websites are not controlled or operated by the enterprise corporation, and the content is not owned by the enterprise. For example, www.cnn.com or www.yahoo.com are nonroutable websites. Nonroutable websites support WCCP interception and proxy configuration only.
Note
When configuring a channel in the Content Distribution Manager GUI, the administrator specifies a list of Content Engines that belong to the channel and which replicate the content of the channel and a root Content Engine to acquire the content from the origin server and publish it.
For any given channel, there is only one publisher of content (the root Content Engine) and multiple receivers of that content (the Content Engines that are assigned to that channel). The location that contains the root Content Engine for a given channel is called the root location. A channel can have only one configured root Content Engine. Other Content Engines in the root location can act as backup publishers, if the configured root Content Engine fails.
Disk Quota
The channel quota is disk quota or maximum content storage size in MB for pre-positioning content for this channel. When configuring the channel quota, follow these guidelines:
•
•
Because of the overhead, the amount of disk space used by a file is always larger than the size of the file itself. To figure the amount of disk space needed for a file, follow these steps:
a.
(File size in KB / 4096) rounded up to the next integer value = Total number of blocks per file
b.
Total blocks per file * 4096 = Total disk usage in bytes
c.
Total disk usage in bytes + (4096 bytes * 4) = Disk usage per file
Also, because the software attempts to reserve enough space for other minor internal system functions, it is helpful to configure your channel quotas (and pre-positioned disk space) with a modest amount (perhaps 10 percent) of extra space beyond the total disk space consumed.
Channel quota in kilobytes = (Total disk usage in kilobytes) + (0.1 * Total disk usage in kilobytes)
Distribution Priority
The distribution priority setting determines the priority of content acquisition and distribution. You configure this setting using the priority keyword. The distribution priority values are high (750), normal (500), or low (250).
The priority of content acquisition also depends on the origin server. Requests from different origin servers are processed in parallel. Requests from the same origin server are processed sequentially by their overall priority.
Content Priority
A priority can be assigned to content objects to define their order of importance. The ACNS software determines the order of processing from the level of priority of the content. The higher the content priority, the sooner the acquisition of content from the origin server and the sooner the content is distributed to the Content Engines.
Every content object acquired by running a crawler job has the same priority.
Three factors combine to determine content priority:
•
•
•
To calculate the content priority, use one of the following formulas:
If there is a priority value for this content specified (either by using the priority keyword or in the manifest file priority attribute), use the following formula:
content priority = channel priority * 10000 + item priority
where the item priority can be any integer and is unrestricted.
Note
If an object does not have a priority value specified in the manifest file priority attribute, use the following formula:
content priority = channel priority * 10000 + 10000 - item index
where the item index is the order in which the content is listed in the manifest file.
Note
Weak Certificate Verification
You can enable weak certificate verification for the manifest file. This setting is applicable when the manifest file is fetched using the HTTPS protocol.
Note
When you specify weak authentication within the manifest file by setting the sslAuthType attribute as weak, and if certain errors occur during certificate verification by the acquirer module, the content from that site will continue to be acquired. Possible errors are as follows:
•
•
•
•
•
•
•
•
•
•
•
Configuring Channel Options for Content Replication
The channel configuration offers various transmission options for replicating content; a channel can be configured for multicast and unicast (multicast with failover to unicast) or for unicast-only transmission.
When a channel is configured for multicast and unicast by specifying the multicast-enabled option, the receiver Content Engine uses unicast to download the content only after all carousel passes have been exhausted and after the preconfigured multicast transmission fails. In a multicast cloud configuration that uses a backup sender, when the channel is enabled for multicast and unicast, the failover to unicast occurs when the current active multicast sender has exhausted all the carousel passes for the file.
If the administrator wants the Content Engines to fall back to unicast (for example, with a multitier unicast deployment using a terrestrial multicast medium), the multicast cloud should be configured for a low number of carousel passes (such as 1, 2, or 3).
Designating the Root Content Engine
A root Content Engine is used to acquire content for a channel. A channel can have only one root Content Engine. We recommend that you choose a root Content Engine that has enough bandwidth to access the content at the origin server.
The root Content Engine is the one Content Engine that is authorized to go directly to the origin web server for content. The root Content Engine then publishes the content to other Content Engines in the channel. You must designate a root Content Engine for content distribution to take place.
To designate one Content Engine to be the root Content Engine for a channel, use the channel assign site-name channel-name channel-root root-ce-name command.
Note
Adding and Removing Content Engines from Channels
To add a Content Engine to a channel, use the channel assign site-name channel-name content-engine ce-name command.
To perform a bulk addition of all Content Engines in various locations to the channel, use the channel assign site-name channel-name content-engine all command.
To remove a Content Engine from a channel, use the channel un-assign site-name channel-name content-engine ce-name.
If the Content Engine that you removed was the root Content Engine, and if there is at least one Content Engine still assigned to the channel, you must designate a new root Content Engine.
To perform a bulk removal of all Content Engines from the selected channel, use the channel un-assign site-name channel-name content-engine all command.
Adding and Removing Device Groups from Channels
Device groups are assigned to channels using the channel EXEC command. Whenever a channel is created and additional device groups are added, or a channel assignment to the device group changes, devices in the group are notified of their assignment to the associated channel.
A many-to-many relationship exists between the device groups and the channels. A channel can have multiple device groups and device groups can belong to multiple channels.
You must have assigned Content Engines to a device group before you assign a device group to a channel.
To add a device group to a channel, use the channel assign site-name channel-name device-group ce-name command.
To perform a bulk addition of all device groups in various locations to the channel, use the channel assign site-name channel-name device-group all command.
To remove a device group from a channel, use the channel un-assign site-name channel-name device-group ce-name.
Note
To perform a bulk removal of all device groups from the selected channel, use the channel un-assign site-name channel-name device-group all command.
Manifest Files
The Cisco ACNS 5.x software manages the acquisition and distribution of the pre-positioned content through an Extensible Markup Language (XML)-based reference file called the manifest file. The manifest file lists the content that is to be used to populate Content Engines registered on a Cisco ACNS network. There should be one manifest file per channel.
The manifest file is placed on an origin server and identified by a unique URL. The location of the manifest file is specified when you enter the manifest file URL using the channel manifest-add command. The pre-positioned content is not stored on the Content Distribution Manager but is fetched from origin servers and distributed to Content Engines by a Content Engine that is a root Content Engine for the channel.
The Content Distribution Manager disseminates the manifest file URL to each of the root Content Engines on the ACNS network. The root Content Engine then parses the file and checks for any new or different information. After the root Content Engine determines what content is new, it fetches only that new content from the specified pre-positioned or live content from one or more origin servers.
The manifest file has the following features:
•
•
Content acquisition and distribution can be controlled by setting prescheduled content availability dates and times. Two content acquisition methods can be configured within the manifest file. The first method specifies the acquisition of a single <item>. The second method specifies the content acquisition by crawling a website or FTP server with the <crawler> feature. Either of these two methods can schedule when the acquisition is to start and how often its content is to be checked for freshness.
If a proxy server is configured, requests to fetch the manifest file from the origin server will go through the proxy server. The proxy configuration applies only to manifest files and not to the content acquisition. To configure proxy server information for content acquisition, use the acquirer proxy authentication global configuration command.
Use the ttl option in the channel manifest-add command or the time-to-live ttl option in the channel manifest-modify command to specify the Time To Live in minutes of the pre-positioned content retrieved by the manifest file. Beyond the time interval specified by the TTL, the ACNS software checks to see if the manifest file has been updated, and the updated manifest file is downloaded and reparsed. Also, regardless of whether the manifest file has been updated, all content in the channel is rechecked and the updated content is downloaded. Use the url option in the channel manifest-add and channel manifest-modify commands to specify the address of the manifest file for the channel. The manifest URL must be a well-formed URL. If the protocol (FTP, HTTP, or HTTPS) for the URL is not specified, HTTP is used. If you do not specify a manifest file URL, this channel will have no content. For more information on protocols that are used by the ACNS software to acquire content, see the following sections.
Using HTTP and HTTPS
Any standard web server supports the HTTP and HTTPS protocols. You can set up your web server as an origin server for the pre-positioned content intended for the ACNS network by moving the content over to the web server or by configuring the web server to access the desired content. The following two web servers are the most popular:
•
•
For the HTTP and HTTPS protocols, the content can be fetched as single content items by using the <item> tag in the manifest file, or the content can be fetched by using the crawling feature to crawl web server directories. The crawler crawls the folder hierarchy rather than parsing the HTML file. Therefore, if you want to use the crawl feature, you must enable directory indexing and make sure that the directory does not contain index.html, default.html, or home.html files.
Tip
Using FTP
The root Content Engine acquirer supports acquiring files from FTP servers. When you use FTP, the content can be acquired as single content items by using the <item> tag in the manifest file, or the content can be fetched by using the crawling feature to crawl the FTP server directories. In FTP acquisition, the crawler crawls the folder hierarchy rather than parsing the HTML file. The following popular FTP servers are supported:
•
•
•
•
Other supported Windows FTP servers are as follows:
•
•
•
•
You can use other FTP servers, as long as the following FTP commands are supported:
•
•
•
•
•
Secure FTP
The acquirer currently does not support secure FTP.
Examples
The following example creates a channel se1, configures it for multicast and unicast, and enables weak certificate verification for the manifest file:
ContentDistributionManager# channel create southeast se1 description salesoffice multicast-enabled weak-certificateThe following example assigns a root Content Engine to the channel se1:
ContentDistributionManager# channel assign southeast se1 channel-root salesThe following example shows the message that appears if there is no root Content Engine when you assign a Content Engine to the channel:
CDM# channel assign Website1 sample_channel content-engine CONTENTENGINEConstraint: A root CE must be assigned for the channel.The following example shows the message that appears if you unassign a root Content Engine from a channel that has been assigned with other Content Engines:
Mgt-CDM-507# channel un-assign agasweb2 dfg content-engine BACKUP-SENDER-53Constraint: Cannot delete the root CE since there are other CE(s) assigned to the channel. Select another root CE for the channel first, then do the deletion.The following example displays the command output when you assign a root Content Engine to the channel:
CDM# channel assign Website1 sample_channel channel-root CONTENTENGINEOperation completed successfullyThe following example assigns a Content Engine CE507 to the channel sample_channel:
CDM# channel assign Website1 sample_channel content-engine CE507Operation completed successfullyThe following example assigns all Content Engines in the ACNS network to the channel sample_channel:
CDM# channel assign Website1 sample_channel content-engine allOperation completed successfullyCDM#The following example unassigns a Content Engine CE507 to the channel sample_channel:
CDM# channel un-assign Website1 sample_channel content-engine CE507Operation completed successfullyThe following example unassigns all Content Engines in the ACNS network to the channel sample_channel:
CDM# channel un-assign Website1 sample_channel content-engine allOperation completed successfullyThe following example shows the message that appears in the output of the command when you assign a device group to a channel before assigning Content Engines to the device group:
CDM# channel assign Website1 sample_channel device-group DG1Constraint: Cannot assign an empty device group to a channel.The following example assigns a device group DG2 to the channel sample_channel:
CDM# channel assign Website1 sample_channel device-group DG2Operation completed successfullyThe following example assigns all device groups in the ACNS network to the channel sample_channel:
CDM# channel assign Website1 sample_channel device-group allOperation completed successfullyCDM#The following example unassigns a device group DG1 to the channel sample_channel:
CDM# channel un-assign Website1 sample_channel device-group DG1Operation completed successfullyThe following example assigns all device groups in the ACNS network to the channel sample_channel:
CDM# channel un-assign Website1 sample_channel device-group allOperation completed successfullychannel-group
To add the current interface to an EtherChannel group, use the channel-group interface configuration command. To remove the interface from an EtherChannel group, use the no form of this command.
channel-group {1 | 2}
no channel-group {1 | 2}
Syntax Description
Defaults
No default behavior or values
Command Modes
interface configuration
Usage Guidelines
EtherChannel provides incremental trunk speeds between Fast Ethernet and Gigabit Ethernet or even at speeds greater than Gigabit Ethernet. EtherChannel combines multiple Fast Ethernet interfaces up to 400 Mbps or Gigabit Ethernet interfaces up to 2 Gbps. EtherChannel provides fault-tolerant, high-speed links between switches, routers, and servers.
EtherChannel for the ACNS 5.x software supports grouping of up to four same-speed network interfaces into one virtual interface. This grouping allows the addition or removal of a virtual interface that consists of two, three, or four Fast Ethernet or two Gigabit Ethernet interfaces; interoperability with Cisco routers, switches, and other networking devices or hosts supporting EtherChannel; and automatic failure detection and recovery based on each interface's current link status.
Use the channel-group command to add and remove the port-channel group ID number. The ID number is either 1 or 2. The channel-group and ip address commands add a physical Fast Ethernet port to a previously created Fast EtherChannel. The channel number is the same as the channel number specified when the port-channel interface command is used to create either a Fast Ethernet or a Gigabit Ethernet channel.
Note
Examples
The following example adds an interface to a channel group:
ContentEngine# configContentEngine(config)# interface fastEthernet 0/3ContentEngine(config-if)# no ip addressContentEngine(config-if)# channel-group 1ContentEngine(config-if)# exitThe following example removes the group ID number from a channel group:
ContentEngine(config)# interface fastEthernet 0/3ContentEngine(config-if)# no channel-group 1ContentEngine(config-if)# exitRelated Commands
interface
port-channel
show interface
show running-config
show startup-configclear
To clear the HTTP object cache, the hardware interface, statistics, archive working transaction logs, and other settings, use the clear EXEC command.
clear bypass {counters | list}
clear cache [all | dns [domain domainname | hostname hostname] | http [url url] | media-real | wmt]
clear cdp {counters | table}
clear ip access-list counters [acl-num | acl-name]
clear logging
clear statistics {access-lists 300 | all | authentication | bandwidth advanced errors | cifs-server | content-routing | distribution {all | mcast-data-receiver | mcast-data-sender | metadata-receiver | metadata-sender | unicast-data-receiver | unicast-data-sender} | dns-cache | ftp-native | ftp-over-http | history | http {all | cluster | ims | monitor [url url] | object | outgoing | proxy outgoing | requests | response | savings} | http-authcache | https [requests] | icap | icmp | icp {all | client | server} | ip | ldap | ntlm | pac-file-server | pre-load | radius | rtsp {proxy media-real | server cisco-streaming-engine} | rule {action action-type | all | rtsp} | running | tacacs | tcp | tftp | transaction-logs | tvout | udp | url-filter {http {local-list | N2H2 | websense} | rtsp local-list | wmt local-list} | wmt}
clear transaction-log
clear users {administrative | request-authenticated}
clear wmt {incoming | outgoing | stream-id 1-999999}
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Usage Guidelines
The clear cache command removes all cached contents from the currently mounted cfs volumes. Objects being read or written are removed when they stop being busy. The equivalent to this command is the cache clear or cfs clear command.
Caution
The clear cache force command deletes all objects, whether busy or not, and may generate broken GIF or HTML messages for objects that were being read from the disk when the command was executed. If an object is being written to the Content Engine disk when a clear cache force command is executed, the application stops caching that object but still delivers the object from the web server to the client.
The clear logging command removes all current entries from the syslog.txt file, but does not make an archive of the file. It puts a "Syslog cleared" message in the syslog.txt file to indicate that the syslog has been cleared, as shown in the following example:
Feb 14 12:17:18 ContentEngine# exec_clear_logging:Syslog clearedThe clear statistics command clears all statistical counters from the parameters given. Use this command to monitor fresh statistical data for some or all features without losing cached objects or configurations.
The clear transaction-log command causes the transaction log to be archived immediately to the Content Engine hard disk. This command has the same effect as the transaction-log force archive command.
The clear users administrative command clears the connections for all administrative users who are authenticated through a remote login service, such as TACACS. This command does not affect an administrative user who is authenticated through the local database.
Examples
The following example shows that the clear bypass list option purges all the entries in the bypass list:
ContentEngine# clear bypass listThe following example shows that the clear transaction-log option forces the working transaction log file to be archived:
ContentEngine# clear transaction-logThe following example shows that the clear statistics http cluster command resets the healing mode statistics:
ContentEngine(config)# clear statistics http clusterRelated Commands
cache clear
cfs clear
show interface
show statistics
show wccp
