Specifications | Cisco Systems 6500 Switch User Manual

Catalyst 6500 Series Switch
SSL Services Module Command Reference
Release 3.1
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-9105-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn,
and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco
Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel,
EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard,
LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect,
RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or
its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0601R)
Catalyst 6500 Series Switch SSL Services Module Command Reference
© 2006 Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface  vii
  Audience  vii
  Organization  vii
  Related Documentation  vii
  Conventions  viii
  Obtaining Documentation  ix
    Cisco.com  ix
    Product Documentation DVD  ix
    Ordering Documentation  x
  Documentation Feedback  x
  Cisco Product Security Overview  x
    Reporting Security Problems in Cisco Products  xi
  Obtaining Technical Assistance  xi
    Cisco Technical Support & Documentation Website  xi
    Submitting a Service Request  xii
    Definitions of Service Request Severity  xii
  Obtaining Additional Publications and Information  xiii

CHAPTER 1  Command-Line Interface  1-1
  Getting Help  1-1
  How to Find Command Options  1-2
  Understanding Command Modes  1-5
    Cisco IOS User Interface  1-5
  Using the No and Default Forms of Commands  1-6
  Using the CLI String Search  1-7
    Regular Expressions  1-7
      Alternation  1-10
      Anchoring  1-10
      Parentheses for Recall  1-11

CHAPTER 2  Commands for the Catalyst 6500 Series Switch SSL Services Module  2-1
  clear ssl-proxy conn  2-2
  clear ssl-proxy content  2-3
  clear ssl-proxy session  2-4
  clear ssl-proxy stats  2-5
  crypto pki export pem  2-7
  crypto pki import pem  2-9
  crypto pki export pkcs12  2-11
  crypto pki import pkcs12  2-13
  crypto key decrypt rsa  2-15
  crypto key encrypt rsa  2-16
  crypto key export rsa pem  2-17
  crypto key import rsa pem  2-19
  crypto key lock rsa  2-21
  crypto key unlock rsa  2-22
  debug ssl-proxy  2-23
  do  2-26
  interface ssl-proxy  2-27
  natpool  2-30
  policy health-probe tcp  2-31
  policy http-header  2-34
  policy ssl  2-39
  policy tcp  2-45
  policy url-rewrite  2-49
  pool ca  2-51
  service  2-52
  service client  2-56
  show interfaces ssl-proxy  2-59
  show ssl-proxy buffers  2-60
  show ssl-proxy certificate-history  2-61
  show ssl-proxy conn  2-64
  show ssl-proxy context  2-67
  show ssl-proxy crash-info  2-68
  show ssl-proxy mac address  2-70
  show ssl-proxy natpool  2-71
  show ssl-proxy policy  2-72
  show ssl-proxy service  2-75
  show ssl-proxy stats  2-77
  show ssl-proxy status  2-82
  show ssl-proxy version  2-84
  show ssl-proxy vlan  2-85
  snmp-server enable  2-86
  ssl-proxy context  2-87
  ssl-proxy crypto selftest  2-89
  ssl-proxy mac address  2-90
  ssl-proxy pki  2-91
  ssl-proxy crypto key unlock rsa  2-93
  ssl-proxy ip-frag-ttl  2-94
  ssl-proxy ssl ratelimit  2-95
  standby authentication  2-96
  standby delay minimum reload  2-97
  standby ip  2-99
  standby mac-address  2-101
  standby mac-refresh  2-103
  standby name  2-104
  standby preempt  2-105
  standby priority  2-107
  standby redirects  2-109
  standby timers  2-111
  standby track  2-113
  standby use-bia  2-115
  standby version  2-116

APPENDIX A  Acronyms  A-1

APPENDIX B  Acknowledgments for Open-Source Software  B-1

INDEX
Preface
This preface describes the audience, organization, and conventions of this publication, and provides
information on how to obtain related documentation.
Audience
This publication is for experienced network administrators who are responsible for configuring and
maintaining Catalyst 6500 series switches.
Organization
This publication is organized as follows:
Chapter 1, Command-Line Interface: Describes the Catalyst 6500 series switch CLI.
Chapter 2, Commands for the Catalyst 6500 Series Switch SSL Services Module: Lists alphabetically and provides detailed information for commands specific to the Catalyst 6500 series switch SSL Services Module.
Appendix A, Acronyms: Defines the acronyms used in this publication.
Related Documentation
The Catalyst 6500 series switch Cisco IOS documentation set includes these documents:
• Release Notes for Catalyst 6500 Series Switch SSL Services Module Release 3.x
• Catalyst 6500 Series Switch SSL Services Module Configuration Note
• Catalyst 6500 Series Switch SSL Services Module System Message Guide
• Catalyst 6500 Series Switch SSL Services Module Installation and Verification Note
• Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide
The Cisco IOS documentation set includes these documents:
• Configuration Fundamentals Configuration Guide
• Command Reference
For information about MIBs, refer to this URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Conventions
This document uses the following conventions:

Convention            Description
boldface font         Commands, command options, and keywords are in boldface.
italic font           Arguments for which you supply values are in italics.
[ ]                   Elements in square brackets are optional.
{x|y|z}               Alternative keywords are grouped in braces and separated by vertical bars. Braces can also be used to group keywords and/or arguments; for example, {interface interface type}.
[x|y|z]               Optional alternative keywords are grouped in brackets and separated by vertical bars.
string                A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
screen font           Terminal sessions and information the system displays are in screen font.
boldface screen font  Information you must enter is in boldface screen font.
italic screen font    Arguments for which you supply values are in italic screen font.
^                     The symbol ^ represents the key labeled Control—for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< >                   Nonprinting characters, such as passwords, are in angle brackets.
[ ]                   Default responses to system prompts are in square brackets.
!, #                  An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Notes use the following conventions:
Note
Means reader take note. Notes contain helpful suggestions or references to material not covered in
the publication.
Cautions use the following conventions:
Caution
Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
Cisco documentation and additional literature are available in the Product Documentation DVD
package, which may have shipped with your product. The Product Documentation DVD is updated
regularly and may be more current than printed documentation.
The Product Documentation DVD is a comprehensive library of technical product documentation on
portable media. The DVD enables you to access multiple versions of hardware and software installation,
configuration, and command guides for Cisco products and to view technical documentation in HTML.
With the DVD, you have access to the same documentation that is found on the Cisco website without
being connected to the Internet. Certain products also have .pdf versions of the documentation available.
The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com
users (Cisco direct customers) can order a Product Documentation DVD (product number
DOC-DOCDVD=) from Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Ordering Documentation
Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product
Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m.
(0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by
calling 011 408 519-5055. You can also order documentation by e-mail at
tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada,
or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback
form that appears with the technical documents on Cisco.com.
You can send comments about Cisco documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
• Report security vulnerabilities in Cisco products.
• Obtain assistance with security incidents that involve Cisco products.
• Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product
Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release
them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a
vulnerability in a Cisco product, contact PSIRT:
• Emergencies — security-alert@cisco.com
  An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
• Nonemergencies — psirt@cisco.com
Tip: In an emergency, you can also reach PSIRT by telephone:
• 1 877 228-7302
• 1 408 525-6532
We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive
information that you send to Cisco. PSIRT can work from encrypted information that is compatible with
PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence
with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page
at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco
Technical Support & Documentation website on Cisco.com features extensive online support resources.
In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC)
engineers provide telephone support. If you do not have a valid Cisco service contract, contact your
reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for
troubleshooting and resolving technical issues with Cisco products and technologies. The website is
available 24 hours a day, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user
ID and password. If you have a valid service contract but do not have a user ID or password, you can
register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note
Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support &
Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose
Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco
Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by
product ID or model name; by tree view; or for certain products, by copying and pasting show command
output. Search results show an illustration of your product with the serial number label location
highlighted. Locate the serial number label on your product and record the information before placing a
service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3
and S4 service requests are those in which your network is minimally impaired or for which you require
product information.) After you describe your situation, the TAC Service Request Tool provides
recommended solutions. If your issue is not resolved using the recommended resources, your service
request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone.
(S1 or S2 service requests are those in which your production network is down or severely degraded.)
Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business
operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity
definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You
and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your
business operation are negatively affected by inadequate performance of Cisco products. You and Cisco
will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations
remain functional. You and Cisco will commit resources during normal business hours to restore service
to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
  http://www.cisco.com/go/marketplace/
• Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
  http://www.ciscopress.com
• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
  http://www.cisco.com/packet
• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
  http://www.cisco.com/go/iqmagazine
  or view the digital edition at this URL:
  http://ciscoiq.texterity.com/ciscoiq/sample/
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
  http://www.cisco.com/ipj
• Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:
  http://www.cisco.com/en/US/products/index.html
• Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:
  http://www.cisco.com/discuss/networking
• World-class networking training is available from Cisco. You can view current offerings at this URL:
  http://www.cisco.com/en/US/learning/index.html
CHAPTER 1
Command-Line Interface
This chapter provides information for understanding and using the Catalyst 6500 series switch SSL
Services Module software using the command-line interface (CLI). The CLI for the Catalyst 6500 series
switch SSL Services Module is based on the Cisco IOS CLI. For information about Cisco IOS
commands that are not contained in this publication, refer to the current Cisco IOS documentation
including:
• Cisco IOS Release 12.2 Configuration Fundamentals Configuration Guide
• Cisco IOS Release 12.2 Command Reference
This chapter includes the following sections:
• Getting Help, page 1-1
• How to Find Command Options, page 1-2
• Understanding Command Modes, page 1-5
• Using the No and Default Forms of Commands, page 1-6
• Using the CLI String Search, page 1-7
Getting Help
To obtain a list of commands that are available for each command mode, enter a question mark (?) at the
system prompt. You also can obtain a list of any command’s associated keywords and arguments with
the context-sensitive help feature.
Table 1-1 lists commands that you can enter to get help that is specific to a command mode, a command,
a keyword, or an argument.
Table 1-1 Getting Help

Command                         Purpose
abbreviated-command-entry?      Obtain a list of commands that begin with a particular character string. (Do not leave a space between the command and question mark.)
abbreviated-command-entry<Tab>  Complete a partial command name.
?                               List all commands available for a particular command mode.
command ?                       List a command's associated keywords. Leave a space between the command and question mark.
command keyword ?               List a keyword's associated arguments. Leave a space between the keyword and question mark.
This example shows how to obtain a list of commands that begin with a particular character string or
complete a partial command name:
ssl-proxy# tu?
tunnel
simpson1-2# tu
This example shows how to list all commands available for a particular command mode:
ssl-proxy(config)# ?
Configure commands:
  aaa            Authentication, Authorization and Accountin
  access-list    Add an access list entry
  alias          Create command alias
  arp            Set a static ARP entry
  async-bootp    Modify system bootp parameters
  banner         Define a login banner
  boot           Modify system boot parameters
  bridge         Bridge Group.
  buffers        Adjust system buffer pool parameters
  cdp            Global CDP configuration subcommands
  class-map      Configure QoS Class Map
  .
  .
  .
Output is truncated.
This example shows how to list a keyword’s associated arguments:
ssl-proxy(config-if)# channel-group 1 mode ?
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
ssl-proxy(config-if)#
How to Find Command Options
This section provides an example of how to display syntax for a command. The syntax can consist of
optional or required keywords. To display keywords for a command, enter a question mark (?) at the
configuration prompt or after entering part of a command followed by a space. The Catalyst 6500 series
SSL Services Module software displays a list of available keywords along with a brief description of the
keywords. For example, if you are in global configuration mode and want to see all the keywords for the
ssl-proxy command, you enter ssl-proxy ?.
Table 1-2 shows examples of how you can use the question mark (?) to assist you in entering commands.

Table 1-2 How to Find Command Options

Command:
  ssl-proxy> enable
  Password: <password>
  ssl-proxy#
Comment: Enter the enable command and password to access privileged EXEC commands. You are in privileged EXEC mode when the prompt changes to ssl-proxy#.

Command:
  ssl-proxy# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  ssl-proxy(config)#
Comment: Enter global configuration mode. You are in global configuration mode when the prompt changes to ssl-proxy(config)#.

Command:
  ssl-proxy(config)# crypto ca trustpoint trustpoint-label
  ssl-proxy(ca-trustpoint)#
Comment: Enter the configuration submode. You are in the configuration submode when the prompt displays the submode, for example: ssl-proxy(ca-trustpoint)#.

Command:
  ssl-proxy(config)# interface type mod/port
  ssl-proxy(config-if)#
Comment: From the global configuration mode, you can also enter the interface configuration mode by entering the interface global configuration command. You are in interface configuration mode when the prompt changes to ssl-proxy(config-if)#.

Command:
  ssl-proxy(config-if)# channel-group ?
    group  channel-group of the interface
  ssl-proxy(config-if)# channel-group
Comment: Enter the command that you want to configure for the controller. In this example, the channel-group command is used. Enter a ? to display what you must enter next on the command line. In this example, you must enter the group keyword. Because a <cr> is not displayed, it indicates that you must enter more information to complete the command.

Command:
  ssl-proxy(config-if)# channel-group group ?
    <1-256>  Channel group number
  ssl-proxy(config-if)# channel-group group
Comment: After you enter the group keyword, enter a ? to display what you must enter next on the command line. In this example, you must enter a channel group number from 1 to 256. Because a <cr> is not displayed, it indicates that you must enter more information to complete the command.

Command:
  ssl-proxy(config-if)# channel-group 1 ?
    mode  Etherchannel Mode of the interface
  ssl-proxy(config-if)#
Comment: After you enter the channel group number, enter a ? to display what you must enter next on the command line. In this example, you must enter the mode keyword. Because a <cr> is not displayed, it indicates that you must enter more information to complete the command.

Command:
  ssl-proxy(config-if)# channel-group 1 mode ?
    auto       Enable PAgP only if a PAgP device is detected
    desirable  Enable PAgP unconditionally
    on         Enable Etherchannel only
  ssl-proxy(config-if)#
Comment: After you enter the mode keyword, enter a ? to display what you must enter next on the command line. In this example, you must enter the auto, desirable, or on keyword. Because a <cr> is not displayed, it indicates that you must enter more information to complete the command.

Command:
  ssl-proxy(config-if)# channel-group 1 mode auto ?
    <cr>
  ssl-proxy(config-if)#
Comment: In this example, the auto keyword is entered. After you enter the auto keyword, enter a ? to display what you must enter next on the command line. Because a <cr> is displayed, it indicates that you can press Return to complete the command. If additional keywords are listed, you can enter more keywords or press Return to complete the command.

Command:
  ssl-proxy(config-if)# channel-group 1 mode auto
  ssl-proxy(config-if)#
Comment: In this example, press Return to complete the command.
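The "Getting Help" and "How to Find Command Options" sections both describe the same output format: after a trailing "?", the module prints one keyword (or argument range) per line with its description, and prints "<cr>" when the command entered so far is already complete. The following Python parser is an added example written for this page, not code from the manual or from Cisco; it turns a captured help listing into a keyword table and applies the "is a <cr> displayed?" rule from Table 1-2, which is what an automation or audit script needs when it walks the CLI to record which keywords a given mode exposes. The sample captures are constructed to mirror the channel-group walk-through above; the prompt pattern (a hostname optionally followed by a parenthesised mode and ending in "#" or ">") is an assumption about the prompt shapes shown in this chapter.

```python
import re
from dataclasses import dataclass, field

# A prompt looks like "ssl-proxy>", "ssl-proxy#" or "ssl-proxy(config-if)#" (assumption
# based on the prompts shown in this chapter). Option lines such as "<cr>" or "<1-256>"
# start with "<", so they never match this pattern.
PROMPT_RE = re.compile(r"^[A-Za-z][\w.-]*(\([\w-]+\))?[#>]")


@dataclass
class HelpResult:
    command: str = ""                            # text the operator typed before the "?"
    options: dict = field(default_factory=dict)  # keyword -> description ("<cr>" -> "")
    complete: bool = False                       # True when "<cr>" was listed

    def choices(self):
        """Keywords or argument ranges still available, excluding <cr>."""
        return [k for k in self.options if k != "<cr>"]


def parse_help_output(capture: str) -> HelpResult:
    """Parse the text the module prints after a trailing '?'."""
    result = HelpResult()
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROMPT_RE.match(line)
        if m:
            # Either the echoed "prompt command ?" line or the bare prompt printed afterwards.
            rest = line[m.end():].strip()
            if rest.endswith("?"):
                result.command = rest[:-1].strip()
            continue
        # Keyword and description are separated by two or more spaces.
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        keyword = parts[0]
        result.options[keyword] = parts[1] if len(parts) > 1 else ""
        if keyword == "<cr>":
            result.complete = True
    return result


def next_step(result: HelpResult) -> str:
    """Mirror the Table 1-2 commentary: what the operator has to do next."""
    choices = result.choices()
    if result.complete and not choices:
        return "press Return to complete the command"
    if result.complete:
        return "press Return or enter one of: " + ", ".join(choices)
    return "enter one of: " + ", ".join(choices)


# Constructed captures, modelled on the channel-group walk-through in Table 1-2.
SAMPLE_MODE = """\
ssl-proxy(config-if)# channel-group 1 mode ?
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
ssl-proxy(config-if)#
"""
SAMPLE_GROUP = """\
ssl-proxy(config-if)# channel-group group ?
  <1-256>  Channel group number
ssl-proxy(config-if)#
"""
SAMPLE_DONE = """\
ssl-proxy(config-if)# channel-group 1 mode auto ?
  <cr>
ssl-proxy(config-if)#
"""

if __name__ == "__main__":
    for sample in (SAMPLE_MODE, SAMPLE_GROUP, SAMPLE_DONE):
        r = parse_help_output(sample)
        print(f"{r.command!r}: {next_step(r)}")
```

Splitting on two or more spaces rather than on the first space matters because keywords never contain double spaces while descriptions such as "Enable PAgP only if a PAgP device is detected" contain many single ones; the prompt check has to run before that split so the echoed command line is not mistaken for a keyword.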
Understanding Command Modes
This section contains descriptions of the command modes for the Cisco IOS user interface.
Cisco IOS User Interface
The Cisco IOS user interface is divided into many different modes. The commands that are available to
you depend on which mode you are currently in. You can obtain a list of commands that are available
for each command mode by entering a question mark (?) at the system prompt.
When you start a session on the Catalyst 6500 series switch, you begin in user mode, often called EXEC
mode. Only a limited subset of the commands are available in EXEC mode. In order to have access to
all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter
privileged EXEC mode. From privileged EXEC mode, you can enter any EXEC command or enter global
configuration mode. Most EXEC commands are one-time commands, such as show commands, which
show the current status of a given item, and clear commands, which clear counters or interfaces. The
EXEC commands are not saved across reboots of the Catalyst 6500 series switch.
The configuration modes allow you to make changes to the running configuration. If you later save the
configuration, these commands are stored across Catalyst 6500 series switch reboots. In order to get to
the various configuration modes, you must start at global configuration mode where you can enter
interface configuration mode, subinterface configuration mode, and a variety of protocol-specific modes.
ROM-monitor mode is a separate mode that is used when the Catalyst 6500 series switch cannot boot
properly. If your Catalyst 6500 series switch or access server does not find a valid system image when
it is booting, or if its configuration file is corrupted at startup, the system might enter ROM-monitor
mode.
Table 1-3 provides a summary of the main command modes.

Table 1-3 Summary of Main Command Modes

Command Mode: User EXEC
Access Method: Log in.
Prompt: ssl-proxy>
Exit Method: Use the logout command.

Command Mode: Privileged EXEC
Access Method: From user EXEC mode, enter the enable EXEC command.
Prompt: ssl-proxy#
Exit Method: To exit to user EXEC mode, enter the disable command. To enter global configuration mode, enter the configure terminal privileged EXEC command.

Command Mode: Global configuration
Access Method: From privileged EXEC mode, enter the configure terminal privileged EXEC command.
Prompt: ssl-proxy(config)#
Exit Method: To exit to privileged EXEC mode, enter the exit or end command or press Ctrl-Z. To enter interface configuration mode, enter an interface configuration command.

Command Mode: Global configuration submode
Access Method: From global configuration mode, enter a submode command.
Prompt: ssl-proxy(config-submode)#
Exit Method: To exit to global configuration submode, enter the exit command.

Command Mode: Interface configuration
Access Method: From global configuration mode, enter by specifying an interface with an interface command.
Prompt: ssl-proxy(config-if)#
Exit Method: To exit to global configuration mode, enter the exit command. To exit to privileged EXEC mode, enter the exit command or press Ctrl-Z. To enter subinterface configuration mode, specify a subinterface with the interface command.

Command Mode: Subinterface configuration
Access Method: From interface configuration mode, specify a subinterface with an interface command.
Prompt: ssl-proxy(config-subinterface)#
Exit Method: To exit to global configuration mode, enter the exit command. To enter privileged EXEC mode, enter the end command or press Ctrl-Z.

Command Mode: ROM monitor
Access Method: From privileged EXEC mode, enter the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting.
Prompt: Rommon>
Exit Method: To exit ROM-monitor mode, you must reload the image by entering the boot command. If you use the boot command without specifying a file or any other boot instructions, the system boots from the default Flash image (the first image in onboard Flash memory). Otherwise, you can instruct the system to boot from a specific Flash image (using the boot system flash filename command).
For more information on command modes, refer to the “Using the Command Line Interface” chapter of
the Configuration Fundamentals Configuration Guide.
Note
You can issue EXEC-level Cisco IOS commands (such as show, clear, and debug commands) from
within global configuration mode or other modes by issuing the do command followed by the EXEC
command. See the do command for information on how to use this command.
Using the No and Default Forms of Commands
Almost every configuration command has a no form. In general, enter the no form to disable a function.
Use the command without the keyword no to reenable a disabled function or to enable a function that is
disabled by default. For example, IP routing is enabled by default. To disable IP routing, specify the
no ip routing command and specify the ip routing command to reenable it. This publication provides
the complete syntax for the configuration commands and describes what the no form of a command does.
Configuration commands can have a default form. The default form of a command returns the command
setting to its default. Most commands are disabled by default, so the default form is the same as the no
form. However, some commands are enabled by default and have variables set to certain default values.
In these cases, the default form of the command enables the command and sets variables to their default
values. This publication describes what the default form of a command does if the command is not the
same as the no form.
Using the CLI String Search
The pattern in the command output is referred to as a string. The CLI string search feature allows you to
search or filter any show or more command output and allows you to search and filter at --More-- prompts.
This feature is useful when you need to sort through large amounts of output, or if you want to exclude
output that you do not need to see.
With the search function, you can begin unfiltered output at the first line that contains a regular
expression that you specify. You can then specify a maximum of one filter per command or start a new
search from the --More-- prompt.
A regular expression is a pattern (a phrase, number, or more complex pattern) that software uses to match
against show or more command output. Regular expressions are case sensitive and allow for complex
matching requirements. Examples of simple regular expressions are Serial, misses, and 138. Examples
of complex regular expressions are 00210..., ( is ), and [Oo]utput.
You can perform three types of filtering:
• Use the begin keyword to begin output with the line that contains a specified regular expression.
• Use the include keyword to include output lines that contain a specified regular expression.
• Use the exclude keyword to exclude output lines that contain a specified regular expression.
You can then search this filtered output at the --More-- prompts.
Note
The CLI string search function does not allow you to search or filter backward through previous output;
filtering cannot be specified using HTTP access to the CLI.
Regular Expressions
A regular expression can be a single character that matches the same single character in the command
output or multiple characters that match the same multiple characters in the command output. This
section describes how to create both single-character patterns and multiple-character patterns and how
to create more complex regular expressions using multipliers, alternation, anchoring, and parentheses.
Single-Character Patterns
The simplest regular expression is a single character that matches the same single character in the
command output. You can use any letter (A-Z, a-z) or digit (0-9) as a single-character pattern. You can
also use other keyboard characters (such as ! or ~) as single-character patterns, but certain keyboard
characters have special meaning when used in regular expressions. Table 1-4 lists the keyboard
characters with special meaning.
Table 1-4 Characters with Special Meaning

Character        Special Meaning
.                Matches any single character, including white space.
*                Matches 0 or more sequences of the pattern.
+                Matches 1 or more sequences of the pattern.
?                Matches 0 or 1 occurrences of the pattern.
Table 1-4 Characters with Special Meaning (continued)

Character        Special Meaning
^                Matches the beginning of the string.
$                Matches the end of the string.
_ (underscore)   Matches a comma (,), left brace ({), right brace (}), left parenthesis ( ( ),
                 right parenthesis ( ) ), the beginning of the string, the end of the string, or a
                 space.
To enter these special characters as single-character patterns, remove the special meaning by preceding
each character with a backslash (\). These examples are single-character patterns matching a dollar sign,
an underscore, and a plus sign, respectively.
\$ \_ \+
You can specify a range of single-character patterns to match against command output. For example, you
can create a regular expression that matches a string containing one of the following letters: a, e, i, o, or
u. One and only one of these characters must exist in the string for pattern matching to succeed. To
specify a range of single-character patterns, enclose the single-character patterns in square brackets
([ ]). For example,
[aeiou]
matches any one of the five vowels of the lowercase alphabet, while
[abcdABCD]
matches any one of the first four letters of the lower- or uppercase alphabet.
You can simplify ranges by entering only the end points of the range separated by a dash (-). Simplify
the previous range as follows:
[a-dA-D]
To add a dash as a single-character pattern in your range, include another dash and precede it with a
backslash:
[a-dA-D\-]
You can also include a right square bracket (]) as a single-character pattern in your range. To do so, enter
the following:
[a-dA-D\-\]]
The previous example matches any one of the first four letters of the lower- or uppercase alphabet, a
dash, or a right square bracket.
You can reverse the matching of the range by including a caret (^) at the start of the range. This example
matches any letter except the ones listed:
[^a-dqsv]
This example matches anything except a right square bracket (]) or the letter d:
[^\]d]
Multiple-Character Patterns
When creating regular expressions, you can also specify a pattern containing multiple characters. You
create multiple-character regular expressions by joining letters, digits, or keyboard characters that do not
have special meaning. For example, a4% is a multiple-character regular expression. Put a backslash in
front of the keyboard characters that have special meaning when you want to remove their special
meaning.
With multiple-character patterns, order is important. The regular expression a4% matches the character a
followed by a 4 followed by a % sign. If the string does not have a4%, in that order, pattern matching
fails. This multiple-character regular expression
a.
uses the special meaning of the period character to match the letter a followed by any single character.
With this example, the strings ab, a!, or a2 are all valid matches for the regular expression.
You can remove the special meaning of the period character by putting a backslash in front of it. In the
following expression
a\.
only the string a. matches this regular expression.
You can create a multiple-character regular expression containing all letters, all digits, all keyboard
characters, or a combination of letters, digits, and other keyboard characters. These examples are all
valid regular expressions:
telebit 3107 v32bis
Multipliers
You can create more complex regular expressions to match multiple occurrences of a specified regular
expression by using some special characters with your single- and multiple-character patterns. Table 1-5
lists the special characters that specify “multiples” of a regular expression.
Table 1-5 Special Characters Used as Multipliers

Character   Description
*           Matches 0 or more single- or multiple-character patterns.
+           Matches 1 or more single- or multiple-character patterns.
?           Matches 0 or 1 occurrences of the single- or multiple-character patterns.
This example matches any number of occurrences of the letter a, including none:
a*
This pattern requires that at least one letter a in the string is matched:
a+
This pattern matches the string bb or bab:
ba?b
This string matches any number of asterisks (*):
\**
To use multipliers with multiple-character patterns, you enclose the pattern in parentheses. In the
following example, the pattern matches any number of the multiple-character string ab:
(ab)*
As a more complex example, this pattern matches one or more instances of alphanumeric pairs (but not
none; that is, an empty string is not a match):
([A-Za-z][0-9])+
The order for matches using multipliers (*, +, or ?) is to put the longest construct first. Nested constructs
are matched from outside to inside. Concatenated constructs are matched beginning at the left side of the
construct. The regular expression matches A9b3, but not 9Ab3 because the letters are specified before
the numbers.
Alternation
Alternation allows you to specify alternative patterns to match against a string. You separate the
alternative patterns with a vertical bar (|). Exactly one of the alternatives can match the string. For
example, the regular expression
codex | telebit
matches the string codex or the string telebit, but not both codex and telebit.
Anchoring
You can match a regular expression pattern against the beginning or the end of the string. That is, you
can specify that the beginning or end of a string contains a specific pattern. You “anchor” these regular
expressions to a portion of the string using the special characters shown in Table 1-6.
Table 1-6 Special Characters Used for Anchoring

Character   Description
^           Matches the beginning of the string.
$           Matches the end of the string.
This regular expression matches a string only if the string starts with abcd:
^abcd
In contrast, this expression is in a range that matches any single letter, as long as it is not the letters a, b,
c, or d:
[^abcd]
With this example, the regular expression matches a string that ends with .12:
$\.12
Contrast these anchoring characters with the special character underscore (_). The underscore matches
the beginning of a string (^), the end of a string ($), parentheses ( ), space ( ), braces { }, comma (,), or
underscore (_). With the underscore character, you can specify that a pattern exist anywhere in the string.
For example,
_1300_
matches any string that has 1300 somewhere in the string. The string’s 1300 can be preceded by or end
with a space, brace, comma, or underscore. For example,
{1300_
matches the regular expression, but 21300 and 13000 do not.
Using the underscore character, you can replace long regular expression lists, such as the following:
^1300$ ^1300(space) (space)1300 {1300, ,1300, {1300} ,1300, (1300
with
_1300_
Parentheses for Recall
As shown in the “Multipliers” section on page 1-9, you use parentheses with multiple-character regular
expressions to multiply the occurrence of a pattern. You can also use parentheses around a single- or
multiple-character pattern to remember a pattern for use elsewhere in the regular expression.
To create a regular expression that recalls a previous pattern, you use parentheses to indicate a
remembered specific pattern and a backslash (\) followed by an integer to reuse the remembered pattern.
The integer specifies the occurrence of the parentheses in the regular expression pattern. If you have
more than one remembered pattern in your regular expression, then \1 indicates the first remembered
pattern, \2 indicates the second remembered pattern, and so on.
This regular expression uses parentheses for recall:
a(.)bc(.)\1\2
This regular expression matches an a followed by any character (call it character 1), followed by bc,
followed by any character (character 2), followed by character 1 again, and then followed by character 2
again. The regular expression can match aZbcTZT. The software remembers that character 1 is Z and
character 2 is T and then uses Z and T again later in the regular expression.
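The string search rules described in this section (the begin, include, and exclude filters, the underscore's special meaning, and parentheses for recall), as an added Python example that is not part of Cisco's documentation: it translates an IOS-style pattern into one a standard regular-expression engine accepts (only the underscore needs translating) and applies the three filters to constructed sample output lines, which are not real output from the module.

```python
import re

# Cisco IOS gives the underscore a special meaning (Table 1-4): it matches a
# comma, a brace, a parenthesis, a space, an underscore, or the beginning or
# end of the string. Standard regex engines have no such character, so the
# translation below expands it; a non-capturing group is used so that the
# parentheses-for-recall numbering (\1, \2, ...) is not shifted.
_UNDERSCORE = r"(?:^|$|[,{}() _])"


def ios_to_python(pattern):
    """Translate an IOS-style pattern into one Python's re module accepts."""
    out = []
    in_class = False   # inside [...] the underscore is an ordinary character
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # \_ is a literal underscore; other escapes (\$, \+, \], \1 ...) pass through
            out.append("_" if nxt == "_" else pattern[i:i + 2])
            i += 2
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        out.append(_UNDERSCORE if (c == "_" and not in_class) else c)
        i += 1
    return "".join(out)


def ios_match(pattern, text):
    """True if the IOS-style pattern matches anywhere in text (unanchored search)."""
    return re.search(ios_to_python(pattern), text) is not None


def filter_output(lines, keyword, pattern):
    """Apply the begin, include, or exclude filter to a list of output lines."""
    rx = re.compile(ios_to_python(pattern))
    if keyword == "begin":
        # Output starts at the first matching line and continues unfiltered.
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]
        return []
    if keyword == "include":
        return [line for line in lines if rx.search(line)]
    if keyword == "exclude":
        return [line for line in lines if not rx.search(line)]
    raise ValueError("keyword must be begin, include, or exclude")


# Constructed sample output; this is not real show command output.
SAMPLE_OUTPUT = [
    "Service S6",
    "  virtual ip 10.1.1.1 port 443",
    "  conns 1300",
    "Service S7",
    "  virtual ip 10.1.1.2 port 1300",
    "  conns 21300",
]

if __name__ == "__main__":
    # _1300_ picks out lines that contain 1300 as a whole token, not 21300.
    for line in filter_output(SAMPLE_OUTPUT, "include", "_1300_"):
        print(line)
```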
Chapter 2
Commands for the Catalyst 6500 Series Switch SSL Services Module
This chapter contains an alphabetical listing of commands for the Catalyst 6500 series switch SSL
Services Module.
For additional SSL Services Module information, refer to the following documentation:
• Catalyst 6500 Series Switch SSL Services Module Configuration Note
• Catalyst 6500 Series Switch SSL Services Module System Message Guide
• Catalyst 6500 Series Switch SSL Services Module Installation and Verification Note
clear ssl-proxy conn
To clear all TCP connections on the entire system, use the clear ssl-proxy conn command.
clear ssl-proxy conn [context name [module [module]]] [service name [context name [module [module]]]]
Syntax Description
context name     (Optional) Clears the connections for a specific context.
module module    (Optional) Clears the connections for the specified module type.
                 The available options for the module variable are as follows:
                 • all—All CPUs
                 • fdu—FDU CPU
                 • ssl1—SSL1 CPU
                 • tcp1—TCP1 CPU
                 • tcp2—TCP2 CPU
service name     (Optional) Clears the connections for the specified service.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release: Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
  Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
  Modification: This command was changed to add the following keywords:
  • context name
  • module module
Examples
This example shows how to clear the connections for the specified service:
ssl-proxy# clear ssl-proxy conn service S6
This example shows how to clear all TCP connections on the entire system:
ssl-proxy# clear ssl-proxy conn
ssl-proxy#
clear ssl-proxy content
To clear the content statistics that the SSL Services Module maintains, use the clear ssl-proxy content command.
clear ssl-proxy content {all | rewrite | scanning} [module [module]]
Syntax Description
all              Clears all content statistics.
scanning         Clears scanning statistics.
rewrite          Clears rewriting statistics.
module module    (Optional) Clears statistics for the specified module type.
                 The available options for the module variable are as follows:
                 • all—All CPUs
                 • fdu—FDU CPU
                 • ssl1—SSL1 CPU
                 • tcp1—TCP1 CPU
                 • tcp2—TCP2 CPU
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release: SSL Services Module Release 3.1(1)
  Modification: Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Usage Guidelines
To reset all the content statistics that the SSL Services Module maintains, use the clear ssl-proxy
content all command.
Examples
This example shows how to clear all of the content statistics:
ssl-proxy# clear ssl-proxy content all
clear ssl-proxy session
To clear all entries from the session cache, use the clear ssl-proxy session command.
clear ssl-proxy session [service [name] [context name [module [module]]]]
Syntax Description
context name     (Optional) Clears the session cache for a specific context.
module module    (Optional) Clears the session cache for the specified module type.
                 The available options for the module variable are as follows:
                 • all—All CPUs
                 • fdu—FDU CPU
                 • ssl1—SSL1 CPU
                 • tcp1—TCP1 CPU
                 • tcp2—TCP2 CPU
service name     (Optional) Clears the session cache for the specified service.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release: SSL Services Module Release 1.2(1)
  Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
  Modification: This command was changed to add the following keywords:
  • context name
  • module module
Usage Guidelines
To clear all entries from the session cache for all services, use the clear ssl-proxy session command
without options.
Examples
This example shows how to clear the entries from the session cache for the specified service on the SSL
Services Module:
ssl-proxy# clear ssl-proxy session service S6
This example shows how to clear all entries in the session cache that are maintained on the SSL Services
Module:
ssl-proxy# clear ssl-proxy session
ssl-proxy#
clear ssl-proxy stats
clear ssl-proxy stats
To reset the statistics counters that are maintained in the different system components on the SSL
Services Module, use the clear ssl-proxy stats command.
clear ssl-proxy stats [context [name] | crypto | fdu | hdr | ipc | module [module] | pki | service | ssl | tcp | url]
Syntax Description
context          (Optional) Clears statistics information about the context.
name             (Optional) Specifies the name of the context.
crypto           (Optional) Clears statistics information about the crypto.
fdu              (Optional) Clears statistics information about the FDU.
hdr              (Optional) Clears statistics information about HTTP header insertion.
ipc              (Optional) Clears statistics information about the inter-process communications (IPC).
module module    (Optional) Clears statistics information about the specified module type.
                 The available options for the module variable are as follows:
                 • all—All CPUs
                 • fdu—FDU CPU
                 • ssl1—SSL1 CPU
                 • tcp1—TCP1 CPU
                 • tcp2—TCP2 CPU
pki              (Optional) Clears information about the public key infrastructure (PKI).
service name     (Optional) Clears statistics information for a specific service.
ssl              (Optional) Clears statistics information about the SSL.
tcp              (Optional) Clears statistics information about the TCP.
url              (Optional) Clears statistics information about URL rewrite.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release: Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
  Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
  Modification: This command was changed to add the following keywords:
  • context name
  • hdr
  • module module
  • url
Usage Guidelines
To reset all the statistics counters that the SSL Services Module maintains, use the clear ssl-proxy stats
command without options.
Examples
This example shows how to reset the statistics counters that are maintained in the different system
components on the SSL Services Module:
ssl-proxy# clear ssl-proxy stats crypto
ssl-proxy# clear ssl-proxy stats ipc
ssl-proxy# clear ssl-proxy stats pki
ssl-proxy# clear ssl-proxy stats service S6
This example shows how to clear all the statistics counters that the SSL Services Module maintains:
ssl-proxy# clear ssl-proxy stats
ssl-proxy#
crypto pki export pem
To export privacy-enhanced mail (PEM) files from the SSL Services Module, use the crypto pki export
pem command.
crypto pki export trustpoint_label pem {terminal {des | 3des} {url url}} pass_phrase
Syntax Description
trustpoint-label   Name of the trustpoint.
terminal           Displays the request on the terminal.
des                Specifies the 56-bit DES-CBC encryption algorithm.
3des               Specifies the 168-bit DES (3DES) encryption algorithm.
url url            Specifies the URL location. Valid values are as follows:
                   • ftp:—Exports to the FTP: file system
                   • null:—Exports to the NULL: file system
                   • nvram:—Exports to the NVRAM: file system
                   • rcp:—Exports to the RCP: file system
                   • scp:—Exports to the SCP: file system
                   • system:—Exports to the system: file system
                   • tftp:—Exports to the TFTP: file system
pass-phrase        Pass phrase that is used to protect the private key.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release: SSL Services Module Release 1.2(1)
  Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
  Modification: The syntax for this command changed from crypto ca to crypto pki.
Usage Guidelines
The pass_phrase can be any phrase including spaces and punctuation except for the question mark (?),
which has a special meaning to the Cisco IOS parser.
Pass-phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key
when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.
A key that is marked as unexportable cannot be exported.
You can change the default file extensions when prompted. The default file extensions are as follows:
• public key (.pub)
• private key (.prv)
• certificate (.crt)
• CA certificate (.ca)
• signature key (-sign)
• encryption key (-encr)
Note
In SSL software release 1.2, only the private key (.prv), the server certificate (.crt), and the issuer CA
certificate (.ca) of the server certificate are exported. To export the whole certificate chain, including all
the CA certificates, use a PKCS12 file instead of PEM files.
Examples
This example shows how to export a PEM-formatted file on the SSL Services Module:
ssl-proxy(config)# crypto ca export TP5 pem url tftp://10.1.1.1/tp99 3des password
% Exporting CA certificate...
Address or name of remote host [10.1.1.1]?
Destination filename [tp99.ca]?
% File 'tp99.ca' already exists.
% Do you really want to overwrite it? [yes/no]: yes
!Writing file to tftp://10.1.1.1/tp99.ca!
% Key name: key1
Usage: General Purpose Key
% Exporting private key...
Address or name of remote host [10.1.1.1]?
Destination filename [tp99.prv]?
% File 'tp99.prv' already exists.
% Do you really want to overwrite it? [yes/no]: yes
!Writing file to tftp://10.1.1.1/tp99.prv!
% Exporting router certificate...
Address or name of remote host [10.1.1.1]?
Destination filename [tp99.crt]?
% File 'tp99.crt' already exists.
% Do you really want to overwrite it? [yes/no]: yes
!Writing file to tftp://10.1.1.1/tp99.crt!
ssl-proxy(config)#
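A check on the exported private key (.prv) before it is moved or imported, as an added Python example that is not Cisco's code: it assumes the exported file uses the traditional OpenSSL encrypted-PEM layout (Proc-Type and DEK-Info headers, with the des option producing DES-CBC and the 3des option producing DES-EDE3-CBC) and reports whether the key is pass-phrase protected and with which cipher. The sample file it builds is constructed filler, not a real key.

```python
import base64
import re

# Cipher names as they appear in a traditional (OpenSSL-style) encrypted PEM
# DEK-Info header. Assumption for this example: an exported .prv uses that
# layout, with "des" producing DES-CBC and "3des" producing DES-EDE3-CBC.
WEAK_CIPHERS = {"DES-CBC"}           # the 56-bit des option
ACCEPTED_CIPHERS = {"DES-EDE3-CBC"}  # the 168-bit 3des option
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def inspect_prv(pem_text):
    """Report whether a PEM private key is pass-phrase protected and with what."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    label, content = m.group(1), m.group(2)
    lines = content.splitlines()
    headers = {}
    # Traditional PEM puts "Key: value" headers first, then a blank line.
    while lines and ":" in lines[0]:
        key, _, value = lines[0].partition(":")
        headers[key.strip()] = value.strip()
        lines.pop(0)
    if headers and lines and lines[0] == "":
        lines.pop(0)
    raw = base64.b64decode("".join(lines), validate=True)

    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    cipher = iv = None
    if encrypted:
        cipher, _, iv = headers.get("DEK-Info", "").partition(",")
    if not encrypted:
        verdict = "UNPROTECTED"   # plaintext key: do not send it over tftp: or ftp:
    elif cipher in WEAK_CIPHERS:
        verdict = "WEAK"
    elif cipher in ACCEPTED_CIPHERS:
        verdict = "OK"
    else:
        verdict = "UNKNOWN"
    # DES and 3DES are 8-byte block ciphers: an 8-byte IV (16 hex digits) and a
    # body that is a whole number of blocks are sanity checks on the file.
    well_formed = (not encrypted) or (
        re.fullmatch(r"[0-9A-Fa-f]{16}", iv or "") is not None and len(raw) % 8 == 0
    )
    return {"label": label, "encrypted": encrypted, "cipher": cipher,
            "verdict": verdict, "bytes": len(raw), "well_formed": well_formed}


def make_sample_prv(dek_info=None):
    """Build a constructed PEM file for testing; the body is filler, not a key."""
    body = base64.encodebytes(bytes(range(64))).decode()
    hdr = f"Proc-Type: 4,ENCRYPTED\nDEK-Info: {dek_info}\n\n" if dek_info else ""
    return f"-----BEGIN RSA PRIVATE KEY-----\n{hdr}{body}-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    # Constructed IV value; a real export writes its own.
    print(inspect_prv(make_sample_prv("DES-EDE3-CBC,0A1B2C3D4E5F6071")))
    print(inspect_prv(make_sample_prv()))
```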
Related Commands
crypto pki import pem
crypto pki import pem
To import a PEM-formatted file to the SSL Services Module, use the crypto pki import pem command.
crypto pki import trustpoint_label pem [exportable] {terminal | url url | usage-keys} pass_phrase
Syntax Description
trustpoint-label   Name of the trustpoint.
exportable         (Optional) Specifies the key that can be exported.
terminal           Displays the request on the terminal.
url url            Specifies the URL location. Valid values are as follows:
                   • ftp:—Imports from the FTP: file system
                   • null:—Imports from the null: file system
                   • nvram:—Imports from the NVRAM: file system
                   • rcp:—Imports from the RCP: file system
                   • scp:—Imports from the SCP: file system
                   • system:—Imports from the system: file system
                   • tftp:—Imports from the TFTP: file system
pass_phrase        Pass phrase.
usage-keys         Specifies that two special-usage key pairs should be generated, instead of
                   one general-purpose key pair.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release: SSL Services Module Release 1.2(1)
  Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
  Modification: The syntax for this command changed from crypto ca to crypto pki.
Usage Guidelines
You will receive an error if you enter the pass phrase incorrectly. The pass_phrase can be any phrase
including spaces and punctuation except for the question mark (?), which has a special meaning to the
Cisco IOS parser.
Pass-phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key
when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.
When importing RSA keys, you can use a public key or its corresponding certificate.
The crypto pki import pem command imports only the private key (.prv), the server certificate (.crt),
and the issuer CA certificate (.ca). If you have more than one level of CA in the certificate chain, you
need to import the root and subordinate CA certificates before this command is issued for authentication.
Use cut-and-paste or TFTP to import the root and subordinate CA certificates.
Examples
This example shows how to import a PEM-formatted file from the SSL Services Module:
ssl-proxy(config)# crypto pki import TP5 pem url tftp://10.1.1.1/TP5 password
% Importing CA certificate...
Address or name of remote host [10.1.1.1]?
Destination filename [TP5.ca]?
Reading file from tftp://10.1.1.1/TP5.ca
Loading TP5.ca from 10.1.1.1 (via Ethernet0/0.168): !
[OK - 1976 bytes]
% Importing private key PEM file...
Address or name of remote host [10.1.1.1]?
Destination filename [TP5.prv]?
Reading file from tftp://10.1.1.1/TP5.prv
Loading TP5.prv from 10.1.1.1 (via Ethernet0/0.168): !
[OK - 963 bytes]
% Importing certificate PEM file...
Address or name of remote host [10.1.1.1]?
Destination filename [TP5.crt]?
Reading file from tftp://10.1.1.1/TP5.crt
Loading TP5.crt from 10.1.1.1 (via Ethernet0/0.168): !
[OK - 1692 bytes]
% PEM files import succeeded.
ssl-proxy(config)# end
ssl-proxy#
*Apr 11 15:11:29.901: %SYS-5-CONFIG_I: Configured from console by console
Related Commands
crypto pki export pem
crypto pki export pkcs12
To export a PKCS12 file from the SSL Services Module, use the crypto pki export pkcs12 command.
crypto pki export trustpoint_label pkcs12 file_system [pkcs12_filename] pass_phrase
Syntax Description
trustpoint_label   Specifies the trustpoint label.
file_system        Specifies the file system. Valid values are scp:, ftp:, nvram:, rcp:, and tftp:
pkcs12_filename    (Optional) Specifies the name of the PKCS12 file to import.
pass_phrase        Specifies the pass phrase of the PKCS12 file.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release: Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
  Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
  Modification: The syntax for this command changed from crypto ca to crypto pki.
Usage Guidelines
Imported key pairs cannot be exported.
If you are using SSH, we recommend using SCP (secure file transfer) when exporting a PKCS12 file.
SCP authenticates the host and encrypts the transfer session.
If you do not specify pkcs12_filename, you will be prompted to accept the default filename (the default
filename is the trustpoint_label) or enter the filename. For the ftp: or tftp: value, include the full path
in the pkcs12_filename.
You will receive an error if you enter the pass phrase incorrectly.
If there is more than one level of CA, the root CA and all the subordinate CA certificates are exported
in the PKCS12 file.
Examples
This example shows how to export a PKCS12 file using SCP:
ssl-proxy(config)# crypto pki export TP1 pkcs12 scp: sky is blue
Address or name of remote host []? 10.1.1.1
Destination username [ssl-proxy]? admin-1
Destination filename [TP1]? TP1.p12
Password:
Writing TP1.p12 Writing pkcs12 file to scp://admin-1@10.1.1.1/TP1.p12
Password:
!
CRYPTO_PKI:Exported PKCS12 file successfully.
ssl-proxy(config)#
crypto pki import pkcs12
To import a PKCS12 file to the SSL Services Module, use the crypto pki import pkcs12 command.
crypto pki import trustpoint_label pkcs12 file_system [pkcs12_filename] pass_phrase
Syntax Description
trustpoint_label   Specifies the trustpoint label.
file_system        Specifies the file system. Valid values are as follows:
                   • ftp:—Imports from the FTP: file system
                   • nvram:—Imports from the NVRAM: file system
                   • rcp:—Imports from the RCP: file system
                   • scp:—Imports from the SCP: file system
                   • tftp:—Imports from the TFTP: file system
pkcs12_filename    (Optional) Specifies the name of the PKCS12 file to import.
pass_phrase        Specifies the pass phrase of the PKCS12 file.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release: Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
  Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
  Modification: The syntax for this command changed from crypto ca to crypto pki.
Usage Guidelines
If you are using SSH, we recommend using SCP (secure file transfer) when importing a PKCS12 file.
SCP authenticates the host and encrypts the transfer session.
If you do not specify pkcs12_filename, you will be prompted to accept the default filename (the default
filename is the trustpoint_label) or to enter the filename. For the ftp: or tftp: value, include the full path
in the pkcs12_filename.
You will receive an error if you enter the pass phrase incorrectly.
If there is more than one level of CA, the root CA and all the subordinate CA certificates are exported
in the PKCS12 file.
Examples
This example shows how to import a PKCS12 file using SCP:
ssl-proxy(config)# crypto pki import TP2 pkcs12 scp: sky is blue
Address or name of remote host []? 10.1.1.1
Source username [ssl-proxy]? admin-1
Source filename [TP2]? /users/admin-1/pkcs12/TP2.p12
Password:password
Sending file modes:C0644 4379 TP2.p12
!
ssl-proxy(config)#
*Aug 22 12:30:00.531:%CRYPTO-6-PKCS12IMPORT_SUCCESS:PKCS #12 Successfully Imported.
ssl-proxy(config)#
crypto key decrypt rsa
To delete the encrypted key and leave only the unencrypted key, use the crypto key decrypt rsa
command.
crypto key decrypt [write] rsa [name key-name] passphrase passphrase
Syntax Description
write                    (Optional) Writes the configuration to the startup configuration.
name key-name            (Optional) Name of the key.
passphrase passphrase    Pass phrase.
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Command History
Release                               Modification
SSL Services Module Release 3.1(1)    Support for this command was introduced on the Catalyst 6500 series
                                      SSL Services Module.
Usage Guidelines
Entering the write keyword immediately saves the unencrypted key to NVRAM. If you do not enter the
write keyword, you must manually write the configuration to NVRAM; otherwise, the key remains
encrypted the next time that the router is reloaded.
Examples
This example shows how to decrypt the RSA key “pki1-72a.cisco.com” and then display it with the
show crypto key mypubkey rsa command:
ssl-proxy(config)# crypto key decrypt rsa name pki1-72a.cisco.com passphrase cisco1234
WARNING: Configuration with decrypted key not saved.
Please save it manually as soon as possible to
save decrypted key
ssl-proxy(config)# end
ssl-proxy# show crypto key mypubkey rsa
Key name: pki1-72a.cisco.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381
...
% Key pair was generated at: 15:42:15 PST Jun
ssl-proxy#
Related Commands
crypto key encrypt rsa
crypto key lock rsa
crypto key unlock rsa
crypto key encrypt rsa
To encrypt the RSA keys, use the crypto key encrypt rsa command.
crypto key encrypt [write] rsa [name key-name] passphrase passphrase
Syntax Description
write                    (Optional) Writes the configuration to the startup configuration.
name key-name            (Optional) Name of the key.
passphrase passphrase    Pass phrase.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release                               Modification
SSL Services Module Release 3.1(1)    Support for this command was introduced on the Catalyst 6500 series
                                      SSL Services Module.
Usage Guidelines
After you enter this command, the router can continue to use the key; the key remains unlocked.
If you do not enter the write keyword, you must manually write the configuration to NVRAM;
otherwise, the encrypted key will be lost the next time that the router is reloaded.
Examples
This example shows how to encrypt the RSA key “pki1-72a.cisco.com.” Enter the show crypto key
mypubkey rsa command to verify that the RSA key is encrypted (protected) and unlocked.
ssl-proxy(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234
ssl-proxy(config)# exit
ssl-proxy# show crypto key mypubkey rsa
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C
...
% Key pair was generated at:00:15:32 GMT Jun 25 2003
ssl-proxy#
Related Commands
crypto key decrypt rsa
crypto key lock rsa
crypto key unlock rsa
crypto key export rsa pem
To export a PEM-formatted RSA key to the SSL Services Module, use the crypto key export rsa pem
command.
crypto key export rsa keylabel pem {terminal | url url} {{3des | des} [exportable] pass_phrase}
Syntax Description
keylabel         Name of the key.
terminal         Displays the request on the terminal.
url url          Specifies the URL location. Valid values are as follows:
                 • ftp:—Exports to the FTP: file system
                 • null:—Exports to the null: file system
                 • nvram:—Exports to the NVRAM: file system
                 • rcp:—Exports to the RCP: file system
                 • scp:—Exports to the SCP: file system
                 • system:—Exports to the system: file system
                 • tftp:—Exports to the TFTP: file system
3des             Specifies the 168-bit DES (3DES) encryption algorithm.
des              Specifies the 56-bit DES-CBC encryption algorithm.
exportable       (Optional) Specifies that the key can be exported.
pass_phrase      Pass phrase.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release                               Modification
SSL Services Module Release 1.2(1)    Support for this command was introduced on the Catalyst 6500 series
                                      switches.
Usage Guidelines
The pass phrase can be any phrase including spaces and punctuation except for the question mark (?),
which has a special meaning to the Cisco IOS parser.
Pass-phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key
when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.
Examples
This example shows how to export a key from the SSL Services Module:
ssl-proxy(config)# crypto key export rsa test-keys pem url scp: 3des password
% Key name:test-keys
Usage:General Purpose Key
Exporting public key...
Address or name of remote host []? 7.0.0.7
Destination username [ssl-proxy]? lab
Destination filename [test-keys.pub]?
Password:
Writing test-keys.pub Writing file to scp://lab@7.0.0.7/test-keys.pub
Password:
!
Exporting private key...
Address or name of remote host []? 7.0.0.7
Destination username [ssl-proxy]? lab
Destination filename [test-keys.prv]?
Password:
Writing test-keys.prv Writing file to scp://lab@7.0.0.7/test-keys.prv
Password:
ssl-proxy(config)#
crypto key import rsa pem
To import a PEM-formatted RSA key from an external system, use the crypto key import rsa pem
command.
crypto key import rsa keylabel pem [usage-keys] {terminal | url url} [exportable] passphrase
Syntax Description
keylabel         Name of the key.
usage-keys       (Optional) Specifies that two special-usage key pairs should be generated,
                 instead of one general-purpose key pair.
terminal         Displays the request on the terminal.
url url          Specifies the URL location. Valid values are as follows:
                 • ftp:—Imports from the FTP: file system
                 • null:—Imports from the null: file system
                 • nvram:—Imports from the NVRAM: file system
                 • rcp:—Imports from the RCP: file system
                 • scp:—Imports from the SCP: file system
                 • system:—Imports from the system: file system
                 • tftp:—Imports from the TFTP: file system
exportable       (Optional) Specifies that the key can be exported.
passphrase       Pass phrase.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release                               Modification
SSL Services Module Release 1.2(1)    Support for this command was introduced on the Catalyst 6500 series
                                      switches.
Usage Guidelines
The pass phrase can be any phrase including spaces and punctuation except for the question mark (?),
which has a special meaning to the Cisco IOS parser.
Pass-phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key
when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.
Examples
This example shows how to import a PEM-formatted RSA key from an external system and export the
PEM-formatted RSA key to the SSL Services Module:
ssl-proxy(config)# crypto key import rsa newkeys pem url scp: password
% Importing public key or certificate PEM file...
Address or name of remote host []? 7.0.0.7
Source username [ssl-proxy]? lab
Source filename [newkeys.pub]? test-keys.pub
Password:
Sending file modes:C0644 272 test-keys.pub
Reading file from scp://lab@7.0.0.7/test-keys.pub!
% Importing private key PEM file...
Address or name of remote host []? 7.0.0.7
Source username [ssl-proxy]? lab
Source filename [newkeys.prv]? test-keys.prv
Password:
Sending file modes:C0644 963 test-keys.prv
Reading file from scp://lab@7.0.0.7/test-keys.prv!% Key pair import succeeded.
ssl-proxy(config)#
crypto key lock rsa
To lock the encrypted private key, use the crypto key lock rsa command.
crypto key lock rsa [name key-name] passphrase passphrase
Syntax Description
name key-name            (Optional) Name of the key.
passphrase passphrase    Pass phrase.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release                               Modification
SSL Services Module Release 3.1(1)    Support for this command was introduced on the Catalyst 6500 series
                                      switches.
Usage Guidelines
After the key is locked, it cannot be used to authenticate the router to a peer device. This behavior
disables any IPsec or SSL connections that use the locked key.
Any existing IPsec tunnels created on the basis of the locked key will be closed.
If all RSA keys are locked, SSH will automatically be disabled.
Examples
This example shows how to lock the key “pki1-72a.cisco.com.” Enter the show crypto key mypubkey
rsa command to verify that the key is protected (encrypted) and locked.
ssl-proxy# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234
ssl-proxy# show crypto key mypubkey rsa
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
Key is exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
...
% Key pair was generated at: 16:00:11 PST Feb 28 2002
ssl-proxy#
Related Commands
crypto key decrypt rsa
crypto key encrypt rsa
crypto key unlock rsa
crypto key unlock rsa
To unlock the encrypted private key, use the crypto key unlock rsa command.
crypto key unlock rsa [name key-name] passphrase passphrase
Syntax Description
name key-name            (Optional) Name of the key.
passphrase passphrase    Pass phrase.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release                               Modification
SSL Services Module Release 3.1(1)    Support for this command was introduced on the Catalyst 6500 series
                                      SSL Services Module.
Examples
This example shows how to unlock the key “pki1-72a.cisco.com.” Enter the show crypto key mypubkey
rsa command to verify that the key is protected (encrypted) and unlocked.
ssl-proxy# crypto key unlock rsa name pki1-72a.cisco.com passphrase cisco1234
...
*Jun 18 00:26:08.275: %STE-5-UPDOWN: ssl-proxy service vip1 changed state to UP
...
ssl-proxy# show crypto key mypubkey rsa
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
...
% Key pair was generated at: 16:00:11 PST Feb 28 2002
ssl-proxy#
Related Commands
crypto key decrypt rsa
crypto key encrypt rsa
crypto key lock rsa
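The key-protection states that show crypto key mypubkey rsa reports in the crypto key encrypt rsa, crypto key decrypt rsa, crypto key lock rsa and crypto key unlock rsa sections can be audited offline from captured output. The following Python script is an added example, not Cisco code and not part of this reference. It parses constructed show output modelled on the excerpts above (the key names other than pki1-72a.cisco.com and the hex key data are made up) and reports keys that are stored unencrypted, keys that are exportable, and the case where every key is locked, which disables SSH as noted under crypto key lock rsa.

```python
import re
from dataclasses import dataclass

# Constructed sample output modelled on the "show crypto key mypubkey rsa" excerpts in
# this chapter; the second and third key names and all hex key data are made up.
SAMPLE_OUTPUT = """\
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
Key is exportable.
Key Data:
 305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
% Key pair was generated at: 16:00:11 PST Feb 28 2002

Key name: web-offload.example
Usage: General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is not exportable.
Key Data:
 30819F30 0D06092A 864886F7 0D010101 05000381
% Key pair was generated at: 15:42:15 PST Jun 3 2003

Key name: legacy-unprotected
Usage: General Purpose Key
Key is exportable.
Key Data:
 305C300D 06092A86 4886F70D 01010105 00034B00
% Key pair was generated at: 09:01:00 UTC Jan 10 2004
"""


@dataclass
class RsaKeyInfo:
    name: str
    usage: str
    protected: bool   # encrypted with a pass phrase (crypto key encrypt rsa)
    locked: bool      # crypto key lock rsa; a locked key cannot serve SSL or SSH
    exportable: bool


# The module prints "Key name:" with or without a space after the colon.
_KEY_RE = re.compile(r"^Key name:\s*(\S+)", re.M)
_USAGE_RE = re.compile(r"^Usage:\s*(.+?)\s*$", re.M)
_STATE_RE = re.compile(r"\*\*\* The key is protected and (LOCKED|UNLOCKED)\. \*\*\*")
_EXPORT_RE = re.compile(r"^Key is (not )?exportable\.", re.M)


def parse_mypubkey_rsa(text):
    """Split the show output into per-key blocks and extract the protection state."""
    keys = []
    for block in re.split(r"(?m)^(?=Key name:)", text):
        m = _KEY_RE.search(block)
        if not m:
            continue
        usage = _USAGE_RE.search(block)
        state = _STATE_RE.search(block)
        export = _EXPORT_RE.search(block)
        keys.append(RsaKeyInfo(
            name=m.group(1),
            usage=usage.group(1) if usage else "",
            # No "protected" banner means the private key is stored unencrypted.
            protected=state is not None,
            locked=bool(state and state.group(1) == "LOCKED"),
            exportable=bool(export and export.group(1) is None),
        ))
    return keys


def audit_keys(keys):
    """Return findings a reviewer would raise about the key inventory."""
    findings = []
    for k in keys:
        if not k.protected:
            findings.append(f"{k.name}: private key is not pass-phrase protected (stored unencrypted)")
        if k.exportable:
            findings.append(f"{k.name}: key is exportable")
    # Per the crypto key lock rsa guidelines, locking every RSA key disables SSH.
    if keys and all(k.protected and k.locked for k in keys):
        findings.append("all RSA keys are locked: SSH will be disabled on the module")
    return findings


if __name__ == "__main__":
    for line in audit_keys(parse_mypubkey_rsa(SAMPLE_OUTPUT)):
        print(line)
```

Feed it the saved output of show crypto key mypubkey rsa from each module; a key without the protected banner is exactly the state left behind by crypto key decrypt rsa, and should be re-encrypted (and written to NVRAM) before the module is reloaded.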
debug ssl-proxy
To turn on the debug flags in different system components, use the debug ssl-proxy command. Use the
no form of this command to turn off the debug flags.
debug ssl-proxy {app | content [type] | fdu [type] | flash [module [module]] | health-probe | ipc |
pki [type] | ssl [type] | tcp [type] | vlan}
Syntax Description
app             Turns on App debugging.
content type    Turns on content debugging; (optional) type valid values are detail, error,
                ipc, module module, rewriting, and scanning. See the “Usage Guidelines”
                section for additional information.
fdu type        Turns on FDU debugging; (optional) type valid values are cli, hash, ipc, and
                trace. See the “Usage Guidelines” section for additional information.
flash           Turns on Flash debugging.
module module   Specifies the module to be debugged. The available options for the module
                variable are as follows:
                • fdu—FDU CPU
                • ssl1—SSL1 CPU
                • tcp1—TCP1 CPU
health-probe    Turns on health probe debugging.
ipc             Turns on IPC debugging.
pki type        Turns on PKI debugging; (optional) type valid values are cert, events,
                history, ipc, and key. See the “Usage Guidelines” section for additional
                information.
ssl type        Turns on SSL debugging; (optional) type valid values are alert, error,
                handshake, and pkt. See the “Usage Guidelines” section for additional
                information.
tcp type        Turns on TCP debugging; (optional) type valid values are event, packet,
                state, and timers. See the “Usage Guidelines” section for additional
                information.
vlan            Turns on VLAN debugging.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release                               Modification
Cisco IOS Release 12.1(13)E and       Support for this command was introduced on the Catalyst 6500 series
SSL Services Module Release 1.1(1)    switches.
SSL Services Module Release 3.1(1)    This command was changed to add the following keywords:
                                      • content type
                                      • flash
                                      • health-probe
                                      • module module
                                      • vlan
Usage Guidelines
The content type includes the following values:
• detail—content detail
• error—content error
• ipc—content ipc
• module module—module to be debugged; module includes the following values:
  – fdu—fdu cpu
  – ssl1—ssl1 cpu
  – tcp1—tcp1 cpu
• rewriting—content rewriting
• scanning—content scanning
The fdu type includes the following values:
• cli—Debugs the FDU CLI.
• hash—Debugs the FDU hash.
• ipc—Debugs the FDU IPC.
• trace—Debugs the FDU trace.
The pki type includes the following values:
• certs—Debugs the certificate management.
• events—Debugs events.
• history—Debugs the certificate history.
• ipc—Debugs the IPC messages and buffers.
• key—Debugs key management.
The ssl type includes the following values:
• alert—Debugs the SSL alert events.
• error—Debugs the SSL error events.
• handshake—Debugs the SSL handshake events.
• pkt—Debugs the received and transmitted SSL packets.
Note
Use the TCP debug commands only to troubleshoot basic connectivity issues under little or no load
conditions (for instance, when no connection is being established to the virtual server or real server).
If you run TCP debug commands, the TCP module displays large amounts of debug information on the
console, which can significantly slow down module performance. Slow module performance can lead to
delayed processing of TCP connection timers, packets, and state transitions.
The tcp type includes the following values:
• events—Debugs the TCP events.
• pkt—Debugs the received and transmitted TCP packets.
• state—Debugs the TCP states.
• timers—Debugs the TCP timers.
Examples
This example shows how to turn on App debugging:
ssl-proxy# debug ssl-proxy app
ssl-proxy#
This example shows how to turn on FDU debugging:
ssl-proxy# debug ssl-proxy fdu
ssl-proxy#
This example shows how to turn on IPC debugging:
ssl-proxy# debug ssl-proxy ipc
ssl-proxy#
This example shows how to turn on PKI debugging:
ssl-proxy# debug ssl-proxy pki
ssl-proxy#
This example shows how to turn on SSL debugging:
ssl-proxy# debug ssl-proxy ssl
ssl-proxy#
This example shows how to turn on TCP debugging:
ssl-proxy# debug ssl-proxy tcp
ssl-proxy#
This example shows how to turn off TCP debugging:
ssl-proxy# no debug ssl-proxy tcp
ssl-proxy#
do
To execute EXEC-level commands from global configuration mode or other configuration modes or
submodes, use the do command.
do command
Syntax Description
command    EXEC-level command to be executed.
Defaults
This command has no default settings.
Command Modes
Global configuration or any other configuration mode or submode from which you are executing the
EXEC-level command.
Command History
Release                               Modification
Cisco IOS Release 12.1(13)E and       Support for this command was introduced on the Catalyst 6500 series
SSL Services Module Release 1.1(1)    switches.
Usage Guidelines
Caution
Do not enter the do command in EXEC mode. Interruption of service may occur.
You cannot use the do command to execute the configure terminal command because entering the
configure terminal command changes the mode to configuration mode.
You cannot use the do command to execute the copy or write command in the global configuration or
any other configuration mode or submode.
Examples
This example shows how to execute the EXEC-level show interfaces command from within global
configuration mode:
ssl-proxy(config)# do show interfaces serial 3/0
Serial3/0 is up, line protocol is up
Hardware is M8T-RS232
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
Last input never, output 1d17h, output hang never
Last clearing of "show interface" counters never
.
.
.
ssl-proxy(config)#
interface ssl-proxy
To enter the subinterface configuration submode, use the interface ssl-proxy command. In interface
configuration submode, you can configure a subinterface for the SSL Services Module.
Note
The ssl-proxy0 interface is enabled by default and should not be shut down or otherwise configured.
interface 0.subinterface-number
Syntax Description
subinterface-number    Subinterface ID; valid values are from 0 to 4294967295.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release                               Modification
SSL Services Module Release 3.1(1)    Support for this command was introduced on the Catalyst 6500 series
                                      SSL Services Module. This command replaces the ssl-proxy vlan command.
Usage Guidelines
Note
When you upgrade to SSL software release 3.x from SSL software release 2.x or 1.x, the VLAN
configuration is converted automatically to a subinterface configuration. For example, ssl-proxy vlan 3
is converted to interface ssl-proxy0.3.
The ssl-proxy0 interface is enabled by default and should not be shut down or otherwise configured.
Table 2-1 lists the commands that are available in subinterface configuration submode.
Table 2-1    Subinterface Configuration Submode Command Descriptions
Syntax                                     Description
default                                    Sets a command to its defaults.
description                                Allows you to enter a description for the subinterface.
encapsulation dot1q vlan_ID [native]       Sets the encapsulation type for the interface. Enter the native keyword to
                                           make this a native VLAN.
exit                                       Exits from the subinterface configuration submode.
ip address ipaddress subnet [secondary]    Configures the subinterface with an IP address and a subnet mask. Enter the
                                           secondary keyword to make this IP address a secondary address.
no                                         Negates a command or sets its defaults.
[no] shutdown                              Shuts down the subinterface. Use the no form of this command to put the
                                           subinterface in service.
standby [group-number] {authentication text string} | {delay minimum [min-delay] reload [reload-delay]} |
{ip [ip-address [secondary]]} | {mac-address mac-address} | {mac-refresh seconds} | {name group-name} |
{preempt [delay {minimum delay | reload delay | sync delay}]} | {priority priority} |
{redirects [enable | disable] [timers advertisement holddown] [unknown]} |
{timers [msec] hellotime [msec] holdtime} | {track object-number [decrement priority]} | [version {1 | 2}]
                                           Configures redundancy on the subinterface. See the following commands for
                                           valid values:
                                           • standby authentication
                                           • standby delay minimum reload
                                           • standby ip
                                           • standby mac-address
                                           • standby mac-refresh
                                           • standby name
                                           • standby preempt
                                           • standby priority
                                           • standby redirects
                                           • standby timers
                                           • standby track
                                           • standby use-bia
                                           • standby version
timeout absolute minutes seconds           Sets the session timeout values for this interface. Valid values for minutes are
                                           from 0 to 71582787 minutes. Valid values for seconds are from 0 to 59
                                           seconds.
The valid values for configuring HSRP are as follows:
• group-number—(Optional) Group number on the interface for which HSRP is being activated; valid
  values are from 0 to 255 for HSRP version 1; valid values are from 0 to 4095 for HSRP version 2.
  See the “standby version” section on page 2-116 for information about changing the HSRP version.
  If you do not specify a group-number, group 0 is used.
• ip ip-addr—Specifies the IP address of the HSRP interface.
• priority priority—Specifies the priority for the HSRP interface. Increase the priority of at least one
  interface in the HSRP group. The interface with the highest priority becomes active for that HSRP
  group.
• preempt—Enables preemption. When you enable preemption, if the local router has a hot standby
  priority that is higher than the current active router, the local router attempts to assume control as
  the active router. If you do not configure preemption, the local router assumes control as the active
  router only if it receives information indicating that no router is in the active state (acting as the
  designated router).
• delay—(Optional) Specifies the preemption delay. When a router first comes up, it does not have a
  complete routing table. If it is configured to preempt, it becomes the active router but cannot provide
  adequate routing services. You can configure a delay before the preempting router actually preempts
  the currently active router.
• type time—Specifies the preemption type and delay; valid values are as follows:
  – minimum time—Specifies the minimum delay period in delay seconds; valid values are from 0
    to 3600 seconds (1 hour).
  – reload time—Specifies the preemption delay after a reload only.
  – sync time—Specifies the maximum synchronization period in delay seconds.
• timers [msec] hellotime holdtime—Configures the time between hello packets and the time before
  other routers declare the active hot standby or standby router to be down; valid values are as follows:
  – msec—(Optional) Interval in milliseconds. Millisecond timers allow for faster failover.
  – hellotime—Hello interval (in seconds); valid values are from 1 to 254 seconds. If you specify
    the msec keyword, the hello interval is in milliseconds; valid values are from 15 to
    999 milliseconds. The default is 3 seconds.
  – holdtime—Time (in seconds) before the active or standby router is declared to be down; valid
    values are from x to 255; x is the hellotime plus 50 milliseconds and is rounded up to the nearest
    1 second. If you specify the msec keyword, the holdtime is in milliseconds; valid values are
    from y to 3000 milliseconds; y is greater than or equal to 3 times the hellotime and is not less
    than 50 milliseconds. The default is 10 seconds.
Examples
This example shows how to enter the subinterface configuration submode:
ssl-proxy (config)# interface ssl-proxy 0.6
ssl-proxy (config-subif)#
This example shows how to configure the specified subinterface with an IP address and subnet mask:
ssl-proxy (config-subif)# ip address 208.59.100.18 255.0.0.0
ssl-proxy (config-subif)#
This example shows how to configure the HSRP on the SSL module:
ssl-proxy(config)# interface ssl-proxy 0.100
ssl-proxy(config-subif)# ip address 10.1.0.20 255.255.255.0
ssl-proxy(config-subif)# standby 1 ip 10.1.0.21
ssl-proxy(config-subif)# standby 1 priority 110
ssl-proxy(config-subif)# standby 1 preempt
ssl-proxy(config-subif)# standby 2 ip 10.1.0.22
ssl-proxy(config-subif)# standby 2 priority 100
ssl-proxy(config-subif)# standby 2 preempt
ssl-proxy(config-subif)# end
ssl-proxy#
Related Commands
show interfaces ssl-proxy
show ssl-proxy vlan
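The HSRP rules in this section (group-number ranges per HSRP version, the hellotime and holdtime bounds with and without the msec keyword, and when a router with preempt takes over) are easy to get wrong when two SSL modules are paired. The following Python is an added example, not Cisco code and not part of this reference; it checks standby values against the ranges stated above and works out which router becomes active for a group. The router names and addresses are constructed, the default priority of 100 is assumed (the page gives no default), and ties are resolved by the higher IP address, which is standard HSRP behaviour but not stated on this page.

```python
import ipaddress
import math
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    """One HSRP participant on a subinterface, as set with standby ip / priority / preempt."""
    name: str
    ip: str
    priority: int = 100    # assumption: HSRP's usual default; this page states no default
    preempt: bool = False


def validate_group_number(group, version=1):
    """Group numbers run 0-255 for HSRP version 1 and 0-4095 for version 2."""
    if version not in (1, 2):
        raise ValueError("HSRP version must be 1 or 2")
    return 0 <= group <= (255 if version == 1 else 4095)


def min_holdtime(hellotime, msec=False):
    """Lowest holdtime the page allows for a given hellotime.
    seconds: hellotime plus 50 ms, rounded up to the nearest second (x on the page)
    msec:    at least 3 x hellotime and not less than 50 ms (y on the page)"""
    if msec:
        return max(3 * hellotime, 50)
    return math.ceil(hellotime + 0.050)


def validate_timers(hellotime, holdtime, msec=False):
    """Return the violations of the standby timers [msec] hellotime holdtime ranges."""
    errors = []
    hello_lo, hello_hi = (15, 999) if msec else (1, 254)
    hold_hi = 3000 if msec else 255
    unit = "ms" if msec else "s"
    if not hello_lo <= hellotime <= hello_hi:
        errors.append(f"hellotime {hellotime}{unit} outside {hello_lo}-{hello_hi}{unit}")
    hold_lo = min_holdtime(hellotime, msec)
    if not hold_lo <= holdtime <= hold_hi:
        errors.append(f"holdtime {holdtime}{unit} outside {hold_lo}-{hold_hi}{unit} "
                      f"for hellotime {hellotime}{unit}")
    return errors


def _rank(router):
    # Higher priority wins; ties go to the higher IP address (assumption, see lead-in).
    return (router.priority, ipaddress.IPv4Address(router.ip))


def elect_active(routers, current_active=None):
    """Return the router that ends up active for the group.
    With no router in the active state, the highest-ranked router takes control.
    With an active router present, only a router configured with preempt and a
    higher priority takes over; otherwise the active router keeps the role."""
    if current_active is None:
        return max(routers, key=_rank)
    active = next(r for r in routers if r.name == current_active)
    challengers = [r for r in routers if r.preempt and r.priority > active.priority]
    return max(challengers, key=_rank) if challengers else active


if __name__ == "__main__":
    # Mirrors the HSRP example in this section: priority 110 with preempt wins the group.
    a = HsrpRouter("ssl-proxy-A", "10.1.0.20", priority=110, preempt=True)
    b = HsrpRouter("ssl-proxy-B", "10.1.0.30", priority=100, preempt=True)
    print(elect_active([a, b], current_active="ssl-proxy-B").name)
    print(validate_timers(3, 10), validate_timers(200, 500, msec=True))
```

The holdtime check is the one most often violated in practice: with the msec keyword the page requires at least three hello intervals, so a 200 ms hello needs a 600 ms hold, and the defaults of 3 and 10 seconds satisfy the seconds-based rule.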
natpool
To define a pool of IP addresses, which the SSL Services Module uses for implementing the client NAT,
use the natpool command.
natpool nat-pool-name start_ip_addr end_ip_addr netmask netmask
Syntax Description
nat-pool-name      NAT pool name.
start-ip-addr      First IP address in the pool.
end-ip-addr        Last IP address in the pool.
netmask netmask    Specifies the netmask address.
Defaults
This command has no default settings.
Command Modes
Context subcommand mode
Command History
Release                               Modification
Cisco IOS Release 12.1(13)E and       Support for this command was introduced on the Catalyst 6500 series
SSL Services Module Release 1.1(1)    switches.
SSL Services Module Release 3.1(1)    The natpool command (entered in context subcommand mode) replaces
                                      the ssl-proxy natpool command (entered in global subcommand mode).
Examples
This example shows how to define a pool of IP addresses:
ssl-proxy(config)# ssl-proxy context Example
ssl-proxy (config-context)# natpool NP2 207.59.10.01 207.59.10.08 netmask 255.0.0.0
ssl-proxy (config-context)#
Related Commands
show ssl-proxy natpool
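A client NAT pool is only usable if the start and end addresses form a valid range inside the subnet implied by the netmask. The following Python is an added example, not Cisco code and not part of this reference; it applies those checks to natpool arguments before they are typed into the context. The pool in the example above is used as the sample input, with 207.59.10.01 written as 207.59.10.1 because Python's ipaddress module rejects leading zeros.

```python
import ipaddress


def validate_natpool(name, start_ip_addr, end_ip_addr, netmask):
    """Check a natpool definition and return the implied subnet, pool size and errors."""
    start = ipaddress.IPv4Address(start_ip_addr)
    end = ipaddress.IPv4Address(end_ip_addr)
    # Subnet implied by the first pool address and the configured netmask
    net = ipaddress.IPv4Network((start, netmask), strict=False)
    errors = []
    if end < start:
        errors.append(f"{name}: end address {end} is before start address {start}")
    if end not in net:
        errors.append(f"{name}: end address {end} is not in subnet {net} implied by the netmask")
    # The network and broadcast addresses cannot be used as NAT source addresses
    if start == net.network_address:
        errors.append(f"{name}: start address {start} is the network address of {net}")
    if end == net.broadcast_address:
        errors.append(f"{name}: end address {end} is the broadcast address of {net}")
    size = int(end) - int(start) + 1 if end >= start else 0
    return {"name": name, "network": str(net), "size": size, "errors": errors}


if __name__ == "__main__":
    # Sample input modelled on the natpool example in this section
    print(validate_natpool("NP2", "207.59.10.1", "207.59.10.8", "255.0.0.0"))
    print(validate_natpool("NP3", "10.1.0.10", "10.2.0.5", "255.255.255.0"))
```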
policy health-probe tcp
To enter the TCP health probe configuration submode, use the policy health-probe command. In TCP
health probe configuration submode, you can define the TCP health probe policy that is applied.
policy health-probe tcp policy-name
Syntax Description
policy-name    TCP health probe policy name.
Defaults
The defaults are as follows:
• failed-interval is 60 seconds.
• interval is 30 seconds.
• maximum-retry is 0.
• open-timeout is 80 seconds.
• port is the port of the server IP address that you configured in the SSL server proxy service.
Command Modes
Context subcommand mode
Command History
Release                               Modification
SSL Services Module Release 3.1(1)    Support for this command was introduced on the Catalyst 6500 series
                                      SSL Services Module.
Usage Guidelines
Table 2-2 lists the commands that are available in TCP health probe policy configuration submode.
Table 2-2    TCP Health Probe Submode Command Descriptions
Syntax                     Description
interval seconds           (Optional) Allows you to set the interval between probes in seconds (from
                           the end of the previous probe to the beginning of the next probe) when the
                           server is healthy. The default is 30 seconds. The valid range is from 30 to
                           300 seconds.
failed-interval seconds    (Optional) Allows you to set the time between health checks after the
                           service has been marked as failed. The default is 60 seconds. The valid
                           range is from 30 to 3600 seconds.
maximum-retry retries      (Optional) Sets the number of failed probes that are allowed before
                           marking the service as failed. The default is 0 retries. The valid range is
                           from 1 to 5 retries.
open-timeout seconds       (Optional) Allows you to set the maximum time to wait to establish a TCP
                           connection. The default is 80 seconds. The valid range is from 70 to 120
                           seconds.
port port_number           (Optional) Allows you to configure an optional port for the health probe.
                           Valid values are from 1 to 65535.
                           By default, the TCP health probe uses the server IP address and port for
                           the SSL server proxy service. Enter the port command to specify a
                           different port for the health probe.
                           If you configured the SSL server proxy service with no nat server, the
                           TCP health probe uses the virtual IP address that you configured on the
                           SSL server proxy service instead of the server IP address.
                           Note  TCP health probe is not supported when you configure a wildcard
                           proxy and no nat server on the SSL server proxy service.
                           See the “service” section on page 2-52 for information on configuring the
                           SSL server proxy service.
Examples
This example shows how to configure TCP health probe to check whether service at port 80 is up and
running on server IP address 19.0.0.1:
ssl-proxy(config)# ssl-proxy context ssl
ssl-proxy(config-context)# service ssl-1
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# end
ssl-proxy#
This example shows the state of the SSL proxy service when the health probe has failed:
Note
The proxy service is down until service at port 81 is up and running again.
ssl-proxy# show ssl-proxy service ssl-1 context ssl
Service id: 0, bound_service_id: 256
Virtual IP: 7.100.100.180, port: 443
Server IP: 19.0.0.1, port: 81
TCP Health Probe Policy: probe1
rsa-general-purpose certificate trustpoint: cert1024
Certificate chain for new connections:
Certificate:
Key Label: cert1024.key, 1024-bit, exportable
Key Timestamp: 05:18:23 UTC Dec 30 2005
Serial Number: 12F332E200000000000D
Root CA Certificate:
Serial Number: 6522F512C30E078447D8AFC35567B101
Certificate chain complete
Context name: ssl
Context Id : 1
Admin Status: up
Operation Status: down
Proxy status: Health Probe Failed
This example shows how to configure TCP health probe to check whether service at port 81 is up and
running on server IP address 19.0.0.1:
ssl-proxy(config-context)# service ssloffload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# 81
Warning: Port in the service ssloffload configuration (80) differs from the port in the
health probe configuration (81)
ssl-proxy(config-ctx-tcp-probe)# exit
ssl-proxy(config-context)#
This example shows how to configure TCP health probe to check whether service at port 80 is up and
running on virtual IP address 7.100.100.180:
ssl-proxy(config-context)# service ssloffload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# no nat server
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# exit
ssl-proxy(config-context)#
This example shows how to configure TCP health probe to check whether service at port 444 is up and
running on virtual IP address 7.100.100.180:
ssl-proxy(config-context)# service ssloffload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# no nat server
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# 444
ssl-proxy(config-ctx-tcp-probe)# exit
Warning: Port in the service ssloffload configuration (80) differs from the port in the
health probe configuration (444)
ssl-proxy(config-context)#
Related Commands
show ssl-proxy policy
show ssl-proxy service
policy http-header
To enter the HTTP header insertion configuration submode, use the policy http-header command.
policy http-header http-header-policy-name
Syntax Description
http-header-policy-name    HTTP header policy name.
Defaults
This command has no default settings.
Command Modes
Context subcommand mode
Command History
Release                              Modification
SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)   The policy http-header command (entered in context subcommand mode) replaces the ssl-proxy policy http-header command (entered in global subcommand mode).
                                     This command was changed to add the following submode commands:
                                     • client-cert pem
                                     • alias
Usage Guidelines
In HTTP header insertion configuration submode, you can define the HTTP header insertion content
policy that is applied to the payload.
HTTP header insertion allows you to insert additional HTTP headers to indicate to the real server that
the connection is actually an SSL connection. These headers allow server applications to collect correct
information for each SSL session and/or client.
You can insert these header types:
• Client Certificate—Client certificate header insertion allows the back-end server to see the attributes of the client certificate that the SSL module has authenticated and approved. When you specify client-cert, the SSL module passes the following headers to the back-end server:
Field To Insert                                    Description
ClientCert-Valid                                   Certificate validity state
ClientCert-Error                                   Error conditions
ClientCert-Fingerprint                             Hash output
ClientCert-Subject-CN                              X.509 subject’s common name
ClientCert-Issuer-CN                               X.509 certificate issuer’s common name
ClientCert-Certificate-Version                     X.509 certificate version
ClientCert-Serial-Number                           Certificate serial number
ClientCert-Data-Signature-Algorithm                X.509 hashing and encryption method
ClientCert-Subject                                 X.509 subject’s distinguished name
ClientCert-Issuer                                  X.509 certificate issuer’s distinguished name
ClientCert-Not-Before                              Certificate is not valid before this date
ClientCert-Not-After                               Certificate is not valid after this date
ClientCert-Public-Key-Algorithm                    The algorithm used for the public key
ClientCert-RSA-Public-Key-Size                     Size of the RSA public key
ClientCert-RSA-Modulus-Size                        Size of the RSA private key
ClientCert-RSA-Modulus                             RSA modulus
ClientCert-RSA-Exponent                            The public RSA exponent
ClientCert-X509v3-Authority-Key-Identifier         X.509 authority key identifier
ClientCert-X509v3-Basic-Constraints                X.509 basic constraints
ClientCert-X509v3-Key-Usage                        X.509 key usage
ClientCert-X509v3-Subject-Alternative-Name         X.509 subject alternative name
ClientCert-X509v3-CRL-Distribution-Points          X.509 CRL distribution points
ClientCert-X509v3-Authority-Information-Access     X.509 authority information access
ClientCert-Signature-Algorithm                     Certificate signature algorithm
ClientCert-Signature                               Certificate signature
• Client Certificate in PEM format—When you specify client-cert pem, the SSL module sends the entire client certificate in PEM format.
• Client IP and Port Address—Network address translation (NAT) removes the client IP address and port information. When you specify client-ip-port, the SSL module inserts the client IP address and information about the client port into the HTTP header, allowing the server to see the client IP address and port.
• Custom—When you specify custom custom-string, the SSL module inserts the user-defined header into the HTTP header.
• Prefix—When you specify prefix prefix-string, the SSL module adds the specified prefix into the HTTP header to enable the server to identify that the connections are coming from the SSL module, not from other appliances.
• Header alias—Some applications use different names for the standard header. You can create an alias for the standard name of the header so that the same value is passed using the aliased name instead of the standard name that the SSL Services Module sends. If you have specified a prefix for header insertion, the prefix is also applied to the aliased name.
• SSL Session—Session headers, including the session ID, are used to cache client certificates that are based on the session ID. The session headers are also cached on a session basis if the server wants to track connections that are based on a particular cipher suite. When you specify session, the SSL Services Module passes information specific to an SSL connection to the back-end server in the form of the following session headers.
Field to insert                       Description
Session-Id                            The SSL session ID
Session-Cipher-Name                   The symmetric cipher suite
Session-Cipher-Key-Size               The symmetric cipher key size
Session-Cipher-Use-Size               The symmetric cipher use size
Session-Step-Up                       TRUE if the server presented a stepup certificate and the client renegotiated the cipher; otherwise FALSE
Session-Initial-Cipher-Name           If Session-Step-Up is TRUE, the initially negotiated cipher name
Session-Initial-Cipher-Key-Size       If Session-Step-Up is TRUE, the initially negotiated cipher’s key size
Session-Initial-Cipher-Use-Size       If Session-Step-Up is TRUE, the initially negotiated cipher’s use size
Table 2-3 lists the commands available in HTTP header insertion configuration submode.
Table 2-3    HTTP Header Insertion Configuration Submode Command Descriptions
Syntax                                  Description
alias user-defined-name standard-name   Specifies the alias name of the header.
                                        Note  You can configure only one alias per standard name. You cannot configure the same alias name for multiple standard names.
client-cert [pem]                       Allows the back-end server to see the attributes of the client certificate that the SSL module has authenticated and approved.
                                        Note  You can insert the headers listed below by entering the client-cert command, or you can send the entire client certificate in PEM format by entering the client-cert pem command.
                                        Note  The client certificate headers, or the client certificate in PEM format, are inserted only if the policy’s service is configured for client authentication. The root CA and intermediate CA certificates will not be inserted when the client certificate is inserted in the HTTP header.
client-ip-port                          Inserts the client IP address and information about the client port into the HTTP header, allowing the server to see the client IP address and port.
custom custom-string                    Inserts the custom-string header into the HTTP header.
prefix prefix-string                    Adds the prefix-string to the HTTP header to enable the server to identify the connections that come from the SSL module, not from other appliances.
session                                 Passes information that is specific to an SSL connection to the back-end server as session headers.
Examples
This example shows how to enter the HTTP header insertion configuration submode:
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# policy http-header test1
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to allow the back-end server to see the attributes of the client certificate that
the SSL module has authenticated and approved:
ssl-proxy(config-ctx-http-header-policy)# client-cert
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to insert the client IP address and information about the client port into the
HTTP header, allowing the server to see the client IP address and port:
ssl-proxy(config-ctx-http-header-policy)# client-ip-port
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to insert the custom-string header into the HTTP header:
ssl-proxy(config-ctx-http-header-policy)# custom "SOFTWARE VERSION:3.1(1)"
ssl-proxy(config-ctx-http-header-policy)# custom "module:SSL MODULE - CATALYST 6500"
ssl-proxy(config-ctx-http-header-policy)# custom type-of-proxy:server_proxy_1024_bit_key_size
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to add the prefix-string into the HTTP header:
ssl-proxy(config-ctx-http-header-policy)# prefix SSL-OFFLOAD
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to pass information that is specific to an SSL connection to the back-end server
as session headers:
ssl-proxy(config-ctx-http-header-policy)# session
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to create a header alias for the standard “session-cipher-name” header:
ssl-proxy(config-ctx-http-header-policy)# alias My-Session-Cipher session-cipher-name
In addition to the standard HTTP headers, the following header information is inserted:
Note
The alias name (My-Session-Cipher) is used instead of the standard name (session-cipher-name).
SSL-OFFLOAD-Client-IP:7.100.100.1
SSL-OFFLOAD-Client-Port:59008
SSL-OFFLOAD-SOFTWARE VERSION:3.1(1)
SSL-OFFLOAD-module:SSL MODULE - CATALYST 6500
SSL-OFFLOAD-type-of-proxy:server_proxy_1024_bit_key_size
SSL-OFFLOAD-Session-Id:33:FF:2C:2D:25:15:3C:50:56:AB:FA:5A:81:0A:EC:E9:00:00:0A:03:00:60:
2F:30:9C:2F:CD:56:2B:91:F2:FF
SSL-OFFLOAD-My-Session-Cipher:RC4-SHA
SSL-OFFLOAD-Session-Cipher-Key-Size:128
SSL-OFFLOAD-Session-Cipher-Use-Size:128
SSL-OFFLOAD-Session-Step-Up:FALSE
SSL-OFFLOAD-Session-Initial-Cipher-Key-Size:
SSL-OFFLOAD-Session-Initial-Cipher-Name:
SSL-OFFLOAD-Session-Initial-Cipher-Use-Size:
SSL-OFFLOAD-ClientCert-Valid:1
SSL-OFFLOAD-ClientCert-Error:none
SSL-OFFLOAD-ClientCert-Fingerprint:1B:11:0F:E8:20:3F:6C:23:12:9C:76:C0:C1:C2:CC:85
SSL-OFFLOAD-ClientCert-Subject-CN:a
SSL-OFFLOAD-ClientCert-Issuer-CN:Certificate Manager
SSL-OFFLOAD-ClientCert-Certificate-Version:3
SSL-OFFLOAD-ClientCert-Serial-Number:0F:E5
SSL-OFFLOAD-ClientCert-Data-Signature-Algorithm:sha1WithRSAEncryption
SSL-OFFLOAD-ClientCert-Subject:OID.1.2.840.113549.1.9.2 = ste2-server.cisco.com +
OID.2.5.4.5 = B0FFF22E, CN = a, O = Cisco
SSL-OFFLOAD-ClientCert-Issuer:CN = Certificate Manager, OU = HSS, O = Cisco, L = San Jose,
ST = California, C = US
SSL-OFFLOAD-ClientCert-Not-Before:22:29:26 UTC Jul 30 2003
SSL-OFFLOAD-ClientCert-Not-After:07:00:00 UTC Apr 27 2006
SSL-OFFLOAD-ClientCert-Public-Key-Algorithm:rsaEncryption
SSL-OFFLOAD-ClientCert-RSA-Public-Key-Size:1024 bit
SSL-OFFLOAD-ClientCert-RSA-Modulus-Size:1024 bit
SSL-OFFLOAD-ClientCert-RSA-Modulus:B3:32:3C:5E:C9:D1:CC:76:FF:81:F6:F7:97:58:91:4D:B2:0E:
C1:3A:7B:62:63:BD:5D:F6:5F:68:F0:7D:AC:C6:72:F5:72:46:7E:FD:38:D3:A2:E1:03:8B:EC:F7:C9:9A:
80:C7:37:DA:F3:BE:1F:F4:5B:59:BD:52:72:94:EE:46:F5:29:A4:B3:9B:2E:4C:69:D0:11:59:F7:68:3A:
D9:6E:ED:6D:54:4E:B5:A7:89:B9:45:9E:66:0B:90:0B:B1:BD:F4:C8:15:12:CD:85:13:B2:0B:FE:7E:8D:
F0:D7:4A:98:BB:08:88:6E:CC:49:60:37:22:74:4D:73:1E:96:58:91
SSL-OFFLOAD-ClientCert-RSA-Exponent:00:01:00:01
SSL-OFFLOAD-ClientCert-X509v3-Authority-Key-Identifier:keyid=EE:EF:5B:BD:4D:CD:F5:6B:60:
9D:CF:46:C2:EA:25:7B:22:A5:08:00
SSL-OFFLOAD-ClientCert-X509v3-Basic-Constraints:
SSL-OFFLOAD-ClientCert-Signature-Algorithm:sha1WithRSAEncryption
SSL-OFFLOAD-ClientCert-Signature:87:09:C1:F8:86:C1:15:C5:57:18:8E:B3:0D:62:E1:0F:6F:D4:9D:
75:DA:5D:53:E2:C6:0B:73:99:61:BE:B0:F6:19:83:F2:E5:48:1B:D2:6C:92:83:66:B3:63:A6:58:B4:5C:
0E:5D:1B:60:F9:86:AF:B3:93:07:77:16:74:4B:C5
SSL-OFFLOAD-ClientCert-X509v3-Subject-Alternative-Name:
ipAddress=192.168.1.100,rfc822Name=my@other.com
SSL-OFFLOAD-ClientCert-X509v3-Key-Usage: Digital Signature,Non-Repudiation,Key
Encipherment,
Data Encipherment,Key Agreement,Key Cert Sign,CRL Signature,Encipher Only,Decipher Only
SSL-OFFLOAD-ClientCert-X509v3-Authority-Information-Access: Access Method=OCSP,Access
Location=http://ocsp.my.host/"
SSL-OFFLOAD-ClientCert-X509v3-CRL-Distribution-Points: http://myhost.com/myca.crl
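As an added example (not from the command reference), here is how a back-end application might consume the inserted headers shown above: keep only headers carrying the configured prefix, map the alias My-Session-Cipher back to Session-Cipher-Name, and check the ClientCert-* and Session-* fields before relying on the client identity. The sample header values and all function names are constructed for this example.

```python
from datetime import datetime, timezone

# Prefix and alias as configured in the command reference's example
# (prefix SSL-OFFLOAD, alias My-Session-Cipher session-cipher-name).
PREFIX = "SSL-OFFLOAD-"
ALIASES = {"My-Session-Cipher": "Session-Cipher-Name"}

# Constructed sample request headers, as a back-end application would receive
# them. The values mimic the format shown in the command reference but are
# made up here; the last, unprefixed header stands for one the client could
# have added itself and therefore must not be trusted.
SAMPLE_HEADERS = [
    ("SSL-OFFLOAD-Client-IP", "7.100.100.1"),
    ("SSL-OFFLOAD-Client-Port", "59008"),
    ("SSL-OFFLOAD-Session-Id", "33:FF:2C:2D:25:15:3C:50"),
    ("SSL-OFFLOAD-My-Session-Cipher", "RC4-SHA"),
    ("SSL-OFFLOAD-Session-Cipher-Key-Size", "128"),
    ("SSL-OFFLOAD-Session-Step-Up", "FALSE"),
    ("SSL-OFFLOAD-Session-Initial-Cipher-Name", ""),
    ("SSL-OFFLOAD-ClientCert-Valid", "1"),
    ("SSL-OFFLOAD-ClientCert-Error", "none"),
    ("SSL-OFFLOAD-ClientCert-Subject-CN", "a"),
    ("SSL-OFFLOAD-ClientCert-Not-Before", "22:29:26 UTC Jul 30 2003"),
    ("SSL-OFFLOAD-ClientCert-Not-After", "07:00:00 UTC Apr 27 2006"),
    ("ClientCert-Valid", "1"),
]


def parse_cisco_time(text):
    """Parse the timestamp format used in the inserted headers,
    e.g. '22:29:26 UTC Jul 30 2003', into an aware UTC datetime."""
    return datetime.strptime(text, "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)


def collect_offload_headers(headers, prefix=PREFIX, aliases=ALIASES):
    """Return {standard-name-lowercased: value} for headers that carry the
    module's prefix. Unprefixed headers are dropped; aliased names are mapped
    back to the standard name the module would otherwise have sent."""
    reverse = {alias.lower(): standard.lower() for alias, standard in aliases.items()}
    collected = {}
    for name, value in headers:
        if not name.lower().startswith(prefix.lower()):
            continue  # not inserted by the SSL module: ignore it
        bare = name[len(prefix):].lower()
        collected[reverse.get(bare, bare)] = value.strip()
    return collected


def evaluate_client_cert(h, now):
    """Decide whether the ClientCert-* headers describe a certificate the
    back end should accept at time `now`. Returns (accepted, reasons)."""
    reasons = []
    if h.get("clientcert-valid") != "1":
        reasons.append("module did not report the client certificate as valid")
    if h.get("clientcert-error", "none").lower() != "none":
        reasons.append("module reported a certificate error: " + h["clientcert-error"])
    try:
        not_before = parse_cisco_time(h["clientcert-not-before"])
        not_after = parse_cisco_time(h["clientcert-not-after"])
        if not (not_before <= now <= not_after):
            reasons.append("request time is outside the certificate validity window")
    except (KeyError, ValueError):
        reasons.append("validity dates missing or unparsable")
    return (not reasons, reasons)


def session_summary(h):
    """Summarise the Session-* headers. The Session-Initial-Cipher-* headers
    carry a value only when Session-Step-Up is TRUE; otherwise the module sends
    them empty, so they are reported only in the step-up case."""
    step_up = h.get("session-step-up", "FALSE").upper() == "TRUE"
    summary = {
        "session_id": h.get("session-id"),
        "cipher": h.get("session-cipher-name"),
        "key_size": int(h["session-cipher-key-size"]) if h.get("session-cipher-key-size") else None,
        "step_up": step_up,
    }
    if step_up:
        summary["initial_cipher"] = h.get("session-initial-cipher-name")
    return summary


if __name__ == "__main__":
    hdrs = collect_offload_headers(SAMPLE_HEADERS)
    print(session_summary(hdrs))
    print(evaluate_client_cert(hdrs, parse_cisco_time("00:00:00 UTC Jan 01 2005")))
```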
Related Commands
show ssl-proxy policy
policy ssl
To enter the SSL-policy configuration submode, use the policy ssl command. In the SSL-policy
configuration submode, you can define the SSL policy for one or more SSL-proxy services.
policy ssl ssl-policy-name
Syntax Description
ssl-policy-name    SSL policy name.
Defaults
The defaults are as follows:
• cipher is all-strong.
• close-protocol is disabled.
• session-caching is enabled.
• version is all.
• session-cache size size is 262143 entries.
• timeout session timeout is 0 seconds.
• timeout handshake timeout is 0 seconds.
• cert-req empty is disabled.
• tls-rollback is disabled.
• renegotiation is disabled.
Command Modes
Context subcommand mode
Command History
Release                                                              Modification
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 1.2(1)                                   This command was changed to add the following subcommands:
                                                                     • session-cache size size
                                                                     • timeout session timeout [absolute]
SSL Services Module Release 2.1(5)                                   This command was changed to add the following subcommands:
                                                                     • cert-req empty
                                                                     • tls-rollback [current | any]
SSL Services Module Release 3.1(1)                                   The policy ssl command (entered in context subcommand mode) replaces the ssl-proxy policy ssl command (entered in global subcommand mode).
                                                                     This command was changed to add the following submode commands:
                                                                     • cipher rsa-exp-with-des40-cbc-sha
                                                                     • cipher rsa-exp-with-rc4-40-md5
                                                                     • cipher rsa-exp1024-with-des-cbc-sha
                                                                     • cipher rsa-exp1024-with-rc4-56-md5
                                                                     • cipher rsa-exp1024-with-rc4-56-sha
                                                                     • cipher rsa-with-null-md5
                                                                     • renegotiation volume
                                                                     • renegotiation interval
                                                                     • renegotiation wait-time
                                                                     • renegotiation optional
Usage Guidelines
Each SSL-policy configuration submode command is entered on its own line.
Table 2-4 lists the commands available in SSL-policy configuration submode.
Table 2-4    SSL-Policy Configuration Submode Command Descriptions
Syntax                                                        Description
cert-req empty                                                Allows you to specify that the SSL Services Module backend service always returns the certificate associated with the trustpoint and does not look for a CA-name match.
cipher-suite {all | all-export | all-strong | rsa-exp-with-des40-cbc-sha | rsa-exp-with-rc4-40-md5 | rsa-exp1024-with-des-cbc-sha | rsa-exp1024-with-rc4-56-md5 | rsa-exp1024-with-rc4-56-sha | rsa-with-3des-ede-cbc-sha | rsa-with-des-cbc-sha | rsa-with-null-md5 | rsa-with-rc4-128-md5 | rsa-with-rc4-128-sha}
                                                              Allows you to configure a list of cipher-suites acceptable to the proxy-server.
[no] close-protocol {strict | none}                           Allows you to configure the SSL close-protocol behavior. Use the no form of this command to disable close protocol.
default {cipher | close-protocol | session-cache | version}   Sets a command to its default settings.
exit                                                          Exits from SSL-policy configuration submode.
help                                                          Provides a description of the interactive help system.
renegotiation volume size                                     Allows you to enable autorenegotiation and specifies the data volume size (in kilobytes).
                                                              When the encrypted or decrypted data amount exceeds this size, the SSL Services Module sends a renegotiation request. This setting is disabled by default. The valid range is from 1024 to 1073741824 kilobytes.
renegotiation interval time                                   Allows you to enable autorenegotiation and specifies the interval (in seconds).
                                                              After the set interval, the SSL Services Module sends a renegotiation request. This setting is disabled by default. The valid range is from 60 to 86400 seconds.
renegotiation wait-time time                                  (Optional) When you enable autorenegotiation, this command specifies the amount of time (in seconds) that the SSL Services Module waits for the peer to respond to the renegotiation request. The default is 100 seconds. The valid range is from 10 to 300 seconds.
renegotiation optional                                        (Optional) When you enable autorenegotiation, the SSL Services Module allows the session to continue if the peer does not respond to the renegotiation request after timeout. This setting is disabled by default and the session is disconnected after timeout.
[no] session-cache                                            Allows you to enable the session-caching feature. Use the no form of this command to disable session caching.
session-cache size size                                       Specifies the maximum number of session entries to be allocated for a given service; valid values are from 1 to 262143 entries.
timeout handshake timeout                                     Allows you to configure how long the module keeps the connection in the handshake phase; valid values are from 0 to 65535 seconds.
timeout session timeout [absolute]                            Allows you to configure the session timeout. The syntax description is as follows:
                                                              • timeout—Session timeout; valid values are from 0 to 72000 seconds.
                                                              • absolute—(Optional) The session entry is not removed until the configured timeout has completed.
tls-rollback [current | any]                                  Allows you to specify if the SSL protocol version number in the TLS/SSL premaster secret message is either the maximum version or the negotiated version (current) or if the version is not checked (any).
version {all | ssl3 | tls1}                                   Allows you to set the version of SSL to one of the following:
                                                              • all—Both SSL3 and TLS1 versions are used.
                                                              • ssl3—SSL version 3 is used.
                                                              • tls1—TLS version 1 is used.
You can define the SSL policy templates using the policy ssl ssl-policy-name command and associate an
SSL policy with a particular proxy server using the proxy server configuration CLI. The SSL policy
template allows you to define various parameters that are associated with the SSL handshake stack.
When you enter the close-notify strict command, the SSL Services Module sends a close-notify alert
message to the SSL peer, and the SSL Services Module expects a close-notify alert message from the
SSL peer. If the SSL Services Module does not receive a close-notify alert, SSL resumption is not
allowed for that session.
When you enter the close-notify none command, the SSL Services Module does not send a close-notify
alert message to the SSL peer, and the SSL Services Module does not expect a close-notify alert message
from the SSL peer. The SSL Services Module preserves the session information so that SSL resumption
can be used for future SSL connections.
When close-notify is disabled (default), the SSL Services Module sends a close-notify alert message to
the SSL peer; however, the SSL peer does not expect a close-notify alert before removing the session.
Whether the SSL peer sends the close-notify alert or not, the session information is preserved allowing
session resumption for future SSL connections.
The cipher-suite names follow the same convention as the existing SSL stacks.
The cipher-suites that are acceptable to the proxy-server are as follows:
• all-export—All export ciphers
• all-strong—All strong ciphers (default)
• all—All supported ciphers
• RSA-WITH-3DES-EDE-CBC-SHA—RSA with 3des-sha
• RSA-WITH-DES-CBC-SHA—RSA with des-sha
• RSA-WITH-RC4-128-MD5—RSA with rc4-md5
• RSA-WITH-RC4-128-SHA—RSA with rc4-sha
• RSA-EXP-WITH-DES40-CBC-SHA—RSA export with des40-sha
• RSA-EXP-WITH-RC4-40-MD5—RSA export with rc4-md5
• RSA-EXP1024-WITH-DES-CBC-SHA—RSA export1024 with des-sha
• RSA-EXP1024-WITH-RC4-56-MD5—RSA export1024 with rc4-md5
• RSA-EXP1024-WITH-RC4-56-SHA—RSA export1024 with rc4-sha
• RSA-WITH-NULL-MD5—RSA with null-md5
If you enter the timeout session timeout absolute command, the session entry is kept in the session
cache for the configured timeout before it is cleaned up. If the session cache is full, the timers are active
for all the entries, the absolute keyword is configured, and all further new sessions are rejected.
If you enter the timeout session timeout command without the absolute keyword, the specified timeout
is treated as the maximum timeout and a best-effort attempt is made to keep the session entry in the
session cache. If the session cache runs out of session entries, the session entry that is currently being
used is removed for incoming new connections.
When you enter the cert-req empty command, the SSL Services Module back-end service always
returns the certificate associated with the trustpoint and does not look for a CA-name match. By default,
the SSL Services Module always looks for a CA-name match before returning the certificate. If the SSL
server does not include a CA-name list in the certificate request during client authentication, the
handshake fails.
By default, the SSL Services Module uses the maximum supported SSL protocol version (SSL2.0,
SSL3.0, or TLS1.0) in the ClientHello message. Enter the tls-rollback [current | any] command if the
SSL client uses the negotiated version instead of the maximum supported version (as specified in the
ClientHello message).
When you enter the tls-rollback current command, the SSL protocol version can be either the maximum
supported version or the negotiated version.
When you enter the tls-rollback any command, the SSL protocol version is not checked at all.
Examples
This example shows how to enter the SSL-policy configuration submode:
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# policy ssl sslpl1
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to define the cipher suites that are supported for the SSL-policy:
ssl-proxy (config-ctx-ssl-policy)# cipher RSA_WITH_3DES_EDE_CBC_SHA
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to enable the SSL-session closing protocol and configure the strict closing
protocol behavior:
ssl-proxy (config-ctx-ssl-policy)# close-protocol strict
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to disable the SSL-session closing protocol:
ssl-proxy (config-ctx-ssl-policy)# no close-protocol
ssl-proxy (config-ctx-ssl-policy)#
These examples show how to set a given command to its default setting:
ssl-proxy (config-ctx-ssl-policy)# default cipher
ssl-proxy (config-ctx-ssl-policy)# default close-protocol
ssl-proxy (config-ctx-ssl-policy)# default session-cache
ssl-proxy (config-ctx-ssl-policy)# default version
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to enable a session cache:
ssl-proxy (config-ctx-ssl-policy)# session-cache
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to disable a session cache:
ssl-proxy (config-ctx-ssl-policy)# no session-cache
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to set the maximum number of session entries to be allocated for a given
service:
ssl-proxy (config-ctx-ssl-policy)# session-cache size 22000
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to configure the session timeout to absolute:
ssl-proxy (config-ctx-ssl-policy)# timeout session 30000 absolute
ssl-proxy (config-ctx-ssl-policy)#
These examples show how to enable the support of different SSL versions:
ssl-proxy (config-ctx-ssl-policy)# version all
ssl-proxy (config-ctx-ssl-policy)# version ssl3
ssl-proxy (config-ctx-ssl-policy)# version tls1
ssl-proxy (config-ctx-ssl-policy)#
Related Commands
show ssl-proxy stats
show ssl-proxy stats ssl
policy tcp
To enter the proxy policy TCP configuration submode, use the policy tcp command. In proxy-policy
TCP configuration submode, you can define the TCP policy templates.
policy tcp tcp-policy-name
Syntax Description
tcp-policy-name    TCP policy name.
Defaults
The defaults are as follows:
• buffer-share rx is 32768 bytes.
• buffer-share tx is 32768 bytes.
• delayed-ack-threshold is 2.
• delayed-ack-timeout is 200 seconds.
• mss is 1460 bytes.
• nagle is enabled.
• timeout syn is 75 seconds.
• timeout reassembly is 60 seconds.
• timeout inactivity is 600 seconds.
• timeout fin-wait is 600 seconds.
• tos carryover is disabled.
Command Modes
Context subcommand mode
Command History
Release                                                              Modification
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 1.2(1)                                   This command was changed to add the timeout reassembly time subcommand.
SSL Services Module Release 2.1(4)                                   This command was changed to add the tos carryover subcommand.
SSL Services Module Release 3.1(1)                                   The policy tcp command (entered in context subcommand mode) replaces the ssl-proxy policy tcp command (entered in global subcommand mode).
                                                                     This command was changed to add the following submode commands:
                                                                     • forced-ack
                                                                     • nagle
Usage Guidelines
After you define the TCP policy, you can associate the TCP policy with a proxy server using the
proxy-policy TCP configuration submode commands.
Each proxy-policy TCP configuration submode command is entered on its own line.
Table 2-5 lists the commands that are available in proxy-policy TCP configuration submode.
Table 2-5    Proxy-policy TCP Configuration Submode Command Descriptions
Syntax                                        Description
[no] buffer-share rx buffer-limit-in-bytes    Allows you to configure the maximum size of the receive buffer share per connection; valid values are from 8192 to 262144. Use the no form of this command to return to the default setting.
[no] buffer-share tx buffer-limit-in-bytes    Allows you to configure the maximum size of the transmit buffer share per connection; valid values are from 8192 to 262144. Use the no form of this command to return to the default setting.
default                                       Sets a command to its default settings.
delayed-ack-threshold delay                   Allows you to configure the delayed ACK threshold. The default is 2. The valid range is from 1 to 10.
delayed-ack-timeout timer                     Allows you to configure the delayed ACK timeout. The default is 200 seconds. The valid range is from 50 to 500 seconds.
exit                                          Exits from proxy-service configuration submode.
forced-ack                                    Allows you to enable the forced-ACK algorithm.
help                                          Provides a description of the interactive help system.
[no] mss max-segment-size-in-bytes            Allows you to configure the maximum segment size that the connection identifies in the generated SYN packet; valid values are from 64 to 1460. Use the no form of this command to return to the default setting.
[no] nagle                                    Allows you to enable or disable the Nagle algorithm. Nagle is enabled by default.
[no] timeout fin-wait timeout-in-seconds      Allows you to configure the FIN wait timeout; valid values are from 75 to 600 seconds. Use the no form of this command to return to the default setting.
[no] timeout inactivity timeout-in-seconds    Allows you to configure the inactivity timeout; valid values are from 0 to 960 seconds. This command allows you to set the aging timeout for an idle connection and helps protect the connection resources. Use the no form of this command to return to the default setting.
[no] timeout syn timeout-in-seconds           Allows you to configure the connection establishment timeout; valid values are from 5 to 75 seconds. Use the no form of this command to return to the default setting.
[no] timeout reassembly time                  Allows you to configure the amount of time in seconds before the reassembly queue is cleared; valid values are from 0 to 960 seconds (0 = disabled). If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped. Use the no form of this command to return to the default setting.
[no] tos carryover                            Forwards the type of service (ToS) value to all packets within a flow.
                                              Note  If the policy is configured as a server TCP policy, the ToS value is sent from the server to the client. If the policy is configured as a virtual policy, the ToS value is sent from the client to the server.
                                              Note  The ToS value needs to be learned before it can be propagated. For example, when a ToS value is configured to be propagated from the server to client connection, the server connection must be established before the value is learned and propagated. Therefore, some of the initial packets will not carry the ToS value.
TCP commands that you enter on the SSL Services Module can apply either globally or to a particular
proxy server.
You can configure a different maximum segment size for the client side and the server side of the proxy
server.
The TCP policy template allows you to define parameters that are associated with the TCP stack.
You can either enter the no form of the command or use the default keyword to return to the default
setting.
Examples
This example shows how to enter the proxy-policy TCP configuration submode:
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# ssl-proxy policy tcp tcppl1
ssl-proxy(config-ctx-tcp-policy)#
These examples show how to set a given command to its default value:
ssl-proxy (config-ctx-tcp-policy)# default timeout fin-wait
ssl-proxy (config-ctx-tcp-policy)# default inactivity-timeout
ssl-proxy (config-ctx-tcp-policy)# default buffer-share rx
ssl-proxy (config-ctx-tcp-policy)# default buffer-share tx
ssl-proxy (config-ctx-tcp-policy)# default mss
ssl-proxy (config-ctx-tcp-policy)# default timeout syn
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the FIN-wait timeout in seconds:
ssl-proxy (config-ctx-tcp-policy)# timeout fin-wait 200
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the inactivity timeout in seconds:
ssl-proxy (config-ctx-tcp-policy)# timeout inactivity 300
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the maximum size for the receive buffer configuration:
ssl-proxy (config-ctx-tcp-policy)# buffer-share rx 16384
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the maximum size for the transmit buffer configuration:
ssl-proxy (config-ctx-tcp-policy)# buffer-share tx 13444
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the maximum size for the TCP segment:
ssl-proxy (config-ctx-tcp-policy)# mss 1460
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the initial connection (SYN)-timeout value:
ssl-proxy (config-ctx-tcp-policy)# timeout syn 5
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the reassembly-timeout value:
ssl-proxy (config-ctx-tcp-policy)# timeout reassembly 120
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to carry over the ToS value to all packets within a flow:
ssl-proxy (config-ctx-tcp-policy)# tos carryover
ssl-proxy (config-ctx-tcp-policy)#
Related Commands
show ssl-proxy policy
policy url-rewrite
To enter the URL rewrite configuration submode, use the policy url-rewrite command. In URL rewrite
configuration submode, you can define the URL-rewrite content policy that is applied to the payload.
policy url-rewrite url-rewrite-policy-name
Syntax Description
url-rewrite-policy-name
URL rewrite policy name.
Defaults
This command has no default settings.
Command Modes
Context subcommand mode
Command History
Release
Modification
SSL Services Module Release 2.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)
The policy url-rewrite command (entered in context subcommand mode) replaces the ssl-proxy policy
url-rewrite command (entered in global subcommand mode).
Usage Guidelines
URL rewrite allows you to rewrite redirection links only.
A URL rewrite policy consists of up to 32 rewrite rules for each SSL proxy service.
Table 2-6 lists the commands that are available in proxy-policy configuration submode.
Table 2-6
Proxy-policy Configuration Submode Command Descriptions
default
Sets a command to its default settings.
exit
Exits from proxy-policy configuration submode.
help
Provides a description of the interactive help system.
[no] url url-string [clearport port-number |
sslport port-number]
Allows you to configure the URL string to be rewritten. Use the no form of
this command to remove the policy.
url-string—Specifies the host portion of the URL link to be rewritten; it can have a maximum of
251 characters. You can use the asterisk (*) wildcard only as a prefix or a suffix of a hostname in a
rewrite rule. For example, you can use the hostname in one of the following ways:
• www.cisco.com
• *.cisco.com
• wwwin.cisco.*
clearport port-number—(Optional) Specifies the port portion of the URL link that is to be rewritten;
valid values are from 1 to 65535.
sslport port-number—(Optional) Specifies the port portion of the URL link that is to be written; valid
values are from 1 to 65535.
Enter the no form of the command to remove the policy.
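As an added example (not Cisco's code), the following Python model captures the rule semantics stated above: a host pattern of at most 251 characters with the asterisk allowed only as a prefix or a suffix, clearport and sslport values from 1 to 65535, and rewriting applied to redirection links only. The RewriteRule class, the 80/443 port defaults, first-match rule ordering and the http-to-https mapping of a redirect target are assumptions about how the module applies a rule; the reference only defines the fields and their limits. The RULES list is constructed here from the page's sample hostnames plus one non-default port pair.

```python
"""Model of the URL-rewrite rule semantics (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit, urlunsplit

MAX_HOST_LEN = 251                          # limit stated for url-string
HOST_CHARS = re.compile(r"[A-Za-z0-9.-]*")  # assumed hostname alphabet


@dataclass(frozen=True)
class RewriteRule:
    """One 'url host-pattern [clearport N] [sslport N]' rule.

    The 80/443 defaults are an assumption; the reference only marks both
    keywords optional and gives the 1..65535 range.
    """
    host_pattern: str
    clearport: int = 80
    sslport: int = 443


def validate_rule(rule: RewriteRule) -> None:
    """Raise ValueError when the rule violates the documented limits."""
    p = rule.host_pattern
    if not p or len(p) > MAX_HOST_LEN:
        raise ValueError(f"host pattern must be 1..{MAX_HOST_LEN} characters")
    stars = p.count("*")
    if stars > 1 or (stars == 1 and not (p.startswith("*") or p.endswith("*"))):
        raise ValueError("'*' is allowed only as a prefix or a suffix of the hostname")
    literal = p.strip("*")
    if not literal or not HOST_CHARS.fullmatch(literal):
        raise ValueError("hostname may contain only letters, digits, '.' and '-'")
    for name, port in (("clearport", rule.clearport), ("sslport", rule.sslport)):
        if not 1 <= port <= 65535:
            raise ValueError(f"{name} must be 1..65535")


def is_valid_rule(rule: RewriteRule) -> bool:
    """Accept/reject wrapper around validate_rule."""
    try:
        validate_rule(rule)
        return True
    except ValueError:
        return False


def host_matches(pattern: str, host: str) -> bool:
    """Apply the prefix/suffix wildcard; DNS names compare case-insensitively."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def rewrite_location(rules: Iterable[RewriteRule], location: str) -> str:
    """Rewrite an http:// redirect target to https:// when a rule matches.

    A rule applies when its host pattern matches the URL host and the URL's
    explicit or implied port equals the rule's clearport; the first matching
    rule wins. Non-http, malformed and unmatched URLs are returned unchanged,
    which is the safe failure mode for a redirect header.
    """
    parts = urlsplit(location)
    if parts.scheme != "http" or not parts.hostname:
        return location
    try:
        port = parts.port or 80
    except ValueError:          # non-numeric or out-of-range port: leave it alone
        return location
    for rule in rules:
        if host_matches(rule.host_pattern, parts.hostname) and port == rule.clearport:
            netloc = parts.hostname if rule.sslport == 443 else f"{parts.hostname}:{rule.sslport}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return location


# Constructed rule set: the page's www.cisco.com sample plus a non-default port pair.
RULES = [RewriteRule("www.cisco.com", 80, 443),
         RewriteRule("*.example.test", 8080, 8443)]
for _rule in RULES:
    validate_rule(_rule)
```

The validator rejects a pattern such as www.*.com or *.cisco.* before it is ever applied, which mirrors the CLI's own restriction; rewrite_location deliberately leaves a URL untouched when the port does not match the rule's clearport, since silently rewriting a non-matching redirect is how a clear-text back end ends up reachable under the wrong port.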
Examples
This example shows how to enter the URL rewrite configuration submode for the test1 policy:
ssl-proxy(config)# ssl-pro context s1
ssl-proxy(config-context)# ssl-proxy policy url-rewrite test1
ssl-proxy(config-ctx-url-rewrite-policy)#
This example shows how to define the URL rewrite policy for the test1 policy:
ssl-proxy(config)# ssl-pro context s1
ssl-proxy(config-context)# ssl-proxy policy url-rewrite test1
ssl-proxy(config-ctx-url-rewrite-policy)# www.cisco.com clearport 80 sslport 443 redirectonly
ssl-proxy(config-ctx-url-rewrite-policy)#
This example shows how to delete the URL rewrite policy for the test1 policy:
ssl-proxy(config)# ssl-pro context s1
ssl-proxy(config-context)# ssl-proxy policy url-rewrite test1
ssl-proxy(config-ctx-url-rewrite-policy)# no www.cisco.com clearport 80 sslport 443 redirectonly
ssl-proxy(config-ctx-url-rewrite-policy)#
Related Commands
show ssl-proxy policy
pool ca
To enter the certificate authority pool configuration submode, use the pool ca command. In the
certificate authority pool configuration submode, you can configure a certificate authority pool, which
lists the CAs that the module can trust.
pool ca ca-pool-name
Syntax Description
ca-pool-name
Certificate authority pool name.
Defaults
This command has no arguments or keywords.
Command Modes
Context subcommand mode
Command History
Release
Modification
SSL Services Module Release 2.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)
The pool ca command (entered in context subcommand mode) replaces the ssl-proxy pool ca command
(entered in global subcommand mode).
Usage Guidelines
Enter each certificate-authority pool configuration submode command on its own line.
Table 2-7 lists the commands that are available in certificate-authority pool configuration submode.
Table 2-7
Proxy-policy TCP Configuration Submode Command Descriptions
Syntax
Description
ca
Configures a certificate authority. The available subcommand is as follows:
trustpoint ca-trustpoint-name—Configures a certificate-authority trustpoint.
Use the no form of this command to return to the default setting.
default
Sets a command to its default settings.
exit
Exits from proxy-service configuration submode.
help
Allows you to configure the connection-establishment timeout; valid values are
from 5 to 75 seconds. Use the no form of this command to return to the default
setting.
Examples
This example shows how to add a certificate-authority trustpoint to a pool:
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# pool ca test1
ssl-proxy(config-ctx-ca-pool)# ca trustpoint test20
ssl-proxy(config-ctx-ca-pool)#
service
To enter the proxy-service configuration submode, use the service command.
service ssl-proxy-name [client]
Syntax Description
ssl-proxy-name
SSL proxy name.
client
(Optional) Allows you to configure the SSL-client proxy services. See the
service client command.
Defaults
Server NAT is enabled, and client NAT is disabled.
Command Modes
Context subcommand mode
Command History
Release
Modification
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 2.1(1)
This command was changed to add the following submode commands:
• authenticate
• policy urlrewrite policy-name
• trusted-ca ca-pool-name
• sslv2—See the server ipaddr subcommand.
SSL Services Module Release 3.1(1)
The service command (entered in context subcommand mode) replaces the ssl-proxy service command
(entered in global subcommand mode).
This command was changed to add the following submode commands:
• policy health-probe tcp policy-name
• policy http-header policy-name
Usage Guidelines
You cannot use the same service_name for both the server proxy service and the client proxy service.
In proxy-service configuration submode, you can configure the virtual IP address and port that is
associated with the proxy service and the associated target IP address and port. You can also define TCP
and SSL policies for both the client side (beginning with the virtual keyword) and the server side of the
proxy (beginning with the server keyword).
In client proxy-service configuration submode, you specify that the proxy service accept clear-text
traffic, encrypt it into SSL traffic, and forward it to the back-end SSL server.
In most cases, all of the SSL-server-proxy configurations that are performed are also valid for the
SSL-client-proxy configuration, except for the following:
• You must configure a certificate for the SSL-server-proxy but you do not have to configure a
certificate for the SSL-client-proxy. If you configure a certificate for the SSL-client-proxy, that
certificate is sent in response to the certificate request message that is sent by the server during the
client-authentication phase of the handshake protocol.
• The SSL policy is attached to the virtual subcommand for the SSL server proxy service; whereas,
the SSL policy is attached to the server subcommand for the SSL client proxy service.
Enter each proxy-service or proxy-client configuration submode command on its own line.
Table 2-8 lists the commands that are available in proxy-service or proxy-client configuration submode.
Table 2-8
Proxy-service Configuration Submode Command Descriptions
Syntax
Description
authenticate verify {all | signature-only}
Configures the method for certificate verification. You can specify the
following:
• all—Verifies CRLs and signature authority.
• signature-only—Verifies the signature only.
certificate rsa general-purpose trustpoint trustpoint-name
Configures the certificate with RSA general-purpose keys and associates a
trustpoint to the certificate.
default {certificate | inservice | nat | server | virtual}
Sets a command to its default settings.
description
Allows you to enter a description for proxy service.
exit
Exits from proxy-service or proxy-client configuration submode.
help
Provides a description of the interactive help system.
inservice
Declares a proxy server or client as administratively up.
nat {server | client}{natpool-name}
Specifies the usage of either server NAT or client NAT for the server-side
connection that is opened by the SSL Services Module.
policy health-probe tcp policy-name
Applies a TCP health probe policy to a proxy server.
policy http-header policy-name
Applies an HTTP header insertion policy to a proxy server.
policy urlrewrite policy-name
Applies a URL rewrite policy to a proxy server.
server ipaddr ip-addr protocol protocol
port portno [sslv2]
Defines the IP address of the target server for the proxy server. You can also
specify the port number and the transport protocol. The target IP address can
be a virtual IP address of an SLB device or a real IP address of a web server.
The sslv2 keyword specifies the server that is used for handling SSL version 2
traffic.
server policy tcp
server-side-tcp-policy-name
Applies a TCP policy to the server side of a proxy server. You can specify the
port number and the transport protocol.
trusted-ca ca-pool-name
Applies a trusted certificate authenticate configuration to a proxy server.
virtual ipaddr ip-addr protocol protocol
port portno [secondary]
Defines the virtual IP address of the virtual server to which the STE is
proxying. You can also specify the port number and the transport protocol.
The valid value for protocol is tcp; valid values for portno are from 1 to
65535. The secondary keyword (optional) prevents the STE from replying to
the ARP request coming to the virtual IP address.
virtual policy ssl ssl-policy-name
Applies an SSL policy with the client side of a proxy server.
virtual policy tcp
client-side-tcp-policy-name
Applies a TCP policy to the client side of a proxy server.
vlan vlan
Virtual Service VLAN configuration
Both secured and bridge mode between the Content Switching Module (CSM) and the SSL Services
Module is supported.
Use the secondary keyword (optional) for bridge-mode topology.
Examples
This example shows how to enter the proxy-service configuration submode:
ssl-proxy (config)# ssl-proxy context s1
ssl-proxy (config-context)# service S6
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the method for certificate verification:
ssl-proxy (config-ctx-ssl-proxy)# authenticate verify all
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the certificate for the specified SSL-proxy services:
ssl-proxy (config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint tp1
ssl-proxy (config-ctx-ssl-proxy)#
These examples show how to set a specified command to its default value:
ssl-proxy (config-ctx-ssl-proxy)# default certificate
ssl-proxy (config-ctx-ssl-proxy)# default inservice
ssl-proxy (config-ctx-ssl-proxy)# default nat
ssl-proxy (config-ctx-ssl-proxy)# default server
ssl-proxy (config-ctx-ssl-proxy)# default virtual
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to apply a trusted-certificate authenticate configuration to a proxy server:
ssl-proxy (config-ctx-ssl-proxy)# trusted-ca test1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a virtual IP address for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual ipaddr 207.59.100.20 protocol tcp port 443
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the SSL policy for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual policy ssl sslpl1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the TCP policy for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual policy tcp tcppl1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a clear-text web server for the SSL Services Module to forward
the decrypted traffic:
ssl-proxy (config-ctx-ssl-proxy)# server ipaddr 207.50.0.50 protocol tcp port 80
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a TCP policy for the given clear-text web server:
ssl-proxy (config-ctx-ssl-proxy)# server policy tcp tcppl1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a NAT pool for the client address that is used in the server
connection of the specified service SSL offload:
ssl-proxy (config-ctx-ssl-proxy)# nat client NP1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to enable a NAT server address for the server connection of the specified
service SSL offload:
ssl-proxy (config-ctx-ssl-proxy)# nat server
ssl-proxy (config-ctx-ssl-proxy)#
Related Commands
show ssl-proxy service
service client
To enter the client proxy-service configuration submode, use the service client command.
service ssl-proxy-name client
Syntax Description
ssl-proxy-name
SSL proxy service name.
Defaults
Client NAT is disabled.
Command Modes
Context subcommand mode
Command History
Release
Modification
SSL Services Module Release 2.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)
The service client command (entered in context subcommand mode) replaces the ssl-proxy service client
command (entered in global subcommand mode).
This command was changed to add the following submode commands:
• policy health-probe tcp
• policy http-header
Usage Guidelines
You cannot use the same service_name for both the server proxy service and the client proxy service.
In client proxy-service configuration submode, you specify that the proxy service accept clear-text
traffic, encrypt it into SSL traffic, and forward it to the back-end SSL server.
In most cases, all of the SSL-server-proxy configurations that are performed are also valid for the
SSL-client-proxy configuration, except for the following:
• You must configure a certificate for the SSL-server-proxy but you do not have to configure a
certificate for the SSL-client-proxy. If you configure a certificate for the SSL-client-proxy, that
certificate is sent in response to the certificate request message that is sent by the server during the
client-authentication phase of the handshake protocol.
• The SSL policy is attached to the virtual subcommand for the SSL server proxy service; whereas,
the SSL policy is attached to the server subcommand for the SSL client proxy service.
Each proxy-service or proxy-client configuration submode command is entered on its own line.
Table 2-9 lists the commands that are available in proxy-client configuration submode.
Table 2-9
Proxy-client Configuration Submode Command Descriptions
Syntax
Description
certificate rsa general-purpose trustpoint
trustpoint-name
Configures the certificate with RSA general-purpose keys and associates a
trustpoint to the certificate.
default {certificate | inservice | nat | server | virtual}
Sets a command to its default settings.
description
Allows you to enter a description for the proxy service.
exit
Exits from proxy-client configuration submode.
help
Provides a description of the interactive help system.
inservice
Declares a proxy client as administratively up.
nat {server | client natpool-name}
Specifies the usage of either server NAT or client NAT for the server-side
connection that is opened by the SSL Services Module.
policy health-probe tcp policy-name
Applies a TCP health probe policy to a proxy server.
policy http-header policy-name
Applies an HTTP header insertion policy to a proxy server.
policy urlrewrite policy-name
Applies a URL rewrite policy to the proxy server.
server ipaddr ip-addr protocol protocol
port portno [sslv2]
Defines the IP address of the target server for the proxy server. You can also
specify the port number and the transport protocol. The target IP address can
be a virtual IP address of an SLB device or a real IP address of a web server.
The sslv2 keyword enables SSL version 2.
server policy tcp
server-side-tcp-policy-name
Applies a TCP policy to the server side of a proxy server. You can specify the
port number and the transport protocol.
virtual ipaddr ip-addr protocol protocol
port portno [secondary]
Defines the IP address of the target server for the proxy server. You can also
specify the port number and the transport protocol. The target IP address can
be a virtual IP address of an SLB device or a real IP address of a web server.
virtual policy ssl ssl-policy-name
Applies an SSL policy with the client side of a proxy server.
virtual policy tcp
client-side-tcp-policy-name
Applies a TCP policy to the client side of a proxy server.
vlan vlan
Virtual Service VLAN configuration.
Both secured mode and bridge mode between the Content Switching Module (CSM) and the SSL
Services Module are supported.
Use the secondary keyword (optional) for the bridge-mode topology.
Examples
This example shows how to enter the client proxy-service configuration submode:
ssl-proxy (config)# ssl-proxy context s1
ssl-proxy (config-context)# service S7 client
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the certificate for the specified SSL-proxy services:
ssl-proxy (config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint tp1
ssl-proxy (config-ctx-ssl-proxy)#
These examples show how to set a specified command to its default value:
ssl-proxy (config-ctx-ssl-proxy)# default certificate
ssl-proxy (config-ctx-ssl-proxy)# default inservice
ssl-proxy (config-ctx-ssl-proxy)# default nat
ssl-proxy (config-ctx-ssl-proxy)# default server
ssl-proxy (config-ctx-ssl-proxy)# default virtual
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a virtual IP address for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual ipaddr 207.59.100.20 protocol tcp port 443
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the SSL policy for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual policy ssl sslpl1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the TCP policy for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual policy tcp tcppl1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a clear-text web server for the SSL Services Module to forward
the decrypted traffic:
ssl-proxy (config-ctx-ssl-proxy)# server ipaddr 207.50.0.50 protocol tcp port 80
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a TCP policy for the given clear-text web server:
ssl-proxy (config-ctx-ssl-proxy)# server policy tcp tcppl1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a NAT pool for the client address that is used in the server
connection of the specified service SSL offload:
ssl-proxy (config-ctx-ssl-proxy)# nat client NP1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to enable a NAT server address for the server connection of the specified
service SSL offload:
ssl-proxy (config-ctx-ssl-proxy)# nat server
ssl-proxy (config-ctx-ssl-proxy)#
Related Commands
show ssl-proxy service
show interfaces ssl-proxy
To display information about the configured subinterfaces, use the show interfaces ssl-proxy command.
show interfaces ssl-proxy 0.subinterface
Syntax Description
subinterface-number
Subinterface ID; valid values are from 0 to 4294967295.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
Modification
SSL Services Module Release 3.1(1)
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Examples
This example shows how to display information about the configured subinterfaces:
ssl-proxy# show interfaces 0.3
SSL-Proxy0.3 is up, line protocol is up
Hardware is STE interface, address is 0001.6445.c744 (bia 00e0.14c1.30e9)
Internet address is 10.10.0.16/8
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation 802.1Q Virtual LAN, Vlan ID 3.
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters never
ssl-proxy#
Related Commands
policy tcp
show ssl-proxy buffers
To display information about TCP buffer usage, use the show ssl-proxy buffers command.
show ssl-proxy buffers
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
Modification
Cisco IOS Release
12.1(13)E and
SSL Services Module
Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series
switches.
Examples
This example shows how to display the buffer usage and other information in the TCP subsystem:
ssl-proxy# show ssl-proxy buffers
Buffers info for TCP module 1
TCP data buffers used 2817 limit 88064
TCP ingress buffer pool size 44032 egress buffer pool size 44032
TCP ingress data buffers min-thresh 5636096 max-thresh 9017344
TCP ingress data buffers used Current 0 Max 0
TCP ingress buffer RED shift 9 max drop prob 10
Conns consuming ingress data buffers 0
Buffers with App 0
TCP egress data buffers used Current 0 Max 0
Conns consuming egress data buffers 0
In-sequence queue bufs 0 OOO bufs 0
Per-flow avg qlen 0 Global avg qlen 0
ssl-proxy#
Related Commands
policy tcp
show ssl-proxy certificate-history
To display information about the event history of the certificate, use the show ssl-proxy
certificate-history command.
show ssl-proxy certificate-history [service [name]]
Syntax Description
service name
Displays all certificate records of a proxy service and (optionally) for a
specific proxy service.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
Modification
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The show ssl-proxy certificate-history command displays these records:
• Service name
• Key pair name
• Generation or import time
• Trustpoint name
• Certificate subject name
• Certificate issuer name
• Serial number
• Date
A syslog message is generated for each record. The oldest records are deleted after the limit of
512 records is reached.
Examples
This example shows how to display the event history of all the certificate processing:
ssl-proxy# show ssl-proxy certificate-history
Record 1, Timestamp:00:00:51, 16:36:34 UTC Oct 31 2002
Installed Server Certificate, Index 5
Proxy Service:s1, Trust Point:t3
Key Pair Name:k3, Key Usage:RSA General Purpose, Exportable
Time of Key Generation:12:27:58 UTC Oct 30 2002
Subject Name:OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com,
OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST
= CA, C = US, EA =<16> simpson-pki@cisco.com
Serial Number:5D3D1931000100000D99
Validity Start Time:21:58:12 UTC Oct 30 2002
End Time:22:08:12 UTC Oct 30 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
Record 2, Timestamp:00:01:06, 16:36:49 UTC Oct 31 2002
Installed Server Certificate, Index 6
Proxy Service:s5, Trust Point:t10
Key Pair Name:k10, Key Usage:RSA General Purpose, Exportable
Time of Key Generation:07:56:43 UTC Oct 11 2002
Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 =
simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST
= CA, C = US, EA =<16> simpson-pki@cisco.com
Serial Number:24BC81B7000100000D85
Validity Start Time:22:38:00 UTC Oct 19 2002
End Time:22:48:00 UTC Oct 19 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
Record 3, Timestamp:00:01:34, 16:37:18 UTC Oct 31 2002
Installed Server Certificate, Index 7
Proxy Service:s6, Trust Point:t10
Key Pair Name:k10, Key Usage:RSA General Purpose, Exportable
Time of Key Generation:07:56:43 UTC Oct 11 2002
Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 =
simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST
= CA, C = US, EA =<16> simpson-pki@cisco.com
Serial Number:24BC81B7000100000D85
Validity Start Time:22:38:00 UTC Oct 19 2002
End Time:22:48:00 UTC Oct 19 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
Record 4, Timestamp:00:01:40, 16:37:23 UTC Oct 31 2002
Deleted Server Certificate, Index 0
Proxy Service:s6, Trust Point:t6
Key Pair Name:k6, Key Usage:RSA General Purpose, Not Exportable
Time of Key Generation:00:28:28 UTC Mar 1 1993
Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 =
simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.8, OID.2.5.4.5 = B0FFF235
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST
= CA, C = US, EA =<16> simpson-pki@cisco.com
Serial Number:5CB5CFD6000100000D97
Validity Start Time:19:30:26 UTC Oct 30 2002
End Time:19:40:26 UTC Oct 30 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
% Total number of certificate history records displayed = 4
ssl-proxy#
This example shows how to display the certificate record for a specific proxy service:
ssl-proxy# show ssl-proxy certificate-history service s6
Record 3, Timestamp:00:01:34, 16:37:18 UTC Oct 31 2002
Installed Server Certificate, Index 7
Proxy Service:s6, Trust Point:t10
Key Pair Name:k10, Key Usage:RSA General Purpose, Exportable
Time of Key Generation:07:56:43 UTC Oct 11 2002
Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 =
simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST
= CA, C = US, EA =<16> simpson-pki@cisco.com
Serial Number:24BC81B7000100000D85
Validity Start Time:22:38:00 UTC Oct 19 2002
End Time:22:48:00 UTC Oct 19 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
Record 4, Timestamp:00:01:40, 16:37:23 UTC Oct 31 2002
Deleted Server Certificate, Index 0
Proxy Service:s6, Trust Point:t6
Key Pair Name:k6, Key Usage:RSA General Purpose, Not Exportable
Time of Key Generation:00:28:28 UTC Mar 1 1993
Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 =
simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.8, OID.2.5.4.5 = B0FFF235
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST
= CA, C = US, EA =<16> simpson-pki@cisco.com
Serial Number:5CB5CFD6000100000D97
Validity Start Time:19:30:26 UTC Oct 30 2002
End Time:19:40:26 UTC Oct 30 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
Total number of certificate history records displayed = 2
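The records above carry everything needed for an expiry and key-handling check, but nothing on the module evaluates them for you except the cert-expiring trap. The following Python is an added example, not part of the Cisco documentation or the module software: it parses the record layout of show ssl-proxy certificate-history service output (the two records above, with the subject and issuer lines shortened, are embedded as a constructed sample), keeps only the Installed records, and reports certificates that are expired, expire within a warning window, are not yet valid, sit on an exportable key pair, or carry the zero Renew Time (00:00:00 UTC Jan 1 1970 is the Unix epoch; treating it as "no renew time recorded" is an assumption). Field names come from the output above; the finding codes are the example's own.

```python
"""Audit 'show ssl-proxy certificate-history' records for expiry and key-handling risk."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two records of the 'service s6' example above, with the
# subject and issuer lines shortened.
SAMPLE = """\
Record 3, Timestamp:00:01:34, 16:37:18 UTC Oct 31 2002
Installed Server Certificate, Index 7
Proxy Service:s6, Trust Point:t10
Key Pair Name:k10, Key Usage:RSA General Purpose, Exportable
Time of Key Generation:07:56:43 UTC Oct 11 2002
Subject Name:CN = host1.cisco.com
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems
Serial Number:24BC81B7000100000D85
Validity Start Time:22:38:00 UTC Oct 19 2002
End Time:22:48:00 UTC Oct 19 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
Record 4, Timestamp:00:01:40, 16:37:23 UTC Oct 31 2002
Deleted Server Certificate, Index 0
Proxy Service:s6, Trust Point:t6
Key Pair Name:k6, Key Usage:RSA General Purpose, Not Exportable
Time of Key Generation:00:28:28 UTC Mar 1 1993
Subject Name:CN = host1.cisco.com
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems
Serial Number:5CB5CFD6000100000D97
Validity Start Time:19:30:26 UTC Oct 30 2002
End Time:19:40:26 UTC Oct 30 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
Total number of certificate history records displayed = 2
"""

TIME_FMT = "%H:%M:%S UTC %b %d %Y"      # the module's layout, e.g. 19:30:26 UTC Oct 30 2002


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Assumption: the module prints the zero (epoch) time when no renew time was recorded.
EPOCH = utc(1970, 1, 1)


def parse_time(value):
    return datetime.strptime(value.strip(), TIME_FMT).replace(tzinfo=timezone.utc)


def parse_records(text):
    """Return one dict per 'Record N ... End of Certificate Record' block."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := re.match(r"Record (\d+), Timestamp:\S+, (.*)", line)):
            cur = {"record": int(m.group(1)), "logged": parse_time(m.group(2))}
        elif cur is None:
            continue                            # text outside a record (the trailing total)
        elif (m := re.match(r"(Installed|Deleted) Server Certificate, Index (\d+)", line)):
            cur["action"], cur["index"] = m.group(1), int(m.group(2))
        elif line.startswith("Proxy Service:"):
            service, trustpoint = line.split(", ")
            cur["service"] = service.split(":", 1)[1]
            cur["trustpoint"] = trustpoint.split(":", 1)[1]
        elif line.startswith("Key Pair Name:"):
            cur["exportable"] = line.endswith(", Exportable")
        elif line.startswith("Serial Number:"):
            cur["serial"] = line.split(":", 1)[1]
        elif line.startswith("Validity Start Time:"):
            cur["not_before"] = parse_time(line.split(":", 1)[1])
        elif line.startswith("End Time:"):
            cur["not_after"] = parse_time(line.split(":", 1)[1])
        elif line.startswith("Renew Time:"):
            cur["renew"] = parse_time(line.split(":", 1)[1])
        elif line == "End of Certificate Record":
            records.append(cur)
            cur = None
    return records


def audit(records, now, warn_days=30):
    """Return (record number, finding code) pairs for certificates still installed."""
    findings = []
    for r in records:
        if r["action"] != "Installed":
            continue                            # a deletion record is history, not live state
        if now >= r["not_after"]:
            findings.append((r["record"], "expired"))
        elif r["not_after"] - now <= timedelta(days=warn_days):
            findings.append((r["record"], "expiring"))
        if now < r["not_before"]:
            findings.append((r["record"], "not_yet_valid"))
        if r["exportable"]:
            findings.append((r["record"], "exportable_key"))   # private key can leave the module
        if r["renew"] == EPOCH:
            findings.append((r["record"], "no_renew_time"))
    return findings


if __name__ == "__main__":
    for rec, code in audit(parse_records(SAMPLE), utc(2003, 10, 1)):
        print(f"record {rec}: {code}")
```

Run against the sample with a reference date of 1 October 2003, the only installed certificate (record 3) is reported as expiring within 30 days, on an exportable key pair, and without a renew time; the deleted record 4 is ignored because it no longer describes anything the proxy serves.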
Related Commands
service
show ssl-proxy conn
To display the TCP connections from the SSL Services Module, use the show ssl-proxy conn command.
show ssl-proxy conn 4tuple [local {ip local-ip-addr local-port} [remote [{ip remote-ip-addr [port remote-port]} | {port remote-port [ip remote-ip-addr]}]]]
show ssl-proxy conn 4tuple [local {port local-port} [remote [{ip remote-ip-addr [port remote-port]} | {port remote-port [ip remote-ip-addr]}]]]
show ssl-proxy conn 4tuple [remote [{ip remote-ip-addr [port remote-port]} | {port remote-port [ip remote-ip-addr]}]]
show ssl-proxy conn module module
show ssl-proxy conn service name [context name] module [module]
Syntax Description
4tuple                  Displays the TCP connections for a specific address.
local                   (Optional) Displays the TCP connections for a specific local device.
ip local-ip-addr        IP address of a local device.
local-port              Port number of a local device.
remote                  (Optional) Displays the TCP connections for a specific remote device.
ip remote-ip-addr       IP address of a remote device.
port remote-port        Port number of a remote device.
port local-port         (Optional) Displays the TCP connections for a specific local port.
module module           (Optional) Displays the information for a specific module. The available options for the module variable are as follows:
                        • all—all CPUs
                        • fdu—FDU CPU
                        • ssl1—SSL1 CPU
                        • tcp1—TCP1 CPU
service name            Displays the connections for a specific proxy service.
context name            (Optional) Displays information about the specified context.
Defaults
This command has no default settings.
Command Modes
EXEC
Catalyst 6500 Series Switch SSL Services Module Command Reference
2-64
OL-9105-01
Chapter 2
Commands for the Catalyst 6500 Series SSL Services Module
show ssl-proxy conn
Command History
Release                                Modification
Cisco IOS Release 12.1(13)E and        Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 1.1(1)
SSL Services Module Release 3.1(1)     This command was changed to add the following keywords:
                                       • context name
                                       • module module
Examples
These examples show different ways to display the TCP connection that is established from the SSL
Services Module:
ssl-proxy# show ssl-proxy conn
Connections for TCP module 1
Local Address          Remote Address         VLAN Conid  Send-Q Recv-Q State
---------------------  ---------------------  ---- ------ ------ ------ -----
2.0.0.10:4430          1.200.200.14:48582     2    0      0      0      ESTAB
1.200.200.14:48582     2.100.100.72:80        2    1      0      0      ESTAB
2.0.0.10:4430          1.200.200.14:48583     2    2      0      0      ESTAB
1.200.200.14:48583     2.100.100.72:80        2    3      0      0      ESTAB
2.0.0.10:4430          1.200.200.14:48584     2    4      0      0      ESTAB
1.200.200.14:48584     2.100.100.72:80        2    5      0      0      ESTAB
2.0.0.10:4430          1.200.200.14:48585     2    6      0      0      ESTAB
1.200.200.14:48585     2.100.100.72:80        2    7      0      0      ESTAB
2.0.0.10:4430          1.200.200.14:48586     2    8      0      0      ESTAB
1.200.200.14:48586     2.100.100.72:80        2    9      0      0      ESTAB
ssl-proxy# show ssl-proxy conn 4tuple local port 443
Connections for TCP module 1
Local Address          Remote Address         VLAN Conid  Send-Q Recv-Q State
---------------------  ---------------------  ---- ------ ------ ------ -----
2.50.50.133:443        1.200.200.12:39728     2    113676 0      0      TWAIT
No Bound Connection
2.50.50.133:443        1.200.200.12:39729     2    113680 0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:40599     2    113684 0      0      TWAIT
No Bound Connection
2.50.50.132:443        1.200.200.13:48031     2    114046 0      0      TWAIT
No Bound Connection
2.50.50.132:443        1.200.200.13:48032     2    114048 0      0      TWAIT
No Bound Connection
2.50.50.132:443        1.200.200.13:48034     2    114092 0      0      TWAIT
No Bound Connection
2.50.50.132:443        1.200.200.13:48035     2    114100 0      0      TWAIT
No Bound Connection
ssl-proxy# show ssl-proxy conn 4tuple remote ip 1.200.200.14
Connections for TCP module 1
Local Address          Remote Address         VLAN Conid  Send-Q Recv-Q State
---------------------  ---------------------  ---- ------ ------ ------ -----
2.50.50.131:443        1.200.200.14:38814     2    58796  0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:38815     2    58800  0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:38817     2    58802  0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:38818     2    58806  0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:38819     2    58810  0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:38820     2    58814  0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:38821     2    58818  0      0      TWAIT
No Bound Connection
ssl-proxy# show ssl-proxy conn service iis1
Connections for TCP module 1
Local Address          Remote Address         VLAN Conid  Send-Q Recv-Q State
---------------------  ---------------------  ---- ------ ------ ------ -----
2.50.50.131:443        1.200.200.14:41217     2    121718 0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:41218     2    121722 0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:41219     2    121726 0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:41220     2    121794 0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:41221     2    121808 0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:41222     2    121940 0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:41223     2    122048 0      0      TWAIT
No Bound Connection
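The four views above filter the same table; questions the filters cannot answer (how many sessions have both legs, how many front-end connections are waiting with no bound back-end connection, which listener they belong to) are easier to answer by parsing the unfiltered output offline. The following Python is an added example, not Cisco code: it reads rows in the column layout shown above, records a No Bound Connection line against the row it follows, and links a row to the previous row when its local address equals that row's remote address, which is how the front-end and back-end legs of one session appear in the first example (treating that as the general rule is an assumption). The two embedded tables are constructed from rows of the examples above.

```python
"""Parse 'show ssl-proxy conn' output and pair front-end rows with their back-end legs."""
import re
from collections import Counter

# Constructed samples: rows taken from the first two tables above.
SAMPLE_ALL = """\
Connections for TCP module 1
Local Address          Remote Address         VLAN Conid  Send-Q Recv-Q State
---------------------  ---------------------  ---- ------ ------ ------ -----
2.0.0.10:4430          1.200.200.14:48582     2    0      0      0      ESTAB
1.200.200.14:48582     2.100.100.72:80        2    1      0      0      ESTAB
2.0.0.10:4430          1.200.200.14:48583     2    2      0      0      ESTAB
1.200.200.14:48583     2.100.100.72:80        2    3      0      0      ESTAB
2.0.0.10:4430          1.200.200.14:48584     2    4      0      0      ESTAB
1.200.200.14:48584     2.100.100.72:80        2    5      0      0      ESTAB
"""

SAMPLE_443 = """\
Connections for TCP module 1
Local Address          Remote Address         VLAN Conid  Send-Q Recv-Q State
---------------------  ---------------------  ---- ------ ------ ------ -----
2.50.50.133:443        1.200.200.12:39728     2    113676 0      0      TWAIT
No Bound Connection
2.50.50.133:443        1.200.200.12:39729     2    113680 0      0      TWAIT
No Bound Connection
2.50.50.131:443        1.200.200.14:40599     2    113684 0      0      TWAIT
No Bound Connection
"""

ROW = re.compile(r"^(\S+:\d+)\s+(\S+:\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_conn(text):
    """One dict per row. 'bound' is the peer Conid once a row is linked to its other leg,
    False when the module printed 'No Bound Connection' after it, else None."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ROW.match(line)):
            local, remote, vlan, conid, send_q, recv_q, state = m.groups()
            conns.append({"local": local, "remote": remote, "vlan": int(vlan),
                          "conid": int(conid), "send_q": int(send_q),
                          "recv_q": int(recv_q), "state": state, "bound": None})
        elif line == "No Bound Connection" and conns:
            conns[-1]["bound"] = False
    # In the example output the back-end leg follows its front-end leg and its local
    # address equals the front-end leg's remote address. Assumption: that holds generally.
    for front, back in zip(conns, conns[1:]):
        if front["bound"] is None and back["bound"] is None and back["local"] == front["remote"]:
            front["bound"], front["role"] = back["conid"], "front"
            back["bound"], back["role"] = front["conid"], "back"
    return conns


def sessions(conns):
    """(front-end Conid, back-end Conid) for every linked pair of rows."""
    return [(c["conid"], c["bound"]) for c in conns if c.get("role") == "front"]


def summarize(conns):
    """Rows per TCP state, rows per listening address (back-end legs excluded),
    and rows the module reported as having no bound connection."""
    return {
        "by_state": Counter(c["state"] for c in conns),
        "by_listener": Counter(c["local"] for c in conns if c.get("role") != "back"),
        "unbound": sum(1 for c in conns if c["bound"] is False),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_ALL, SAMPLE_443):
        conns = parse_conn(sample)
        print(sessions(conns), summarize(conns))
```

On the first sample the parser yields three complete sessions, (0, 1), (2, 3) and (4, 5), all ESTAB on listener 2.0.0.10:4430; on the second it yields no sessions, three TWAIT rows with no bound connection, two of them on 2.50.50.133:443.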
show ssl-proxy context
To display context information, use the show ssl-proxy context command.
show ssl-proxy context [name]
Syntax Description
name                    (Optional) Name of the context.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release                                Modification
SSL Services Module Release 3.1(1)     Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Examples
This example shows how to display all context information on the SSL Services Module:
ssl-proxy# show ssl-proxy context
Total number of contexts : 2
Context Name    VRF    Num Proxies
------------    ---    -----------
Default                2
c1                     200
This example shows how to display specific context information on the SSL Services Module:
ssl-proxy# show ssl-proxy context Default
Context id            : 0
Number of proxies     : 2
Num max conns allowed : 65536
Context 'Default' has the following service(s) configured..
s2
s3
ssl-proxy#
show ssl-proxy crash-info
To collect information about the software-forced reset from the SSL Services Module, use the show
ssl-proxy crash-info command.
show ssl-proxy crash-info [brief | details]
Syntax Description
brief                   (Optional) Collects a small subset of software-forced reset information, limited to processor registers.
details                 (Optional) Collects the full set of software-forced reset information, including exception and interrupt stacks dump (this process can take up to 10 minutes to complete printing).
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release                                Modification
Cisco IOS Release 12.1(13)E and        Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 1.1(1)
Examples
This example shows how to collect information about the software-forced reset:
ssl-proxy# show ssl-proxy crash-info
===== SSL SERVICE MODULE - START OF CRASHINFO COLLECTION =====
------------- COMPLEX 0 [FDU_IOS] ----------------------
NVRAM CHKSUM:0xEB28
NVRAM MAGIC:0xC8A514F0
NVRAM VERSION:1
++++++++++ CORE 0 (FDU) ++++++++++++++++++++++
CID:0
APPLICATION VERSION:2003.04.15 14:50:20 built for cantuc
APPROXIMATE TIME WHEN CRASH HAPPENED:14:06:04 UTC Apr 16 2003
THIS CORE DIDN'T CRASH
TRACEBACK:222D48 216894
CPU CONTEXT -----------------------------
$0 :00000000, AT :00240008, v0 :5A27E637, v1 :000F2BB1
a0 :00000001, a1 :0000003C, a2 :002331B0, a3 :00000000
t0 :00247834, t1 :02BFAAA0, t2 :02BF8BB0, t3 :02BF8BA0
t4 :02BF8BB0, t5 :00247834, t6 :00000000, t7 :00000001
s0 :00000000, s1 :0024783C, s2 :00000000, s3 :00000000
s4 :00000001, s5 :0000003C, s6 :00000019, s7 :0000000F
t8 :00000001, t9 :00000001, k0 :00400001, k1 :00000000
gp :0023AE80, sp :031FFF58, s8 :00000019, ra :00216894
LO :00000000, HI :0000000A, BADVADDR :828D641C
EPC :00222D48, ErrorEPC :BFC02308, SREG :34007E03
Cause 0000C000 (Code 0x0):Interrupt exception
CACHE ERROR registers
-------------------
CacheErrI:00000000, CacheErrD:00000000
ErrCtl:00000000, CacheErrDPA:0000000000000000
PROCESS STACK -----------------------------
stack top:0x3200000
Process stack in use:
sp is close to stack top;
printing 1024 bytes from stack top:
031FFC00:06405DE0 002706E0 0000002D 00000001 .@]`.'.`...-....
031FFC10:06405DE0 002706E0 00000001 0020B800 .@]`.'.`..... 8.
031FFC20:031FFC30 8FBF005C 14620010 24020004 ..|0.?.\.b..$...
...........
...........
...........
FFFFFFD0:00000000 00000000 00000000 00000000 ................
FFFFFFE0:00627E34 00000000 00000000 00000000 .b~4............
FFFFFFF0:00000000 00000000 00000000 00000006 ................
===== SSL SERVICE MODULE - END OF CRASHINFO COLLECTION =======
This example shows how to collect a small subset of software-forced reset information:
ssl-proxy# show ssl-proxy crash-info brief
===== SSL SERVICE MODULE - START OF CRASHINFO COLLECTION =====
------------- COMPLEX 0 [FDU_IOS] ----------------------
SKE CRASH INFO Error: wrong MAGIC # 0
CLI detected an error in FDU_IOS crash-info; wrong magic.
------------- COMPLEX 1 [TCP_SSL] ----------------------
Crashinfo fragment #0 from core 2 at offset 0 error:
Remote system reports wrong crashinfo magic.
Bad fragment received. Reception abort.
CLI detected an error in TCP_SSL crash-info;
===== SSL SERVICE MODULE - END OF CRASHINFO COLLECTION =======
show ssl-proxy mac address
To display the current MAC address, use the show ssl-proxy mac address command.
show ssl-proxy mac address
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release                                Modification
Cisco IOS Release 12.1(13)E and        Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 1.1(1)
Examples
This example shows how to display the current MAC address that is used in the SSL Services Module:
ssl-proxy# show ssl-proxy mac address
STE MAC address: 00e0.b0ff.f232
ssl-proxy#
show ssl-proxy natpool
To display information about the NAT pool, use the show ssl-proxy natpool command.
show ssl-proxy natpool [name][context name]
Syntax Description
name                    (Optional) NAT pool name.
context name            (Optional) Context name.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release                                Modification
Cisco IOS Release 12.1(13)E and        Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 1.1(1)
SSL Services Module Release 3.1(1)     This command was changed to add the context name keyword.
Examples
This example shows how to display all NAT address pools that are configured on the SSL Services
Module (the Default context is assumed because no context name is given):
ssl-proxy# show ssl-proxy natpool
No context name provided, assuming context 'Default'...
natpool-name    start-ip        end-ip          netmask         use-count
n1              207.57.110.1    207.57.110.8    255.0.0.0       2
ssl-proxy#
This example shows how to display information for a specific NAT address pool that is configured on
the SSL Services Module:
ssl-proxy# show ssl-proxy natpool n1
No context name provided, assuming context 'Default'...
Start ip: 207.57.110.1
End ip: 207.57.110.8
netmask: 255.0.0.0
vlan associated with natpool: 2
SSL proxy services using this natpool:
S2
S3
Num of proxies using this natpool: 2
ssl-proxy#
Related Commands
natpool
show ssl-proxy policy
To display the configured SSL proxy policies, use the show ssl-proxy policy command.
show ssl-proxy policy {health-probe tcp [name] [context name] | http-header | ssl | tcp | url-rewrite} [name]
Syntax Description
health-probe tcp        Displays the configured TCP health probe policies.
name                    (Optional) TCP health probe name.
context name            (Optional) Displays the TCP health probe policies in this context.
http-header             Displays the configured HTTP header policies.
ssl                     Displays the configured SSL policies.
tcp                     Displays the configured TCP policies.
url-rewrite             Displays the configured URL rewrite policies.
name                    (Optional) Policy name.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release                                Modification
Cisco IOS Release 12.1(13)E and        Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 1.1(1)
SSL Services Module Release 2.1(1)     This command was changed to include the http-header and url-rewrite keywords.
SSL Services Module Release 3.1(1)     This command was changed to add the health-probe tcp keyword.
Examples
This example shows how to display information about the HTTP header policy:
ssl-proxy# show ssl-proxy policy http-header h1
No context name provided, assuming context 'Default'...
Prefix                        SSL
Client Certificate Insertion  Not Enabled
Session Header Insertion      All
Client IP/Port Insertion      Not Enabled
Hdr #   Custom Header
0       "a:"
1       "b:"
2       "c:"
3       "d:"
4       "e:"
5       "f:"
6       "g:"
7       "h:"
8       "i:"
9       "j:"
10      "k:"
11      "l:"
12      "m:"
13      "n:"
Usage count of this policy: 0
ssl-proxy#
This example shows how to display policy information about a specific SSL policy that is configured on
the SSL Services Module:
ssl-proxy# show ssl-proxy policy ssl ssl-policy1
No context name provided, assuming context 'Default'...
Cipher suites: (None configured, default ciphers included)
rsa-with-rc4-128-md5
rsa-with-rc4-128-sha
rsa-with-des-cbc-sha
rsa-with-3des-ede-cbc-sha
SSL Versions enabled:SSL3.0, TLS1.0
close protocol: default (close_notify sent but not expected from peer)
Session Cache:enabled
Session timeout: 72000 seconds
Renegotiation timeout: 100 seconds
Handshake timeout not configured (never times out)
TLS Rollback: default (version number rollback not allowed)
No. of policy users : 0
ssl-proxy#
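The policy above shows the module's defaults when nothing is configured: the cipher list includes two RC4 suites, a single-DES suite and an MD5-based MAC, SSL 3.0 is enabled alongside TLS 1.0, and the handshake never times out. On a current review each of these is a finding (RC4 is prohibited for TLS by RFC 7465, SSL 3.0 is deprecated by RFC 7568, and an unbounded handshake lets a peer hold handshake state open indefinitely). The following Python is an added example, not Cisco code: it parses the show ssl-proxy policy ssl layout shown above (embedded as a constructed sample) and returns the findings a reviewer would raise. The form "Handshake timeout: N seconds" for a configured timeout is an assumption, since the example only shows the unconfigured case; the finding codes are the example's own.

```python
"""Audit a 'show ssl-proxy policy ssl' listing for settings a reviewer would flag."""
import re

# Constructed sample: the ssl-policy1 output from the example above.
SAMPLE = """\
Cipher suites: (None configured, default ciphers included)
rsa-with-rc4-128-md5
rsa-with-rc4-128-sha
rsa-with-des-cbc-sha
rsa-with-3des-ede-cbc-sha
SSL Versions enabled:SSL3.0, TLS1.0
close protocol: default (close_notify sent but not expected from peer)
Session Cache:enabled
Session timeout: 72000 seconds
Renegotiation timeout: 100 seconds
Handshake timeout not configured (never times out)
TLS Rollback: default (version number rollback not allowed)
No. of policy users : 0
"""

# Substring of the suite name -> why it fails review. The first hit wins, so a suite
# is reported once even when it has more than one problem (rc4 + md5).
WEAK = {
    "rc4": "RC4 is prohibited for TLS by RFC 7465",
    "-des-": "single DES, 56-bit key",
    "md5": "MD5-based MAC",
    "null": "no encryption",
    "export": "export-grade key length",
}


def parse_ssl_policy(text):
    policy = {"ciphers": [], "versions": [], "handshake_timeout": None,
              "session_timeout": None, "reneg_timeout": None, "rollback_allowed": False}
    in_ciphers = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Cipher suites:"):
            in_ciphers = True
            continue
        if in_ciphers and line and ":" not in line:      # suite names are bare lines
            policy["ciphers"].append(line)
            continue
        in_ciphers = False
        if line.startswith("SSL Versions enabled:"):
            policy["versions"] = [v.strip() for v in line.split(":", 1)[1].split(",")]
        elif (m := re.match(r"Session timeout:\s*(\d+)", line)):
            policy["session_timeout"] = int(m.group(1))
        elif (m := re.match(r"Renegotiation timeout:\s*(\d+)", line)):
            policy["reneg_timeout"] = int(m.group(1))
        elif (m := re.match(r"Handshake timeout:\s*(\d+)", line)):   # assumed form once configured
            policy["handshake_timeout"] = int(m.group(1))
        elif line.startswith("TLS Rollback:"):
            policy["rollback_allowed"] = "not allowed" not in line
    return policy


def audit_ssl_policy(policy):
    """Return (code, detail) findings; an empty list means nothing to report."""
    findings = []
    for suite in policy["ciphers"]:
        for needle, why in WEAK.items():
            if needle in suite:
                findings.append(("weak_cipher", f"{suite}: {why}"))
                break
    if "SSL3.0" in policy["versions"]:
        findings.append(("sslv3_enabled", "SSL 3.0 is deprecated by RFC 7568; allow TLS only"))
    if policy["handshake_timeout"] is None:
        findings.append(("no_handshake_timeout",
                         "a peer can hold a half-finished handshake open indefinitely"))
    if policy["rollback_allowed"]:
        findings.append(("rollback_allowed", "version number rollback is accepted"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_ssl_policy(parse_ssl_policy(SAMPLE)):
        print(f"{code}: {detail}")
```

Against the sample the audit reports three weak suites (the two RC4 suites and rsa-with-des-cbc-sha; rsa-with-3des-ede-cbc-sha passes the checks above), SSL 3.0 enabled, and no handshake timeout; the rollback setting is fine because the default refuses version-number rollback.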
This example shows how to display policy information about a specific TCP policy that is configured on
the SSL Services Module:
ssl-proxy# show ssl-proxy policy tcp tcp-policy1
No context name provided, assuming context 'Default'...
MSS                   1460
SYN timeout           75
Idle timeout          600
FIN wait timeout      75
Reassembly timeout    60
Persist timeout       0
Rx Buffer Share       32768
Tx Buffer Share       65536
TOS Carryover         Disabled
Delayed ACK timer     200
Delayed ACK Threshold 2
Nagle algorithm       Enabled
Forced ACK            Enabled
No. of policy users : 0
ssl-proxy#
This example shows how to display information about the URL rewrite policy:
ssl-proxy# show ssl-proxy policy url-rewrite urlrw-policy
No context name provided, assuming context 'Default'...
Rule  URL                Clearport  SSLport
1     wwwin.cisco.com    80         443
2     www.cisco.com      8080       444
Usage count of this policy: 0
ssl-proxy#
This example shows how to display information about the TCP health probe policy:
ssl-proxy# show ssl-proxy policy health-probe tcp
No context name provided, assuming context 'Default'...
TCP Health Probe Policy Name    Usage-Count
tcp-health                      1
This example shows how to display information about the specified TCP health probe policy:
ssl-proxy# show ssl-proxy policy health-probe tcp tcp-health
No context name provided, assuming context 'Default'...
TCP Health Probe Details : tcp-health
Server Port number                 80
Interval between probe             30
Interval between failed probe      60
TCP Connection open timeout        80
Maximum retries for success probe  3
No. of policy users                1
SSL proxy services using this policy:
s3
Usage count of this policy: 1
Related Commands
policy health-probe tcp
policy http-header
policy ssl
policy tcp
policy url-rewrite
show ssl-proxy service
To display information about the configured SSL virtual service, use the show ssl-proxy service
command.
show ssl-proxy service [name][context name]
Syntax Description
name                    (Optional) Service name.
context name            (Optional) Displays service information for the specified context name.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release                                Modification
Cisco IOS Release 12.1(13)E and        Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 1.1(1)
SSL Services Module Release 3.1(1)     This command was changed to add the context name keyword.
Examples
This example shows how to display all SSL virtual services that are configured on the SSL Services
Module:
ssl-proxy# show ssl-proxy service
No context name provided, assuming context 'Default'...
Proxy Service Name    Context Name    Admin status    Operation status
s2                    Default         up              up
s3                    Default         up              up
ssl-proxy#
This example shows how to display a specific SSL virtual service that is configured on the SSL Services
Module:
ssl-proxy# show ssl-proxy service S6
No context name provided, assuming context 'Default'...
Service id: 1, bound_service_id: 257
Virtual IP: 10.10.1.104, port: 443
Server IP: 10.10.1.100, port: 80
Virtual SSL Policy: SSL1_PLC
Server TCP Policy: nagle
TCP Health Probe Policy: tcp-health
Nat pool: n2
rsa-general-purpose certificate trustpoint: tptest
Certificate chain for new connections:
Certificate:
Key Label: mytp, 1024-bit, not exportable
Key Timestamp: 07:21:09 UTC Apr 20 2005
Serial Number: 0FE5
Root CA Certificate:
Serial Number: 01
Certificate chain complete
Context name: Default
Context Id : 0
Admin Status: up
Operation Status: up
ssl-proxy#
This example shows how to display a specific SSL virtual service on a specific context that is configured
on the SSL Services Module:
ssl-proxy# show ssl-proxy service s2 context c1
Service id: 214, bound_service_id: 470
Virtual IP: 10.12.0.2, port: 443
Server IP: 10.0.207.203, port: 80
TCP Health Probe Policy: h1
rsa-general-purpose certificate trustpoint: mytp
Certificate chain for new connections:
Certificate:
Key Label: mytp, 1024-bit, not exportable
Key Timestamp: 07:21:09 UTC Apr 20 2005
Serial Number: 0FE5
Root CA Certificate:
Serial Number: 01
Certificate chain complete
Context name: c1
Context Id : 167
Admin Status: up
Operation Status: up
ssl-proxy#
Related Commands
service
service client
show ssl-proxy stats
To display information about the statistics counter, use the show ssl-proxy stats command.
show ssl-proxy stats [type]
Syntax Description
type                    (Optional) Information type; valid values are content, context, crypto, fdu, hdr, ipc, module, pki, service, ssl, tcp, and url. See the "Usage Guidelines" section for additional information.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release                                Modification
Cisco IOS Release 12.1(13)E and        Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 1.1(1)
SSL Services Module Release 1.2(1)     The output of the show ssl-proxy stats command was changed to include information about the session allocation failure and session limit-exceed table.
SSL Services Module Release 3.1(1)     This command was changed to add the following keywords:
                                       • content
                                       • context
                                       • hdr
                                       • module module
                                       • url
Usage Guidelines
The type values are defined as follows:
• content—Displays content scan object statistics.
• context—Displays context statistics information.
• crypto—Displays crypto statistics.
• fdu—Displays FDU statistics.
• hdr—Displays HTTP header insertion statistics.
• ipc—Displays IPC statistics.
• module module—Displays statistics for the specified module; module type includes the following:
  – all—all CPUs
  – fdu—FDU CPU
  – ssl1—SSL1 CPU
  – tcp1—TCP1 CPU
• pki—Displays PKI statistics.
• service—Displays proxy service statistics.
• ssl—Displays SSL detailed statistics.
• tcp—Displays TCP detailed statistics.
• url—Displays URL rewrite statistics.
Examples
This example shows how to display all the statistics counters that are collected on the SSL Services
Module:
ssl-proxy# show ssl-proxy stats
TCP Statistics:
    Conns initiated     : 20636     Conns accepted      : 20636
    Conns established   : 28744     Conns dropped       : 28744
    Conns closed        : 41272     SYN timeouts        : 0
    Idle timeouts       : 0         Total pkts sent     : 57488
    Data packets sent   : 0         Data bytes sent     : 0
    Total Pkts rcvd     : 70016     Pkts rcvd in seq    : 0
    Bytes rcvd in seq   : 0
SSL Statistics:
    conns attempted     : 20636     conns completed     : 20636
    full handshakes     : 0         resumed handshakes  : 0
    active conns        : 0         active sessions     : 0
    renegs attempted    : 0         conns in reneg      : 0
    handshake failures  : 20636     data failures       : 0
    fatal alerts rcvd   : 0         fatal alerts sent   : 0
    no-cipher alerts    : 0         ver mismatch alerts : 0
    no-compress alerts  : 0         bad macs received   : 0
    pad errors          : 0         session fails       : 0
FDU Statistics:
    IP Frag Drops       : 0         Serv_Id Drops       : 9
    Conn Id Drops       : 0         Bound Conn Drops    : 0
    Vlan Id Drops       : 0         Checksum Drops      : 0
    IOS Congest Drops   : 0         IP Version Drops    : 0
    Hash Full Drops     : 0         Hash Alloc Fails    : 0
    Flow Creates        : 41272     Flow Deletes        : 41272
    conn_id allocs      : 41272     conn_id deallocs    : 41272
    Tagged Drops        : 0         Non-Tagged Drops    : 0
    Add ipcs            : 3         Delete ipcs         : 0
    Disable ipcs        : 3         Enable ipcs         : 0
    Unsolicited ipcs    : 0         Duplicate ADD ipcs  : 0
    IOS broadcast pkts  : 29433     IOS unicast pkts    : 5
    IOS total pkts      : 29438
ssl-proxy#
This example shows how to display the TCP statistics:
ssl-proxy# show ssl-proxy stats tcp
TCP Statistics:
    Connection related :
    Initiated             : 4         Accepted              : 4
    Established           : 8         Dropped               : 6
    Dropped before est    : 0         Closed                : 8
    Persist timeout drops : 0         Rxmt timeout drops    : 0
    Current TIME-WAIT     : 0         Current ESTABLISHED   : 0
    Maximum TIME-WAIT     : 1         Maximum ESTABLISHED   : 4
    Conns Allocated       : 4         Conns Deallocated     : 4
    Conn Deletes sent     : 8
    Timer related :
    RTT estimates         : 48        RTT est. updates      : 85
    delayed acks sent     : 5         FIN-WAIT2 timeouts    : 0
    Retransmit timeouts   : 0         Persist Timeouts      : 0
    SYN timeouts          : 0         Idle Timeouts         : 0
    Reassembly timeouts   : 0
    Packet Transmit related :
    Total packets         : 140       Data packets          : 93
    Data bytes sent       : 87332     Retransmitted pkts    : 0
    Retransmitted bytes   : 0         Ack only pkts         : 19
    Window probes         : 0         URG only pkts         : 0
    Window Update pkts    : 16        Cntrl pkts (S/F/R)    : 12
    Tx TOS - normal       : 122       Tx TOS - Min. Cost    : 0
    Tx TOS - max. rel.    : 0         Tx TOS - Max. thru.   : 18
    Tx TOS - min. delay   : 0         Tx TOS - invalid      : 0
    Packet Receive related :
    Total packets         : 173       In seq data pkts      : 77
    In seq data bytes     : 85188     Bad Offset            : 0
    Too short             : 0         Dup-only data pkts    : 2
    Dup-only data bytes   : 2896      Part. dup. data pkts  : 0
    Part. Dup. data bytes : 0         OOO data pkts         : 0
    OOO data bytes rcvd   : 0         Pkts after rx win     : 0
    Bytes after rx window : 0         Pkts after close      : 0
    Window Probes         : 0         Duplicate ACKs        : 6
    ACKs for unsent data  : 0         ACK-only pkts         : 85
    Bytes acked by acks   : 87313     Window Update pkts    : 0
    PAWS dropped pkts     : 0         Hdr pred. ACKs        : 0
    Hdr pred. data pkts   : 68        TCB cache misses      : 103
    3 dup-only pkts       : 0         Partial Acks          : 0
    Rx TOS - normal       : 157       Rx TOS - Min. Cost    : 0
    Rx TOS - max. rel.    : 0         Rx TOS - Max. thru.   : 16
    Rx TOS - min. delay   : 0         Rx TOS - invalid      : 0
    Unrecognized Options  : 0
This example shows how to display the PKI statistics:
ssl-proxy# show ssl-proxy stats pki
PKI Memory Usage Counters:
Malloc count: 0
Setstring count: 0
Free count: 0
Malloc failed: 0
Ipc alloc count: 0
Ipc free count: 0
Ipc alloc failed: 0
PKI IPC Counters:
Request buffer sent: 0
Request buffer received: 0
Request duplicated: 0
Response buffer sent: 0
Response buffer received: 0
Response timeout: 0
Response with error status: 0
Response with no request: 0
Response duplicated: 0
Message type error: 0
PKI Accumulative Certificate Counters:
Proxy service trustpoint added: 0
Proxy service trustpoint deleted: 0
Proxy service trustpoint modified: 0
Keypair added: 0
Keypair deleted: 0
Wrong key type: 0
Server certificate added: 0
Server certificate deleted: 0
Server certificate rolled over: 0
Server certificate completed: 0
Intermediate CA certificate added: 0
Intermediate CA certificate deleted: 0
Root CA certificate added: 0
Root CA certificate deleted: 0
Certificate overwritten: 0
History records written: 0
History records read from NVRAM: 0
Key cert table entries in use: 0
ssl-proxy#
This example shows how to display the HTTP header insertion statistics:
ssl-proxy# show ssl-proxy stats hdr
Header Insert Statistics:
    Session Headers Inserted : 0     Payload no HTTP header  : 0
    Session Id's Inserted    : 0     Buffer Alloc Failed     : 0
    Client IP/Port Inserted  : 0     Malloc failed           : 0
    Aliased Hdrs Inserted    : 0     Conn Entry Invalid      : 0
    No End of Hdr Detected   : 0     Buffers Scanned         : 0
    Desc Alloc Failed        : 0     Hdrs Spanning Records   : 0
    Client Cert Errors       : 0     Buffers Accumulated     : 0
    Service Errors           : 0     Multi-buffer Session Id : 0
    Buffers allocated        : 0     Multi-buffer Custom Hdr : 0
    Insertion Points Found   : 0     Database Not Initialized: 0
    End of Header Found      : 0
    Multi-buffer IP Port     : 0
    Multi-buffer Session Hdr : 0
    Scan Internal Error      : 0
    Custom Headers Inserted  : 0
    Client Cert. Inserted    : 0
    PEM Cert. Inserted       : 0
This example shows how to display context statistics:
ssl-proxy# show ssl-proxy stats context
Context name : Default
TCP Context Statistics
======================
Current conns ACTIVE              : 0
Num conns DROPPED (hit max limit) : 0
Maximum conns ESTABLISHED         : 0
This example shows how to display the URL rewrite statistics:
ssl-proxy# show ssl-proxy stats url
URL Rewrite Statistics:
    Rewrites Succeeded   : 0     Rewrites Failed      : 0
    Rsp Scan Incomplete  : 0     URL Scan Incomplete  : 0
    Invalid Conn Entry   : 0     URL Mismatch         : 0
    URL Object Error     : 0     Dbase not initialized: 0
    3xx URL Not Rewritten: 0     Scan Internal Error  : 0
    Scan Dbase not Init. : 0
This example shows how to display content statistics:
ssl-proxy# show ssl-proxy stats content
Scan object statistics in CPU: SSL1
    Objects in use      : 0
    Obj alloc failures  : 0
    Max obj in use      : 0
show ssl-proxy status
To display information about the SSL Services Module proxy status, use the show ssl-proxy status
command.
show ssl-proxy status [fdu | ssl | tcp]
Syntax Description
fdu                     (Optional) Displays the FDU status.
ssl                     (Optional) Displays the SSL status.
tcp                     (Optional) Displays the TCP status.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release                                Modification
Cisco IOS Release 12.1(13)E and        Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 1.1(1)
SSL Services Module Release 1.2(1)     The output of the show ssl-proxy status command was changed to include statistics that are displayed at a 5-second, 1-minute, and 5-minute traffic rate for CPU utilization.
SSL Services Module Release 3.1(1)     This command was changed to add the following keywords:
                                       • fdu
                                       • ssl
                                       • tcp
Examples
This example shows how to display the status of the SSL Services Module:
ssl-proxy# show ssl-proxy status
FDU cpu is alive!
FDU cpu utilization:
   % process util         : 0              % interrupt util         : 0
   proc cycles            : 0x2DB3980C     int cycles               : 0x2ADACD71
   total cycles           : 0x4E75127FCEA4
   % process util (5 sec) : 0              % interrupt util (5 sec) : 0
   % process util (1 min) : 0              % interrupt util (1 min) : 0
   % process util (5 min) : 0              % interrupt util (5 min) : 0
TCP cpu is alive!
TCP cpu utilization:
   % process util         : 0              % interrupt util         : 0
   proc cycles            : 0x2E42C686     int cycles               : 0x47F7C36A91
   total cycles           : 0x4E799DB3F5F8
   % process util (5 sec) : 0              % interrupt util (5 sec) : 0
   % process util (1 min) : 0              % interrupt util (1 min) : 0
   % process util (5 min) : 0              % interrupt util (5 min) : 0
SSL cpu is alive!
SSL cpu utilization:
   % process util         : 0              % interrupt util         : 0
   proc cycles            : 0x9E396A4      int cycles               : 0xDB85C98B
   total cycles           : 0x4E798224EDC1
   % process util (5 sec) : 0              % interrupt util (5 sec) : 0
   % process util (1 min) : 0              % interrupt util (1 min) : 0
   % process util (5 min) : 0              % interrupt util (5 min) : 0
This example shows how to display the status of the TCP CPU on the SSL Services Module:
ssl-proxy# show ssl-proxy status tcp
TCP cpu is alive!
TCP cpu utilization:
   % process util         : 0              % interrupt util         : 0
   proc cycles            : 0x2E45DAEE     int cycles               : 0x47FC7C2AC5
   total cycles           : 0x4E7EC4499DC8
   % process util (5 sec) : 0              % interrupt util (5 sec) : 0
   % process util (1 min) : 0              % interrupt util (1 min) : 0
   % process util (5 min) : 0              % interrupt util (5 min) : 0
show ssl-proxy version
To display the current image version, use the show ssl-proxy version command.
show ssl-proxy version
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release                                Modification
Cisco IOS Release 12.1(13)E and        Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 1.1(1)
Examples
This example shows how to display the image version that is currently running on the SSL Services
Module:
ssl-proxy# show ssl-proxy version
Cisco IOS Software, SVCSSL Software (SVCSSL-K9Y9-M)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 09-Jan-06 16:54 by integ
ROM: System Bootstrap, Version 12.2(11)YS1 RELEASE SOFTWARE
ssl-proxy uptime is 1 day, 15 hours, 57 minutes
System returned to ROM by power-on
System image file is "tftp://10.1.1.1/unknown"
AP Version 3.1(1)
ssl-proxy#
show ssl-proxy vlan
To display VLAN information, use the show ssl-proxy vlan command.
show ssl-proxy vlan [vlan-id][debug][module module]
Syntax Description
vlan-id: (Optional) VLAN ID. Displays information for a specific VLAN; valid values are from 1 to 1005.
debug: (Optional) Displays debug information.
module module: (Optional) Displays statistics for the specified module; module type includes the following:
• all—all CPUs
• fdu—FDU CPU
• ssl1—SSL1 CPU
• tcp1—TCP1 CPU
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release: Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
Modification: This command was changed to add the module module keyword.
Examples
This example shows how to display all the VLANs that are configured on the SSL Services Module:
ssl-proxy# show ssl-proxy vlan
VLAN index 2:
Associated with interface SSL-Proxy0.2 (UP)
IP addr 207.10.0.16 NetMask 255.0.0.0
VLAN index 3:
Associated with interface SSL-Proxy0.3 (UP)
IP addr 208.10.0.16 NetMask 255.0.0.0
VLAN index 4:
Associated with interface SSL-Proxy0.4 (UP)
IP addr 209.10.0.16 NetMask 255.0.0.0
ssl-proxy#
Related Commands
interface ssl-proxy
snmp-server enable
To configure the SNMP traps and informs, use the snmp-server enable command. Use the no form of
this command to disable SNMP traps and informs.
snmp-server enable {informs | traps {ipsec | isakmp | snmp | {ssl-proxy [cert-expiring] [oper-status]}}}
no snmp-server enable {informs | traps {ipsec | isakmp | snmp | {ssl-proxy [cert-expiring] [oper-status]}}}
Syntax Description
informs: Enables SNMP informs.
traps: Enables SNMP traps.
ipsec: Enables IPsec traps.
isakmp: Enables ISAKMP traps.
snmp: Enables SNMP traps.
ssl-proxy: Enables SNMP SSL proxy notification traps.
cert-expiring: (Optional) Enables SSL proxy certificate-expiring notification traps.
oper-status: (Optional) Enables SSL proxy operation-status notification traps.
Defaults
This command has no default setting.
Command Modes
Global configuration
Command History
Release: SSL Services Module Release 2.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Examples
This example shows how to enable SNMP informs:
ssl-proxy (config)# snmp-server enable informs
ssl-proxy (config)#
This example shows how to enable SSL-proxy traps:
ssl-proxy (config)# snmp-server enable traps ssl-proxy
ssl-proxy (config)#
This example shows how to enable SSL-proxy notification traps:
ssl-proxy (config)# snmp-server enable traps ssl-proxy cert-expiring oper-status
ssl-proxy (config)#
ssl-proxy context
To enter the SSL context submode and define the virtual SSL context, use the ssl-proxy context
command. Use the no form of this command to remove any commands that you have entered in the SSL
context subcommand mode from the configuration.
ssl-proxy context [name]
no ssl-proxy context name
Syntax Description
name: Name of the context.
Defaults
The default context name is “Default.”
Command Modes
Global configuration
Command History
Release: SSL Services Module Release 3.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The name argument is case sensitive.
After you enter the ssl-proxy context command, the prompt changes to the following:
ssl-proxy(config-context)#
After you enter the context submode, you can use the context submode commands listed in Table 2-10 to configure the context services.
Table 2-10 Context Submode Commands
default: Set a command to its defaults.
description description: (Optional) Allows you to enter a short description for this context.
exit: Exit from context configuration mode.
maxconns connections: (Optional) Configures the maximum number of connections for this context. Valid values are from 1 to 65536. Default: 65536.
natpool name start_ip_addr end_ip_addr netmask netmask: Configures the NAT pool settings. See the “natpool” section on page 2-30.
policy health-probe tcp policy-name: Configures the TCP health probe policy. See the “policy health-probe tcp” section on page 2-31.
Table 2-10 Context Submode Commands (continued)
policy http-header policy-name: Configures the HTTP header insertion policy. See the “policy http-header” section on page 2-34.
policy ssl policy-name: Configures the SSL policy. See the “policy ssl” section on page 2-39.
policy tcp policy-name: Configures the TCP policy. See the “policy tcp” section on page 2-45.
policy url-rewrite policy-name: Configures the URL rewrite policy. See the “policy url-rewrite” section on page 2-49.
pool ca name: Configures a pool of resources. See the “pool ca” section on page 2-51.
service service_name: Enters SSL proxy service subcommand mode and lets you configure the SSL client or server proxy service. See the “service” section on page 2-52 for information about SSL proxy services.
vrf-name name: Configures the VRF associated with this context.
Examples
This example shows how to configure the context “hubble”:
ssl-proxy# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context hubble
ssl-proxy(config-context)# vrf-name hubble
ssl-proxy(config-context)# service hubble
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 3.100.100.108 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 5.100.100.41 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint shuttle
ssl-proxy(config-ctx-ssl-proxy)# nat client hubble
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# natpool hubble 5.100.100.20 5.100.100.27 netmask 255.255.255.0
ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# port 80
ssl-proxy(config-ctx-tcp-probe)# exit
ssl-proxy(config-context)#
ssl-proxy(config-context)# description Example context
ssl-proxy(config-context)# end
ssl-proxy#
ssl-proxy crypto selftest
To initiate a cryptographic self-test, use the ssl-proxy crypto selftest command. Use the no form of this
command to disable the testing.
ssl-proxy crypto selftest [time-interval seconds]
no ssl-proxy crypto selftest
Syntax Description
time-interval seconds: (Optional) Sets the time interval between test cases; valid values are from 1 to 8 seconds.
Defaults
3 seconds
Command Modes
Global configuration
Command History
Release: Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The ssl-proxy crypto selftest command enables a set of crypto algorithm tests to be run on the SSL
processor in the background. Random number generation, hashing, encryption and decryption, and MAC
generation are tested with a time interval between test cases.
This test is run only for troubleshooting purposes. Running this test will impact run-time performance.
To display the results of the self-test, enter the show ssl-proxy stats crypto command.
Examples
This example shows how to start a cryptographic self-test:
ssl-proxy (config)# ssl-proxy crypto selftest
ssl-proxy (config)#
ssl-proxy mac address
To configure a MAC address, use the ssl-proxy mac address command.
ssl-proxy mac address mac-addr
Syntax Description
mac-addr: MAC address; see the “Usage Guidelines” section for additional information.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release: Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
Enter the MAC address in this format: H.H.H.
Examples
This example shows how to configure a MAC address:
ssl-proxy (config)# ssl-proxy mac address 00e0.b0ff.f232
ssl-proxy (config)#
Related Commands
show ssl-proxy mac address
ssl-proxy pki
To configure and define the PKI implementation on the SSL Services Module, use the ssl-proxy pki
command. Use the no form of this command to disable the logging and clear the memory.
ssl-proxy pki {{authenticate {timeout seconds}} | {cache {{size entries} | {timeout minutes}}} | {certificate {check-expiring {interval hours}}} | history}
no ssl-proxy pki {authenticate | cache | certificate | history}
Syntax Description
authenticate: Configures the certificate authentication and authorization.
timeout seconds: Specifies the timeout in seconds for each request; valid values are from 1 to 600 seconds.
cache: Configures the peer-certificate cache.
size entries: Specifies the maximum number of cache entries; valid values are from 0 to 5000 entries.
timeout minutes: Specifies the aging timeout value of entries; valid values are from 1 to 600 minutes.
certificate: Configures the check-expiring interval.
check-expiring interval hours: Specifies the check-expiring interval; valid values are from 0 to 720 hours.
history: Key and certificate history.
Defaults
The default settings are as follows:
• timeout seconds—180 seconds
• size entries—0 entries
• timeout minutes—15 minutes
• interval hours—0 hours, do not check
Command Modes
Global configuration
Command History
Release: Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 2.1(1)
Modification: This command was changed to add the following keywords:
• authenticate
• cache
• certificate
Usage Guidelines
The ssl-proxy pki history command enables logging of certificate history records per proxy service into memory and generates a syslog message per record. Each record tracks the addition or deletion of a key pair or certificate in the proxy service's key and certificate table.
When the index of the table changes, this command logs the following information:
• Key pair name
• Trustpoint label
• Service name
• Subject name
• Serial number of the certificate
Up to 512 records can be stored in memory at one time.
Examples
This example shows how to specify the timeout in seconds for each request:
ssl-proxy (config)# ssl-proxy pki authenticate timeout 200
ssl-proxy (config)#
This example shows how to specify the cache size:
ssl-proxy (config)# ssl-proxy pki cache size 50
ssl-proxy (config)#
This example shows how to specify the aging timeout value of entries:
ssl-proxy (config)# ssl-proxy pki cache timeout 20
ssl-proxy (config)#
This example shows how to specify the check-expiring interval:
ssl-proxy (config)# ssl-proxy pki certificate check-expiring interval 100
ssl-proxy (config)#
This example shows how to enable PKI event-history:
ssl-proxy (config)# ssl-proxy pki history
ssl-proxy (config)#
Related Commands
show ssl-proxy stats
ssl-proxy crypto key unlock rsa
To unlock the key automatically after a reload, use the ssl-proxy crypto key unlock rsa command.
ssl-proxy crypto key unlock rsa key-name passphrase passphrase
Syntax Description
key-name: Name of the key.
passphrase: Pass phrase.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release: SSL Services Module Release 3.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Examples
This example shows how to unlock the keys automatically after a reload:
ssl-proxy(config)# ssl-proxy crypto key unlock rsa pki1-72a.cisco.com passphrase cisco1234
ssl-proxy(config)#
ssl-proxy ip-frag-ttl
To adjust the IP fragment reassembly timer, use the ssl-proxy ip-frag-ttl command.
ssl-proxy ip-frag-ttl time
Syntax Description
time: (Optional) Adjust the IP fragment reassembly timer; valid values are from 3 to 120 seconds.
Defaults
time is 6 seconds.
Command Modes
Global configuration
Command History
Release: SSL Services Module Release 3.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Examples
This example shows how to configure the IP reassembly timeout to 60 seconds:
ssl-proxy(config)# ssl-proxy ip-frag-ttl 60
ssl-proxy(config)#
ssl-proxy ssl ratelimit
To prohibit new connections during overload conditions, use the ssl-proxy ssl ratelimit command.
Use the no form of this command to allow new connections if memory is available.
ssl-proxy ssl ratelimit
no ssl-proxy ssl ratelimit
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release: Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to prohibit new connections during overload conditions:
ssl-proxy (config)# ssl-proxy ssl ratelimit
ssl-proxy (config)#
This example shows how to allow new connections during overload conditions if memory is available:
ssl-proxy (config)# no ssl-proxy ssl ratelimit
ssl-proxy (config)#
standby authentication
To configure an authentication string for HSRP, use the standby authentication command. Use the no
form of this command to delete an authentication string.
standby [group-number] authentication text string
no standby [group-number] authentication text string
Syntax Description
group-number: (Optional) Group number on the interface to which this authentication string applies. Valid values are from 0 to 255 for HSRP version 1; valid values are from 0 to 4095 for HSRP version 2. See the “standby version” section on page 2-116 for information about changing the HSRP version.
text string: Specifies the authentication string, which can be up to eight characters.
Defaults
The defaults are as follows:
• group-number is 0.
• string is cisco.
Command Modes
Subinterface configuration submode
Command History
Release: SSL Services Module Release 2.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
Modification: The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
HSRP ignores unauthenticated HSRP messages.
The authentication string is sent unencrypted in all HSRP messages. You must configure the same
authentication string on all routers and access servers on a cable to ensure interoperation. Authentication
mismatch prevents a device from learning the designated hot standby IP address and the hot standby
timer values from the other routers that are configured with HSRP.
When you use group number 0, no group number is written to NVRAM, providing backward
compatibility.
Examples
This example shows how to configure “word” as the authentication string to allow hot standby routers
in group 1 to interoperate:
ssl-proxy (config-subif)# standby 1 authentication text word
ssl-proxy (config-subif)#
standby delay minimum reload
To configure a delay before the HSRP groups are initialized, use the standby delay minimum reload
command. Use the no form of this command to disable the delay.
standby delay minimum [min-delay] reload [reload-delay]
no standby delay minimum [min-delay] reload [reload-delay]
Syntax Description
min-delay: (Optional) Minimum time (in seconds) to delay HSRP group initialization after an interface comes up; valid values are from 0 to 10000 seconds.
reload-delay: (Optional) Time (in seconds) to delay after the router has reloaded; valid values are from 0 to 10000 seconds.
Defaults
The defaults are as follows:
• min-delay is 1 second.
• reload-delay is 5 seconds.
Command Modes
Subinterface configuration submode
Command History
Release: SSL Services Module Release 2.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
Modification: The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
The min-delay applies to all subsequent interface events.
The reload-delay applies only to the first interface-up event after the router has reloaded.
If the active router fails or you remove it from the network, the standby router automatically becomes
the new active router. If the former active router comes back online, you can control whether it takes over
as the active router by using the standby preempt command.
However, in some cases, even if you do not use the standby preempt command, the former active router
resumes the active role after it reloads and comes back online. Use the standby delay minimum reload
command to set a delay for HSRP group initialization. This command allows time for the packets to get
through before the router resumes the active role.
We recommend that you use the standby delay minimum reload command if the standby timers
command is configured in milliseconds or if HSRP is configured on a VLAN interface of a switch.
In most configurations, the default values provide sufficient time for the packets to get through and
configuring longer delay values is not necessary.
The delay is canceled if an HSRP packet is received on an interface.
Examples
This example shows how to set the minimum delay to 30 seconds and the delay after the first reload to
120 seconds:
ssl-proxy(config)# interface ssl-proxy 0.100
ssl-proxy (config-subif)# standby delay minimum 30 reload 120
ssl-proxy (config-subif)#
Related Commands
show standby delay
standby preempt
standby timers
standby ip
To activate HSRP, use the standby ip command. Use the no form of this command to disable HSRP.
standby [group-number] ip [ip-address [secondary]]
no standby [group-number] ip [ip-address]
Syntax Description
group-number: (Optional) Group number on the interface for which HSRP is being activated.
ip-address: (Optional) IP address of the hot standby router interface.
secondary: (Optional) Indicates the IP address is a secondary hot standby router interface.
Defaults
The defaults are as follows:
• group-number is 0.
• HSRP is disabled by default.
Command Modes
Subinterface configuration submode
Command History
Release: SSL Services Module Release 2.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
Modification: The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
The standby ip command allows you to configure primary and secondary HSRP addresses.
The standby ip command activates HSRP on the configured interface. If you specify an IP address, that address is used as the designated address for the hot standby group. If you do not specify an IP address, the designated address is learned through the standby function. So that HSRP can elect a designated router, at least one router on the cable must have been configured with, or have learned, the designated address. Configuring the designated address on the active router always overrides a designated address that is currently in use.
When you enable the standby ip command on an interface, the handling of proxy ARP requests is
changed (unless proxy ARP was disabled). If the hot standby state of the interface is active, proxy ARP
requests are answered using the MAC address of the hot standby group. If the interface is in a different
state, proxy ARP responses are suppressed.
When you use group number 0, no group number is written to NVRAM, providing backward
compatibility.
Examples
This example shows how to activate HSRP for group 1 on Ethernet interface 0. The IP address that is
used by the hot standby group is learned using HSRP.
ssl-proxy (config-subif)# standby 1 ip
ssl-proxy (config-subif)#
This example shows how to indicate that the IP address is a secondary hot standby router interface:
ssl-proxy (config-subif)# standby ip 1.1.1.254
ssl-proxy (config-subif)# standby ip 1.2.2.254 secondary
ssl-proxy (config-subif)# standby ip 1.3.3.254 secondary
standby mac-address
To specify a virtual MAC address for HSRP, use the standby mac-address command. Use the no form
of this command to revert to the standard virtual MAC address (0000.0C07.ACxy).
standby [group-number] mac-address mac-address
no standby [group-number] mac-address
Syntax Description
group-number: (Optional) Group number on the interface for which HSRP is being activated. The default is 0.
mac-address: MAC address.
Defaults
If this command is not configured, and the standby use-bia command is not configured, the standard virtual MAC address is used: 0000.0C07.ACxy, where xy is the group number in hexadecimal. This address is specified in RFC 2281, Cisco Hot Standby Router Protocol (HSRP).
Command Modes
Subinterface configuration submode
Command History
Release: SSL Services Module Release 2.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
Modification: The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
This command cannot be used on a Token Ring interface.
You can use HSRP to help end stations locate the first-hop gateway for IP routing. The end stations are
configured with a default gateway. However, HSRP can provide first-hop redundancy for other protocols.
Some protocols, such as Advanced Peer-to-Peer Networking (APPN), use the MAC address to identify
the first hop for routing purposes. In this case, it is often necessary to be able to specify the virtual MAC
address; the virtual IP address is unimportant for these protocols. Use the standby mac-address
command to specify the virtual MAC address.
The specified MAC address is used as the virtual MAC address when the router is active.
This command is intended for certain APPN configurations. The parallel terms are shown in Table 2-11.
Table 2-11 Parallel Terms Between APPN and IP
APPN end node: IP host
APPN network node: IP router or gateway
In an APPN network, an end node is typically configured with the MAC address of the adjacent network
node. Use the standby mac-address command in the routers to set the virtual MAC address to the value
that is used in the end nodes.
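The standard virtual MAC derivation from the Defaults above (0000.0C07.ACxy), together with the H.H.H notation that this command and ssl-proxy mac address expect, worked as an added Python example that is not Cisco code: it builds the group address, validates H.H.H input, and tags constructed ARP-table rows by whether they carry a standard HSRP version 1 group address, which an operator-chosen standby mac-address would not. The function names, the sample ARP entries and their IP addresses are assumptions.

```python
"""HSRP version 1 virtual MAC helpers (added example, not Cisco code).

Derives the standard virtual MAC 0000.0C07.ACxy described in the
standby mac-address section, validates the H.H.H dotted-hex notation
used by standby mac-address and ssl-proxy mac address, and recognises
whether a MAC seen on the wire is a standard HSRP v1 group address.
"""
import re
from typing import Optional

# Cisco dotted-hex notation: three groups of four hex digits (H.H.H).
_DOTTED_HEX = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")

# First five octets of the RFC 2281 virtual MAC; the last octet is the group.
HSRP_V1_PREFIX = bytes.fromhex("00000c07ac")


def parse_dotted_mac(text: str) -> bytes:
    """Parse an H.H.H MAC address into six raw bytes, rejecting other forms."""
    if not _DOTTED_HEX.match(text):
        raise ValueError(f"not a H.H.H MAC address: {text!r}")
    return bytes.fromhex(text.replace(".", ""))


def format_dotted_mac(mac: bytes) -> str:
    """Render six raw bytes in Cisco H.H.H notation (lowercase hex)."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hsrp_v1_virtual_mac(group: int) -> str:
    """Standard HSRP v1 virtual MAC for a group: 0000.0c07.acxy, xy = group in hex.

    HSRP version 1 group numbers run from 0 to 255 (see standby authentication),
    which is exactly what fits in the final octet.
    """
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group number must be 0..255")
    return format_dotted_mac(HSRP_V1_PREFIX + bytes([group]))


def hsrp_v1_group_of(mac_text: str) -> Optional[int]:
    """Return the HSRP v1 group number if mac_text is a standard virtual MAC.

    Returns None for any other address. An operator-chosen address configured
    with standby mac-address (or one derived via standby use-bia) will not
    match, so an inventory of those addresses has to come from the routers'
    configuration rather than from this prefix check alone.
    """
    mac = parse_dotted_mac(mac_text)
    if mac[:5] != HSRP_V1_PREFIX:
        return None
    return mac[5]


def classify_arp_entries(entries):
    """Tag constructed ARP-table rows (ip, mac) as HSRP virtual or ordinary.

    Useful when auditing which first-hop addresses on a subnet are served by
    an HSRP group; an unexpected group address is worth correlating with the
    standby configuration of the routers on that segment.
    """
    result = []
    for ip, mac in entries:
        group = hsrp_v1_group_of(mac)
        kind = f"hsrp-v1-group-{group}" if group is not None else "ordinary"
        result.append((ip, mac, kind))
    return result


# Constructed sample ARP entries (assumed values, not from the manual).
SAMPLE_ARP = [
    ("10.1.1.254", "0000.0c07.ac01"),  # standard virtual MAC, group 1
    ("10.1.1.1", "00e0.b0ff.f232"),    # physical address from the manual's example
    ("10.1.1.253", "4000.1000.1060"),  # APPN-style custom virtual MAC from the manual
]

if __name__ == "__main__":
    for row in classify_arp_entries(SAMPLE_ARP):
        print(row)
```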
Examples
This example shows how to configure HSRP group 1 with the virtual MAC address:
ssl-proxy (config-subif)# standby 1 mac-address 4000.1000.1060
ssl-proxy (config-subif)#
Related Commands
show standby
standby version
standby mac-refresh
To change the interval at which packets are sent to refresh the MAC cache when HSRP is running over
FDDI, use the standby mac-refresh command. Use the no form of this command to restore the default
value.
standby mac-refresh seconds
no standby mac-refresh
Syntax Description
seconds: Number of seconds in the interval at which a packet is sent to refresh the MAC cache; valid values are from 1 to 255 seconds.
Defaults
seconds is 10 seconds.
Command Modes
Subinterface configuration submode
Command History
Release: SSL Services Module Release 2.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
Modification: The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
This command applies to HSRP running over FDDI only. Packets are sent every 10 seconds to refresh
the MAC cache on learning bridges or switches. By default, the MAC cache entries age out in
300 seconds (5 minutes).
All other routers participating in HSRP on the FDDI ring receive the refresh packets, although the
packets are intended only for the learning bridge or switch. Use this command to change the interval.
Set the interval to 0 if you want to prevent refresh packets (if you have FDDI but do not have a learning
bridge or switch).
Examples
This example shows how to change the MAC-refresh interval to 100 seconds. In this example, a learning
bridge needs to miss three packets before the entry ages out.
ssl-proxy (config-subif)# standby mac-refresh 100
ssl-proxy (config-subif)#
standby name
To configure the name of the standby group, use the standby name command. Use the no form of this
command to disable the name.
standby name group-name
no standby name group-name
Syntax Description
group-name: Name of the standby group.
Defaults
HSRP is disabled.
Command Modes
Subinterface configuration submode
Command History
Release: SSL Services Module Release 2.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
Modification: The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
The group-name argument specifies the HSRP group.
Examples
This example shows how to specify the standby name as SanJoseHA:
ssl-proxy (config-subif)# standby name SanJoseHA
ssl-proxy (config-subif)#
Related Commands
ip mobile home-agent redundancy (refer to the Cisco IOS Release 12.2 Command Reference)
standby preempt
To configure HSRP preemption and preemption delay, use the standby preempt command. Use the no
form of this command to restore the default values.
standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}]
no standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}]
Syntax Description
group-number: (Optional) Group number on the interface to which the other arguments in this command apply.
delay: (Optional) Required if either the minimum, reload, or sync keywords are specified.
minimum delay: (Optional) Specifies the minimum delay in delay seconds; valid values are from 0 to 3600 seconds (1 hour).
reload delay: (Optional) Specifies the preemption delay after a reload only.
sync delay: (Optional) Specifies the maximum synchronization period in delay seconds.
Defaults
The defaults are as follows:
• group-number is 0.
• delay is 0 seconds; the router preempts immediately. By default, the router that comes up later becomes the standby router.
Command Modes
Subinterface configuration submode
Command History
Release: SSL Services Module Release 2.1(1)
Modification: Support for this command was introduced on the Catalyst 6500 series switches.
Release: SSL Services Module Release 3.1(1)
Modification: The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
The delay argument causes the local router to postpone taking over the active role for delay (minimum)
seconds since that router was last restarted.
When you use this command, the router is configured to preempt, which means that when the local router
has a hot standby priority that is higher than the current active router, the local router should attempt to
assume control as the active router. If you do not configure preemption, the local router assumes control
as the active router only if it receives information indicating no router is in the active state (acting as the
designated router).
When a router first comes up, it does not have a complete routing table. If you configure the router to
preempt, it becomes the active router, but it cannot provide adequate routing services. You can configure
a delay before the preempting router actually preempts the currently active router.
When you use group number 0, no group number is written to NVRAM, providing backward
compatibility.
IP-redundancy clients can prevent preemption from taking place. The standby preempt delay sync
delay command specifies a maximum number of seconds to allow IP-redundancy clients to prevent
preemption. When this expires, preemption takes place regardless of the state of the IP-redundancy
clients.
The standby preempt delay reload delay command allows preemption to occur only after a router
reloads. This provides stabilization of the router at startup. After this initial delay at startup, the
operation returns to the default behavior.
The no standby preempt delay command disables the preemption delay but preemption remains
enabled. The no standby preempt delay minimum delay command disables the minimum delay but
leaves any synchronization delay if it was configured.
Examples
This example shows how to configure the router to wait for 300 seconds (5 minutes) before attempting
to become the active router:
ssl-proxy (config-subif)# standby preempt delay minimum 300
ssl-proxy (config-subif)#
standby priority
To configure the priority for HSRP, use the standby priority command. Use the no form of this
command to restore the default values.
standby [group-number] priority priority
no standby [group-number] priority priority
Syntax Description
group-number    (Optional) Group number on the interface to which the other arguments in this command apply.
priority        Priority value that prioritizes a potential hot standby router; valid values are from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority.
Defaults
The defaults are as follows:
• group-number is 0.
• priority is 100.
Command Modes
Subinterface configuration submode
Command History
Release                              Modification
SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)   The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
The router in the HSRP group with the highest priority value becomes the active router.
When you use group number 0, no group number is written to NVRAM, providing backward
compatibility.
The assigned priority is used to help select the active and standby routers. Assuming that preemption is
enabled, the router with the highest priority becomes the designated active router. In case of ties, the
primary IP addresses are compared, and the higher IP address has priority.
The priority of the device can change dynamically if an interface is configured with the standby track
command and another interface on the router goes down.
Examples
This example shows how to change the router priority:
ssl-proxy (config-subif)# standby priority 120
ssl-proxy (config-subif)#
Related Commands
standby track
standby redirects
To enable HSRP filtering of Internet Control Message Protocol (ICMP) redirect messages, use the
standby redirects command. Use the no form of this command to disable the HSRP filtering of ICMP
redirect messages.
standby redirects [enable | disable] [timers advertisement holddown] [unknown]
no standby redirects [unknown]
Syntax Description
enable          (Optional) Allows the filtering of ICMP redirect messages on interfaces that are configured with HSRP, where the next-hop IP address may be changed to an HSRP virtual IP address.
disable         (Optional) Disables the filtering of ICMP redirect messages on interfaces that are configured with HSRP.
timers          (Optional) Adjusts HSRP-router advertisement timers.
advertisement   (Optional) HSRP-router advertisement interval in seconds; valid values are from 10 to 180 seconds.
holddown        (Optional) HSRP-router holddown interval in seconds; valid values are from 61 to 3600.
unknown         (Optional) Allows ICMP redirect packets to be sent when the next-hop IP address that is contained in the packet is unknown in the HSRP table of real IP addresses and active virtual IP addresses.
Defaults
The defaults are as follows:
• HSRP filtering of ICMP redirect messages is enabled if you configure HSRP on an interface.
• advertisement is 60 seconds.
• holddown is 180 seconds.
Command Modes
Subinterface configuration submode
Command History
Release                              Modification
SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)   The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
You can configure the standby redirects command globally or on a per-interface basis. When you first
configure HSRP on an interface, the setting for that interface inherits the global value. If you explicitly
disable the filtering of ICMP redirects on an interface, then the global command cannot reenable this
functionality.
The no standby redirects command is the same as the standby redirects disable command. We do not
recommend that you save the no form of this command to NVRAM. Because the command is enabled
by default, we recommend that you use the standby redirects disable command to disable the
functionality.
With the standby redirects command enabled, the real IP address of a router can be replaced with a
virtual IP address in the next-hop address or gateway field of the redirect packet. HSRP looks up the
next-hop IP address in its table of real IP addresses versus virtual IP addresses. If HSRP does not find a
match, the HSRP router allows the redirect packet to go out unchanged, so the host is redirected to a
router that is unknown to HSRP, that is, a router with no active HSRP groups. You can specify the
no standby redirects unknown command to stop these redirects from being sent.
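The lookup described above, modelled as an added example (this is not code from the manual or from Cisco): the HSRP table maps each router's real IP address to the virtual IP address of the group it is currently active for, and the filter decides whether an outgoing ICMP redirect is rewritten, passed unchanged, or suppressed under no standby redirects unknown. The IP addresses are constructed for the example. The operational reason for the filter is visible in the code: a host that accepts a redirect to a real router address keeps using that address after a failover, whereas a redirect to the virtual address follows whichever router is active.

```python
from dataclasses import dataclass


@dataclass
class HsrpRedirectFilter:
    """Models the 'standby redirects' decision for one outgoing ICMP redirect.

    table maps a router's real IP address to the virtual IP address of the
    HSRP group in which that router is currently active (the manual's "table
    of real IP addresses versus virtual IP addresses")."""
    table: dict
    filtering_enabled: bool = True   # the default once HSRP is configured
    send_unknown: bool = True        # False models 'no standby redirects unknown'

    def next_hop_for_redirect(self, real_next_hop):
        """Return the next-hop address to place in the redirect, or None when
        the redirect must not be sent at all."""
        if not self.filtering_enabled:          # 'standby redirects disable'
            return real_next_hop
        virtual_ip = self.table.get(real_next_hop)
        if virtual_ip is not None:
            return virtual_ip                   # real address replaced by the virtual one
        # No match: the next hop has no active HSRP group. The documented
        # default is to send the redirect unchanged; 'no standby redirects
        # unknown' suppresses it instead.
        return real_next_hop if self.send_unknown else None


# Constructed sample (addresses invented for this example): 10.1.0.21 is
# active for the group with virtual IP 10.1.0.1, 10.1.0.22 for 10.1.0.2,
# and 10.1.0.99 runs no HSRP at all.
SAMPLE_TABLE = {"10.1.0.21": "10.1.0.1", "10.1.0.22": "10.1.0.2"}


def demo():
    """Run the three documented cases and return the resulting next hops."""
    default = HsrpRedirectFilter(SAMPLE_TABLE)
    no_unknown = HsrpRedirectFilter(SAMPLE_TABLE, send_unknown=False)
    disabled = HsrpRedirectFilter(SAMPLE_TABLE, filtering_enabled=False)
    return {
        "rewritten": default.next_hop_for_redirect("10.1.0.21"),
        "unknown_passed": default.next_hop_for_redirect("10.1.0.99"),
        "unknown_suppressed": no_unknown.next_hop_for_redirect("10.1.0.99"),
        "filter_disabled": disabled.next_hop_for_redirect("10.1.0.21"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```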
Examples
This example shows how to allow HSRP to filter ICMP redirect messages:
ssl-proxy (config-subif)# standby redirects
ssl-proxy (config-subif)#
This example shows how to change the HSRP router advertisement interval to 90 seconds and the
holddown timer to 270 seconds on interface Ethernet 0:
ssl-proxy (config-subif)# standby redirects timers 90 270
ssl-proxy (config-subif)#
Related Commands
show standby
show standby redirect
standby timers
To configure the time between hello packets and the time before other routers declare the active hot
standby or standby router to be down, use the standby timers command. Use the no form of this
command to return to the default settings.
standby [group-number] timers [msec] hellotime [msec] holdtime
no standby [group-number] timers [msec] hellotime [msec] holdtime
Syntax Description
group-number    (Optional) Group number on the interface to which the timers apply.
msec            (Optional) Specifies the interval in milliseconds.
hellotime       Hello interval (in seconds); see the “Usage Guidelines” section for valid values.
holdtime        Time (in seconds) before the active or standby router is declared to be down; see the “Usage Guidelines” section for valid values.
Defaults
The defaults are as follows:
• group-number is 0.
• hellotime is 3 seconds.
• holdtime is 10 seconds.
Command Modes
Subinterface configuration submode
Command History
Release                              Modification
SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)   The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
The valid values for hellotime are as follows:
• If you did not enter the msec keyword, valid values are from 1 to 254 seconds.
• If you enter the msec keyword, valid values are from 15 to 999 milliseconds.
The valid values for holdtime are as follows:
• If you did not enter the msec keyword, valid values are from x to 255 seconds, where x is the hellotime plus 50 milliseconds, rounded up to the nearest second.
• If you enter the msec keyword, valid values are from y to 3000 milliseconds, where y is greater than or equal to 3 times the hellotime and is not less than 50 milliseconds.
If you specify the msec keyword, the hello interval is in milliseconds. Millisecond timers allow for faster
failover.
The standby timers command configures the time between standby hello packets and the time before
other routers declare the active or standby router to be down. Routers or access servers on which timer
values are not configured can learn timer values from the active or standby router. The timers configured
on the active router always override any other timer settings. All routers in a Hot Standby group should
use the same timer values. Normally, holdtime is greater than or equal to three times the value of
hellotime. The range of values for holdtime forces the holdtime to be greater than the hellotime. If the
timer values are specified in milliseconds, the holdtime is required to be at least three times the hellotime
value and not less than 50 milliseconds.
Some HSRP state flapping can occasionally occur if the holdtime is set to less than 250 milliseconds,
and the processor is busy. It is recommended that holdtime values less than 250 milliseconds be used.
Setting the process-max-time command to a suitable value may also help with flapping.
The value of the standby timer will not be learned through HSRP hellos if it is less than 1 second.
When group number 0 is used, no group number is written to NVRAM, providing backward
compatibility.
Examples
This example sets, for group number 1 on Ethernet interface 0, the time between hello packets to 5
seconds, and the time after which a router is considered to be down to 15 seconds:
interface ethernet 0
standby 1 ip
standby 1 timers 5 15
This example sets, for the hot router interface that is located at 172.19.10.1 on Ethernet interface 0, the
time between hello packets to 300 milliseconds, and the time after which a router is considered to be
down to 900 milliseconds:
interface ethernet 0
standby ip 172.19.10.1
standby timers msec 300 msec 900
This example sets, for the hot router interface that is located at 172.18.10.1 on Ethernet interface 0, the
time between hello packets to 15 milliseconds, and the time after which a router is considered to be down
to 50 milliseconds. Note that the holdtime is three times larger than the hellotime because the minimum
holdtime value in milliseconds is 50.
interface ethernet 0
standby ip 172.18.10.1
standby timers msec 15 msec 50
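The hellotime and holdtime rules from the usage guidelines, carried through as an added example (not code from the manual or from Cisco): the checker applies the seconds-mode and msec-mode ranges, derives the holdtime floor from the hellotime the same way the guidelines describe it, and flags the below-250-millisecond flapping caveat. It reproduces the three configurations shown above and also rejects settings the guidelines rule out, such as a 15 ms hellotime with a 45 ms holdtime. Function names and the (accepted, message) return shape are this example's own.

```python
import math

# Limits stated in the "standby timers" usage guidelines.
HELLO_RANGE_SEC = (1, 254)      # hellotime without the msec keyword
HELLO_RANGE_MSEC = (15, 999)    # hellotime with the msec keyword
HOLD_MAX_SEC = 255              # upper bound for holdtime in seconds
HOLD_MAX_MSEC = 3000            # upper bound for holdtime in milliseconds
HOLD_FLOOR_MSEC = 50            # absolute minimum holdtime in milliseconds
FLAP_WARN_MSEC = 250            # below this, flapping can occur on a busy processor


def min_holdtime_sec(hello_ms):
    """Lower bound for a holdtime given in seconds: the hellotime plus
    50 milliseconds, rounded up to the nearest whole second."""
    return math.ceil((hello_ms + 50) / 1000)


def min_holdtime_msec(hello_ms):
    """Lower bound for a holdtime given in milliseconds: at least three
    times the hellotime and never less than 50 milliseconds."""
    return max(3 * hello_ms, HOLD_FLOOR_MSEC)


def validate_timers(hellotime, holdtime, hello_msec=False, hold_msec=False):
    """Check a 'standby [group] timers [msec] hellotime [msec] holdtime'
    setting. Returns (accepted, message); the message carries the flapping
    caveat from the usage guidelines when it applies."""
    lo, hi = HELLO_RANGE_MSEC if hello_msec else HELLO_RANGE_SEC
    unit = "ms" if hello_msec else "s"
    if not lo <= hellotime <= hi:
        return False, f"hellotime {hellotime} {unit} is outside {lo}-{hi} {unit}"

    hello_ms = hellotime if hello_msec else hellotime * 1000
    if hold_msec:
        floor, ceiling, hunit = min_holdtime_msec(hello_ms), HOLD_MAX_MSEC, "ms"
        hold_ms = holdtime
    else:
        floor, ceiling, hunit = min_holdtime_sec(hello_ms), HOLD_MAX_SEC, "s"
        hold_ms = holdtime * 1000
    if not floor <= holdtime <= ceiling:
        return False, f"holdtime {holdtime} {hunit} is outside {floor}-{ceiling} {hunit}"

    note = "ok"
    if hold_ms < FLAP_WARN_MSEC:
        note = "ok; holdtime below 250 ms may flap when the processor is busy"
    return True, note


if __name__ == "__main__":
    # The manual's three examples, plus one setting the guidelines reject.
    for args in ((5, 15), (300, 900, True, True), (15, 50, True, True), (15, 45, True, True)):
        print(args, validate_timers(*args))
```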
standby track
To configure HSRP to track an object and change the hot standby priority based on the state of the object,
use the standby track command. Use the no form of this command to remove the tracking.
standby [group-number] track object-number [decrement priority]
no standby [group-number] track object-number [decrement priority]
Syntax Description
group-number          (Optional) Group number to which the tracking applies.
object-number         Object number in the range from 1 to 500 representing the object to be tracked.
decrement priority    (Optional) Specifies the amount by which the hot standby priority for the router is decremented (or incremented) when the tracked object goes down (or comes back up).
Defaults
The defaults are as follows:
• group-number is 0.
• priority is 10.
Command Modes
Subinterface configuration submode
Command History
Release                              Modification
SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)   The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
This command ties the hot standby priority of the router to the availability of its tracked objects. Use the
track interface or track ip route global configuration command to track an interface object or an IP
route object. The HSRP client registers its interest in the tracking process by using the standby track
command and takes action when the object changes.
When a tracked object goes down, the priority decreases by 10. If an object is not tracked, its state
changes do not affect the priority. For each object configured for hot standby, you can configure a
separate list of objects to be tracked.
The optional priority argument specifies how much to decrement the hot standby priority when a tracked
object goes down. When the tracked object comes back up, the priority is incremented by the same
amount.
When multiple tracked objects are down, the decrements are cumulative, whether configured with
priority values or not.
Use the no standby group-number track command to delete all tracking configuration for a group.
When you use group number 0, no group number is written to NVRAM, providing backward
compatibility.
The standby track command syntax prior to Release 12.2(15)T is still supported. Using the older form
will cause a tracked object to be created in the new tracking process. This tracking information can be
displayed using the show track command.
Examples
This example shows how to track the IP routing capability of serial interface 1/0. HSRP on Ethernet
interface 0/0 registers with the tracking process to be informed of any changes to the IP routing state of
serial interface 1/0. If the IP state on Serial interface 1/0 goes down, the priority of the HSRP group is
reduced by 10.
If both serial interfaces are operational, Router A becomes the HSRP active router because it has the
higher priority.
However, if IP routing on serial interface 1/0 in Router A fails, the HSRP group priority is reduced and
Router B takes over as the active router, thus maintaining a default virtual gateway service to hosts on
the 10.1.0.0 subnet.
Router A Configuration
!
track 100 interface serial1/0 ip routing
!
interface Ethernet0/0
ip address 10.1.0.21 255.255.0.0
standby 1 ip 10.1.0.1
standby 1 priority 105
standby 1 track 100 decrement 10
Router B Configuration
!
track 100 interface serial1/0 ip routing
!
interface Ethernet0/0
ip address 10.1.0.22 255.255.0.0
standby 1 ip 10.1.0.1
standby 1 priority 100
standby 1 track 100 decrement 10
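The Router A / Router B scenario above, simulated as an added example (not code from the manual or from Cisco) that also covers the election rules from the standby priority and standby preempt sections: highest effective priority wins, ties go to the higher primary IP address, a cumulative decrement is applied for every tracked object that is down, and a better candidate displaces the current active router only when it has preemption configured. Router names, the down-object bookkeeping and the function names are this example's own; both routers are given preempt so that the priority drop actually causes the takeover the text describes.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DEFAULT_DECREMENT = 10   # 'standby track' default when no 'decrement' is given


@dataclass
class HsrpRouter:
    name: str
    ip: str                       # primary IP address on the HSRP interface
    priority: int = 100           # 'standby priority' value (1-255)
    preempt: bool = False         # 'standby preempt' configured
    # tracked objects for this group: object-number -> decrement
    tracks: dict = field(default_factory=dict)

    def effective_priority(self, down_objects=frozenset()):
        """Configured priority minus the decrement of every tracked object
        that is currently down; decrements are cumulative across objects."""
        loss = sum(dec for obj, dec in self.tracks.items() if obj in down_objects)
        return self.priority - loss


def elect_active(routers, down=None, current_active=None):
    """Return the router that should be active for the group.

    'down' maps a router name to the set of its tracked objects that are
    down. Highest effective priority wins; ties go to the higher primary IP
    address. If some router is already active, a better candidate takes over
    only if it has preemption configured; otherwise the active router keeps
    the role until it disappears from the group."""
    down = down or {}

    def rank(r):
        return (r.effective_priority(down.get(r.name, frozenset())), IPv4Address(r.ip))

    best = max(routers, key=rank)
    if current_active is None or current_active not in routers or best is current_active:
        return best
    return best if best.preempt else current_active


def scenario():
    """The manual's example: A (priority 105) and B (priority 100) both track
    object 100 with decrement 10. Returns the active router name before and
    after IP routing on A's serial 1/0 (object 100) fails."""
    a = HsrpRouter("A", "10.1.0.21", 105, True, {100: DEFAULT_DECREMENT})
    b = HsrpRouter("B", "10.1.0.22", 100, True, {100: DEFAULT_DECREMENT})
    before = elect_active([a, b])
    after = elect_active([a, b], down={"A": {100}}, current_active=before)
    return before.name, after.name


if __name__ == "__main__":
    print("active before / after object 100 fails on A:", scenario())
```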
Related Commands
standby preempt
standby priority
standby use-bia
To configure HSRP to use the burned-in address of the interface as its virtual MAC address instead of
the preassigned MAC address (on Ethernet and FDDI) or the functional address (on Token Ring), use
the standby use-bia command. Use the no form of this command to restore the default virtual MAC
address.
standby use-bia [scope interface]
no standby use-bia
Syntax Description
scope interface    (Optional) Specifies that this command is configured only for the subinterface on which it was entered, instead of the major interface.
Defaults
HSRP uses the preassigned MAC address on Ethernet and FDDI or the functional address on Token
Ring.
Command Modes
Subinterface configuration submode
Command History
Release                              Modification
SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)   The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
You can configure multiple standby groups on an interface when you enter the standby use-bia
command. Hosts on the interface must have a default gateway configured. We recommend that you set
the no ip proxy-arp command on the interface. We also recommend that you configure the standby
use-bia command on a Token Ring interface if there are devices that reject ARP replies with source
hardware addresses that are set to a functional address.
When HSRP runs on a multiple-ring, source-routed bridging environment and the HSRP routers reside
on different rings, configuring the standby use-bia command can prevent confusion about the routing
information field (RIF).
Without the scope interface keywords, the standby use-bia command applies to all subinterfaces on the
major interface. You cannot enter the standby use-bia command both with and without the scope
interface keywords at the same time.
Examples
This example shows how to map the virtual MAC address to the virtual IP address:
ssl-proxy (config-subif)# standby use-bia
ssl-proxy (config-subif)#
standby version
To change the version of the Hot Standby Router Protocol (HSRP), use the standby version command:
standby version {1 | 2}
Syntax Description
1    Specifies HSRP version 1.
2    Specifies HSRP version 2.
Defaults
The default HSRP version is 1.
Command Modes
Subinterface configuration submode
Command History
Release                              Modification
SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)   The command mode for this command was changed from Proxy-VLAN to Subinterface.
Usage Guidelines
HSRP version 2 addresses limitations of HSRP version 1 by providing an expanded group number range
of 0 to 4095.
HSRP version 2 will not interoperate with HSRP version 1. An interface cannot operate both version 1
and version 2 because both versions are mutually exclusive. You cannot change from version 2 to version
1 if you have configured groups above 255. Using the no standby version command sets the HSRP
version to the default version, version 1.
If an HSRP version is changed, each group will reinitialize because it now has a new virtual MAC
address.
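An added example (not code from the manual or from Cisco) that makes the two rules above concrete: why a group above 255 blocks a change back to version 1, and why every group reinitializes after a version change. The virtual MAC formats it uses are well-known HSRP values that this page does not state (version 1 derives 0000.0c07.acXX and version 2 derives 0000.0c9f.fXXX from the group number in hexadecimal; standby use-bia replaces either with the burned-in address); the function names are this example's own. Knowing the derived addresses is also what lets an analyst recognize an HSRP virtual address in an ARP or MAC table.

```python
V1_MAX_GROUP = 255     # HSRP version 1 group numbers 0-255
V2_MAX_GROUP = 4095    # HSRP version 2 group numbers 0-4095


def virtual_mac(version, group):
    """Virtual MAC address an HSRP group derives from its version and group
    number (well-known HSRP values, not stated on this page): version 1 uses
    0000.0c07.acXX and version 2 uses 0000.0c9f.fXXX, where XX/XXX is the group
    number in hexadecimal. 'standby use-bia' overrides this with the BIA."""
    if version == 1:
        if not 0 <= group <= V1_MAX_GROUP:
            raise ValueError(f"group {group} exceeds the version 1 range 0-{V1_MAX_GROUP}")
        return f"0000.0c07.ac{group:02x}"
    if version == 2:
        if not 0 <= group <= V2_MAX_GROUP:
            raise ValueError(f"group {group} exceeds the version 2 range 0-{V2_MAX_GROUP}")
        return f"0000.0c9f.f{group:03x}"
    raise ValueError("HSRP version must be 1 or 2")


def version_change_blockers(configured_groups, new_version):
    """Groups that prevent the change: any group above 255 blocks a move to
    version 1 (the 'cannot change from version 2 to version 1' rule)."""
    limit = V1_MAX_GROUP if new_version == 1 else V2_MAX_GROUP
    return sorted(g for g in configured_groups if g > limit)


def reinitialised_groups(configured_groups, old_version, new_version):
    """Map each group to its (old, new) virtual MAC. Every pair differs, which
    is why each group reinitializes after a version change."""
    return {g: (virtual_mac(old_version, g), virtual_mac(new_version, g))
            for g in configured_groups}


if __name__ == "__main__":
    groups = [1, 300]                       # constructed sample configuration
    print("blockers for v2 -> v1:", version_change_blockers(groups, 1))
    print("MACs for v1 -> v2:", reinitialised_groups([1], 1, 2))
```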
Examples
This example shows how to configure HSRP version 2:
ssl-proxy (config-subif)# standby version 2
ssl-proxy (config-subif)#
Appendix A
Acronyms
Table A-1 defines the acronyms that are used in this publication.
Table A-1 List of Acronyms
Acronym     Expansion
AAL         ATM adaptation layer
ACE         access control entry
ACL         access control list
ACNS        Application and Content Networking System
AFI         authority and format identifier
Agport      aggregation port
ALPS        Airline Protocol Support
AMP         Active Monitor Present
APaRT       Automated Packet Recognition and Translation
ARP         Address Resolution Protocol
ATA         Analog Telephone Adaptor
ATM         Asynchronous Transfer Mode
AV          attribute value
BDD         binary decision diagrams
BECN        backward explicit congestion notification
BGP         Border Gateway Protocol
Bidir       bidirectional PIM
BPDU        bridge protocol data unit
BRF         bridge relay function
BSC         Bisync
BSTUN       Block Serial Tunnel
BUS         broadcast and unknown server
BVI         bridge-group virtual interface
CAM         content-addressable memory
CAR         committed access rate
CBAC        context based access control
CCA         circuit card assembly
CDP         Cisco Discovery Protocol
CEF         Cisco Express Forwarding
CHAP        Challenge Handshake Authentication Protocol
CIR         committed information rate
CIST        Common and Internal Spanning Tree
CLI         command-line interface
CLNS        Connection-Less Network Service
CMNS        Connection-Mode Network Service
CNS         Cisco Networking Services
COPS        Common Open Policy Server
COPS-DS     Common Open Policy Server Differentiated Services
CoS         class of service
CPLD        Complex Programmable Logic Device
CRC         cyclic redundancy check
CRF         concentrator relay function
CSM         Content Switching Module
CST         Common Spanning Tree
CUDD        University of Colorado Decision Diagram
DCC         Data Country Code
dCEF        distributed Cisco Express Forwarding
DDR         dial-on-demand routing
DE          discard eligibility
DEC         Digital Equipment Corporation
DF          designated forwarder
DFC         Distributed Forwarding Card
DFI         Domain-Specific Part Format Identifier
DFP         Dynamic Feedback Protocol
DISL        Dynamic Inter-Switch Link
DLC         Data Link Control
DLSw        Data Link Switching
DMP         data movement processor
DNS         Domain Name System
DoD         Department of Defense
DoS         denial of service
dot1q       802.1Q
dot1x       802.1x
DRAM        dynamic RAM
DRiP        Dual Ring Protocol
DSAP        destination service access point
DSCP        differentiated services code point
DSPU        downstream SNA Physical Units
DTP         Dynamic Trunking Protocol
DTR         data terminal ready
DXI         data exchange interface
EAP         Extensible Authentication Protocol
EARL        Enhanced Address Recognition Logic
EEPROM      electrically erasable programmable read-only memory
EHSA        enhanced high system availability
EIA         Electronic Industries Association
ELAN        Emulated Local Area Network
EOBC        Ethernet out-of-band channel
EOF         end of file
EoMPLS      Ethernet over Multiprotocol Label Switching
ESI         end-system identifier
FAT         File Allocation Table
FIB         Forwarding Information Base
FIE         Feature Interaction Engine
FECN        forward explicit congestion notification
FM          feature manager
FRU         field replaceable unit
fsck        file system consistency check
FSM         feasible successor metrics
FSU         fast software upgrade
FWSM        Firewall Services Module
GARP        General Attribute Registration Protocol
GBIC        Gigabit Interface Converter
GMRP        GARP Multicast Registration Protocol
GVRP        GARP VLAN Registration Protocol
HSRP        Hot Standby Routing Protocol
ICC         Inter-card Communication or interface controller card
ICD         International Code Designator
ICMP        Internet Control Message Protocol
IDB         interface descriptor block
IDP         initial domain part or Internet Datagram Protocol
IDSM        Intrusion Detection System Module
IFS         IOS File System
IGMP        Internet Group Management Protocol
IGMPv2      IGMP version 2
IGMPv3      IGMP version 3
IGRP        Interior Gateway Routing Protocol
ILMI        Integrated Local Management Interface
IP          Internet Protocol
IPC         interprocessor communication
IPX         Internetwork Packet Exchange
IS-IS       Intermediate System-to-Intermediate System Intradomain Routing Protocol
ISL         Inter-Switch Link
ISL VLANs   Inter-Switch Link VLANs
ISO         International Organization of Standardization
ISR         Integrated SONET router
LACP        Link Aggregation Control Protocol
LACPDU      Link Aggregation Control Protocol data unit
LAN         local area network
LANE        LAN Emulation
LAPB        Link Access Procedure, Balanced
LCP         Link Control Protocol
LDA         Local Director Acceleration
LEC         LAN Emulation Client
LECS        LAN Emulation Configuration Server
LEM         link error monitor
LER         link error rate
LES         LAN Emulation Server
LLC         Logical Link Control
LOU         logical operation units
LTL         Local Target Logic
MAC         Media Access Control
MD5         message digest 5
MDIX        media-dependent interface crossover
MDSS        Multicast Distributed Shortcut Switching
MFD         multicast fast drop
MIB         Management Information Base
MII         media-independent interface
MLS         Multilayer Switching
MLSE        maintenance loop signaling entity
MLSM        multilayer switching for multicast
MOP         Maintenance Operation Protocol
MOTD        message-of-the-day
MPLS        Multiprotocol Label Switching
MRM         multicast routing monitor
MSDP        Multicast Source Discovery Protocol
MSFC        Multilayer Switching Feature Card
MSM         Multilayer Switch Module
MST         Multiple Spanning Tree (802.1s)
MTU         maximum transmission unit
MVAP        multiple VLAN access port
NAM         Network Analysis Module
NBP         Name Binding Protocol
NCIA        Native Client Interface Architecture
NDE         NetFlow Data Export
NDR         no drop rate
NET         network entity title
NetBIOS     Network Basic Input/Output System
NFFC        NetFlow Feature Card
NMP         Network Management Processor
NSAP        network service access point
NTP         Network Time Protocol
NVGEN       nonvolatile generation
NVRAM       nonvolatile RAM
OAM         Operation, Administration, and Maintenance
ODM         order dependent merge
OIF         Outgoing interface of a multicast {*,G} or {source, group} flow
OSI         Open System Interconnection
OSM         Optical Services Module
OSPF        open shortest path first
PAE         port access entity
PAgP        Port Aggregation Protocol
PBD         packet buffer daughterboard
PBR         policy-based routing
PC          Personal Computer (formerly PCMCIA)
PCM         pulse code modulation
PCR         peak cell rate
PDP         policy decision point
PDU         protocol data unit
PEP         policy enforcement point
PFC         Policy Feature Card
PGM         Pragmatic General Multicast
PHY         physical sublayer
PIB         policy information base
PIM         protocol independent multicast
PPP         Point-to-Point Protocol
ppsec       packets per second
PRID        Policy Rule Identifiers
PVLANs      private VLANs
PVST+       Per-VLAN Spanning Tree+
QDM         QoS device manager
QM          QoS manager
QM-SP       SP QoS manager
QoS         quality of service
Q-in-Q      802.1Q in 802.1Q
RACL        router interface access control list
RADIUS      Remote Access Dial-In User Service
RAM         random-access memory
RCP         Remote Copy Protocol
RF          Redundancy Facility
RGMP        Router-Ports Group Management Protocol
RIB         routing information base
RIF         Routing Information Field
RMON        remote network monitor
ROM         read-only memory
ROMMON      ROM monitor
RP          route processor or rendezvous point
RPC         remote procedure call
RPF         reverse path forwarding
RPR         Route Processor Redundancy
RPR+        Route Processor Redundancy+
RSPAN       remote SPAN
RST         reset
RSTP        Rapid Spanning Tree Protocol
RSTP+       Rapid Spanning Tree Protocol plus
RSVP        ReSerVation Protocol
SAID        Security Association Identifier
SAP         service access point
SCM         service connection manager
SCP         Switch-Module Configuration Protocol
SDLC        Synchronous Data Link Control
SFP         small form factor pluggable
SGBP        Stack Group Bidding Protocol
SIMM        single in-line memory module
SLB         server load balancing
SLCP        Supervisor Line-Card Processor
SLIP        Serial Line Internet Protocol
SMDS        Software Management and Delivery Systems
SMF         software MAC filter
SMP         Standby Monitor Present
SMRP        Simple Multicast Routing Protocol
SMT         Station Management
SNAP        Subnetwork Access Protocol
SNMP        Simple Network Management Protocol
SPAN        Switched Port Analyzer
SREC        S-Record format, Motorola defined format for ROM contents
SSL         Secure Sockets Layer
SSM         Source Specific Multicast
SSTP        Cisco Shared Spanning Tree
STP         Spanning Tree Protocol
SVC         switched virtual circuit
SVI         switched virtual interface
TACACS+     Terminal Access Controller Access Control System Plus
TARP        Target Identifier Address Resolution Protocol
TCAM        Ternary Content Addressable Memory
TCL         table contention level
TCP/IP      Transmission Control Protocol/Internet Protocol
TFTP        Trivial File Transfer Protocol
TIA         Telecommunications Industry Association
TopN        Utility that allows the user to analyze port traffic by reports
ToS         type of service
TLV         type-length-value
TTL         Time To Live
TVX         valid transmission
UDLD        UniDirectional Link Detection Protocol
UDP         User Datagram Protocol
UNI         User-Network Interface
UTC         Coordinated Universal Time
VACL        VLAN access control list
VCC         virtual channel circuit
VCI         virtual circuit identifier
VCR         Virtual Configuration Register
VINES       Virtual Network System
VLAN        virtual LAN
VMPS        VLAN Membership Policy Server
VMR         value mask result
VPN         virtual private network
VRF         VPN routing and forwarding
VTP         VLAN Trunking Protocol
VVID        voice VLAN ID
WAN         wide area network
WCCP        Web Cache Coprocessor Protocol
WFQ         weighted fair queueing
WRED        weighted random early detection
WRR         weighted round-robin
XNS         Xerox Network System
Appendix B
Acknowledgments for Open-Source Software
The pipe command in the Cisco IOS software on the Catalyst 6500 series switches uses Henry
Spencer’s regular expression library (regex).
Henry Spencer’s regular expression library (regex). Copyright 1992, 1993, 1994, 1997 Henry Spencer.
All rights reserved. This software is not subject to any license of the American Telephone and Telegraph
Company or of the Regents of the University of California.
Permission is granted to anyone to use this software for any purpose on any computer system, and to
alter it and redistribute it, subject to the following restrictions:
1. The author is not responsible for the consequences of use of this software, no matter how awful, even
if they arise from flaws in it.
2. The origin of this software must not be misrepresented, either by explicit claim or by omission.
Since few users ever read sources, credits must appear in the documentation.
3. Altered versions must be plainly marked as such, and must not be misrepresented as being the
original software. Since few users ever read sources, credits must appear in the documentation.
4. This notice may not be removed or altered.
Catalyst 6500 Series Switch SSL Services Module Command Reference
OL-9105-01
B-1
Appendix B
Acronyms
Catalyst 6500 Series Switch SSL Services Module Command Reference
B-2
OL-9105-01
I N D EX
binary decision diagrams
Symbols
See BDD
# character (privileged EXEC mode prompt)
$ character
1-8, 1-10
* (asterisk)
1-7
+ (plus sign)
. (period)
Border Gateway Protocol
See BGP
bridge protocol data unit
1-7
See BPDU
1-7
? command
^ (caret)
1-5
1-1
C
1-8, 1-10
_ (underscore)
1-8, 1-10
CAs
| (pipe or vertical bar)
exporting
specifying alternative patterns
1-10
PEM
2-7
importing
PEM
Numerics
2-7
certificate authority pool
802.3ad
entering
See LACP
configuration submode
2-51
certificate authority pool configuration submode
entering
A
Cisco Express Forwarding
See CEF
abbreviating commands
context-sensitive help
1-1
See ACLs
acronyms, list of
CLI
string search
access control lists
alternation
A-1
Address Resolution Protocol
anchoring
vii
1-10
1-10
expressions
filtering
See ARP
audience
2-51
1-7
1-7
multiple-character patterns
multipliers
1-9
parentheses for recall
B
searching outputs
bidirectional PIM
See BIDIR
1-11
1-7
single-character patterns
using
1-9
1-7
1-7
Catalyst 6500 Series Switch SSL Services Module Command Reference
OL-9105-01
IN-1
Index
command-line interface
multiple-character patterns
multiplying pattern occurrence
See CLI
single-character patterns
command modes
accessing
exiting
1-9
1-7
specifying alternative patterns
1-5
1-11
1-10
1-5
understanding
1-5
F
commands
mode types
1-5
fast software upgrade
committed information rate
See FSU
See CIR
feature interaction engine
Content Switching Module
See FIE
See CSM
field-replaceable unit
See FRU
file system consistency check
D
See fsck utility
default form of a command, using
Firewall Services Module
1-6
designated forwarder
See FWSM
See DF
fm
Distributed Forwarding Card
See feature manager
See DFC
documentation
conventions
viii
organization
vii
G
global configuration mode, summary
1-5
dot1q
See also 802.1Q tunneling
H
dot1x
See 802.1x
Hot Standby Router Protocol
See HSRP
HSRP
E
configuring
Enhanced Address Recognition Logic
initialization delay period
See EARL
MAC address
Ethernet over Multiprotocol Label Switching
priority
EXEC-level commands
issuing in other modes
2-101
preemption delay
See EoMPLS
2-105
2-107
virtual MAC address
2-26
2-97
2-101
disabling
expressions
filtering of ICMP redirect messages
matching multiple expression occurrences
1-9
2-109
HSRP
Catalyst 6500 Series Switch SSL Services Module Command Reference
IN-2
OL-9105-01
Index
configuring
secondary interface
initialization delay period
enabling
intermediate system-to-intermediate system
2-99
2-97
See IS-IS
Internet Group Management Protocol
2-99
See IGMP
filtering of ICMP redirect messages
2-109
Internetwork Packet Exchange
ICMP redirect messages
disabling
2-109
enabling
2-109
See IPX
interprocessor communication
See IPC
MAC address
configuring
Inter-Switch Link VLANs
2-101
See ISL VLANs
preemption delay
configuring
2-105
restoring default
L
2-105
priority
Link Aggregation Control Protocol
configuring
2-107
See LACP
restoring
preemption delay default
2-105
M
virtual MAC address
configuring
2-101
maintenance loop signaling entity
HSRP (Hot Standby Router Protocol)
burned-in address
MAC refresh interval
2-103
password, configuring
2-96
timers, setting
See MLSE
2-115
MDSS
Multicast Distributed Shortcut Switching
Media Access Control
2-111
See MAC address table
HTTP header
message digest 5
configuring
policy
See MD5
2-34
message-of-the-day
displaying
policy information
See MOTD
2-72
MLSM
entering
insertion configuration submode
multilayer switching for multicast
2-34
modes
See command modes
more commands
I
filter
inter-card communication
See ICC
1-7
--More-- prompt
interface configuration mode
summary
search
1-7
1-6
table defining modes
filter
search
1-7
1-7
1-7
1-6
Multilayer Switch Feature Card
See PEM
See MSFC
private VLANs
Multilayer Switching
See PVLANs
See MLS
privileged EXEC mode, summary
multiple-character patterns
1-5
prompts
1-9
Multiple Spanning Tree
system
1-5
Protocol Independent Multicast
See MST
See PIM
Multiprotocol Label Switching
proxy policy
See MPLS
displaying
configured HTTP header information
N
NetFlow Data Export
configured SSL information
2-72
configured TCP information
2-72
configured URL rewrite information
See NDE
2-72
2-72
network entity title
See NET
no form of a command, using
Q
1-6
Q-in-Q
802.1Q in 802.1Q
O
See 802.1Q tunneling
QoS Device Manager
order-dependent merge algorithm
See QDM
See ODD
question command
1-1
P
R
paging prompt
Rapid Spanning Tree Protocol
See --More-- prompt
See RSTP
per-VLAN spanning tree
Rapid Spanning Tree Protocol+
See PVST+
See RSTP+
pipe symbol
specifying alternative patterns
1-10
See RPC
2-91
disabling
2-91
remote SPAN
enabling
2-91
See RSPAN
policy-service configuration submode
entering
Reverse Path Forwarding
See RPF
2-52
privacy-enhanced mail
vii
remote procedure call
PKI event history
clearing the memory
related documentation
RFC 2281, Cisco Hot Standby Router Protocol (HSRP) 2-101
ROM monitor mode,
summary
1-6
Route Processor Redundancy
standby mac-address command
2-101
standby mac-refresh command
2-103
standby timers command
2-111
standby track command
See RPR
2-113
standby use-bia command
Route Processor Redundancy+
2-115
subinterface configuration mode, summary
See RPR+
1-6
Switch-Module Configuration Protocol
See SCP
S
system prompts
1-5
Secure Sockets Layer
See SSL
T
server load balancing
See SLB
Tab key
show commands
filter
command completion
table contention level
1-7
search
See TCL
1-7
single-character patterns
special characters, table
tables
characters with special meaning
1-7
source specific multicast
multipliers, table
1-9
used for anchoring
special characters
anchoring, table
1-7
special characters
See SSM
1-10
TCP
1-10
displaying
SP QoS manager
policy information
See QM-SP
2-72
TCP configuration
SSL policy
defining policy
defining
HTTP header insertion content policy
SSL policy
1-1
2-34
2-45
Ternary Content Addressable Memory
2-39
TCP policy templates
entering submode
2-45
See TCAM
2-45
defining URL rewrite policy
2-49
entering
HTTP header configuration submode
2-34
U
SSL configuration submode
2-39
URL rewrite
TCP configuration submode
2-45
defining
SSL proxy
content policy
enabling
displaying
certificate expiring notification traps
2-86
enabling operation status notification traps
standby authentication command
2-49
policy information
2-86
2-72
entering
2-96
configuration submode
2-49
user EXEC mode, summary
1-5
V
value mask result
See VMR
virtual MAC address
2-101
VLAN access control lists
See VACL
VMR
acronym for value mask result
W
Web Cache Coprocessor Protocol
See WCCP
weighted random early detection
See WRED
weighted round robin
See WRR