Cisco GSS-4492R-K9 Скачать руководство пользователя страница 155

Страница: 155 / 230

5-11

Cisco Global Site Selector Administration Guide

OL-10410-01

Chapter 5 Configuring Access Lists and Filtering GSS Traffic

Filtering GSS Traffic Using Access Lists

access-list alist1 permit udp any eq 1304 destination-port eq 1304

access-list alist1 permit udp any destination-port eq 2000

access-list alist1 permit tcp any destination-port range 2001 2005

access-list alist1 permit tcp any range 2001 2005

access-list alist1 permit tcp any destination-port range 3002 3008

access-list alist1 permit tcp any range 3002 3008

access-list alist1 permit udp any destination-port eq 5002

access-list alist1 permit udp any eq 1974 destination-port eq 1974

access-list alist1 permit tcp any destination-port eq 5001

access-list alist1 permit tcp any eq 5001

access-list alist1 permit icmp any

Kernel output

access-list alist1 on interface eth0 (1 references)

target prot opt source destination

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:20:23

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:20

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:23

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:49

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:123 dpt:123

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:161

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:1304 dpt:1304

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2000

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:2001:2005

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:2001:2005

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:3002:3008

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:3002:3008

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5002

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:1974 dpt:1974

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5001

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:5001

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

DROP all -- 0.0.0.0/0 0.0.0.0/0

Use the

show access-group

command to display a list of the access lists

associated with GSS interfaces Ethernet 0 and Ethernet 1.

gss1.example.com(config)#

show access-group

access group alist1 interface eth0

Содержание GSS-4492R-K9

Страница 1: ...ms Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco Global Site Selector Administration Guide Software Version 2 0 March 2007 Text Part Number OL 10410 01 ...

Страница 2: ...N IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional and coincidental Cisco Global Site S...

Страница 3: ...he GSS and Accessing the CNR GUI 1 4 Activating and Modifying GSS Devices 1 6 Activating GSS Devices from the Primary GSSM 1 6 Modifying GSS Device Name and Location 1 9 Deleting GSS Devices 1 10 Logically Removing a GSS or Standby GSSM from the Network 1 11 Configuring the Primary GSSM GUI 1 13 Printing and Exporting GSSM Data 1 14 Viewing Third Party Software Versions 1 15 C H A P T E R 2 Managi...

Страница 4: ... File 2 18 Displaying Files in a Directory 2 20 Renaming GSS Files 2 21 Securely Copying Files 2 22 Deleting Files 2 23 Displaying Users 2 23 Specifying the GSS Inactivity Timeout 2 24 Configuring the Terminal Screen Line Length 2 24 Modifying the Attributes of the Security Certificate on the GSSM 2 25 Stopping the GSS Software 2 27 Shutting Down the GSS Software 2 27 Restarting the GSS Software 2...

Страница 5: ...tion 2 48 Displaying GSS Processes 2 49 Displaying System Uptime 2 50 Displaying Disk Information 2 50 Displaying UDI Data 2 50 Displaying System Status 2 51 Displaying GSS Services 2 52 C H A P T E R 3 Creating and Managing User Accounts 3 1 Creating and Managing GSS CLI User Accounts 3 1 Creating a GSS User Account 3 2 Modifying a GSS User Account 3 3 Deleting a GSS User Account 3 3 Creating and...

Страница 6: ...guring Authentication Settings on the TACACS Server 4 5 Configuring Authorization Settings on the TACACS Server 4 7 Configuring Primary GSSM GUI Privilege Level Authorization from the TACACS Server 4 12 Enabling Custom User GUI Views When Authenticating a User from the TACACS Server 4 16 Configuring Accounting Settings on the TACACS Server 4 17 Identifying the TACACS Server Host on the GSS 4 19 Di...

Страница 7: ...rnet Interface 5 9 Displaying Access Lists 5 10 Deploying GSS Devices Behind Firewalls 5 12 GSS Firewall Deployment Overview 5 12 Configuring GSS Devices Behind a Firewall 5 16 C H A P T E R 6 Configuring SNMP 6 1 Overview 6 1 Configuring SNMP on the GSS 6 2 Configuring SNMP Servers 6 4 Configuring SNMP Server Notifications 6 5 Configuring SNMP Server Trap Limits 6 6 Specifying Recipients for SNMP...

Страница 8: ...oring the Database Status 8 5 Validating Database Records 8 6 Creating a Database Validation Report 8 6 Viewing the GSS Operating Configuration for Technical Support 8 8 C H A P T E R 9 Viewing Log Files 9 1 Understanding GSS Logging Levels 9 1 Configuring System Logging for a GSS 9 4 Specifying a Log File on the GSS Disk 9 5 Specifying a Host for a Log File Destination 9 6 Specifying a Syslog Fac...

Страница 9: ...5 Common System Log Messages 9 16 Viewing GSS System Logs Using CiscoWorks RME Syslog Analyzer 9 18 A P P E N D I X A Upgrading the GSS Software A 1 Verifying the GSSM Role in the GSS Network A 2 Backing up and Archiving the Primary GSSM A 3 Obtaining the Software Upgrade A 3 Upgrading Your GSS Devices A 5 I N D E X ...

Страница 10: ...Contents x Cisco Global Site Selector Administration Guide OL 10410 01 ...

Страница 11: ...is preface contains the following major sections Audience How to Use This Guide Related Documentation Symbols and Conventions Obtaining Documentation Obtaining Support and Security Guidelines Audience To use this guide you should be familiar with the Cisco Global Site Selector hardware which is discussed in the Global Site Selector Hardware Installation Guide In addition you should be familiar wit...

Страница 12: ...nts and primary GSSM GUI login accounts This chapter also describes how to specify user privileges and assign custom user views for accessing the primary GSSM GUI Chapter 4 Managing GSS User Accounts Through a TACACS Server Describes how to configure the GSS as a client of a TACACS server for authentication authorization and accounting Chapter 5 Configuring Access Lists and Filtering GSS Traffic D...

Страница 13: ...upgrade your GSS software Chapter Title Description Document Title Description Global Site Selector Hardware Installation Guide Information on installing your GSS device and getting it ready for operation It describes how to prepare your site for installation how to install the GSS device in an equipment rack and how to maintain and troubleshoot the GSS hardware Regulatory Compliance and Safety In...

Страница 14: ...s performed by the GSS Cisco Global Site Selector CLI Based Global Server Load Balancing Configuration Guide Procedures on how to configure your primary GSSM from the CLI to perform global server load balancing such as configuring source address lists domain lists answers answer groups DNS sticky network proximity and DNS rules This document also provides an overview of the GSS device and global s...

Страница 15: ...uide Information about how to use the CNR command line program nrcmd Document Title Description boldface font Commands and keywords are in boldface italic font Variables for which you supply values are in italics Elements in square brackets are optional x y z Alternative keywords are grouped in braces and separated by vertical bars x y z Optional alternative keywords are grouped in brackets and se...

Страница 16: ...t line of text in an example The symbol represents the key labeled Control For example the key combination D in a screen display means hold down the Control key while you press the D key Nonprinting characters such as passwords are in angle brackets Default responses to system prompts are in square brackets An exclamation point or a pound sign at the beginning of a line of code indicates a comment...

Страница 17: ...uidelines For information on obtaining documentation obtaining support providing documentation feedback security guidelines and also recommended aliases and general Cisco documents see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html ...

Страница 18: ...Preface xviii Cisco Global Site Selector CLI Based Global Server Load Balancing Configuration Guide OL 10413 01 ...

Страница 19: ...t includes the procedures for activating and configuring GSS devices and for changing the primary and standby GSSM roles in the GSS network This chapter contains the following major sections Logging Into the Primary GSSM Graphical User Interface Logging Into the GSS and Accessing the CNR GUI Activating and Modifying GSS Devices Logically Removing a GSS or Standby GSSM from the Network Configuring ...

Страница 20: ...or Netscape Navigator 2 Enter the secure HTTP address of your GSSM in the address field For example if your primary GSSM is named gssm1 example com enter the following to display the primary GSSM login dialog box and to access the GUI https gssm1 example com Note If you cannot locate the primary GSSM DNS name be aware that the GSS network uses secure connections and that the address of the GSSM in...

Страница 21: ...o Step 5 5 At the primary GSSM login window enter your username and password in the fields provided and then click Login see Figure 1 1 If this is your first time logging n to the GSSM use the default account name admin and password default to access the GUI The Primary GSSM Welcome page see Figure 1 2 appears See the Cisco Global Site Selector GUI based Global Server Load Balancing Configuration ...

Страница 22: ...imary GSSM GUI session 7 Click OK to confirm the logout or Cancel When you click OK the primary GSSM logs you out of the session and redisplays the Primary GSSM GUI Login window see Figure 1 1 Logging Into the GSS and Accessing the CNR GUI You can extend the capabilities of GSS by using the Cisco Network Registrar CNR CNR is purchased as a separate license add on and involves upgrading the existin...

Страница 23: ...rowser application such as Internet Explorer or Netscape Navigator 2 Enter the secure HTTP address of your GSS in the address field as follows http gss machine 8080 where gss machine is a resolvable name such as gss example cisco com or the IP address of that machine For instance each of the following can serve as valid addresses http gss example cisco com 8080 or http 16 1 1 114 8080 The Network ...

Страница 24: ...ing standby GSSM or GSS device from your network This section contains the following procedures Activating GSS Devices from the Primary GSSM Modifying GSS Device Name and Location Deleting GSS Devices Activating GSS Devices from the Primary GSSM After you configure your GSS devices from the CLI to function as a standby GSSM or as a GSS activate those devices from the primary GSSM GUI so they can r...

Страница 25: ... 01 Chapter 1 Managing GSS Devices from the GUI Activating and Modifying GSS Devices Figure 1 4 Global Site Selectors List Page Inactive Status 3 Click the Modify GSS icon for the first GSS device to activate The Modifying GSS details page appears see Figure 1 5 ...

Страница 26: ...bal Site Selectors list page see Figure 1 6 The status of the active GSS device is Online If the device is functioning properly and network connectivity is good between the device and the primary GSSM the status of the device changes to Online within approximately 30 seconds Note The device status remains Inactive if the device is not functioning properly or if there are problems with network conn...

Страница 27: ...vices using the primary GSSM GUI To modify other network information such as the hostname IP address or role you must access the CLI on that GSS device see the Cisco Global Site Selector Getting Started Guide To modify the name and location of a GSS device from the primary GSSM GUI perform the following steps 1 Click the Resources tab 2 Click the Global Site Selectors navigation link The Global Si...

Страница 28: ...lows you to remove the nonfunctioning device from your network or reconfigure and then reactivate a GSS device With the exception of the primary GSSM you can delete GSS devices from your network through the primary GSSM GUI To delete a GSS device from the primary GSSM GUI perform the following steps 1 Click the Resources tab 2 Click the Global Site Selectors navigation link The Global Site Selecto...

Страница 29: ...intenance or repair temporarily switch the roles of the primary and standby GSSMs as outlined in the Changing the GSSM Role in the GSS Network section of Chapter 2 Managing the GSS from the CLI The first four steps in this procedure assume that the GSS or standby GSSM is operational If that is not the case proceed directly to Step 5 To logically remove a GSS or standby GSSM from the network perfor...

Страница 30: ...ck the Modify GSS icon located to the left of the GSS device that you want to delete The Modifying GSS details page appears 8 Click the Delete icon in the upper right corner of the page The GSS software prompts you to confirm your decision to delete the GSS device 9 Click OK to confirm your decision and return to the Global Site Selectors list page The deleted device is no longer on the list For d...

Страница 31: ...vity timeout interval GSS device reporting interval and GUI screen refresh interval To modify GUI configuration settings from the primary GSSM GUI perform the following steps 1 Click the Tools tab 2 Click the GUI Configuration navigation link The GUI Configuration details page appears see Figure 1 7 Figure 1 7 GUI Configuration Details Page 3 Adjust one or more of the GUI configuration parameters ...

Страница 32: ...f 0 4 Click Submit to update the primary GSSM The Transaction Complete icon appears in the lower left corner of the configuration area to indicate the successful updating of the GUI session settings Printing and Exporting GSSM Data You can send any data that appears on the primary GSSM GUI to a local or network printer configured on your workstation You may also export that data to a flat file for...

Страница 33: ...tes a number of third party software products For that reason the primary GSSM GUI allows you to easily track information for all of the third party software that the GSS uses To view information on the third party software currently running on your GSS from the primary GSSM GUI perform the following steps 1 Click the Tools tab 2 Click the Third Party Software navigation link The GSSM Third Party ...

Страница 34: ...Chapter 1 Managing GSS Devices from the GUI Viewing Third Party Software Versions 1 16 Cisco Global Site Selector Administration Guide OL 10410 01 Figure 1 8 GSSM Third Party Software List Page ...

Страница 35: ...g and running config Files Managing GSS Files Displaying Users Specifying the GSS Inactivity Timeout Configuring the Terminal Screen Line Length Modifying the Attributes of the Security Certificate on the GSSM Stopping the GSS Software Shutting Down the GSS Software Restarting the GSS Software Performing a Cold Restart of a GSS Device Disabling the GSS Software Restoring GSS Factory Default Settin...

Страница 36: ...SH enter the hostname or IP address of the GSS to access the CLI Otherwise if you are using a direct serial connection between your terminal and the GSS device use a terminal emulation program to access the GSS CLI Note For details about making a direct connection to the GSS device using a dedicated terminal and about establishing a remote connection using SSH or Telnet see the Cisco Global Site S...

Страница 37: ...tures are available and configurable immediately except for the specifically licensed features If you want to enable the DDoS license package on a particular GSS you must purchase a DDoS license from Cisco Systems in order to receive a Product Access Key PAK number Ensure that each GSS in your GSS network possesses a unique license file to avoid any potential problems Do not install the same licen...

Страница 38: ...k licenses as well as a way for you to recover lost licenses Enables internal support organizations to obtain information about customer licenses To obtain a license file perform the following steps 1 Connect to the Cisco SWIFT web site at the following URLs Use the following website if you are a registered user of Cisco Connection Online https tools cisco com SWIFT Licensing PrivateRegistrationSe...

Страница 39: ...assword Password 230 Login successful ftp bin 200 Switching to Binary mode ftp put cnr_new lic 200 PORT command successful Consider using PASV 150 Ok to send data 226 File receive OK ftp 696 bytes sent in 0 00Seconds 696000 00Kbytes sec ftp quit 221 Goodbye 4 Install the license once you have transfered your license file by using the license command A valid license file always includes the lic ext...

Страница 40: ...cense install GSS20070920122230075 lic To verify the proper installation of the GSS and CNR license enter the show license command as follows gssm1 example com show license installed License modules are CNR 2 Install the CNR software on the GSS a Enable the GSS to serve as an FTP client gssm1 example com config t gssm1 example com config ftp client enable admin gssm1 example com config exit b From...

Страница 41: ...tall cnr_6_3 linux gtar gz cnr license xxxx xxxx xxxx xxxx Installing CNR from cli install This may take a few minutes If you provide an invalid or expired license key an error message appears and the installation halts The installation will then remove the CNR installation directory which may result in the removal of any previous versions or installations of CNR Note The CNR installation does not...

Страница 42: ...g example gssm1 example com config gssm1 example com config cnr enable Starting Network Registrar Local Server Agent If you did not properly install CNR on the GSS the cnr enable command displays a message informing you to first install the CNR license gssm1 example com config cnr enable CNR enable failed Please install CNR first 5 Verify that the CNR license installed properly gssm1 example com s...

Страница 43: ...arting and stopping the servers To access the nrcmd program perform the following steps 1 Enter the cnr command in the GSS privileged EXEC mode gssm1 example com cnr You must install and enable CNR on the GSS before you can enter the CNR nrcmd program Otherwise an error message appears 2 Enter the username and password when the prompts appear username user_name password 100 OK session cluster loca...

Страница 44: ...Chapter 2 Managing the GSS from the CLI Understanding GSS Software Licenses 2 10 Cisco Global Site Selector Administration Guide OL 10410 01 nrcmd exit gssm1 example com ...

Страница 45: ... or key import To invoke the CNR shell and execute the CNR utilities perform the following steps 1 Enter the cnr shell command in the GSS privileged EXEC mode gssm1 example com cnr shell 2 Press the Tab key in the CNR shell to display the supported utilities cnr shell cnr Tab cnr_exim cnr_tactool orig cnrdb_load cnrdb_verify cnr_exim orig cnrdb_archive cnrdb_printlog cnrservagt cnr_keygen cnrdb_ch...

Страница 46: ... File Displaying the running config File Displaying the startup config File Changing the startup config and running config Files The network configuration for a GSS device includes the following Interface Ethernet interface in use IP address Network address and subnet mask assigned to the interface GSS communications Interface Ethernet 0 or Ethernet 1 designated for handling GSS related communicat...

Страница 47: ...retains any changes to the network configuration of the device and uses those changes when the GSS is next rebooted Maintain the startup config file In this case the GSS device uses the running config file until you reboot the device The GSS then discards the running config file and restores the startup config file To change the startup config file for a GSS device perform the following steps 1 Lo...

Страница 48: ...iles perform the following steps 1 Log in to the CLI of the primary GSSM standby GSSM or a GSS device and enable privileged EXEC mode gss1 example com enable gss1 example com 2 Copy the current startup configuration to a file for use on other devices or for backup purposes by entering the following command gss1 example com copy startup config disk newstartupconfig The filename argument specifies t...

Страница 49: ... startup configuration from a file make sure that the file has been moved to a local directory on the GSS device To load the GSS device startup configuration from an external file perform the following steps 1 Log in to the CLI and enable privileged EXEC mode gssm1 example com enable gssm1 example com 2 Load the GSS device startup configuration settings from a named file located on the GSS by ente...

Страница 50: ...ning config interface ethernet 0 ip address 192 168 1 25 255 255 255 0 gss communications gss tcp keepalives hostname gssm1 example com ip default gateway 10 86 208 1 ip name server 172 16 124 122 ssh enable no ssh keys no ssh protocol version 1 telnet enable ftp enable ftp client enable all ntp enable snmp enable snmp community string set ntp server 16 1 1 11 cnr enable drp enable authentication ...

Страница 51: ...n a safe partition of the hard disk to prevent loss of data due to power failures To display the contents of the GSS startup config file enter the following command gssm1 example com show startup config GSS configuration Saved Thu Jul 10 16 20 25 UTC 2003 interface ethernet 0 ip address 192 168 1 25 255 255 255 0 gss communications gss tcp keepalives hostname gssm1 example com ip default gateway 1...

Страница 52: ...ority Warnings 4 tacacs server timeout 5 tacacs server keepalive enable Managing GSS Files This section describes how to manage the files included in a directory or subdirectory on a GSS device This section contains the following topics Displaying the Contents of a File Displaying Files in a Directory Renaming GSS Files Securely Copying Files Deleting Files Displaying the Contents of a File You ca...

Страница 53: ...owing file system log Sep 15 07 11 40 host css2 rc Stopping keytable succeeded Sep 15 07 11 42 host css2 inet inetd shutdown succeeded Sep 15 07 11 45 host css2 crond crond shutdown succeeded Sep 15 07 11 46 host css2 dd 1 0 records in Sep 15 07 11 46 host css2 dd 1 0 records out Sep 15 07 11 46 host css2 random Saving random seed succeeded Sep 15 07 11 48 host css2 kernel Kernel logging proc stop...

Страница 54: ... on the GSS including filenames and subdirectories You may optionally specify the name of the directory to list pwd Displays the current working directory of the GSS To view a detailed list of files contained within the working directory enter gssm1 example com dir or lls total 97684 rw r r 1 root root 39 Mar 8 21 04 JVM_EXIT_CODE rw r r 1 root root 9 Mar 14 21 23 RUNMODE rw r r 1 root root 33427 ...

Страница 55: ...software allows you to rename files located in the current directory or subdirectory such as backup files and log files To rename a GSS file use the rename command The syntax for this command is as follows rename source_filename new_filename The arguments are source_filename Alphanumeric name of the file that you want to rename new_filename Alphanumeric name to assign to the file Quotation marks a...

Страница 56: ...arget_host target_path Another device to the GSS device that you are currently logged in to scp user source_host source_path source_filename target_path The argument are as follows source_path Relative directory path and filename on the source device of the file being transferred source_filename Name of the file to be copied user target_host Login account name and hostname for the device to which ...

Страница 57: ...el filename The filename argument identifies the name of the file in the GSS file directory For example to delete the oldtechrept tgz file enter gssm1 example com del oldtechrept tgz Displaying Users You can display the username and permission status for a specific user or for all users of the GSS device as follows Use the show user username command to display user information for a particular use...

Страница 58: ...xec timeout command is as follows exec timeout minutes The minutes argument specifies the length of time that a user in privileged EXEC mode can be idle before the GSS terminates the session Valid entries are 1 to 44 640 minutes The default is 150 minutes For example to specify a GSS timeout period of 10 minutes enter gssm1 example com config exec timeout 10 To restore the default timeout value of...

Страница 59: ... Into the Primary GSSM Graphical User Interface section in Chapter 1 Managing GSS Devices from the GUI By using the certificate set attributes CLI command you can modify the X 509 fields extensions and properties included on the security certificate The attribute changes that you make affect the fields on the Details tab of the certificate To return the attributes for the security certificate to t...

Страница 60: ...n the device gssm1 example com config gssm1 example com config 4 Enter the certificate set attributes command and modify information at the prompts All fields displayed for each software prompt have a maximum character limit of 64 except for Country Code which has a maximum character limit of 2 gssm1 example com config certificate set attributes Country code 2 chars US State California MA City San...

Страница 61: ... For example enter gssm1 example com gss stop The following message appears when you stop the GSS software from the CLI Server is Shutting Down Use the gss start command to restart the GSS software on the selected device after it has been stopped For example enter gssm1 example com gss start Shutting Down the GSS Software If you intend to power down a GSS device we recommend that you use the shutd...

Страница 62: ...f a GSS Device You can halt GSS operation and perform a cold restart of your GSS device by using the reload command The reload command reboots the GSS device and performs a full power cycle of both the GSS hardware and software Any open connections with the GSS are dropped after you enter the reload command Before you perform a cold restart of the GSS save your recent GSS configuration changes to ...

Страница 63: ...your GSS hardware to the same state it was in when it first arrived from the factory If your GSS device is improperly configured use the restore factory defaults command to restore the device to its initial state and allow you to properly configure the GSS device for use on your network Before you enter the restore factory defaults command ensure that you back up any vital data in the database com...

Страница 64: ...low Chart for Replacing a Malfunctioning GSS Device This section contains the following topics 126920 Convert to interim primary GSSM Refer to Converting the Standby GSSM to a Primary GSSM GSS device fails Is there a standby GSSM Which GSS device failed Can you wait for a replacement Replacement GSS arrives Refer to Replacing the Standby GSSM in the Network Wait for the replacement GSS then refer ...

Страница 65: ...eplacing the Primary GSSM with an Available GSS section Converting the Standby GSSM to a Primary GSSM Note Ensure that the designated primary GSSM is either offline or configured as a standby GSSM before you attempt to enable the standby GSSM as the new interim primary GSSM Having two primary GSSM devices active at the same time may result in the inadvertent loss of configuration changes for your ...

Страница 66: ...ecords of the interim primary GSSM by entering the following command gssm2 example com gssm database validate 5 Exit privileged EXEC mode The standby GSSM begins to function in its new role as the interim primary GSSM and is now fully functional You may now access the GUI 6 When the replacement for the original primary GSSM is available place the current interim primary GSSM in standby mode by ent...

Страница 67: ...e if you have a full backup of the interim primary GSSM database that you can restore on the new primary GSSM as follows If yes restore the interim primary GSSM database See the Restoring a Primary GSSM Backup section in Chapter 7 Backing Up Restoring and Downgrading the GSSM Database You can now use the replacement primary GSSM in your GSS network If no determine if you have a backup of the origi...

Страница 68: ... all previously configured DNS rules and keepalives gssm2 example com gss disable d At the CLI of the standby GSSM enter the gss enable gssm standby command to configure the GSS device as the standby GSSM in the GSS network and direct it to the primary GSSM See the Replacing the Standby GSSM in the Network section for details about the gss enable gssm standby command gssm2 example com gss enable g...

Страница 69: ...t network and configuration settings see the Performing a Full Primary GSSM Backup section in Chapter 7 Backing Up Restoring and Downgrading the GSSM Database 3 Log in to the CLI of the GSS and enable privileged EXEC mode gss3 example com enable gss3 example com 4 Stop the GSS software running on the GSS by entering the following command gss3 example com gss stop 5 Remove the existing configuratio...

Страница 70: ...Global Server Load Balancing Configuration Guide GUI based or CLI based version b Send DNS queries to the new primary GSSM and ensure that it replies properly to the queries If the new primary GSSM replies properly proceed to Step 10c If it fails to reply properly verify the network connectivity settings and resend DNS queries to the device c At the CLI of the standby GSSM and of each GSS device i...

Страница 71: ... section in Chapter 1 Managing GSS Devices from the GUI You can now use the replacement primary GSSM in your GSS network Replacing the Standby GSSM in the Network To replace a malfunctioning standby GSSM in your GSS network perform the following steps 1 Determine if you can wait for the replacement standby GSSM or if you require an immediate configuration change in your GSS network as follows If y...

Страница 72: ...e the same hostname and IP address of the failed standby GSSM determine if you have a backup of the startup configuration file for that device as follows If yes reload the backup copy of the GSS device startup configuration settings see the Saving the startup config and running config Files section If no reenter the platform configuration following the procedures outlined in the Cisco Global Site ...

Страница 73: ...y for the replacement GSS device following the procedures outlined in the Cisco Global Site Selector Getting Started Guide Chapter 3 Setting Up Your GSS 2 If you want to use the same hostname and IP address of the failed GSS determine if you have a backup of the startup configuration file for that device as follows If yes reload the backup copy of the GSS device startup configuration settings see ...

Страница 74: ...vices from the Primary GSSM section in Chapter 1 Managing GSS Devices from the GUI You can now use the replacement GSS in your GSS network Changing the GSSM Role in the GSS Network The GSS software supports two GSSM devices in a single GSS network with one GSSM acting as the primary GSSM and the second GSSM acting as a standby device The standby GSSM can temporarily take over the role of the prima...

Страница 75: ...n the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online Use the interim primary GSSM to monitor GSS network behavior and if necessary to make configuration changes This section contains the following topics Switching the Roles of the Primary and Standby GSSM Devices Reversing the Roles of the Interim ...

Страница 76: ...r your GSS network Use the gssm standby to primary command to reconfigure your standby GSSM as the primary GSSM in your GSS network gssm2 example com gssm standby to primary Note After entering the gssm primary to standby command you should ensure that at least 1 minute passes before you enter the gssm standby to primary command in order to allow time for proper GSS device synchronization Configur...

Страница 77: ...EC mode gssm2 example com enable gssm2 example com 2 If the GUI configuration has changed perform a full backup of the interim primary GSSM to preserve the current network and configuration settings see the Performing a Full Primary GSSM Backup section in Chapter 7 Backing Up Restoring and Downgrading the GSSM Database 3 Place the current interim primary GSSM in standby mode to resume its role in ...

Страница 78: ...tion changes do not take effect immediately It may take up to 10 minutes before the other GSS devices in the network learn about the new primary GSSM You can now use the primary GSSM as in the original GSS network deployment Displaying GSS System Configuration Information The GSS CLI provides a comprehensive set of show commands that display GSS configuration information The show commands are avai...

Страница 79: ...4492 K9 Copyright c 1999 2007 by Cisco Systems Inc Version 2 0 1 0 0 Uptime 4 Hours 0 Minutes and 19 seconds To display detailed GSS software version information enter gssm1 example com show version verbose Global Site Selector GSS Model Number GSS 4490 K9 Copyright c 1999 2003 by Cisco Systems Inc Version 1 3 1 Uptime 23 Hours 57 Minutes and 53 seconds Full Version 1 3 1 0 0 Compiled on Wed Feb 1...

Страница 80: ...to 03d4 03d5 cga 03f8 03ff serial auto 6c00 6c7f ncr53c8xx 7000 701f Intel Speedo3 Ethernet 7400 741f Intel Speedo3 Ethernet fc00 fc07 ide0 fc08 fc0f ide1 gssm1 example com scsi0 Channel 00 Id 00 Lun 00 Vendor IBM Model IC35L018UCD210 0 Rev S5BS Type Direct Access ANSI SCSI revision 03 Displaying License Information You can display information about installed GSS licenses by using the show license...

Страница 81: ...m the primary GSS enter gssm1 example com show license gss all Own Primary GSS info Pak number is 1XIOS2C81AB DDoS Installed Active CNR Installed Active Other GSS info Address 2 7 0 2 Pak number are 1XIOS2C87AB DDoS Installed Active CNR Installed Active Address 2 3 0 2 Pak number is 1XIOS2C83AB DDoS Installed Active CNR Installed Active Displaying Memory Information You can display information abo...

Страница 82: ...Currently used RAM free Currently available RAM shared Memory shared between processes always 0 zero buffers Memory allocated as the internal kernel buffer space cached Memory allocated for the internal caching of file system data This memory is reclaimed as needed Swap total Total megabytes of swap space on the GSS used Currently used swap space free Currently available swap space Table 2 1 Field...

Страница 83: ...ersion associated with the Label Root Partition Device used for the Linux root partition the core of the Linux file system Linux Kernel Version of the Linux kernel used by the GSS software image Default Boot Image Listed software version of the default boot image for the GSS device Table 2 2 Field Descriptions for show boot config Command Field Description Table 2 3 Field Descriptions for show pro...

Страница 84: ...disk the size of the database and the free space available on the disk gssm1 example com show disk Table 2 4 describes the fields in the show disk output Displaying UDI Data You can display GSS Unique Device Identifier UDI data by using the show inventory command gssm1 example com show inventory NAME Chassis DESCR Global Site Selector 4492 PID GSS 4491 K9 VID V01 SN QTFNZD606000011 Table 2 4 Field...

Страница 85: ...he device and a device description are also included in the output of the show inventory command Displaying System Status You can display a report on the current operating status of your GSS device including the online status current software version and start date or time for the various components by using the show system status command Note The equivalent command to show GSS system status is gs...

Страница 86: ...inistration Guide OL 10410 01 Displaying GSS Services You can display the current state of the GSS services such as FTP NTP SSH TACACS Telnet and SNMP by using the show services command gssm1 example com config show services START SERVICE Jul23 Ftp Jul23 Ntp 11 08 Snmp 14 47 Ssh Jul23 Syslog Jul23 Tacacs Stats Jul23 Telnet ...

Страница 87: ...he Administrator Account Passwords Creating and Managing GSS CLI User Accounts From the CLI of a GSS device you can create user accounts that enable user access to a GSS device including the primary GSSM and standby GSSM You must individually manage user access to the CLI of each GSS device in the network Only users with the administrator privilege can create modify or remove a GSS user account fr...

Страница 88: ... global configuration mode on the GSS gss1 example com config gss1 example com config 3 Create and configure your new login account by entering the username command The syntax for this command is as follows username name delete password password privilege user admin The arguments and keywords are as follows name Specifies the username that you want to assign or change Enter an unquoted alphanumeri...

Страница 89: ... followed to create the account see the Creating a GSS User Account section Use the username command to enter the full username password and privilege level substituting the new values for the configuration settings that you want to change For example enter gss1 example com config username user_1 password newpwd privilege user User user_1 exists change info y n y Deleting a GSS User Account You ca...

Страница 90: ...rivileges specify custom GUI user views and maintain contact information for each user Only users with administrator privilege can create modify or remove a primary GSSM GUI user account Note The primary GSSM separately maintains the user accounts and passwords created to log in to the GUI from those accounts and passwords created to log in to the CLI This section contains the following topics Pri...

Страница 91: ...the three user privilege levels also called roles Each of the following roles grants specific access to the GUI based on the assigned role Administrator Full configuration privileges and complete access to the primary GSSM GUI Operator Limited configuration privileges in the primary GSSM GUI but the operator can view list pages view detail pages and monitor global server load balancing statistics ...

Страница 92: ...s only View list pages detail pages and statistics Restricted from creating modifying or deleting any configuration items appearing in the primary GSSM GUI The operator has the following access privileges DNS Rules Tab Access to all navigation links Access to the Modify icons to view the detail pages The Delete icon and Submit icons are unavailable Access to the Suspend and Activate icons on the M...

Страница 93: ...th a location Activate or suspend all answers associated with answer groups held by an owner Restricted from activating and suspending all DNS rules associated with an owner Monitoring tab Access to all navigation links and list pages Tools tab Access to only the Change Password navigation link and detail page Traffic Mgmt tab Access to all navigation links list pages and detail pages Table 3 1 Us...

Страница 94: ...ils Observer The observer has read only privileges to monitor statistics Observers cannot do the following Create modify or delete any configuration item Perform any suspend or activate functions View list pages or detail pages but observers can view statistics The observer has the following access privileges DNS Rules Tab Restricted from access to the DNS Rules tab Resources tab Restricted from a...

Страница 95: ...r Accounts Creating a GUI User Account To create a GSSM GUI user account from the primary GSSM GUI perform the following steps 1 Click the Tools tab 2 Click the User Administration navigation link The Users list page appears see Figure 3 1 Figure 3 1 Users List Page 3 Click the Create User icon The Creating New User details page appears see Figure 3 2 ...

Страница 96: ...ic password for the new account 6 In the Re type Password field reenter the password for the new account 7 In the Role field choose from the three user privilege levels to define what the user has access to when using the primary GSSM GUI Administrator Full configuration privileges and complete access to the primary GSSM GUI Operator Limited configuration privileges in the primary GSSM GUI but the...

Страница 97: ...nfiguration items and statistics displayed in the primary GSSM GUI This is the default selection when you create a user User View For a user with an assigned operator or observer role a user view allows the administrator to limit the configuration data and statistics available to the user when accessing the primary GSSM GUI Note Only an administrator can create a view See the Creating and Modifyin...

Страница 98: ...ant to modify The Modifying User details page appears see Figure 3 2 listing fields for modifying your GUI session settings 4 Use the fields in the Modifying User details page to modify the details of the user account 5 Click Submit to save changes to the account and return to the Users list page Removing a GUI User Account To remove an existing GSSM GUI user account from the primary GSSM GUI perf...

Страница 99: ...M GUI to change the password You must know the existing password for an account before you can change it Note If you change the administration password that is used to log in to the primary GSSM GUI and then either lose or forget the password you can reset it back to default by using the reset gui admin password CLI command See the Restoring or Changing the Administrator GUI Password section for d...

Страница 100: ...ssword Details Page 3 In the Old Password field enter your existing GSSM login password 4 In the New Password field enter the string that you would like to use as the new GSSM login password 5 In the Re type New Password field enter the new password string a second time This action is used to verify that you have entered your password correctly 6 Click Submit to update your login password ...

Страница 101: ...y or delete a user view This section contains the following topics Custom User View Overview Creating a GUI User View Modifying a GUI User View Deleting a GUI User View Custom User View Overview As the GSS administrator you can define a set of custom views that limit the data configuration data and statistics available on a primary GSSM GUI page Each custom user view can include selections from th...

Страница 102: ...s answer groups source address lists and domain lists specify owners as a defining property Answer groups specify answers as a defining property Answers specify locations as a defining property The relationship between configuration data in the primary GSSM GUI has a direct impact on what configuration data and statistics are visible in a custom view For example if the primary GSSM GUI has four co...

Страница 103: ...0410 01 Chapter 3 Creating and Managing User Accounts Creating and Managing Primary GSSM GUI User Accounts Figure 3 4 User Views List Page 3 Click the Create User Views icon The Creating New User View General Configuration details page appears see Figure 3 5 ...

Страница 104: ... be from 1 to 80 alphanumeric characters and cannot contain spaces b In the Comments field enter descriptive information or important notes regarding the new user view 5 Click the Add Answers navigation link to define the answers available in the custom user view The Add Answers details page appears see Figure 3 6 Click the check box corresponding to each existing answer you want to add to the cus...

Страница 105: ... 6 Click the Add Keepalives navigation link to define the shared keepalives available in the custom user view The Add Keepalives details page appears see Figure 3 7 Click the check box corresponding to each existing shared keepalive you want to add to the custom user view If the list of shared keepalives on your GSS network spans more than one page select the shared keepalives from only the first ...

Страница 106: ... Locations navigation link to define the locations available in the custom user view The Add Locations details page appears see Figure 3 8 Click the check box corresponding to each existing location you want to add to the custom user view If the list of locations on your GSS network spans more than one page select the locations from only the first page of locations then click Add Selected before p...

Страница 107: ...e the owners available in the custom user view The Add Owners details page appears see Figure 3 9 Click the check box corresponding to each existing owner you want to add to the custom user view 9 If the list of owners on your GSS network spans more than one page select the owners from only the first page of owners and then click Add Selected before proceeding to another page of owners Note The pr...

Страница 108: ...ew View Add Owners Details Page 10 Click the appropriate Remove navigation link to remove answers keepalives locations or owners from this custom user view The associated detail page then appears Figure 3 10 illustrates the Remove Answers details page 11 Click the check boxes that correspond to the items that you want to remove from the custom user view and then click Remove Selected ...

Страница 109: ...0 Creating New View Remove Answers Details Page 12 When you complete defining the user view click the General Configuration navigation link to return to the Creating New User View General Configuration details page see Figure 3 11 The selected items assigned to this view appear in the Current Owners Current Locations Current Answers or Current KeepAlives section of the page ...

Страница 110: ... user view Modifying a GUI User View To modify a user view from the primary GSSM GUI perform the following steps 1 Click the Tools tab 2 Click the Views navigation link The User Views list page appears see Figure 3 4 3 Click the Modify User View icon located to the left of the user view that you want to modify The Modify User View details page appears 4 In the General Configuration details page Ge...

Страница 111: ... associated details page appears Click the check boxes that correspond to the items that you want to remove from the custom user view and then click Remove Selected 7 Click Submit to save changes to the user view Deleting a GUI User View To delete a user view from the primary GSSM GUI perform the following steps 1 Click the Tools tab 2 Click the Views navigation link The User Views list page appea...

Страница 112: ...GSS administrator account you can reset it from the GSS CLI You must have physical access to the GSS device to perform this procedure To reset the administrator CLI account password perform the following steps 1 Attach an ASCII terminal to the Console port on the GSS device See the Cisco Global Site Selector Hardware Installation Guide for instructions on connecting a console cable to your GSS ser...

Страница 113: ...ssword message appears on the console terminal while the GSS device reboots If the message does not appear repeat Steps 2 through 4 Pay close attention when you enter the GSS software_version RESETADMINCLIPW 1 command Changing the Administrator CLI Password You can change the administrator password that accesses the GSS CLI by using the username global configuration mode command The syntax for thi...

Страница 114: ...fe partition of the hard disk to prevent loss of data due to power failures If you change the administrator password and then either lose or forget the password you can reset the password back to default by using the reset gui admin password command on the primary GSSM Only users with the administrator privilege can remove or change the administrator s GUI password The syntax for this command is a...

Страница 115: ...g you to control who can access a GSS device control which CLI commands are available for particular users and to use the TACACS server to record the specific CLI commands and GUI pages accessed by a GSS user This chapter contains the following major sections TACACS Overview TACACS Configuration Quick Start Configuring a TACACS Server for Use with the GSS Identifying the TACACS Server Host on the ...

Страница 116: ...S security daemon to provide the AAA services The Cisco Secure Access Control Server ACS is an example of an AAA access control server TACACS uses TCP as the transport protocol for reliable delivery Optionally you can configure the GSS to encrypt all traffic transmitted between the GSS device and the TACACS server in the form of a shared secret When a user attempts to access a GSS device that is o...

Страница 117: ...ds the specific CLI commands and GUI pages accessed by a GSS user Accounting enables system administrators to monitor the activities of GSS users which is beneficial for administrating multi user GSS devices The information is contained in an accounting record that is sent to the TACACS server Each record includes the username the CLI command executed or the primary GSSM GUI page accessed the prim...

Страница 118: ...he CLI command see the sections following the table Table 4 1 TACACS Configuration Quick Start Task and Command Example 1 Configure the authentication authorization and accounting service settings on the TACACS server such as the Cisco Secure Access Control Server ACS 2 Enable global configuration mode on the GSS device gssm1 example com config gssm1 example com config 3 Define the TACACS server t...

Страница 119: ...rver Configuring Accounting Settings on the TACACS Server Note For the GSS to properly perform user authentication using a TACACS server the username and password must be identical on both the GSS CLI and the TACACS server Configuring Authentication Settings on the TACACS Server To configure the authentication settings on Cisco Secure ACS perform the following steps 1 Proceed to the Network Config...

Страница 120: ...e Selector Administration Guide OL 10410 01 Figure 4 2 Add AAA Client Page of Cisco Secure ACS 2 Configure the following selections AAA Client Hostname Enter the name that you want assigned to the GSS AAA Client IP Address Enter the IP address of the GSS Ethernet interface that will be used for communicating with the TACACS server ...

Страница 121: ...TACACS Cisco IOS selection activates the TACACS option when using Cisco Systems access servers routers and firewalls that support the TACACS authentication protocol This includes support with a GSS device as well Configuring Authorization Settings on the TACACS Server You can use the TACACS server to limit user access to a subset of CLI commands on a GSS device For the Cisco Secure ACS define the ...

Страница 122: ...m the following steps 1 Access the Group Setup section of the Cisco Secure ACS interface then access the Group Setup page Select the group for which you want to configure TACACS settings then click Edit Settings The Edit page appears 2 Scroll to the Shell Command Authorization Set section of the Group Setup page see Figure 4 3 Figure 4 3 Shell Command Authorization Set Section of Group Setup Page ...

Страница 123: ...hat the GSS sends to the Cisco Secure ACS For each argument of the Cisco IOS command specify whether the argument is to be permitted or denied These should be entered in the format permit argument or deny argument The GSS device may submit arguments in a format different from what a user types at a GSS CLI prompt To create effective device CLI command sets see the Cisco Global Site Selector Comman...

Страница 124: ...c Enter permit user in the Arguments text box d Click the Deny option under Unlisted arguments Figure 4 4 Command Privileges Example Deny All CLI Commands Except Specified Command To permit all CLI commands except for the gss tech report command see Figure 4 5 do the following a Click the Permit option under Per Group Command Authorization b Enter gss in the Command text box ...

Страница 125: ...ng GSS User Accounts Through a TACACS Server Configuring a TACACS Server for Use with the GSS c Enter deny tech report in the Arguments text box d Click the Permit option under Unlisted arguments Figure 4 5 Command Privileges Example Permit All CLI Commands Except Specified Command ...

Страница 126: ...ser terminate a GUI session and log back in to the primary GSSM Users are assigned privileges based on whether they are using the GUI or the GLI on the primary GSSM as follows For users who are using the GUI the privilege configured on the TACACS server takes preference over any privilege configured on the GSS For users who are using the CLI the privilege configured on the GSS takes preference ove...

Страница 127: ... primary GSSM GUI from the Cisco Secure ACS perform the following steps 1 If this is your first time enabling per user CLI command authorization access the Interface Configuration section of the Cisco Secure ACS interface and configure the following selections a Access the TACACS IOS page Click the Shell exec checkbox under both the User and Group columns see Figure 4 6 Figure 4 6 Interface Config...

Страница 128: ...ide OL 10410 01 b Access the Advanced Options page Check the Per user TACACS RADIUS Attributes checkbox see Figure 4 7 Figure 4 7 Interface Configuration Page Advanced Options Page 2 Access the User Setup section of the Cisco Secure ACS interface and choose the name of a user to which you want to assign a primary GSSM GUI privilege level The Edit page appears ...

Страница 129: ...ng a TACACS Server for Use with the GSS 3 Scroll to the Shell Command Authorization Set section of the User Setup page 4 Check the Per User Command Authorization checkbox 5 Check the Command check box and type GuiEnable in the Command text box see Figure 4 8 Figure 4 8 Assigning Operator Level Privileges to a User from Cisco Secure ACS ...

Страница 130: ...primary GSSM GUI 8 Click the Permit option for Unlisted arguments Enabling Custom User GUI Views When Authenticating a User from the TACACS Server For a user with an assigned operator or observer role a TACACS server does not directly support control over additional primary GSSM GUI application specific functions such as user views The GSS administrator can define a set of custom views that limit ...

Страница 131: ...t on the primary GSSM GUI However the GUI specific password is not used during user authentication from a TACACS server When you configure TACACS authentication on the GSS from the CLI if you choose not to select the local fallback option for the aaa authentication gui CLI command see the Configuring Authentication Settings on the TACACS Server section ensure that you set the user account GUI spec...

Страница 132: ...CSV TACACS Accounting report check box 3 Under Select Columns To Log in the Attributes column click the attribute that you want to log Click to move the attribute into the Logged Attributes column Click Up or Down to move the column for this attribute to the desired position in the log Repeat until all the desired attributes are in the desired positions in the Logged Attributes column 4 Click Subm...

Страница 133: ...mines that the first TACACS server is down the GSS attempts to connect to the next server in the list of configured TACACS servers as the backup server If a second or third TACACS server is available for use the GSS selects that server as the active TACACS server Note The GSS uses TCP keepalives as the default to monitor connectivity with the active TACACS server As a secondary measure if the TCP ...

Страница 134: ...ncryption key on the TACACS server power cycle the GSS Because the CLI commands entered prior to the power cycle were not saved in the GSS startup configuration file you can regain access to the GSS CLI and redo the TACACS configuration The syntax for this global configuration command is as follows tacacs server host ip_or_host port port key encryption_key The arguments and keywords for this globa...

Страница 135: ...rt number Use the no form of the tacacs server host command to delete an existing TACACS server from the running configuration For example to delete the TACACS server at IP address 192 168 1 101 with default TCP port 49 from the running configuration enter gss1 example com config no tacacs server host 192 168 1 101 or gss1 example com config no tacacs server host 192 168 1 101 port 49 If you defin...

Страница 136: ...f a second or third TACACS server is available for use the GSS selects that server as the active TACACS server To disable the use of TCP keepalives with the active TACACS server use the no form of the tacacs server keepalive enable command The syntax for this global configuration command is as follows no tacacs server keepalive enable If you disable TCP keepalives the GSS will continue to use the ...

Страница 137: ...ically applies the modified timeout period and the new value takes effect automatically on the next TACACS connection For example to set the timeout period to 60 seconds enter gss1 example com config tacacs server timeout 60 To reset the timeout period to the default of 5 seconds enter gss1 example com config no tacacs server timeout 60 Specifying TACACS Authentication of the GSS After you identif...

Страница 138: ...ection The local option is always enabled for the login console port or Telnet access method For example to enable TACACS authentication for an SSH remote access connection that can revert back to local authentication enter gss1 example com config aaa authentication ssh local Use the no form of the aaa authentication command to disable the TACACS authentication function For example to disable TACA...

Страница 139: ...ot saved in the GSS startup configuration file you can regain access to the GSS CLI and redo the TACACS configuration To enable TACACS authorization for the GSS CLI commands enter gss1 example com config aaa authorization commands Use the no form of this command to disable the TACACS CLI command authorization function For example enter gss1 example com config no aaa authorization commands For deta...

Страница 140: ...level EXEC mode commands that a user issues Command accounting generates accounting records for all user level and privileged level EXEC mode commands including global configuration and interface configuration commands gui Enables the TACACS accounting service to monitor access to the primary GSSM GUI pages and the actions performed on those pages To enable TACACS accounting for the GSS CLI enter ...

Страница 141: ...xample com show statistics tacacs Server 192 168 1 100 49 ONLINE PASS FAIL ERROR Authentication 321 4 0 Authorization 782 48 0 Accounting 535 0 0 Server 192 168 1 101 49 ONLINE PASS FAIL ERROR Authentication 17 1 0 Authorization 39 3 0 Accounting 12 0 0 Table 4 2 describes the fields in the show statistics tacacs command output Table 4 2 Field Descriptions for show statistics tacacs Command Field ...

Страница 142: ... CLI You must have physical access to the GSS device to perform this procedure To disable TACACS on a GSS device perform the following steps 1 Attach an ASCII terminal to the console port on the GSS device See the Cisco Global Site Selector Hardware Installation Guide for instructions on connecting a console cable to your Cisco Global Site Selector series hardware 2 Press the power control button ...

Страница 143: ...ot process the following appears Mounting other Filesystems OK Disabling TACACS Authentication and Authorization Building Properties You should now be able to locally access the GSS device and reconfigure the TACACS authentication and authorization functions for the GSS device 4 Save your configuration changes to memory gssm1 example com copy running config startup config If you fail to save your ...

Страница 144: ...Chapter 4 Managing GSS User Accounts Through a TACACS Server Disabling TACACS on a GSS 4 30 Cisco Global Site Selector Administration Guide OL 10410 01 ...

Страница 145: ...SS traffic It contains the following major sections Filtering GSS Traffic Using Access Lists Deploying GSS Devices Behind Firewalls Filtering GSS Traffic Using Access Lists This section contains the following topics Access List Overview Creating an Access List Associating an Access List with a GSS Interface Disassociating an Access List from a GSS Interface Adding Rules to an Access List Removing ...

Страница 146: ...t at any time Apply access lists to one or both of the GSS Ethernet interfaces using the access group command The GSS appends each additional criteria statement to the end of the access list statements Be aware that you cannot delete individual statements after creating them You can only delete an entire access list The order of access list statements is very important When the GSS decides whether...

Страница 147: ...r user configured TCP Return traffic for TACACS 53 UDP TCP GSS DNS server traffic 53 UDP Return traffic of GSS software reverse lookup dnslookup queries and name server forwarding 123 123 UDP Network Time Protocol NTP updates 161 UDP Simple Network Management Protocol SNMP traffic 443 TCP Primary GSSM GUI 1304 1304 UDP CRA keepalives 1974 1974 UDP Director Response Protocol DRP protocol traffic 20...

Страница 148: ... port The keywords and arguments are as follows name Alphanumeric name used to identify the access list you are creating permit Allows a connection when a packet matches the condition All provisions of the condition must be met to make a match deny Prevents a connection when a packet matches the condition All provisions of the condition must be met to make a match 3340 TCP Sticky and Config Agent ...

Страница 149: ...lace of the source address source netmask or host source address values the GSS matches packets from all incoming sources operator Arbitrary bytes within the packet The operator can be one of the following values eq equal neq not equal range range port Source or destination port of the packet destination port Compares the destination port of the packet with the access condition For example to conf...

Страница 150: ...q 1974 access list alist1 permit tcp any destination port eq 5001 access list alist1 permit tcp any eq 5001 access list alist1 permit icmp any Kernel output access list alist1 on interface eth0 1 references target prot opt source destination ACCEPT tcp 0 0 0 0 0 0 0 0 0 0 tcp dpts 20 23 ACCEPT tcp 0 0 0 0 0 0 0 0 0 0 tcp spt 20 ACCEPT tcp 0 0 0 0 0 0 0 0 0 0 tcp spt 21 ACCEPT tcp 0 0 0 0 0 0 0 0 0...

Страница 151: ...up command is as follows access group name interface eth0 eth1 The keywords and arguments are as follows name Name of a pre existing access list interface Specifies an interface on the GSS to which the access list will be assigned eth0 Identifies the first Ethernet interface on the GSS device eth1 Identifies the second Ethernet interface on the GSS device The GSS does not allow you to assign the s...

Страница 152: ... config no access group alist1 interface eth0 See the Associating an Access List with a GSS Interface section for an explanation of access group command syntax Adding Rules to an Access List After you create one or more access lists you can append rules to them at any time Use the access list command to add a new rule to an existing access list For example to add a new rule to the access list name...

Страница 153: ...to verify that the rule has been removed from your access list gss1 example com config show access list access list alist1 access list alist1 permit tcp any destination port eq 443 Segmenting GSS Traffic by Ethernet Interface By default the GSS devices listen for DNS traffic on both GSS Ethernet interfaces 0 and 1 In the case of inter GSS communications GSS devices listen for configuration and sta...

Страница 154: ...ic on the first Ethernet interface eth0 enter gss1 example com config gss1 example com config access list alist1 deny tcp any destination port ftp gss1 example com config access list alist1 deny tcp any destination port ssh gss1 example com config access list alist1 deny tcp any destination port telnet gss1 example com config access group alist1 eth0 Displaying Access Lists You can use the show ac...

Страница 155: ... 0 0 0 0 tcp spt 20 ACCEPT tcp 0 0 0 0 0 0 0 0 0 0 tcp spt 21 ACCEPT tcp 0 0 0 0 0 0 0 0 0 0 tcp spt 23 ACCEPT tcp 0 0 0 0 0 0 0 0 0 0 tcp spt 49 ACCEPT tcp 0 0 0 0 0 0 0 0 0 0 tcp dpt 53 ACCEPT udp 0 0 0 0 0 0 0 0 0 0 udp dpt 53 ACCEPT udp 0 0 0 0 0 0 0 0 0 0 udp spt 53 ACCEPT udp 0 0 0 0 0 0 0 0 0 0 udp spt 123 dpt 123 ACCEPT udp 0 0 0 0 0 0 0 0 0 0 udp dpt 161 ACCEPT tcp 0 0 0 0 0 0 0 0 0 0 tcp...

Страница 156: ...ng Depending on your GSS configuration you can also allow other traffic to pass through the firewall This requirement depends on your GSS configuration for example if you are using TCP based or KAL AP keepalives and the ability to access certain GSS services through the firewall for example SNMP The GSS does not support deployment of devices behind a NAT for inter GSS communication The communicati...

Страница 157: ...Return traffic of GSS software reverse lookup dnslookup queries and name server forwarding 80 or user configured TCP Return traffic of TCP and HTTP keepalives 123 123 UDP Return traffic of NTP updates 161 UDP SNMP traffic 443 TCP Primary GSSM GUI 1304 1304 UDP Return traffic of CRA keepalives 1974 1974 UDP Return traffic of DRP protocol traffic 2000 UDP Inter GSS periodic status reporting 2001 200...

Страница 158: ...L AP keepalives Table 5 2 Inbound Traffic Going Through a Firewall to the GSS continued Source Port Remote Device Destination Port GSS Protocol Details Table 5 3 Outbound Traffic Originating from the GSS Source Port GSS Destination Port Remote Device Protocol Details 20 23 TCP Return traffic of FTP SSH and Telnet server services on the GSS 49 or user configured TCP TACACS 20 23 TCP Traffic of FTP ...

Страница 159: ...SS periodic status reporting 2001 2005 TCP Inter GSS communication 2001 2005 TCP Return traffic of inter GSS communication 3002 3008 TCP Inter GSS communication 3002 3008 TCP Return traffic of inter GSS communication 3340 TCP Sticky and Config Agent communication 3341 TCP Sticky communication source 3342 TCP Sticky and DNS processes communication 5001 TCP Global sticky mesh protocol traffic 5001 T...

Страница 160: ...owing steps 1 Determine the level of access and the services that you want enabled on your GSS and GSSM devices Decide if you want to Allow FTP SSH and Telnet access to the GSS device Permit GUI access to the primary GSSM Table 5 2 and Table 5 3 list the GSS related ports and protocols to enable for the GSS device to function properly 2 Construct your access lists to filter traffic incoming and ou...

Страница 161: ...MP Server Notifications Configuring SNMP Server Trap Limits Specifying Recipients for SNMP Notification Operations Viewing SNMP Status Viewing MIB Files on the GSS Overview SNMP is a set of network management standards for IP based internetworks SNMP includes a protocol a database structure specification and a set of management data objects SNMP implementations typically consist of a management ap...

Страница 162: ...MP on the GSS Before you use SNMP to monitor the GSS or GSSM you must enable the SNMP agent on each GSS device In addition to enabling the SNMP agent on the GSS device you also specify an SNMP community name name of the contact person and the physical location for the GSS device Note Be aware that existing pre v2 0 SNMP community contact and location configurations are retained after a v2 0 softwa...

Страница 163: ...t options available on the GSS You can configure them by using either the pre v2 0 software CLI or the new v2 0 software CLI a Using the pre v2 0 CLI configure a contact person for this GSS device with the snmp contact command You can include information on how to contact a person for example a phone number or e mail address Enter an unquoted text string with a maximum of 255 characters including ...

Страница 164: ...the SNMP agent by using the following command gss1 example com config snmp enable 4 Configure SNMP server information by using the following command gss1 example com config snmp server 5 Specify an SNMP community name for this GSS device by using the community command and an unquoted text string with no spaces and a maximum of 32 characters gss1 example com config snmp server community MyCommunity...

Страница 165: ...following command gss1 example com config snmp enable 4 Enable SNMP server notifications by entering the snmp server enable traps command and following it with one of the available options gslb Enables all SNMP GSLB notifications gslb dns Enables SNMP DNS server notification gslb kal Enables SNMP GSLB keepalive notification gslb peer status Enables SNMP GSLB peer status change notification core En...

Страница 166: ...ble gss1 example com 2 Access global configuration mode gss1 example com config gss1 example com config 3 Enable the SNMP agent by using the following command gss1 example com config snmp enable 4 Enable SNMP server trap limits by entering the snmp server trap limit command and following it with one of the available options and a specified value answer trap value Configures a rate limit for the an...

Страница 167: ...ss1 example com config gss1 example com config 3 Enable the SNMP agent by entering the following command gss1 example com config snmp enable 4 Specify the recipients of SNMP notification operations by using the snmp server host command and a host address and a community string gss1 example com config snmp server host 10 1 1 1 MyCommunity 5 Send SNMP traps to the specified host by entering the foll...

Страница 168: ...ewing SNMP Status Once SNMP is enabled you can display the SNMP status on your GSS device by using the show snmp command Verify that your SNMP agent ucd snmp v4 2 3 is enabled or disabled as well as the configured names of the community string location and contact Note You can also use the show services command to verify if SNMP is enabled or disabled For example enter gss1 example com show snmp S...

Страница 169: ...another location on the GSS or to a remote network location use the scp command For example enter gss1 example com dir mibs total 1100 drwxr xr x 2 root root 4096 Jul 18 08 45 drwxrwxrwx 19 root root 4096 Jul 18 08 46 rw r r 1 root root 17455 Jul 18 08 45 AGENTX MIB txt rw r r 1 root root 19850 Jul 18 08 45 DISMAN SCHEDULE MIB txt rw r r 1 root root 64311 Jul 18 08 45 DISMAN SCRIPT MIB txt rw r r ...

Страница 170: ... 08 45 SNMP COMMUNITY MIB txt rw r r 1 root root 20750 Jul 18 08 45 SNMP FRAMEWORK MIB txt rw r r 1 root root 5261 Jul 18 08 45 SNMP MPD MIB txt rw r r 1 root root 19083 Jul 18 08 45 SNMP NOTIFICATION MIB txt rw r r 1 root root 8434 Jul 18 08 45 SNMP PROXY MIB txt rw r r 1 root root 21495 Jul 18 08 45 SNMP TARGET MIB txt rw r r 1 root root 38035 Jul 18 08 45 SNMP USER BASED SM MIB txt rw r r 1 roo...

Страница 171: ...ow to back up and restore the primary GSSM database It also describes how to downgrade to an earlier version of the GSS software on your GSSs and GSSMs and restore the software if you encounter problems with a GSS software upgrade It contains the following major sections Backing Up the Primary GSSM Restoring a Primary GSSM Backup Downgrading Your GSS Devices ...

Страница 172: ...ration and database will survive and your GSSM can be quickly restored We recommend that you perform a backup of your primary GSSM Before you switch GSSM roles and before you make the standby GSSM the primary GSSM on your network Before you perform a GSS software upgrade After you make any changes in the device or network configuration of your GSSM The GSS software performs a full backup of the GS...

Страница 173: ...le privileged EXEC mode gssm1 example com enable gssm1 example com 2 Copy the current primary GSSM startup configuration to a file for use on other devices or for backup purposes by using the copy startup config disk command The filename argument specifies the name of the file containing the startup configuration settings gssm1 example com copy startup config disk newstartupconfig Note The primary...

Страница 174: ...our Primary GSSM from a Previous Backup Restore Overview You may need to restore a previous primary GSSM backup for the following reasons You have replaced your primary GSSM with a new device and want to restore a previous backup to that primary GSSM You are downgrading the GSS software to an earlier release You have made a number of configuration changes to the primary GSSM and would like to retu...

Страница 175: ...stored Previous backups have a full file extension For details about locating files in a GSS directory see the Managing GSS Files section in Chapter 2 Managing the GSS from the CLI 1 Stop the GSS software on the primary GSSM and then use the gss status command to confirm that the primary GSSM has stopped atcr1 cisco com gss stop atcr1 cisco com gss status Cisco GSS 1 3 1 0 0 Wed Feb 15 11 33 47 UT...

Страница 176: ...abase backup Platform information includes all configuration parameters set at the CLI including interface configuration hostname service settings NTP SSH Telnet FTP and SNMP time zone logging levels web certificates inter GSS communication certificates access lists and access groups CLI user information GUI user information and property set CLI commands 5 Confirm your decision to restore the GSS ...

Страница 177: ...se to reboot the device the primary GSSM reboots 6 Confirm that the primary GSSM is up and running in normal operation mode runmode 5 by using the gss status command After you restore a backup file in which you did not preserve the GSS network information note the following configuration changes in the primary GSSM GUI All previous associations established between a GSS device and a location are r...

Страница 178: ...orm because of changes in the database schema between releases When downgrading the GSS software use the following order of operations to protect your critical GSS data and properly restore your GSSM database 1 Verify the GSSM role in the GSS network 2 Perform a backup of your primary GSSM that contains the more recent version of the GSS software 3 Obtain an earlier software upg file 4 Downgrade y...

Страница 179: ...ne See the Verifying the GSSM Role in the GSS Network section of Appendix A Upgrading the GSS Software 2 Perform a backup of your primary GSSM as described in the Performing a Full Primary GSSM Backup section 3 Obtain an earlier software version as described in the Obtaining the Software Upgrade section of Appendix A Upgrading the GSS Software 4 Install the earlier software version as described in...

Страница 180: ...Chapter 7 Backing Up Restoring and Downgrading the GSSM Database Downgrading Your GSS Devices 7 10 Cisco Global Site Selector Administration Guide OL 10410 01 ...

Страница 181: ...ogs from the CLI Viewing System Logs from the Primary GSSM GUI Viewing GSS System Logs Using CiscoWorks RME Syslog Analyzer Understanding GSS Logging Levels The GSS generates log messages to assist you with debugging and monitoring operations The GSS maintains logged records for a wide range of GSS network activity in the gss log file as well as through the system logs feature of the GSSM The subs...

Страница 182: ...uires immediate attention For example one of the GSS subsystems is not running 2 Critical The GSS encountered a critical condition that requires attention For example a GSS device cannot connect to the primary GSSM and does not have a local configuration snapshot to use 3 Errors The GSS encountered an error condition that requires prompt attention but can still function For example a GSS device is...

Страница 183: ...el Table 8 2 Logging Subsystems Subsystem Definition boomerang Boomerang logging messages crdirector CrDirector logging messages crm GSSM logging messages ddos Distributed Denial of Service DDoS prevention module logging messages dnsserver Domain Name System DNS logging messages drpagent Director Response Protocol DRP agent logging messages keepalive Keepalive Engine logging messages nodemgr Node ...

Страница 184: ...e logging functions use the no form of this command The default logging settings are as follows Logging to disk Enabled Priority of message for disk 5 Priority of message for host 4 Log filename home gss log Log file recycle size 10 MB Maximum number of log files 25 Note In rare instances when a GSS runs out of user disk space the device will stop logging messages to all log files Logging does not...

Страница 185: ...ot be logged Use one of the following keywords to select the logging level listed in order of priority emergencies The GSS is unusable Priority 0 alerts Immediate action needed Priority 1 critical Immediate action needed Priority 2 errors Error conditions Priority 3 warnings Warning conditions Priority 4 notifications Normal but significant conditions Priority 5 informational Informational message...

Страница 186: ...og for CrDirector subsystem logging messages and set the priority level to informational messages enter gssm1 example com config logging disk enable gssm1 example com config logging disk subsystem crdirector gssm1 example com config logging disk priority information To stop logging to GSS disk enter gssm1 example com config no logging disk enable Specifying a Host for a Log File Destination You ca...

Страница 187: ...rmational messages Priority 6 debugging Debugging messages Priority 7 subsystem Sets the log for a named GSS subsystem Each subsystem can have a different log level applied for its messages name Name of the GSS subsystem Use one of the following keywords to select a subsystem boomerang Boomerang logging messages crdirector CrDirector logging messages crm GSSM logging messages dnsserver Domain Name...

Страница 188: ...pecifying a Syslog Facility You can specify a syslog facility type to identify the behavior of the syslog daemon syslogd on the host by using the logging facility command in global configuration mode The syslog daemon on the host uses the specified facility type to determine how to process messages Note For more information on the syslog daemon and facility levels refer to your syslog daemon docum...

Страница 189: ...enter gssm1 example com config logging facility local7 To change the logging facility to back to the default of local5 enter gssm1 example com config no logging facility local7 Viewing Device Logs from the CLI Each GSS device contains a number of log files that retain records of both GSS related activity as well as the performance of the various GSS subsystems Access these log files from the CLI t...

Страница 190: ...anaging the GSS from the CLI Otherwise use the tail or follow options as described in this section to limit the output of the file The syntax for this command is as follows show logs follow tail The keywords are as follows follow Displays the log file as data that is appended to it tail Displays only the last ten lines of the log file To limit the output of the show logs command specify one of the...

Страница 191: ...1240 Sending circuit keepalive 192 10 2 1 Viewing System Message Logging You can display the system message log configuration for a GSS device by using the show logging command For example enter gssm1 example com show logging Logging to disk is enabled Priority for disk logging is Informational 6 Logging to host is disabled Priority for host logging is Warning 4 Viewing Subsystem Log Files from th...

Страница 192: ...Wed Jul 10 16 23 33 UTC 2003 1201 End of file dnsserver log 3 View only the last ten lines of the log file by using the following command gssm1 example com tail dnsserver log Rotating Existing Log Files from the CLI You can instruct the GSS to save archive copies of all existing log files in the STATE directory and subdirectories and replace them with fresh log files To force the GSS to restart it...

Страница 193: ...r log files To rotate existing log files gssm1 example com rotate logs To clear all rotated log files in the STATE directory and subdirectories except for the active log files enter gssm1 example com rotate logs delete rotated logs Viewing System Logs from the Primary GSSM GUI From the primary GSSM GUI you can view messages logged in the GSS system log file The system log file presents the logged ...

Страница 194: ...e primary GSSM GUI click the Tools tab 2 Click the System Logs option The System Log list page appears see Figure 8 1 displaying system log information Figure 8 1 System Log List Page System log information includes Time Time in Universal Coordinated Time UTC at which the logged event occurred on the GSS device Node type Type of GSS node GSS or GSSM on which the logged event occurred Node name Nam...

Страница 195: ...iption that explains the event Message Information about any relevant conditions encountered while the event was being logged 3 Click the column header of any of the displayed columns except for Severity or Description to sort the listed domains by a particular property Purging System Log Messages from the GUI You may want to remove older system log messages from the primary GSSM GUI An excessive ...

Страница 196: ...y GSSM database For example to purge all system log messages except for the last three messages enter gssm1 example com gssm database purge log records count 3 For example to purge all system log messages except for those generated within the last seven days enter gssm1 example com gssm database purge log records days 7 To verify that the GSS purged the specified system log messages perform the fo...

Страница 197: ...iled its internal consistency checks Multiple primary GSSMs detected The GSS detects multiple primary GSSMs operating concurrently Passed store invalidation The GSS has successfully completed the process of marking internally inconsistent database records Passed store validation The GSSM database passed its internal consistency checks Registered a new Global Site Selector A new GSS is online and h...

Страница 198: ...rity 7 debug messages are compliant with the syslog host message format Started store validation An internal consistency check has started for the GSSM database Store is corrupted The GSSM database failed the internal consistency checks x System Messages Dropped The GSS dropped and did not report a certain number of messages in an effort to throttle message traffic to the primary GSSM Unexpected G...

Страница 199: ...xample 2005 MAY 14 19 20 10 or mmm dd hh mm ss for example MAY 14 19 20 10 FACILITY Code consisting of two or more uppercase letters that indicate the facility to which the message refers A facility can be a hardware device a protocol or a module of the system software for example KAL TOMCAT SYS STK Note This is not the syslog server logging facility SEVERITY Single digit code from 0 to 7 that ref...

Страница 200: ...Chapter 8 Viewing Log Files Viewing GSS System Logs Using CiscoWorks RME Syslog Analyzer 8 20 Cisco Global Site Selector Administration Guide OL 10410 01 ...

Страница 201: ...base This chapter contains the following major sections Monitoring GSS and GSSM Status Monitoring GSSM Database Status Viewing the GSS Operating Configuration for Technical Support Note You can use the show statistics CLI command to display content routing and load balancing statistics for each component of your GSS global server load balancing operation Boomerang CRAs DNS DNS sticky network proxi...

Страница 202: ...ce role network address hostname and MAC address of each device This section contains the following topics Monitoring the GSS Device Online Status from the CLI Monitoring the GSS Device System Status from the CLI Monitoring the GSS Device Status from the Primary GSSM GUI Monitoring the GSS Device Online Status from the CLI To monitor the status and resource usage of a GSS device from the CLI perfo...

Страница 203: ...00 00 00 Nov02 Note When the DNS server is ready to serve DNS requests it generates the following subsystem log message and saves it in the system log file Mar 25 10 45 26 gssm1 example com DNS 5 SELREADYINFO 2073 Selector ready to start serving DNS requests 3 Include statistics about the CPU utilization when displaying information on the current GSS operating state by entering the following comma...

Страница 204: ... 1 3 1 GSS Manager primary Wed Feb 15 16 37 37 UTC 2006 Normal Operation runmode 5 START SERVER Jul09 Boomerang Jul09 Config Agent crdirector Jul09 Config Server crm Jul09 DNS Server Jul09 Database Jul09 GUI Server tomcat Jul09 Keepalive Engine Jul09 Node Manager Jul09 Proximity Jul09 Sticky Jul09 Web Server apache Note The equivalent CLI command is gss status Monitoring the GSS Device Status from...

Страница 205: ...ess Network address of the device Hostname Network hostname of the device MAC Machine address of the device 4 Click Cancel to return to the Global Site Selectors list page Monitoring GSSM Database Status The GSS software includes a number of CLI commands to monitor the status of the GSSM database and its contents This section contains the following topics Monitoring the Database Status Validating ...

Страница 206: ...ng your GSSM database you can generate a report called validation log that details which database records failed validation The gssm database report command constructs a list of invalid records in the GSSM database and writes the results to validation log in the home directory To generate a database validation report perform the following steps 1 Log in to the CLI of the primary GSSM and enable pr...

Страница 207: ...erty Validating Customer Validating DistTree Validating DnsRule Validating DomainElement Validating DomainGroup Validating ENodeConfig Validating ENodeStatus Validating KeepAliveConfig Validating KeepAlive Validating Location Validating OrderedanswerGroup Validating Owner Validating Region Validating RequestHandler Validating RoutedDomain Validating RoutingConfig Validating RrConfig Validating RrS...

Страница 208: ...port filename Generates a detailed report for use by a Cisco TAC representative in troubleshooting persistent GSS problems The file generated is a compressed tar format archive file with a tgz extension The filename argument identifies a user assigned name for the report generated by the gss tech report command For example to display an operating configuration report for your GSS device enter gssm...

Страница 209: ...GMT 00 00 2006 Global Site Selectors GSS1 Global Site Selector charon cisco com Status Online Node Services GSS IP Address 192 168 209 224 Location Region GSS2 Global Site Selector geryon cisco com Status Online Node Services GSS IP Address 192 168 209 225 Location Region GSS3 GGlobal Site Selector ladon cisco com Status Online Node Services GSS Standby GSSM IP Address 192 168 209 222 Location Reg...

Страница 210: ...hnical Support 9 10 Cisco Global Site Selector Administration Guide OL 10410 01 Answer Group 1 Database Services Balance Method 1 Hashed Balance Clause Options 1 DNS TTL 20 Return Record Count 1 Answer Group 2 Balance Method 2 Balance Clause Options 2 Answer Group 3 Balance Method 3 ...

Страница 211: ...ake full advantage of all of the features and capabilities of the software release we recommend that you upgrade all GSS devices in your network within the same time frame starting with the primary GSSM This upgrade sequence ensures that the other GSS devices properly receive configuration information from and are able to send statistics to the primary GSSM This section contains the following proc...

Страница 212: ...rrent primary GSSM in your network then the current primary GSSM and standby GSSM configuration is the original configuration and no further action is needed See the Backing up and Archiving the Primary GSSM section If the value of the domain name or IP address is the current standby GSSM in your network then the current primary GSSM and standby GSSM configuration is not the original configuration...

Страница 213: ...g the GSSM Database for instructions on performing a full backup of your primary GSSM Performing a full backup requires access to the CLI You are now ready to obtain the upgrade file and upgrade the software on a GSS device See the Obtaining the Software Upgrade section Obtaining the Software Upgrade Before you can update your GSS software obtain the appropriate software update file from Cisco Sys...

Страница 214: ... Cisco Global Site Selector link from the Software Center Content Networking page The Cisco GSS Software download page appears listing the available software upgrades for the Cisco GSS Software product Note When you first access the Content Networking page of the Software Center you must apply for eligibility for GSS software updates because it is considered a strong encryption image Under the Cis...

Страница 215: ...v1 3 3 and you then upgrade to v2 0 with CNR installed and enabled all DNS requests will be forwarded directly to CNR This action occurs even if there is a matching DNS rule with NS forwarding configured on the GSS To obtain support for reverse lookup for the answers configured on the GSS you need to explicitly configure the Pointer PTR records to do the same on CNR To perform NS forwarding on GSS...

Страница 216: ... command Before proceeding with the software upgrade the install command performs a validation check on the upgrade file unpacks the upgrade archive and installs the upgraded software Finally the install command restarts the affected GSS device Note Upgrading your GSS devices causes a temporary loss of service for each affected device To upgrade the GSS software starting with the primary GSSM perf...

Страница 217: ...guration Mode by entering the enable command and then the config command If the GSS does not have CNR loaded on it skip ahead to Step 11 9 Disable CNR if the GSS has CNR loaded on it gssm1 example com config no cnr enable 10 Type exit to leave Global Configuration mode 11 Install the upgrade by entering the following command gssm1 example com install gss upg 12 At the Proceed with install the devi...

Страница 218: ... 14 Verify that the GSS device reaches a normal operation state of runmode 4 or 5 by entering the gss status command 15 Enter configuration mode and enable CNR if the GSS has CNR loaded on it gssm1 example com config gssm1 example com config cnr enable 16 Repeat the entire procedure for the remaining GSS devices in your network ...

Страница 219: ...ress 5 5 TCP traffic filtering 5 5 UDP traffic filtering 5 5 viewing 5 9 activating GSS devices 1 6 adding rules to access lists 5 8 administration password changing 3 27 3 28 restoring 3 28 administrator account resetting 3 26 associating access list with interface 5 7 B backup of GSSM full backup procedure 7 3 overview 7 2 boot information displaying 2 48 C certificate accepting 1 2 attributes m...

Страница 220: ...esses 2 49 D database monitoring status of 8 5 purging 9 15 records purging 9 16 restoring GSSM from full backup 7 5 validating records 8 6 validation report 8 6 DDoS license file acquiring 2 4 license file installing 2 4 debug log message 9 15 default password 1 3 username 1 3 deleting files 2 23 deployment GSS devices behind firewall 5 12 directory current working directory displaying 2 20 displ...

Страница 221: ...ring for GSS 5 16 deploying GSS devices 5 12 inbound traffic to GSS 5 12 inbound traffic to the GSS 5 13 outbound traffic from the GSS 5 14 full GSSM backup 7 3 G Global Site Selector activating from primary GSSM 1 6 CNR installing 2 6 cold restart performing 2 28 CPU or memory processes displaying 2 49 deleting devices from primary GSSM 1 10 disabling GSS device 2 29 downgrading software 7 8 enab...

Страница 222: ...9 5 9 7 system status displaying 2 51 8 4 UDI displaying 2 50 user account creating 3 2 user account deleting 3 3 user account modifying 3 3 version information 2 45 Global Site Selector Manager activating 1 6 activating devices 1 6 backing up 7 2 changing role in GSS network 2 40 changing the GUI password 3 13 changing to standby 2 40 cold restart performing 2 28 configuring primary 4 29 configur...

Страница 223: ...twork traffic 5 9 logically removing a GSS 1 11 monitoring through CLI 8 1 monitoring through GUI 8 4 primary GSSM logically removing 1 11 reversing GSSM role 2 43 segmenting network traffic 5 9 standby GSSM logically removing 1 11 URL 1 2 1 5 GSS related ports and protocols 5 3 GUI configuration 1 13 default username and password 1 3 logging on 1 2 logging out 1 4 monitoring GSS device status 8 5...

Страница 224: ...pecifying 9 6 levels 9 1 9 4 log activity displaying 9 11 logging disk command 9 5 9 6 logs displaying 9 11 purging log records 9 15 subsystems 9 5 9 7 syslog facility 9 8 system logging 9 4 system message log displaying 9 11 tail command option 9 10 to a specific file on disk 9 5 to sys log file disabling 9 8 to sys log file enabling 9 6 turning off from disk 9 6 9 7 9 8 logging levels 9 1 9 5 9 ...

Страница 225: ...5 P packets denying 5 4 permitting 5 4 Partner Initiated Customer Access See PICA password changing default administration password 3 27 3 28 CLI resetting 3 15 CLI user account creating 3 2 default GUI 1 3 GSSM GUI changing 3 13 GUI entering 1 3 GUI user account changing password 3 13 GUI user account creating 3 10 resetting CLI administrator account 3 26 restoring default administration password...

Страница 226: ...ating log files 9 12 running configuration file changing 2 13 copying 2 14 copying as startup config file 2 13 displaying 2 15 overview 2 12 saving to startup configuration 2 13 summary 2 12 2 14 S segmenting GSS traffic by interface 5 9 session inactivity timeout 1 13 severity log message 9 15 show commands show access group command 5 11 show access list command 5 9 5 10 show boot config command ...

Страница 227: ... server enable traps command 6 5 6 6 software boot information showing 2 48 disabling GSS device 2 29 downgrade restoring earlier software version 7 9 downgrade procedure 7 8 enabling GSS device 2 29 restarting 2 28 shutting down 2 27 stopping 2 27 update obtaining update file A 3 upgrade procedure A 1 version information showing 2 45 software licenses CNR installing on GSS 2 6 installing 2 5 obta...

Страница 228: ...yzer 9 18 viewing from GUI 9 14 system uptime displaying 2 50 T TAC displaying GSS operating configuration 8 8 tech report 8 8 TACACS accounting overview 4 3 authentication overview 4 3 authorization overview 4 3 Cisco Secure Access Control Server ACS 4 5 disabling 4 28 GSS disabling enabling keepalives 4 22 GSS specifying accounting 4 25 GSS specifying authentication 4 23 GSS specifying authoriza...

Страница 229: ... account creating 3 2 CLI account deleting 3 3 CLI account modifying 3 3 CLI user privilege levels 3 2 creating for GUI 3 9 creating with CLI 3 2 deleting 3 3 GUI user privilege levels 3 5 3 6 3 8 3 10 GUI user views 3 11 GUI user account changing password 3 13 GUI user account creating 3 9 GUI user account modifying 3 12 GUI user account removing 3 12 modifying 3 3 3 12 removing 3 12 view overvie...

Страница 230: ...ation 4 16 V validating database records 8 6 verifying GSSM role A 2 version information 2 45 viewing access lists 5 9 gss log file 9 10 MIB files 6 9 SNMP status 6 8 subsystem log files 9 11 system log 9 13 system logs from CiscoWorks RME Syslog Analyzer 9 18 system logs from GUI 9 14 third party software information 1 15 W warning log message 9 15 ...

Результаты поиска

Содержание GSS-4492R-K9

Отзывы:

Похожие инструкции для GSS-4492R-K9

Бренды по названию

Популярные бренды

Cisco GSS-4492R-K9, Руководство администратора

Результаты поиска

Содержание GSS-4492R-K9

Отзывы:

Похожие инструкции для GSS-4492R-K9

Бренды по названию

Популярные бренды