
Cisco Systems 6500 Switch User Manual


Contents

1. How to Find Command Options

   Table 1-2  How to Find Command Options (continued)

   Command:
     ssl-proxy(config-if)# channel-group group ?
       <1-256>  Channel group number
     ssl-proxy(config-if)# channel-group group
   Comment:
     After you enter the group keyword, enter a ? to display what you must enter next on the command line. In this example, you must enter a channel group number from 1 to 256. Because a <cr> is not displayed, it indicates that you must enter more information to complete the command.

   Command:
     ssl-proxy(config-if)# channel-group 1 ?
       mode  Etherchannel Mode of the interface
     ssl-proxy(config-if)#
   Comment:
     After you enter the channel group number, enter a ? to display what you must enter next on the command line. In this example, you must enter the mode keyword. Because a <cr> is not displayed, it indicates that you must enter more information to complete the command.

   Command:
     ssl-proxy(config-if)# channel-group 1 mode ?
       auto       Enable PAgP only if a PAgP device is detected
       desirable  Enable PAgP unconditionally
       on         Enable Etherchannel only
     ssl-proxy(config-if)#
   Comment:
     After you enter the mode keyword, enter a ? to display what you must enter next on the command line. In this example, you must enter the auto, desirable, or on keyword. Because a <cr> is not displayed, it indicates that you must enter more information to complete the command.

   Command:
     ssl-proxy(config-if)# channel-group 1 mode auto
2. show ssl-proxy mac address

   To display the current MAC address, use the show ssl-proxy mac address command.

   show ssl-proxy mac address

   Syntax Description: This command has no arguments or keywords.
   Defaults: This command has no default settings.
   Command Modes: EXEC
   Command History:
     Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1): Support for this command was introduced on the Catalyst 6500 series switches.
   Examples:
   This example shows how to display the current MAC address that is used in the SSL Services Module:
     ssl-proxy# show ssl-proxy mac address
     STE MAC address: 00e0.b0ff.232
     ssl-proxy#

   Catalyst 6500 Series Switch SSL Services Module Command Reference, OL-9105-01 (page 2-70)
   Chapter 2: Commands for the Catalyst 6500 Series SSL Services Module

   show ssl-proxy natpool

   To display information about the NAT pool, use the show ssl-proxy natpool command.

   show ssl-proxy natpool [name] [context name]

   Syntax Description:
     name: (Optional) NAT pool name.
     context name: (Optional) Context name.
   Defaults: This command has no default settings.
   Command Modes: EXEC
   Command History:
     Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1): Support for this command was introduced on the Catalyst 6500 series switches.
     SSL Services Module Release 3.1(1): This command was changed to add the context name
3. policy url-rewrite (continued)

   url url-string: Specifies the host portion of the URL link to be rewritten; it can have a maximum of 251 characters. You can use the asterisk (*) wildcard only as a prefix or a suffix of a hostname in a rewrite rule. For example, you can use the hostname in one of the following ways:
     - www.cisco.com
     - *.cisco.com
     - wwwin.cisco.*
   clearport port-number: (Optional) Specifies the port portion of the URL link that is to be rewritten; valid values are from 1 to 65535.
   sslport port-number: (Optional) Specifies the port portion of the URL link that is to be written; valid values are from 1 to 65535.

   Enter the no form of the command to remove the policy.

   Examples:
   This example shows how to enter the URL rewrite configuration submode for the test1 policy:
     ssl-proxy(config)# ssl-proxy context s1
     ssl-proxy(config-context)# ssl-proxy policy url-rewrite test1
     ssl-proxy(config-ctx-url-rewrite-policy)#
   This example shows how to define the URL rewrite policy for the test1 policy:
     ssl-proxy(config)# ssl-proxy context s1
     ssl-proxy(config-context)# ssl-proxy policy url-rewrite test1
     ssl-proxy(config-ctx-url-rewrite-policy)# url www.cisco.com clearport 80 sslport 443 redirectonly
     ssl-proxy(config-ctx-url-rewrite-policy)#
   This example shows how to delete the URL rewrite
4. Appendix A  Acronyms

   Table A-1  List of Acronyms (continued)

   STP: Spanning Tree Protocol
   SVC: switched virtual circuit
   SVI: switched virtual interface
   TACACS+: Terminal Access Controller Access Control System Plus
   TARP: Target Identifier Address Resolution Protocol
   TCAM: Ternary Content Addressable Memory
   TCL: table contention level
   TCP/IP: Transmission Control Protocol/Internet Protocol
   TFTP: Trivial File Transfer Protocol
   TIA: Telecommunications Industry Association
   TopN: Utility that allows the user to analyze port traffic by reports
   ToS: type of service
   TLV: type, length, value
   TTL: Time To Live
   TVX: valid transmission
   UDLD: UniDirectional Link Detection Protocol
   UDP: User Datagram Protocol
   UNI: User-Network Interface
   UTC: Coordinated Universal Time
   VACL: VLAN access control list
   VCC: virtual channel circuit
   VCI: virtual circuit identifier
   VCR: Virtual Configuration Register
   VINES: Virtual Network System
   VLAN: virtual LAN
   VMPS: VLAN Membership Policy Server
   VMR: value mask result
   VPN: virtual private network
   VRF: VPN routing and forwarding
   VTP: VLAN Trunking Protocol
   VVID: voice VLAN ID
   WAN: wide area network
   WCCP: Web Cache Coprocessor Protocol
   WFQ: weighted fair queueing
   WRED: weighted random early detection
5. show ssl-proxy service [name] [context name]

   Syntax Description:
     name: (Optional) Service name.
     context name: (Optional) Displays service information for the specified context name.
   Defaults: This command has no default settings.
   Command Modes: EXEC
   Command History:
     Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1): Support for this command was introduced on the Catalyst 6500 series switches.
     SSL Services Module Release 3.1(1): This command was changed to add the context name keyword.
   Examples:
   This example shows how to display all SSL virtual services that are configured on the SSL Services Module:
     ssl-proxy# show ssl-proxy service
     No context name provided, assuming context Default
     Proxy Service Name   Context Name   Admin status   Operation status
     s2                   Default        up             up
     s3                   Default        up             up
     ssl-proxy#
   This example shows how to display a specific SSL virtual service that is configured on the SSL Services Module:
     ssl-proxy# show ssl-proxy service S6
     No context name provided, assuming context Default
     Service id: 1, bound_service_id: 257
     Virtual IP: 10.10.1.104, port: 443
     Server IP: 10.10.1.100, port: 80
     Virtual SSL Policy: SSL1_PLC
     Server TCP Policy: nagle
     TCP Health Probe Policy: tcp-health
     Nat pool: n2
     rsa-general-purpose certificate trustpoint: tptest
6. service client

   Examples:
   This example shows how to enter the client proxy service configuration submode:
     ssl-proxy(config)# ssl-proxy context s1
     ssl-proxy(config-context)# service S7 client
     ssl-proxy(config-ctx-ssl-proxy)#
   This example shows how to configure the certificate for the specified SSL proxy services:
     ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint tp1
     ssl-proxy(config-ctx-ssl-proxy)#
   These examples show how to set a specified command to its default value:
     ssl-proxy(config-ctx-ssl-proxy)# default certificate
     ssl-proxy(config-ctx-ssl-proxy)# default inservice
     ssl-proxy(config-ctx-ssl-proxy)# default nat
     ssl-proxy(config-ctx-ssl-proxy)# default server
     ssl-proxy(config-ctx-ssl-proxy)# default virtual
     ssl-proxy(config-ctx-ssl-proxy)#
   This example shows how to configure a virtual IP address for the specified virtual server:
     ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 207.59.100.20 protocol tcp port 443
     ssl-proxy(config-ctx-ssl-proxy)#
   This example shows how to configure the SSL policy for the specified virtual server:
     ssl-proxy(config-ctx-ssl-proxy)# virtual policy ssl sslpl1
     ssl-proxy(config-ctx-ssl-proxy)#
   This example shows how to configure the TCP policy for the specified virtual server:
     ssl-proxy(config-ctx-ssl-proxy)# virtual policy tcp tcppl1
     ssl-proxy(config-ctx-ssl-pr
7. policy url-rewrite

   To enter the URL rewrite configuration submode, use the policy url-rewrite command. In URL rewrite configuration submode, you can define the URL rewrite content policy that is applied to the payload.

   policy url-rewrite url-rewrite-policy-name

   Syntax Description:
     url-rewrite-policy-name: URL rewrite policy name.
   Defaults: This command has no default settings.
   Command Modes: Context subcommand mode
   Command History:
     SSL Services Module Release 2.1(1): Support for this command was introduced on the Catalyst 6500 series switches.
     SSL Services Module Release 3.1(1): The policy url-rewrite command entered in context subcommand mode replaces the ssl-proxy policy url-rewrite command entered in global subcommand mode.
   Usage Guidelines:
   URL rewrite allows you to rewrite redirection links only. A URL rewrite policy consists of up to 32 rewrite rules for each SSL proxy service. Table 2-6 lists the commands that are available in proxy-policy configuration submode.

   Table 2-6  Proxy-policy Configuration Submode Command Descriptions
     default: Sets a command to its default settings.
     exit: Exits from proxy-policy configuration submode.
     help: Provides a description of the interactive help system.
     [no] url url-string [clearport port-number] [sslport port-number]: Allows you to configure the URL string to be rewritten. Use the no form of this command to remove the policy.
8.   yes
     Writing file to tftp://10.1.1.1/tp99.crt
     ssl-proxy(config)#

   crypto pki import pem

   To import a PEM-formatted file to the SSL Services Module, use the crypto pki import pem command.

   crypto pki import trustpoint_label pem [exportable] {terminal | url url} [usage-keys] pass_phrase

   Syntax Description:
     trustpoint_label: Name of the trustpoint.
     exportable: (Optional) Specifies the key that can be exported.
     terminal: Displays the request on the terminal.
     url url: Specifies the URL location. Valid values are as follows:
       - ftp: Exports to the FTP file system
       - null: Exports to the null file system
       - nvram: Exports to the NVRAM file system
       - rcp: Exports to the RCP file system
       - scp: Exports to the SCP file system
       - system: Exports to the system file system
       - tftp: Exports to the TFTP file system
     pass_phrase: Pass phrase.
     usage-keys: Specifies that two special-usage key pairs should be generated instead of one general-purpose key pair.
   Defaults: This command has no default settings.
   Command Modes: Global configuration
   Command History:
     SSL Services Module Support for this
9.   Exports to the TFTP file system
     3des: Specifies the 168-bit DES (3DES) encryption algorithm.
     des: Specifies the 56-bit DES-CBC encryption algorithm.
     exportable: (Optional) Specifies that the key can be exported.
     pass_phrase: Pass phrase.
   Defaults: This command has no default settings.
   Command Modes: Global configuration
   Command History:
     SSL Services Module Release 1.2(1): Support for this command was introduced on the Catalyst 6500 series switches.
   Usage Guidelines:
   The pass phrase can be any phrase, including spaces and punctuation, except for the question mark (?), which has a special meaning to the Cisco IOS parser. Pass phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.

   crypto key export rsa pem

   Examples:
   This example shows how to export a key from the SSL Services Module:
     ssl-proxy(config)# crypto key export rsa test-keys pem url scp: 3des password
     % Key name: test-keys
        Usage: General Purpose Key
     Exporting public key...
     Address or name of remote host []? 7.0.0.7
     Destination username [ssl-proxy]? lab
     Destination filename [test-keys.pub]?
     Password:
     Writing test-keys.pub Writing file to scp://lab@7.0.0.7/test-keys.pub
     Password:
     Exp
10. Regular expressions are case sensitive and allow for complex matching requirements. Examples of simple regular expressions are Serial, misses, and 138. Examples of complex regular expressions are 00210..., ( is ), and [Oo]utput.

    You can perform three types of filtering:
      - Use the begin keyword to begin output with the line that contains a specified regular expression.
      - Use the include keyword to include output lines that contain a specified regular expression.
      - Use the exclude keyword to exclude output lines that contain a specified regular expression.

    You can then search this filtered output at the --More-- prompts.

    Note: The CLI string search function does not allow you to search or filter backward through previous output; filtering cannot be specified using HTTP access to the CLI.

    Regular Expressions

    A regular expression can be a single character that matches the same single character in the command output, or multiple characters that match the same multiple characters in the command output. This section describes how to create both single-character patterns and multiple-character patterns, and how to create more complex regular expressions using multipliers, alternation, anchoring, and parentheses.

    Single-Character Patterns

    The simplest regular expression is a single character that matches the same single character in the command output. You can use any letter (A-Z, a-z) or digit (0-9) as a single-character pattern. You can also use o
11. Table A-1  List of Acronyms (continued)

    WRR: weighted round-robin
    XNS: Xerox Network System

    Acknowledgments for Open Source Software

    The software pipe command in the Cisco IOS software on the Catalyst 6500 series switches uses Henry Spencer's regular expression library (regex).

    Henry Spencer's regular expression library (regex)

    Copyright 1992, 1993, 1994, 1997 Henry Spencer. All rights reserved. This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California.

    Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it, subject to the following restrictions:
      1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it.
      2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the documentation.
      3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits must appear in the documentation.
      4. This notic
12.   Trust Point: t6
      Key Pair Name: k6
      Key Usage: RSA General Purpose, Not Exportable
      Time of Key Generation: 00:28:28 UTC Mar 1 1993
      Subject Name: CN=host1.cisco.com, OID.1.2.840.113549.1.9.2=simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8=207.79.1.8, OID.2.5.4.5=B0FFF235
      Issuer Name: CN=SimpsonTestCA, OU=Simpson Lab, O=Cisco Systems, L=San Jose, ST=CA, C=US, EA=<16> simpson-pki@cisco.com
      Serial Number: 5CB5CFD6000100000D97
      Validity Start Time: 19:30:26 UTC Oct 30 2002
      End Time: 19:40:26 UTC Oct 30 2003
      Renew Time: 00:00:00 UTC Jan 1 1970
      End of Certificate Record
      Total number of certificate history records displayed: 4
      ssl-proxy#

    Related Commands

    show ssl-proxy certificate-history

    This example shows how to display the certificate record for a specific proxy service:
      ssl-proxy# show ssl-proxy certificate-history service s6
      Record 3, Timestamp: 00:01:34 16:37:18 UTC Oct 31 2002
        Installed Server Certificate, Index 7
        Proxy Service: s6, Trust Point: t10
        Key Pair Name: k10, Key Usage: RSA General Purpose, Exportable
        Time of Key Generation: 07:56:43 UTC Oct 11 2002
        Subject Name: CN=host1.cisco.com, OID.1.2.840.113549.1.9.2=simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8=207.79.1.9, OID.2.5.4.5=B0FFF235
        Issuer Name: CN=SimpsonTestCA
13.   X.509 basic constraints
      ClientCert-X509v3-Key-Usage: X.509 key usage
      ClientCert-X509v3-Subject-Alternative-Name: X.509 subject alternative name
      ClientCert-X509v3-CRL-Distribution-Points: X.509 CRL distribution points
      ClientCert-X509v3-Authority-Information-Access: X.509 authority information access
      ClientCert-Signature-Algorithm: Certificate signature algorithm
      ClientCert-Signature: Certificate signature

    - Client Certificate in PEM format: When you specify client-cert-pem, the SSL module sends the entire client certificate in PEM format.
    - Client IP and Port Address: Network address translation (NAT) removes the client IP address and port information. When you specify client-ip-port, the SSL module inserts the client IP address and information about the client port into the HTTP header, allowing the server to see the client IP address and port.
    - Custom: When you specify custom custom-string, the SSL module inserts the user-defined header into the HTTP header.
    - Prefix: When you specify prefix prefix-string, the SSL module adds the specified prefix into the HTTP header to enable the server to identify that the connections are coming from the SSL module, not from other appliances.
    - Header alias: Some applications use different names for the standard header. You can create an alias for the standard name of the header so that the same value is passed using the aliased name instead of th
14.   clear ssl-proxy session  2-4
      clear ssl-proxy stats  2-5
      crypto pki export pem  2-7
      crypto pki import pem  2-9
      crypto pki export pkcs12  2-11
      crypto pki import pkcs12  2-13
      crypto key decrypt rsa  2-15
      crypto key encrypt rsa  2-16
      crypto key export rsa pem  2-17
      crypto key import rsa pem  2-19
      crypto key lock rsa  2-21
      crypto key unlock rsa  2-22
      debug ssl-proxy  2-23
      do  2-26
      interface ssl-proxy  2-27
      natpool  2-30
      policy health-probe tcp  2-31
      policy http-header  2-34
      policy ssl  2-39
      policy tcp  2-45
      policy url-rewrite  2-49
      poolca  2-51
      service  2-52
      service client  2-56
      show interfaces ssl-proxy  2-59
      show ssl-proxy buffers  2-60
      show ssl-proxy certificate-history  2-61
      show ssl-proxy conn  2-64
      show ssl-proxy context  2-67
      show ssl-proxy crash-info  2-68
      show ssl-proxy mac address  2-70
      show ssl-proxy natpool  2-71
      show ssl-proxy policy  2-72
      show ssl-proxy service  2-75
      show ssl-proxy stats  2-77
      show ssl-proxy status  2-82
      show ssl-proxy version  2-84
      show ssl-proxy vlan  2-85
      snmp-server enable  2-86
      ssl-proxy context  2-87
      ssl-proxy crypto selftest  2-89
      ssl-proxy mac address  2-90
      ssl-proxy pki  2-91
      ssl-proxy crypto key unlock rsa  2-93
      ssl-proxy ip frag ttl  2-94
      ssl-proxy ssl ratelimit  2-95
      standby authentication  2-96
      standby delay minimum rel
15. This example shows how to configure the method for certificate verification:
      ssl-proxy(config-ctx-ssl-proxy)# authenticate verify all
      ssl-proxy(config-ctx-ssl-proxy)#
    This example shows how to configure the certificate for the specified SSL proxy services:
      ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint tp1
      ssl-proxy(config-ctx-ssl-proxy)#
    These examples show how to set a specified command to its default value:
      ssl-proxy(config-ctx-ssl-proxy)# default certificate
      ssl-proxy(config-ctx-ssl-proxy)# default inservice
      ssl-proxy(config-ctx-ssl-proxy)# default nat
      ssl-proxy(config-ctx-ssl-proxy)# default server
      ssl-proxy(config-ctx-ssl-proxy)# default virtual
      ssl-proxy(config-ctx-ssl-proxy)#
    This example shows how to apply a trusted certificate authenticate configuration to a proxy server:
      ssl-proxy(config-ctx-ssl-proxy)# trusted-ca test1
      ssl-proxy(config-ctx-ssl-proxy)#
    This example shows how to configure a virtual IP address for the specified virtual server:
      ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 207.59.100.20 protocol tcp port 443
      ssl-proxy(config-ctx-ssl-proxy)#
    This example shows how to configure the SSL policy for the specified virtual server:
      ssl-proxy(config-ctx-ssl-proxy)# virtual policy ssl sslpl1
      ssl-proxy(config-ctx-ssl-proxy)#
    This example shows how to configure the TCP policy for
16.   ssl-proxy(config-context)# service ssloffload
      ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443
      ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
      ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024
      ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
      ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
      ssl-proxy(config-ctx-ssl-proxy)# inservice
      ssl-proxy(config-ctx-ssl-proxy)# exit
      ssl-proxy(config-context)# policy health-probe tcp probe1
      ssl-proxy(config-ctx-tcp-probe)# port 81
      Warning: Port in the service ssloffload configuration (80) differs from the port in the ssl health probe configuration (81)
      ssl-proxy(config-ctx-tcp-probe)# exit
      ssl-proxy(config-context)#

    This example shows how to configure TCP health probe to check whether service at port 80 is up and running on virtual IP address 7.100.100.180:
      ssl-proxy(config-context)# service ssloffload
      ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443
      ssl-proxy(config-ctx-ssl-proxy)# ser
17.   109
      MAC address, configuring  2-101
      preemption delay
        configuring  2-105
        restoring default  2-105
      priority, configuring  2-107
      restoring preemption delay default  2-105
      virtual MAC address, configuring  2-101
    HSRP (Hot Standby Router Protocol)
      burned-in address  2-115
      MAC refresh interval  2-103
      password, configuring  2-96
      timers, setting  2-111
    HTTP header
      configuring policy  2-34
      displaying policy information  2-72
      entering insertion configuration submode  2-34
    inter-card communication  See ICC
    interface configuration mode
      summary  1-6
      table defining modes  1-6
    intermediate system-to-intermediate system  See IS-IS
    Internet Group Management Protocol  See IGMP
    Internetwork Packet Exchange  See IPX
    interprocessor communication  See IPC
    Inter-Switch Link VLANs  See ISL VLANs

    L

    Link Aggregation Control Protocol  See LACP
    maintenance loop signaling entity  See MLSE
    MDSS (Multicast Distributed Shortcut Switching)
    Media Access Control  See MAC address table
    message digest 5  See MD5
    message of the day  See MOTD
    MLSM (multilayer switching for multicast)
    modes  See command modes
    more commands
      filter  1-7
      search  1-7
    --More-- prompt  1-7
      filter  1-7
      search  1-7
    Multilayer Switch Feature Card  See MSFC
    Multilayer Switching  See MLS
    multiple-character patterns  1-9
    Multiple Spanning Tree  See MST
    Multiprotocol Label Switch
18.   (remainder of the RSA modulus hex dump omitted)
      SSL-OFFLOAD-ClientCert-RSA-Exponent: 00 01 00 01
      SSL-OFFLOAD-ClientCert-X509v3-Authority-Key-Identifier: keyid:EE:EF:5B:BD:4D:CD:F5:6B:60:9D:CF:46:C2:EA:25:7B:22:A5:08:00
      SSL-OFFLOAD-ClientCert-X509v3-Basic-Constraints:
      SSL-OFFLOAD-ClientCert-Signature-Algorithm: sha1WithRSAEncryption
      SSL-OFFLOAD-ClientCert-Signature: (signature hex dump omitted)
      SSL-OFFLOAD-ClientCert-X509v3-Subject-Alternative-Name: ipAddress:192.168.1.100, rfc822Name:my@other.com
      SSL-OFFLOAD-ClientCert-X509v3-Key-Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Key Cert Sign, CRL Signature, Encipher Only, Decipher Only
      SSL-OFFLOAD-ClientCert-X509v3-Authority-Information-Access: Access Method: OCSP, Access Location: http://ocsp.my.host
      SSL-OFFLOAD-ClientCert-X509v3-CRL-Distribution-Points: http://myhost.com/myca.crl

    Related Commands: show ssl-proxy policy

    policy ssl

    To enter the SSL policy configuration submode, use the policy ssl command. In the SSL policy configur
19.   Allows you to configure the connection establishment timeout; valid values are from 5 to 75 seconds. Use the no form of this command to return to the default setting.

    Table 2-5  Proxy-policy TCP Configuration Submode Command Descriptions (continued)

    [no] timeout reassembly time: Allows you to configure the amount of time in seconds before the reassembly queue is cleared; valid values are from 0 to 960 seconds (0 = disabled). If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped. Use the no form of this command to return to the default setting.

    [no] tos carryover: Forwards the type of service (ToS) value to all packets within a flow.
      Note: If the policy is configured as a server TCP policy, the ToS value is sent from the server to the client. If the policy is configured as a virtual policy, the ToS value is sent from the client to the server.
      Note: The ToS value needs to be learned before it can be propagated. For example, when a ToS value is configured to be propagated from the server-to-client connection, the server connection must be established before the value is learned and propagated. Therefore, some of the init
20.   Certificate chain for new connections:
        Certificate:
          Key Label: mytp, 1024-bit, not exportable
          Key Timestamp: 07:21:09 UTC Apr 20 2005
          Serial Number: 0FE5
        Root CA Certificate:
          Serial Number: 01
      Certificate chain complete
      Context name: Default
      Context Id: 0
      Admin Status: up
      Operation Status: up
      ssl-proxy#

    This example shows how to display a specific SSL virtual service on a specific context that is configured on the SSL Services Module:
      ssl-proxy# show ssl-proxy service s2 context c1
      Service id: 214, bound_service_id: 470
      Virtual IP: 10.12.0.2, port: 443
      Server IP: 10.0.207.203, port: 80
      TCP Health Probe Policy: h1
      rsa-general-purpose certificate trustpoint: mytp
      Certificate chain for new connections:
        Certificate:
          Key Label: mytp, 1024-bit, not exportable
          Key Timestamp: 07:21:09 UTC Apr 20 2005
          Serial Number: 0FE5
        Root CA Certificate:
          Serial Number: 01
      Certificate chain complete
      Context name: c1
      Context Id: 167
      Admin Status: up
      Operation Status: up
      ssl-proxy#

    Related Commands: service, service client

    show ssl-proxy stats

    To display information about the statistics counter, use the show ssl-proxy stats command.

    show ssl-proxy stats [type]

    Syntax Description:
      type: (Optional) Information type; valid values are content, context, crypto
21. standby redirects

    The no standby redirects command is the same as the standby redirects disable command. We do not recommend that you save the no form of this command to NVRAM. Because the command is enabled by default, we recommend that you use the standby redirects disable command to disable the functionality.

    With the standby redirects command enabled, the real IP address of a router can be replaced with a virtual IP address in the next-hop address or gateway field of the redirect packet. HSRP looks up the next-hop IP address in its table of real IP addresses versus virtual IP addresses. If HSRP does not find a match, the HSRP router allows the redirect packet to go out unchanged. The host HSRP router is redirected to a router that is unknown, that is, a router with no active HSRP groups. You can specify the no standby redirects unknown command to stop these redirects from being sent.

    Examples:
    This example shows how to allow HSRP to filter ICMP redirect messages:
      ssl-proxy(config-subif)# standby redirects
      ssl-proxy(config-subif)#
    This example shows how to change the HSRP router advertisement interval to 90 seconds and the holddown timer to 270 seconds on interface Ethernet 0:
      ssl-proxy(config-subif)# standby redirects timers 90 270
      ssl-proxy(config-subif)#

    Related Commands: show standby, show standby redirect
22.   Issuer Name: OU=Simpson Lab, O=Cisco Systems, L=San Jose, ST=CA, C=US, EA=<16> simpson-pki@cisco.com
      Serial Number: 24BC81B7000100000D85
      Validity Start Time: 22:38:00 UTC Oct 19 2002
      End Time: 22:48:00 UTC Oct 19 2003
      Renew Time: 00:00:00 UTC Jan 1 1970
      End of Certificate Record
      Record 4, Timestamp: 00:01:40 16:37:23 UTC Oct 31 2002
        Deleted Server Certificate, Index 0
        Proxy Service: s6, Trust Point: t6
        Key Pair Name: k6, Key Usage: RSA General Purpose, Not Exportable
        Time of Key Generation: 00:28:28 UTC Mar 1 1993
        Subject Name: CN=host1.cisco.com, OID.1.2.840.113549.1.9.2=simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8=207.79.1.8, OID.2.5.4.5=B0FFF235
        Issuer Name: CN=SimpsonTestCA, OU=Simpson Lab, O=Cisco Systems, L=San Jose, ST=CA, C=US, EA=<16> simpson-pki@cisco.com
        Serial Number: 5CB5CFD6000100000D97
        Validity Start Time: 19:30:26 UTC Oct 30 2002
        End Time: 19:40:26 UTC Oct 30 2003
        Renew Time: 00:00:00 UTC Jan 1 1970
        End of Certificate Record
      Total number of certificate history records displayed: 2

    Related Commands: service

    show ssl-proxy conn

    To display the TCP connections from the SSL Services Module, use the show ssl-proxy conn command.

    show ssl-proxy conn 4tuple local ip local-ip-ad
23. standby priority

    To configure the priority for HSRP, use the standby priority command. Use the no form of this command to restore the default values.

    standby [group-number] priority priority
    no standby [group-number] priority priority

    Syntax Description:
      group-number: (Optional) Group number on the interface to which the other arguments in this command apply.
      priority: Priority value that prioritizes a potential hot standby router; valid values are from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority.
    Defaults: The defaults are as follows:
      - group-number is 0
      - priority is 100
    Command Modes: Subinterface configuration submode
    Command History:
      SSL Services Module Release 2.1(1): Support for this command was introduced on the Catalyst 6500 series switches.
      SSL Services Module Release 3.1(1): The command mode for this command was changed from Proxy VLAN to Subinterface.
    Usage Guidelines:
    The router in the HSRP group with the highest priority value becomes the active router. When you use group number 0, no group number is written to NVRAM, providing backward compatibility. The assigned priority is used to help select the active and standby routers. Assuming that preemption is enabled, the router with the highest priority becomes the designated active router. In case of ties, the primary IP addresses are co
24.   SSL Services Module Release 1.1(1)
      SSL Services Module Release 1.2(1): The output of the show ssl-proxy status command was changed to include statistics that are displayed at a 5-second, 1-minute, and 5-minute traffic rate for CPU utilization.
      SSL Services Module Release 3.1(1): This command was changed to add the following keywords:
        - fdu
        - ssl
        - tcp

    This example shows how to display the status of the SSL Services Module:
      ssl-proxy# show ssl-proxy status
      FDU cpu is alive
      FDU cpu utilization:
        process util: 0            interrupt util: 0
        proc cycles: 0x2DB3980C    int cycles: 0x2ADACD71
        total cycles: 0x4E75127FCEA4
        process util (5 sec): 0    interrupt util (5 sec): 0
        process util (1 min): 0    interrupt util (1 min): 0
        process util (5 min): 0    interrupt util (5 min): 0

      TCP cpu is alive
      TCP cpu utilization:
        process util:
        proc cycles: 0x2E42C686
        total cycles: 0x4E799DB3F5F8
        process util (5 sec):
        process util (1 min): 0
        process util (5 min): 0

      SSL cpu is alive
      SSL cpu utilization:
        process util: 0
        proc cycles: 0x9E396A4
        total cycles: 0x4E798224EDC1
        process util (5 sec):
        process util (1 min): 0
        process util (5 min): 0
        interrupt util: 0
        int cycles: 0x47F7C36A9
Services Module:

  ssl-proxy# show ssl-proxy policy ssl ssl-policy1
  No context name provided, assuming context Default
  Cipher suites: None configured (default ciphers included)
      rsa-with-rc4-128-md5
      rsa-with-rc4-128-sha
      rsa-with-des-cbc-sha
      rsa-with-3des-ede-cbc-sha
  SSL Versions enabled: SSL3.0 TLS1.0
  close-protocol: default (close_notify sent but not expected from peer)
  Session Cache: enabled
  Session timeout: 72000 seconds
  Renegotiation timeout: 100 seconds
  Handshake timeout: not configured (never times out)
  TLS Rollback: default (version number rollback not allowed)
  No. of policy users: 0
  ssl-proxy#

This example shows how to display policy information about a specific TCP policy that is configured on the SSL Services Module:

  ssl-proxy# show ssl-proxy policy tcp tcp-policy1
  No context name provided, assuming context Default
  MSS                    1460
  SYN timeout            75
  Idle timeout           600
  FIN wait timeout       75
  Reassembly timeout     60
  Persist timeout        0
  Rx Buffer Share        32768
  Tx Buffer Share        65536
  TOS Carryover          Disabled
  Delayed ACK timer      200
  Delayed ACK Threshold  2
  Nagle algorithm        Enabled
  Forced ACK             Enabled
  No. of policy users:   0
  ssl-proxy#

This example shows how to display information about the URL rewrite policy:

  ssl-proxy# show ssl-pr
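The default SSL policy shown above enables SSL3.0 and cipher suites built on RC4, MD5 and single DES, all of which have since been deprecated (RC4 by RFC 7465, SSLv3 by RFC 7568; DES and 3DES use a 64-bit block). The following Python script is an added example, not Cisco code: it parses the text layout of show ssl-proxy policy ssl as reproduced on this page and reports which configured suites and versions a reviewer should flag. The sample output is a constructed copy of the ssl-policy1 listing, and the weakness rules are the reviewer's, not something the module reports.

```python
"""Audit the cipher suites and protocol versions reported by
'show ssl-proxy policy ssl'. Added example for this page, not Cisco code.
SAMPLE_OUTPUT is constructed to match the ssl-policy1 listing above."""
import re

SAMPLE_OUTPUT = """\
ssl-proxy# show ssl-proxy policy ssl ssl-policy1
No context name provided, assuming context Default
Cipher suites: None configured (default ciphers included)
    rsa-with-rc4-128-md5
    rsa-with-rc4-128-sha
    rsa-with-des-cbc-sha
    rsa-with-3des-ede-cbc-sha
SSL Versions enabled: SSL3.0 TLS1.0
close-protocol: default (close_notify sent but not expected from peer)
Session Cache: enabled
Session timeout: 72000 seconds
"""

# Substring of a suite name -> why it is flagged (reviewer's rules).
WEAK_CIPHER_PATTERNS = {
    "rc4": "RC4 stream cipher, prohibited for TLS by RFC 7465",
    "md5": "MD5-based MAC",
    "des-cbc": "single DES, 56-bit key",
    "3des": "3DES, 64-bit block cipher (Sweet32)",
}
WEAK_VERSIONS = {
    "SSL2.0": "SSLv2",
    "SSL3.0": "SSLv3, deprecated by RFC 7568",
}
# Cisco suite names are lower-case tokens joined by hyphens.
CIPHER_NAME = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)+")


def parse_policy(text):
    """Return (cipher_suites, versions) from the show output.

    Suite names are the indented lines between 'Cipher suites:' and the
    'SSL Versions enabled:' line; versions are the tokens on that line."""
    ciphers, versions = [], []
    in_cipher_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Cipher suites:"):
            in_cipher_list = True
        elif line.startswith("SSL Versions enabled:"):
            in_cipher_list = False
            versions = line.split(":", 1)[1].split()
        elif in_cipher_list and CIPHER_NAME.fullmatch(line):
            ciphers.append(line)
    return ciphers, versions


def audit_policy(text):
    """Return a list of (item, reason) findings; empty means nothing weak."""
    ciphers, versions = parse_policy(text)
    findings = []
    for suite in ciphers:
        for needle, reason in WEAK_CIPHER_PATTERNS.items():
            if needle in suite:
                findings.append((suite, reason))
    for version in versions:
        if version in WEAK_VERSIONS:
            findings.append((version, WEAK_VERSIONS[version]))
    return findings


if __name__ == "__main__":
    for item, reason in audit_policy(SAMPLE_OUTPUT):
        print(f"WEAK  {item:28} {reason}")
```

Run against the sample, every default suite and SSL3.0 are flagged; a policy that lists only an AES suite and TLS1.0 produces no findings. The parser keys on the literal "Cipher suites:" and "SSL Versions enabled:" labels, so a changed output layout will yield an empty cipher list rather than a false pass; check that parse_policy returns something before trusting an empty audit.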
show ssl-proxy conn

Command History
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)   This command was changed to add the following keywords: context name, module module.

Examples
These examples show different ways to display the TCP connections that are established from the SSL Services Module:

  ssl-proxy# show ssl-proxy conn
  Connections for TCP module 1
  Local Address         Remote Address         VLAN  Conid  Send-Q  Recv-Q  State
  2.0.0.10:4430         1.200.200.14:48582     2     0      0       0       ESTAB
  1.200.200.14:48582    2.100.100.72:80        2     1      0       0       ESTAB
  2.0.0.10:4430         1.200.200.14:48583     2     2      0       0       ESTAB
  1.200.200.14:48583    2.100.100.72:80        2     3      0       0       ESTAB
  2.0.0.10:4430         1.200.200.14:48584     2     4      0       0       ESTAB
  1.200.200.14:48584    2.100.100.72:80        2     5      0       0       ESTAB
  2.0.0.10:4430         1.200.200.14:48585     2     6      0       0       ESTAB
  1.200.200.14:48585    2.100.100.72:80        2     7      0       0       ESTAB
  2.0.0.10:4430         1.200.200.14:48586     2     8      0       0       ESTAB
  1.200.200.14:48586    2.100.100.72:80        2     9      0       0       ESTAB

  ssl-proxy# show ssl-proxy conn 4tuple local port 443
  Connections for TCP module 1
  Local Address         Remote Address         VLAN  Conid  Send-Q  Recv-Q  State
  2.50.50.133:443       1.200.200.12:39728     2     3676
  SSL Services Module Release 1.2(1)   This command was changed to add the timeout reassembly time subcommand.
  SSL Services Module Release 2.1(4)   This command was changed to add the tos carryover subcommand.
  SSL Services Module Release 3.1(1)   The policy tcp command entered in context subcommand mode replaces the ssl-proxy policy tcp command entered in global subcommand mode. This command was changed to add the following submode commands: forced-ack, nagle.

policy tcp

Usage Guidelines
After you define the TCP policy, you can associate the TCP policy with a proxy server using the proxy policy TCP configuration submode commands. Each proxy policy TCP configuration submode command is entered on its own line. Table 2-5 lists the commands that are available in proxy policy TCP configuration submode.

Table 2-5  Proxy Policy TCP Configuration Submode Command Descriptions
  Syntax                                       Description
  [no] buffer-share rx buffer-limit-in-bytes   Allows you to configure the maximum size of the receive buffer share per connection; valid values are from 8192 to 262144. Use the no form of this command to return to the default setting.
  [no] buffer-share tx buffer-limit-in-bytes   Allows you to configure the maximum size of the transmit buffer share per connection; valid values are from 8192 to 262144. Use the no form of this command to retu
VLAN access control lists   See VACL.
VMR   acronym for value mask result

W

Web Cache Coprocessor Protocol   See WCCP.
weighted random early detection   See WRED.
weighted round robin   See WRR.
a command does.

Configuration commands can have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default form of the command enables the command and sets variables to their default values. This publication describes what the default form of a command does if the command is not the same as the no form.

Using the CLI String Search

The pattern in the command output is referred to as a string. The CLI string search feature allows you to search or filter any show or more command output, and allows you to search and filter at --More-- prompts. This feature is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see. With the search function, you can begin unfiltered output at the first line that contains a regular expression that you specify. You can then specify a maximum of one filter per command or start a new search from the --More-- prompt.

A regular expression is a pattern (a phrase, number, or more complex pattern) that software uses to match against show or more command output.
and a subnet mask. Enter the secondary keyword to make this IP address a secondary address.
  no   Negates a command or sets its defaults.

Table 2-1  Subinterface Configuration Submode Command Descriptions (continued)
  Syntax                                                                   Description
  [no] shutdown                                                            Shuts down the subinterface. Use the no form of this command to put the subinterface in service.
  standby [group-number] authentication text-string                        Configures redundancy on the subinterface. See the following commands:
  standby [group-number] delay minimum min-delay reload reload-delay         - standby authentication
  standby [group-number] ip ip-address [secondary]                           - standby delay minimum reload
  standby [group-number] mac-address mac-address                             - standby ip
  standby [group-number] mac-refresh seconds                                 - standby mac-address
  standby [group-number] name group-name                                     - standby mac-refresh
  standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}]   - standby name
  standby [group-number] priority priority                                   - standby preempt
  standby [group-number] redirects {enable | disable} timers advertisement holddown    - standby priority
  standby [group-number] timers [msec] hellotime [msec] holdtime             - standby redirects
  standby [group-number] track object-number [decrement priority]            - standby timers
  standby [group-number] version {1 | 2}                                     - standby track
                                                                             - standby use-bia
                                                                             - standby version
  timeout absolute minutes seconds                                         Sets the session timeout values for th
and unlocked:

  ssl-proxy(config)# crypto key encrypt rsa name pki-172a.cisco.com passphrase cisco1234
  ssl-proxy(config)# exit
  ssl-proxy# show crypto key mypubkey rsa
  Key name: pki-172a.cisco.com
   Usage: General Purpose Key
   The key is protected and UNLOCKED.
   Key is not exportable.
   Key Data:
    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC1A 1D23B52C
  Key pair was generated at: 00:15:32 GMT Jun 25 2003
  ssl-proxy#

Related Commands
  crypto key decrypt rsa
  crypto key lock rsa
  crypto key unlock rsa

crypto key export rsa pem

To export a PEM-formatted RSA key to the SSL Services Module, use the crypto key export rsa pem command.

crypto key export rsa keylabel pem {terminal | url url} {3des | des} exportable pass_phrase

Syntax Description
  keylabel    Name of the key.
  terminal    Displays the request on the terminal.
  url url     Specifies the URL location. Valid values are as follows:
              - ftp: Exports to the FTP file system.
              - null: Exports to the null file system.
              - nvram: Exports to the NVRAM file system.
              - rcp: Exports to the RCP file system.
              - scp: Exports to the SCP file system.
              - system: Exports to the system file system.
              - tftp
can also specify a pattern containing multiple characters. You create multiple-character regular expressions by joining letters, digits, or keyboard characters that do not have special meaning. For example, a4% is a multiple-character regular expression. Put a backslash in front of the keyboard characters that have special meaning when you want to remove their special meaning.

With multiple-character patterns, order is important. The regular expression a4% matches the character a followed by a 4 followed by a % sign. If the string does not have a4% in that order, pattern matching fails. The multiple-character regular expression a. uses the special meaning of the period character to match the letter a followed by any single character. With this example, the strings ab, a!, or a2 are all valid matches for the regular expression.

You can remove the special meaning of the period character by putting a backslash in front of it. In the following expression, a\., only the string a. matches this regular expression.

You can create a multiple-character regular expression containing all letters, all digits, all keyboard characters, or a combination of letters, digits, and other keyboard characters. These examples are all valid regular expressions: telebit, 3107, v32bis.

You can create more complex regular expressions to match multiple occurrences of a specified regular expression by using some special characters with your single- and multiple-character
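The filter semantics described above (begin starts unfiltered output at the first matching line, include keeps only matching lines, exclude drops them, and a backslash strips the special meaning of a character such as the period) are easy to get wrong when scripting against saved show output. The Python below is an added example, not part of the original page or Cisco software: it applies one CLI-style filter to a list of output lines and shows the a. versus a\. distinction. The show-output lines are constructed in the style of show ssl-proxy conn.

```python
"""CLI-style '| begin', '| include' and '| exclude' filtering over saved
show output. Added example for this page, not Cisco code; SHOW_OUTPUT is
constructed in the style of the 'show ssl-proxy conn' listing."""
import re

SHOW_OUTPUT = [
    "Connections for TCP module 1",
    "Local Address      Remote Address      VLAN Conid State",
    "2.0.0.10:4430      1.200.200.14:48582  2    0     ESTAB",
    "2.50.50.133:443    1.200.200.12:39728  2    3676  TWAIT",
    "2.0.0.10:4430      1.200.200.14:48583  2    2     ESTAB",
]


def filter_output(lines, mode, pattern):
    """Apply one filter to a list of output lines.

    mode is 'begin', 'include' or 'exclude'. pattern is a regular
    expression searched anywhere in each line (re.search), which is how
    the CLI treats the string you type after the pipe."""
    regex = re.compile(pattern)
    if mode == "begin":
        # Unfiltered output from the first line that matches onward.
        for index, line in enumerate(lines):
            if regex.search(line):
                return lines[index:]
        return []
    if mode == "include":
        return [line for line in lines if regex.search(line)]
    if mode == "exclude":
        return [line for line in lines if not regex.search(line)]
    raise ValueError("unknown filter mode: " + mode)


if __name__ == "__main__":
    for line in filter_output(SHOW_OUTPUT, "include", "ESTAB"):
        print(line)
    # '.' matches any character; r'a\.' matches only a literal period.
    print(filter_output(["ab", "a.", "a2"], "include", "a."))
    print(filter_output(["ab", "a.", "a2"], "include", r"a\."))
```

Note that begin returns an empty list when nothing matches, which is what the CLI shows as well; a script that treats empty output as "no connections" rather than "pattern not found" will draw the wrong conclusion, so test the pattern on a line you know is present first.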
cipher s use size

Table 2-3 lists the commands available in HTTP header insertion configuration submode.

Table 2-3  HTTP Header Insertion Configuration Submode Command Descriptions
  Syntax                                  Description
  alias user-defined-name standard-name   Specifies the alias name of the header.
                                          Note: You can configure only one alias per standard name. You cannot configure the same alias name for multiple standard names.
  client-cert [pem]                       Allows the back-end server to see the attributes of the client certificate that the SSL module has authenticated and approved.
                                          Note: You can insert the headers listed below by entering the client-cert command, or you can send the entire client certificate in PEM format by entering the client-cert pem command.
                                          Note: The client certificate headers or the client certificate in PEM format are inserted only if the policy's service is configured for client authentication. The root CA and intermediate CA certificates will not be inserted when the client certificate is inserted in the HTTP header.
  client-ip-port                          Inserts the client IP address and information about the client port into the HTTP
  SSL Services Module Release 1.2(1)   Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)   The syntax for this command changed from crypto ca to crypto pki.

Usage Guidelines
You will receive an error if you enter the pass phrase incorrectly. The pass_phrase can be any phrase, including spaces and punctuation, except for the question mark (?), which has a special meaning to the Cisco IOS parser.

Pass phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.

When importing RSA keys, you can use a public key or its corresponding certificate.

crypto pki import pem

The crypto pki import pem command imports only the private key (.prv), the server certificate (.crt), and the issuer CA certificate (.ca). If you have more than one level of CA in the certificate chain, you need to import the root and subordinate CA certificates before this command is issued for authentication. Use cut-and-paste or TFTP to import the root and subordinate CA certificates.

Examples
This example shows how to import a PEM-formatted file from the SSL Services Module:

  ssl-proxy(config)# crypto pki import TP5 pem url tftp://10.1.1.1/TP5 password
  % Importing CA
configured HTTP header policies.
  ssl           Displays the configured SSL policies.
  tcp           Displays the configured TCP policies.
  url-rewrite   Displays the configured URL rewrite policies.
  name          (Optional) Policy name.

Defaults
  This command has no default settings.

Command Modes
  EXEC

Command History
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 2.1(1)   This command was changed to include the http-header and url-rewrite keywords.
  SSL Services Module Release 3.1(1)   This command was changed to add the health-probe tcp keyword.

Examples
This example shows how to display information about the HTTP header policy:

  ssl-proxy# show ssl-proxy policy http-header h1
  No context name provided, assuming context Default
  Prefix:
  SSL Client Certificate Insertion: Not Enabled
  Session Header Insertion: All
  Client IP/Port Insertion: Not Enabled
  Custom Header: (entries 0 through 13; text not legible in this copy)
  Usage count of this policy: 0
  ssl-proxy#

This example shows how to display policy information about a specific SSL policy that is configured on the SSL
following headers to the back-end server:

  Field To Insert                              Description
  ClientCert-Valid                             Certificate validity state
  ClientCert-Error                             Error conditions
  ClientCert-Fingerprint                       Hash output
  ClientCert-Subject-CN                        X.509 subject's common name
  ClientCert-Issuer-CN                         X.509 certificate issuer's common name
  ClientCert-Certificate-Version               X.509 certificate version
  ClientCert-Serial-Number                     Certificate serial number
  ClientCert-Data-Signature-Algorithm          X.509 hashing and encryption method
  ClientCert-Subject                           X.509 subject's distinguished name
  ClientCert-Issuer                            X.509 certificate issuer's distinguished name
  ClientCert-Not-Before                        Certificate is not valid before this date
  ClientCert-Not-After                         Certificate is not valid after this date
  ClientCert-Public-Key-Algorithm              The algorithm used for the public key
  ClientCert-RSA-Public-Key-Size               Size of the RSA public key
  ClientCert-RSA-Modulus-Size                  Size of the RSA private key
  ClientCert-RSA-Modulus                       RSA modulus
  ClientCert-RSA-Exponent                      The public RSA exponent
  ClientCert-X509v3-Authority-Key-Identifier   X.509 authority key identifier
  ClientCert-X509v3-Basic-Constraints
has reloaded; valid values are from 0 to 10000 seconds.

Defaults
  The defaults are as follows:
  - min-delay is 1 second
  - reload-delay is 5 seconds

Command Modes
  Subinterface configuration submode

Command History
  SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)   The command mode for this command was changed from Proxy VLAN to Subinterface.

Usage Guidelines
The min-delay applies to all subsequent interface events. The reload-delay applies only to the first interface-up event after the router has reloaded.

If the active router fails or you remove it from the network, the standby router automatically becomes the new active router. If the former active router comes back online, you can control whether it takes over as the active router by using the standby preempt command. However, in some cases, even if you do not use the standby preempt command, the former active router resumes the active role after it reloads and comes back online. Use the standby delay minimum reload command to set a delay for HSRP group initialization. This command allows time for the packets to get through before the router resumes the active role.

We recommend that you use the standby delay minimum reload command if the standby timers command is configured in milliseconds or if HSRP is configured on a VLAN interface of a switch. In most
header, allowing the server to see the client IP address and port.
  custom custom-string   Inserts the custom string header into the HTTP header.
  prefix                 Adds the prefix string to the HTTP header to enable the server to identify the connections that come from the SSL module, not from other appliances.
  session                Passes information that is specific to an SSL connection to the back-end server as session headers.

This example shows how to enter the HTTP header insertion configuration submode:

  ssl-proxy(config)# ssl-proxy context s1
  ssl-proxy(config-context)# policy http-header test1
  ssl-proxy(config-ctx-http-header-policy)#

This example shows how to allow the back-end server to see the attributes of the client certificate that the SSL module has authenticated and approved:

  ssl-proxy(config-ctx-http-header-policy)# client-cert
  ssl-proxy(config-ctx-http-header-policy)#

This example shows how to insert the client IP address and information about the client port into the HTTP header, allowing the server to see the client IP address and port:

  ssl-proxy(config-ctx-http-header-policy)# client-ip-port
  ssl-proxy(config-ctx-http-header-policy)#

This example shows how to insert the custom string header into the HTTP header:

  ssl-proxy(config-ctx-http-header-policy)# custom "SOFTWARE_VERSION:3.1(1)"
  ssl-proxy(config-ctx-http-header-policy)# custom "module:SSL_MODULE_CATALYST_6500"
  ssl-proxy(config-ctx-http-header-policy)# cust
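The ClientCert-* headers inserted by client-cert, and the prefix that lets the server tell the module's headers from anyone else's, are only useful if the back end actually checks them. The Python below is an added example, not Cisco code and not part of this command reference: it shows a back-end check that accepts a request only when the certificate headers carry the configured prefix, the validity header reports a good certificate, and the identity fields are present, and that rejects a bare ClientCert-* header as client-supplied. Assumptions not taken from the page: the prefix is "SSLMOD-" and is prepended to each inserted header name, ClientCert-Valid carries the literal "Valid" for an accepted certificate, and the back end is reachable only through the module. The requests are constructed.

```python
"""Back-end validation of the ClientCert-* headers inserted by the SSL
module's client-cert policy. Added example for this page, not Cisco code.
Assumed (not from the page): prefix "SSLMOD-" is prepended to each inserted
header name; ClientCert-Valid reads "Valid" for an accepted certificate; the
back end is only reachable through the module."""

PREFIX = "SSLMOD-"          # assumed configured prefix
VALID_VALUE = "Valid"       # assumed value of ClientCert-Valid for a good cert
REQUIRED_FIELDS = ("subject-cn", "fingerprint")


def authorize(headers, prefix=PREFIX):
    """Return (allowed, reason, identity) for a list of (name, value) headers.

    identity is {"cn": ..., "fingerprint": ...} when allowed, else None."""
    marker = "clientcert-"
    prefixed_marker = prefix.lower() + marker
    fields = {}
    for name, value in headers:
        lname = name.lower()
        if lname.startswith(prefixed_marker):
            field = lname[len(prefixed_marker):]
            if field in fields:
                # Two copies of one field: refuse rather than pick one.
                return False, "duplicate header " + name, None
            fields[field] = value.strip()
        elif lname.startswith(marker):
            # The module only emits prefixed names; a bare ClientCert-* header
            # was supplied by the client and must not be trusted.
            return False, "unprefixed ClientCert header " + name, None
    if not fields:
        return False, "no client certificate headers present", None
    if fields.get("valid") != VALID_VALUE:
        return False, "client certificate not valid: " + fields.get("error", "unknown"), None
    missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
    if missing:
        return False, "missing identity fields: " + ", ".join(missing), None
    return True, "ok", {"cn": fields["subject-cn"], "fingerprint": fields["fingerprint"]}


# Constructed requests as the back end would receive them.
GOOD_REQUEST = [
    ("Host", "app.example.test"),
    ("SSLMOD-ClientCert-Valid", "Valid"),
    ("SSLMOD-ClientCert-Subject-CN", "alice"),
    ("SSLMOD-ClientCert-Fingerprint", "5d41402abc4b2a76b9719d911017c592"),
    ("SSLMOD-ClientCert-Not-After", "Dec 31 23:59:59 2007 GMT"),
]
SPOOFED_REQUEST = [
    ("Host", "app.example.test"),
    ("ClientCert-Valid", "Valid"),          # no prefix: client-supplied
    ("ClientCert-Subject-CN", "admin"),
]
EXPIRED_REQUEST = [
    ("Host", "app.example.test"),
    ("SSLMOD-ClientCert-Valid", "Invalid"),
    ("SSLMOD-ClientCert-Error", "certificate expired"),
    ("SSLMOD-ClientCert-Subject-CN", "bob"),
]

if __name__ == "__main__":
    for label, request in (("good", GOOD_REQUEST), ("spoofed", SPOOFED_REQUEST),
                           ("expired", EXPIRED_REQUEST)):
        print(label, authorize(request))
```

The check relies on the back end being unreachable except through the module; if clients can reach it directly, a prefix is just a string they can type, and the identity must instead be established by the back end terminating TLS itself or by an authenticated link from the module.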
introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)   The command mode for this command was changed from Proxy VLAN to Subinterface.

Usage Guidelines
The group-name argument specifies the HSRP group.

Examples
This example shows how to specify the standby name as SanJoseHA:

  ssl-proxy(config-subif)# standby name SanJoseHA
  ssl-proxy(config-subif)#

Related Commands
  ip mobile home-agent redundancy (refer to the Cisco IOS Release 12.2 Command Reference)

standby preempt

To configure HSRP preemption and preemption delay, use the standby preempt command. Use the no form of this command to restore the default values.

standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}]
no standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}]

Syntax Description
  group-number    (Optional) Group number on the interface to which the other arguments in this command apply.
  delay           (Optional) Required if either the minimum, reload, or sync keywords are specified.
  minimum delay   (Optional) Specifies the minimum delay in delay seconds; valid values are from 0 to 3600 seconds (1 hour).
  reload delay    (Optio
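The standby priority, standby delay minimum reload and standby preempt descriptions together define how the module's HSRP group picks its active router. The Python below is an added example, not Cisco code, that simulates that election: the highest priority wins, a priority tie goes to the highest primary IP address (standard HSRP tie-breaking per RFC 2281, assumed here since the sentence above is truncated), and a higher-priority router that comes up while another is active takes over only if standby preempt is configured and its preempt delay has elapsed. The routers and timings are constructed.

```python
"""HSRP active-router election as described by standby priority and
standby preempt. Added example for this page, not Cisco code. Tie-break on
highest primary IP address is assumed from RFC 2281; routers and timings
are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    ip: str                    # primary IP address on the HSRP subinterface
    priority: int = 100        # standby priority default
    preempt: bool = False      # standby preempt configured?
    preempt_delay: int = 0     # standby preempt delay minimum, seconds

    def __post_init__(self):
        if not 1 <= self.priority <= 255:       # range given for standby priority
            raise ValueError("priority must be 1-255")
        ipaddress.ip_address(self.ip)           # reject malformed addresses early


def election_key(router):
    """Larger tuple wins: priority first, then numeric primary IP."""
    return (router.priority, int(ipaddress.ip_address(router.ip)))


def initial_election(routers):
    """Router that becomes active when the group first comes up."""
    return max(routers, key=election_key)


def next_active(current, candidate, seconds_since_candidate_up):
    """Who is active once 'candidate' is up while 'current' is already active."""
    if election_key(candidate) <= election_key(current):
        return current          # candidate is at best the standby router
    if not candidate.preempt:
        return current          # better priority, but no preemption configured
    if seconds_since_candidate_up < candidate.preempt_delay:
        return current          # still inside the preempt delay
    return candidate


if __name__ == "__main__":
    primary = Router("r1", "10.0.0.1", priority=110, preempt=True, preempt_delay=30)
    backup = Router("r2", "10.0.0.2")
    print("initial active:", initial_election([primary, backup]).name)
    # r1 fails, r2 takes over; r1 returns and waits out its preempt delay.
    print("10 s after r1 returns:", next_active(backup, primary, 10).name)
    print("30 s after r1 returns:", next_active(backup, primary, 30).name)
```

The delay branch is why the page recommends standby delay minimum reload when timers are in milliseconds: without it a returning router with preempt configured takes the active role before its forwarding path is ready.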
this command was introduced on the Catalyst 6500 series switches (Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)).

Examples
This example shows how to collect information about the software-forced reset:

  ssl-proxy# show ssl-proxy crash-info
  ===== SSL SERVICE MODULE - START OF CRASHINFO COLLECTION =====
  COMPLEX 0 [FDU_IOS]
  NVRAM CHKSUM: 0xEB28
  NVRAM MAGIC: 0xC8A514F0
  NVRAM VERSION: 1
  CORE 0: FDU
  CID: 0
  APPLICATION VERSION: 2003.04.15 14:50:20 built for cantuc
  APPROXIMATE TIME WHEN CRASH HAPPENED: 14:06:04 UTC Apr 16 2003
  THIS CORE DIDN'T CRASH
  TRACEBACK: 222D48 216894
  CPU CONTEXT:
    $0 : 00000000   AT : 00240008   v0 : 5A27E637   v1 : 000F2BB1
    a0 : 00000001   a1 : 0000003C   a2 : 002331B0   a3 : 00000000
    t0 : 00247834   t1 : 02BFAAA0   t2 : 02BF8BB0   t3 : 02BF8BA0
    t4 : 02BF8BB0   t5 : 00247834   t6 : 00000000   t7 : 00000001
    s0 : 00000000   s4 : 00000001   t8 : 00000001   gp : 0023AE80
    LO : 00000000   EPC : 00222D48   Cause : 0000C000   ErrorEPC : BFC02308
  CACHE ERROR registers:
    CacheErrI : 00000000   ErrCtl : 00000000
  PROCESS STACK:
    stack top: 0x3200000
    0024783C 0000003C 00000001 031FFF58 0000000A
    Process stack in use: sp is close to s
you can enter any EXEC command or enter global configuration mode. Most EXEC commands are one-time commands, such as show commands, which show the current status of a given item, and clear commands, which clear counters or interfaces. The EXEC commands are not saved across reboots of the Catalyst 6500 series switch.

The configuration modes allow you to make changes to the running configuration. If you later save the configuration, these commands are stored across Catalyst 6500 series switch reboots. In order to get to the various configuration modes, you must start at global configuration mode, where you can enter interface configuration mode, subinterface configuration mode, and a variety of protocol-specific modes.

ROM monitor mode is a separate mode that is used when the Catalyst 6500 series switch cannot boot properly. If your Catalyst 6500 series switch or access server does not find a valid system image when it is booting, or if its configuration file is corrupted at startup, the system might enter ROM monitor mode.

Table 1-3 provides a summary of the main command modes.

Table 1-3  Summary of Main Command Modes
  Command Mode      Access Method                                          Prompt       Exit Method
  User EXEC         Log in.                                                ssl-proxy>   Use the logout command.
  Privileged EXEC   From user EXEC mode, enter the enable EXEC command.    ssl-proxy#   To exit to user EXEC mode, enter the disable command. To enter global configuration mode, enter the configure terminal privi
  0       0       TWAIT
    No Bound Connection
  2.50.50.133:443       1.200.200.12:39729     2     113680   0       0       TWAIT
    No Bound Connection
  2.50.50.131:443       1.200.200.14:40599     2     113684   0       0       TWAIT
    No Bound Connection
  2.50.50.132:443       1.200.200.13:48031     2     114046   0       0       TWAIT
    No Bound Connection
  2.50.50.132:443       1.200.200.13:48032     2     14048    0       0       TWAIT
    No Bound Connection
  2.50.50.132:443       1.200.200.13:48034     2     14092    0       0       TWAIT
    No Bound Connection
  2.50.50.132:443       1.200.200.13:48035     2     14100    0       0       TWAIT
    No Bound Connection

  ssl-proxy# show ssl-proxy conn 4tuple remote ip 1.200.200.14
  Connections for TCP module 1
  Local Address         Remote Address         VLAN  Conid  Send-Q  Recv-Q  State
  2.50.50.132:443
    No Bound Connection
  2.50.50.131:443
    No Bound Connection
  2.50.50.131:443
    No Bound Connection
  2.50.50.131:443
    No Bound Connection
  2.50.50.131:443
    No Bound Connection
  2.50.50.131:443
    No Bound Connection
  2.50.50.131:443
    No Bound Connection

  ssl-proxy# show ssl-proxy conn service iis1
  Connections for TCP module 1
  Local Address         Remote Address         VLAN  Conid  Send-Q  Recv-Q  State
  2.50.50.131:443       1.200.200.14
    No Bound Connection
  2.50.50.131:443
    No Bound Connection
  2.50.50.131:443
    No Bound Connection
  2.50.50.131:443
    No Bound Connection
  2.50.50.131:443
    No Bound Connection
  2.50.50.131:443
    No Bound Connectio
    interrupt util (5 sec): 0%
    interrupt util (1 min): 0%
    interrupt util (5 min): 0%
    interrupt util: 0%           int cycles: 0xDB85C98B
    interrupt util (5 sec): 0%
    interrupt util (1 min): 0%
    interrupt util (5 min): 0%

This example shows how to display the status of the TCP CPU on the SSL Services Module:

  ssl-proxy# show ssl-proxy status tcp
  TCP cpu is alive
  TCP cpu utilization:
    process util: 0%             interrupt util: 0%
    proc cycles: 0x2E45DAEE      int cycles: 0x47FC7C2AC5
    total cycles: 0x4E7EC4499DC8
    process util (5 sec): 0%     interrupt util (5 sec): 0%
    process util (1 min): 0%     interrupt util (1 min): 0%
    process util (5 min): 0%     interrupt util (5 min): 0%

show ssl-proxy version

To display the current image version, use the show ssl-proxy version command.

show ssl-proxy version

Syntax Description
  This command has no arguments or keywords.

Defaults
  This command has no default settings.

Command Modes
  EXEC

Command History
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.

Examples
This example shows how to display the image version that is currently running on the SS
    understanding 1-5
commands
    mode types 1-5
committed information rate   See CIR
Content Switching Module   See CSM

D
default form of a command, using 1-6
designated forwarder   See DF
Distributed Forwarding Card   See DFC
documentation
    conventions viii
    organization vii
dot1q   See also 802.1Q tunneling
dot1x   See 802.1x

E
Enhanced Address Recognition Logic   See EARL
Ethernet over Multiprotocol Label Switching   See EoMPLS
EXEC-level commands, issuing in other modes 2-26
expressions
    matching multiple expression occurrences
    multiple-character patterns 1-9
    multiplying pattern occurrence 1-11
    single-character patterns 1-7
    specifying alternative patterns 1-10

F
fast software upgrade   See FSU
feature interaction engine   See FIE
field-replaceable unit   See FRU
file system consistency check   See fsck utility
Firewall Services Module   See FWSM
fm   See feature manager

G
global configuration mode, summary 1-5

H
Hot Standby Router Protocol   See HSRP
HSRP
    configuring
        initialization delay period 2-97
        MAC address 2-101
        preemption delay 2-105
        priority 2-107
        virtual MAC address 2-101
    disabling filtering of ICMP redirect messages 2-109
    configuring secondary interface 2-99
    initialization delay period 2-97
    enabling 2-99
    filtering of ICMP redirect messages 2-109

I
ICMP redirect messages
    disabling 2-109
    enabling 2
This example shows how to display the TCP statistics (counter values in this copy are not legible; the counter names are as follows):

  ssl-proxy# show ssl-proxy stats tcp
  TCP Statistics:
    Connection related:
      Initiated                 Accepted
      Established               Dropped
      Dropped before est        Closed
      Persist timeout drops     Rxmt timeout drops
      Current TIME_WAIT         Current ESTABLISHED
      Maximum TIME_WAIT         Maximum ESTABLISHED
      Conns Allocated           Conns Deallocated
      Conn Deletes sent
    Timer related:
      RTT estimates             RTT est updates
      Delayed acks sent         FIN_WAIT2 timeouts
      Retransmit timeouts       Persist timeouts
      SYN timeouts              Idle timeouts
      Reassembly timeouts
    Packet Transmit related:
      Total packets             Data packets
      Data bytes sent           Retr
      Retransmitted bytes
      Window probes
      Window Update pkts
      Tx TOS normal
      Tx TOS max rel
      Tx TOS min delay
    Packet Receive related:
      Total packets
      In seq data bytes
      Too short
      Dup only data bytes
      Part Dup data bytes
      OOO data bytes rcvd
      Bytes after rx window
      Window Probes
      ACKs for unsent data
      Bytes acked by acks
      PAWS dropped pkts
      Hdr pred data pkts
      3 dup only pkts
      Rx TOS normal
      Rx TOS max rel
      Rx TOS min delay
      Unrecognized Options
          Bisync
  BSTUN   Block Serial Tunnel
  BUS     broadcast and unknown server
  BVI     bridge group virtual interface
  CAM     content-addressable memory
  CAR     committed access rate

Table A-1  List of Acronyms (continued)
  Acronym   Expansion
  CBAC      context-based access control
  CCA       circuit card assembly
  CDP       Cisco Discovery Protocol
  CEF       Cisco Express Forwarding
  CHAP      Challenge Handshake Authentication Protocol
  CIR       committed information rate
  CIST      Common and Internal Spanning Tree
  CLI       command-line interface
  CLNS      Connection-Less Network Service
  CMNS      Connection-Mode Network Service
  CNS       Cisco Networking Services
  COPS      Common Open Policy Server
  COPS-DS   Common Open Policy Server Differentiated Services
  CoS       class of service
  CPLD      Complex Programmable Logic Device
  CRC       cyclic redundancy check
  CRF       concentrator relay function
  CSM       Content Switching Module
  CST       Common Spanning Tree
  CUDD      University of Colorado Decision Diagram
  DCC       Data Country Code
  dCEF      distributed Cisco Express Forwarding
  DDR       dial-on-demand routing
  DE        discard eligibility
  DEC       Digital Equipment Corporation
  DF        designated forwarder
  DFC       Distributed Forwarding Card
  DFI       Domain-Specific Part Format Identifier
  DFP       Dynamic Feedback Protocol
  DISL      Dynamic Inter-Switch Link
  DLC       Data Link Con
Cisco Systems

Catalyst 6500 Series Switch SSL Services Module Command Reference
Release 3.1

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

Text Part Number: OL-9105-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED,
Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace

Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkp@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.

Documentation Feedback

You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com. You can send comments about Cisco documentation to bug-doc@cisco.com. You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

  Cisco Systems
  Attn: Customer Document Ordering
  170 West Tasman Drive
  San Jose, CA 95134-9883

We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you can perform these tasks:
  - Report security vulnerabilities in Cisco products.
  - Obtain assistance with security incidents that involve Cisco products.
  - Register to re
INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affilia
Key Key is not exportable
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381
Key pair was generated at: 15:42:15 PST Jun
ssl-proxy#

Related Commands
  crypto key encrypt rsa
  crypto key lock rsa
  crypto key unlock rsa

crypto key encrypt rsa

To encrypt the RSA keys, use the crypto key encrypt rsa command.

crypto key encrypt [write] rsa [name key-name] passphrase passphrase

Syntax Description
  write                  (Optional) Writes the configuration to the startup configuration.
  name key-name          (Optional) Name of the key.
  passphrase passphrase  Pass phrase.

Defaults
  This command has no default settings.

Command Modes
  Global configuration

Command History
  Release                             Modification
  SSL Services Module Release 3.1(1)  Support for this command was introduced on the Catalyst 6500 series SSL Services Module.

Usage Guidelines
  After you enter this command, the router can continue to use the key (the key remains unlocked).

  If you do not enter the write keyword, you must manually write the configuration to NVRAM; otherwise, the encrypted key will be lost the next time that the router is reloaded.

Examples
  This example shows how to encrypt the RSA key pki1-72a.cisco.com. Enter the show crypto key mypubkey rsa command to verify that the RSA key is encrypted (protected).
L Services Module

  ssl-proxy# show ssl-proxy version
  Cisco IOS Software, SVCSSL Software (SVCSSL-K9Y9-M)
  Copyright (c) 1986-2006 by Cisco Systems, Inc.
  Compiled Mon 09-Jan-06 16:54 by integ
  ROM: System Bootstrap, Version 12.2(11)YS1 RELEASE SOFTWARE
  ssl-proxy uptime is 1 day, 15 hours, 57 minutes
  System returned to ROM by power-on
  System image file is "tftp:10.1.1.1/unknown"
  AP Version 3.1(1)
  ssl-proxy#

show ssl-proxy vlan

To display VLAN information, use the show ssl-proxy vlan command.

show ssl-proxy vlan [vlan-id] [debug] [module module]

Syntax Description
  vlan-id        (Optional) VLAN ID. Displays information for a specific VLAN; valid values are from 1 to 1005.
  debug          (Optional) Displays debug information.
  module module  (Optional) Displays statistics for the specified module; module type includes the following:
                 • all   all CPUs
                 • fdu   FDU CPU
                 • ssl1  SSL1 CPU
                 • tcp1  TCP1 CPU

Defaults
  This command has no default settings.

Command Modes
  EXEC

Command History
  Release                                                             Modification
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)  Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module                                                 This command was changed to add the module module keyw
NAT, use the natpool command.

natpool nat-pool-name start_ip_addr end_ip_addr netmask netmask

Syntax Description
  nat-pool-name    NAT pool name.
  start_ip_addr    First IP address in the pool.
  end_ip_addr      Last IP address in the pool.
  netmask netmask  Specifies the netmask address.

Defaults
  This command has no default settings.

Command Modes
  Context subcommand mode

Command History
  Release                                                             Modification
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)  Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)                                  The natpool command entered in context subcommand mode replaces the ssl-proxy natpool command entered in global subcommand mode.

Examples
  This example shows how to define a pool of IP addresses:

  ssl-proxy(config)# ssl-proxy context Example
  ssl-proxy(config-context)# natpool NP2 207.59.10.01 207.59.10.08 netmask 255.0.0.0
  ssl-proxy(config-context)#

Related Commands
  show ssl-proxy natpool

policy health-probe tcp

To enter the TCP health probe configuration submode, use the policy health-probe command. In TCP health probe configuration submode, you can define the TCP health probe policy that is applied.

policy health-probe tcp policy-name

Syntax Description
  policy-name  TCP health probe policy name.

Defaults
  The defa
P Multicast Registration Protocol
  GVRP      GARP VLAN Registration Protocol
  HSRP      Hot Standby Routing Protocol
  ICC       Inter-card Communication or interface controller card

Table A-1  List of Acronyms (continued)
  Acronym   Expansion
  ICD       International Code Designator
  ICMP      Internet Control Message Protocol
  IDB       interface descriptor block
  IDP       initial domain part or Internet Datagram Protocol
  IDSM      Intrusion Detection System Module
  IFS       IOS File System
  IGMP      Internet Group Management Protocol
  IGMPv2    IGMP version 2
  IGMPv3    IGMP version 3
  IGRP      Interior Gateway Routing Protocol
  ILMI      Integrated Local Management Interface
  IP        Internet Protocol
  IPC       interprocessor communication
  IPX       Internetwork Packet Exchange
  IS-IS     Intermediate System-to-Intermediate System Intradomain Routing Protocol
  ISL       Inter-Switch Link
  ISL VLANs Inter-Switch Link VLANs
  ISO       International Organization of Standardization
  ISR       Integrated SONET router
  LACP      Link Aggregation Control Protocol
  LACPDU    Link Aggregation Control Protocol data unit
  LAN       local area network
  LANE      LAN Emulation
  LAPB      Link Access Procedure, Balanced
  LCP       Link Control Protocol
  LDA       Local Director Acceleration
  LEC       LAN Emulation Client
  LECS      LAN Emulation Configuration Server
  LEM       link error monitor
  LER       link error ra
P messages. The authentication string is sent unencrypted in all HSRP messages. You must configure the same authentication string on all routers and access servers on a cable to ensure interoperation. Authentication mismatch prevents a device from learning the designated hot standby IP address and the hot standby timer values from the other routers that are configured with HSRP.

When you use group number 0, no group number is written to NVRAM, providing backward compatibility.

Examples
  This example shows how to configure word as the authentication string to allow hot standby routers in group 1 to interoperate:

  ssl-proxy(config-subif)# standby 1 authentication text word
  ssl-proxy(config-subif)#

standby delay minimum reload

To configure a delay before the HSRP groups are initialized, use the standby delay minimum reload command. Use the no form of this command to disable the delay.

standby delay minimum min-delay reload reload-delay
no standby delay minimum min-delay reload reload-delay

Syntax Description
  min-delay     (Optional) Minimum time (in seconds) to delay HSRP group initialization after an interface comes up; valid values are from 0 to 10000 seconds.
  reload-delay  (Optional) Time (in seconds) to delay after the router
SRP is disabled by default.

Command Modes
  Subinterface configuration submode

Command History
  Release                             Modification
  SSL Services Module Release 2.1(1)  Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)  The command mode for this command was changed from Proxy VLAN to Subinterface.

Usage Guidelines
  The standby ip command allows you to configure primary and secondary HSRP addresses.

  The standby ip command activates HSRP on the configured interface. If you specify an IP address, that address is used as the designated address for the hot standby group. If you do not specify an IP address, the designated address is learned through the standby function. So that HSRP can elect a designated router, at least one router on the cable must have been configured with, or have learned, the designated address. Configuring the designated address on the active router always overrides a designated address that is currently in use.

  When you enable the standby ip command on an interface, the handling of proxy ARP requests is changed (unless proxy ARP was disabled). If the hot standby state of the interface is active, proxy ARP requests are answered using the MAC address of the hot standby group. If the interface is in a different state, proxy ARP responses are suppressed.

  When you use group number 0, no group number is written to NVRAM, providing backward compatibility.
SSL-OFFLOAD-Session-Cipher-Key-Size: 128
SSL-OFFLOAD-Session-Cipher-Use-Size: 128
SSL-OFFLOAD-Session-Step-Up: FALSE
SSL-OFFLOAD-Session-Initial-Cipher-Key-Size:
SSL-OFFLOAD-Session-Initial-Cipher-Name:
SSL-OFFLOAD-Session-Initial-Cipher-Use-Size:
SSL-OFFLOAD-ClientCert-Valid: 1
SSL-OFFLOAD-ClientCert-Error: none
SSL-OFFLOAD-ClientCert-Fingerprint: 1B:11:0F:E8:20:3F:6C:23:12:9C:76:C0:C1:C2:CC:85
SSL-OFFLOAD-ClientCert-Subject-CN: a
SSL-OFFLOAD-ClientCert-Issuer-CN: Certificate Manager
SSL-OFFLOAD-ClientCert-Certificate-Version: 3
SSL-OFFLOAD-ClientCert-Serial-Number: 0F:E5
SSL-OFFLOAD-ClientCert-Data-Signature-Algorithm: sha1WithRSAEncryption
SSL-OFFLOAD-ClientCert-Subject: OID.1.2.840.113549.1.9.2=ste2-server.cisco.com, OID.2.5.4.5=B0FFF22E, CN=a, O=Cisco
SSL-OFFLOAD-ClientCert-Issuer: CN=Certificate Manager, OU=HSS, O=Cisco, L=San Jose, ST=California, C=US
SSL-OFFLOAD-ClientCert-Not-Before: 22:29:26 UTC Jul 30 2003
SSL-OFFLOAD-ClientCert-Not-After: 07:00:00 UTC Apr 27 2006
SSL-OFFLOAD-ClientCert-Public-Key-Algorithm: rsaEncryption
SSL-OFFLOAD-ClientCert-RSA-Public-Key-Size: 1024 bit
SSL-OFFLOAD-ClientCert-RSA-Modulus-Size: 1024 bit
SSL-OFFLOAD-ClientCert-RSA-Modulus: B3:32:3C:5E:C9:D1:CC:76:FF:81:F6:F7:97:58:91:4D:B2:0E:C1:3A:7B:62:63:BD:5D:F6:5F:68:F0:7D:AC:C6:72:F5:72:46:7E:FD:38:D3:A2:E1:03:8B:EC:F7:C9:9A:80:C7:37:DA:F3:BE:1F:F4:5B:59:BD:52:72:94:EE:46:F5:29:A4:B3:9B:2E:4C:69:D0:11:59:F7:68:3A:D9:6E:ED:6D:54:4E:B5:A7
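The client-certificate fields shown above (Valid, Error, Fingerprint, Not-Before, Not-After) are what a defender inspects when deciding whether a client certificate presented through the module should be trusted and how soon it expires, which is also the condition reported by the certificate-expiring notification trap elsewhere in this reference. The following Python is an added example and is not code from this reference or from Cisco. It assumes the fields are available as "Name: value" text lines carrying the header prefix SSL-OFFLOAD-ClientCert- (an assumption about the layout), uses a constructed sample modelled on the output above, and takes the reference time as a parameter instead of reading the system clock so that results are reproducible.

```python
"""Check client-certificate validity fields from SSL-offload output (added example)."""
from datetime import datetime

# Constructed sample modelled on the page's output; not a real capture.
SAMPLE = """\
SSL-OFFLOAD-ClientCert-Valid: 1
SSL-OFFLOAD-ClientCert-Error: none
SSL-OFFLOAD-ClientCert-Fingerprint: 1B:11:0F:E8:20:3F:6C:23:12:9C:76:C0:C1:C2:CC:85
SSL-OFFLOAD-ClientCert-Subject-CN: a
SSL-OFFLOAD-ClientCert-Not-Before: 22:29:26 UTC Jul 30 2003
SSL-OFFLOAD-ClientCert-Not-After: 07:00:00 UTC Apr 27 2006
"""

# Layout of the Not-Before / Not-After values as shown on the page (assumed fixed).
TIME_FORMAT = "%H:%M:%S UTC %b %d %Y"
PREFIX = "SSL-OFFLOAD-ClientCert-"   # assumed header prefix


def parse_fields(text: str) -> dict:
    """Split 'Name: value' lines into a dict; split on the first colon only,
    because fingerprints and timestamps contain colons themselves."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, TIME_FORMAT)


def check_client_cert(text: str, now: datetime, warn_days: int = 30) -> dict:
    """Summarise the certificate's status relative to `now`.

    valid_flag        - the module reported Valid=1 and Error=none
    in_validity_window- now lies between Not-Before and Not-After
    days_left         - whole days until Not-After (negative once expired)
    expiring_soon     - still valid but fewer than warn_days remain
    """
    f = parse_fields(text)
    not_before = parse_time(f[PREFIX + "Not-Before"])
    not_after = parse_time(f[PREFIX + "Not-After"])
    days_left = (not_after - now).days
    return {
        "valid_flag": f.get(PREFIX + "Valid") == "1"
        and f.get(PREFIX + "Error", "none") == "none",
        "in_validity_window": not_before <= now <= not_after,
        "days_left": days_left,
        "expiring_soon": 0 <= days_left < warn_days,
        "fingerprint": f.get(PREFIX + "Fingerprint"),
        "subject_cn": f.get(PREFIX + "Subject-CN"),
    }


if __name__ == "__main__":
    report = check_client_cert(SAMPLE, now=datetime(2006, 4, 1, 7, 0, 0))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `days_left` threshold mirrors what an operator would alert on ahead of the cert-expiring trap; pinning the fingerprint from the same output lets the check also confirm that the certificate seen is the one expected.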
SSL Services Module Release 3.x
• Catalyst 6500 Series Switch SSL Services Module Configuration Note
• Catalyst 6500 Series Switch SSL Services Module System Message Guide
• Catalyst 6500 Series Switch SSL Services Module Installation and Verification Note
• Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide

The Cisco IOS documentation set includes these documents:
• Configuration Fundamentals Configuration Guide
• Command Reference

For information about MIBs, refer to this URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Conventions

This document uses the following conventions:

  Convention     Description
  boldface font  Commands, command options, and keywords are in boldface.
  italic font    Arguments for which you supply values are in italics.
  [ ]            Elements in square brackets are optional.
  { x | y | z }  Alternative keywords are grouped in braces and separated by vertical bars. Braces can also be used to group keywords and/or arguments; for example, {interface interface type}.
  [ x | y | z ]  Optional alternative keywords are grouped in brackets and separated by vertical bars.
  string         A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
  screen font    Terminal sessions and information the sys
  SSL Services Module Release 3.1(1)  The syntax for this command changed from crypto ca to crypto pki.

Usage Guidelines
  If you are using SSH, we recommend using SCP (secure file transfer) when importing a PKCS12 file. SCP authenticates the host and encrypts the transfer session.

  If you do not specify pkcs12_filename, you will be prompted to accept the default filename (the default filename is the trustpoint_label) or to enter the filename. For the ftp or tftp value, include the full path in the pkcs12_filename.

  You will receive an error if you enter the pass phrase incorrectly.

  If there is more than one level of CA, the root CA and all the subordinate CA certificates are exported in the PKCS12 file.

crypto pki import pkcs12

Examples
  This example shows how to import a PKCS12 file using SCP:

  ssl-proxy(config)# crypto pki import TP2 pkcs12 scp: sky is blue
  Address or name of remote host []? 10.1.1.1
  Source username [ssl-proxy]? admin-1
  Source filename [TP2]? /users/admin-1/pkcs12/TP2.p12
  Password: password
  Sending file modes: C0644 4379 TP2.p12
  ssl-proxy(config)#
  Aug 22 12:30:00.531: %CRYPTO-6-PKCS12IMPORT_SUCCESS: PKCS #12 Successfully Imported.
  ssl-proxy(config)#
crypto pki export pem

You can change the default file extensions when prompted. The default file extensions are as follows:
• public key: .pub
• private key: .prv
• certificate: .crt
• CA certificate: .ca
• signature key: .sign
• encryption key: .encr

Note  In SSL software release 1.2, only the private key (.prv), the server certificate (.crt), and the issuer CA certificate (.ca) of the server certificate are exported. To export the whole certificate chain, including all the CA certificates, use a PKCS12 file instead of PEM files.

Examples
  This example shows how to export a PEM-formatted file on the SSL Services Module:

  ssl-proxy(config)# crypto ca export TP5 pem url tftp://10.1.1.1/tp99 3des password
  Exporting CA certificate
  Address or name of remote host [10.1.1.1]?
  Destination filename [tp99.ca]?
  File 'tp99.ca' already exists. Do you really want to overwrite it? [yes/no]: yes
  Writing file to tftp://10.1.1.1/tp99.ca
  Key name: key1
    Usage: General Purpose Key
  Exporting private key
  Address or name of remote host [10.1.1.1]?
  Destination filename [tp99.prv]?
  File 'tp99.prv' already exists. Do you really want to overwrite it? [yes/no]: yes
  Writing file to tftp://10.1.1.1/tp99.prv
  Exporting router certificate
  Address or name of remote host [10.1.1.1]?
  Destination filename [tp99.crt]?
  File 'tp99.crt' already exists. Do you really want to overwrite it? [yes/no]
                Turns on health probe debugging.
  ipc           Turns on IPC debugging.
  pki [type]    Turns on PKI debugging; optional type valid values are cert, events, history, ipc, and key. See the "Usage Guidelines" section for additional information.
  ssl [type]    Turns on SSL debugging; optional type valid values are alert, error, handshake, and pkt. See the "Usage Guidelines" section for additional information.
  tcp [type]    Turns on TCP debugging; optional type valid values are event, packet, state, and timers. See the "Usage Guidelines" section for additional information.
  vlan          Turns on VLAN debugging.

Defaults
  This command has no default settings.

Command Modes
  EXEC

debug ssl-proxy

Command History
  Release                                                             Modification
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)  Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)                                  This command was changed to add the following keywords:
                                                                      • content [type]
                                                                      • flash
                                                                      • health-probe
                                                                      • module module
                                                                      • vlan

Usage Guidelines
  The content type includes the following values:
  • detail         content detail
  • error          content error
  • ipc            content ipc
  • module module  module to be debugged; module includes the following values:
      fdu   fdu cpu
      ssl1  ssl1 cpu
      t
al business hours to restore service to satisfactory levels.

Severity 4 (S4)  You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
  http://www.cisco.com/go/marketplace

• Cisco Press publishes a wide range of general networking, training, and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
  http://www.ciscopress.com

• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-dept
policy health-probe tcp

Table 2-2  TCP Health Probe Submode Command Descriptions (continued)
  Syntax                Description
  open-timeout seconds  (Optional) Allows you to set the maximum time to wait to establish a TCP connection. The default is 80 seconds. The valid range is from 70 to 120 seconds.
  port port_number      (Optional) Allows you to configure an optional port for the health probe. Valid values are from 1 to 65535.

By default, the TCP health probe uses the server IP address and port for the SSL server proxy service. Enter the port command to specify a different port for the health probe. If you configured the SSL server proxy service with no nat server, the TCP health probe uses the virtual IP address that you configured on the SSL server proxy service instead of the server IP address.

Note  TCP health probe is not supported when you configure a wildcard proxy and no nat server on the SSL server proxy service. See the "service" section on page 2-52 for information on configuring the SSL server proxy service.

Examples
  This example shows how to configure TCP health probe to check whether service at port 80 is up and running on server IP address 19.0.0.1:

  ssl-proxy(config)# ssl-proxy context ssl
  ssl-proxy(config-context)# service ssl-1
  ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443
  ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
  ssl-proxy(config-ctx-ssl-proxy)# certi
service

In most cases, all of the SSL server proxy configurations that are performed are also valid for the SSL client proxy configuration, except for the following:

• You must configure a certificate for the SSL server proxy, but you do not have to configure a certificate for the SSL client proxy. If you configure a certificate for the SSL client proxy, that certificate is sent in response to the certificate request message that is sent by the server during the client authentication phase of the handshake protocol.

• The SSL policy is attached to the virtual subcommand for the SSL server proxy service, whereas the SSL policy is attached to the server subcommand for the SSL client proxy service.

Enter each proxy service or proxy client configuration submode command on its own line. Table 2-8 lists the commands that are available in proxy service or proxy client configuration submode.

Table 2-8  Proxy-service Configuration Submode Command Descriptions
  Syntax: authenticate verify {all | signature-only}
    Description: Configures the method for certificate verification. You can specify the following:
    • all             Verifies CRLs and signature authority.
    • signature-only  Verifies the signature only.
  Syntax: certificate rsa general-purpose trustpoint trustpoint-name
    Description: Configures the certificate with RSA general-purpose keys and associates a trustpoint to the certificate.
  Syntax: default certificate
ame of the PKCS12 file to import.
  pass_phrase       Specifies the pass phrase of the PKCS12 file.

Defaults
  This command has no default settings.

Command Modes
  Global configuration

Command History
  Release                                                             Modification
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)  Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)                                  The syntax for this command changed from crypto ca to crypto pki.

Usage Guidelines
  Imported key pairs cannot be exported.

  If you are using SSH, we recommend using SCP (secure file transfer) when exporting a PKCS12 file. SCP authenticates the host and encrypts the transfer session.

  If you do not specify pkcs12_filename, you will be prompted to accept the default filename (the default filename is the trustpoint_label) or enter the filename. For the ftp or tftp value, include the full path in the pkcs12_filename.

  You will receive an error if you enter the pass phrase incorrectly.

  If there is more than one level of CA, the root CA and all the subordinate CA certificates are exported in the PKCS12 file.

crypto pki export pkcs12

Examples
  This example shows how to export a PKCS12 file using SCP:

  ssl-proxy(config)# crypto pki export TP1 pkcs12 scp: sky is blue
  A
  ansmitted pkts
  Ack only pkts
  URG only pkts
  Cntrl pkts (S/F/R)
  Tx TOS Min Cost
  Tx TOS Max thru
  Tx TOS invalid
  In seq data pkts
  Bad Offset
  Dup only data pkts
  Part dup data pkts
  OOO data pkts
  Pkts after rx win
  Pkts after close
  Duplicate ACKs
  ACK only pkts
  Window Update pkts
  Hdr pred ACKs
  TCB cache misses
  Partial Acks
  Rx TOS Min Cost
  Rx TOS Max thru
  Rx TOS invalid

This example shows how to display the PKI statistics:

  ssl-proxy# show ssl-proxy stats pki
  PKI Memory Usage Counters:
    Malloc count: 0
    Setstring count: 0
    Free count: 0
    Malloc failed: 0
    Ipc alloc count: 0
    Ipc free count: 0
    Ipc alloc failed: 0
  PKI IPC Counters:
    Request buffer sent: 0
    Request buffer received:
    Request duplicated: 0
    Response buffer sent: 0
    Response buffer received: 0
    Response timeout: 0
    Response with error status: 0
    Response with no request: 0
    Response duplicated: 0
    Message type error: 0
  PKI Accumulative Certificate Counters:
    Proxy service trustpoint added: 0
    Proxy service trustpoint deleted: 0
    Proxy service trustpoint modified: 0
    Keypair added: 0
    Keypair deleted: 0
    Wrong key type: 0
    Serv
ate with HSRP version 1. An interface cannot operate both version 1 and version 2 because both versions are mutually exclusive.

You cannot change from version 2 to version 1 if you have configured groups above 255.

Using the no standby version command sets the HSRP version to the default version (version 1).

If an HSRP version is changed, each group will reinitialize because it now has a new virtual MAC address.

Examples
  This example shows how to configure HSRP version 2:

  ssl-proxy(config-subif)# standby version 2
  ssl-proxy(config-subif)#

APPENDIX A  Acronyms

Table A-1 defines the acronyms that are used in this publication.

Table A-1  List of Acronyms
  Acronym  Expansion
  AAL      ATM adaptation layer
  ACE      access control entry
  ACL      access control list
  ACNS     Application and Content Networking System
  AFI      authority and format identifier
  Agport   aggregation port
  ALPS     Airline Protocol Support
  AMP      Active Monitor Present
  APaRT    Automated Packet Recognition and Translation
  ARP      Address Resolution Protocol
  ATA      Analog Telephone Adaptor
  ATM      Asynchronous Transfer Mode
  AV       attribute value
  BDD      binary decision diagrams
  BECN     backward explicit congestion notification
  BGP      Border Gateway Protocol
  Bidir    bidirectional PIM
  BPDU     bridge protocol data unit
  BRF      bridge relay function
  BSC
ation submode, you can define the SSL policy for one or more SSL proxy services.

policy ssl ssl-policy-name

Syntax Description
  ssl-policy-name  SSL policy name.

Defaults
  The defaults are as follows:
  • cipher is all-strong.
  • close-protocol is disabled.
  • session caching is enabled.
  • version is all.
  • session-cache size size is 262143 entries.
  • timeout session timeout is 0 seconds.
  • timeout handshake timeout is 0 seconds.
  • cert-req-empty is disabled.
  • tls-rollback is disabled.
  • renegotiation is disabled.

Command Modes
  Context subcommand mode

Command History
  Release                                                             Modification
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)  Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 1.2(1)                                  This command was changed to add the following subcommands:
                                                                      • session-cache size size
                                                                      • timeout session timeout absolute

policy ssl

  Release                             Modification
  SSL Services Module Release 2.1(5)  This command was changed to add the following subcommands:
                                      • cert-req-empty
                                      • tls-rollback {current | any}
  SSL Services Module Release 3.1(1)  The policy ssl command entered in context subcommand mode replaces the ssl-proxy policy ssl command entered in global subcommand mode. This command was changed to add the following submode command
ation traps.

Defaults
  This command has no default setting.

Command Modes
  Global configuration

Command History
  Release                             Modification
  SSL Services Module Release 2.1(1)  Support for this command was introduced on the Catalyst 6500 series SSL Services Module.

Examples
  This example shows how to enable SNMP informs:

  ssl-proxy(config)# snmp-server enable informs
  ssl-proxy(config)#

  This example shows how to enable SSL proxy traps:

  ssl-proxy(config)# snmp-server enable traps ssl-proxy
  ssl-proxy(config)#

  This example shows how to enable SSL proxy notification traps:

  ssl-proxy(config)# snmp-server enable traps ssl-proxy cert-expiring oper-status
  ssl-proxy(config)#

ssl-proxy context

To enter the SSL context submode and define the virtual SSL context, use the ssl-proxy context command. Use the no form of this command to remove any commands that you have entered in the SSL context subcommand mode from the configuration.

ssl-proxy context name
no ssl-proxy context name

Syntax Description
  name  Name of the context.

Defaults
  The default context name is Default.

Command Modes
  Global configuration

Command History
  Release              Modification
  SSL Services Module  Support for this command was introduced on the Catalyst 6500 seri
    buffers    Adjust system buffer pool parameters
    cdp        Global CDP configuration subcommands
    class-map  Configure QoS Class Map
  <Output is truncated>

This example shows how to list a keyword's associated arguments:

  ssl-proxy(config-if)# channel-group 1 mode ?
    auto       Enable PAgP only if a PAgP device is detected
    desirable  Enable PAgP unconditionally
    on         Enable Etherchannel only
  ssl-proxy(config-if)#

How to Find Command Options

This section provides an example of how to display syntax for a command. The syntax can consist of optional or required keywords. To display keywords for a command, enter a question mark (?) at the configuration prompt or after entering part of a command followed by a space. The Catalyst 6500 series SSL Services Module software displays a list of available keywords along with a brief description of the keywords. For example, if you are in global configuration mode and want to see all the keywords for the ssl-proxy command, you enter ssl-proxy ?.

Table 1-2 shows examples of how you can use the question mark (?) to assist you in entering commands.

Table 1-2  How to Find Command Options
  Command                Comment
  ssl-proxy> enable
  Password: <password>
  ssl-proxy#             Enter the enable command and password to access privileged EXEC commands. You are in pri
ceive security information from Cisco.

A current list of security advisories and notices for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:

• Emergencies: security-alert@cisco.com
  An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
• Nonemergencies: psirt@cisco.com

In an emergency, you can also reach PSIRT by telephone:
• 1-877-228-7302
• 1-408-525-6532

Tip  We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP ve
certificate.
  Address or name of remote host [10.1.1.1]?
  Destination filename [TP5.ca]?
  Reading file from tftp://10.1.1.1/TP5.ca
  Loading TP5.ca from 10.1.1.1 (via Ethernet0/0): [OK - 1976 bytes]
  Importing private key PEM file.
  Address or name of remote host [10.1.1.1]?
  Destination filename [TP5.prv]?
  Reading file from tftp://10.1.1.1/TP5.prv
  Loading TP5.prv from 10.1.1.1 (via Ethernet0/0): [OK - 963 bytes]
  Importing certificate PEM file.
  Address or name of remote host [10.1.1.1]?
  Destination filename [TP5.crt]?
  Reading file from tftp://10.1.1.1/TP5.crt
  Loading TP5.crt from 10.1.1.1 (via Ethernet0/0): [OK - 1692 bytes]
  PEM files import succeeded.
  ssl-proxy(config)# end
  ssl-proxy#
  Apr 11 15:11:29.901: %SYS-5-CONFIG_I: Configured from console by console

Related Commands
  crypto pki export pem

crypto pki export pkcs12

To export a PKCS12 file from the SSL Services Module, use the crypto pki export pkcs12 command.

crypto pki export trustpoint_label pkcs12 file_system [pkcs12_filename] pass_phrase

Syntax Description
  trustpoint_label  Specifies the trustpoint label.
  file_system       Specifies the file system. Valid values are scp, ftp, nvram, rcp, and tftp.
  pkcs12_filename   (Optional) Specifies the n
  characters, table 1-7
source-specific multicast. See SSM
special characters
  anchoring, table 1-10
SP QoS manager. See QM
SP
SSL policy
  defining
    HTTP header insertion content policy 2-34
    SSL policy 2-39
    TCP policy templates 2-45
  defining URL rewrite policy 2-49
  entering
    HTTP header configuration submode 2-34
    SSL configuration submode 2-39
    TCP configuration submode 2-45
SSL proxy
  enabling certificate expiring notification traps 2-86
  enabling operation status notification traps 2-86
standby authentication command 2-96
standby mac-address command 2-101
standby mac-refresh command 2-103
standby timers command 2-111
standby track command 2-113
standby use-bia command 2-115
subinterface configuration mode, summary 1-6
Switch Module Configuration Protocol. See SCP
system prompts 1-5

T
Tab key, command completion 1-1
table contention level. See TCL
tables
  characters with special meaning 1-7
  special characters
    multipliers, table 1-9
    used for anchoring 1-10
TCP
  displaying policy information 2-72
TCP configuration
  defining policy 2-45
  entering submode 2-45
Ternary Content Addressable Memory. See TCAM

U
URL rewrite
  defining content policy 2-49
  displaying policy information 2-72
  entering configuration submode 2-49
user EXEC mode, summary 1-5

V
value mask result. See VMR
virtual MAC address 2-101
clear ssl-proxy conn [context name] [module module] [service name [context name] [module module]]

Syntax Description
  context name   (Optional) Clears the connections for a specific context.
  module module  (Optional) Clears the connections for the specified module type. The available options for the module variable are as follows:
                 • all   All CPUs
                 • fdu   FDU CPU
                 • ssl1  SSL1 CPU
                 • tcp1  TCP1 CPU
                 • tcp2  TCP2 CPU
  service name   (Optional) Clears the connections for the specified service.

Defaults
  This command has no default settings.

Command Modes
  EXEC

Command History
  Release                                                             Modification
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)  Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)                                  This command was changed to add the following keywords:
                                                                      • context name
                                                                      • module module

Examples
  This example shows how to clear the connections for the specified service:

  ssl-proxy# clear ssl-proxy conn service S6

  This example shows how to clear all TCP connections on the entire system:

  ssl-proxy# clear ssl-proxy conn
  ssl-proxy#

clear ssl-proxy content

To clear all TCP connections on the entire system, use the clear ssl-proxy conn command.

clear ss
74. command for the SSL server proxy service whereas the SSL policy is attached to the server subcommand for the SSL client proxy service Each proxy service or proxy client configuration submode command is entered on its own line Catalyst 6500 Series Switch SSL Services Module Command Reference 256 i OL 9105 01 Chapter2 Commands for the Catalyst 6500 Series SSL Services Module service client W Table 2 9 lists the commands that are available in proxy client configuration submode Table 2 9 Proxy client Configuration Submode Command Descriptions Syntax Description certificate rsa general purpose trustpoint trustpoint name Configures the certificate with RSA general purpose keys and associates a trustpoint to the certificate default certificate inservice nat server virtual Sets a command to its default settings description Allows you to enter a description for the proxy service exit Exits from proxy client configuration submode help Provides a description of the interactive help system inservice Declares a proxy client as administratively up nat server client natpool name Specifies the usage of either server NAT or client NAT for the server side connection that is opened by the SSL Services Module policy health probe tcp policy name Applies a TCP health probe policy to a proxy server policy http header policy name Applies an HTTP header insertion policy
75. configurations, the default values provide sufficient time for the packets to get through, and configuring longer delay values is not necessary. The delay is canceled if an HSRP packet is received on an interface.

Examples
This example shows how to set the minimum delay to 30 seconds and the delay after the first reload to 120 seconds:
ssl-proxy(config)# interface ssl-proxy0.100
ssl-proxy(config-subif)# standby delay minimum 30 reload 120
ssl-proxy(config-subif)#

Related Commands
show standby delay
standby preempt
standby timers

standby ip

To activate HSRP, use the standby ip command. Use the no form of this command to disable HSRP.
standby [group-number] ip [ip-address [secondary]]
no standby [group-number] ip [ip-address]

Syntax Description
group-number    (Optional) Group number on the interface for which HSRP is being activated.
ip-address      (Optional) IP address of the hot standby router interface.
secondary       (Optional) Indicates the IP address is a secondary hot standby router interface.

Defaults
The defaults are as follows:
• group-number is 0
• H
76. ctivity 300
ssl-proxy(config-ctx-tcp-policy)#

This example shows how to define the maximum size for the receive buffer configuration:
ssl-proxy(config-ctx-tcp-policy)# buffer-share rx 16384
ssl-proxy(config-ctx-tcp-policy)#

This example shows how to define the maximum size for the transmit buffer configuration:
ssl-proxy(config-ctx-tcp-policy)# buffer-share tx 13444
ssl-proxy(config-ctx-tcp-policy)#

This example shows how to define the maximum size for the TCP segment:
ssl-proxy(config-ctx-tcp-policy)# mss 1460
ssl-proxy(config-ctx-tcp-policy)#

This example shows how to define the initial connection (SYN) timeout value:
ssl-proxy(config-ctx-tcp-policy)# timeout syn 5
ssl-proxy(config-ctx-tcp-policy)#

This example shows how to define the reassembly timeout value:
ssl-proxy(config-ctx-tcp-policy)# timeout reassembly 120
ssl-proxy(config-ctx-tcp-policy)#

This example shows how to carry over the ToS value to all packets within a flow:
ssl-proxy(config-ctx-tcp-policy)# tos carryover
ssl-proxy(config-ctx-tcp-policy)#

Related Commands
show ssl-proxy policy

policy url-rewrite
77. ddress or name of remote host []? 10.1.1.1
Destination username [ssl-proxy]? admin-1
Destination filename [TP1]? TP1.p12
Password:
Writing TP1.p12
Writing pkcs12 file to scp://admin-1@10.1.1.1/TP1.p12
Password:
CRYPTO_PKI: Exported PKCS12 file successfully.
ssl-proxy(config)#

crypto pki import pkcs12

To import a PKCS12 file to the SSL Services Module, use the crypto pki import pkcs12 command.
crypto pki import trustpoint_label pkcs12 file_system [pkcs12_filename] pass_phrase

Syntax Description
trustpoint_label    Specifies the trustpoint label.
file_system         Specifies the file system. Valid values are as follows:
                    • ftp: Imports from the FTP file system
                    • nvram: Imports from the NVRAM file system
                    • rcp: Imports from the RCP file system
                    • scp: Imports from the SCP file system
                    • tftp: Imports from the TFTP file system
pkcs12_filename     (Optional) Specifies the name of the PKCS12 file to import.
pass_phrase         Specifies the pass phrase of the PKCS12 file.

Defaults            This command has no default settings.

Command Modes       Global configuration

Command History
Release                                                              Modification
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
78. dr local port remote ip remote ip addr port remote port port remote port ip remote ip addr show ssl proxy conn 4tuple local port ocal port remote ip remote ip addr port remote port port remote port ip remote ip addr show ssl proxy conn 4tuple local remote ip remote ip addr port remote port port remote port ip remote ip addr show ssl proxy conn module module show ssl proxy conn service name context name module module 4tuple Displays the TCP connections for a specific address local Optional Displays the TCP connections for a specific local device ip local ip addr IP address of a local device local port Port number of a local device remote Optional Displays the TCP connections for a specific remote device ip remote ip addr IP address of a remote device port remote port Port number of a remote device port local port Optional Displays the TCP connections for a specific local port module module Optional Displays the information for a specific module The available options for the module variable are as follows e all all CPUs e fdu FDU CPU e ssli SSL1 CPU e tep1 TCP1 CPU service name Displays the connections for a specific proxy service context name Optional Displays information about the specified context This command has no default settings EXEC Catalyst 6500 Series
79. e, use the clear ssl-proxy stats command.
clear ssl-proxy stats [context name | crypto | fdu | hdr | ipc | module module | pki | service name | ssl | tcp | url]

Syntax Description
context          (Optional) Clears statistics information about the context.
name             (Optional) Specifies the name of the context.
crypto           (Optional) Clears statistics information about the crypto.
fdu              (Optional) Clears statistics information about the FDU.
hdr              (Optional) Clears statistics information about HTTP header insertion.
ipc              (Optional) Clears statistics information about the inter-process communications (IPC).
module module    (Optional) Clears statistics information about the specified module type. The available options for the module variable are as follows:
                 • all: All CPUs
                 • fdu: FDU CPU
                 • ssl1: SSL1 CPU
                 • tcp1: TCP1 CPU
                 • tcp2: TCP2 CPU
pki              (Optional) Clears information about the public key infrastructure (PKI).
service name     (Optional) Clears statistics information for a specific service.
ssl              (Optional) Clears statistics information about the SSL.
tcp              (Optional) Clears statistics information about the TCP.
url              (Optional) Clears statistics information about URL rewrite.

Defaults         This command has no default settings.

Command Modes    EXEC

clear ssl-proxy stats

Command History
Re
80. e may not be removed or altered I OL 9105 01 Catalyst 6500 Series Switch SSL Services Module Command Reference AppendixB Acronyms Catalyst 6500 Series Switch SSL Services Module Command Reference OL 9105 01 Symbols character privileged EXEC mode prompt 1 5 character 1 8 1 10 asterisk 1 7 plus sign 1 7 period 1 7 command 1 1 caret 1 8 1 10 _ underscore 1 8 1 10 pipe or vertical bar specifying alternative patterns 1 10 Numerics 802 3ad See LACP A abbreviating commands context sensitive help 1 1 access control lists See ACLs acronyms listof A 1 Address Resolution Protocol See ARP audience vii INDEX binary decision diagrams See BDD Border Gateway Protocol See BGP bridge protocol data unit See BPDU Cc CAs exporting PEM 2 7 importing PEM 2 7 certificate authority pool entering configuration submode 2 51 certificate authority pool configuration submode entering 2 51 Cisco Express Forwarding See CEF CLI string search alternation 1 10 anchoring 1 10 expressions 1 7 filtering 1 7 multiple character patterns 1 9 multipliers 1 9 parentheses for recall 1 11 B searching outputs 1 7 bidirectional PIM single character patterns 1 7 See BIDIR using 1 7 Catalyst 6500 Series Switch SSL Services Module Command Reference T oL 9105 01 iN W index command line interface See CLI command modes accessing 1 5 exiting 1
81. e standard name that the SSL Services Module sends. If you have specified a prefix for header insertion, the prefix is also applied to the aliased name.

• SSL Session: Session headers, including the session ID, are used to cache client certificates that are based on the session ID. The session headers are also cached on a session basis if the server wants to track connections that are based on a particular cipher suite. When you specify session, the SSL Services Module passes information specific to an SSL connection to the back-end server in the form of the following session headers:

Field to insert                    Description
Session-Id                         The SSL session ID.
Session-Cipher-Name                The symmetric cipher suite.
Session-Cipher-Key-Size            The symmetric cipher key size.
Session-Cipher-Use-Size            The symmetric cipher use size.
Session-Step-Up                    TRUE if the server presented a step-up certificate and the client renegotiated the cipher; otherwise, FALSE.
Session-Initial-Cipher-Name        If Session-Step-Up is TRUE, the initially negotiated cipher name.
Session-Initial-Cipher-Key-Size    If Session-Step-Up is TRUE, the initially negotiated cipher's key size.
Session-Initial-Cipher-Use-Size    If Session-Step-Up is TRUE, the initially negotiated
82. ecause the letters are specified before the numbers.

Alternation

Alternation allows you to specify alternative patterns to match against a string. You separate the alternative patterns with a vertical bar (|). Exactly one of the alternatives can match the string. For example, the regular expression codex|telebit matches the string codex or the string telebit, but not both codex and telebit.

Anchoring

You can match a regular expression pattern against the beginning or the end of the string. That is, you can specify that the beginning or end of a string contains a specific pattern. You anchor these regular expressions to a portion of the string using the special characters shown in Table 1-6.

Table 1-6 Special Characters Used for Anchoring
Character    Description
^            Matches the beginning of the string.
$            Matches the end of the string.

This regular expression matches a string only if the string starts with abcd:
^abcd

In contrast, this expression is in a range that matches any single letter, as long as it is not the letters a, b, c, or d:
[^abcd]

With this example, the regular expression matches a string that ends with 12:
12$

Contrast these anchoring characters with the special character underscore (_). The underscore matches the beginning of a string (^), the end of a string ($), parentheses, space, braces, comma, or underscore (_). With the underscore character, you can specify that a pattern ex
83. ecifies the 56-bit DES-CBC encryption algorithm.
3des            Specifies the 168-bit DES (3DES) encryption algorithm.
url url         Specifies the URL location. Valid values are as follows:
                • ftp: Exports to the FTP file system
                • null: Exports to the NULL file system
                • nvram: Exports to the NVRAM file system
                • rcp: Exports to the RCP file system
                • scp: Exports to the SCP file system
                • system: Exports to the system file system
                • tftp: Exports to the TFTP file system
pass-phrase     Pass phrase that is used to protect the private key.

Defaults        This command has no default settings.

Command Modes   Global configuration

Command History
Release                              Modification
SSL Services Module Release 1.2(1)   Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)   The syntax for this command changed from crypto ca to crypto pki.

Usage Guidelines
The pass_phrase can be any phrase, including spaces and punctuation, except for the question mark (?), which has a special meaning to the Cisco IOS parser.

Pass phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.

A key that is marked as unexportable cannot be exported.
84. ecimal. This address is specified in RFC 2281, Cisco Hot Standby Router Protocol (HSRP).

Command Modes   Subinterface configuration submode

Command History
Release                              Modification
SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)   The command mode for this command was changed from Proxy VLAN to Subinterface.

Usage Guidelines
This command cannot be used on a Token Ring interface.

You can use HSRP to help end stations locate the first-hop gateway for IP routing. The end stations are configured with a default gateway. However, HSRP can provide first-hop redundancy for other protocols. Some protocols, such as Advanced Peer-to-Peer Networking (APPN), use the MAC address to identify the first hop for routing purposes. In this case, it is often necessary to be able to specify the virtual MAC address; the virtual IP address is unimportant for these protocols.

Use the standby mac-address command to specify the virtual MAC address. The specified MAC address is used as the virtual MAC address when the router is active.

This command is intended for certain APPN configurations. The parallel terms are shown in Table 2-11.

Table 2-11 Parallel Terms Between APPN and IP
APPN            IP
End node        Host
Network node    Router or gateway
85. ed with HSRP.
timers          (Optional) Adjusts HSRP router advertisement timers.
advertisement   (Optional) HSRP router advertisement interval in seconds; valid values are from 10 to 180 seconds.
holddown        (Optional) HSRP router holddown interval in seconds; valid values are from 61 to 3600.
unknown         (Optional) Allows ICMP packets to be sent when the next-hop IP address that is contained in the packet is unknown in the HSRP table of real IP addresses and active virtual IP addresses.

Defaults
The defaults are as follows:
• HSRP filtering of ICMP redirect messages is enabled if you configure HSRP on an interface.
• advertisement is 60 seconds.
• holddown is 180 seconds.

Command Modes   Subinterface configuration submode

Command History
Release                              Modification
SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)   The command mode for this command was changed from Proxy VLAN to Subinterface.

Usage Guidelines
You can configure the standby redirects command globally or on a per-interface basis. When you first configure HSRP on an interface, the setting for that interface inherits the global value. If you explicitly disable the filtering of ICMP redirects on an interface, then the global command cannot reenable this functionality.
86. ee times the hellotime value and not less than 50 milliseconds. Some HSRP state flapping can occasionally occur if the holdtime is set to less than 250 milliseconds and the processor is busy. It is recommended that holdtime values less than 250 milliseconds be used. Setting the process-max-time command to a suitable value may also help with flapping.

The value of the standby timer will not be learned through HSRP hellos if it is less than 1 second.

When group number 0 is used, no group number is written to NVRAM, providing backward compatibility.

Examples
This example sets, for group number 1 on Ethernet interface 0, the time between hello packets to 5 seconds and the time after which a router is considered to be down to 15 seconds:
interface ethernet 0
 standby 1 ip
 standby 1 timers 5 15

This example sets, for the hot router interface that is located at 172.19.10.1 on Ethernet interface 0, the time between hello packets to 300 milliseconds and the time after which a router is considered to be down to 900 milliseconds:
interface ethernet 0
 standby ip 172.19.10.1
 standby timers msec 300 msec 900

This example sets, for the hot router interface that is located at 172.18.10.1 on Ethernet interface 0, the time between hello packets to 15 milliseconds and the time after which a router is considered to be down to 50 milliseconds. Note that the holdtime is three times larger than the hellotime because the minimum holdtime value in millisecond
87. elp that is specific to a command mode a command a keyword or an argument Table 1 1 Getting Help Command Purpose abbreviated command entry Obtain a list of commands that begin with a particular character string Do not leave a space between the command and question mark abbreviated command entry lt Tab gt Complete a partial command name 2 List all commands available for a particular command mode I OL 9105 01 Catalyst 6500 Series Switch SSL Services Module Command Reference Chapter1 Command Line Interface W How to Find Command Options Table 1 1 Getting Help continued Command Purpose command List a command s associated keywords Leave a space between the command and question mark command keyword List a keyword s associated arguments Leave a space between the keyword and question mark This example shows how to obtain a list of commands that begin with a particular character string or complete a partial command name ssl proxy tu tunnel simpsonl 2 tu This example shows how to list all commands available for a particular command mode ssl proxy config Configure commands aaa Authentication Authorization and Accountin access list Add an access list entry alias Create command alias arp Set a static ARP entry async bootp Modify system bootp parameters banner Define a login banner boot Modify system boot parameters bridge Bridge Group
88. epl tcp cpu
• rewriting: content rewriting
• scanning: content scanning

The fdu type includes the following values:
• cli: Debugs the FDU CLI
• hash: Debugs the FDU hash
• ipc: Debugs the FDU IPC
• trace: Debugs the FDU trace

The pki type includes the following values:
• certs: Debugs the certificate management
• events: Debugs events
• history: Debugs the certificate history
• ipc: Debugs the IPC messages and buffers
• key: Debugs key management

The ssl type includes the following values:
• alert: Debugs the SSL alert events
• error: Debugs the SSL error events
• handshake: Debugs the SSL handshake events
• pkt: Debugs the received and transmitted SSL packets

debug ssl-proxy

Note: Use the TCP debug commands only to troubleshoot basic connectivity issues under little or no load conditions (for instance, when no connection is being established to the virtual server or real server). If you run TCP debug commands, the TCP module displays large amounts of debug information on the console, which can significantly slow down module performance. Slow module performance can lead to delayed processing of TCP connection timers, packets, and state transitions.

The tcp type includes the following values:
• events: Debugs the TCP e
89. er certificate added 0 Server certificate deleted 0 Server certificate rolled over 0 Server certificate completed 0 Intermediate CA certificate added 0 Intermediate CA certificate deleted 0 Root CA certificate added 0 Root CA certificate deleted 0 Certificate overwritten 0 History records written 0 History records read from NVRAM 0 Key cert table entries in use 0 ssl proxy This example shows how to display the HTTP header insertion statistics ssl proxy show ssl proxy stats hdr Header Insert Statistics Session Headers Inserted Session Id s Inserted Client IP Port Inserted Aliased Hdrs Inserted No End of Hdr Detected Desc Alloc Failed Client Cert Errors Service Errors Buffers allocated Insertion Points Found End of Header Found Multi buffer IP Port Multi buffer Session Hdr Scan Internal Error Custom Headers Inserted Client Cert Inserted PEM Cert Inserted Payload no HTTP header Buffer Alloc Failed Malloc failed Conn Entry Invalid Buffers Scanned Hdrs Spanning Records Buffers Accumulated Multi buffer Session Id Multi buffer Custom Hdr oo Oo oo 0 Oo 0 0 0 o o o o This example shows how to display context statistics ssl proxy show ssl proxy stats context Context name Default TCP Context Statistics Current conns ACTIVE 7 0 Num conns DROPPED hit max limit 0 Maximum conns ESTABLISHED fe This example shows how to display the URL rewrite statistics ssl proxy show ssl proxy sta
90. es Release 3.1(1) switches.

Usage Guidelines
The name argument is case sensitive.

After you enter the ssl-proxy context command, the prompt changes to the following:
ssl-proxy(config-context)#

After you enter the context submode, you can use the context submode commands listed in Table 2-10 to configure the context services.

Table 2-10 Context Submode Commands
Command                                                      Purpose and Guidelines                                                                         Defaults
default                                                      Set a command to its defaults.
description description                                      (Optional) Allows you to enter a short description for this context.
exit                                                         Exit from context configuration mode.
maxconns connections                                         (Optional) Configures the maximum number of connections for this context. Valid values are from 1 to 65536.   65536
natpool name start_ip_addr end_ip_addr netmask netmask       Configures the NAT pool settings. See the natpool section on page 2-30.
policy health-probe tcp policy-name                          Configures the TCP health probe policy. See the policy health-probe tcp section on page 2-31.
policy http-header policy-name                               Configures the HTTP header insertion policy. See the policy http-header section on page 2-34.
policy ssl policy-name                                       Co
91. fault and should not be shut down or otherwise configured.
interface ssl-proxy0.subinterface-number

Syntax Description
subinterface-number   Subinterface ID; valid values are from 0 to 4294967295.

Defaults              This command has no default settings.

Command Modes         Global configuration

Command History
Release                              Modification
SSL Services Module Release 3.1(1)   Support for this command was introduced on the Catalyst 6500 series SSL Services Module. This command replaces the ssl-proxy vlan command.

Usage Guidelines
When you upgrade to SSL software release 3.x from SSL software release 2.x or 1.x, the VLAN configuration is converted automatically to a subinterface configuration. For example, ssl-proxy vlan 3 is converted to interface ssl-proxy0.3.

Note: The ssl-proxy0 interface is enabled by default and should not be shut down or otherwise configured.

Table 2-1 lists the commands that are available in subinterface configuration submode.

Table 2-1 Subinterface Configuration Submode Command Descriptions
Syntax                                        Description
default                                       Sets a command to its defaults.
description                                   Allows you to enter a description for the subinterface.
encapsulation dot1q vlan_ID [native]          Sets the encapsulation type for the interface. Enter the native keyword to make this a native VLAN.
exit                                          Exits from the subinterface configuration submode.
ip address ip-address subnet [secondary]      Configures the subinterface with an IP address
92. fdu hdr ipc module pki service ssl tcp and url See the Usage Guidelines section for additional information Defaults This command has no default settings Command Modes EXEC Command History Release Modification Cisco IOS Release Support for this command was introduced on the Catalyst 6500 series 12 1 13 E and switches SSL Services Module Release 1 1 1 SSL Services Module The output of the show ssl proxy stats command was changed to Release 1 2 1 include information about the session allocation failure and session limit exceed table SSL Services Module This command was changed to add the following keywords Release 3 1 1 e content e context e hdr e module module e url Usage Guidelines The type values are defined as follows content Displays content scan object statistics context Displays context statistics information crypto Displays crypto statistics fdu Displays FDU statistics hdr Displays HTTP header insertion statistics ipc Displays IPC statistics I OL 9105 01 Catalyst 6500 Series Switch SSL Services Module Command Reference Chapter 2 Commands for the Catalyst 6500 Series SSL Services Module W show ssl proxy stats e module module Displays statistics for the specified module module type includes the following all all CPUs fdu FDU CPU ssliI SSL1 CPU tepl1 TCP1 CPU e pki Displays PKI statistics e service Di
93. ficate rsa general purpose trustpoint cert1024 ssl proxy config ctx ssl proxy policy health probe tcp probel ssl proxy config ctx ssl proxy inservice ssl proxy config ctx ssl proxy exit ssl proxy config context policy health probe tcp probel ssl proxy config ctx tcp probe end ssl proxy This example shows the state of the SSL proxy service when the health probe has failed Note The proxy service is down until service at port 81 is up and running again ssl proxy show ssl proxy service ssl 1 context ssl Service id 0 bound_service_id 256 Virtual IP 7 100 100 180 port 443 Server IP 19 0 0 1 port 81 TCP Health Probe Policy probel rsa general purpose certificate trustpoint cert1024 Certificate chain for new connections Certificate Key Label cert1024 key 1024 bit exportable Key Timestamp 05 18 23 UTC Dec 30 2005 Serial Number 12F332E200000000000D Root CA Certificate Serial Number 6522F512C30E078447D8AFC35567B101 Certificate chain complete Catalyst 6500 Series Switch SSL Services Module Command Reference OL 9105 01 _ Chapter 2 Commands for the Catalyst 6500 Series SSL Services Module Related Commands Context name ssl Context Id 1 Admin Status up Operation Status down Proxy status policy health probe tcp W Health Probe Failed This example shows how to configure TCP health probe to check whether service at port 81 is up and running on server IP address 19 0
94. g letters a, e, i, o, or u. One and only one of these characters must exist in the string for pattern matching to succeed.

To specify a range of single-character patterns, enclose the single-character patterns in square brackets ([ ]). For example, [aeiou] matches any one of the five vowels of the lowercase alphabet, while [abcdABCD] matches any one of the first four letters of the lower- or uppercase alphabet.

You can simplify ranges by entering only the endpoints of the range separated by a dash (-). Simplify the previous range as follows:
[a-dA-D]

To add a dash as a single-character pattern in your range, include another dash and precede it with a backslash:
[a-dA-D\-]

You can also include a right square bracket (]) as a single-character pattern in your range. To do so, enter the following:
[a-dA-D\-\]]

The previous example matches any one of the first four letters of the lower- or uppercase alphabet, a dash, or a right square bracket.

You can reverse the matching of the range by including a caret (^) at the start of the range. This example matches any letter except the ones listed:
[^a-dqsv]

This example matches anything except a right square bracket (]) or the letter d:
[^\]d]

Multiple-Character Patterns

Multipliers

When creating regular expressions, you
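The string-search rules on this page (alternation with |, anchoring with ^ and $, the underscore special character, and bracketed ranges from pages 82 and 94) can be exercised offline with the following Python. It is an added example, not part of the manual: it translates an IOS-style pattern into a standard regular expression (the underscore is the only IOS-specific character that needs translating) and applies include, exclude and begin filters over constructed sample show output; the interface names and addresses in the sample are made up.

```python
import re

# Constructed sample "show" output lines (not taken from the manual) to filter.
SAMPLE_OUTPUT = [
    "Interface GigabitEthernet1/1 is up, line protocol is up",
    "  Internet address is 10.1.1.1/24",
    "Interface Vlan12 is down, line protocol is down",
    "Standby group 1 active at 172.19.10.1 (local)",
    "codex entry 12",
    "telebit entry 120",
]

# Characters the IOS underscore stands for, besides start and end of string:
# space, parentheses, braces, comma and a literal underscore (Table 1-6).
_UNDERSCORE_CLASS = r"[ (){},_]"


def ios_to_python(pattern: str) -> str:
    """Translate an IOS CLI search pattern into a Python regular expression.

    IOS patterns use the same ^, $, |, [...] ranges and multipliers as Python,
    so those pass through unchanged.  The one IOS-specific special character is
    the underscore, which matches the beginning or end of the string, a space,
    parentheses, braces, a comma, or a literal underscore.  Inside a range
    ([...]) an underscore is an ordinary character and is left alone.
    """
    out = []
    in_range = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])  # backslash-escaped char (\- or \]): keep verbatim
            i += 2
            continue
        if ch == "[" and not in_range:
            in_range = True
        elif ch == "]" and in_range:
            in_range = False
        if ch == "_" and not in_range:
            out.append(r"(?:^|$|" + _UNDERSCORE_CLASS + ")")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def cli_filter(lines, action: str, pattern: str):
    """Emulate 'show ... | include|exclude|begin <pattern>' over output lines."""
    rx = re.compile(ios_to_python(pattern))
    if action == "include":
        return [line for line in lines if rx.search(line)]
    if action == "exclude":
        return [line for line in lines if not rx.search(line)]
    if action == "begin":
        # Output starts at the first line that matches and runs to the end.
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]
        return []
    raise ValueError(f"unknown filter action: {action}")


if __name__ == "__main__":
    # "12" matches Vlan12 and 120 too; "_12_" matches only the stand-alone 12.
    for action, pattern in [("include", "codex|telebit"), ("include", "^Interface"),
                            ("include", "12$"), ("include", "12"), ("include", "_12_"),
                            ("exclude", "down"), ("begin", "Standby")]:
        print(f"| {action} {pattern}")
        for line in cli_filter(SAMPLE_OUTPUT, action, pattern):
            print("   ", line)
```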
95. h online resources You can access Packet magazine at this URL http www cisco com packet iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue streamline their business and expand services The publication identifies the challenges facing these companies and the technologies to help solve them using real world case studies and business strategies to help readers make sound technology investment decisions You can access iQ Magazine at this URL http www cisco com go iqmagazine or view the digital edition at this URL http ciscoiq texterity com ciscoiq sample Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing developing and operating public and private internets and intranets You can access the Internet Protocol Journal at this URL http www cisco com ipj Networking products offered by Cisco Systems as well as customer support services can be obtained at this URL http www cisco com en US products index html Networking Professionals Connection is an interactive website for networking professionals to share questions suggestions and information about networking products and technologies with Cisco experts and other networking professionals Join a discussion at this URL http www cisco com discuss networking World class networking training is a
96. hapter2 Commands for the Catalyst 6500 Series SSL Services Module crypto key decryptrsa W crypto key decrypt rsa Syntax Description Defaults Command Modes Command History Usage Guidelines Examples Related Commands To delete the encrypted key and leave only the unencrypted key use the crypto key decrypt rsa command crypto key decrypt write rsa name key name passphrase passphrase write Optional Writes the configuration to the startup configuration name key name Optional Name of the key passphrase passphrase Pass phrase This command has no default settings Global configuration mode Release Modification SSL Services Module Support for this command was introduced on the Catalyst 6500 series Release 3 1 1 SSL Services Module Entering the write keyword immediately saves the unencrypted key to NVRAM If you do not enter the write keyword you must manually write the configuration to NVRAM otherwise the key remains encrypted the next time that the router is reloaded This example shows how to display the administration VLAN and related IP and gateway addresses ssl proxy config crypto key decrypt rsa name pkil 72a cisco com passphrase cisco1234 WARNING Configuration with decrypted key not saved Please save it manually as soon as possible to save decrypted key ssl proxy config end ssl proxy show crypto key mypubkey rsa Key name pkil 72a cisco com Usage General Purpose
97. he certificate associated with the trustpoint and does not look for a CA name match. By default, the SSL Services Module always looks for a CA name match before returning the certificate. If the SSL server does not include a CA name list in the certificate request during client authentication, the handshake fails.

By default, the SSL Services Module uses the maximum supported SSL protocol version (SSL2.0, SSL3.0, or TLS1.0) in the ClientHello message. Enter the tls-rollback {current | any} command if the SSL client uses the negotiated version instead of the maximum supported version, as specified in the ClientHello message.

When you enter the tls-rollback current command, the SSL protocol version can be either the maximum supported version or the negotiated version. When you enter the tls-rollback any command, the SSL protocol version is not checked at all.

Examples
This example shows how to enter the SSL policy configuration submode:
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# policy ssl sslpl1
ssl-proxy(config-ctx-ssl-policy)#

This example shows how to define the cipher suites that are supported for the SSL policy:
ssl-proxy(config-ctx-ssl-policy)# cipher RSA_WITH_3DES_EDE_CBC_SHA
ssl-proxy(config-ctx-ssl
...this URL: http://www.cisco.com/techsupport

You can access the Cisco website at this URL: http://www.cisco.com

You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

Cisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation.

The Product Documentation DVD is a comprehensive library of technical product documentation on portable media. The DVD enables you to access multiple versions of hardware and software installation, configuration, and command guides for Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available.

The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD) from Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace

Ordering Documentation

Beginning June 30, 2005, registered
...This command has no default settings.

Command Modes
  Global configuration

Command History
  Release                             Modification
  SSL Services Module Release 1.2(1)  Support for this command was introduced on the Catalyst 6500 series switches.

Usage Guidelines
  The pass phrase can be any phrase, including spaces and punctuation, except for the question mark (?), which has a special meaning to the Cisco IOS parser.

  Pass phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.

crypto key import rsa pem

Examples
  This example shows how to import a PEM-formatted RSA key from an external system and export the PEM-formatted RSA key to the SSL Services Module:

    ssl-proxy(config)# crypto key import rsa newkeys pem url scp: password
    % Importing public key or certificate PEM file...
    Address or name of remote host []? 7.0.0.7
    Source username [ssl-proxy]? lab
    Source filename [newkeys.pub]? test-keys.pub
    Password:
    Sending file modes: C0644 272 test-keys.pub
    Reading file from scp://lab@7.0.0.7/test-keys.pub
    % Importing private key PEM file...
    Address or name of remote host []? 7.0.0.7
    Source username [ssl-proxy]? lab
    Source filename [newkeys.prv]? test-keys.prv
    Password:
    Sending file modes: C0644 963 tes
  SSL Services Module Release 2.1(1)  This command was changed to add the following keywords:
                                      • authenticate
                                      • cache
                                      • certificate

ssl-proxy pki

Usage Guidelines
  The ssl-proxy pki history command enables logging of certificate history records per proxy service into memory and generates a syslog message per record. Each record tracks the addition or deletion of a key pair or certificate into the proxy service's key and certificate table. When the index of the table changes, this command logs the following information:
    • Key pair name
    • Trustpoint label
    • Service name
    • Subject name
    • Serial number of the certificate

  Up to 512 records can be stored in the memory at one time.

Examples
  This example shows how to specify the timeout in seconds for each request:

    ssl-proxy(config)#
    ssl-proxy(config)#

  This example shows how to specify the cache size:

    ssl-proxy(config)#
    ssl-proxy(config)#

  This example shows how to specify the aging timeout value of entries:

    ssl-proxy(config)#
    ssl-proxy(config)#

  This example shows how to specify the check-expiring interval:

    ssl-proxy(config)#
    ssl-proxy(config)#

  This example shows how to enable PKI event history:

    ssl-proxy(config)#
    ssl-proxy(config)#

Related Commands
  show ssl-proxy stats

ssl-proxy pki authe
...initial packets will not carry the ToS value.

Usage Guidelines
  TCP commands that you enter on the SSL Services Module can apply either globally or to a particular proxy server. You can configure a different maximum segment size for the client side and the server side of the proxy server.

  The TCP policy template allows you to define parameters that are associated with the TCP stack.

  You can either enter the no form of the command or use the default keyword to return to the default setting.

Examples
  This example shows how to enter the proxy policy TCP configuration submode:

    ssl-proxy(config)# ssl-proxy context s1
    ssl-proxy(config-context)# ssl-proxy policy tcp tcppl1
    ssl-proxy(config-ctx-tcp-policy)#

  These examples show how to set a given command to its default value:

    ssl-proxy(config-ctx-tcp-policy)# default timeout fin-wait
    ssl-proxy(config-ctx-tcp-policy)# default inactivity-timeout
    ssl-proxy(config-ctx-tcp-policy)# default buffer-share rx
    ssl-proxy(config-ctx-tcp-policy)# default buffer-share tx
    ssl-proxy(config-ctx-tcp-policy)# default mss
    ssl-proxy(config-ctx-tcp-policy)# default timeout syn
    ssl-proxy(config-ctx-tcp-policy)#

  This example shows how to define the FIN-wait timeout in seconds:

    ssl-proxy(config-ctx-tcp-policy)# timeout fin-wait 200
    ssl-proxy(config-ctx-tcp-policy)#

  This example shows how to define the inactivity timeout in seconds:

    ssl-proxy(config-ctx-tcp-policy)# timeout ina
...associate an SSL policy with a particular proxy server using the proxy server configuration CLI.

The SSL policy template allows you to define various parameters that are associated with the SSL handshake stack.

When you enter the close-notify strict command, the SSL Services Module sends a close-notify alert message to the SSL peer, and the SSL Services Module expects a close-notify alert message from the SSL peer. If the SSL Services Module does not receive a close-notify alert, SSL resumption is not allowed for that session.

When you enter the close-notify none command, the SSL Services Module does not send a close-notify alert message to the SSL peer, and the SSL Services Module does not expect a close-notify alert message from the SSL peer. The SSL Services Module preserves the session information so that SSL resumption can be used for future SSL connections.

When close-notify is disabled (default), the SSL Services Module sends a close-notify alert message to the SSL peer; however, the SSL peer does not expect a close-notify alert before removing the session. Whether the SSL peer sends the close-notify alert or not, the session information is preserved, allowing session resumption for future SSL connections.

The cipher suite names follow the same convention as the existing SSL s
...valid values are from y to 3000 milliseconds; y is greater than or equal to 3 times the hellotime and is not less than 50 milliseconds. The default is 10 seconds.

  This example shows how to enter the subinterface configuration submode:

    ssl-proxy(config)# interface ssl-proxy 0.6
    ssl-proxy(config-subif)#

  This example shows how to configure the specified subinterface with an IP address and subnet mask:

    ssl-proxy(config-subif)# ip address 208.59.100.18 255.0.0.0
    ssl-proxy(config-subif)#

  This example shows how to configure HSRP on the SSL module:

    ssl-proxy(config)# interface ssl-proxy 0.100
    ssl-proxy(config-subif)# ip address 10.1.0.20 255.255.255.0
    ssl-proxy(config-subif)# standby 1 ip 10.1.0.21
    ssl-proxy(config-subif)# standby 1 priority 110
    ssl-proxy(config-subif)# standby 1 preempt
    ssl-proxy(config-subif)# standby 2 ip 10.1.0.22
    ssl-proxy(config-subif)# standby 2 priority 100
    ssl-proxy(config-subif)# standby 2 preempt
    ssl-proxy(config-subif)# end
    ssl-proxy#

Related Commands
  show interfaces
  show ssl-proxy vlan

natpool

To define a pool of IP addresses, which the SSL Services Module uses for implementing the client
...configuration submode, use the service client command.

  service ssl-proxy-name client

Syntax Description
  ssl-proxy-name  SSL proxy service name.

Defaults
  Client NAT is disabled.

Command Modes
  Context subcommand mode

Command History
  Release                             Modification
  SSL Services Module Release 2.1(1)  Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)  The service client command entered in context subcommand mode replaces the ssl-proxy service client command entered in global subcommand mode.
                                      This command was changed to add the following submode commands:
                                      • policy health-probe tcp
                                      • policy http-header

Usage Guidelines
  You cannot use the same service_name for both the server proxy service and the client proxy service.

  In client proxy service configuration submode, you specify that the proxy service accept clear-text traffic, encrypt it into SSL traffic, and forward it to the back-end SSL server.

  In most cases, all of the SSL server proxy configurations that are performed are also valid for the SSL client proxy configuration, except for the following:

    • You must configure a certificate for the SSL server proxy, but you do not have to configure a certificate for the SSL client proxy. If you configure a certificate for the SSL client proxy, that certificate is sent in response to the certificate request message that is sent by the server during the client authentication phase of the handshake protocol.
    • The SSL policy is attached to the virtual sub
...ing  See MPLS
NetFlow Data Export  See NDE
network entity title  See NET
no form of a command, using  1-6

O
order-dependent merge algorithm  See ODD

P
paging prompt  see More prompt
per-VLAN spanning tree  See PVST
pipe symbol, specifying alternative patterns  1-10
PKI event history
  clearing the memory  2-91
  disabling  2-91
  enabling  2-91
policy service configuration submode, entering  2-52
privacy enhanced mail  See PEM
private VLANs  See PVLANs
privileged EXEC mode, summary  1-5
prompts, system  1-5
Protocol Independent Multicast  See PIM
proxy policy, displaying
  configured HTTP header information  2-72
  configured SSL information  2-72
  configured TCP information  2-72
  configured URL rewrite information  2-72

Q
Q-in-Q (802.1Q in 802.1Q)  See 802.1Q tunneling
QoS Device Manager  See QDM
question command  1-1

R
Rapid Spanning Tree Protocol  See RSTP
Rapid Spanning Tree Protocol+  See RSTP+
related documentation  vii
remote procedure call  See RPC
remote SPAN  See RSPAN
Reverse Path Forwarding  See RPF
RFC 2281, Cisco Hot Standby Router Protocol (HSRP)  2-101
ROM monitor mode, summary  1-6
Route Processor Redundancy  See RPR
Route Processor Redundancy+  See RPR+

S
Secure Sockets Layer  See SSL
server load balancing  See SLB
show commands
  filter  1-7
  search  1-7
single-character patterns, special
...inservice nat server virtual

  default                      Sets a command to its default settings.
  description                  Allows you to enter a description for the proxy service.
  exit                         Exits from proxy service or proxy client configuration submode.
  help                         Provides a description of the interactive help system.
  inservice                    Declares a proxy server or client as administratively up.
  nat {server | client natpool-name}
                               Specifies the usage of either server NAT or client NAT for the server-side connection that is opened by the SSL Services Module.
  policy health-probe tcp policy-name
                               Applies a TCP health probe policy to a proxy server.
  policy http-header policy-name
                               Applies an HTTP header insertion policy to a proxy server.
  policy urlrewrite policy-name
                               Applies a URL rewrite policy to a proxy server.
  server ipaddr ip-addr protocol protocol port portno [sslv2]
                               Defines the IP address of the target server for the proxy server. You can also specify the port number and the transport protocol. The target IP address can be a virtual IP address of an SLB device or a real IP address of a web server. The sslv2 keyword specifies the server that is used for handling SSL version 2 traffic.
  server policy tcp server-side-tcp-policy-name
                               Applies a TCP policy to the server side of a proxy server. You can specify the port number and the transport protocol.
  trusted-ca ca-pool-name      Applies a trusted certificate authenticate configuration to a proxy ser
...This command has no default settings.

Command Modes
  EXEC

Command History
  Release                             Modification
  SSL Services Module Release 3.1(1)  Support for this command was introduced on the Catalyst 6500 series SSL Services Module.

Examples
  This example shows how to display information about the configured subinterfaces:

    ssl-proxy# show interfaces 0.3
    SSL-Proxy0.3 is up, line protocol is up
      Hardware is STE, interface address is 0001.6445.c744 (bia 00e0.14c1.30e9)
      Internet address is 10.10.0.16/8
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation 802.1Q Virtual LAN, Vlan ID 3
      ARP type: ARPA, ARP Timeout 04:00:00
      Last clearing of "show interface" counters never
    ssl-proxy#

Related Commands
  policy tcp

show ssl-proxy buffers

To display information about TCP buffer usage, use the show ssl-proxy buffers command.

  show ssl-proxy buffers

Syntax Description
  This command has no arguments or keywords.

Defaults
  This command has no default settings.

Command Modes
  EXEC

Command History
  Release                                                                    Modification
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)         Support for this command was introduced on the Catalyst 6500 series switches.

Examples
  This example shows how to display the buffer usage and other information in the TCP subsyste
...this interface. Valid values for minutes are from 0 to 71582787 minutes. Valid values for seconds are from 0 to 59 seconds.

The valid values for configuring HSRP are as follows:

  • group-number  (Optional) Group number on the interface for which HSRP is being activated; valid values are from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2. See the standby version section on page 2-116 for information about changing the HSRP version. If you do not specify a group number, group 0 is used.
  • ip ip-addr  Specifies the IP address of the HSRP interface.
  • priority priority  Specifies the priority for the HSRP interface. Increase the priority of at least one interface in the HSRP group. The interface with the highest priority becomes active for that HSRP group.
  • preempt  Enables preemption. When you enable preemption, if the local router has a hot standby priority that is higher than the current active router, the local router attempts to assume control as the active router. If you do not configure preemption, the local router assumes control as the active router only if it receives information indicating that no router is in the active state (acting as the designated router).
  • delay  (Optional) Specifies the preemption delay. When a router first comes up, it does not have a complete routing table. If it is configured to preempt, it becomes the active router but cannot provide adequate routing services. Y
...exist anywhere in the string.

Chapter 1  Command-Line Interface
Using the CLI String Search

For example, _1300_ matches any string that has 1300 somewhere in the string. The string 1300 can be preceded by or end with a space, brace, comma, or underscore. For example, {1300_ matches the regular expression, but 21300 and 13000 do not.

Using the underscore character, you can replace long regular expression lists, such as the alternatives in which 1300 is anchored at the start or end of the line or delimited by a space, brace, comma, or underscore, with _1300_.

Parentheses for Recall

As shown in the "Multipliers" section on page 1-9, you use parentheses with multiple-character regular expressions to multiply the occurrence of a pattern. You can also use parentheses around a single- or multiple-character pattern to remember a pattern for use elsewhere in the regular expression.

To create a regular expression that recalls a previous pattern, you use parentheses to indicate a remembered specific pattern and a backslash (\) followed by an integer to reuse the remembered pattern. The integer specifies the occurrence of the parentheses in the regular expression pattern. If you have more than one remembered pattern in your regular expression, then \1 indicates the first remembered pattern, \2 indicates the second remembered pattern, and so on.

This regular expression uses parentheses fo
  SSL Services Module Release 3.1(1)  This command was changed to add the context name keyword.

Examples
  This example shows how to display information for a specific NAT address pool that is configured on the SSL Services Module:

    ssl-proxy# show ssl-proxy natpool
    No context name provided, assuming context Default
    natpool name  start ip       end ip         netmask    use count
    n1            207.57.110.1   207.57.110.8   255.0.0.0  2
    ssl-proxy#

  This example shows how to display information for a specific NAT address pool that is configured on the SSL Services Module:

    ssl-proxy# show ssl-proxy natpool n1
    No context name provided, assuming context Default
    Start ip: 207.57.110.1  End ip: 207.57.110.8  netmask: 255.0.0.0
    vlan associated with natpool: 2
    SSL proxy services using this natpool: s2 s3
    Num of proxies using this natpool: 2
    ssl-proxy#

Related Commands
  natpool

show ssl-proxy policy

To display the configured SSL proxy policies, use the show ssl-proxy policy command.

  show ssl-proxy policy {health-probe tcp [name] [context name] | http-header | ssl | tcp | url-rewrite} [name]

Syntax Description
  health-probe tcp  Displays the configured TCP health probe policies.
  name              (Optional) TCP health probe name.
  context name      (Optional) Displays the TCP health probe policies in this context.
  http-header       Displays the
  clear ssl-proxy content {all | rewrite | scanning} [module module]

Syntax Description
  all            Clears all content statistics.
  scanning       Clears scanning statistics.
  rewrite        Clears rewriting statistics.
  module module  (Optional) Clears statistics for the specified module type. The available options for the module variable are as follows:
                   • all   All CPUs
                   • fdu   FDU CPU
                   • ssl1  SSL1 CPU
                   • tcp1  TCP1 CPU
                   • tcp2  TCP2 CPU

Defaults
  This command has no default settings.

Command Modes
  EXEC

Command History
  Release                             Modification
  SSL Services Module Release 3.1(1)  Support for this command was introduced on the Catalyst 6500 series SSL Services Module.

Usage Guidelines
  To reset all the content statistics that the SSL Services Module maintains, use the clear ssl-proxy content all command.

Examples
  This example shows how to clear all of the content statistics:

    ssl-proxy# clear ssl-proxy content all

clear ssl-proxy session

To clear all entries from the session cache, use the clear ssl-proxy session command.

  clear ssl-proxy session [service name] [context name] [module module]

Syntax Description
  context name   (Optional) Clears the session cache for a specific context.
  module module  (Optional) Clears the session cache for the specified modu
                 ...module type. The available options for the module variable are as follows:
                   • all   All CPUs
                   • fdu   FDU CPU
                   • ssl1  SSL1 CPU
                   • tcp1  TCP1 CPU
                   • tcp2  TCP2 CPU
  service name   (Optional) Clears the session cache for the specified service.

Defaults
  This command has no default settings.

Command Modes
  EXEC

Command History
  Release                             Modification
  SSL Services Module Release 1.2(1)  Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)  This command was changed to add the following keywords:
                                      • context name
                                      • module module

Usage Guidelines
  To clear all entries from the session cache for all services, use the clear ssl-proxy session command without options.

Examples
  This example shows how to clear the entries from the session cache for the specified service on the SSL Services Module:

    ssl-proxy# clear ssl-proxy session service S6

  This example shows how to clear all entries in the session cache that are maintained on the SSL Services Module:

    ssl-proxy# clear ssl-proxy session
    ssl-proxy#

clear ssl-proxy stats

To reset the statistics counters that are maintained in the different system components on the SSL Services Modul
  Release                                                                Modification
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)     Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)                                     This command was changed to add the following keywords:
                                                                         • context name
                                                                         • hdr
                                                                         • module module
                                                                         • url

Usage Guidelines
  To reset all the statistics counters that the SSL Services Module maintains, use the clear ssl-proxy stats command without options.

Examples
  This example shows how to reset the statistics counters that are maintained in the different system components on the SSL Services Module:

    ssl-proxy# clear ssl-proxy stats crypto
    ssl-proxy# clear ssl-proxy stats ipc
    ssl-proxy# clear ssl-proxy stats pki
    ssl-proxy# clear ssl-proxy stats service S6

  This example shows how to clear all the statistics counters that the SSL Services Module maintains:

    ssl-proxy# clear ssl-proxy stats
    ssl-proxy#

crypto pki export pem

To export privacy enhanced mail (PEM) files from the SSL Services Module, use the crypto pki export pem command.

  crypto pki export trustpoint_label pem {terminal | url url} {des | 3des} pass_phrase

Syntax Description
  trustpoint_label  Name of the trustpoint.
  terminal          Displays the request on the terminal.
  des               Sp
  Release                                                                Modification
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)     Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 2.1(1)                                     This command was changed to add the following submode commands:
                                                                         • authenticate
                                                                         • policy urlrewrite policy-name
                                                                         • trusted-ca ca-pool-name
                                                                         • sslv2 (see the server ipaddr subcommand)
  SSL Services Module Release 3.1(1)                                     The service command entered in context subcommand mode replaces the ssl-proxy service command entered in global subcommand mode.
                                                                         This command was changed to add the following submode commands:
                                                                         • policy health-probe tcp policy-name
                                                                         • policy http-header policy-name

Usage Guidelines
  You cannot use the same service_name for both the server proxy service and the client proxy service.

  In proxy service configuration submode, you can configure the virtual IP address and port that is associated with the proxy service and the associated target IP address and port. You can also define TCP and SSL policies for both the client side (beginning with the virtual keyword) and the server side of the proxy (beginning with the server keyword).

  In client proxy service configuration submode, you specify that the proxy service accept clear-text traffic, encrypt it into SSL traffic, and forward it to the back-end SSL server.
Table 1-3  Summary of Main Command Modes (continued)

  Command Mode               Access Method                                   Prompt                        Exit Method
  Global configuration       From privileged EXEC mode, enter the            ssl-proxy(config)#            To exit to privileged EXEC mode, enter the exit or end command, or press Ctrl-Z.
                             configure terminal privileged EXEC command.                                   To enter interface configuration mode, enter an interface configuration command.
  Global configuration       From global configuration mode, enter a         ssl-proxy(config-submode)#    To exit to global configuration mode, enter the exit command.
  submode                    submode command.

Chapter 1  Command-Line Interface
Using the No and Default Forms of Commands

  Interface configuration    From global configuration mode, enter by        ssl-proxy(config-if)#         To exit to global configuration mode, enter the exit command.
                             specifying an interface with an interface                                     To exit to privileged EXEC mode, enter the end command or press Ctrl-Z.
                             command.                                                                      To enter subinterface configuration mode, specify a subinterface with the interface command.
  Subinterface configuration From interface configuration mode, specify a    ssl-proxy(config-subinterface)#
                             subinterface with an interface command.                                       To exit to global configuration mode, enter the exit command.
                                                                                                           To enter privileged EXEC mode, enter the end command or press Ctrl-Z.
  ROM monitor                From privileged EXEC                             rommon>
...Policy TCP Configuration Submode Command Descriptions

Syntax Description
  ca        Configures a certificate authority. The available subcommand is as follows:
              trustpoint ca-trustpoint-name  Configures a certificate authority trustpoint. Use the no form of this command to return to the default setting.
  default   Sets a command to its default settings.
  exit      Exits from proxy service configuration submode.
  help      Allows you to configure the connection establishment timeout; valid values are from 5 to 75 seconds. Use the no form of this command to return to the default setting.

Examples
  This example shows how to add a certificate authority trustpoint to a pool:

    ssl-proxy(config)# ssl-proxy context s1
    ssl-proxy(config-context)# pool ca test1
    ssl-proxy(config-ctx-ca-pool)# ca trustpoint test20
    ssl-proxy(config-ctx-ca-pool)#

service

To enter the proxy service configuration submode, use the service command.

  service ssl-proxy-name [client]

Syntax Description
  ssl-proxy-name  SSL proxy name.
  client          (Optional) Allows you to configure the SSL client proxy services. See the service client command.

Defaults
  Server NAT is enabled, and client NAT is disabled.

Command Modes
  Context subcommand mode

Command History
  Re
    <cr>
    ssl-proxy(config-if)#

  In this example, the auto keyword is entered. After you enter the auto keyword, enter a ? to display what you must enter next on the command line. Because a <cr> is displayed, it indicates that you can press Return to complete the command. If additional keywords are listed, you can enter more keywords or press Return to complete the command.

    ssl-proxy(config-if)# channel-group 1 mode auto
    ssl-proxy(config-if)#

  In this example, press Return to complete the command.

Chapter 1  Command-Line Interface
Understanding Command Modes

Understanding Command Modes

This section contains descriptions of the command modes for the Cisco IOS user interface.

Cisco IOS User Interface

The Cisco IOS user interface is divided into many different modes. The commands that are available to you depend on which mode you are currently in. You can obtain a list of commands that are available for each command mode by entering a question mark (?) at the system prompt.

When you start a session on the Catalyst 6500 series switch, you begin in user mode, often called EXEC mode. Only a limited subset of the commands are available in EXEC mode. In order to have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. From privileged EXEC mode
...m:

    ssl-proxy# show ssl-proxy buffers
    Buffers info for TCP module 1
      TCP data buffers used 2817 limit 88064
      TCP ingress buffer pool size 44032 egress buffer pool size 44032
      TCP ingress data buffers min-thresh 5636096 max-thresh 9017344
      TCP ingress data buffers used Current 0 Max 0
      TCP ingress buffer RED shift 9 max drop prob 10
      Conns consuming ingress data buffers 0
      Buffers with App 0
      TCP egress data buffers used Current 0 Max 0
      Conns consuming egress data buffers 0
      In-sequence queue bufs 0 OOO bufs 0
      Per-flow avg qlen 0 Global avg qlen 0
    ssl-proxy#

Related Commands
  policy tcp

show ssl-proxy certificate-history

To display information about the event history of the certificate, use the show ssl-proxy certificate-history command.

  show ssl-proxy certificate-history [service name]

Syntax Description
  service name  Displays all certificate records of a proxy service and, optionally, for a specific proxy service.

Defaults
  This command has no default settings.

Command Modes
  EXEC

Command History
  Release                                                                Modification
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)     Support for this command was introduced on the Catalyst 6500 series switches.

Usage Guidelines
  The show ssl
Appendix A  Acronyms

Table A-1  List of Acronyms (continued)

  Acronym  Expansion
  RMON     remote network monitor
  ROM      read-only memory
  ROMMON   ROM monitor
  RP       route processor or rendezvous point
  RPC      remote procedure call
  RPF      reverse path forwarding
  RPR      Route Processor Redundancy
  RPR+     Route Processor Redundancy+
  RSPAN    remote SPAN
  RST      reset
  RSTP     Rapid Spanning Tree Protocol
  RSTP+    Rapid Spanning Tree Protocol plus
  RSVP     ReSerVation Protocol
  SAID     Security Association Identifier
  SAP      service access point
  SCM      service connection manager
  SCP      Switch Module Configuration Protocol
  SDLC     Synchronous Data Link Control
  SFP      small form-factor pluggable
  SGBP     Stack Group Bidding Protocol
  SIMM     single in-line memory module
  SLB      server load balancing
  SLCP     Supervisor Line-Card Processor
  SLIP     Serial Line Internet Protocol
  SMDS     Software Management and Delivery Systems
  SMF      software MAC filter
  SMP      Standby Monitor Present
  SMRP     Simple Multicast Routing Protocol
  SMT      Station Management
  SNAP     Subnetwork Access Protocol
  SNMP     Simple Network Management Protocol
  SPAN     Switched Port Analyzer
  SREC     S-Record format (Motorola-defined format for ROM contents)
  SSL      Secure Sockets Layer
  SSM      Source Specific Multicast
  SSTP     Cisco Shared Spanning Tree
...compared, and the higher IP address has priority. The priority of the device can change dynamically if an interface is configured with the standby track command and another interface on the router goes down.

standby priority

Examples
  This example shows how to change the router priority:

    ssl-proxy(config-subif)# standby priority 120
    ssl-proxy(config-subif)#

Related Commands
  standby track

standby redirects

To enable HSRP filtering of Internet Control Message Protocol (ICMP) redirect messages, use the standby redirects command. Use the no form of this command to disable the HSRP filtering of ICMP redirect messages.

  standby redirects [enable | disable] [timers advertisement holddown] [unknown]
  no standby redirects [unknown]

Syntax Description
  enable   (Optional) Allows the filtering of ICMP redirect messages on interfaces that are configured with HSRP, where the next-hop IP address may be changed to an HSRP virtual IP address.
  disable  (Optional) Disables the filtering of ICMP redirect messages on interfaces that are configur
    [show ssl-proxy conn output: connection table with columns Remote Address, VLAN, Conid, Send-Q, Recv-Q, and State (TWAIT); the row values are not recoverable from this extraction]
    ssl-proxy#

show ssl-proxy context

To display context information, use the show ssl-proxy context command.

  show ssl-proxy context [name]

Syntax Description
  name  (Optional) Name of the context.

Defaults
  This command has no default settings.

Command Modes
  EXEC

Command History
  Release              Modification
  SSL Services Module  Sup
122. n can be displayed using the show track command.

Examples
This example shows how to track the IP-routing capability of serial interface 1/0. HSRP on Ethernet interface 0/0 registers with the tracking process to be informed of any changes to the IP-routing state of serial interface 1/0. If the IP state on serial interface 1/0 goes down, the priority of the HSRP group is reduced by 10.

If both serial interfaces are operational, Router A becomes the HSRP active router because it has the higher priority. However, if IP routing on serial interface 1/0 in Router A fails, the HSRP group priority is reduced and Router B takes over as the active router, thus maintaining a default virtual gateway service to hosts on the 10.1.0.0 subnet.

Router A Configuration
track 100 interface serial1/0 ip routing
interface Ethernet0/0
 ip address 10.1.0.21 255.255.0.0
 standby 1 ip 10.1.0.1
 standby 1 priority 105
 standby 1 track 100 decrement 10

Router B Configuration
track 100 interface serial1/0 ip routing
interface Ethernet0/0
 ip address 10.1.0.22 255.255.0.0
 standby 1 ip 10.1.0.1
 standby 1 priority 100
 standby 1 track 100 decrement 10

Related Commands
standby preempt
standby priority

standby use-bia
Syntax Description
Defaults
Command Modes
Command His
123. nal) Specifies the preemption delay after a reload only.
sync delay    (Optional) Specifies the maximum synchronization period, in delay seconds.

Defaults
The defaults are as follows:
- group-number is 0.
- delay is 0 seconds (the router preempts immediately).
By default, the router that comes up later becomes the standby router.

Command Modes
Subinterface configuration submode

Command History
Release    Modification
SSL Services Module Release 2.1(1)    Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)    The command mode for this command was changed from Proxy VLAN to Subinterface.

Usage Guidelines
The delay argument causes the local router to postpone taking over the active role for delay (minimum) seconds since that router was last restarted.

When you use this command, the router is configured to preempt, which means that when the local router has a hot standby priority that is higher than the current active router, the local router should attempt to assume control as the active router. If you do not configure preemption, the local router assumes control as the active router only if it receives information indicating that no router is in the active state (acting as the designated router).

When a router first comes up, it does not have a complete routing table. If you configure the router to preempt, it becomes the active router, but it cannot provide adequate routing services. You can configure a delay before the preempting router ac
124. nd UNLOCKED
Key is exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
Key pair was generated at: 16:00:11 PST Feb 28 2002
ssl-proxy#

Related Commands
crypto key decrypt rsa
crypto key encrypt rsa
crypto key lock rsa

debug ssl-proxy
To turn on the debug flags in different system components, use the debug ssl-proxy command. Use the no form of this command to turn off the debug flags.

debug ssl-proxy {app | content [type] | fdu [type] | flash | module module | health-probe | ipc | pki [type] | ssl [type] | tcp [type] | vlan}

Syntax Description
app    Turns on App debugging.
content [type]    Turns on content debugging; optional type valid values are detail, error, ipc, module module, rewriting, and scanning. See the "Usage Guidelines" section for additional information.
fdu [type]    Turns on FDU debugging; optional type valid values are cli, hash, ipc, and trace. See the "Usage Guidelines" section for additional information.
flash    Turns on Flash debugging.
module module    Specifies the module to be debugged. The available options for the module variable are as follows:
- fdu (FDU CPU)
- ssl1 (SSL1 CPU)
- tcp1 (TCP1 CPU)
health-probe
125. nfigures the SSL policy. See the "policy ssl" section on page 2-39.
policy tcp policy-name    Configures the TCP policy. See the "policy tcp" section on page 2-45.
policy url-rewrite policy-name    Configures the URL rewrite policy. See the "policy url-rewrite" section on page 2-49.
pool ca name    Configures a pool of resources. See the "pool ca" section on page 2-51.
service service_name    Enters SSL-proxy service subcommand mode and lets you configure the SSL client or server proxy service. See the "service" section on page 2-52 for information about SSL-proxy services.
vrf name name    Configures the VRF associated with this context.

Examples
This example shows how to configure the context hubble:
ssl-proxy# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context hubble
ssl-proxy(config-context)# vrf name hubble
ssl-proxy(config-context)# service hubble
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 3.100.100.108 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 5.100.100.41 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint shuttle
ssl-proxy(config-ctx-ssl-proxy)# nat client hubble
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# natpool hubble 5.100.100.20 5.100.100.27 ne
126. ning this test will impact run-time performance. To display the results of the self-test, enter the show ssl-proxy stats crypto command.

Examples
This example shows how to start a cryptographic self-test:
ssl-proxy(config)# ssl-proxy crypto selftest
ssl-proxy(config)#

ssl-proxy mac address
To configure a MAC address, use the ssl-proxy mac address command.

ssl-proxy mac address mac-addr

Syntax Description
mac-addr    MAC address; see the "Usage Guidelines" section for additional information.

Defaults
This command has no default settings.

Command Modes
Global configuration

Command History
Release    Modification
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)    Support for this command was introduced on the Catalyst 6500 series switches.

Usage Guidelines
Enter the MAC address in this format: H.H.H

Examples
This example shows how to configure a MAC address:
ssl-proxy(config)# ssl-proxy mac address 00e0.b0ff.232
ssl-proxy(config)#

Related Commands
show ssl-proxy mac address

ssl-proxy pki
To configure and define the PKI im
127. nticate timeout 200
ssl-proxy pki cache size 50
ssl-proxy pki cache timeout 20
ssl-proxy pki certificate check-expiring interval 100
ssl-proxy pki history

ssl-proxy crypto key unlock rsa
To unlock the key automatically after a reload, use the ssl-proxy crypto key unlock rsa command.

ssl-proxy crypto key unlock rsa key-name passphrase passphrase

Syntax Description
key-name    Name of the key.
passphrase    Pass phrase.

Defaults
This command has no default settings.

Command Modes
Global configuration

Command History
Release    Modification
SSL Services Module Release 3.1(1)    Support for this command was introduced on the Catalyst 6500 series SSL Services Module.

Examples
This example shows how to unlock the keys automatically after a reload:
ssl-proxy(config)# ssl-proxy crypto key unlock rsa pki1-72a.cisco.com passphrase cisco1234
ssl-proxy(config)#

ssl-proxy ip frag ttl
To adjust the IP fragment reassembly timer, use the ssl-proxy ip frag ttl command.

ssl-proxy ip frag ttl time

Syntax Description
time    (Optional) Adj
128. ntinue if the peer does not respond to the renegotiation request after timeout. This setting is disabled by default, and the session is disconnected after timeout.
[no] session-cache    Allows you to enable the session caching feature. Use the no form of this command to disable session caching.
session-cache size size    Specifies the maximum number of session entries to be allocated for a given service; valid values are from 1 to 262143 entries.
timeout handshake timeout    Allows you to configure how long the module keeps the connection in the handshake phase; valid values are from 0 to 65535 seconds.
timeout session timeout [absolute]    Allows you to configure the session timeout. The syntax description is as follows:
- timeout: Session timeout; valid values are from 0 to 72000 seconds.
- absolute: (Optional) The session entry is not removed until the configured timeout has completed.
tls-rollback {current | any}    Allows you to specify whether the SSL protocol version number in the TLS/SSL premaster secret message is either the maximum version or the negotiated version (current), or whether the version is not checked (any).
version {all | ssl3 | tls1}    Allows you to set the version of SSL to one of the following:
- all: Both SSL3 and TLS1 versions are used.
- ssl3: SSL version 3 is used.
- tls1: TLS version 1 is used.

You can define the SSL policy templates using the policy ssl ssl-policy-name command and assoc
129. oad 2-97
standby ip 2-99
standby mac-address 2-101
standby mac-refresh 2-103
standby name 2-104
standby preempt 2-105
standby priority 2-107
standby redirects 2-109
standby timers 2-111
standby track 2-113
standby use-bia 2-115
standby version 2-116
Acronyms A-1
Acknowledgments for Open Source Software B-1

Preface
This preface describes the audience, organization, and conventions of this publication and provides information on how to obtain related documentation.

Audience
This publication is for experienced network administrators who are responsible for configuring and maintaining Catalyst 6500 series switches.

Organization
This publication is organized as follows:
Chapter    Title    Description
Chapter 1    Command-Line Interface    Describes the Catalyst 6500 series switch CLI.
Chapter 2    Commands for the Catalyst 6500 Series Switch SSL Services Module    Lists alphabetically and provides detailed information for commands specific to the Catalyst 6500 series switch SSL Services Module.
Appendix A    Acronyms    Defines the acronyms used in this publication.

Related Documentation
The Catalyst 6500 series switch Cisco IOS documentation set includes these documents:
- Release Notes for Catalyst 6500 Series Switch
130. om type-of-proxy server_proxy_1024_bit_key_size
ssl-proxy(config-ctx-http-header-policy)#

This example shows how to add the prefix string into the HTTP header:
ssl-proxy(config-ctx-http-header-policy)# prefix SSL-OFFLOAD
ssl-proxy(config-ctx-http-header-policy)#

This example shows how to pass information that is specific to an SSL connection to the back-end server as session headers:
ssl-proxy(config-ctx-http-header-policy)# session
ssl-proxy(config-ctx-http-header-policy)#

This example shows how to create a header alias for the standard session cipher-name header:
ssl-proxy(config-ctx-http-header-policy)# alias My-Session-Cipher session-cipher-name

policy http-header

In addition to the standard HTTP headers, the following header information is inserted:

Note: The alias name My-Session-Cipher is used instead of the standard name session-cipher-name.

SSL-OFFLOAD-Client-IP: 7.100.100.1
SSL-OFFLOAD-Client-Port: 59008
SSL-OFFLOAD-SOFTWARE-VERSION: 3.1(1)
SSL-OFFLOAD-module: SSL-MODULE-CATALYST-6500
SSL-OFFLOAD-type-of-proxy: server_proxy_1024_bit_key_size
SSL-OFFLOAD-Session-Id: 33:FF:2C:2D:25:15:3C:50:56:AB:FA:5A:81:0A:EC:E9:00:00:0A:03:00:60:2F:30:9C:2F:CD:56:2B:91:F2:FF
SSL-OFFLOAD-My-Session-Cipher: RC4-SHA
131. ord Release 3.1(1)

Examples
This example shows how to display all the VLANs that are configured on the SSL Services Module:
ssl-proxy# show ssl-proxy vlan
VLAN index: 2
Associated with interface SSL-Proxy0.2 (UP)
IP addr: 207.10.0.16    NetMask: 255.0.0.0
VLAN index: 3
Associated with interface SSL-Proxy0.3 (UP)
IP addr: 208.10.0.16    NetMask: 255.0.0.0
VLAN index: 4
Associated with interface SSL-Proxy0.4 (UP)
IP addr: 209.10.0.16    NetMask: 255.0.0.0
ssl-proxy#

Related Commands
interface ssl-proxy

snmp-server enable
To configure the SNMP traps and informs, use the snmp-server enable command. Use the no form of this command to disable SNMP traps and informs.

snmp-server enable {informs | traps} [ipsec | isakmp | snmp | ssl-proxy [cert-expiring] [oper-status]]
no snmp-server enable {informs | traps} [ipsec | isakmp | snmp | ssl-proxy [cert-expiring] [oper-status]]

Syntax Description
informs    Enables SNMP informs.
traps    Enables SNMP traps.
ipsec    Enables IPsec traps.
isakmp    Enables ISAKMP traps.
snmp    Enables SNMP traps.
ssl-proxy    Enables SNMP SSL-proxy notification traps.
cert-expiring    (Optional) Enables SSL-proxy certificate-expiring notification traps.
oper-status    (Optional) Enables SSL-proxy operation status notific
132. orting private key
Address or name of remote host []? 7.0.0.7
Destination username [ssl-proxy]? lab
Destination filename [test-keys.prv]?
Password:
Writing test-keys.prv
Writing file to scp://lab@7.0.0.7/test-keys.prv
Password:
ssl-proxy(config)#

crypto key import rsa pem
To import a PEM-formatted RSA key from an external system, use the crypto key import rsa pem command.

crypto key import rsa keylabel pem [usage-keys] {terminal | url url} [exportable] passphrase

Syntax Description
keylabel    Name of the key.
usage-keys    (Optional) Specifies that two special-usage key pairs should be generated instead of one general-purpose key pair.
terminal    Displays the request on the terminal.
url url    Specifies the URL location. Valid values are as follows:
- ftp: Imports from the FTP file system.
- null: Imports from the null file system.
- nvram: Imports from the NVRAM file system.
- rcp: Imports from the RCP file system.
- scp: Imports from the SCP file system.
- system: Imports from the system file system.
- tftp: Imports from the TFTP file system.
exportable    (Optional) Specifies that the key can be exported.
passphrase    Pass phrase. T
133. ou can configure a delay before the preempting router actually preempts the currently active router.

interface ssl-proxy

- type time    Specifies the preemption type and delay; valid values are as follows:
  minimum time    Specifies the minimum delay period in delay seconds; valid values are from 0 to 3600 seconds (1 hour).
  reload time    Specifies the preemption delay after a reload only.
  sync time    Specifies the maximum synchronization period in delay seconds.
- timers [msec] hellotime holdtime    Configures the time between hello packets and the time before other routers declare the active hot standby or standby router to be down; valid values are as follows:
  msec    (Optional) Interval in milliseconds. Millisecond timers allow for faster failover.
  hellotime    Hello interval in seconds; valid values are from to 254 seconds. If you specify the msec keyword, the hello interval is in milliseconds; valid values are from 15 to 999 milliseconds. The default is 3 seconds.
  holdtime    Time in seconds before the active or standby router is declared to be down; valid values are from x to 255, where x is the hellotime plus 50 milliseconds, rounded up to the nearest 1 second. If you specify the msec keyword, the holdtime is in milliseconds; val
134. outers reside on different rings, configuring the standby use-bia command can prevent confusion about the routing information field (RIF).

Without the scope interface keywords, the standby use-bia command applies to all subinterfaces on the major interface. You cannot enter the standby use-bia command both with and without the scope interface keywords at the same time.

Examples
This example shows how to map the virtual MAC address to the virtual IP address:
ssl-proxy(config-subif)# standby use-bia
ssl-proxy(config-subif)#

standby version
To change the version of the Hot Standby Router Protocol (HSRP), use the standby version command.

standby version {1 | 2}

Syntax Description
1    Specifies HSRP version 1.
2    Specifies HSRP version 2.

Defaults
The default HSRP version is 1.

Command Modes
Subinterface configuration submode

Command History
Release    Modification
SSL Services Module Release 2.1(1)    Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)    The command mode for this command was changed from Proxy VLAN to Subinterface.

Usage Guidelines
HSRP version 2 addresses limitations of HSRP version 1 by providing an expanded group number range of 0 to 4095. HSRP version 2 will not interoper
135. overload conditions if memory is available:
ssl-proxy(config)# no ssl-proxy ssl ratelimit
ssl-proxy(config)#

standby authentication
To configure an authentication string for HSRP, use the standby authentication command. Use the no form of this command to delete an authentication string.

standby [group-number] authentication text string
no standby [group-number] authentication text string

Syntax Description
group-number    (Optional) Group number on the interface to which this authentication string applies. Valid values are from 0 to 255 for HSRP version 1; valid values are from 0 to 4095 for HSRP version 2. See the "standby version" section on page 2-116 for information about changing the HSRP version.
text string    Specifies the authentication string, which can be up to eight characters.

Defaults
The defaults are as follows:
- group-number is 0.
- string is cisco.

Command Modes
Subinterface configuration submode

Command History
Release    Modification
SSL Services Module Release 2.1(1)    Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)    The command mode for this command was changed from Proxy VLAN to Subinterface.

Usage Guidelines
HSRP ignores unauthenticated HSR
136. oxy)#

This example shows how to configure a clear-text web server for the SSL Services Module to forward the decrypted traffic:
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 207.50.0.50 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)#

This example shows how to configure a TCP policy for the given clear-text web server:
ssl-proxy(config-ctx-ssl-proxy)# server policy tcp tcppl1
ssl-proxy(config-ctx-ssl-proxy)#

This example shows how to configure a NAT pool for the client address that is used in the server connection of the specified service (SSL offload):
ssl-proxy(config-ctx-ssl-proxy)# nat client NP1
ssl-proxy(config-ctx-ssl-proxy)#

This example shows how to enable a NAT server address for the server connection of the specified service (SSL offload):
ssl-proxy(config-ctx-ssl-proxy)# nat server
ssl-proxy(config-ctx-ssl-proxy)#

Related Commands
show ssl-proxy service

show interfaces ssl-proxy
To display information about the configured subinterfaces, use the show interfaces ssl-proxy command.

show interfaces ssl-proxy 0.subinterface

Syntax Description
subinterface-number    Subinterface ID; valid values are from 0 to 4294967295. Th
137. oxy policy url-rewrite urlrw-policy
No context name provided, assuming context Default
Rule    URL                Clearport    SSLport
1       wwwin.cisco.com    80           443
2       www.cisco.com      8080         444
Usage count of this policy: 0
ssl-proxy#

This example shows how to display information about the TCP health-probe policy:
ssl-proxy# show ssl-proxy policy health-probe tcp
No context name provided, assuming context Default
TCP Health Probe Policy Name    Usage Count
tcp-health                      1

This example shows how to display information about the specified TCP health-probe policy:
ssl-proxy# show ssl-proxy policy health-probe tcp tcp-health
No context name provided, assuming context Default
TCP Health Probe Details: tcp-health
Server Port number: 80
Interval between probe: 30
Interval between failed probe: 60
TCP Connection open timeout: 80
Maximum retries for success probe: 3
No of policy users: 1
SSL proxy services using this policy: s3 (Connected)
Usage count of this policy: 1

Related Commands
policy health-probe tcp
policy http-header
policy ssl
policy tcp
policy url-rewrite

show ssl-proxy service
To display information about the configured SSL virtual service, use the show ssl-proxy service command.
138. patterns. Table 1-5 lists the special characters that specify multiples of a regular expression.

Table 1-5 Special Characters Used as Multipliers
Character    Description
*    Matches 0 or more single- or multiple-character patterns.
+    Matches 1 or more single- or multiple-character patterns.
?    Matches 0 or 1 occurrences of the single- or multiple-character patterns.

This example matches any number of occurrences of the letter a, including none:
a*
This pattern requires that at least one letter a in the string is matched:
a+
This pattern matches the string bb or bab:
ba?b
This string matches any number of asterisks:
\**

Chapter 1 Command-Line Interface: Using the CLI String Search

To use multipliers with multiple-character patterns, you enclose the pattern in parentheses. In the following example, the pattern matches any number of the multiple-character string ab:
(ab)*
As a more complex example, this pattern matches one or more instances of alphanumeric pairs (but not none; that is, an empty string is not a match):
([A-Za-z][0-9])+
The order for matches using multipliers (*, +, or ?) is to put the longest construct first. Nested constructs are matched from outside to inside. Concatenated constructs are matched beginning at the left side of the construct. The regular expression matches A9b3, but not 9Ab3 b
139. plementation on the SSL Services Module, use the ssl-proxy pki command. Use the no form of this command to disable the logging and clear the memory.

ssl-proxy pki {authenticate timeout seconds | cache {size entries | timeout minutes} | certificate check-expiring interval hours | history}
no ssl-proxy pki {authenticate | cache | certificate | history}

Syntax Description
authenticate    Configures the certificate authentication and authorization.
timeout seconds    Specifies the timeout in seconds for each request; valid values are from 1 to 600 seconds.
cache    Configures the peer certificate cache.
size entries    Specifies the maximum number of cache entries; valid values are from 0 to 5000 entries.
timeout minutes    Specifies the aging timeout value of entries; valid values are from to 600 minutes.
certificate    Configures the check-expiring interval.
check-expiring interval hours    Specifies the check-expiring interval; valid values are from 0 to 720 hours.
history    Key and certificate history.

Defaults
The default settings are as follows:
- timeout seconds: 180 seconds
- size entries: 0 entries
- timeout minutes: 15 minutes
- interval hours: 0 hours (do not check)

Command Modes
Global configuration

Command History
Release    Modification
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)    Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module T
140. policy)#

This example shows how to enable the SSL session closing protocol and configure the strict closing protocol behavior:
ssl-proxy(config-ctx-ssl-policy)# close-protocol strict
ssl-proxy(config-ctx-ssl-policy)#

This example shows how to disable the SSL session closing protocol:
ssl-proxy(config-ctx-ssl-policy)# no close-protocol
ssl-proxy(config-ctx-ssl-policy)#

These examples show how to set a given command to its default setting:
ssl-proxy(config-ctx-ssl-policy)# default cipher
ssl-proxy(config-ctx-ssl-policy)# default close-protocol
ssl-proxy(config-ctx-ssl-policy)# default session-cache
ssl-proxy(config-ctx-ssl-policy)# default version
ssl-proxy(config-ctx-ssl-policy)#

This example shows how to enable a session cache:
ssl-proxy(config-ctx-ssl-policy)# session-cache
ssl-proxy(config-ctx-ssl-policy)#

This example shows how to disable a session cache:
ssl-proxy(config-ctx-ssl-policy)# no session-cache
ssl-proxy(config-ctx-ssl-policy)#

This example shows how to set the maximum number of session entries to be allocated for a given service:
ssl-proxy(config-ctx-ssl-policy)# session-cache size 22000
ssl-proxy(config-ctx-ssl-policy)#

This example shows how to configure the session timeout to absolute:
ssl-proxy(config-ctx-ssl-policy)# timeout session 30000 absolute
ssl-proxy(config-ctx-ssl-policy)#

These examples show how to enable the support of different SSL versions:
ssl-proxy(config-ctx-ssl-policy)# ver
141. policy configuration submode.

Table 2-4 SSL Policy Configuration Submode Command Descriptions (continued)
Syntax    Description
help    Provides a description of the interactive help system.
renegotiation volume size    Allows you to enable autorenegotiation and specifies the data volume size in kilobytes. When the encrypted or decrypted data amount exceeds this size, the SSL Services Module sends a renegotiation request. This setting is disabled by default. The valid range is from 1024 to 1073741824 kilobytes.
renegotiation interval time    Allows you to enable autorenegotiation and specifies the interval in seconds. After the set interval, the SSL Services Module sends a renegotiation request. This setting is disabled by default. The valid range is from 60 to 86400 seconds.
renegotiation wait-time time    (Optional) When you enable autorenegotiation, this command specifies the amount of time in seconds that the SSL Services Module waits for the peer to respond to the renegotiation request. The default is 100 seconds. The valid range is from 10 to 300 seconds.
renegotiation optional    (Optional) When you enable autorenegotiation, the SSL Services Module allows the session to co
142. policy for the test1 policy:
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# policy url-rewrite test1
ssl-proxy(config-ctx-url-rewrite-policy)# no www.cisco.com clearport 80 sslport 443 redirectonly
ssl-proxy(config-ctx-url-rewrite-policy)#

Related Commands
show ssl-proxy policy

pool ca
To enter the certificate authority pool configuration submode, use the pool ca command. In the certificate authority pool configuration submode, you can configure a certificate authority pool, which lists the CAs that the module can trust.

pool ca ca-pool-name

Syntax Description
ca-pool-name    Certificate authority pool name.

Defaults
This command has no arguments or keywords.

Command Modes
Context subcommand mode

Command History
Release    Modification
SSL Services Module Release 2.1(1)    Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)    The pool ca command entered in context subcommand mode replaces the ssl-proxy pool ca command entered in global subcommand mode.

Usage Guidelines
Enter each certificate authority pool configuration submode command on its own line.

Table 2-7 lists the commands that are available in certificate authority pool configuration submode.

Table 2-7 Proxy po
143. policy http-header
To enter the HTTP header insertion configuration submode, use the policy http-header command.

policy http-header http-header-policy-name

Syntax Description
http-header-policy-name    HTTP header policy name.

Defaults
This command has no default settings.

Command Modes
Context subcommand mode

Command History
Release    Modification
SSL Services Module Release 2.1(1)    Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3.1(1)    The policy http-header command entered in context subcommand mode replaces the ssl-proxy policy http-header command entered in global subcommand mode. This command was changed to add the following submode commands:
- client-cert pem
- alias

Usage Guidelines
In HTTP header insertion configuration submode, you can define the HTTP header insertion content policy that is applied to the payload.

HTTP header insertion allows you to insert additional HTTP headers to indicate to the real server that the connection is actually an SSL connection. These headers allow server applications to collect correct information for each SSL session and/or client.

You can insert these header types:
- Client Certificate: Client certificate header insertion allows the back-end server to see the attributes of the client certificate that the SSL module has authenticated and approved. When you specify client-cert, the SSL module passes the
144. port for this command was introduced on the Catalyst 6500 series SSL Services Module (SSL Services Module Release 3.1(1)).

Examples
This example shows how to display all context information on the SSL Services Module:
ssl-proxy# show ssl-proxy context
Total number of contexts: 2
Context Name    VRF    Num Proxies
Default    2
c1    200

This example shows how to display specific context information on the SSL Services Module:
ssl-proxy# show ssl-proxy context Default
Context id: 0
Number of proxies: 2
Num max conns allowed: 65536
Context Default has the following service(s) configured: s2 s3
ssl-proxy#

show ssl-proxy crash-info
To collect information about the software-forced reset from the SSL Services Module, use the show ssl-proxy crash-info command.

show ssl-proxy crash-info [brief | details]

Syntax Description
brief    (Optional) Collects a small subset of software-forced reset information, limited to processor registers.
details    (Optional) Collects the full set of software-forced reset information, including the exception and interrupt stacks dump; this process can take up to 10 minutes to complete printing.

Defaults
This command has no default settings.

Command Modes
EXEC

Command History
Release    Modification
Cisco IOS Release    Support for
145. proxy certificate-history command displays these records:
- Service name
- Key pair name
- Generation or import time
- Trustpoint name
- Certificate subject name
- Certificate issuer name
- Serial number
- Date

A syslog message is generated for each record. The oldest records are deleted after the limit of 512 records is reached.

show ssl-proxy certificate-history

Examples
This example shows how to display the event history of all the certificate processing:
ssl-proxy# show ssl-proxy certificate-history
Record 1, Timestamp: 00:00:51, 16:36:34 UTC Oct 31 2002
OID: Installed Server Certificate Index: 5
Proxy Service: s1, Trust Point: t3
Key Pair Name: k3, Key Usage: RSA General Purpose, Exportable
Time of Key Generation: 12:27:58 UTC Oct 30 2002
Subject Name: OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235
Issuer Name: CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA = <16> simpson-pki@cisco.com
Serial Number: 5D3D1931000100000D99
Validity Start Time: 21:58:12 UTC Oct 30 2002
End Time: 22:08:12 UTC Oct 30 2003
Renew Time: 00:00:00 UTC Jan 1 1970
End of Certificate Record
Record 2, Timestamp: 00:01:06, 16:36:49 UTC Oct 31 2002
Installed Server Certifica
146. r recall:

  a(.)bc(.)\1\2

This regular expression matches an a followed by any character (call it character 1), followed by bc, followed by any character (character 2), followed by character 1 again, and then followed by character 2 again. The regular expression can match aZbcTZT. The software remembers that character 1 is Z and character 2 is T and then uses Z and T again later in the regular expression.

CHAPTER 2
Commands for the Catalyst 6500 Series Switch SSL Services Module

This chapter contains an alphabetical listing of commands for the Catalyst 6500 series switch SSL Services Module. For additional SSL Services Module information, refer to the following documentation:
• Catalyst 6500 Series Switch SSL Services Module Configuration Note
• Catalyst 6500 Series Switch SSL Services Module System Message Guide
• Catalyst 6500 Series Switch SSL Services Module Installation and Verification Note

clear ssl-proxy conn
To clear all TCP connections on the entire system, use the clear ssl-proxy conn command.
147. standby timers
To configure the time between hello packets and the time before other routers declare the active hot standby or standby router to be down, use the standby timers command. Use the no form of this command to return to the default settings.

  standby [group-number] timers [msec] hellotime [msec] holdtime
  no standby [group-number] timers [msec] hellotime [msec] holdtime

Syntax Description
  group-number   (Optional) Group number on the interface to which the timers apply.
  msec           (Optional) Specifies the interval in milliseconds.
  hellotime      Hello interval in seconds; see the Usage Guidelines section for valid values.
  holdtime       Time in seconds before the active or standby router is declared to be down; see the Usage Guidelines section for valid values.

Defaults
  The defaults are as follows:
  • group-number is 0
  • hellotime is 3 seconds
  • holdtime is 10 seconds

Command Modes
  Subinterface configuration submode

Command History
  Release                              Modification
  SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)   The command mode for this command was changed from Proxy VLAN to Subinterface.

Usage Guidelines
The valid values for hellotime are as follows:
• If you did not enter the msec keyword, valid values are from to 254 second
148. r to the availability of its tracked objects. Use the track interface or track ip route global configuration command to track an interface object or an IP route object. The HSRP client can register its interest in the tracking process by using the standby track command and take action when the object changes. When a tracked object goes down, the priority decreases by 10. If an object is not tracked, its state changes do not affect the priority. For each object configured for hot standby, you can configure a separate list of objects to be tracked.

The optional priority argument specifies how much to decrement the hot standby priority when a tracked object goes down. When the tracked object comes back up, the priority is incremented by the same amount. When multiple tracked objects are down, the decrements are cumulative, whether configured with priority values or not.

Use the no standby [group-number] track command to delete all tracking configuration for a group.

When you use group number 0, no group number is written to NVRAM, providing backward compatibility. The standby track command syntax prior to Release 12.2(15)T is still supported. Using the older form will cause a tracked object to be created in the new tracking process. This tracking informatio
149. rn to the default setting.
  default   Sets a command to its default settings.
  delayed-ack-threshold delay   Allows you to configure the delayed ACK threshold. The default is 2. The valid range is from 1 to 10.
  delayed-ack-timeout timer   Allows you to configure the delayed ACK timeout. The default is 200 seconds. The valid range is from 50 to 500 seconds.
  exit   Exits from proxy service configuration submode.
  forced-ack   Allows you to enable the forced ACK algorithm.
  help   Provides a description of the interactive help system.
  [no] mss max-segment-size-in-bytes   Allows you to configure the maximum segment size that the connection identifies in the generated SYN packet; valid values are from 64 to 1460. Use the no form of this command to return to the default setting.
  [no] nagle   Allows you to enable or disable the Nagle algorithm. Nagle is enabled by default.
  [no] timeout fin-wait timeout-in-seconds   Allows you to configure the FIN-wait timeout; valid values are from 75 to 600 seconds. Use the no form of this command to return to the default setting.
  [no] timeout inactivity timeout-in-seconds   Allows you to configure the inactivity timeout; valid values are from 0 to 960 seconds. This command allows you to set the aging timeout for an idle connection and helps protect the connection resources. Use the no form of this command to return to the default setting.
  [no] timeout syn timeout-in-seconds
150. rsions 2.x through 8.x. Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:

  http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

The link on this page has the current PGP key ID in use.

Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day at this URL:

  http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

  http://tools.cisco.com/RPF/register/register.do
151. s
• If you enter the msec keyword, valid values are from 15 to 999 milliseconds.

The valid values for holdtime are as follows:
• If you did not enter the msec keyword, valid values are from x to 255 seconds, where x is the hellotime plus 50 milliseconds, rounded up to the nearest second.
• If you enter the msec keyword, valid values are from y to 3000 milliseconds, where y is greater than or equal to 3 times the hellotime and is not less than 50 milliseconds.

If you specify the msec keyword, the hello interval is in milliseconds. Millisecond timers allow for faster failover.

The standby timers command configures the time between standby hello packets and the time before other routers declare the active or standby router to be down. Routers or access servers on which timer values are not configured can learn timer values from the active or standby router. The timers configured on the active router always override any other timer settings. All routers in a Hot Standby group should use the same timer values. Normally, holdtime is greater than or equal to three times the value of hellotime. The range of values for holdtime force the holdtime to be greater than the hellotime. If the timer values are specified in milliseconds, the holdtime is required to be at least thr
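As an added example (not from the Cisco reference), a small Python checker that applies the hellotime and holdtime rules above to a standby timers line. It assumes a lower bound of 1 second for the hellotime-in-seconds range, which is not legible in this copy, and treats the "three times hellotime" guideline for second-granularity timers as a warning rather than an error, since the text calls it the normal case rather than an enforced range.

```python
import math

# Ranges as given in the standby timers usage guidelines. The lower bound of the
# hellotime-in-seconds range is not legible in this copy of the page; 1 second is
# assumed here.
HELLO_SEC_RANGE = (1, 254)
HELLO_MSEC_RANGE = (15, 999)
HOLD_SEC_MAX = 255
HOLD_MSEC_MAX = 3000


def min_holdtime_sec(hello_ms):
    """x: the hellotime plus 50 milliseconds, rounded up to the nearest second."""
    return math.ceil((hello_ms + 50) / 1000)


def min_holdtime_msec(hello_ms):
    """y: at least three times the hellotime and not less than 50 milliseconds."""
    return max(3 * hello_ms, 50)


def check_standby_timers(hello, hold, hello_msec=False, hold_msec=False):
    """Return a list of findings for the given hellotime/holdtime pair.

    An empty list means the timers are acceptable. Findings starting with
    'error' violate a documented range; a 'warning' marks a configuration the
    ranges accept but which departs from the holdtime >= 3 x hellotime guideline.
    """
    findings = []
    lo, hi = HELLO_MSEC_RANGE if hello_msec else HELLO_SEC_RANGE
    unit = "ms" if hello_msec else "s"
    if not lo <= hello <= hi:
        findings.append(f"error: hellotime {hello}{unit} outside {lo}-{hi}{unit}")

    hello_ms = hello if hello_msec else hello * 1000
    if hold_msec:
        lo, hi, unit = min_holdtime_msec(hello_ms), HOLD_MSEC_MAX, "ms"
    else:
        lo, hi, unit = min_holdtime_sec(hello_ms), HOLD_SEC_MAX, "s"
    if not lo <= hold <= hi:
        findings.append(f"error: holdtime {hold}{unit} outside {lo}-{hi}{unit}")

    hold_ms = hold if hold_msec else hold * 1000
    if not findings and hold_ms < 3 * hello_ms:
        findings.append("warning: holdtime is less than three times hellotime")
    return findings


def check_standby_timers_line(line):
    """Parse one 'standby [group] timers [msec] hello [msec] hold' line and check it."""
    tokens = line.split()
    i = tokens.index("timers") + 1
    hello_msec = tokens[i] == "msec"
    if hello_msec:
        i += 1
    hello = int(tokens[i])
    i += 1
    hold_msec = tokens[i] == "msec"
    if hold_msec:
        i += 1
    hold = int(tokens[i])
    return check_standby_timers(hello, hold, hello_msec, hold_msec)


if __name__ == "__main__":
    # Constructed configuration lines: the defaults, the millisecond example
    # from the reference, a holdtime below the y bound, and a legal but
    # aggressive second-granularity pair.
    for cfg in ("standby timers 3 10",
                "standby timers msec 15 msec 50",
                "standby timers msec 15 msec 40",
                "standby 1 timers 1 2"):
        print(cfg, "->", check_standby_timers_line(cfg) or "ok")
```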
152. s
• cipher rsa-exp-with-des40-cbc-sha
• cipher rsa-exp-with-rc4-40-md5
• cipher rsa-exp1024-with-des-cbc-sha
• cipher rsa-exp1024-with-rc4-56-md5
• cipher rsa-exp1024-with-rc4-56-sha
• cipher rsa-with-null-md5
• renegotiation volume
• renegotiation interval
• renegotiation wait time
• renegotiation optional

Usage Guidelines
Each SSL policy configuration submode command is entered on its own line. Table 2-4 lists the commands available in SSL policy configuration submode.

Table 2-4 SSL Policy Configuration Submode Command Descriptions
  Syntax   Description
  cert-req-empty   Allows you to specify that the SSL Services Module backend service always returns the certificate associated with the trustpoint and does not look for a CA name match.
  cipher suite {all | all-export | all-strong | rsa-exp-with-des40-cbc-sha | rsa-exp-with-rc4-40-md5 | rsa-exp1024-with-des-cbc-sha | rsa-exp1024-with-rc4-56-md5 | rsa-exp1024-with-rc4-56-sha | rsa-with-3des-ede-cbc-sha | rsa-with-des-cbc-sha | rsa-with-null-md5 | rsa-with-rc4-128-md5 | rsa-with-rc4-128-sha}   Allows you to configure a list of cipher suites acceptable to the proxy server.
  [no] close-protocol {strict | none}   Allows you to configure the SSL close-protocol behavior. Use the no form of this command to disable close-protocol.
  default {cipher | close-protocol | session-cache | version}   Sets a command to its default settings.
  exit   Exits from SSL
153. s is 50:

  interface ethernet 0
   standby ip 172.18.10.1
   standby timers msec 15 msec 50

standby track
To configure HSRP to track an object and change the hot standby priority based on the state of the object, use the standby track command. Use the no form of this command to remove the tracking.

  standby [group-number] track object-number [decrement priority]
  no standby [group-number] track object-number [decrement priority]

Syntax Description
  group-number         (Optional) Group number to which the tracking applies.
  object-number        Object number in the range from 1 to 500 representing the object to be tracked.
  decrement priority   (Optional) Specifies the amount by which the hot standby priority for the router is decremented (or incremented) when the tracked object goes down (or comes back up).

Defaults
  The defaults are as follows:
  • group-number is 0
  • priority is 10

Command Modes
  Subinterface configuration submode

Command History
  Release                              Modification
  SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module Release 3.1(1)   The command mode for this command was changed from Proxy VLAN to Subinterface.

Usage Guidelines
This command ties the hot standby priority of the route
154. sco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.

Do not enter the do command in EXEC mode. Interruption of service may occur.

You cannot use the do command to execute the configure terminal command, because entering the configure terminal command changes the mode to configuration mode.

You cannot use the do command to execute the copy or write command in the global configuration or any other configuration mode or submode.

This example shows how to execute the EXEC-level show interfaces command from within global configuration mode:

  ssl-proxy(config)# do show interfaces serial 3/0
  Serial3/0 is up, line protocol is up
    Hardware is M8T-RS232
    MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
    Encapsulation HDLC, loopback not set, keepalive set (10 sec)
    Last input never, output 1d17h, output hang never
    Last clearing of "show interface" counters never
  ssl-proxy(config)#

interface ssl-proxy
To enter the subinterface configuration submode, use the interface ssl-proxy command. In interface configuration submode, you can configure a subinterface for the SSL Services Module.

Note  The ssl-proxy0 interface is enabled by de
155. sion all
  ssl-proxy(config-ctx-ssl-policy)# version ssl3
  ssl-proxy(config-ctx-ssl-policy)# version tls1
  ssl-proxy(config-ctx-ssl-policy)#

Related Commands
  show ssl-proxy stats
  show ssl-proxy stats ssl

policy tcp
To enter the proxy policy TCP configuration submode, use the policy tcp command. In proxy policy TCP configuration submode, you can define the TCP policy templates.

  policy tcp tcp-policy-name

Syntax Description
  tcp-policy-name   TCP policy name.

Defaults
  The defaults are as follows:
  • buffer-share rx is 32768 bytes
  • buffer-share tx is 32768 bytes
  • delayed-ack-threshold is 2
  • delayed-ack-timeout is 200 seconds
  • mss is 1460 bytes
  • nagle is enabled
  • timeout syn is 75 seconds
  • timeout reassembly is 60 seconds
  • timeout inactivity is 600 seconds
  • timeout fin-wait is 600 seconds
  • tos carryover is disabled

Command Modes
  Context subcommand mode

Command History
  Release                                                               Modification
  Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module
156. splays proxy service statistics
• ssl   Displays SSL detailed statistics
• tcp   Displays TCP detailed statistics
• url   Displays URL rewrite statistics

Examples
This example shows how to display all the statistics counters that are collected on the SSL Services Module:

  ssl-proxy# show ssl-proxy stats
  TCP Statistics:
    Conns initiated     : 20636    Conns accepted
    Conns established   : 28744    Conns dropped
    Conns closed        : 41272    SYN timeouts
    Idle timeouts       : 0        Total pkts sent
    Data packets sent   : 0        Data bytes sent
    Total Pkts rcvd     : 70016    Pkts rcvd in seq
    Bytes rcvd in seq   : 0
  SSL Statistics:
    conns attempted     : 20636    conns completed
    full handshakes     : 0        resumed handshakes
    active conns        : 0        active sessions
    renegs attempted    : 0        conns in reneg
    handshake failures  : 20636    data failures
    fatal alerts rcvd   : 0        fatal alerts sent
    no cipher alerts    : 0        ver mismatch alerts
    no compress alerts  : 0        bad macs received
    pad errors          : 0        session fails
  FDU Statistics:
    IP Frag Drops       : 0        Serv_Id Drops
    Conn Id Drops       : 0        Bound Conn Drops
    Vlan Id Drops       : 0        Checksum Drops
    IOS Congest Drops   : 0        IP Version Drops
    Hash Full Drops     : 0        Hash Alloc Fails
    Flow Creates        : 41272    Flow Deletes
    conn_id allocs      : 41272    conn_id deallocs
    Tagged Drops        : 0        Non Tagged Drops
    Add ipcs            : 33       Delete ipcs
    Disable ipcs        :          Enable ipcs
    Unsolicited ipcs    :          Duplicate ADD ipcs
    IOS broadcast pkts  : 29433    IOS unicast pkts   : 2063
    IOS total pkts      : 29438
  ssl-proxy#
157. To exit ROM monitor mode, you must reload the image by entering the boot command. If you use the boot command without specifying a file or any other boot instructions, the system boots from the default Flash image (the first image in onboard Flash memory). Otherwise, you can instruct the system to boot from a specific Flash image using the boot system flash filename command. (Access method: from the mode, enter the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting.)

For more information on command modes, refer to the "Using the Command-Line Interface" chapter of the Configuration Fundamentals Configuration Guide.

Note  You can issue EXEC-level Cisco IOS commands (such as show, clear, and debug commands) from within global configuration mode or other modes by issuing the do command followed by the EXEC command. See the do command for information on how to use this command.

Using the No and Default Forms of Commands
Almost every configuration command has a no form. In general, enter the no form to disable a function. Use the command without the keyword no to reenable a disabled function or to enable a function that is disabled by default. For example, IP routing is enabled by default. To disable IP routing, specify the no ip routing command, and specify the ip routing command to reenable it. This publication provides the complete syntax for the configuration commands and describes what the no form of
158. standby mac-address
In an APPN network, an end node is typically configured with the MAC address of the adjacent network node. Use the standby mac-address command in the routers to set the virtual MAC address to the value that is used in the end nodes.

Examples
This example shows how to configure HSRP group 1 with the virtual MAC address:

  ssl-proxy(config-subif)# standby 1 mac-address 4000.1000.1060
  ssl-proxy(config-subif)#

Related Commands
  show standby
  standby version

standby mac-refresh
To change the interval at which packets are sent to refresh the MAC cache when HSRP is running over FDDI, use the standby mac-refresh command. Use the no form of this command to restore the default value.

  standby mac-refresh seconds
  no standby mac-refresh

Syntax Description
  seconds   Number of seconds in the interval at which a packet is sent to refresh the MAC cache; valid values are from 1 to 255 seconds.

Defaults
  seconds is 10 seconds

Command Modes
  Subinterface configuration submode

Command History
  Release                              Modification
  SSL Services Module Release 2.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.
  SSL Services Module                  The command mode for this command was changed from Pro
159. t-keys.prv
  Reading file from scp://lab@7.0.0.7/test-keys.prv
  Key pair import succeeded.
  ssl-proxy(config)#

crypto key lock rsa
To lock the encrypted private key, use the crypto key lock rsa command.

  crypto key lock rsa [name key-name] passphrase passphrase

Syntax Description
  name key-name           (Optional) Name of the key.
  passphrase passphrase   Pass phrase.

Defaults
  This command has no default settings.

Command Modes
  EXEC

Command History
  Release                              Modification
  SSL Services Module Release 3.1(1)   Support for this command was introduced on the Catalyst 6500 series switches.

Usage Guidelines
After the key is locked, it cannot be used to authenticate the router to a peer device. This behavior disables any IPsec or SSL connections that use the locked key. Any existing IPsec tunnels created on the basis of the locked key will be closed. If all RSA keys are locked, SSH will automatically be disabled.

Examples
This example shows how to lock the key pki1-72a.cisco.com. Enter the show crypto key mypubkey rsa command to verify that the key is protected (encrypted) and locked:

  ssl-proxy# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234
  ssl-proxy# show crypto key mypubkey rsa
  Key name: pki1-72a.cisco.com
  Usage: General Purpose Ke
160. tack top
  printing 1024 bytes from stack top

This example shows how to collect a small subset of software-forced reset information:

  ssl-proxy# show ssl-proxy crash-info brief
  ===== SSL SERVICE MODULE - START OF CRASHINFO COLLECTION =====
  ===== COMPLEX 0 [FDU_IOS] =====
  CRASH INFO: Error: CLI detected an error. Crashinfo fragment 0: Remote system reports: Bad fragment received.
  ===== COMPLEX 1 [TC] =====
  CLI detected an error in TC: wrong MAGIC (0) in FDU_IOS crash info (wrong magic). P_SSL crash info from core 2 at offset 0: error: wrong crashinfo magic. Reception abort.
  ===== SSL SERVICE MODULE - END OF CRASHINFO COLLECTION =====
161. tacks.

The cipher suites that are acceptable to the proxy server are as follows:
• all-export   All export ciphers
• all-strong   All strong ciphers (default)
• all   All supported ciphers
• RSA_WITH_3DES_EDE_CBC_SHA   RSA with 3des-sha
• RSA_WITH_DES_CBC_SHA   RSA with des-sha
• RSA_WITH_RC4_128_MD5   RSA with rc4-md5
• RSA_WITH_RC4_128_SHA   RSA with rc4-sha
• RSA_EXP_WITH_DES40_CBC_SHA   RSA export with des40-sha
• RSA_EXP_WITH_RC4_40_MD5   RSA export with rc4-md5
• RSA_EXP1024_WITH_DES_CBC_SHA   RSA export1024 with des-sha
• RSA_EXP1024_WITH_RC4_56_MD5   RSA export1024 with rc4-md5
• RSA_EXP1024_WITH_RC4_56_SHA   RSA export1024 with rc4-sha
• RSA_WITH_NULL_MD5   RSA with null-md5

If you enter the timeout session timeout absolute command, the session entry is kept in the session cache for the configured timeout before it is cleaned up. If the session cache is full, the timers are active for all the entries, and the absolute keyword is configured, all further new sessions are rejected.

If you enter the timeout session timeout command without the absolute keyword, the specified timeout is treated as the maximum timeout, and a best-effort attempt is made to keep the session entry in the session cache. If the session cache runs out of session entries, the session entry that is currently being used is removed for incoming new connections.

When you enter the cert-req-empty command, the SSL Services Module back-end service always returns t
162. Note  Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or, for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL: http
163. standby ip

Examples
This example shows how to activate HSRP for group 1 on Ethernet interface 0. The IP address that is used by the hot standby group is learned using HSRP:

  ssl-proxy(config-subif)# standby 1 ip
  ssl-proxy(config-subif)#

This example shows how to indicate that the IP address is a secondary hot standby router interface:

  ssl-proxy(config-subif)# standby ip 1.1.1.254
  ssl-proxy(config-subif)# standby ip 1.2.2.254 secondary
  ssl-proxy(config-subif)# standby ip 1.3.3.254 secondary

standby mac-address
To specify a virtual MAC address for HSRP, use the standby mac-address command. Use the no form of this command to revert to the standard virtual MAC address (0000.0C07.ACxy).

  standby [group-number] mac-address mac-address
  no standby [group-number] mac-address

Syntax Description
  group-number   (Optional) Group number on the interface for which HSRP is being activated. The default is 0.
  mac-address    MAC address.

Defaults
If this command is not configured and the standby use-bia command is not configured, the standard virtual MAC address is used: 0000.0C07.ACxy, where xy is the group number in hexad
164. te Index: 6
    Proxy Service: s5
    Trust Point: t10
    Key Pair Name: k10
    Key Usage: RSA General Purpose, Exportable
    Time of Key Generation: 07:56:43 UTC Oct 11 2002
    Subject Name: CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = simpson5-2.ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235
    Issuer Name: CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA = <16> simpson-pki@cisco.com
    Serial Number: 24BC81B7000100000D85
    Validity Start Time: 22:38:00 UTC Oct 19 2002
    End Time: 22:48:00 UTC Oct 19 2003
    Renew Time: 00:00:00 UTC Jan 1 1970
  End of Certificate Record
  Record 3
    Timestamp: 00:01:34 16:37:18 UTC Oct 31 2002
    Installed Server Certificate Index: 7
    Proxy Service: s6
    Trust Point: t10
    Key Pair Name: k10
    Key Usage: RSA General Purpose, Exportable
    Time of Key Generation: 07:56:43 UTC Oct 11 2002
    Subject Name: CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = simpson5-2.ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235
    Issuer Name: CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA = <16> simpson-pki@cisco.com
    Serial Number: 24BC81B7000100000D85
    Validity Start Time: 22:38:00 UTC Oct 19 2002
    End Time: 22:48:00 UTC Oct 19 2003
    Renew Time: 00:00:00 UTC Jan 1 1970
  End of Certificate Record
  Record 4
    Timestamp: 00:01:40 16:37:23 UTC Oct 31 2002
    Deleted Server Certificate Index: 0
    Proxy Service: s6
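As an added example (not from the Cisco reference), a Python parser for the show ssl-proxy certificate-history output shown in the records above: it splits the history into records, keeps the per-certificate fields, and reports which installed certificates had already expired on a chosen audit date and which services had a certificate deleted. The sample output is constructed to follow the record layout above, one field per line; the field names are the page's, the audit date and the helper names are mine.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the record layout of
# "show ssl-proxy certificate-history" (one field per line).
SAMPLE = """\
Record 1
  Timestamp: 00:00:51 16:36:34 UTC Oct 31 2002
  Installed Server Certificate Index: 5
  Proxy Service: s1
  Trust Point: t3
  Key Pair Name: k3
  Serial Number: 5D3D1931000100000D99
  Validity Start Time: 21:58:12 UTC Oct 30 2002
  End Time: 22:08:12 UTC Oct 30 2003
End of Certificate Record
Record 2
  Timestamp: 00:01:06 16:36:49 UTC Oct 31 2002
  Installed Server Certificate Index: 6
  Proxy Service: s5
  Trust Point: t10
  Key Pair Name: k10
  Serial Number: 24BC81B7000100000D85
  Validity Start Time: 22:38:00 UTC Oct 19 2002
  End Time: 22:48:00 UTC Oct 19 2003
End of Certificate Record
Record 3
  Timestamp: 00:01:40 16:37:23 UTC Oct 31 2002
  Deleted Server Certificate Index: 0
  Proxy Service: s6
End of Certificate Record
"""

# Time format used by the End Time / Validity Start Time fields above.
TIME_FMT = "%H:%M:%S UTC %b %d %Y"


def parse_history(text):
    """Split the output into records; each record is a dict of field -> value."""
    records = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Record (\d+)$", line)
        if m:
            current = {"record": int(m.group(1))}
            records.append(current)
            continue
        if current is None or line == "End of Certificate Record":
            continue
        m = re.match(r"(Installed|Deleted) Server Certificate Index: (\d+)$", line)
        if m:
            current["event"] = m.group(1).lower()
            current["index"] = int(m.group(2))
            continue
        key, sep, value = line.partition(": ")
        if sep:
            current[key] = value
    return records


def expired_installs(records, audit_date):
    """Return (record, service, serial) for installed certificates whose
    End Time is at or before audit_date."""
    out = []
    for r in records:
        if r.get("event") != "installed":
            continue
        end = datetime.strptime(r["End Time"], TIME_FMT)
        if end <= audit_date:
            out.append((r["record"], r["Proxy Service"], r["Serial Number"]))
    return out


def deleted_services(records):
    """Services that had a server certificate deleted in the history."""
    return [r["Proxy Service"] for r in records if r.get("event") == "deleted"]


def expired_on(text, year, month, day):
    """Convenience wrapper: parse text and report installs expired on that date."""
    return expired_installs(parse_history(text), datetime(year, month, day))


if __name__ == "__main__":
    recs = parse_history(SAMPLE)
    for item in expired_installs(recs, datetime(2003, 10, 25)):
        print("expired:", item)
    print("deleted:", deleted_services(recs))
```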
165. te
  LES      LAN Emulation Server
  LLC      Logical Link Control
  LOU      logical operation units
  LTL      Local Target Logic
  MAC      Media Access Control

Table A-1 List of Acronyms (continued)
  Acronym   Expansion
  MD5       message digest 5
  MDIX      media-dependent interface crossover
  MDSS      Multicast Distributed Shortcut Switching
  MFD       multicast fast drop
  MIB       Management Information Base
  MII       media-independent interface
  MLS       Multilayer Switching
  MLSE      maintenance loop signaling entity
  MLSM      multilayer switching for multicast
  MOP       Maintenance Operation Protocol
  MOTD      message of the day
  MPLS      Multiprotocol Label Switching
  MRM       multicast routing monitor
  MSDP      Multicast Source Discovery Protocol
  MSFC      Multilayer Switching Feature Card
  MSM       Multilayer Switch Module
  MST       Multiple Spanning Tree (802.1s)
  MTU       maximum transmission unit
  MVAP      multiple VLAN access port
  NAM       Network Analysis Module
  NBP       Name Binding Protocol
  NCIA      Native Client Interface Architecture
  NDE       NetFlow Data Export
  NDR       no drop rate
  NET       network entity title
  NetBIOS   Network Basic Input/Output System
  NFFC      NetFlow Feature Card
  NMP       Network Management Processor
  NSAP      network service access point
  NTP       Network Time Protocol
  NVGEN     nonvolatile generation
  NVRAM     nonvolatile RAM
  OAM       Operation, Administra
166. tem displays are in screen font.
  boldface screen font   Information you must enter is in boldface screen font.
  italic screen font     Arguments for which you supply values are in italic screen font.
  ^                      The symbol ^ represents the key labeled Control; for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
  < >                    Nonprinting characters, such as passwords, are in angle brackets.
  [ ]                    Default responses to system prompts are in square brackets.
  !, #                   An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Notes use the following conventions:

  Note  Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Cautions use the following conventions:

  Caution  Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com
You can access the most current Cisco documentation at t
167. tes in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)

Catalyst 6500 Series Switch SSL Services Module Command Reference
2006 Cisco Systems, Inc. All rights reserved.

Contents
  Preface  vii
    Audience  vii
    Organization  vii
    Related Documentation  vii
    Conventions  viii
    Obtaining Documentation  ix
      Cisco.com  ix
      Product Documentation DVD  ix
      Ordering Documentation  x
    Documentation Feedback  x
    Cisco Product Security Overview  x
      Reporting Security Problems in Cisco Products  xi
    Obtaining Technical Assistance  xi
      Cisco Technical Support & Documentation Website  xi
      Submitting a Service Request  xii
      Definitions of Service Request Severity  xii
    Obtaining Additional Publications and Information  xiii
  CHAPTER 1  Command-Line Interface  1-1
    Getting Help  1-1
    How to Find Command Options  1-2
    Understanding Command Modes  1-5
    Cisco IOS User Interface  1-5
    Using the No and Default Forms of Commands  1-6
    Using the CLI String Search  1-7
      Regular Expressions  1-7
      Alternation  1-10
      Anchoring  1-10
      Parentheses for Recall  1-11
  CHAPTER 2  Commands for the Catalyst 6500 Series Switch SSL Services Module  2-1
    clear ssl-proxy conn  2-2
    clear ssl-proxy content  2-3
168. the specified virtual server:

  virtual policy tcp tcppl1

This example shows how to configure a clear-text web server for the SSL Services Module to forward the decrypted traffic:

  ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 207.50.0.50 protocol tcp port 80
  ssl-proxy(config-ctx-ssl-proxy)#

This example shows how to configure a TCP policy for the given clear-text web server:

  ssl-proxy(config-ctx-ssl-proxy)# server policy tcp tcppl1
  ssl-proxy(config-ctx-ssl-proxy)#

This example shows how to configure a NAT pool for the client address that is used in the server connection of the specified service (SSL offload):

  ssl-proxy(config-ctx-ssl-proxy)# nat client NP1
  ssl-proxy(config-ctx-ssl-proxy)#

This example shows how to enable a NAT server address for the server connection of the specified service (SSL offload):

  ssl-proxy(config-ctx-ssl-proxy)# nat server
  ssl-proxy(config-ctx-ssl-proxy)#

Related Commands
  show ssl-proxy service

service client
To enter the client proxy service conf
169. ther keyboard characters as single-character patterns, but certain keyboard characters have special meaning when used in regular expressions. Table 1-4 lists the keyboard characters with special meaning.

Table 1-4 Characters with Special Meaning
  Character        Special Meaning
  .                Matches any single character, including white space.
  *                Matches 0 or more sequences of the pattern.
  +                Matches 1 or more sequences of the pattern.
  ?                Matches 0 or 1 occurrences of the pattern.
  ^                Matches the beginning of the string.
  $                Matches the end of the string.
  _ (underscore)   Matches a comma (,), left brace ({), right brace (}), left parenthesis, right parenthesis, the beginning of the string, the end of the string, or a space.

To enter these special characters as single-character patterns, remove the special meaning by preceding each character with a backslash (\). These examples are single-character patterns matching a dollar sign, an underscore, and a plus sign, respectively:

  \$  \_  \+

You can specify a range of single-character patterns to match against command output. For example, you can create a regular expression that matches a string containing one of the followin
tion and Maintenance
ODM      order dependent merge
OIF      Outgoing interface of a multicast (*,G) or source-group flow

Table A-1 List of Acronyms (continued)

Acronym  Expansion
OSI      Open System Interconnection
OSM      Optical Services Module
OSPF     open shortest path first
PAE      port access entity
PAgP     Port Aggregation Protocol
PBD      packet buffer daughterboard
PBR      policy-based routing
PC       Personal Computer (formerly PCMCIA)
PCM      pulse code modulation
PCR      peak cell rate
PDP      policy decision point
PDU      protocol data unit
PEP      policy enforcement point
PFC      Policy Feature Card
PGM      Pragmatic General Multicast
PHY      physical sublayer
PIB      policy information base
PIM      protocol independent multicast
PPP      Point-to-Point Protocol
ppsec    packets per second
PRID     Policy Rule Identifiers
PVLANs   private VLANs
PVST     Per VLAN Spanning Tree
QDM      QoS device manager
QM       QoS manager
QM-SP    SP QoS manager
QoS      quality of service
Q-in-Q   802.1Q in 802.1Q
RACL     router interface access control list
RADIUS   Remote Access Dial-In User Service
RAM      random access memory
RCP      Remote Copy Protocol
RF       Redundancy Facility
RGMP     Router Ports Group Management Protocol
RIB      routing information base
RIF      Routing Information Field
tmask 255.255.255.0
ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# port 80
ssl-proxy(config-ctx-tcp-probe)# exit
ssl-proxy(config-context)#
ssl-proxy(config-context)# description Example context
ssl-proxy(config-context)# end
ssl-proxy#

ssl-proxy crypto self-test

To initiate a cryptographic self-test, use the ssl-proxy crypto self-test command. Use the no form of this command to disable the testing.

ssl-proxy crypto self-test [time-interval seconds]
no ssl-proxy crypto self-test

Syntax Description
time-interval seconds   (Optional) Sets the time interval between test cases; valid values are from 1 to 8 seconds.

Defaults
3 seconds

Command Modes
Global configuration

Command History
Release                                                               Modification
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1(1)1     Support for this command was introduced on the Catalyst 6500 series switches.

Usage Guidelines
The ssl-proxy crypto self-test command enables a set of crypto algorithm tests to be run on the SSL processor in the background. Random number generation, hashing, encryption and decryption, and MAC generation are tested, with a time interval between test cases. This test is run only for troubleshooting purposes. Run
to a proxy server.

policy url-rewrite policy-name
    Applies a URL rewrite policy to the proxy server.

server ipaddr ip-addr protocol protocol port portno [sslv2]
    Defines the IP address of the target server for the proxy server. You can also specify the port number and the transport protocol. The target IP address can be a virtual IP address of an SLB device or a real IP address of a web server. The sslv2 keyword enables SSL version 2.

server policy tcp server-side-tcp-policy-name
    Applies a TCP policy to the server side of a proxy server. You can specify the port number and the transport protocol.

virtual ipaddr ip-addr protocol protocol port portno [secondary]
    Defines the IP address of the target server for the proxy server. You can also specify the port number and the transport protocol. The target IP address can be a virtual IP address of an SLB device or a real IP address of a web server.

virtual policy ssl ss-policy-name
    Applies an SSL policy with the client side of a proxy server.

virtual policy tcp client-side-tcp-policy-name
    Applies a TCP policy to the client side of a proxy server.

vlan vlan
    Virtual Service VLAN configuration. Both secured mode and bridge mode between the Content Switching Module (CSM) and the SSL Services Module are supported. Use the secondary keyword (optional) for the bridge mode topology.
tory
Usage Guidelines

To configure HSRP to use the burned-in address of the interface as its virtual MAC address, instead of the preassigned MAC address (on Ethernet and FDDI) or the functional address (on Token Ring), use the standby use-bia command. Use the no form of this command to restore the default virtual MAC address.

standby use-bia [scope interface]
no standby use-bia [scope interface]

Syntax Description
scope interface   (Optional) Specifies that this command is configured only for the subinterface on which it was entered, instead of the major interface.

Defaults
HSRP uses the preassigned MAC address on Ethernet and FDDI, or the functional address on Token Ring.

Command Modes
Subinterface configuration submode

Command History
Release                              Modification
SSL Services Module Release 2(1)1    Support for this command was introduced on the Catalyst 6500 series switches.
SSL Services Module Release 3(1)1    The command mode for this command was changed from Proxy VLAN to Subinterface.

Usage Guidelines
You can configure multiple standby groups on an interface when you enter the standby use-bia command. Hosts on the interface must have a default gateway configured. We recommend that you set the no ip proxy-arp command on the interface. We also recommend that you configure the standby use-bia command on a Token Ring interface if there are devices that reject ARP replies with source hardware addresses that are set to a functional address. When HSRP runs on a multiple-ring, source-routed bridging environment and the HRSP r
trol
DLSw     Data Link Switching
DMP      data movement processor
DNS      Domain Name System
DoD      Department of Defense
DoS      denial of service

Table A-1 List of Acronyms (continued)

Acronym  Expansion
dot1q    802.1Q
dot1x    802.1x
DRAM     dynamic RAM
DRiP     Dual Ring Protocol
DSAP     destination service access point
DSCP     differentiated services code point
DSPU     downstream SNA Physical Units
DTP      Dynamic Trunking Protocol
DTR      data terminal ready
DXI      data exchange interface
EAP      Extensible Authentication Protocol
EARL     Enhanced Address Recognition Logic
EEPROM   electrically erasable programmable read-only memory
EHSA     enhanced high system availability
EIA      Electronic Industries Association
ELAN     Emulated Local Area Network
EOBC     Ethernet out-of-band channel
EOF      end of file
EoMPLS   Ethernet over Multiprotocol Label Switching
ESI      end-system identifier
FAT      File Allocation Table
FIB      Forwarding Information Base
FIE      Feature Interaction Engine
FECN     forward explicit congestion notification
FM       feature manager
FRU      field replaceable unit
fsck     file system consistency check
FSM      feasible successor metrics
FSU      fast software upgrade
FWSM     Firewall Services Module
GARP     General Attribute Registration Protocol
GBIC     Gigabit Interface Converter
GMRP     GAR
ts url

URL Rewrite Statistics:
    Rewrites Succeeded
    Rsp Scan Incomplete
    Invalid Conn Entry
    URL Object Error
    3xx URL Not Rewritten
    Scan Dbase not Init
    Rewrites Failed
    URL Scan Incomplete
    URL Mismatch
    Dbase not initialized
    Scan Internal Error
    Database Not Initialized

This example shows how to display content statistics:

ssl-proxy# show ssl-proxy stats content
Scan object statistics in CPU SSL1
    Objects in use:        0
    Obj alloc failures:    0
    Max obj in use:        50

show ssl-proxy status

To display information about the SSL Services Module proxy status, use the show ssl-proxy status command.

show ssl-proxy status [fdu | ssl | tcp]

Syntax Description
fdu   (Optional) Displays the FDU status.
ssl   (Optional) Displays the SSL status.
tcp   (Optional) Displays the TCP status.

Defaults
This command has no default settings.

Command Modes
EXEC

Command History
Release                              Modification
Cisco IOS Release 12.1(13)E and      Support for this command was introduced on the Catalyst 6500 series switches.

Examples
tually preempts the currently active router.

standby preempt

When you use group number 0, no group number is written to NVRAM, providing backward compatibility.

IP redundancy clients can prevent preemption from taking place. The standby preempt delay sync delay command specifies a maximum number of seconds to allow IP redundancy clients to prevent preemption. When this expires, preemption takes place regardless of the state of the IP redundancy clients.

The standby preempt delay reload delay command allows preemption to occur only after a router reloads. This provides stabilization of the router at startup. After this initial delay at startup, the operation returns to the default behavior.

The no standby preempt delay command disables the preemption delay, but preemption remains enabled.

The no standby preempt delay minimum delay command disables the minimum delay but leaves any synchronization delay, if it was configured.

Examples
This example shows how to configure the router to wait for 300 seconds (5 minutes) before attempting to become the active router:

ssl-proxy(config-subif)# standby preempt delay minimum 300
ssl-proxy(config-subif)#
ults are as follows:

• failed-interval is 60 seconds
• interval is 30 seconds
• maximum-retry is 0
• open-timeout is 80 seconds
• port is the port of the server IP address that you configured in the SSL server proxy service

Command Modes
Context subcommand mode

Command History
Release                              Modification
SSL Services Module Release 3(1)1    Support for this command was introduced on the Catalyst 6500 series SSL Services Module.

Usage Guidelines
Table 2-9 lists the commands that are available in TCP health probe policy configuration submode.

Table 2-2 TCP Health Probe Submode Command Descriptions

Syntax                       Description
interval seconds             (Optional) Allows you to set the interval between probes, in seconds, from the end of the previous probe to the beginning of the next probe when the server is healthy. The default is 30 seconds. The valid range is from 30 to 300 seconds.
failed-interval seconds      (Optional) Allows you to set the time between health checks after the service has been marked as failed. The default is 60 seconds. The valid range is from 30 to 3600 seconds.
maximum-retry retries        (Optional) Sets the number of failed probes that are allowed before marking the service as failed. The default is 0 retries. The valid range is from to 5 retries.

policy he
ust the IP fragment reassembly timer; valid values are from 3 to 120 seconds.

Defaults
time is 6 seconds

Command Modes
Global configuration

Command History
Release                              Modification
SSL Services Module Release 3(1)1    Support for this command was introduced on the Catalyst 6500 series SSL Services Module.

Examples
This example shows how to configure the IP reassembly timeout to 60 seconds:

ssl-proxy(config)# ssl-proxy ip frag ttl 60
ssl-proxy(config)#

ssl-proxy ssl ratelimit

To prohibit new connections during overload conditions, use the ssl-proxy ssl ratelimit command. Use the no form of this command to allow new connections if memory is available.

ssl-proxy ssl ratelimit
no ssl-proxy ssl ratelimit

Syntax Description
This command has no arguments or keywords.

Defaults
This command has no default settings.

Command Modes
Global configuration

Command History
Release                                                               Modification
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1(1)1     Support for this command was introduced on the Catalyst 6500 series switches.

Examples
This example shows how to prohibit new connections during overload conditions:

ssl-proxy(config)# ssl-proxy ssl ratelimit
ssl-proxy(config)#

This example shows how to allow new connections during
vailable from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html

Preface: Obtaining Additional Publications and Information

CHAPTER 1
Command-Line Interface

This chapter provides information for understanding and using the Catalyst 6500 series switch SSL Services Module software using the command-line interface (CLI). The CLI for the Catalyst 6500 series switch SSL Services Module is based on the Cisco IOS CLI. For information about Cisco IOS commands that are not contained in this publication, refer to the current Cisco IOS documentation, including:

• Cisco IOS Release 12.2 Configuration Fundamentals Configuration Guide
• Cisco IOS Release 12.2 Command Reference

This chapter includes the following sections:

• Getting Help, page 1-1
• How to Find Command Options, page 1-2
• Understanding Command Modes, page 1-5
• Using the No and Default Forms of Commands, page 1-6
• Using the CLI String Search, page 1-7

Getting Help

To obtain a list of commands that are available for each command mode, enter a question mark (?) at the system prompt. You also can obtain a list of any command's associated keywords and arguments with the context-sensitive help feature. Table 1-1 lists commands that you can enter to get h
vents
• pkt      Debugs the received and transmitted TCP packets.
• state    Debugs the TCP states.
• timers   Debugs the TCP timers.

This example shows how to turn on App debugging:

ssl-proxy# debug ssl-proxy app
ssl-proxy#

This example shows how to turn on FDU debugging:

ssl-proxy# debug ssl-proxy fdu
ssl-proxy#

This example shows how to turn on IPC debugging:

ssl-proxy# debug ssl-proxy ipc
ssl-proxy#

This example shows how to turn on PKI debugging:

ssl-proxy# debug ssl-proxy pki
ssl-proxy#

This example shows how to turn on SSL debugging:

ssl-proxy# debug ssl-proxy ssl
ssl-proxy#

This example shows how to turn on TCP debugging:

ssl-proxy# debug ssl-proxy tcp
ssl-proxy#

This example shows how to turn off TCP debugging:

ssl-proxy# no debug ssl-proxy tcp
ssl-proxy#

do

To execute EXEC-level commands from global configuration mode or other configuration modes or submodes, use the do command.

do command

Syntax Description
command   EXEC-level command to be executed.

Defaults
This command has no default settings.

Command Modes
Global configuration, or any other configuration mode or submode from which you are executing the EXEC-level command.

Command History
Release   Modification
Ci
ver

virtual ipaddr ip-addr protocol protocol port portno [secondary]
    Defines the virtual IP address of the virtual server to which the STE is proxying. You can also specify the port number and the transport protocol. The valid value for protocol is tcp; valid values for portno are from 1 to 65535. The secondary keyword (optional) prevents the STE from replying to the ARP request coming to the virtual IP address.

Table 2-8 Proxy Service Configuration Submode Command Descriptions (continued)

Syntax                                          Description
virtual policy ssl ss-policy-name               Applies an SSL policy with the client side of a proxy server.
virtual policy tcp client-side-tcp-policy-name  Applies a TCP policy to the client side of a proxy server.
vlan vlan                                       Virtual Service VLAN configuration. Both secured and bridge mode between the Content Switching Module (CSM) and the SSL Services Module is supported. Use the secondary keyword (optional) for bridge mode topology.

Examples
This example shows how to enter the proxy service configuration submode:

ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# service S6
ssl-proxy(config-ctx-ssl

This example shows how to

ssl-proxy(config-ctx-ss
ssl-proxy(config-ctx-ssl

This example shows how to
ver ipaddr 19.0.0.1 protocol tcp port 80
certificate rsa general-purpose trustpoint cert1024
policy health-probe tcp probe1
no nat server
nat client natpool
inservice
exit
ssl-proxy(config-context)# policy health-probe tcp probe1
exit

This example shows how to configure a TCP health probe to check whether the service at port 444 is up and running on virtual IP address 7.100.100.180:

ssl-proxy(config-context)# service ssloffload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# no nat server
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# port 444
ssl-proxy(config-ctx-tcp-probe)# exit
Warning: Port in the service ssl offload configuration 80 differs from the port in the health probe configuration 444
ssl-proxy(config-context)#

Related Commands
show ssl-proxy policy
show ssl-proxy service
vileged EXEC mode when the prompt changes to ssl-proxy#.

ssl-proxy# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ssl-proxy(config)#
    Enter global configuration mode. You are in global configuration mode when the prompt changes to ssl-proxy(config)#.

ssl-proxy(config)# crypto ca trustpoint trustpoint-label
ssl-proxy(ca-trustpoint)#
    Enter the configuration submode. You are in the configuration submode when the prompt displays the submode, for example ssl-proxy(ca-trustpoint)#.

ssl-proxy(config)# interface type mod/port
ssl-proxy(config-if)#
    From the global configuration mode, you can also enter the interface configuration mode by entering the interface global configuration command. You are in interface configuration mode when the prompt changes to ssl-proxy(config-if)#.

ssl-proxy(config-if)# channel-group ?
  group   channel group of the interface
ssl-proxy(config-if)# channel-group
    Enter the command that you want to configure for the controller. In this example, the channel-group command is used. Enter a ? to display what you must enter next on the command line. In this example, you must enter the group keyword. Because a <cr> is not displayed, it indicates that you must enter more information to complete the command.
http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. S1 or S2 service requests are those in which your production network is down or severely degraded. Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: 61 2 8446 7411
Australia: 1 800 805 227
EMEA: 32 2 704 55 55
USA: 1 800 553 2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1): Your network is down or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2): Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3): Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during norm
xy VLAN to Subinterface (SSL Services Module Release 3(1)1).

Usage Guidelines
This command applies to HSRP running over FDDI only. Packets are sent every 10 seconds to refresh the MAC cache on learning bridges or switches. By default, the MAC cache entries age out in 300 seconds (5 minutes). All other routers participating in HSRP on the FDDI ring receive the refresh packets, although the packets are intended only for the learning bridge or switch. Use this command to change the interval. Set the interval to 0 if you want to prevent refresh packets, if you have FDDI but do not have a learning bridge or switch.

Examples
This example shows how to change the MAC refresh interval to 100 seconds. In this example, a learning bridge needs to miss three packets before the entry ages out.

ssl-proxy(config-subif)# standby mac-refresh 100
ssl-proxy(config-subif)#

standby name

To configure the name of the standby group, use the standby name command. Use the no form of this command to disable the name.

standby name group-name
no standby name group-name

Syntax Description
group-name   Name of the standby group.

Defaults
HSRP is disabled.

Command Modes
Subinterface configuration submode

Command History
Release               Modification
SSL Services Module   Support for this command was
y
The key is protected and LOCKED.
Key is exportable.
Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
Key pair was generated at: 16:00:11 PST Feb 28 2002
ssl-proxy#

Related Commands
crypto key decrypt rsa
crypto key encrypt rsa
crypto key unlock rsa

crypto key unlock rsa

To unlock the encrypted private key, use the crypto key unlock rsa command.

crypto key unlock rsa [name key-name] passphrase passphrase

Syntax Description
name key-name          (Optional) Name of the key.
passphrase passphrase  Pass phrase.

Defaults
This command has no default settings.

Command Modes
EXEC

Command History
Release                              Modification
SSL Services Module Release 3(1)1    Support for this command was introduced on the Catalyst 6500 series SSL Services Module.

Examples
This example shows how to lock the key pki1-72a.cisco.com. Enter the show crypto key mypubkey rsa command to verify that the key is protected (encrypted) and locked.

ssl-proxy# crypto key unlock rsa name pki1-72a.cisco.com passphrase cisco1234
Jun 18 00:26:08.275: %STE-5-UPDOWN: ssl-proxy service vip1 changed state to UP
ssl-proxy# show crypto key mypubkey rsa
Key name: pki1-72a.cisco.com
Usage: General Purpose Key
The key is protected a