Cisco Global Site Selector Administration Guide
Software Version 1.2
November 2004

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.
CONTENTS

Preface
  Audience
  How to Use This Guide
  Related Documentation
  Symbols and Conventions
  Obtaining Documentation, Obtaining Support, and Security Guidelines

CHAPTER 1 Managing GSS Devices from the GUI
  Logging Into the Primary GSSM Graphical User Interface
  Activating and Modifying GSS Devices
  Activating GSS Devices from the Primary GSSM
  Modifying GSS Device Name and Location
  Deleting GSS Devices
  Logically Removing a GSS or Standby GSSM from the Netwo
  Displaying the Running-Config File
  Displaying the Startup-Config File
  Managing GSS Files
  Displaying the Contents of a File
  Displaying Files in a Directory
  Renaming GSS Files
  Securely Copying Files
  Deleting Files
  Displaying Users
  Specifying GSS Inactivity Timeout
  Configuring Terminal Screen Line Length
  Modifying the Attributes of the Security Certificate on the GSSM
  Stopping the GSS Software
  Shutting Down the GSS Software
  Restarting
  Displaying Software Version Information
  Displaying Memory Information
  Displaying Boot Configuration
  Displaying GSS Processes
  Displaying System Uptime
  Displaying Disk Information
  Displaying System Status
  Displaying GSS Services

CHAPTER 3 Creating and Managing User Accounts
  Creating and Managing GSS CLI User Accounts
  Creating a GSS User Account
  Modifying a GSS User Account
  Deleting a GSS User Account
  Creating and Managing Primary GSSM GU

CHAPTER 4 Managing GSS User Accounts Through a TACACS+ Server
  TACACS+ Overview
  TACACS+ Configuration Quick Start
  Configuring a TACACS+ Server for Use with the GSS
  Configuring Authentication Settings on the TACACS+ Server
  Configuring Authorization Settings on the TACACS+ Server
  Configuring Primary GSSM GUI Privilege Level Authorization from the TACACS+ Server
  Enabling Custom User GUI Views When Authenticating a User from the TACACS+ Server
  Configuring Accounting
  Segmenting GSS Traffic by Ethernet Interface
  Displaying Access Lists
  Deploying GSS Devices Behind Firewalls
  GSS Firewall Deployment Overview
  Configuring GSS Devices Behind a Firewall

CHAPTER 6 Configuring SNMP
  Overview
  Configuring SNMP on Your GSS
  Viewing SNMP Status
  Viewing MIB Files on the GSS

CHAPTER 7 Backing Up and Restoring the GSSM
  Backing Up the Primary GSSM
  Backup Overview
  Performing a Full Primary GSSM Backup
  Restoring a P
  Viewing Subsystem Log Files from the CLI
  Rotating Existing Log Files from the CLI
  Viewing System Logs from the Primary GSSM GUI
  Viewing System Logs from the Primary GSSM GUI
  Purging System Log Messages from the GUI
  Common System Log Messages

CHAPTER 9 Monitoring GSS Operation
  Monitoring GSS and GSSM Status
  Monitoring GSS Device Online Status from the CLI
  Monitoring GSS Device System Status from the CLI
  Monitoring GSS Device Status from the Primary
Preface

This guide includes information on configuring the Cisco Global Site Selector (GSS). It describes the procedures necessary to properly manage and maintain your GSSM and GSS devices, including login security, GSS software upgrades, GSSM database administration, and log files.
Audience

To use this guide, you should be familiar with the Cisco Global Site Selector hardware, which is discussed in the Global Site Selector Hardware Installation Guide. In addition, you should be familiar with basic TCP/IP and networking concepts, router configuration, Domain Name System (DNS), the Berkeley Internet Name Domain (BIND) software or similar DNS products, and your organization’s specific network configuration.
How to Use This Guide

Chapter/Title: Description
Chapter 6, Configuring SNMP: Describes how to configure Simple Network Management Protocol (SNMP) on your GSS.
Chapter 7, Backing Up and Restoring the GSSM: Describes the procedures to back up and restore the primary GSSM database. This chapter also includes a set of general guidelines for when and how to back up your primary GSSM.
Chapter 8, Viewing Log Files: Includes information on auditing logged information about your GSS devices.
Related Documentation

In addition to this document, the GSS documentation set includes the following:

Document Title: Provides
Global Site Selector Hardware Installation Guide: Information on installing your GSS device and getting it ready for operation. It describes how to prepare your site for installation, how to install the GSS device in an equipment rack, and how to maintain and troubleshoot the GSS hardware.
Symbols and Conventions

This guide uses the following symbols and conventions to emphasize certain information.

Command descriptions use the following conventions:
boldface font: Commands and keywords are in boldface.
italic font: Variables for which you supply values are in italics.
[ ]: Elements in square brackets are optional.
{x | y | z}: Alternative keywords are grouped in braces and separated by vertical bars.
[ ]: Default responses to system prompts are in square brackets.
!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Graphical user interface elements use the following conventions:
boldface text: Instructs the user to enter a keystroke or act on a GUI element.
Courier text: Indicates text that appears in a command line, including the CLI prompt.
Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.
CHAPTER 1 Managing GSS Devices from the GUI

This chapter describes how to configure and manage your GSSM and GSS devices from the primary GSSM graphical user interface. It includes the procedures for activating and configuring GSS devices and for changing the primary and standby GSSM roles in the GSS network.
Logging Into the Primary GSSM Graphical User Interface

After you configure and enable your primary GSSM, you may access the GUI. The primary GSSM uses secure HTTP (HTTPS) to communicate with web clients. When you first log in to the primary GSSM GUI, use the system default administrative account and password.
4. To install the signed certificate, if you are using:
   – Internet Explorer—In the Security Alert dialog box, click View Certificate, choose the Install Certificate option, and follow the prompts of the Certificate Manager Import Wizard. Proceed to step 5.
   – Netscape—In the New Site Certificate dialog box, click Next and follow the prompts of the New Site Certificate Wizard. Proceed to step 5.
5.
Activating and Modifying GSS Devices

Activate your GSS devices from the primary GSSM GUI to add those devices to your GSS network. You also use the primary GSSM GUI to remove a non-functioning standby GSSM or GSS device from your network.
2. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears (Figure 1-2). All active GSS devices appear with an “Online” status. The GSS devices requiring activation appear with an “Inactive” status.
3. Click the Modify GSS icon for the first GSS device to activate. The Modifying GSS details page appears (Figure 1-3).

Figure 1-3 Modifying GSS Details Page

4. Check the Activate check box. This check box does not appear in the Modifying GSS details page once the GSS device has been activated.
5. Click the Submit button, which returns you to the Global Site Selectors list page (Figure 1-4).
Note: The device status remains as “Inactive” if the device is not functioning properly or there are problems with network connectivity. If this occurs, cycle power to the GSS device and check your network connections, then repeat this procedure. If you still cannot activate the GSS device, contact Cisco TAC.

Figure 1-4

6.
Modifying GSS Device Name and Location

You can modify the name and location of any of your GSS devices using the primary GSSM GUI. To modify other network information such as the hostname, IP address, or role, you must access the CLI on that GSS device (refer to the Cisco Global Site Selector Getting Started Guide).

To modify the name and location of a GSS device from the primary GSSM GUI:
1. Click the Resources tab.
2.
4. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the GSS device.
5. Click OK to confirm your decision and return to the Global Site Selectors list page. The deleted device is removed from the list.

To reconfigure the GSS device, refer to the Cisco Global Site Selector Getting Started Guide.
Logically Removing a GSS or Standby GSSM from the Network

3. Use the gss stop command to stop the GSS software running on the GSS.
    gss1.example.com# gss stop
4. Use the gss disable command to disable the GSSM or GSS. This command removes the existing configuration and returns the GSS device to an initial state, which includes deleting the GSSM database from the GSS device and removing all configured DNS rules and keepalives.
Configuring the Primary GSSM GUI

The primary GSSM GUI provides you with a number of configuration options for modifying the behavior and performance of the primary GSSM web-based GUI. You can configure the GUI inactivity timeout interval, GSS device reporting interval, and GUI screen refresh interval.

To modify GUI configuration settings from the primary GSSM GUI:
1. Click the Tools tab.
2.
4. a. Click the GUI Session Inactivity Timeout Enable check box.
   b. In the GUI Session Inactivity Timeout field, enter the length of time that can pass without user activity before the primary GSSM terminates the session. Valid entries are 5 to 120 minutes. The default is 10 minutes.
Note: To export the output of all primary GSSM GUI configured fields when troubleshooting a GSS device with a Cisco technical support representative, issue the show tech-support config CLI command. Refer to Chapter 9, Monitoring GSS Operation for details.

Viewing Third-Party Software Versions

The GSS software incorporates a number of third-party software products.
Figure 1-6 GSSM Third-Party Software List Page
CHAPTER 2 Managing the GSS from the CLI

This chapter describes the procedures to manage the GSS software from the CLI.
Logging in to the CLI and Enabling Privileged EXEC Mode

To log in to a GSS device and enable privileged EXEC mode at the CLI, perform these steps:
1. Press the power control button on the GSS. After the GSS boot process completes, the software prompts you to log in to the device.
2.
Using the Startup and Running Configuration File

When you make device configuration changes, the GSS places those changes in a virtual running configuration file (called running-config). Before you log out or reboot the GSS, you must copy the contents of the running-config file to the startup-configuration file (called startup-config) to save configuration changes.
Each GSS device tracks the following configurations:
• Startup configuration—The default network configuration. The GSS loads the startup configuration settings each time you boot the device.
• Running configuration—The network configuration currently in use by the GSS device.

Typically, the running-config and the startup-config files are identical.
Saving the Startup and Running Configuration Files

To save the running-config file to the startup-config file on the GSS, or to copy the current startup configuration to a file for use on other devices or for backup purposes, use one of the following commands:
• copy startup-config disk filename—Copies the GSS device startup configuration to a named file on the GSS.
4. Use the copy running-config startup-config command to save the running-config file as the new startup-config file. The GSS retains any changes to the network configuration of the device and uses those changes when the GSS is next rebooted.
    gss1.example.
To display the current running-config file for the GSS, enter:
    gssm1.example.com# show running-config
    interface ethernet 0
      ip address 192.168.1.25 255.255.255.0
      gss-communications
      gss-tcp-keepalives
    hostname gssm1.example.com
    ip default-gateway 10.86.208.1
    ip name-server 172.16.124.
    hostname gssm1.example.com
    ip default-gateway 10.86.208.1
    ip name-server 172.16.124.
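The following added example (not part of the Cisco guide) compares captured running-config and startup-config text to find changes that were never copied to startup-config and would therefore not survive a reboot. The two captures are constructed, the changed interface address and the 192.0.2.53 name server are made up, and the parser assumes that interface sub-commands are indented under their interface line.

```python
import re

# Constructed captures modelled on the show running-config layout in this guide.
# The changed interface address and the 192.0.2.53 name server are made up.
RUNNING_CAPTURE = """\
gssm1.example.com# show running-config
interface ethernet 0
  ip address 192.168.1.26 255.255.255.0
  gss-communications
  gss-tcp-keepalives
hostname gssm1.example.com
ip default-gateway 10.86.208.1
ip name-server 192.0.2.53
"""

STARTUP_CAPTURE = """\
! saved copy of the startup-config (constructed)
interface ethernet 0
  ip address 192.168.1.25 255.255.255.0
  gss-communications
  gss-tcp-keepalives
hostname gssm1.example.com
ip default-gateway 10.86.208.1
"""

# A CLI prompt line ("host#", "host>", "host(config)#") is not configuration.
PROMPT = re.compile(r"^[\w.-]+(\(config[\w-]*\))?[#>]")


def parse_config(text):
    """Return a set of (context, command) pairs from captured config text.

    Assumption: sub-commands of a block such as "interface ethernet 0" are
    indented under it, and top-level commands start in column 0.
    """
    entries = set()
    context = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        # Skip blanks, comment lines (! or #) and echoed prompt lines.
        if not stripped or stripped[0] in "!#" or PROMPT.match(stripped):
            continue
        command = " ".join(stripped.split())  # collapse repeated spaces
        if line[0].isspace():
            entries.add((context, command))   # belongs to the current block
        else:
            context = command                 # may open a new block
            entries.add(("", command))
    return entries


def config_drift(running_text, startup_text):
    """Compare the two configurations and return the differences, sorted."""
    running = parse_config(running_text)
    startup = parse_config(startup_text)
    return {
        # In use now, but gone after a reboot unless copied to startup-config.
        "only_in_running": sorted(running - startup),
        # Not in use now, but loaded again at the next boot.
        "only_in_startup": sorted(startup - running),
    }


def report(drift):
    """Render the drift as one human-readable line per difference."""
    lines = []
    for context, command in drift["only_in_running"]:
        where = f" [{context}]" if context else ""
        lines.append(f"UNSAVED{where}: {command}")
    for context, command in drift["only_in_startup"]:
        where = f" [{context}]" if context else ""
        lines.append(f"RETURNS ON REBOOT{where}: {command}")
    return lines or ["running-config matches startup-config"]


if __name__ == "__main__":
    print("\n".join(report(config_drift(RUNNING_CAPTURE, STARTUP_CAPTURE))))
```

Any line reported as UNSAVED is a change that still needs copy running-config startup-config, or that was made without being meant to persist and deserves a second look.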
Managing GSS Files

This section describes how to manage the files included in a directory or subdirectory on a GSS device.
For example, to display the last 10 lines in the system.log, enter:
    gssm1.example.com# tail system.log
    Showing file system.
Displaying Files in a Directory

The GSS software directories contain the GSS files, including boot files, backup files, and log files. Use the dir, lls, ls, or pwd commands to view the files available in the current directory or subdirectory on the GSS.
• dir [directory]—Displays a detailed list of files contained within the working directory on the GSS, including names, sizes, and time created.
    -rw-r--r--  1 root root    49 Mar  7 18:05 sysMessages.log
    drwxr-xr-x  2 root root  4096 Mar  7 15:40 sysmsg
    drwxrwxrwx  2 root root  4096 Mar  8 21:02 sysout
    -rw-r--r--  1 root root 41652 Mar 14 21:23 system.log

To list the filenames and subdirectories of the current working directory, enter:
    gssm1.example.com# ls
    gss-1.0.2.0.2-k9.upg gss-1.0.904.0.1-k9.upg id_rsa.pub gss_sample.full megara.back.1_0.full megara.back.1_1.
Securely Copying Files

The GSS supports the secure copying of files from:
• The GSS device you are currently logged in to
• Another device to the GSS device you are currently logged in to

Use the scp command to securely copy files from:
• A GSS device that you are logged in to:
    scp {source_path [source_filename] user@target_host:target_path}
• Another device to a GSS device that you are logged in to:
    scp {user@source_host:/source_path[sourc
To securely copy files from another device to a GSS device that you are logged in to, enter:
    gssm1.example.com# scp myusername@192.168.0.0:/cisco/state/mygssmfile.log /cisco/state/dump/home

Deleting Files

The GSS allows you to remove a specific file (startup-config, logs, or archive file) stored on hard disk. You may want to remove older files or files that you no longer use from the GSS. To delete files from your GSS, use the del command.
To display information for all users, enter:
    gssm1.example.com# show users
    Username      permission
    ----------------
    lstar         admin
    admin         admin
    paulr-admin   admin

For details about creating GSS users, refer to Chapter 3, Creating and Managing User Accounts.

Specifying GSS Inactivity Timeout

You can modify the length of time that can expire before a GSS automatically logs off an inactive user by using the exec-timeout command.
Configuring Terminal Screen Line Length

You can specify the number of screen lines to display on your terminal by using the terminal length command. The maximum number of displayed screen lines is 512. The default is 23 screen lines. When the terminal length command is set to a value of 0, the GSS sends all of its data to the screen at once without pausing to buffer the data.
Modifying the Attributes of the Security Certificate on the GSSM

You can customize the attributes of the security certificate issued by Cisco Systems and installed on the primary GSSM (as described in the “Logging Into the Primary GSSM Graphical User Interface” section in Chapter 1, Managing GSS Devices from the GUI). By using the certificate set-attributes CLI command, you can modify the X.
4. Enter the certificate set-attributes command and modify information at the prompts. All fields displayed for each software prompt have a maximum character limit of 64, except for Country Code, which has a maximum character limit of two.
    gssm1.example.com(config)# certificate set-attributes
    Country code (2 chars) [US]:
    State [California]: MA
    City [San Jose]: Boston
    Organization [Cisco Systems, Inc.
Stopping the GSS Software

Stop the GSS software before you:
• Upgrade GSS software
• Perform a warm reboot
• Restore GSS factory defaults
• Disable an active GSS device
• Perform GSS maintenance or troubleshooting

Use the gss stop command to stop the GSS software. For example, enter:
    gssm1.example.com# gss stop

The following message appears when you stop the GSS software from the CLI.
Restarting the GSS Software

To perform a warm restart of the GSS software, use the gss restart command. Before you perform a warm restart of the GSS software, save your recent GSS configuration changes to memory. Use the copy running-config startup-config CLI command to save your configuration changes. If you fail to save your configuration changes, the GSS device reverts to its previous settings upon a reboot.
Disabling the GSS Software

Disabling a GSS device is necessary when you need to:
• Switch the role of a GSS within a network
• Change a GSS to a GSSM
• Move a GSS or GSSM to a different network of GSS devices

Use the gss disable command to disable a selected GSSM or GSS.
Restoring GSS Factory Default Settings

Caution: User files will also be deleted as an action of entering the restore-factory-defaults command. If you have any important files in the /home directory that you want to save, use either the secure copy (scp) or ftp commands to copy those files before you enter the restore-factory-defaults command.
Replacing GSS Devices in Your GSS Network

If you encounter problems with one of the GSS devices in your GSS network, determine which GSS device exhibits the problem (primary GSSM, standby GSSM, or GSS) and configure a replacement GSS device for use in your network. Figure 2-1 summarizes the decision-making process to follow when replacing a malfunctioning GSS device.
This section contains the following procedures:
• Replacing the Primary GSSM in the Network
• Replacing the Standby GSSM in the Network
• Replacing a GSS in the Network

Replacing the Primary GSSM in the Network

To replace a malfunctioning primary GSSM in your GSS network to regain GUI management, determine if there is a standby GSSM available in your network:
• If you have a standby GSSM that you can convert to the p
3. Configure the current standby GSSM to function as the temporary primary GSSM for your GSS network. Use the gssm standby-to-primary command to reconfigure your standby GSSM as the primary GSSM in your GSS network.
    gssm2.example.
9. Configure basic network connectivity settings following the procedures outlined in the Cisco Global Site Selector Getting Started Guide, Chapter 3, Setting Up Your GSS. Ensure that you specify the same hostname and IP address of the original primary GSSM. Save your configuration changes to memory.
    gssm1.example.com# copy running-config startup-config
10.
12. If you do not have a backup of either the interim or original primary GSSM database:
    a. Reconfigure the global server load-balancing configuration settings on the new primary GSSM as described in the Cisco Global Site Selector Global Server Load-Balancing Configuration Guide.
    b. Send DNS queries to the new primary GSSM and ensure that it replies properly to the queries.
    f. Register the standby GSSM and each GSS device with the new primary GSSM. Refer to the “Activating GSS Devices from the Primary GSSM” section in Chapter 1, Managing GSS Devices from the GUI.

You can now use the replacement primary GSSM in your GSS network.

Replacing the Primary GSSM With an Available GSS

To replace a malfunctioning primary GSSM with an available GSS:
1.
6. If this is a new GSS device, configure basic network connectivity settings following the procedures outlined in the Cisco Global Site Selector Getting Started Guide, Chapter 3, Setting Up Your GSS. Ensure that you specify the same hostname and IP address of the original primary GSSM. Save your configuration changes to memory.
    gssm1.example.com# copy running-config startup-config
7.
    d. At the CLI of the standby GSSM, enter the gss enable gssm-standby command to reenable the standby GSSM in the GSS network and direct it to the primary GSSM. See the “Replacing the Standby GSSM in the Network” section for details about the gss enable gssm-standby command.
        gss1.example.com# gss enable gssm-standby gssm1.example.com
    e.
3. Use the gss stop command to stop the GSS software running on the GSS.
    gss3.example.com# gss stop
4. Use the gss disable command to disable the GSS. This command removes the existing configuration and returns the GSS device to an initial state, including the removal of all previously configured DNS rules and keepalives.
    gss3.example.com# gss disable
5.
The variables are:
• primary_GSSM_hostname—The DNS hostname of the device currently serving as the primary GSSM
• primary_GSSM_IP_address—The DNS hostname of the device currently serving as the primary GSSM

For example, to enable gss3.example.com as the standby GSSM and direct it to the primary GSSM, gssm1.example.com, enter:
    gss3.example.com# gss enable gssm-standby gssm1.example.com
9.
4. Enter the gss enable command to enable your GSS device as a GSS and direct it to the primary GSSM in your GSS network. Specify either the domain name or the network address of the primary GSSM.
Changing the GSSM Role in the GSS Network

The GSS software supports two GSSM devices in a single GSS network, with one GSSM acting as the primary GSSM and the second GSSM acting as a standby device.
Switching the Roles of the Primary and Standby GSSM Devices

This procedure assumes that your primary GSSM is online and functional at the time you are switching GSSM roles. If the primary GSSM is not functional, proceed directly to step 6.

To change the role of your primary and standby GSSM devices:
1. Log in to the CLI and enable privileged EXEC mode.
    gssm1.example.com> enable
    gssm1.example.com#
2.
Configuration changes do not take effect immediately. It can sometimes take up to ten minutes for the other GSS devices in the network to learn about the new primary GSSM.
8. Enter the gssm database validate command to validate the database records of the interim primary GSSM.
    gssm2.example.com# gssm database validate
9. Exit privileged EXEC mode.
3. Use the gssm primary-to-standby command to place the current interim primary GSSM in standby mode and resume its role in the GSS network as the standby GSSM.
    gssm2.example.com# gssm primary-to-standby
   Ensure that a minimum of five minutes have passed since the last GUI configuration change before you enter the gssm primary-to-standby command to convert the interim primary GSSM back to its role as standby GSSM.
4.
Displaying GSS System Configuration Information

The GSS CLI provides a comprehensive set of show commands that display GSS configuration information. The show commands are available in all CLI modes.
To display detailed GSS software version information, enter:
    gssm1.example.com# show version verbose
    Global Site Selector (GSS)
    Model Number: GSS-4490-K9
    Copyright (c) 1999-2003 by Cisco Systems, Inc.
    Version 1.2(1)
    Uptime: 23 Hours 57 Minutes and 53 seconds
    Full Version: 1.2(1.0.
Displaying Memory Information

To display information about the GSS memory blocks and statistics, use the show memory command. For example, enter:
    gssm1.example.com# show memory

Table 2-1 describes the fields in the show memory output.
Table 2-2 describes the fields in the show boot-config output.
Displaying GSS Processes

To display a list of internal GSS device processes, use the show processes command. For example, enter:
    gssm1.example.com# show processes

Table 2-3 describes the fields in the show processes output.
Table 2-4 describes the fields in the show disk output.
Displaying GSS Services

To display the current state of the GSS services, such as FTP, NTP, SSH, TACACS+, Telnet, and SNMP, use the show services command.
    show services

For example, enter:
    gssm1.example.
CHAPTER 3 Creating and Managing User Accounts

This chapter describes how to create and manage GSS device CLI user login accounts and primary GSSM GUI user login accounts.
Creating and Managing GSS CLI User Accounts

This section includes the following procedures:
• Creating a GSS User Account
• Modifying a GSS User Account
• Deleting a GSS User Account

Creating a GSS User Account

When you create a user account from the GSS CLI, specify the new username, password, and privilege level using the username command. You cannot create a new account without designating a value for each of these configuration settings.
For example:
    gss1.example.com(config)# username user_1 password mypwd privilege admin
    User user_1 added.
4. Repeat step 3 for each new user account that you wish to create.

Modifying a GSS User Account

You can modify a GSS user account from the CLI by using the same procedure that you followed to create the account (see the “Creating a GSS User Account” section).
Creating and Managing Primary GSSM GUI User Accounts
By using the administrative capabilities of the primary GSSM GUI, you can create and maintain user accounts to access the primary GSSM GUI. In addition to login name and password information, you can assign user privileges, specify custom GUI user views, and maintain contact information for each user.
Privilege Levels for Using the Primary GSSM GUI
As the GSS administrator, you can control the GUI pages that a user accesses and the associated functions that a user can perform from the primary GSSM GUI. You control primary GSSM GUI access through the assignment of one of the three user privilege levels, called “roles.” Each role grants specific access to the GUI based on the assigned role.
Table 3-1 User Privilege Roles for Using the Primary GSSM GUI
User Role: Administrator
Functionality: Full functionality
Accessibility: Full access to the primary GSSM GUI pages.
Table 3-1 User Privilege Roles for Using the Primary GSSM GUI (continued)
User Role: Operator (continued)
• Resources tab—Access to the Locations and Owners navigation links to:
– Activate or suspend all answers associated with a location
– Activate or suspend all answers associated with answer groups held by an owner.
Table 3-1 User Privilege Roles for Using the Primary GSSM GUI (continued)
User Role: Observer
The observer has read-only privileges to monitor statistics. The observer has the following access privileges:
Observers cannot:
• Create, modify, or delete any configuration item.
Creating a GUI User Account
To create a GSSM GUI user account from the primary GSSM GUI:
1. Click the Tools tab.
2. Click the User Administration navigation link. The Users list page appears (Figure 3-1).
Figure 3-1 Users List Page
3. Click the Create User icon. The Creating New User details page appears (Figure 3-2).
Figure 3-2 Creating New User Details Page
4. In the User Account area, enter the login name for the new account in the Username field. Usernames can contain spaces.
5. In the Password field, enter the alphanumeric password for the new account.
6. In the Re-type Password field, reenter the password for the new account.
7.
You must assign a user to one of the three privilege levels. If you fail to assign a privilege level, the GSS automatically assigns the observer role to a new user.
Note Primary GSSM GUI privileges assigned to a user from the TACACS+ server override the user privilege level defined from the GSSM User Administration details page.
11. Optionally, fill in the rest of the user contact information:
– Job Title—Position within the organization
– Department—Business unit or group
– Phone—Business telephone number
– E-mail—E-mail address
– Comments—Any important information or comments about the user account
12. Click Submit to create your new user account and return to the User Administration list page.
4. Click the Delete icon. The software prompts you to confirm your decision to permanently remove the user. You cannot delete the “admin” account.
5. Click OK to remove the user account and return to the Users list page. The user account is removed from the list page.
Changing the User Account GUI Password
You can change the password for the account that is used to log in to the primary GSSM.
Figure 3-3 GSSM Change Password Details Page
3. In the Old Password field, enter your existing GSSM login password.
4. In the New Password field, enter the string that you would like to use as the new GSSM login password.
5. In the Re-type New Password field, enter the new password string a second time. This is used to verify that you have entered your password correctly.
6.
Creating and Modifying User Views for the Primary GSSM GUI
By default, an administrator, operator, or observer has the view set to View All and can see all configuration data and global server load-balancing statistics in the primary GSSM GUI pages.
You can also apply a view to a user with administrator privileges. However, with administrator privileges, that user can change the view used for the GUI session (for example, back to the View All setting). This capability can be useful for an administrator to test the behavior of a view while in the process of creating it.
Figure 3-4 User Views List Page
3. Click the Create User Views icon. The Creating New User View—General Configuration details page appears (Figure 3-5).
Figure 3-5 Creating New User View—General Configuration Details Page
4. In the General Configuration details page (General Configuration navigation link), perform the following:
a. In the Name field, enter a name for your new user view. View names can be from 1 to 80 alphanumeric characters and cannot contain spaces.
b.
Note The primary GSSM GUI supports a maximum of 100 answers in a custom user view.
Figure 3-6 Creating New View—Add Answers Details Page
6. To define the shared keepalives available in the custom user view, click the Add Keepalives navigation link. The Add Keepalives details page appears (Figure 3-7).
Figure 3-7 Creating New View—Add Keepalives Details Page
7. To define the locations available in the custom user view, click the Add Locations navigation link. The Add Locations details page appears (Figure 3-8). Click the check box corresponding to each existing location you wish to add to the custom user view.
Figure 3-8 Creating New View—Add Locations Details Page
8. To define the owners available in the custom user view, click the Add Owners navigation link. The Add Owners details page appears (Figure 3-9). Click the check box corresponding to each existing owner you wish to add to the custom user view.
Figure 3-9 Creating New View—Add Owners Details Page
9. To remove answers, keepalives, locations, or owners from this custom user view, click the appropriate Remove navigation link and the associated detail page appears. Figure 3-10 illustrates the Remove Answers details page.
Figure 3-10 Creating New View—Remove Answers Details Page
10. When you complete defining the user view, click the General Configuration navigation link to return to the Creating New User View - General Configuration details page. Note that the selected items assigned to this view appear in the Current Owners, Current Locations, Current Answers, or Current KeepAlives section of the page.
Figure 3-11 Creating New User View—General Configuration Details Page With Selected Items Assigned to the View
11. Click Submit to save your new user view.
Modifying a GUI User View
To modify a user view from the primary GSSM GUI:
1. Click the Tools tab.
2. Click the Views navigation link. The User Views list page appears (see Figure 3-4).
3.
5. To add additional answers, keepalives, locations, or owners to the custom user view, click the appropriate Add navigation link and the associated details page appears. Click the check boxes corresponding to the items that you wish to add to the custom user view, then click the Add Selected button.
6.
Modifying the Administrator Account Passwords
This section describes how to reset the administrator account password from the GSS CLI. It also discusses how to restore the default administration password to log in to the primary GSSM.
Note Enter the ? command within a few seconds of seeing the LILO boot prompt or the GSS device continues to boot. If you miss the time window to enter the ? command, wait for the GSS to properly complete booting, cycle power to the GSS device, and try again to access the LILO boot prompt.
4. At the boot: prompt, enter GSS-RESETADMINCLIPW=1.
For example, to change the administrator password to mynewpassword, enter:
gssm1.example.
Restoring or Changing the Administrator’s GUI Password
To restore the default administrator password used to log in to the primary GSSM GUI, or if you want to change the administrator password, use the reset-gui-admin-password command. The GSS stores the administrator username and password in a safe partition of the hard disk to prevent loss of data due to power failures.
Cisco Global Site Selector Administration Guide OL-5480-01
CHAPTER 4 Managing GSS User Accounts Through a TACACS+ Server
This chapter describes how to configure the GSS, primary GSSM, or standby GSSM as a client of a TACACS+ server for separate authentication, authorization, and accounting (AAA) services.
TACACS+ Overview
The Terminal Access Controller Access Control System (TACACS+) protocol is a security application that provides centralized validation of users who are attempting to gain access to the GSS. TACACS+ services are maintained in a relational database on a TACACS+ security daemon running on a UNIX or Windows NT/Windows 2000 server.
The TACACS+ server provides the following AAA independent services to the GSS operating as a TACACS+ client:
• Authentication—Identifies users attempting to access a GSS. Authentication frequently involves verifying a username with an assigned password. GSS users are authenticated against the TACACS+ server when remotely accessing a GSS through the console, Telnet, SSH, FTP, or the primary GSSM GUI interfaces.
If the GSS cannot contact any of the three specified TACACS+ servers, the GSS checks for the local authentication setting and falls back to performing local user authentication through either the console port or a Telnet connection. Local authentication is always enabled on the console port and Telnet connection to avoid lockout. Local authentication is an option for an FTP, GUI, or SSH connection.
Table 4-1 TACACS+ Configuration Quick Start (continued)
Task and Command Example
6. Enable the TACACS+ authorization service to permit or restrict user access to specific GSS CLI commands, as defined by the TACACS+ server.
gssm1.example.com(config)# aaa authorization commands
7.
Configuring a TACACS+ Server for Use with the GSS
Configuring Authentication Settings on the TACACS+ Server
To configure the authentication settings on Cisco Secure ACS:
1. Proceed to the Network Configuration section of the Cisco Secure ACS HTML interface, the Add AAA Client page (Figure 4-2).
2. Configure the following selections:
• AAA Client Hostname—Enter the name you want assigned to the GSS.
• AAA Client IP Address—Enter the IP address of the GSS Ethernet interface that will be used for communicating with the TACACS+ server.
• Key—Enter the shared secret that the GSS and Cisco Secure ACS use to authenticate transactions.
To define CLI command privileges for the GSS from the Cisco Secure ACS:
1. Access the Group Setup section of the Cisco Secure ACS interface, then access the Group Setup page. Select the group for which you want to configure TACACS+ settings, then click Edit Settings. The Edit page appears.
2. Scroll to the Shell Command Authorization Set section of the Group Setup page (Figure 4-3).
3. Click the Per Group Command Authorization check box.
4. For unlimited GSS command access, under Unmatched Cisco IOS Commands, click the Permit option. Leave the command field blank.
5. To set access restrictions on specific GSS CLI commands:
a. Check the Command check box.
b. Click the Deny option.
c.
b. Enter show in the Command text box.
c. Enter permit user in the Arguments text box.
d. Click the Deny option under Unlisted Arguments.
• To permit all CLI commands except for the gss tech-report command (see Figure 4-4):
a. Click the Permit option under Per Group Command Authorization.
b. Enter gss in the Command text box.
c. Enter deny tech-report in the Arguments text box.
d. Click the Permit option under Unlisted Arguments.
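A simplified model of how the two shell command authorization sets above evaluate GSS CLI commands, added here as an example; it is not Cisco Secure ACS code. The literal word matching of arguments and the Deny setting for unmatched commands in the first set are assumptions, and the sample command list is constructed from commands shown in this guide.

```python
from dataclasses import dataclass, field

PERMIT, DENY = "permit", "deny"


@dataclass
class CommandRule:
    command: str                                   # text entered in the Command box
    arguments: list = field(default_factory=list)  # lines such as "deny tech-report"
    unlisted_arguments: str = DENY                 # option under Unlisted Arguments


@dataclass
class AuthorizationSet:
    unmatched_commands: str                        # option for commands with no rule
    rules: list = field(default_factory=list)

    def decide(self, cli_line):
        """Return "permit" or "deny" for one CLI command line."""
        words = cli_line.split()
        if not words:
            return DENY
        command, args = words[0], " ".join(words[1:])
        for rule in self.rules:
            if rule.command != command:
                continue
            for entry in rule.arguments:
                action, _, pattern = entry.partition(" ")
                if action not in (PERMIT, DENY) or not pattern:
                    raise ValueError(f"bad argument entry: {entry!r}")
                # Assumption: an entry matches when the typed arguments are
                # exactly the pattern or start with it as whole words.
                if args == pattern or args.startswith(pattern + " "):
                    return action
            return rule.unlisted_arguments
        return self.unmatched_commands


def permitted(auth_set, commands):
    """List the commands that the authorization set lets through."""
    return [c for c in commands if auth_set.decide(c) == PERMIT]


# Allow-list form: command show, argument "permit user", unlisted arguments denied.
# Deny for unmatched commands is assumed here.
ONLY_SHOW_USER = AuthorizationSet(
    unmatched_commands=DENY,
    rules=[CommandRule("show", ["permit user"], DENY)],
)

# Deny-list form: everything permitted except gss tech-report.
ALL_BUT_TECH_REPORT = AuthorizationSet(
    unmatched_commands=PERMIT,
    rules=[CommandRule("gss", ["deny tech-report"], PERMIT)],
)

# Constructed sample of commands that appear elsewhere in this guide.
SAMPLE_COMMANDS = [
    "show user",
    "show tacacs",
    "show processes",
    "gss tech-report",
    "gssm backup full gssmfullbk",
    "username user_1 password mypwd privilege admin",
    "reset-gui-admin-password",
]

if __name__ == "__main__":
    for name, auth_set in (("only show user", ONLY_SHOW_USER),
                           ("all but tech-report", ALL_BUT_TECH_REPORT)):
        print(name, "->", permitted(auth_set, SAMPLE_COMMANDS))
```

The deny-list form leaves every command it does not name available, including username and reset-gui-admin-password, which is worth checking against the role the group is meant to have.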
Configuring Primary GSSM GUI Privilege Level Authorization from the TACACS+ Server
You can configure the Cisco Secure ACS TACACS+ server to define the privilege level (role) of a user when accessing the primary GSSM GUI. The primary GSSM GUI learns the user’s associated privilege level when communicating with the TACACS+ server.
To specify a user privilege level for accessing the primary GSSM GUI from the Cisco Secure ACS:
1. If this is the first time enabling per-user CLI command authorization, access the Interface Configuration section of the Cisco Secure ACS interface and configure the following selections:
a. Access the TACACS+ (IOS) page.
b. Access the Advanced Options page. Click the Per-user TACACS+/RADIUS Attributes checkbox (Figure 4-7).
Figure 4-7 Interface Configuration Page—Advanced Options Page
2. Access the User Setup section of the Cisco Secure ACS interface and select the name of a user that you want to assign a primary GSSM GUI privilege level. The Edit page appears.
3. Scroll to the Shell Command Authorization Set section of the User Setup page.
4. Click the Per User Command Authorization checkbox.
5. Check the Command check box and type GuiEnable in the Command text box (Figure 4-8).
6. To assign operator user-level privileges from the TACACS+ server, enter the following string in the Arguments text box (see Figure 4-8):
deny administrator
The deny administrator string forces a user to have operator-level privileges when using the primary GSSM GUI.
7.
If you want to assign a view to an authenticated user, configure a custom GUI view for the user on the primary GSSM GUI. Be sure to use the exact login name when creating the primary GSSM GUI user account. During the user authentication process, the GSS makes a correlation with the user name to determine if there is an associated user view configured on the primary GSSM GUI for that user.
Figure 4-9 CSV TACACS+ Accounting File Logging Page of Cisco Secure ACS
2. Click the Log to CSV TACACS+ Accounting report check box.
3. Under Select Columns To Log, in the Attributes column, click the attribute you wish to log. Click -> to move the attribute into the Logged Attributes column. Click Up or Down to move the column for this attribute to the desired position in the log.
Identifying the TACACS+ Server Host on the GSS
The TACACS+ server contains the TACACS+ authentication, authorization, and accounting relational databases. You can designate a maximum of three servers on the GSS. However, the GSS uses only one server at a time.
The variables and options for this global configuration command are:
• ip_or_host—The IP address or host name of the TACACS+ server you want to access. Enter an IP address in dotted-decimal notation (for example, 192.168.11.1) or a mnemonic host name (for example, myhost.mydomain.com).
• port port—(Optional) The TCP port of the TACACS+ server. The default port is 49.
If you specified a TCP port other than default port number 49 when configuring the TACACS+ server, you must also include the TCP port to delete the TACACS+ server. For example, if you specified port 8877 for the TACACS+ server at IP address 192.168.1.101, enter:
gss1.example.com(config)# no tacacs-server host 192.168.1.
To disable the use of TCP keepalives with the active TACACS+ server, enter:
gss1.example.com(config)# no tacacs-server keepalive-enable
To reenable the use of TCP keepalives with the active TACACS+ server, enter:
gss1.example.
Specifying TACACS+ Authentication of the GSS
After you identify a TACACS+ server, enable the TACACS+ authentication service on the GSS. Use the aaa authentication command to enable TACACS+ authentication for a specific access method. By default, the GSS falls back to local authentication with either the console port or a Telnet connection if the GSS cannot remotely contact a TACACS+ server.
Use the no form of the aaa authentication command to disable the TACACS+ authentication function. For example, to disable TACACS+ authentication for an SSH remote access connection, enter:
gss1.example.
Specifying TACACS+ Accounting on the GSS
TACACS+ accounting enables you to monitor GSS CLI commands or primary GSSM GUI pages and user actions executed in the GSS. The information is contained in an accounting record and is transmitted from the GSS to the TACACS+ server.
Showing TACACS+ Statistics on the GSS
Use the show tacacs command to display a summary of the TACACS configuration on your GSS device. For example, to display the current TACACS+ configuration, enter:
gss1.example.com# show tacacs
Current tacacs server configuration
tacacs-server timeout 5
tacacs-server keepalive-enable
tacacs-server host 1192.168.1.
Table 4-2 Field Descriptions for show statistics tacacs Command
Field | Description
Server | The IP address or host name, along with the TCP port, of the active TACACS+ server. This field also indicates whether the TCP keepalive is ONLINE or OFFLINE.
Pass | The Pass counter increments when a “pass” condition occurs for the specific service.
Disabling TACACS+ on a GSS
As GSS administrator, if you accidentally lock yourself out of a GSS device and are unable to receive TACACS+ user authentication or authorization to access that device, you can disable the TACACS+ function on that GSS from the CLI. You must have physical access to the GSS device to perform this procedure.
To disable TACACS+ on a GSS device:
1.
CHAPTER 5 Configuring Access Lists and Filtering GSS Traffic
You can filter incoming traffic received by the GSS through the use of access lists. You create access lists at the CLI of each GSS device. This chapter describes how to create access lists and access groups to filter GSS traffic.
Filtering GSS Traffic Using Access Lists
Access List Overview
The packet filtering tools on the GSS instruct each device to permit or refuse specific packets based on a combination of criteria that includes:
• Destination port of the packets
• Requesting host
• Protocol used (TCP, UDP, or ICMP)
You create packet-filtering tools, called access lists, from the GSS CLI.
Table 5-1 GSS-Related Ports and Protocols for Inbound Traffic
Source Port (Remote Device) | Destination Port (GSS) | Protocol | Details
* | 20–23 | TCP | FTP, SSH, and Telnet server services on the GSS
20–23 | * | TCP | Return traffic of FTP and Telnet GSS CLI commands
* | 53 | UDP, TCP | GSS DNS server traffic
53 | * | UDP | GSS software reverse lookup and “dnslookup” queries
123 | 123 | UDP | Network Time Protocol
Creating an Access List
Use the access-list command in global configuration mode to create an access list. You must have access to the CLI of each GSS device to create access lists for that device.
• port—Specifies the source or destination port of the packet.
• destination-port—Compares the destination port of the packet with the access condition.
For example, to configure an access list named alist1 containing a rule that allows any traffic using the TCP protocol on port 443 on the GSS device, enter the following:
gss1.example.com# config
gss1.example.
Kernel output access-list acl_1 on interface eth0 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
ACCEPT udp -- 0.0.0.0/0 0.0.0.
The options and variables are:
• name—Identifies the name of a pre-existing access list.
• interface—Specifies an interface on the GSS to which the access list will be assigned.
• eth0—Identifies the first Ethernet interface on the GSS device.
• eth1—Identifies the second Ethernet interface on the GSS device.
Adding Rules to an Access List
After you create one or more access lists, you can append rules to them at any time. Use the access-list command to add a new rule to an existing access list. For example, to add a new rule to the access list named alist1 to block all traffic from host 192.168.1.101, enter the following:
gss1.example.com# config
gss1.example.
Segmenting GSS Traffic by Ethernet Interface
By default, the GSS devices listen for DNS traffic on both GSS Ethernet interfaces, 0 and 1. In the case of inter-GSS communications, GSS devices listen for configuration and status updates on one interface only. Ethernet interface 0 is the default.
Displaying Access Lists
Use the show access-list command to display all configured access lists.
gss1.example.
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.
Deploying GSS Devices Behind Firewalls
GSS Firewall Deployment Overview
In addition to the packet-filtering features of the access-list and access-group commands (see the “Filtering GSS Traffic Using Access Lists” section), you can also deploy your GSS devices behind an existing firewall on your enterprise network. When you configure your GSS for deployment behind a firewall, you must allow DNS traffic into the device.
Table 5-2 Inbound Traffic Going Through a Firewall to the GSS (continued)
Source Port (Remote Device) | Destination Port (GSS) | Protocol | Details
* | 161 | UDP | Simple Network Management Protocol (SNMP) traffic
* | 443 | TCP | Primary GSSM GUI
1304 | 1304 | UDP | CRA keepalives
* | 2000 | UDP | Inter-GSS periodic status reporting
* | 2001–2005 | TCP | Inter-GSS communication
* | 3002–3008 | TCP | Inter-GSS communicat
Table 5-3 Outbound Traffic Originating from the GSS (continued)
Source Port (GSS) | Destination Port (Remote Device) | Protocol | Details
* | 53 | UDP | GSS software reverse lookup and “dnslookup” queries
123 | 123 | UDP | Network Time Protocol (NTP) updates
161 | * | UDP | Simple Network Management Protocol (SNMP) traffic
443 | * | TCP | Primary GSSM GUI
1304 | 1304 | UDP | CRA keepalives
* | 2000 | UDP | Inter-GSS pe
Configuring GSS Devices Behind a Firewall
To configure GSS devices to operate behind a firewall:
1. Determine the level of access and the services you want enabled on your GSS and GSSM devices.
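One way to check a planned firewall policy against the services chosen in step 1, using only the inbound rows of Tables 5-1 and 5-2 that are visible in this guide; this is an added example, not part of the GSS software. The service labels, the (protocol, low port, high port) rule format, and the sample policy are assumptions made for illustration, and source-port restrictions are not modeled.

```python
# Inbound destination ports on the GSS, from the visible rows of Tables 5-1 and 5-2.
# The dictionary keys are labels chosen for this example.
GSS_INBOUND = {
    "cli": [("tcp", 20, 23)],                       # FTP, SSH, and Telnet server services
    "dns": [("udp", 53, 53), ("tcp", 53, 53)],      # GSS DNS server traffic
    "ntp": [("udp", 123, 123)],                     # Network Time Protocol
    "snmp": [("udp", 161, 161)],                    # SNMP traffic
    "gui": [("tcp", 443, 443)],                     # Primary GSSM GUI
    "cra": [("udp", 1304, 1304)],                   # CRA keepalives
    "inter-gss": [("udp", 2000, 2000),              # periodic status reporting
                  ("tcp", 2001, 2005),              # inter-GSS communication
                  ("tcp", 3002, 3008)],             # row details cut off on the page
}


def expand(entries):
    """Turn (proto, low, high) entries into a set of (proto, port) pairs."""
    pairs = set()
    for proto, low, high in entries:
        if proto not in ("tcp", "udp") or not 0 < low <= high <= 65535:
            raise ValueError(f"bad rule: {(proto, low, high)!r}")
        pairs.update((proto, port) for port in range(low, high + 1))
    return pairs


def to_ranges(pairs):
    """Collapse (proto, port) pairs back into sorted (proto, low, high) ranges."""
    ranges = []
    for proto, port in sorted(pairs):
        if ranges and ranges[-1][0] == proto and ranges[-1][2] == port - 1:
            ranges[-1] = (proto, ranges[-1][1], port)
        else:
            ranges.append((proto, port, port))
    return ranges


def review_firewall(allow_rules, services):
    """Return (missing, excess) port ranges for the chosen GSS services.

    missing: ports the services need that no allow rule covers.
    excess:  ports the rules open that none of the chosen services need.
    """
    unknown = [s for s in services if s not in GSS_INBOUND]
    if unknown:
        raise ValueError(f"unknown service labels: {unknown}")
    needed = expand(e for s in services for e in GSS_INBOUND[s])
    allowed = expand(allow_rules)
    return to_ranges(needed - allowed), to_ranges(allowed - needed)


# Constructed sample policy: opens 2000-2005 as TCP only and a wide CLI range.
SAMPLE_RULES = [
    ("udp", 53, 53), ("tcp", 53, 53),
    ("tcp", 443, 443),
    ("tcp", 2000, 2005),
    ("tcp", 20, 25),
]

if __name__ == "__main__":
    missing, excess = review_firewall(SAMPLE_RULES, ["dns", "gui", "inter-gss"])
    print("missing:", missing)
    print("excess: ", excess)
```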
CHAPTER 6 Configuring SNMP
This chapter describes how to configure Simple Network Management Protocol (SNMP) to query GSS devices for standard MIB resources. It contains the following major sections:
• Overview
• Configuring SNMP on Your GSS
• Viewing SNMP Status
• Viewing MIB Files on the GSS
Overview
SNMP is a set of network management standards for IP-based internetworks. SNMP includes a protocol, a database-structure specification, and a set of management data objects.
Each GSS or GSSM contains an SNMP agent, ucd-snmp v4.2.3, to query other GSS devices for standard MIB resources found in MIB-II (RFC-1213) and Host Resources MIB (RFC 2790). SNMP runs on GSS port 161 by default. The SNMP agent receives instructions from the SNMP manager, and also sends management information back to the SNMP manager as events occur.
5. To specify the name of the contact person for this GSS device, use the snmp contact command. You can include information on how to contact the person; for example, a phone number or e-mail address. Enter an unquoted text string with a maximum of 255 characters including spaces.
gss1.example.com(config)#snmp contact
Enter new Contact Info: Cisco Systems, Inc.
6. To specify the physical location of this GSS device, use the snmp location command.
Viewing MIB Files on the GSS
To view the MIB files contained in the /mibs directory on the GSS, use the dir command. If you want to copy the MIB files from the /mibs directory on the GSS to another location on the GSS or to a remote network location, use the ftp or scp command. For example, enter:
gss1.example.
-rw-r--r-- 1 root root 38034 Jul 18 08:45 SNMPv2-TC.txt
-rw-r--r-- 1 root root 3981 Jul 18 08:45 SNMPv2-TM.txt
-rw-r--r-- 1 root root 10765 Jul 18 08:45 TCP-MIB.txt
-rw-r--r-- 1 root root 2058 Jul 18 08:45 UCD-DEMO-MIB.txt
-rw-r--r-- 1 root root 3131 Jul 18 08:45 UCD-DISKIO-MIB.txt
-rw-r--r-- 1 root root 2928 Jul 18 08:45 UCD-DLMOD-MIB.
-rw-r--r-- 1 root root 8037 Jul 18 08:45
-rw-r--r-- 1 root root 30343 Jul 18 08:45
-rw-r--r-- 1 root root 4076 Jul 18 08:45
CHAPTER 7 Backing Up and Restoring the GSSM
This chapter describes the procedures to back up and restore the primary GSSM database. It also includes a set of recommended guidelines on when to perform a primary GSSM backup.
Backing Up the Primary GSSM
This section describes the procedure to perform a full backup of the primary GSSM database. It contains the following sections:
• Backup Overview
• Performing a Full Primary GSSM Backup
Backup Overview
The GSSM database of the primary GSSM is the heart of your GSS network.
When you execute a database restore on your primary GSSM, the archive file is automatically unpacked and the database copied to the GSSM, overwriting the current GSSM database. Backing up your GSSM database requires access to the GSS CLI and the completion of the following actions:
1. Determining the appropriate time to back up your GSSM
2. Performing the backup
3.
3. Use the gssm backup full command to create a full backup of your primary GSSM. The gssm backup full command performs a backup of both the database component of the GSSM and its network and device configuration information. Supply a filename for your backup.

gssm1.example.com# gssm backup full gssmfullbk
GSSM database backup succeeded [gssmfullbk.full]

4.
Restoring a Primary GSSM Backup

This section describes the procedure to restore a backup of the primary GSSM database.
Restoring Your Primary GSSM from a Previous Backup

When restoring the primary GSSM from a previous backup, use the last backup to restore the GSS device network configuration settings as well as the encryption keys used to communicate with other GSS devices. Restoring the primary GSSM from a backup returns the device to its exact configuration as of the last backup.
6. Confirm your decision to restore primary GSSM platform information or only the GSS database. This selection enables you to return the primary GSSM back to the original state prior to the database backup.
• Select n to instruct the software not to restore GSS network information to the GSSM.

Note: If you choose not to restore the GSS network information, you must reenable each device, then reregister the device with the primary GSSM. Refer to the Cisco Global Site Selector Getting Started Guide for details.
Downgrading Your GSS Devices

If you encounter problems with a GSS software upgrade, restore an earlier version of the GSS software on your GSSs and GSSMs. To restore an earlier version of your software, you must have a previous backup of the primary GSSM database that corresponds to the current version of GSS software. For example, if you wish to downgrade from GSS software Release 1.2 to GSS software Release 1.
4. Install the earlier software version as described in the “Upgrading Your GSS Devices” section of Appendix A, Upgrading the GSS Software.
5. After you downgrade the software on your primary GSSM, proceed to the “Restoring Your Primary GSSM from a Previous Backup” section and restore your GSSM database backup previously saved from the downgraded GSS software release.
CHAPTER 8
Viewing Log Files

This chapter describes how to store and view logged information about your GSS devices. Each GSS device contains a number of log files that retain records of specified GSS-related activities and the performance of various GSS subsystems. You can access these log files using the CLI to troubleshoot problems or to better understand the behavior of a GSS device.
Understanding GSS Logging Levels

The GSS supports eight separate logging levels to identify the wide range of critical and noncritical logged events that may occur on a GSS device. Table 8-1 describes the different logging levels. Table 8-2 lists GSS subsystems for which you can enable logging.

Table 8-1 GSS Logging Levels

Level Number  Level Name   Description
0             Emergencies  The GSS has become unusable.
Table 8-1 GSS Logging Levels (continued)

Level Number  Level Name   Description
6             Information  Messages at this level are normal operational messages for the GSS device, such as status or configuration changes.
7             Debug        Messages at this level (such as detailed information about DNS request or keepalive handling, and specific code path tracking) are intended for use by technical support personnel.
Configuring System Logging for a GSS

By default, the GSS maintains system logged records in the gss.log file on the hard disk. You can change the logging destination to a remote host machine. Decisions about what level of GSS logging to use can be made globally, or configured on a subsystem-by-subsystem basis.
The options and variables are:
• enable—Enables logging to disk.
• priority—Sets the priority level of the messages to log to disk.
• loglevel—Identifies the threshold that system messages must meet to be logged. Messages with lower priorities than the specified log level cannot be logged.
For example, to enable logging to disk and to set the priority level for error conditions, enter:

gssm1.example.com(config)# logging disk enable
gssm1.example.com(config)# logging disk priority error

For example, to enable logging to disk, set the log for CrDirector subsystem logging messages, and set the priority level to informational messages, enter:

gssm1.example.com(config)# logging disk enable
gssm1.example.
– errors—Error conditions (Priority 3)
– warnings—Warning conditions (Priority 4)
– notifications—Normal but significant conditions (Priority 5)
– informational—Informational messages (Priority 6)
– debugging—Debugging messages (Priority 7)
• subsystem—Sets the log for a named GSS subsystem. Each subsystem can have a different log level applied for its messages.
• name—Specifies the name of the GSS subsystem.
To stop logging to GSS disk, enter:

gssm1.example.com(config)# no logging host

Viewing Device Logs from the CLI

Each GSS device contains a number of log files that retain records of both GSS-related activity as well as the performance of the various GSS subsystems. Access these log files from the CLI to troubleshoot problems or to better understand the behavior of a GSS device.
The options are:
• follow—Displays the log file as data is appended to it.
• tail—Displays only the last 10 lines of the log file.

To limit the output of the show logs command, specify one of the following:
• Use the tail option of the show logs command to view only the last ten lines of logged information.

gssm1.example.
Viewing System Message Logging

To display the system message log configuration for a GSS device, use the show logging command. For example, enter:

gssm1.example.com# show logging
Logging to disk is enabled.
Priority for disk logging is Informational(6).
Logging to host is disabled.
Priority for host logging is Warning(4).

Viewing Subsystem Log Files from the CLI

In addition to the gss.
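The show logging output above can be checked automatically when reviewing a device's logging posture. The following Python sketch is an added example, not part of the Cisco guide or the GSS software: it parses that output and applies the threshold rule from this chapter (messages with a lower priority, meaning a higher number, than the configured level are not logged). The function names, the required_priority policy value, the names for levels 1 and 2, and the second sample are assumptions.

```python
import re

# Severity numbers 0 and 3-7 are the ones visible in this guide; the names
# for 1 and 2 are the standard syslog ones and are an assumption here.
SEVERITIES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
              4: "warnings", 5: "notifications", 6: "informational",
              7: "debugging"}

STATE_RE = re.compile(r"Logging to (disk|host) is (enabled|disabled)\.")
PRIORITY_RE = re.compile(r"Priority for (disk|host) logging is \w+\((\d)\)\.")

# Output copied from the guide's show logging example.
PAGE_SAMPLE = """\
Logging to disk is enabled.
Priority for disk logging is Informational(6).
Logging to host is disabled.
Priority for host logging is Warning(4).
"""

# Constructed sample (not from the guide): disk threshold set to level 3.
CONSTRUCTED_SAMPLE = """\
Logging to disk is enabled.
Priority for disk logging is Error(3).
Logging to host is enabled.
Priority for host logging is Warning(4).
"""


def parse_show_logging(text):
    """Return {destination: {"enabled": bool, "priority": int}}."""
    config = {}
    for dest, state in STATE_RE.findall(text):
        config.setdefault(dest, {})["enabled"] = state == "enabled"
    for dest, number in PRIORITY_RE.findall(text):
        config.setdefault(dest, {})["priority"] = int(number)
    return config


def dropped_levels(priority):
    """Severities that a threshold of `priority` does not log."""
    return [SEVERITIES[n] for n in range(priority + 1, 8)]


def audit(config, required_priority=4):
    """Flag destinations that are off or that drop levels the policy needs.

    required_priority is a hypothetical site policy: every level from 0 up
    to and including this number must reach each destination.
    """
    findings = []
    for dest in ("disk", "host"):
        entry = config.get(dest, {})
        if "enabled" not in entry or "priority" not in entry:
            findings.append(f"{dest}: setting missing from output")
        elif not entry["enabled"]:
            findings.append(f"{dest}: logging is disabled")
        elif entry["priority"] < required_priority:
            prio = entry["priority"]
            lost = [SEVERITIES[n] for n in range(prio + 1, required_priority + 1)]
            findings.append(
                f"{dest}: threshold {SEVERITIES[prio]}({prio}) "
                f"does not record {', '.join(lost)}")
    return findings


if __name__ == "__main__":
    for label, sample in (("page", PAGE_SAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        for finding in audit(parse_show_logging(sample)):
            print(f"[{label}] {finding}")
```
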
2. To display the contents of the log file, use the type command.

gssm1.example.com> type dnsserver.log
dnsserver.log
Starting dnsserver: Mon Jul 1 13:52:50 UTC 2003 [(1221)]
2003-07-10 16:23:08 relog: Booting...
Starting dnsserver: Wed Jul 10 16:23:33 UTC 2003 [(1201)]
End of file dnsserver.log ]

3. To view only the last ten lines of the log file, use the tail command.

gssm1.example.com# tail dnsserver.
To rotate existing log files:

gssm1.example.com# rotate-logs

To clear all rotated log files in the $STATE directory and subdirectories, except for the active log files:

gssm1.example.com# rotate-logs delete-rotated-logs

Viewing System Logs from the Primary GSSM GUI

From the primary GSSM GUI, you can view messages logged in the GSS system.log file. The system.
Figure 8-1 System Log List Page

System log information includes:
– Time—Time in Universal Coordinated Time (UTC) at which the logged event occurred on the GSS device.
– Node type—Type of GSS node (GSS or GSSM) on which the logged event occurred.
– Node name—The name assigned to the GSS device using the primary GSSM.
– Module—GSS component logging the message (for example, server or storeAdmin).
• Fatal—Indicates that the GSS or one of its components failed. Fatal errors are rare and are usually caused by exceptions from which it is impossible to recover, or by the failure of a GSS component to initialize properly.
• Warning—Indicates a noncritical error or unexpected condition.
• Info—Provides information about the normal operation of the GSS and its components.
The options and variables are:
• count—Purges all system log messages from the primary GSSM database, except the specified number of most recently generated log messages.
• number_records_to_keep—Identifies the number of system log messages to keep, starting back from the most recently generated log message, when purging the primary GSSM database.
Common System Log Messages

Table 8-3 lists common GSS system messages that can appear on the System Log list page. Messages appear alphabetically with a brief description. If you require more detailed information about a specific system message, contact a Cisco technical support representative.
Table 8-3 System Log Messages (continued)

System Log Message           Description
Server Started               The GSS software has been started from the CLI.
Standby GSSM database error  An error occurred on the standby GSSM embedded database.
Started store invalidation   The GSS has started the process of marking internally inconsistent database records.
Started store validation     An internal consistency check has started for the GSSM database.
CHAPTER 9
Monitoring GSS Operation

The GSS software includes a number of tools for monitoring the operating status of the GSS devices on your GSS network. These tools include CLI-based commands and the primary GSSM GUI pages that display the status of your GSSs, GSSMs (primary and standby), and the GSSM database.
Monitoring GSS and GSSM Status

From the CLI of each GSS device, you can monitor the following:
• Online status and resource usage of the individual GSS subsystems (servers) by using the gss status command.
Jul09 Keepalive Engine
Jul09 Node Manager
Jul09 Proximity
Jul09 Sticky
Jul09 Web Server (apache)

3. Enter the gss status verbose command to include statistics about CPU utilization when displaying information on the current operating state of the GSS device.

gss1.example.com# gss status verbose
Cisco GSS - 1.2(1) - Development build
GSSM - primary [Tue Jun 17 11:56:26 UTC 2003]
Normal Operation [runmode = 5]
%CPU START SERVER
0.
2. Enter the show system-status CLI command to display the current running status of the GSS device.

Note: The equivalent CLI command is gss status.

For example:

gssm1.example.com# show system-status
Cisco GSS - 1.
Displayed information includes:
– Status—Online or offline
– Version—Software version currently loaded on the device
– Node services—Current role of the device (GSS, primary or standby GSSM, or both)
– IP address—Network address of the device
– Hostname—Network host name of the device
– MAC—Machine address of the device

4. Click Cancel to return to the Global Site Selectors list page.
Validating Database Records

To validate the records in your GSSM database:

1. Log in to the CLI of the primary GSSM and enable privileged EXEC mode.

gssm1.example.com> enable
gssm1.example.com#

2. Enter the gssm database validate command to validate the content of your GSSM database.

gssm1.example.com# gssm database validate
GSSM database passed validation.
Validating CachingConfig
Validating ClusterConfig
Validating CmdControl
Validating CmdPurgeRd
Validating CmdUpdate
Validating ConfigProperty
Validating Customer
Validating DistTree
Validating DnsRule
Validating DomainElement
Validating DomainGroup
Validating ENodeConfig
Validating ENodeStatus
Validating KeepAliveConfig
Validating KeepAlive
Validating Location
Validating OrderedanswerGroup
Validating Owner
Validating Region
Validating Reque
Viewing the GSS Operating Configuration for Technical Support

The GSS software includes two CLI commands to assist a Cisco Technical Assistance Center (TAC) representative in troubleshooting potential problems on your GSS network.
ip address 10.86.209.220 255.255.254.0
gss-communications
interface ethernet 1
ip address 192.168.1.25 255.255.255.0
gss-tcp-keepalives
...

To export the output of all configured fields from the primary GSSM GUI, enter the show tech-support config command:

gssm1.example.
Status: Active
Match DNS Query Type: A record
Answer Group 1: Database-Services
Balance Method 1: Hashed
Balance Clause Options 1: DNS TTL: 20; Return Record Count: 1;
Answer Group 2:
Balance Method 2:
Balance Clause Options 2:
Answer Group 3:
Balance Method 3:
Balance Clause Options 3:
...

To display a listing of all core files useful to Cisco TAC, enter the show tech-support config command:

gssm1.example.
APPENDIX A
Upgrading the GSS Software

To upgrade to a new software version, you must:
• Have access to the GSS download area of the Cisco software download site and to Cisco.com.
• Be familiar with the proper procedure for updating your GSS devices and know the CLI commands required to execute the backup.
Verifying the GSSM Role in the GSS Network

Before you continue with the upgrade procedure, verify that the roles of the designated primary and standby GSSMs have not changed. The changing of roles between the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online.

To verify the role of the current primary GSSM and the standby GSSM:
1.
Backing up and Archiving the Primary GSSM

Before you upgrade your GSS software, ensure that you have a full backup of your primary GSSM database and that you archive the backup by moving it to a remote device. The GSSM database maintains all network and device configuration information, as well as the DNS rules that are used by your GSS devices to route DNS queries from users to available hosts.
To add an upgrade file for the GSS software:

1. Launch your preferred web browser and point it to the Cisco Global Site Selector download page. When prompted, log in to Cisco.com using your designated Cisco.com username and password. The Cisco GSS Software download page appears, listing the available software upgrades for the GSS software product.
2. If you do not have a shortcut to the Cisco Global Site Selector download page:
a. Log in to Cisco.
7. Click the filename link labeled Download. If prompted by software, reenter your username and password.
8. Click Save to file, then choose a location on your workstation to temporarily store the .upg upgrade file.
9. Post the .upg file that you downloaded to a designated area on your network that is accessible to all your GSS devices.

You are now ready to upgrade the software on a GSS device. Proceed to the “Upgrading Your GSS Devices” section.
230 User admin logged in. Access restrictions apply.
Remote system type is UNIX.
Using ascii mode to transfer files.
ftp> binary
ftp> get
(remote-file) gss.upg
(local-file) gss.upg
local: gss.upg remote: gss.upg
200 PORT command successful.
...

3. Enable privileged EXEC mode.

gssm1.example.com> enable
gssm1.example.com#

4. Enter the gss stop command to stop the GSS software.

gssm1.example.com# gss stop

5. Enter the install command to install the upgrade.

gssm1.