Configuration Guide
Page 8
... Client-Side Access 5-4 Administrative Time Out 5-5 Web Management User Interface 5-5 General Configuration Examples 5-7 Example: Setting the Device Name (Hostname) 5-7 Example: Resetting the IP Address 5-8 Example: Configuring an Ethernet Interface 5-9 Example: Enabling RIP 5-10 Example: Adding a Route to the Routing Table 5-11 Example: Working with Syslogs 5-13 Example: Restricting Access using an Access List 5-14 Example: Reloading (Rebooting) the Appliance 5-17 Example: Setting an Enable Password 5-18 Example: Configuring SNMP 5-19 SSL Configuration Examples 5-22 Cisco 11000 Series Secure...
Configuration Guide
Page 10
...B-19 Connecting the Device to a Terminal Server B-30 Web Site Changes B-30 Transparent Local-Listen B-31 Command Summary C-1 Input Data Format Specification C-2 Text Conventions C-2 Editing and Completion Features C-3 Command Hierarchy C-5 Configuration Security C-6 Passwords C-6 Access Lists C-7 Factory Default Reset Password C-7 Methods to Manage the Device C-7 Initiating a Management Session C-9 Serial Management and IP Address Assignment C-9 Telnet C-10 Command Listing C-10 Top Level Command Set C-31 Non-Privileged Command Set C-31 clear screen C-31 cls C-31 enable C-31 Cisco 11000 Series...
Configuration Guide
Page 25
... Example 5-8 Resetting IP Information Configuration Example 5-9 Ethernet Interface Configuration Example 5-10 RIP Configuration Example 5-11 Routing Table Configuration Example 5-12 Adding a Route Example 5-12 Syslog Configuration Example 5-13 Access List Configuration Example 5-14 Add Access List Entry Example 5-15 Subsystem Access Configuration Example 5-16 Device Reloading Example 5-17 Save Changes Button 5-17 Change Password Example 5-18 SNMP Configuration Example 5-19 SNMP Trap Example 5-20 Add SNMP Trap Host Example 5-21 Cisco 11000 Series Secure Content Accelerator Configuration Guide...
Configuration Guide
Page 38
... operations. xxxviii Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-06 Network functionality is degraded. No workaround is available. • Priority level 1 (P1)-Your production network is down, and a critical impact to business operations will occur if service is available. Cisco TAC Website You can open a case online at this URL: http://www.cisco.com/en/US/support/index.html...
Configuration Guide
Page 42
...configuration security • Management via command line and Web-based graphical user interfaces • Hardware server keepalive support • Arbitrary HTTP headers • TCP tuning facility • Syslog facility support • Authentication logging • SSL version control • RIP client version 1 and 2 support • Multiple SNTP server support • SNMP MIB-II support (read-only) • Transparent/non-transparent SSL proxy toggling • Non-SSL traffic blocking when operating in default in-line (dual-port) mode...
Configuration Guide
Page 46
Firmware files Cisco 11000 Series Secure Content Accelerator Configuration Guide 2-2 78-13124-06 Warning Before you should know before working with the system. Please see Appendix A. PDF version of this guide - This guide contains important safety information you install, operate, or service the system, read the electrical, environmental, and physical requirements as described in Appendix A. Secure Content Accelerator documentation - Required Tools and Equipment To install the...
Configuration Guide
Page 64
... a new server. Type y, and enter the IP address at the prompt. Using the QuickStart Wizard Chapter 3 Using the QuickStart Wizard Type y to confirm. Type n to connect outside of the local subnet. The password you like to set a name for this device: A default gateway is not displayed. SCA myDevice Keys capacity 255, defined 3 Name Id RC V default 1 0 Y default-512 2 0 Y default-1024 3 0 Y 3-10 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78...
Configuration Guide
Page 84
... flash. (config[myDevice])# interface network (config-if[network])# duplex full (config-if[network])# speed 100 (config-if[network])# finished SCA# 4-16 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-06 Create an access list allowing management access to the SNMP subsystem. If it is not saved, the configuration is lost during a power cycle or when the reload command is forced to the Web management subsystem. (config[myDevice])# web-management access-list 1 5. Configuring an Ethernet Interface The Ethernet interfaces on the...
Configuration Guide
Page 118
... Password page opens automatically, as shown in the Confirm New Password text box. 4. Click Update. 5-18 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-06 Figure 5-15 Change Password Example 2. Click Access to the device. 1. Type the password to set the password. If an Enable password has already been assigned, type it in Figure 5-15. General Configuration Examples Chapter 5 Graphical User Interface Reference Example: Setting an Enable Password The Enable password is requested prior to connecting to activate the Access...
Configuration Guide
Page 151
...# fips enable 3. Passwords must be used . Some commands are supported. Enter new password: Confirm password: You need to do this text is displayed. and enable-level passwords previously set previously, this ? (y/n) [n] 4. Enter new password: Confirm new password: 78-13124-06 Cisco 11000 Series Secure Content Accelerator Configuration Guide 6-3 Read the text carefully before replying to it. The Secure Content Accelerator checks access- Firmware signature verification is available only via the serial console. A caution...
Configuration Guide
Page 168
Use with the CSS Appendix B Deployment Examples Table B-1 In-Line Installation Device Configuration CSS Configuration • Create a VLAN for each Secure Content Accelerator • Create a VLAN for the servers • Create services as required for each server, adding "keepalive" attributes as necessary • Create a default ECMP route for each load balanced Secure Content Accelerator using the upstream router as the gateway for each upstream VLAN • Create Layer 5 rules for the secure content • Create content...
Configuration Guide
Page 174
... • Set up single-port operation using the mode one-port command (Appendix C) • If client IP accounting is necessary, use the log-url command to specify the host for writing the access log Below is a sample configuration for the CSS. !Generated on 11/18/2000 17:38:37 !Active version: ap0400007s configure GLOBAL bridge spanning-tree disabled ip route 0.0.0.0 0.0.0.0 10.100.1.1 1 B-12 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78...
Configuration Guide
Page 201
... access lists, see the commands show access-list, access-list, snmp access-list, telnet access-list, and web-mgmt access-list in FIPS Mode. 78-13124-06 Cisco 11000 Series Secure Content Accelerator Configuration Guide C-7 Methods to single-port mode via a serial cable. - When prompted for appliance management. - A device can be set to Manage the Device You can configure the Cisco Secure Content Accelerator using the factory default reset password. The FailSafe password can be managed while physically connected via serial connection. - Factory Default Reset Password...
Configuration Guide
Page 211
... IP address to pass through of the current device. Enables pass through the single "Network" Ethernet port. Adds a static route entry for resolution of the device. Stores the registration code of unqualified names. This is the default configuration Sets the access- Cisco 11000 Series Secure Content Accelerator Configuration Guide C-17 Specifies and RDATE-protocol server to be ignored Enables secure and non-secure traffic to the device routing table. Displays...
Configuration Guide
Page 232
... device. The interval in seconds. If a single interface is not specified, information is displayed for the "Server" interface. Specifies an interval for the specified Ethernet interface(s). C-38 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-06 Top Level Command Set Appendix C Command Summary show interface Displays information for display updates. Related Commands show interface errors (Non-Privileged Command Set) show interface statistics (Non-Privileged Command Set) interface...
Configuration Guide
Page 233
... are updated every second. Specifies an interval for the "Network" interface. If continuous is specified, error statistics are updated every second. Press any key to stop displaying errors. show interface statistics (Non-Privileged Command Set) interface (Configuration Command Set) See the section "Interface Configuration Command Set". Press any key to stop displaying statistics. 78-13124-06 Cisco 11000 Series Secure Content Accelerator Configuration Guide...
Configuration Guide
Page 241
...-06 Cisco 11000 Series Secure Content Accelerator Configuration Guide C-47 FIPS Mode (serial only) Related Commands show ssl cert (Non-Privileged Command Set) show ssl certgroup (Non-Privileged Command Set) show ssl errors (Non-Privileged Command Set) show ssl key (Non-Privileged Command Set) show ssl secpolicy (Non-Privileged Command Set) show ssl server (Non-Privileged Command Set) show ssl Usage Guidelines Availability: Serial, Telnet; show ssl statistics (Non-Privileged Command Set) ssl (Configuration Command Set) See...
Configuration Guide
Page 351
... FIPS mode. session-cache timeout Syntax Description seconds Specifies the number of the command disables SSL version 2 protocols. Related Commands sslv3 enable (Reverse-Proxy Server Configuration Command Set) tlsv1 enable (Reverse-Proxy Server Configuration Command Set) 78-13124-06 Cisco 11000 Series Secure Content Accelerator Configuration Guide C-157 Usage Guidelines Availability: Serial, Telnet; sslv2 enable no sslv2 enable Usage Guidelines Availability: Serial, Telnet Using the no form of seconds before being timed...
Configuration Guide
Page 436
... the file name as a factory reset. • Telnet connection, configuration manager - Only one of three methods, two of the following formats: [] URL In situations where a file is not allowed, use this format: ftp://username:password@host/directory/filename F-12 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-06 An IP address need not have been assigned for...
Configuration Guide
Page 450
... ports 2 client authentication with GUI 5-33 client-side Web access 5-4 device name with GUI 5-7 enabling RIP with GUI 5-10 Ethernet interface 4-16 Ethernet interface with GUI 5-9 generating a certificate 4-24 generating a key with CLI 4-24 GUI 5-1, 6-1, C-7, 12 importing a certificate group with GUI 5-46, 5-47 key 3-6, 4-8 key with GUI 5-22 management method comparison C-7, 12 non-privileged command set C-31 other secure protocols 4-27, 5-37 password 3-10 privileged command set C-68 QuickStart wizard 3-1 reloading with GUI 5-17 remote configuration manager...