Manual Chapter : GLOBAL-SITE Controller v2.2 Adminstrator Guide: ITCMconsole Command Line Interface

Applies To:

Show Versions Show Versions

GLOBAL-SITE Controller

  • 2.2 PTF-02, 2.2 PTF-01, 2.2.0
Manual Chapter


6

ITCMconsole Command Line Interface



ITCMconsole commands

The ITCMconsole command line interface adds new functionality to the GLOBAL-SITE Controller. With these new commands you have an even greater ability to configure and run the controller.

This chapter lists the various ITCMconsole commands, including syntax requirements and functional descriptions. Table 6.1 outlines the conventions used in the command line syntax.

Command line conventions

Item in text

Description

\

Continue to the next line without typing a line break.

< >

You enter text for the enclosed item. For example, if the command has <your name>, type your name.

|

Separates alternate options for a command.

[ ]

Syntax inside the brackets is optional.

...

Indicates that you can type a series of items.

Using the ITCMconsole

To run the ITCMconsole, you have to be logged in as the root user. You can use the ITCMconsole in two ways, batch mode and interactive mode. For batch mode, if you are at the command prompt, and you know the entire command, you can type it out in a string (starting with ITCMconsole) on one line and then press the Enter key. For interactive mode, you have to be inside the ITCMconsole shell, which you open by typing ITCMconsole at the command prompt and pressing the Enter key. Interactive mode is very useful if you are unsure of the exact syntax of the commands, or if you want to see the online help for the commands. You use interactive mode by pressing the Enter key after each command, which allows the system to query you as to what you would like to type next.

For example, the interactive process shown in Figure 6.1 gets the same results as this string:

ITCMconsole user logadmin enable

Figure 6.1 Sample interactive mode for the ITCMconsole

 [root@user /root]# ITCMconsole    
Press ? for help at any time
Press Ctrl-U to clear the line

ITCMconsole___FCKpd___0gt;user
Commands:
root Modify root user account
support Modify the support user account
logadmin Modify FTP user account
gsite Modify gsite user account

ITCMconsole___FCKpd___0gt;user logadmin
Commands:
disable Disable the FTP user (logadmin)
enable Enable the FTP user (logadmin)
password Change the password for the FTP user (logadmin)

ITCMconsole___FCKpd___0gt;user logadmin enable
Logadmin account enabled

In interactive mode, you can use auto-complete (also known as tabbed complete). If you type the first few letters of a command and press the Tab key, the command completes itself without your having to type the entire command.

Ctrl + U clears all the text in front of the ITCMconsole prompt. Ctrl + X breaks you out of an interactive command prompt and returns you to the ITCMconsole prompt. The quit command closes the ITCMconsole shell.

We present the commands and examples in this chapter assuming that you are using interactive mode. If you are using batch mode, you need to preface each command with the prefix ITCMconsole. For example, to use the command show user in batch mode, you type:

ITCMconsole show user

Tip: You can type ITCMconsole or gsconfig to open the ITCMconsole command line interface.

Commands

The following lists in alphabetical order the individual ITCMconsole commands, with a concise definition, and a page reference where you can find the detailed description.

Command

Description

Page

?

Displays the ITCMconsole commands or subcommands for that level and the online help for those commands.

6-4

acl

Configures the access control list (ACL).

6-5

alert

Configures default and user-defined alerts.

6-6

date

Sets the current date and time.

6-12

gs_identifier

Sets a new, unique GLOBAL-SITE identifier.

6-13

ldap

Provides tools used to configure LDAP.

6-14

license

Checks if there is a valid license for the product.

6-17

netinet

Configures the network settings.

6-18

ratelimit

Configures outbound transfer rate limiting.

6-22

reboot

Reboots the machine.

6-27

service

Configures system services and daemons.

6-28

show

Shows details of the system.

6-31

timezone

Configures the system time zone.

6-32

user

Modifies system user accounts.

6-33

webserver

Configures the webserver.

6-34

webuser

Creates/modifies/deletes web users.

6-36

wrapper

Allows/denies/sets priority for tcp wrappers.

6-38

?

<command> ?

The ? command displays the list of commands or subcommands and the corresponding online help for each.

To see the list of initial commands, at the ITCMconsole prompt, type:

?

Figure 6.2 demonstrates the results when you type alert ?.

Figure 6.2 Example of subcommand list text

 ITCMconsole___FCKpd___1gt;alert ?    
Commands:
raise Raise a named alert with optional data
add Add an alert with an associated action
delete Delete an alert and its associated action
modify Modify an existing alert
named_action Add/Delete/Modify a named action for alerts
setting Configure default settings for alerts

ITCMconsole___FCKpd___1gt;alert

Figure 6.3 demonstrates the results when you type alert raise ?.

Figure 6.3 Example of command help text

 ITCMconsole___FCKpd___2gt;alert raise ?    
Raise a named alert with optional data.

Usage: alert raise [name][args]
Where
[name] is the name of the alert and
[args] are any action overrides in the form of setting=value pairs.
Whether overrides are used depends on which actions are configured.

Available settings are:
description (used for trap messages and email subject lines)
toaddress (override for To: address field for email actions)
fromaddress (override for email From: address field)
attachment (file name for overriding email attachment field)
body (default body text for email actions)
command (overrides command to run for exec actions)

acl

acl syntax

acl migrateacl

The access control list (ACL) tells the operating system what access rights each user has for a particular object. The .acl file is /config/default.acl.

Working with the default.acl file

You should only edit the /config/default.acl file if you understand the rules associated with it. Using the acl command, you can check the file syntax and migrate the default.acl file to the LDAP database. To see a sample ACL file, go to /config/sample1.acl.

To check the syntax of the acl file

If you modify the default.acl file, you should check the syntax of your changes. To do this, type:

acl syntax

To migrate the default.acl file to the LDAP database, type:

acl migrateacl

alert

show alert [all | named | action | setting]
alert raise [name][args]
alert add [name][action][args]
alert delete [name]
alert modify add_action [name][action][args]
alert modify delete_action [name][action_name]
alert named_action add [action_name][subaction][args]
alert named_action delete [action name]
alert named_action add_subaction [name][subaction][args]
alert named_action delete_subaction [name][subaction]
alert setting add [variable=value]
alert setting delete [name]

You use the alert command to configure default alerts (see Default alerts, on page 7-3 ) and user-defined alerts (see Creating user-defined alerts, on page 7-4 ). Most default alerts have SNMP trap information associated with them. Alerts with OIDs can be triggered by specific events (see Figure 6.4 for a complete list of the default alerts and their triggers). For more specific information see Chapter 7, SNMP, MIBs, Traps, and Alerts .

To view all the alerts, actions, and global settings use the show alert all command.

Creating actions and subactions

User-defined alerts are made up of actions and/or subactions. Default alerts can be modified to use actions and/or subactions. Actions and subactions use one of the following: exec, email, or named_action. Actions and subactions tell the alert what to do when it triggers. Description is a required field and should be used to describe the triggering event for an alert.

exec

Use exec when you want to run a command when the alert triggers. Commands run as root when triggered. The exec command requires a command to run when an alert triggers.

email

Use email when you want to send email notification of an event (modifying a default alert) or when you raise an alert. The email command requires a To address and may have one or more of the following:

  • additional To addresses
    You can add as many addresses as you want. Separate each address with a semi-colon (;).
  • From address
    The address you want to appear in the email From box. This variable is optional, press the Enter key to choose the default [none].
  • body
    The text you want to appear in the body of the email. This variable optional, press the Enter key to choose the default [none].
  • attachment
    The file name of any attachment you want sent with the email alert. This variable is optional, press the Enter key to choose the default [none].
  • description
    The text for the subject line of the email.

named_action

A named_action groups together a set of email, exec, or other named_actions into a single entity. Once you create a named_action, you can reuse it in any number of alerts just by adding its name to the alert. If you need to use the same action more than once, then using a named_action is the most efficient way to do this.

Initially the named_action is created with a single subaction. Additional subactions may be added once the named_action has been created. The information you need to create a named_action depends on the type of subaction you use: email or exec, and the args you use (if any). Global settings provide values for any variables (args) that you do not give a value to. You use the following command to create a named_action.

alert named_action add [action_name][subaction][args]

Creating user-defined alerts

From the ITCMconsole, you can create your own user-defined alerts using the alert commands. User-defined alerts are not triggered by an event, they can however be issued by using the alert raise command. (If you want to send an alert based on an event, you need to modify a default alert. See Default alerts, on page 7-3 .) User-defined alerts do not have an OID and therefore cannot be used to send SNMP traps.

The show alert all command displays both default alerts and user-defined alerts. The main information that you need is the name of the alert and then only if you plan on modifying it in some way. You can also see what named actions or subactions you have assigned to an alert. You need the named_action (or subaction) if you wanted to change or delete it.

To create or modify a user-defined alert

  1. From the ITCMconsole, type:

    alert add

  2. At the prompt for Alert name, type a name for the alert.
  3. Choose to add either a named_action, email, or exec as your action.

    · A named_action is an user-defined action that you created previously. (Please see named_action, on page 6-7 for information on creating a named_action.) At the prompt, type the name of the named_action you created.

    · An email action sends an email for the alert. At the prompt, type email (see email, on page 6-6 for more information). The steps that follow ask you for the to address, from address, body text, and if you want to add an attachment, the attachment name.

    · An exec action runs scripts or executables for the alert (see exec, on page 6-6 for more information). At the prompt, type exec. The steps that follows asks you for a command to execute when the alert triggers and for a description of the alert.

Modifying default alerts

You can add or delete user-defined actions to the default alerts, but you cannot delete default alerts, change the name of the default alerts, or change the OID. Actions can be either named_action, email, or exec. For example, upon successful publication of a site, the snmpd sends the GLOBALSITE.globalsiteTrapPublicationSucceeded trap "Publication succeeded" to the destination IP address. You can modify the default alert and add an email action that sends mail to additional people, to inform them of the successful publication as well.

 /*Alerts:*/    
COMMON.trapDiskDriveFailure
/*OID*/ ".1.3.6.1.4.1.3375.1.5.110.2.1"
/*DESCRIPTION*/ "A disk drive has failed."
COMMON.trapFreeVirtualMem
/*OID*/ ".1.3.6.1.4.1.3375.1.5.110.2.2"
/*DESCRIPTION*/ "There is not enough memory to complete an operation."
COMMON.trapExcessiveCpuUsage
/*OID*/ ".1.3.6.1.4.1.3375.1.5.110.2.3"
/*DESCRIPTION*/ "The CPU usage exceeds its threshold."
GLOBALSITE.globalsiteTrapDataDiskFull
/*OID*/ ".1.3.6.1.4.1.3375.1.4.110.2.1"
/*DESCRIPTION*/ "The data disk is full."
GLOBALSITE.globalsiteTrapConfigurationDiskFull
/*OID*/ ".1.3.6.1.4.1.3375.1.4.110.2.2"
/*DESCRIPTION*/ "The configuration disk is full."
GLOBALSITE.globalsiteTrapPublicationSucceeded
/*OID*/ ".1.3.6.1.4.1.3375.1.4.110.2.3"
/*DESCRIPTION*/ "Publication succeeded."
GLOBALSITE.globalsiteTrapPublicationFailed
/*OID*/ ".1.3.6.1.4.1.3375.1.4.110.2.4"
/*DESCRIPTION*/ "Publication failed."
GLOBALSITE.globalsiteTrapPublicationCheckedForNew
/*OID*/ ".1.3.6.1.4.1.3375.1.4.110.2.5"
/*DESCRIPTION*/ "There is no new version of this publication."

Figure 6.4 Default alerts

To modify a default alert

To modify a default alert, you first need to know the name of that alert. Default alert names can be fairly long and must be typed accurately. You can also find the names of the default alerts in the GLOBAL-SITE MIB, which can be accessed from the GLOBAL-SITE Controller home screen or from the Documentation section of the product CD splash screen.

Tip: If you are accessing the GLOBAL-SITE Controller from an SSH application, and this application allows you to copy and paste, we recommend you do so.

  1. To get the name of the alert from the ITCMconsole, type:

    show alert all

  2. If possible copy the name of the alert you want to modify.
  3. From the ITCMconsole, type:

    alert modify add_action

  4. At the prompt for Alert name paste or type the name of the alert.
  5. Choose to add either a named_action, email, or exec as your action.

    · A named_action is an user-defined action that you created previously. (Please see exec, on page 6-6 for information on creating a named_action.) At the prompt, type the name of the named_action.

    · An email action sends an email when the alert triggers (please see email, on page 6-6 for more information). At the prompt, type email. The steps that follow ask you for the to address, from address, description (subject line), body text, and if you want to add an attachment, the attachment name.

    · An exec action runs scripts or executables for the alert (please see exec, on page 6-6 ). At the prompt, type exec. The steps that follows asks you for a command to execute when the alert triggers and a description of the alert.

Changing global settings

There are six global settings that you can assign a value to. These global settings become the default values in the alerts or actions you create. When you use the global settings you do not have to retype the same information over and over for each alert or action you create. If you leave a global setting without a value, the setting is ignored.

The global settings are:

  • description
    used for default alert messages and email subject lines
  • toaddress
    the To address box for email actions
  • fromaddress
    the From address box for email actions
  • attachment
    the file name for the email attachment
  • body
    the default body text for email actions
  • command
    the command to run for exec actions

To set the global settings

Changing or setting the global settings requires that you know the name of the setting you want to change. The names are listed here, but you can also find them by typing:

alert setting add ?

Then, to change a setting, you type:

alert setting add [setting name]

For example, to change or set the description variable, type:

alert setting add description This is a GLOBAL-SITE alert.

When the setting changes, you see a confirmation message.

Warning: You are not given any warning if you are overwriting a global setting that you already gave a default value. Use the show alert all command to see any set global settings.

Overriding global settings

You use [args] to override the global settings within an individual alert, named_action, or sub_action. For example, if you create a new alert, named globalsite_action and you want to override the toaddress global setting, you type:

alert add globalsite_action email toaddress=bob@yourcompany.com

date

date

date [MMDDhhmm[[CC]YY][.ss]]

The date command allows you to reset the date and time ( using a 24 hour clock) on your machine. The format for the date command is: [MMDDhhmm[[CC]YY][.ss]].

Setting the date and time

You set the date and time using the following system:

  • MM is the two-digit month number
  • DD is the two-digit date
  • hh is the two-digit hour (24 hour clock)
  • mm is the two-digit minute
  • CCYY (optional) is the four-digit year
  • .ss (optional) is for seconds (0 - 61)

    So to set the clock for October 10, 2001 at 4 p.m., you could type:

    date 101016002001

    or

    date 10101600.21

gs_identifier

gs_identifier <identifier>

show gs_identifier

The GLOBAL-SITE identifier is a unique, pre-assigned numeric identifier provided by your vendor that distinguishes one GLOBAL-SITE from all others.

A host name must already be set prior to running this command.

The gs_identifier command resets the GLOBAL-SITE identifier on the controller. The identifier can be any integer, but it does not accept letters or special characters.

To show the current GLOBAL-SITE identifier, type:

show gs_identifier

Warning: If you change the GLOBAL-SITE identifier on a controller, you must update its gs_identifier information on all the GLOBAL-SITE Controllers that use that controller as a distributor. This is done from the web-based user interface from the Distributor List screen.

ldap

show ldap | host | admin | status
ldap sethost <hostname>
ldap setpassword <password> <password>
ldap checkhost [<hostname> [<userdn> <password>]]
ldap checklogin
ldap installhost <LDAP admin dn> <LDAP admin pwd>
ldap enable
ldap disable
ldap start
ldap stop

This group of commands configures the LDAP server. The GLOBAL-SITE Controller uses the LDAP server for iControl and web user authentication purposes.

Running the LDAP server

To allow the LDAP server to start when you reboot the computer, type:

ldap enable

If you do not want the LDAP server to start when you reboot the computer, type:

ldap disable

To start or stop the LDAP server, type:

ldap start
ldap stop

Administering the LDAP server

The command ldap setpassword modifies the LDAP root password.

You can change the LDAP host used for authentication with the ldap sethost command.

Checking the host name for the LDAP server

The ldap checkhost command shows whether the host has an LDAP server available for authentication. You can use the fully qualified domain name or the IP address as the <hostname> variable.

To see if a login is valid on the LDAP server, you can add the <userdn> and <password> pair to the command. The <userdn> must be a distinguished name, for example, cn=Manager,dc=f5,dc=com. To find the userdn for the local LDAP server, type:

show ldap admin

Changing the IP address of the controller

If for some reason you need to change the IP address for the GLOBAL-SITE Controller, you need to run the following command after you make the change:

ldap installhost <AdminDN> <LDAP admin password>

Changing the LDAP server

If you change the LDAP server you use for authentication, you need to stop and restart the CORBA daemon using the service corba stop and service corba start commands. For information on the CORBA daemon, see service, on page 6-28 of this chapter. Changes to the LDAP server are any of the following:

  • remote host to local host
  • local host to remote host
  • remote host to a different remote host

To change from a remote LDAP server to a local LDAP server

If your controller currently points to a remote LDAP server and you need to set up a local LDAP server, use the following script. Note that when you type the new LDAP admin password, you are creating a new administrator password for the local LDAP server.

/usr/local/bin/setuplocalldap.sh <new LDAP admin password>

To change from a local LDAP server to a remote LDAP server

If your controller currently has an LDAP server, and you want to change to a remote server that is already set up, use the following script:

/usr/local/bin/useremoteldap.sh <hostname> <remote LDAP admin password>

To change from one remote LDAP server to a different remote LDAP server

If your controller currently points to one remote LDAP server and you want to change it to another remote LDAP server, use the following two commands:

ldap sethost <hostname>

ldap installhost <cn=manager,dc=f5,dc=com> <remote server's ldap admin pwd>

Checking status on the LDAP server

To see if the LDAP server is enabled and running, type:

show ldap status

To see what the host name is for the LDAP server, type:

show ldap host

license

license [check] <product>

Use license check to see if you are licensed for the product you purchased. Type:

license check

If you are properly licensed, the response reads: Authorized for GLOBAL-SITE. If you are not authorized, please contact support to get a valid license key.

netinet

show netinet [config | dns | domains | hostname | defaultrouter | interfaces]
netinet defaultrouter <router> | none
netinet dns <dns> | none
netinet domains <domains> | none
netinet ntp <ntp server> | none
netinet hostname <host name>
netinet hostsfile
netinet interface [add_sub | remove_sub | eth0 | eth1]
netinet route

The netinet command configures your network devices. You first configured these devices during the First-Time Boot utility. Use this command to make any changes to the configuration of those devices.

For all netinet commands except the netinet ntp command, you need to reboot for your changes to take effect. To reboot, type reboot from the ITCMconsole. For netinet ntp, you need to stop and restart the NTP daemon for your changes to take effect. At the ITCMconsole, type the following to stop and restart the NTP daemon:

service ntpd stop

service ntpd start

Configuring network devices

Table 6.2 lists the devices you can configure with the netinet command.

netinet commands

Command

Description

netinet defaultrouter

Set the default router for the system. Use netinet defaultrouter none to clear the current settings for the default router.

netinet dns

Set the DNS for the system. Use netinet dns none to clear the current settings for DNS.

netinet domains

Set the search domains for the system. Use netinet domains none to clear the current settings for the domains.

netinet ntp

Set the NTP server for the system. Use netinet ntp none to clear the current settings for the NTP.

netinet hostname

Set the host name for the system.

netinet hostsfile

With normal use of the controller, you should never need this command. If for some reason you change your host name manually (without using the netinet hostname command), use netinet hostsfile to synchronize software with the current host name.

netinet interface

Configure the network interface(s). See Configuring interfaces, on page 6-19 for more information on the netinet interface command.

netinet route

Use the netinet route command to add, delete, or move static routes. In some network environments you need additional network routes besides the default route. This is common when the GLOBAL-SITE Controller uses multiple network interfaces, or the physical placement of the controller is in a multi-homed network. To add static routes, use the following command:

netinet route add <INTERFACE> <IP NETWORK> <IP NETMASK> <GATEWAY>

This example instructs the controller to forward all packets with a destination IP address inside the 192.168.12.0 network to the router at 192.168.11.254.

netinet route add eth0 192.168.12.0 255.255.255.0 192.168.11.254

In order for the newly added network route to take effect, you must reboot the GLOBAL-SITE Controller.

Warning: Be aware that changing the host name on a GLOBAL-SITE Controller resets the host name in the GLOBAL-SITE database. If you use this controller in conjunction with other GLOBAL-SITE Controllers, you need to update these controllers with the new host name of the changed controller.

Configuring interfaces

You can change a variety values on the interface using the netinet interface <interface> command. Table 6.3 lists these values.

netinet interface subcommands

command

Description

netinet interface eth0 broadcast

Set the broadcast IP address for the system interface.

netinet interface eth0 down

When you use this command, the interface is shut down immediately, dropping all current connections. You are not given a confirmation when you press the Enter key.

Warning: Do not run this command from a remote interface.

netinet interface eth0 duplex

Configure the duplex mode for the interface. The command returns a choice of duplex modes. Choose the number that corresponds to the duplex mode for your interface.

netinet interface eth0 ip

Set or change the IP address for the system interface. To clear the IP address, use:

netinet interface eth0 ip none

netinet interface eth0 up

Activate the configured interface. You are not given a confirmation for this action.

NIC negotiation

NIC negotiation is the setting of the duplex mode for the network interface card (NIC). You set the duplex during the First-Time Boot utility, but if you change or add a NIC, you need to reset the duplex mode.

To set the duplex mode for an interface

  1. You need to choose which interface you want to configure. To display a list of available interfaces, from the ITCMconsole command line, type:

    netinet interface

  2. From the new prompt, type the name of interface you want to configure.
  3. From the new prompt, type duplex.
    The ITCMconsole displays a list of available duplex modes.
  4. From the list of available duplex modes, type the corresponding number for the mode you want to use.
    You get a confirmation of what mode you set.

Viewing your configuration

You can view your entire current configuration or the configuration of your network devices using the show netinet command. For example, to see, the entire configuration, type:

show netinet config

The display looks like Figure 6.4 .

Sample output for show netinet config

 hostname=machine.company.net    
defaultrouter=192.168.11.254
dns=192.50.100.1
search_domains=win.net
interface=eth0 ip=192.168.11.240 netmask=255.255.255.0
interface=eth1 ip=0.0.0.0 netmask=0.0.0.0

Changing the host name of the controller

You may need to change the host name of the controller, for instance if you move it from a test environment into production.

To change the host name of the controller

To change the host name for the GLOBAL-SITE Controller, type the following command:

netinet hostname <hostname>

ratelimit

show ratelimit [aggregate | classes | class | stats | status]
ratelimit aggregate [max | set| clear]
ratelimit custom [add | delete | modify | promote | demote]
ratelimit on
ratelimit off
ratelimit enable
ratelimit disable

The GLOBAL-SITE Controller regulates available Internet connection bandwidth with aggregate and custom rate limiting. If publication delivery degrades server performance, you can use the controller's rate limiting capability to slow down its output to particular servers and at particular times of day. This allows you to better manage available bandwidth and meet your traffic needs.

Warning: The GLOBAL-SITE Controller cannot limit the rate at which it receives data from clients and servers. It can only limit the rate at which it sends data to clients and servers.

Note: When both aggregate and custom rate limiting are in use at the same time, the custom rates take priority over the aggregate limit, although each individual custom class is limited to the aggregate limit.

Configuring aggregate rate limiting

To configure aggregate rate limiting, you need to know what type of network interface card (NIC) you have in your machine. If you opted to purchase the Gigabit NIC, that interface has a total capacity of 1000 Mbps. The standard NIC is 100 Mbps.

To set or modify the maximum possible bandwidth

Maximum bandwidth is set at installation time. If you are using rate limiting, maximum bandwidth must be modified if a new device is added or if the interface is connected to a hub that is slower than 100 Mbps. (If you are not using rate limiting, the setting for maximum possible bandwidth has no bearing on traffic flow.) The only valid values for maximum possible bandwidth are: 10, 100, and 1000. The command is:

ratelimit aggregate max <interface> <max value>

For example, to set the maximum bandwidth to 1000, on the eth0 interface, type:

ratelimit aggregate max eth0 1000

To add an aggregate rate limit to an interface

Use the ratelimit aggregate set command to add an aggregate rate limit to an interface. The command is:

ratelimit aggregate set <interface> <Mbps>

For example, to set a rate limit of 20 (on a 100 Mbps NIC), type:

ratelimit aggregate set eth0 20

To clear an aggregate rate limit

The clear command removes an aggregate rate limit from an interface. You only need to provide the interface name with the command, not the rate limit. The command is:

ratelimit aggregate clear <interface>

For example, to clear the rate limit from interface eth0, type:

ratelimit aggregate clear eth0

Configuring custom rate limiting

You use custom rate limiting to limit response data for protocols that use known ports, such as HTTP, when responding to clients. From the ITCMconsole, you can create or delete custom rate limit classes. These rate limit classes allow rate limiting based on specified characteristics of the outbound IP packets, such as source and destination IP addresses and ports.

To add a custom rate limit class

Custom rate limit classes have several variables which you can use to further limit traffic across the interface. If you choose not to use these variables to limit traffic rates, you opt out of using them. The command is:

ratelimit custom add <class name> <interface> <limit in Mbps> <non-optional variable(s)> [optional variables]

Configuring custom rate limiting involves three types of variables, required, non-optional (meaning you have to use at least one), and optional.

  1. From the ITCMconsole command prompt, type:

    ratelimit custom add

  2. At the Class name prompt, type a name for the class.
  3. At the Interface prompt, type which interface you would like this class to be on.
  4. Enter the limit in Mbps that you want to use.
  5. For the non-optional variables, you must enter one or more IP addresses or ports. At the appropriate prompt, type a destination or source IP address, and/or a destination or source port for this class. The default is any, but you cannot have any for all the non-optional values. You must enter at least one actual IP address or port.
  6. Choose the relative priority for this class. The default is 5. The system uses priority to give one class a priority over another class when sending packets. It does not resolve filtering conflicts (see To promote or demote a class, on page 6-25 for more information on class order). Filtering traffic into classes is done in the order the classes appear in the show ratelimit classes list.

    You can use priority as a quality of service tool in that you can give one class a higher priority than another, and that gives the customer with the higher priority more bandwidth than another customer.
  7. Type y or n to choose which optional variables you want to use. See Table 6.5 for the optional variables and their descriptions. If you do not want to use optional variables, type n for each of the options presented.
Optional variables for custom rate limit classes

Optional variable

Description

Is this class bounded [y]

If this class is bounded, meaning that it cannot borrow capacity from its parent class, choose the default [y].

Borrowing from a parent class means that if the overall bandwidth limit is not being exceeded, a class can use more than its limit to meet temporary demand. The parent class in this case is the whole device (as the controller does not allow sub-classes of traffic). Borrowing might adversely affect some other class in the short term, which is why you can prevent a class from borrowing (bound it).

If it is not bounded, type n.

Is this class isolated [n]

If this class is isolated, meaning that other classes cannot use any excess bandwidth from this class, choose the default [n].

Isolating a class prevents other classes from borrowing so much of the excess bandwidth that the short-term needs of this class may not be met.

If it is not isolated, type y.

Do you wish to add a time-based rate [n]

A time-based rate sets a different Mbps for a specified time frame that you choose. To allow a time-based rate, type y.

Starting time (HH:MM using 24 hour clock)[8:00]

This is the time you want the temporary rate limit to start. Type a start time using the 24 hour clock.

Ending time (HH:MM using 24 hour clock)[17:00]

This is the time you want the temporary rate limit to end. Type an end time using the 24 hour clock.

Temporary rate limit (Mbps)

Type the rate limit you want to use during the time you specified.

To modify a rate limit class

You can modify any of the rate limit variables using the following command:

ratelimit custom modify

The interactive mode asks you for: class name, the variable to modify, and then it displays the variable and asks for a new value. If you are unsure of the variable name or value, type:

show ratelimit class <class name>

You can use this command change the priority of a class.

ratelimit custom modify prior <number 1 - 8>

To promote or demote a class

You use the promote or demote commands to move a particular rate limit class up or down in the list of classes. Ranking the classes allows you to choose in what order traffic hits the filters, thereby controlling how the controller filters that traffic. This is important when a particular set of traffic may match multiple rules, such as an HTTP rule and a rule for traffic to a particular client. To see the order that the classes are in, type:

show ratelimit classes

If you decide you want to move a rate limit class so that it filters packets before another rate limit class, you use the following command:

ratelimit custom [promote | demote] <class name>

This command promotes (or demotes) a rate limit class by increments of one. If you want to move a class more than one spot up or down, you need to run this command again.

Viewing rate limit statistics

You use the show ratelimit command to view statistics for rate limits. You can view the statistics for aggregate rate limits by typing:

show ratelimit stats aggregate <interface>

You can view the statistics for a particular rate limit class by typing:

show ratelimit stats <class name>

Using the batch mode to create custom rate limits

If you choose to create custom rate limits in the batch mode (starting at the system prompt and starting each line with gsconfig) you need the short-hand names for the variables. See Table 6.6 for the shorthand variable name and its definition. Following is the usage of the commands for batch mode:

gsconfig ratelimit custom add <class> <interface> <limit in Mbsp> <non-optional variable(s)> <optional variables>

Shortcut variable syntax for custom rate limit classes

Shorthand variable

value

dest

destination IP address

src

source IP address

dport

destination port

sport

source port

priority

priority level (range of 1 through 8)

bounded

0 (not bounded) or 1 (bounded)

isolated

0 (not isolated) or 1 (isolated)

hours

HH:MM-HH:MM@rate

For example, to set a time-based rate limit for HTTP response traffic (port 8080), that is 100 Mbps by default, but 10 Mbps from 8:00 a.m. to 5:00 p.m., type:

gsconfig ratelimit custom add http_filter eth0 10 sport=8080 hours=8:00-17:00@100

reboot

reboot

The reboot command reboots the GLOBAL-SITE Controller immediately once you press the Enter key. You are not given any confirmation notice.

service

show <service name>
service alertd [enable | disable | start | stop]
service big3d [enable | disable | start | stop]
service corba [disable | dualmode | enable | ip | passphrase | start | stop]
service ITCMgswatch [enable | disable | start | stop]
service ntpd [enable | disable | start | stop]
service snmpd [enable | disable | start | stop | traps]
service sshd [enable | disable | start | stop]
service telnet [enable | disable]
service ftpd [enable | disable]

Use the service command to configure services on the GLOBAL-SITE Controller.

[enable | disable | start | stop]

You can enable and disable all services using the service enable | disable command. For FTP and Telnet, enable and disable also start and stop the service. You can also start and stop all other services with the service start | stop command.

  • start
    Start the service now. On reboot, the GLOBAL-SITE Controller restarts the service only if it is enabled.
  • stop
    Stop the service now. On reboot, the GLOBAL-SITE Controller restarts the service only if it is enabled.
  • enable
    The service does not start now (except for FTP and Telnet). On reboot, the GLOBAL-SITE Controller starts the service.
  • disable
    The service does not stop now (except for FTP and Telnet). On reboot, the GLOBAL-SITE Controller does not start the service.

    Table 6.7 lists the services that are configurable with the service command and what they are for.

Configurable services

Service

Description

alertd

The alert daemon watches for specified events and takes any appropriate actions associated with alerts when those events occur. If you stop alertd, no actions (email, exec, or traps) trigger for events configured in alert.conf.

big3d

The big3d daemon answers 3-DNS system queries. The 3-DNS uses big3d to collect information about the network path between the BIG-IP and the client requesting a connection. The daemon collects performance data, and returns the data to the requesting 3-DNS. The 3-DNS uses the path information for its own dynamic load balancing.

corba

The CORBA daemon provides the iControl portal service. See the section Configuring the CORBA service, on page 6-29 for more information.

ITCMgswatch

ITCMgswatch is a system event monitor. It detects events such as excessive CPU usage, excessive memory usage, and low configuration and data disk capacity. It uses thresholds and timeouts to determine when alerts will be sent for each of the items.

ntpd

ntpd is used to configure the NTP daemon. The NTPd automatically updates the system time from and NTP (Network Time Protocol) server.

snmpd

With this command, you configure the SNMPd and the SNMP trap community, destination, and port. See SNMP agent, on page 7-1 for more information on SNMP.

sshd

When running, the SSH daemon provides secure remote access to your controller.

telnet

Telnet allows non-secure access to your controller. You enable or disable Telnet with the service telnet command.

ftpd

When enabled ftpd permits FTP access to the controller.

Configuring the CORBA service

The CORBA daemon provides the iControl portal service on a GLOBAL-SITE Controller. It is enabled by default so that the GLOBAL-SITE Controller can be an application-aware appliance on the CDN. If you stop the CORBA daemon, other products or iControl client programs cannot communicate with the GLOBAL-SITE Controller. Table 6.8 lists the available service corba commands and their use.

CORBA commands

Command

Description

service corba disable

Use the service corba disable command so that the CORBA daemon does not restart on reboot. This command does not stop the daemon if it is currently running. Use service corba stop to stop the daemon.

service corba dualmode

The CORBA daemon can run in dual mode, which means that it allows iControl client programs to make connections on either a secure port (Secure Socket Layer [SSL]) or a non-secure port (Internet Inter-ORB Protocol [IIOP]). The command service corba dualmode [on | off] turns dual mode on or off. If turned off, the iControl client can only connect to the iControl service through the secure port channel.

service corba enable

Use the service corba enable command so that the CORBA daemon does restart on reboot. This command does not start the daemon if it is currently running. Use service corba start to start the daemon.

service corba ip

Set the IP address on which the CORBA daemon listens for client traffic with the service corba ip command. Multiple IP addresses are comma delimited.

service corba passphrase

Set the CORBA SSL certificate passphrase.

service corba start

Start the CORBA daemon.

service corba stop

Stop the CORBA daemon.

Displaying service status

Use the show command to see the status of the various services.

  • show alertd [config | status]
  • show big3d [config | status]
  • show corba [config | dualmode | ip | port | status]
  • show ftpd
  • show ITCMgswatch [config | status]
  • show ntpd [status | config | server]
  • show snmpd [config | status | trap]
  • show sshd [config | status]
  • show telnet

show

show ?

show <command>

The show command displays different kinds of information depending on what command it is paired with. You can see configuration information, status, and statistics. Using the show ? command lists the subcommands for the show command.

Using the show command

Use the show command to display pertinent information about a system in the GLOBAL-SITE Controller. The show command syntax is displayed in the syntax summary box at the start of each section of this chapter with four exceptions: acl, license, reboot, and stats.

The show command can also be paired with commands that do not appear as first level commands. For example, to configure FTPd you type service ftpd enable. However, to see if FTP is enabled, you type: show ftpd.

Viewing the software version

The show version command displays the version of the GLOBAL-SITE Controller you are running. It displays:

  • Product name and version number.
  • Build number
  • Crypto Edition, which indicates that the unit is encrypted
  • The machine ID number

timezone

show timezone

timezone config

timezone options

The timezone command lets you set the timezone for the controller.

Setting the time zone

If you do not know the specific name of a time zone that you want to set, use the timezone config command. This command steps you through setting the time zone and you set it by selecting a country and city (for example America, Los Angeles). To get a list of actual time zones, use the timezone options command, which displays a complete list of time zones.

To set the time zone using country and city

  1. At the ITCMconsole prompt, type timezone config.
    A display of countries with pre-assigned numbers appears.
  2. Type the assigned number by the country you want and press Enter.
    A display of cities with pre-assigned numbers appears.
  3. Type the assigned number by the city you want and press Enter.
  4. Type Y to confirm the time zone you selected, or type N if the time zone is not correct. Accepting the time zone here sets the new time zone for the controller. Rejecting the time zone (typing N) returns you to the ITCMconsole prompt.

To set the time zone using a time zone name

  1. At the ITCMconsole prompt, type timezone options.
    A list of all available named time zones appears.
  2. Find the time zone you want to use and note it so that you can type it exactly as it appears.
  3. Once you find the time zone you want to use, you can either use
    Ctrl + X to escape to the ITCMconsole command prompt, or you can continue paging through the list until you come to the prompt.
  4. At the ITCMconsole prompt, type, timezone config <timezone>. For example to set the time zone for Los Angeles, California, you type:

    timezone config US/Pacific

user

show user [root | support | logadmin | gsite]
user root [password]
user support [enable | disable | password]
user logadmin [enable | disable | password]
user gsite [enable | disable | password]

The user command lets you set passwords for the system accounts: root, support, logadmin, and gsite. You can also enable or disable any of those accounts except for root. The root account is always enabled. System user accounts are not the same as webuser accounts (see webuser, on page 6-36 ). System user accounts have access to the internal configurations of the controller and the command line.

Configuring user accounts

Warning: If you use regular command syntax to specify a password, the GLOBAL-SITE Controller command line displays the password on-screen, in clear text, and logs the password in the operating system history file. If you interactively specify a password, it does not appear on-screen or in the history file.

The root account is for managing command line access.

The support account manages technical support access.

The logadmin account configures the FTP log file access user account.

The gsite user is the system user on the GLOBAL-SITE Controller.

webserver

show webserver [allow | config | port | status]
webserver allow <IP address(es)> | all
webserver cert (same as FTBU)
webserver disable
webserver enable
webserver gencert
webserver port
webserver start
webserver stop

The webserver command configures the Apache webserver for the web-based user interface.

Configuring the webserver

You can configure your webserver using the webserver commands on Table 6.9, on page 6-35 .

The webserver commands

command

description

webserver allow

You can limit who has access to the web-based user interface by only allowing certain IP addresses access. Use the webserver allow <ip address(es)> | all command to restrict access to the user interface. You can type a space delimited string of IP addresses or domains, an allowable subnet (for example, 192.168.0.0), or all to allow all users access. For example:

webuser allow 192.168.0.0

webserver cert

Generate an authentication certificate using the webserver cert command. This is the same certificate that you generate during the First-Time Boot utility and it calls for the same information: port, country code, state, locality, organization, name, email address.

webserver cert <port> <country code> <state> <locality> <organization> <name> <email>

<port>
The port for the management web server. You can type, none to not use port in the certificate.

<country code>
The two-letter country code

<state>
Your state or province

<locality>
Your locality or city

<organization>
Your organization or department name

<name>
The network common name for the web server

<email>
The email address of the web server administrator. This must be a valid email address. You can choose to type none.

webserver disable

This command disables the webserver, which means that on reboot, the webserver does not automatically start. Disabling the webserver does not stop it.

webserver enable

This command enables the webserver, which means that on reboot, the webserver does automatically start. Enabling the webserver does not start it.

webserver gencert

The webserver gencert command re-generates an authentication certificate using the authentication information that was specified either using the webserver cert command or through the First-Time Boot utility.

webserver port

This command configures the webserver port. The default is 443. If you change the webserver port, you need to use the new port number when you access the web-based configuration utility.

webserver start

webserver start immediately starts the webserver.

webserver stop

webserver stop immediately stops the webserver.

webuser

show webusers
webuser add icontrol <username> <password> <password>
webuser delete icontrol <username>
webuser migrate
webuser icontrol [enable | disable | admin | regular]

The webuser command creates iControl interface accounts. (Please see iControl documentation for more information on iControl and the iControl SDK.) To create web user accounts for the GLOBAL-SITE Controller, please use the Add User page on the web-based user interface. See the online help for that page for more information.

Configuring accounts

You create a user account using the webuser command in that you create one user/password pair for the Apache web server (to access the GLOBAL-SITE Controller) and for the iControl interface.

To add a user with access to the iControl interface

  1. From the ITCMconsole, type:

    webuser add icontrol

  2. At the Username prompt, type the user name you want to assign.
  3. At the Password prompt, type the password for the user account. Passwords must be between 6 and 15 characters long. The interactive mode masks the password on the screen.
  4. Confirm the password at the Confirm Password prompt.
    When you complete this process you receive confirmation.

Migrating htpasswd contents to the LDAP server

Warning: The webuser migrate command runs automatically when you upgrade from an earlier version of the GLOBAL-SITE Controller. You should never need to run it again.

The webuser migrate command migrates the contents of .htpasswd to the LDAP server. You need to use this command if you upgraded from an earlier version of the GLOBAL-SITE Controller that did not use LDAP authentication.

Configuring LDAP users

Use the webuser icontrol command to configure LDAP users. Once you create a user, you can enable or disable the user as an LDAP user, give the user LDAP administrative privileges, or return a user to regular LDAP privileges. Following is a procedure for giving LDAP administrative privileges, but you can use it for any of the webuser icontrol commands.

To give a user administrative privileges

Prior to giving a user account administrative privileges, the user account must already exist in the database.

  1. From the ITCMconsole, type:

    webuser icontrol admin

  2. At the User to give LDAP Administrator privileges prompt, type the user name.
    The system confirms that the user now has administrative privileges.

wrapper

show wrapper [in.telenetd | big3d | slapd | sshd]

wrapper allow <service> <string>

wrapper allow_append <service> <string>

The wrapper command sets the permissions for access to services that are listed in the etc/hosts.allow file. By default those services are: in.telenetd, big3d, slapd, and sshd.

Setting permissions

You can set access permission for in.telenetd, big3d, slapd, and sshd with the wrapper command. Once you have set permissions, if you use the wrapper allow command, you overwrite existing permissions. Instead, use wrapper allow_append to append new permissions to the original string in the etc/hosts.allow file.

To set access permission

To set permission for specific IP addresses, type:

wrapper allow slapd 192.168.0.0

To set permission for all users, type:

wrapper allow slapd all