Cisco Documentation
http://www.cisco.com/cisco/web/psa/default.html

Cisco IP Communicator User Guide, Version 7.0, June 2009
http://www.cisco.com/en/US/docs/voice_ip_comm/cipc/7_0/localization/ipcugfra.pdf

Command Reference, Cisco ACE Application Control Engine (for the Cisco ACE Application Control Engine Module and Cisco ACE 4700 Series Application Control Engine Appliance), Software Version A5(1.0), September 201
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/ACE_cr.pdf

Cisco Aironet Antennas and Accessories
http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008008883b.pdf

Cisco SAFE Reference Guide (Cisco Validated Design), Revised: July 8, 2010, OL-19523-0, 17 MB
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.pdf

Cisco IOS Quick Reference Guide for IBN
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_c27-574041.pdf

Medianet Reference Guide, Last Updated: October 26, 2010, 6 MB
http://www.cisco.com/en/US/docs/solutions/Enterprise/Video/Medianet_Ref_Gd/medianet_DG.pdf

Command Line Interface Reference Guide for Cisco Unified Communications Solutions, Release 7.1(2)
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cli_ref/7_1_2/cli_ref_712.pdf

Common Phone Tasks
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7962g_7961g_7961g-ge_7942g_7941g_7941g-ge/8_5/english/quick_reference/7962qrcrd85.pdf

Cisco IOS XR System Error Message Reference Guide, Release 3.8.2, November 2009, 51 MB
http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.8.2/error/messages/em382sems.pdf
Americas Headquarters
Cisco Systems
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco IP Communicator User Guide
Version 7.0
June 2009
Text Part Number: OL-19177-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word "partner" does not imply a partnership relationship between Cisco and any other company. (0809R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco IP Communicator User Guide, Version 7.0
© 2009 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 Getting Started with Cisco IP Communicator 1-1
Cisco Product Security Overview 1-2
Getting Started Checklist 1-2
Installing Audio Devices Before Initial Launch 1-3
Installing Cisco IP Communicator on Your Computer 1-4
Launching Cisco IP Communicator 1-5
Using the Audio Tuning Wizard 1-6
Configuring and Registering Cisco IP Communicator 1-9
Testing Cisco IP Communicator 1-10

CHAPTER 2 Cisco IP Communicator Features and Interface Overview 2-1
Cisco IP Communicator Features 2-1
About the Cisco IP Communicator Interface 2-4
Buttons and Other Components 2-4
Phone Screen Features 2-8
Navigating the Interface 2-10
Using Keyboard Shortcuts 2-10
Using the Menu 2-11
Using the Window Control Buttons 2-13
Using the Incoming Call Notification 2-14
Choosing Which Items Appear on the Phone Screen 2-14
Using Feature Menus 2-15
Entering and Editing Text 2-16
Going On Hook and Off Hook 2-16
Call and Line States and Icons 2-17
Accessing Online Help 2-19
Feature Operation and Availability 2-20

CHAPTER 3 Handling Calls with Cisco IP Communicator 3-1
Handling Basic Calls 3-1
Placing a Call 3-3
Placing a Video Call 3-8
Answering a Call 3-9
Ending a Call 3-11
Using Hold and Resume 3-12
Using Mute 3-13
Transferring a Connected Call 3-14
Selecting Calls 3-15
Switching Between Calls 3-15
Transferring an In-Progress Call to Another Phone 3-17
Forwarding Your Calls to Another Number 3-17
Using Do Not Disturb 3-19
Making Conference Calls 3-21
Using Conference 3-21
Using Join (SCCP Phones Only) 3-22
Using cBarge 3-23
Using Meet-Me 3-23
Viewing or Removing Conference Participants 3-24
Handling Advanced Call Features 3-25
Using Cisco Extension Mobility 3-26
Handling Business Calls with a Single Phone Number 3-27
Storing and Retrieving Parked Calls 3-29
Logging Out of Hunt Groups 3-29
Placing and Receiving Secure Calls 3-30
Tracing Suspicious Calls 3-31
Prioritizing Critical Calls 3-32
Redirecting an Incoming Call to Cisco IP Communicator 3-33
Calling Back a Busy Line When It Becomes Available 3-34
Using Busy Lamp Field Indicators to Determine a Line State 3-34
Using Shared Lines 3-35
Placing or Receiving Intercom Calls 3-38

CHAPTER 4 Customizing Settings on Cisco IP Communicator 4-1
Accessing Settings 4-1
Adjusting the Volume for a Call 4-2
Customizing Rings and Message Indicators 4-3
Customizing the Phone Screen 4-4
Viewing and Customizing Preferences 4-5
User Settings 4-5
Network Settings 4-7
Audio Settings 4-8
Assigning Audio Modes 4-9
Network Audio Settings 4-13
Advanced Audio Settings 4-13
Directory Settings 4-15

CHAPTER 5 Using Headsets and Other Audio Devices with Cisco IP Communicator 5-1
Obtaining Audio Devices 5-1
Using a Headset 5-2
Using Your Computer as a Speakerphone 5-4
Using a USB Handset 5-5
Removing and Reinstalling Audio Devices 5-6

CHAPTER 6 Using Voice Messaging, Call Logs, and Directories on Cisco IP Communicator 6-1
Accessing Voice Messages 6-1
Using Call Logs 6-3
Dialing from a Directory 6-5
Using the Corporate Directory 6-6
Using the Personal Directory 6-7
Using Quick Search 6-10
Entering Password Information for Quick Search 6-11

CHAPTER 7 Customizing Cisco IP Communicator with the Cisco Unified CM User Options 7-1
Logging In to the Cisco Unified CM User Options Web Pages 7-2
Using Your Personal Address Book 7-3
Configuring Speed Dials 7-4
Configuring Fast Dials 7-5
Configuring Phone Services 7-7
Controlling User Settings 7-9
Controlling Line Settings 7-10
Configuring Phones and Access Lists for Mobile Connect 7-12
Using Cisco WebDialer 7-15

CHAPTER 8 Troubleshooting Cisco IP Communicator 8-1
General Problems 8-1
Voice Quality Problems 8-5
Using the Quality Reporting Tool to Troubleshoot Performance Problems 8-10
Enabling Detailed Logs 8-11
Capturing Information About Problems 8-11
CHAPTER 1
Getting Started with Cisco IP Communicator
Cisco IP Communicator is a desktop application that gives your computer all the functions of a Cisco Unified IP Phone, letting you place, receive, and otherwise handle calls. If you install Cisco IP Communicator on a laptop, you can use it (together with all your phone settings and services) wherever you are, as long as you have a connection to your corporate network. While on a business trip, for example, Cisco IP Communicator lets you receive calls or check your voice messages while you are online. If you work from home, co-workers can reach you by dialing your work number.

Cisco IP Communicator works with Cisco Unified Video Advantage, another desktop application, to enhance your communications with video. For example, when you place a call through Cisco IP Communicator, any available video is displayed automatically through Cisco Unified Video Advantage.

• Cisco Product Security Overview, page 1-2
• Getting Started Checklist, page 1-2
• Installing Audio Devices Before Initial Launch, page 1-3
• Installing Cisco IP Communicator on Your Computer, page 1-4
• Launching Cisco IP Communicator, page 1-5
• Using the Audio Tuning Wizard, page 1-6
• Configuring and Registering Cisco IP Communicator, page 1-9
• Testing Cisco IP Communicator, page 1-10
Cisco Product Security Overview
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at http://www.cisco.com/wwl/export/crypto/tool/stqrg.html. If you require further assistance, contact us by sending e-mail to export@cisco.com.
Getting Started Checklist
Use this checklist to set up Cisco IP Communicator on your desktop so that you can place calls. Each quick-start task is followed by where to find more information.

1. Install the sound cards or USB audio devices you want to use, including a USB handset or headset. See Installing Audio Devices Before Initial Launch, page 1-3.
2. Install the Cisco IP Communicator application. See Installing Cisco IP Communicator on Your Computer, page 1-4.
3. Launch Cisco IP Communicator. See Launching Cisco IP Communicator, page 1-5.
4. Use the Audio Tuning Wizard to select audio modes and tune audio devices. See Using the Audio Tuning Wizard, page 1-6, and Assigning Audio Modes, page 4-9.
5. Complete the network configuration or registration steps specified by your system administrator. See Configuring and Registering Cisco IP Communicator, page 1-9.
6. Place test calls. See Testing Cisco IP Communicator, page 1-10.
Installing Audio Devices Before Initial Launch
Before you install and launch Cisco IP Communicator for the first time, you must install and configure all audio devices that require drivers (sound cards, USB handsets, or USB headsets). For the best audio experience, we recommend a certified USB handset or headset.

You can use several kinds of audio device with Cisco IP Communicator, as described below. For a list of audio device brands that you can use with Cisco IP Communicator, ask your system administrator.

USB devices: a USB handset or a USB headset.
Description: USB devices require a driver and have rectangular plugs.
Notes: Follow the device manufacturer's instructions to install USB devices. If prompted, complete the Microsoft Windows Found New Hardware wizard.

External analog devices: an analog headset, or external speakers or microphones.
Description: Analog audio devices do not require software. They work as extensions of the computer's sound card.
Notes: Plug analog devices into the computer's audio jacks. Cisco IP Communicator recognizes analog devices as extensions of the sound card; to view or change the settings of an analog device, select the sound card.

Internal audio devices: a built-in microphone or built-in speakers.
Description: These audio devices are internal components of the computer and work with its sound card.
Notes: Internal audio devices can always be selected or used.
Note If you install or insert an audio device that requires a device driver (a USB handset, a USB headset, or a sound card) after launching Cisco IP Communicator, the application will not recognize the device until you restart Cisco IP Communicator. The Audio Tuning Wizard then launches automatically so that you can tune the device.
Related Topics
• Installing Cisco IP Communicator on Your Computer, page 1-4
• Using a Headset, page 5-2
• Removing and Reinstalling Audio Devices, page 5-6
Installing Cisco IP Communicator on Your Computer
Before You Begin
• If you are using a laptop, make sure that you are not connected to a docking station when you launch Cisco IP Communicator for the first time after installation. The docking station can interfere with Cisco IP Communicator's ability to locate the computer's network adapter.
• If Cisco Unified Personal Communicator is running, exit it before starting Cisco IP Communicator.
• If you install Cisco IP Communicator on a computer running Microsoft Vista, the security message "Windows can't verify the publisher of this driver software" may appear. Click "Install this driver software anyway" to continue the installation. This message means that Windows could not validate the driver's signature, so click through only for an installer that came from your system administrator.
Procedure
Step 1 Double-click the executable file (CiscoIPcommunicatorSetup.exe) to open it, or click the installation link that your system administrator provided.
Step 2 Click Next to launch the InstallShield wizard.
Step 3 Read the license agreement carefully, then click I Accept and Next.
Step 4 Select the application's default destination folder, or browse to choose another one.
Step 5 Click Install in the Ready to Install window. Installation can take several minutes.
Step 6 Click Launch the Program, then Finish, to launch Cisco IP Communicator. In some cases you will be prompted to restart the computer at this point and the Launch the Program check box will not appear.
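Step 1 runs an executable obtained from the administrator, and the Before You Begin notes tell Vista users to click through a prompt that means Windows could not validate a driver's signature. Before doing either, a practitioner will want to confirm that the installer is the file the administrator actually published. The following PowerShell script is an added example, not part of this guide or of Cisco's software. It assumes that the administrator distributes a SHA-256 of the installer out of band, that a correctly signed installer carries a signer subject containing "Cisco", and that the folder chosen in Step 4 can be scanned afterwards; the file paths in the usage lines are placeholders.

```powershell
# Added example (not from the Cisco IP Communicator guide): check an installer before
# running it, and list binaries that Windows cannot validate after installation.

function Get-Sha256Hex {
    # Hex SHA-256 of a file, using .NET directly so it works on older PowerShell versions.
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $hash = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLowerInvariant()
}

function Test-InstallerTrust {
    # Returns an object with Trusted = $true only when the Authenticode signature is valid,
    # the signer matches the expected publisher, and (if supplied) the SHA-256 matches.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ExpectedSha256,                   # value published by your administrator (assumed)
        [string]$ExpectedSignerPattern = 'Cisco'   # assumption: substring of the signer subject
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Signer = ''; Status = 'n/a'; Trusted = $false; Reason = 'file not found' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $reasons = @()
    if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
    elseif ($signer -notmatch $ExpectedSignerPattern) { $reasons += "unexpected signer: $signer" }
    if ($ExpectedSha256) {
        $actual = Get-Sha256Hex -Path $Path
        if ($actual -ne $ExpectedSha256.ToLowerInvariant()) { $reasons += "SHA-256 mismatch: $actual" }
    }
    [pscustomobject]@{
        Path    = $Path
        Signer  = $signer
        Status  = $sig.Status
        Trusted = ($reasons.Count -eq 0)
        Reason  = ($reasons -join '; ')
    }
}

function Get-UnsignedBinaries {
    # After installation: every .exe/.dll/.sys under the install folder whose signature
    # is not Valid. This is what the Vista "can't verify the publisher" prompt refers to.
    param([Parameter(Mandatory = $true)][string]$Folder)
    Get-ChildItem -Path $Folder -Recurse -Include *.exe, *.dll, *.sys |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status
}

# Usage (placeholder paths; replace the hash with the value your administrator published):
Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\CiscoIPcommunicatorSetup.exe" -ExpectedSha256 'replace-with-published-hash'
# Get-UnsignedBinaries -Folder 'C:\Path\Chosen\In\Step4'
```

A Trusted value of $false with a "SHA-256 mismatch" reason means the file differs from what the administrator published and should not be run regardless of what the signature says; a valid signature from an unexpected signer is the case the pattern check catches.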
Related Topics
• Launching Cisco IP Communicator, page 1-5
Launching Cisco IP Communicator
Note If you are using a laptop, make sure that you are not connected to a docking station the first time you launch Cisco IP Communicator after installation.
If Cisco Unified Personal Communicator is running, exit it before starting Cisco IP Communicator.
If you selected the Launch the Program check box in the final installation step, Cisco IP Communicator launches automatically. To launch the program manually, choose Start > Programs > Cisco IP Communicator, or double-click the Cisco IP Communicator desktop shortcut.
The first time you launch Cisco IP Communicator:
• The security message "Windows can't verify the publisher of this driver software" may appear if you are installing Cisco IP Communicator on a computer running Microsoft Vista. Click "Install this driver software anyway" to continue the installation.
• The Audio Tuning Wizard opens. Your audio device must be available for tuning. On subsequent launches, you may be prompted to use it to restore previous volume settings.
• LocaleDownloader prompts may appear. As a rule, accept these prompts as soon as possible so that you always have the latest version of the product on your computer. However, if you are using Cisco IP Communicator over a remote connection, you may prefer to postpone LocaleDownloader until you are connected locally; if you work from home, for example, you can wait until you are back in the office. LocaleDownloader sessions can take longer over a remote connection.
Related Topics
• Using the Audio Tuning Wizard, page 1-6
Using the Audio Tuning Wizard
The Audio Tuning Wizard guides you through selecting and tuning installed audio devices.
• Selecting an audio device means associating it with one or more audio modes and/or with the ringer.
• Tuning means testing and, if necessary, adjusting the speaker and microphone volume for each selected device.
The Audio Tuning Wizard appears automatically the first time you launch Cisco IP Communicator after installation. On subsequent launches you can open it manually from the menu. The following table provides more information about the Audio Tuning Wizard and other audio setting options.
Note Before using the Audio Tuning Wizard to tune an audio device that has its own volume control, such as a headset with volume controls on the cord, turn the device's volume up to maximum.

If you have just installed Cisco IP Communicator and are using the Audio Tuning Wizard for the first time
Do this: Tune all audio devices when the Audio Tuning Wizard appears. The Audio Tuning Wizard lets you select audio devices for audio modes, or use the default Windows audio device.
Notes: Tuning a device and changing the volume setting for a call are separate operations. It is best to tune each device only once and to retune it only if you experience voice quality problems. For more information, see Assigning Audio Modes, page 4-9, and Selecting an Audio Mode, page 4-9.

If the Check Audio Settings window appears on a launch after installation
Do this: Click one of these buttons:
• Revert: restore the settings previously associated with this audio device.
• Tune: tune this device again.
• Skip: keep the changed settings (to keep the sound card muted, for example).
Notes: The Check Audio Settings window appears on subsequent launches if you have changed (or muted) the volume of a device since it was last tuned (for example, if you muted the computer's sound card or adjusted the volume controls on a USB headset or handset).

If you want to change the volume during a call
Do this: Click the Volume button on Cisco IP Communicator. Click Save to save your settings.
Notes: This is the best method for changing the volume settings for a given call. See Adjusting the Volume for a Call, page 4-2.

If you want to retune an audio device to resolve voice quality problems
Do this: Open the Audio Tuning Wizard (right-click > Audio Tuning Wizard).
Notes: See Voice Quality Problems, page 8-5.

If you want to change your audio mode selections without retuning the audio devices
Do this: Right-click > Preferences > Audio tab.
Notes: See Assigning Audio Modes, page 4-9.

Related Topics
• Configuring and Registering Cisco IP Communicator, page 1-9
Configuring and Registering Cisco IP Communicator
After you have installed the Cisco IP Communicator application, run the Audio Tuning Wizard, and seen the Cisco IP Communicator interface on your desktop, you may need to complete other configuration and registration tasks before you can place calls.

Note The following tasks vary by company and by phone system. Your system administrator will give you instructions. Perform these tasks only if you have been asked to.
Task: Choosing a device name
Notes: Cisco IP Communicator uses the network adapter or the device name to identify itself to the network. In either case, your system administrator will tell you which adapter to choose, or which device name to enter:
• Select the network adapter specified by your system administrator in Cisco IP Communicator (right-click > Preferences > Network tab). In general, the selected adapter is the one that provides permanent connectivity, or the one that is always enabled even when it is not plugged in. Avoid wireless adapters. The correct network adapter must be selected for Cisco IP Communicator to work properly.
Note This setting is used for identification on the network, not for audio transmission. Once set, you will not need to change it unless you permanently remove or disable the selected network adapter. In that case, contact your system administrator before selecting another adapter.
• Enter the device name that your system administrator gave you in Cisco IP Communicator (right-click > Preferences > Network tab > Use this Device Name).

Task: Finding a device name
Notes: If your system administrator asks you for the device name of your network adapter, you can find it in Cisco IP Communicator (right-click > Preferences > Network tab > Device Name section).

Task: Specifying TFTP server addresses
Notes: On the advice of your system administrator, enter the TFTP server addresses in Cisco IP Communicator (right-click > Preferences > Network tab > Use these TFTP servers).

Task: Registering with TAPS
Notes: After installing and starting Cisco IP Communicator, and at the direction of your system administrator, auto-register Cisco IP Communicator using TAPS (Tool for Auto-Registered Phones Support). Your system administrator will give you the number to dial in Cisco IP Communicator to register with TAPS. You may need to enter your entire extension, including the area code. Follow the voice prompts. When Cisco IP Communicator displays a confirmation message, you can end the call. Cisco IP Communicator will restart.

Related Topics
• Testing Cisco IP Communicator, page 1-10

Testing Cisco IP Communicator
Before testing Cisco IP Communicator, verify that your extension number appears on the screen and that you hear a dial tone when you lift the handset.

Note If your extension number does not appear or you do not hear a dial tone, see General Problems, page 8-1.
Make a few test calls and ask the people you call whether they can hear you clearly. The following table lists actions you may need to take during test calls.

To adjust the volume: Adjust the volume of the audio mode in Cisco IP Communicator. Click the Volume button or press the Page Up/Page Down keys on the keyboard.

To use a remote connection: If you are using Cisco IP Communicator over a remote connection (for example, over a VPN connection from home or from a hotel), enable the Optimize for Low Bandwidth option (right-click > Preferences > Audio tab). With this option enabled, call someone and ask whether they can hear you clearly.

Related Topics
• Cisco IP Communicator Features, page 2-1
• Adjusting the Volume for a Call, page 4-2
• Audio Settings, page 4-8
• Voice Quality Problems, page 8-5
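The device name and TFTP server entries in the configuration table above are what a packet capture of registration will show: the softphone identifies itself to the network by device name and fetches its configuration by that name from the TFTP server. TFTP carries no authentication, which is why the addresses must come from the administrator and not from any prompt or pop-up. The following PowerShell script is an added example, not part of this guide or of Cisco's software. It assumes, as is the case for Cisco Unified IP Phones, that the automatically derived device name is "SEP" followed by the 12 hex digits of the selected adapter's MAC address and that the configuration file requested is <DeviceName>.cnf.xml (if your administrator gave you an explicit name under Use this Device Name, substitute that name); the MAC address and TFTP addresses in the sample call are constructed for illustration.

```powershell
# Added example (not from the Cisco IP Communicator guide): pre-registration checks on the
# values entered under Preferences > Network, and the TFTP read request they produce.
# Assumptions (not stated on this page): device name = "SEP" + MAC hex digits,
# configuration file = <DeviceName>.cnf.xml, fetched over TFTP (RFC 1350, UDP port 69).

function Get-CipcDeviceName {
    # Strip ":" or "-" separators and upper-case the 12 hex digits, then prefix "SEP".
    param([Parameter(Mandatory = $true)][string]$MacAddress)
    $hex = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 12) { throw "Not a 48-bit MAC address: $MacAddress" }
    return "SEP$hex"
}

function Test-TftpServerAddress {
    # Flags entries that cannot be a reachable TFTP server: non-IP strings, loopback,
    # link-local (APIPA, typical of an adapter that never got a DHCP lease), multicast/reserved.
    param([Parameter(Mandatory = $true)][string]$Address)
    $ip = [System.Net.IPAddress]::None
    $reasons = @()
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) {
        $reasons += 'not an IP address'
    } elseif ($ip.AddressFamily -eq 'InterNetwork') {
        $b = $ip.GetAddressBytes()
        if ($b[0] -eq 127) { $reasons += 'loopback' }
        if ($b[0] -eq 169 -and $b[1] -eq 254) { $reasons += 'link-local (APIPA)' }
        if ($b[0] -ge 224) { $reasons += 'multicast/reserved' }
    }
    [pscustomobject]@{ Address = $Address; Usable = ($reasons.Count -eq 0); Reason = ($reasons -join ', ') }
}

function New-TftpReadRequest {
    # RFC 1350 RRQ: opcode 1 | filename | NUL | "octet" | NUL. This is the first packet a
    # capture shows when the softphone asks the TFTP server for its configuration file.
    param([Parameter(Mandatory = $true)][string]$FileName)
    $ascii = [System.Text.Encoding]::ASCII
    $bytes = @(0, 1) + $ascii.GetBytes($FileName) + @(0) + $ascii.GetBytes('octet') + @(0)
    return ,[byte[]]$bytes
}

function Invoke-RegistrationPreflight {
    param(
        [Parameter(Mandatory = $true)][string]$MacAddress,
        [Parameter(Mandatory = $true)][string[]]$TftpServers,
        [switch]$AdapterIsWireless
    )
    $name = Get-CipcDeviceName -MacAddress $MacAddress
    $warnings = @()
    if ($AdapterIsWireless) { $warnings += 'selected adapter is wireless; the guide says to avoid wireless adapters' }
    $servers = @($TftpServers | ForEach-Object { Test-TftpServerAddress -Address $_ })
    foreach ($s in ($servers | Where-Object { -not $_.Usable })) {
        $warnings += "TFTP server $($s.Address): $($s.Reason)"
    }
    $rrq = New-TftpReadRequest -FileName "$name.cnf.xml"
    [pscustomobject]@{
        DeviceName     = $name
        ConfigFile     = "$name.cnf.xml"
        TftpServers    = $servers
        TftpRequestHex = [System.BitConverter]::ToString($rrq)
        Warnings       = $warnings
    }
}

# To find the MAC of the adapter you selected under Preferences > Network:
#   Get-WmiObject Win32_NetworkAdapter -Filter "PhysicalAdapter=TRUE" | Select-Object Name, MACAddress
# Constructed sample input: a made-up MAC and two TFTP addresses, one of them unusable.
Invoke-RegistrationPreflight -MacAddress '00-1A-2B-3C-4D-5E' -TftpServers @('10.0.0.5', '169.254.1.1') -AdapterIsWireless |
    Format-List
```

For the sample input the script reports DeviceName SEP001A2B3C4D5E, ConfigFile SEP001A2B3C4D5E.cnf.xml, a warning for the link-local address and one for the wireless adapter. Comparing DeviceName with the name shown under Preferences > Network > Device Name section, and the request bytes with what appears on the wire, is a quick way to confirm that the adapter the administrator specified is the one actually in use.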
CHAPTER 2
Cisco IP Communicator Features and Interface Overview
• Cisco IP Communicator Features, page 2-1
• About the Cisco IP Communicator Interface, page 2-4
• Navigating the Interface, page 2-10
• Accessing Online Help, page 2-19
Cisco IP Communicator Features
Cisco IP Communicator works much like a traditional phone: it lets you place and receive phone calls, put calls on hold, use speed dial, transfer calls, and so on. Cisco IP Communicator also supports special telephony features (such as call park and Meet-Me conferences) that provide additional, customized call-handling capabilities.

How Cisco IP Communicator operates, and which features are available to you, varies from system to system. The available features can depend on the call-processing agent used by your company and on how your company's support team has configured your phone system. For information about how features operate or whether they are available, contact your support team or your system administrator.
Vous pouvez accéder à de nombreuses fonctionnalité en appuyant sur une touche
de fonction ou sur un bouton de ligne. Voir le Tableau 2-1 pour prendre
connaissance des fonctionnalités et des touches de fonction. Vous pouvez
configurer certaines fonctionnalités, mais votre administrateur système contrôle
la plupart d'entre elles.
In addition to call-handling features, Cisco IP Communicator supports the following:
• The Audio Tuning Wizard
• Dialing from directories with the Quick Search feature
• Quick access to your Cisco Unified CM User Options web pages and to your phone services
• A complete online help system
• Changing the appearance (skin) of Cisco IP Communicator
• Drag-and-drop dialing
• Cut-and-paste dialing
• Incoming call notification pop-up messages
• Alphanumeric dialing
• Keyboard shortcuts
• Video interoperability with Cisco Unified Video Advantage version 2.0

Note: When Cisco IP Communicator uses the SIP call control protocol, it does not support video with Cisco Unified Video Advantage. Your system administrator will tell you whether your deployment supports video.

Table 2-1 Features and softkeys (softkey labels are shown as they appear in this localized version of the interface)

Feature                                    Softkey
Call Back                                  Rappel
Call Forward                               RenvTt
Call Park                                  Parquer
Call Pickup                                Intrcpt
Conference                                 Conf.
Conference list                            ListConf
Do Not Disturb                             NPD
End a call                                 FinApp.
Group Call Pickup                          GrpIntr
Hold                                       Attente
Malicious Call Identification              IDAM
Meet-Me conferences                        MeetMe
Mobility                                   Mobilité
New call                                   NvAppel
Other Group Pickup                         AGrpIntr
Quality Reporting Tool                     QRT
Redial                                     Bis
Remove last conference participant         SupDerA
Transfer                                   Trnsfer

Related topics
• About the Cisco IP Communicator interface, page 2-4
About the Cisco IP Communicator Interface
Use the mouse to click buttons and menu items, and the computer keyboard to enter letters and numbers and to use keyboard shortcuts. Cisco IP Communicator offers two desktop layouts, called skins.
• Buttons and other components, page 2-4
• Phone screen features, page 2-8

Buttons and Other Components
Table 2-2 describes the buttons and other components common to both skins.

Figure 2-1 Cisco IP Communicator in compact mode (image not reproduced; callouts 1 to 16 refer to the items in Table 2-2)

Figure 2-2 Cisco IP Communicator in default mode (image not reproduced; callouts 1 to 17 refer to the items in Table 2-2)

Table 2-2 Buttons and other components
1 Phone screen
  Displays call status and feature menus, and lets you activate menu items. See Phone screen features, page 2-8.
2 Window control buttons
  Display the menu, hide Cisco IP Communicator, switch from one skin to the other, or exit the application. See Feature operation and availability, page 2-20.
3 Programmable buttons
  Depending on your phone configuration, the programmable buttons give access to:
  • Phone lines and intercom lines (line buttons)
  • Speed-dial numbers (speed-dial buttons, including the Busy Lamp Field (BLF) speed-dial feature)
  • Web services (for example, the Personal Address Book button)
  • Call features (for example, the Privacy, Hold or Transfer button)
  The buttons light up, and their color indicates the call state:
  • Steady green: active call or two-way intercom call
  • Flashing green: call on hold
  • Steady orange: Privacy in use, one-way intercom call, or DND enabled
  • Flashing orange: incoming call or call to be resumed
  • Steady red: remote line in use (shared line or BLF state)
  You can turn extra line buttons into speed-dial buttons. See Setting up speed dialing, page 7-5.
4 Messages button
  Automatically dials your voice message service (varies by service). (Keyboard shortcut: Ctrl + M.) See Accessing voice messages, page 6-1.
5 Directories button
  Opens or closes the Directories menu. Lets you display call logs and a corporate directory, and dial numbers from them. (Keyboard shortcut: Ctrl + D.) You can also use the Quick Search feature (Alt + K) to search directories. See Using call logs, page 6-3.
6 Help button
  Activates the Help menu. (Keyboard shortcut: Ctrl + I.) See Accessing online help, page 2-19.
7 Settings button
  Opens or closes the Settings menu. Lets you change touchscreen and ring settings. (Keyboard shortcut: Ctrl + S.) See Customizing rings and message indicators, page 4-3.
8 Services button
  Opens or closes the Services menu. (Keyboard shortcut: Ctrl + R.) See Setting up phone services, page 7-7.
9 Volume button
  Sets the volume of the audio modes and other settings. (Keyboard shortcut: Page Up/Page Down; see footnote 1.) See Adjusting the volume of a call, page 4-2.
10 Speaker button
  Toggles speakerphone mode on and off. When speakerphone mode is on, the button is lit. (Keyboard shortcut: Ctrl + P.) See Using headsets and other audio devices with Cisco IP Communicator, page 5-1.
11 Mute button
  Toggles the Mute feature on and off. When the feature is on, the button is lit. (Keyboard shortcut: Ctrl + T.) See Using the Mute feature, page 3-13.
12 Headset button
  Toggles headset mode on and off. (Keyboard shortcut: Ctrl + H.) See Using headsets and other audio devices with Cisco IP Communicator, page 5-1.
13 Navigation button
  Lets you scroll through menus and highlight menu items. Use it with the softkeys to activate highlighted items. Also, when Cisco IP Communicator is on-hook, press the Navigation button to access the phone numbers in your Placed Calls log.
14 Cisco Unified Video Advantage button
  Launches Cisco Unified Video Advantage. You must run Cisco Unified Video Advantage version 2.1.1 and Cisco IP Communicator 2.0 (or later) on the same PC to use this feature. (See footnote 2.)
15 Keypad
  Lets you enter digits and letters and select menu items. (Not available with the optional skin.) You can also use the computer keyboard.
16 Softkeys
  Each button activates a softkey. You can also click the softkey labels (instead of the buttons). (Keyboard shortcuts: F2 to F6.) See Handling calls with Cisco IP Communicator, page 3-1.
17 Voice message and ring indicator
  Indicates an incoming call and a new voice message. See Customizing rings and message indicators, page 4-3.

1. Keyboard shortcut in all versions earlier than 2.0: Ctrl + V
2. When Cisco IP Communicator uses the SIP call control protocol, it does not support video with Cisco Unified Video Advantage. Your system administrator will tell you whether your deployment supports video.
Tips
• You can click the menu icon at the top of either skin, right-click Cisco IP Communicator, or press Shift + F10 to display and configure settings, select skins, and enable Screen Only mode. See Using the menu, page 2-11.
• The default mode (Figure 2-2) and the compact mode (Figure 2-1) use the same button icons. The shape and position of the buttons, however, may vary depending on the skin used.
• For the complete list of shortcuts, see Using keyboard shortcuts, page 2-10.
• See Phone screen features, page 2-8 for more information about how calls and lines are displayed on the Cisco IP Communicator screen.

Phone Screen Features
When calls are active and several feature menus are open, the Cisco IP Communicator phone screen may look like the following (screen image not reproduced; the numbered items below describe its areas).

1 Primary phone line
  Displays the phone number (directory number) of your primary phone line.
2 Programmable button indicators
  Programmable buttons can serve as phone line buttons, intercom line buttons, speed-dial buttons, phone service buttons or phone feature buttons. The icons and labels show how these buttons are configured.
  Phone line icon: corresponds to a phone line. Line icons may vary.
  Speed-dial icon: corresponds to a speed-dial button, where configured.
  Phone service icon: where configured, corresponds to a web-based phone service, such as the Personal Address Book.
  Feature icon: where configured, corresponds to a feature, such as the Privacy feature.
  For more information about other icons, see Call and line states and icons, page 2-17.
3 Softkey labels
  Each label describes the function of a softkey.
4 Status line
  Displays audio mode icons, status information and prompts.
5 Call activity area
  Displays current calls per line, including caller ID, call duration and call state for the highlighted line (in standard display mode).
6 Phone tab
  Indicates call activity. Click this tab to return to the call activity area when needed.
7 Feature tabs
  Each tab corresponds to an open feature menu.

Related topics
• About the Cisco IP Communicator interface, page 2-4
• Navigating the interface, page 2-10
Navigating the Interface
• Using keyboard shortcuts, page 2-10
• Using the menu, page 2-11
• Using the window control buttons, page 2-13
• Using incoming call notification, page 2-14
• Choosing items on the phone screen, page 2-14
• Using feature menus, page 2-15
• Entering and editing text, page 2-16
• Off-hook and on-hook, page 2-16
• Call and line states and icons, page 2-17

Using Keyboard Shortcuts
Cisco IP Communicator lets you access the buttons of the window without using the mouse. These navigation shortcuts are particularly useful if you are visually impaired and cannot navigate the interface.

See Table 2-3 for a list of the keyboard shortcuts you can use to navigate the interface.

Table 2-3 Keyboard shortcuts for Cisco IP Communicator

Keystroke                                  Action
Ctrl + D                                   Open or close the Directories menu
Ctrl + S                                   Open or close the Settings menu
Ctrl + R                                   Open or close the Services menu
Ctrl + M                                   Open the voice message system
Ctrl + I                                   Open or close the online help system
Ctrl + H                                   Toggle headset mode on or off
Ctrl + P                                   Toggle speakerphone mode on or off
Ctrl + T                                   Toggle the Mute feature on or off
Ctrl + (number keys 1 to 8)                Open or close line buttons or speed-dial buttons 1 to 8
Ctrl + V                                   Paste a name or phone number
Ctrl + Shift + A or F2                     Answer a call
Alt + S                                    Open the Preferences dialog box
Alt + K                                    Access the Quick Search feature in the directory
Alt + X                                    Exit Cisco IP Communicator
Alt + F4                                   Close Cisco IP Communicator
Enter                                      Dial a call
Esc                                        Hang up
Page Up                                    Increase the volume of the currently selected audio mode
Page Down                                  Decrease the volume of the currently selected audio mode
F2 to F6                                   Activate softkeys 1 to 5
/ (with Num Lock on)                       Activate the # key
Shift + F10                                Open the menu

Using the Menu
You can access the following menu items by clicking the menu icon in the upper right corner of the interface, by right-clicking in the interface, or by pressing Shift + F10.

Item                                       Description
Skins
  Changes the appearance of the interface. Cisco IP Communicator comes with two skins: the default skin (right-click > Skins > Default mode) and the compact skin (right-click > Skins > Compact mode). Figure 2-2 and Figure 2-1 show these two skins.
Screen Only
  Toggles the Screen Only view on and off. Keyboard shortcuts are particularly useful when you use Cisco IP Communicator in the Screen Only view. See Using keyboard shortcuts, page 2-10.
Always On Top
  Toggles this feature on and off. When enabled, this feature keeps Cisco IP Communicator displayed on your desktop even when other applications are active. You can still minimize the interface. See Feature operation and availability, page 2-20.
Audio Tuning Wizard
  Launches the Audio Tuning Wizard, which lets you select and tune audio devices. See Using the Audio Tuning Wizard, page 1-6 and Troubleshooting Cisco IP Communicator, page 8-1.
Paste
  Lets you copy a number from a Windows program, paste it into the dialing box, and click Compos. (Dial) or press Enter to place the call. The keyboard shortcut for this feature is Ctrl + V. Cisco IP Communicator then applies the appropriate dialing rules to the number before dialing it automatically.
Quick Search
  Opens the Quick Search dialog box. The keyboard shortcut for this dialog box is Alt + K. The Quick Search feature lets you search one or more directories with a single command. See Using the personal directory, page 6-7.
Cisco Unified CM User Options
  Opens the Cisco Unified CM User Options web page, where you can configure IP phone features, settings and services (including speed-dial buttons). See Customizing Cisco IP Communicator with Cisco Unified CM User Options, page 7-1.
Preferences
  Opens the Preferences dialog box, which groups the User, Network, Audio and Directories tabs. The keyboard shortcut for the Preferences dialog box is Alt + S.
Help
  Launches the Cisco IP Communicator online help.
About Cisco IP Communicator
  Displays Cisco IP Communicator software version information and important notices about Cisco IP Communicator.
Exit
  Exits Cisco IP Communicator.
Using the Window Control Buttons

To...                          Do this:
Access the menu
  Do one of the following:
  • Click the menu button in the upper right corner of the interface.
  • Right-click in the interface.
  • Press Shift + F10.
Minimize the interface
  Do one of the following:
  • Click the minimize button in the upper right corner of the interface.
  • Click the Cisco IP Communicator button in the taskbar one or more times.
Switch between modes
  Do one of the following:
  • Click the mode button in the upper right corner of the interface.
  • Choose Skins from the menu.
Hide the interface
  Right-click the system tray icon and choose Hide Cisco IP Communicator. The Cisco IP Communicator icon disappears from the taskbar, but the application is not closed.
Restore the interface
  Do one of the following:
  • Double-click the system tray icon.
  • Click the button icon in the taskbar.
Exit
  Do one of the following:
  • Choose Exit from the menu.
  • Right-click the system tray icon and choose Exit.
Tips
• If you receive a call while Cisco IP Communicator is hidden or minimized, the incoming call notification window appears if that option is enabled. If you have enabled the Bring to front on active call option (right-click > Preferences > User tab), Cisco IP Communicator is automatically brought to the front of your desktop.
• To keep Cisco IP Communicator visible on the desktop even when other applications are active, choose Always On Top from the menu. (You can minimize the interface even when Always On Top is selected.)

Using Incoming Call Notification

To...                          Do this:
Answer a call
  Click anywhere in the pop-up window (except on the Mute icon).
Silence the ring
  Click the Mute icon in the pop-up window. Mute applies to the call that is currently ringing.
Hide incoming call notification
  Choose Preferences > User tab > Hide incoming call notification.

Choosing Items on the Phone Screen

To select an item on the phone screen...    Do this:
By clicking
  Click an item on the phone screen. On some phone screens (such as the pre-dial screen), clicking a phone number may cause Cisco IP Communicator to dial that number.
  Clicking an item or entering a number can trigger an action. If the item leads to a menu, the menu opens.
By item number
  Click the corresponding number on your keypad. For example, click 4 to select the fourth item in a menu.
By scrolling
  Click the Navigation button or use the arrow keys on the keyboard to scroll through a list and highlight an item. Click the corresponding softkey, for example Sélect. (Select) or Compos. (Dial), to complete the operation.

Using Feature Menus

To...                          Do this:
Open or close a feature menu
  Click a feature button:
  • Messages
  • Services
  • Help
  • Directories
  • Settings
Scroll through a list or menu
  Click the Navigation button.
Go up one level in a feature menu
  Click the Quitter (Exit) softkey. (Note that if you click it while at the top level of a menu, the menu closes.)
Switch from one active feature menu to another
  Click a feature tab on the phone screen. (Each feature menu has a tab at the top of the phone screen. The tab is visible while the feature menu is open.)
Entering and Editing Text

To...                          Do this:
Enter a letter on the phone screen
  Click to highlight a call feature, then use the keyboard to enter letters or digits.
Delete characters in an entry or move the cursor
  Use the Backspace key on the keyboard, or click << or Suppr. on the phone screen, to delete a letter or digit. To move the cursor to the right, click >> on the phone screen. You may also be able to use the Navigation button or the left and right arrow keys on your keyboard.

Off-Hook and On-Hook
Some Cisco IP Communicator tasks and instructions differ depending on whether Cisco IP Communicator is on-hook or off-hook.
• On-hook: no call is active and there is no dial tone. On Cisco IP Communicator you can dial with the handset on-hook (pre-dialing), which lets you enter or select phone numbers before activating the call. When Cisco IP Communicator is on-hook, the following icon appears next to each phone number: (icon not reproduced)
• Off-hook: the speakerphone is active, or another method is used to get a dial tone and answer an incoming call. When the phone is off-hook, one of the following icons appears, depending on the call or line state: (icons not reproduced)

Related topics
• Call and line states and icons, page 2-17
Call and Line States and Icons
• Lines: each line is associated with a directory number or intercom number that others can use to call you. Cisco IP Communicator supports up to eight lines, depending on its configuration. The number of lines you have is shown on the right side of the phone screen. You have as many lines as you have phone numbers and phone line icons: (icon not reproduced)
• Calls: each line can support several calls. By default, Cisco IP Communicator supports four connected calls per line, but your system administrator can adjust this number to your needs. Only one call can be active at any given time; the other calls are automatically put on hold.

Table 2-4 describes the icons that let you determine the state of calls and lines.

Table 2-4 Call and line state icons (icons not reproduced)

Call or line state             Description
On-hook line
  No call activity on this line. If you dial a number with the phone on-hook (pre-dialing), the call does not start until you go off-hook.
Off-hook line
  You are dialing a number, or an outgoing call is ringing. See Placing a call, page 3-3.
Connected call
  You are connected to the other party.
Ringing call
  A call is ringing on one of your lines. See Answering a call, page 3-9.
Call on hold
  You have put this call on hold. See Using the Hold and Resume features, page 3-12.
Remote in use
  Another phone that shares your line has a connected call. See Using shared lines, page 3-35.
Authenticated call
  The connected call is secured. See Logging out of hunt groups, page 3-29.
Encrypted call
  The connected call is encrypted. Encrypted calls are also authenticated. See Logging out of hunt groups, page 3-29.

Table 2-5 describes the icons that show how line buttons are configured.

Table 2-5 Line button icons (icons not reproduced)

Call or line state             Description
Idle line (BLF)
  See Using Busy Lamp Field indicators to determine a line's state, page 3-34.
Busy line (BLF)
  See Using Busy Lamp Field indicators to determine a line's state, page 3-34.
Line in Do Not Disturb mode (BLF)
  See Using Busy Lamp Field indicators to determine a line's state, page 3-34.
Idle intercom line
  The intercom line is not in use. See Placing or receiving intercom calls, page 3-38.
One-way intercom call
  The intercom line is sending or receiving one-way audio. See Placing or receiving intercom calls, page 3-38.
Two-way intercom call
  The recipient has pressed the intercom line button to use two-way audio with the caller. See Placing or receiving intercom calls, page 3-38.
Accessing Online Help
Cisco IP Communicator includes a complete online help system. Help topics appear on the phone screen.

To...                          Do this:
Display the main menu
  Click the Cisco IP Communicator Help button and wait a few seconds for the menu to appear. If help is already open, click Princ. (Main).
  The main menu items are:
  • About Cisco IP Communicator: detailed description of Cisco IP Communicator
  • How do I...?: procedures and information about common tasks in Cisco IP Communicator
  • Calling features: descriptions and procedures for using calling features
  • Help: tips on using and accessing Help
Get information about a button or softkey
  Click the Help button, then quickly click a button or softkey.
Get information about a menu item
  Click the Help button, then quickly click a menu item on the phone screen.
  You can also quickly click the Help button twice after selecting the menu item.
Learn how to use Help
  Click the Help button. Wait a second or two, then click the Help button again or select Help from the main menu.
Access the User Guide
  Select menu > Help, or right-click > Help.
Feature Operation and Availability
How Cisco IP Communicator works and which features are available to you may vary depending on the call-processing agent your company uses and on how your company's technical support has configured your phone system. For information about how features work or whether they are available, contact technical support or your system administrator. You can access many features by pressing a softkey or a line button. You can configure some features yourself, but your system administrator controls most of them. Here is some information about accessing features with softkeys:

Feature                                    Softkey
Call Back                                  Rappel
Call Forward                               RenvTt
Call Park                                  Parquer
Call Pickup                                Intrcpt
Conference                                 Conf.
Conference list                            ListConf
Do Not Disturb                             NPD
End a call                                 FinApp.
Group Call Pickup                          GrpIntr
Hold                                       Attente
Malicious Call Identification              IDAM
Meet-Me conferences                        MeetMe
Mobility                                   Mobilité
New call                                   NvAppel
Other Group Pickup                         AGrpIntr
Quality Reporting Tool                     QRT
Redial                                     Bis
Remove last conference participant         SupDerA
Transfer                                   Trnsfer

CHAPTER 3
Handling Calls with Cisco IP Communicator
• Handling basic calls, page 3-1
• Setting up conference calls, page 3-21
• Handling advanced call features, page 3-25

Handling Basic Calls
This section describes the main call-handling tasks, such as placing, answering and transferring calls. The features needed to perform these tasks are standard and available on most phone systems.

Note: The protocol your phone uses may determine which features are available to you. Ask your administrator which features your phone supports.

• Placing a call, page 3-3
• Placing a video call, page 3-8
• Answering a call, page 3-9
• Ending a call, page 3-11
• Using the Hold and Resume features, page 3-12
• Using the Mute feature, page 3-13
• Transferring a connected call, page 3-14
• Selecting calls, page 3-15
• Switching between calls, page 3-15
• Forwarding your calls to another number, page 3-17
• Using the Do Not Disturb feature, page 3-19
Placing a call

To...                                     Do this:

Pre-dial (dial with the handset on hook, without first hearing a dial tone):
  • Enter a phone number (the auto-dial feature may suggest phone numbers from your Placed Calls log that match the digits you enter).
  or
  • Click the Navigation button to display the phone numbers in your Placed Calls log.
  Then click the number shown on the phone screen to dial it. You can also do any of the following to go off hook and dial the highlighted number:
  • Click the Speaker or Headset button.
  • Click Compos. or press the Enter key on your keyboard.
  • Click a line button.
  • Press the Enter key on your keyboard.
  or
  • Drag a number from a Windows program that supports drag and drop, drop it anywhere in the Cisco IP Communicator interface, then click Compos. or press the Enter key.
  • Drag a vCard and drop it anywhere in the Cisco IP Communicator interface. If the vCard contains several numbers, select the one to dial in the pop-up window and click Compos. or press the Enter key.
  or
  • Copy a number from another source, then click Menu > Coller (Paste). (You can also paste a phone number with the Ctrl+V keyboard shortcut.) The number is entered automatically. Click Compos. or press the Enter key.

Dial after going off hook (after the dial tone):
  Click NvAppel, the Speaker or Headset button, or a line button, and enter a number.

Redial the last number dialed:
  Click Bis. By default, Bis uses your primary line. However, you can open a secondary line and then click Bis. To open a line, click a line button.

Speed dial a number:
  • Click a speed-dial button before or after going off hook.
  or
  • Enter a speed-dial code (1 to 99 on the keypad) with the phone on hook, then click NumAbr.

Place a call while another call is active (on a different line):
  Click a line button for the new line. The call on the first line is automatically put on hold.

Place a call while another call is active (on the same line):
  Click Attente, then NvAppel. You can now dial a number, or use Bis or speed dial. You can also continue the active call while preparing to dial a number from a call log or a directory. To retrieve the held call, click Reprend. (see the next two rows of this table for details).

Dial from a call log:
  Click the Directories button. Select Missed Calls, Received Calls, or Placed Calls. To dial a number, click it, or scroll to it in the list and go off hook.
  If you want to dial a number from a call log while continuing an active call, scroll to the record you want and click Compos. or press the Enter key. Then choose a menu item to handle the original call:
  • Attente (Hold): puts the first call on hold and dials the second.
  • Transfert (Transfer): transfers the first party to the second (click Transfert again to complete the transfer).
  • Conférence (Conference): creates a conference call among all parties (click Conf. to complete it).
  • Fin app. (End call): disconnects the first call and dials the second.

Dial a corporate directory entry on the phone:
  Click the Directories button. Select Corporate Directory (the exact name of this service may vary). Enter letters with the keyboard, then click Recher. To dial a number, click it, or scroll to it in the list and go off hook.
  If you want to dial a number from a directory while continuing an active call, scroll to the record you want and click Compos. or press the Enter key. Then choose a menu item to handle the original call:
  • Attente (Hold): puts the first call on hold and dials the second.
  • Transfert (Transfer): transfers the first party to the second (click Transfert again to complete the transfer).
  • Conférence (Conference): creates a conference call among all parties (click Conf. to complete it).
  • Fin app. (End call): disconnects the first call and dials the second.

Dial from a corporate directory on your personal computer using Cisco WebDialer:
  • Open a web browser and go to a WebDialer-enabled corporate directory.
  • Click the number you want to dial.
  See the guide Customizing Your Cisco Unified IP Phone on the Web for details:
  http://www.cisco.com/en/US/products/hw/phones/ps379/products_user_guide_list.html

Use Cisco Callback to be notified when a busy or unanswered extension becomes free:
  • Press Rappel when you hear the busy tone or the ringback.
  • Hang up. Your phone alerts you when the line is free.
  • Place the call again.

See whether a line associated with a speed dial, a call record, or a directory listing is busy before placing a call on it:
  Look for busy-line feature indicators. See Using busy-line feature indicators to determine line state, page 3-34.

Dial in headset mode:
  • If the Headset button is not lit, click it before or after dialing, redialing (Bis), or speed dialing.
  or
  • If the Headset button is lit, click NvAppel, Bis, a speed-dial button, or a line button. If required, enter a phone number and click Compos. or press the Enter key. See Using a headset, page 5-2.

Dial in speakerphone mode:
  First make sure no analog headset is plugged into the computer's audio jacks. Click NvAppel or press the Speaker button and enter a phone number. You can also place the call another way, then click the Speaker button to switch to speakerphone mode.
  Many of the actions you take while dialing automatically trigger speakerphone mode. See Using your computer as a speakerphone, page 5-4.

Dial in handset mode:
  Lift the handset before or after dialing, redialing (Bis), or speed dialing. See Using a USB handset, page 5-5.

Dial from your personal address book:
  Available only if enabled on Cisco Unified Communications Manager (formerly Cisco Unified CallManager). Check with your system administrator.
  • If you use a version of Cisco Unified Communications Manager other than 4.x, click the Directories button and select Personal Directory.
  • If you use Cisco Unified Communications Manager 4.x, click the Services button and select Service PAB (the exact name may vary).
  (Depending on the configuration, you may also be able to use Quick Search. See Using the personal directory, page 6-7.)
  Before using this service, you must subscribe to it. See Using your personal address book.

Dial using a fast-dial code:
  Available only if enabled on Cisco Unified Communications Manager (formerly Cisco Unified CallManager). Check with your system administrator.
  • If you use a version of Cisco Unified Communications Manager other than 4.x, click the Directories button and select Personal Directory.
  • If you use Cisco Unified Communications Manager 4.x, click the Services button and select Fast Dials (the exact name may vary). To dial a number from a list, click it, or select it and go off hook.
  For more information about the fast-dial service, see Setting up fast dials, page 7-4.

Place a call using a billing or tracking code:
  Dial a number, or enter a client matter code or a forced authorization code when you hear a special tone. Your system administrator will tell you whether you need to enter these codes and can give you detailed instructions if necessary.

Place a priority call:
  Enter the MLPP (Multilevel Precedence and Preemption) access number (provided by your system administrator), then the phone number.

Place a call using your Cisco Extension Mobility profile:
  Make sure you are logged in to Extension Mobility. Press the Services button and select Service EM (the exact name of this service may vary), then enter your login information using the keypad. If you share a phone, you may need to log in to Extension Mobility to access certain features or to place a call. Extension Mobility is a special feature that is not available by default; your system administrator can assign it to phones and their users.

Tips
• To add a prefix to a number in one of your call logs, select the number and click ModNum.
• If you dial the number before going off hook, the number cannot begin with an asterisk (*) or a pound sign (#). If you need these characters, lift the handset to get a dial tone and then dial the number.

Related topics
• Answering a call, page 3-9
• Ending a call, page 3-11

Making a video call
When you use Cisco IP Communicator with Cisco Unified Video Advantage, you can place video calls.
To place a video call, you must meet the following requirements:
• Cisco Unified Video Advantage must be installed on your system.
• Cisco IP Communicator must be enabled for video calls on the call-processing server. Once it is enabled, Cisco IP Communicator displays the corresponding icon in the lower right corner of the phone screen.
• You must start Cisco Unified Video Advantage before making the video call.
• The other party must meet the same requirements and use a device that is a video endpoint.
To enable your phone for video calls, contact your system administrator for help and see the Cisco Unified Video Advantage user guide:
http://www.cisco.com/en/US/products/sw/voicesw/ps5662/products_user_guide_list.html
Answering a call

To...                                     Do this:

Answer in headset mode:
  Click the Headset button if it is not lit. Or, if the Headset button is lit, click Répond. or a flashing line button. See Using a headset, page 5-2.

Answer in speakerphone mode:
  Click the Speaker button, Répond., or a flashing line button. See Using your computer as a speakerphone, page 5-4.

Answer in handset mode:
  Lift the handset (or activate it as appropriate). See Using a USB handset, page 5-5.

Answer a call with the keyboard shortcut:
  Press F2 or Ctrl+Shift+A on your keyboard.

Answer from the incoming call notification:
  Click the ringer icon or the caller ID information.
  If you click the Mute icon in the incoming call notification window that appears during an active call, the ringer is silenced and the notification window disappears. You must return to the application interface to view the details of the muted call and to turn this behavior off for future incoming calls.

Answer a ringing call while on another connected call:
  See Switching between calls, page 3-15 and Using Hold and Resume, page 3-12.

Set up Cisco IP Communicator to connect automatically to an incoming call after one or two rings:
  Ask your administrator to configure Auto Answer for your lines. You can use this feature in speakerphone or headset mode. See Using headsets and other audio devices with Cisco IP Communicator, page 5-1.

Retrieve, or let someone else retrieve, a call on hold on another phone (a conference room phone, for example):
  Use Call Park. See Using Cisco Extension Mobility, page 3-26.

Use your phone to answer a call ringing on another phone:
  Use Call Pickup. See Redirecting an incoming call to Cisco IP Communicator, page 3-33.

Answer a priority call:
  End the current call by hanging up, then click Répond.

Send an incoming call directly to your voice messaging system:
  Click Rvoi Im. The incoming call is automatically transferred to your voicemail greeting.

Answer a call on your mobile phone or on another remote destination:
  Set up Mobile Connect and answer the phone.
  When you enable Mobile Connect:
  Calls ring simultaneously on your desk phone and on the remote destinations. When you answer the call on your desk phone, the remote destinations stop ringing, are disconnected, and display a missed-call message. When you answer the call on a remote destination, the other remote destinations stop ringing, are disconnected, and a missed-call message is displayed on them.

Tip: Keep headset mode on to use Auto Answer with the headset (this feature must be configured by the system administrator). If you use a headset without Auto Answer, you may still prefer to keep headset mode on. See Obtaining audio devices, page 5-1.

Related topics
• Ending a call, page 3-11
• Using Hold and Resume, page 3-12
• Transferring a connected call, page 3-14
• Switching between calls, page 3-15
• Using Cisco Extension Mobility, page 3-26

Ending a call

To...                                     Do this:

Hang up in handset mode:
  Deactivate the handset, click FinApp, or press the Esc key on your keyboard. See Using a USB handset, page 5-5.

Hang up in headset mode:
  Click the Headset button if it is lit.
  To keep headset mode active, leave the button lit and click FinApp or press the Esc key on your keyboard. See Using a headset, page 5-2.

Hang up in speakerphone mode:
  Click FinApp or press the Esc key on your keyboard. See Using your computer as a speakerphone, page 5-4.

End one call without ending another call on the same line:
  Click FinApp or press the Esc key. If necessary, first click Reprend to retrieve a held call.

Related topics
• Placing a call, page 3-3
• Answering a call, page 3-9
• Transferring a connected call, page 3-14
Using Hold and Resume
You can put calls on hold and resume them. When you put a call on hold, the Hold icon appears next to the caller ID and the corresponding line button flashes green.
If Hold Reversion is enabled for your phone, held calls ring again after a certain time. The "reverted" call stays on hold until you resume it or until the reversion timer expires.
Your phone indicates a reverted call by:
• Alerting you at regular intervals with a single ring (or a flash or a beep, depending on how your phone line is configured).
• Briefly displaying a Hold Reversion message in the status bar at the bottom of the phone screen.
• Displaying the animated Hold Reversion icon next to the caller ID of the held call.
• Displaying a flashing amber line button (depending on the line state).

To...                                     Do this:

Put a call on hold:
  1. Make sure the call you want to put on hold is selected.
  2. Click Attente.

Resume a held call on the active line:
  1. Make sure the right call is highlighted.
  2. Click Reprendre.

Resume a held call on another line:
  1. Click a flashing green line button. If that line has only one held call, it is resumed automatically.
  2. If the line has several held calls, make sure the right call is highlighted, then click Reprend.

Tips
• Putting a call on hold usually generates music or a beep.
• If you are alerted to an incoming call and a reverted call at the same time, your phone screen shows the incoming call by default. Your system administrator can change this display priority.
• If you use a shared line, Hold Reversion rings only on the phone that put the call on hold, not on the other phones sharing the line.
• The interval between reversion alerts is determined by your system administrator.
Using Mute
Mute silences the headset, speakerphone, or microphone. When Mute is on, you can hear the other parties, but they cannot hear you.

Note: If you start Cisco IP Communicator while your audio device or computer is muted, the Check Audio Settings window prompts you to restore, adjust, or cancel your audio settings. If the audio settings you had previously defined worked correctly, choose Restore. To view or change them, choose Adjust. To keep Mute on, choose Cancel.

To...                                     Do this:

Turn Mute on:
  Click the Mute button while it is not lit.

Turn Mute off:
  Click the Mute button while it is lit.
Transferring a connected call
Transfer redirects a connected call. The target is the number to which you want to transfer the call.

Tips
• If on-hook transfer is enabled, you can either hang up directly or click Trnsfer before hanging up.
• If it is not enabled on your phone, be aware that hanging up instead of clicking Trnsfer cancels the transfer and puts the party being transferred on hold.
• You cannot use the Trnsfer softkey to redirect a held call. Click Reprend. to resume the call before transferring it.

To...                                     Do this:

Transfer a call without talking to the transfer recipient:
  During the call, click Transférer and enter the target number. When you hear the ringback, click Transférer again.

Talk to the transfer recipient before transferring a call (consultative transfer):
  During the call, click Transférer and enter the target number. Wait a moment to give the transfer recipient time to answer. If the recipient accepts the transferred call, click Transférer again. If the recipient refuses the call, press Reprend. to retrieve the original call.

Transfer two current calls to each other (direct transfer):
  Select one call on the line, then click Sélect. Repeat for the second call. With one of the selected calls highlighted, click TrnsDir (you may first need to click autres to display this option). The two calls connect to each other and you are dropped from the call.
  To stay on the line with these parties, use Joindre instead to create a conference call.

Transfer a call to your voice messaging system:
  Click Rvoi Im. The call is automatically transferred to your voicemail greeting. This feature is available while a call is active, ringing, or on hold.
Selecting calls
Many Cisco IP Communicator features require you to select the calls you want to use with a particular feature. For example, if you have four calls on hold but want to join only two of them to a conference call, you can select the calls to add before activating the conference feature.

Switching between calls
You can switch between calls on one or more lines. If the call you want to switch to is not selected (highlighted) automatically, click its image on the phone screen.

To...                                     Do this:

Highlight a call:
  Click a call in the call list. Highlighted calls appear on a lighter, brighter background.

Select a call:
  Highlight a connected or held call, then click Sélect. Selected calls are marked with a check mark.

Check which calls are selected:
  Click the Navigation button to scroll through the call list. Selected calls are marked with a check mark and grouped together in the call list.

Switch between connected calls on one line:
  Select the call you want to switch to and click Reprend. The other call is automatically put on hold.

Switch between connected calls on different lines:
  Click the flashing green line button for the line (and call) you want to switch to. If that line has only one held call, it is resumed automatically. If it has several, highlight the right call (if necessary) and click Reprend.

Answer a ringing call while on a connected call:
  Click Répond. or a flashing yellow line button. This answers the new call and automatically puts the first call on hold.

Switch to an incoming call from the incoming call notification:
  Click in the incoming call notification window (anywhere except the Mute icon). The active call is put on hold and you can answer the incoming call.

View the list of active calls:
  Click a green line button during an active call to return to the main screen, hiding the information about the active call. This shows the list of all active calls on each of your lines. The active call is the one in progress or, if all calls are on hold, the one that has been on hold the longest. Click the green line button again to return to the original view.

View all calls on a given line:
  Click the Help button, then immediately click the line button. This displays the call details without affecting the call state. Use this procedure when you are on one line and want to view the held calls on another line.

Tips
• Only one call can be active at any given time; the other connected calls are automatically put on hold.
• When you have several calls on the same line, the calls with the highest priority and the longest duration appear at the top of the call list.
• Calls of the same type are grouped together in the call list. For example, calls you have taken part in are grouped toward the top; selected calls come next. Calls you have not yet answered are grouped at the bottom (last).
Transferring an in-progress call to another phone
If you use Mobile Connect, you can transfer in-progress calls from the Cisco IP Communicator softphone to your mobile phone or to another remote destination.

To...                                     Do this:

Transfer an in-progress call from the Cisco IP Communicator softphone to a mobile phone:
  Press the Mobilité softkey and select Transférer l'appel vers le téléphone portable (send the call to the mobile phone).
  Answer the in-progress call on your mobile phone.
  The line button turns red, and handset icons and the caller's number are displayed on the phone screen. Although you cannot use the same phone line for other calls, you can answer or place calls on another line if your phone supports multiple lines.

Transfer an in-progress call from a mobile phone to the Cisco IP Communicator softphone:
  Hang up your mobile phone to disconnect the mobile phone but not the call.
  Press Reprend. on your phone within 4 seconds and start talking on the desk phone.

Forwarding your calls to another number
You can use the call forwarding features to redirect incoming calls from your phone to another number.

Note: Enter the target number for forwarding all calls exactly as you would dial it on your phone. For example, enter an access code such as 9, or the area code, if required.

Your system administrator may let you choose between two types of call forwarding:
• Unconditional call forwarding (Call Forward All): applies to all calls you receive.
• Conditional call forwarding (Call Forward No Answer, Call Forward Busy, Call Forward No Coverage): applies to certain calls you receive, under certain conditions.
You can access Call Forward All on your phone; the other call forwarding features are accessible only on the Cisco Unified CM User Options web pages. Your system administrator determines which call forwarding features are available on your phone.

To...                                     Do this:

Set up forwarding of all your calls on your primary line:
  Press RenvTt or Renvoyer tout, then enter a target phone number.

Cancel forwarding of all calls on your primary line:
  Press RenvTt or Renvoyer tout.

Verify that Call Forward All is enabled on your primary line:
  Look for:
  • The call forwarding icon above the primary phone number.
  • The forwarding target number on the status line.

Set up or cancel call forwarding remotely, or for a secondary line:
  1. Go to the Cisco Unified CM User Options web pages.
  2. Go to the call forwarding settings. See Controlling line settings, page 7-10.
  Note: When call forwarding is enabled for any line other than the primary line, nothing on your phone confirms that calls are being forwarded. You must check your settings on the Cisco Unified CM User Options web pages.

Tips
• Enter the call forwarding target number exactly as you would dial it on your phone. For example, enter an access code or the area code, if required.
• Call forwarding is line-specific. If call forwarding is not enabled on the line on which a call arrives, the call rings normally.
• Your system administrator can enable a call forward override feature so that the person who receives your forwarded calls can reach you. When override is enabled, calls placed from the target phone to your phone are not forwarded; they ring on your extension.

Related topics
• Answering a call, page 3-9
• Transferring a connected call, page 3-14
• Handling advanced call features, page 3-25
Using Do Not Disturb
You can use the Do Not Disturb (DND) feature to block incoming calls to your phone with a busy tone.
When both DND and call forwarding are enabled on your phone, calls are forwarded and the caller does not hear a busy tone.

To enable Do Not Disturb:
    1. Click Paramètres > Configuration du périphérique > Préférences d'appel > Ne pas déranger.
    2. Select Oui, then click Enregistrer.
    "Ne pas déranger" appears on the status line and the NPD softkey is added.
To disable DND:
    Click the NPD softkey. The NPD softkey is removed.
To customize the Do Not Disturb options:
    1. Select Options utilisateur Cisco Unified CM.
    2. Access your Cisco Unified CM User Options web pages.
    3. From the drop-down menu, choose Options utilisateur > Périphérique.
    4. Select the device name of your Cisco IP Communicator.
    5. Set the following options:
    – Ne pas déranger: enable or disable DND.
    – Alerte d'appel entrant avec la fonction NPD: set the alert to beep only, flash only, or disable all visual and audible notifications.

Tips
• When you enable DND:
    – Cisco IP Communicator does not block calls to intercom lines or critical calls, such as calls from Cisco Emergency Responder and MLPP calls.
    – Cisco IP Communicator does not record incoming calls in your phone's Missed Calls log.
    – If you have also enabled Renvoyer tout, that feature takes precedence for incoming calls: Cisco IP Communicator forwards all your calls and the caller does not hear a busy tone.
    – If Call Forward Busy is enabled on your line, Cisco IP Communicator forwards calls to the Call Forward Busy number. Callers do not hear a busy tone.
• If DND is disabled on your phone, contact your system administrator.

Related Topics
• Logging In to the Cisco Unified CM User Options Web Pages, page 7-2
Making Conference Calls
You can create a conference in several ways, depending on your needs and the features available on your phone.
• Conference: creates a standard (ad hoc) conference by calling each participant. Use the Conf. softkey.
• Join: creates a standard (ad hoc) conference by combining existing calls. Use the Joindre softkey. Join is available only on SCCP phones.
• InsConf: creates a standard (ad hoc) conference by adding yourself to a call on a shared line. Press a line button or the InsConf softkey. InsConf is available only on phones that use shared lines.
• Meet-Me: creates or joins a conference by calling a conference number. Use the MeetMe softkey.

Using the Conference Feature

To create a conference:
    1. During a call, press Conf. (You may need to press the autres softkey to see Conf.)
    2. Enter the participant's phone number.
    3. Wait for the call to connect.
    4. Press Conf. again to add the participant to your call.
    5. Repeat these steps to add more participants.
To add new participants to an existing conference:
    Repeat the steps above.
    Your system administrator determines whether you can add or remove participants when you are not the conference initiator.
Using Join (SCCP phones only)
Join lets you combine several existing calls to create a conference in which you take part.

To create a conference by joining existing calls on a single phone line:
    1. From an active call, highlight another call to include in the conference, then press Sélect.
    2. Repeat this step for each call you want to add.
    3. Press Joindre. (You may need to press the autres softkey to see Joindre.)
To create a conference by joining existing calls on several phone lines:
    1. From an active call, press Joindre. (You may need to press the autres softkey to see Joindre.)
    2. Press the flashing green line button for each call to include in the conference.
    One of the following happens:
    • The calls are joined.
    • A window opens on the phone screen prompting you to select the calls to join. Highlight the calls, press Sélect, then press Joindre to complete the operation.
    Note: If your phone does not support Join for calls on several lines, transfer the calls to a single line. You can then use Join.
To combine two existing conferences:
    Use the Joindre or TrnsDir softkey.
    Ask your system administrator whether your system supports this feature.
Using InsConf
You can create a conference by using InsConf to add yourself to a call on a shared line.

To create a conference by barging into a call on a shared line:
    Press the line button for the shared line.
    In some cases, you must highlight the call and press InsConf to complete the operation.
    For more information, see Adding Yourself to a Call on a Shared Line, page 3-36.

Using Meet-Me
Meet-Me conferencing lets you start a conference, or join one, by dialing its number.
To start a Meet-Me conference:
    1. Ask your system administrator for a Meet-Me phone number.
    2. Give the number to all participants.
    3. When you are ready to start the conference, go off-hook to get a dial tone, then press MeetMe.
    4. Dial the Meet-Me conference number.
    Participants can now join the conference by dialing that number.
    Note: Participants hear a busy tone if they dial the conference number before the initiator has connected. In that case, they must call again.
To join a Meet-Me conference:
    Dial the Meet-Me conference number (given to you by the conference initiator).
    Note: You hear a busy tone if you dial the conference number before the initiator has connected. In that case, call again later.
To end a Meet-Me conference:
    All participants must hang up.
    The conference does not end automatically when the initiator disconnects.

Viewing or Removing Conference Participants

To view the list of conference participants:
    Press ListConf.
    Participants are listed in the order in which they joined the conference, with the most recent at the top of the list.
To refresh the list of conference participants:
    While the participant list is displayed, press MàJ.
To see who initiated the conference:
    While the participant list is displayed, look for the participant at the bottom of the list with an asterisk (*) next to the name.
To remove a participant from the conference:
    While the list is displayed, highlight the participant's name, then press Suppr.
To drop the last party who joined the conference:
    While the participant list is displayed, press SupDerA or Supprimer dernier participant.
Advanced Call Handling
Advanced call handling tasks involve special (non-standard) features that your system administrator can configure on Cisco IP Communicator according to your needs and work environment. By default, you do not have access to these features.
• Using Cisco Extension Mobility, page 3-26
• Handling Business Calls Using a Single Phone Number, page 3-27
• Logging Out of Hunt Groups, page 3-29
• Tracing Suspicious Calls, page 3-31
• Prioritizing Critical Calls, page 3-32
• Redirecting an Incoming Call to Cisco IP Communicator, page 3-33
• Calling Back a Busy Line When It Becomes Available, page 3-34
• Using Busy Lamp Field Indicators to Determine a Line State, page 3-34
• Using Shared Lines, page 3-35
• Making or Receiving Intercom Calls, page 3-38
Using Cisco Extension Mobility
Cisco Extension Mobility (EM) lets you temporarily configure a Cisco Unified IP Phone as your own. When you log in to EM, the phone adopts your user profile, phone lines, features, established services, and web settings. Only the system administrator can configure Extension Mobility.

To log in to the EM service:
    1. Click the Services button and select Service EM (the feature name may vary).
    2. Enter your user ID and personal identification number (provided by your system administrator).
    3. If prompted, select a device profile.
To log out of the EM service:
    1. Click the Services button and select Service EM (the feature name may vary).
    2. When prompted to log out, press Oui.

Tips
• You are automatically logged out of Extension Mobility after a certain period of time. This period is set by your system administrator.
• Changes you make to your Extension Mobility profile in the User Options web pages take effect immediately if you are logged in to Extension Mobility on the phone. Otherwise, they take effect the next time you log in.
• Changes you make to your phone in the User Options web pages take effect immediately if you are logged out of EM. Otherwise, they take effect after you log out.
• Local settings adjusted on the phone itself are not saved in your Extension Mobility profile.
Handling Business Calls Using a Single Phone Number
When Mobile Connect and Mobile Voice Access are installed, you can use your mobile phone to handle calls associated with your desk phone number. A smartphone is a mobile phone with personal computer capabilities such as web browsing, e-mail, an address book, and a calendar.

To configure Mobile Connect:
    Use the Cisco Unified CM User Options web pages to set up remote destinations and to create access lists that allow or block the forwarding of calls from specific numbers to those remote destinations. See Setting Up Phones and Access Lists for Mobile Connect, page 7-12.
To answer a call on your mobile phone:
    See Answering a Call, page 3-9.
To move an in-progress call from your desk phone to a mobile phone:
    See Transferring an In-Progress Call to Another Phone, page 3-17.
To put a call answered on your smartphone on hold:
    1. Press the business hold key on the smartphone (the feature name may vary).
    The other party is placed on hold.
    2. On your smartphone, press the Reprend. softkey (the feature name may vary). See Transferring an In-Progress Call to Another Phone, page 3-17.
To transfer a call answered on a smartphone to another number:
    1. Press the business transfer softkey on the smartphone (the feature name may vary).
    2. Dial your company's call transfer access code to start a new call. The other party is placed on hold.
    3. Press the business transfer softkey to complete the transfer.
To start a conference call during a call answered on a smartphone:
    1. Press the business conference softkey on the smartphone (the feature name may vary).
    2. Dial your company's conference access code to start a new call. The other party is placed on hold.
    3. Press the business conference softkey to finish setting up the conference and include both parties in it.
To use Mobile Voice Access:
    1. From any phone, dial the Mobile Voice Access number assigned to you.
    2. Enter the number you are calling from, if prompted, and your personal identification number.
To enable Mobile Connect from your mobile phone:
    1. Dial the Mobile Voice Access number assigned to you.
    2. Enter your mobile phone number (if prompted) and your personal identification number.
    3. Press 2 to enable Mobile Connect.
    4. Choose whether to enable Mobile Connect for all configured phones or for a single phone:
    – All phones: enter 2.
    – One phone: enter 1, then the number to add as a remote destination, followed by #.
To disable Mobile Connect from your mobile phone:
    1. Dial the Mobile Voice Access number assigned to you.
    2. Enter your mobile phone number (if prompted) and your personal identification number.
    3. Press 3 to disable Mobile Connect.
    4. Choose whether to disable Mobile Connect for all configured phones or for a single phone:
    – All phones: enter 2.
    – One phone: enter 1, then the number to remove as a remote destination, followed by #.
Storing and Retrieving Parked Calls
When you want to store a call, you can park it so that you or someone else can retrieve it from another phone in the call processing system (for example, a phone at a colleague's desk or in a conference room). Call Park is a special feature that your system administrator can set up for you.
Note: You have a limited time to retrieve the call before it rings again on the extension to which it was originally directed. Ask your system administrator for this time limit.

To store an active call using Call Park:
    During a call, click Parquer (you may need to click the autres softkey first). This tells Cisco IP Communicator to store the call. Note the call park number displayed on the phone screen, then hang up.
To retrieve a parked call:
    Enter the call park number on any Cisco IP Communicator or Cisco IP Phone on the network to connect to the call.

Related Topics
• How to Handle Basic Calls, page 3-1
• Using Hold and Resume, page 3-12
• Transferring a Connected Call, page 3-14

Logging Out of Hunt Groups
If your organization receives a large volume of incoming calls, you may be a member of a hunt group. A hunt group is a series of directory numbers that share the incoming call load. When the first directory number in the hunt group is busy, the system hunts for the next available directory number in the group and directs calls to that phone.
When you are away from your desk, you can log out of hunt groups so that your phone does not ring.
Tip: Logging out of hunt groups does not prevent your phone from ringing when other calls arrive.
To log out of hunt groups to temporarily block hunt group calls:
    Press Groupmt or Groupe de recherche. The phone screen displays « Déconnecté du grpe rech. »
To log in to receive hunt group calls:
    Press Groupmt or Groupe de recherche. When you are logged in, the Groupe de recherche button is lit.

Making and Receiving Secure Calls
Depending on how your system administrator has configured your phone system, Cisco IP Communicator may support making and receiving secure calls.
Cisco IP Communicator supports the following call types:
• Authenticated call: the identity of every phone participating in the call has been verified.
• Encrypted call: the phone receives and transmits encrypted audio (your conversation) over the Cisco IP network. Encrypted calls are also authenticated.
• Non-secure call: at least one of the participating phones or the connection does not support this security feature, or the identity of the phones cannot be verified.

To check the security level of a call:
    Look for one of the following security icons at the top right of the call activity area, next to the call duration indicator:
    • Authenticated call or conference
    • Encrypted call or conference
    If neither icon is displayed, the call is not secure.
To find out whether secure calls can be placed within your company:
    Contact your system administrator.

Note: Interactions, restrictions, and limitations affect how the security features work on Cisco IP Communicator. For more information, contact your system administrator.

Tracing Suspicious Calls
If you receive suspicious or malicious calls, your system administrator can add the Malicious Call Identification feature (IDAM softkey) to your phone. This feature lets you flag an active call as suspicious, which starts a series of automated tracking and notification messages. The call processing system can then identify and record the source of the incoming call on the network.

To notify your system administrator of a suspicious or malicious call:
    Press IDAM.
    You hear a tone and the message "IDAM réussie" appears on your phone.
Prioritizing Critical Calls
In some specialized environments, such as military or government offices, you may need to make and receive urgent or critical calls. If you need this specialized call handling, your system administrator can add Multilevel Precedence and Preemption (MLPP) to your phone.
Keep the following terms in mind:
• Precedence indicates the priority associated with a call.
• Preemption is the process of ending an existing, lower-priority call in order to accept a higher-priority call that is sent to your phone.

If you want to choose the priority (precedence) level of an outgoing call:
    Contact your system administrator for the list of priority numbers for calls.
If you want to make a priority (precedence) call:
    Enter the MLPP access number (provided by your system administrator), then the phone number.
If you hear a different ring (faster than usual) or a special call waiting tone:
    You are receiving a priority (precedence) call. An MLPP icon on your phone screen indicates the priority level of the call.
If you want to view the priority level of a call:
    Look for an MLPP icon on your phone screen:
    • Priority call
    • Medium priority (immediate) call
    • High priority (flash) call
    • Highest priority (flash override) call or priority call
    The most important calls appear at the top of the call list. If no MLPP icon appears, the call is a normal (routine) call.
If you hear a continuous tone that interrupts your call:
    You or the other party are receiving a call that takes precedence over the current call. Hang up immediately so that the higher-priority call can ring on your phone.

Tips
• When you make or receive an MLPP call, you hear a special ring and call waiting tone that differ from the standard ring and tone.
• If you enter an incorrect MLPP access number, a voice message alerts you.
• An MLPP call keeps its priority status when you:
    – put it on hold
    – transfer it
    – add it to a conference
    – answer it using call pickup.
• MLPP takes precedence over Do Not Disturb (DND).
Redirecting an Incoming Call to Cisco IP Communicator
Call pickup lets you redirect a call that is ringing on a colleague's phone to your Cisco IP Communicator so that you can answer it. Call pickup is a special feature that your system administrator can configure for you, depending on your call handling needs and work environment. For example, you may need this feature if you share call handling responsibilities with your colleagues.

To answer a call ringing on another extension in your group:
    Click an available line button, then Intrcpt.
    The call rings on your line.
To answer a call ringing on another extension outside your group:
    Click an available line button, then GrpIntr.
    Enter the group pickup code provided by your system administrator. The call rings on your line.
To answer a call ringing on another extension, either in your group or in an associated group:
    Click an available line button, then AGrpIntr.

Tips
• To pick up the call that has been ringing the longest, press Intrcpt or GrpIntr.
• To pick up the highest-priority call in the pickup group, press AGrpIntr.

Related Topics
• Transferring a Connected Call, page 3-14
Calling Back a Busy Line When It Becomes Available
If the number you call is busy or does not answer, you can have Cisco IP Communicator notify you as soon as the line becomes available. To set up the notification, dial the number and click Rappel when you hear the busy tone or ringback. Then hang up.
When the extension becomes free, you receive an audible and visual alert on your phone. The callback is not automatic; you must place the call yourself. Callback is a special feature that your system administrator can configure for you on your phone.
Tip: Callback does not work if call forwarding is enabled on the other party's extension.
Using Busy Lamp Field Indicators to Determine a Line State
Depending on your configuration, you can use Busy Lamp Field (BLF) indicators to determine the state of a phone line associated with a speed-dial button, a call log, or a directory listing on your Cisco IP Communicator. You can call that line whatever the state of the BLF indicator; this feature does not prevent you from dialing a number.

To view the state of a speed-dial line:
    Look for one of the following indicator icons next to the line number:
    • The line is in use.
    • The line is idle.
    • The BLF indicator is not available or is not configured for this line.
    • The line is in Do Not Disturb mode.
To view the state of a line listed in a call log or directory:
    Look for one of the following indicator icons next to the line number:
    • The line is in use.
    • The line is idle.
    • The BLF indicator is not available for this line.
    • The line is in Do Not Disturb mode.

Using Shared Lines
Your system administrator may assign you a shared line. A shared line is mainly used in the following cases:
• You want to use one line on several phones, so that your desk phone and your Cisco IP Communicator are associated with the same extension number, for example 23456. In that case, all incoming calls to extension 23456 ring on both Cisco IP Communicator and the desk phone, and you can answer the call on either one.
• Several people share one line. For example, you are a manager and you share a line and extension with your assistant. All incoming calls to the shared extension then ring simultaneously on your phone and your assistant's. If your assistant answers, you can use the shared-line feature called "Insertion" (barge) to join the conversation in progress.
For more information about shared lines, contact your system administrator. Shared-line features such as Insertion do not apply to standard, non-shared lines.

Related Topics
• Adding Yourself to a Call on a Shared Line, page 3-36
• Preventing Others from Viewing or Joining a Call on a Shared Line, page 3-37
Adding Yourself to a Call on a Shared Line
If you use a shared line, you can join a conversation in progress using the Insertion (barge) option. When you use this feature, all other parties on the call hear a beep announcing your presence. When you hang up, the other parties hear a disconnect tone and the original call continues. Insertion applies to shared lines only.

To join a call in progress on a shared line:
    Select the call on the phone screen and click Insert (you may need to click the autres softkey first).
To end a barged call on a shared line:
    Hang up.

Tips
• You are disconnected from a call you have joined on a shared line if that call is put on hold, transferred, or turned into a conference call.
• You cannot answer a call on another line while you are barged into a call in progress on a shared line.
• Click a green line button while the call is active to return to the main screen. This gives you the list of all active calls.

Related Topics
• How to Handle Basic Calls, page 3-1
• Using Busy Lamp Field Indicators to Determine a Line State, page 3-34
• Preventing Others from Viewing or Joining a Call on a Shared Line, page 3-37
Procédures pour empêcher d'autres personnes d'afficher ou de se joindre à un
appel sur une ligne partagée
Si vous partagez une ligne téléphonique, vous pouvez utiliser la fonctionnalité de
confidentialité pour empêcher les personnes qui partagent votre ligne d'afficher
vos appels ou de s'y joindre.
To... Do this:
Prevent others from viewing calls on a shared line or joining them:
1. Press Private.
2. To verify that privacy is on, look for the feature-enabled icon next to an amber line button.
Allow others to view or join calls on a shared line:
1. Press Private.
2. To verify that privacy is off, look for the feature-disabled icon next to an unlit line button.
Tips
• If you share a line with a phone that has privacy enabled, you can still place and receive calls normally on the shared line.
• The Privacy feature applies to all shared lines on your phone. Consequently, if you have several shared lines and privacy is enabled, your co-workers cannot view or join calls on any of your shared lines.
Related Topics
• Handling basic calls, page 3-1
• Using Busy Lamp Field indicators to determine the state of a line, page 3-34
• Adding yourself to a call on a shared line, page 3-36
Placing or Receiving Intercom Calls
You can place an intercom call to a target phone that auto-answers the call in speakerphone mode with the microphone muted. One-way intercom calls let you deliver a short message to the recipient. If the recipient is using a handset or headset, the message is heard in that device. If the recipient already has a call in progress, that call continues at the same time.
The call recipient hears an intercom alert tone and can then choose to:
• Listen to the caller with the microphone muted (the recipient can hear the caller, but the caller cannot hear the recipient).
• End the intercom call by pressing the EndCall softkey after selecting the intercom call. Use this option if you do not want to listen to the message.
• Talk to the caller by pressing the active intercom button and using the handset, headset, or speakerphone. The intercom call becomes a two-way connection in which you can speak with the caller.
When you use the intercom feature, remember that:
• From an intercom line, you can call only other intercom lines.
• You can use only one intercom line at a time.
• You cannot receive or place an intercom call if your active call is being monitored or recorded.
• You cannot put an intercom call on hold.
Note: If you log in to your desk phone every day with your Extension Mobility profile, make sure your system administrator has configured your Extension Mobility profile to include the intercom feature.
To... Do this:
Place an intercom call to a preconfigured intercom target:
1. Press an intercom target line.
2. Wait until you hear the intercom alert tone.
3. Begin speaking.
Place an intercom call to an intercom number:
1. Press an intercom target line.
2. Do one of the following:
– Enter the target intercom number.
– Press the speed dial for your target.
3. Wait until you hear the intercom alert tone.
4. Begin speaking.
Receive an intercom call: When you hear the intercom alert tone, you can handle the call in one of the following ways:
• Listen to the message in one-way audio.
• Press an active amber intercom line to talk to the caller. (The line turns green when the call becomes two-way.)
• Press EndCall after selecting the intercom call to disconnect it.
Chapter 4
Customizing Settings on Cisco IP Communicator
• Accessing settings, page 4-1
• Adjusting the volume for a call, page 4-2
• Customizing rings and message indicators, page 4-3
• Customizing the phone screen, page 4-4
• Viewing and customizing preferences, page 4-5
Accessing Settings
Here is some useful information about Cisco IP Communicator settings:
• You can access most settings by choosing Preferences from the menu. You can open the menu from the menu icon in the window control button bar, by right-clicking the interface, or by pressing Shift+F10.
• Settings for rings and background images can be set by choosing the Settings button > User Preferences.
• Most settings are accessible in IP Communicator, but a few are available online through your User Options web pages.
Note: If you get no response when you press the Settings button, your system administrator may have disabled this key on your phone. For more information, contact your system administrator.
Related Topics
• Viewing and customizing preferences, page 4-5
• Customizing rings and message indicators, page 4-3
• Logging in to the Cisco Unified CM User Options web pages, page 7-2
Adjusting the Volume for a Call
Tips
• You can adjust the volume only for the active audio mode. For example, if you increase the volume in speakerphone mode, the headset-mode volume remains unchanged.
• If you adjust the volume for an audio mode without saving the change, the previous level is restored the next time you use that mode.
• If you adjust the volume of an audio device directly on the device (for example, with the computer's volume controls), the Check Audio Settings window may appear the next time Cisco IP Communicator starts. See Using the Audio Tuning Wizard, page 1-6.
To... Do this:
Adjust the volume during a call: Click the Volume button or press the Page Up/Page Down keys during a call or after invoking a dial tone. Click Save to adopt the new volume as the default level for the active audio mode.
You can also adjust the volume level with the computer's controls or with the controls on the audio device (see the Tips section for more information on how to do this).
Adjust the ringer volume: Click the Volume button while Cisco IP Communicator is on-hook (no call and no dial tone in progress). The new ringer volume is saved automatically.
Customizing Rings and Message Indicators
You can customize how Cisco IP Communicator signals an incoming call or a new voice message on each of your lines. Customizing ring tones and other indicators can help you quickly tell several lines apart. For example, you can choose a bird chirp to indicate an incoming call on line 1 and a drumbeat for incoming calls on line 2. The options in the Cisco Unified CM User Options web pages can vary. If you cannot find an option, contact your system administrator.
To... Do this:
Use a different ring tone for each line:
1. Click the Settings button and choose User Preferences > Rings.
2. Choose a phone line or the default ring.
3. Select a ring tone to hear a sample.
4. Press Select and Save to use that ring tone, or press Cancel.
Change the ring pattern (flash only, ring once, beep only, and so on):
1. Choose Cisco Unified CM User Options from the shortcut menu.
2. Go to the Cisco Unified CM User Options web pages.
3. Select your device.
4. Click Line Settings and make your selections in the Ring Settings section.
Change how the voice message indicator behaves:
1. Choose Cisco Unified CM User Options from the shortcut menu.
2. Go to the Cisco Unified CM User Options web pages.
3. Select your device.
4. Click Line Settings and make your changes in the Message Waiting Indicator section. Typically, the default policy is to always light the indicator when you receive a new voice message.
Note where the message waiting indicator is located:
• If you use Default mode (right-click > Skins > Default Mode), the indicator is the light strip on the left side of the interface.
• If you use Compact mode (right-click > Skins > Compact Mode), the indicator is the blinking envelope icon next to the line button.
Related Topics
• Adjusting the volume for a call, page 4-2
• Logging in to the Cisco Unified CM User Options web pages, page 7-2
Customizing the Phone Screen
To... Do this:
Change the background image of the phone screen: Click the Settings button and choose User Preferences > Background Images. Click the button to the left of the image you want to use, click Select, then click Preview to view the background. Click Exit to return to the selection menu. Click Save to accept the image, or Cancel to return to the previously saved setting.
Change the language of your phone screen: Log in to your Cisco Unified CM User Options web pages and select your device. Choose User Options > User Settings, change the user language information, and click Save.
Related Topics
• Logging in to the Cisco Unified CM User Options web pages, page 7-2
Viewing and Customizing Preferences
You can access most Cisco IP Communicator settings through the Preferences window (right-click > Preferences).
• User settings, page 4-5
• Network settings, page 4-7
• Audio settings, page 4-8
• Assigning audio modes, page 4-9
• Network audio settings, page 4-13
• Advanced audio settings, page 4-13
• Directory settings, page 4-15
User Settings
You can access the User tab of the Preferences window (right-click > Preferences > User tab).
Item / Description / For more information, see...
Enable Logging: When this option is enabled, your system administrator can retrieve detailed Cisco IP Communicator logs for troubleshooting. Your system administrator may ask you to enable this setting.
See: Troubleshooting Cisco IP Communicator, page 8-1
Close Hides the Application: When you enable this feature and then close the application, CIPC is not closed: it is hidden in the system tray icon. Double-click the system tray icon to restore the application. This feature is enabled by default.
See: Placing a call, page 3-3
Bring to Front on Active Call: When this option is enabled, the application is displayed on top of all other windows when an incoming call arrives. When the option is disabled, the application is not brought to the front when an incoming call arrives; the only indications of the incoming call are the ring and the pop-up notification window.
See: Answering a call, page 3-9
Hide Incoming Call Notification: When this option is enabled, the incoming call notification message is no longer displayed when a call arrives.
See: Answering a call, page 3-9
Use Default (TFTP Server): When this option is selected, the TFTP server address specified in the Network settings tab is used. This is the default. The format is:
http:///utilisateurccm
Your system administrator will tell you whether you need to change this setting.
See: Chapter 7, "Customizing Cisco IP Communicator with the Cisco Unified CM User Options"
Use Specific URL: Enter a different URL to use when opening the Cisco Unified CM User Options page. Use the following format:
http:///utilisateurccm
Your system administrator will tell you whether you need to change this setting.
See: Chapter 7, "Customizing Cisco IP Communicator with the Cisco Unified CM User Options"
Related Topics
• Network settings, page 4-7
• Audio settings, page 4-8
• Directory settings, page 4-15
Network Settings
You can access the Network tab of the Preferences window (right-click > Preferences > Network tab).
Caution: Changing these settings may cause your phone to fail. Do not change these settings until you have consulted your system administrator.
Item / Description / For more information, see...
Use Network Adapter to Generate Device Name: This setting, configured immediately after installation, lets Cisco IP Communicator identify itself on the network; it is not used for audio transmission. You therefore do not need to change this setting once it has been set, unless you permanently remove or disable the selected network adapter. In that case, contact your system administrator before selecting another adapter.
If you have several network adapters and are prompted to choose one immediately after installing Cisco IP Communicator, your system administrator will tell you which adapter to use.
See: Configuring and registering Cisco IP Communicator, page 1-9
Use This Device Name: This setting lets you enter a free-text device name that Cisco IP Communicator can use to identify itself to the network. Your system administrator will provide the device name.
See: Configuring and registering Cisco IP Communicator, page 1-9
TFTP Servers area: This area lets you specify TFTP servers or revert to using the default TFTP server. Your administrator will tell you whether you need to change this setting.
See: Configuring and registering Cisco IP Communicator, page 1-9
Related Topics
• Audio settings, page 4-8
• Directory settings, page 4-15
Audio Settings
You can access the Audio tab of the Preferences window (right-click > Preferences > Audio tab).
Item / Description / For more information, see...
Devices for Audio Modes area: This area lets you associate a device with an audio mode. The drop-down list shows the currently available audio devices, that is, those installed before Cisco IP Communicator started. For information about the Windows Default Audio Device setting, see Selecting an audio mode, page 4-9.
See:
• Installing audio devices before the initial launch, page 1-3
• Assigning audio modes, page 4-9
• Using headsets and other audio devices with Cisco IP Communicator, page 5-1
Device for Ringer area: This area lets you associate a device with the ringer.
See: Installing audio devices before the initial launch, page 1-3
Optimize for Low Bandwidth: If you use Cisco IP Communicator over a remote connection (for example, a VPN connection from home or a hotel), you may experience voice quality problems because of insufficient bandwidth. When you use Cisco IP Communicator over a remote connection, you can avoid robotic-sounding audio and other problems by enabling the Optimize for Low Bandwidth option.
See: Troubleshooting Cisco IP Communicator, page 8-1
Network button: Opens the Network Audio Settings window.
See: Network audio settings, page 4-13
Advanced button: Opens the Advanced Audio Settings window.
See: Advanced audio settings, page 4-13
Related Topics
• Assigning audio modes, page 4-9
• Network audio settings, page 4-13
• Advanced audio settings, page 4-13
Assigning Audio Modes
You must assign an audio mode to each audio device you use with Cisco IP Communicator:
• Headset mode
• Speakerphone mode
• Handset mode
• Ringer mode
Selecting an audio mode tells Cisco IP Communicator which audio devices to use for audio input and output.
When Cisco IP Communicator starts for the first time, you can assign audio devices to audio modes with the Audio Tuning Wizard. Afterwards, you can assign audio devices to modes by right-clicking in Cisco IP Communicator and choosing Preferences > Audio tab.
Related Topics
• Installing audio devices before the initial launch, page 1-3
• Selecting an audio mode, page 4-9
• Activating an audio mode, page 4-11
• About the audio devices in the Audio drop-down lists, page 4-12
Selecting an Audio Mode
By default, Cisco IP Communicator selects one audio device for all audio modes and for the ringer. This might be a sound card, for example. If you have several audio devices, you have additional configuration options. For example, if you use a USB headset, you can select it for headset mode and activate it by clicking the Headset button.
You can keep the default configuration or customize it. If you decide to customize it, follow these recommendations:
• If you use a USB headset, assign it to headset mode.
• If you use an external USB speaker, assign it to speakerphone mode.
• If you use a USB handset, assign it to handset mode.
• If you use an analog headset, assign the computer's sound card to headset mode.
• If you do not have an external speaker, select the computer's sound card for speakerphone mode.
• Assign the ringer to the device that should alert you to incoming calls. Note, however, that if you assign the ringer to a sound card and plug an analog headset into the computer, you will not hear the phone ring unless you are wearing the headset.
Tip: You can use the sound playback and recording settings of the Windows Control Panel (Sounds and Multimedia > Audio tab, or Sounds and Audio Devices > Audio tab on Windows XP) as Cisco IP Communicator audio devices. In the Cisco IP Communicator Preferences window (right-click > Preferences > Audio tab), select Windows Default Audio Device from the drop-down list for one or more settings and click OK. Use this method to use one device for sound playback and another (for example, a VT camera microphone) for sound recording.
Related Topics
• Activating an audio mode, page 4-11
• About the audio devices in the Audio drop-down lists, page 4-12
Activating an Audio Mode
Related Topics
• Selecting an audio mode, page 4-9
• About the audio devices in the Audio drop-down lists, page 4-12
• Using a headset, page 5-2
• Using your computer as a speakerphone, page 5-4
• Using a USB handset, page 5-5
To... Do this:
Activate headset mode: Click the Headset button (unlit). This activates the device you selected for this mode.
If you want to make headset mode the default mode, click the Headset button (unlit) and then EndCall.
Headset mode remains the default audio mode as long as the Headset button is lit (unless a USB handset is activated).
Activate speakerphone mode: Click the Speaker button. This activates the device you selected for this mode.
By default, speakerphone mode is activated when you click softkeys, line buttons, and speed-dial buttons (unless a USB handset is activated).
Activate handset mode: Go off-hook with the USB handset (provided that this device is available and assigned to handset mode). How you go off-hook with a USB handset depends on how the handset is designed. You may need to press a switch or a power button.
Activate the ringer: The ringer is activated when you receive a call.
About the Audio Devices in the Audio Drop-Down Lists
The Audio drop-down lists in the Audio tab (right-click > Preferences > Audio tab) contain one or more audio devices. Here is some information about the contents of these lists:
• If only one audio device is installed when Cisco IP Communicator starts, only one audio device appears in each list.
• Not all installed audio devices appear in the audio mode lists. The devices shown in these menus are those that require drivers (USB handsets, USB headsets, and sound cards).
• Analog audio devices, which plug into the computer's audio jacks, do not appear in the audio mode lists. Cisco IP Communicator does not distinguish between analog audio devices and your sound card. To select an analog device, select your sound card.
• If an installed USB audio device or a sound card does not appear in the list, make sure the device is plugged in and restart Cisco IP Communicator. Cisco IP Communicator recognizes only audio devices that are installed and plugged in when the application launches.
Note: If the Windows operating system finds audio devices and Windows Default Audio Device appears in the drop-down list, see Selecting an audio mode, page 4-9.
Related Topics
• Installing audio devices before the initial launch, page 1-3
• Using the Audio Tuning Wizard, page 1-6
• Viewing and customizing preferences, page 4-5
• Removing and reinstalling audio devices, page 5-6
Network Audio Settings
You can access the Network Audio tab of the Preferences window (right-click > Preferences > Audio tab > Network button).
Caution: Changing these settings may cause your phone to fail. Do not change these settings until you have consulted your system administrator.
Related Topics
• Audio settings, page 4-8
• Advanced audio settings, page 4-13
• Troubleshooting Cisco IP Communicator, page 8-1
Advanced Audio Settings
You can access the advanced audio settings in the Preferences window (right-click > Preferences > Audio tab > Advanced button).
Item / Description
Audio IP Address area: The default setting for this area is Auto Detect. Change it only if your system administrator asks you to.
Audio Port Range area: The default setting for this area is Use Default Port Range. Change it only if your system administrator asks you to.
Item / Description / For more information, see...
Mode: Selects the audio mode (speakerphone, headset, or handset) to which the changes apply.
See:
• Assigning audio modes, page 4-9
• Using headsets and other audio devices with Cisco IP Communicator, page 5-1
Noise Suppression Enabled: Attempts to suppress background noise picked up by the microphone that interferes with your voice. Noise suppression is enabled by default.
See: Troubleshooting Cisco IP Communicator, page 8-1
Levels of Aggressiveness: Sets the degree of noise suppression. Minimal noise suppression is the default.
Increase the aggressiveness level by one step if the person you are talking to complains of not hearing you well because of background noise.
Do not jump directly from one extreme to the other; for example, always move from the minimum level to the medium level, and from the medium level to the maximum level. Try to select the least aggressive mode that reduces or eliminates the noise.
Note: Changing the aggressiveness level may also change how your voice is transmitted. The person you are talking to may hear a robotic or metallic voice.
See: Troubleshooting Cisco IP Communicator, page 8-1
OK button: Saves all the changes made (including changes to modes that are not currently selected).
See: Assigning audio modes, page 4-9
Apply to All button: Applies the settings of the currently selected audio mode to all other audio modes.
See: Assigning audio modes, page 4-9
Related Topics
• Audio settings, page 4-8
• Network audio settings, page 4-13
Directory Settings
You can access the Directories tab of the Preferences window (right-click > Preferences > Directories tab).
Before you use the Quick Search feature to search corporate directories, you may need to enter a username and password in the Directories window. First try using Quick Search without entering this information. If the feature does not respond, ask your system administrator for your Directories window username and password and enter them here.
You must also enter your directory username and password in this window if you want to use Quick Search to search your Personal Address Book.
Related Topics
• Using the Personal Directory, page 6-7
• Entering password information for Quick Search, page 6-11
Chapter 5
Using Headsets and Other Audio Devices with Cisco IP Communicator
Ce chapitre décrit comment utiliser des périphériques tels qu'un combiné, un
casque d'écoute et les haut-parleurs et le microphone de l'ordinateur avec les
modes audio de Cisco IP Communicator (mode Combiné, mode Casque et mode
Haut-parleur).
• Obtention de périphériques audio, page 5-1
• Utilisation d'un casque, page 5-2
• Utilisation de votre ordinateur comme poste téléphonique à haut-parleur,
page 5-4
• Utilisation d'un combiné USB, page 5-5
• Suppression et réinstallation de périphériques audio, page 5-6
Obtention de périphériques audio
Votre administrateur système vous fournira peut-être des périphériques audio. Si
vous prévoyez d'en acheter, demandez à votre administrator système de vous
fournir la plus récente liste de périphériques pris en charge.Chapitre 5 Utilisation de casques d'écoute et d'autres périphériques audio avec Cisco IP Communicator
Utilisation d'un casque
5-2
Guide d'utilisation de Cisco IP Communicator version 7.0
OL-19177-01
Using a Headset
You can use a USB headset or an analog headset with Cisco IP Communicator.
• USB headsets have flat, rectangular plugs that connect to a USB port on your computer.
• Analog headsets have round plugs that connect to the audio jacks on your computer.
Analog headsets work with the computer's sound card and do not require a device driver.
The following table shows how to use a headset to place and answer calls.

To use a headset to place and answer calls:
Make sure the Headset button is active (lit), which indicates that Cisco IP Communicator is operating in Headset mode. You can turn Headset mode on and off by clicking the Headset button or by using the keyboard shortcut Ctrl + H.
If you use a headset as your primary audio device, it is useful to keep the Headset button lit even after a call ends, by clicking EndCall instead of pressing the Headset button to hang up. When the Headset button is not lit, Cisco IP Communicator uses Speakerphone mode as the default audio mode. Cisco IP Communicator responds to softkeys, speed-dial buttons, and other features by routing audio through the active mode.
You can use a headset with all of the Cisco IP Communicator controls, including the Volume button and the Mute button.
Note: Although analog headsets work in Speakerphone mode, using them in Headset mode improves the sound quality.

To use an analog headset as your only audio device:
Follow the guidelines in the previous row. Remember that when an analog headset is plugged into your computer, the ring is audible only through the headset's speakers. You must wear the headset to hear the phone ring.

To use Auto Answer with a headset:
Keep the Headset button active (lit) by clicking EndCall to hang up. (Click the Headset button first if necessary.) When the Headset button is lit, Cisco IP Communicator operates in Headset mode.

To switch to Headset mode during a call:
Click the Headset button or use the keyboard shortcut Ctrl + H. If you were using a USB handset before switching modes, you can turn it off or hang it up.

Tip: Auto Answer is a special feature that your system administrator can enable for you if you receive a high volume of incoming calls or if you handle calls on behalf of others. When Auto Answer is enabled, Cisco IP Communicator answers phone calls automatically and routes them through Speakerphone mode or Headset mode, depending on your configuration.

Related Topics
• Handling Basic Calls, page 3-1
• Assigning Audio Modes, page 4-9
• Using Your Computer as a Speakerphone, page 5-4
Using Your Computer as a Speakerphone
You can use your computer's sound card to place and answer calls in Speakerphone mode.

To use your computer as a speakerphone to place and answer calls:
Make sure the Speakerphone button is lit, which indicates that Cisco IP Communicator is operating in Speakerphone mode. Unlike the other modes, Speakerphone mode provides echo cancellation. You can turn Speakerphone mode on and off by clicking the Speakerphone button or by using the keyboard shortcut Ctrl + P.
Speakerphone mode is enabled by default. This means that many of the actions required to place or answer a call (such as using a speed-dial button or a softkey) automatically trigger Speakerphone mode.
Note: When an analog headset is plugged into your computer, you cannot hear sound through the computer's speakers in Speakerphone mode.

To switch to Speakerphone mode during a call:
Click the Speakerphone button or use the keyboard shortcut Ctrl + P. If you were using a handset before switching modes, turn it off or hang it up.

To use your computer's speaker as a ringer to alert you to incoming calls:
Make sure that your sound card is assigned to Ringer mode and that you have not muted the computer speaker. If you plug an analog headset into your computer, the ring is audible only through the headset's speakers.

To use Auto Answer in Speakerphone mode:
Click the Speakerphone button to place, answer, or end calls, to open and close lines, and to switch from another audio device to Speakerphone mode. Because Speakerphone mode is enabled by default, you do not need to keep the button lit as you do for Headset mode.

Tip: Auto Answer is a special feature that your system administrator can enable for you if you receive a high volume of incoming calls or if you handle calls on behalf of others. When Auto Answer is enabled, Cisco IP Communicator answers phone calls automatically and routes them through Speakerphone mode or Headset mode, depending on your configuration.

Related Topics
• Handling Basic Calls, page 3-1
• Assigning Audio Modes, page 4-9
• Using a Headset, page 5-2
• Using a USB Handset, page 5-5
Using a USB Handset
You must assign a USB handset to Handset mode. This configuration lets Cisco IP Communicator know whether the handset is on-hook or off-hook, so that you can, for example, end a call by hanging up the USB handset. For more information about this assignment, see Assigning Audio Modes, page 4-9.

To place or end a call using the handset:
Turn the USB handset on or off. Many handsets have a hook switch or a toggle switch. Lift the handset or turn it on to go off-hook.
You can use a USB handset with all of the Cisco IP Communicator controls, including the Volume button and the Mute button.

To switch to Handset mode during a call:
Lift the handset (or turn it on, as appropriate).

Related Topics
• Installing Audio Devices Before Initial Launch, page 1-3
• Handling Basic Calls, page 3-1
• Using a Headset, page 5-2
• Using Your Computer as a Speakerphone, page 5-4
• Removing and Reinstalling Audio Devices, page 5-6
Removing and Reinstalling Audio Devices
If you use Cisco IP Communicator on a laptop, you will probably remove and reinstall audio devices frequently as you move around. The following table contains information about reinstalling an audio device when you are ready to use it again.

To reinstall a previously tuned USB handset, USB headset, or sound card:
1. Install the audio device (for example, plug in the USB handset) while Cisco IP Communicator is not running.
2. Launch Cisco IP Communicator.
3. Select the device and tune it if necessary. You can open the Audio Tuning Wizard manually from Cisco IP Communicator (right-click > Preferences > Audio tab).
4. If necessary, assign the device to the desired audio modes.

To install a new device while the application is running and use it as the Cisco IP Communicator audio device:
1. Right-click > Preferences > Audio tab, and select the device from the drop-down list for the audio mode.
2. Click OK.
3. Tune the device when the Audio Tuning Wizard launches automatically.

To set a specific device to be used for your next call:
1. Make sure Cisco IP Communicator is running.
2. Configure it to use the default Windows device (right-click > Preferences > Audio tab, and select Windows default audio device).
3. Connect a new device and set it as the default Windows audio device in the Windows Control Panel.
4. Launch the Audio Tuning Wizard manually (right-click > Audio Tuning Wizard) to tune the device before using it.
If you restart the application without having tuned the device, the Audio Tuning Wizard launches automatically so that you can tune the device, and Cisco IP Communicator uses that device for your next call.

Tips
• Each time you launch it, Cisco IP Communicator checks that the audio device you used in your previous session is present. If the device cannot be found, Cisco IP Communicator prompts you to plug it in.
• If you install an audio device that requires device drivers (a USB handset, a USB headset, or a sound card) after launching Cisco IP Communicator, the application will not recognize the device until you relaunch it. The Audio Tuning Wizard then launches automatically so that you can tune the device.
• If you use Cisco IP Communicator over a remote connection, establish VPN connectivity before launching Cisco IP Communicator.
• If you reinstall a USB handset or headset on a Microsoft Vista workstation, make sure the operating system detects the USB device. Otherwise, Cisco IP Communicator will not be able to find it.

Related Topics
• Installing Audio Devices Before Initial Launch, page 1-3
• Using the Audio Tuning Wizard, page 1-6
• Assigning Audio Modes, page 4-9
• Removing and Reinstalling Audio Devices, page 5-6

Chapter 6
Using Voice Messaging, Call Logs, and Directories on Cisco IP Communicator
• Accessing Voice Messages, page 6-1
• Using Call Logs, page 6-3
• Dialing from a Directory, page 6-5
• Using the Personal Directory, page 6-7
Accessing Voice Messages
Your company determines the voice message service that your phone system uses. For accurate and detailed information about this service, see the corresponding documentation. The following table provides an overview of the voice message service features.

To set up and personalize your voice message service:
Click the Messages button and follow the voice prompts. If a menu appears on your phone screen, select the appropriate menu item.

To see whether you have new voice messages:
Look for:
• A steady red light on your handset. (This indicator can vary.)
• A flashing envelope icon and a text message on the phone screen.
Note: The red light and the message-waiting icon appear only when you have a message on your primary line, even if voice messages arrive on other lines.
Listen for:
A stutter dial tone in the handset, headset, or speakerphone when you place a call.
Note: The stutter tone is line-specific. You hear it only when you use the line associated with the waiting message.

To listen to your voice messages or access the voice message menu:
Click the Messages button. Depending on your voice message service, this either dials the voice message service automatically or displays a menu on the screen.

To send a call to your voice message system:
Click iDivert. The iDivert feature automatically transfers a call (including a ringing call or a call on hold) to your voice message system. Callers hear your voice message greeting and can leave you a message.

Related Topics
• Controlling Line Settings, page 7-10
• Customizing Rings and Message Indicators, page 4-3
Using Call Logs
Cisco IP Communicator maintains call logs. The logs contain records of your missed, placed, and received calls.

To view your call logs:
Click the Directories button and choose Missed Calls, Placed Calls, or Received Calls. Each log can contain up to 100 records.

To view the details of a call record:
1. Click the Directories button and choose Missed Calls, Placed Calls, or Received Calls.
2. Highlight a call record.
3. Press Details. This displays information such as the called number, the calling number, and the time and duration of the call (for placed and received calls only).

To erase the call records from all logs:
Click the Directories button, then click Clear.

To erase all call records from one log:
1. Click the Directories button and choose Missed Calls, Placed Calls, or Received Calls.
2. Highlight a call record.
3. Press Clear. (You might need to press the more softkey first to display the Clear button.)

To erase a single call record:
1. Click the Directories button and choose Missed Calls, Placed Calls, or Received Calls.
2. Highlight a call record.
3. Click Delete.

To dial from a call log (while not on another call):
1. Click the Directories button and choose Missed Calls, Placed Calls, or Received Calls.
2. Highlight a call record.
Note: If the Details softkey appears, the call is the primary entry of a multiparty call.
3. To display the number, press EditDial, then << or >>. To delete the number, press EditDial, then Delete. (You might need to press the more softkey first to display the Delete button.)
4. Go off-hook to place the call.

To dial from a call log (while on another call):
1. Click the Directories button and choose Missed Calls, Placed Calls, or Received Calls.
2. Highlight a call record.
3. To display the number, press EditDial, then << or >>. To delete the number, press EditDial, then Delete. (You might need to press the more softkey first to display the Delete button.)
4. Press Dial.
5. Then choose a menu item to handle the original call:
– Hold: puts the first call on hold and dials the second.
– Transfer: transfers the first party to the second and drops you from the call. Choose this option again after dialing to complete the action.
– Conference: creates a conference call among all parties, including you. (Press Confrn or Conference again after dialing to complete the action.)
– EndCall: disconnects the first call and dials the second.

To see whether a line listed in the call log is busy before calling it:
Look for Busy Lamp Field indicators.

To view your intercom call history:
Click the Directories button and select Intercom History. Details of the 25 most recent intercom calls are stored. You cannot dial intercom numbers from this list.

Related Topics
• Using Busy Lamp Field Indicators to Determine a Line State, page 3-34
Dialing from a Directory
Depending on its configuration, Cisco IP Communicator can provide corporate and personal directory features:
• Corporate Directory: business contacts that you can access on Cisco IP Communicator. It is set up and maintained by your system administrator.
• Personal Directory: if available, personal contacts and the associated Fast Dial codes that you can configure and access from Cisco IP Communicator and from your Cisco Unified CM User Options web pages. The Personal Directory comprises the Personal Address Book and Fast Dials:
– The Personal Address Book is a directory containing your personal contacts.
– Fast Dials are codes assigned to Personal Address Book entries to allow quick dialing.

Using the Corporate Directory

To dial from a corporate directory (while not on another call):
1. Press the Directories button, then select Corporate Directory (the exact name of this service can vary).
2. Enter a full or partial name using the keypad, then press Search.
3. To dial a number, press it in the list, or scroll to it and go off-hook with the handset.

To dial from a corporate directory (while on another call):
1. Press the Directories button, then select Corporate Directory (the exact name of this service can vary).
2. Enter a full or partial name using the keypad, then press Search.
3. Scroll to the number you want and press Select.
4. Then choose a menu item to handle the original call:
– Hold: puts the first call on hold and dials the second.
– Transfer: transfers the first party to the second and drops you from the call. Choose this option again after dialing to complete the action.
– Conference: creates a conference call among all parties, including you. (Press Confrn or Conference again after dialing to complete the action.)
– EndCall: disconnects the first call and dials the second.

To check whether a phone line listed in the directory is busy:
Look for Busy Lamp Field (BLF) indicators.

Related Topics
• Using Busy Lamp Field Indicators to Determine a Line State, page 3-34
Using the Personal Directory
The Personal Directory features include the Personal Address Book and Fast Dials.

To access the Personal Directory (for the Personal Address Book and Fast Dial codes):
1. Click the Directories button, then select Personal Directory (the exact name of this service can vary).
2. Enter your Cisco Unified Communications Manager user ID and PIN, then press Submit.

To search for an entry in your Personal Address Book:
1. Access the Personal Directory, then select Personal Address Book.
2. Enter search criteria, then press Submit.
3. You can click Previous or Next to move between entries.
4. Highlight the Personal Address Book entry you want and press Select.

To dial from a Personal Address Book entry:
1. Search for an entry.
2. Highlight the entry, then press Select.
3. Press Dial. (You might need to click the more softkey first to display the Dial button.)
4. Enter the participant's phone number.
5. Highlight the number to dial and click OK.
6. Press OK again to dial the number.

To delete a Personal Address Book entry:
1. Search for an entry.
2. Highlight the entry, then press Select.
3. Click Delete.
4. Click OK to confirm the deletion.

To edit a Personal Address Book entry:
1. Search for an entry.
2. Highlight the entry and press Edit to change a name or email address.
3. If necessary, select Phones to change a phone number.
4. Click Update.

To add a new Personal Address Book entry:
1. Access the Personal Directory, then select Personal Address Book.
2. Access the Search page by selecting Submit. (You do not need to enter search criteria first.)
3. Click New.
4. Use the phone keypad to enter a name and email address information.
5. Select Phones and use the keypad to enter phone numbers. Be sure to include any required access codes, such as 9 or 1.
6. Select Submit to add the entry to the database.

To assign a Fast Dial code to a Personal Address Book entry:
1. Search for the entry in the Personal Address Book.
2. Highlight the entry, then press Select.
3. Press FastDial.
4. Highlight the number to dial and press Select.
5. Highlight the Fast Dial code to assign to the number, then press Select.

To add a Fast Dial code (without using a Personal Address Book entry):
1. Click the Directories button and select Personal Directory > Personal Fast Dials.
2. Press FastDial.
3. Highlight an unassigned Fast Dial code, then press Select.
4. Press Assign.
5. Enter a phone number.
6. Click Update.

To search for Fast Dial codes:
1. Click the Directories button and select Personal Fast Dials.
2. You can click Previous or Next to move between entries.
3. Highlight the entry you want and press Select.

To place a call using a Fast Dial code:
1. Search for a Fast Dial code.
2. Highlight the entry you want and press Select.
3. Press Dial.
4. Press OK to complete the action.

To delete a Fast Dial code:
1. Search for a Fast Dial code.
2. Highlight the entry you want and press Select.
3. Press Remove.

To log out of the Personal Directory:
1. Click the Directories button, then select Personal Directory (the exact name of this service can vary).
2. Choose Logout.

Tips
• Your system administrator can provide you with the user ID and PIN you need to log in to the Personal Directory.
• You are automatically logged out of the Personal Directory after a certain period of time. This period can vary. For more information, contact your system administrator.

Related Topics
• Logging In to the Cisco Unified CM User Options Web Pages, page 7-2
• Using Your Personal Address Book, page 7-3
• Configuring Fast Dials, page 7-4
Using Quick Search
Quick Search lets you search one or more directories with a single command. The search can cover several corporate directories and your Personal Address Book, depending on the settings configured by your system administrator.
Note: Quick Search of the Personal Address Book is not supported in all versions of Cisco Unified Communications Manager. Ask your system administrator whether this feature is available on your system.
To access Quick Search, right-click Cisco IP Communicator and select Quick Search.
In the Quick Search window, enter a name or extension number, then click Quick Dial or Search:
• Quick Dial: dials the number automatically when the search returns a single match. You must still click the Dial softkey to connect the call. If the search returns several matches, they are displayed.
• Search: displays the search results without dialing a number automatically.
Note: Only phone numbers entered in the Work field of the address book are displayed in Quick Search results. Home and mobile phone numbers are not displayed.
To place a call from the search results, click an entry in the Quick Search window, then click Dial.
Related Topics
• Entering Password Information for Quick Search, page 6-11
Saisie d'informations de mot de passe pour la fonction
Recherche rapide
Selon la manière dont vous souhaitez utiliser la Recherche rapide, vous derez
peut-être saisir vos informations d'ouverture de session (nom d'utilisateur et mot
de passe) comme décrit dans le tableau suivant.
Pour... Procédez comme suit :
Effectuer une
recherche dans un
répertoire d'entreprise
Si vous n'utilisez pas le service Carnet d'adresses personnel et si vous faites
appel à la fonction Recherche rapide uniquement pour trouver des collègues
dans le répertoire de l'entreprise, il ne sera peut-être pas nécessaire d'effectuer
de configuration. Effectuez un test en sélectionnant Recherche rapide dans le
menu contextuel :
• Si la fenêtre Recherche rapide apparaît, aucune configuration n'est
nécessaire.
• Si la fenêtre Recherche rapide ne s'ouvre pas, entrez un nom d'utilisateur
et un mot de passe (clic droit > Préférences > onglet Répertoire).
Ask your system administrator for the corresponding information.

Cisco IP Communicator User Guide, Version 7.0
OL-19177-01

To...                    Do the following:

Search your Personal Address Book
If you use the Personal Address Book service, Quick Search can try to find matches first in your address book and then in the corporate directory. The following conditions must be met for Quick Search to access your Personal Address Book:
• Your system administrator must configure Quick Search to integrate with personal directories.
• You must subscribe to the Personal Address Book service (right-click > Cisco Unified CM User Options).
• You must enter your user name and password in the Directories window (right-click > Preferences > Directories tab).

Use another search method
If you want to use a search method other than Quick Search, you have the following options:
• To search corporate directories, click the Directories button, then select Corporate Directory (the exact name of this service may vary).
• To search your Personal Address Book, click the Services button and select Personal Address Book Service (the exact name of this service may vary).
Enter the search information and click Search.

Related topics
• Handling calls with Cisco IP Communicator, page 3-1
• Customizing settings on Cisco IP Communicator, page 4-1
• Using call logs, page 6-3
• Logging in to the Cisco Unified CM User Options web pages, page 7-2
Chapter 7: Customizing Cisco IP Communicator Using Cisco Unified CM User Options

Because your Cisco IP Communicator is a network device, it can share information with other network devices in your company, including your computer and the web services that you reach through a web browser on your computer.

You can set up phone services and control features from your computer by using the User Options web pages of your Cisco Unified Communications Manager call-processing server. Once features and services are configured on the web pages, you can access them from your Cisco IP Communicator. For example, you can set up speed-dial buttons from the web pages and then access them on your phone.

• Logging in to the Cisco Unified CM User Options web pages, page 7-2
• Using your Personal Address Book, page 7-3
• Setting up speed dialing, page 7-5
• Setting up phone services, page 7-7
• Controlling user settings, page 7-9
• Controlling line settings, page 7-10
• Setting up phones and access lists for Mobile Connect, page 7-12
• Using Cisco WebDialer, page 7-15
Logging in to the Cisco Unified CM User Options web pages

Procedure

Step 1 Click the Menu button (or right-click Cisco IP Communicator) and choose Cisco Unified CM User Options.
Step 2 Enter the default user ID and password provided by your system administrator.
Step 3 From the main menu, choose User Options > Device.
  a. Select the device name that corresponds to Cisco IP Communicator.
  b. After making your selection, use the buttons at the bottom of the window to reach the settings for your device.
  c. Click Log Off to exit the application.
Step 3 If you are using Cisco Unified Communications Manager 4.x:
  a. From the general menu, choose a device type in the Select a device drop-down list.
  b. After making your selection, a context-sensitive menu appears with the options available for that device type. (If the device type is not listed, contact your administrator.)
  c. Click Log Off to exit the application.

Tip
• Select your device from the menu page to see all of your options.
• Click Update to apply and save your changes.
• Click Return to Menu to get back to the context-sensitive menu.
Using your Personal Address Book

To...                    After logging in to the Cisco Unified CM User Options web page, do the following:

Add a new Personal Address Book entry
1. Choose User Options > Personal Address Book.
2. Click Add New.
3. Enter the information for the entry.
4. Click Save.

Search for a Personal Address Book entry
1. Choose User Options > Personal Address Book.
2. Enter the search information and click Find.

Edit a Personal Address Book entry
1. Search for the entry in the Personal Address Book.
2. Click a name or nickname.
3. Edit the entry and click Save.

Delete a Personal Address Book entry
1. Search for the entry in the Personal Address Book.
2. Select one or more entries.
3. Click Delete Selected.

Related topics
• Logging in to the Cisco Unified CM User Options web pages, page 7-2
• Setting up Fast Dials, page 7-4
• Setting up speed dialing, page 7-5
Setting up Fast Dials

To...                    After logging in to the Cisco Unified CM User Options web page, do the following:

Assign a Fast Dial code to a Personal Address Book entry
1. Create a Personal Address Book entry.
2. Choose User Options > Fast Dials.
3. Click Add New.
4. Use the Search Options area to find the Personal Address Book entry.
5. Click a phone number in the Search Results area.
6. Change the Fast Dial code, if necessary.
7. Click Save.

Assign a Fast Dial code to a phone number (without using a Personal Address Book entry)
1. Choose User Options > Fast Dials.
2. Click Add New.
3. Change the Fast Dial code, if necessary.
4. Enter a phone number.
5. Click Save.

Search for a Fast Dial entry
1. Choose User Options > Fast Dials.
2. Enter the search information and click Find.

Edit the phone number that corresponds to a Fast Dial code
1. Choose User Options > Fast Dials.
2. Search for the Fast Dial entry that you want to edit.
3. Click a component of the entry.
4. Change the phone number.
5. Click Save.

Delete a Fast Dial entry
1. Search for the Fast Dial entry.
2. Select one or more entries.
3. Click Delete Selected.

Tip You can create up to 500 Fast Dial and Personal Address Book entries.

Tip You can create new Fast Dials without using a Personal Address Book entry. Such Fast Dial entries are labeled "raw" in the User Options web pages and do not display a configurable text label.

Related topics
• Using your Personal Address Book, page 7-3
• Logging in to the Cisco Unified CM User Options web pages, page 7-2
Setting up speed dialing

Depending on its configuration, your Cisco IP Communicator can support several speed-dial features:
• Speed-dial buttons
• Abbreviated Dialing
• Fast Dials

To...                    After logging in to the Cisco Unified CM User Options web page, do the following:

Set up speed-dial buttons
1. Choose User Options > Device.
2. Select a phone from the Name drop-down menu.
3. Click Speed Dials.
4. Enter the number and label for a speed-dial button (programmable button) on your phone.
5. Click Save.
Note Your phone uses the Name field without accented characters.

Set up speed-dial buttons, Cisco Unified Communications Manager version 4.x
Log in to your Cisco Unified CM User Options web pages, select your device, then choose Add/Update your Speed Dials from the main menu.
In the Speed Dial Settings on Phone section, enter a phone number and a label for each available speed-dial button. Enter the number exactly as you would dial it from your desk phone; for example, enter an access code such as 9 or the area code if needed.
The label you enter appears next to the speed-dial button on your phone screen.

Set up Abbreviated Dialing
1. Choose User Options > Device.
2. Select a phone from the Name drop-down menu.
3. Click Speed Dials.
4. Enter the number and label for an Abbreviated Dialing code.
5. Click Save.

Set up Abbreviated Dialing, Cisco Unified Communications Manager version 4.x
Log in to your Cisco Unified CM User Options web pages, select your device, then choose Add/Update your Speed Dials from the main menu.
In the Speed Dial Settings not associated with a phone button section, enter a phone number and a label for each available speed dial. Enter the number exactly as you would dial it from your phone; for example, enter an access code such as 9 or the area code if needed.

Related topics
• Logging in to the Cisco Unified CM User Options web pages, page 7-2
• Setting up Fast Dials, page 7-4
• Using the Personal Directory, page 6-7
Setting up phone services

Phone services can include special phone features, network data, and web-based information (for example, stock quotes or movie listings). You must subscribe to a phone service before you can access it on your phone.

To...                    After logging in to the Cisco Unified CM User Options web page, do the following:

Subscribe to a service
1. Choose User Options > Device.
2. Select a Cisco IP Communicator name from the drop-down menu.
3. Click Phone Services.
4. Click Add New.
5. Choose a service from the drop-down list and click Next.
6. Change the service label and/or enter additional service information, if available (optional).
7. Click Save.
Cisco Unified Communications Manager 4.x
From the main menu, choose Configure your Cisco IP Phone Services. Select a service from the Available Services drop-down list, then click Continue. Enter any additional information requested (for example, a ZIP code or a PIN), then click Subscribe.

Search for services
1. Select a Cisco IP Communicator device name.
2. Click Phone Services.
3. Click Find.

Change or end a service subscription
1. Search for services.
2. Select one or more entries.
3. Click Delete Selected.
Cisco Unified Communications Manager 4.x
From the main menu, choose Configure your Cisco IP Phone Services. Click a service in the Your Subscriptions pane. Click Update after making your changes, or click Unsubscribe.

Change a service name
1. Search for services.
2. Click the service name.
3. Change the information and click Save.

Add a service to an available programmable button
1. Choose User Options > Device.
2. Select a Cisco IP Communicator name from the drop-down menu.
3. Click Service URL.
Note If this option does not appear on the screen, ask your system administrator to configure a Service URL button for your phone.
4. Select a service from the Service Button drop-down list.
5. If you want to rename the service, edit the label fields.
Note Your phone uses the Name field without accented characters if it does not support double-byte character sets.
6. Click Save.
7. Click Reset to reset your phone (required for the new button label to appear on your phone).
Cisco Unified Communications Manager version 4.x
After subscribing to a service, choose Add/Update your Service URL Buttons from the main menu. For each available button, select a service from the drop-down list and enter a description. Click Update when you have made your changes.
Your system administrator determines how many buttons can be associated with services and can also assign service buttons to your phone.

Access a service on the phone
Click the Services button. Or, if you have added a service to a programmable button, press that button.
Controlling user settings

User settings include your password, your personal identification number (PIN), and your language settings.

Tip Your PIN and password give you access to several features and services. For example, use your PIN to log in to Cisco Extension Mobility or to the Personal Directory on your phone. Use your password to log in to your User Options web pages and to Cisco WebDialer on your computer. For more information, contact your system administrator.

To...                    After logging in to the Cisco Unified CM User Options web page, do the following:

Change your password
1. Choose User Options > User Settings.
2. Fill in the fields in the Browser Password area.
3. Click Save.

Change your PIN
1. Choose User Options > User Settings.
2. Fill in the fields in the Phone PIN area.
3. Click Save.

Change the language of the User Options web pages
1. Choose User Options > User Settings.
2. In the User Language area, choose an option from the Language drop-down list.
3. Click Save.

Change the language of your phone screen
1. Choose User Options > User Settings.
2. Select an option from the User Language drop-down list.
3. Click Save.
Controlling line settings

Line settings affect a specific line (directory number) on your Cisco IP Communicator. Line settings can include call forwarding, voice message indicators, ring tones, and line labels.

You can also configure other line settings directly on your Cisco IP Communicator.

To...                    After logging in to the Cisco Unified CM User Options web page, do the following:

Set up call forwarding per line
1. Choose User Options > Device.
2. Select a Cisco IP Communicator name from the Name drop-down menu.
3. Click Line Settings.
4. If more than one directory number (line) is assigned to your phone, select a line from the Line drop-down menu.
5. In the Incoming Call Forwarding area, choose call forwarding settings for the various conditions.
6. Click Save.

Change the voice message indicator setting per line (indicator light)
1. Choose User Options > Device.
2. Select a Cisco IP Communicator name from the Name drop-down menu.
3. Click Line Settings.
4. If more than one directory number (line) is assigned to your phone, select a line from the Line drop-down menu.
5. In the Message Waiting Indicator area, choose one or more settings.
Note Typically, the default message waiting setting prompts your phone to display a steady red light on the handset light strip to indicate a new voice message.
6. Click Save.

Change the audible voice message indicator setting per line
1. Choose User Options > Device.
2. Select a Cisco IP Communicator name from the Name drop-down menu.
3. Click Line Settings.
4. If more than one directory number (line) is assigned to your phone, select a line from the Line drop-down menu.
5. In the Message Waiting Indicator area, choose one or more settings.
Note Typically, the default message waiting setting prompts your phone to display a steady red light on the handset light strip to indicate a new voice message.
6. Click Save.

Change or create a line label that appears on your phone screen
1. Choose User Options > Device.
2. Select a phone from the Name drop-down menu.
3. Click Line Settings.
4. If more than one directory number (line) is assigned to your phone, select a line from the Line drop-down menu.
5. In the Line Label area, enter a label.
6. Click Save.
Note Your phone uses the Name field without accented characters if it does not support double-byte character sets.

Related topics
• Logging in to the Cisco Unified CM User Options web pages, page 7-2
• Customizing ring tones and message indicators, page 4-3
• Accessing settings, page 4-1
Setting up phones and access lists for Mobile Connect

When you use Cisco Mobile Connect, you must specify the mobile and other phones that you want to use to make and receive calls with the same directory numbers as your desk phone. These phones are called remote destinations. You can also define access lists to block or allow calls from certain numbers from being sent to your mobile phone.

To...                    After logging in to the Cisco Unified CM User Options web page, do the following:

Create an access list
1. Choose User Options > Mobility Settings > Access Lists.
2. Click Add New.
3. Enter the following information:
   – Name: identifies the access list.
   – Description: describes the access list.
4. Select one of the following options:
   – Blocked Access List: creates a list of numbers to block.
   – Allowed Access List: creates a list of allowed numbers.
5. Click Save.

Add members to an access list
1. Create an access list.
2. Click Add Member to add phone numbers or filters to the list.
3. Select an option from the Filter Mask drop-down list. You can filter a directory number, or calls whose caller ID is restricted (Not Available) or anonymous (Private).
4. If you select a directory number in the Filter Mask drop-down list, enter a phone number or a filter in the DN Mask field. You can use the following wildcards to define a filter:
   – X (upper or lower case): matches a single digit. For example, 408555123X matches any number between 4085551230 and 4085551239.
   – !: matches any number of digits. For example, 408! matches any number that begins with 408.
   – #: stands in for a single digit to create an exact match.
5. Click Save to add this member to the access list.
6. Click Save again to save the access list.

Add a new remote destination
1. Choose User Options > Mobility Settings > Remote Destinations.
2. Select the device from the Name drop-down list box.
3. Click Remote Destinations.
4. Click Add New.
5. Enter the following information:
   – Name: enter a name for the mobile (or other) phone.
   – Destination Number: enter the number of your mobile phone.
   – Early Answer Timer: enter the delay (in milliseconds) to observe before a call is answered on the remote destination device.
   – Late Answer Timer: enter the delay (in milliseconds) to observe before a call is answered on the remote destination device.
   – Delay Before Ringing Timer: enter the delay (in milliseconds) to observe before the remote destination device rings.
   – Remote Destination Profile: select a remote destination profile (it contains the settings that apply to all of your remote destinations).
   – Allowed Access List: select a phone number or rule that allows your mobile phone to ring when a call arrives at your desk phone. You can select either an allowed access list or a blocked access list, but not both.
   – Blocked Access List: select a phone number or rule that prevents your mobile phone from ringing when a call arrives at your desk phone. You can select either an allowed access list or a blocked access list, but not both.
   – Mobile Phone: select this option so that your mobile phone can accept a call dialed from your desk phone.
   – Enable Mobile Connect: select this option so that your mobile phone rings at the same time as your desk phone. You can also configure a ring schedule.
6. Click Save.

Related topics
• Logging in to the Cisco Unified CM User Options web pages, page 7-2
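The DN Mask wildcards and the allowed/blocked access-list choice described above, as an added Python example (not code from Cisco or from this guide). It assumes that "!" matches one or more digits, that "#" is matched as a literal digit, and it models the Not Available and Private filter-mask choices as string tokens.

```python
"""Mobile Connect access-list matching, modelled on the User Options pages
(added example; not Cisco code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The two non-numeric choices in the Filter Mask drop-down: calls whose
# caller ID is restricted or anonymous rather than a directory number.
NOT_AVAILABLE = "Not Available"   # caller ID restricted
PRIVATE = "Private"               # caller ID anonymous


def dn_mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Compile a DN Mask from the Add Member page into an anchored regex.

    Wildcards as the guide describes them:
      X / x  -> exactly one digit
      !      -> an indefinite run of digits (assumed here: one or more)
      #      -> a literal '#' digit, giving an exact match
    Plain digits match themselves; any other character is rejected so a
    typo in the mask fails loudly instead of silently matching nothing.
    """
    parts = []
    for ch in mask:
        if ch in "Xx":
            parts.append(r"\d")
        elif ch == "!":
            parts.append(r"\d+")
        elif ch == "#":
            parts.append(r"\#")
        elif ch.isdigit():
            parts.append(ch)
        else:
            raise ValueError(f"invalid character {ch!r} in DN mask {mask!r}")
    return re.compile("^" + "".join(parts) + "$")


@dataclass
class AccessList:
    """An Allowed or Blocked access list and its members, each member being a
    DN Mask or one of the special NOT_AVAILABLE / PRIVATE choices."""
    name: str
    blocked: bool                      # True = Blocked Access List, False = Allowed
    members: List[str] = field(default_factory=list)

    def matches(self, caller_id: Optional[str]) -> bool:
        """True if the calling party matches any member of this list.

        caller_id is the presented digit string, NOT_AVAILABLE for a
        restricted caller ID, PRIVATE for an anonymous one, or None if
        nothing at all was presented.
        """
        for member in self.members:
            if member in (NOT_AVAILABLE, PRIVATE):
                if caller_id == member:
                    return True
            elif caller_id not in (None, NOT_AVAILABLE, PRIVATE):
                # DN masks are only meaningful against a real digit string.
                if dn_mask_to_regex(member).match(caller_id):
                    return True
        return False


def remote_destination_rings(caller_id: Optional[str],
                             access_list: Optional[AccessList]) -> bool:
    """Decide whether a remote destination rings for an incoming call.

    A destination carries at most one list (allowed OR blocked, never both):
      - no list       -> every call rings the mobile phone
      - allowed list  -> only matching callers ring it
      - blocked list  -> matching callers are kept from ringing it
    """
    if access_list is None:
        return True
    hit = access_list.matches(caller_id)
    return not hit if access_list.blocked else hit


if __name__ == "__main__":
    # Constructed sample: block everything from the 408 area code plus
    # calls with a restricted caller ID.
    blocked = AccessList("no-408", blocked=True, members=["408!", NOT_AVAILABLE])
    for caller in ("4085551234", "5105550100", NOT_AVAILABLE, PRIVATE):
        print(f"{caller:>14}: rings={remote_destination_rings(caller, blocked)}")
```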
Using Cisco WebDialer

Cisco WebDialer lets you call Cisco IP Communicator directory contacts by clicking items in a web browser. Your system administrator must configure this feature for you.

To...                    After logging in to the Cisco Unified CM User Options web page, do the following:

Use WebDialer with your User Options directory
1. Choose User Options > Directory and search for a coworker.
2. Click the number that you want to dial.
3. If you are using WebDialer for the first time, set up your preferences and click Submit (see the last row of this table for details).
4. If the Make Call page appears, click Dial. (See the last row of this table for how to keep this page from appearing in the future.)
The call is placed on your phone.
5. Click Hang Up or hang up the handset of your phone to end the call.

Use WebDialer with another online corporate directory (not your User Options directory)
1. Log in to a WebDialer-enabled corporate directory and search for coworkers.
2. Click the number that you want to dial.
3. When prompted, enter your user ID and password.
4. If you are using WebDialer for the first time, set up your preferences and click Submit (see the last row of this table for details).
5. If the Make Call page appears, click Dial. (See the last row of this table for how to keep this page from appearing in the future.)
The call is placed on your phone.
6. Click Hang Up or hang up the handset of your phone to end the call.

Log out of WebDialer
Click the logout icon on the Make Call or Hang Up page.

Set up, view, or change WebDialer preferences
Go to the Preferences page.
The Preferences page appears the first time you use WebDialer (after you click the number that you want to dial).
To return to your preferences later, click the Preferences icon on the Make Call or Hang Up page.
The Preferences page contains the following options:
• Preferred language: determines the language used for WebDialer settings and prompts.
• Use permanent device: identifies the Cisco Unified IP Phone and directory number (line) to use for WebDialer calls. If your phone has a single line, that phone and line are selected automatically. Otherwise, choose a phone and/or a line. Phones are listed by host name. (To display your phone's system name, click the Settings button and choose Network Configuration > Host Name.)
• Use Extension Mobility: when selected, prompts WebDialer to use the Cisco Unified IP Phone associated with your Extension Mobility profile (if any).
• Do not display call confirmation dialog: when selected, prompts WebDialer to suppress the Make Call page. That page appears by default when you click a phone number in a WebDialer-enabled online directory.

Related topics
• Logging in to the Cisco Unified CM User Options web pages, page 7-2
Chapter 8: Troubleshooting Cisco IP Communicator

• General problems, page 8-1
• Voice quality problems, page 8-5
• Using the Quality Reporting Tool to troubleshoot performance problems, page 8-10
• Enabling detailed logs, page 8-11
• Capturing information about problems, page 8-11

General problems

Problem Audio quality is poor when I take part in MeetingPlace conferences and use Cisco IP Communicator.
Solution Close unused applications while you are in a conference. If you are on a VPN connection, consider using the Cisco Unified MeetingPlace console connectivity option.
You can also optimize the bandwidth of the conference session by using different connections. Cisco Unified MeetingPlace users have an option to verify that their connection is adequate. Details on optimizing bandwidth in MeetingPlace are provided in the Cisco Unified MeetingPlace User Guide.
Problème Après le démarrage initial, aucun numéro de poste n'apparaît et la ligne
d'état affiche le libellé Enregistrement en cours.
Solution Vérifiez que vous avez sélectionné un serveur TFTP, le cas échéant. Si
vous devez définir une adresse TFTP, votre administrateur doit vous la fournir. Si
vous êtes un utilisateur distant, veillez à établir la connexion réseau avant de
lancer Cisco IP Communicator.
Rubriques connexes
• Configuration et enregistrement Cisco IP Communicator, page 1-9
• Paramètres réseau, page 4-7
Problème Après son démarrage, Cisco IP Communicator ne trouve pas votre carte
réseau et vous demande de l'insérer.
Solution Si possible, sélectionnez un autre périphérique d'interface réseau. Vous
pouvez par exemple remplacer une carte sans fil ou un adaptateur Ethernet USB
par un autre adaptateur.
Si vous avez lancé Cisco IP Communicator pour la première fois sur un ordinateur
portable connecté à une station d'accueil, essayez de connecter l'ordinateur à la
station. Si cela résoud le problème, demandez à votre administrateur système de
vous aider à configurer le nom du périphérique afin que Cisco IP Communicator
fonctionne sans qu'il ne soit nécessaire de connecter l'ordinateur à la station
d'accueil.
Si vous avez retiré ou désactivé définitivement l'adaptateur réseau qui avait été
sélectionné, contactez votre administrateur système avant de sélectionner un autre
adaptateur.
Rubriques connexes
• Configuration et enregistrement Cisco IP Communicator, page 1-9
• Paramètres réseau, page 4-7
Problem Your audio device does not appear in the drop-down menu for an audio mode.
Solution If the device is a USB handset, a USB headset, or a sound card, verify that it is installed correctly and restart Cisco IP Communicator. Devices that are installed while the application is open are only recognized the next time it is launched.
Cisco IP Communicator User Guide, Version 7.0
OL-19177-01
Chapter 8 Troubleshooting Cisco IP Communicator
General Problems
If the device is an analog device, it does not appear in the audio mode lists because this type of device is treated as an extension of your sound card. In that case, select the sound card.
To use one device for audio playback and another (for example, a VT camera microphone) for audio recording in Cisco IP Communicator, right-click > Preferences > Audio tab. Select Windows Default Audio Device from the drop-down list for one or more settings, then click OK.
Related Topics
• Installing Audio Devices Before Initial Launch, page 1-3
• Assigning Audio Modes, page 4-9
• Selecting an Audio Mode, page 4-9
• Removing and Reinstalling Audio Devices, page 5-6
Problem After starting, Cisco IP Communicator shows no extension number or shows an incorrect extension number.
Solution Contact your system administrator for assistance.
You may have selected an incorrect network card. If you have several cards and are prompted to select one immediately after installing Cisco IP Communicator, select a card that is likely to provide an uninterrupted connection, or a card that is always enabled (even when unplugged). Contact your system administrator to find out which card to select.
The network card setting lets Cisco IP Communicator identify itself to the network; it is not used for audio transmission. For this reason, you should not change this setting once it has been set, unless you permanently remove or disable the selected network card. In that case, contact your system administrator before selecting another card.
Related Topics
• Configuring and Registering Cisco IP Communicator, page 1-9
• Network Settings, page 4-7
Problem Nothing happens when you select the Quick Search option.
Solution Right-click > Preferences > Directories tab, and enter the username and password provided by your system administrator.
Related Topics
• Directory Settings, page 4-15
• Using the Personal Directory, page 6-7
Problem Your phone's ringer is not audible or is hard to hear.
Solution Adjust your ringer volume by clicking the Volume button when no call is active.
• If you use a USB handset, do not select it for the ringer. In general, it is recommended to select the sound card for the ringer.
• If your sound card is selected for Ringer mode and a headset is connected to the computer's audio jacks, you must wear the headset to hear the ringer.
Related Topics
• Installing Audio Devices Before Initial Launch, page 1-3
• Assigning Audio Modes, page 4-9
• Using the Audio Tuning Wizard, page 1-6
• Accessing Settings, page 4-1
• Voice Quality Problems, page 8-5
Voice Quality Problems
Before You Begin
• If the problem concerns volume, first try adjusting it by clicking Volume in Cisco IP Communicator.
• Call other people to determine whether the problem is related to Cisco IP Communicator or to the other party's phone. If you think the problem comes from the other party's phone, adjust the volume in Cisco IP Communicator. In that case, avoid changing settings with the Audio Tuning Wizard (those changes might not suit all calls).
• Your system administrator may ask you to enable logging to record detailed information for troubleshooting.
If the problem concerns the volume level, proceed as follows:
• In the Audio Tuning Wizard, first adjust the master volume slider. This setting applies to all applications that play audio, so you should test it in other applications (such as Microsoft Windows Media Player and RealPlayer) to verify that the volume levels are correct.
• In the Audio Tuning Wizard, then adjust the Wave volume slider to reach a comfortable listening level for phone calls.
• If you changed the volume settings in Microsoft Windows, run the Audio Tuning Wizard again (see the procedure above) to readjust the master and Wave volume settings.
Related Topics
• Enabling Detailed Logs, page 8-11
Problem The other party's voice is too loud.
Solution
• Try adjusting the volume by clicking the Volume button.
• Launch the Audio Tuning Wizard and adjust the speaker volume for the audio device in use.
Problem The other party tells you that your voice is too loud.
Solution
• Try moving the microphone slightly away from your mouth, moving it toward your chin if you use a headset.
• If the problem persists, launch the Audio Tuning Wizard and lower the microphone volume for the audio device in use.
• If your voice is still too loud, disable the Microphone Boost function for this device in the Audio Tuning Wizard.
Problem The other party's voice is too quiet.
Solution
• Try adjusting the volume by clicking the Volume button.
• Launch the Audio Tuning Wizard and adjust the speaker volume for the audio device in use.
Problem The other party tells you that your voice is too quiet.
Solution
• If you use a headset, verify that Cisco IP Communicator is in Headset mode and not Speaker mode. Headset mode is enabled when the Headset button is lit. If this button is not lit, click it.
• If you use a headset, verify that the microphone is positioned correctly.
• If the problem persists, launch the Audio Tuning Wizard and increase the microphone volume for the audio device in use. Before tuning an audio device that has its own volume control (for example, a USB headset with volume controls on the cord), turn the device's own volume up to maximum.
• If your voice is still too quiet, enable the Microphone Boost function for the audio device in the Audio Tuning Wizard.
Problem The other party's voice is muffled.
Solution
• If you use Cisco IP Communicator remotely, enable the Optimize for low bandwidth option (right-click > Preferences > Audio tab).
• If you are not using Cisco IP Communicator over a remote connection, disable the Optimize for low bandwidth option.
• Ask the other party to lower their microphone volume, if possible.
Related Topics
• Audio Settings, page 4-8
Problem The other party tells you that your voice is muffled.
Solution
• Launch the Audio Tuning Wizard and adjust the microphone volume for the audio device in use.
• If you are not using Cisco IP Communicator over a remote connection, disable the Optimize for low bandwidth option.
Problem The other party's voice sounds distant or strange.
Solution If you use a headset, verify that Cisco IP Communicator is in Headset mode and not Speaker mode. (The Headset button should be lit.)
Problem The other party tells you that your voice sounds distant or strange.
Solution Enable the Optimize for low bandwidth option (right-click > Preferences > Audio tab).
Related Topics
• Audio Settings, page 4-8
Problem The other party's voice is interrupted by silences or is choppy.
Solution
• Close all unnecessary applications. Keep in mind that launching applications and operations that use the network (sending e-mail, for example) can affect audio quality.
• Verify that Speaker mode is not enabled.
• Select a different audio setting by choosing Preferences > Audio tab > Advanced tab.
• If you use Cisco IP Communicator over a remote connection (for example, a VPN connection from your home or a hotel), you may experience voice quality problems due to insufficient bandwidth. Enable the Optimize for low bandwidth option (right-click > Preferences > Audio tab).
• Verify that your sound card and audio drivers are installed correctly.
Note The transmission may be interrupted by pops, crackles, or silences in the event of network congestion or data traffic problems.
Problem Background noise prevents you from hearing the speaker's voice.
Solution Ask the speaker to:
• Move to a quieter location.
• Enable noise cancellation or increase the aggressiveness level of noise cancellation (right-click > Preferences > Audio tab > Advanced button). Noise cancellation is applied to the microphone (input device) to prevent noise from being transmitted to the remote end.
During a conference call, ask the other participants to mute their phones when they are not speaking.
Problem You hear an echo.
Solution
• Ask the other party to lower their microphone or speaker volume, if possible.
• If the other party uses Cisco IP Communicator as a speakerphone, ask them to verify that the Speaker button is lit.
• Verify that your sound card is not sending speaker audio to the microphone. Proceed as follows:
a. Adjust the volume (Control Panel > Sounds and Multimedia > Audio tab).
b. Under Sound Playback, click the Volume button.
c. Choose Options > Properties > Playback and verify that all check boxes at the bottom of the window are selected, then click OK.
d. In the Volume Control window, verify that the Mute option is selected for the Microphone Balance column. Some audio devices have several microphone inputs (for example, internal and external) that can pick up sound from the speaker and create feedback.
Problem The other party hears an echo.
Solution
• Launch the Audio Tuning Wizard and reduce the microphone volume for the audio device in use. Verify that the Microphone Boost function is disabled. Then verify the new volume setting by calling someone.
• If you use your computer as a speakerphone, leave the Speaker button lit.
• As a last resort, change audio device.
• If you use a laptop without a headset or handset, all three modes are mapped to the sound card and act as speakers. Put the device in Speaker mode.
Problem The other party cannot hear you at all (but you can hear them).
Solution
• Verify that you have not enabled Mute from the cord controls of the headset or USB handset.
• Verify that the speaker and microphone plugs are inserted in the correct audio jacks on the computer.
• Verify that no other application is using the microphone (an audio recorder or another softphone, for example).
Problem The other party hears you, but you cannot hear them.
Solution
• Verify that the speaker and microphone plugs are inserted in the correct audio jacks on the computer.
• Check the volume and mute settings of the system audio devices in the Control Panel.
• Check the Cisco IP Communicator volume setting (the Volume button and the Audio Tuning Wizard).
Problem You cannot speak at the same time as the other party.
Solution Verify that you are using a full-duplex sound card.
Problem You hear no sound at all, not even a dial tone.
Solution
• If you use a docking station and your audio device is connected to it, verify that the computer is connected to the docking station.
• Restart Cisco IP Communicator.
Using the Quality Reporting Tool to Resolve Performance Problems
Your system administrator can temporarily configure your phone with the Quality Reporting Tool (QRT) to resolve performance problems. You can click QRT (you may need to click more several times to display the QRT softkey) to send information to your system administrator. Depending on your system configuration, the QRT tool lets you:
• immediately report an audio problem during a current call;
• select a general problem from a list of problem types and choose reason codes.
Your system administrator may also ask you to capture information (detailed logs) to help resolve a problem.
Related Topics
• Using the Audio Tuning Wizard, page 1-6
• Accessing Settings, page 4-1
• General Problems, page 8-1
• Capturing Problem Information, page 8-11
Enabling Detailed Logs
If you experience problems while using Cisco IP Communicator and your system administrator asks you to, enable detailed logging (right-click > Preferences > User tab, and enable the Enable Logging option).
Note Your setting is retained until you change it, even after a restart. Because detailed logging can affect performance, disable it as soon as you no longer need it. Clear Enable Logging to disable this feature.
Related Topics
• Capturing Problem Information, page 8-11
Capturing Problem Information
If Cisco IP Communicator closes unexpectedly, the Problem Reporting Tool starts automatically and captures the relevant data for troubleshooting. Use this procedure to send the report to your system administrator.
Step 1 Follow the Problem Reporting Tool instructions to describe the problem. Be sure to include the following information:
• A description of the problem.
• An explanation of what you were doing when the problem occurred.
• The audio device in use when the problem occurred.
• Any other relevant details.
Step 2 Look on your desktop for a file called CIPC-ProblemReportxxx.zip, where xxx is a number.
Step 3 Email this file to your system administrator with the following information:
If you experience other problems and the problem report is not created automatically, your system administrator may ask you to provide log files. Unlike QRT (which reports the nature of the problem), these logs provide detailed information that helps resolve the problem. Use this procedure to collect these files:
Step 1 Enable detailed logging (right-click > Preferences > User tab, and enable the Enable Logging option).
Step 2 Try to reproduce the problem. If you cannot reproduce the problem, the logs will not contain detailed information.
Step 3 Create the report by selecting Start > All Programs > Cisco IP Communicator > Create CIPC Problem Report.
Step 4 Follow the on-screen instructions to describe the problem. Be sure to include the following information:
• A description of the problem.
• An explanation of what you were doing when the problem occurred.
• The audio device in use when the problem occurred.
• Any other relevant details.
Step 5 Before clicking Finish, note the name of the file that was created on your desktop.
Step 6 Email this file to your system administrator.
Tip From the Audio Tuning Wizard, you can launch the Problem Reporting Tool to report audio problems. Click in the upper-left corner of the Audio Tuning Wizard title bar and select Troubleshooting Info... A pop-up message prompts you to launch the Problem Reporting Tool.
Related Topics
• Using the Quality Reporting Tool to Resolve Performance Problems, page 8-10
• Enabling Detailed Logs, page 8-11
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Command Reference, Cisco ACE
Application Control Engine
For the Cisco ACE Application Control Engine Module and
Cisco ACE 4700 Series Application Control Engine Appliance
Software Version A5(1.0)
September 2011
Text Part Number: OL-25339-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at
www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1005R)
Command Reference, Cisco ACE Application Control Engine
Copyright © 2007-2011 Cisco Systems, Inc. All rights reserved.
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
CONTENTS
Preface xxxi
Audience xxxi
How to Use This Guide xxxii
Related Documentation xxxii
Symbols and Conventions xxxv
Obtaining Documentation, Obtaining Support, and Security Guidelines xxxvi
C H A P T E R 2 CLI Commands 2-1
Exec Mode Commands 2-2
backup 2-3
capture 2-5
changeto 2-6
checkpoint 2-8
clear access-list 2-9
clear accounting log 2-10
clear acl-merge statistics 2-10
clear arp 2-11
clear buffer stats 2-12
clear capture 2-13
clear cde 2-14
clear cfgmgr internal history 2-14
clear conn 2-16
clear cores 2-17
clear crypto session-cache 2-19
clear dc 2-20
clear debug-logfile 2-20
clear fifo stats 2-21
clear ft 2-23
clear icmp statistics 2-24
clear interface 2-25
clear ip 2-26
clear ipv6 2-27
clear line 2-27
clear logging 2-29
clear netio stats 2-29
clear np 2-31
clear ntp statistics 2-32
clear probe 2-32
clear processes log 2-34
clear rserver 2-34
clear rtcache 2-35
clear screen 2-37
clear serverfarm 2-37
clear service-policy 2-38
clear ssh 2-40
clear startup-config 2-41
clear stats 2-42
clear sticky database 2-44
clear syn-cookie 2-46
clear tcp statistics 2-46
clear telnet 2-47
clear udp statistics 2-48
clear user 2-48
clear vnet stats 2-49
clear xlate 2-51
clock set 2-53
compare 2-54
configure 2-55
copy capture 2-56
copy checkpoint 2-57
copy core: 2-59
copy disk0: 2-60
copy ftp: 2-62
copy image: 2-63
copy licenses 2-65
copy probe: 2-66
copy running-config 2-68
copy startup-config 2-69
copy sftp: 2-70
copy tftp: 2-72
crypto crlparams 2-73
crypto delete 2-74
crypto export 2-75
crypto generate csr 2-76
crypto generate key 2-77
crypto import 2-78
crypto verify 2-82
debug 2-83
delete 2-86
dir 2-87
dm 2-89
exit 2-90
format flash: 2-91
ft switchover 2-93
gunzip 2-94
invoke context 2-95
license 2-96
mkdir disk0: 2-97
move disk0: 2-98
np session 2-99
ping 2-101
reload 2-103
reprogram bootflash 2-104
restore 2-105
rmdir disk0: 2-107
setup 2-108
set dc 2-110
set sticky-ixp 2-111
show 2-112
show aaa 2-113
show access-list 2-114
show accounting log 2-115
show acl-merge 2-117
show action-list 2-118
show arp 2-119
show backup 2-121
show banner motd 2-122
show bootvar 2-123
show buffer 2-125
show capture 2-127
show cde 2-129
show cfgmgr 2-130
show checkpoint 2-132
show clock 2-134
show conn 2-135
show context 2-136
show copyright 2-137
show crypto 2-138
show dc 2-141
show debug 2-145
show domain 2-148
show download information 2-149
show eobc 2-150
show fifo 2-152
show file 2-153
show fragment 2-155
show ft 2-156
show hardware 2-158
show hyp 2-159
show icmp statistics 2-159
show interface 2-161
show inventory 2-163
show ip 2-164
show ipcp 2-167
show ipv6 2-168
show kalap udp load 2-170
show lcp event-history 2-172
show ldap-server 2-173
show license 2-174
show line 2-176
show logging 2-177
show login timeout 2-179
show nat-fabric 2-180
show netio 2-181
show nexus-device 2-182
show np 2-184
show ntp 2-188
show optimization-global 2-189
show parameter-map 2-190
show probe 2-191
show processes 2-192
show pvlans 2-193
show radius-server 2-194
show resource allocation 2-195
show resource internal 2-196
show resource usage 2-198
show restore 2-201
show role 2-203
show rserver 2-204
show running-config 2-206
show scp 2-208
show script 2-209
show security internal event-history 2-211
show serverfarm 2-212
show service-policy 2-214
show snmp 2-216
show ssh 2-218
show startup-config 2-220
show stats 2-221
show sticky cookie-insert group 2-223
show sticky database 2-224
show sticky hash 2-227
show conn sticky 2-228
show syn-cookie 2-229
show system 2-230
show tacacs-server 2-232
show tcp statistics 2-233
show tech-support 2-234
show telnet 2-235
show terminal 2-236
show udp statistics 2-237
show user-account 2-238
show users 2-239
show version 2-240
show vlans 2-242
show vm-controller 2-243
show vnet 2-244
show xlate 2-245
ssh 2-246
system internal 2-248
system watchdog 2-249
tac-pac 2-251
telnet 2-253
terminal 2-254
traceroute 2-255
undebug all 2-256
untar disk0: 2-258
write 2-259
xml-show 2-260
Configuration Mode Commands 2-262
(config) aaa accounting default 2-263
(config) aaa authentication login 2-265
(config) aaa group server 2-266
(config) access-group 2-267
(config) access-list ethertype 2-270
(config) access-list extended 2-272
(config) access-list remark 2-281
(config) access-list resequence 2-282
(config) action-list type modify http 2-283
(config) action-list type optimization http 2-285
(config) arp 2-287
(config) banner 2-289
(config) boot system image: 2-290
(config) buffer threshold 2-292
(config) class-map 2-294
(config) clock timezone 2-297
(config) clock summer-time 2-300
(config) config-register 2-301
(config) context 2-303
(config) crypto authgroup 2-304
(config) crypto chaingroup 2-305
(config) crypto crl 2-306
(config) crypto crlparams 2-307
(config) crypto csr-params 2-309
(config) crypto ocspserver 2-310
(config) crypto rehandshake enabled 2-312
(config) domain 2-313
(config) end 2-314
(config) exit 2-314
(config) ft auto-sync 2-315
(config) ft connection-sync disable 2-317
(config) ft group 2-318
(config) ft interface vlan 2-320
(config) ft peer 2-321
(config) ft track host 2-322
(config) ft track hsrp 2-323
(config) ft track interface 2-324
(config) hostname 2-325
(config) hw-module 2-326
(config) interface 2-327
(config) ip dhcp relay 2-330
(config) ip domain-list 2-332
(config) ip domain-lookup 2-333
(config) ip domain-name 2-335
(config) ip name-server 2-337
(config) ip route 2-338
(config) ipv6 nd interval 2-340
(config) ipv6 nd learned-interval 2-341
(config) ipv6 nd retries 2-342
(config) ipv6 nd sync disable 2-343
(config) ipv6 nd sync-interval 2-344
(config) kalap udp 2-345
(config) ldap-server host 2-346
(config) ldap-server port 2-347
(config) ldap-server timeout 2-348
(config) line console 2-349
(config) line vty 2-350
(config) login timeout 2-352
(config) logging buffered 2-353
(config) logging console 2-355
(config) logging device-id 2-357
(config) logging enable 2-359
(config) logging facility 2-360
(config) logging fastpath 2-361
(config) logging history 2-362
(config) logging host 2-364
(config) logging message 2-366
(config) logging monitor 2-368
(config) logging persistent 2-369
(config) logging queue 2-370
(config) logging rate-limit 2-371
(config) logging standby 2-373
(config) logging supervisor 2-374
(config) logging timestamp 2-375
(config) logging trap 2-376
(config) nexus-device 2-377
(config) ntp 2-379
(config) object-group 2-380
(config) optimize 2-382
(config) parameter-map type 2-382
(config) peer hostname 2-385
(config) peer shared-vlan-hostid 2-386
(config) policy-map 2-388
(config) probe 2-392
(config) radius-server attribute nas-ipaddr 2-395
(config) radius-server deadtime 2-396
(config) radius-server host 2-397
(config) radius-server key 2-400
(config) radius-server retransmit 2-401
(config) radius-server timeout 2-402
(config) regex compilation-timeout 2-403
(config) resource-class 2-404
(config) role 2-405
(config) rserver 2-406
(config) script file name 2-407
(config) serverfarm 2-408
(config) service-policy 2-409
(config) shared-vlan-hostid 2-411
(config) snmp-server community 2-412
(config) snmp-server contact 2-414
(config) snmp-server enable traps 2-415
(config) snmp-server engineid 2-418
(config) snmp-server host 2-420
(config) snmp-server location 2-421
(config) snmp-server trap link ietf 2-422
(config) snmp-server trap-source vlan 2-423
(config) snmp-server unmask-community 2-424
(config) snmp-server user 2-425
(config) ssh key 2-428
(config) ssh maxsessions 2-429
(config) ssl-proxy service 2-430
(config) static 2-431
(config) sticky http-content 2-433
(config) sticky http-cookie 2-434
(config) sticky http-header 2-436
(config) sticky ip-netmask 2-438
(config) sticky layer4-payload 2-439
(config) sticky radius framed-ip 2-440
(config) sticky rtsp-header 2-441
(config) sticky sip-header 2-442
(config) switch-mode 2-443
(config) tacacs-server deadtime 2-445
(config) tacacs-server host 2-446
(config) tacacs-server key 2-448
(config) tacacs-server timeout 2-449
(config) telnet maxsessions 2-451
(config) timeout xlate 2-452
(config) udp 2-453
(config) username 2-454
(config) vm-controller 2-456
Action List Modify Configuration Mode Commands 2-457
(config-actlist-modify) description 2-458
(config-actlist-modify) header delete 2-459
(config-actlist-modify) header insert 2-461
(config-actlist-modify) header rewrite 2-462
(config-actlist-modify) ssl header-insert 2-464
(config-actlist-modify) ssl url rewrite location 2-473
Action List Optimization Configuration Mode Commands 2-474
(config-actlist-optm) appscope 2-475
(config-actlist-optm) cache 2-476
(config-actlist-optm) delta 2-478
(config-actlist-optm) description 2-479
(config-actlist-optm) dynamic etag 2-480
(config-actlist-optm) flashforward 2-481
(config-actlist-optm) flashforward-object 2-481
Authentication Group Configuration Mode Commands 2-483
(config-authgroup) cert 2-484
Chaingroup Configuration Mode Commands 2-485
(config-chaingroup) cert 2-486
Class Map Configuration Mode Commands 2-488
(config-cmap) description 2-490
(config-cmap) match access-list 2-491
(config-cmap) match any 2-493
(config-cmap) match anyv6 2-494
(config-cmap) match destination-address 2-495
(config-cmap) match port 2-497
(config-cmap) match port-v6 2-500
(config-cmap) match source-address 2-502
(config-cmap) match virtual-address 2-504
Class Map FTP Inspection Configuration Mode Commands 2-507
(config-cmap-ftp-insp) description 2-508
(config-cmap-ftp-insp) match request-method 2-509
Class Map Generic Configuration Mode Commands 2-510
(config-cmap-generic) description 2-511
(config-cmap-generic) match class-map 2-513
(config-cmap-generic) match layer4-payload 2-514
(config-cmap-generic) match source-address 2-516
Class Map HTTP Inspection Configuration Mode Commands 2-517
(config-cmap-http-insp) description 2-519
(config-cmap-http-insp) match content 2-520
(config-cmap-http-insp) match content length 2-522
(config-cmap-http-insp) match cookie secondary 2-523
(config-cmap-http-insp) match header 2-524
(config-cmap-http-insp) match header length 2-528
(config-cmap-http-insp) match header mime-type 2-530
(config-cmap-http-insp) match port-misuse 2-533
(config-cmap-http-insp) match request-method 2-534
(config-cmap-http-insp) match transfer-encoding 2-535
(config-cmap-http-insp) match url 2-537
(config-cmap-http-insp) match url length 2-538
Class Map HTTP Load Balancing Configuration Mode Commands 2-539
(config-cmap-http-lb) description 2-541
(config-cmap-http-lb) match class-map 2-542
(config-cmap-http-lb) match cipher 2-544
(config-cmap-http-lb) match http content 2-545
(config-cmap-http-lb) match http cookie 2-546
(config-cmap-http-lb) match http header 2-547
(config-cmap-http-lb) match http url 2-550
(config-cmap-http-lb) match source-address 2-552
Class Map Management Configuration Mode Commands 2-553
(config-cmap-mgmt) description 2-554
(config-cmap-mgmt) match protocol 2-556
Class Map RADIUS Load Balancing Configuration Mode Commands 2-558
(config-cmap-radius-lb) description 2-560
(config-cmap-radius-lb) match radius attribute 2-561
Class Map RTSP Load Balancing Configuration Mode Commands 2-562
(config-cmap-rtsp-lb) description 2-564
(config-cmap-rtsp-lb) match class-map 2-565
(config-cmap-rtsp-lb) match rtsp header 2-566
(config-cmap-rtsp-lb) match rtsp url 2-567
(config-cmap-rtsp-lb) match source-address 2-570
Class Map SIP Inspection Configuration Mode Commands 2-571
(config-cmap-sip-insp) description 2-572
(config-cmap-sip-insp) match called-party 2-573
(config-cmap-sip-insp) match calling-party 2-575
(config-cmap-sip-insp) match content 2-577
(config-cmap-sip-insp) match im-subscriber 2-578
(config-cmap-sip-insp) match message-path 2-579
(config-cmap-sip-insp) match request-method 2-582
(config-cmap-sip-insp) match third-party registration 2-583
(config-cmap-sip-insp) match uri 2-585
Class Map SIP Load Balancing Configuration Mode Commands 2-586
(config-cmap-sip-lb) description 2-588
(config-cmap-sip-lb) match class-map 2-589
(config-cmap-sip-lb) match sip header 2-590
(config-cmap-sip-lb) match source-address 2-593
Console Configuration Mode Commands 2-595
(config-console) databits 2-596
(config-console) parity 2-597
(config-console) speed 2-598
(config-console) stopbits 2-599
Context Configuration Mode Commands 2-600
(config-context) allocate-interface 2-601
(config-context) description 2-603
(config-context) member 2-604
CSR Parameters Configuration Mode Commands 2-605
(config-csr-params) common-name 2-606
(config-csr-params) country 2-607
(config-csr-params) email 2-608
(config-csr-params) locality 2-609
(config-csr-params) organization-name 2-611
(config-csr-params) organization-unit 2-612
(config-csr-params) serial-number 2-613
(config-csr-params) state 2-614
DCI Configuration Mode Commands 2-615
(config-dci) credentials 2-616
(config-dci) ip-address 2-617
Domain Configuration Mode Commands 2-618
(config-domain) add-object 2-620
FT Group Configuration Mode Commands 2-622
(config-ft-group) associate-context 2-623
(config-ft-group) inservice 2-624
(config-ft-group) peer 2-625
(config-ft-group) peer priority 2-626
(config-ft-group) preempt 2-627
(config-ft-group) priority 2-628
FT Interface Configuration Mode Commands 2-629
(config-ft-intf) ip 2-630
(config-ft-intf) peer ip 2-632
(config-ft-intf) shutdown 2-633
FT Peer Configuration Mode Commands 2-634
(config-ft-peer) ft-interface vlan 2-635
(config-ft-peer) heartbeat 2-636
(config-ft-peer) query-interface 2-637
FT Track Host Configuration Mode Commands 2-638
(config-ft-track-host) peer priority 2-640
(config-ft-track-host) peer probe 2-641
(config-ft-track-host) peer track-host 2-643
(config-ft-track-host) priority 2-645
(config-ft-track-host) probe 2-646
(config-ft-track-host) track-host 2-647
FT Track HSRP Configuration Mode Commands 2-648
(config-ft-track-hsrp) peer priority 2-649
(config-ft-track-hsrp) peer track-hsrp 2-650
(config-ft-track-hsrp) priority 2-651
(config-ft-track-hsrp) track-hsrp 2-652
FT Track Interface Configuration Mode Commands 2-653
(config-ft-track-interface) peer priority 2-654
(config-ft-track-interface) peer track-interface vlan 2-655
(config-ft-track-interface) priority 2-656
(config-ft-track-interface) track-interface vlan 2-657
Interface Configuration Mode Commands 2-658
(config-if) access-group 2-660
(config-if) alias 2-661
(config-if) arp 2-663
(config-if) arp inspection 2-664
(config-if) bridge-group 2-666
(config-if) carrier-delay 2-667
(config-if) channel-group 2-668
(config-if) description 2-669
(config-if) duplex 2-670
(config-if) fragment chain 2-671
(config-if) fragment min-mtu 2-672
(config-if) fragment timeout 2-673
(config-if) ft-port vlan 2-674
(config-if) icmp-guard 2-675
(config-if) ip address 2-677
(config-if) ip df 2-680
(config-if) ip dhcp relay enable 2-681
(config-if) ip dhcp relay server 2-682
(config-if) ip options 2-683
(config-if) ip route inject vlan 2-684
(config-if) ip ttl minimum 2-685
(config-if) ip verify reverse-path 2-686
(config-if) ipv6 dhcp relay enable 2-687
(config-if) ipv6 dhcp relay fwd-interface 2-688
(config-if) ipv6 dhcp relay server 2-689
(config-if) ipv6 enable 2-691
(config-if) ipv6 extension-header 2-692
(config-if) ipv6 fragment chain 2-693
(config-if) ipv6 fragment min-mtu 2-694
(config-if) ipv6 fragment timeout 2-695
(config-if) ipv6 icmp-guard 2-696
(config-if) ipv6 mtu 2-698
(config-if) ipv6 nd dad-attempts 2-699
(config-if) ipv6 nd managed-config-flag 2-700
(config-if) ipv6 nd ns-interval 2-701
(config-if) ipv6 nd other-config-flag 2-702
(config-if) ipv6 nd prefix 2-703
(config-if) ipv6 nd ra hop-limit 2-705
(config-if) ipv6 nd ra interval 2-706
(config-if) ipv6 nd ra lifetime 2-707
(config-if) ipv6 nd ra suppress 2-708
(config-if) ipv6 nd reachable-time 2-709
(config-if) ipv6 nd retransmission-time 2-710
(config-if) ipv6 neighbor 2-711
(config-if) ipv6 normalization 2-712
(config-if) ipv6 route inject vlan 2-714
(config-if) ipv6 verify reverse-path 2-715
(config-if) mac-address autogenerate 2-716
(config-if) mac-sticky enable 2-717
(config-if) mtu 2-719
(config-if) nat-pool 2-720
(config-if) normalization 2-721
(config-if) normalization send-reset 2-723
(config-if) peer ip address 2-723
(config-if) port-channel load-balance 2-726
(config-if) qos trust cos 2-727
(config-if) remove-eth-pad 2-728
(config-if) service-policy input 2-729
(config-if) shutdown 2-730
(config-if) speed 2-732
(config-if) switchport access vlan 2-734
(config-if) switchport trunk allowed vlan 2-736
(config-if) switchport trunk native vlan 2-738
(config-if) syn-cookie 2-739
(config-if) udp 2-741
KAL-AP UDP Configuration Mode Commands 2-743
(config-kalap-udp) ip address 2-744
LDAP Configuration Mode Commands 2-745
(config-ldap) attribute user-profile 2-746
(config-ldap) baseDN 2-748
(config-ldap) filter search-user 2-749
(config-ldap) server 2-750
Line Configuration Mode Commands 2-751
(config-line) session-limit 2-752
Object Group Configuration Mode Commands 2-753
(config-objgrp-netw) description 2-754
(config-objgrp-netw) host 2-755
(config-objgrp-netw) ip_address 2-757
(config-objgrp-serv) description 2-759
(config-objgrp-serv) protocol 2-760
Optimize Configuration Mode Commands 2-767
(config-optimize) appscope-log 2-768
(config-optimize) concurrent-connections 2-769
(config-optimize) debug-level 2-770
Parameter Map Connection Configuration Mode Commands 2-772
(config-parammap-conn) description 2-774
(config-parammap-conn) exceed-mss 2-775
(config-parammap-conn) nagle 2-776
(config-parammap-conn) random-sequence-number 2-777
(config-parammap-conn) rate-limit 2-778
(config-parammap-conn) reserved-bits 2-779
(config-parammap-conn) set ip tos 2-780
(config-parammap-conn) set tcp ack-delay 2-781
(config-parammap-conn) set tcp buffer-share 2-782
(config-parammap-conn) set tcp mss 2-784
(config-parammap-conn) set tcp reassembly-timout 2-786
(config-parammap-conn) set tcp syn-retry 2-786
(config-parammap-conn) set tcp timeout 2-787
(config-parammap-conn) set tcp wan-optimization 2-788
(config-parammap-conn) set tcp window-scale 2-790
(config-parammap-conn) set timeout inactivity 2-791
(config-parammap-conn) slowstart 2-792
(config-parammap-conn) syn-data 2-793
(config-parammap-conn) tcp-options 2-794
(config-parammap-conn) urgent-flag 2-798
Parameter Map DNS Configuration Mode Commands 2-799
(config-parammap-dns) description 2-800
(config-parammap-dns) timeout query 2-801
Parameter Map Generic Configuration Mode Commands 2-801
(config-parammap-generi) case-insensitive 2-803
(config-parammap-generi) description 2-804
(config-parammap-generi) set max-parse-length 2-805
Parameter Map HTTP Configuration Mode Commands 2-806
(config-parammap-http) case-insensitive 2-808
(config-parammap-http) cookie-error-ignore 2-809
(config-parammap-http) description 2-810
(config-parammap-http) compress 2-811
(config-parammap-http) header modify per-request 2-813
(config-parammap-http) length-exceed 2-815
(config-parammap-http) parsing non-strict 2-816
(config-parammap-http) persistence-rebalance 2-817
(config-parammap-http) server-conn reuse 2-819
(config-parammap-http) set content-maxparse-length 2-820
(config-parammap-http) set header-maxparse-length 2-822
(config-parammap-http) set secondary-cookie-delimiters 2-823
(config-parammap-http) set secondary-cookie-start 2-824
Parameter Map Optimization Configuration Mode Commands 2-825
(config-parammap-optmz) appscope optimize-rate-percent 2-826
(config-parammap-optmz) basefile anonymous-level 2-827
(config-parammap-optmz) cache key-modifier 2-828
(config-parammap-optmz) cache parameter 2-831
(config-parammap-optmz) cache ttl 2-833
(config-parammap-optmz) cache-policy request 2-834
(config-parammap-optmz) cache-policy response 2-835
(config-parammap-optmz) canonical-url 2-836
(config-parammap-optmz) clientscript-default 2-837
(config-parammap-optmz) description 2-838
(config-parammap-optmz) delta 2-839
(config-parammap-optmz) expires-setting 2-841
(config-parammap-optmz) extract meta 2-842
(config-parammap-optmz) flashforward refresh-policy 2-843
(config-parammap-optmz) ignore-server-content 2-844
(config-parammap-optmz) parameter-summary parameter-value-limit 2-845
(config-parammap-optmz) post-content-buffer-limit 2-846
(config-parammap-optmz) rebase 2-847
(config-parammap-optmz) request-grouping-string 2-848
(config-parammap-optmz) server-header 2-849
(config-parammap-optmz) server-load 2-850
(config-parammap-optmz) utf8 threshold 2-852
Parameter Map RTSP Configuration Mode Commands 2-852
(config-parammap-rtsp) case-insensitive 2-854
(config-parammap-rtsp) description 2-855
(config-parammap-rtsp) set header-maxparse-length 2-856
Parameter Map SCCP Configuration Mode Commands 2-857
(config-parammap-skinny) description 2-859
(config-parammap-skinny) enforce-registration 2-860
(config-parammap-skinny) message-id max 2-861
(config-parammap-skinny) sccp-prefix-len 2-862
Parameter Map SIP Configuration Mode Commands 2-863
(config-parammap-sip) description 2-865
(config-parammap-sip) im 2-865
(config-parammap-sip) max-forward-validation 2-866
(config-parammap-sip) software-version 2-867
(config-parammap-sip) strict-header-validation 2-868
(config-parammap-sip) timeout 2-870
(config-parammap-sip) uri-non-sip 2-871
Parameter Map SSL Configuration Mode Commands 2-872
(config-parammap-ssl) authentication-failure 2-873
(config-parammap-ssl) cdp-errors ignore 2-876
(config-parammap-ssl) cipher 2-877
(config-parammap-ssl) close-protocol 2-879
(config-parammap-ssl) description 2-880
(config-parammap-ssl) expired-crl reject 2-881
(config-parammap-ssl) purpose-check disabled 2-882
(config-parammap-ssl) queue-delay timeout 2-883
(config-parammap-ssl) rehandshake enabled 2-884
(config-parammap-ssl) session-cache timeout 2-885
(config-parammap-ssl) version 2-887
Policy Map Configuration Mode Commands 2-888
(config-pmap) class 2-890
(config-pmap) description 2-891
Policy Map Class Configuration Mode Commands 2-892
(config-pmap-c) appl-parameter dns advanced-options 2-893
(config-pmap-c) appl-parameter generic advanced-options 2-894
(config-pmap-c) appl-parameter http advanced-options 2-895
(config-pmap-c) appl-parameter rtsp advanced-options 2-896
(config-pmap-c) appl-parameter sip advanced-options 2-897
(config-pmap-c) appl-parameter skinny advanced-options 2-898
(config-pmap-c) connection advanced-options 2-899
(config-pmap-c) inspect 2-900
(config-pmap-c) kal-ap primary-oos 2-904
(config-pmap-c) kal-ap-tag 2-906
(config-pmap-c) loadbalance policy 2-907
(config-pmap-c) loadbalance vip advertise 2-908
(config-pmap-c) loadbalance vip icmp-reply 2-909
(config-pmap-c) loadbalance vip inservice 2-910
(config-pmap-c) loadbalance vip udp-fast-age 2-911
(config-pmap-c) nat dynamic 2-912
(config-pmap-c) nat static 2-913
(config-pmap-c) ssl-proxy 2-916
Policy Map FTP Inspection Configuration Mode Commands 2-917
(config-pmap-ftp-ins) class 2-919
(config-pmap-ftp-ins) description 2-920
(config-pmap-ftp-ins) match request-method 2-921
Policy Map FTP Inspection Class Configuration Mode Commands 2-922
(config-pmap-ftp-ins-c) deny 2-923
(config-pmap-ftp-ins-c) mask-reply 2-924
Policy Map FTP Inspection Match Configuration Mode Commands 2-924
(config-pmap-ftp-ins-m) deny 2-926
(config-pmap-ftp-ins-m) mask-reply 2-927
Policy Map Inspection HTTP Configuration Mode Commands 2-927
(config-pmap-ins-http) class 2-929
(config-pmap-ins-http) description 2-931
(config-pmap-ins-http) match content 2-932
(config-pmap-ins-http) match content length 2-934
(config-pmap-ins-http) match content-type-verification 2-935
(config-pmap-ins-http) match cookie secondary 2-936
(config-pmap-ins-http) match header 2-939
(config-pmap-ins-http) match header length 2-942
(config-pmap-ins-http) match header mime-type 2-944
(config-pmap-ins-http) match port-misuse 2-947
(config-pmap-ins-http) match request-method 2-948
(config-pmap-ins-http) match strict-http 2-950
(config-pmap-ins-http) match transfer-encoding 2-952
(config-pmap-ins-http) match url 2-953
(config-pmap-ins-http) match url length 2-955
Policy Map Inspection HTTP Class Configuration Mode Commands 2-956
(config-pmap-ins-http-c) passthrough log 2-957
(config-pmap-ins-http-c) permit 2-958
(config-pmap-ins-http-c) reset 2-959
Policy Map Inspection HTTP Match Configuration Mode Commands 2-959
(config-pmap-ins-http-m) passthrough log 2-961
(config-pmap-ins-http-m) permit 2-962
(config-pmap-ins-http-m) reset 2-963
Policy Map Inspection SIP Configuration Mode Commands 2-964
(config-pmap-ins-sip) class 2-966
(config-pmap-ins-sip) description 2-967
(config-pmap-ins-sip) match called-party 2-968
(config-pmap-ins-sip) match calling-party 2-969
(config-pmap-ins-sip) match content 2-970
(config-pmap-ins-sip) match im-subscriber 2-972
(config-pmap-ins-sip) match message-path 2-973
(config-pmap-ins-sip) match request-method 2-974
(config-pmap-ins-sip) match third-party registration 2-976
(config-pmap-ins-sip) match uri 2-978
Policy Map Inspection SIP Class Configuration Mode Commands 2-979
(config-pmap-ins-sip-c) drop 2-980
(config-pmap-ins-sip-c) log 2-980
(config-pmap-ins-sip-c) permit 2-981
(config-pmap-ins-sip-c) reset 2-982
Policy Map Inspection SIP Match Configuration Mode Commands 2-983
(config-pmap-ins-sip-m) drop 2-984
(config-pmap-ins-sip-m) permit 2-985
(config-pmap-ins-sip-m) reset 2-986
Policy Map Inspection Skinny Configuration Mode Commands 2-986
(config-pmap-ins-skinny) description 2-988
(config-pmap-ins-skinny) match message-id 2-989
Policy Map Inspection Skinny Match Configuration Mode Commands 2-990
(config-pmap-ins-skinny-m) reset 2-991
Policy Map Load Balancing Generic Configuration Mode Commands 2-992
(config-pmap-lb-generic) class 2-994
(config-pmap-lb-generic) description 2-996
(config-pmap-lb-generic) match layer4-payload 2-997
(config-pmap-lb-generic) match source-address 2-998
Policy Map Load Balancing Generic Class Configuration Mode Commands 2-999
(config-pmap-lb-generic-c) drop 2-1000
(config-pmap-lb-generic-c) forward 2-1001
(config-pmap-lb-generic-c) serverfarm 2-1002
(config-pmap-lb-generic-c) set ip tos 2-1003
(config-pmap-lb-generic-c) sticky-serverfarm 2-1004
Policy Map Load Balancing Generic Match Configuration Mode Commands 2-1004
(config-pmap-lb-generic-m) drop 2-1006
(config-pmap-lb-generic-m) forward 2-1006
(config-pmap-lb-generic-m) serverfarm 2-1007
(config-pmap-lb-generic-m) set ip tos 2-1009
(config-pmap-lb-generic-m) sticky-serverfarm 2-1010
Policy Map Load Balancing HTTP Configuration Mode Commands 2-1011
(config-pmap-lb) class 2-1012
(config-pmap-lb) description 2-1013
(config-pmap-lb) match cipher 2-1014
(config-pmap-lb) match http content 2-1016
(config-pmap-lb) match http cookie 2-1017
(config-pmap-lb) match http header 2-1019
(config-pmap-lb) match http url 2-1023
(config-pmap-lb) match source-address 2-1024
Policy Map Load Balancing HTTP Class Configuration Mode Commands 2-1025
(config-pmap-lb-c) action 2-1026
(config-pmap-lb-c) compress 2-1027
(config-pmap-lb-c) drop 2-1029
(config-pmap-lb-c) forward 2-1030
(config-pmap-lb-c) insert-http 2-1031
(config-pmap-lb-c) nat dynamic 2-1032
(config-pmap-lb-c) serverfarm 2-1033
(config-pmap-lb-c) set ip tos 2-1035
(config-pmap-lb-c) ssl-proxy client 2-1036
(config-pmap-lb-c) sticky-serverfarm 2-1037
Policy Map Load Balancing HTTP Match Configuration Mode Commands 2-1038
(config-pmap-lb-m) action 2-1038
(config-pmap-lb-m) compress 2-1040
(config-pmap-lb-m) drop 2-1041
(config-pmap-lb-m) forward 2-1043
(config-pmap-lb-m) insert-http 2-1044
(config-pmap-lb-m) serverfarm 2-1045
(config-pmap-lb-m) set ip tos 2-1046
(config-pmap-lb-m) ssl-proxy client 2-1047
(config-pmap-lb-m) sticky-serverfarm 2-1048
Policy Map Load Balancing RADIUS Configuration Mode Commands 2-1049
(config-pmap-lb-radius) class 2-1051
(config-pmap-lb-radius) description 2-1053
(config-pmap-lb-radius) match radius attribute 2-1054
Policy Map Load Balancing RADIUS Class Configuration Mode Commands 2-1055
(config-pmap-lb-radius-c) drop 2-1056
(config-pmap-lb-radius-c) forward 2-1057
(config-pmap-lb-radius-c) serverfarm 2-1058
(config-pmap-lb-radius-c) set ip tos 2-1059
(config-pmap-lb-radius-c) sticky-serverfarm 2-1060
Policy Map Load Balancing RADIUS Match Configuration Mode Commands 2-1060
(config-pmap-lb-radius-m) drop 2-1062
(config-pmap-lb-radius-m) forward 2-1063
(config-pmap-lb-radius-m) serverfarm 2-1064
(config-pmap-lb-radius-m) set ip tos 2-1065
(config-pmap-lb-radius-m) sticky-serverfarm 2-1066
Policy Map Load Balancing RDP Configuration Mode Commands 2-1066
(config-pmap-lb-rdp) class 2-1068
(config-pmap-lb-rdp) description 2-1069
Policy Map Load Balancing RDP Class Configuration Mode Commands 2-1069
(config-pmap-lb-rdp-c) drop 2-1071
(config-pmap-lb-rdp-c) forward 2-1072
(config-pmap-lb-rdp-c) serverfarm 2-1073
(config-pmap-lb-rdp-c) set ip tos 2-1074
(config-pmap-lb-rdp-c) sticky-serverfarm 2-1075
Policy Map Load Balancing RTSP Configuration Mode Commands 2-1076
(config-pmap-lb-rtsp) class 2-1078
(config-pmap-lb-rtsp) description 2-1079
(config-pmap-lb-rtsp) match rtsp header 2-1080
(config-pmap-lb-rtsp) match rtsp source-address 2-1082
(config-pmap-lb-rtsp) match rtsp url 2-1083
Policy Map Load Balancing RTSP Class Configuration Mode Commands 2-1084
(config-pmap-lb-rtsp-c) drop 2-1085
(config-pmap-lb-rtsp-c) forward 2-1086
(config-pmap-lb-rtsp-c) serverfarm 2-1087
(config-pmap-lb-rtsp-c) set ip tos 2-1088
(config-pmap-lb-rtsp-c) sticky-serverfarm 2-1089
Policy Map Load Balancing RTSP Match Configuration Mode Commands 2-1090
(config-pmap-lb-rtsp-m) drop 2-1091
(config-pmap-lb-rtsp-m) forward 2-1092
(config-pmap-lb-rtsp-m) serverfarm 2-1093
(config-pmap-lb-rtsp-m) set ip tos 2-1094
(config-pmap-lb-rtsp-m) sticky-serverfarm 2-1095
Policy Map Load Balancing SIP Configuration Mode Commands 2-1095
(config-pmap-lb-sip) class 2-1097
(config-pmap-lb-sip) description 2-1099
(config-pmap-lb-sip) match sip header 2-1100
(config-pmap-lb-sip) match source-address 2-1101
Policy Map Load Balancing SIP Class Configuration Mode Commands 2-1102
(config-pmap-lb-sip-c) drop 2-1103
(config-pmap-lb-sip-c) forward 2-1104
(config-pmap-lb-sip-c) serverfarm 2-1105
(config-pmap-lb-sip-c) set ip tos 2-1106
(config-pmap-lb-sip-c) sticky-serverfarm 2-1107
Policy Map Load Balancing SIP Match Configuration Mode Commands 2-1108
(config-pmap-lb-sip-m) drop 2-1109
(config-pmap-lb-sip-m) forward 2-1110
(config-pmap-lb-sip-m) serverfarm 2-1111
(config-pmap-lb-sip-m) set ip tos 2-1112
(config-pmap-lb-sip-m) sticky-serverfarm 2-1113
Policy Map Management Configuration Mode Commands 2-1113
(config-pmap-mgmt) class 2-1115
(config-pmap-mgmt) description 2-1117
Policy Map Management Class Configuration Mode Commands 2-1117
(config-pmap-mgmt-c) deny 2-1118
(config-pmap-mgmt-c) permit 2-1119
Policy Map Optimization Configuration Mode Commands 2-1119
(config-pmap-optmz) class 2-1121
(config-pmap-optmz) description 2-1122
(config-pmap-optmz) match http cookie 2-1123
(config-pmap-optmz) match http header 2-1124
(config-pmap-optmz) match http url 2-1127
Policy Map Optimization Class Configuration Mode Commands 2-1128
(config-pmap-optmz-c) action 2-1128
Policy Map Optimization Match Configuration Mode Commands 2-1129
(config-pmap-optmz-m) action 2-1130
Probe Configuration Mode Commands 2-1132
(config-probe-probe_type) append-port-hosttag 2-1135
(config-probe-probe_type) community 2-1137
(config-probe-probe_type) connection term 2-1138
(config-probe-probe_type) credentials 2-1139
(config-probe-probe_type) description 2-1140
(config-probe-probe_type) domain 2-1142
(config-probe-probe_type) expect address 2-1143
(config-probe-probe_type) expect regex 2-1145
(config-probe-probe_type) expect status 2-1147
(config-probe-probe_type) faildetect 2-1148
(config-probe-probe_type) hash 2-1149
(config-probe-probe_type) header 2-1150
(config-probe-probe_type) interval 2-1153
(config-probe-probe_type) ip address 2-1154
(config-probe-probe_type) nas ip address 2-1156
(config-probe-probe_type) oid 2-1157
(config-probe-probe_type) open 2-1159
(config-probe-probe_type) passdetect 2-1160
(config-probe-probe_type) port 2-1162
(config-probe-probe_type) receive 2-1164
(config-probe-probe_type) request command 2-1165
(config-probe-probe_type) request method 2-1166
(config-probe-probe_type) script 2-1167
(config-probe-probe_type) send-data 2-1168
(config-probe-probe_type) ssl cipher 2-1169
(config-probe-probe_type) ssl version 2-1171
(config-probe-probe_type) version 2-1171
(config-probe-sip-udp) rport enable 2-1173
Probe SNMP OID Configuration Mode Commands 2-1174
(config-probe-snmp-oid) threshold 2-1176
(config-probe-snmp-oid) type absolute max 2-1178
(config-probe-snmp-oid) weight 2-1180
Probe VM Configuration Mode Commands 2-1181
(config-probe-vm) interval 2-1182
(config-probe-vm) load 2-1183
(config-probe-vm) vm-controller 2-1185
RADIUS Configuration Mode Commands 2-1186
(config-radius) deadtime 2-1188
(config-radius) server 2-1189
Real Server Host Configuration Mode Commands 2-1190
(config-rserver-host) conn-limit 2-1191
(config-rserver-host) description 2-1193
(config-rserver-host) fail-on-all 2-1194
(config-rserver-host) inservice 2-1195
(config-rserver-host) ip address 2-1196
(config-rserver-host) probe 2-1198
(config-rserver-host) rate-limit 2-1199
(config-rserver-host) weight 2-1201
Real Server Redirect Configuration Mode Commands 2-1202
(config-rserver-redir) conn-limit 2-1204
(config-rserver-redir) description 2-1206
(config-rserver-redir) inservice 2-1207
(config-rserver-redir) probe 2-1208
(config-rserver-redir) rate-limit 2-1209
(config-rserver-redir) webhost-redirection 2-1210
Resource Configuration Mode Commands 2-1212
(config-resource) limit-resource 2-1213
Role Configuration Mode Commands 2-1216
(config-role) description 2-1217
(config-role) rule 2-1218
Server Farm Host Configuration Mode Commands 2-1221
(config-sfarm-host) description 2-1223
(config-sfarm-host) dws 2-1224
(config-sfarm-host) failaction 2-1225
(config-sfarm-host) fail-on-all 2-1228
(config-sfarm-host) inband-health check 2-1230
(config-sfarm-host) partial-threshold 2-1233
(config-sfarm-host) predictor 2-1234
(config-sfarm-host) probe 2-1240
(config-sfarm-host) retcode 2-1242
(config-sfarm-host) rserver 2-1244
(config-sfarm-host) transparent 2-1245
Serverfarm Host Predictor Configuration Mode Commands 2-1246
(config-sfarm-host-predictor) autoadjust 2-1248
(config-sfarm-host-predictor) weight connection 2-1250
Server Farm Host Real Server Configuration Mode Commands 2-1251
(config-sfarm-host-rs) backup-rserver 2-1253
(config-sfarm-host-rs) conn-limit 2-1254
(config-sfarm-host-rs) cookie-string 2-1255
(config-sfarm-host-rs) description 2-1257
(config-sfarm-host-rs) fail-on-all 2-1258
(config-sfarm-host-rs) inservice 2-1260
(config-sfarm-host-rs) probe 2-1262
(config-sfarm-host-rs) rate-limit 2-1263
(config-sfarm-host-rs) weight 2-1264
Server Farm Redirect Configuration Mode Commands 2-1265
(config-sfarm-redirect) description 2-1267
(config-sfarm-redirect) failaction 2-1268
(config-sfarm-redirect) predictor 2-1270
(config-sfarm-redirect) probe 2-1276
(config-sfarm-redirect) rserver 2-1277
Serverfarm Redirect Predictor Configuration Mode Commands 2-1279
(config-sfarm-redirect-predictor) autoadjust 2-1281
(config-sfarm-redirect-predictor) weight connection 2-1283
Server Farm Redirect Real Server Configuration Mode Commands 2-1284
(config-sfarm-redirect-rs) backup-rserver 2-1286
(config-sfarm-redirect-rs) conn-limit 2-1287
(config-sfarm-redirect-rs) inservice 2-1288
(config-sfarm-host-rs) probe 2-1290
(config-sfarm-redirect-rs) rate-limit 2-1291
(config-sfarm-redirect-rs) weight 2-1292
SSL Proxy Configuration Mode Commands 2-1294
(config-ssl-proxy) authgroup 2-1295
(config-ssl-proxy) cert 2-1297
(config-ssl-proxy) chaingroup 2-1299
(config-ssl-proxy) crl 2-1300
(config-ssl-proxy) key 2-1302
(config-ssl-proxy) ocspserver 2-1304
(config-ssl-proxy) revcheckprio 2-1306
(config-ssl-proxy) ssl advanced-options 2-1308
Sticky HTTP Cookie Configuration Mode Commands 2-1309
(config-sticky-cookie) cookie insert 2-1310
(config-sticky-cookie) cookie 2-1311
(config-sticky-cookie) cookie secondary 2-1312
(config-sticky-cookie) replicate sticky 2-1313
(config-sticky-cookie) serverfarm 2-1314
(config-sticky-cookie) static cookie-value 2-1315
(config-sticky-cookie) timeout 2-1316
Sticky HTTP Content Configuration Mode Commands 2-1317
(config-sticky-content) content 2-1318
(config-sticky-content) replicate sticky 2-1320
(config-sticky-content) serverfarm 2-1321
(config-sticky-content) static content 2-1323
(config-sticky-content) timeout 2-1324
Sticky HTTP Header Configuration Mode Commands 2-1325
(config-sticky-header) header 2-1327
(config-sticky-header) replicate sticky 2-1329
(config-sticky-header) serverfarm 2-1330
(config-sticky-header) static header-value 2-1332
(config-sticky-header) timeout 2-1333
Sticky IP Configuration Mode Commands 2-1334
(config-sticky-ip) replicate sticky 2-1336
(config-sticky-ip) serverfarm 2-1337
(config-sticky-ip) static client source 2-1338
(config-sticky-ip) timeout 2-1341
Sticky Layer 4 Payload Configuration Mode Commands 2-1342
(config-sticky-l4payloa) layer4-payload 2-1344
(config-sticky-l4payloa) replicate sticky 2-1346
(config-sticky-l4payloa) response sticky 2-1347
(config-sticky-l4payloa) serverfarm 2-1348
(config-sticky-l4payloa) static layer4-payload 2-1349
(config-sticky-l4payloa) timeout 2-1350
Sticky RADIUS Configuration Mode Commands 2-1351
(config-sticky-radius) replicate sticky 2-1353
(config-sticky-radius) serverfarm 2-1354
(config-sticky-radius) timeout 2-1355
Sticky RTSP Header Configuration Mode Commands 2-1356
(config-sticky-header) header 2-1358
(config-sticky-header) replicate sticky 2-1360
(config-sticky-header) serverfarm 2-1361
(config-sticky-header) static header-value 2-1362
(config-sticky-header) timeout 2-1363
Sticky SIP Header Configuration Mode Commands 2-1364
(config-sticky-header) replicate sticky 2-1366
(config-sticky-header) serverfarm 2-1367
(config-sticky-header) static header-value 2-1368
(config-sticky-header) timeout 2-1369
TACACS+ Configuration Mode Commands 2-1371
(config-tacacs+) deadtime 2-1372
(config-tacacs+) server 2-1374
VM Configuration Mode Commands 2-1376
(config-vm) credentials 2-1377
(config-vm) url 2-1378
CLI Command Summary by Mode
Preface
This guide provides the command-line interface (CLI) information of the following products:
• Cisco ACE Application Control Engine Module (ACE module) in the Catalyst 6500 series switch or Cisco 7600 series router, hereinafter referred to as the switch or router, respectively
• Cisco ACE 4700 Series Application Control Engine Appliance (ACE appliance)
The information in this guide applies to both the ACE module and the ACE appliance unless otherwise noted. This information includes the following:
• How to use the CLI.
• The CLI commands, including syntax, options, and related commands.
This preface contains the following major sections:
• Audience
• How to Use This Guide
• Related Documentation
• Symbols and Conventions
• Obtaining Documentation, Obtaining Support, and Security Guidelines
Audience
This guide is intended for the following trained and qualified service personnel who are responsible for configuring the ACE:
• Web master
• System administrator
• System operator
How to Use This Guide
This guide is organized alphabetically by command mode, as follows:
Chapter: Description
Chapter 1, Using the Command-Line Interface: Describes how to use the command-line interface (CLI) on the ACE.
Chapter 1, CLI Commands: Provides detailed information for the following types of CLI commands for the ACE:
• Commands that you can enter after you log in to the ACE.
• Configuration mode commands that allow you to access global configuration mode and its subset of modes after you log in to the ACE.
Related Documentation
In addition to this document, the ACE documentation set includes the following:
Administration Guide, Cisco ACE Application Control Engine: Describes how to perform the following administration tasks on the ACE:
• Setting up the ACE
• Establishing remote access
• Managing software licenses
• Configuring class maps and policy maps
• Managing the ACE software
• Configuring SNMP
• Configuring redundancy
• Configuring the XML interface
• Upgrading the ACE software
Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine Appliance: (ACE appliance only) Describes how to configure the web optimization features of the ACE appliance. This guide also provides an overview and description of those features.
Cisco Application Control Engine (ACE) Configuration Examples Wiki: Provides examples of common configurations for load balancing, security, SSL, routing and bridging, virtualization, and so on.
Cisco Application Control Engine (ACE) Troubleshooting Wiki: Describes the procedures and methodology in wiki format to troubleshoot the most common problems that you may encounter during the operation of your ACE.
Command Reference, Cisco ACE Application Control Engine: Provides an alphabetical list and descriptions of all CLI commands by mode, including syntax, options, and related commands.
CSM-to-ACE Conversion Tool Guide, Cisco ACE Application Control Engine Module: (ACE module only) Describes how to use the CSM-to-ACE module conversion tool to migrate Cisco Content Switching Module (CSM) running-configuration or startup-configuration files to the ACE.
CSS-to-ACE Conversion Tool Guide, Cisco ACE Application Control Engine: Describes how to use the CSS-to-ACE conversion tool to migrate Cisco Content Services Switches (CSS) running-configuration or startup-configuration files to the ACE.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance: (ACE appliance only) Describes how to use the Device Manager GUI, which resides in flash memory on the ACE appliance, to provide a browser-based interface for configuring and managing the appliance.
Getting Started Guide, Cisco ACE Application Control Engine Module: (ACE module only) Describes how to perform the initial setup and configuration tasks for the ACE module.
Getting Started Guide, Cisco ACE 4700 Series Application Control Engine Appliance: (ACE appliance only) Describes how to use the ACE appliance Device Manager GUI and CLI to perform the initial setup and configuration tasks.
Hardware Installation Guide, Cisco ACE 4710 Application Control Engine Appliance: (ACE appliance only) Provides information for installing the ACE appliance.
Installation Note, Cisco ACE Application Control Engine ACE30 Module: (ACE module only) Provides information for installing the ACE module into the Catalyst 6500 series switch or a Cisco 7600 series router.
Regulatory Compliance and Safety Information, Cisco ACE 4710 Application Control Engine Appliance: (ACE appliance only) Regulatory compliance and safety information for the ACE appliance.
Release Note, Cisco ACE 4700 Series Application Control Engine Appliance: (ACE appliance only) Provides information about operating considerations, caveats, and command-line interface (CLI) commands for the ACE appliance.
Release Note, Cisco ACE Application Control Engine Module: (ACE module only) Provides information about operating considerations, caveats, and command-line interface (CLI) commands for the ACE module.
Routing and Bridging Guide, Cisco ACE Application Control Engine: Describes how to perform the following routing and bridging tasks on the ACE:
• (ACE appliance only) Ethernet ports
• VLAN interfaces
• IPv6, including transitioning IPv4 networks to IPv6, IPv6 header format, IPv6 addressing, and supported protocols
• Routing
• Bridging
• Dynamic Host Configuration Protocol (DHCP)
Security Guide, Cisco ACE Application Control Engine: Describes how to perform the following ACE security configuration tasks:
• Security access control lists (ACLs)
• User authentication and accounting using a Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) server
• Application protocol and HTTP deep packet inspection
• TCP/IP normalization and termination parameters
• Network Address Translation (NAT)
Server Load-Balancing Guide, Cisco ACE Application Control Engine: Describes how to configure the following server load-balancing features on the ACE:
• Real servers and server farms
• Class maps and policy maps to load balance traffic to real servers in server farms
• Server health monitoring (probes)
• Stickiness
• Dynamic workload scaling (DWS)
• Firewall load balancing
• TCL scripts
SSL Guide, Cisco ACE Application Control Engine: Describes how to configure the following Secure Sockets Layer (SSL) features on the ACE:
• SSL certificates and keys
• SSL initiation
• SSL termination
• End-to-end SSL
System Message Guide, Cisco ACE Application Control Engine: Describes how to configure system message logging on the ACE. This guide also lists and describes the system log (syslog) messages generated by the ACE.
Upgrade/Downgrade Guide, Cisco ACE 4700 Series Application Control Engine Appliance: (ACE appliance only) Describes how to perform an ACE appliance software upgrade or downgrade.
User Guide, Cisco Application Networking Manager: Describes how to use Cisco Application Networking Manager (ANM), a network management application for monitoring and configuring network devices, including the ACE.
Virtualization Guide, Cisco ACE Application Control Engine: Describes how to operate your ACE in a single context or in multiple contexts.
Symbols and Conventions
This publication uses the following conventions:
boldface font: Commands, command options, and keywords are in boldface. Bold text also indicates a command in a paragraph.
italic font: Arguments for which you supply values are in italics. Italic text also indicates the first occurrence of a new term, a book title, or emphasized text.
{ }: Encloses required arguments and keywords.
[ ]: Encloses optional arguments and keywords.
{ x | y | z }: Required alternative keywords are grouped in braces and separated by vertical bars.
[ x | y | z ]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
screen font: Terminal sessions and information the system displays are in screen font.
boldface screen font: Information you must enter in a command line is in boldface screen font.
italic screen font: Arguments for which you supply values are in italic screen font.
^: The symbol ^ represents the key labeled Control. For example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< >: Nonprinting characters, such as passwords, are in angle brackets.
Notes use the following conventions:
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Cautions use the following conventions:
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
For additional information about CLI syntax formatting, see Chapter 1, Using the Command-Line Interface.
Obtaining Documentation, Obtaining Support, and Security
Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback,
security guidelines, and also recommended aliases and general Cisco documents, see the monthly
What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical
documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Chapter 1
CLI Commands
This chapter provides detailed information for the following types of CLI commands for the ACE:
• Commands that you can enter after you log in to the ACE.
• Configuration mode commands that allow you to access configuration mode and its subset of modes
after you log in to the ACE.
The description of each command includes the following:
• The syntax of the command
• Any related commands, when appropriate
Exec Mode Commands
You can access Exec mode commands immediately after you log in to an ACE. Many of these commands
are followed by keywords that make them distinct commands (for example, show aaa, show access-list,
show accounting, and so on). To increase readability of command syntax, these commands are presented
separately in this command reference.
You can also execute Exec mode commands from any of the configuration modes using the do command.
For example, to display the ACE running configuration from the Exec mode, use the show
running-config command. To execute the same command from the configuration mode, use the do show
running-config command.
backup
To back up the configuration files and dependent files in a context or in all contexts, use the backup command.
backup [all] [pass-phrase text_string] [exclude component]
Syntax Description
all (Optional) Specifies that the ACE should back up the configuration files and dependencies in all contexts. You can specify this keyword only in the Admin context.
exclude component (Optional) Specifies the components that you do not wish to back up. You can enter any of the following components, in any order and separated by a comma if you enter more than one:
• checkpoints—Excludes all checkpoints
• ssl-files—Excludes SSL certificate files and key files
pass-phrase text_string (Optional) Passphrase that you specify to encrypt the backed-up SSL keys. Enter the passphrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. You must enter the pass-phrase keyword before the exclude keyword. If you enter a passphrase and then exclude the SSL files from the archive, the ACE does not use the passphrase.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
A2(3.0) This command was introduced.
ACE Appliance Release Modification
A4(1.0) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The backup command has the following configuration guidelines and limitations:
• Use the Admin context for an ACE-wide backup and the corresponding context for a user context backup.
• When you back up the running-configuration file, the ACE uses the output of the show running-config command as the basis for the archive file.
• The ACE backs up only exportable certificates and keys.
• License files are backed up only when you back up the Admin context.
• Use a passphrase to back up SSL keys in encrypted form. Remember the passphrase or write it down and store it in a safe location. When you restore the encrypted keys, you must enter the passphrase to decrypt the keys. If you use a passphrase when you back up the SSL keys, the ACE encrypts the keys with AES-256 encryption using OpenSSL software.
• If you imported SSL certificates or keys with a crypto passphrase, you must use the pass-phrase option to encrypt the crypto passphrase when you back up these files.
• Only probe scripts that reside in disk0: need to be backed up. The prepackaged probe scripts in the probe: directory are always available. When you perform a backup, the ACE automatically identifies and backs up the scripts in disk0: that are required by the configuration.
• The ACE does not resolve any other dependencies required by the configuration during a backup except for scripts that reside in disk0:. For example, if you configured SSL certificates in an SSL proxy in the running-configuration file but later deleted the certificates, the backup proceeds as if the certificates still existed.
• To perform a backup or a restore operation, you must have the admin RBAC feature in your user role.
Examples To back up all contexts in the ACE, enter:
host1/Admin# backup all pass-phrase MY_PASS_PHRASE
Related Commands restore
show backup
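A longer backup session than the one-line example above, added here as an illustration and not taken from the reference itself. The hostname host1, the user context CTX1, the passphrase and the archive filename are placeholders, and the interactive copy to an SFTP server is an assumption about the copy command, which has its own entry. The point it makes is a security one: a full backup carries the exportable SSL private keys, so the passphrase is the only protection the archive has once it leaves the device, and a user-context backup that does not need the keys can leave them out with exclude.

```cisco
! ACE-wide backup from the Admin context (the only context in which 'all' is accepted).
! The passphrase is illustrative: an unquoted string, no spaces, at most 40 alphanumeric
! characters. Without a passphrase the exportable SSL keys are archived unencrypted.
host1/Admin# backup all pass-phrase Ex4mpleBackupKey2011
host1/Admin# show backup

! Backup of a single user context that omits the SSL files and the checkpoints. Because
! ssl-files is excluded a pass-phrase would be ignored, so none is given. When both are
! used, pass-phrase must come before exclude.
host1/Admin# changeto CTX1
host1/CTX1# backup exclude ssl-files,checkpoints
host1/CTX1# show backup
host1/CTX1# changeto Admin

! Locate the archive in flash and move it off the device. The filename is a placeholder
! (use the name reported by show backup or dir); copy to sftp: is assumed to prompt
! for the server, user name and destination path.
host1/Admin# dir disk0:
host1/Admin# copy disk0:host1_Admin_ctx_backup.tgz sftp:
```

The passphrase is also what you need at restore time, so it belongs wherever the organisation keeps other key-encryption secrets, not in the same place as the archive.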
capture
To enable the context packet capture function for packet sniffing and network fault isolation, use the capture command. As part of the packet capture process, you specify whether to capture packets from all interfaces or from an individual VLAN interface.
capture buffer_name {{all | interface vlan number} access-list name [bufsize buf_size [circular-buffer]] | remove | start | stop}
Syntax Description
buffer_name Name of the packet capture buffer. The buffer_name argument associates the packet capture with a name. Specify an unquoted text string with no spaces from 1 to 80 alphanumeric characters.
all Specifies that packets from all input interfaces are captured.
interface Specifies a particular input interface from which to capture packets.
vlan number Specifies the VLAN identifier associated with the interface.
access-list name Selects packets to capture based on a specific access list. A packet must pass the access list filters before the packet is stored in the capture buffer. Specify a previously created access list identifier. Enter an unquoted text string with a maximum of 64 characters.
Note Ensure that the access list is written for an input interface; input is considered with regard to the direction of the session that you wish to capture. If you configure the packet capture on the output interface, the ACE fails to match any packets.
bufsize buf_size (Optional) Specifies the buffer size, in kilobytes (KB), used to store the packet capture. The range is from 1 to 5000 KB.
circular-buffer (Optional) Enables the packet capture buffer to overwrite itself, starting from the beginning, when the buffer is full.
remove Clears the packet capture configuration.
start Starts the packet capture function and displays the messages on the session console as the ACE receives the packets. The CLI prompt returns and you can type other commands at the same time that the ACE is capturing packets. To stop the capture process, use the stop option. The packet capture function automatically stops when the buffer is full unless you enable the circular buffer function.
stop Stops the packet capture process after a brief delay.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
3.0(0)A1(5) The buffer size was limited to 5000 KB.
A2(1.0) The stop option was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) The stop option was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The packet capture function uses access control lists (ACLs) to control which packets the ACE captures on the input interface. If the ACLs select an excessive amount of traffic for the packet capture operation, the ACE sees a heavy load, which can degrade performance. We recommend that you avoid using the packet capture function when high network performance is critical.
To capture packets for both IPv6 and IPv4 in the same buffer, configure the capture command twice: once with an IPv6 ACL and once with an IPv4 ACL.
Under high traffic conditions, you may observe up to 64 packets printing on the console after you enter the stop keyword. These additional messages can occur because the packets were in transit or buffered before you entered the stop keyword.
The packet capture function works on an individual context basis. The ACE traces only the packets that belong to the context where you execute the capture command. You can use the context ID, which is passed with the packet, to isolate packets that belong to a specific context. To trace the packets for a single specific context, use the changeto command and enter the capture command in the new context.
The ACE does not automatically save the packet capture in a configuration file. To copy the capture buffer information to a file in flash memory, use the copy capture command.
Examples To start the packet capture function for CAPTURE1, enter:
host1/Admin# capture CAPTURE1 interface vlan50 access-list ACL1
host1/Admin# capture CAPTURE1 start
To stop the packet capture function for CAPTURE1, enter:
host1/Admin# capture CAPTURE1 stop
Related Commands clear icmp statistics
copy capture
show capture
changeto
To move from one context on the ACE to another context, use the changeto command.
changeto context_name
Syntax Description
context_name Name of an existing context. This argument is case sensitive.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.3) You can apply the changeto feature to a rule for a user-defined role.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.2) You can apply the changeto feature to a rule for a user-defined role.
Usage Guidelines This command requires the changeto feature in your user role; the feature is included in all of the predefined user roles. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Only users authorized in the Admin context or configured with the changeto feature can use the changeto command to navigate between the various contexts. Context administrators without the changeto feature who have access to multiple contexts must explicitly log in to the other contexts to which they have access.
The command prompt indicates the context that you are currently in (see the following example).
The predefined user role that is enforced after you enter the changeto command is that of the Admin context and not that of the non-Admin context.
You cannot add, modify, or delete objects in a custom domain after you change to a non-Admin context:
• If you originally had access to the default-domain in the Admin context prior to moving to a non-Admin context, the ACE allows you to configure any object in the non-Admin context.
• If you originally had access to a custom domain in the Admin context prior to moving to a non-Admin context, any objects that you create in the non-Admin context are added to the default-domain. However, an error message appears when you attempt to modify existing objects in the non-Admin context.
User-defined roles configured with the changeto feature retain their privileges when accessing different contexts.
Examples To change from the Admin context to the context CTX1, enter:
host1/Admin# changeto CTX1
host1/CTX1#
Related Commands exit
show context
(config) context
(config-role) rule
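The per-context capture workflow that the capture usage guidelines describe (change to the context that owns the traffic, filter with an ACL written for the input direction, capture, save the buffer, clean up), written out as an added example; it is not a session from the original reference. The context CTX1, VLAN 50, the VIP address 192.0.2.10 and the file name are placeholders, the access-list line follows the (config) access-list extended syntax as assumed here, and the copy capture form is an assumption (see that command's entry).

```cisco
! Capture is per context: switch to the context whose flows you want to see.
host1/Admin# changeto CTX1

! Filter ACL (syntax assumed from the (config) access-list extended entry). Write it
! from the input direction of the session: client packets arriving for the VIP.
host1/CTX1# config
host1/CTX1(config)# access-list CAP_HTTP line 10 extended permit tcp any host 192.0.2.10 eq 80
host1/CTX1(config)# exit

! Bind the buffer to the client-facing VLAN. A circular 2000 KB buffer keeps capturing
! and overwrites the oldest packets instead of stopping when it fills.
host1/CTX1# capture CAP1 interface vlan50 access-list CAP_HTTP bufsize 2000 circular-buffer
host1/CTX1# capture CAP1 start
! ... reproduce the problem. Up to 64 in-flight packets may still print after stop.
host1/CTX1# capture CAP1 stop
host1/CTX1# show capture CAP1

! The buffer is not kept in any configuration file: copy it to flash before clearing it
! (copy capture syntax assumed), then release the buffer and remove the definition.
host1/CTX1# copy capture CAP1 disk0:cap1.pcap
host1/CTX1# dir disk0:
host1/CTX1# clear capture CAP1
host1/CTX1# capture CAP1 remove
host1/CTX1# changeto Admin
```

Keep the filter ACL as narrow as the problem allows: a permissive ACL turns the capture into the load problem the usage guidelines warn about, and an ACL written for the output direction matches nothing at all.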
checkpoint
To create, delete, or roll back to a checkpoint (snapshot) of the running configuration, use the checkpoint command.
checkpoint {create | delete | rollback} name
Syntax Description
create Creates a new checkpoint with the value of name.
delete Deletes the existing checkpoint with the value of name.
rollback Reverts the running configuration to the checkpoint with the value of name.
name Name of a new or existing checkpoint. Enter a text string from 1 to 50 alphanumeric characters (no spaces).
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If the running-configuration file has the no ft auto-sync command configured and the checkpoint has the ft auto-sync command configured, a checkpoint rollback fails with the following message:
Warning : 'no ft auto-sync' & 'ft auto-sync' conflict detected - Rollback will fail
Failing Scenario - running config has 'no ft auto-sync' / checkpoint has 'ft auto-sync'
Examples To create the checkpoint CP102305, enter:
host1/Admin# checkpoint create CP102305
Related Commands compare
copy checkpoint
show checkpoint
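A change-window procedure built around checkpoint, added as an illustration rather than taken from the reference. The checkpoint name is a placeholder; show checkpoint all, show checkpoint detail and the | include output filter are assumed to be available (show checkpoint has its own entry). It shows the check that avoids the ft auto-sync rollback failure described above.

```cisco
! Snapshot the running configuration of this context before a risky change.
host1/Admin# checkpoint create PRE_SSL_CHANGE
host1/Admin# show checkpoint all

! ... apply and test the change. If it must be undone, first make sure the rollback
! will not hit the auto-sync conflict: a running 'no ft auto-sync' combined with a
! checkpoint that contains 'ft auto-sync' makes the rollback fail.
host1/Admin# show running-config | include auto-sync
host1/Admin# show checkpoint detail PRE_SSL_CHANGE | include auto-sync
! If the running config shows 'no ft auto-sync' and the checkpoint has 'ft auto-sync',
! one way to clear the conflict is to re-enable ft auto-sync in configuration mode
! before rolling back.

host1/Admin# checkpoint rollback PRE_SSL_CHANGE

! Rollback reverts the running configuration; save it if the restored state is the one
! that should survive a reload, then drop the checkpoint once it is no longer needed.
host1/Admin# copy running-config startup-config
host1/Admin# checkpoint delete PRE_SSL_CHANGE
```

Checkpoints are also part of what backup archives unless you exclude them, so stale checkpoints that contain secrets or superseded settings are worth deleting rather than leaving on disk0:.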
clear access-list
To clear access control list (ACL) statistics, use the clear access-list command.
clear access-list name
Syntax Description
name Name of an existing ACL.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the statistics for the access control list ACL1, enter:
host1/Admin# clear access-list ACL1
Related Commands show access-list
(config) access-list ethertype
(config) access-list extended
clear accounting log
To clear the accounting log, use the clear accounting log command.
clear accounting log
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the accounting log, enter:
host1/Admin# clear accounting log
Related Commands show accounting log
(config) aaa accounting default
clear acl-merge statistics
To clear the ACL-merge statistics, use the clear acl-merge statistics command.
clear acl-merge statistics
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A3(2.5) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the ACL-merge statistics, enter:
host1/Admin# clear acl-merge statistics
Related Commands show acl-merge
(config) access-list extended
clear arp
To clear the Address Resolution Protocol (ARP) entries in the ARP table or the statistics of the ARP processes, use the clear arp command.
clear arp [no-refresh | {statistics [vlan number] [interface_name]}]
Syntax Description
no-refresh (Optional) Removes the learned ARP entries from the ARP table without refreshing the ARP entries.
statistics [vlan number] (Optional) Clears the ARP statistics counters globally or for the specified VLAN, vlan number.
[interface_name] (Optional, ACE appliance only) Clears the ARP statistics counters globally or for the specified interface, interface_name.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised with the vlan option.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised with the vlan option.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If you enter the clear arp command with no option, it clears all learned ARP entries and then refreshes the ARP entries.
Examples To clear the ARP statistics, enter:
host1/Admin# clear arp statistics
To clear the learned ARP entries and then refresh the ARP entries, enter:
host1/Admin# clear arp
Related Commands show arp
(config) arp
clear buffer stats
To clear the control plane buffer statistics, use the clear buffer stats command.
clear buffer stats
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To clear the control plane buffer statistics, enter:
host1/Admin# clear buffer stats
Related Commands show buffer
clear capture
To clear an existing capture buffer, use the clear capture command.
clear capture name
Syntax Description
name Name of an existing capture buffer.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Use the dir command to view the capture files that you copied to the disk0: file system using the copy capture command.
Examples To clear the capture buffer CAPTURE1, enter:
host1/Admin# clear capture CAPTURE1
Related Commands capture
copy capture
dir
show capture
clear cde
(ACE module only) To clear the classification and distribution engine (CDE) statistics and interrupt counts, use the clear cde command.
clear cde {interrupt | stats}
Syntax Description
interrupt Clears the CDE interrupt counts.
stats Clears the CDE statistics.
Command Modes Exec
Admin context
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command requires the Admin role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To clear the CDE interrupt counts, enter:
host1/Admin# clear cde interrupt
Related Commands show cde
clear cfgmgr internal history
To clear the Configuration Manager internal history, use the clear cfgmgr internal history command.
clear cfgmgr internal history
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To clear the Configuration Manager internal history, enter:
host1/Admin# clear cfgmgr internal history
Related Commands show cfgmgr
clear conn
To clear a connection that passes through, terminates on, or originates from the ACE, use the clear conn command.
clear conn [all | flow {prot_number | icmp | tcp | udp} source_ip source_port dest_ip dest_port | id number np number | rserver name [port_number] serverfarm sfarm_name]
Syntax Description
all (Optional) Clears all connections that go through the ACE, originate from the ACE, or terminate on the ACE.
flow (Optional) Clears the connection that matches the specified flow descriptor.
prot_number Protocol number of the flow.
icmp Specifies flows that use ICMP.
tcp Specifies flows that use TCP.
udp Specifies flows that use UDP.
source_ip Source IP address of the flow.
source_port Source port of the flow.
dest_ip Destination IP address of the flow.
dest_port Destination port of the flow.
id number (Optional) Clears the connection with the specified connection ID number as displayed in the output of the show conn command.
np number Specifies the network processor that owns the connection with the specified connection ID.
rserver name (Optional) Clears all connections to the specified real server.
port_number (Optional) Port number associated with the specified real server. Enter an integer from 1 to 65535.
serverfarm sfarm_name (Optional) Clears all connections to the specified real server associated with this server farm.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
Usage Guidelines This command requires the loadbalance, inspect, NAT, connection, or SSL feature in your user role. For
details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE
Application Control Engine.
To clear only the connections that go through the ACE (flows that pass through the ACE between the
originating network host and the terminating network host), use the clear conn command without any
keywords. When you do not include any keywords, the connections that terminate or originate with the
ACE are not cleared.
Examples To clear the connections for the real server RSERVER1, enter:
host1/Admin# clear conn rserver RSERVER1
Related Commands show conn
clear cores
To clear all of the core dumps stored in the core: file system, use the clear cores command.
clear cores
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Note The ACE creates a core dump when it experiences a fatal error. Core dump information is for Cisco Technical Assistance Center (TAC) use only. We recommend that you contact TAC for assistance in interpreting the information in the core dump.
To view the list of core files in the core: file system, use the dir core: command.
To save a copy of a core dump to a remote server before clearing it, use the copy core: command.
To delete a specific core dump file from the core: file system, use the delete core: command.
Examples To clear all core dumps, enter:
host1/Admin# clear cores
Related Commands copy core:
delete
dir
clear crypto session-cache
To clear the session cache information in the context, use the clear crypto session-cache command.
clear crypto session-cache [all]
Syntax Description
all  (Optional) Clears the session cache information for all contexts. This option is available in the Admin context only.
Command Modes Exec
Admin and user context. The all option is available in the Admin context only.
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To clear the session cache information in the context, enter:
host1/Admin# clear crypto session-cache
Related Commands This command has no related commands.
clear dc
(ACE module only) To clear the daughter card interrupt and register statistics on the ACE module, use the clear dc command.
clear dc dc_number {controller {interrupts | stats} | interrupt}
Syntax Description
dc_number  Number of the daughter card (1 or 2).
controller  Specifies the daughter card controller.
interrupts  Clears the specified daughter card controller interrupt statistics.
stats  Clears the specified daughter card cumulative controller statistics.
interrupt  Clears the specified daughter card interrupt count.
Command Modes Exec
Admin context only.
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
Usage Guidelines This command requires the Admin user role in the Admin context. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the daughter card 1 controller interrupt statistics, enter:
host1/Admin# clear dc 1 controller interrupts
Related Commands set dc
show dc
clear debug-logfile
To remove a debug log file, use the clear debug-logfile command.
clear debug-logfile filename
Syntax Description
filename  Name of an existing debug log file.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE debug commands are intended for use by trained Cisco personnel only. Entering these commands may cause unexpected results. Do not attempt to use these commands without guidance from Cisco support personnel.
Examples To clear the debug log file DEBUG1, enter:
host1/Admin# clear debug-logfile DEBUG1
Related Commands debug
show debug
clear fifo stats
To clear the control plane packet first in, first out (FIFO) statistics, use the clear fifo stats command.
clear fifo stats
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To clear the control plane FIFO statistics, enter:
host1/Admin# clear fifo stats
Related Commands show fifo
clear ft
To clear the various fault-tolerant (FT) statistics, use the clear ft command.
clear ft {all | ha-stats | hb-stats | history {cfg_cntlr | ha_dp_mgr | ha_mgr} | track-stats [all]}
Syntax Description
all  Clears all redundancy statistics, including all TL, heartbeat, and tracking counters.
ha-stats  Clears all transport layer-related counters that the ACE displays as part of the show ft peer detail command output.
hb-stats  Clears all heartbeat-related statistics. When you enter this command for the first time, the ACE sets the heartbeat statistics counters to zero and stores a copy of the latest statistics locally. From that point on, when you enter the show ft hb-stats command, the ACE displays the difference between the statistics that are stored locally and the current statistics.
history  Clears the redundancy history statistics.
track-stats  Clears tracking-related statistics for the Admin FT group only, a user context FT group only, or for all FT groups that are configured in the ACE.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was extensively revised. This version of software introduced the all, ha-stats, hb-stats, history, and track-stats keywords, and removed the original stats keyword.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was extensively revised. This version of software introduced the all, ha-stats, hb-stats, history, and track-stats keywords, and removed the original stats keyword.
Usage Guidelines This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear all fault-tolerant statistics, enter:
host1/Admin# clear ft all
Related Commands show ft
(config) ft auto-sync
(config) ft group
(config) ft interface vlan
(config) ft peer
(config) ft track host
(ACE module only) (config) ft track hsrp
(config) ft track interface
clear icmp statistics
To clear the Internet Control Message Protocol (ICMP) statistics, use the clear icmp statistics command.
clear icmp statistics
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the ICMP statistics, enter:
host1/Admin# clear icmp statistics
Related Commands show icmp statistics
clear interface
To clear the interface statistics, use the clear interface command.
clear interface [bvi number | vlan number | gigabitEthernet slot_number/port_number]
Syntax Description
bvi number  (Optional) Clears the statistics for the specified Bridge Group Virtual Interface (BVI).
vlan number  (Optional) Clears the statistics for the specified VLAN.
gigabitEthernet slot_number/port_number  (Optional, ACE appliance only) Clears the statistics for the specified Gigabit Ethernet slot and port.
• The slot_number represents the physical slot on the ACE containing the Ethernet ports. This selection is always 1.
• The port_number represents the physical Ethernet port on the ACE. Valid selections are 1 through 4.
This keyword is available in the Admin context only.
Command Modes Exec
BVI and VLAN—Admin and user contexts
(ACE appliance only) Ethernet data port—Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the interface feature in your user role. In addition, the Ethernet data port interface command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To clear all of the interface statistics, enter the clear interface command without using the optional VLAN and BVI keywords.
Examples ACE Module Example
To clear all of the interface statistics for VLAN 212, enter:
host1/Admin# clear interface vlan 212
ACE Appliance Example
To clear the statistics for Ethernet port 3, enter:
host1/Admin# clear interface gigabitEthernet 1/3
Related Commands show interface
(config) interface
clear ip
To clear the IP and Dynamic Host Configuration Protocol (DHCP) relay statistics, use the clear ip command.
clear ip [dhcp relay statistics | statistics]
Syntax Description
dhcp relay statistics  (Optional) Clears all of the DHCP relay statistics.
statistics  (Optional) Clears all of the statistics associated with IP normalization, fragmentation, and reassembly.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the DHCP feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To clear the IP and DHCP relay statistics, execute the clear ip command without using the optional keywords.
Examples To clear all of the IP normalization, fragmentation, and reassembly statistics, enter:
host1/Admin# clear ip statistics
Related Commands show ip
clear ipv6
To clear the Dynamic Host Configuration Protocol (DHCP) relay and neighbor discovery statistics, use the clear ipv6 command.
clear ipv6 {dhcp relay statistics | {neighbors [no-refresh | vlan vlan_id ipv6_address [no-refresh] | ipv6_address [no-refresh]]}}
Syntax Description
dhcp relay statistics  Clears all the DHCPv6 relay statistics.
neighbors  Clears all the statistics associated with neighbor discovery.
no-refresh  (Optional) The ACE deletes the neighbor information from the cache and does not perform a refresh.
vlan vlan_id  (Optional) Deletes the neighbor information associated with the specified VLAN interface.
ipv6_address  (Optional) Deletes the neighbor information associated with the specified IPv6 address.
Command Modes Exec
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines This command requires the DHCP feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear all the DHCPv6 statistics, enter:
host1/Admin# clear ipv6 dhcp relay statistics
Related Commands show ipv6
clear line
To close a specified virtual terminal (VTY) session, use the clear line command.
clear line vty_name
Syntax Description
vty_name  Name of a VTY session. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To terminate the VTY session VTY1, enter:
host1/Admin# clear line VTY1
Related Commands (ACE module only) (config) line console
(config) line vty
clear logging
To clear information stored in the logging buffer, use the clear logging command.
clear logging [disabled | rate-limit]
Syntax Description
disabled  (Optional) Clears the logging buffer of “disabled” messages.
rate-limit  (Optional) Clears the logging buffer of “rate-limit configuration” messages.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To clear all of the information stored in the logging buffer, enter the clear logging command without using either of the optional keywords.
Examples To clear all of the information stored in the logging buffer, enter:
host1/Admin# clear logging
Related Commands show logging
(config) logging buffered
clear netio stats
To clear the control plane network I/O statistics, use the clear netio stats command.
clear netio stats
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To clear the control plane network I/O statistics, enter:
host1/Admin# clear netio stats
Related Commands show netio
clear np
To clear the network processor interrupt error statistics that appear when you enter the show np number interrupts command, use the clear np command.
clear np number interrupts
Syntax Description
number  Specifies the number of the network processor whose interrupt statistics you want to clear. Enter an integer from 1 to 4.
interrupts  Clears the interrupt statistics of the network processor that you specify.
Command Modes Exec
Admin context only
Command History
Release Modification
A4(1.0) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the network processor interrupt error statistics, enter:
host1/Admin# clear np 1 interrupts
Related Commands show np
clear ntp statistics
(ACE appliance only) To clear the NTP statistics that display when you enter the show ntp command, use the clear ntp command.
clear ntp statistics {all-peers | io | local | memory}
Syntax Description
all-peers  Clears all peer statistics.
io  Clears the I/O statistics.
local  Clears the local statistics.
memory  Clears the memory statistics.
Command Modes Exec
Admin context only
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the NTP memory statistics, enter:
host1/Admin# clear ntp statistics memory
Related Commands (config) ntp
clear probe
To clear the probe statistics displayed through the show probe command, use the clear probe command.
clear probe name
Syntax Description
name  Name of an existing probe.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear all the statistics for the probe HTTP1, enter:
host1/Admin# clear probe HTTP1
Related Commands show probe
(config) probe
clear processes log
To clear the statistics for the processes log, use the clear processes log command.
clear processes log {all | pid id}
Syntax Description
all  Clears all statistics for the processes logs.
pid id  Specifies the processes log to clear.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To display the list of process identifiers assigned to each of the processes running on the ACE, use the show processes command.
Examples To clear all the statistics for the processes log, enter:
host1/Admin# clear processes log all
Related Commands show processes
clear rserver
To clear the real server statistics of all instances of a particular real server regardless of the server farms that it is associated with, use the clear rserver command.
clear rserver name
Syntax Description
name  Name of the real server.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the rserver feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If you have redundancy configured, then you need to explicitly clear real-server statistics on both the active and the standby ACEs. Clearing statistics on the active ACE only will leave the standby ACE’s statistics at the old values.
Examples To clear the statistics for the real server RS1, enter:
host1/Admin# clear rserver RS1
Related Commands show rserver
(config) rserver
clear rtcache
To clear the route cache, use the clear rtcache command.
clear rtcache
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the route cache, enter:
host1/Admin# clear rtcache
Related Commands This command has no related commands.
clear screen
To clear the display screen, use the clear screen command.
clear screen
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the display screen, enter:
host1/Admin# clear screen
Related Commands This command has no related commands.
clear serverfarm
To clear the statistics for all real servers in a specific server farm, use the clear serverfarm command.
clear serverfarm name [inband | predictor | retcode]
Syntax Description
name  Name of an existing server farm.
inband  (Optional) Resets the inband health monitoring Total failure counters for the specified server farm, as displayed by the show serverfarm name inband command.
predictor  (Optional) Resets the average bandwidth field for each real server in the specified server farm, as displayed by the show serverfarm name detail command.
retcode  (Optional) Clears the return-code statistics for the server farm.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
A2(1.3) The predictor option was added.
A4(1.0) The inband option was added.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised. The predictor option was added.
A4(1.0) The inband option was added.
Usage Guidelines This command requires the serverfarm feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the statistics for the server farm SFARM1, enter:
host1/Admin# clear serverfarm SFARM1
Related Commands show serverfarm
(config) serverfarm
clear service-policy
To clear the service policy statistics, use the clear service-policy command.
clear service-policy policy_name
Syntax Description
policy_name  Name of an existing policy map that is currently in service (applied to an interface).
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the statistics for the service policy HTTP1, enter:
host1/Admin# clear service-policy HTTP1
Related Commands show service-policy
clear ssh
To clear a Secure Shell (SSH) session or clear the public keys of all SSH hosts, use the clear ssh command.
clear ssh {session_id | hosts}
Syntax Description
session_id  Identifier of the SSH session to clear, terminating the session.
hosts  Clears the public keys of all trusted SSH hosts. This keyword is available to all users in all contexts.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To obtain the specific SSH session ID value, use the show ssh session-info command.
Examples To clear the SSH session with the identifier 345, enter:
host1/Admin# clear ssh 345
Related Commands clear telnet
show ssh
(config) ssh key
(config) ssh maxsessions
clear startup-config
To clear the startup configuration of the current context, use the clear startup-config command.
clear startup-config
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Clearing the startup configuration does not affect the context running-configuration.
The clear startup-config command does not remove license files or crypto files (certs and keys) from the ACE. To remove license files, see the license uninstall command. To remove crypto files, see the crypto delete command.
To clear the startup configuration, you can also use the write erase command.
Before you clear a startup configuration, we recommend that you back up your current startup configuration to a file on a remote server using the copy startup-config command. Once you clear the startup configuration, you can perform one of the following processes to recover a copy of an existing configuration:
• Use the copy running-config startup-config command to copy the contents of the running configuration to the startup configuration.
• Upload a backup of a previously saved startup-configuration file from a remote server using the copy startup-config command.
Examples To clear the startup configuration, enter:
host1/Admin# clear startup-config
Related Commands copy capture
show startup-config
write
clear stats
To clear the statistical information stored in the ACE buffer, use the clear stats command.
clear stats {all | connection | {crypto [client | server [alert | authentication | cipher | termination]]} | http | inspect | kalap | loadbalance [radius | rdp | rtsp | sip] | optimization | probe | resource-usage | sticky}
Syntax Description
all  Clears all statistical information in a context. The all keyword also clears the resource usage counters.
connection  Clears connection statistical information.
crypto  Clears TLS and SSL statistics from the context. If you do not enter the client or server option, the ACE clears both the client and server statistics.
client  (Optional) Clears the complete TLS and SSL client statistics for the current context.
server  (Optional) Clears the complete TLS and SSL server statistics for the current context.
alert  (Optional) Clears the back-end SSL alert statistics.
authentication  (Optional) Clears the back-end SSL authentication statistics.
cipher  (Optional) Clears the back-end SSL cipher statistics.
termination  (Optional) Clears the back-end SSL termination statistics.
http  Clears HTTP statistical information.
inspect  Clears HTTP inspect statistical information.
kalap  Clears the global server load-balancing (GSLB) statistics.
loadbalance  Clears load-balancing statistical information.
radius  (Optional) Clears Remote Authentication Dial-In User Service (RADIUS) load-balancing statistical information.
rdp  (Optional) Clears Reliable Datagram Protocol (RDP) load-balancing statistical information.
rtsp  (Optional) Clears Real-Time Streaming Protocol (RTSP) load-balancing statistical information.
sip  (Optional) Clears Session Initiation Protocol (SIP) load-balancing statistical information.
optimization  (ACE appliance only) Clears HTTP optimization statistics.
probe  Clears probe statistical information.
resource-usage  Clears resource usage-related context statistics.
sticky  Clears sticky statistical information.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) The crypto keyword and client | server [alert | authentication | cipher | termination] options were added.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) The resource-usage keyword was added.
A3(2.1) The crypto keyword and client | server [alert | authentication | cipher | termination] options were added.
Usage Guidelines This command requires the loadbalance, inspect, NAT, connection, sticky, or SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If you have redundancy configured, then you need to explicitly clear sticky statistics on both the active and the standby ACEs. Clearing statistics on the active ACE only will leave the standby ACE’s statistics at the old values.
Examples To clear sticky statistics, enter:
host1/Admin# clear stats sticky
Related Commands show stats
clear sticky database
To clear dynamic sticky database entries, use the clear sticky database command.
clear sticky database {active-conn-count min value1 max value2 | all | group group_name | time-to-expire min value3 max value4 | type {hash-key value5 | http-cookie value6 | ip-netmask {both {source ip_address2 destination ip_address3} | destination ip_address4 | source ip_address5}}
Syntax Description
active-conn-count min value1 max value2  Clears the sticky database entries within the specified connection count range.
all  Clears all dynamic sticky database entries in a context.
group group_name  Clears all dynamic sticky database entries for the specified sticky group.
time-to-expire min value3 max value4  Clears the sticky database entries within the specified time to expire range.
type {hash-key value5 | http-cookie value6 | ip-netmask {both {source ip_address2 destination ip_address3} | destination ip_address4 | source ip_address5}}  Clears sticky database entries for one of the following sticky group types:
– hash-key value
– http-cookie value
– ip-netmask {both {source ip_address2 destination ip_address3} | destination ip_address4 | source ip_address5}
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command does not clear static sticky database entries. To clear static sticky database entries, use the no form of the appropriate sticky configuration mode command. For example, enter (config-sticky-cookie) static cookie-value or (config-sticky-header) static header-value.
Examples To clear all dynamic sticky database entries in the Admin context, enter:
host1/Admin# clear sticky database all
Related Commands show sticky database
clear syn-cookie
To clear the SYN cookie statistics, use the clear syn-cookie command. To clear SYN cookie statistics
for all VLANs that are configured in the current context, enter the command with no arguments.
clear syn-cookie [vlan number]
Syntax Description
vlan number  (Optional) Instructs the ACE to clear SYN cookie statistics for the specified interface. Enter an integer from 2 to 2024.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
A2(1.0)  This command was introduced.
ACE Appliance Release  Modification
A3(1.0)  This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To clear SYN cookie statistics for VLAN 100, enter:
host1/C1# clear syn-cookie vlan 100
Related Commands show syn-cookie
clear tcp statistics
To clear all of the TCP connections and normalization statistics, use the clear tcp statistics command.
clear tcp statistics
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the TCP statistics, enter:
host1/Admin# clear tcp statistics
Related Commands show tcp statistics
clear telnet
To clear a Telnet session, use the clear telnet command.
clear telnet session_id
Syntax Description
session_id  Identifier of the Telnet session to clear, terminating the session.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To obtain the specific Telnet session identification number, use the show telnet command.
Examples To clear the Telnet session with the identification number of 236, enter:
host1/Admin# clear telnet 236
Related Commands clear ssh
show telnet
telnet
clear udp statistics
To clear the User Datagram Protocol (UDP) connection statistics, use the clear udp statistics command.
clear udp statistics
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To clear the UDP statistics, enter:
host1/Admin# clear udp statistics
Related Commands show udp statistics
clear user
To clear a user session, use the clear user command.
clear user name
Syntax Description
name  Name of the user to log out.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To display the list of users that are currently logged in to the ACE, use the show users command.
Examples To log out the user USER1, enter:
host1/Admin# clear user USER1
Related Commands show users
(config) username
clear vnet stats
To clear control plane virtual network (VNET) device statistics, use the clear vnet stats command.
clear vnet stats
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin context only
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To clear the VNET statistics, enter:
host1/Admin# clear vnet stats
Related Commands show vnet
clear xlate
To clear the global address to the local address mapping information based on the global address, global
port, local address, local port, interface address as global address, and NAT type, use the clear xlate
command.
clear xlate [{global | local} start_ip [end_ip [netmask netmask]]] [{gport | lport} start_port
[end_port]] [interface vlan number] [state static] [portmap]
Syntax Description
global  (Optional) Clears the active translation by the global IP address.
local  (Optional) Clears the active translation by the local IP address.
start_ip  Global or local IP address or the first IP address in a range of addresses. Enter an IP address in dotted-decimal notation (for example, 172.27.16.10).
end_ip  (Optional) Last IP address in a global or local range of IP addresses. Enter an IP address in dotted-decimal notation (for example, 172.27.16.10).
netmask netmask  (Optional) Specifies the network mask for global or local IP addresses. Enter a mask in dotted-decimal notation (for example, 255.255.255.0).
gport  (Optional) Clears active translations by the global port.
lport  (Optional) Clears active translations by the local port.
start_port  Global or local port number.
end_port  (Optional) Last port number in a global or local range of ports.
interface vlan number  (Optional) Clears active translations by the VLAN number.
state static  (Optional) Clears active translations by the state.
portmap  (Optional) Clears active translations by the port map.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the NAT feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you enter this command, the ACE releases sessions that are using the translations (Xlates).
If you configure redundancy, then you need to explicitly clear Xlates on both the active and the standby
ACEs. Clearing Xlates on the active ACE does not clear Xlates in the standby ACE.
Examples To clear all static translations, enter:
host1/Admin# clear xlate state static
Related Commands show xlate
clock set
(ACE appliance only) To set the time and the date for an ACE, use the clock set command in Exec mode.
clock set hh:mm:ss DD MONTH YYYY
Syntax Description
hh:mm:ss  Current time to which the ACE clock is being reset. Specify one or two digits for the hour, minutes, and seconds.
DD MONTH YYYY  Current date to which the ACE clock is being reset. Specify the full name of the month, one or two digits for the day, and four digits for the year. The following month names are recognized:
• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December
Command Modes Exec
Admin and user contexts
Command History
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you enter this command, the ACE displays the current configured date and time.
If you want to use the Network Time Protocol (NTP) to automatically synchronize the ACE system clock
to an authoritative time server (such as a radio clock or an atomic clock), see Chapter 1, Setting Up the
ACE, in the Administration Guide, Cisco ACE Application Control Engine. In this case, the NTP time
server automatically sets the ACE system clock.
If you previously configured NTP on an ACE, the ACE prevents you from using the clock set command
and displays an error message. To manually set the ACE system clock, remove the NTP peer and NTP
server from the configuration before setting the clock on an ACE.
Examples For example, to specify a time of 1:38:30 and a date of October 7, 2008, enter:
host1/Admin# clock set 01:38:30 7 Oct 2008
Wed Oct 7 01:38:30 PST 2008
Related Commands show clock
(config) clock timezone
(config) clock summer-time
compare
To compare an existing checkpoint with the running-configuration file, use the compare command.
compare checkpoint_name
Syntax Description
checkpoint_name  Specifies the name of an existing checkpoint. The compare function defaults to comparing the specified checkpoint with the running-config.
Command Modes Exec
Admin and user contexts
Command History
ACE Module/Appliance Release  Modification
A4(1.0)  This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If the checkpoint configuration is the same as the running-config, the output of this command is:
Checkpoint config is same as running config
If the checkpoint configuration is different from the running-config, the output will be the difference
between the two configurations.
Examples To compare the CHECKPOINT_1 checkpoint with the running-config, enter the following command:
host1/Admin# compare CHECKPOINT_1
Related Commands checkpoint
copy checkpoint
show checkpoint
configure
To change from the Exec mode to the configuration mode, use the configure command.
configure [terminal]
Syntax Description
terminal  (Optional) Enables you to configure the system from the terminal.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires one or more features assigned to your user role, such as the AAA, interface, or
fault-tolerant features. For details about role-based access control (RBAC) and user roles, see the
Virtualization Guide, Cisco ACE Application Control Engine.
To return to the Exec mode from the configuration mode, use the exit command.
To execute an Exec mode command from any of the configuration modes, use the do version of the
command.
Examples To change to the configuration mode from the Exec mode, enter:
host1/Admin# configure
host1/Admin(config)#
Related Commands exit
copy capture
To copy an existing context packet capture buffer as the source file in the ACE compact flash to another
file system, use the copy capture command.
copy capture capture_name disk0: [path/]destination_name
Syntax Description
capture_name  Name of the packet capture buffer on the disk0: file system. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
disk0:  Specifies that the buffer is copied to the disk0: file system.
[path/]destination_name  Destination path (optional) and name for the packet capture buffer. Specify a text string from 1 to 80 alphanumeric characters. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the config-copy feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
After you copy a capture file to a remote server, you can use the delete disk0:filename command to
delete the file from the ACE and free memory.
Examples To copy the packet capture buffer to a file in disk0: called MYCAPTURE1, enter:
host1/Admin# copy capture CAPTURE1 disk0:MYCAPTURE1
Related Commands clear capture
show capture
copy checkpoint
To copy a checkpoint file to a remote server, use the copy checkpoint command.
copy checkpoint:filename {disk0:[path/]filename | image:image_name | startup-config |
ftp://server/path[/filename] | sftp://[username@]server/path[/filename] |
tftp://server[:port]/path[/filename]}
Syntax Description
filename  Filename of the checkpoint file residing on the ACE in flash memory.
disk0:[path/]filename  Specifies that the file destination is the disk0: directory of the current context and the filename for the checkpoint. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
image:image_name  Specifies that the file destination is an image in the image: directory.
startup-config  Specifies that the destination file is the startup-configuration file.
ftp://server/path[/filename]  Specifies the File Transfer Protocol (FTP) network server and optional renamed checkpoint file.
sftp://[username@]server/path[/filename]  Specifies the Secure File Transfer Protocol (SFTP) network server and optional renamed checkpoint file.
tftp://server[:port]/path[/filename]  Specifies the Trivial File Transfer Protocol (TFTP) network server and optional renamed checkpoint file.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
A2(1.6)  This command was introduced.
ACE Appliance Release  Modification
A4(1.0)  This command was introduced.
Usage Guidelines This command requires the config-copy feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you select a destination file system using ftp:, sftp:, or tftp:, the ACE does the following:
• Prompts you for your username and password if the destination file system requires user
authentication.
• Prompts you for the server information if you do not provide the information with the command.
• Copies the file to the root directory of the destination file system if you do not provide the path
information.
Examples To copy a checkpoint file from the ACE to a remote FTP server, enter:
host1/Admin# copy checkpoint:CHECKPOINT1.txt ftp://192.168.1.2
Enter the destination filename[]? [CHECKPOINT1.txt]
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
Note The bin (binary) file transfer mode is intended for transferring compiled files (executables). The ascii
file transfer mode is intended for transferring text files, such as config files. The default selection of bin
should be sufficient in all cases when copying files to a remote FTP server.
Related Commands checkpoint
compare
show checkpoint
copy core:
To copy a core file to a remote server, use the copy core: command.
copy core:filename1 {disk0:[path/]filename2 | ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}
Syntax Description
filename1  Filename of the core dump residing on the ACE in flash memory. Use the dir core: command to view the core dump files available in the core: file system.
disk0:[path/]filename2  Specifies that the file destination is the disk0: directory of the current context and the filename for the core. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
ftp://server/path[/filename]  Specifies the File Transfer Protocol (FTP) network server and optional renamed core dump.
sftp://[username@]server/path[/filename]  Specifies the Secure File Transfer Protocol (SFTP) network server and optional renamed core dump.
tftp://server[:port]/path[/filename]  Specifies the Trivial File Transfer Protocol (TFTP) network server and optional renamed core dump.
Command Modes Exec
Admin context only
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the config-copy feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To display the list of available core files, use the dir core: command. Copy the complete filename (for
example, 0x401_vsh_log.25256.tar.gz) into the copy core: command.
When you select a destination file system using ftp:, sftp:, or tftp:, the ACE does the following:
• Prompts you for your username and password if the destination file system requires user
authentication.
• Prompts you for the server information if you do not provide the information with the command.
• Copies the file to the root directory of the destination file system if you do not provide the path
information.
Examples To copy a core file from the ACE to a remote FTP server, enter:
host1/Admin# copy core:np0_crash.txt ftp://192.168.1.2
Enter the destination filename[]? [np0_crash.txt]
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
Note The bin (binary) file transfer mode is intended for transferring compiled files (executables). The ascii
file transfer mode is intended for transferring text files, such as config files. The default selection of bin
should be sufficient in all cases when copying files to a remote FTP server.
Related Commands dir
copy disk0:
To copy a file from one directory in the disk0: file system of flash memory to another directory in disk0: or a
network server, use the copy disk0: command.
copy disk0:[path/]filename1 {disk0:[path/]filename2 | ftp://server/path[/filename] |
image:image_filename | sftp://[username@]server/path[/filename] |
tftp://server[:port]/path[/filename] | running-config | startup-config}
Syntax Description
disk0:[path/]filename1  Specifies the name of the file to copy in the disk0: file system. Use the dir disk0: command to view the files available in disk0:. If you do not provide the optional path, the ACE copies the file from the root directory on the disk0: file system.
disk0:[path/]filename2  Specifies that the file destination is the disk0: directory of the current context and the filename for the copied file. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
ftp://server/path[/filename]  Specifies the File Transfer Protocol (FTP) network server and optional renamed file.
image:image_filename  Specifies the image: file system and the image filename.
sftp://[username@]server/path[/filename]  Specifies the Secure File Transfer Protocol (SFTP) network server and optional renamed file.
tftp://server[:port]/path[/filename]  Specifies the Trivial File Transfer Protocol (TFTP) network server and optional renamed file.
running-config  Specifies to replace the running-configuration file that currently resides on the ACE in volatile memory.
startup-config  Specifies to replace the startup-configuration file that currently resides on the ACE in flash memory.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the config-copy feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you select a destination file system using ftp:, sftp:, or tftp:, the ACE does the following:
• Prompts you for your username and password if the destination file system requires user
authentication.
• Prompts you for the server information if you do not provide the information with the command.
• Copies the file to the root directory of the destination file system if you do not provide the path
information.
Examples To copy the file called SAMPLEFILE to the MYSTORAGE directory in flash memory, enter:
host1/Admin# copy disk0:samplefile disk0:MYSTORAGE/SAMPLEFILE
Related Commands dir
copy ftp:
To copy a file, software image, running-configuration file, or startup-configuration file from a remote
File Transfer Protocol (FTP) server to a location on the ACE, use the copy ftp: command.
copy ftp://server/path[/filename] {disk0:[path/]filename | image:[image_name] | running-config |
startup-config}
Syntax Description
ftp://server/path[/filename]  Specifies the FTP network server and optional file to copy.
disk0:[path/]filename  Specifies that the file destination is the disk0: directory of the current context and the filename. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
image:[image_name]  Specifies to copy a system software image to flash memory. Use the boot system command in configuration mode to specify the BOOT environment variable. The BOOT environment variable specifies a list of image files on various devices from which the ACE can boot at startup. The image: keyword is available only in the Admin context. The image_name argument is optional. If you do not enter a name, the ACE uses the source filename.
running-config  Specifies to replace the running-configuration file that currently resides on the ACE in RAM (volatile memory).
startup-config  Specifies to replace the startup-configuration file that currently resides on the ACE in flash memory (nonvolatile memory).
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the config-copy feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To copy a startup-configuration file from a remote FTP server to the ACE, enter:
host1/Admin# copy ftp://192.168.1.2/startup_config_Adminctx startup-config
Related Commands show running-config
show startup-config
copy image:
To copy an ACE software system image from flash memory to a remote server using File Transfer
Protocol (FTP), Secure File Transfer Protocol (SFTP), or Trivial File Transfer Protocol (TFTP), use the
copy image: command.
copy image:image_filename {ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}
Syntax Description
image_filename  Name of the ACE system software image. Use the dir image: command or the show version command to view the software system images available in flash memory.
ftp://server/path[/filename]  Specifies the FTP network server and optional renamed image.
sftp://[username@]server/path[/filename]  Specifies the SFTP network server and optional renamed image.
tftp://server[:port]/path[/filename]  Specifies the TFTP network server and optional renamed image.
Command Modes Exec
Admin context only
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the config-copy feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you select a destination file system using ftp:, sftp:, or tftp:, the ACE does the following:
• Prompts you for your username and password if the destination file system requires user
authentication.
• Prompts you for the server information if you do not provide the information with the command.
• Copies the file to the root directory of the destination file system if you do not provide the path
information.
Examples ACE Module Example
To save a software system image to a remote FTP server, enter:
host1/Admin# copy image:sb-ace.NOV_11 ftp://192.168.1.2
ACE Appliance Example
To save a software system image to a remote FTP server, enter:
host1/Admin# copy image:c4710ace-mz.A3_1_0.bin ftp://192.168.1.2
Related Commands dir
show version
copy licenses
To create a backup license file for the ACE licenses in the .tar format and copy it to the disk0: file system,
use the copy licenses command.
copy licenses disk0:[path/]filename.tar
Syntax Description
disk0:  Specifies that the backup license file is copied to the disk0: file system.
[path/]filename.tar  Specifies the destination filename for the backup licenses. The destination filename must have a .tar file extension. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
Command Modes Exec
Admin context only
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the config-copy feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To copy the installed software licenses to the disk0: file system, enter:
host1/Admin# copy licenses disk0:mylicenses.tar
Related Commands show license
untar disk0:
copy probe:
To copy scripted probe files from the probe: directory to the disk0: file system on the ACE or a remote
server using File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), or Trivial File Transfer
Protocol (TFTP), use the copy probe: command.
copy probe:probe_filename {disk0:[path/]filename | ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}
Syntax Description
probe_filename  Name of the scripted probe file. Use the dir probe: command to view the files available in flash memory.
disk0:[path/]filename  Specifies that the probe file is copied to the disk0: file system.
ftp://server/path[/filename]  Specifies the FTP network server and optional renamed probe file.
sftp://[username@]server/path[/filename]  Specifies the SFTP network server and optional renamed probe file.
tftp://server[:port]/path[/filename]  Specifies the TFTP network server and optional renamed probe file.
Command Modes Exec
Admin context only
Command History
ACE Module/Appliance Release  Modification
A4(1.0)  This command was introduced.
Usage Guidelines This command requires the config-copy feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you select a destination file system using ftp:, sftp:, or tftp:, the ACE does the following:
• Prompts you for your username and password if the destination file system requires user
authentication.
• Prompts you for the server information if you do not provide the information with the command.
• Copies the file to the root directory of the destination file system if you do not provide the path
information.
Examples To copy a probe file to a remote FTP server, enter:
host1/Admin# copy probe:IMAP_PROBE ftp://192.168.1.2
Related Commands dir
copy running-config
To copy the contents of the running configuration file in RAM (volatile memory) to the startup configuration
file in flash memory (nonvolatile memory) or a network server, use the copy running-config command.
copy running-config {disk0:[path/]filename | startup-config | ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}
Syntax Description
disk0:[path/]filename  Specifies that the running configuration is copied to a file on the disk0: file system. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
startup-config  Copies the running configuration file to the startup configuration file.
ftp://server/path[/filename]  Specifies the File Transfer Protocol (FTP) network server and optional renamed file.
sftp://[username@]server/path[/filename]  Specifies the Secure File Transfer Protocol (SFTP) network server and optional renamed file.
tftp://server[:port]/path[/filename]  Specifies the Trivial File Transfer Protocol (TFTP) network server and optional renamed file.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the config-copy feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you select a destination file system using ftp:, sftp:, or tftp:, the ACE does the following:
• Prompts you for your username and password if the destination file system requires user
authentication.
• Prompts you for the server information if you do not provide the information with the command.
• Copies the file to the root directory of the destination file system if you do not provide the path
information.
To copy the running configuration to the startup configuration, you can also use the write memory
command.
Examples To save the running-configuration file to the startup-configuration file in flash memory on the ACE,
enter:
host1/Admin# copy running-config startup-config
Related Commands show running-config
show startup-config
write
copy startup-config
To merge the contents of the startup configuration file into the running configuration file or copy the startup configuration file to a network server, use the copy startup-config command.
copy startup-config {disk0:[path/]filename | running-config | ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}
Syntax Description
disk0:[path/]filename   Specifies that the startup configuration is copied to a file on the disk0: file system. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
running-config   Merges the contents of the startup configuration file into the running configuration file.
ftp://server/path[/filename]   Specifies the File Transfer Protocol (FTP) network server and optional renamed file.
sftp://[username@]server/path[/filename]   Specifies the Secure File Transfer Protocol (SFTP) network server and optional renamed file.
tftp://server[:port]/path[/filename]   Specifies the Trivial File Transfer Protocol (TFTP) network server and optional renamed file.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release   Modification
3.0(0)A1(2)   This command was introduced.
ACE Appliance Release   Modification
A1(7)   This command was introduced.
Usage Guidelines This command requires the config-copy feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you select a destination file system using ftp:, sftp:, or tftp:, the ACE does the following:
• Prompts you for your username and password if the destination file system requires user authentication.
• Prompts you for the server information if you do not provide the information with the command.
• Copies the file to the root directory of the destination file system if you do not provide the path information.
Examples To merge the contents of the startup-configuration file into the running-configuration file in flash memory, enter:
host1/Admin# copy startup-config running-config
Related Commands show startup-config
copy sftp:
To copy a file, software image, running-configuration file, or startup-configuration file from a remote Secure File Transfer Protocol (SFTP) server to a location on the ACE, use the copy sftp: command.
copy sftp://[username@]server/path[/filename] {disk0:[path/]filename | image:[image_name] | running-config | startup-config}
Syntax Description
sftp://[username@]server/path[/filename]   Specifies the SFTP network server and optional renamed file.
disk0:[path/]filename   Specifies that the file destination is the disk0: directory of the current context and the filename. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
image:[image_name]   Specifies to copy a system software image to flash memory. Use the boot system command in configuration mode to specify the BOOT environment variable. The BOOT environment variable specifies a list of image files on various devices from which the ACE can boot at startup. The image: keyword is available only in the Admin context. The image_name argument is optional. If you do not enter a name, the ACE uses the source filename.
running-config   Specifies to replace the running-configuration file that currently resides on the ACE in RAM (volatile memory).
startup-config   Specifies to replace the startup-configuration file that currently resides on the ACE in flash memory (nonvolatile memory).
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release   Modification
3.0(0)A1(2)   This command was introduced.
ACE Appliance Release   Modification
A1(7)   This command was introduced.
Usage Guidelines This command requires the config-copy feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To copy a startup-configuration file from a remote SFTP server to the ACE, enter:
host1/Admin# copy sftp://192.168.1.2/startup_config_Adminctx startup-config
Related Commands show running-config
show startup-config
copy tftp:
To copy a file, software image, running-configuration file, or startup-configuration file from a remote Trivial File Transfer Protocol (TFTP) server to a location on the ACE, use the copy tftp: command.
copy tftp://server[:port]/path[/filename] {disk0:[path/]filename | image:[image_name] | running-config | startup-config}
Syntax Description
tftp://server[:port]/path[/filename]   Specifies the TFTP network server and optional renamed file.
disk0:[path/]filename   Specifies that the file destination is the disk0: directory of the current context and the filename. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
image:[image_name]   Specifies to copy a system software image to flash memory. Use the boot system command in configuration mode to specify the BOOT environment variable. The BOOT environment variable specifies a list of image files on various devices from which the ACE can boot at startup. The image: keyword is available only in the Admin context. The image_name argument is optional. If you do not enter a name, the ACE uses the source filename.
running-config   Specifies to replace the running-configuration file that currently resides on the ACE in RAM (volatile memory).
startup-config   Specifies to replace the startup-configuration file that currently resides on the ACE in flash memory (nonvolatile memory).
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release   Modification
3.0(0)A1(2)   This command was introduced.
ACE Appliance Release   Modification
A1(7)   This command was introduced.
Usage Guidelines This command requires the config-copy feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To copy a startup-configuration file from a remote TFTP server to the ACE, enter:
host1/Admin# copy tftp://192.168.1.2/startup_config_Adminctx startup-config
Related Commands show running-config
show startup-config
crypto crlparams
To configure signature verification on a Certificate Revocation List (CRL) to determine that it is from a trusted certificate authority, use the crypto crlparams command.
crypto crlparams crl_name cacert ca_cert_filename
no crypto crlparams crl_name
Syntax Description
crl_name   Name of an existing CRL.
ca_cert_filename   Name of the CA certificate file used for signature verification.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release   Modification
A2(1.4) and A2(2.1)   This command was introduced.
ACE Appliance Release   Modification
A3(2.2)   This command was introduced.
Usage Guidelines This command requires the PKI feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To configure signature verification on a CRL, enter:
host1/Admin(config)# crypto crlparams CRL1 cacert MYCERT.PEM
To remove signature verification from a CRL, enter:
host1/Admin(config)# no crypto crlparams CRL1
Related Commands (config-ssl-proxy) crl
crypto delete
To delete a certificate and key pair file from the ACE that is no longer valid, use the crypto delete command.
crypto delete {filename | all}
Syntax Description
filename   Name of a specific certificate or key pair file to delete. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters.
all   Deletes all of the certificate and key pair files.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release   Modification
3.0(0)A1(2)   This command was introduced.
ACE Appliance Release   Modification
A1(7)   This command was introduced.
Usage Guidelines This command requires the PKI feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The all option does not delete the preinstalled sample certificate and key files. When you use the all keyword, the ACE prompts you with the following message to verify the deletion:
This operation will delete all crypto files for this context from the disk, but will not
interrupt existing SSL services. If new SSL files are not applied SSL services will be
disabled upon next vip inservice or device reload.
Do you wish to proceed? (y/n) [n]
To view the list of the certificate and key pair files stored on the ACE for the current context, use the show crypto files command.
You cannot delete the ACE cisco-sample-key and cisco-sample-cert files.
Examples To delete the key pair file MYRSAKEY.PEM, enter:
host1/Admin# crypto delete MYRSAKEY.PEM
Related Commands crypto export
crypto import
show crypto
crypto export
To export a copy of a certificate or key pair file from the ACE to a remote server or the terminal screen, use the crypto export command.
crypto export local_filename {ftp | sftp | tftp | terminal} ip_addr username remote_filename
Syntax Description
local_filename   Name of the file stored on the ACE to export. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters.
ftp   Specifies the File Transfer Protocol (FTP) file transfer process.
sftp   Specifies the Secure File Transfer Protocol (SFTP) file transfer process.
tftp   Specifies the Trivial File Transfer Protocol (TFTP) file transfer process.
terminal   Displays the file content on the terminal for copy and paste purposes. Use the terminal keyword when you need to cut and paste certificate or private key information from the console. You can only use the terminal method to display PEM files, which are in ASCII format.
ip_addr   IP address or name of the remote server. Enter an IP address in dotted-decimal notation (for example, 172.27.16.10).
username   Username required to access the remote server. The ACE prompts you for your password when you enter the command.
remote_filename   Name to save the file to on the remote server. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release   Modification
3.0(0)A1(2)   This command was introduced.
ACE Appliance Release   Modification
A1(7)   This command was introduced.
Usage Guidelines This command requires the PKI feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You cannot export a certificate or key pair file that you marked as nonexportable when you imported the file to the ACE.
The remote server variables listed after the terminal keyword in the “Syntax Description” are used by the ACE only when you select a transport type of ftp, sftp, or tftp (the variables are not used for terminal). We recommend using SFTP as it provides the most security.
To view the list of the certificate and key pair files stored on the ACE for the current context, use the show crypto files command.
Examples To use SFTP to export the key file MYKEY.PEM from the ACE to a remote SFTP server, enter:
host1/Admin# crypto export MYKEY.PEM sftp 192.168.1.2 JOESMITH /USR/KEYS/MYKEY.PEM
User password: ****
Writing remote file /usr/keys/mykey.pem
host1/Admin#
Related Commands crypto delete
crypto import
show crypto
crypto generate csr
To generate a Certificate Signing Request (CSR) file, use the crypto generate csr command.
crypto generate csr csr_params key_filename
Syntax Description
csr_params   CSR parameters file that contains the distinguished name attributes. The ACE applies the distinguished name attributes contained in the CSR parameters file to the CSR. To create a CSR parameters file, use the (config) crypto csr-params command in the configuration mode.
key_filename   RSA key pair filename that contains the key on which the CSR is built. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. It is the public key that the ACE embeds in the CSR. Ensure that the RSA key pair file is loaded on the ACE for the current context. If the appropriate key pair does not exist, the ACE logs an error message.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release   Modification
3.0(0)A1(2)   This command was introduced.
ACE Appliance Release   Modification
A1(7)   This command was introduced.
Usage Guidelines This command requires the PKI feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The crypto generate csr command generates the CSR in PKCS10 encoded in PEM format and outputs it to the screen. Most major certificate authorities have web-based applications that require you to cut and paste the certificate request to the screen. If necessary, you can also cut and paste the CSR to a file.
Note The ACE does not save a copy of the CSR locally.
After submitting your CSR to the CA, you will receive your signed certificate in one to seven business days. When you receive your certificate, use the crypto import command to import the certificate to the ACE.
Examples To generate a CSR that is based on the CSR parameter set CSR_PARAMS_1 and the RSA key pair in the file MYRSAKEY_1.PEM, enter:
host1/Admin# crypto generate csr CSR_PARAMS_1 MYRSAKEY_1.PEM
Related Commands crypto import
(config) crypto csr-params
crypto generate key
To generate an RSA key pair file, use the crypto generate key command.
crypto generate key [non-exportable] bitsize filename
Syntax Description
non-exportable   (Optional) Marks the key pair file as nonexportable, which means that you cannot export the key pair file from the ACE.
bitsize   Key pair security strength. The number of bits in the key pair file defines the size of the RSA key pair used to secure web transactions. Longer keys produce a more secure implementation by increasing the strength of the RSA security policy. Available entries (in bits) are as follows:
• 512 (least security)
• 768 (normal security)
• 1024 (high security, level 1)
• 1536 (high security, level 2)
• 2048 (high security, level 3)
filename   Name that you assign to the generated RSA key pair file. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. The key pair filename is used only for identification purposes by the ACE.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release   Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines This command requires the PKI feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To generate the RSA key pair file MYRSAKEYS.PEM with a bit size of 1536, enter:
host1/Admin# crypto generate key 1536 MYRSAKEYS.PEM
Related Commands crypto delete
crypto export
crypto generate csr
crypto import
crypto verify
show crypto
crypto import
To import certificate or key pair files to the ACE or terminal screen from a remote server, use the crypto import command.
crypto import [non-exportable] {bulk sftp [passphrase passphrase] ip_addr username remote_url} | {{ftp | sftp} [passphrase passphrase] ip_addr username remote_filename local_filename} | {tftp [passphrase passphrase] ip_addr remote_filename local_filename} | terminal local_filename [passphrase passphrase]
Syntax Description
non-exportable   (Optional) Specifies that the ACE marks the imported file as nonexportable, which means that you cannot export the file from the ACE.
bulk   Specifies the importing of multiple certificate or key pair files simultaneously.
sftp   Specifies the Secure File Transfer Protocol (SFTP) file transfer process.
ftp   Specifies the File Transfer Protocol (FTP) file transfer process.
passphrase passphrase   (Optional) Indicates that the file was created with a passphrase, which you must submit with the file transfer request in order to use the file. The passphrase pertains only to encrypted PEM files and PKCS files.
ip_addr   IP address or name of the remote server. Enter an IP address in dotted-decimal notation (for example, 172.27.16.10).
username   Username required to access the remote server. The ACE prompts you for your password when you enter the command.
remote_url   Path to the certificate or key pair files that reside on the remote server to import. The ACE matches only files specified by the URL. Enter a file path including wildcards (for example, /remote/path/*.pem). To fetch all files from a remote directory, specify a remote URL that ends with a wildcard character (for example, /remote/path/*). The ACE module fetches all files on the remote server that match the wildcard criteria. However, it imports only files with names that have a maximum of 40 characters. If the name of a file exceeds 40 characters, the ACE module does not import the file and discards it.
remote_filename   Name of the certificate or key pair file that resides on the remote server to import. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters.
local_filename   Name to save the file to when imported to the ACE. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters.
tftp   Specifies the Trivial File Transfer Protocol (TFTP) file transfer process.
terminal   Allows you to import a file using cut and paste by pasting the certificate and key pair information to the terminal display. You can only use the terminal method to display PEM files, which are in ASCII format.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release   Modification
3.0(0)A1(2)   This command was introduced.
A2(2.0)   The bulk keyword was introduced.
ACE Appliance Release   Modification
A1(7)   This command was introduced.
A4(1.0)   The bulk keyword was introduced.
Usage Guidelines This command requires the PKI feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Because a device uses its certificate and corresponding public key together to prove its identity during the SSL handshake, be sure to import both corresponding file types: the certificate file and its corresponding key pair file.
The remote server variables listed after the passphrase variable in the Syntax Description table are only used by the ACE when you select a transport type of ftp, sftp, or tftp (the variables are not used for terminal). If you select one of these transport types and do not define the remote server variables, the ACE prompts you for the variable information. We recommend using SFTP because it provides the most security.
The ACE supports the importation of PEM-encoded SSL certificates and keys with a maximum line width of 130 characters using the terminal. If an SSL certificate or key is not wrapped or it exceeds 130 characters per line, use a text editor such as the visual (vi) editor or Notepad to manually wrap the certificate or key to less than 130 characters per line. Alternatively, you can import the certificate or key by using SFTP, FTP, or TFTP with no regard to line width. Of these methods, we recommend SFTP because it is secure.
The bulk keyword imports files with the names that they have on the remote server and does not allow you to rename the files.
If you attempt to import a file that has the same filename as an existing local file, the ACE module does not overwrite the existing file. Before importing the updated file, you must either delete the local file or rename the imported file.
The ACE supports 4096 certificates and 4096 keys.
The ACE allows a maximum public key size of 4096 bits. The maximum private key size is 2048 bits.
To view the list of the certificate and key pair files stored on the ACE for the current context, use the show crypto files command.
Examples To import the RSA key file MYRSAKEY.PEM from an SFTP server, enter:
host1/Admin# crypto import non-exportable sftp 1.1.1.1 JOESMITH /USR/KEYS/MYRSAKEY.PEM MYKEY.PEM
Password: ********
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
#
Successfully imported file from remote server.
host1/Admin#
This example shows how to use the terminal keyword to allow pasting of the certificate information to the file MYCERT.PEM:
host1/Admin# crypto import terminal MYCERT.PEM
Enter PEM formatted data ending with a blank line or “quit” on a line by itself
--------BEGIN CERTIFICATE-----------------------
MIIC1DCCAj2gAwIBAgIDCCQAMA0GCSqGSIb3DQEBAgUAMIHEMQswCQYDVQQGEwJa
QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAb
BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0
aW9uIFNlcnZpY2VzIERpdmlzaW9uMRkwFwYDVQQDExBUaGF3dGUgU2VydmVyIENB
MSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNAdGhhd3RlLmNvbTAeFw0wMTA3
-----------END CERTIFICATE------------------------
QUIT
host1/Admin#
This example shows how to use the bulk keyword to import all of the RSA key files from an SFTP server:
host1/Admin# crypto import bulk sftp 1.1.1.1 JOESMITH /USR/KEYS/*.PEM
Initiating bulk import. Please wait, it might take a while...
Connecting to 1.1.1.1...
Password: password
...
Bulk import complete. Summary:
Network errors: 0
Bad file URL: 0
Specified local files already exists: 0
Invalid file names: 1
Failed reading remote files: 5
Failed reading local files: 0
Failed writing local files: 0
Unknown errors: 0
Successfully imported: 10
host1/Admin#
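An added pre-flight check (example code, not Cisco's and not part of this reference) for the two import constraints stated above: PEM data pasted with the terminal keyword must stay within 130 characters per line, and bulk-imported files keep their remote names, are discarded when the name exceeds 40 characters, and never overwrite an existing local file. It assumes the ACE compares names case-insensitively (the examples above echo names in lower case); the sample PEM is constructed, not a real certificate.

```python
"""Pre-flight checks for files destined for the ACE 'crypto import' command.

Added example (not Cisco code). It checks constraints stated in the command
reference: PEM data pasted with the 'terminal' keyword must be at most 130
characters per line, and file names imported with 'bulk' keep their remote
names, must be at most 40 characters, and never overwrite an existing local
file. The sample PEM below is constructed, not a real certificate.
"""
import re
from typing import List, Tuple

TERMINAL_MAX_LINE = 130   # limit stated for 'crypto import terminal'
MAX_FILENAME_LEN = 40     # limit stated for local and remote file names
PEM_WRAP_WIDTH = 64       # conventional PEM body width (RFC 7468), well under 130

# RFC 7468 encapsulation boundaries use exactly five hyphens on each side.
_PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
_PEM_END = re.compile(r"^-----END ([A-Z ]+)-----$")
_BASE64_BODY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample: one 200-character body line, which exceeds the terminal limit.
SAMPLE_UNWRAPPED = (
    "-----BEGIN CERTIFICATE-----\n" + "A" * 200 + "\n-----END CERTIFICATE-----\n"
)


def rewrap_pem(pem: str) -> str:
    """Return the PEM block with its body re-wrapped to PEM_WRAP_WIDTH columns.

    The BEGIN/END lines and the base64 content are left unchanged; only the
    line breaks move. Raises ValueError for anything that is not a single,
    consistently labelled PEM block with a base64 body.
    """
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("not a PEM block")
    begin, end = _PEM_BEGIN.match(lines[0]), _PEM_END.match(lines[-1])
    if begin is None or end is None:
        raise ValueError("missing or malformed BEGIN/END line")
    if begin.group(1) != end.group(1):
        raise ValueError("BEGIN and END labels differ")
    body = "".join(lines[1:-1])
    if not _BASE64_BODY.match(body):
        raise ValueError("PEM body is not base64")
    wrapped = [body[i:i + PEM_WRAP_WIDTH] for i in range(0, len(body), PEM_WRAP_WIDTH)]
    return "\n".join([lines[0], *wrapped, lines[-1]]) + "\n"


def terminal_paste_ok(pem: str) -> bool:
    """True when every line fits within the 130-character terminal import limit."""
    return all(len(ln) <= TERMINAL_MAX_LINE for ln in pem.splitlines())


def check_bulk_names(remote_names: List[str],
                     existing_local: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split candidate bulk-import names into accepted and (name, reason) rejects.

    Assumption: the ACE compares names case-insensitively, since the reference's
    own examples echo uploaded names in lower case.
    """
    local = {n.lower() for n in existing_local}
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for name in remote_names:
        if " " in name:
            rejected.append((name, "contains a space"))
        elif len(name) > MAX_FILENAME_LEN:
            rejected.append((name, "longer than 40 characters; bulk import discards it"))
        elif name.lower() in local:
            rejected.append((name, "already exists on the ACE; it will not be overwritten"))
        else:
            accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    fixed = rewrap_pem(SAMPLE_UNWRAPPED)
    print("original fits terminal:", terminal_paste_ok(SAMPLE_UNWRAPPED))  # False
    print("rewrapped fits terminal:", terminal_paste_ok(fixed))             # True
    print(fixed)
    ok, bad = check_bulk_names(
        ["MYRSAKEY.PEM", "a" * 41 + ".PEM", "my key.pem", "MYCERT.PEM"], ["mycert.pem"])
    print("accepted:", ok)
    for name, reason in bad:
        print("rejected:", name, "-", reason)
```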
Related Commands crypto delete
crypto export
crypto verify
show crypto
crypto verify
To compare the public key in a certificate with the public key in a key pair file, and to verify that they are identical, use the crypto verify command.
crypto verify key_filename cert_filename
Syntax Description
key_filename   Name of the key pair file (stored on the ACE) that the ACE uses to verify against the specified certificate. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters.
cert_filename   Name of the certificate file (stored on the ACE) that the ACE uses to verify against the specified key pair. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release   Modification
3.0(0)A1(2)   This command was introduced.
ACE Appliance Release   Modification
A1(7)   This command was introduced.
Usage Guidelines This command requires the PKI feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If the public key in the certificate does not match the public key in the key pair file, the ACE logs an error message.
To view the list of the certificate and key pair files stored on the ACE for the current context, use the show crypto files command.
Examples To verify that the public keys in the Admin context files MYRSAKEY.PEM and MYCERT.PEM match, enter:
host1/Admin# crypto verify MYRSAKEY.PEM MYCERT.PEM
keypair in myrsakey.pem matches certificate in mycert.pem
This example shows what happens when the public keys do not match:
host1/Admin# crypto verify MYRSAKEY2.PEM MYCERT.PEM
Keypair in myrsakey2.pem does not match certificate in mycert.pem
host1/Admin#
Related Commands crypto import
show crypto
debug
To enable the ACE debugging functions, use the debug command.
debug {aaa | access-list | accmgr | arpmgr | bpdu | buffer | cfg_cntlr | cfgmgr [rhi-info] | clock | fifo | fm | gslb | ha_dp_mgr | ha_mgr | hm | ifmgr | ip | ipcp | lcp | ldap | license | logfile | mtsmon | nat-download | netio | ntp | pfmgr | pktcap | portmgr | radius | routemgr | scp | scripted_hm | security | sme | snmp | ssl | syslogd | system | tacacs+ | time | tl | virtualization | vnet}
Syntax Description
aaa   Enables debugging for authentication, authorization, and accounting (AAA).
access-list   Enables access-list debugging.
accmgr   Loglevel options for application acceleration CM.
arpmgr   Enables Address Resolution Protocol (ARP) manager debugging.
bpdu   Enables bridge protocol data unit (BPDU) debugging.
buffer   Configures debugging of the CP buffer manager.
cfg_cntlr   Enables configuration controller debugging.
cfgmgr   Enables configuration manager debugging.
rhi-info   (Optional, ACE module only) Enables route health injection (RHI) debugging.
clock   (ACE module only) Enables clock module debugging.
fifo   Configures debugging of the packet first in, first out (FIFO) driver.
fm   Enables ACE feature manager debugging.
gslb   Enables GSLB protocol debugging.
ha_dp_mgr   Enables HA-DP debugging.
ha_mgr   Enables HA debugging.
hm   Enables HM debugging.
ifmgr   Enables interface manager debugging.
ip   Enables IP service debugging.
ipcp   Enables interprocess control protocol debugging.
lcp   (ACE module only) Enables the debugging of the line card processor.
ldap   Configures debugging for Lightweight Directory Access Protocol (LDAP).
license   Enables the debugging of licensing.
logfile   Directs the debug output to a log file.
mtsmon   Enables MTS monitor debugging.
nat-download   Enables Network Address Translation (NAT) download debugging.
netio   Enables the debugging of the CP network I/O.
ntp   (ACE appliance only) Debugs the Network Time Protocol (NTP) module.
pfmgr   Enables the debugging of the platform manager.
pktcap   Enables packet capture debugging.
portmgr   (ACE appliance only) Debugs the port manager.
radius   Configures debugging for the Remote Authentication Dial-In User Service (RADIUS) daemon.
routemgr   Enables route manager debugging.
ipcp   Enables the debugging of the kernel IPCP component.
scp   (ACE module only) Configures debugging for the Switch Module Control protocol.
scripted_hm   Enables scripted health monitoring debugging.
security   Enables the debugging for security and accounting.
sme   Enables the debugging for the System Manager Extension.
snmp   Configures Simple Network Management Protocol (SNMP) server debugging.
ssl   Enables ACE SSL manager debugging.
syslogd   Enables syslogd debugging.
system   Enables debugging of the system components.
tacacs+   Configures debugging for Terminal Access Controller Access Control System Plus (TACACS+).
tl   Configures debugging of the TL driver.
virtualization   Enables virtualization debugging.
vnet   Configures debugging of the virtual net-device driver.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release   Modification
3.0(0)A1(2)   This command was introduced.
A2(1.0)   This command was revised.
A4(1.0)   The rhi-info option was added.
ACE Appliance Release   Modification
A1(7)   This command was introduced.
A3(1.0)   This command was revised.
A4(1.0)   The hardware and optimize options were removed.
Usage Guidelines This command is available to roles that allow debugging and to network monitor or technician users. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE debug commands are intended for use by trained Cisco personnel only. Entering these commands may cause unexpected results. Do not attempt to use these commands without guidance from Cisco support personnel.
Examples To enable access-list debugging, enter:
host1/Admin# debug access-list
Related Commands clear debug-logfile
show debug
delete
To delete a specified file in an ACE file system, use the delete command.
delete {core:filename | disk0:[path/]filename | image:filename | volatile:filename}
Syntax Description
core:filename   Deletes the specified file from the core: file system.
disk0:[path/]filename   Deletes the specified file from the disk0: file system. If you do not specify the optional path, the ACE looks for the file in the root directory of the disk0: file system.
image:filename   Deletes the specified file from the image: file system.
volatile:filename   Deletes the specified file from the volatile: file system.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release   Modification
3.0(0)A1(2)   This command was introduced.
ACE Appliance Release   Modification
A1(7)   This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If you do not specify a filename with the file system keyword, the ACE prompts you for a filename.
To display the list of files that reside in a file system, use the dir command.
Examples To delete the file 0x401_VSH_LOG.25256.TAR.GZ from the core: file system, enter:
host1/Admin# delete core:0x401_VSH_LOG.25256.TAR.GZ
Related Commands dir

dir

To display the contents of a specified ACE file system, use the dir command.
dir {core: | disk0:[path/][filename] | image:[filename] | probe:[filename] | volatile:[filename]}
Syntax Description
core: Displays the contents of the core: file system.
disk0:[path/] Displays the contents of the disk0: file system. Specify the optional path to display the contents of a specific directory on the disk0: file system.
image: Displays the contents of the image: file system.
probe: Displays the contents of the probe: file system. This directory contains the Cisco-supplied scripts. For more information about these scripts, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
volatile: Displays the contents of the volatile: file system.
filename (Optional) Specified file to display. Displays information, such as the file size and the date that it was created. You can use wildcards in the filename. A wildcard character (*) matches all patterns. Strings after a wildcard are ignored.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) The probe: option was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) The probe: option was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To delete a file from a file system, use the delete command.
To delete all core dumps, use the clear cores command.
Examples ACE Module Example
To display the contents of the disk0: file system, enter:
host1/Admin# dir disk0:
ACE Appliance Example
To display the contents of the image: file system, enter:
switch/Admin# dir image:
176876624 Aug 08 2008 14:15:31 c4710ace-mz.A3_1_0.bin
176876624 Jun 9 14:15:31 2008 c4710ace-mz.A1_8_0A.bin
Usage for image: filesystem
896978944 bytes total used
11849728 bytes free
908828672 bytes total
Related Commands clear cores
delete
show file
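The image: listing above shows only about 11 MB free next to two 176 MB images, so a new image copied with copy ftp:, copy tftp:, or copy sftp: would not fit until an old image is removed with delete. The following added Python example (not part of the Cisco document) parses dir output captured from the CLI, checks that the usage summary is self-consistent (used + free = total), and reports which oldest files would have to be deleted to make room for an image of a given size. The sample text is constructed from the listing above; the assumption that the ACE prints dates in only the two layouts seen there is labelled in the code.

```python
"""Parse ACE `dir` output and check whether a new image would fit."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the `dir image:` output shown in the ACE Appliance Example above.
SAMPLE_DIR_OUTPUT = """\
  176876624     Aug 08 2008 14:15:31    c4710ace-mz.A3_1_0.bin
  176876624     Jun 9 14:15:31 2008     c4710ace-mz.A1_8_0A.bin

Usage for image: filesystem
  896978944 bytes total used
   11849728 bytes free
  908828672 bytes total
"""

# Assumption: the listing uses only the two date layouts visible above.
_DATE_FORMATS = ("%b %d %Y %H:%M:%S", "%b %d %H:%M:%S %Y")
_USAGE_RE = re.compile(r"^(\d+)\s+bytes\s+(total used|free|total)$")
_FS_RE = re.compile(r"^Usage for (\S+) filesystem$")


class DirEntry(NamedTuple):
    name: str
    size: int
    mtime: datetime


class DirListing(NamedTuple):
    filesystem: Optional[str]
    files: List[DirEntry]
    used: Optional[int]
    free: Optional[int]
    total: Optional[int]


def _parse_date(text: str) -> datetime:
    """Try each known layout; fail loudly on anything else rather than guess."""
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date in dir output: {text!r}")


def parse_dir_output(text: str) -> DirListing:
    """Parse `dir <fs>:` output into file entries plus the usage summary."""
    files: List[DirEntry] = []
    usage: Dict[str, int] = {}
    filesystem = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FS_RE.match(line)
        if m:
            filesystem = m.group(1)
            continue
        m = _USAGE_RE.match(line)
        if m:
            usage[m.group(2)] = int(m.group(1))
            continue
        parts = line.split()
        # A file line is "<size> <date tokens...> <name>".
        if len(parts) >= 3 and parts[0].isdigit():
            mtime = _parse_date(" ".join(parts[1:-1]))
            files.append(DirEntry(parts[-1], int(parts[0]), mtime))
    return DirListing(filesystem, files, usage.get("total used"),
                      usage.get("free"), usage.get("total"))


def usage_is_consistent(listing: DirListing) -> bool:
    """The three usage lines must satisfy used + free == total."""
    if None in (listing.used, listing.free, listing.total):
        return False
    return listing.used + listing.free == listing.total


def files_to_delete_for(listing: DirListing, needed_bytes: int) -> Optional[List[str]]:
    """Oldest-first list of files whose removal would free `needed_bytes`.

    Returns [] if the file system already has room, or None if deleting
    every listed file still would not be enough.
    """
    if listing.free is None:
        return None
    free = listing.free
    chosen: List[str] = []
    for entry in sorted(listing.files, key=lambda e: e.mtime):
        if free >= needed_bytes:
            break
        free += entry.size
        chosen.append(entry.name)
    return chosen if free >= needed_bytes else None


if __name__ == "__main__":
    listing = parse_dir_output(SAMPLE_DIR_OUTPUT)
    print(listing.filesystem, "consistent:", usage_is_consistent(listing))
    print("delete before copying a 176876624-byte image:",
          files_to_delete_for(listing, 176876624))
```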

dm

(ACE Appliance only) To verify the state of the Device Manager (DM), restart it when it is inoperative, or upload a lifeline file to a TFTP server, use the dm command.
dm {help | {lifeline tftp host port} | reload | status}
Syntax Description
help Displays the list of keywords that are available for use on the dm command.
lifeline tftp host port Creates and uploads a lifeline (anm-lifeline.tar.gz) file through TFTP.
reload Restarts the DM with a reinitialized database.
status Displays the status of the DM.
Command Modes Exec
Admin context
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.6) This command is no longer hidden.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To display the status of the DM, enter:
host1/Admin# dm status
Related Commands This command has no related commands.

exit

To exit out of Exec mode and log out the CLI session, use the exit command.
exit
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To log out of an active CLI session, enter:
host1/Admin# exit
Related Commands This command has no related commands.

format flash:

To erase all data stored in the Flash memory and reformat it with the ACE module FAT16 filesystem or the ACE appliance third extended filesystem (ext3) as the base file system, use the format flash: command. All user-defined configuration information is erased and the ACE returns to the factory-default settings.
format flash:
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
A4(1.0) This command was introduced and replaced the format disk0: command.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
(ACE appliance only) The ACE performs the following verification sequence prior to reformatting Flash memory:
• If the system image (the current loaded image) is present in the GNU GRand Unified Bootloader (GRUB) boot loader, the ACE automatically performs a backup of that image and then performs the reformat of Flash memory.
• If the system image is not present in the GRUB boot loader, the ACE prompts you for the location of an available image to back up prior to reformatting the Flash memory.
• If you choose not to back up an available image file, the ACE searches for the ACE-APPLIANCE-RECOVERY-IMAGE.bin image in the Grub partition of Flash memory. ACE-APPLIANCE-RECOVERY-IMAGE.bin is the recovery software image that the ACE uses if the disk partition in Flash memory is corrupted.
– If ACE-APPLIANCE-RECOVERY-IMAGE.bin is present, the ACE continues with the Flash memory reformat. The CLI prompt changes to “switch(RECOVERY-IMAGE)/Admin#” as a means for you to copy the regular ACE software image.
– If ACE-APPLIANCE-RECOVERY-IMAGE.bin is not present, the ACE stops the Flash memory reformat because there is no image to boot after format.
Before you reformat the Flash memory, you should save a copy of the following ACE operation and configuration attributes to a remote server:
• ACE software image (use the copy image: command)
• ACE license (use the copy licenses command)
• Startup configuration of each context (use the copy startup-config command)
• Running configuration of each context (use the copy running-config command)
• Core dump files of each context (use the copy core: command)
• Packet capture buffers of each context (use the copy capture command)
• Secure Sockets Layer (SSL) certificate and key pair files of each context (use the crypto export command)
After you reformat the Flash memory, perform the following actions:
• Copy the ACE software image to the image: file system using the copy ftp:, copy tftp:, or copy sftp: command
• Reinstall the ACE license using the license command
• Import the following configuration files into the associated context using the copy disk0: command:
– Startup-configuration file
– Running-configuration file
• Import the following SSL files into the associated context using the crypto import command:
– SSL certificate files
– SSL key pair files
Examples For example, to erase all information in Flash memory and reformat it, enter:
host1/Admin# format flash:
Warning!! This will erase everything in the compact flash including startup configs for
all the contexts and reboot the system!!
Do you wish to proceed anyway? (yes/no) [no] yes
If the ACE fails to extract a system image from the Grub bootloader, it prompts you to provide the location of an available system image to back up:
Failed to extract system image Information from Grub
backup specific imagefile? (yes/no) [no] yes
Enter Image name: scimi-3.bin
Saving Image [scimi-3.bin]
Formatting the cf.....
Unmounting ext3 filesystems...
Unmounting FAT filesystems...
Unmounting done...
Unmounting compact flash filesystems...
format completed successfully
Restoring Image backupimage/scimi-3.bin
kjournald starting. Commit interval 5 seconds
REXT3 FS on hdb2, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
starting graceful shutdown
switch/Admin# Unmounting ext3 filesystems...
Unmounting FAT filesystems...
Unmounting done...
Related Commands copy capture
copy ftp:
copy tftp:
copy sftp:
crypto export
crypto import
dir
license

ft switchover

To purposely cause a failover to make a particular context active, use the ft switchover command.
ft switchover [all [force] | force | group_id [force]]
Syntax Description
all (Optional) Causes a switchover of all FT groups configured in the ACE simultaneously.
force (Optional) Causes a switchover of the Admin context if you enter the command in the Admin context and do not specify a group ID, or the specified FT group, while ignoring the state of the standby member. Use this option only when the fault-tolerant (FT) VLAN is down.
group_id (Optional) Causes a switchover of the specified FT group. Enter the ID of an existing FT group as an integer from 1 to 255.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) Added the all keyword.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) Added the all keyword.
A3(2.2) This command is disabled by default for the network-monitor role.
Usage Guidelines This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
By using the ft switchover command, you direct the standby group member to statefully become the active member of the FT group, which forces a switchover.
You may need to force a switchover when you want to make a particular context the standby (for example, for maintenance or a software upgrade on the currently active context). If the standby group member can statefully become the active member of the FT group, a switchover occurs. To use this command, you must configure the no preempt command in FT group configuration mode.
The ft switchover command exhibits the following behavior, depending on whether you enter the command from the Admin context or a user context:
• Admin context—If you specify an FT group ID, then the FT group specified by the group ID switches over. If you do not specify a group ID, then the Admin context switches over.
• User context—Because you cannot specify an FT group ID in a user context, the context in which you enter the command switches over.
When you specify the ft switchover command, there may be brief periods of time when the configuration mode is enabled on the new active group member to allow the administrator to make configuration changes. However, these configuration changes are not synchronized with the standby group member and will exist only on the active group member. We recommend that you refrain from making any configuration changes after you enter the ft switchover command until the FT states stabilize to ACTIVE and STANDBY_HOT. Once the FT group reaches the steady state of ACTIVE and STANDBY_HOT, any configuration changes performed on the active group member will be incrementally synchronized to the standby group member, assuming that configuration synchronization is enabled.
Examples To cause a switchover from the active ACE to the standby ACE of FT group 1, enter:
host1/Admin# ft switchover 1
Related Commands (config-ft-group) preempt

gunzip

To uncompress (unzip) LZ77 coded files residing in the disk0: file system (for example, zipped probe script files), use the gunzip command.
gunzip disk0:[path/]filename.gz
Syntax Description
disk0:[path/]filename.gz Specifies the name of the compressed file on the disk0: file system. The filename must end with a .gz extension. If you do not specify the optional path, the ACE looks for the file in the root directory.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is useful in uncompressing large files. The filename must end with a .gz extension for the file to be uncompressed using the gunzip command. The .gz extension indicates a file that is zipped by the gzip (GNU zip) compression utility.
To display a list of available zipped files on disk0:, use the dir command.
Examples To unzip a compressed series of probe script files from the file PROBE_SCRIPTS in the disk0: file system, enter:
host1/Admin# gunzip disk0:PROBE_SCRIPTS.gz
Related Commands dir

invoke context

To display the context running configuration information from the Admin context, use the invoke context command.
invoke context context_name show running-config
Syntax Description
context_name Name of user-created context. This argument is case sensitive.
Command Modes Exec
Admin context
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To display the running configuration for the C1 user context from the Admin context, enter:
host1/Admin# invoke context C1 show running-config
Related Commands This command has no related commands.

license

To install, update, or uninstall licenses on the ACE, use the license command.
license {install disk0:[path/]filename [target_filename] | uninstall {name | all} | update disk0:[path/]permanent_filename demo_filename}
Syntax Description
install disk0:[path/]filename Installs a demo or permanent license from the disk0: file system into flash memory on the ACE. The filename is the name of the license on the disk0: file system. If you do not specify the optional path, the ACE looks for the file in the root directory.
target_filename (Optional) Target filename for the license file.
uninstall name Uninstalls the specified license file. Enter the license name as an unquoted text string with no spaces.
all Uninstalls all installed licenses in the ACE.
update disk0:[path/]permanent_filename Updates an installed demo license with a permanent license. The permanent_filename is the filename for the permanent license.
demo_filename Filename for the demo license.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) Added the all keyword to the uninstall option.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) Added the all keyword to the uninstall option.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
After you receive a demo or permanent software license key in an e-mail from Cisco Systems, you must copy the license file to a network server and then use the copy tftp command in Exec mode to copy the file to the disk0: file system on the ACE.
To update an installed demo license with a permanent license, use the license update command. The demo license is valid for 60 days. To view the expiration of the demo license, use the show license usage command.
To back up license files, use the copy licenses command.
Caution When you remove a demo or permanent virtual context license, the ACE removes all user contexts from the Admin running configuration. By removing the user contexts, their running and startup configurations are also removed from the ACE. Before removing any virtual context license, back up the Admin running configuration and the user context running configurations to a remote server.
For more information about the types of ACE licenses available and how to manage the licenses on your ACE, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To install a new permanent license, enter:
host1/Admin# license install disk0:ACE-VIRT-020.LIC
To uninstall a license, enter:
host1/Admin# license uninstall ACE-VIRT-20.LIC
ACE Module Example
To update the demo license with a permanent license, enter:
host1/Admin# license update disk0:ACE-VIRT-250.LIC ACE-VIRT-250-demo.LIC
ACE Appliance Example
To update the demo license with a permanent license, enter:
host1/Admin# license update disk0:ACE-AP-VIRT-020.lic ACE-AP-VIRT-020-DEMO.lic
Related Commands copy licenses
copy tftp:
show license

mkdir disk0:

To create a new directory in disk0:, use the mkdir disk0: command.
mkdir disk0:[path/]directory_name
Syntax Description
[path/]directory_name Name that you assign to the new directory. Specify the optional path if you want to create a directory within an existing directory.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If a directory with the same name already exists, the ACE does not create the new directory and the “Directory already exists” message appears.
Examples To create a directory in disk0: called TEST_DIRECTORY, enter:
host1/Admin# mkdir disk0:TEST_DIRECTORY
Related Commands dir
rmdir disk0:

move disk0:

To move a file between directories in the disk0: file system, use the move disk0: command.
move disk0:[source_path/]filename disk0:[destination_path/]filename
Syntax Description
disk0: Indicates the disk0: file system of the current context.
source_path/ (Optional) Path of the source directory.
destination_path/ (Optional) Path of the destination directory.
filename Name of the file to move in the disk0: file system.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If a file with the same name already exists in the destination directory, that file is overwritten by the file that you move.
Examples To move the file called SAMPLEFILE in the root directory of disk0: to the MYSTORAGE directory in disk0:, enter:
host1/Admin# move disk0:SAMPLEFILE disk0:MYSTORAGE/SAMPLEFILE
Related Commands dir

np session

(ACE module only) To execute network processor-related commands, use the np session command.
np session {disable | enable}
Syntax Description
disable Disables sessions to the network processor from the supervisor engine.
enable Enables sessions to the network processor from the supervisor engine.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To enable sessions to the network processor from the supervisor engine, enter:
host1/Admin# np session enable
Related Commands This command has no related commands.

ping

To verify the connectivity of a remote host or server by sending echo messages from the ACE, use the ping command.
ping [ip | ipv6 [system_address [count count [size size [timeout time]]]]]
Syntax Description
ip | ipv6 (Optional) Specifies the IPv4 or IPv6 protocol. If you do not specify the IP protocol, it is inferred from the address.
system_address (Optional) IP address of the remote host to ping. Enter an IP address in dotted-decimal notation (for example, 172.27.16.10). If you do not specify the IP address of the remote host, the CLI prompts you for the information.
count count (Optional) Repeat count. Enter the repeat count as an integer from 1 to 65000. The default is 5.
size size (Optional) Datagram size. Enter the datagram size as an integer from 36 to 1440. The default is 100.
timeout time (Optional) Timeout in seconds. Enter the timeout value as an integer from 0 to 3600. The default is 2.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) The size option was increased from 452 to 1440.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.5) At the datagram size prompt for the extended ping command, the size was increased from 452 to 1400.
A3(2.6) The size option was increased from 452 to 1440.
A5(1.0) Added IPv6 support.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ping command sends an echo request packet to an address from the current context on the ACE and then awaits a reply. The ping output can help you evaluate path-to-host reliability, delays over the path, and whether the host can be reached or is functioning.
To terminate a ping session before it reaches its timeout value, press Ctrl-C.
Examples IPv6 Example
To send a ping to the IPv6 loopback address 0:0:0:0:0:0:0:1, enter the following command:
host1/Admin# ping ::1
PING 0:0:0:0:0:0:0:1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=255 time=0.039 ms
64 bytes from ::1: icmp_seq=2 ttl=255 time=0.000 ms
64 bytes from ::1: icmp_seq=3 ttl=255 time=0.000 ms
64 bytes from ::1: icmp_seq=4 ttl=255 time=0.108 ms
64 bytes from ::1: icmp_seq=5 ttl=255 time=0.126 ms
--- 0:0:0:0:0:0:0:1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 8002ms
rtt min/avg/max/mdev = 0.000/0.054/0.126/0.053 ms
To abnormally terminate a ping session, press Ctrl-C.
IPv4 Example
To ping the FTP server with an IP address of 196.168.1.2 using the default ping session values, enter:
host1/Admin# ping 196.168.1.2
Related Commands traceroute

reload

To reload the configuration on the ACE, use the reload command.
reload
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The reload command reboots the ACE and performs a full power cycle of both the hardware and software. The reset process can take several minutes. Any open connections with the ACE are dropped after you enter the reload command.
Caution Configuration changes that are not written to flash memory are lost after a reload. Before rebooting, enter the copy running-config startup-config command to save a copy of the running configuration to the startup configuration in flash memory. If you fail to save your running configuration changes, the ACE reverts to the last saved version of the startup configuration upon restart.
Examples To execute a soft reboot, enter:
host1/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes]
Related Commands copy capture
show running-config
show startup-config

reprogram bootflash

(ACE module only) To reprogram the field upgradable (FUR) partition of the ROM monitor (rommon) image on the ACE, use the reprogram bootflash command.
reprogram bootflash {default-image {disk0:[path/]filename | image:[path/]filename} | fur-image {disk0:[path/]filename | image:[path/]filename} | invalidate-fur-image | validate-fur-image}
Syntax Description
default-image Reprograms the rommon image default partition.
fur-image Reprograms the rommon image FUR partition.
disk0:[path/]filename Specifies a file stored on the disk0: file system.
image:[path/]filename Specifies the rommon image stored on the image: file system.
invalidate-fur-image Invalidates the rommon image FUR partition.
validate-fur-image Validates the rommon image FUR partition.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The reprogram bootflash command is intended for use by trained Cisco personnel only. Entering this command may cause unexpected results. Do not attempt to use the reprogram bootflash command without guidance from Cisco support personnel.
Examples To reprogram the rommon image FUR partition on the image: file system, enter:
host1/Admin# reprogram bootflash fur-image image:sb-ace.NOV_11
Related Commands This command has no related commands.

restore

To restore the configuration files and dependent files in a context or in all contexts, use the restore command.
restore {[all] disk0:archive_filename} [pass-phrase text_string] [exclude {licenses | ssl-files}]
Syntax Description
all Specifies that the ACE should restore the configuration files and dependencies in all contexts. You can specify this keyword only in the Admin context.
disk0:archive_filename Name of the archive file that you want to restore.
exclude licenses | ssl-files (Optional) Excludes licenses or SSL certificates and keys from the restoration. Use this option only if you want to keep the license or SSL files already present in your ACE and ignore the license or SSL files in the backup archive, if any.
pass-phrase text_string Passphrase that you used to encrypt the backed up SSL keys in the archive. Enter the passphrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. If you used a passphrase when you backed up the SSL keys, the ACE encrypted the keys with AES-256 encryption using OpenSSL software. To restore the SSL keys, you must enter that same passphrase.
Note If you forget your passphrase, import the required SSL files first. Then, use the exclude option of the restore command to restore the backup archive.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
A2(3.0) This command was introduced.
ACE Appliance Release Modification
A4(1.0) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The restore command has the following configuration guidelines and limitations:
• The restore command will cause an interruption in service for the two contexts in a redundant configuration. We recommend that you schedule the restoration of a backup archive on a redundant pair during a maintenance window.
• When you instruct the ACE to restore the archive for the entire ACE in the Admin context, it restores the Admin context completely first, and then it restores the other contexts. The ACE restores all dependencies before it restores the running context. The order in which the ACE restores dependencies is as follows:
– License files
– SSL certificates and key files
– Health-monitoring scripts
– Checkpoints
– Startup-configuration file
– Running-configuration file
• After you restore license files, previously installed license files are uninstalled and the restored files are installed in their place.
• In a redundant configuration, if the archive that you want to restore is different from the peer configurations in the FT group, redundancy may not operate properly after the restoration.
• You can restore a single context from an ACE-wide backup archive provided that:
– You enter the restore command in the context that you want to restore
– All file dependencies for the context exist in the ACE-wide backup archive
• If you upgrade to software version A4(1.0) or later from a release before A4(1.0), the ACE cannot install the earlier license files because they are unsupported. The ACE ignores these license files and keeps the existing licenses.
• If you enter the exclude option first, you cannot enter the pass-phrase option.
Examples To restore a backup archive in the Admin context, enter:
host1/Admin# restore disk0:switch_Admin_07_July_2009_11_08_04_AM.tgz pass-phrase MY_PASS_PHRASE
Related Commands backup
show restore

rmdir disk0:

To remove a directory from the disk0: file system, use the rmdir disk0: command.
rmdir disk0:directory
Syntax Description
directory Name of the directory to remove.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To remove a directory from disk0:, the directory must be empty. To view the contents of a directory, use the dir command. To delete files from a directory, use the delete command.
Examples To remove the directory TEST_DIRECTORY from disk0:, enter:
host1/Admin# rmdir disk0:TEST_DIRECTORY
Related Commands delete
dir
mkdir disk0:
setup
(ACE appliance only) To initiate a special setup script that guides you through the basic process of
configuring an Ethernet port on the ACE as the management port to access the Device Manager GUI,
use the setup command.
setup
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin and user contexts
Command History
ACE Appliance Release    Modification
A1(7)                    This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The setup script is intended primarily as the means to guide you through a basic configuration of the ACE
to quickly access the Device Manager. Use the setup command when the ACE boots without a
startup-configuration file. This situation may occur when the ACE is new and the appliance was not
configured upon initial startup. The setup script guides you through configuring a management VLAN
on the ACE through one of its Gigabit Ethernet ports.
After you specify a Gigabit Ethernet port, the port mode, and the management VLAN, the setup script
automatically applies the following default configuration:
• Management VLAN allocated to the specified Ethernet port.
• VLAN 1000 assigned as the management VLAN interface.
• GigabitEthernet port mode configured as VLAN access port.
• Extended IP access list that allows IP traffic originating from any other host addresses.
• Traffic classification (class map and policy map) created for management protocols HTTP, HTTPS,
ICMP, SSH, Telnet, and XML-HTTPS. HTTPS is dedicated for connectivity with the Device
Manager GUI.
• VLAN interface configured on the ACE and a policy map assigned to the VLAN interface.
The ACE provides a default answer in brackets [ ] for each question in the setup script. To accept a
default configuration prompt, press Enter, and the ACE accepts the setting. To skip the remaining
configuration prompts, press Ctrl-C any time during the configuration sequence.
When completed, the setup script prompts you to apply the configuration settings.
Examples To run the setup script from the CLI, enter:
host1/Admin# setup
This script will perform the configuration necessary for a user to manage the ACE
Appliance using the ACE Device Manager.The management port is a designated Ethernet port
which has access to the same network as your management tools including the ACE Device
Manager. You will be prompted for the Port Number, IP Address, Netmask and Default Route
(optional). Enter 'ctrl-c' at any time to quit the script
Would you like to enter the basic configuration (yes/no): y
Enter the Ethernet port number to be used as the management port (1-4):? [1]: 3
Enter the management port IP Address (n.n.n.n): [192.168.1.10]: 192.168.1.10
Enter the management port Netmask(n.n.n.n): [255.255.255.0]: 255.255.255.2
Enter the default route next hop IP Address (n.n.n.n) or to skip this step:
172.16.2.1
Summary of entered values:
Management Port: 3
Ip address 192.168.1.10
Netmask: 255.255.255.2
Default Route: 172.16.2.1
Submit the configuration including security settings to the ACE Appliance?
(yes/no/details): [y]: d
Detailed summary of entered values:
interface gigabit/Ethernet 1/3
switchport access vlan 1000
no shut
access-list ALL extended permit ip any any
class-map type management match-any remote_access
match protocol xml-https any
match protocol dm-telnet any
match protocol icmp any
match protocol telnet any
match protocol ssh any
match protocol http any
match protocol https any
match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 192.168.1.10 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ssh key rsa
ip route 0.0.0.0 0.0.0.0 172.16.2.1
Submit the configuration including security settings to the ACE Appliance?
(yes/no/details): [y]: y
Configuration successfully applied. You can now manage this ACE Appliance by entering the
url 'https://192.168.1.10' into a web browser to access the Device Manager GUI.
Related Commands This command has no related commands.
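As an added example that is not part of the Cisco reference, the following Python audits the configuration that the setup script proposes in its detailed summary before it is submitted: it parses the flat command listing into the access-list, class-map, policy-map and VLAN interface pieces, then reports whether the ACL bound to the management VLAN is a permit ip any any and which management protocols the policy permits in the clear. The sample listing is constructed from the output shown above; the CLEARTEXT set and the parser's support for only the any/any ACL form that setup generates are the author's assumptions.

```python
"""Audit the management policy that the ACE setup script proposes.
Added example, not code from the Cisco reference. It parses the flat
'Detailed summary of entered values' listing printed by setup. Assumptions:
only the any/any access-list form that setup generates is recognized, and
CLEARTEXT is the author's choice of unencrypted management protocols.
"""
from dataclasses import dataclass, field

# Assumption: protocols an operator normally replaces with SSH/HTTPS because
# they carry credentials or session data in the clear.
CLEARTEXT = {"telnet", "dm-telnet", "http", "snmp"}

# Constructed sample, copied from the detailed summary shown above.
SETUP_SUMMARY = """\
interface gigabitEthernet 1/3
switchport access vlan 1000
no shut
access-list ALL extended permit ip any any
class-map type management match-any remote_access
match protocol xml-https any
match protocol dm-telnet any
match protocol icmp any
match protocol telnet any
match protocol ssh any
match protocol http any
match protocol https any
match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 192.168.1.10 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ssh key rsa
ip route 0.0.0.0 0.0.0.0 172.16.2.1
"""


@dataclass
class ManagementPolicy:
    acls: dict = field(default_factory=dict)        # name -> [(action, proto, endpoints)]
    class_maps: dict = field(default_factory=dict)  # name -> set of matched protocols
    policies: dict = field(default_factory=dict)    # policy-map name -> {class: action}
    interfaces: dict = field(default_factory=dict)  # "vlan 1000" -> {ip, acl, policy}


def parse_setup_summary(text):
    """Parse the flat listing; a block stays open until the next top-level command."""
    pol = ManagementPolicy()
    block = None          # ("class-map" | "policy-map" | "interface", name)
    current_class = None  # class named inside the open policy-map
    for t in filter(None, map(str.split, text.splitlines())):  # tokens of each non-empty line
        if t[0] == "access-list" and len(t) >= 6 and t[2] == "extended":
            pol.acls.setdefault(t[1], []).append((t[3], t[4], " ".join(t[5:])))
        elif t[0] == "class-map":
            block = ("class-map", t[-1])
            pol.class_maps.setdefault(t[-1], set())
        elif t[0] == "policy-map":
            block = ("policy-map", t[-1])
            pol.policies.setdefault(t[-1], {})
        elif t[0] == "interface":
            block = ("interface", " ".join(t[1:]))
            pol.interfaces.setdefault(block[1], {})
        elif block and block[0] == "class-map" and t[:2] == ["match", "protocol"]:
            pol.class_maps[block[1]].add(t[2])
        elif block and block[0] == "policy-map" and t[0] == "class":
            current_class = t[1]
        elif block and block[0] == "policy-map" and t[0] in ("permit", "deny"):
            pol.policies[block[1]][current_class] = t[0]
        elif block and block[0] == "interface":
            iface = pol.interfaces[block[1]]
            if t[:2] == ["ip", "address"]:
                iface["ip"] = t[2]
            elif t[:2] == ["access-group", "input"]:
                iface["acl"] = t[2]
            elif t[:2] == ["service-policy", "input"]:
                iface["policy"] = t[2]
        else:
            block = None  # ssh key rsa, ip route, ... end any open block
    return pol


def audit_management_policy(pol):
    """Return one finding per weakness on each interface; an empty list means none found."""
    findings = []
    for name, iface in pol.interfaces.items():
        acl = iface.get("acl")
        for action, proto, endpoints in pol.acls.get(acl, []):
            if action == "permit" and proto == "ip" and endpoints == "any any":
                findings.append(f"{name}: access-list {acl} permits ip any any; "
                                "restrict the source to the management hosts")
        for cls, action in pol.policies.get(iface.get("policy"), {}).items():
            clear = sorted(pol.class_maps.get(cls, set()) & CLEARTEXT)
            if action == "permit" and clear:
                findings.append(f"{name}: class-map {cls} permits cleartext "
                                f"management protocols: {', '.join(clear)}")
    return findings
```

Run it against the summary the script prints (answer d at the submit prompt) and tighten the access-list or class-map before answering y.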
set dc
(ACE module only) To set the daughter card console access to the master or the slave network processor,
use the set dc command.
set dc dc_number console {master | slave}
Syntax Description
dc_number         Specifies the daughter card on the ACE module. Enter either 1 or 2.
console           Sets the console access to the specified network processor.
master | slave    Specifies the master or the slave network processor on the specified daughter card for console access. The default is master.
Command Modes Exec
Admin context only
Command History
ACE Module Release    Modification
A4(1.0)               This command was introduced.
Usage Guidelines This command requires the Admin user role in the Admin context. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To set the daughter card 1 console access to the slave network processor, enter:
host1/Admin# set dc 1 console slave
Switched the console access to slave network processor
Related Commands clear dc
show dc
set sticky-ixp
(ACE module only) This command has been deprecated in software version A4(1.0).
Command History
ACE Module Release    Modification
A2(1.0)               This command was introduced.
A4(1.0)               This command was removed from the software.
show
To display ACE statistical and configuration information, use the show command.
show keyword [| {begin pattern | count | end | exclude pattern | include pattern | next | prev}]
[> {filename | {disk0:| volatile}:[path/][filename] | ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}]
Syntax Description
keyword    Keyword associated with the show command. See the show commands that follow.
|    (Optional) Enables an output modifier that filters the command output.
begin pattern    Begins with the line that matches the pattern that you specify.
count    Counts the number of lines in the output.
end pattern    Ends with the line that matches the pattern that you specify.
exclude pattern    Excludes the lines that match the pattern that you specify.
include pattern    Includes the lines that match the pattern that you specify.
next    Displays the lines next to the matching pattern that you specify.
prev    Displays the lines before the matching pattern that you specify.
>    (Optional) Enables an output modifier that redirects the command output to a file.
filename    Name of the file that the ACE saves the output to on the volatile: file system.
disk0:    Specifies that the destination is the disk0: file system on the ACE flash memory.
volatile:    Specifies that the destination is the volatile: file system on the ACE.
[path/][filename]    (Optional) Path and filename to the disk0: or volatile: file system. This path is optional because the ACE prompts you for this information if you omit it.
ftp://server/path[/filename]    Specifies the File Transfer Protocol (FTP) network server and optional filename.
sftp://[username@]server/path[/filename]    Specifies the Secure File Transfer Protocol (SFTP) network server and optional filename.
tftp://server[:port]/path[/filename]    Specifies the Trivial File Transfer Protocol (TFTP) network server and optional filename.
Command Modes Exec
Command History
ACE Module Release    Modification
3.0(0)A1(2)           This command was introduced.
ACE Appliance Release    Modification
A1(7)                    This command was introduced.
Usage Guidelines The features required in your user role to execute a specific show command are described in the “Usage
Guidelines” section of the command. For details about role-based access control (RBAC) and user roles,
see the Virtualization Guide, Cisco ACE Application Control Engine.
Most commands have an associated show command. For example, the associated show command for the
interface command in configuration mode is the show interface command. Use the associated show
command to verify changes that you make to the running configuration.
The output of the show command may vary depending on the context that you enter the command from.
For example, the show running-config command displays the running-configuration for the current
context only.
To convert show command output from the ACE to XML for result monitoring by an NMS, use the
xml-show command.
Examples To display the current running configuration, enter:
host1/Admin# show running-config
Related Commands xml-show
show aaa
To display AAA accounting and authentication configuration information for the current context, use the
show aaa command.
show aaa {accounting | authentication [login error-enable] | groups} [|] [>]
Syntax Description
accounting    Displays accounting configuration information.
authentication    Displays authentication configuration information.
login error-enable    (Optional) Displays the status of the login error message configuration.
groups    Displays the configured server groups.
|    (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>    (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release    Modification
3.0(0)A1(2)           This command was introduced.
ACE Appliance Release    Modification
A1(7)                    This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show aaa command output, see the Security Guide, Cisco ACE
Application Control Engine.
Examples To display the accounting configuration information, enter:
host1/Admin# show aaa accounting
default: local
Related Commands show accounting log
(config) aaa accounting default
(config) aaa authentication login
show access-list
To display statistics associated with a specific access control list (ACL), use the show access-list command.
show access-list name [detail] [|] [>]
Syntax Description
name    Name of an existing ACL. Enter the name as an unquoted text string.
detail    Displays detailed information for the specified ACL.
|    (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>    (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release    Modification
3.0(0)A1(2)           This command was introduced.
A2(1.0)               This command was revised with the detail option.
ACE Appliance Release    Modification
A1(7)                    This command was introduced.
A3(1.0)                  This command was revised with the detail option.
Usage Guidelines This command requires the access-list feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACL information that the ACE displays when you enter the show access-list command includes the
ACL name, the number of elements in the ACL, the operating status of the ACL (ACTIVE or NOT
ACTIVE), any configured remarks, the ACL entry, and the ACL hit count.
For information about the fields in the show access-list command output, see the Security Guide, Cisco
ACE Application Control Engine.
Examples To display statistical and configuration information for the ACL ACL1, enter:
host1/Admin# show access-list ACL1
Related Commands clear access-list
show running-config
(config) access-list ethertype
(config) access-list extended
(config) access-list remark
(config) access-list resequence
show accounting log
To display AAA accounting log information, use the show accounting log command.
show accounting log [size] [all] [|] [>]
Syntax Description
size    (Optional) Size (in bytes) of the local accounting file. Enter a value from 0 to 250000. The default is 250000 bytes.
all    (Optional) Displays the accounting logs of all contexts in the ACE. This option is available only in the Admin context.
|    (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>    (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release    Modification
3.0(0)A1(2)           This command was introduced.
A4(1.0)               The all option was added.
ACE Appliance Release    Modification
A1(7)                    This command was introduced.
A4(1.0)                  The all option was added.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show accounting log command output, see the Security Guide,
Cisco ACE Application Control Engine.
Examples To display the contents of the accounting log file, enter:
host1/Admin# show accounting log
Related Commands show aaa
(config) aaa accounting default
show acl-merge
The ACE merges individual ACLs into one large ACL called a merged ACL. The ACL compiler then
parses the merged ACL and generates the ACL lookup mechanisms. A match on this merged ACL can
result in multiple actions. To display statistics related to merged ACLs, use the show acl-merge command.
show acl-merge {acls {vlan number | internal vlan 1 | 4095} {in | out} [summary]} |
{event-history} | {match {acls {vlan number | internal vlan 1 | 4095} {in | out} ip_address1
ip_address2 protocol src_port dest_port}} | {merged-list {acls {vlan number | internal vlan 1
| 4095}{in | out} [non-redundant | summary]}} | {statistics} [|] [>]
Syntax Description
acls    Displays various feature ACLs and their entries before the merge.
vlan number    Specifies the interface on which the ACL was applied.
internal vlan 1 | 4095    Displays the ACL merge information for internal VLAN 1 or 4095 (ACE appliance).
in | out    Specifies the direction in which the ACL was applied to network traffic: incoming or outgoing.
summary    (Optional) Displays summary information before or after the merge.
event-history    Displays the ACL merge event-history log.
match    Displays the ACL entry that matches the specified tuple.
ip_address1    Source IP address. Enter an IP address in dotted-decimal notation (for example, 172.27.16.10).
ip_address2    Destination IP address. Enter an IP address in dotted-decimal notation (for example, 172.27.16.10).
protocol    Protocol specified in the ACL.
src_port    Source port specified in the ACL.
dest_port    Destination port specified in the ACL.
merged-list    (Optional) Displays the merged ACL.
non-redundant    (Optional) Displays only those ACL entries that have been downloaded to a network processor.
statistics    Displays ACL merge node failure statistics and other merge and compiler errors.
|    (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>    (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release    Modification
3.0(0)A1(2)           This command was introduced.
A2(1.5) and A2(2.1)   This command was revised to include the internal vlan 1 keywords.
A4(1.0)               This command was revised to include the event-history and statistics keywords.
ACE Appliance Release    Modification
A1(7)                    This command was introduced.
A3(2.3)                  This command was revised to include the internal vlan 1 | 4095 keywords.
A3(2.5)                  This command was revised to include the event-history and statistics keywords.
Usage Guidelines This command requires the acl-merge feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
The ACL merge list number (instance ID) is locally generated (not synchronized) on each ACE in a
redundant configuration. The number assigned depends on the order in which the ACLs are applied to
the VLANs. This number can be different on the two ACEs. The ACL merged list could be different on
the two ACEs depending on when redundancy is enabled.
Examples To display the ACL merge information for VLAN 401, enter:
host1/Admin# show acl-merge acls vlan 401 in summary
Related Commands This command has no related commands.
show action-list
To display information about an action list configuration, use the show action-list command in Exec
mode. The show action-list command output displays all modify HTTP and ACE appliance optimization
action list configurations and configured values.
show action-list [list_name] [|] [>]
Syntax Description
list_name    (Optional) Identifier of an existing action list as an unquoted text string with a maximum of 64 alphanumeric characters. If you do not enter an action list name, the ACE displays all configured action lists.
|    (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>    (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release    Modification
A4(1.0)               This command was introduced.
ACE Appliance Release    Modification
A1(7)                    This command was introduced.
A3(2.3)                  The Description field has been added to the show action-list command output. This field displays the previously entered summary about the specific parameter map.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show action-list command output, see the Application
Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine Appliance
and the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To display configuration information for the ACT_LIST1 action list, enter:
host1/Admin# show action-list ACT_LIST1
Related Commands show running-config
(config) action-list type modify http
(ACE appliance only) (config) action-list type optimization http
show arp
To display the current active IP address-to-MAC address mapping in the Address Resolution Protocol
(ARP) table, statistics, or inspection or timeout configuration, use the show arp command.
show arp [inspection | internal event-history dbg | statistics [vlan vlan_number] | timeout] [|] [>]
Syntax Description
inspection    (Optional) Displays the ARP inspection configuration.
internal event-history dbg    (Optional) Displays the ARP internal event history. The ACE debug commands are intended for use by trained Cisco personnel only. Do not attempt to use these commands without guidance from Cisco support personnel.
statistics    (Optional) Displays the ARP statistics for all VLAN interfaces.
vlan vlan_number    (Optional) Displays the statistics for the specified VLAN number.
timeout    (Optional) Displays the ARP timeout values.
|    (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>    (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release    Modification
3.0(0)A1(2)           This command was introduced.
ACE Appliance Release    Modification
A1(7)                    This command was introduced.
Usage Guidelines This command requires the routing feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The show arp command without options displays the active IP address-to-MAC address mapping in the
ARP table.
For information about the fields in the show arp command output, see the Routing and Bridging Guide,
Cisco ACE Application Control Engine.
Examples To display the current active IP address-to-MAC address mapping in the ARP table, enter:
host1/Admin# show arp
Related Commands clear arp
(config) arp
show backup
To display backup errors (in the case of a failed backup) or the backup status, use the show backup
command.
show backup errors | status [details] [|] [>]
Syntax Description
errors    Displays errors that may occur during a backup operation. For information about backup system messages, see the System Message Guide, Cisco ACE Application Control Engine.
status [details]    Displays the status of the last backup operation. Backup status details are not stored across reboots.
Possible values in the Status column are as follows:
• SUCCESS—The component was successfully backed up
• FAILED—The component failed to be backed up
• N/A—The component (for example, a checkpoint or probe script) being backed up contains 0 files
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release    Modification
A2(3.0)               This command was introduced.
ACE Appliance Release    Modification
A4(1.0)                  This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To display the status of an ongoing backup, enter:
host1/Admin# show backup status detail
Backup Archive: host1_2010_09_16_21_34_03.tgz
Type : Full
Start-time : Thu Sep 16 21:34:03 2010
Finished-time : Thu Sep 16 21:34:18 2010
Status : SUCCESS
Current vc : ct3
Completed : 4/4
------------------------+---------------+--------------------------+------------
Context component Time Status
------------------------+---------------+--------------------------+------------
Admin Running-cfg Thu Sep 16 21:34:04 2010 SUCCESS
Admin Startup-cfg Thu Sep 16 21:34:04 2010 SUCCESS
Admin Checkpoints Thu Sep 16 21:34:07 2010 SUCCESS
Admin Cert/Key Thu Sep 16 21:34:07 2010 SUCCESS
Admin License Thu Sep 16 21:34:07 2010 SUCCESS
Admin Probe script Thu Sep 16 21:34:07 2010 N/A
ct1 Running-cfg Thu Sep 16 21:34:12 2010 SUCCESS
ct1 Startup-cfg Thu Sep 16 21:34:12 2010 SUCCESS
ct1 Checkpoints Thu Sep 16 21:34:12 2010 N/A
ct1 Cert/Key Thu Sep 16 21:34:12 2010 SUCCESS
ct1 Probe script Thu Sep 16 21:34:12 2010 N/A
ct2 Running-cfg Thu Sep 16 21:34:13 2010 SUCCESS
ct2 Startup-cfg Thu Sep 16 21:34:13 2010 SUCCESS
ct2 Checkpoints Thu Sep 16 21:34:13 2010 N/A
ct2 Cert/Key Thu Sep 16 21:34:13 2010 SUCCESS
ct2 Probe script Thu Sep 16 21:34:13 2010 N/A
ct3 Running-cfg Thu Sep 16 21:34:13 2010 SUCCESS
ct3 Startup-cfg Thu Sep 16 21:34:13 2010 SUCCESS
ct3 Checkpoints Thu Sep 16 21:34:13 2010 N/A
ct3 Cert/Key Thu Sep 16 21:34:13 2010 SUCCESS
ct3 Probe script Thu Sep 16 21:34:13 2010 N/A
Related Commands backup
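As an added example that is not Cisco's code, the following Python parses the show backup status output shown above and decides whether the archive can be relied on for a restore: any component marked FAILED is reported, N/A (a component with 0 files) is not treated as a failure, and every context must have both Running-cfg and Startup-cfg backed up with SUCCESS. The sample output is constructed from the listing above with the Admin Cert/Key row and the overall Status changed to FAILED to exercise the failure path; the column names, component names and status values are those the page documents.

```python
"""Check the result of 'show backup status details' on an ACE.

Added example, not code from the Cisco reference. It parses the header and
the per-component table of the command output and reports a backup as good
only if no component FAILED and every context has both its running and
startup configuration backed up. N/A rows (components with 0 files) are not
failures. The sample below is constructed from the output shown above, with
the Admin Cert/Key row changed to FAILED to exercise the failure path.
"""
import re
from collections import namedtuple

BackupRow = namedtuple("BackupRow", "context component time status")

# Component names and status values as listed in the command reference.
COMPONENTS = ("Running-cfg", "Startup-cfg", "Checkpoints", "Cert/Key",
              "License", "Probe script")
ROW_RE = re.compile(
    r"^(?P<ctx>\S+)\s+(?P<comp>" + "|".join(re.escape(c) for c in COMPONENTS)
    + r")\s+(?P<time>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<status>SUCCESS|FAILED|N/A)\s*$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z -]*?)\s*:\s*(?P<val>.*)$")

# Constructed sample (see the module docstring).
SAMPLE_STATUS = """\
Backup Archive: host1_2010_09_16_21_34_03.tgz
Type          : Full
Start-time    : Thu Sep 16 21:34:03 2010
Finished-time : Thu Sep 16 21:34:18 2010
Status        : FAILED
Current vc    : ct1
Completed     : 2/2
------------------------+---------------+--------------------------+------------
Context                  component       Time                       Status
------------------------+---------------+--------------------------+------------
Admin                    Running-cfg     Thu Sep 16 21:34:04 2010   SUCCESS
Admin                    Startup-cfg     Thu Sep 16 21:34:04 2010   SUCCESS
Admin                    Checkpoints     Thu Sep 16 21:34:07 2010   SUCCESS
Admin                    Cert/Key        Thu Sep 16 21:34:07 2010   FAILED
Admin                    License         Thu Sep 16 21:34:07 2010   SUCCESS
Admin                    Probe script    Thu Sep 16 21:34:07 2010   N/A
ct1                      Running-cfg     Thu Sep 16 21:34:12 2010   SUCCESS
ct1                      Startup-cfg     Thu Sep 16 21:34:12 2010   SUCCESS
ct1                      Checkpoints     Thu Sep 16 21:34:12 2010   N/A
ct1                      Cert/Key        Thu Sep 16 21:34:12 2010   SUCCESS
ct1                      Probe script    Thu Sep 16 21:34:12 2010   N/A
"""


def parse_backup_status(text):
    """Return (header dict, list of BackupRow) parsed from the command output."""
    header, rows = {}, []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(BackupRow(m["ctx"], m["comp"], m["time"], m["status"]))
            continue
        m = HEADER_RE.match(line)  # "Key : value" lines above the table
        if m:
            header[m["key"].strip()] = m["val"].strip()
    return header, rows


def summarize_backup(text):
    """Decide whether the last backup can be relied on for a restore."""
    header, rows = parse_backup_status(text)
    done, total = (int(x) for x in header.get("Completed", "0/0").split("/"))
    contexts = sorted({r.context for r in rows})
    failed = [(r.context, r.component) for r in rows if r.status == "FAILED"]
    # Both configuration files must be present for every context; an N/A or a
    # missing row there means a restore would lack that context's configuration.
    missing_cfg = [(c, comp) for c in contexts for comp in ("Running-cfg", "Startup-cfg")
                   if not any(r.context == c and r.component == comp and r.status == "SUCCESS"
                              for r in rows)]
    return {
        "archive": header.get("Backup Archive"),
        "reported_status": header.get("Status"),
        "complete": done == total and len(contexts) == total,
        "failed": failed,
        "missing_cfg": missing_cfg,
        "ok": done == total and not failed and not missing_cfg,
    }
```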
show banner motd
To display the configured banner message of the day, use the show banner motd command.
show banner motd [|] [>]
Syntax Description
|    (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>    (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release    Modification
3.0(0)A1(2)           This command was introduced.
ACE Appliance Release    Modification
A1(7)                    This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To configure the banner message, use the banner command in the configuration mode.
For information about the fields in the show banner motd command output, see the Administration
Guide, Cisco ACE Application Control Engine.
Examples To display the message of the day, enter:
host1/Admin# show banner motd
Related Commands (config) banner
show bootvar
To display the current BOOT environment variable and configuration register setting, use the show
bootvar command. This command is available only in the Admin context.
show bootvar [|] [>]
Syntax Description
|    (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>    (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release    Modification
3.0(0)A1(2)           This command was introduced.
ACE Appliance Release    Modification
A1(7)                    This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To set the BOOT environment variable, use the boot system image: command in the configuration
mode.
For information about the fields in the show bootvar command output, see the Administration Guide,
Cisco ACE Application Control Engine.
Examples ACE Module Example
To display the current BOOT environment variable and configuration register setting, enter:
host1/Admin# show bootvar
BOOT variable = "disk0:c6ace-t1k9-mzg.3.0.0_A0_2.48.bin"
Configuration register is 0x1
ACE Appliance Example
To display the current BOOT environment variable and configuration register setting, enter:
host1/Admin# show bootvar
BOOT variable = “disk0:c4710ace-mz.A5_1_0.bin”
Configuration register is 0x1
Related Commands This command has no related commands.
show buffer
To display the buffer manager module messages, use the show buffer command.
show buffer {events-history | stats | usage} [|] [>]
Syntax Description
events-history    Displays a historic log of the most recent messages generated by the buffer manager event history.
stats    Displays detailed counters for various buffer manager event occurrences.
usage    Displays the number of buffers currently being held (allocated but not freed) by each buffer module. The usage keyword also shows an estimate of the number of times a particular buffer module has freed the same buffer more than once (this condition indicates a software error). It also displays the Hi watermark field, which gives more visibility into buffer usage when monitoring high watermarks.
|    (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>    (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release    Modification
3.0(0)A1(2)           This command was introduced.
ACE Appliance Release    Modification
A1(7)                    This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To display the control plane buffer event history, enter:
host1/Admin# show buffer events-history
1) Event:E_DEBUG, length:72, at 477729 usecs after Sat Jan 1 00:01:29 2000
[102] headers=0xd2369000, ctrl_blocks=0xd280a040, data_blocks=0xd5403aa0
2) Event:E_DEBUG, length:50, at 477707 usecs after Sat Jan 1 00:01:29 2000
[102] total blocks=151682 (ctrl=75841, data=75841)
Related Commands clear buffer stats
show capture
To display the packet information that the ACE traces as part of the packet capture function, use the show
capture command.
show capture buffer_name [detail [connid connection_id | range packet_start packet_end] |
status] [|] [>]
Syntax Description
buffer_name Name of the packet capture buffer. Specify an unquoted text string with no spaces
from 1 to 80 alphanumeric characters.
detail (Optional) Displays additional protocol information for each packet.
connid connection_id (Optional) Displays protocol information for a specified connection identifier.
range packet_start packet_end (Optional) Displays protocol information for a range of captured packets.
status (Optional) Displays capture status information for each packet.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command
output. For a complete description of the options available for filtering the command
output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects
the command output to a file. For a complete description of the options available for
redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For all types of received packets, the console display is in tcpdump format.
To copy the capture buffer information as a file in flash memory, use the copy capture command.
For information about the fields in the show capture command output, see the Administration Guide,
Cisco ACE Application Control Engine.
Examples To display the captured packet information contained in packet capture buffer CAPTURE1, enter:
switch/Admin# show capture CAPTURE1
Related Commands copy capture
show cde
(ACE module only) To display the classification and distribution engine (CDE) interface statistics,
health, and register values, use the show cde command. This command includes statistics for the CDE
daughter card interface, the CDE control plane interface, and the CDE switch fabric interface.
show cde {all | count | dist | hash index_number | health | interrupts | reg cde_number register |
stats {cumulative | delta} | vlan vlan_number} [|] [>]
Syntax Description
all Displays all CDE register values.
count Displays the cumulative count of the CDE interrupts.
dist Displays the CDE distribution type.
hash index_number Displays the hash distribution table. Enter a value from 0 to 63.
health Displays the CDE health, including the daughter card statistics.
interrupts Displays the CDE interrupts.
reg Displays the specified CDE register.
cde_number CDE number (0 or 1).
register Register value. Enter a hexadecimal value from 0x0 to 0x1d9.
stats Displays the specified CDE statistics.
cumulative Displays the cumulative CDE statistics from the last invocation of the show cde
command.
delta Displays the delta CDE statistics from the last invocation of the show cde
command.
vlan vlan_number Displays the VLAN distribution table for the specified VLAN. Enter the desired
VLAN number from 0 to 4096.
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for filtering
the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that
redirects the command output to a file. For a complete description of the options
available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To display all of the CDE register values, enter:
host1/Admin# show cde all
Related Commands clear cde
show cfgmgr
To display the Configuration Manager internal information, use the show cfgmgr command.
show cfgmgr internal {history | {table {access-group | ace name | acl name | action-list | arp |
class-map | context | icmp-vip | if-zone | interface | l2-ace | l2-acl | l3-rule | match-item | nat
| nat-dynamic | nat-pool | nat-pool-data | nat-static | og name | og-data name | og-exp name
| parameter-map | policy-map | probe | probe-instance | rserver | script-file | script-task |
sfarm | sfarm-real | slb-policy | ssl-proxy | sticky-grp | sticky-static-grp | time-range |
track-probe | vip} [all | context name | detail]} [|] [>]
Syntax Description history Displays the Configuration Manager debug log.
table Displays the specified Configuration Manager internal table.
access-group Displays the access group table.
ace name Displays the specified ACE table.
acl name Displays the specified ACL table.
action-list Displays the action-list table.
arp Displays the ARP table.
class-map Displays the class map table.
context Displays the context table.
icmp-vip Displays the ICMP state in VIP table.
if-zone Displays the if zone table.
interface Displays the interface table.
l2-ace Displays the Layer 2 ACE table.
l2-acl Displays the Layer 2 ACL table.
l3-rule Displays the Layer 3 rule table.
match-item Displays the match-item table.
nat Displays the NAT table.
nat-dynamic Displays the NAT dynamic table.
nat-pool Displays the NAT pool table.
nat-pool-data Displays the NAT pool data table.
nat-static Displays the NAT static table.
og name Displays the specified Object Group table.
og-data name Displays the specified Object Group Data table.
og-exp name Displays the specified Object Group Expanded table.
parameter-map Displays the parameter map table.
policy-map Displays the policy map table.
probe Displays the probe table.
probe-instance Displays the probe instance table.
rserver Displays the real server table.
script-file Displays the script file table.
script-task Displays the script task table.
sfarm Displays the server farm table.
sfarm-real Displays the server farm and real server table.
slb-policy Displays the server load-balancing policy table.
ssl-proxy Displays the SSL proxy table.
sticky-grp Displays the sticky group table.
sticky-static-grp Displays the static sticky table.
time-range Displays the time-range table.
track-probe Displays the track probe table.
vip Displays the VIP table.
all Displays the internal table information for all the contexts.
context name Displays the internal table information for the specified context.
detail Displays the detailed Configuration Manager table information.
| (Optional) Pipe character (|) for enabling an output modifier that
filters the command output. For a complete description of the options
available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier
that redirects the command output to a file. For a complete
description of the options available for redirecting the command
output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To display real server table information, enter:
host1/Admin# show cfgmgr internal table rserver
Related Commands clear cfgmgr internal history
show checkpoint
To display information relating to the configured checkpoints, use the show checkpoint command.
show checkpoint {all | detail name} [|] [>]
Syntax Description
all Displays a list of all existing checkpoints. The show output includes checkpoint time
stamps.
detail name Displays the running configuration of the specified checkpoint.
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for filtering the
command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects
the command output to a file. For a complete description of the options available for
redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show checkpoint command output, see the Administration Guide,
Cisco ACE Application Control Engine.
Examples To display the running configuration for the checkpoint MYCHECKPOINT, enter:
host1/Admin# show checkpoint detail MYCHECKPOINT
Related Commands checkpoint
show clock
To display the current date and time settings of the system clock, use the show clock command.
show clock [|] [>]
Syntax Description
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for
filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that
redirects the command output to a file. For a complete description of the
options available for redirecting the command output, see the show
command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To configure the system clock setting, use the clock command in the configuration mode.
For information about the fields in the show clock command output, see the Administration Guide, Cisco
ACE Application Control Engine.
Examples To display the current clock settings, enter:
host1/Admin# show clock
Fri Feb 24 20:08:14 UTC 2006
Related Commands (config) clock summer-time
(config) clock timezone
show conn
To display the connection statistics, use the show conn command.
show conn {address ip_address1 [ip_address2] [/prefix_length | netmask mask] [detail]} | count
| detail | {port number1 [number2] [detail]} | {protocol {tcp | udp} [detail]} | {rserver
rs_name [port_number] [serverfarm sfarm_name1] [detail]} | {serverfarm sfarm_name2
[detail]} [|] [>]
Syntax Description
address ip_address1 [ip_address2] Displays connection statistics for a single source or destination IPv4 or IPv6
address or, optionally, for a range of source or destination IPv4 or IPv6
addresses. To specify a range of IP addresses, enter an IP address for the lower
limit of the range and a second IP address for the upper limit of the range.
/prefix_length Displays connection statistics for the IPv6 address or range of IPv6 addresses
that you specify. Enter an IPv6 prefix (for example, /64).
netmask mask Specifies the network mask for the IPv4 address or range of IPv4 addresses that
you specify. Enter a network mask in dotted-decimal notation (for example,
255.255.255.0).
count Displays the total current connections to the ACE.
Note The total current connections is the number of connection objects.
There are two connection objects for each flow and complete
connection.
detail Displays detailed connection information.
Note The total current connections is the number of connection objects.
There are two connection objects for each flow and complete
connection.
port number1 [number2] Displays connection statistics for a single source or destination port or,
optionally, for a range of source or destination ports.
protocol {tcp | udp} Displays connection statistics for TCP or UDP.
rserver rs_name Displays connection statistics for the specified real server.
port_number (Optional) Port number associated with the specified real server. Enter an
integer from 1 to 65535.
serverfarm sfarm_name1 (Optional) Displays connection statistics for the specified real server
associated with this server farm.
serverfarm sfarm_name2 Displays connection statistics for the real servers associated with the specified
server farm.
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for
filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that
redirects the command output to a file. For a complete description of the
options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.4) and A2(2.1) The detail option was added for a specified address, port, protocol,
real server, or server farm.
A5(1.0) Added support for IPv6.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.2) The detail option was added for a specified address, port, protocol,
real server, or server farm.
A5(1.0) Added support for IPv6.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show conn command output, see the Security Guide, Cisco ACE
Application Control Engine.
Examples IPv6 Example
To display connection statistics for a range of IP addresses, enter:
host1/C1# show conn address 2001:DB8:1::15 2001:DB8:1::35/64
IPv4 Example
To display connection statistics for a range of IP addresses, enter:
host1/C1# show conn address 192.168.12.15 192.168.12.35 netmask 255.255.255.0
Related Commands clear conn
show context
To display the context configuration information, use the show context command.
show context [context_name | Admin] [|] [>]
Syntax Description
context_name (Optional) Name of user-created context. The ACE displays just the specified
context configuration information. The context_name argument is case sensitive
and is visible only from the admin context.
Admin (Optional) Displays just the admin context configuration information. This keyword
is visible only from the admin context.
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for filtering the
command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects
the command output to a file. For a complete description of the options available for
redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE displays different information for this command depending on the context that you are in when
executing the command:
• Admin context—When you are in the Admin context and use the show context command without
specifying a context, the ACE displays the configuration information for the admin context and all
user-created contexts.
• user-created context—When you are in a user-created context and enter the show context command,
the ACE displays only the configuration information of the current context.
For information about the fields in the show context command output, see the Virtualization Guide,
Cisco ACE Application Control Engine.
Examples To display the Admin context and all user-context configuration information, enter:
host1/Admin# show context
To display the configuration information for the user context CTX1, enter:
host1/Ctx1# show context
Related Commands changeto
(config) context
show copyright
To display the software copyright information for the ACE, use the show copyright command.
show copyright [|] [>]
Syntax Description
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output.
For a complete description of the options available for filtering the command output, see the
show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the
command output to a file. For a complete description of the options available for redirecting
the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show copyright command output, see the Administration Guide,
Cisco ACE Application Control Engine.
Examples To display the ACE software copyright information, enter:
host1/Admin# show copyright
Related Commands This command has no related commands.
show crypto
To display the summary and detailed reports on files containing Secure Sockets Layer (SSL) certificates,
key pairs, chain and authentication groups, and statistics, use the show crypto command.
show crypto {aia-errors | authgroup {group_name | all} | cdp-errors | certificate {filename | all}
| chaingroup {filename | all} | crl {filename [detail] | all | best-effort} | csr-params
{filename | all} | files | key {filename | all} | ocspserver {name [detail] | all | best-effort} |
session} [|] [>]
Syntax Description
aia-errors Displays the AuthorityInfoAccess (AIA) extension error statistics.
authgroup Specifies the authentication group file type.
group_name Name of the specific authentication group file.
all Displays the summary report that lists all the files of the specified file type or
certificates for each authentication group, or certificate revocation lists (CRLs) in
the context.
cdp-errors Displays the statistics for discrepancies in CRL Distribution Points (CDPs) for the
certificates on the ACE; not context specific. A CDP indicates the location of the
CRL in the form of a URL. CDP parsing in the certificate occurs only when best
effort CRL is in use. The statistics include incomplete, malformed and missing
information, and unrecognized transports and the number of times that the ACE
ignores CDP errors as related to the (config-parammap-ssl) cdp-errors ignore
command.
certificate Specifies the certificate file type.
filename Name of a specific file. The ACE displays the detailed report for the specified file.
Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric
characters.
chaingroup Specifies the chaingroup file type.
crl Specifies the certificate revocation list configured in the context.
detail (Optional) Displays detailed statistics for the downloading of the CRL including
failure counters.
best-effort Displays summarized information for all best-effort CRLs in ACE (a maximum of
16 CRLs).
csr-params Specifies the Certificate Signing Request (CSR) parameter set.
files Displays the summary report listing all of the crypto files loaded on the ACE,
including certificate, chaingroup, and key pair files. The summary report also shows
whether the file contains a certificate, a key pair, or both.
key Specifies the key pair file type.
ocspserver name Identifier of a configured OCSP server. The ACE displays Online Certificate Status
Protocol (OCSP) information. You can use OCSP as an alternative to CRLs.
detail Instructs the ACE to display detailed statistics for the specified OCSP server.
all Displays statistics for all configured OCSP servers.
best-effort Displays statistics for OCSP servers that were obtained on a best-effort basis by
extracting the server information from the client packets.
session Displays the number of cached TLS and SSL client and server session entries in the
current context.
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for filtering the
command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects
the command output to a file. For a complete description of the options available for
redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
3.0(0)A1(6.2a) This command was revised with the hardware and stats keywords.
A2(1.0) This command was revised with the authgroup, csr-params, crl,
and session keywords.
A2(2.0) This command was revised with the cdp-errors, detail, and
best-effort keywords.
A2(2.1) This command was revised to include the Best Effort CDP Errors
Ignored field displayed with the cdp-errors keyword.
A5(1.0) Added the aia-errors and the ocspserver keywords and arguments.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised with the authgroup, csr-params, crl,
and session keywords.
A3(2.2) The cdp-errors keyword and the detail option were added.
A3(2.3) The best-effort keyword was added.
A5(1.0) Added the aia-errors and the ocspserver keywords and arguments.
Usage Guidelines This command requires the SSL feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When using the show crypto certificate command and the certificate file contains a chain, the ACE
displays only the bottom level certificate (the signers are not displayed).
For information about the fields in the show crypto command output, see the SSL Guide, Cisco ACE
Application Control Engine.
Examples To display the summary report that lists all of the crypto files, enter:
host1/Admin# show crypto files
To display
Related Commands crypto delete
crypto export
crypto import
crypto verify
(config) crypto csr-params
(config-parammap-ssl) cdp-errors ignore
show dc
(ACE module only) To display the statistics for the daughter card hardware on the ACE, use the show
dc command.
show dc dc_number {console | controller {all | health | interrupts | reg register_number | stats
{cumulative | delta}} | interrupts} [|] [>]
Syntax Description
dc_number Number of the daughter card (1 or 2).
console Displays whether the master or the slave network processor console is directed to
the base board front panel for the specified daughter card. For example, if the master
network processor is directed to the front panel, the following message appears:
“mCPU console is directed to base board front panel.” See the related set dc
dc_number console command.
controller Displays the register values for the specified daughter card CPU and the specified
controller area.
all Displays all controller register values for the specified daughter card CPU.
health Displays the controller health and statistics for the specified daughter card.
interrupts Displays the controller interrupt statistics for the specified daughter card.
reg register_number Displays the description, value, and register type for the specified controller register
in the specified daughter card.
stats Displays the controller statistics registers for the specified daughter card. You can
instruct the ACE to display either cumulative stats since the last reboot or the change
in stats since the last time you entered this command.
cumulative Displays accumulated controller statistics since the last time you rebooted the ACE
or entered the clear dc command.
delta Displays the difference in controller statistics since the last time you entered this
command.
interrupts Displays the interrupt statistics for the specified daughter card.
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for filtering the
command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects
the command output to a file. For a complete description of the options available for
redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
Usage Guidelines This command requires the Admin feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
For information about the fields in the show dc command output, see the Administration Guide, Cisco
ACE Application Control Engine.
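The cumulative and delta controller statistics described above, as an added example that is not Cisco's code: a Python parser for the register table that show dc prints (layout as in the Examples for this command) which computes the per-register change between two captured outputs, the way the delta keyword does, folds each _L/_H byte-counter register pair into one 64-bit value (an assumption drawn from the register names), and picks out the error and drop counters that moved (likewise inferred from the names).

```python
"""Delta statistics for the register table that 'show dc <n> controller stats'
prints.

Added example, not Cisco code. Assumptions: each data row is
'SNO  VERNI_<name>  0x<addr>  <value>'; a *_BYTCNT_L_REG_ADDR register and
its *_BYTCNT_H_REG_ADDR partner are the low and high 32 bits of one 64-bit
byte counter (inferred from the names); registers whose names contain
EPKTCNT, CRCECNT, DROPCNT, ERRCNT or ILL_CNT count errors or drops
(also inferred from the names).
"""
import re
from typing import Dict

ROW_RE = re.compile(r"^\s*\d+\s+(VERNI_\S+)\s+0x[0-9a-fA-F]+\s+(\d+)\s*$")
ERROR_MARKERS = ("EPKTCNT", "CRCECNT", "DROPCNT", "ERRCNT", "ILL_CNT")

# Constructed sample snapshots in the documented layout: the first reuses
# values from the command reference example, the second is made up.
SNAPSHOT_1 = """\
Tnrpc call for INFO_VERN_REGISTERS Success
SNO Verni Register Name Address Value
---------------------------------------------------------
5 VERNI_DCRX1_BYTCNT_L_REG_ADDR 0x3114 26857913
6 VERNI_DCRX1_BYTCNT_H_REG_ADDR 0x3110 0
20 VERNI_DCRX1_PKTCNT_REG_ADDR 0x3204 270400
28 VERNI_DCRX1_EPKTCNT_REG_ADDR 0x3304 0
"""
SNAPSHOT_2 = """\
Tnrpc call for INFO_VERN_REGISTERS Success
SNO Verni Register Name Address Value
---------------------------------------------------------
5 VERNI_DCRX1_BYTCNT_L_REG_ADDR 0x3114 1000
6 VERNI_DCRX1_BYTCNT_H_REG_ADDR 0x3110 1
20 VERNI_DCRX1_PKTCNT_REG_ADDR 0x3204 270500
28 VERNI_DCRX1_EPKTCNT_REG_ADDR 0x3304 3
"""


def parse_registers(text: str) -> Dict[str, int]:
    """Map register name -> value; banner, header and separator lines are skipped."""
    regs: Dict[str, int] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2))
    return regs


def join_counters(regs: Dict[str, int]) -> Dict[str, int]:
    """Fold each *_BYTCNT_L/_H pair into one 64-bit value keyed '*_BYTCNT'.
    All other registers are passed through unchanged."""
    joined: Dict[str, int] = {}
    for name, value in regs.items():
        if name.endswith("_BYTCNT_L_REG_ADDR"):
            base = name[: -len("_L_REG_ADDR")]
            high = regs.get(base + "_H_REG_ADDR", 0)
            joined[base] = (high << 32) | value
        elif name.endswith("_BYTCNT_H_REG_ADDR"):
            continue  # consumed together with its _L partner
        else:
            joined[name] = value
    return joined


def delta(prev: Dict[str, int], curr: Dict[str, int]) -> Dict[str, int]:
    """Change per register since the previous snapshot, which is what the
    'delta' keyword reports. A counter that went backwards is taken to have
    been reset by a reboot or 'clear dc', so its whole current value counts."""
    out: Dict[str, int] = {}
    for name, now in curr.items():
        before = prev.get(name, 0)
        out[name] = now - before if now >= before else now
    return out


def error_deltas(changes: Dict[str, int]) -> Dict[str, int]:
    """Only the error/drop counters that moved; these are the ones worth alerting on."""
    return {n: v for n, v in changes.items()
            if v and any(mark in n for mark in ERROR_MARKERS)}


def compare_snapshots(first: str, second: str) -> Dict[str, int]:
    """Parse two captured outputs and return the per-register delta."""
    return delta(join_counters(parse_registers(first)),
                 join_counters(parse_registers(second)))


if __name__ == "__main__":
    changes = compare_snapshots(SNAPSHOT_1, SNAPSHOT_2)
    for name, value in sorted(changes.items()):
        print(f"{name:40s} {value}")
    print("error/drop counters that moved:", error_deltas(changes))
```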
Examples To display the cumulative daughter card controller statistics, enter:
host1/Admin# show dc 1 controller stats cumulative
Tnrpc call for INFO_VERN_REGISTERS Success
SNO Verni Register Name Address Value
---------------------------------------------------------
0 VERNI_TXDCCTRLBPCNT_REG_ADDR 0x0024 0
1 VERNI_TXBCMBPCNT_REG_ADDR 0x0028 0
2 VERNI_CSR_CNTL_REG_ADDR 0x0080 0
3 VERNI_DCRX0_BYTCNT_L_REG_ADDR 0x3104 0
4 VERNI_DCRX0_BYTCNT_H_REG_ADDR 0x3100 0
5 VERNI_DCRX1_BYTCNT_L_REG_ADDR 0x3114 26857913
6 VERNI_DCRX1_BYTCNT_H_REG_ADDR 0x3110 0
7 VERNI_DCRX2_BYTCNT_L_REG_ADDR 0x3124 2984041857
8 VERNI_DCRX2_BYTCNT_H_REG_ADDR 0x3120 0
9 VERNI_DCRX3_BYTCNT_L_REG_ADDR 0x3134 0
10 VERNI_DCRX3_BYTCNT_H_REG_ADDR 0x3130 0
11 VERNI_DCRX4_BYTCNT_L_REG_ADDR 0x3144 0
12 VERNI_DCRX4_BYTCNT_H_REG_ADDR 0x3140 0
13 VERNI_DCRX5_BYTCNT_L_REG_ADDR 0x3154 10182426
14 VERNI_DCRX5_BYTCNT_H_REG_ADDR 0x3150 0
15 VERNI_DCRX6_BYTCNT_L_REG_ADDR 0x3164 461907
16 VERNI_DCRX6_BYTCNT_H_REG_ADDR 0x3160 0
17 VERNI_DCRX7_BYTCNT_L_REG_ADDR 0x3174 0
18 VERNI_DCRX7_BYTCNT_H_REG_ADDR 0x3170 0
19 VERNI_DCRX0_PKTCNT_REG_ADDR 0x3200 0
20 VERNI_DCRX1_PKTCNT_REG_ADDR 0x3204 270400
21 VERNI_DCRX2_PKTCNT_REG_ADDR 0x3208 33181066
22 VERNI_DCRX3_PKTCNT_REG_ADDR 0x320c 0
23 VERNI_DCRX4_PKTCNT_REG_ADDR 0x3210 0
24 VERNI_DCRX5_PKTCNT_REG_ADDR 0x3214 120311
25 VERNI_DCRX6_PKTCNT_REG_ADDR 0x3218 4946
26 VERNI_DCRX7_PKTCNT_REG_ADDR 0x321c 0
27 VERNI_DCRX0_EPKTCNT_REG_ADDR 0x3300 0
28 VERNI_DCRX1_EPKTCNT_REG_ADDR 0x3304 0
29 VERNI_DCRX2_EPKTCNT_REG_ADDR 0x3308 0
30 VERNI_DCRX3_EPKTCNT_REG_ADDR 0x330c 0
31 VERNI_DCRX4_EPKTCNT_REG_ADDR 0x3310 0
32 VERNI_DCRX5_EPKTCNT_REG_ADDR 0x3314 0
33 VERNI_DCRX6_EPKTCNT_REG_ADDR 0x3318 0
34 VERNI_DCRX7_EPKTCNT_REG_ADDR 0x331c 0
35 VERNI_DCRX0_FCCNT_REG_ADDR 0x3400 0
36 VERNI_DCRX0_DROPCNT_REG_ADDR 0x3420 0
37 VERNI_DCRX1_FCCNT_REG_ADDR 0x3404 0
38 VERNI_DCRX1_DROPCNT_REG_ADDR 0x3424 0
39 VERNI_DCRX2_DROPCNT_REG_ADDR 0x3408 0
40 VERNI_DCRX3_DROPCNT_REG_ADDR 0x340c 0
41 VERNI_DCRX4_FCCNT_REG_ADDR 0x3410 0
42 VERNI_DCRX4_DROPCNT_REG_ADDR 0x3428 0
43 VERNI_DCRX5_FCCNT_REG_ADDR 0x3414 0
44 VERNI_DCRX5_DROPCNT_REG_ADDR 0x342c 0
45 VERNI_DCRX6_DROPCNT_REG_ADDR 0x3418 0
46 VERNI_DCRX7_DROPCNT_REG_ADDR 0x341c 0
47 VERNI_DCTX0_BYTCNT_L_REG_ADDR 0x4104 0
48 VERNI_DCTX0_BYTCNT_H_REG_ADDR 0x4100 0
49 VERNI_DCTX1_BYTCNT_L_REG_ADDR 0x4114 29588774
50 VERNI_DCTX1_BYTCNT_H_REG_ADDR 0x4110 0
51 VERNI_DCTX2_BYTCNT_L_REG_ADDR 0x4124 15457403
52 VERNI_DCTX2_BYTCNT_H_REG_ADDR 0x4120 0
53 VERNI_DCTX3_BYTCNT_L_REG_ADDR 0x4134 0
54 VERNI_DCTX3_BYTCNT_H_REG_ADDR 0x4130 0
55 VERNI_DCTX4_BYTCNT_L_REG_ADDR 0x4144 0
56 VERNI_DCTX4_BYTCNT_H_REG_ADDR 0x4140 0
57 VERNI_DCTX5_BYTCNT_L_REG_ADDR 0x4154 7139354
58 VERNI_DCTX5_BYTCNT_H_REG_ADDR 0x4150 0
59 VERNI_DCTX6_BYTCNT_L_REG_ADDR 0x4164 82
60 VERNI_DCTX6_BYTCNT_H_REG_ADDR 0x4160 0
61 VERNI_DCTX7_BYTCNT_L_REG_ADDR 0x4174 0
62 VERNI_DCTX7_BYTCNT_H_REG_ADDR 0x4170 0
63 VERNI_DCTX0_PKTCNT_REG_ADDR 0x4200 0
64 VERNI_DCTX1_PKTCNT_REG_ADDR 0x4204 345107
65 VERNI_DCTX2_PKTCNT_REG_ADDR 0x4208 150138
66 VERNI_DCTX3_PKTCNT_REG_ADDR 0x420c 0
67 VERNI_DCTX4_PKTCNT_REG_ADDR 0x4210 0
68 VERNI_DCTX5_PKTCNT_REG_ADDR 0x4214 77580
69 VERNI_DCTX6_PKTCNT_REG_ADDR 0x4218 1
70 VERNI_DCTX7_PKTCNT_REG_ADDR 0x421c 0
71 VERNI_DCTX0_EPKTCNT_REG_ADDR 0x4300 0
72 VERNI_DCTX1_EPKTCNT_REG_ADDR 0x4304 0
73 VERNI_DCTX2_EPKTCNT_REG_ADDR 0x4308 0
74 VERNI_DCTX3_EPKTCNT_REG_ADDR 0x430c 0
75 VERNI_DCTX4_EPKTCNT_REG_ADDR 0x4310 0
76 VERNI_DCTX5_EPKTCNT_REG_ADDR 0x4314 0
77 VERNI_DCTX6_EPKTCNT_REG_ADDR 0x4318 0
78 VERNI_DCTX7_EPKTCNT_REG_ADDR 0x431c 0
79 VERNI_DCTX0_CRCECNT_REG_ADDR 0x4400 0
80 VERNI_DCTX1_CRCECNT_REG_ADDR 0x4404 0
81 VERNI_DCTX2_CRCECNT_REG_ADDR 0x4408 0
82 VERNI_DCTX3_CRCECNT_REG_ADDR 0x440c 0
83 VERNI_DCTX4_CRCECNT_REG_ADDR 0x4410 0
84 VERNI_DCTX5_CRCECNT_REG_ADDR 0x4414 0
85 VERNI_DCTX6_CRCECNT_REG_ADDR 0x4418 0
86 VERNI_DCTX7_CRCECNT_REG_ADDR 0x441c 0
87 VERNI_SOP_ILL_CNT_REG_ADDR 0x4420 0
88 VERNI_SNKCH0_BYTCNT_L_REG_ADDR 0x5104 0
89 VERNI_SNKCH0_BYTCNT_H_REG_ADDR 0x5100 0
90 VERNI_SNKCH1_BYTCNT_L_REG_ADDR 0x5114 29589286
91 VERNI_SNKCH1_BYTCNT_H_REG_ADDR 0x5110 0
92 VERNI_SNKCH2_BYTCNT_L_REG_ADDR 0x5124 15466363
93 VERNI_SNKCH2_BYTCNT_H_REG_ADDR 0x5120 0
94 VERNI_SNKCH3_BYTCNT_L_REG_ADDR 0x5134 0
95 VERNI_SNKCH3_BYTCNT_H_REG_ADDR 0x5130 0
96 VERNI_SNKCH4_BYTCNT_L_REG_ADDR 0x5144 0
97 VERNI_SNKCH4_BYTCNT_H_REG_ADDR 0x5140 0
98 VERNI_SNKCH5_BYTCNT_L_REG_ADDR 0x5154 7141402
99 VERNI_SNKCH5_BYTCNT_H_REG_ADDR 0x5150 0
100 VERNI_SNKCH6_BYTCNT_L_REG_ADDR 0x5164 82
101 VERNI_SNKCH6_BYTCNT_H_REG_ADDR 0x5160 0
102 VERNI_SNKCH7_BYTCNT_L_REG_ADDR 0x5174 0
103 VERNI_SNKCH7_BYTCNT_H_REG_ADDR 0x5170 0
104 VERNI_SNKCH0_PKTCNT_REG_ADDR 0x5200 0
105 VERNI_SNKCH1_PKTCNT_REG_ADDR 0x5210 345107
106 VERNI_SNKCH2_PKTCNT_REG_ADDR 0x5220 150138
107 VERNI_SNKCH3_PKTCNT_REG_ADDR 0x5230 0
108 VERNI_SNKCH4_PKTCNT_REG_ADDR 0x5240 0
109 VERNI_SNKCH5_PKTCNT_REG_ADDR 0x5250 75532
110 VERNI_SNKCH6_PKTCNT_REG_ADDR 0x5260 1
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 1 CLI Commands
Exec Mode Commands
111 VERNI_SNKCH7_PKTCNT_REG_ADDR 0x5270 0
112 VERNI_SNKCH0_EPKTCNT_REG_ADDR 0x5300 0
113 VERNI_SNKCH1_EPKTCNT_REG_ADDR 0x5310 0
114 VERNI_SNKCH2_EPKTCNT_REG_ADDR 0x5320 0
115 VERNI_SNKCH3_EPKTCNT_REG_ADDR 0x5330 0
116 VERNI_SNKCH4_EPKTCNT_REG_ADDR 0x5340 0
117 VERNI_SNKCH5_EPKTCNT_REG_ADDR 0x5350 0
118 VERNI_SNKCH6_EPKTCNT_REG_ADDR 0x5360 0
119 VERNI_SNKCH7_EPKTCNT_REG_ADDR 0x5370 0
120 VERNI_SNK_GERRCNT_REG_ADDR 0x5400 0
121 VERNI_SRCCH0_BYTCNT_L_REG_ADDR 0x6104 0
122 VERNI_SRCCH0_BYTCNT_H_REG_ADDR 0x6100 0
123 VERNI_SRCCH1_BYTCNT_L_REG_ADDR 0x6114 26857913
124 VERNI_SRCCH1_BYTCNT_H_REG_ADDR 0x6110 0
125 VERNI_SRCCH2_BYTCNT_L_REG_ADDR 0x6124 2984065605
126 VERNI_SRCCH2_BYTCNT_H_REG_ADDR 0x6120 0
127 VERNI_SRCCH3_BYTCNT_L_REG_ADDR 0x6134 0
128 VERNI_SRCCH3_BYTCNT_H_REG_ADDR 0x6130 0
129 VERNI_SRCCH4_BYTCNT_L_REG_ADDR 0x6144 0
130 VERNI_SRCCH4_BYTCNT_H_REG_ADDR 0x6140 0
131 VERNI_SRCCH5_BYTCNT_L_REG_ADDR 0x6154 10182426
132 VERNI_SRCCH5_BYTCNT_H_REG_ADDR 0x6150 0
133 VERNI_SRCCH6_BYTCNT_L_REG_ADDR 0x6164 461907
134 VERNI_SRCCH6_BYTCNT_H_REG_ADDR 0x6160 0
135 VERNI_SRCCH7_BYTCNT_L_REG_ADDR 0x6174 0
136 VERNI_SRCCH7_BYTCNT_H_REG_ADDR 0x6170 0
137 VERNI_SRCCH0_PKTCNT_REG_ADDR 0x6200 0
138 VERNI_SRCCH1_PKTCNT_REG_ADDR 0x6210 270400
139 VERNI_SRCCH2_PKTCNT_REG_ADDR 0x6220 33181387
140 VERNI_SRCCH3_PKTCNT_REG_ADDR 0x6230 0
141 VERNI_SRCCH4_PKTCNT_REG_ADDR 0x6240 0
142 VERNI_SRCCH5_PKTCNT_REG_ADDR 0x6250 120311
143 VERNI_SRCCH6_PKTCNT_REG_ADDR 0x6260 4946
144 VERNI_SRCCH7_PKTCNT_REG_ADDR 0x6270 0
145 VERNI_SRCCH0_EPKTCNT_REG_ADDR 0x6300 0
146 VERNI_SRCCH1_EPKTCNT_REG_ADDR 0x6310 0
147 VERNI_SRCCH2_EPKTCNT_REG_ADDR 0x6320 0
148 VERNI_SRCCH3_EPKTCNT_REG_ADDR 0x6330 0
149 VERNI_SRCCH4_EPKTCNT_REG_ADDR 0x6340 0
150 VERNI_SRCCH5_EPKTCNT_REG_ADDR 0x6350 0
151 VERNI_SRCCH6_EPKTCNT_REG_ADDR 0x6360 0
152 VERNI_SRCCH7_EPKTCNT_REG_ADDR 0x6370 0
153 CH0_OCTEON_FLOWCTRL_CNT_REG_ADDR 0x6400 8
154 CH1_OCTEON_FLOWCTRL_CNT_REG_ADDR 0x6410 0
155 CH2_OCTEON_FLOWCTRL_CNT_REG_ADDR 0x6420 0
156 CH3_OCTEON_FLOWCTRL_CNT_REG_ADDR 0x6430 0
157 CH4_OCTEON_FLOWCTRL_CNT_REG_ADDR 0x6440 0
158 CH5_OCTEON_FLOWCTRL_CNT_REG_ADDR 0x6450 0
159 CH6_OCTEON_FLOWCTRL_CNT_REG_ADDR 0x6460 0
160 CH7_OCTEON_FLOWCTRL_CNT_REG_ADDR 0x6470 0
Related Commands set dc
clear dc
show debug
To display the debug flags, use the show debug command.
show debug {aaa | access-list | arpmgr | ascii-cfg | bpdu | buffer | cfg_cntlr | cfgmgr | clock | dhcp
| fifo | fm | fs-daemon | ha_dp_mgr | ha_mgr | hm | ifmgr | ipcp | lcp | ldap | license | logfile
| nat-download | netio | pfmgr | pktcap | radius | routemgr | scp | security | sme | snmp | ssl
| syslogd | system | tacacs+ | tl | ttyd | virtualization | vnet | vshd} [|] [>]
Syntax Description aaa Displays the AAA debug flags.
access-list Displays the access-list debug flags.
arpmgr Displays the Address Resolution Protocol (ARP) manager debug flags.
ascii-cfg Displays the ASCII cfg debug flags.
bpdu Displays the bridge protocol data unit (BPDU) debug flags.
buffer Displays the CP buffer debug flags.
cfg_cntlr Displays the configuration controller debug flags.
cfgmgr Displays the configuration manager debug flags.
clock (ACE module only) Displays the state of clock debug settings.
dhcp Displays the Dynamic Host Configuration Protocol (DHCP) debug flags.
fifo Displays the packet first in, first out (FIFO) debug flags.
fm Displays the feature manager debug flags.
fs-daemon Displays the FS daemon debug flags.
ha_dp_mgr Displays the high availability (HA) dataplane manager debug flags.
ha_mgr Displays the HA manager debug flags.
hm Displays the HM debug flags.
ifmgr Displays the interface manager debug flags.
ipcp Displays the kernel IP Control Protocol (IPCP) debug flags.
lcp (ACE module only) Displays the LCP debug flags.
ldap Displays the Lightweight Directory Access Protocol (LDAP) debug flags.
license Displays the licensing debug flags.
logfile Displays the contents of the logfile.
nat-download Displays the Network Address Translation (NAT) download debug flags.
netio Displays the CP net I/O debug flags.
pfmgr Displays the platform manager debug flags.
pktcap Displays the packet capture debug flags.
radius Displays the Remote Authentication Dial-In User Service (RADIUS) debug flags.
routemgr Displays the route manager debug flags.
scp (ACE module only) Displays the Secure Copy Protocol (SCP) debug flags.
security Displays the security/accounting debug flags.
sme Displays the System Manager Extension (SME) debug flags.
snmp Displays the Simple Network Management Protocol (SNMP) server debug flags.
ssl Displays the Secure Sockets Layer (SSL) manager debug flags.
syslogd Displays the syslogd debug flags.
system Displays the system debug flags.
tacacs+ Displays the Terminal Access Controller Access Control System Plus (TACACS+) debug flags.
tl Displays the CP buffer debug flags.
ttyd Displays the TTYD debug flags.
virtualization Displays the virtualization debug flags.
vnet Displays the virtual network (VNET) driver debug flags.
vshd Displays the VSHD debug flags.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the debug feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE debug commands are intended for use by trained Cisco personnel only. Entering these commands may cause unexpected results. Do not attempt to use these commands without guidance from Cisco support personnel.
Examples To display the VSHD debug flags, enter:
host1/Admin# show debug vshd
Related Commands debug
clear debug-logfile
show domain
To display the information about the configured domains in the ACE, use the show domain command.
show domain [name] [|] [>]
Syntax Description name (Optional) Name of an existing context domain. Specify a domain name to display the detailed configuration report that relates to the specified domain.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To display the complete domain configuration report that lists all of the configured domains, enter the show domain command without including the name argument.
For information about the fields in the show domain command output, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To display the domain configuration report for the domain D1, enter:
host1/Admin# show domain D1
Related Commands (config) domain
show download information
To display the state of the configuration download for each interface on the context, use the show download information command.
show download information [all] [summary] [|] [>]
Syntax Description all Displays the configuration download status for all interfaces on all contexts (Admin context only).
summary Displays the summary status of the download information for the context. When you include the all option with the summary option, this command displays the download summary status for all contexts.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context for the all option.
Command History
ACE Module Release Modification
A2(3.0) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.7) only This command displays the regex download optimization status, enabled or disabled through the debug cfgmgr limit-regex-dnld command.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If no option is included with this command, the status information for all interfaces in the current context is displayed.
You can execute the show download information command to monitor the progress of the download. When you apply changes to a configuration file, the ACE downloads the configuration to its data plane. When you perform incremental changes, such as copying and pasting commands in a configuration, the ACE immediately performs the configuration download and does not display any terminal messages at the start or end of the download.
However, in the following situations, the ACE defers the configuration download until the entire configuration is applied to the context:
• The startup configuration at boot time
• Copying of the configuration to the running-config file
• A checkpoint rollback
We recommend that you do not execute any configuration commands during the deferred download. The ACE does not deny you from entering configuration changes, but the changes will not occur until the download is completed. If the command times out during the download, the following message appears:
Config application in progress. This command is queued to the system.
The ACE does not queue the command immediately; however, the ACE processes and executes the command when the download is completed even if the command times out.
Examples To display the configuration download status for all contexts, enter:
host1/Admin# show download information all
Related Commands This command has no related commands.
show eobc
(ACE module only) To display the Ethernet Out-of-Band Channel (EOBC) registers and statistics on the ACE, use the show eobc command.
show eobc {registers | stats} [|] [>]
Syntax Description registers Displays the EOBC registers.
stats Displays the EOBC statistics.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
A2(2.3) This command was introduced.
A2(3.1) This command was introduced.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To display the EOBC statistics, enter:
host1/Admin# show eobc stats
Related Commands This command has no related commands.
show fifo
To display the packet first in, first out (FIFO) statistics for the Pkt-Fifo module, use the show fifo command.
show fifo {event-history | registers | stats} [|] [>]
Syntax Description event-history Displays a historic log of the most recent debug messages generated by the Pkt-Fifo module.
registers Displays the state of all the registers associated with the transmit and receive hardware engines.
stats Displays detailed counters for the various Pkt-Fifo module event occurrences.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
3.0(0)A1(5) Interrupt statistics were added to the output of the stats keyword.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To display the control plane packet FIFO registers, enter:
host1/Admin# show fifo registers
Related Commands clear fifo stats
show file
To display the contents of a specified file in a directory in persistent memory (flash memory) or volatile memory (RAM), use the show file command.
show file {disk0: | volatile:}[directory/]filename [cksum | md5sum] [|] [>]
Syntax Description disk0: Specifies the disk0 file system in persistent memory.
volatile: Specifies the file system in volatile memory.
[directory/]filename Path and name of the specified file.
cksum (Optional) Displays the cyclic redundancy check (CRC) checksum for the file. The checksum value is a CRC computed over the named file. Use this option to verify that the file is not corrupted: compare the checksum output for the received file against the checksum output for the original file.
md5sum (Optional) Displays the MD5 checksum (electronic fingerprint) for the file. MD5 is the latest implementation of the Internet standards described in RFC 1321 and is useful for data security and integrity.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show file command output, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To display the contents of the file FILE1 stored in the directory MYFILES in disk0:, enter:
host1/Admin# show file disk0:MYFILES/FILE1
Related Commands dir
clear cores
delete
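The cksum and md5sum options above only help if the operator actually performs the comparison against a copy of known provenance. The following Python script is an added example, not part of this Cisco reference, showing that comparison for a file copied off the ACE. It assumes that the value printed by show file ... cksum is the POSIX cksum CRC (decimal) and that show file ... md5sum prints a 32-hex-digit MD5 digest; both are assumptions about the ACE output format, and the sample configuration bytes are constructed for the demonstration.

```python
"""Verify a file copied off an ACE against the digest reported by
`show file ... cksum` or `show file ... md5sum`.

Added example, not Cisco code. Assumptions: the ACE cksum value is the
POSIX cksum CRC (decimal) and the md5sum value is a hex MD5 digest.
"""
import hashlib
import hmac
from pathlib import Path

# POSIX cksum: CRC-32 with polynomial 0x04C11DB7, not bit-reflected, the
# byte length of the input appended least-significant byte first, then a
# final one's complement.
def _build_crc_table() -> list:
    table = []
    for i in range(256):
        crc = i << 24
        for _ in range(8):
            if crc & 0x80000000:
                crc = ((crc << 1) ^ 0x04C11DB7) & 0xFFFFFFFF
            else:
                crc = (crc << 1) & 0xFFFFFFFF
        table.append(crc)
    return table


_CRC_TABLE = _build_crc_table()


def posix_cksum(data: bytes) -> int:
    """Return the POSIX cksum CRC of data (the same value `cksum` prints)."""
    crc = 0
    for byte in data:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _CRC_TABLE[((crc >> 24) ^ byte) & 0xFF]
    length = len(data)
    while length:  # the length bytes are part of the checksummed stream
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _CRC_TABLE[((crc >> 24) ^ (length & 0xFF)) & 0xFF]
        length >>= 8
    return (~crc) & 0xFFFFFFFF


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_bytes(data: bytes, reported: str, algorithm: str) -> dict:
    """Compare the local copy against the digest the device printed.

    CRC and MD5 detect accidental corruption in transit. Neither proves the
    file was not deliberately replaced, so the expected digest must come from
    a trusted source (e.g. the original file), not from the same channel.
    """
    reported = reported.strip().lower()
    if algorithm == "md5sum":
        local = md5_hex(data)
        match = hmac.compare_digest(local, reported)
    elif algorithm == "cksum":
        local = str(posix_cksum(data))
        match = local == reported
    else:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return {"algorithm": algorithm, "local": local, "reported": reported, "match": match}


def verify_file(path: str, reported: str, algorithm: str) -> dict:
    """Same check for a file on disk (the copy retrieved from the ACE)."""
    return verify_bytes(Path(path).read_bytes(), reported, algorithm)


if __name__ == "__main__":
    # Constructed sample standing in for disk0:MYFILES/FILE1 after copying.
    sample = b"hostname host1\ninterface vlan 210\n  ip address 192.0.2.1 255.255.255.0\n"
    print("local cksum :", posix_cksum(sample))
    print("local md5sum:", md5_hex(sample))
    # In practice the second argument is the value printed by the ACE.
    result = verify_bytes(sample, md5_hex(sample), "md5sum")
    print("match:", result["match"])
```

Run it against the retrieved file with verify_file("FILE1", "<value from show file ... md5sum>", "md5sum") and treat a False result as a reason to re-transfer, not to proceed.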
show fragment
To display the IPv4 and IPv6 fragmentation and reassembly statistics for all interfaces in the ACE or the specified interface, use the show fragment command.
show fragment [vlan vlan_id] [|] [>]
Syntax Description vlan vlan_id (Optional) Specifies an existing interface.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If you omit the optional vlan vlan_id keyword and argument, the command displays statistics for all interfaces in the ACE.
For information about the fields in the show fragment command output, see the Security Guide, Cisco ACE Application Control Engine.
Examples To display the IPv4 and IPv6 fragmentation and reassembly statistics for VLAN 210, enter:
host1/Admin# show fragment vlan 210
Related Commands show vlans
show ft
To display the fault-tolerant (ft), or redundancy, statistics per context, use the show ft command.
show ft {config-error [context_name]} | {group {brief | {[group_id] {detail | status |
summary}}}} | {history {cfg_cntlr | ha_dp_mgr | ha_mgr}} | {idmap} | {memory [detail]}
| {peer peer_id {detail | status | summary}} | {stats group_id} | {track group_id {detail |
status | summary}} [|] [>]
Syntax Description config-error
[context_name]
Displays the commands that fail on the standby ACE during bulk synchronization
in a redundant configuration. If all commands succeed on the standby ACE, the
command displays the following message:
No bulk config apply errors
In the Admin context, the optional context_name argument is the name of a user
context. If you do not enter the argument, the command uses the Admin context. In
a user context, this argument is not available.
group group_id Displays FT group statistics for the specified FT group. In the Admin context, this
keyword displays statistics for all FT groups in the ACE. Also, in the Admin
context, you can specify an FT group number to display statistics for an individual
group. In a user context, this keyword displays statistics only for the FT group to
which the user context belongs.
brief Displays the group ID, local state, peer state, context name, context ID of all the FT
groups that are configured in the ACE, and the configuration synchronization status.
detail Displays detailed information for the specified FT group or peer, including the
configuration synchronization status of the running- and the startup-configuration
files.
status Displays the current operating status for the specified FT group or peer.
summary Displays summary information for the specified FT group or peer.
history Displays a history of internal redundancy software statistics (Admin context only).
cfg_cntlr Displays the configuration controller debug log.
ha_dp_mgr Displays the high availability (HA) dataplane manager debug log.
ha_mgr Displays the HA manager debug log.
idmap Displays the IDMAP table for all object types. In a redundancy configuration, the
IDMAP table is used to map objects between the active and the standby ACEs for
use in config sync and state replication.
memory [detail] Displays summary HA manager memory statistics or optional detailed HA manager
memory statistics (Admin context only).
peer peer_id Specifies the identifier of the remote standby member of the FT group.
stats group_id Displays redundancy statistics for the specified FT group.
track group_id Displays redundancy statistics related to tracked items for all FT groups.
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for filtering
the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects
the command output to a file. For a complete description of the options available for
redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
3.0(0)A1(5) The brief and idmap keywords were added to this command. The status of config sync was added to the output of the detail keyword.
A2(2.1) The config-error keyword and context_name option were added to this command.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.2) The config-error keyword and context_name option were added to this command.
A3(2.6) The show ft {history | memory} command is now available to users configured with a custom role in both the Admin context and a user-configured context, as well as the predefined Admin and Network-Monitor roles. See the “Usage Guidelines” section for more information.
A4(1.0) The brief and detail options were added to the show ft group command.
Usage Guidelines This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The show ft {history | memory} command is available to users configured with a custom role in both the Admin context and a user-configured context, as well as the predefined Admin and Network-Monitor roles. Because these commands are not context specific, we recommend that you issue them from the Admin context only. If you issue these commands in a user context, they may not display any data if other user context information could be displayed.
For detailed information about the fields in the show ft command output, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To display the detailed statistics for FT group GROUP1, enter:
host1/Admin# show ft group GROUP1 detail
Related Commands clear ft
(config) ft auto-sync
(config) ft group
(config) ft interface vlan
(config) ft peer
(config) ft track host
(ACE module only) (config) ft track hsrp
(config) ft track interface
show hardware
To display the ACE hardware details, such as the serial number and the hardware revision level of the ACE and the ACE module daughter card, use the show hardware command.
show hardware [|] [>]
Syntax Description | (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) Added daughter card information.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show hardware command output, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To display ACE hardware information, enter:
host1/Admin# show hardware
Related Commands show inventory
show tech-support
show hyp
(ACE module only) To display the Hyperion backplane ASIC register values and statistics, use the show hyp command.
show hyp [reg reg_number | stats] [|] [>]
Syntax Description reg reg_number (Optional) Displays the specified Hyperion backplane ASIC register values. Enter a hexadecimal value from 0x0 to 0x6db.
stats (Optional) Displays the Hyperion backplane ASIC statistics.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To display the Hyperion backplane ASIC statistics, enter:
host1/Admin# show hyp stats
Related Commands This command has no related commands.
show icmp statistics
To display the Internet Control Message Protocol (ICMP) statistics, use the show icmp statistics command.
show icmp statistics [|] [>]
Syntax Description | (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Use the clear icmp statistics command to clear the ICMP statistics.
For information about the fields in the show icmp statistics command output, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To display ICMP statistics, enter:
host1/Admin# show icmp statistics
Related Commands clear icmp statistics
show interface
To display the interface information, use the show interface command.
show interface [bvi number | eobc | gigabitEthernet slot_number/port_number [counters] | internal {event-history {dbg | mts} | iftable [name] | port-vlantable | seciptable | vlantable [number]} | port-channel channel_number | vlan number] [|] [>]
Syntax Description bvi number (Optional) Displays the information for the specified Bridge Group Virtual Interface
(BVI).
eobc (Optional, ACE module only) Displays the interface information for the Ethernet
Out-of-Band channel (EOBC).
gigabitEthernet slot_number/port_number (Optional, ACE appliance only) Displays the statistics for the specified gigabit Ethernet slot and port.
• The slot_number represents the physical slot on the ACE containing the
Ethernet ports. This selection is always 1.
• The port_number represents the physical Ethernet port on the ACE. Valid
selections are 1 through 4.
This keyword is available in the Admin context only.
counters (ACE appliance only) Displays a summary of interface counters for the specified
Ethernet data port related to the receive and transmit queues.
internal (Optional) Displays the internal interface manager tables and events.
event-history Displays event history information.
dbg Displays debug history information.
mts Displays message history information.
iftable Displays the master interface table (Admin context only).
name (Optional) Interface table name. If you specify an interface table name, the ACE
displays the table information for that interface.
port-vlantable (Optional, ACE appliance only) Displays the Ethernet port manager VLAN table.
seciptable Displays the interface manager's (ifmgr) view of a logical interface, including all of the secondary IP addresses configured under the interface.
vlantable Displays the VLAN table (Admin context only).
number (Optional) VLAN number. If you specify an interface number, the ACE displays the
table information for that interface.
port-channel channel_number (Optional, ACE appliance only) Displays the channel number assigned to a port-channel interface. Valid values are from 1 to 255. This keyword is available in the Admin context only.
vlan number (Optional) Displays the statistics for the specified VLAN.
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for filtering the
command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects
the command output to a file. For a complete description of the options available for
redirecting the command output, see the show command.
Command Modes Exec
BVI and VLAN interface—Admin and user contexts
(ACE appliance only) Ethernet data port, Ethernet management port, and port-channel interface—Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(3.1) Added the seciptable option.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.5) The command output includes the reason for an UP transition, the timestamp for the last change, the number of transitions since creation, and the last three previous states including the timestamp and the transition reasons.
If you do not configure a load-balance scheme on the interface, the load-balance scheme field through the port-channel option displays src-dst-mac, which is the default load-balance scheme on the source or destination MAC address.
A4(1.0) Added the seciptable option.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
(ACE appliance only) In addition, the Ethernet data port, Ethernet management port, and port-channel interface command functions require the Admin user role.
(ACE appliance only) You can configure flow control on each Ethernet port of a Catalyst 6500 series switch. However, the ACE does not support flow control. If you connect an ACE to a Catalyst 6500 series switch, the flow control functionality is disabled on the ACE. The output of the show interface gigabitEthernet command on the ACE displays the “input flow-control is off, output flow control is off” flow-control status line regardless of the state of flow control on the Catalyst 6500 series switch port to which the ACE is connected.
To display all of the interface statistical information, enter the show interface command without using any of the optional keywords.
The internal keyword and options are intended for use by trained Cisco personnel for troubleshooting purposes only.
For information about the fields in the show interface command output, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
Examples To display all of the interface statistical information, enter:
host1/Admin# show interface
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 1 CLI Commands
Exec Mode Commands
ACE Appliance Example
To view the configuration status for Ethernet data port 4, enter:
host1/Admin# show interface gigabitEthernet 1/4
Related Commands clear interface
show inventory
To display the system hardware inventory, use the show inventory command.
show inventory [raw] [|] [>]
Syntax Description
raw (Optional) Displays the hardware inventory report and information about each temperature sensor in the ACE.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Use the show inventory command to display information about the field-replaceable units (FRUs) in the ACE, including product IDs, serial numbers, and version IDs.
If you do not include the raw keyword, the ACE displays the hardware inventory report only.
For information about the fields in the show inventory command output, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To display the hardware inventory report, enter:
host1/Admin# show inventory
To display the hardware inventory report and information about each temperature sensor, enter:
host1/Admin# show inventory raw
Related Commands show hardware
show ip
To display the IP statistics, use the show ip command.
show ip {dhcp relay {conf | information policy | statistics} | fib [np number dest-ip ip_address | summary | wr dest-ip ip_address] | interface brief {[bvi | gigabitEthernet | port-channel | vlan] number} | route [summary | internal {event-history dbg | memory}] | traffic} [|] [>]
Syntax Description
dhcp relay Specifies the Dynamic Host Configuration Protocol (DHCP) relay configuration information.
conf Displays the DHCP relay configuration information.
information policy Displays the relay agent information and the reforwarding policy status.
statistics Displays the DHCP relay statistics.
fib Displays the Forwarding Information Base (FIB) table for the context. This table contains the information that the forwarding processors require to make IP forwarding decisions. It is derived from the route and ARP tables.
np number dest-ip ip_address (Optional) Displays the FIB information for a destination address on the specified ACE NP (network processor). For the number argument:
• For the ACE module, enter an integer from 1 to 4.
• For the ACE appliance, enter 1.
For the ip_address argument, enter the IPv4 address in dotted-decimal notation (for example, 172.27.16.10).
summary (Optional) Displays the FIB table or route summary for the current context.
wr dest-ip ip_address (Optional) Displays the FIB information for the specified wire region (0 only) and destination IP address. Enter the IPv4 address in dotted-decimal notation (for example, 172.27.16.10).
interface brief Displays a brief configuration and status summary of all interfaces, a specified bridge group virtual interface (BVI), or a virtual LAN (VLAN), including the interface number, IP address, status, and protocol.
bvi Displays the information for a specified BVI.
gigabitEthernet Displays the information for an existing gigabit Ethernet (GE) port. Enter 1.
port-channel Displays the information for an existing port-channel.
vlan Displays the statistics for a specified VLAN number.
number Number of the existing BVI, gigabit Ethernet (GE) port, port-channel, or VLAN. For a BVI, enter an integer from 1 to 4090. For a GE port, enter 1. For a port channel, enter an integer from 1 to 255. For a VLAN, enter an integer from 2 to 4090.
route Displays the route entries.
internal (Optional) Specifies the internal route entries.
event-history dbg Displays the event history statistics.
memory Displays the mtrack output statistics.
traffic Displays the IPv4 and IPv6 protocol statistics.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) Added the interface brief and related keywords.
A5(1.0) Added IPv6 support for the traffic keyword.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) Added the interface brief and related keywords.
A3(2.5) Added the gigabitEthernet and port-channel keywords. The interface brief option displays the hardware interfaces along with the logical interfaces and also supports the individual output of each physical interface. For FT interfaces, (ft) appears after the VLAN ID in the output. This change applies only in the Admin context.
A5(1.0) Added IPv6 support for the traffic keyword.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The internal and fib keywords and their options are intended for use by trained Cisco personnel for troubleshooting purposes only.
For information about the fields in the show ip command output, see the Security Guide, Cisco ACE Application Control Engine and the Routing and Bridging Guide, Cisco ACE Application Control Engine.
Examples To display all IP route entries, enter:
host1/Admin# show ip route
Related Commands clear ip
show ipcp
To display the Interprocess Communication Protocol (IPCP) statistics, use the show ipcp command. The ACE module uses the Interprocess Communication Protocol for communication between the control plane processor and the data plane processors.
show ipcp {cde | clients | event-history | peek_poke} [|] [>]
Syntax Description
cde Displays the following statistics:
• ACE module—IPCP messages that were sent over the classification and distribution engine (CDE) interface.
• ACE appliance—IPCP statistical information.
clients Displays the following statistics:
• ACE module—IPCP statistics of the service access points (SAPs).
• ACE appliance—IPCP message queue information.
event-history Displays the following statistics:
• ACE module—History of error messages (usually none) in the IPCP driver.
• ACE appliance—IPCP event history information.
peek_poke Displays the following statistics:
• ACE module—Statistics of the special queue that is used to read from or write to the network processor or the control plane processor memory from the control plane.
• ACE appliance—IPCP peek poke message queue information.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) The pci option was removed.
Usage Guidelines This command requires the Admin role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To display IPCP statistics for the CDE interface, enter the following command:
host1/Admin# show ipcp cde
Related Commands This command has no related commands.
show ipv6
To display the IPv6 statistics, use the show ipv6 command.
show ipv6 {dhcp relay [statistics] | fib [np number dest-ip ip_address | summary | wr dest-ip ip_address] | interface [brief] [[bvi | vlan] number] | neighbors | route [summary | internal ktable]} [|] [>]
Syntax Description
dhcp relay Specifies the Dynamic Host Configuration Protocol (DHCP) relay configuration information.
statistics (Optional) Displays the DHCP relay statistics.
fib Displays the Forwarding Information Base (FIB) table for the context. This table contains the information that the forwarding processors require to make IP forwarding decisions. It is derived from the route and ARP tables.
np number dest-ip ip_address (Optional) Displays the FIB information for a destination address on the specified ACE NP (network processor). For the number argument:
• For the ACE module, enter an integer from 1 to 4.
• For the ACE appliance, enter 1.
For the ip_address argument, enter the IP address in dotted-decimal notation (for example, 172.27.16.10).
summary (Optional) Displays the FIB table or route summary for the current context.
wr dest-ip ip_address (Optional) Displays the FIB information for the specified wire region (0 only) and destination IP address. Enter the IP address in dotted-decimal notation (for example, 172.27.16.10).
interface Displays the configuration and status of all interfaces, including the interface number, IP address, status, and protocol.
brief (Optional) Displays a brief configuration and status summary of all interfaces, a specified bridge group virtual interface (BVI), or a virtual LAN (VLAN), including the interface number, IP address, status, and protocol.
bvi Displays the configuration and status information for a specified BVI.
vlan Displays the configuration and status information for a specified VLAN number.
number Number of the existing BVI, gigabit Ethernet (GE) port, port-channel, or VLAN. For a BVI, enter an integer from 1 to 4090. For a GE port, enter 1. For a port channel, enter an integer from 1 to 255. For a VLAN, enter an integer from 2 to 4090.
neighbors Displays information about the IPv6 neighbors, including the IPv6 address, MAC address, status (Up or Down), and more.
route Displays the route entries.
internal (Optional) Specifies the internal route entries.
ktable Displays the IPv6 kernel route table entries.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) Added the interface brief and related keywords.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) Added the interface brief and related keywords.
A3(2.5) Added the gigabitEthernet and port-channel keywords. The interface brief option displays the hardware interfaces along with the logical interfaces and also supports the individual output of each physical interface. For FT interfaces, (ft) appears after the VLAN ID in the output. This change applies only in the Admin context.
A5(1.0) Added IPv6 support.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The internal and fib keywords and their options are intended for use by trained Cisco personnel for troubleshooting purposes only.
For information about the fields in the show ipv6 command output, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
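The fib keyword of both show ip and show ipv6 (described above) exposes a table that the forwarding processors build from the route table and the ARP or neighbor table and then consult by longest-prefix match. The following Python script is an added example of that derivation; it is not code from the ACE or from Cisco, and the route table, ARP/neighbor table, interface names and addresses in it are constructed for the example. It builds the FIB for IPv4 and IPv6 prefixes, resolves a destination to an egress interface and next-hop MAC, and reports the case a practitioner usually ends up chasing: a route exists but its next hop has no link-layer entry, so nothing can be forwarded yet.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample route table: (prefix, next hop or None for a directly
# connected network, egress interface). Names and addresses are made up.
ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "vlan100"),
    ("192.168.1.0/24", None, "vlan100"),
    ("10.0.0.0/8", "192.168.1.254", "vlan100"),
    ("10.1.0.0/16", "192.168.2.1", "vlan200"),   # next hop deliberately absent from ARP
    ("::/0", "2001:db8:1::1", "vlan100"),
    ("2001:db8:1::/64", None, "vlan100"),
]

# Constructed sample ARP / IPv6 neighbor table: address -> MAC address.
ARP = {
    "192.168.1.1": "00:11:22:33:44:01",
    "192.168.1.254": "00:11:22:33:44:fe",
    "192.168.1.10": "00:11:22:33:44:0a",
    "2001:db8:1::1": "00:11:22:33:44:a1",
}

@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    next_hop: Optional[ipaddress.IPv4Address | ipaddress.IPv6Address]  # None = connected
    interface: str
    next_hop_mac: Optional[str]  # None when the next hop has no ARP/ND entry

def normalize_arp(arp_table: dict) -> dict:
    """Key the ARP/neighbor table by canonical address text so that a lookup
    does not depend on how an address was spelled (2001:DB8::1 vs 2001:db8::1)."""
    return {str(ipaddress.ip_address(k)): v for k, v in arp_table.items()}

def build_fib(routes, arp_table) -> list[FibEntry]:
    """Derive a FIB from the route table and the ARP/neighbor table.
    Entries are ordered most-specific first so that a lookup can stop at the
    first covering prefix (longest-prefix match)."""
    arp = normalize_arp(arp_table)
    fib = []
    for prefix, nh, ifname in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        nh_addr = ipaddress.ip_address(nh) if nh is not None else None
        mac = arp.get(str(nh_addr)) if nh_addr is not None else None
        fib.append(FibEntry(net, nh_addr, ifname, mac))
    fib.sort(key=lambda e: (e.prefix.version, e.prefix.prefixlen), reverse=True)
    return fib

def lookup(fib, dest: str) -> Optional[FibEntry]:
    """Longest-prefix match for dest; None when no prefix (not even a default) covers it."""
    addr = ipaddress.ip_address(dest)
    for entry in fib:
        if entry.prefix.version == addr.version and addr in entry.prefix:
            return entry
    return None

def forwarding_decision(fib, arp_table, dest: str):
    """Return (action, interface, mac) for dest. action is 'no-route', 'connected',
    'via' (forward to the next hop's MAC) or 'unresolved' (a route exists but the
    link-layer address is unknown, so the packet cannot be forwarded yet)."""
    addr = ipaddress.ip_address(dest)
    entry = lookup(fib, str(addr))
    if entry is None:
        return ("no-route", None, None)
    if entry.next_hop is None:
        mac = normalize_arp(arp_table).get(str(addr))  # connected: resolve dest itself
        return ("connected", entry.interface, mac) if mac else ("unresolved", entry.interface, None)
    if entry.next_hop_mac is None:
        return ("unresolved", entry.interface, None)
    return ("via", entry.interface, entry.next_hop_mac)

if __name__ == "__main__":
    fib = build_fib(ROUTES, ARP)
    for dest in ("10.1.2.3", "10.2.0.1", "192.168.1.10", "8.8.8.8", "2001:db8:2::5"):
        print(dest, forwarding_decision(fib, ARP, dest))
```

An 'unresolved' result corresponds, on the device, to a prefix in show ip route (or show ipv6 route) whose next hop does not appear in the ARP table (or in show ipv6 neighbors); that is the first thing to compare when a destination is reachable by the route table but traffic to it is dropped.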
Examples To display IPv6 interface summary information for VLAN 300, enter:
host1/Admin# show ipv6 interface brief vlan 300
Related Commands
show kalap udp load
To display the latest load information for a VIP address, VIP-based tag, or domain name that was provided in a KAL-AP request, use the show kalap udp load command in Exec mode.
show kalap udp load {all | domain domain | vip {ip_address | tag name}} [|] [>]
Syntax Description
all Displays the latest load information for all VIP addresses, and for all VIP-based tags and domains with their associated VIP addresses and port numbers.
domain domain Displays the latest load information for the specified domain name.
vip ip_address | tag name Displays the latest load information for the specified VIP address or VIP tag name. For the ip_address argument, enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
A2(2.0) The all keyword was added. The vip tag name keyword and argument were added.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
A4(1.0) The tag name keyword and argument were added.
Usage Guidelines The output fields for the show kalap udp load all command display the VIP address, the VIP tag with its associated VIP address and port number, or the domain name with its associated VIP address and port number, together with its load value and the time stamp.
Examples To display the latest load information for the KAL-AP request for VIP address 10.10.10.10, enter:
host1/Admin# show kalap udp load vip 10.10.10.10
To display the latest load information for the KAL-AP request for domain KAL-AP-TAG1, enter:
host1/Admin# show kalap udp load domain KAL-AP-TAG1
To display the latest load information for the KAL-AP request for the VIP tag KAL-AP-TAG2, enter:
host1/Admin# show kalap udp load vip tag KAL-AP-TAG2
Related Commands (config-pmap-c) kal-ap-tag
show lcp event-history
(ACE module only) To display the Line Card Process (LCP) debug event history information, use the show lcp event-history command.
show lcp event-history [|] [>]
Syntax Description
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To display LCP debug event history information, enter:
host1/Admin# show lcp event-history
Related Commands This command has no related commands.
show ldap-server
To display the configured Lightweight Directory Access Protocol (LDAP) server and server group parameters, use the show ldap-server command.
show ldap-server [groups] [|] [>]
Syntax Description
groups (Optional) Displays configured LDAP server group information.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show ldap-server command output, see the Security Guide, Cisco ACE Application Control Engine.
Examples To display the configured LDAP server groups, enter:
host1/Admin# show ldap-server groups
Related Commands (config) aaa group server
(config) ldap-server host
(config) ldap-server port
(config) ldap-server timeout
show license
To display your ACE license information, use the show license command.
show license [brief | file filename | internal event-history | status | usage] [|] [>]
Syntax Description
brief (Optional) Displays a filename list of currently installed licenses.
file filename (Optional) Displays the file contents of the specified license.
internal event-history (Optional) Displays a history of licensing-related events.
status (Optional) Displays the status of licensed features.
usage (Optional) Displays the usage table for all licenses.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.3) The Count value for Web Optimization in the show license status command output was changed from "cps" to "concurrent connections."
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Entering the show license command without any options and arguments displays all of the installed ACE license files and their contents.
For information about the fields in the show license command output, see the Administration Guide, Cisco ACE Application Control Engine.
To manage the licenses on your ACE, use the license command.
Examples To display all of the installed ACE license files and their contents, enter:
host1/Admin# show license
Related Commands copy capture
license
show line
To display all of the configured console and virtual terminal line sessions, use the show line command.
show line [console [connected]] [|] [>]
Syntax Description
console (Optional) Displays the configured console settings for the ACE.
connected (Optional) Displays the physical connection status.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show line command output, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To display all configured console and virtual terminal line sessions, enter:
host1/Admin# show line
ACE Module Example
To display the configured console settings for the ACE, enter:
host1/Admin# show line console
Related Commands clear line
(ACE module only) (config) line console
show logging
To display the current severity level and state of all syslog messages stored in the logging buffer, or to display information related to specific syslog messages, use the show logging command.
show logging [history | internal {event-history dbg | facility} | message [syslog_id | all | disabled] | persistent | queue | rate-limit | statistics] [|] [>]
Syntax Description
history (Optional) Displays the logging history file.
internal (Optional) Displays syslog internal messages.
event-history dbg Displays the debug history for the syslog server.
facility Displays the registered internal facilities for the syslog server.
message (Optional) Displays a list of syslog messages that have been modified from the default settings, that is, messages that have been assigned a different severity level or that have been disabled.
syslog_id (Optional) Identifier of a specific system log message to display, specified by message ID; the output identifies whether the message is enabled or disabled.
all (Optional) Displays all system log message IDs and identifies whether they are enabled or disabled.
disabled (Optional) Displays a complete list of suppressed syslog messages.
persistent (Optional) Displays statistics for the log messages sent to flash memory on the ACE.
queue (Optional) Displays statistics for the internal syslog queue.
rate-limit (Optional) Displays the current syslog rate-limit configuration.
statistics (Optional) Displays syslog statistics.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To use the show logging command, you must have the ACE buffer enabled as a logging output location. By default, logging to the local buffer on the ACE is disabled. To enable system logging to a local buffer and to limit the messages sent to the buffer based on severity, use the logging buffered configuration command from the desired context.
The show logging command lists the current syslog messages and identifies which logging command options are enabled.
To clear the logging information currently stored in the ACE buffer, use the clear logging command.
For information about the fields in the show logging command output, see the Security Guide, Cisco ACE Application Control Engine.
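The usage guidelines above make three points that matter in a hardening review: show logging shows nothing unless logging buffered is configured, the buffer is emptied by clear logging (so it is not a durable record), and show logging message disabled is the place that lists messages someone has suppressed. The following Python script is an added example, not ACE code or a Cisco tool; it audits a constructed running-configuration excerpt for those conditions. The command forms it parses (logging enable, logging buffered severity, logging host, no logging message syslog_id, logging message syslog_id level severity) are assumed from the ACE logging commands rather than taken from this page, and the message IDs in the sample are placeholders chosen for the example.

```python
from __future__ import annotations
import re

# Constructed excerpt of an ACE-style running configuration, made up for this
# example. The command forms parsed below are assumed from the ACE logging
# commands; the message IDs are placeholders, not looked up from the ACE
# system message guide.
SAMPLE_CONFIG = """\
hostname host1
logging enable
logging timestamp
logging buffered 3
logging host 192.0.2.10 udp/514
logging trap 4
no logging message 302022
logging message 111008 level 2
"""

# Syslog severity numbering: a lower number is more severe, and a level N
# setting keeps messages at severity N or more severe.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

_RE_BUFFERED = re.compile(r"^logging buffered ([0-7])$")
_RE_HOST = re.compile(r"^logging host (\S+)")
_RE_DISABLED = re.compile(r"^no logging message (\d+)$")
_RE_RELEVEL = re.compile(r"^logging message (\d+) level ([0-7])$")

def parse_logging(config: str) -> dict:
    """Collect the logging-related lines of a running configuration."""
    state = {"enabled": False, "buffered": None, "hosts": [], "disabled": [], "releveled": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "logging enable":
            state["enabled"] = True
        elif (m := _RE_BUFFERED.match(line)):
            state["buffered"] = int(m.group(1))
        elif (m := _RE_HOST.match(line)):
            state["hosts"].append(m.group(1))
        elif (m := _RE_DISABLED.match(line)):
            state["disabled"].append(m.group(1))
        elif (m := _RE_RELEVEL.match(line)):
            state["releveled"][m.group(1)] = int(m.group(2))
    return state

def audit_logging(config: str, min_buffer_severity: int = 6) -> list[str]:
    """Return review findings for the logging configuration; an empty list means
    nothing to flag. min_buffer_severity is the lowest acceptable 'logging
    buffered' level (6, informational, is used here; adjust to local policy)."""
    st = parse_logging(config)
    findings = []
    if not st["enabled"]:
        findings.append("logging is not enabled (no 'logging enable')")
    if st["buffered"] is None:
        findings.append("no 'logging buffered' level: show logging will have nothing to display")
    elif st["buffered"] < min_buffer_severity:
        findings.append(f"logging buffered {st['buffered']} ({SEVERITY_NAMES[st['buffered']]}) "
                        f"logs only messages at that severity or more severe; expected at least {min_buffer_severity}")
    if not st["hosts"]:
        findings.append("no remote syslog host: the local buffer is lost on reload and emptied by clear logging")
    for sid in st["disabled"]:
        findings.append(f"syslog message {sid} is disabled; confirm it is not security-relevant")
    for sid, lvl in st["releveled"].items():
        findings.append(f"syslog message {sid} re-leveled to {lvl} ({SEVERITY_NAMES[lvl]}); "
                        "check that it still reaches the buffer and the syslog host")
    return findings

if __name__ == "__main__":
    for finding in audit_logging(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it a captured show running-config and treat each finding as a question for the device owner rather than a verdict; the check for the live state remains show logging message disabled on the device itself.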
Examples To display a complete list of disabled syslog messages, enter:
host1/Admin# show logging message disabled
To display the contents of the logging history buffer, enter:
host1/Admin# show logging history
To display the contents of the internal facility messages buffer, enter:
host1/Admin# show logging internal facility
To display statistics for the log messages sent to flash memory on the ACE, enter:
host1/Admin# show logging persistent
To display statistics for the internal syslog queue, enter:
host1/Admin# show logging queue
To display the current syslog rate-limit configuration, enter:
host1/Admin# show logging rate-limit
To display the current syslog statistics, enter:
host1/Admin# show logging statistics
Related Commands clear logging
(config) logging buffered
show login timeout
To display the login session idle timeout value, use the show login timeout command.
show login timeout [|] [>]
Syntax Description
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To configure the login timeout value, use the login timeout command in configuration mode.
For information about the fields in the show login timeout command output, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To display the login timeout value, enter:
host1/Admin# show login timeout
Related Commands (config) login timeout
show nat-fabric
To display the Network Address Translation (NAT) policy and pool information for the current context, use the show nat-fabric command.
show nat-fabric {policies | src-nat policy_id mapped_if | dst-nat static_xlate_id | nat-pools | implicit-pat | global-static} [|] [>]
Syntax Description
policies Displays the NAT policies.
src-nat policy_id mapped_if Displays the specified source NAT policy information. To obtain the values for the policy_id and mapped_if arguments, view the policy_id and mapped_if fields displayed by the show nat-fabric policies command.
dst-nat static_xlate_id Displays the static address translation for the specified static XLATE ID. To obtain the value for the static_xlate_id argument, view the static_xlate_id field displayed by the show nat-fabric policies command.
nat-pools Displays NAT pool information for a dynamic NAT policy.
implicit-pat Displays the implicit PAT policies.
global-static Displays global static NAT information when the static command in global configuration mode is configured.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised with the global-static keyword.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised with the global-static keyword.
Usage Guidelines This command requires the NAT feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
To obtain the values for the policy_id, mapped_if, and static_xlate_id arguments, view their respective fields displayed by the show nat-fabric policies command.
Examples To display the implicit PAT policies, enter:
host1/Admin# show nat-fabric implicit-pat
Related Commands (ACE module only) (config) static
show netio
To display the control plane network I/O information, use the show netio command.
show netio {clients | event-history | stats} [|] [>]
Syntax Description
clients  Displays statistics for the applications that are transmitting and receiving packets through the Netio module.
event-history  Displays a historic log of the most recent debug network I/O messages.
stats  Displays detailed counters for various Netio event occurrences.
|  (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>  (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To display the control plane network I/O event history, enter:
host1/Admin# show netio event-history
1) Event:E_DEBUG, length:73, at 921762 usecs after Sat Jan 1 00:04:55 2000
[105] ed_request_encap: Sending ARP_RESOLUTION for 75.0.0.6, in context 0
2) Event:E_DEBUG, length:78, at 921752 usecs after Sat Jan 1 00:04:55 2000
[105] ed_egress_route_lookup: Route lookup failure -96 for 75.0.0.6, context 0
Related Commands clear netio stats
show nexus-device
To display the Nexus device connection statistics, use the show nexus-device command.
show nexus-device [name] [detail] [|] [>]
Syntax Description
name  Configured identifier of the Nexus device. Enter the name of an existing Nexus device as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
detail  Displays an additional field for the IP address of the Nexus device.
|  (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>  (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module/Appliance Release  Modification
A4(2.0)  This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To display the Nexus device connection information, enter the following command:
host1/Admin# show nexus-device DC1
Related Commands (config) nexus-device
show np
To display the hardware information stored on the four network processors (NPs), use the show np command.
show np np_number {access-list {node vlan vlan_number {in node_address | out node_address} | resource | root vlan vlan_number {in | out} | syslog {lineno-table [index_1 index_2 | all] | name-table [index_3 index_4 | all]} | trace vlan vlan_number in protocol prot_number | source source_ip source_port | destination dest_ip dest_port} | adjacency [lower_index upper_index [all] | internal [lower_index upper_index] | reap] | buffer {event-history | stats | usage} | cpu | interface {icmlookup [all] | iflookup} | interrupts | lb-stats {option} | mac-address-table | me-stats ucdump_option | memory | mtrie dest-ip dest_ip | nat {bitmap map_id | dst_nat policy_id | implicit-pat | policies | src-nat policy_id interface_id} | reg | status} [|] [>]
Syntax Description
np_number  Network processor number, as follows:
• ACE module—Enter one of the following processor identifier numbers:
– 1—Octeon network processor (NP) 1
– 2—Octeon network processor (NP) 2
– 3—Octeon network processor (NP) 3
– 4—Octeon network processor (NP) 4
• ACE appliance—Enter one of the following processor identifier numbers:
– 0—x86 processor
– 1—Octeon processor
access-list  Displays information related to the access control list (ACL).
node  Displays the contents of the hardware ACL node that is identified by the vlan_number.
vlan vlan_number  Specifies the number of the VLAN.
in  Specifies the inbound traffic flow.
out  Specifies the outbound traffic flow.
node_address  Address of the node.
resource  Displays information about the ACL resource usage.
root  Displays the hardware address of the root of the downloaded, aggregated ACL, identified by the vlan_number.
syslog  Displays the ACL syslog tables.
lineno-table  Displays the ACL syslog line-number table.
index_1 index_2  Range of indices to display. Enter an integer from 0 to 262143 for index_1 and index_2.
all  Specifies whether to display invalid entries.
name-table  Displays the ACL syslog namestring table.
index_3 index_4  Range of indices to display. Enter an integer from 0 to 16383 for index_3 and index_4.
trace  Traces a packet through a specific ACL.
protocol prot_number  Specifies a protocol number.
source  Specifies the source of the flow.
source_ip  Source IP address.
source_port  Source port number.
destination  Specifies the destination of a flow.
dest_ip  Destination IP address.
dest_port  Destination port number.
adjacency  Displays information related to the adjacent nodes.
lower_index  Lower index value. Enter a value from 1 to 32767.
upper_index  Upper index value. Enter a value from 1 to 32767.
all  Displays all entries, including invalid entries.
internal  Displays the internal information for adjacency structures.
reap  (Optional, ACE appliance only) Retrieves the encap reap statistics.
buffer  Displays the available NP buffer usage and the status of fault-tolerant (FT) switchover.
event-history  Displays control plane buffer event history.
stats  Displays control plane buffer statistics.
usage  Displays control plane buffer usage.
cpu  Displays information about the CPU processes. This command option is available only for a user with the Admin role in any context.
interface  Displays information related to the interface tables.
icmlookup  Displays the ICM/OCM interface table from the CP (0) or the specified NP.
iflookup  Displays the fast path interface lookup table from the CP (0) or the specified NP.
Note The iflookup keyword presents information from the fast path interface lookup table. If you wish to verify the configured shared VLAN host ID value, enter the show running-config | include shared command.
interrupts  (ACE module only) Displays the network processor interrupt error counters (for example, PIP, L2D, L2T, DRAM, and so on).
lb-stats  Displays load-balancing statistics similar to the LbInspectTool.
mac-address-table  Displays the MAC address table.
me-stats  Displays Micro Engine statistics for the network processors. This command option is available only for a user with the Admin role in any context.
ucdump_option  Options for the ucdump utility. The ucdump utility is a binary on Xscale which returns information about Micro Engine statistics. Specify --help as the ucdump_option argument to list all of the supported ucdump utility options. Enter up to 80 alphanumeric characters.
Note The following ucdump utility options are disabled from show np me-stats: -C, -f, and -i.
memory  Displays information about the memory processes. This command option is available only for a user with the Admin role in any context.
mtrie dest-ip dest_ip  Displays the Mtrie entry for the specified destination IP address.
nat  Displays information related to the network processor Network Address Translation (NAT) tables.
bitmap map_id  Specifies the NAT-pool bit-map table in the network processor.
dst_nat policy_id  Specifies the destination NAT policy.
implicit-pat  Specifies the implicit Port Address Translation (PAT) policy table.
policies  Specifies the full NAT policy table.
src-nat  Specifies the source NAT policy.
policy_id  Policy identifier number. Enter a value from 0 to 65535.
interface_id  Mapped interface identifier. Enter a value from 0 to 65535.
reg  (ACE module only) Displays information related to the network processor registers.
status  (ACE appliance only) Displays status information related to the specified network processor. You can only display the statistics for network processor 1.
|  (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>  (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
A4(1.0)  The value of 0 was removed from the network processor np_number argument range.
A4(1.1)  Added the buffer keyword and options.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
A4(1.1)  Added the buffer keyword and options.
Usage Guidelines This command and its options require the access-list or interface feature in your user role, except for the cpu, me-stats, and memory options. These three options require that you have the Admin user role in any context. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
(ACE appliance only) The show np 1 {me-stats | memory | status} command is now available to users configured with a custom role in both the Admin context and a user-configured context, as well as the predefined Admin and Network-Monitor roles. Because these commands are not context specific, we recommend that you issue them from the Admin context only. If you issue these commands in a user context, they may not display any data if other user context information could be displayed.
Examples To display the access list information from the hardware using network processor 1, enter:
host1/Admin# show np 1 access-list
To display Micro Engine statistics for a ucdump utility option (-b, which instructs the ACE to dump fastpath buffer memory), enter:
host1/Admin# show np 1 me-stats -b
Fastpath thread buffers
=================================
ME:1 thread:0 addr:0x0010 particle:0x00000000 len:78 rx_seq=7
0018 0x8500004e 0x00608034 0x0000001e 0x00101e07 ...N .`.4 .... ....
001c 0x0000ffff 0xffffffff 0x00059a3b 0x9a390800 .... .... ...; .9..
0020 0x4500002c 0xa4540000 0xff11fd64 0x0c010105 E.., .T.. ...d ....
0024 0x0c010101 0xc350c352 0x00185db6 0x000100f0 .... .P.R ..]. ....
0028 0x00000008 0x00000000 0x00000064 0x00000000 .... .... ...d ....
Related Commands clear np
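The me-stats -b dump above is a raw hex image of a fastpath buffer, which is only useful for troubleshooting or forensics once the frame inside it can be read. The following Python decoder is an added example; it is not Cisco code and not output from the ACE. It takes the dump text shown above (embedded as the sample, copied from the page's example output), converts the 32-bit words to bytes, locates the embedded Ethernet/IPv4 frame, decodes the Ethernet, IPv4 and UDP (or TCP) headers, and verifies the IPv4 header checksum. The page does not document the buffer layout, so the treatment of the words ahead of the frame as an NP-internal prefix, and the search for the frame by EtherType, are assumptions of this example.

```python
import re
import struct
from typing import Dict

# Sample input: the fastpath buffer dump that this page shows for
# `show np 1 me-stats -b`, copied verbatim so the decoder runs offline.
SAMPLE_DUMP = """\
Fastpath thread buffers
=================================
ME:1 thread:0 addr:0x0010 particle:0x00000000 len:78 rx_seq=7
0018 0x8500004e 0x00608034 0x0000001e 0x00101e07 ...N .`.4 .... ....
001c 0x0000ffff 0xffffffff 0x00059a3b 0x9a390800 .... .... ...; .9..
0020 0x4500002c 0xa4540000 0xff11fd64 0x0c010105 E.., .T.. ...d ....
0024 0x0c010101 0xc350c352 0x00185db6 0x000100f0 .... .P.R ..]. ....
0028 0x00000008 0x00000000 0x00000064 0x00000000 .... .... ...d ....
"""

# A dump line: a 4-hex-digit word index, then up to four 0x-prefixed 32-bit words
# (the trailing ASCII column is ignored).
WORD_LINE = re.compile(r"^\s*[0-9a-fA-F]{4}\s+((?:0x[0-9a-fA-F]{8}\s*){1,4})")


def dump_to_bytes(text: str) -> bytes:
    """Concatenate the 32-bit words of every dump line, big-endian, into one buffer."""
    buf = bytearray()
    for line in text.splitlines():
        m = WORD_LINE.match(line)
        if m:
            for word in m.group(1).split():
                buf += int(word, 16).to_bytes(4, "big")
    return bytes(buf)


def find_ethernet_frame(buf: bytes) -> int:
    """Return the offset of the Ethernet header inside the buffer.

    Assumption (not documented on this page): the words ahead of the frame are an
    NP-internal prefix, so the frame is located by searching for EtherType 0x0800
    followed by an IPv4 version/IHL byte of 0x45, then backing up over the 12 MAC bytes.
    """
    idx = buf.find(b"\x08\x00\x45")
    if idx < 12:
        raise ValueError("no IPv4-over-Ethernet frame found in dump")
    return idx - 12


def ipv4_checksum_ok(header: bytes) -> bool:
    """RFC 1071: the one's-complement sum of the whole IPv4 header, checksum field
    included, folds to 0xffff when the checksum is correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_frame(buf: bytes) -> Dict[str, object]:
    """Decode the Ethernet, IPv4 and UDP/TCP headers of the frame found in the buffer."""
    start = find_ethernet_frame(buf)
    eth = buf[start:start + 14]
    ip = buf[start + 14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, _frag, ttl, proto, _csum = struct.unpack("!2xHHHBBH", ip[:12])
    info: Dict[str, object] = {
        "frame_offset": start,
        "dst_mac": ":".join("%02x" % b for b in eth[0:6]),
        "src_mac": ":".join("%02x" % b for b in eth[6:12]),
        "ethertype": struct.unpack("!H", eth[12:14])[0],
        "ip_total_length": total_len,
        "ip_id": ident,
        "ttl": ttl,
        "protocol": proto,
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "ip_checksum_ok": ipv4_checksum_ok(ip[:ihl]),
    }
    l4 = ip[ihl:total_len]
    if proto == 17:  # UDP: source port, destination port, length, checksum, payload
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        info.update(src_port=sport, dst_port=dport, udp_length=ulen, payload=l4[8:ulen])
    elif proto == 6:  # TCP: ports and data offset are enough to identify the flow
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4
        info.update(src_port=sport, dst_port=dport, payload=l4[doff:])
    return info


if __name__ == "__main__":
    for key, value in decode_frame(dump_to_bytes(SAMPLE_DUMP)).items():
        print("%-16s %s" % (key, value.hex() if isinstance(value, bytes) else value))
```

On the sample dump this yields a broadcast UDP datagram from 12.1.1.5:50000 to 12.1.1.1:50002 with TTL 255 and a valid IPv4 header checksum; the checksum passing is the quickest evidence that the word-to-byte conversion and frame offset are right before anything else read out of the buffer is trusted.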
show processes
show ntp
(ACE appliance only) To display information about the Network Time Protocol (NTP) statistics, use the show ntp command.
show ntp {peer-status | peers | statistics [io | local | memory | peer ip_address]} [|] [>]
Syntax Description
peer-status  Displays the status for all configured NTP servers and peers.
peers  Displays a listing of all peers.
statistics  Displays the NTP statistics.
io  (Optional) Displays the input/output statistics.
local  (Optional) Displays the counters maintained by the local NTP.
memory  (Optional) Displays the statistical counters related to the memory code.
peer  (Optional) Displays the per-peer statistical counters of the specified peer.
ip_address  Peer statistics for the specified IP address.
|  (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>  (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Command History
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To display the status for all configured NTP servers and peers, enter:
host1/Admin# show ntp peer-status
To display a listing of all peers, enter:
host1/Admin# show ntp peers
Related Commands (config) ntp
show optimization-global
To display information about the global optimization statistics, use the show optimization-global command.
show optimization-global [|] [>]
Syntax Description
|  (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>  (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To display global optimization statistics, enter:
host1/Admin# show optimization-global
Related Commands (config) optimize
show parameter-map
To display the detailed configuration information for a specified parameter map, use the show parameter-map command.
show parameter-map [parammap_name] [|] [>]
Syntax Description
parammap_name  (Optional) Name of an existing parameter map. Enter the name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|  (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>  (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
A4(1.0)  The persistence rebalance field now displays the enabled strict state when you configure the persistence-rebalance strict command.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
A3(2.3)  The Description field has been added to the show parameter-map command output. This field displays the previously entered summary about the specific parameter map.
Usage Guidelines This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To display the configuration for the parameter map SSL_PARAMMAP, enter:
host1/Admin# show parameter-map SSL_PARAMMAP
Related Commands show running-config
show probe
To display the probe information including script probes, use the show probe command.
show probe [probe_name] [detail] [|] [>]
Syntax Description
probe_name  (Optional) Name of an existing probe.
detail  (Optional) Displays a detailed probe report that includes configuration information and statistics for all configured probes.
|  (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>  (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
A3(2.7) (not applicable for A4(1.0) or A4(2.0))  The regex cache-length field was added to display the configured cache length.
Usage Guidelines This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If you enter the show probe command without specifying a probe name, the ACE displays a summary report that includes all configured probes.
For information about the fields in the show probe command output, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To display the probe summary report, enter:
host1/Admin# show probe
Related Commands clear probe
(config) probe
show processes
To display general information about all of the processes running on the ACE, use the show processes command. The show processes command displays summary CPU information for the ACE module SiByte 1250 processor or the ACE appliance Pentium processor.
show processes [cpu | log [details | pid process_id] | memory] [|] [>]
Syntax Description
cpu  (Optional) Displays information about the CPU processes.
log  (Optional) Displays information about the process logs.
details  (Optional) Displays detailed process log information for all process identifiers.
pid process_id  (Optional) Displays process information about a specific process identifier. Enter a value from 0 to 2147483647.
memory  (Optional) Displays information about the memory processes.
|  (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>  (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin users (users with an Admin role), across all contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The show processes command is available only to Admin users (users with an Admin role) across all contexts. The displayed system processes information is at the CPU system level (the total CPU usage) and is not on a per-context level.
For information about the fields in the show processes command output, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To display information about the memory processes, enter:
host1/Admin# show processes memory
Related Commands clear processes log
show np
show tech-support
show pvlans
(ACE module only) To display the private VLANs on the ACE downloaded from the supervisor engine in the Catalyst 6500 series switch, use the show pvlans command.
show pvlans [|] [>]
Syntax Description
|  (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>  (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show pvlans command output, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
Examples To display the private VLANs on the ACE downloaded from the supervisor engine, enter:
host1/Admin# show pvlans
Related Commands This command has no related commands.
show radius-server
To display the configured Remote Authentication Dial-In User Service (RADIUS) server and group parameters, use the show radius-server command.
show radius-server [groups | sorted] [|] [>]
Syntax Description
groups  (Optional) Displays configured RADIUS server group information.
sorted  (Optional) Displays RADIUS server information sorted by name.
|  (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>  (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show radius-server command output, see the Security Guide, Cisco ACE Application Control Engine.
Examples To display the configured RADIUS server parameters, enter:
host1/Admin# show radius-server
To display the configured RADIUS server groups, enter:
host1/Admin# show radius-server groups
To display the RADIUS servers sorted by name, enter:
host1/Admin# show radius-server sorted
Related Commands (config) aaa group server
(config) radius-server attribute nas-ipaddr
(config) radius-server deadtime
(config) radius-server host
(config) radius-server key
(config) radius-server retransmit
show resource allocation
To display the allocation for each resource across all resource classes and class members, use the show resource allocation command.
show resource allocation [|] [>]
Syntax Description
|  (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>  (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
(ACE module) Admin context only
(ACE appliance) Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
A3(2.6)  This command is now available to users configured with a custom role in both the Admin context and a user-configured context, as well as the predefined Admin and Network-Monitor roles. See the "Usage Guidelines" section for more information.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command shows the resource allocation but does not show the actual resources being used. To display information about actual resource usage, use the show resource usage command.
(ACE appliance only) The show resource allocation command is now available to users configured with a custom role in both the Admin context and a user-configured context, as well as the predefined Admin and Network-Monitor roles. Because these commands are not context specific, we recommend that you issue them from the Admin context only. If you issue these commands in a user context, they may not display any data if other user context information could be displayed.
For information about the fields in the show resource allocation command output, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To display the allocation for each resource, enter:
host1/Admin# show resource allocation
Related Commands show resource usage
show resource internal
To display internal resource-related functions, use the show resource internal command.
show resource internal {appmap | regexp | socket} [|] [>]
Syntax Description
appmap  Displays the resource driver application map.
regexp  Displays the current memory usage for the virtual server ID.
socket  Displays the current socket resources.
|  (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
>  (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
(ACE module) Admin context only
(ACE appliance) Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
A4(1.0)  The regexp keyword was added.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
A3(2.6)  This command is now available to users configured with a custom role in both the Admin context and a user-configured context, as well as the predefined Admin and Network-Monitor roles. See the "Usage Guidelines" section for more information.
A4(1.0)  The regexp keyword was added.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
(ACE appliance only) The show resource internal command is now available to users configured with a custom role in both the Admin context and a user-configured context, as well as the predefined Admin and Network-Monitor roles. Because these commands are not context specific, we recommend that you issue them from the Admin context only. If you issue these commands in a user context, they may not display any data if other user context information could be displayed.
Examples To display the memory used by the virtual server IDs, enter:
host1/Admin# show resource internal regexp
Related Commands show resource usage
show resource usage
To display the resource usage for each Network Processor (NP) or each context, use the show resource usage command.
show resource usage [np {1 | number | current | denied | peak}] [all | [[context context_name | summary | top number] [resource {acc-connections | acl-memory | all | conc-connections | mgmt-connections | probes | proxy-connections | rate {bandwidth | connections | http-comp | inspect-conn | mac-miss | mgmt-traffic | ssl-connections | syslog} | regexp | sticky | syslogbuffer | xlates}]]] [counter [all | current | denied | peak [count_threshold]]] [|] [>]
Syntax Description
np  (Optional) Displays the resource usage for the NP.
1  (ACE appliance only) Displays all resource usage statistics for the NP. Enter 1.
number  (ACE module only) Network Processor (NP) number. Enter a number from 1 to 4. Because the ACE divides all resources equally between all NPs, this argument allows you to monitor the resource usage for each NP independently in case it reaches a limit. When an NP reaches a limit, it can deny a connection even though the limit is not reached in the other NPs.
current  Displays the active concurrent instances or the current rate of the resource for the NPs.
denied  Displays the number of denied uses of the resource for the NPs since the resource statistics were last cleared.
peak  Displays the peak concurrent instances, or the peak rate of the resource for the NPs since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.
all  (Optional) Displays the resource usage for each context individually. This is the default setting. This option is available in the Admin context only.
context context_name  (Optional) Displays the resource usage for the specified context. The context_name argument is case sensitive. This option is available in the Admin context only.
summary  (Optional) Displays the total resource usage for all contexts together. For example, the denied column shows the items that have been denied for each context limit. This option is available in the Admin context only.
top number  (Optional) Displays the greatest n users of a single resource arranged from the highest to the lowest percentage of resources used. You must specify a single resource type and cannot use the resource all keywords with this option. This option is available in the Admin context only.
resource  (Optional) Displays statistics for one of the following specified resources. This option is available for the np option in the Admin context only.
acc-connections  (ACE appliance only) Displays the number of application acceleration connections.
acl-memory  Displays the ACL memory usage.
all  Displays the resource usage for all resources used by the specified context or contexts.
conc-connections  Displays the resource usage for simultaneous connections.
mgmt-connections  Displays the resource usage for management connections.
probes  Displays the resource usage for probes.
proxy-connections  Displays the resource usage for proxy connections.
rate  Displays the rate per second for the specified connections or syslog messages.
bandwidth  Displays the bandwidth in bytes per second.
connections  Displays connections per second.
http-comp  Displays the HTTP compression rate in bytes per second. To convert the value to bits per second, multiply the displayed value by 8.
inspect-conn  Displays all inspection connections per second.
mac-miss  Displays MAC miss traffic that was punted to the CP, in packets per second.
mgmt-traffic  Displays management traffic in bytes per second.
ssl-connections  Displays Secure Sockets Layer (SSL) connections.
syslog  Displays the syslog message buffer usage.
regexp  Displays resource usage for regular expressions.
sticky  Displays resource usage for sticky entries.
syslogbuffer  Displays resource usage for the syslog buffer.
xlates  Displays resource usage by Network Address Translation (NAT) and Port Address Translation (PAT) entries.
Defaults None
Command Modes Exec
counter (Optional) Displays all statistics. You can specify one of the following
options:
all (Optional) Displays all statistics. This is the default setting.
current (Optional) Displays the active concurrent instances or the current rate of
the resource.
denied (Optional) Displays the number of denied uses of the resource since the
resource statistics were last cleared.
peak (Optional) Displays the peak concurrent instances, or the peak rate of the
resource since the statistics were last cleared, either using the clear
resource usage command or because the device rebooted.
count_threshold (Optional) Number above which resources are shown. Enter an integer
from 0 to 4294967295. The default is 1. If the usage of the resource is
below the number you set, then the resource is not shown. If you specify
all for the counter name, then the count_threshold applies to the current
usage. To show all resources, set the count_threshold to 0.
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for
filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that
redirects the command output to a file. For a complete description of the
options available for redirecting the command output, see the show
command.1-200
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 1 CLI Commands
Exec Mode Commands
Admin and user contexts
Command History
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show resource usage command output, see the Administration
Guide, Cisco ACE Application Control Engine.
Examples To display the resource usage for context C1, enter:
host1/Admin# show resource usage context C1 resource
Related Commands This command has no related commands.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) This command was modified to include the np option and http-comp
keywords for compression.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) This command was modified to include the np option.1-201
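The per-NP limit described above is easy to miss when you read only the context summary: the summed numbers can look healthy while one NP is at its ceiling. The following Python script is an added example, not part of the Cisco reference. It parses captured show resource usage text and flags any group (context or NP) whose Current value is at or above a threshold fraction of Max, or whose Denied counter is non-zero, and it computes the aggregate NP utilization to show how that view hides the problem. The sample output is constructed for the example, and the column layout (Resource, Current, Peak, Min, Max, Denied, grouped under "Context:" and "NP" headings) is an assumption about the output format; adjust the regular expressions to the layout your software version prints.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of "show resource usage" output for this example. The column
# layout is assumed, not copied from a device; adapt the regexes if yours differs.
SAMPLE_OUTPUT = """\
Context: Admin
  Resource                 Current     Peak      Min       Max       Denied
  conc-connections         250         300       0         4000      0
  sticky                   0           0         0         0         0

Context: C1
  Resource                 Current     Peak      Min       Max       Denied
  conc-connections         1200        1500      0         4000      0
  sticky                   65536       65536     0         65536     17

NP 1
  Resource                 Current     Peak      Min       Max       Denied
  conc-connections         3920        3950      0         4000      0

NP 2
  Resource                 Current     Peak      Min       Max       Denied
  conc-connections         800         1200      0         4000      0
"""

# A group heading is either "Context: <name>" or "NP <n>" (assumed layout).
GROUP_RE = re.compile(r"^\s*(?:Context:\s*(?P<ctx>\S+)|NP\s+(?P<np>\d+))\s*$")
# A data row: lowercase resource keyword followed by five integer columns.
ROW_RE = re.compile(
    r"^\s*(?P<resource>[a-z][\w-]*)\s+(?P<current>\d+)\s+(?P<peak>\d+)"
    r"\s+(?P<min>\d+)\s+(?P<max>\d+)\s+(?P<denied>\d+)\s*$"
)


@dataclass
class Usage:
    group: str      # context name, or "NP n" for a network processor
    resource: str
    current: int
    peak: int
    minimum: int
    maximum: int
    denied: int

    @property
    def utilization(self) -> float:
        """Fraction of the Max limit in use; 0.0 when no limit is allocated."""
        return self.current / self.maximum if self.maximum else 0.0


def parse_resource_usage(text: str) -> List[Usage]:
    """Parse the table into Usage rows, remembering which context or NP each row belongs to."""
    rows: List[Usage] = []
    group = "?"
    for line in text.splitlines():
        g = GROUP_RE.match(line)
        if g:
            group = g.group("ctx") or f"NP {g.group('np')}"
            continue
        r = ROW_RE.match(line)
        if r:
            rows.append(Usage(group, r.group("resource"), int(r.group("current")),
                              int(r.group("peak")), int(r.group("min")),
                              int(r.group("max")), int(r.group("denied"))))
    return rows


def find_pressure(rows: List[Usage], threshold: float = 0.9) -> List[Tuple[str, str, str]]:
    """Return (group, resource, reason) for rows with denied requests or usage near Max."""
    findings = []
    for r in rows:
        if r.denied > 0:
            findings.append((r.group, r.resource, f"denied={r.denied}"))
        if r.maximum and r.utilization >= threshold:
            findings.append((r.group, r.resource, f"utilization={r.utilization:.0%}"))
    return findings


def np_aggregate_utilization(rows: List[Usage], resource: str) -> float:
    """Sum one resource across all NPs: the whole-box view that hides a single saturated NP."""
    np_rows = [r for r in rows if r.group.startswith("NP ") and r.resource == resource]
    total_max = sum(r.maximum for r in np_rows)
    return sum(r.current for r in np_rows) / total_max if total_max else 0.0


if __name__ == "__main__":
    parsed = parse_resource_usage(SAMPLE_OUTPUT)
    agg = np_aggregate_utilization(parsed, "conc-connections")
    print(f"aggregate NP conc-connections utilization: {agg:.0%}")
    for group, resource, reason in find_pressure(parsed):
        print(f"{group:6} {resource:18} {reason}")
```

On the constructed sample the aggregate NP utilization is 59%, which looks comfortable, while the per-NP check reports NP 1 at 98% and the sticky table in context C1 both full and already denying entries.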
show restore
To display restore errors or the status of a restore operation, use the show restore command.
show restore errors | status [details] [|] [>]
Syntax Description
errors Displays the errors that occurred during a restore operation. For information about restore
system messages, see the System Message Guide, Cisco ACE Application Control Engine.
status [details] Displays the status of the restore operation. The details keyword adds one line for
each context and component (license, certificates and keys, probe scripts, checkpoints, startup
configuration, and running configuration) that was restored, with its time stamp and result.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output.
For a complete description of the options available for filtering the command output, see the
show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command
output to a file. For a complete description of the options available for redirecting the command
output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
A2(3.0) This command was introduced.
ACE Appliance Release Modification
A4(1.0) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A restore rewrites the certificates and keys, probe scripts, checkpoints, and both configuration files
of every context listed in the output, so review the per-component lines rather than the overall
Status line alone. The backup archive named in the output contains those certificates and keys;
protect it accordingly.
Examples To display the details of a restore operation in the Admin context, enter:
host1/Admin# show restore status details
Backup Archive: fusion_2010_09_16_21_34_03.tgz
Type : Full
Start-time : Thu Sep 16 23:27:53 2010
Finished-time : Thu Sep 16 23:28:19 2010
Status : SUCCESS
Current vc : ct3
Completed : 4/4
------------------------+---------------+--------------------------+------------
Context component Time Status
------------------------+---------------+--------------------------+------------
Admin License Thu Sep 16 23:28:03 2010 SUCCESS
Admin Cert/Key Thu Sep 16 23:28:03 2010 SUCCESS
Admin Probe script Thu Sep 16 23:28:03 2010 SUCCESS
Admin Checkpoints Thu Sep 16 23:28:06 2010 SUCCESS
Admin Startup-cfg Thu Sep 16 23:28:07 2010 SUCCESS
Admin Running-cfg Thu Sep 16 23:28:07 2010 SUCCESS
ct1 Cert/Key Thu Sep 16 23:28:17 2010 SUCCESS
ct1 Probe script Thu Sep 16 23:28:17 2010 SUCCESS
ct1 Checkpoints Thu Sep 16 23:28:17 2010 SUCCESS
ct1 Startup-cfg Thu Sep 16 23:28:17 2010 SUCCESS
ct1 Running-cfg Thu Sep 16 23:28:18 2010 SUCCESS
ct2 Cert/Key Thu Sep 16 23:28:18 2010 SUCCESS
ct2 Probe script Thu Sep 16 23:28:18 2010 SUCCESS
ct2 Checkpoints Thu Sep 16 23:28:18 2010 SUCCESS
ct2 Startup-cfg Thu Sep 16 23:28:18 2010 SUCCESS
ct2 Running-cfg Thu Sep 16 23:28:18 2010 SUCCESS
ct3 Cert/Key Thu Sep 16 23:28:19 2010 SUCCESS
ct3 Probe script Thu Sep 16 23:28:19 2010 SUCCESS
ct3 Checkpoints Thu Sep 16 23:28:19 2010 SUCCESS
ct3 Startup-cfg Thu Sep 16 23:28:19 2010 SUCCESS
ct3 Running-cfg Thu Sep 16 23:28:19 2010 SUCCESS
Related Commands restore
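Because a restore touches every context's certificates, keys, and configuration, a practitioner wants a mechanical check that every component line reports SUCCESS and that every expected context is present, rather than reading the overall Status line alone. The following Python script is an added example and not part of the Cisco reference. It parses the show restore status details output shown above (the embedded sample is that output, copied from the example on this page) and reports any component that did not succeed, any expected context that is missing or incomplete, and any context restored that was not expected. The required component names, and the assumption that only the Admin context carries a License component, are taken from that same output.

```python
import re
from typing import Dict, List, Set, Tuple

# Output of "show restore status details" as printed in the example above.
RESTORE_OUTPUT = """\
Backup Archive: fusion_2010_09_16_21_34_03.tgz
Type : Full
Start-time : Thu Sep 16 23:27:53 2010
Finished-time : Thu Sep 16 23:28:19 2010
Status : SUCCESS
Current vc : ct3
Completed : 4/4
------------------------+---------------+--------------------------+------------
Context component Time Status
------------------------+---------------+--------------------------+------------
Admin License Thu Sep 16 23:28:03 2010 SUCCESS
Admin Cert/Key Thu Sep 16 23:28:03 2010 SUCCESS
Admin Probe script Thu Sep 16 23:28:03 2010 SUCCESS
Admin Checkpoints Thu Sep 16 23:28:06 2010 SUCCESS
Admin Startup-cfg Thu Sep 16 23:28:07 2010 SUCCESS
Admin Running-cfg Thu Sep 16 23:28:07 2010 SUCCESS
ct1 Cert/Key Thu Sep 16 23:28:17 2010 SUCCESS
ct1 Probe script Thu Sep 16 23:28:17 2010 SUCCESS
ct1 Checkpoints Thu Sep 16 23:28:17 2010 SUCCESS
ct1 Startup-cfg Thu Sep 16 23:28:17 2010 SUCCESS
ct1 Running-cfg Thu Sep 16 23:28:18 2010 SUCCESS
ct2 Cert/Key Thu Sep 16 23:28:18 2010 SUCCESS
ct2 Probe script Thu Sep 16 23:28:18 2010 SUCCESS
ct2 Checkpoints Thu Sep 16 23:28:18 2010 SUCCESS
ct2 Startup-cfg Thu Sep 16 23:28:18 2010 SUCCESS
ct2 Running-cfg Thu Sep 16 23:28:18 2010 SUCCESS
ct3 Cert/Key Thu Sep 16 23:28:19 2010 SUCCESS
ct3 Probe script Thu Sep 16 23:28:19 2010 SUCCESS
ct3 Checkpoints Thu Sep 16 23:28:19 2010 SUCCESS
ct3 Startup-cfg Thu Sep 16 23:28:19 2010 SUCCESS
ct3 Running-cfg Thu Sep 16 23:28:19 2010 SUCCESS
"""

# Components every context shows in the sample; License appears only under Admin (assumed rule).
REQUIRED_COMPONENTS = {"Cert/Key", "Probe script", "Checkpoints", "Startup-cfg", "Running-cfg"}
ADMIN_ONLY_COMPONENTS = {"License"}

# A component row: context, component (may contain a space), "Www Mmm dd hh:mm:ss yyyy", status.
ROW_RE = re.compile(
    r"^(?P<ctx>\S+)\s+(?P<comp>.+?)\s+"
    r"(?P<time>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(?P<status>\S+)\s*$"
)
# A header field such as "Status : SUCCESS" or "Backup Archive: <file>".
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][\w -]*?)\s*:\s*(?P<value>.*)$")

Row = Tuple[str, str, str, str]


def parse_restore_status(text: str) -> Tuple[Dict[str, str], List[Row]]:
    """Split the output into header fields and (context, component, time, status) rows."""
    fields: Dict[str, str] = {}
    rows: List[Row] = []
    for line in text.splitlines():
        row = ROW_RE.match(line)          # try the table row first: rows also contain colons
        if row:
            rows.append((row["ctx"], row["comp"], row["time"], row["status"]))
            continue
        field = FIELD_RE.match(line)
        if field:
            fields[field["key"]] = field["value"].strip()
    return fields, rows


def verify_restore(fields: Dict[str, str], rows: List[Row], expected_contexts: Set[str]) -> List[str]:
    """Return a list of problems; an empty list means the restore is complete and clean."""
    problems: List[str] = []
    if fields.get("Status") != "SUCCESS":
        problems.append(f"overall status: {fields.get('Status')}")
    done, total = (int(x) for x in fields.get("Completed", "0/0").split("/"))
    if done != total or total != len(expected_contexts):
        problems.append(f"completed {done}/{total}, expected {len(expected_contexts)}")
    seen: Dict[str, Set[str]] = {}
    for ctx, comp, _time, status in rows:
        seen.setdefault(ctx, set()).add(comp)
        if status != "SUCCESS":
            problems.append(f"{ctx} {comp}: {status}")
    for ctx in sorted(expected_contexts):
        needed = REQUIRED_COMPONENTS | (ADMIN_ONLY_COMPONENTS if ctx == "Admin" else set())
        missing = needed - seen.get(ctx, set())
        if missing:
            problems.append(f"{ctx} missing: {', '.join(sorted(missing))}")
    for ctx in sorted(set(seen) - expected_contexts):
        problems.append(f"unexpected context restored: {ctx}")
    return problems


if __name__ == "__main__":
    hdr, comps = parse_restore_status(RESTORE_OUTPUT)
    print(hdr["Backup Archive"], hdr["Status"], hdr["Completed"], len(comps), "components")
    print(verify_restore(hdr, comps, {"Admin", "ct1", "ct2", "ct3"}) or "restore verified")
```

The row pattern is tried before the header pattern because the time stamps in the table rows also contain colons. Run with the list of contexts you intended to restore; an unexpected context in the output is reported as well, since a restore can create contexts that the archive carried but the current design no longer has.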
show role
To display the configured user roles (predefined and user-configured roles), use the show role command.
show role [role_name] [|] [>]
Syntax Description
role_name (Optional) Name of an existing role.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output.
For a complete description of the options available for filtering the command output, see the
show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command
output to a file. For a complete description of the options available for redirecting the command
output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To configure roles, use the role command in configuration mode.
For information about the fields in the show role command output, see the Administration Guide, Cisco
ACE Application Control Engine.
Examples To display all of the available user roles, enter:
host1/Admin# show role
Related Commands (config) role
show rserver
To display the IPv6 or IPv4 summary or detailed statistics for a named real server or for all real servers,
use the show rserver command.
show rserver [rserver_name] [detail] [|] [>]
Syntax Description
rserver_name (Optional) Identifier of an existing real server.
detail (Optional) Displays detailed statistics for the real server name that you enter or for all real
servers. If you do not include the detail keyword, the summary report is displayed.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output.
For a complete description of the options available for filtering the command output, see the
show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command
output to a file. For a complete description of the options available for redirecting the command
output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines This command requires the rserver feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show rserver command output, see the Server Load-Balancing
Guide, Cisco ACE Application Control Engine.
For the Total Conn-failures output field of the show rserver detail command, the following conditions
apply:
For Layer 4 traffic with normalization on, the count increments if the three-way handshake fails to be
established for either of the following reasons:
• A RST comes from the client or the server after a SYN-ACK.
• The server does not reply to a SYN and the connection times out.
For Layer 4 traffic with normalization off, the count does not increment, so a value of zero for such
traffic does not mean that no handshakes failed.
For Layer 7 traffic (normalization is always on), the count increments if the three-way handshake fails to
be established for either of the following reasons:
• A RST comes from the server after the front-end connection is established.
• The server does not reply to a SYN and the connection times out.
Examples To display detailed statistics for all configured real servers, enter:
host1/Admin# show rserver detail
Related Commands clear rserver
(config) rserver
show running-config
To display the running configuration information associated with the current context, use the show
running-config command.
show running-config [aaa | access-list | action-list | class-map | context | dhcp | domain | ft |
interface | object-group | parameter-map | policy-map | probe | resource-class | role |
rserver | serverfarm | sticky [name]] [|] [>]
Syntax Description
aaa (Optional) Displays authentication, authorization, and accounting (AAA) information.
access-list (Optional) Displays access control list (ACL) information.
action-list (Optional) Displays action-list information.
class-map (Optional) Displays the list of all class maps configured for the current context. The ACE
also displays configuration information for each class map listed.
context (Optional) Displays the list of contexts configured on the ACE. The ACE also displays the
resource class (member) assigned to each context. The context keyword works only from within the
Admin context.
dhcp (Optional) Displays Dynamic Host Configuration Protocol (DHCP) information.
domain (Optional) Displays the list of domains configured for the current context. The ACE also
displays configuration information for each domain listed.
ft (Optional) Displays the list of redundancy or fault-tolerance (ft) configurations configured for
the current context. The ACE also displays configuration information for each ft configuration
listed.
interface (Optional) Displays interface information.
object-group (Optional) Displays object-group information.
parameter-map (Optional) Displays parameter map information.
policy-map (Optional) Displays policy map information.
probe (Optional) Displays probe information.
resource-class (Optional) Displays resource class information.
role (Optional) Displays the list of roles configured for the current context. The ACE also displays
configuration information for each role on the list.
rserver (Optional) Displays rserver information.
serverfarm (Optional) Displays server farm information.
sticky (Optional) Displays sticky information.
name (Optional) Name of the object to display.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output.
For a complete description of the options available for filtering the command output, see the
show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command
output to a file. For a complete description of the options available for redirecting the command
output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
A4(1.1) Added the optional name argument.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
A3(2.7) The name option was added. Not applicable for A4(1.0) and A4(2.0).
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The show running-config command is a context-sensitive command. The ACE creates a running
configuration for each context that you create; therefore, to display the running-config file of a specific
context, you must enter the show running-config command from within the desired context. If you need
to change to another context before executing the show running-config command, use the changeto
command or log directly in to the desired context.
Use the copy running-config command to do the following:
• Save a copy of the running configuration to a file on one or more destination locations.
• Save the running configuration as the startup configuration.
Use the copy startup-config command to save the startup configuration as the running configuration.
For information about the fields in the show running-config command output, see the Administration
Guide, Cisco ACE Application Control Engine.
Examples To display the entire running configuration, enter:
host1/Admin# show running-config
Related Commands copy running-config
copy startup-config
show startup-config
show tech-support
write
show scp
(ACE module only) To display the Switch Command Control Protocol (SCP) statistics, use the show scp
command.
show scp {debugs | event-history | stats} [|] [>]
Syntax Description
debugs Displays the SCP debug filter settings.
event-history Displays a historic log of the most recent SCP debug messages.
stats Displays detailed counters for SCP events.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output.
For a complete description of the options available for filtering the command output, see the
show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command
output to a file. For a complete description of the options available for redirecting the command
output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To display the SCP statistics, enter:
host1/Admin# show scp stats
Related Commands This command has no related commands.
show script
To display the statistics for a script file that is active on the ACE, including exit codes and exit messages,
use the show script command.
show script {script_name probe_name [rserver_name [port_number] [serverfarm sfarm_name]] |
code script_name} [|] [>]
Syntax Description
script_name Name of a loaded script.
probe_name Name of a probe that is associated with the specified script.
rserver_name (Optional) Name of a real server that is associated with the specified probe.
port_number (Optional) Port number on the specified real server.
serverfarm sfarm_name (Optional) Specifies the server farm that contains the specified real server.
code script_name Displays the code for the specified script.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output.
For a complete description of the options available for filtering the command output, see the
show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command
output to a file. For a complete description of the options available for redirecting the command
output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the probe feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show script command output, see the Administration Guide,
Cisco ACE Application Control Engine.
Examples To display the script file code for the script in the file MYSCRIPT, enter:
host1/Admin# show script code MYSCRIPT
Related Commands (config) script file name
(config-probe-probe_type) script
show security internal event-history
To display information about the security event history, use the show security internal event-history
command.
show security internal event-history {errors | msgs} [|] [>]
Syntax Description
errors Displays the debug error logs of the security manager.
msgs Displays the message logs of the security manager.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output.
For a complete description of the options available for filtering the command output, see the
show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command
output to a file. For a complete description of the options available for redirecting the command
output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To display the error logs of the security manager, enter:
host1/Admin# show security internal event-history errors
Related Commands This command has no related commands.
show serverfarm
To display summary or detailed statistics about a specified server farm, use the show serverfarm
command.
show serverfarm [name [retcode]] [detail] [NPn] [|] [>]
show serverfarm [name [inband]] [|] [>]
Syntax Description
name (Optional) Detailed report for the specified server farm. If you do not specify a server farm
name, the summary report is displayed.
retcode (Optional) Displays the HTTP return code statistics associated with the server farm, for the
configured real server and retcode map combinations whose return code hit count is greater than 0.
All return code hit counts are an aggregate of the counts of both network processors.
detail (Optional) Displays detailed statistics for the specified server farm, including the current and
total connections stuck to each real server due to sticky. When used after the retcode option, the
detail option displays return code statistics even if the value is 0.
inband (Optional) Displays the number of inband health monitoring connection failures for each real
server in the server farm.
NPn (Optional) Indicates which network processor (NP) handled a connection for a particular real
server. Use this option to troubleshoot real server connections when only some connections are
dropped.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output.
For a complete description of the options available for filtering the command output, see the
show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command
output to a file. For a complete description of the options available for redirecting the command
output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
3.0(0)A1(4) This command was revised. The Out-of-Rotation Count field was added to the show
command output.
A4(1.0) This command was revised to include the inband option.
A4(1.1) Added the NPn option.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.3) This command with the name or detail option was revised to include the real server
description field as defined by the description command in serverfarm host real server
configuration mode.
A4(1.0) This command was revised to include the inband option.
A4(1.1) Added the NPn option.
Usage Guidelines This command requires the serverfarm feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
In software version A4(1.1) and later, the ACE retains the retcode and inband health monitoring statistics
of a server farm when a real server transitions from the OPERATIONAL state to the INACTIVE state.
For information about the fields in the show serverfarm command output, see the Server
Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To display a summary report about the server farm, enter:
host1/Admin# show serverfarm
Related Commands clear serverfarm
(config) serverfarm
(config-sfarm-host) inband-health check
show service-policy
To display the statistics for all policy maps or for a specific policy map that is currently in service, use the
show service-policy command. This command also allows you to display statistics for a specific class
map in a policy or the hit counts for match HTTP URL statements in a Layer 7 HTTP policy map. If you
do not enter an option with this command, the ACE displays all enabled policy statistics.
show service-policy [policy_name [class-map class_name]] [detail [dad] | summary |
url-summary] [|] [>]
Syntax Description
policy_name (Optional) Identifier of an existing policy map that is currently in service (applied to an
interface) as an unquoted text string with a maximum of 64 alphanumeric characters. If you do not
enter the name of an existing policy map, the ACE displays information and statistics for all policy
maps.
class-map class_name (Optional) Displays the statistics for the specified class map associated with
the policy.
detail (Optional) Displays a more detailed listing of policy map or class map statistics and status
information.
dad (Optional) Displays the IPv6 duplicate address detection (DAD) information, including the DAD
status of the VIP.
summary (Optional) Displays a summary of policy map or class map statistics and status information.
url-summary (Optional) Displays the number of times that a connection is established based on a
match HTTP URL statement for a class map in a Layer 7 HTTP policy map.
The URL hit counter is per match statement per load-balancing Layer 7 policy. If you are using the
same combination of Layer 7 policy and class maps with URL match statements in different VIPs, the
count is combined. If the ACE configuration exceeds 64K URL and load-balancing policy
combinations, this counter displays NA.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output.
For a complete description of the options available for filtering the command output, see the
show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command
output to a file. For a complete description of the options available for redirecting the command
output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
3.0(0)A1(4) Command syntax was changed to allow the display of all service policies that are
configured in the ACE.
A2(1.2) The class-map class_name and summary options were added.
A2(2.0) The url-summary option was added.
A2(3.3) The regex dnld status field was added.
A4(2.0) Added the VIP DWS state output field.
A5(1.0) Added the optional dad keyword and associated output fields for IPv6.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.1) The class-map class_name and summary options were added.
A3(2.5) Compression counter fields were added.
A3(2.6) The regex dnld status field was added.
A4(1.0) The url-summary option was added.
A4(2.0) Added the VIP DWS state output field.
A5(1.0) Added the optional dad keyword and associated output fields for IPv6.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The show service-policy command displays the following information:
• VLAN to which the policy is applied
• Class map associated with the policy
• Status of any NAT operations
• Status of any load-balancing operations
• Status of any compression operations
• Dynamic Workload Scaling (DWS) status of the VIP
• DAD status of IPv6 VIPs
The ACE updates the counters that the show service-policy command displays after the applicable
connections are closed.
For information about the fields in the show service-policy command output, see the Server
Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To display detailed statistics and the current status of the service policy MGMT_POLICYMAP, enter:
host1/Admin# show service-policy MGMT_POLICYMAP detail
Related Commands clear service-policy
show running-config
(config) service-policy
show snmp
To display the Simple Network Management Protocol (SNMP) statistics and configured SNMP
information, use the show snmp command.
show snmp [community | engineID | group | host | sessions | user] [|] [>]
Syntax Description
community (Optional) Displays the SNMP community strings.
engineID (Optional) Displays the identification of the local SNMP engine and of all remote engines
that have been configured on the ACE.
group (Optional) Displays the names of the groups on the ACE, the security model, the status of the
different views, and the storage type of each group.
host (Optional) Displays the configured SNMP notification recipient host, the User Datagram
Protocol (UDP) port number, the user, and the security model.
sessions (Optional) Displays the IP addresses of the targets to which traps or informs have been sent.
user (Optional) Displays SNMPv3 user information.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output.
For a complete description of the options available for filtering the command output, see the
show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command
output to a file. For a complete description of the options available for redirecting the command
output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
By default, this command displays the ACE contact, the ACE location, the packet traffic information,
the community strings, and the user information. You can instruct the ACE to display specific SNMP
information by including the appropriate keyword.
Community strings are the credentials for SNMPv1 and SNMPv2c access, and this command lists them;
treat its output, and any file to which you redirect it, as sensitive.
For information about the fields in the show snmp command output, see the Security Guide, Cisco ACE
Application Control Engine.
Examples To display SNMP statistics and configured SNMP information, enter:
host1/Admin# show snmp
Related Commands (config) snmp-server community
(config) snmp-server contact
(config) snmp-server enable traps
(config) snmp-server host
(config) snmp-server location
(config) snmp-server trap link ietf
(config) snmp-server trap-source vlan
(config) snmp-server user
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 1 CLI Commands
Exec Mode Commands
show ssh
To display the information about the Secure Shell (SSH) keys and sessions, use the show ssh command.
show ssh {key [dsa | rsa | rsa1] | maxsessions [context_name] | session-info [context_name]} [|] [>]
Syntax Description
Command Modes Exec
Admin and user contexts
Command History
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
From the Admin context, this argument allows you to display only the SSH information associated with
a specific user-created context.
key Displays the host key pair details for all SSH keys.
dsa (Optional) Displays only the details of the DSA key pair for the SSH version 2
protocol.
rsa (Optional) Displays only the details of the RSA key pair for the SSH version 2
protocol.
rsa1 (Optional) Displays only the details of the RSA1 key pair for the SSH version 1
protocol.
maxsessions Displays the maximum number of SSH sessions that the ACE allows. Context
administrators may also view SSH session information associated with a particular
context.
context_name (Optional) Name of an existing context that contains the SSH session information
that the context administrator wants to view. Only the global administrator can view
Telnet information associated with a particular context. The context_name argument
is case sensitive and is visible only from the admin context.
session-info Displays session information, including the session ID, the remote host IP address,
and the active time.
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for filtering the
command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects
the command output to a file. For a complete description of the options available for
redirecting the command output, see the show command.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
For information about the fields in the show ssh command output, see the Security Guide, Cisco ACE
Application Control Engine.
Examples To display all of the loaded SSH keys, enter:
host1/Admin# show ssh key
To display the maximum number of SSH sessions that the ACE permits for the context C2, enter:
host1/Admin# show ssh maxsessions C2
Maximum Sessions Allowed is 2(SSH Server is enabled)
Related Commands clear ssh
(config) class-map
(config) ssh key
(config) ssh maxsessions
show startup-config
To display information about the startup configuration that is associated with the current context, use the
show startup-config command.
show startup-config [|] [>]
Syntax Description
Command Modes Exec
Admin and user contexts
Command History
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To clear the startup configuration, use the clear startup-config command.
To copy the running configuration to the startup configuration, or copy the startup configuration to the
running configuration, use the copy running-config command.
For information about the fields in the show startup-config command output, see the Administration
Guide, Cisco ACE Application Control Engine.
Examples To display information about the startup configuration, enter:
host1/Admin# show startup-config
Related Commands clear startup-config
copy capture
show running-config
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for
filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that
redirects the command output to a file. For a complete description of the
options available for redirecting the command output, see the show
command.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
show stats
To display statistics about the ACE operation, use the show stats command.
show stats [connection | {crypto {client [alert | authentication | cipher | termination]} | {server
[alert | authentication | cipher | insert | redirect | termination]}} | http | inspect [ftp | http |
rtsp]| kalap [all] | loadbalance [radius | rdp | rtsp | sip] | optimization http | probe [type
probe_type] | sticky] [|] [>]
Syntax Description connection (Optional) Displays global connection statistics associated with the current context.
crypto (Optional) Displays the back-end (client keyword) and front-end (server keyword)
SSL statistics for the current context.
client Displays the back-end SSL client statistics for the current context. If you do not enter
any options with this keyword, this command displays alert, authentication, cipher,
and termination statistics.
alert (Optional) Displays SSL alert statistics.
authentication (Optional) Displays the SSL authentication statistics.
cipher (Optional) Displays the SSL cipher statistics.
termination (Optional) Displays the back-end SSL termination statistics.
server Displays the front-end SSL server statistics for the current context. If you do not enter
any options with this keyword, this command displays alert, authentication, cipher,
header insertion, redirect, and termination statistics.
insert (Optional) Displays the header insertion statistics.
redirect (Optional) Displays the redirect statistics.
http (Optional) Displays global HTTP statistics associated with the current context.
inspect [ftp |
http | rtsp]
(Optional) Displays global FTP, HTTP, or RTSP inspect statistics associated with the
current context. If you do not include any options with the inspect keyword, the ACE
displays the global HTTP statistics.
kalap (Optional) Displays global server load-balancing (GSLB) statistics associated with
the current context.
all (Optional) In the admin context, displays the total number of KAL-AP statistics for
all contexts. These statistics are followed by the statistics for the admin context and
then all other contexts.
loadbalance (Optional) Displays global load-balancing statistics associated with the current
context.
radius (Optional) Displays Remote Authentication Dial-In User Service (RADIUS)
load-balancing statistics associated with the current context.
rdp (Optional) Displays Reliable Datagram Protocol (RDP) load-balancing statistics
associated with the current context.
rtsp (Optional) Displays Real-Time Streaming Protocol (RTSP) load-balancing statistics
associated with the current context.
sip (Optional) Displays Session Initiation Protocol (SIP) load-balancing statistics
associated with the current context.
optimization
http
(Optional, ACE appliance only) Displays HTTP optimization global statistics
associated with the current context.
Command Modes Exec
Command History
Usage Guidelines This command requires the loadbalance, inspect, NAT, connection, or SSL feature in your user role. For
details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE
Application Control Engine.
To display the statistics for a specific probe type (for example, scripted), include the type probe_type
keyword and argument.
Examples To display all of the statistics about the ACE operation, enter:
host1/Admin# show stats
To see a list of probe types, enter:
host1/Admin# show stats probe type ?
probe [type
probe_type]
(Optional) Displays global probe statistics associated with the current context.
sticky (Optional) Displays global sticky statistics associated with the current context.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command
output. For a complete description of the options available for filtering the command
output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects
the command output to a file. For a complete description of the options available for
redirecting the command output, see the show command.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised to add the crypto, radius, and rtp
keywords.
A2(1.1) This command was revised to add the rtsp and sip keywords.
A2(2.0) This command was revised to add the all keyword.
This command was revised to add counters for SSL redirect and
header insertion.
A4(1.0) This command was revised to add the alert, authentication, cipher,
insert, redirect, and termination options.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
A3(2.1) The alert, authentication, cipher, and termination options were
added.
Related Commands clear stats
show sticky cookie-insert group
To display the inserted cookie information for the specified sticky group, use the show sticky
cookie-insert group command.
show sticky cookie-insert group sticky_group_name
Syntax Description
Command Modes Exec
Admin and user contexts
Command History
Usage Guidelines This command requires the sticky feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command displays information that correlates the inserted cookie, the sticky entry, and the final
destination for the cookie insert configuration. For information about the fields in the show sticky
cookie-insert command output, see the Server Load-Balancing Guide, Cisco ACE Application Control
Engine.
Examples To display the inserted cookie information for the sticky group, enter:
host1/Admin# show sticky cookie-insert group STICKY-TEST
Related Commands (config-sticky-cookie) cookie insert
sticky_group_name The name of the configured sticky group
| (Optional) Pipe character (|) for enabling an output modifier that
filters the command output. For a complete description of the options
available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier
that redirects the command output to a file. For a complete description
of the options available for redirecting the command output, see the
show command.
ACE Module Release Modification
A2(1.4) and A2(2.1) This command was introduced.
ACE Appliance Release Modification
A3(2.2) This command was introduced.
show sticky database
To display the sticky statistics, use the show sticky database command.
show sticky database [static] [active-conn-count min value1 max value2 | client ip_address1 |
group name1 | http-content value3 | http-cookie value24 | http-header value5 | ip-netmask
{both {source ip_address2 destination ip_address3} | destination ip_address4 | source
ip_address5} | layer4-payload value6 | rserver name2 [port] serverfarm name3 | rtsp-header
value7 | sip-header value8 | time-to-expire min value9 max value10 | type {http-content |
http-cookie | http-header | ip-netmask {both | destination | source} | layer4-payload | radius
{calling-id | framed-ip | username} | rtsp-header | sip-header} [count | detail]]
Syntax Description static (Optional) Displays static sticky database entries. If you do not use an
optional keyword to specify the type of static sticky database entry to
display, all entries are displayed.
active-conn-count min
value1 max value2
(Optional) Displays sticky database entries within the specified
connection count range.
client ip_address (Optional) Displays sticky database entries for the source IPv6 or IPv4
address of a client that you specify.
group name1 (Optional) Displays sticky database entries for the sticky group name
that you specify.
http-content value3 (Optional) Displays sticky database entries for the HTTP content
value that you specify.
http-cookie value4 (Optional) Displays sticky database entries for the HTTP cookie value
that you specify.
http-header value5 (Optional) Displays sticky database entries for the HTTP header value
that you specify.
ip-netmask {both {source
ip_address2 destination
ip_address3} | destination
ip_address4 | source
ip_address5}
(Optional) Displays sticky database entries for both the source and
destination addresses, the destination address only, or the source
address only.
layer4-payload value6 (Optional) Displays sticky database entries for the Layer 4 payload
value that you specify.
rserver name2 (Optional) Displays sticky database entries for the real-server name
that you specify.
port (Optional) Real server port number.
serverfarm name3 Specifies a server farm associated with the real server.
rtsp-header value7 (Optional) Displays sticky database entries for the RTSP header value
that you specify.
sip-header value8 (Optional) Displays sticky database entries for the SIP header value
that you specify.
time-to-expire min value9
max value10
(Optional) Displays the sticky database entries within the specified
time to expire range.
type (Optional) Displays sticky database entries for one of the following
sticky group types:
http-content Specifies HTTP content sticky database entries.
Command Modes Exec
Admin and user contexts
Command History
http-cookie Specifies HTTP cookie sticky database entries.
http-header Specifies HTTP header sticky database entries.
ip-netmask Specifies IP netmask sticky database entries.
both Specifies both source and destination IP netmasks.
destination Specifies the destination IP netmask.
source Specifies the source IP netmask.
radius Specifies RADIUS attribute sticky database entries.
calling-id Specifies RADIUS calling-ID attribute sticky database entries.
framed-ip Specifies RADIUS framed-IP attribute sticky database entries.
username Specifies RADIUS username attribute sticky database entries.
rtsp-header Specifies RTSP header sticky database entries.
sip-header Specifies SIP header sticky database entries.
count (Optional) Displays the count for the sticky database entries.
detail (Optional) Displays detailed statistics for the specified sticky database
component. The detail option output includes the sticky-hit-count
field to display the total number of times that a sticky entry is hit.
| (Optional) Pipe character (|) for enabling an output modifier that
filters the command output. For a complete description of the options
available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier
that redirects the command output to a file. For a complete description
of the options available for redirecting the command output, see the
show command.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
A2(1.3) The show sticky database static http-cookie value2 command no
longer displays the hash key.
A4(1.1) Added the active-conn-count, ip-netmask, time-to-expire, count,
and detail options.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
A4(1.1) Added the active-conn-count, ip-netmask, time-to-expire, count,
and detail options.
Usage Guidelines This command requires the sticky feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show sticky command output, see the Server Load-Balancing
Guide, Cisco ACE Application Control Engine.
Examples To display sticky statistics for the client with a source IP address of 192.168.12.15, enter:
host1/Admin# show sticky database client 192.168.12.15
Related Commands (config-sfarm-host-rs) cookie-string
ACE Appliance Release Modification
A3(2.2) When you enable cookie insertion through the cookie insert
command in sticky-cookie configuration mode, the show sticky
database static http-cookie command no longer displays the hash
key.
A3(2.6) This command displays the source and destination addresses in
dotted-decimal notation instead of the hexadecimal equivalent.
show sticky hash
To correlate a known cookie or URL value with its corresponding sticky database entry (hash), use the
show sticky hash command. This command allows you to generate the hash value from a known cookie
or URL value using the same algorithm that is used by the URL and cookie hashing function.
show sticky hash text
Syntax Description
Command Modes Exec
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To generate the hash value for the cookie value 1.1.1.10, enter the following command:
host1/Admin# show sticky hash 1.1.1.10
Hash: 0x8a0937592c500bfb - 9946542108159511547
Now you can display the sticky database for a particular sticky group and match the generated hash with
the sticky entry (hash) in the sticky database.
For example, to display the sticky database for the group STICKY_GROUP1, enter the following
command:
host1/Admin# show sticky database group STICKY_GROUP1
sticky group : STICKY_GROUP1
type : HTTP-COOKIE
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
--------------------+----------------+----------------+-------+
9946542108159511547 SERVER1:80 86390 -
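The correlation the two commands above perform by hand, as an added Python example that is not part of the Cisco reference: it parses a Hash line and a show sticky database group listing (both constructed here from the sample output shown, plus one made-up second row) and looks up the entry the hash points to.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the "show sticky hash 1.1.1.10" output above.
HASH_OUTPUT = "Hash: 0x8a0937592c500bfb - 9946542108159511547\n"

# Constructed sample modelled on the "show sticky database group" output above,
# with one extra made-up row so the lookup has something to reject.
DB_OUTPUT = """\
sticky group : STICKY_GROUP1
type : HTTP-COOKIE
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
--------------------+----------------+----------------+-------+
9946542108159511547 SERVER1:80 86390 -
1234567890123456789 SERVER2:80 120 -
"""


@dataclass
class StickyEntry:
    sticky_entry: int       # the hash shown in the sticky-entry column
    rserver_instance: str   # real server and port the client is stuck to
    time_to_expire: int     # seconds left before the entry ages out
    flags: str


_HASH_RE = re.compile(r"Hash:\s*(0x[0-9a-fA-F]+)\s*-\s*(\d+)")
_KV_RE = re.compile(r"([\w-]+)\s*:\s*(\S+)")


def parse_hash(text: str) -> int:
    """Parse the Hash line and return the value as an integer.

    The ACE prints the same value twice (hex, then decimal); the two are
    checked against each other so a mis-copied line fails here instead of
    silently producing no match later.
    """
    m = _HASH_RE.search(text)
    if m is None:
        raise ValueError("no 'Hash:' line in output")
    hex_value, dec_value = int(m.group(1), 16), int(m.group(2))
    if hex_value != dec_value:
        raise ValueError(f"hex {m.group(1)} and decimal {m.group(2)} disagree")
    return dec_value


def parse_sticky_db(text: str) -> Tuple[Dict[str, str], List[StickyEntry]]:
    """Split show sticky database group output into its header and rows."""
    header: Dict[str, str] = {}
    entries: List[StickyEntry] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_table = True          # the dashed rule ends the header block
            continue
        if not in_table:
            header.update(_KV_RE.findall(line))   # "key : value" pairs
            continue
        cols = line.split()
        if len(cols) < 4:
            continue                 # blank or trailing line
        entries.append(StickyEntry(int(cols[0]), cols[1], int(cols[2]), cols[3]))
    return header, entries


def find_entry(hash_value: int, entries: List[StickyEntry]) -> Optional[StickyEntry]:
    """Return the sticky entry whose hash matches, or None."""
    for e in entries:
        if e.sticky_entry == hash_value:
            return e
    return None


def correlate(hash_output: str, db_output: str) -> Optional[str]:
    """Answer 'which real server is this cookie stuck to?' or None if unknown."""
    header, entries = parse_sticky_db(db_output)
    entry = find_entry(parse_hash(hash_output), entries)
    if entry is None:
        return None
    return f"{header.get('group')} -> {entry.rserver_instance}"


if __name__ == "__main__":
    print(correlate(HASH_OUTPUT, DB_OUTPUT))   # STICKY_GROUP1 -> SERVER1:80
```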
Related Commands show sticky database
text Cookie or URL text for which you want to calculate the hash value. Enter the cookie
or URL value as an unquoted text string with no spaces and with a maximum of 1024
alphanumeric characters. If you want to include spaces in the text string, enclose the
text string in quotation marks (“ ”).
ACE Module/Appliance
Release Modification
A4(1.0) This command was introduced.
show conn sticky
To display all the connections that are linked to a sticky entry, use the show conn sticky internal_id
command. This command is useful in identifying why a sticky entry does not time out.
show conn sticky internal_id
Syntax Description
Command Modes Exec
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples The following example shows how to use the two above-mentioned commands to display all the
connections associated with a particular sticky entry.
To obtain the internal IDs of sticky database entries, enter the following command:
switch/Admin# show sticky database static detail | i internal
internal entry-id: 0x200006
internal entry-id: 0x200007
After you have obtained an internal sticky id, use the show conn sticky command to display all the
connections linked to that sticky entry as follows:
switch/Admin# show conn sticky 0x200006
conn-id np dir proto vlan source destination state
-------+--+---+-----+----+-------------------+----------------+------+
242 1 in TCP 20 192.168.20.45:44425 192.168.20.15:80 ESTAB
243 1 out TCP 40 192.168.40.28:80 192.168.20.45:44425 ESTAB
switch/Admin# show conn sticky 0x200007
conn-id np dir proto vlan source destination state
-------+--+---+-----+----+-----------------+-----------------+------+
switch/Admin#
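The same two-step procedure scripted as an added Python example, not Cisco's code: it pulls the internal entry IDs out of the `| i internal` listing, parses each show conn sticky table (sample output constructed from the listings above), and reports which sticky entries still hold established connections and therefore cannot time out.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on "show sticky database static detail | i internal".
DETAIL_OUTPUT = """\
internal entry-id: 0x200006
internal entry-id: 0x200007
"""

# Constructed samples modelled on the two "show conn sticky" listings above,
# keyed by the internal ID that was passed to the command.
CONN_OUTPUTS = {
    "0x200006": """\
conn-id np dir proto vlan source destination state
-------+--+---+-----+----+-------------------+----------------+------+
242 1 in TCP 20 192.168.20.45:44425 192.168.20.15:80 ESTAB
243 1 out TCP 40 192.168.40.28:80 192.168.20.45:44425 ESTAB
""",
    "0x200007": """\
conn-id np dir proto vlan source destination state
-------+--+---+-----+----+-----------------+-----------------+------+
""",
}


@dataclass
class Conn:
    conn_id: int
    np: int            # network processor that owns the connection
    direction: str     # "in" (client side) or "out" (server side)
    proto: str
    vlan: int
    source: str        # ip:port
    destination: str   # ip:port
    state: str


_ENTRY_RE = re.compile(r"internal entry-id:\s*(0x[0-9a-fA-F]+)")
_ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(in|out)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_internal_ids(text: str) -> List[str]:
    """Collect the internal sticky-entry IDs from the '| i internal' output."""
    return _ENTRY_RE.findall(text)


def parse_conn_sticky(text: str) -> List[Conn]:
    """Parse a show conn sticky table; header, rule and prompt lines are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m is None:
            continue   # column header, dashed rule, prompt, or blank line
        cid, np, direction, proto, vlan, src, dst, state = m.groups()
        conns.append(Conn(int(cid), int(np), direction, proto, int(vlan), src, dst, state))
    return conns


def entries_holding_connections(detail_output: str,
                                conn_outputs: Dict[str, str]) -> Dict[str, List[Conn]]:
    """Map each internal ID to the connections still linked to it.

    An ID that maps to a non-empty list is an entry that cannot age out
    while those connections stay up, which is what the text above uses
    show conn sticky to diagnose.
    """
    report: Dict[str, List[Conn]] = {}
    for entry_id in parse_internal_ids(detail_output):
        report[entry_id] = parse_conn_sticky(conn_outputs.get(entry_id, ""))
    return report


def stuck_entries(detail_output: str, conn_outputs: Dict[str, str]) -> List[str]:
    """Internal IDs that still have at least one established connection."""
    report = entries_holding_connections(detail_output, conn_outputs)
    return [eid for eid, conns in report.items()
            if any(c.state == "ESTAB" for c in conns)]


if __name__ == "__main__":
    print(stuck_entries(DETAIL_OUTPUT, CONN_OUTPUTS))   # ['0x200006']
```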
Related Commands show sticky database
internal_id internal identifier of a sticky entry in the sticky database.
ACE Module/Appliance
Release Modification
A4(1.0) This command was introduced.
show syn-cookie
To display SYN cookie statistics, use the show syn-cookie command. To display SYN cookie statistics
for all VLANs that are configured in the current context, enter the command with no arguments.
show syn-cookie [vlan number]
Syntax Description
Command Modes Exec
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To display SYN cookie statistics for VLAN 100, enter:
host1/C1# show syn-cookie vlan 100
Related Commands clear syn-cookie
vlan number Instructs the ACE to display SYN cookie statistics for the specified interface. Enter
an integer from 2 to 2024.
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
show system
To display the ACE system information, use the show system command.
show system {cpuhog} | {error-id {hex_id | list} | internal {aaa {event-history {errors | msgs}
| mem-stats} | dmesg | log {boot {kickstart | system} | install [details]} | mts {buffers [age
seconds | details | node name | order | sap number | sap_all | summary] | memory | opcode}
| radius event-history {errors | msgs} | sysmgr {event-history {errors | msgs} | service {all
[detail] | local [detail] | name service_name [dependencies | policies | seqnotbl] | not-running
[details] | pid id [config | dependencies | log] | running [details] | uuid hex_id [config |
dependencies]} | startup-config {locks | state} | state | time} | tacacs+ event-history {errors
| msgs} | urifs | vshd {config-intro | feature-list | license-info | log {running-config |
tree-table} | subtype-table | tree-table}} | kcache | kmem | kmemtrack | resources | skbtrack
| uptime | watchdog [lcp | memory | scp]} [|] [>]
Syntax Description cpuhog Displays the largest amount of time that a driver was executing in the
kernel. This keyword is intended for use by trained Cisco personnel for
troubleshooting purposes only.
error-id Displays description about errors. This keyword is available in all user
contexts.
hex_id Error ID in hexadecimal format. The range is from 0x0 to 0xffffffff.
list Specifies all error IDs.
internal Displays Cisco internal system-related functions. The internal keywords
and related keywords, options, and arguments are intended for use by
trained Cisco personnel for troubleshooting purposes only. This option is
available in the Admin context only.
kcache Displays Linux kernel cache statistics.
kmem Displays Linux kernel memory statistics.
kmemtrack Displays how the kernel memory is being currently used. This keyword
is intended for use by trained Cisco personnel for troubleshooting
purposes only.
resources Displays system-related CPU and memory statistics.
skbtrack Displays the allocation and deallocation of network buffers in the drivers.
This keyword is intended for use by trained Cisco personnel for
troubleshooting purposes only.
uptime Displays how long the ACE has been up and running. This keyword is
available in all user contexts.
Command Modes Exec
Admin context
User contexts (error-id and uptime keywords only)
Command History
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show system command output, see the Administration Guide,
Cisco ACE Application Control Engine.
Examples To display system resource information, enter:
host1/Admin# show system resources
watchdog [lcp | memory |
scp]
Displays whether the watchdog is enabled or disabled, and its timeout.
When you enter this keyword without an option, all watchdogs are
displayed. To display a specific watchdog, enter one of the following
options:
• lcp—(ACE module only) Displays the LCP process watchdog
• memory—Displays whether the low memory watchdog is enabled or
disabled, and its timeout.
• scp—(ACE module only) Displays the watchdog for SCP keepalive
messages from the hardware timer interrupt level
The system watchdog command allows you to configure the Memory
watchdog timeout.
(ACE module only) The LCP and SCP timeouts are not configurable.
| (Optional) Pipe character (|) for enabling an output modifier that filters
the command output. For a complete description of the options available
for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that
redirects the command output to a file. For a complete description of the
options available for redirecting the command output, see the show
command.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) The watchdog keyword was added.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) The dmesg and watchdog memory keywords were added.
Related Commands system watchdog
show tacacs-server
To display the configured Terminal Access Controller Access Control System Plus (TACACS+) server and
server group parameters, use the show tacacs-server command.
show tacacs-server [groups | sorted] [|] [>]
Syntax Description
Command Modes Exec
Admin and user contexts
Command History
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show tacacs-server command output, see the Security Guide,
Cisco ACE Application Control Engine.
Examples To display the configured TACACS+ server parameters, enter:
host1/Admin# show tacacs-server
To display the configured TACACS+ server groups, enter:
host1/Admin# show tacacs-server groups
To display the sorted TACACS+ servers, enter:
host1/Admin# show tacacs-server sorted
groups (Optional) Displays configured TACACS+ server group information.
sorted (Optional) Displays TACACS+ server information sorted by name.
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for filtering the
command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects
the command output to a file. For a complete description of the options available for
redirecting the command output, see the show command.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Related Commands (config) aaa group server
(config) tacacs-server deadtime
(config) tacacs-server host
(config) tacacs-server key
(config) radius-server timeout
show tcp statistics
To display the Transmission Control Protocol (TCP) statistics, use the show tcp statistics command.
show tcp statistics [|] [>]
Syntax Description
Command Modes Exec
Admin and user contexts
Command History
Usage Guidelines This command requires the connection feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show tcp statistics command output, see the Security Guide,
Cisco ACE Application Control Engine.
Examples To display TCP statistics, enter:
host1/Admin# show tcp statistics
Related Commands clear tcp statistics
| (Optional) Pipe character (|) for enabling an output modifier that filters the
command output. For a complete description of the options available for
filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that
redirects the command output to a file. For a complete description of the
options available for redirecting the command output, see the show
command.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
show tech-support
To display information that is useful to technical support when reporting a problem with your ACE, use
the show tech-support command.
show tech-support [details] [|] [>]
Syntax Description
Command Modes Exec
Admin and user contexts
Command History
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The show tech-support command is useful when collecting a large amount of information about your
ACE for troubleshooting purposes with Cisco technical support. The output of this command can be
provided to technical support representatives when reporting a problem.
details (Optional) Provides detailed information for each of the show commands described
below in the “Usage Guidelines” section.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command
output. For a complete description of the options available for filtering the command
output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects
the command output to a file. For a complete description of the options available for
redirecting the command output, see the show command.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.2) This command no longer displays the following:
• All show acl-merge acls vlan command output
• All show acl-merge merge-list vlan number out command
output
It also now displays a maximum of four VLANs.
A3(2.6) This command no longer executes the following commands:
• show optimization-debug
• show np 1 me-stats “-W number”
The show tech-support command displays the output of several show commands at once. The output
from this command varies depending on your configuration. The default output of the show
tech-support command includes the output of the following commands:
• show hardware—See the show hardware command.
• show interface—See the show interface command.
• show process—See the show processes command.
• show running-config—See the show running-config command.
• show system internal dmesg—See the show system command.
• show version—See the show version command.
Explicitly set the terminal length command to 0 (zero) to disable autoscrolling and enable manual
scrolling. Use the show terminal command to view the configured terminal size. After obtaining the
output of this command, reset your terminal length as required.
You can save the output of this command to a file by appending > filename to the show tech-support
command. If you save this file, verify that you have sufficient space to do so as each of these files may
take about 1.8 MB.
For information about the fields in the show tech-support command output, see the Administration
Guide, Cisco ACE Application Control Engine.
Examples To display the summary version of the technical support report, enter:
host1/Admin# show tech-support
Related Commands show fifo
show hardware
show interface
show processes
show running-config
show terminal
show version
show telnet
To display the information about the Telnet session, use the show telnet command.
show telnet [maxsessions] [context_name] [|] [>]
Syntax Description maxsessions (Optional) Displays the maximum number of enabled Telnet sessions.
context_name (Optional) Name of an existing context. Use the context_name argument to display Telnet information that pertains only to the specified context. The context_name argument is case sensitive.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If you do not include the optional maxsessions keyword, the ACE displays the following Telnet information:
• Session ID—Unique session identifier for the Telnet session
• Remote host—IP address and port of the remote Telnet client
• Active time—Time since the Telnet connection request was received by the ACE
For information about the fields in the show telnet command output, see the Security Guide, Cisco ACE Application Control Engine.
Examples To display the current Telnet information, enter:
host1/Admin# show telnet
Related Commands clear telnet
telnet
(config) class-map
show terminal
To display the console terminal settings, use the show terminal command.
show terminal [internal info] [|] [>]
Syntax Description internal info (Optional) Displays terminal internal information.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show terminal command output, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To display the console terminal settings, enter:
host1/Admin# show terminal
Related Commands terminal
show udp statistics
To display the User Datagram Protocol (UDP) statistics, use the show udp statistics command.
show udp statistics [|] [>]
Syntax Description | (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show udp statistics command output, see the Security Guide, Cisco ACE Application Control Engine.
Examples To display UDP statistics, enter:
host1/Admin# show udp statistics
Related Commands clear udp statistics
show user-account
To display user account information, use the show user-account command.
show user-account [user_name] [|] [>]
Syntax Description user_name (Optional) Name of user.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To display the user account information for all users, do not specify a user with the optional user_name argument.
For information about the fields in the show user-account command output, see the Administration Guide, Cisco ACE Application Control Engine.
The Account Expiry field for this command displays the date, if any, when the user account expires. This date is based on Coordinated Universal Time (UTC/GMT), which the ACE keeps internally. If you use the clock timezone command to configure a UTC offset, this field displays the UTC date and does not reflect the date with the offset as displayed by the show clock command.
Examples To display the account information for all users, enter:
host1/Admin# show user-account
Related Commands show users
(config) username
show users
To display the information for users that are currently logged in to the ACE, use the show users command.
show users [user_name] [|] [>]
Syntax Description user_name (Optional) Name of user.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To display the information for all users that are currently logged in to the ACE, do not specify a user with the optional user_name argument.
For information about the fields in the show users command output, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To display information for all users that are currently logged in to the ACE, enter:
host1/Admin# show users
Related Commands clear user
show user-account
(config) username
show version
To display the version information of system software that is loaded in flash memory and currently running on the ACE, use the show version command.
show version [|] [>]
Syntax Description | (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The show version command also displays information related to the following ACE hardware components:
• (ACE module only) Slot number—Slot number that the ACE occupies on the Catalyst 6500 series chassis.
• CPU—Number of CPUs and type and model
• Memory—Total and shared volatile memory
• Flash memory—Total and used flash memory
Use the show version command to verify the software version on the ACE before and after an upgrade.
For information about the fields in the show version command output, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To display the software version information, enter:
host1/Admin# show version
Related Commands show tech-support
show vlans
To display the VLANs on the ACE, use the show vlans command. For the ACE module, the VLANs are downloaded from the supervisor engine in the Catalyst 6500 series switch.
show vlans [|] [>]
Syntax Description | (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show vlans command output, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
Examples To display the VLANs on the ACE, enter:
host1/Admin# show vlans
Related Commands This command has no related commands.
show vm-controller
To display the VM controller connection statistics, use the show vm-controller command.
show vm-controller [name] [detail] [|] [>]
Syntax Description name (Optional) Configured identifier of the VM controller. Enter the name of an existing VM controller as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
detail (Optional) Displays additional fields for the vendor and the URL location of the VM controller.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module/Appliance Release Modification
A4(2.0) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To display detailed VM controller statistics, enter:
host1/Admin# show vm-controller VCENTER1 detail
Related Commands (config) vm-controller
show vnet
To display information about the virtual network (VNET) device, use the show vnet command.
show vnet {event-history | stats} [|] [>]
Syntax Description event-history Displays a historic log of the most recent debug VNET messages.
stats Displays detailed counters for various VNET events.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To display VNET device statistics for the control plane, enter:
host1/Admin# show vnet stats
Related Commands clear vnet stats
show xlate
To display information about the IP and port translation (XLATE), use the show xlate command.
show xlate [global {ip_address1 [ip_address2 [/prefix-length | netmask mask1]]}] [local {ip_address3 [ip_address4 [/prefix-length2 | netmask mask2]]}] [gport port1 [port2]] [lport port1 [port2]] [|] [>]
Syntax Description global ip_address1 ip_address2 (Optional) Displays information for a global IPv6 or IPv4 address or a range of global IPv6 or IPv4 addresses to which the ACE translates source addresses for static and dynamic NAT. To specify a range of IP addresses, enter a second IP address.
/prefix-length IPv6 prefix length that specifies the number of bits used for the network identifier.
netmask mask (Optional) Specifies an IPv4 subnet mask for the specified IP addresses.
local ip_address3 ip_address4 (Optional) Displays information for a local IP address or a range of local IP addresses. To specify a range of local IP addresses, enter a second IP address.
gport port1 port2 (Optional) Displays information for a global port or a range of global ports to which the ACE translates source ports for static port redirection and dynamic PAT. Enter a port number as an integer from 0 to 65535. To specify a range of port numbers, enter a second port number.
lport port1 port2 (Optional) Displays information for a local port or a range of local ports. Enter a port number as an integer from 0 to 65535. To specify a range of port numbers, enter a second port number.
| (Optional) Pipe character (|) for enabling an output modifier that filters the command output. For a complete description of the options available for filtering the command output, see the show command.
> (Optional) Greater-than character (>) for enabling an output modifier that redirects the command output to a file. For a complete description of the options available for redirecting the command output, see the show command.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the NAT feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the fields in the show xlate command output, see the Security Guide, Cisco ACE Application Control Engine.
Examples To display XLATE information for the global addresses 172.27.16.3 through 172.27.16.10 and the global ports 100 through 200, enter:
host1/Admin# show xlate global 172.27.16.3 172.27.16.10 netmask 255.255.255.0 gport 100 200
Related Commands clear xlate
ssh
To initiate a Secure Shell (SSH) session with another device, use the ssh command.
ssh {hostname | user@hostname}
Syntax Description hostname Name or IP address of the host to access. If no username is specified, the default is “admin.” Enter up to 64 alphanumeric characters.
user Username on a host.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To initiate an SSH session with the host 196.168.12.10, enter:
host1/Admin# ssh 196.168.12.10
To initiate an SSH session as USER1 on HOST1, enter:
host1/Admin# ssh USER1@HOST1
Related Commands clear ssh
show ssh
(config) class-map
(config) login timeout
(config) ssh key
(config) ssh maxsessions
system internal
To generate a debug snapshot of a service, use the system internal command.
system internal snapshot service {name}
Syntax Description snapshot service Specifies debug snapshots of a service.
name Name of a system service for which you want to take a snapshot. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin role in the Admin context. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only.
Examples To take a snapshot of the service name, enter:
host1/Admin# system internal snapshot service name
Related Commands This command has no related commands.
system watchdog
To enable all system watchdogs or a specific system watchdog, use the system watchdog command. When you enter this command without an option, all watchdogs are enabled. By default, the watchdogs are enabled.
Use the no form of this command to disable the system watchdogs. When you disable the low memory watchdog, its timeout is reset to its default.
system watchdog [lcp | memory [timeout seconds] | scp]
system no watchdog [lcp | memory | scp]
Syntax Description lcp (Optional, ACE module only) Enables the watchdog for the LCP process. The current SCP watchdog watches this process. However, if the LCP process is not scheduled on time, this watchdog reboots the ACE.
memory (Optional) Enables the low memory watchdog, which triggers when ACE memory use reaches 99 percent.
timeout seconds (Optional) Configures the low memory watchdog timeout in seconds. Enter a number from 5 to 180. The default is 90. To change the timeout, reenter the system watchdog memory timeout seconds command. When you reenable a disabled watchdog, the timeout is reset to its default value.
scp (Optional, ACE module only) Enables the watchdog that monitors the SCP keepalive messages from the hardware timer interrupt level.
Command Modes Exec
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(2.4) The lcp, memory and scp options were added. The system watchdog command now enables all watchdogs. Previously, it enabled only the SCP watchdog timer.
ACE Appliance Release Modification
A4(1.0) This command was introduced.
Usage Guidelines This command requires the Admin role in the Admin context. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is intended for use by trained Cisco personnel for troubleshooting purposes only. When you are troubleshooting the ACE, disable the watchdog timeout to prevent the ACE from rebooting.
Examples To enable the low memory system watchdog after it has been disabled, enter:
host1/Admin# system watchdog memory
To disable the low memory system watchdog, enter:
host1/Admin# system no watchdog memory
Related Commands show system
tac-pac
To save Technical Assistance Center (TAC) information to a local or remote location, use the tac-pac command.
tac-pac [ftp://server/path[/filename] | scp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename] | disk0:[path/]filename]
Syntax Description ftp: (Optional) Specifies the File Transfer Protocol network server as the destination.
scp: (Optional) Specifies the Secure Copy network server as the destination.
sftp: (Optional) Specifies the Secure File Transfer Protocol network server as the destination.
tftp: (Optional) Specifies the Trivial File Transfer Protocol network server as the destination.
disk0: (Optional) Specifies the disk0: file system in flash memory on the ACE as the destination.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The TAC information that the ACE saves when using the tac-pac command is the same information that you can display using the show tech-support command, including the running configuration. FTP and TFTP transfer the file in cleartext; use scp: or sftp: when the file crosses a network you do not control.
If you do not specify a directory on a file system, the default is the root directory.
The file that tac-pac writes is in gzip format. We recommend that you include the .gz extension in the filename so that it can be easily unzipped on the destination file system.
Examples To save TAC information and send the output of the show tech-support command to a remote FTP server, enter:
host1/Admin# tac-pac ftp://192.168.1.2/tac-output_10-7-07.gz
Related Commands This command has no related commands.
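The destination grammar of tac-pac mixes cleartext transports (ftp:, tftp:) with encrypted ones (scp:, sftp:) for a bundle that contains the running configuration. The following script, an added example and not Cisco code, parses a tac-pac destination according to that grammar and reports what a reviewer would flag before the command is run: a cleartext transport, a username or port on a scheme whose syntax does not accept one, and a filename without the recommended .gz extension. The servers and paths in the usage section, other than the FTP example from the reference, are constructed.

```python
"""Check a tac-pac destination before running the command. Added example,
not Cisco code: it implements the destination grammar from the tac-pac
syntax line and the transport properties of FTP/TFTP (cleartext) versus
SCP/SFTP (encrypted); the servers and paths used below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

CLEARTEXT_SCHEMES = {"ftp", "tftp"}
ENCRYPTED_SCHEMES = {"scp", "sftp"}

# ftp://server/path[/filename] | scp://server/path[/filename]
# | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]
_REMOTE = re.compile(
    r"^(?P<scheme>ftp|scp|sftp|tftp)://"
    r"(?:(?P<user>[^@/:]+)@)?"      # only sftp: accepts this
    r"(?P<server>[^/:]+)"
    r"(?::(?P<port>\d{1,5}))?"      # only tftp: accepts this
    r"(?P<path>/.*)$"
)
# disk0:[path/]filename
_LOCAL = re.compile(r"^disk0:(?P<path>.+)$")


@dataclass(frozen=True)
class TacPacTarget:
    scheme: str
    server: Optional[str]
    username: Optional[str]
    port: Optional[int]
    path: str

    @property
    def transport(self) -> str:
        if self.scheme == "disk0":
            return "local"
        return "encrypted" if self.scheme in ENCRYPTED_SCHEMES else "cleartext"

    @property
    def filename(self) -> str:
        """Last path component; empty when only a directory was given."""
        return self.path.rsplit("/", 1)[-1]


def parse_target(target: str) -> TacPacTarget:
    """Parse a tac-pac destination; raise ValueError if it violates the grammar."""
    m = _REMOTE.match(target)
    if m:
        scheme = m["scheme"]
        if m["user"] and scheme != "sftp":
            raise ValueError(f"a username is only accepted with sftp:, not {scheme}:")
        if m["port"] and scheme != "tftp":
            raise ValueError(f"a port is only accepted with tftp:, not {scheme}:")
        port = int(m["port"]) if m["port"] else None
        return TacPacTarget(scheme, m["server"], m["user"], port, m["path"])
    m = _LOCAL.match(target)
    if m:
        return TacPacTarget("disk0", None, None, None, m["path"])
    raise ValueError(f"unrecognised tac-pac destination: {target!r}")


def check_target(target: str) -> List[str]:
    """Return the warnings a reviewer would raise for this destination."""
    t = parse_target(target)
    warnings: List[str] = []
    if t.transport == "cleartext":
        warnings.append(
            f"{t.scheme}: sends the bundle, including the running configuration, "
            "unencrypted; prefer scp: or sftp:"
        )
    if t.filename and not t.filename.endswith(".gz"):
        warnings.append("filename lacks the .gz extension recommended for the gzip output")
    return warnings


if __name__ == "__main__":
    for dest in (
        "ftp://192.168.1.2/tac-output_10-7-07.gz",   # example from the reference
        "sftp://tac@198.51.100.7/uploads/ace1.gz",   # constructed
        "tftp://192.0.2.5:6969/ace/dump",             # constructed
        "disk0:reports/ace1.gz",                      # constructed
    ):
        print(dest, "->", parse_target(dest).transport, check_target(dest) or "ok")
```

A destination written to disk0: raises no transport warning here, but the file then sits on the ACE flash until it is deleted; the redaction step belongs before the copy off the device either way.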
telnet
To initiate a Telnet session with another network device, use the telnet command.
telnet ip_address [port]
Syntax Description ip_address IP address of the network host. Enter an IP address in dotted-decimal notation (for example, 172.16.1.10).
port (Optional) Port number on the network host. The range is from 0 to 2147483647.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Telnet sends credentials and session data in cleartext. Use the ssh command instead when the remote device supports SSH.
Examples To open a Telnet session with another network device, enter:
host1/Admin# telnet 192.126.2.1
Related Commands clear telnet
show telnet
(config) class-map
(config) login timeout
terminal
To configure the terminal display settings, use the terminal command.
terminal {length lines | monitor | no | session-timeout minutes | terminal-type text | width characters}
Syntax Description length lines Sets the number of lines displayed on the current terminal screen. This command is specific to the console port only. Telnet and Secure Shell (SSH) sessions set the length automatically. Valid entries are from 0 to 511. The default is 24 lines. A value of 0 instructs the ACE to scroll continuously (no pausing) and overrides the terminal width command.
monitor Displays the syslog output on the terminal for the current terminal and session. To enable the various levels of syslog messages to the terminal, use the logging monitor command in configuration command mode.
no Negates a command or sets it back to its default value.
session-timeout minutes Specifies the session timeout value in minutes to configure the automatic logout time for the current terminal session on the ACE. When you exceed the time limit configured by this command, the ACE closes the session and exits. The range is 0 to 525600. The default is 5 minutes. You can set the terminal session-timeout value to 0 to disable this feature so that the terminal remains active until you choose to exit the ACE; an idle authenticated session then stays open until it is closed explicitly. The ACE does not save this change in the configuration file.
terminal-type text Specifies the name and type of the terminal used to access the ACE. If a Telnet or SSH session specifies an unknown terminal type, the ACE uses the VT100 terminal by default. Specify a text string from 1 to 80 alphanumeric characters.
width characters Sets the number of characters displayed on the current terminal screen. This command is specific to the console port only. Telnet and SSH sessions set the width automatically. Valid entries are from 24 to 512. The default is 80 columns.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Use the show terminal command to display the current terminal settings.
All terminal parameter-setting commands are set locally and do not remain in effect after you end a session. You must perform this task at the Exec prompt in each session to see the debugging messages.
Examples To specify the VT100 terminal, set the number of screen lines to 35, and set the number of characters to 250, enter:
host1/Admin# terminal terminal-type vt100
host1/Admin# terminal length 35
host1/Admin# terminal width 250
To specify a terminal timeout of 600 minutes for the current session, enter:
host1/Admin# terminal session-timeout 600
To set the width to 100 columns, enter:
host1/Admin# terminal width 100
To set the width to its default of 80 columns, enter:
host1/Admin# terminal no width
To start the current terminal monitoring session, enter:
host1/Admin# terminal monitor
To stop the current terminal monitoring session, enter:
host1/Admin# terminal no monitor
Related Commands show terminal
(config) login timeout
traceroute
To trace the route that an IP packet takes to a network host from the ACE, use the traceroute command.
traceroute [ip | ipv6] [ip_address [size packet]]
Syntax Description ip | ipv6 (Optional) Specifies the IPv4 or IPv6 protocol. If you do not specify the IP protocol, it is inferred from the address.
ip_address (Optional) IP address of the network host. Enter an IPv4 address in dotted-decimal notation (for example, 172.27.16.10) or an IPv6 address (for example, 2001:DB8:1::2).
size packet (Optional) Specifies the packet size. Enter a number from 40 to 452. The default is 40.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command traces the route that an IP packet follows to a network host by sending User Datagram Protocol (UDP) probe packets with a small time to live (TTL) and listening for the Internet Control Message Protocol (ICMP) “time exceeded” reply from each gateway that discards a probe.
Examples IPv6 Example
To trace the route to the IPv6 address 2001:DB8:1::2, enter:
host1/Admin# traceroute ipv6 2001:DB8:1::2
To terminate a traceroute session, press Ctrl-C.
IPv4 Example
To display the route that a packet takes from the ACE to a network host with the IP address 196.126.1.2, enter:
host1/Admin# traceroute 196.126.1.2
Related Commands ping
undebug all
To disable all debugging, use the undebug all command.
undebug all
Syntax Description This command has no keywords or arguments.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command is available to all user roles that allow debugging and is not available to network monitor or technician users. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE debug commands are intended for use by trained Cisco personnel only. Entering these commands may cause unexpected results. Do not attempt to use these commands without guidance from Cisco support personnel.
Examples To disable all debugging, enter:
host1/Admin# undebug all
Related Commands debug
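The traceroute entry above describes the mechanism only in one sentence: UDP probes with a small TTL, and ICMP “time exceeded” replies from the gateways that drop them. The following model, an added example and not Cisco code, walks probes of increasing TTL along a constructed path so that the exchange between the prober, each router and the destination is visible, including a router that filters ICMP errors (which shows as “*”) and a destination that is never reached. The probe port and the per-hop behaviour are assumptions about a generic traceroute, not details taken from the ACE reference; only the size range (40 to 452) comes from the reference.

```python
"""Model of the probing mechanism described under traceroute: UDP probes
sent with an increasing TTL, every router decrementing the TTL and answering
ICMP "time exceeded" when it reaches zero, and the destination answering
ICMP "port unreachable" because nothing listens on the probe port.
Added example, not Cisco code: the network path is constructed, and the
probe port and per-hop behaviour are assumptions about a generic
traceroute, not details taken from the ACE reference."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROBE_SIZE_MIN, PROBE_SIZE_MAX = 40, 452   # size packet range from the reference


@dataclass(frozen=True)
class Hop:
    address: str
    answers: bool = True   # False: filters ICMP errors, so it shows as "*"


@dataclass(frozen=True)
class Probe:
    dst: str
    ttl: int
    size: int = PROBE_SIZE_MIN
    dport: int = 33434      # conventional traceroute UDP port (assumption)


@dataclass(frozen=True)
class IcmpReply:
    sender: str
    kind: str               # "time_exceeded" or "port_unreachable"


@dataclass(frozen=True)
class TraceResult:
    hops: List[Tuple[int, str]]   # (ttl, responding address or "*")
    reached: bool


def forward(path: List[Hop], probe: Probe) -> Optional[IcmpReply]:
    """Carry one probe along the path and return the ICMP error it provokes."""
    ttl = probe.ttl
    for hop in path:
        if hop.address == probe.dst:
            # The destination delivers the UDP datagram to a closed port.
            return IcmpReply(hop.address, "port_unreachable")
        ttl -= 1
        if ttl == 0:
            # A router may not forward a packet whose TTL has expired.
            return IcmpReply(hop.address, "time_exceeded") if hop.answers else None
    return None   # left the modelled network without an answer


def traceroute(path: List[Hop], dst: str, size: int = PROBE_SIZE_MIN,
               max_hops: int = 30) -> TraceResult:
    """Probe with TTL 1, 2, ... until the destination answers or max_hops is hit."""
    if not PROBE_SIZE_MIN <= size <= PROBE_SIZE_MAX:
        raise ValueError(f"size must be {PROBE_SIZE_MIN}..{PROBE_SIZE_MAX}")
    hops: List[Tuple[int, str]] = []
    for ttl in range(1, max_hops + 1):
        reply = forward(path, Probe(dst, ttl, size))
        hops.append((ttl, reply.sender if reply else "*"))
        if reply and reply.kind == "port_unreachable":
            return TraceResult(hops, True)
    return TraceResult(hops, False)


# Constructed path: two routers, a router that filters ICMP, the destination.
PATH = [Hop("192.0.2.1"), Hop("198.51.100.1", answers=False),
        Hop("198.51.100.9"), Hop("203.0.113.7")]

if __name__ == "__main__":
    result = traceroute(PATH, "203.0.113.7")
    for ttl, who in result.hops:
        print(f"{ttl:2d}  {who}")
    print("destination reached" if result.reached else "no answer")
```

The model makes two points that matter when reading real output: a “*” line means only that no ICMP error came back for that TTL, not that the hop does not exist, and a trace that never ends in a port-unreachable reply has not reached the host, however many addresses it printed on the way.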
untar disk0:
To untar a single file with a .tar extension in the disk0: file system, use the untar command.
untar disk0:[path/]filename
Syntax Description [path/]filename Name of the .tar file on the disk0: file system. The filename must end with a .tar extension.
Command Modes Exec
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The copy licenses disk0: command creates backup .tar license files on the ACE. If a license becomes corrupted or lost, or you accidentally remove the license on the ACE, you can untar the license and reinstall it.
You must use the untar command in the Admin context to untar a backup tar license file.
Examples To untar the mylicenses.tar file on disk0:, enter:
host1/Admin# untar disk0:mylicenses.tar
Related Commands copy licenses
gunzip
write
To manage persistent and nonpersistent configuration information, use the write command.
write {erase | memory [all] | terminal}
Syntax Description
erase       Erases the entire startup configuration with the exception of any configuration that affects the loader functionality. The startup configuration then reverts to the factory-default values. The running configuration is not affected.
memory      Writes the running configuration to the startup configuration.
all         (Optional) Writes the configurations for all existing contexts. This keyword is available only in the Admin context.
terminal    Writes the running configuration to the terminal.
Command Modes Exec
Admin and user contexts
Command History
ACE Module
Release        Modification
3.0(0)A1(2)    This command was introduced.
ACE Appliance
Release        Modification
A1(7)          This command was introduced.
Usage Guidelines For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The different versions of this command require the following user role or feature in your user role:
• write erase—Admin user
• write memory—config-copy feature
• write memory all—Admin user
The write erase command does not remove license files or crypto files (certificates and keys) from the ACE. To remove license files, see the license uninstall command. To remove crypto files, see the crypto delete command.
If you use the write memory command to save the running configuration of a user context to its startup configuration, you must also enter the command in the Admin context. Saving the Admin context startup configuration is important because it contains all the configurations that are used to create each user context.
To write the running configuration to the startup configuration, you can also use the copy running-config startup-config command. To erase the startup configuration, you can also use the clear startup-config command. To display the running configuration, use the show running-config command.
Examples To write the running configuration to the startup configuration, enter:
host1/Admin# write memory
Related Commands clear startup-config
show running-config
xml-show
To enable the display of raw XML request show command output in XML format, use the xml-show command.
xml-show {off | on | status}
Syntax Description
off       Displays CLI show command output in regular CLI display format, not in XML format.
on        Displays CLI show command output in XML format, unless a specific show command is not implemented to display its output in XML format.
status    Displays the current setting of the xml-show command (on or off).
Command Modes Exec
Admin and user contexts
Command History
ACE Module
Release        Modification
3.0(0)A1(2)    This command was introduced.
ACE Appliance
Release        Modification
A1(7)          This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
By default, XML responses automatically appear in XML format if the corresponding CLI show command output supports the XML format. However, if you are running commands on the CLI console or you are sending raw XML requests from an NMS, the XML responses appear in regular CLI display format.
You can enable the display of raw XML request show command output in XML format by performing one of the following actions:
• Specifying the xml-show on command in Exec mode from the CLI, or
• Including the xml-show on command in the raw XML request itself (CLI commands included in an XML wrapper).
Specification of the xml-show on command is not required if you are running true XML.
For details on the show command output supported in XML format, consult the ACE schema file, schema.xsd for the ACE module or for the ACE appliance, that is included as part of the software image (see the Administration Guide, Cisco ACE Application Control Engine). The ACE schema file contains the information on the XML attributes for those show output commands that support XML format.
The off and on keywords affect only the current CLI session in use; they are session-based functions.
Examples To enable the display of raw XML request show command output in XML format from the CLI, enter:
host1/Admin# xml-show on
Related Commands This command has no related commands.

Chapter 2 CLI Commands
Configuration Mode Commands
Configuration mode commands allow you to configure global ACE parameters that affect the following contexts:
• All contexts, when configured in the Admin context
• A single user context, when configured in that context
Configuration mode also allows you to access all the ACE subordinate configuration modes. These modes provide parameters to configure the major features of the ACE, including access control lists (ACLs), application protocol inspection, fragmentation and reassembly, interfaces, Network Address Translation (NAT), persistence (stickiness), protocols, redundancy, routing, scripts, Secure Sockets Layer (SSL), server load balancing (SLB), TCP/IP normalization, users, and virtualization.
To access configuration mode, use the config command. The CLI prompt changes to (config).
See the individual command descriptions of all the configuration mode commands on the following pages.
Command Modes Exec mode
Admin and user contexts
Command History
ACE Module
Release        Modification
3.0(0)A1(2)    This command was introduced.
ACE Appliance
Release        Modification
A1(7)          This command was introduced.
Usage Guidelines This command requires one or more features assigned to your user role that allow configuration, such as AAA, interface, or fault-tolerant. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To access configuration mode, enter:
host1/Admin# config
host1/Admin(config)#
Related Commands show running-config
show startup-config
(config) aaa accounting default
To configure the default accounting method, use the aaa accounting default command. You specify either a previously created AAA server group, which identifies a group of Terminal Access Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) servers, or the local database on the ACE. Use the no form of this command to remove the accounting method.
aaa accounting default {group group_name} {local} {none}
no aaa accounting default {group group_name} {local} {none}
Syntax Description
group group_name    Associates the accounting method with a TACACS+ or RADIUS server group defined previously through the aaa group server command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
local               Specifies to use the local database on the ACE as the accounting method.
none                Specifies that the ACE performs no accounting for user sessions. Note: Only users with an Admin role can configure the none keyword.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module
Release        Modification
3.0(0)A1(2)    This command was introduced.
ACE Appliance
Release        Modification
A1(7)          This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To perform user accounting using remote TACACS+ servers, with the local database as the fallback method, enter:
host1/Admin(config)# aaa accounting default group TacServer local
Related Commands show aaa
show accounting log
(config) aaa authentication login
(config) aaa group server
(config) aaa authentication login
To configure the authentication method used for login to the ACE CLI, use the aaa authentication login command. Use the no form of this command to disable the authentication method.
aaa authentication login {{console | default} {{group group_name} {local} {none}}} | error-enable
no aaa authentication login {{console | default} {{group group_name} {local} {none}}} | error-enable
Syntax Description
console             Specifies the console port login authentication method, identified by the specified server group.
default             Specifies the default login authentication method (by console or by Telnet or Secure Shell [SSH] session) that is identified by the specified server group.
group group_name    Associates the login authentication process with a Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) server group defined through the aaa group server command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
local               Specifies to use the local database on the ACE as the login authentication method. If the remote servers do not respond, the local database is used as the fallback authentication method.
none                Specifies that the ACE does not perform password verification. If you configure this option, users can log in to the ACE without providing a valid password. Note: Only users with an Admin role can configure the none keyword.
error-enable        Enables the display of the login error message when the remote AAA servers fail to respond.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module
Release        Modification
3.0(0)A1(2)    This command was introduced.
ACE Appliance
Release        Modification
A1(7)          This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Use the none keyword cautiously. If you specify none, any user is able to access the ACE at any time, because no password is verified.
To view the current display status of the login error message, use the show aaa authentication login error-enable command.
When a user attempts to log in and the remote AAA servers do not respond to the authentication request, the ACE processes the login sequence by switching to the local user database.
Examples To enable console authentication using the TACSERVER server group, with the local database as the fallback method, enter:
host1/Admin(config)# aaa authentication login console group TACSERVER local
Password verification remains enabled for login authentication.
To turn off password verification, enter:
host1/Admin(config)# aaa authentication login console group TACSERVER local none
Related Commands show aaa
(config) aaa accounting default
(config) aaa group server
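The login sequence that the aaa authentication login and aaa accounting default entries describe (servers in a group searched in configured order, fall-through to the local database when the remote servers do not respond, and a trailing none that skips password verification) is modelled below. This is an added example written for this page, not Cisco code and not behaviour verified on an ACE: the simulated servers, the sample running-config lines, and the verdict names are constructed here; the rule that a user unknown to the local database falls through to the next method, and that an explicit reject from a server that did answer is final, are assumptions about ACE behaviour rather than statements from the reference. The same block audits a configuration for the none keyword in either method list and flags a login list that has a remote group but no local fallback (the lockout caveat is the editor's, not the reference's).

```python
"""ACE AAA login method-list model and `none` audit (added example, not Cisco code).
From the reference: servers in a group are searched in configured order, `local` is the
fallback when remote servers do not respond, `none` skips password verification. Assumed
here: an unknown local user falls through; a reject from a server that answered is final."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"
ServerFn = Callable[[str, str], str]  # (user, password) -> one of the verdicts above


@dataclass
class AaaConfig:
    groups: Dict[str, List[ServerFn]] = field(default_factory=dict)  # aaa group server <name>
    local_users: Dict[str, str] = field(default_factory=dict)       # constructed local database


def remote_server(db: Dict[str, str], up: bool = True) -> ServerFn:
    """Constructed TACACS+/RADIUS stand-in: silent when down, otherwise checks db."""
    def server(user: str, password: str) -> str:
        if not up:
            return NO_RESPONSE
        return ACCEPT if db.get(user) == password else REJECT
    return server


def try_group(servers: List[ServerFn], user: str, password: str) -> str:
    """Search the group in configured order; the first server that answers decides."""
    for server in servers:
        verdict = server(user, password)
        if verdict != NO_RESPONSE:
            return verdict
    return NO_RESPONSE


def authenticate(cfg: AaaConfig, methods: List[str], user: str, password: str) -> str:
    """Evaluate a method list such as ["group TACSERVER", "local", "none"]."""
    for method in methods:
        if method.startswith("group "):
            verdict = try_group(cfg.groups.get(method[6:], []), user, password)
            if verdict != NO_RESPONSE:
                return verdict            # a server answered; its accept/reject is final
        elif method == "local" and user in cfg.local_users:   # unknown user: fall through
            return ACCEPT if cfg.local_users[user] == password else REJECT
        elif method == "none":
            return ACCEPT                 # no password verification at all
    return REJECT                         # list exhausted with no decision


AAA_RE = re.compile(r"^\s*aaa\s+(authentication login|accounting default)\s+(.*?)\s*$")


def parse_method_list(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (command, scope, methods) for an aaa login/accounting line, else None."""
    m = AAA_RE.match(line)
    if not m:
        return None
    kind, toks = m.group(1), m.group(2).split()
    scope = "default"
    if kind == "authentication login":
        if not toks or toks[0] == "error-enable":   # not a method list
            return None
        scope, toks = toks[0], toks[1:]             # console | default
    methods: List[str] = []
    while toks:
        tok = toks.pop(0)
        methods.append(f"group {toks.pop(0)}" if tok == "group" and toks else tok)
    return kind, scope, methods


def audit_aaa_lines(running_config: str) -> List[str]:
    """Flag `none` in any method list, and login lists with a remote group but no local fallback."""
    findings = []
    for line in running_config.splitlines():
        parsed = parse_method_list(line)
        if parsed is None:
            continue
        kind, scope, methods = parsed
        if "none" in methods:
            effect = "login without a valid password" if kind.startswith("auth") else "no accounting"
            findings.append(f"{kind} {scope}: 'none' in method list -> {effect}")
        if kind.startswith("auth") and all(m.startswith("group ") for m in methods):
            findings.append(f"{kind} {scope}: no 'local' fallback -> lockout if AAA servers stop responding")
    return findings


# Constructed running-config excerpt (not from the reference).
SAMPLE_RUNNING_CONFIG = """\
aaa authentication login console group TACSERVER local none
aaa authentication login default group TACSERVER
aaa authentication login error-enable
aaa accounting default none
"""


def demo() -> Dict[str, str]:
    """Verdicts against a group with a silent and a live server, and an all-silent group."""
    live, silent = remote_server({"alice": "s3cret"}), remote_server({}, up=False)
    cfg = AaaConfig(groups={"TACSERVER": [silent, live], "DEAD": [silent]},
                    local_users={"admin": "local-pw"})
    return {
        "tacacs_accepts": authenticate(cfg, ["group TACSERVER", "local"], "alice", "s3cret"),
        "tacacs_reject_is_final": authenticate(cfg, ["group TACSERVER", "local", "none"], "alice", "wrong"),
        "fallback_to_local": authenticate(cfg, ["group DEAD", "local"], "admin", "local-pw"),
        "none_lets_anyone_in": authenticate(cfg, ["group DEAD", "local", "none"], "mallory", ""),
        "no_fallback_locks_out": authenticate(cfg, ["group DEAD"], "admin", "local-pw"),
    }
```

demo() returns the five verdicts; the two worth noting are none_lets_anyone_in (the DEAD group is silent, mallory is not a local user, so the trailing none accepts an empty password) and no_fallback_locks_out (a silent group with no local method rejects even the real admin). audit_aaa_lines(SAMPLE_RUNNING_CONFIG) returns one finding per risky line and skips the error-enable line, which is not a method list.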
(config) aaa group server
To configure independent server groups of Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) servers, use the aaa group server command. Use the no form of this command to remove a server group.
aaa group server {ldap | radius | tacacs+} group_name
no aaa group server {ldap | radius | tacacs+} group_name
Syntax Description
ldap          Specifies an LDAP directory server group. For information about the commands in the LDAP server configuration mode, see the "LDAP Configuration Mode Commands" section.
radius        Specifies a RADIUS server group. For information about the commands in the RADIUS server configuration mode, see the "RADIUS Configuration Mode Commands" section.
tacacs+       Specifies a TACACS+ server group. For information about the commands in the TACACS+ server configuration mode, see the "TACACS+ Configuration Mode Commands" section.
group_name    Name for the LDAP, RADIUS, or TACACS+ server group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module
Release        Modification
3.0(0)A1(2)    This command was introduced.
ACE Appliance
Release        Modification
A1(7)          This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A server group is a list of server hosts of a particular type. The ACE allows you to configure multiple TACACS+, RADIUS, and LDAP servers as a named server group. You group the different AAA server hosts into distinct lists. The ACE searches for the server hosts in the order in which you specify them within a group. You can configure a maximum of 10 server groups for each context in the ACE.
You can configure server groups at any time, but they take effect only when you apply them to the AAA service using the aaa authentication login or the aaa accounting default command.
To create an AAA server group and access one of the three AAA server group configuration modes, enter the aaa group server ldap, aaa group server radius, or aaa group server tacacs+ command in configuration mode. The CLI prompt changes to (config-ldap), (config-radius), or (config-tacacs+). In this mode, you specify the IP address of one or more previously configured servers that you want added to or removed from the server group.
Examples To create a RADIUS server group and add previously configured RADIUS servers, enter:
host1/Admin(config)# aaa group server radius RAD_Server_Group1
host1/Admin(config-radius)# server 192.168.252.1
host1/Admin(config-radius)# server 192.168.252.2
host1/Admin(config-radius)# server 192.168.252.3
Related Commands show aaa
show running-config
(config) aaa accounting default
(config) aaa authentication login
(config) access-group
To apply an IPv4 or IPv6 access control list (ACL) to the inbound direction on all VLAN interfaces in a context and make the ACL active, use the access-group command. Use the no form of this command to remove an ACL from all interfaces in a context.
access-group input acl_name
no access-group input acl_name
Syntax Description
input       Specifies the inbound direction of all interfaces in a context on which you want to apply the ACL.
acl_name    Identifier of an existing ACL that you want to apply to the interfaces.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module
Release        Modification
3.0(0)A1(2)    This command was introduced.
A5(1.0)        Added IPv6 support.
ACE Appliance
Release        Modification
A1(7)          This command was introduced.
A5(1.0)        Added IPv6 support.
Usage Guidelines This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Use this command to apply an IPv4 or IPv6 ACL to all interfaces in a context; to apply an ACL to a single interface, use the (config-if) access-group command in interface configuration mode. You must apply an ACL to an interface to allow traffic to pass on that interface. This command applies an ACL to all interfaces in a context in the inbound direction only, allowing traffic on all interfaces simultaneously. The following considerations apply:
• You can use the access-group command in configuration mode only if there are no interfaces in the context to which you have previously applied an ACL using the (config-if) access-group command in interface configuration mode.
• If you have applied an ACL globally to all interfaces in a context, you cannot apply an ACL to an individual interface using the (config-if) access-group command in interface configuration mode.
• You can apply one Layer 2 ACL and one Layer 3 ACL globally to all interfaces in a context.
• You can apply both a Layer 3 and a Layer 2 ACL to all Layer 2 bridge-group virtual interfaces (BVIs) in a context.
• On Layer 3 virtual LAN (VLAN) interfaces, you can apply only Layer 3 ACLs. You can apply one IPv6 and one IPv4 ACL in each direction on a Layer 3 VLAN interface.
• In a redundant configuration, the ACE does not apply a global ACL to the FT VLAN. For details about redundancy, see the Administration Guide, Cisco ACE Application Control Engine.
For complete details on ACLs, see the Security Guide, Cisco ACE Application Control Engine.
Examples To apply an ACL named INBOUND to the inbound direction of all interfaces in the Admin context, enter:
host1/Admin(config)# access-group input INBOUND
To remove the ACL from all interfaces in the Admin context, enter:
host1/Admin(config)# no access-group input INBOUND
Related Commands (config-if) access-group
show access-list
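Once an ACL is active on the interfaces of a context, what happens to a packet is decided by the entries created with the access-list extended command (described later in this chapter): entries are looked up in line-number order, the first match decides, an entry without a line number is appended with a default increment, and only standard subnet masks are accepted. The Python below is an added example for this page, not Cisco code: it parses the IPv4 non-ICMP form of that command, assigns line numbers to entries that omit them (the increment of 10 is an assumption; the reference gives no value), and evaluates constructed packets against a constructed ACL named INBOUND. The implicit deny for a packet that matches no entry is standard Cisco ACL behaviour, the port-name table is a small subset of the reference's Tables 1-3 and 1-4, and object groups and ICMP types are not handled.

```python
"""IPv4 extended ACL lookup as described in the ACE reference (added example, not Cisco code).
Entries are searched in line-number order, the first match decides, only standard (contiguous)
subnet masks are accepted; assumed: default line increment 10, no object groups or ICMP types."""
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional, Tuple

PROTO_NUMBERS = {"ip": 0, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
PORT_NAMES = {"ssh": 22, "telnet": 23, "domain": 53, "www": 80, "https": 443}  # subset of Tables 1-3/1-4
PORT_OPS = {"eq": lambda p, a, b: p == a, "gt": lambda p, a, b: p > a, "lt": lambda p, a, b: p < a,
            "neq": lambda p, a, b: p != a, "range": lambda p, a, b: a <= p <= b}
DEFAULT_INCREMENT = 10  # assumption; the reference only says that a default increment is applied
Entry = namedtuple("Entry", "line action proto src src_ports dst dst_ports")
ENTRY_RE = re.compile(r"^access-list\s+(\S+)(?:\s+line\s+(\d+))?\s+extended\s+"
                      r"(permit|deny)\s+(\S+)\s+(.*)$")


def is_standard_netmask(mask: str) -> bool:
    """Contiguous masks such as 255.255.255.0 only; wildcard or sparse masks are refused."""
    inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def take_address(toks: List[str]) -> ipaddress.IPv4Network:
    """Consume `any`, `host A`, or `A MASK` from the front of the token list."""
    head = toks.pop(0)
    if head == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if head == "host":
        return ipaddress.IPv4Network(toks.pop(0) + "/32")
    mask = toks.pop(0)
    if not is_standard_netmask(mask):
        raise ValueError(f"wildcard or non-standard mask not supported: {mask}")
    return ipaddress.IPv4Network((head, mask), strict=False)


def take_ports(toks: List[str]) -> Optional[Tuple[str, int, int]]:
    """Consume an optional `operator port1 [port2]` clause; port2 equals port1 unless `range`."""
    if not toks or toks[0] not in PORT_OPS:
        return None
    to_port = lambda t: PORT_NAMES[t] if t in PORT_NAMES else int(t)
    op, p1 = toks.pop(0), to_port(toks.pop(0))
    p2 = to_port(toks.pop(0)) if op == "range" else p1
    if p2 < p1:
        raise ValueError("port2 must be greater than or equal to port1")
    return op, p1, p2


def parse_entry(text: str) -> Tuple[str, Entry]:
    """Parse one non-ICMP IPv4 `access-list NAME [line N] extended ...` command."""
    m = ENTRY_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an extended ACL entry: {text!r}")
    name, line, action, proto_tok, rest = m.groups()
    proto = PROTO_NUMBERS[proto_tok] if proto_tok in PROTO_NUMBERS else int(proto_tok)
    toks = rest.split()
    src, src_ports = take_address(toks), take_ports(toks)
    dst, dst_ports = take_address(toks), take_ports(toks)
    return name, Entry(int(line) if line else None, action, proto, src, src_ports, dst, dst_ports)


def is_rejected(text: str) -> bool:
    try:
        parse_entry(text)
    except ValueError:
        return True
    return False


def port_matches(spec: Optional[Tuple[str, int, int]], port: int) -> bool:
    return spec is None or PORT_OPS[spec[0]](port, spec[1], spec[2])


class Acl:
    def __init__(self, name: str):
        self.name, self.entries = name, []

    def add(self, text: str) -> int:
        name, entry = parse_entry(text)
        if name != self.name:
            raise ValueError(f"entry names ACL {name}, not {self.name}")
        if entry.line is None:   # no `line N`: append after the current last line
            entry = entry._replace(line=max((e.line for e in self.entries), default=0) + DEFAULT_INCREMENT)
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.line)  # lookup order follows line numbers, not entry time
        return entry.line

    def evaluate(self, proto: int, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """First matching entry decides; ("deny", None) is the implicit deny at the end of the ACL."""
        s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        for e in self.entries:
            if (e.proto in (0, proto) and s in e.src and d in e.dst
                    and port_matches(e.src_ports, src_port) and port_matches(e.dst_ports, dst_port)):
                return e.action, e.line
        return "deny", None


def build_sample_acl() -> Acl:
    """Constructed ACL (not from the reference); the two entries without `line` get lines 30 and 40."""
    acl = Acl("INBOUND")
    acl.add("access-list INBOUND line 10 extended permit tcp any host 10.1.1.10 eq https")
    acl.add("access-list INBOUND line 20 extended deny tcp 192.168.1.0 255.255.255.0 any eq ssh")
    acl.add("access-list INBOUND extended permit tcp any any eq 22")
    acl.add("access-list INBOUND extended permit udp any 10.1.1.0 255.255.255.0 range 53 53")
    return acl
```

The sample ACL shows why line numbers matter: a TCP packet from 192.168.1.7 to port 22 is denied by line 20 even though line 30 permits port 22 from anywhere, and adding an entry with `line 15` later places it ahead of line 20 regardless of when it was typed. A wildcard mask such as 0.255.255.255 is refused at parse time, matching the reference's statement that only standard subnet masks are supported.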
(config) access-list ethertype
To configure an EtherType access control list (ACL), use the access-list ethertype command. Use the no form of this command to remove the ACL from the configuration.
access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}
no access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}
Syntax Description
name        Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
ethertype   Specifies a subprotocol of type: any, bpdu, ipv6, or mpls.
deny        Blocks connections on the assigned interface.
permit      Allows connections on the assigned interface.
any         Specifies any EtherType.
bpdu        Specifies bridge protocol data units.
ipv6        Specifies Internet Protocol version 6.
mpls        Specifies Multiprotocol Label Switching.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module
Release        Modification
3.0(0)A1(2)    This command was introduced.
A2(2.4)        BPDU packets are not subjected to bandwidth policing in a bridge-mode configuration.
ACE Appliance
Release        Modification
A1(7)          This command was introduced.
Usage Guidelines This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can configure an ACL that controls traffic based on its EtherType. An EtherType is a subprotocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because those frames carry a length field instead of a type field. Bridge protocol data units (BPDUs) are an exception because they are SNAP-encapsulated, and the ACE is designed to specifically handle BPDUs.
You can permit or deny BPDUs. By default, all BPDUs are denied. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs carry VLAN information inside the payload, so the ACE rewrites the payload with the outgoing VLAN if you permit BPDUs. BPDU packets are not subjected to bandwidth policing in a bridge-mode configuration.
You can configure an EtherType ACL only on a Layer 2 interface in the inbound direction.
When you specify the mpls keyword in an EtherType ACL, the ACE denies or permits both MPLS-unicast and MPLS-multicast traffic.
Examples To configure an ACL that permits MPLS traffic based on its EtherType, enter:
host1/Admin(config)# access-list INBOUND ethertype permit mpls
Related Commands clear access-list
show access-list
(config) access-list extended
To create an extended ACL, use the access-list extended command. The two major types of extended
ACLs are as follows:
• Non-ICMP ACLs
• ICMP ACLs
Use the no form of this command to delete the ACL.
IPv6 Syntax
For a non-ICMP extended ACL, the syntax is as follows:
access-list name [line number] extended {deny | permit}
{protocol {anyv6 | host src_ipv6_address | src_ipv6_address/prefix_length
| object-group net_obj_grp_name} [operator port1 [port2]] {anyv6 | host dest_ipv6_address |
dest_ipv6_address/prefix_length | object-group net_obj_grp_name} [operator port3 [port4]]}
| {object-group service_obj_grp_name} {anyv6 | host src_ipv6_address
| src_ipv6_address/prefix_length | object-group net_obj_grp_name} {anyv6 | host
dest_ipv6_address | dest_ipv6_address/prefix_length | object-group net_obj_grp_name}
no access-list name [line number] extended {deny | permit}
{protocol {anyv6 | host src_ipv6_address | src_ipv6_address/prefix_length
| object-group net_obj_grp_name} [operator port1 [port2]] {anyv6 | host dest_ipv6_address |
dest_ipv6_address/prefix_length | object-group net_obj_grp_name} [operator port3 [port4]]}
| {object-group service_obj_grp_name} {anyv6 | host src_ipv6_address
| src_ipv6_address/prefix_length | object-group net_obj_grp_name} {anyv6 | host
dest_ipv6_address | dest_ipv6_address/prefix_length | object-group net_obj_grp_name}
For an ICMP extended ACL, the syntax is as follows:
access-list name [line number] extended {deny | permit}
{icmpv6 {anyv6 | host src_ipv6_address | src_ipv6_address/prefix_length | object-group
net_obj_grp_name} {anyv6 | host dest_ipv6_address | dest_ipv6_address/prefix_length |
object-group net_obj_grp_name} [icmp_type [code operator code1 [code2]]]}
| {object-group service_obj_grp_name} {anyv6 | host src_ipv6_address
| src_ipv6_address/prefix_length | object-group net_obj_grp_name} {anyv6 | host
dest_ipv6_address | dest_ipv6_address/prefix_length | object-group net_obj_grp_name}
no access-list name [line number] extended {deny | permit}
{icmpv6 {anyv6 | host src_ipv6_address | src_ipv6_address/prefix_length | object-group
net_obj_grp_name} {anyv6 | host dest_ipv6_address | dest_ipv6_address/prefix_length |
object-group net_obj_grp_name} [icmp_type [code operator code1 [code2]]]}
| {object-group service_obj_grp_name} {anyv6 | host src_ipv6_address
| src_ipv6_address/prefix_length | object-group net_obj_grp_name} {anyv6 | host
dest_ipv6_address | dest_ipv6_address/prefix_length | object-group net_obj_grp_name}
IPv4 Syntax
For a non-ICMP extended ACL, the syntax is as follows:
access-list name [line number] extended {deny | permit}
{protocol {any | host src_ip_address | src_ip_address netmask | object-group
net_obj_grp_name} [operator port1 [port2]] {any | host dest_ip_address | dest_ip_address
netmask | object-group net_obj_grp_name} [operator port3 [port4]]}
|{object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask |
object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask |
object-group net_obj_grp_name}
no access-list name [line number] extended {deny | permit}
{protocol {any | host src_ip_address | src_ip_address netmask | object-group
net_obj_grp_name} [operator port1 [port2]] {any | host dest_ip_address | dest_ip_address
netmask | object-group net_obj_grp_name} [operator port3 [port4]]}
|{object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask |
object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask |
object-group net_obj_grp_name}
For an ICMP extended ACL, the syntax is as follows:
access-list name [line number] extended {deny | permit}
{icmp {any | host src_ip_address | src_ip_address netmask | object-group
net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group
net_obj_grp_name} [icmp_type [code operator code1 [code2]]]}
| {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask |
object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask |
object-group net_obj_grp_name}
no access-list name [line number] extended {deny | permit}
{icmp {any | host src_ip_address | src_ip_address netmask | object-group
net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group
net_obj_grp_name} [icmp_type [code operator code1 [code2]]]}
| {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask |
object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask |
object-group net_obj_grp_name}
Syntax Description
name                 Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
line number          (Optional) Specifies the line number position where you want the entry that you are configuring to appear in the ACL. The position of an entry affects the lookup order of the entries in an ACL. If you do not configure the line number of an entry, the ACE applies a default increment and a line number to the entry and appends it at the end of the ACL.
extended             Specifies an extended ACL. Extended ACLs allow you to specify the destination IP address and subnet mask and other parameters not available with a standard ACL.
deny                 Blocks connections on the assigned interface.
permit               Allows connections on the assigned interface.
protocol             Name or number of an IP protocol. Enter a protocol name or an integer from 0 to 255 that represents an IP protocol number from the following:
                     • ah—(51) Authentication Header
                     • eigrp—(88) Enhanced IGRP
                     • esp—(50) Encapsulated Security Payload
                     • gre—(47) Generic Routing Encapsulation
                     • icmp—(1) Internet Control Message Protocol (see Table 1-1 for optional ICMPv4 message types)
                     • icmpv6—(58) Internet Control Message Protocol for IPv6 (see Table 1-2 for optional ICMPv6 message types)
                     • igmp—(2) Internet Group Management Protocol
                     • ip—(0) Internet Protocol
                     • ip-in-ip—(4) IP-in-IP Layer 3 tunneling protocol
                     • ospf—(89) Open Shortest Path First
                     • pim—(103) Protocol Independent Multicast
                     • tcp—(6) Transmission Control Protocol
                     • udp—(17) User Datagram Protocol
any                  Specifies the network traffic from any IPv4 source.
anyv6                Specifies the network traffic from any IPv6 source.
host src_ipv6_address            Specifies the IPv6 address of the host from which the network traffic originates. Use this keyword and argument to specify the network traffic from a single IPv6 address.
host src_ip_address              Specifies the IP address of the host from which the network traffic originates. Use this keyword and argument to specify the network traffic from a single IP address.
src_ipv6_address/prefix_length   Traffic from a source defined by the IPv6 address and the prefix length. Use these arguments to specify network traffic from a range of IPv6 source addresses.
src_ip_address netmask           Traffic from a source defined by the IP address and the network mask. Use these arguments to specify the network traffic from a range of source IP addresses.
object-group network_obj_grp_name   Specifies the identifier of an existing source network object group. To use object groups in an ACL, replace the normal network (source_address, mask, and so on), service (protocol operator port), or ICMP type (icmp_type) arguments with an object-group name.
operator             (Optional) Operator used to compare source port numbers for the TCP, TCP-UDP, and UDP protocols. The operators are as follows:
                     • eq—Equal to.
                     • gt—Greater than.
                     • lt—Less than.
                     • neq—Not equal to.
                     • range—An inclusive range of port values. If you enter the range operator, enter a second port number value to define the upper limit of the range.
port1 [port2]        TCP or UDP source port name or number from which you permit or deny access to services. Enter an integer from 0 to 65535. To enter an inclusive range of ports, enter two port numbers. Port2 must be greater than or equal to port1. See Table 1-3 for a list of well-known TCP port names and numbers and Table 1-4 for a list of well-known UDP port names and numbers.
dest_ipv6_address/prefix_length   IPv6 address of the network or host to which the packet is being sent and the prefix length of the IPv6 destination address. Use these arguments to specify a range of IPv6 destination addresses.
dest_ip_address netmask          Specifies the IP address of the network or host to which the packet is being sent and the network mask bits that are to be applied to the destination IP address. Use these arguments to specify a range of destination IP addresses.
anyv6                Specifies the network traffic that goes to any IPv6 destination.
any                  Specifies the network traffic going to any IPv4 destination.
host dest_ipv6_address           Specifies the IPv6 address of the destination of the packets in a flow. Use this keyword and argument to specify the network traffic destined to a single IPv6 address.
host dest_ip_address             Specifies the IP address of the destination of the packets in a flow. Use this keyword and argument to specify the network traffic destined to a single IP address.
operator             (Optional) Operator used to compare destination port numbers for the TCP, TCP-UDP, and UDP protocols. The operators are as follows:
                     • lt—Less than.
                     • gt—Greater than.
                     • eq—Equal to.
                     • neq—Not equal to.
                     • range—An inclusive range of port values. If you enter this operator, enter a second port number value to define the upper limit of the range.
port3 [port4]        TCP or UDP destination port name or number to which you permit or deny access to services. To enter an optional inclusive range of ports, enter two port numbers. Port4 must be greater than or equal to port3. See Table 1-3 for a list of well-known ports.
icmp_type            (Optional) Type of ICMP message. Enter either an integer that corresponds to the ICMP type number or one of the ICMP types as described in Table 1-1.
code                 (Optional) Specifies that a numeric operator and an ICMP code follow.
operator             An operator that the ACE applies to the ICMP code number that follows. Enter one of the following operators:
                     • lt—Less than.
                     • gt—Greater than.
                     • eq—Equal to.
                     • neq—Not equal to.
                     • range—An inclusive range of ICMP code values. When you use this operator, specify two code numbers to define the range.
code1, code2         ICMP code number that corresponds to an ICMP type. See Table 1-3. If you entered the range operator, enter a second ICMP code value to define the upper limit of the range.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module
Release        Modification
3.0(0)A1(2)    This command was introduced.
A2(1.0)        This command was revised with the object-group keyword and associated keywords and arguments.
A5(1.0)        Added IPv6 support.
ACE Appliance
Release        Modification
A1(7)          This command was introduced.
A2(1.0)        This command was revised with the object-group keyword and associated keywords and arguments.
A5(1.0)        Added IPv6 support.
Usage Guidelines This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE does not explicitly support standard ACLs. To configure the equivalent of a standard ACL, specify the destination address as "any" and do not specify ports in an extended ACL.
For the source IP address and destination IP address netmasks, the ACE supports only standard subnet mask entries in an ACL. Wildcard entries and non-standard subnet masks are not supported.
For TCP and UDP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the ACE allows all returning traffic for established connections.
You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the same ACL on multiple interfaces. You can apply EtherType ACLs only in the inbound direction and only on Layer 2 interfaces.
If you create an ICMP extended ACL, you can optionally specify the type of ICMP messaging. Enter either an integer that corresponds to the ICMP code number or one of the ICMP messaging types as
described in Table 1-1 (ICMPv4) and Table 1-2 (ICMPv6).
ACLs have no effect on neighbor discovery (ND) packets and they are always permitted to and through
the ACE. For more information about ND, see the Routing and Bridging Guide, Cisco ACE Application
Control Engine.
Table 1-1 ICMPv4 Types
ICMPv4 Code Number ICMPv4 Type
0 echo-reply
3 unreachable
4 source-quench
5 redirect
6 alternate-address
8 echo
9 router-advertisement
10 router-solicitation
11 time-exceeded
12 parameter-problem
13 timestamp-request
14 timestamp-reply
15 information-request
16 information-reply
17 mask-request
18 mask-reply
30 traceroute
31 conversion-error
32 mobile-redirect
Table 1-2 ICMPv6 Types
ICMPv6 Code Number ICMPv6 Type
1 unreachable
3 time-exceeded
4 parameter-problem
30 traceroute
128 echo
129 echo-reply
137 redirect
139 information-request
140 information-reply
Table 1-3 Well-Known TCP Port Numbers and Key Words
Keyword Port Number Description
aol 5190 America-Online
bgp 179 Border Gateway Protocol
chargen 19 Character Generator
citrix-ica 1494 Citrix Independent Computing Architecture protocol
cmd 514 Same as exec, with automatic authentication
ctiqbe 2748 Computer Telephony Interface Quick Buffer Encoding
daytime 13 Daytime
discard 9 Discard
domain 53 Domain Name System
echo 7 Echo
exec 512 Exec (RSH)
finger 79 Finger
ftp 21 File Transfer Protocol
ftp-data 20 FTP data connections
gopher 70 Gopher
hostname 101 NIC hostname server
http 80 Hyper Text Transfer Protocol
https 443 HTTP over TLS/SSL
ident 113 Ident Protocol
imap4 143 Internet Message Access Protocol, version 4
irc 194 Internet Relay Chat
kerberos 88 Kerberos
klogin 543 Kerberos Login
kshell 544 Kerberos Shell
ldap 389 Lightweight Directory Access Protocol
ldaps 636 LDAP over TLS/SSL
login 513 Login (rlogin)
lotusnotes 1352 IBM Lotus Notes
lpd 515 Printer Service
matip-a 350 Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
netbios-ssn 139 NetBIOS Session Service
nntp 119 Network News Transport Protocol
pcanywhere-data 5631 PC Anywhere data
pim-auto-rp 496 PIM Auto-RP
pop2 109 Post Office Protocol v2
pop3 110 Post Office Protocol v3
pptp 1723 Point-to-Point Tunneling Protocol, RFC 2637
rtsp 554 Real Time Streaming Protocol
sip 5060 Session Initiation Protocol
skinny 2000 Cisco Skinny Client Control Protocol (SCCP)
smtp 25 Simple Mail Transfer Protocol
sqlnet 1521 Structured Query Language Network
ssh 22 Secure Shell
sunrpc 111 Sun Remote Procedure Call
tacacs 49 Terminal Access Controller Access Control System
talk 517 Talk
telnet 23 Telnet
time 37 Time
uucp 540 UNIX-to-UNIX Copy Program
whois 43 Nicname
www 80 World Wide Web (HTTP)
Table 1-4 Well-Known UDP Key Words and Port Numbers
Keyword Port Number Description
biff 512 Mail notification
bootpc 68 Bootstrap Protocol client
bootps 67 Bootstrap Protocol server
discard 9 Discard
dnsix 195 DNSIX Security protocol auditing (dn6-nlm-aud)
domain 53 Domain Name System
echo 7 Echo
isakmp 500 Internet Security Association Key Management Protocol
kerberos 88 Kerberos
mobile-ip 434 Mobile IP registration
nameserver 42 Host Name Server
netbios-dgm 138 NetBIOS datagram service
netbios-ns 137 NetBIOS name service
netbios-ssn 139 NetBIOS Session Service
ntp 123 Network Time Protocol
pcanywhere-status 5632 PC Anywhere status
radius 1812 Remote Authentication Dial-in User Service
radius-acct 1813 RADIUS Accounting
rip 520 Routing Information Protocol
snmp 161 Simple Network Management Protocol
snmptrap 162 SNMP Traps
sunrpc 111 Sun Remote Procedure Call
syslog 514 System Logger
tacacs 49 Terminal Access Controller Access Control System
talk 517 Talk
tftp 69 Trivial File Transfer Protocol
time 37 Time
who 513 Who service (rwho)
wsp 9200 Connectionless Wireless Session Protocol
wsp-wtls 9202 Secure Connectionless WSP
wsp-wtp 9201 Connection-based WSP
wsp-wtp-wtls 9203 Secure Connection-based WSP
xdmcp 177 X Display Manager Control Protocol
Examples IPv6 Examples
To configure an IPv6 TCP extended ACL, enter:
host1/Admin(config)# access-list INBOUND line 10 extended permit tcp 2001:DB8:1::1/64 gt 1024 2001:DB8:2::1 lt 4000
To remove an entry from an extended ACL, enter:
host1/Admin(config)# no access-list INBOUND line 10
To control a ping, specify echo (128) (host to ACE).
To allow an external host with IP address 2001:DB8:1::2 to ping a host behind the ACE with an IP address of FC00:ABCD:1:2::5, enter:
host1/Admin(config)# access-list INBOUND extended permit icmpv6 host 2001:DB8:1::2 host FC00:ABCD:1:2::5 echo code eq 0
To remove an entry from an ICMP ACL, enter:
host1/Admin(config)# no access-list INBOUND extended permit icmpv6 host 2001:DB8:1::2 echo
IPv4 Examples
To configure a TCP extended ACL, enter:
host1/Admin(config)# access-list INBOUND line 10 extended permit tcp 192.168.12.0 255.255.255.0 gt 1024 172.27.16.0 255.255.255.0 lt 4000
To remove an entry from an extended ACL, enter:
host1/Admin(config)# no access-list INBOUND line 10
To allow an external host with IP address 192.168.12.5 to be able to ping a host behind the ACE with an IP address of 10.0.0.5, enter:
(config)# access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5 echo code eq 0
To remove an entry from an ICMP ACL, enter:
(config)# no access-list INBOUND extended permit icmp host 192.168.12.5 echo
To use object groups for all available parameters, enter:
ISM/Admin(config)# access-list acl_name extended {deny | permit} object-group service_grp_name object-group network_grp_name object-group network_grp_name
Related Commands clear access-list
show access-list
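The extended-ACL rules this entry describes (the lt/gt/eq/neq/range port operators, the standard-subnet-mask restriction, and the access-list resequence renumbering described later in this section), modeled in Python as an added example; this is not ACE code. ExtendedAcl, the constructed port-keyword subset, ordinary first-match evaluation in line-number order, and a default increment of 10 for entries added without a line number are assumptions of the model.

```python
import ipaddress

# Constructed subset of the Table 1-3 / Table 1-4 keywords; extend as needed.
PORT_KEYWORDS = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "http": 80,
                 "www": 80, "https": 443, "ntp": 123, "snmp": 161}
OPERATORS = ("lt", "gt", "eq", "neq", "range")
DEFAULT_INCREMENT = 10  # assumed line-number increment when no "line N" is given


def standard_prefix(text):
    """Prefix length of a standard (contiguous) mask, or None for a wildcard such as 0.0.0.255."""
    mask = int(ipaddress.IPv4Address(text))
    prefix = bin(mask).count("1")
    return prefix if mask == (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF else None


def _parse_address(tokens, i):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    prefix = standard_prefix(tokens[i + 1])
    if prefix is None:  # the ACE rejects wildcard and non-standard masks
        raise ValueError(f"non-standard subnet mask not supported: {tokens[i + 1]}")
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def _port(token):
    return PORT_KEYWORDS[token] if token in PORT_KEYWORDS else int(token)


def _parse_ports(tokens, i):
    """Parse an optional 'operator port [port2]' clause; return (spec, next_i)."""
    if i >= len(tokens) or tokens[i] not in OPERATORS:
        return None, i
    op = tokens[i]
    if op == "range":
        low, high = _port(tokens[i + 1]), _port(tokens[i + 2])
        if high < low:  # port4 must be greater than or equal to port3
            raise ValueError("upper port of a range must be >= the lower port")
        return (op, low, high), i + 3
    return (op, _port(tokens[i + 1]), None), i + 2


def _port_ok(spec, port):
    if spec is None:
        return True
    op, a, b = spec
    if op == "range":
        return a <= port <= b
    return {"lt": port < a, "gt": port > a, "eq": port == a, "neq": port != a}[op]


def parse_entry(line):
    """Parse 'access-list NAME [line N] extended {permit|deny} PROTO SRC [ports] DST [ports]'."""
    t = line.split()
    name, i, number = t[1], 2, None
    if t[i] == "line":
        number, i = int(t[i + 1]), i + 2
    if t[i] != "extended":
        raise ValueError("only extended ACL entries are modeled here")
    action, proto, i = t[i + 1], t[i + 2], i + 3
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported action/protocol: {action} {proto}")
    src, i = _parse_address(t, i)
    sports, i = _parse_ports(t, i)
    dst, i = _parse_address(t, i)
    dports, i = _parse_ports(t, i)
    return {"acl": name, "line": number, "action": action, "proto": proto,
            "src": src, "sports": sports, "dst": dst, "dports": dports}


class ExtendedAcl:
    """An ordered extended ACL: entries are tried in line-number order, first match wins."""
    def __init__(self, name):
        self.name, self.entries = name, []

    def add(self, line):
        entry = parse_entry(line)
        if entry["acl"] != self.name:
            raise ValueError(f"entry belongs to ACL {entry['acl']}, not {self.name}")
        if entry["line"] is None:  # appended at the end with the default increment
            entry["line"] = max((e["line"] for e in self.entries), default=0) + DEFAULT_INCREMENT
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e["line"])
        return entry["line"]

    def resequence(self, number1=10, number2=10):
        """'access-list NAME resequence number1 number2': renumber entries in place."""
        for n, entry in enumerate(self.entries):
            entry["line"] = number1 + n * number2
        return [e["line"] for e in self.entries]

    def first_match(self, proto, src, sport, dst, dport):
        """Return (line, action) of the first matching entry, or None if nothing matches."""
        for e in self.entries:
            if e["proto"] not in ("ip", proto):
                continue
            if ipaddress.ip_address(src) not in e["src"] or ipaddress.ip_address(dst) not in e["dst"]:
                continue
            if _port_ok(e["sports"], sport) and _port_ok(e["dports"], dport):
                return e["line"], e["action"]
        return None
```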
(config) access-list remark
You can add comments about an access control list (ACL) to clarify the function of the ACL. To add a comment to an ACL, use the access-list remark command. You can enter only one comment per ACL and the comment appears at the top of the ACL. Use the no form of this command to remove an ACL remark.
access-list name remark text
no access-list name remark text
Syntax Description
name Unique identifier of the ACL. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
line number (Optional) Specifies the line number position where you want the comments to appear in the ACL. If you do not specify a line number, the ACE applies a default increment and a line number to the remark and appends it at the end of the ACL.
remark text Specifies any comments that you want to include about the ACL. Comments appear at the top of the ACL. Enter an unquoted text string with a maximum of 100 alphanumeric characters. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If you delete an ACL using the no access-list name command, then the remarks are also removed.
Examples To add an entry comment to an ACL, enter:
host1/Admin(config)# access-list INBOUND remark This is a remark
To remove entry comments from an ACL, enter:
(config)# no access-list INBOUND line 200 remark
Related Commands clear access-list
show access-list
(config) access-list resequence
To resequence the entries in an extended access control list (ACL) with a specific starting number and interval, use the access-list resequence command. Use the no form of this command to reset the number assigned to an ACL entry to the default of 10.
access-list name resequence number1 number2
no access-list name resequence number1 number2
Syntax Description
name Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
resequence Specifies the renumbering of the entries in an ACL.
number1 Number assigned to the first entry in the ACL. Enter any integer. The default is 10.
number2 Number added to each entry in the ACL after the first entry. Enter any integer. The default is 10.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ability to resequence entries in an ACL is supported only for extended ACLs.
Examples For example, to assign the number 5 to the first entry in the access list INBOUND and then number each succeeding entry by adding 15 to the preceding entry line number, enter:
host1/Admin(config)# access-list INBOUND resequence 5 15
Related Commands clear access-list
show access-list
(config) action-list type modify http
Action list modify configuration mode commands allow you to configure ACE action lists. An action list is a named group of actions that you associate with a Layer 7 HTTP class map in a Layer 7 HTTP policy map. You can create an action list to modify an HTTP header or to rewrite an HTTP redirect URL for SSL. For information about the commands in action list modify configuration mode, see the “Action List Modify Configuration Mode Commands” section.
To create an action list, use the action-list type modify http command. The CLI prompt changes to (config-actlist-modify). Use the no form of this command to remove the action list from the configuration.
action-list type modify http name
no action-list type modify http name
Syntax Description
name Unique name for the action list. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To create an action list, enter:
host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
host1/Admin(config-actlist-modify)#
To remove the action list from the configuration, enter:
host1/Admin(config)# no action-list type modify http HTTP_MODIFY_ACTLIST
Related Commands show running-config
show stats
(config) action-list type optimization http
(ACE appliance only) Action list optimization configuration mode commands allow you to configure ACE action lists. An action list is a named group of actions that you associate with a Layer 7 HTTP optimization policy map. The action-list type command allows you to configure a series of application acceleration and optimization statements. After you enter this command, the system enters the action list optimization configuration mode.
For information about the commands in action list optimization configuration mode, see the “Action List Optimization Configuration Mode Commands” section.
To create an optimization action map for performing application acceleration and optimization, use the action-list type command in global configuration mode. The CLI prompt changes to (config-actlist-optm). Use the no form of this command to remove an action list from the ACE.
action-list type optimization http list_name
no action-list type optimization http list_name
Syntax Description
optimization http Specifies an optimization HTTP action list. After you create the optimization HTTP type action list, you configure application acceleration and optimization functions in the action list optimization configuration mode. For information about the commands in action list optimization configuration mode, see the “Action List Optimization Configuration Mode Commands” section.
list_name Name assigned to the action list. Enter a unique name as an unquoted text string with a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
After you configure the action list, you associate it with a specific statement in a Layer 7 HTTP optimization policy map. The Layer 7 optimization HTTP policy map activates an optimization HTTP action list that allows you to configure the specified optimization actions.
For information about the commands in action list optimization configuration mode, see the “Action List Optimization Configuration Mode Commands” section. For details about configuring the commands in the action list optimization configuration mode, see the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide.
Examples To create an optimization HTTP action list, enter:
host1/Admin(config)# action-list type optimization http ACT_LIST1
host1/Admin(config-actlist-optm)#
To remove the action list from the configuration, enter:
host1/Admin(config)# no action-list type optimization http ACT_LIST1
Related Commands show action-list
show running-config
(config) parameter-map type
(config) policy-map
(config) arp
To configure the Address Resolution Protocol (ARP) on the ACE to manage and map IP to Media Access Control (MAC) information to forward and transmit packets, use the arp command. Use the no form of this command to remove the ARP entry or reset a default value.
arp {ip_address mac_address | interval seconds | inspection enable [flood | no flood] | learned-interval seconds | learned-mode enable | rate seconds | ratelimit pps | retries number | sync disable | sync-interval seconds}
no arp {ip_address mac_address | interval | inspection enable | learned-interval | learned-mode enable | rate | ratelimit | retries | sync disable | sync-interval}
Syntax Description
ip_address mac_address Static ARP entry in the ARP table that allows ARP responses from an IP address to a MAC address. Enter the IP address in dotted-decimal notation (for example, 172.16.56.76). Enter the MAC address in dotted-hexadecimal notation (for example, 00.60.97.d5.26.ab).
interval seconds Specifies the interval in seconds that the ACE sends ARP requests to the configured hosts. Enter a number from 15 to 31526000. The default is 300.
inspection enable Enables ARP inspection, preventing malicious users from impersonating other hosts or routers, known as ARP spoofing. The default is disabled.
flood (Optional) Enables ARP forwarding of nonmatching ARP packets. The ACE forwards all ARP packets to all interfaces in the bridge group. This is the default setting.
no flood (Optional) Disables ARP forwarding for the interface and drops non-matching ARP packets.
learned-interval seconds Sets the interval in seconds when the ACE sends ARP requests for learned hosts. Enter a number from 60 to 31536000. The default is 14400.
learned-mode enable Enables the ACE to learn MAC addresses if the command has been disabled. By default, for bridged traffic, the ACE learns MAC addresses from all traffic. For routed traffic, the ACE learns MAC addresses only from ARP response packets or from packets that are destined to the ACE (for example, a ping to a VIP or a ping to a VLAN interface).
rate seconds Specifies the time interval in seconds between ARP retry attempts to hosts. Enter a number from 1 to 60. The default is 10.
ratelimit pps Specifies the rate limit in packets per second for gratuitous ARPs sent by the ACE. Enter a number from 100 to 8192. The default is 512. Note that this keyword applies to the entire ACE.
retries number Specifies the number of ARP attempts before the ACE flags the host as down. Enter a number from 2 to 15. The default is 3.
sync disable Disables the replication of ARP entries. By default, ARP entry replication is enabled.
sync-interval seconds Specifies the time interval between ARP sync messages for learned hosts. Enter an integer from 1 to 3600 seconds (1 hour). The default is 5 seconds.
Command Modes Configuration mode
Admin and user contexts. The ratelimit keyword is available in the Admin context only.
Command History
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The static arp command in configuration mode now allows the configuration of the multicast MAC address for a host. The ACE uses this multicast MAC address while sending packets to the host. This enhancement allows the support of deployments that involve clustering (for example, Checkpoint clustering). A host can be assigned a multicast MAC address with the arp command. The ACE does not learn the multicast MAC addresses for a host.
ARP inspection operates only on ingress bridged interfaces. By default, ARP inspection is disabled on all interfaces, allowing all ARP packets through the ACE. When you enable ARP inspection, the ACE uses the IP address and interface ID (ifID) of an incoming ARP packet as an index into the ARP table. The ACE then compares the MAC address of the ARP packet with the MAC address in the indexed static ARP entry in the ARP table and takes the following actions:
• If the IP address, source ifID, and MAC address match a static ARP entry, the inspection succeeds and the ACE allows the packet to pass.
• If the IP address and interface of the incoming ARP packet match a static ARP entry, but the MAC address of the packet does not match the MAC address that you configured in that static ARP entry, ARP inspection fails and the ACE drops the packet.
• If the ARP packet does not match any static entries in the ARP table or there are no static entries in the table, then you can set the ACE to either forward the packet out all interfaces (flood) or to drop the packet (no-flood). In this case, the source IP address to MAC address mapping is new to the ACE. If you enter the flood option, the ACE creates a new ARP entry and marks it as LEARNED.
If you enter the no-flood option, the ACE drops the ARP packet.
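The three ARP inspection outcomes listed above, written out as an added Python model so the flood and no-flood behaviours can be compared on a constructed packet sample; this is not ACE code. ArpInspector, the (ip, ifID) lookup key, the verdict strings and the sample packets are constructed here.

```python
from dataclasses import dataclass, field

PERMIT, DROP, FLOOD_LEARN = "permit", "drop", "flood-and-learn"


def normalize_mac(mac):
    """Accept the ACE dotted-hex form (00.02.9a.3b.94.d9) or colon/hyphen forms; return 12 hex digits."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return digits


@dataclass
class ArpInspector:
    """Models 'arp inspection enable [flood | no-flood]' on an ingress bridged interface."""
    flood: bool = True                            # flood is the ACE default
    static: dict = field(default_factory=dict)    # (ip, ifid) -> mac, from 'arp ip mac'
    learned: dict = field(default_factory=dict)   # (ip, ifid) -> mac, marked LEARNED
    drops: list = field(default_factory=list)     # (ip, ifid, mac, reason) for logging

    def add_static(self, ip, ifid, mac):
        self.static[(ip, ifid)] = normalize_mac(mac)

    def inspect(self, ip, ifid, mac):
        """Verdict for one ARP packet with sender IP 'ip' and sender MAC 'mac' arriving on ifid."""
        key, mac = (ip, ifid), normalize_mac(mac)
        expected = self.static.get(key)
        if expected is not None:
            if expected == mac:
                return PERMIT  # IP, source ifID and MAC all match the static entry
            # same IP on the same interface with a different MAC: the ARP spoofing case
            self.drops.append((ip, ifid, mac, "mac-mismatch"))
            return DROP
        # no static entry for this IP/ifID: the mapping is new to the ACE
        if self.flood:
            self.learned[key] = mac  # entry created and marked LEARNED
            return FLOOD_LEARN
        self.drops.append((ip, ifid, mac, "no-static-entry"))
        return DROP


def run_sample(flood=True):
    """Run a constructed packet sample through the inspector; return (verdicts, inspector)."""
    insp = ArpInspector(flood=flood)
    insp.add_static("10.1.1.1", 1, "00.02.9a.3b.94.d9")  # the page's 'arp 10.1.1.1 ...' entry
    packets = [                                           # constructed: (sender ip, ifid, sender mac)
        ("10.1.1.1", 1, "00.02.9a.3b.94.d9"),    # the real router
        ("10.1.1.1", 1, "00.60.97.d5.26.ab"),    # a different MAC claiming the router's IP
        ("10.1.1.1", 2, "00.02.9a.3b.94.d9"),    # router's IP on another interface: no static entry
        ("10.1.1.50", 1, "00.11.22.33.44.55"),   # host with no static entry at all
    ]
    return [insp.inspect(*p) for p in packets], insp
```

Note that the index is IP plus ifID, so a legitimate MAC seen on an interface without a matching static entry is treated as a new mapping, not as a match.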
The ARP rate limit applies to all gratuitous ARPs sent for local addresses on new configurations, ACE reboot, and on MAC address changes.
When you change the ARP request interval for learned hosts and configured hosts, the new timeout does not take effect until the existing timer expires. If you want the new timeout to take effect immediately, enter the clear arp command to apply the new ARP interval (see the clear arp command).
For more information, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
3.0(0)A1(3) This command was revised with the sync disable and sync-interval keywords.
3.0(0)A1(6.2a) This command was revised with the ratelimit keyword.
A2(3.2) The static arp command now allows the configuration of a multicast MAC address.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.6) The static arp command now allows the configuration of a multicast MAC address.
Examples To allow ARP responses from the router at 10.1.1.1 with the MAC address 00.02.9a.3b.94.d9, enter:
host1/contexta(config)# arp 10.1.1.1 00.02.9a.3b.94.d9
To remove a static ARP entry, enter:
host1/contexta(config)# no arp 10.1.1.1 00.02.9a.3b.94.d9
To enable ARP inspection and to drop all nonmatching ARP packets, enter:
host1/contexta(config)# arp inspection enable no-flood
To configure the retry attempt interval of 15 seconds, enter:
host1/contexta(config)# arp rate 15
To reset the retry attempt interval to the default of 10 seconds, enter:
host1/contexta(config)# no arp rate
To disable the replication of ARP entries, enter:
host1/contexta(config)# arp sync disable
Related Commands clear arp
show arp
(config) banner
Use the banner command to specify a message to display as the message-of-the-day banner when a user connects to the ACE CLI. Use the no form of this command to delete or replace a banner or a line in a multiline banner.
banner motd text
no banner motd text
Syntax Description
motd Configures the system to display as the message-of-the-day banner when a user connects to the ACE.
text Line of message text to be displayed as the message-of-the-day banner. The text string consists of all characters that follow the first space until the end of the line (carriage return or line feed). The # character functions as the delimiting character for each line. For the banner text, spaces are allowed but tabs cannot be entered at the CLI. Multiple lines in a message-of-the-day banner are handled by entering a new banner command for each line that you wish to add.
The banner message is a maximum of 80 alphanumeric characters per line, up to a maximum of 3000 characters (3000 bytes) total for a message-of-the-day banner. This maximum value includes all line feeds and the last delimiting character in the message.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To replace a banner or a line in a multiline banner, use the no banner motd command before adding the new lines.
To add multiple lines in a message-of-the-day banner, precede each line by the banner motd command. The ACE appends each line to the end of the existing banner. If the text is empty, the ACE adds a carriage return (CR) to the banner.
You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable, as follows:
• $(hostname)—Displays the hostname for the ACE during run time.
• $(line)—Displays the tty (teletypewriter) line or name (for example, /dev/console, /dev/pts/0, or 1).
To use the $(hostname) in single-line banner motd input, include double quotation marks (“) around the $(hostname) so that the $ is interpreted as the special character for the beginning of a variable in the single line. An example is as follows:
switch/Admin(config)# banner motd #Welcome to “$(hostname)”...#
Do not use the double quotation mark (“) or the percent sign (%) as a delimiting character in a single-line message string. Do not use the delimiting character in the message string.
For multiline input, double quotation marks (“) are not required for the token because the input mode is different from the single-line mode. The ACE treats the double quotation mark (“) as a regular character when you operate in multiline mode.
Examples To add a message-of-the-day banner, enter:
host1/Admin(config)# banner motd #Welcome to the “$(hostname)”.
host1/Admin(config)# banner motd Contact me at admin@admin.com for any
host1/Admin(config)# banner motd issues.#
Related Commands show banner motd
(config) boot system image:
To set the BOOT environment variable, use the boot system image: command. Use the no form of this command to remove the name of the system image file.
boot system image:filename
no boot system image:filename
Syntax Description
filename Name of the system image file.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can add several images to the BOOT environment variable to provide a fail-safe boot configuration. If the first file fails to boot the ACE, subsequent images that are specified in the BOOT environment variable are tried until the ACE boots or there are no additional images to attempt to boot. If there is no valid image to boot, the ACE enters ROM-monitor mode where you can manually specify an image to boot.
The ACE stores and executes images in the order in which you added them to the BOOT environment variable. If you want to change the order in which images are tried at startup, you can either prepend and clear images from the BOOT environment variable to attain the desired order or you can clear the entire BOOT environment variable and then redefine the list in the desired order.
If the file does not exist (for example, if you entered the wrong filename), then the filename is appended to the boot string, and this message displays:
Warning: File not found but still added in the bootstring.
If the file does exist, but is not a valid image, the file is not added to the bootstring, and this message displays:
Warning: file found but it is not a valid boot image.
Examples ACE Module Example
To set the BOOT environment variable, enter:
host1/Admin(config)# boot system image:sb-ace.REL_1_0_0
ACE Appliance Example
To set the BOOT environment variable, enter:
host1/Admin(config)# boot system image:ace-t1k9-mzg.3.1.0.bin
Related Commands show bootvar
(config) config-register
(config) buffer threshold
To set threshold levels for the NP buffers in the active and the standby ACEs and cause the active ACE to reboot if the thresholds are reached or exceeded, use the buffer threshold command. Use the no form of this command to .
buffer threshold active number1 standby number2 action reload
no buffer threshold active number1 standby number2 action reload
Syntax Description
active number1 Specifies the buffer threshold for the active redundant ACE or stand-alone ACE as a percentage. Enter 50, 75, 88, 95, or 100. There is no default value. In a redundant configuration, if the buffer usage of any NP reaches or exceeds the threshold and each of the NP’s buffer usage in the standby ACE is below the configured standby threshold, the active ACE reboots and a switchover occurs. For a standalone ACE, if any of the NP’s buffer usage exceeds the active value, then the ACE reboots.
standby number2 Specifies the buffer threshold for the standby redundant ACE. Enter 10, 20, 30, 40, or 50. There is no default value. In a redundant configuration, if the active ACE buffer usage reaches or exceeds the configured active threshold and the standby ACE buffer usage reaches or exceeds the standby threshold, the active ACE does not reboot and no switchover occurs. For a reload and a switchover to occur, the standby buffer usage of all NPs must be less than the configured standby threshold value.
action reload Specifies that the ACE reloads when the buffer utilization exceeds the configured threshold. In a redundant configuration, a switchover occurs upon reload of the active ACE.
Command Modes Configuration mode
Admin context only
Command History
ACE Release Modification
A5(1.0) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE checks the status of NP buffer usage every five seconds to initiate the reload action if the buffer threshold is configured and reached, and to generate syslogs if necessary. If the buffer threshold command is configured and if the NP buffer usage reaches or exceeds the threshold, the ACE reloads. In a redundant configuration, a switchover occurs and the former standby ACE becomes the active ACE. In the absence of this command, the automatic reload feature is disabled. You can also use this command in a stand-alone ACE.
Examples To specify the active NP buffer utilization threshold as 88 percent and the standby NP buffer utilization threshold as 40 percent, enter the following command:
host1/Admin(config)# buffer threshold active 88 standby 40 action reload
Related Commands show np
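The reload and switchover rule stated in the Usage Guidelines and in the active and standby descriptions above, as an added example that is not part of the Cisco ACE documentation: a Python model of the decision the ACE makes at each five-second poll, so that a planned threshold pair can be checked against observed per-NP utilization before the command is committed. The function names and the sample utilization figures are constructed for this example; the accepted threshold values are the ones the syntax description lists.

```python
"""Model of the ACE buffer threshold reload decision (added example)."""
from typing import Optional, Sequence

ACTIVE_THRESHOLDS = (50, 75, 88, 95, 100)   # values the active keyword accepts
STANDBY_THRESHOLDS = (10, 20, 30, 40, 50)   # values the standby keyword accepts


def validate_thresholds(active: int, standby: Optional[int]) -> None:
    """Reject a threshold pair the CLI would not accept."""
    if active not in ACTIVE_THRESHOLDS:
        raise ValueError(f"active threshold must be one of {ACTIVE_THRESHOLDS}, got {active}")
    if standby is not None and standby not in STANDBY_THRESHOLDS:
        raise ValueError(f"standby threshold must be one of {STANDBY_THRESHOLDS}, got {standby}")


def should_reload(active_np_usage: Sequence[int],
                  active_threshold: int,
                  standby_np_usage: Optional[Sequence[int]] = None,
                  standby_threshold: Optional[int] = None) -> bool:
    """Return True if the ACE would reload at this poll.

    active_np_usage  - buffer utilization in percent for each NP on the active
                       (or stand-alone) ACE
    standby_np_usage - the same for the standby ACE; None for a stand-alone ACE
    """
    validate_thresholds(active_threshold, standby_threshold)
    # Any single NP reaching the active threshold is enough to trigger the check.
    if not any(usage >= active_threshold for usage in active_np_usage):
        return False
    if standby_np_usage is None:
        return True                      # stand-alone: nothing to fail over to, reload anyway
    if standby_threshold is None:
        raise ValueError("a standby threshold is required in a redundant configuration")
    # Redundant pair: reload (and so switch over) only while every NP on the
    # standby is still below the standby threshold. If the standby is under the
    # same pressure, a switchover would not help, so the active stays up.
    return all(usage < standby_threshold for usage in standby_np_usage)


if __name__ == "__main__":
    # Constructed utilization samples for the reference's 88/40 example.
    for active, standby in (([40, 90], [10, 20]), ([40, 90], [10, 40]), ([87, 50], [0, 0])):
        verdict = "reload and switchover" if should_reload(active, 88, standby, 40) else "no action"
        print(f"active NPs {active} standby NPs {standby}: {verdict}")
    print("stand-alone, one NP at 88%:", should_reload([88], 88))
```

The second constructed case is the one worth remembering: one standby NP sitting exactly at the standby threshold is enough to suppress the reload, so a low standby value makes the automatic reload far less likely to fire in a pair that is loaded evenly.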
(config) class-map
To create a Layer 3 and Layer 4 or a Layer 7 class map, use the class-map command. Use the no form
of the command to remove a class map from the ACE.
class-map [match-all | match-any] map_name
class-map type {ftp inspect match-any | generic {match-all | match-any}} map_name
class-map type {http {inspect | loadbalance} | management | radius loadbalance |
rtsp loadbalance | sip {inspect | loadbalance}} [match-all | match-any] map_name
no class-map [match-all | match-any] map_name
no class-map type {ftp inspect match-any | generic {match-all | match-any}} map_name
no class-map type {http {inspect | loadbalance} | management | radius loadbalance |
rtsp loadbalance | sip {inspect | loadbalance}} [match-all | match-any] map_name
Syntax Description match-all Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when
multiple match criteria exist in a class map. The class map is considered a match if
all the match criteria listed in the class map match the network traffic (typically,
match commands of different types). match-all is the default.
match-any Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when
multiple match criteria exist in a class map. The class map is considered a match if
any one of the match criteria listed in the class map matches the network traffic
(typically, match commands of the same type). The default is match-all.
map_name Name assigned to the class map. Enter an unquoted text string with no spaces and a
maximum of 64 alphanumeric characters. For a Layer 3 and Layer 4 class map, you
enter the class map configuration mode and the prompt changes to (config-cmap).
type Specifies the class map type that is to be defined. When you specify a class map type,
you enter its corresponding class map configuration mode (for example, HTTP
inspection configuration mode).
ftp inspect Specifies a Layer 7 class map for the inspection of File Transfer Protocol (FTP)
request commands. For information about commands in FTP inspection
configuration mode, see the “Class Map FTP Inspection Configuration Mode
Commands” section.
generic Specifies a Layer 7 class map for generic TCP or UDP data parsing. For information
about commands in class map generic configuration mode, see the “Class Map
Generic Configuration Mode Commands” section.
http inspect | loadbalance Specifies a Layer 7 class map for HTTP server load balancing (loadbalance
keyword) or a Layer 7 class map for the HTTP deep packet application protocol
inspection (inspect keyword) of traffic through the ACE.
For information about commands in class map HTTP inspection configuration mode,
see the “Class Map HTTP Inspection Configuration Mode Commands” section. For
information about commands in class map HTTP server load-balancing configuration
mode, see the “Class Map HTTP Load Balancing Configuration Mode Commands”
section.
management Specifies a Layer 3 and Layer 4 class map to classify the IP network management
protocols received by the ACE. For information about commands in class map
management configuration mode, see the “Class Map Management Configuration
Mode Commands” section.
radius loadbalance Specifies a Layer 7 class map for RADIUS server load balancing of traffic through
the ACE. For information about commands in RADIUS server load-balancing
configuration mode, see the “Class Map RADIUS Load Balancing Configuration
Mode Commands” section.
rtsp loadbalance Specifies a Layer 7 class map for RTSP server load balancing of traffic through the
ACE. For information about commands in RTSP server load-balancing configuration
mode, see the “Class Map RTSP Load Balancing Configuration Mode Commands”
section.
sip inspect | loadbalance Specifies a Layer 7 class map for SIP server load balancing (loadbalance keyword)
or a Layer 7 class map for the SIP deep packet application protocol inspection
(inspect keyword) of traffic through the ACE.
For information about commands in class map SIP inspection configuration mode,
see the “Class Map SIP Inspection Configuration Mode Commands” section. For
information about commands in class map SIP server load-balancing configuration
mode, see the “Class Map SIP Load Balancing Configuration Mode Commands”
section.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
Usage Guidelines This command requires the inspect, loadbalance, NAT, connection, SSL, or vip feature in your user role,
depending on the type of class map that you want to configure. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Use the class map configuration mode commands to create class maps that classify inbound network
traffic destined to, or passing through, the ACE based on a series of flow match criteria specified in the
class map. The CLI prompt changes correspondingly to the selected class map configuration mode, for
example, (config-cmap), (config-cmap-ftp-insp), (config-cmap-http-lb), or (config-cmap-mgmt).
A Layer 3 and Layer 4 class map contains match criteria that classify the following:
• Network traffic that can pass through the ACE based on source or destination IP address, source or
destination port, or IP protocol and port
• Network management traffic that can be received by the ACE based on the HTTP, HTTPS, ICMP,
SNMP, SSH, or Telnet protocols
A Layer 7 class map contains match criteria that classify specific Layer 7 protocol information. The
match criteria enable the ACE to do the following:
• Perform server load balancing based on the HTTP cookie, the HTTP header, the HTTP URL,
protocol header fields, or source IP addresses
• Perform deep packet inspection of the HTTP protocol
• Perform FTP request command filtering
The ACE supports a system-wide maximum of 8192 class maps.
For details about creating a class map, see the Administration Guide, Cisco ACE Application Control
Engine.
When multiple match criteria exist in the traffic class, you can identify evaluation instructions using the
match-any or match-all keywords. If you specify match-any, the traffic that is evaluated must match
one of the specified criteria (typically, match commands of the same type). If you specify match-all,
the traffic that is evaluated must match all of the specified criteria (typically, match commands of
different types).
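The match-all and match-any evaluation described above, as an added example that is not part of the Cisco ACE documentation: a Python model of how a Layer 3 and Layer 4 class map classifies flows under each mode, run over constructed sample flows. The criterion helpers (source_address, destination_address, port), the class maps and the flow values are constructed for this example; they stand in for the ACE match subcommands and are not their syntax.

```python
"""Evaluate class-map match-all / match-any semantics over sample flows (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# A criterion is a predicate over a Flow; a class map is a list of them plus the mode.
Criterion = Callable[[Flow], bool]


def source_address(cidr: str) -> Criterion:
    net = ip_network(cidr, strict=False)
    return lambda f: ip_address(f.src) in net


def destination_address(cidr: str) -> Criterion:
    net = ip_network(cidr, strict=False)
    return lambda f: ip_address(f.dst) in net


def port(proto: str, number: int) -> Criterion:
    return lambda f: f.proto == proto and f.dport == number


@dataclass
class ClassMap:
    name: str
    mode: str = "match-all"                      # the ACE default
    criteria: List[Criterion] = field(default_factory=list)

    def matches(self, flow: Flow) -> bool:
        if not self.criteria:
            return False                         # nothing to match against
        if self.mode == "match-all":
            return all(c(flow) for c in self.criteria)
        if self.mode == "match-any":
            return any(c(flow) for c in self.criteria)
        raise ValueError(f"unknown mode {self.mode!r}")


def classify(flow: Flow, class_maps: List[ClassMap]) -> List[str]:
    """Names of every class map the flow satisfies, in configuration order."""
    return [cm.name for cm in class_maps if cm.matches(flow)]


# Constructed class maps: match-all combines criteria of different types into one
# "from here, to there, on this port" rule; match-any lists alternatives of one type.
VIP_HTTPS_FROM_CORP = ClassMap("VIP_HTTPS_FROM_CORP", "match-all",
                               [source_address("10.0.0.0/8"),
                                destination_address("192.0.2.10/32"),
                                port("tcp", 443)])
WEB_PORTS = ClassMap("WEB_PORTS", "match-any",
                     [port("tcp", 80), port("tcp", 443), port("tcp", 8080)])
# Same criteria as VIP_HTTPS_FROM_CORP but under match-any: any one criterion suffices.
VIP_LOOSE = ClassMap("VIP_LOOSE", "match-any", VIP_HTTPS_FROM_CORP.criteria)
CLASS_MAPS = [VIP_HTTPS_FROM_CORP, WEB_PORTS, VIP_LOOSE]

if __name__ == "__main__":
    for flow in (Flow("10.1.2.3", "192.0.2.10", "tcp", 443),
                 Flow("203.0.113.5", "192.0.2.10", "udp", 53)):
        print(flow, "->", classify(flow, CLASS_MAPS))
```

The VIP_LOOSE case is the one to watch for in a review: the same three criteria under match-any classify a UDP DNS flow from an outside address, because it happens to be addressed to 192.0.2.10. A VIP class map that is meant to read "from this source, to this address, on this port" must be match-all (the default), or it admits any flow that satisfies a single criterion.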
Examples To create a Layer 3 and Layer 4 class map named L4VIP_CLASS that specifies the network traffic that
can pass through the ACE for server load balancing, enter:
host1/Admin(config)# class-map match-all L4VIP_CLASS
host1/Admin(config-cmap)#
To create a Layer 3 and Layer 4 class map named MGMT-ACCESS_CLASS that classifies the network
management protocols that can be received by the ACE, enter:
host1/Admin(config)# class-map type management match-any MGMT-ACCESS_CLASS
host1/Admin(config-cmap-mgmt)#
To create a Layer 7 class map named L7SLB_CLASS that performs HTTP server load balancing, enter:
host1/Admin(config)# class-map type http loadbalance match-any L7SLB_CLASS
host1/Admin(config-cmap-http-lb)#
To create a Layer 7 class map named HTTP_INSPECT_L7CLASS that performs HTTP deep packet
inspection, enter:
host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)#
To create a Layer 7 class map named FTP_INSPECT_L7CLASS that performs FTP command
inspection, enter:
host1/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
host1/Admin(config-cmap-ftp-insp)#
Related Commands show startup-config
(config) policy-map
(config) service-policy
(config) clock timezone
To set the time zone, use the clock timezone command. Use the no form of this command to remove
the time zone setting.
clock timezone {zone_name {+ | –} hours minutes} | {standard time_zone}
no clock timezone
Syntax Description
zone_name 8-letter name of the time zone (for example, PDT) to be displayed when the time zone is
in effect. See Table 1-5 in the “Usage Guidelines” section for a list of the common time
zone acronyms used for this argument.
hours Hours offset from Coordinated Universal Time (UTC).
minutes Minutes offset from UTC. Range is from 0 to 59 minutes.
standard time_zone Sets the time to a standard time zone that includes an applicable UTC hours offset. Enter
one of the following well-known time zones:
• ACST—Australian Central Standard Time as UTC + 9.5 hours
• AKST—Alaska Standard Time as UTC –9 hours
• AST—Atlantic Standard Time as UTC –4 hours
• BST—British Summer Time as UTC + 1 hour
• CEST—Central Europe Summer Time as UTC + 2 hours
• CET—Central Europe Time as UTC + 1 hour
• CST—Central Standard Time as UTC –6 hours
• EEST—Eastern Europe Summer Time as UTC + 3 hours
• EET—Eastern Europe Time as UTC + 2 hours
• EST—Eastern Standard Time as UTC –5 hours
• GMT—Greenwich Mean Time as UTC
• HST—Hawaiian Standard Time as UTC –10 hours
• IST—Irish Summer Time as UTC + 1 hour
• MSD—Moscow Summer Time as UTC + 4 hours
• MSK—Moscow Time as UTC + 3 hours
• MST—Mountain Standard Time as UTC –7 hours
• PST—Pacific Standard Time as UTC –8 hours
• WEST—Western Europe Summer Time as UTC + 1 hour
• WST—Western Standard Time as UTC + 8 hours
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) The ACST keyword (Australian Central Standard Time, UTC + 9.5 hours) was
introduced; it replaces the CST keyword for that zone.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) The ACST keyword (Australian Central Standard Time, UTC + 9.5 hours) was
introduced; it replaces the CST keyword for that zone.
Usage Guidelines The ACE keeps time internally in UTC, so this command affects only the displayed time and the
interpretation of a time that you set manually.
This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Table 1-5 lists common time zone acronyms used for the zone_name argument. Note that the same
acronym can denote different zones (CST and EST appear under both United States and Canada and
Australia); the acronym is a display label and it is the hours and minutes offset that sets the clock.
Table 1-5 Time Zone Acronyms
Acronym Time Zone Name and UTC Offset
Europe
BST British Summer Time as UTC + 1 hour
CET Central Europe Time as UTC + 1 hour
CEST Central Europe Summer Time as UTC + 2 hours
EET Eastern Europe Time as UTC + 2 hours
EEST Eastern Europe Summer Time as UTC + 3 hours
GMT Greenwich Mean Time as UTC
IST Irish Summer Time as UTC + 1 hour
MSK Moscow Time as UTC + 3 hours
MSD Moscow Summer Time as UTC + 4 hours
WET Western Europe Time as UTC
WEST Western Europe Summer Time as UTC + 1 hour
United States and Canada
AST Atlantic Standard Time as UTC –4 hours
ADT Atlantic Daylight Time as UTC –3 hours
CT Central Time, either as CST or CDT, depending on the place and time of the year
CST Central Standard Time as UTC –6 hours
CDT Central Daylight Saving Time as UTC –5 hours
ET Eastern Time, either as EST or EDT, depending on the place and time of the year
EST Eastern Standard Time as UTC –5 hours
EDT Eastern Daylight Saving Time as UTC –4 hours
MT Mountain Time, either as MST or MDT, depending on the place and time of the year
MDT Mountain Daylight Saving Time as UTC –6 hours
MST Mountain Standard Time as UTC –7 hours
PT Pacific Time, either as PST or PDT, depending on the place and time of the year
PDT Pacific Daylight Saving Time as UTC –7 hours
PST Pacific Standard Time as UTC –8 hours
AKST Alaska Standard Time as UTC –9 hours
AKDT Alaska Daylight Saving Time as UTC –8 hours
HST Hawaiian Standard Time as UTC –10 hours
Australia
CST Central Standard Time as UTC + 9.5 hours
EST Eastern Standard/Summer Time as UTC + 10 hours (+11 hours during summer time)
WST Western Standard Time as UTC + 8 hours
Examples To set the time zone to PST with a UTC offset of –8 hours, enter:
host1/Admin(config)# clock timezone PST -8 0
To remove the clock time-zone setting, enter:
host1/Admin(config)# no clock timezone PST -8 0
Related Commands (ACE appliance only) clock set
show clock
(config) clock summer-time
(config) clock summer-time
To configure the ACE to change the time automatically to summer time (daylight saving time), use the
clock summer-time command. Use the no form of this command to remove the clock summer-time
setting.
clock summer-time {daylight_timezone_name start_week start_day start_month start_time
end_week end_day end_month end_time daylight_offset | standard time_zone}
no clock summer-time
Syntax Description
daylight_timezone_name 8-letter name of the time zone (for example, PDT) to be displayed when
summer time is in effect. For a list of the common time zone acronyms
used for this argument, see the “Usage Guidelines” section for the
(config) clock timezone command.
start_week Start week for summer time, ranging from 1 through 5.
start_day Start day for summer time, ranging from Sunday through Saturday.
start_month Start month for summer time, ranging from January through December.
start_time Start time (24-hour format) in hours and minutes.
end_week End week for summer time, ranging from 1 through 5.
end_day End day for summer time, ranging from Sunday through Saturday.
end_month End month for summer time, ranging from January through December.
end_time End time (24-hour format) in hours and minutes.
daylight_offset Number of minutes to add during summer time. Valid entries are from
1 to 1440. The default is 60.
standard time_zone Sets the daylight time to a standard time zone that includes an
applicable daylight time start and end range along with a daylight offset.
Enter one of the following well-known time zones:
• ADT—Atlantic Daylight Time: 2 a.m. first Sunday in April to 2 a.m. last Sunday in October,
+ 60 minutes
• AKDT—Alaska Daylight Time: 2 a.m. first Sunday in April to 2 a.m. last Sunday in October,
+ 60 minutes
• CDT—Central Daylight Time: 2 a.m. first Sunday in April to 2 a.m. last Sunday in October,
+ 60 minutes
• EDT—Eastern Daylight Time: 2 a.m. first Sunday in April to 2 a.m. last Sunday in October,
+ 60 minutes
• MDT—Mountain Daylight Time: 2 a.m. first Sunday in April to 2 a.m. last Sunday in October,
+ 60 minutes
• PDT—Pacific Daylight Time: 2 a.m. first Sunday in April to 2 a.m. last Sunday in October,
+ 60 minutes
Command Modes Configuration mode
Admin context only
Command History
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The first part of the command specifies when summer time begins, and the second part specifies when
summer time ends. All times are relative to the local time zone: the start time is relative to standard
time and the end time is relative to summer time. If the starting month is after the ending month, the
ACE assumes that you are located in the southern hemisphere.
The start and end dates built into the ADT, AKDT, CDT, EDT, MDT, and PDT keywords are the United
States rules that applied before 2007. Since 2007 the United States observes daylight saving time from
the second Sunday in March to the first Sunday in November, so to follow the current rules specify the
dates explicitly instead of using a keyword; otherwise the displayed time, and any timestamp you read
from the ACE, is off by one hour for several weeks each year.
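The rule semantics above (start read in standard time, end read in summer time, a start month after the end month meaning a southern-hemisphere rule), as an added example that is not part of the Cisco ACE documentation: a Python resolver that turns a clock summer-time rule and the clock timezone offset into the UTC instants at which summer time starts and ends, which is what you need when correlating ACE timestamps with logs kept in UTC. It assumes that a week value of 5 denotes the last occurrence of the weekday in the month, as in the reference's "5 Sun Oct" example; the class and function names and the PACIFIC and SOUTHERN sample rules are constructed for this example.

```python
"""Resolve a clock summer-time rule to UTC transition instants (added example)."""
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Tuple

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}  # date.weekday() numbering
MONTHS = {"Jan": 1, "Feb": 2, "Mar": 3, "Apr": 4, "May": 5, "Jun": 6,
          "Jul": 7, "Aug": 8, "Sep": 9, "Oct": 10, "Nov": 11, "Dec": 12}


@dataclass(frozen=True)
class Boundary:
    """One side of the rule: week, day, month and wall-clock time."""
    week: int      # 1 to 5; 5 is taken to mean the last such weekday (assumption)
    day: str       # "Sun" .. "Sat"
    month: str     # "Jan" .. "Dec"
    time: str      # "HH:MM" local wall-clock time

    def on(self, year: int) -> datetime:
        """Naive local date-time of this boundary in the given year."""
        if not 1 <= self.week <= 5:
            raise ValueError("week must be between 1 and 5")
        month = MONTHS[self.month]
        last_day = calendar.monthrange(year, month)[1]
        candidates = [d for d in range(1, last_day + 1)
                      if date(year, month, d).weekday() == WEEKDAYS[self.day]]
        day = candidates[-1] if self.week == 5 else candidates[self.week - 1]
        hour, minute = (int(part) for part in self.time.split(":"))
        return datetime(year, month, day, hour, minute)


@dataclass(frozen=True)
class SummerTimeRule:
    name: str
    start: Boundary
    end: Boundary
    daylight_offset: int = 60    # minutes added during summer time, the command's default

    def transitions_utc(self, year: int, std_offset_minutes: int) -> Tuple[datetime, datetime]:
        """UTC instants at which summer time starts and ends in `year`.

        std_offset_minutes is the clock timezone offset (for example -480 for PST).
        The start is expressed in standard time and the end in summer time, so
        each is converted with a different offset.
        """
        std = timedelta(minutes=std_offset_minutes)
        dst = std + timedelta(minutes=self.daylight_offset)
        start_utc = (self.start.on(year) - std).replace(tzinfo=timezone.utc)
        end_utc = (self.end.on(year) - dst).replace(tzinfo=timezone.utc)
        return start_utc, end_utc

    def in_summer_time(self, instant_utc: datetime, std_offset_minutes: int) -> bool:
        """True if the instant falls in summer time under this rule."""
        local_year = (instant_utc + timedelta(minutes=std_offset_minutes)).year
        start, end = self.transitions_utc(local_year, std_offset_minutes)
        if start < end:                                   # northern hemisphere: one interval inside the year
            return start <= instant_utc < end
        return instant_utc >= start or instant_utc < end  # southern hemisphere: interval spans the new year

    def utc_offset_minutes(self, instant_utc: datetime, std_offset_minutes: int) -> int:
        """Minutes to add to UTC to obtain the ACE's displayed local time at that instant."""
        if self.in_summer_time(instant_utc, std_offset_minutes):
            return std_offset_minutes + self.daylight_offset
        return std_offset_minutes


# Constructed sample rules: the reference's Pacific example, and a southern-hemisphere
# rule whose start month (October) is after its end month (April).
PACIFIC = SummerTimeRule("Pacific", Boundary(1, "Sun", "Apr", "02:00"), Boundary(5, "Sun", "Oct", "02:00"))
SOUTHERN = SummerTimeRule("AEDT", Boundary(1, "Sun", "Oct", "02:00"), Boundary(1, "Sun", "Apr", "03:00"))

if __name__ == "__main__":
    for rule, std in ((PACIFIC, -480), (SOUTHERN, 600)):
        start, end = rule.transitions_utc(2011, std)
        print(f"{rule.name}: summer time starts {start:%Y-%m-%d %H:%M}Z, ends {end:%Y-%m-%d %H:%M}Z")
```

For the Pacific rule with a -8 hour standard offset, the 2011 start is 3 April 10:00 UTC (02:00 PST) and the end is 30 October 09:00 UTC (02:00 PDT); the one-hour difference between the two conversions is exactly the point the usage guidelines make about which clock each time is read from.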
Examples To specify that summer time begins on the first Sunday in April at 02:00 and ends on the last Sunday in
October at 02:00, with a daylight offset of 60 minutes, enter:
host1/Admin(config)# clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60
To remove the clock summer-time setting, enter:
host1/Admin(config)# no clock summer-time
Related Commands show clock
(config) clock timezone
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config) config-register
To change the configuration register settings, use the config-register configuration command. Use the
no form of this command to reset the config-register to its default setting.
config-register value
no config-register value
Syntax Description
value Configuration register value that you want to use the next time that you restart the ACE.
• For the ACE module, the supported value entries are as follows:
– 0—(default) Upon reboot, the ACE boots to ROM monitor. The ACE remains in
ROM monitor mode at startup.
– 1—Upon reboot, the ACE boots the system image identified in the BOOT
environment variable (see the (config) boot system image: command). The BOOT
environment variable specifies a list of image files on various devices from which
the ACE can boot at startup. If the ACE encounters an error or if the image is not
valid, it will try the second image (if one is specified). If the second image also fails
to boot, the ACE returns to ROM monitor.
• For the ACE appliance, the supported value entries are as follows:
– 0x0—Upon reboot, the ACE boots to the GNU GRand Unified Bootloader (GRUB).
From the GRUB boot loader, you specify the system boot image to use to boot the
ACE. Upon startup, the ACE loads the startup-configuration file stored in Flash
memory (nonvolatile memory) to the running-configuration file stored in RAM
(volatile memory).
– 0x1—(default) Upon reboot, the ACE boots the system image identified in the
BOOT environment variable (see (config) boot system image:). The BOOT
environment variable specifies a list of image files on various devices from which
the ACE can boot at startup. If the ACE encounters an error or if the image is not
valid, it will try the second image (if one is specified). Upon startup, the ACE loads
the startup-configuration file stored in Flash memory (nonvolatile memory) to the
running-configuration file stored in RAM (volatile memory).
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can modify the boot method that the ACE uses at the next startup by setting the boot field in the
software configuration register. The configuration register identifies how the ACE should boot.
For the ACE module, it also identifies where the system image is stored. You can modify the boot field
to force the ACE to boot a particular system image at startup instead of using the default system image.
The config-register command affects only the configuration register bits that control the boot field and
leaves the remaining bits unaltered.
A value that stops in ROM monitor or GRUB (0 on the module, 0x0 on the appliance) leaves the ACE
waiting for an operator after any reboot, including an unattended one, so return the register to the image
boot value once maintenance is complete.
Examples ACE Module Example
To set the boot field in the configuration register to boot the system image identified in the BOOT
environment variable upon reboot, enter:
host1/Admin(config)# config-register 1
ACE Appliance Example
To set the boot field in the configuration register to boot the system image identified in the BOOT
environment variable upon reboot and to load the startup-configuration file stored in Flash memory,
enter:
host1/Admin(config)# config-register 0x1
Related Commands (config) boot system image:
(config) context
To create a context, use the context command. The CLI prompt changes to (config-context). A context
provides a user view into the ACE and determines the resources available to a user. Use the no form of
this command to remove a context.
context name
no context name
Syntax Description
name Name that designates a context. Enter an unquoted text string with no spaces and a maximum
of 64 alphanumeric characters. Do not configure a context name that contains opening
braces, closing braces, white spaces, or any of the following characters: ` $ % & * ( ) \ | ; ' "
< > / ?
Do not start the context name with the following characters: - . # ~
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(2.3) This command no longer accepts a context name that contains opening braces,
closing braces, white spaces, or any of the following symbols: ` $ % & * ( ) \ | ; ' " < > / ?
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.3) This command no longer accepts a context name that contains opening braces,
closing braces, white spaces, or any of the following symbols: ` $ % & * ( ) \ | ; ' " < > / ?
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
By default, the ACE allows you to create and use five user-configured contexts plus the default Admin
context. To use a maximum of 251 contexts (Admin context plus 250 user contexts), you must purchase
an additional license from Cisco Systems.
Examples To create a context called C1, enter:
host1/Admin(config)# context C1
host1/Admin(config-context)#
To remove the context from the configuration, enter:
host1/Admin(config)# no context C1
Related Commands changeto
show context
show user-account
show users
(config) crypto authgroup
To create a certificate authentication group, use the crypto authgroup command. Once you create an
authentication group, the CLI enters the authentication group configuration mode, where you add
the required certificate files to the group. Use the no form of this command to delete an existing
authentication group.
crypto authgroup group_name
no crypto authgroup group_name
Syntax Description
group_name Name that you assign to the authentication group. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
A4(1.0) The number of certificates in an authentication group was increased
from 4 to 10.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) The number of certificates in an authentication group was increased
from 4 to 10.
Usage Guidelines This command requires the Secure Sockets Layer (SSL) feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
An authentication group defines a set of certificates that the ACE trusts as certificate signers. After
creating the authentication group and assigning its certificates, you can configure client authentication
on an SSL proxy service by assigning the authentication group to the service. You include an
authentication group in the handshake process by configuring the SSL proxy service with the
authentication group (see the (config) ssl-proxy service command).
Every certificate in the group is a trust anchor for that service: a client certificate that chains to any of
them is accepted. Include only the CAs that issue the client certificates you intend to accept, and pair
the group with a CRL (see the (config) crypto crl command) if those CAs revoke certificates.
You can configure an authentication group with up to ten certificates.
Examples To create the authentication group AUTH-CERT1, enter:
host1/Admin(config)# crypto authgroup AUTH-CERT1
Related Commands (config) ssl-proxy service
(config) crypto chaingroup
To create a certificate chain group, use the crypto chaingroup command. Once you create a chain group,
the CLI enters the chaingroup configuration mode, where you add the required certificate files to
the group. Use the no form of this command to delete an existing chain group.
crypto chaingroup group_name
no crypto chaingroup group_name
Syntax Description
group_name Name that you assign to the chain group. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
Usage Guidelines This command requires the Secure Sockets Layer (SSL) feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
A chain group specifies the certificate chains that the ACE sends to its peer during the handshake
process. A certificate chain is a hierarchical list of certificates that includes the subject's certificate, the
root CA certificate, and any intermediate CA certificates. You include a chain group in the handshake
process by configuring the SSL proxy service with the chain group (see the (config) ssl-proxy service
command).
The peer validates the subject's certificate against its own trust anchors, so the intermediate CA
certificates are the part of the chain the peer depends on receiving; a missing intermediate is the usual
reason a client reports the certificate as untrusted even though the root CA is installed on the client.
Each context on the ACE can contain up to eight chain groups.
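The chain a chain group must carry, as an added example that is not part of the Cisco ACE documentation: a Python routine that orders certificates from the subject's certificate up to the root by following issuer links, and fails clearly when an intermediate is missing or the links loop. Certificates are modelled as subject and issuer name pairs constructed for the example rather than parsed X.509, which is enough to show the ordering; the class and function names and the sample PKI are constructed for this example.

```python
"""Assemble the certificate chain for a chain group from issuer links (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(ValueError):
    """The chain cannot be completed from the certificates available."""


def build_chain(leaf: Cert, available: List[Cert], include_root: bool = True) -> List[Cert]:
    """Walk issuer links from the subject certificate up to a self-signed root.

    Returns the certificates in send order: subject first, then each
    intermediate, then (optionally) the root. Raises ChainError if an issuer
    is not among the available certificates, which is the missing-intermediate
    case, or if the issuer links loop.
    """
    by_subject: Dict[str, Cert] = {c.subject: c for c in available}
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while not current.self_signed:
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            raise ChainError(f"no certificate for issuer {current.issuer!r} of {current.subject!r}")
        if issuer.subject in seen:
            raise ChainError(f"issuer loop at {issuer.subject!r}")
        seen.add(issuer.subject)
        chain.append(issuer)
        current = issuer
    # The peer must already hold the root as a trust anchor, so sending it is
    # optional; a self-signed subject certificate is always sent on its own.
    if not include_root and len(chain) > 1:
        return chain[:-1]
    return chain


# Constructed PKI: leaf issued by an intermediate, intermediate issued by the root.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA")
LEAF = Cert("CN=www.example.com", "CN=Example Issuing CA")

if __name__ == "__main__":
    for cert in build_chain(LEAF, [ROOT, INTERMEDIATE]):
        print(cert.subject)
    try:
        build_chain(LEAF, [ROOT])          # intermediate left out of the group
    except ChainError as err:
        print("incomplete chain:", err)
```

Running the second call is the check worth automating before a chain group is built: a group that holds the root and the server certificate but not the issuing CA passes through the CLI without complaint and only fails at the client.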
Examples To create the chain group MYCHAINGROUP, enter:
host1/Admin(config)# crypto chaingroup MYCHAINGROUP
Related Commands (config) ssl-proxy service
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config) crypto crl
To download a certificate revocation list (CRL) to the ACE, use the crypto crl command. Use the no
form of this command to remove a CRL.
crypto crl crl_name url
no crypto crl crl_name
Syntax Description
crl_name Name that you assign to the CRL. Enter an unquoted text string with no spaces
and a maximum of 64 alphanumeric characters.
url URL where the ACE retrieves the CRL. Enter the URL full path including the
CRL filename in an unquoted alphanumeric string with a maximum of
255 characters. Both HTTP and LDAP URLs are supported. Start the URL with
the http:// prefix or the ldap:// prefix.
Command Modes Configuration mode
Admin and user contexts
Command History
Usage Guidelines This command requires the Secure Sockets Layer (SSL) feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
You can use a CRL downloaded to the ACE for client or server authentication on an SSL proxy service.
After you download the CRL, you can assign it to an SSL proxy service for either client or server
authentication (see (config-ssl-proxy) crl for more information).
The ldap:/// prefix, that is, an LDAP URL that names no host, is not considered a valid LDAP CRL link in the CRL distribution point (CDP) portion of the server certificate.
Valid formats for LDAP URLs are as follows:
• ldap://10.10.10.1:389/dc=cisco,dc=com?o=bu?certificateRevocationList
• ldap://10.10.10.1/dc=cisco,dc=com?o=bu?certificateRevocationList
• ldap://ldapsrv.cisco.com/dc=cisco,dc=com?o=bu?certificateRevocationList
• ldap://ldapsrv.cisco.com:389/dc=cisco,dc=com?o=bu?certificateRevocationList
To use a question mark (?) character as part of the URL, press Ctrl-v before entering it. Otherwise the
ACE interprets the question mark as a help command.
You can configure up to eight CRLs per context.
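The URL constraints above (http:// or ldap:// prefix, the 255-character limit, and the LDAP forms listed as valid, all of which name a host), as an added example that is not part of the Cisco ACE documentation: a Python check that accepts or rejects a CRL URL on those rules before it is pasted into the CLI, and breaks an LDAP URL into its host, port, base DN and the question-mark-separated fields that follow. The function and class names are constructed for this example; the test URLs are the reference's own examples plus constructed invalid ones.

```python
"""Validate a CRL download URL for the crypto crl command (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

MAX_URL_LEN = 255          # limit stated for the url argument
LDAP_DEFAULT_PORT = 389    # used when the URL carries no port


@dataclass(frozen=True)
class LdapCrlUrl:
    host: str
    port: int
    base_dn: str
    fields: Tuple[str, ...]   # the '?'-separated parts after the DN, as written in the URL


def check_crl_url(url: str) -> Optional[LdapCrlUrl]:
    """Raise ValueError for a URL the ACE would reject.

    Returns the parsed components for an ldap:// URL and None for an
    acceptable http:// URL.
    """
    if len(url) > MAX_URL_LEN:
        raise ValueError(f"URL is longer than {MAX_URL_LEN} characters")
    if any(ch.isspace() for ch in url):
        raise ValueError("URL must be an unquoted string without whitespace")
    parts = urlsplit(url)
    if parts.scheme == "http":
        if not parts.netloc or parts.path in ("", "/"):
            raise ValueError("http URL must name a host and the full path to the CRL file")
        return None
    if parts.scheme != "ldap":
        raise ValueError("URL must start with the http:// or ldap:// prefix")
    if not parts.hostname:
        raise ValueError("ldap URL must name a host; the ldap:/// form is not accepted")
    port = parts.port if parts.port is not None else LDAP_DEFAULT_PORT   # .port raises ValueError if not numeric
    base_dn = unquote(parts.path.lstrip("/"))
    if not base_dn:
        raise ValueError("ldap URL must carry a base DN after the host")
    # urlsplit has already cut at the first '?'; the remaining fields are
    # '?'-separated inside the query part.
    fields = tuple(unquote(f) for f in parts.query.split("?")) if parts.query else ()
    return LdapCrlUrl(parts.hostname, port, base_dn, fields)


if __name__ == "__main__":
    for candidate in ("http://crl.verisign.com/class1.crl",
                      "ldap://ldapsrv.cisco.com/dc=cisco,dc=com?o=bu?certificateRevocationList",
                      "ldap:///dc=cisco,dc=com?o=bu?certificateRevocationList"):
        try:
            print(candidate, "->", check_crl_url(candidate) or "http CRL")
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

The question marks that the parser splits on are the same ones that the CLI treats as a help request, so when you type an LDAP URL that passes this check, press Ctrl-v before each question mark as the usage guidelines describe.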
Examples To download a CRL that you want to name CRL1 from http://crl.verisign.com/class1.crl, enter:
host1/Admin(config)# crypto crl CRL1 http://crl.verisign.com/class1.crl
To remove the CRL, enter:
host1/Admin(config)# no crypto crl CRL1
Related Commands (config) ssl-proxy service
ACE Module Release Modification
A2(1.0) This command was introduced.
A2(2.0) This command was revised to support LDAP URLs and increased the
number of CRLs per context from four to eight.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
A4(1.0) This command was revised to support LDAP URLs and increased the
number of CRLs per context from four to eight.
(config) crypto crlparams
To configure signature verification on a Certificate Revocation List (CRL) to determine that it is from a
trusted certificate authority, or to configure a timeout for CRL downloads that specifies the maximum
wait time for the ACE to retrieve the CRL data from a server, use the crypto crlparams command. Use
the no form of this command to remove the CRL global parameters.
crypto crlparams crl_name {cacert ca_cert_filename | timeout number}
no crypto crlparams crl_name {cacert ca_cert_filename | timeout number}
Syntax Description
crl_name Name that you assign to the CRL. Enter an unquoted text string with no spaces
and a maximum of 64 alphanumeric characters.
cacert ca_cert_filename Name of the CA certificate file used for signature verification.
timeout number Specifies the time in seconds that the ACE waits for the CRL data before closing
the connection with the server. For static CRLs, enter an integer from 2 to 300.
For best-effort CRLs, the timeout is 60 seconds and not user-configurable. If the
ACE does not receive the entire CRL data within the timeout limit, the ACE closes
the socket connection with the server. For static CRLs, you can abort the CRL data
download by removing the static CRL from the configuration.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.4) and A2(2.1) This command was introduced.
A4(1.1) Added the timeout number keyword and argument.
ACE Appliance Release Modification
A3(2.2) This command was introduced.
A4(1.1) Added the timeout number keyword and argument.
Usage Guidelines This command requires the PKI feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
In the absence of the timeout keyword, if the ACE does not receive the complete certificate revocation
list (CRL) in a timely manner from a CRL server, or the server does not close the connection, the ACE
continues to wait for the data to arrive. While it is waiting for the CRL data, the ACE keeps the socket
connection with the server open until the TCP connection with the server is closed because of inactivity.
The TCP inactivity timer value could be as large as an hour. There is no way to clear this already
established connection with the CRL server, even if the static CRL is removed from the configuration.
Examples To configure a 200-second CRL download timeout for CRL1, enter the following command:
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Configuration Mode Commands
host1/Admin(config)# crypto crl-params CRL1 timeout 200
When the CRL data download timeout expires and the download is aborted, the ACE generates a syslog
to log the event as follows:
%ACE-6-253008: CRL crl_name could not be retrieved, reason: crl data dnld timeout error
The crl_name variable indicates the name of an existing CRL whose download was aborted because the
CRL download timeout expired.
To return the behavior of the ACE to the default of waiting until the entire CRL is downloaded before
closing the SSL connection or waiting for the TCP inactivity timeout to close the TCP connection, enter
the following command:
host1/Admin(config)# no crypto crl-params CRL1 timeout 200
Related Commands (config) ssl-proxy service
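The timeout behavior described in this entry, as an added example (not Cisco code): a Python simulation with a virtual clock that contrasts a silent CRL server holding the socket open until the TCP inactivity timer (assumed here to be exactly one hour, the upper bound the reference gives) with the configured crl-params timeout closing it and emitting the %ACE-6-253008 message, plus a parser for that message. The server behaviors and the timeout-aborted result fields are constructed for the example.

```python
"""Simulation of the ACE static-CRL download timeout (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# The reference says the TCP inactivity timer can be as large as an hour;
# this simulation assumes exactly one hour.
TCP_INACTIVITY_SECONDS = 3600

# Documented range for `timeout number` on static CRLs.
STATIC_CRL_TIMEOUT_MIN = 2
STATIC_CRL_TIMEOUT_MAX = 300

# Fixed, non-configurable timeout the reference gives for best-effort CRLs.
BEST_EFFORT_CRL_TIMEOUT = 60

# Shape of the syslog message the reference shows for an aborted download.
SYSLOG_RE = re.compile(
    r"%ACE-6-253008: CRL (?P<crl_name>\S+) could not be retrieved, "
    r"reason: crl data dnld timeout error"
)


def validate_static_crl_timeout(seconds: int) -> int:
    """Reject values outside the documented 2..300 range for static CRLs."""
    if not isinstance(seconds, int) or not (STATIC_CRL_TIMEOUT_MIN <= seconds <= STATIC_CRL_TIMEOUT_MAX):
        raise ValueError(
            f"static CRL timeout must be an integer from {STATIC_CRL_TIMEOUT_MIN} "
            f"to {STATIC_CRL_TIMEOUT_MAX}, got {seconds!r}"
        )
    return seconds


@dataclass
class DownloadResult:
    crl_name: str
    complete: bool         # True only if the server closed the connection after sending
    data: bytes            # whatever arrived before the socket was closed
    elapsed: float         # simulated seconds the socket stayed open
    reason: str            # "complete", "crl data dnld timeout error" or "tcp inactivity"
    syslog: Optional[str]  # the %ACE-6-253008 line when the crl-params timeout aborted it


def _abort(crl_name: str, data: bytes, deadline: float, timeout: Optional[int]) -> DownloadResult:
    if timeout is not None:
        msg = f"%ACE-6-253008: CRL {crl_name} could not be retrieved, reason: crl data dnld timeout error"
        return DownloadResult(crl_name, False, data, float(deadline), "crl data dnld timeout error", msg)
    # No crl-params timeout: the ACE keeps waiting until TCP inactivity closes the
    # connection. The reference does not state what is logged then, so nothing is.
    return DownloadResult(crl_name, False, data, float(deadline), "tcp inactivity", None)


def download_crl(crl_name: str, server: Iterable[Tuple[float, bytes]],
                 timeout: Optional[int] = None) -> DownloadResult:
    """Simulate the ACE reading a CRL from a server.

    `server` yields (seconds_until_this_chunk, chunk). An empty chunk means the
    server closed the connection normally. If the iterator is exhausted without
    an empty chunk, the server went silent without closing, and the connection
    stays open until the crl-params timeout (if configured) or TCP inactivity.
    """
    if timeout is not None:
        validate_static_crl_timeout(timeout)
    deadline = timeout if timeout is not None else TCP_INACTIVITY_SECONDS
    data = bytearray()
    now = 0.0
    for delay, chunk in server:
        if now + delay > deadline:
            # Next chunk would arrive too late; the socket is closed at the deadline.
            return _abort(crl_name, bytes(data), deadline, timeout)
        now += delay
        if chunk == b"":
            return DownloadResult(crl_name, True, bytes(data), now, "complete", None)
        data += chunk
    # Server stopped sending without closing: the socket is held until the deadline.
    return _abort(crl_name, bytes(data), deadline, timeout)


def failed_crls(syslog_lines: Iterable[str]) -> List[str]:
    """Names of CRLs whose download the timeout aborted, taken from ACE syslog lines."""
    return [m.group("crl_name") for m in map(SYSLOG_RE.search, syslog_lines) if m]


# Constructed server behaviors, not captured traffic.
HEALTHY_SERVER = [(1.0, b"-----BEGIN X509 CRL-----\n"), (1.0, b"MIIB...\n"), (0.5, b"")]
SILENT_SERVER = [(50.0, b"-----BEGIN X509 CRL-----\n"), (50.0, b"MIIB")]  # never closes

if __name__ == "__main__":
    print(download_crl("CRL1", HEALTHY_SERVER, timeout=200))
    print(download_crl("CRL1", SILENT_SERVER, timeout=200).syslog)
    print(download_crl("CRL1", SILENT_SERVER).elapsed)  # socket held for a full hour
```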
(config) crypto csr-params
To create a Certificate Signing Request (CSR) parameter set to define a set of distinguished name attributes, use the crypto csr-params command. Use the no form of this command to remove an existing CSR parameter set.
crypto csr-params csr_param_name
no crypto csr-params csr_param_name
Syntax Description
csr_param_name Name that designates a CSR parameter set. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A CSR parameter set defines the distinguished name attributes that the ACE applies to the CSR during the CSR-generating process. The distinguished name attributes provide the CA with the information that it needs to authenticate your site. Creating a CSR parameter set allows you to generate multiple CSRs with the same distinguished name attributes. You can create up to eight CSR parameter sets per context.
When you use the crypto csr-params command to specify a CSR parameter set, the prompt changes to the csr-params configuration mode (for more information on this mode and commands, see the “CSR Parameters Configuration Mode Commands” section), where you define each of the distinguished name attributes. The ACE requires that you define the following attributes:
• Country name
• State or province
• Common name
• Serial number
If you do not configure the required attributes, the ACE displays an error message when you attempt to generate a CSR using the incomplete CSR parameter set.
Examples To create the CSR parameter set CSR_PARAMS_1, enter:
host1/Admin(config)# crypto csr-params CSR_PARAMS_1
host1/Admin(config-csr-params)#
Related Commands crypto generate csr
show crypto
(config) crypto ocspserver
To configure an Online Certificate Status Protocol (OCSP) server that the ACE uses for revocation checks, use the crypto ocspserver command. Use the no form of this command to remove the OCSP server from the configuration.
crypto ocspserver ocsp_server_name url [conninactivitytout timeout] [nonce enable | disable] [reqsigncert signer_cert_filename {reqsignkey signer_key_filename}] [respsigncert response_signer_cert]
no crypto ocspserver ocsp_server_name url [conninactivitytout timeout] [nonce enable | disable] [reqsigncert signer_cert_filename {reqsignkey signer_key_filename}] [respsigncert response_signer_cert]
Syntax Description
ocsp_server_name Identifier of the OCSP server. You use this name to apply the OCSP server to an SSL proxy service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
url HTTP URL in the form: http://ocsphost.com:port_id/. The port ID is optional. If you do not specify a port, the default value of 2560 is used. You can specify either an IPv4- or an IPv6-based URL. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters.
conninactivitytout timeout (Optional) TCP connection inactivity timeout, in seconds. Enter an integer from 2 to 3600. The default is 300 seconds.
nonce enable | disable (Optional) Enables or disables the use of a nonce. By default, nonce is disabled. A nonce is a unique string that is used to bind OCSP requests and responses. When a nonce is enabled, the ACE includes a unique string in the requests that it sends to the OCSP server. The server must include the string in its responses to the ACE to verify the response.
reqsigncert signer_cert_filename (Optional) Signer’s certificate filename to sign outgoing requests to the OCSP server. By default, the request is not signed.
reqsignkey signer_key_filename (Optional) Signer’s private key filename to sign outgoing requests to the OCSP server. By default, the request is not signed. If you enter the reqsigncert option, you must enter the reqsignkey option.
respsigncert response_signer_cert (Optional) Certificate to verify the signature of the OCSP server responses. By default, the signature in the response from the OCSP server is not verified.
Command Modes Configuration mode
All contexts
Command History
ACE Module Release Modification
A5(1.0) This command was introduced.
ACE Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
OCSP has the following configuration guidelines and restrictions:
• You can configure a maximum of 64 OCSP servers in the ACE.
• You can configure a maximum of 10 OCSP servers in an SSL proxy service.
• The ACE can handle a maximum of 64 OCSP server connections with both static and best effort OCSP servers combined.
• If you configure best-effort OCSP servers and best-effort CRLs in the same proxy list, the ACE extracts a maximum of four AIAs and four CDPs to conserve resources.
• Client authentication may be delayed when you configure OCSP servers and CRLs in the same SSL proxy service.
• The ACE does not perform authentication and revocation checks on response signer certificates.
Examples To configure an OCSP server that the ACE uses to check the revocation status of SSL certificates, enter the following command:
host1/Admin(config)# crypto ocspserver OCSP_SSERVER1 http://10.10.10.10/ nonce enable conninactivitytout 60
To remove an OCSP server from the configuration, enter the following command:
host1/Admin(config)# no crypto ocspserver OCSP_SSERVER1
Related Commands show crypto
(config) crypto rehandshake enabled
To enable SSL rehandshake for all VIPs in a context, use the crypto rehandshake enabled command in configuration mode. By default, SSL rehandshake is disabled in all ACE contexts. Use the no form of this command to reset the default behavior.
crypto rehandshake enabled
no crypto rehandshake enabled
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
All contexts
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A4(1.0) This command was introduced.
Usage Guidelines This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The crypto rehandshake enabled configuration mode command overrides the rehandshake enable parameter map command that you can configure individually in an SSL proxy service.
Examples To enable SSL rehandshake for all VIPs in a context, enter:
host1/Admin(config)# crypto rehandshake enabled
To return the ACE behavior to the default of rehandshake being disabled, enter:
host1/Admin(config)# no crypto rehandshake enabled
Related Commands show crypto
(config-parammap-ssl) rehandshake enabled
(config) domain
To create a domain, use the domain command. The CLI prompt changes to (config-domain). See the “Domain Configuration Mode Commands” section for details. Use the no form of this command to remove a domain from the configuration.
domain name
no domain name
Syntax Description
name Name for the domain. Enter an unquoted text string with no spaces and a maximum of 76 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(2.0) The length of the name argument changes from 64 to 76 characters.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can configure a maximum of 63 domains in each context.
A domain does not restrict the context configuration that you can display using the show running-config command. You can still display the running configuration for the entire context. However, you can restrict your access to the configurable objects within a context by adding to the domain only a limited subset of all the objects available to a context. To limit a user’s ability to manipulate the objects in a domain, you can assign a role to that user. For more information about domains and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can configure KAL-AP TAGs as domains. For the domain load calculation, the ACE considers the Layer 3 class map, server farm, and real server objects. All other objects under the domain are ignored during the calculation.
Examples To create a domain named D1, enter:
host1/Admin(config)# domain D1
host1/Admin(config-domain)#
Related Commands (config) context
show user-account
show users
(config) end
To exit from configuration mode and return to Exec mode, use the end command.
end
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can also press Ctrl-Z or enter the exit command to exit configuration mode.
Examples To exit from configuration mode and return to Exec mode, enter:
host1/Admin(config)# end
host1/Admin#
Related Commands This command has no related commands.
(config) exit
To exit from the current configuration mode and return to the previous mode, use the exit command.
exit
Syntax Description This command has no keywords or arguments.
Command Modes All configuration modes
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
In configuration mode, the exit command transitions to the Exec mode.
In all other configuration modes, the exit command transitions to the previous configuration mode.
You can also press Ctrl-Z, enter the (config) end command, or enter the exit command to exit configuration mode.
Examples To exit from configuration mode and return to Exec mode, enter:
host1/Admin(config)# exit
host1/Admin#
To exit from interface configuration mode and return to configuration mode, enter:
host1/Admin(config-if)# exit
host1/Admin(config)#
Related Commands This command has no related commands.
(config) ft auto-sync
To enable automatic synchronization of the running-configuration and the startup-configuration files in a redundancy configuration, use the ft auto-sync command. Use the no form of this command to disable the automatic synchronization of the running-configuration or the startup-configuration file.
ft auto-sync {running-config | startup-config}
no ft auto-sync {running-config | startup-config}
Syntax Description
running-config Enables autosynchronization of the running-configuration file. The default is enabled.
startup-config Enables autosynchronization of the startup-configuration file. The default is enabled.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
By default, the ACE automatically updates the running configuration on the standby context of an FT group with any changes that occur to the running configuration of the active context. If you disable the ft auto-sync command, you need to update the configuration of the standby context manually. For more information about configuration synchronization and configuring redundancy, see the Administration Guide, Cisco ACE Application Control Engine.
Caution Toggling ft auto-sync running-config in the Admin context may have undesirable side effects if the same command is also disabled in an active user context. If the ft auto-sync running-config command is disabled in the active Admin context and in an active user context, and you subsequently enable the ft auto-sync running-config command in the active Admin context first, the entire configuration of the standby user context will be lost. Always enter the ft auto-sync running-config command in the active user context first, and then enable the command in the active Admin context.
The ACE does not copy or write changes in the running-configuration file to the startup-configuration file unless you enter the copy running-config startup-config command or the write memory command for the current context. To write the contents of the running-configuration file to the startup-configuration file for all contexts, use the write memory all command. At this time, if the ft auto-sync startup-config command is enabled, the ACE syncs the startup-configuration file on the active ACE to the standby ACE.
The ACE does not synchronize the SSL certificates and key pairs that are present in the active context with the standby context of an FT group. If the ACE performs a configuration synchronization and does not find the necessary certs and keys in the standby context, config sync fails and the standby context enters the STANDBY_COLD state.
Caution Do not enter the no inservice command followed by the inservice command on the active context of an FT group when the standby context is in the STANDBY_COLD state. Doing so may cause the standby context running-configuration file to overwrite the active context running-configuration file.
To copy the certs and keys to the standby context, you must export the certs and keys from the active context to an FTP or TFTP server using the crypto export command, and then import the certs and keys to the standby context using the crypto import command. For more information about importing and exporting certs and keys, see the SSL Guide, Cisco ACE Application Control Engine.
To return the standby context to the STANDBY_HOT state in this case, ensure that you have imported the necessary SSL certs and keys to the standby context, and then perform a bulk sync of the active context configuration by entering the following commands in configuration mode in the active context of the FT group:
1. no ft auto-sync running-config
2. ft auto-sync running-config
Examples To enable autosynchronization of the running-configuration file in the C1 context, enter:
host1/C1(config)# ft auto-sync running-config
Related Commands (config) ft group
(config) ft interface vlan
(config) ft peer
(config) ft track host
(ACE module only) (config) ft track hsrp
(config) ft track interface
(config) ft connection-sync disable
By default, connection replication is enabled. There may be times when you want to disable it. To disable connection replication, use the ft connection-sync disable command. The syntax of this command is as follows:
ft connection-sync disable
no ft connection-sync disable
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.1) This command was introduced.
ACE Appliance Release Modification
A4(1.1) This command was introduced.
Usage Guidelines This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Initially, after you disable connection replication, the active ACE does not synchronize connections to the standby ACE. After a bulk sync:
• New connections are not synchronized
• Connections are not updated in a periodic scan
• Connections that are already synchronized on the standby are not torn down
If you enable connection replication after a bulk sync occurs, the ACE takes the following actions:
• New connections are synced immediately
• Existing connections are synced in the next periodic cycle (in approximately 3 to 4 minutes)
Sticky replication is disabled by default and you can configure it on a per sticky group basis. The replicate sticky command takes precedence over the ft connection-sync disable command, so new client connections can be load balanced to the same server even when connection replication is disabled.
Note the following caveats with stickiness when connection replication is disabled:
• The sticky database is not always in sync on the standby. With connection replication disabled, sticky connections on the active close normally, but on the standby the connections time out according to the idle timeout setting.
• When sticky entries are approaching their expiration time, it is possible to have a zero active-conns-count on the standby and still have active connections on the active ACE. This condition can lead to sticky entries that are not present after a switchover.
Examples To disable connection replication in the C1 context, enter the following command:
host1/C1(config)# ft connection-sync disable
To reenable connection replication after you have disabled it, enter the following command:
host1/Admin(config)# no ft connection-sync disable
Related Commands (config) ft auto-sync
(config) ft group
To create a fault-tolerant (FT) group for redundancy, use the ft group command. After you enter this command, the system enters the FT group configuration mode. Use the no form of this command to remove an FT group from the configuration.
ft group group_id
no ft group group_id
Syntax Description
group_id Unique identifier of the FT group.
• For the ACE module, enter an integer from 1 to 255.
• For the ACE appliance, enter an integer from 1 to 64.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.6) The number of FT groups increased from 21 to 64.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You must configure the same group ID on both peer ACEs.
On each ACE, you can create multiple FT groups:
• For the ACE module, up to a maximum of 251 (250 contexts and 1 Admin context)
• For the ACE appliance, up to a maximum of 64 groups
Each group consists of a maximum of two members (contexts): one active context on one ACE and one standby context on the peer ACE.
For information about the commands in FT group configuration mode, see the “FT Group Configuration Mode Commands” section.
Examples To configure an FT group, enter:
host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)#
To remove the group from the configuration, enter:
host1/Admin(config)# no ft group 1
Related Commands (config) ft auto-sync
(config) ft interface vlan
(config) ft peer
(config) ft track host
(ACE module only) (config) ft track hsrp
(config) ft track interface
(config) ft interface vlan
To create a dedicated fault-tolerant (FT) VLAN over which two redundant peers communicate, use the ft interface vlan command. After you enter this command, the system enters the FT interface configuration mode. Use the no form of this command to remove an FT VLAN from the configuration.
ft interface vlan vlan_id
no ft interface vlan vlan_id
Syntax Description
vlan_id Unique identifier for the FT VLAN. Enter an integer from 2 to 4094.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Peer ACEs communicate with each other over a dedicated FT VLAN. These redundant peers use the FT VLAN to transmit and receive heartbeat packets and state and configuration replication packets. You must configure the same VLAN on each peer ACE. You cannot use this VLAN for normal network traffic, and the FT VLAN does not support IPv6.
To remove an FT VLAN, first remove it from the FT peer using the no ft interface vlan command in FT peer configuration mode. See the (config-ft-peer) ft-interface vlan command for more information.
(ACE appliance only) To configure one of the Ethernet ports or a port-channel interface on the ACE for fault tolerance using a dedicated FT VLAN for communication between the members of an FT group, use the ft-port vlan command in interface configuration mode. See the (config-if) ft-port vlan command for more information.
(ACE appliance only) On both peer ACE appliances, you must configure the same Ethernet port or port-channel interface as the FT VLAN port. For example:
• If you configure ACE appliance 1 to use Ethernet port 4 as the FT VLAN port, then be sure to configure ACE appliance 2 to use Ethernet port 4 as the FT VLAN port.
• If you configure ACE appliance 1 to use port-channel interface 255 as the FT VLAN port, then be sure to configure ACE appliance 2 to use port-channel interface 255 as the FT VLAN port.
Examples To configure an FT VLAN, enter:
host1/Admin(config)# ft interface vlan 200
host1/Admin(config-ft-intf)#
To remove the FT VLAN from the redundancy configuration, enter:
host1/Admin(config)# no ft interface vlan 200
Related Commands (config) ft auto-sync
(config) ft group
(config) ft peer
(config) ft track host
(ACE module only) (config) ft track hsrp
(config) ft track interface
(ACE appliance only) (config-if) ft-port vlan
(config) ft peer
On both peer ACEs, configure an FT peer definition. To create an FT peer, use the ft peer command. After you enter this command, the system enters the FT peer configuration mode. You can configure a maximum of two ACEs as redundancy peers. Use the no form of this command to remove the FT peer from the configuration.
ft peer peer_id
no ft peer peer_id
Syntax Description
peer_id Unique identifier of the FT peer. Enter 1.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Each ACE can have one FT peer. FT peers are redundant ACEs that communicate with each other over a dedicated FT VLAN.
Before you can remove an FT peer from the configuration, remove the peer from the FT group using the no peer command in FT group configuration mode.
For information about the commands in FT peer configuration mode, see the “FT Peer Configuration Mode Commands” section.
Examples To configure an FT peer, enter:
host1/Admin(config)# ft peer 1
host1/Admin(config-ft-peer)#
Related Commands (config) ft auto-sync
(config) ft group
(config) ft interface vlan
(config) ft track host
(ACE module only) (config) ft track hsrp
(config) ft track interface
(config) ft track host
To create a tracking and failure detection process for a gateway or host, use the ft track host command. After you enter this command, the system enters FT track host configuration mode. Use the no form of this command to remove the gateway-tracking process.
ft track host name
no ft track host name
Syntax Description
name Unique identifier of the tracking process for a gateway or host. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the fault-tolerant (FT) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about commands in FT track host configuration mode, see the “FT Track Host Configuration Mode Commands” section.
For details about configuring redundant ACEs, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To create a tracking process for a gateway, enter:
host1/Admin(config)# ft track host TRACK_GATEWAY1
host1/Admin(config-ft-track-host)#
To remove the gateway-tracking process, enter:
host1/Admin(config)# no ft track host TRACK_GATEWAY1
Related Commands (ACE module only) (config) ft track hsrp
(config) ft track interface
(config) ft track hsrp
(ACE module only) To configure failure detection and tracking for a Hot Standby Router Protocol (HSRP) group, use the ft track hsrp command. After you enter this command, the system enters FT track hsrp configuration mode. Use the no form of this command to stop tracking for an HSRP group.
ft track hsrp name
no ft track hsrp name
Syntax Description
name Unique identifier of the tracking process for an HSRP group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command requires the fault-tolerant (FT) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You must configure the HSRP group on the supervisor engine on the Catalyst 6500 series switch before you configure HSRP tracking on the ACE. Failure to do so may result in erroneous state information for the HSRP group being displayed in the show ft track detail command output in Exec mode. For information about commands in FT track hsrp configuration mode, see the “FT Track Interface Configuration Mode Commands” section.
For details about configuring redundant ACEs, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To configure FT tracking for an HSRP group, enter:
host1/Admin(config)# ft track hsrp TRACK_HSRP_GRP1
host1/Admin(config-ft-track-hsrp)#
To remove the HSRP group-tracking process, enter:
host1/Admin(config)# no ft track hsrp TRACK_HSRP_GRP1
Related Commands (config) ft auto-sync
(config) ft group
(config) ft interface vlan
(config) ft peer
(config) ft track host
(config) ft track interface
(config) ft track interface
To create a tracking and failure detection process for a critical interface, use the ft track interface
command. After you enter this command, the system enters FT track interface configuration mode. Use the
no form of this command to stop tracking for an interface.
ft track interface name
no ft track interface name
Syntax Description
Command Modes Configuration mode
Admin and user contexts
Command History
name Unique identifier of the tracking process for a critical interface. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.2-325
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Configuration Mode Commands
Usage Guidelines This command requires the fault-tolerant (FT) feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
You cannot delete an interface if the ACE is using the interface for tracking. Also, you cannot configure
the FT VLAN for tracking.
For information about commands in FT track interface configuration mode, see the “FT Track Interface
Configuration Mode Commands” section.
For details about configuring redundant ACE ACEs, see the Administration Guide, Cisco ACE
Application Control Engine.
Examples To configure a tracking and failure detection process for an interface, enter:
host1/Admin(config)# ft track interface TRACK_VLAN100
To remove the interface-tracking process, enter:
host1/Admin(config)# no ft track interface TRACK_VLAN100
Related Commands (config) ft auto-sync
(config) ft group
(config) ft interface vlan
(config) ft peer
(config) ft track host
(ACE module only) (config) ft track hsrp
(config) hostname
To specify a hostname for the ACE, use the hostname command. The hostname is used for the command
line prompts and default configuration filenames. If you establish sessions to multiple devices, the
hostname helps you track where you enter commands. Use the no form of this command to reset the
hostname to the default of switch.
hostname name
no hostname name
Syntax Description
name New hostname for the ACE. Enter a case-sensitive text string that contains from 1 to
32 alphanumeric characters (with no spaces). The underscore (_) character is not supported
in the hostname for the ACE.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) Underscores (_) in the host name for an ACE are not supported.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) Underscores (_) in the host name for an ACE are not supported.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
By default, the hostname for the ACE is switch.
Examples To change the hostname of the ACE from switch to ACE1, enter:
switch/Admin(config)# hostname ACE1
ACE1/Admin(config)#
Related Commands (config) peer hostname
(config) hw-module
(ACE module only) To configure hardware module parameters in the ACE, use the hw-module command.
Use the no form of this command to reset to the default behavior.
hw-module {cde-same-port-hash | optimize-lookup}
no hw-module {cde-same-port-hash | optimize-lookup}
Syntax Description
cde-same-port-hash Configures the classification and distribution engine (CDE) to perform the
hash function using the ports when the source and destination ports of a TCP or
UDP packet are equal. When this command is configured, the ACE also disables
implicit PAT on packets so that the source port does not change. This command is
available only in the Admin context.
optimize-lookup Disables the egress MAC address lookup that the ACE normally performs.
Use this command when you have multiple ACEs installed in a chassis with
heavy traffic to improve performance.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(6.2a) This command was introduced.
A2(1.0) This command was revised with the optimize-lookup keyword.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
By default, when the source and destination ports of a TCP or UDP packet are equal, the CDE uses the
source IP address and destination IP address to perform the hash function. When they are not equal, the
CDE only uses the ports. When the cde-same-port-hash command is configured and the ports are equal,
the CDE uses a slightly different hash method from the default method.
If you have multiple ACEs installed in a Catalyst 6500 Series Switch or in a Cisco Catalyst 7600 Router,
you may experience lower performance than expected with very high rates of traffic. If you fail to
achieve the advertised performance of the ACE, you can disable the egress MAC address lookup using
the hw-module optimize-lookup command.
Do not use the hw-module optimize-lookup command if you have intelligent modules with distributed
forwarding cards (DFCs) installed in the Catalyst 6500 Series Switch or the Cisco Catalyst 7600 Router.
Using this command with such modules will cause the Encoded Address Recognition Logic (EARL)
units on these modules and on the Supervisor to become unsynchronized.
Examples To configure the CDE to perform the hash function using the ports when the source and destination
ports of a TCP or UDP packet are equal, enter:
switch/Admin(config)# hw-module cde-same-port-hash
To reset the default behavior, enter:
switch/Admin(config)# no hw-module cde-same-port-hash
Related Commands show cde
(config) interface
To configure a bridge-group virtual interface (BVI), a VLAN interface, or (on the ACE appliance) an
Ethernet port or port-channel interface, use the interface command. The CLI prompt changes to
(config-if). Use the no form of this command to remove the interface.
interface {bvi group_number | gigabitEthernet slot_number/port_number | port-channel
channel_number | vlan number}
no interface {bvi group_number | gigabitEthernet slot_number/port_number | port-channel
channel_number | vlan number}
Syntax Description
bvi group_number Creates a BVI for a bridge group and accesses interface configuration mode
commands for the BVI. The group_number argument is the bridge-group number
configured on a VLAN interface.
gigabitEthernet slot_number/port_number (ACE appliance only) Specifies one of the four Ethernet ports on
the rear panel of the ACE as follows:
• slot_number—The physical slot on the ACE containing the Ethernet ports.
This selection is always 1, the location of the daughter card in the ACE. The
daughter card includes the four Layer 2 Ethernet ports to perform Layer 2
switching.
• port_number—The physical Ethernet port on the ACE. Valid selections are 1
through 4, which specifies one of the four Ethernet ports (1, 2, 3, or 4)
associated with the slot 1 (daughter card) selection.
port-channel channel_number (ACE appliance only) Specifies the channel number assigned to this
port-channel interface. Valid values are from 1 to 255.
vlan number Assigns the VLAN to the context and accesses interface configuration mode
commands for the VLAN. The number argument is the number for a VLAN
assigned to the ACE.
Command Modes Configuration mode
BVI and VLAN—Admin and user contexts
(ACE appliance only) Ethernet port and port-channel interface—Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about commands in interface configuration mode, see the “Interface Configuration
Mode Commands” section. For details about configuring a BVI interface, Ethernet port, port-channel
interface, or VLAN interface, see the Routing and Bridging Guide, Cisco ACE Application Control
Engine.
To enable the bridge-group VLANs, you must configure a bridge-group virtual interface (BVI) that
represents a corresponding bridge group. You should configure an IP address in the same subnet on the
BVI. This address is used for management traffic and as a source IP address for traffic from the ACE,
similar to ARP requests.
You can configure one or more VLAN interfaces in any user context before you assign those VLAN
interfaces to the associated user contexts through the (config-context) allocate-interface command in
the Admin context.
The ACE supports a maximum of 4093 VLAN interfaces with a maximum of 1024 shared VLANs.
Each ACE supports a maximum of 8192 interfaces that includes VLANs, shared VLANs, and BVI
interfaces.
ACE Appliance Guidelines
In addition, the Ethernet port and port-channel interface command functions require the Admin user role.
The four Ethernet ports provide physical Ethernet ports to connect servers, PCs, routers, and other
devices to the ACE. You can configure the four Ethernet ports to provide an interface for connecting to
10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiate,
full-duplex, or half-duplex operation on an Ethernet LAN and can carry traffic within a designated
VLAN.
You can group physical ports together on the ACE to form a logical Layer 2 interface called the
EtherChannel (or port channel). You must configure all the ports that belong to the same port channel
with the same values (such as port parameters, VLAN membership, and trunk configuration). Only one
port channel in a channel group is allowed, and a physical port can belong to only a single port-channel
interface.
Examples To assign VLAN interface 200 to the Admin context and access interface configuration mode, enter:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)#
To remove a VLAN, enter:
host1/Admin(config)# no interface vlan 200
To create a BVI for bridge group 15, enter:
host1/Admin(config)# interface bvi 15
host1/Admin(config-if)#
To delete a BVI for bridge group 15, enter:
host1/Admin(config)# no interface bvi 15
ACE Appliance Example
To configure Ethernet port 3 and access interface configuration mode, enter:
host1/Admin(config)# interface gigabitEthernet 1/3
host1/Admin(config-if)#
To create a port-channel interface with a channel number of 255, enter:
host1/Admin(config)# interface port-channel 255
host1/Admin(config-if)#
Related Commands clear interface
show interface
(config) ip dhcp relay
To configure a Dynamic Host Configuration Protocol (DHCP) relay agent on the ACE, use the ip dhcp
relay command. When you configure the ACE as a DHCP relay agent, it is responsible for forwarding
the requests and responses negotiated between the DHCP clients and the server. You must configure a
DHCP server when you enable the DHCP relay. Use the no form of this command to disable a DHCP
relay agent setting.
ip dhcp relay {enable | information policy {keep | replace} | server ip_address}
no ip dhcp relay {enable | information policy {keep | replace} | server ip_address}
Syntax Description
enable Accepts DHCP requests from clients on the associated context or interface and
enables the DHCP relay agent. The DHCP relay starts forwarding packets to the
DHCP server address specified in the ip dhcp relay server command for the
associated interface or context.
information policy Configures the relay agent information reforwarding policy, which determines
what the ACE (acting as the relay agent) does when a forwarded message already
contains relay agent information (DHCP option 82).
keep Indicates that the DHCP relay agent leaves existing relay agent information
unchanged. This is the default setting.
replace Indicates that the DHCP relay agent overwrites existing relay agent information.
server Specifies the IP address of a DHCP server to which the DHCP relay agent
forwards client requests.
ip_address IP address of the DHCP server. Enter the address in dotted-decimal IP notation
(for example, 192.168.11.1).
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the DHCP feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The DHCP relay agent can be configured at both the context and interface level of the ACE. Note the
following configuration considerations:
• If you configure the DHCP relay agent at the context level, the configuration applies to all
interfaces associated with the context.
• If you configure the DHCP relay agent at the interface level, the configuration applies to that
particular interface only; the remaining interfaces fall back to the context-level configuration.
Examples To set the IP address of a DHCP server at the context level, enter:
host1/Admin# changeto C1
host1/C1# config
Enter configuration commands, one per line. End with CNTL/Z
host1/C1(config)# ip dhcp relay enable
host1/C1(config)# ip dhcp relay server 192.168.20.1
To specify the DHCP relay at the interface level, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip dhcp relay enable
host1/Admin(config-if)# ip dhcp relay server 192.168.20.1
To remove the IP address of the DHCP server, enter:
host1/Admin(config-if)# no ip dhcp relay server 192.168.20.1
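The keep and replace policies above, as an added example in Python (this is not Cisco ACE code; the option encoding, the sample DISCOVER and the agent identifiers are constructed for the example): a minimal DHCP options parser plus the relay decision. The point it makes visible is that keep forwards whatever option 82 the message arrived with, so it trusts the client or upstream device that inserted it, while replace always stamps the relay's own circuit and remote IDs.

```python
# Added example for this reference page; it is not Cisco ACE code. It models how a
# DHCP relay agent applies the "information policy" (keep | replace) to the relay
# agent information option (option 82, RFC 3046) when a forwarded client message
# already carries one. The option encoding and the sample messages are constructed.
from typing import List, Tuple

OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82
OPT_END = 255


def parse_options(blob: bytes) -> List[Tuple[int, bytes]]:
    """Decode the DHCP options field (code, length, value) up to the END option."""
    opts, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts: List[Tuple[int, bytes]]) -> bytes:
    """Encode options as TLVs and terminate with END."""
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("option %d longer than 255 bytes" % code)
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def agent_info(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Option 82 value: sub-option 1 (circuit ID) and sub-option 2 (remote ID)."""
    return (bytes([1, len(circuit_id)]) + circuit_id
            + bytes([2, len(remote_id)]) + remote_id)


def relay_forward(options: bytes, policy: str, own_info: bytes) -> bytes:
    """Return the options the relay forwards to the DHCP server.

    keep    - an option 82 already present is forwarded unchanged, i.e. the relay
              trusts whatever the client or an upstream relay inserted
    replace - any existing option 82 is overwritten with this relay's own data
    A message without option 82 gets this relay's data under either policy.
    """
    if policy not in ("keep", "replace"):
        raise ValueError("policy must be 'keep' or 'replace'")
    opts = parse_options(options)
    has_existing = any(code == OPT_RELAY_AGENT for code, _ in opts)
    if has_existing and policy == "keep":
        return build_options(opts)
    others = [(code, value) for code, value in opts if code != OPT_RELAY_AGENT]
    return build_options(others + [(OPT_RELAY_AGENT, own_info)])


def relay_agent_ids(options: bytes) -> List[bytes]:
    """Option 82 values present in an options blob (used to inspect results)."""
    return [value for code, value in parse_options(options) if code == OPT_RELAY_AGENT]


if __name__ == "__main__":
    upstream = agent_info(b"vlan10/gi1/1", b"sw1")   # constructed: already in the message
    mine = agent_info(b"vlan50", b"ace1")            # constructed: this relay's own data
    discover = build_options([(OPT_MSG_TYPE, b"\x01"), (OPT_RELAY_AGENT, upstream)])
    print("keep    ->", relay_agent_ids(relay_forward(discover, "keep", mine)))
    print("replace ->", relay_agent_ids(relay_forward(discover, "replace", mine)))
```

With keep (the default), a client that fabricates its own option 82 has that data forwarded to the server unchanged; if the server uses circuit or remote IDs for address assignment or access decisions, replace is the setting that makes the values come from the relay rather than from the client.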
Related Commands clear ip
show ip
(config) ip domain-list
To configure a domain name search list, use the ip domain-list command. The domain name list can
contain a maximum of three domain names. Use the no form of this command to remove a domain name
from the list.
ip domain-list name
no ip domain-list name
Syntax Description
name Domain name. Enter an unquoted text string with no spaces and a maximum of
85 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the domain name feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can configure a Domain Name System (DNS) client on the ACE to communicate with a DNS server
to provide hostname-to-IP-address translation for hostnames in CRLs for the client authentication
feature. For unqualified hostnames (hostnames that do not contain a domain name), you can configure a
default domain name or a list of domain names that the ACE can use to:
• Complete the hostname
• Attempt a hostname-to-IP-address resolution with a DNS server
If you configure both a domain name list and a default domain name, the ACE uses only the domain name
list and not the single default name. After you have enabled domain name lookups and configured a
domain name list, the ACE uses each domain name in turn until it can resolve a single domain name into
an IP address.
Examples For example, to configure a domain name list, enter:
host1/Admin(config)# ip domain-list cisco.com
host1/Admin(config)# ip domain-list foo.com
host1/Admin(config)# ip domain-list xyz.com
To remove a domain name from the list, enter:
host1/Admin(config)# no ip domain-list xyz.com
Related Commands show running-config
(config) ip domain-lookup
(config) ip domain-name
(config) ip domain-lookup
To enable the ACE to perform a domain lookup (host-to-address translation) with a DNS server, use the
ip domain-lookup command. By default, this command is disabled. Use the no form of this command
to return the state of domain lookups to the default value of disabled.
ip domain-lookup
no ip domain-lookup
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Domain Name feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can configure a Domain Name System (DNS) client on the ACE to communicate with a DNS server
to provide hostname-to-IP-address translation for hostnames in CRLs for the client authentication
feature.
Before you configure a DNS client on the ACE, ensure that one or more DNS name servers are properly
configured and are reachable. Otherwise, translation requests (domain lookups) from the DNS client will
be discarded. You can configure a maximum of three name servers. The ACE attempts to resolve the
hostnames with the configured name servers in order until the translation succeeds. If the translation
fails, the ACE reports an error.
For unqualified hostnames (hostnames that do not contain a domain name), you can configure a default
domain name or a list of domain names that the ACE can use to do the following:
• Complete the hostname
• Attempt a hostname-to-IP-address resolution with a DNS server
Examples For example, to enable domain lookups, enter:
host1/Admin(config)# ip domain-lookup
To return the state of domain lookups to the default value of disabled, enter:
host1/Admin(config)# no ip domain-lookup
Related Commands show running-config
(config) ip domain-list
(config) ip domain-name
(config) ip name-server
(config) ip domain-name
To configure a default domain name, use the ip domain-name command. Use the no form of this command
to remove the default domain name from the configuration.
ip domain-name name
no ip domain-name name
Syntax Description
name Default domain name. Enter an unquoted text string with no spaces and a
maximum of 85 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the domain name feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The DNS client feature allows you to configure a default domain name that the ACE uses to complete
unqualified hostnames. An unqualified hostname does not contain a domain name (any name without a
dot). When domain lookups are enabled and a default domain name is configured, the ACE appends a
dot (.) and the configured default domain name to the unqualified host name and attempts a domain
lookup. If a domain name list is also configured with the ip domain-list command, the ACE uses the list
and ignores the default domain name.
Examples For example, to specify a default domain name of cisco.com, enter:
host1/Admin(config)# ip domain-name cisco.com
In the above example, the ACE appends cisco.com to any unqualified host name in a CRL before the
ACE attempts to resolve the host name to an IP address using a DNS name server.
To remove the default domain from the configuration, enter:
host1/Admin(config)# no ip domain-name cisco.com
Related Commands show running-config
(config) ip domain-list
(config) ip domain-lookup
(config) ip name-server
To configure a DNS name server on the ACE, use the ip name-server command. You can configure a
maximum of three DNS name servers. Use the no form of this command to remove a name server from
the list.
ip name-server ip_address
no ip name-server ip_address
Syntax Description
ip_address IP address of a name server. Enter the address in dotted decimal notation (for
example, 192.168.12.15). You can enter up to three name server IP addresses in
one command line.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the domain name feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To translate a hostname to an IP address, you must configure one or more (maximum of three) existing
DNS name servers on the ACE. Ping the IP address of each name server before you configure it to ensure
that the server is reachable.
Examples For example, to configure three name servers for the DNS client feature, enter:
host1/Admin(config)# ip name-server 192.168.12.15 192.168.12.16 192.168.12.17
To remove a name server from the list, enter:
host1/Admin(config)# no ip name-server 192.168.12.15
Related Commands show running-config
(config) ip domain-lookup
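The resolution order spread across the ip domain-list, ip domain-lookup, ip domain-name and ip name-server entries, as one added example in Python (not Cisco ACE code): a qualified name is looked up as-is, an unqualified one is completed with each domain-list entry in turn (the list wins over the single default domain), and each candidate is tried against the configured name servers in order until one answers. The zone data and the server that never answers are constructed; which loop is outer (candidate name or name server) is an assumption the reference does not settle.

```python
# Added example for this reference page; it is not Cisco ACE code. It models the
# resolution order of the ACE DNS client as the ip domain-list, ip domain-name,
# ip domain-lookup and ip name-server entries describe it. ZONE and fake_query
# are constructed stand-ins for real DNS servers.
from typing import Callable, List, Optional, Tuple

MAX_NAME_SERVERS = 3
MAX_DOMAIN_LIST = 3


class AceDnsClient:
    def __init__(self) -> None:
        self.name_servers: List[str] = []          # ip name-server, tried in order
        self.domain_list: List[str] = []           # ip domain-list, tried in order
        self.domain_name: Optional[str] = None     # ip domain-name
        self.lookup_enabled = False                # ip domain-lookup (off by default)

    def add_name_servers(self, *addrs: str) -> None:
        for addr in addrs:
            if len(self.name_servers) >= MAX_NAME_SERVERS:
                raise ValueError("at most three name servers")
            self.name_servers.append(addr)

    def add_domain(self, name: str) -> None:
        if len(self.domain_list) >= MAX_DOMAIN_LIST:
            raise ValueError("at most three domain-list entries")
        self.domain_list.append(name)

    def candidates(self, host: str) -> List[str]:
        """Names to try for host; a qualified name (one with a dot) is used as-is."""
        if "." in host:
            return [host]
        if self.domain_list:          # the list wins over the single default name
            return ["%s.%s" % (host, d) for d in self.domain_list]
        if self.domain_name:
            return ["%s.%s" % (host, self.domain_name)]
        return [host]

    def resolve(self, host: str,
                query: Callable[[str, str], Optional[str]]) -> Optional[Tuple[str, str]]:
        """Return (fqdn, ip) or None. query(server, fqdn) returns an IP or None;
        None also stands for a server that is unreachable. Assumption: candidate
        names form the outer loop and name servers the inner one."""
        if not self.lookup_enabled:
            raise RuntimeError("ip domain-lookup is not enabled")
        if not self.name_servers:
            raise RuntimeError("no ip name-server configured; lookups are discarded")
        for fqdn in self.candidates(host):
            for server in self.name_servers:
                ip = query(server, fqdn)
                if ip:
                    return fqdn, ip
        return None


# Constructed zone data; the constructed server 192.168.12.15 never answers.
ZONE = {"crl.example.net": "198.51.100.7", "crl.example.com": "192.0.2.10"}


def fake_query(server: str, fqdn: str) -> Optional[str]:
    if server == "192.168.12.15":
        return None
    return ZONE.get(fqdn.lower())


def demo_client() -> AceDnsClient:
    c = AceDnsClient()
    c.add_name_servers("192.168.12.15", "192.168.12.16")
    c.add_domain("example.net")
    c.add_domain("example.com")
    c.domain_name = "example.org"      # ignored while the domain list is non-empty
    c.lookup_enabled = True
    return c


if __name__ == "__main__":
    print(demo_client().resolve("crl", fake_query))
```

The search list matters for the client-authentication use case the reference names: an unqualified CRL hostname taken from a certificate is completed with whichever domain answers first, so the order of ip domain-list entries decides which zone's answer the ACE trusts.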
(config) ip route
To configure a default or static IP route, use the ip route command. Use the no form of this command
to remove a default or static IP route from the configuration.
ip route ipv6_dest_address/prefix_length {global_nexthop_address | {bvi number | vlan number
{link_local_address}}} | {ipv4_dest_address netmask gateway_ip_address}
no ip route dest_ip_prefix netmask gateway_ip_address
Syntax Description
ipv6_dest_address IPv6 destination address for the route. The address that you specify for the static
route is the address that is in the packet before entering the ACE and performing
network address translation.
/prefix_length Specifies how many of the most significant bits (MSBs) of the IPv6 address are
used for the network identifier. Enter a forward slash character (/) followed by
an integer from 1 to 128. The default is /128.
global_nexthop_address IP address of the gateway router (the next-hop address for this route). The
gateway address must be in the same network as specified in the ip address
command for a VLAN interface. For information on configuring the address, see
the Routing and Bridging Guide, Cisco ACE Application Control Engine.
bvi number Specifies the bridged VLAN interface (BVI) through which a link-local next-hop
address is reached.
link_local_address Link-local address of the next-hop interface.
vlan number Specifies the VLAN interface through which a link-local next-hop address is
reached.
ipv4_dest_address IPv4 destination address for the route. The address that you specify for the static
route is the address that is in the packet before entering the ACE and performing
network address translation.
netmask Subnet mask for the route.
gateway_ip_address IP address of the gateway router (the next-hop address for this route). The
gateway address must be in the same network as specified in the ip address
command for a VLAN interface.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines This command requires the routing feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The default route identifies the router IP address to which the ACE sends all IP packets for which it does
not have a route.
Admin and user contexts do not support dynamic routing. You must use static routes for any networks
to which the ACE is not directly connected; for example, use a static route when there is a router between
a network and the ACE.
The ACE supports up to eight equal cost routes on the same interface for load balancing.
Routes that identify a specific destination address take precedence over the default route.
See the Routing and Bridging Guide, Cisco ACE Application Control Engine for more information about
configuring default or static routes.
Examples IPv6 Examples
To configure a static route to send all traffic destined to 2001:DB8:1::1/64 to the next-hop router at
2001:DB8:1::10, enter the following command:
host1/Admin(config)# ip route 2001:DB8:1::1/64 2001:DB8:1::10
To configure a default route, set the IPv6 address for the route to ::/0, the IPv6 equivalent of “any.” For
example, if the ACE receives traffic that does not have a route and you want the ACE to send the traffic
out the interface to the router at 2001:DB8:1::10/64, enter:
host1/Admin(config)# ip route ::/0 2001:DB8:1::10
To remove a default or static route, use the no form of the command as follows:
host1/Admin(config)# no ip route 2001:DB8:1::1/64 2001:DB8:1::10
IPv4 Examples
To configure a default route, set the IP address and the subnet mask for the route to 0.0.0.0. For example,
if the ACE receives traffic that it does not have a route, it sends the traffic out the interface to the router
at 192.168.4.8. Enter:
host1/Admin(config)# ip route 0.0.0.0 0.0.0.0 192.168.4.8
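The selection rules the Usage Guidelines state (a route for a specific destination beats the default route; up to eight equal-cost routes to one destination), as an added example in Python that is not Cisco ACE code. It uses the standard-library ipaddress module for longest-prefix matching over both IPv4 (destination plus netmask, as the command takes them) and IPv6 (destination/prefix_length); the routes and the eight-gateway limit check are constructed for the example.

```python
# Added example for this reference page; it is not Cisco ACE code. It models the
# route selection the ip route reference describes: the most specific matching
# route wins, the default route (0.0.0.0 0.0.0.0 or ::/0) catches the rest, and
# at most eight equal-cost gateways may exist for one destination.
import ipaddress
from typing import Dict, List, Union

MAX_EQUAL_COST = 8
Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class StaticRib:
    def __init__(self) -> None:
        self._routes: Dict[Net, List[str]] = {}

    def _add(self, net: Net, gateway: str) -> None:
        gw = ipaddress.ip_address(gateway)
        if gw.version != net.version:
            raise ValueError("gateway %s does not match %s" % (gw, net))
        hops = self._routes.setdefault(net, [])
        if str(gw) in hops:
            return
        if len(hops) >= MAX_EQUAL_COST:
            raise ValueError("more than %d equal-cost routes for %s" % (MAX_EQUAL_COST, net))
        hops.append(str(gw))

    def add_ipv4(self, dest: str, netmask: str, gateway: str) -> None:
        """ip route <ipv4_dest_address> <netmask> <gateway_ip_address>"""
        self._add(ipaddress.ip_network("%s/%s" % (dest, netmask), strict=False), gateway)

    def add_ipv6(self, dest_with_prefix: str, gateway: str) -> None:
        """ip route <ipv6_dest_address>/<prefix_length> <global_nexthop_address>"""
        self._add(ipaddress.ip_network(dest_with_prefix, strict=False), gateway)

    def remove(self, dest_with_prefix: str, gateway: str) -> None:
        """no ip route ...: drop one gateway; the prefix disappears with its last one."""
        net = ipaddress.ip_network(dest_with_prefix, strict=False)
        hops = self._routes.get(net, [])
        gw = str(ipaddress.ip_address(gateway))
        if gw in hops:
            hops.remove(gw)
        if not hops:
            self._routes.pop(net, None)

    def lookup(self, address: str) -> List[str]:
        """Gateways of the most specific matching route (empty list if none)."""
        addr = ipaddress.ip_address(address)
        best = None
        for net in self._routes:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best.prefixlen:
                    best = net
        return list(self._routes[best]) if best is not None else []


if __name__ == "__main__":
    rib = StaticRib()
    rib.add_ipv4("0.0.0.0", "0.0.0.0", "192.168.4.8")         # default route
    rib.add_ipv4("10.1.0.0", "255.255.0.0", "192.168.4.1")     # specific, two gateways
    rib.add_ipv4("10.1.0.0", "255.255.0.0", "192.168.4.2")
    rib.add_ipv6("::/0", "2001:DB8:1::10")
    print(rib.lookup("10.1.5.5"), rib.lookup("172.16.0.1"), rib.lookup("2001:db8:9::1"))
```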
Related Commands (config-if) ip address
(config) ipv6 nd interval
To configure the refresh interval for existing neighbor discovery (ND) entries of configured hosts, use
the ipv6 nd interval command in configuration mode. Use the no form of this command to reset the ND
refresh interval to the default value of 300 seconds.
ipv6 nd interval number
no ipv6 nd interval number
Syntax Description
interval Indicates the frequency of the neighbor solicitation (NS) messages that are sent
by the ACE.
number Specifies the time interval in seconds between NS messages for configured
hosts. Enter an integer from 15 to 31536000. The default is 300 seconds
(5 minutes).
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines You configure this command for each context.
Examples To configure an NS message interval of 600 seconds (10 minutes), enter the following command:
host1/Admin(config)# ipv6 nd interval 600
To reset the NS message interval to the default of 300 seconds, enter the following command:
host1/Admin(config)# no ipv6 nd interval 600
Related Commands (config-if) ipv6 nd ns-interval
(config) ipv6 nd learned-interval
To configure the refresh interval for ND entries of learned hosts, use the ipv6 nd learned-interval
command. Use the no form of this command to reset the ND refresh interval of learned hosts to the
default value of 300 seconds.
ipv6 nd learned-interval number
no ipv6 nd learned-interval number
Syntax Description
learned-interval Indicates the refresh interval for ND entries of learned hosts.
number Specifies the time interval in seconds between NS messages for learned
neighbor entries. Enter an integer from 60 to 31536000. The default is 300
seconds (5 minutes).
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines You configure this command for each context.
Examples To configure a learned neighbor interval of 600 seconds (10 minutes), enter the following command:
host1/Admin(config)# ipv6 nd learned-interval 600
To reset the learned neighbor interval to the default of 300 seconds, enter the following command:
host1/Admin(config)# no ipv6 nd learned-interval 600
Related Commands (config-if) ipv6 nd ns-interval
(config) ipv6 nd retries
To configure the number of NS attempts before the ACE considers a host as down, use the ipv6 nd
retries command. Use the no form of this command to reset the number of retries to the default value of
3.
ipv6 nd retries number
no ipv6 nd retries number
Syntax Description
number Specifies the number of times that the ACE resends the NS messages before
considering a host as down. Enter an integer from 1 to 15. The default is 3.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines You configure this command for each context.
Examples To configure the ACE to resend NS messages five times before marking the host as down, enter the
following command:
host1/Admin(config)# ipv6 nd retries 5
To reset the number of retries to the default value of 3, enter the following command:
host1/Admin(config)# no ipv6 nd retries 5
Related Commands (config-if) ipv6 nd ns-interval
(config) ipv6 nd interval
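How the ipv6 nd interval and ipv6 nd retries settings combine into a failure-detection timeline, as one added example in Python covering both entries (not Cisco ACE code): an NS probe goes out every interval seconds, a host that leaves retries consecutive probes unanswered is marked down, and a single answer resets the count. The host's answer pattern is a constructed function; nothing is sent on the wire.

```python
# Added example for this reference page; it is not Cisco ACE code. It simulates
# the interaction of ipv6 nd interval (seconds between NS probes) and ipv6 nd
# retries (unanswered probes before a host is marked down). The reply pattern is
# a constructed callable; the value ranges are the ones the reference gives.
from typing import Callable, Optional, Tuple

INTERVAL_RANGE = (15, 31536000)   # ipv6 nd interval
RETRIES_RANGE = (1, 15)           # ipv6 nd retries


class NdHostTracker:
    def __init__(self, interval: int = 300, retries: int = 3) -> None:
        if not INTERVAL_RANGE[0] <= interval <= INTERVAL_RANGE[1]:
            raise ValueError("interval must be %d..%d seconds" % INTERVAL_RANGE)
        if not RETRIES_RANGE[0] <= retries <= RETRIES_RANGE[1]:
            raise ValueError("retries must be %d..%d" % RETRIES_RANGE)
        self.interval, self.retries = interval, retries

    def worst_case_detection_seconds(self) -> int:
        """Longest a silent host can stay 'reachable' after its last answer."""
        return self.interval * self.retries

    def run(self, answers: Callable[[int], bool],
            duration: int) -> Tuple[str, Optional[int], int]:
        """Probe at t = interval, 2*interval, ... while t <= duration.
        answers(t) tells whether the host replies to the NS sent at time t.
        Returns (final_state, first time marked down or None, probes sent)."""
        state, down_at, failures, probes = "reachable", None, 0, 0
        t = self.interval
        while t <= duration:
            probes += 1
            if answers(t):
                failures, state = 0, "reachable"      # one reply clears the count
            else:
                failures += 1
                if failures >= self.retries and state != "down":
                    state, down_at = "down", t
            t += self.interval
        return state, down_at, probes


if __name__ == "__main__":
    tracker = NdHostTracker(interval=60, retries=3)
    # Constructed pattern: the host answers until t=120 and is silent afterwards.
    print(tracker.run(lambda t: t <= 120, 600))
    print("default settings detect a dead host after at most",
          NdHostTracker().worst_case_detection_seconds(), "seconds")
```

With the defaults (300 seconds, 3 retries) a neighbor that disappears can be reported reachable for up to 900 seconds; the second pattern in the test, a host that answers exactly one probe in the middle of an outage, shows why a short interval alone does not bound detection time when the count is reset by every reply.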
(config) ipv6 nd sync disable
To disable the replication of ND entries from the active to the standby in a redundant configuration, use
the ipv6 nd sync disable command. Use the no form of this command to reset the ACE behavior to the
default of replicating ND entries to the standby in a redundant configuration.
ipv6 nd sync disable
no ipv6 nd sync disable
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines You configure this command for each context.
Examples To disable ND entry replication for the current context, enter the following command:
host1/Admin(config)# ipv6 nd sync disable
To reenable the replication of ND entries, enter the following command:
host1/Admin(config)# no ipv6 nd sync disable
Related Commands (config-if) ipv6 nd ns-interval
(config) ipv6 nd sync-interval
To configure the time interval between neighbor discovery (ND) synchronization messages for learned
hosts, use the ipv6 nd sync-interval command. Use the no form of this command to reset the interval
to the default value of 5 seconds.
ipv6 nd sync-interval number
no ipv6 nd sync-interval number
Syntax Description
number Specifies the time interval between ND synchronization messages. Enter an
integer from 1 to 3600 seconds (1 hour). The default is 5 seconds.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines You configure this command for each context.
Examples To specify a time interval of 100 seconds between ND synchronization messages for learned hosts,
enter:
host1/Admin(config)# ipv6 nd sync-interval 100
To restore the default value of 5 seconds, enter the following command:
host1/Admin(config)# no ipv6 nd sync-interval
Related Commands (config-if) ipv6 nd ns-interval
(config) kalap udp
To configure secure KAL-AP on the ACE, use the kalap udp command to access KAL-AP UDP
configuration mode. The CLI prompt changes to (config-kalap-udp). Use the no form of this command
to return to configuration mode (or use the exit command).
kalap udp
no kalap udp
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the probe feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE supports secure KAL-AP, which uses MD5 with a shared secret to protect the data exchanged
between the ACE and the Global Site Selector (GSS). You must configure the same shared secret as the
authentication key on the GSS and in the ACE context. Because MD5 is a hash function and not a cipher,
the shared secret authenticates the exchange (a peer that does not hold the secret cannot produce valid
messages); it does not make the exchanged load data confidential. For information about the commands
in KAL-AP UDP configuration mode, see the “KAL-AP UDP Configuration Mode Commands” section.
Examples To enter KAL-AP UDP configuration mode, enter:
host1/Admin(config)# kalap udp
host1/Admin(config-kalap-udp)#
Related Commands show kalap udp load
show running-config
(config-kalap-udp) ip address
(config) ldap-server host
To specify the Lightweight Directory Access Protocol (LDAP) server IP address, the destination port, and other options, use the ldap-server host command. You can enter multiple ldap-server host commands to configure multiple LDAP servers. Use the no form of this command to revert to a default LDAP server authentication setting.
ldap-server host ip_address [port port_number] [timeout seconds] [rootDN "DN_string" [password bind_password]]
no ldap-server host ip_address [port port_number] [timeout seconds] [rootDN "DN_string" [password bind_password]]
Syntax Description
ip_address IP address for the LDAP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
port port_number (Optional) Specifies the TCP destination port for communicating authentication requests to the LDAP directory server. The port_number argument specifies the LDAP port number. Enter an integer from 1 to 65535.
timeout seconds (Optional) Specifies the time in seconds to wait for a response from the LDAP server before the ACE can declare a timeout failure with the LDAP server. Use this option to change the time interval that the ACE waits for the LDAP server to reply to an authentication request. Enter an integer from 1 to 60. The default is 5 seconds.
rootDN "DN_string" (Optional) Defines the distinguished name (DN) for a user who is unrestricted by access controls or administrative limit parameters to perform operations on the LDAP server directory. The rootDN user can be thought of as the root user for the LDAP server database. Enter a quoted string with a maximum of 63 alphanumeric characters. The default is an empty string.
password bind_password (Optional) Defines the bind password (rootpw) applied to the rootDN of the LDAP server directory. Enter an unquoted string with a maximum of 63 alphanumeric characters. The default is an empty string.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
By default, the LDAP server port is 389. If your LDAP server uses a port other than 389, use the port keyword to configure an appropriate port before starting the LDAP service. The port keyword of the ldap-server host command overrides the global setting (ldap-server port) for the specified server.
By default, the ACE waits 5 seconds for the LDAP server to reply to an authentication request before the ACE declares a timeout failure and attempts to contact the next server in the group. The timeout keyword of the ldap-server host command overrides the global setting (ldap-server timeout) for the specified server.
Examples To configure LDAP server authentication parameters, enter:
host1/Admin(config)# ldap-server host 192.168.2.3 port 2003
host1/Admin(config)# ldap-server host 192.168.2.3 timeout 60
host1/Admin(config)# ldap-server host 192.168.2.3 rootDN "cn=manager,dc=cisco,dc=com" password lab
To remove the LDAP server authentication setting, enter:
host1/Admin(config)# no ldap-server host 192.168.2.3 timeout 60
Related Commands show aaa
(config) aaa group server
(config) ldap-server port
(config) ldap-server timeout
(config) ldap-server port
To globally configure a TCP port (if your LDAP server uses a port other than the default port 389) before you start the LDAP service, use the ldap-server port command. This global port setting will be applied to those LDAP servers for which a TCP port value is not individually configured by the ldap-server host command. Use the no form of this command to revert to the default of TCP port 389.
ldap-server port port_number
no ldap-server port port_number
Syntax Description
port_number Destination port to the LDAP server. Enter an integer from 1 to 65535. The default is TCP port 389.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To override the global TCP port setting (specified by the ldap-server port command) for a specific server, use the ldap-server host port command.
Examples To globally configure the TCP port, enter:
host1/Admin(config)# ldap-server port 2003
To revert to the default of TCP port 389, enter:
host1/Admin(config)# no ldap-server port 2003
Related Commands show aaa
(config) aaa group server
(config) ldap-server host
(config) ldap-server timeout
(config) ldap-server timeout
To globally change the time interval that the ACE waits for the LDAP server to reply to a request before it declares a timeout failure, use the ldap-server timeout command. By default, the ACE waits 5 seconds to receive a response from an LDAP server before it declares a timeout failure and attempts to contact the next server in the group. The ACE applies this global timeout value to those LDAP servers for which a timeout value is not individually configured by the ldap-server host command. Use the no form of this command to revert to the default of 5 seconds between transmission attempts.
ldap-server timeout seconds
no ldap-server timeout seconds
Syntax Description
seconds Timeout value in seconds. Enter an integer from 1 to 60. The default is 5 seconds.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To override the global TCP timeout setting (specified by the ldap-server timeout command) for a specific server, use the ldap-server host timeout command.
Examples To globally configure the timeout value to 30 seconds, enter:
host1/Admin(config)# ldap-server timeout 30
To change to the default of 5 seconds between transmission attempts, enter:
host1/Admin(config)# no ldap-server timeout 30
Related Commands show aaa
(config) aaa group server
(config) ldap-server host
(config) ldap-server port
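The precedence described for ldap-server host, ldap-server port and ldap-server timeout (a per-server value wins over the global value, which wins over the defaults of TCP port 389 and 5 seconds) as an added Python example that is not part of this command reference or of any Cisco tooling. The configuration lines are constructed; the merging of repeated ldap-server host lines for one address and the handling of the no form are assumptions modelled on the examples in this reference.

```python
"""Resolve the effective LDAP server settings from ACE-style configuration lines.

Added example, not from the command reference: a per-server value set with
ldap-server host ... port/timeout wins over the global ldap-server port /
ldap-server timeout value, which wins over the defaults of TCP port 389 and 5 s.
"""
import shlex

DEFAULT_PORT = 389        # documented default LDAP port
DEFAULT_TIMEOUT = 5       # documented default timeout in seconds
PORT_RANGE = (1, 65535)   # allowed port_number values
TIMEOUT_RANGE = (1, 60)   # allowed seconds values

# Constructed sample: one server with per-host overrides, one with none, then
# the no form removing one per-host value and one global value.
SAMPLE_CONFIG = [
    "ldap-server port 2003",
    "ldap-server timeout 30",
    "ldap-server host 192.168.2.3 port 2636",
    "ldap-server host 192.168.2.3 timeout 60",
    'ldap-server host 192.168.2.3 rootDN "cn=manager,dc=cisco,dc=com" password lab',
    "ldap-server host 192.168.2.4",
    "no ldap-server host 192.168.2.3 timeout 60",
    "no ldap-server port 2003",
]


def _in_range(name, value, bounds):
    """Reject values the CLI would refuse, so a bad config is caught early."""
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError(f"{name} {value} outside allowed range {lo}-{hi}")
    return value


def _host_options(tokens):
    """Parse the keyword/value pairs that follow ldap-server host ip_address."""
    opts, i = {}, 0
    while i < len(tokens):
        if i + 1 >= len(tokens):
            raise ValueError(f"option {tokens[i]} is missing its value")
        key, val = tokens[i], tokens[i + 1]
        if key == "port":
            opts["port"] = _in_range("port", int(val), PORT_RANGE)
        elif key == "timeout":
            opts["timeout"] = _in_range("timeout", int(val), TIMEOUT_RANGE)
        elif key in ("rootDN", "password"):
            opts[key] = val
        else:
            raise ValueError(f"unknown ldap-server host option: {key}")
        i += 2
    return opts


def parse_ldap_config(lines):
    """Return (global_settings, hosts); hosts maps ip_address -> per-host options.

    Assumption modelled on the reference's example of three ldap-server host lines
    for one address: repeated lines for an address merge, and the no form removes
    only the options it names (or the whole server if it names none).
    """
    global_settings, hosts = {}, {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        negate = line.startswith("no ")
        tokens = shlex.split(line[3:] if negate else line)  # keeps "DN_string" whole
        if tokens[:2] == ["ldap-server", "port"]:
            if negate:
                global_settings.pop("port", None)
            else:
                global_settings["port"] = _in_range("port", int(tokens[2]), PORT_RANGE)
        elif tokens[:2] == ["ldap-server", "timeout"]:
            if negate:
                global_settings.pop("timeout", None)
            else:
                global_settings["timeout"] = _in_range("timeout", int(tokens[2]), TIMEOUT_RANGE)
        elif tokens[:2] == ["ldap-server", "host"]:
            ip, opts = tokens[2], _host_options(tokens[3:])
            if not negate:
                hosts.setdefault(ip, {}).update(opts)
            elif not opts:
                hosts.pop(ip, None)
            else:
                for key in opts:
                    hosts.get(ip, {}).pop(key, None)
    return global_settings, hosts


def effective_settings(lines):
    """Per server: the port and timeout the ACE would use, and where each came from."""
    global_settings, hosts = parse_ldap_config(lines)
    result = {}
    for ip, opts in hosts.items():
        entry = {"bind_dn": opts.get("rootDN", "")}  # empty string is the documented default
        for key, default in (("port", DEFAULT_PORT), ("timeout", DEFAULT_TIMEOUT)):
            if key in opts:
                entry[key], entry[key + "_source"] = opts[key], "host"
            elif key in global_settings:
                entry[key], entry[key + "_source"] = global_settings[key], "global"
            else:
                entry[key], entry[key + "_source"] = default, "default"
        result[ip] = entry
    return result
```

Running effective_settings(SAMPLE_CONFIG) shows 192.168.2.3 keeping its per-host port while inheriting the global timeout after the no form, and 192.168.2.4 falling back to port 389.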
(config) line console
(ACE module only) To configure the console interface settings, use the line console configuration mode command. When you enter this command, the prompt changes to (config-console) and you enter console configuration mode. Use the no form of this command to reset the console configuration mode parameters to their default settings.
line console
no line console
Syntax Description There are no keywords or arguments for this command.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The console port is an asynchronous serial port on the Catalyst 6500 series switch that enables the ACE to be set up for initial configuration through a standard RS-232 port with an RJ-45 connector. Any device connected to this port must be capable of asynchronous transmission. Connection to a terminal requires a terminal emulator to be configured as 9600 baud, 8 data bits, 1 stop bit, no parity.
For information about the commands in console configuration mode, see the “Console Configuration Mode Commands” section.
Examples To enter console configuration mode, enter:
host1/Admin(config)# line console
host1/Admin(config-console)#
Related Commands clear line
show line
(config) line vty
To configure the virtual terminal line settings, use the line vty configuration mode command. When you enter this command, the prompt changes to (config-line) and you enter line configuration mode. Use the no form of this command to reset the line configuration mode parameter to its default setting.
line vty
no line vty
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the commands in line configuration mode, see the “Line Configuration Mode Commands” section.
Examples To enter line configuration mode, enter:
host1/Admin(config)# line vty
host1/Admin(config-line)#
Related Commands clear line
show line
(config) login timeout
To modify the length of time that a user can be idle before the ACE terminates the console, Telnet, or Secure Shell (SSH) session, use the login timeout command. By default, the inactivity timeout value is 5 minutes. Use the no form of this command to restore the default timeout value of 5 minutes.
login timeout minutes
no login timeout
Syntax Description
minutes Length of time in minutes. Enter a value from 0 to 60 minutes. A value of 0 instructs the ACE never to time out. The default is 5 minutes.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To specify a timeout period of 10 minutes, enter:
host1/Admin(config)# login timeout 10
To restore the default timeout value of 5 minutes, enter:
host1/Admin(config)# no login timeout
Related Commands telnet
(config-cmap-mgmt) match protocol
(config) logging buffered
To enable system logging to a local buffer and to limit the messages sent to the buffer based on severity, use the logging buffered command. By default, logging to the local buffer on the ACE is disabled. New messages are appended to the end of the buffer. The first message displayed is the oldest message in the buffer. When the log buffer fills, the ACE deletes the oldest message to make space for new messages. Use the no form of this command to disable message logging.
logging buffered severity_level
no logging buffered
Syntax Description
severity_level Maximum level for system log messages sent to the buffer. The severity level that you specify indicates that you want syslog messages at that level and below. Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To set the logging buffer level to 3 for logging error messages, enter:
host1/Admin(config)# logging buffered 3
To disable message logging, enter:
host1/Admin(config)# no logging buffered
Related Commands (config) logging enable
(config) logging console
To enable the logging of syslog messages during console sessions and to limit the display of messages based on severity, use the logging console command. By default, the ACE does not display syslog messages during console sessions. Use the no form of this command to disable logging to the console.
logging console severity_level
no logging console
Syntax Description
severity_level Maximum level for system log messages sent to the console. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Logging to the console can degrade system performance. Use the logging console command only when you are testing and debugging problems, or when there is minimal load on the network. We recommend that you use the lowest severity level possible because logging at a high rate may affect ACE performance. Do not use this command when the network is busy.
Examples To enable system logging to the console for messages with severity levels of 2, 1, and 0, enter:
host1/Admin(config)# logging console 2
Related Commands (config) logging enable
(config) logging device-id
To specify that the device ID of the ACE is included in the syslog message, use the logging device-id command. If enabled, the ACE displays the device ID in all non-EMBLEM-formatted syslog messages. The device ID specification does not affect the syslog message text that is in the EMBLEM format. Use the no form of this command to disable device ID logging for the ACE in the syslog message.
logging device-id {context-name | hostname | ipaddress interface_name | string text}
no logging device-id
Syntax Description
context-name Specifies the name of the current context as the device ID to uniquely identify the syslog messages sent from the ACE.
hostname Specifies the hostname of the ACE as the device ID to uniquely identify the syslog messages sent from the ACE.
ipaddress interface_name Specifies the IP address of the interface as the device ID to uniquely identify the syslog messages sent from the ACE. You can specify the IP address of a VLAN interface or BVI as the device ID. If you use the ipaddress keyword, syslog messages sent to an external server contain the IP address of the interface specified, regardless of which interface the ACE uses to send the log data to the external server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
string text Specifies a text string to uniquely identify the syslog messages sent from the ACE. The maximum length is 64 alphanumeric characters without spaces. You cannot use the following characters: & (ampersand), ' (single quotation mark), " (double quotation marks), < (less than), > (greater than), or ? (question mark).
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The device ID part of the syslog message is viewed through the syslog server only and not directly on the ACE. The device ID does not appear in EMBLEM-formatted messages, Simple Network Management Protocol (SNMP) traps, or on the ACE console, management session, or buffer.
Examples To instruct the ACE to use the hostname of the ACE to uniquely identify the syslog messages, enter:
host1/Admin(config)# logging device-id hostname
To disable the use of the hostname of the ACE, enter:
host1/Admin(config)# no logging device-id
Related Commands (config) logging enable
(config) logging enable
To enable message logging, use the logging enable command. Message logging is disabled by default. You must enable logging if you want to send messages to one or more output locations. Use the no form of this command to stop message logging to all output locations.
logging enable
no logging enable
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Message logging is disabled by default. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. You must set a logging output location to view any logs.
Examples To enable message logging to all output locations, enter:
host1/Admin(config)# logging enable
To stop message logging to all output locations, enter:
host1/Admin(config)# no logging enable
Related Commands This command has no related commands.
(config) logging facility
To change the logging facility to a value other than the default of 20 (LOCAL4), use the logging facility command. Most UNIX systems expect the messages to use facility 20. The ACE allows you to change the syslog facility type to identify the behavior of the syslog daemon (syslogd) on the host. Use the no form of this command to set the syslog facility to its default of 20.
logging facility number
no logging facility number
Syntax Description
number Syslog facility. Enter an integer from 16 (LOCAL0) to 23 (LOCAL7). The default is 20 (LOCAL4).
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The syslog daemon uses the specified syslog facility to determine how to process messages. Each logging facility configures how the syslog daemon on the host handles a message. Syslog servers file messages based on the facility number in the message. For more information on the syslog daemon and facility levels, see your syslog daemon documentation.
Examples To set the syslog facility as 16 (LOCAL0) in syslog messages, enter:
host1/Admin(config)# logging facility 16
To change the syslog facility back to the default of LOCAL4, enter:
host1/Admin(config)# no logging facility 16
Related Commands (config) logging enable
(config) logging fastpath
To enable the logging of connection setup and teardown messages through the fastpath, use the logging fastpath command. By default, the ACE logs connection setup and teardown syslog messages through the control plane. Use the no form of this command to disable the logging of connection setup and teardown syslog messages.
logging fastpath
no logging fastpath
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Because of the large number of syslog messages that are generated by connection setup and teardown, you can instruct the ACE to send these syslogs through the fast path instead of the control plane. The fast path supports a much higher rate of syslogs than the control plane does. When you instruct the ACE to send these syslogs through the fast path, the message formatting changes (different message spacing) and the syslog IDs change from 106023, 302022, 302023, 302024, and 302025 to 106028, 302028, 302029, 302030, and 302031, respectively.
Examples To configure the ACE to log connection setup and teardown syslog messages through the fast path, enter:
host1/Admin(config)# logging fastpath
To disable the logging of connection setup and teardown syslog messages through the fast path, enter:
host1/Admin(config)# no logging fastpath
Related Commands (config) logging enable
(config) logging history
To set the Simple Network Management Protocol (SNMP) message severity level when sending log messages to a network management system (NMS), use the logging history command. Use the no form of this command to disable logging of informational system messages to an NMS.
logging history severity_level
no logging history
Syntax Description
severity_level Maximum level for system log messages sent as traps to the NMS. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To enable or disable all SNMP syslog message logging, use the logging history command without the severity_level argument.
We recommend that you use the debugging (7) level during initial setup and during testing. After setup, set the level from debugging (7) to a lower value for use in your network.
Examples To send informational system message logs to an SNMP NMS, enter:
host1/Admin(config)# logging history 6
To disable logging to an SNMP NMS, enter:
host1/Admin(config)# no logging history
Related Commands (config) logging enable
(config) logging host
To specify a host (the syslog server) that receives the syslog messages sent by the ACE, use the logging host command. You can use multiple logging host commands to specify additional servers to receive the syslog messages. Use the no form of this command to disable logging to a syslog server. By default, logging to a syslog server on a host is disabled on the ACE.
logging host ip_address [tcp | udp [/port#] | [default-udp] | [format emblem]]
no logging host ip_address
Syntax Description
ip_address IP address of the host to be used as the syslog server.
tcp (Optional) Specifies to use TCP to send messages to the syslog server. A server can only be specified to receive either UDP or TCP, not both.
udp (Optional) Specifies to use UDP to send messages to the syslog server. A server can only be specified to receive either UDP or TCP, not both.
/port# (Optional) Port that the syslog server listens to for syslog messages. Enter an integer from 1025 to 65535. The default protocol and port are UDP/514. The default TCP port, if specified, is 1470.
default-udp (Optional) Instructs the ACE to default to UDP if the TCP transport fails to communicate with the syslog server.
format emblem (Optional) Enables EMBLEM-format logging for each syslog server. The Cisco Resource Management Environment (RME) is a network management application that collects syslogs. RME can process syslog messages only if they are in EMBLEM format.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If you choose to send log messages to a host, the ACE sends those messages using either UDP or TCP. The host must run a program (known as a server) called syslogd, a daemon that accepts messages from other applications and the network, and writes them out to system-wide log files. UNIX provides the syslog server as part of its operating system. If you are running Microsoft Windows, you must obtain a syslog server for the Windows operating system.
If you use TCP as the logging transport protocol, the ACE denies new network access sessions if the ACE is unable to reach the syslog server, if the syslog server is misconfigured, if the TCP queue is full, or if the disk is full.
The format emblem keywords allow you to enable EMBLEM-format logging for each syslog server. EMBLEM-format logging is available for either TCP or UDP syslog messages. If you enable EMBLEM-format logging for a particular syslog host, then the messages are sent to that host. If you also enable the logging timestamp command, the messages are sent to the syslog server with a time stamp. For example, the EMBLEM format for a message with a time stamp appears as follows:
ipaddress or dns name [Dummy Value/Counter]: [mmm dd hh:mm:ss TimeZone]: %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: [vtl-ctx: context id] Message-text
Examples To send log messages to a syslog server, enter:
host1/Admin(config)# logging host 192.168.10.1 tcp/1025 format emblem default-udp
To disable logging to a syslog server, enter:
host1/Admin(config)# no logging host 192.168.10.1
Related Commands (config) logging enable
(config) logging timestamp
(config) logging message
To control the display of a specific system logging message or to change the severity level associated
with the specified system logging message, use the logging message command. Use the no form of this
command to disable logging of the specified syslog message.
logging message syslog_id [level severity_level]
no logging message syslog_id
Syntax Description
Command Modes Configuration mode
Admin and user contexts
Command History
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can use the show logging command to determine the level currently assigned to a message and
whether the message is enabled.
For information on syslog messages and their IDs, see the System Message Guide, Cisco ACE
Application Control Engine.
syslog_id Specific message that you want to disable or to enable.
level
severity_level
(Optional) Changes the severity level associated with a specific system log
message. For example, the %-4-411001 message listed in the syslog has the
default assigned severity level of 4 (warning message). You can change the
assigned default severity level to a different level.
Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.2-367
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Configuration Mode Commands
Examples To disable the %-6-615004 syslog message (VLAN available for configuring an interface), enter:
host1/Admin(config)# no logging message 615004
To resume logging of the disabled syslog message, enter:
host1/Admin(config)# logging message 615004 level 6
To change the severity level of the 615004 syslog message from the default of 6 (informational) to a
severity level of 5 (notification), enter:
host1/Admin(config)# logging message 615004 level 5
To return the severity level of the 615004 syslog message to the default of 6, enter:
host1/Admin(config)# no logging message 615004
Related Commands (config) logging enable
(config) logging monitor
To display syslog messages as they occur when accessing the ACE through a Secure Shell (SSH) or a
Telnet session, use the logging monitor command. You can limit the display of messages based on
severity. By default, logging to a remote connection using the SSH or Telnet is disabled on the ACE. Use
the no form of this command to disable system message logging to the current Telnet or SSH session.
logging monitor severity_level
no logging monitor
Syntax Description
severity_level   Maximum level for system log messages displayed during the current SSH or Telnet
                 session. The severity level that you specify indicates that you want to log messages at
                 that level and below. Allowable entries are as follows:
                 • 0—emergencies (system unusable messages)
                 • 1—alerts (take immediate action)
                 • 2—critical (critical condition)
                 • 3—errors (error message)
                 • 4—warnings (warning message)
                 • 5—notifications (normal but significant condition)
                 • 6—informational (information message)
                 • 7—debugging (debug messages)
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Note Before you can use this command, you must enable remote access on the ACE and establish a remote
connection using the SSH or Telnet protocols from a PC.
To display logs during the SSH or Telnet session, use the terminal monitor Exec mode command. This
command enables syslog messages for all sessions in the current context. The logging monitor
command sets the logging preferences for all SSH and Telnet sessions, while the terminal monitor
command controls logging for each individual Telnet session. However, in each session, the terminal
monitor command controls whether syslog messages appear on the terminal during the session.
Examples To send informational system message logs to the current Telnet or SSH session, enter:
host1/Admin# terminal monitor
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# logging monitor 6
To disable system message logging to the current Telnet or SSH session, enter:
host1/Admin(config)# no logging monitor
Related Commands (config) logging enable
(config) logging persistent
To send specific log messages to compact flash on the ACE, use the logging persistent command. By
default, logging to compact flash is disabled on the ACE. The ACE allows you to specify the system
message logs that you want to keep after a system reboot by saving them to compact flash. Use the no
form of this command to disable logging to compact flash.
logging persistent severity_level
no logging persistent
Syntax Description
severity_level   Maximum level for system log messages sent to compact flash. The severity level that
                 you specify indicates that you want to log messages at that level and below. Allowable
                 entries are as follows:
                 • 0—emergencies (system unusable messages)
                 • 1—alerts (take immediate action)
                 • 2—critical (critical condition)
                 • 3—errors (error message)
                 • 4—warnings (warning message)
                 • 5—notifications (normal but significant condition)
                 • 6—informational (information message)
                 • 7—debugging (debug messages)
Command Modes Configuration mode
Admin and user contexts
Command History
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
We recommend that you use a lower severity level, such as severity level 3, because logging at a high
rate to flash memory on the ACE might affect performance.
Examples To send informational system message logs to flash memory on the ACE, enter:
host1/Admin(config)# logging persistent 6
To disable logging to flash memory on the ACE, enter:
host1/Admin(config)# no logging persistent
Related Commands (config) logging enable
(config) logging queue
To change the number of syslog messages that can appear in the message queue, use the logging queue
command. By default, the ACE can hold 80 syslog messages in the message queue while awaiting
processing. Use the no form of this command to reset the logging queue size to the default of
100 messages.
logging queue queue_size
no logging queue queue_size
Syntax Description
queue_size   Queue size for storing syslog messages. Enter an integer from 1 to 8192. The default is
             80 messages.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Set the queue size before the ACE processes syslog messages. When traffic is heavy, messages might get
discarded.
Examples To set the size of the syslog message queue to 1000, enter:
host1/Admin(config)# logging queue 1000
To reset the logging queue size to the default of 80 messages, enter:
host1/Admin(config)# no logging queue 0
Related Commands (config) logging enable
(config) logging rate-limit
To limit the rate at which the ACE generates messages in the syslog, use the logging rate-limit
command. You can limit the number of syslog messages generated by the ACE for specific messages.
Use the no form of this command to disable rate limiting for message logging in the syslog.
logging rate-limit {num {interval | level severity_level | message syslog_id} | unlimited {level
severity_level | message syslog_id}}
no logging rate-limit {num {interval | level severity_level | message syslog_id} | unlimited {level
severity_level | message syslog_id}}
Syntax Description
num                    Number at which the syslog is to be rate limited.
interval               Time interval in seconds over which the system message logs should be limited. The
                       default time interval is 1 second.
level severity_level   Specifies the syslog level that you want to rate limit. Allowable entries are as follows:
                       • 0—emergencies (system unusable messages)
                       • 1—alerts (take immediate action)
                       • 2—critical (critical condition)
                       • 3—errors (error message)
                       • 4—warnings (warning message)
                       • 5—notifications (normal but significant condition)
                       • 6—informational (information message)
                       • 7—debugging (debug messages)
message syslog_id      Identifies the ID of the specific message whose reporting you want to suppress.
unlimited              Disables rate limiting for messages in the syslog.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Disabled rate limiting is the default setting. In this case, the logging rate-limit unlimited command will
not be displayed in the ACE running-configuration file.
The severity level you enter indicates that you want all syslog messages at the specified level to be
rate-limited. For example, if you specify a severity level of 7, the ACE applies a rate limit only to level 7
(debugging messages). If you want to apply a logging rate limit on a different severity level, you must
configure the logging rate-limit level command for that level as well.
If you configure rate limiting for syslogs 302028 through 302031 (connection setup and teardown
syslogs that are formatted in the data plane), the ACE always rate-limits these syslogs at level 6. Even
if you change the logging level to a different value using the logging message command and the new
logging level appears on the syslog server or other destination, the ACE will continue to rate-limit these
syslogs at level 6.
For information on syslog messages and their IDs, see the System Message Guide, Cisco ACE
Application Control Engine.
Examples To limit the syslog rate to a 60-second time interval for informational messages (level 6), enter:
host1/Admin(config)# logging rate-limit 42 60 level 6
To suppress reporting of system message 302022, enter:
host1/Admin(config)# logging rate-limit 42 60 message 302022
To disable rate limiting, enter:
host1/Admin(config)# no logging rate-limit 42 60 level 6
Related Commands (config) logging enable
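As an added example that is not part of the Cisco reference, the following Python model implements the behaviour the logging message, logging trap and logging rate-limit entries describe: a per-message severity override, a trap filter that forwards a level and below, a sliding-window rate limit per level or per message ID, and the caveat that messages 302028 through 302031 stay in the level-6 rate-limit bucket even after re-levelling. The %ACE- facility prefix, the sample message texts and the assumption that rate limiting is evaluated before the trap filter are mine, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed message format modelled on the %-<level>-<id> form the reference
# shows (for example %-6-615004); the "ACE" facility prefix is an assumption.
MSG_RE = re.compile(r"^%ACE-(?P<level>[0-7])-(?P<id>\d{6}):")

# Connection setup/teardown syslogs that the ACE always rate-limits at level 6.
DATA_PLANE_CONN_IDS = frozenset(range(302028, 302032))


class LoggingPolicy:
    """Per-context view of logging message / logging trap / logging rate-limit."""

    def __init__(self, trap_level=6):
        self.trap_level = trap_level        # logging trap <severity_level> (default 6)
        self.severity_override = {}         # logging message <id> level <n>
        self.disabled = set()               # no logging message <id>
        self.rate_limits = {}               # ("level", n) | ("message", id) -> (num, interval)
        self._windows = defaultdict(list)   # rate-limit key -> timestamps of sends

    def logging_message(self, syslog_id, level=None, enable=True):
        """logging message <id> [level <n>]  /  no logging message <id>."""
        if not enable:
            self.disabled.add(syslog_id)
            return
        self.disabled.discard(syslog_id)
        if level is None:
            self.severity_override.pop(syslog_id, None)  # back to the default severity
        else:
            self.severity_override[syslog_id] = level

    def logging_rate_limit(self, num, interval, level=None, message=None):
        """logging rate-limit <num> <interval> {level <n> | message <id>}."""
        key = ("level", level) if level is not None else ("message", message)
        self.rate_limits[key] = (num, interval)

    def _over_limit(self, key, now):
        """Sliding window: allow at most num sends per interval seconds."""
        num, interval = self.rate_limits[key]
        window = [t for t in self._windows[key] if now - t < interval]
        if len(window) >= num:
            self._windows[key] = window
            return True
        window.append(now)
        self._windows[key] = window
        return False

    def process(self, raw, now):
        """Return the fate of one raw syslog line observed at time `now` (seconds)."""
        m = MSG_RE.match(raw)
        if not m:
            return "malformed"
        default_level, syslog_id = int(m.group("level")), int(m.group("id"))
        if syslog_id in self.disabled:
            return "disabled"
        level = self.severity_override.get(syslog_id, default_level)
        # Assumption: rate limiting is evaluated before the trap filter.
        if ("message", syslog_id) in self.rate_limits and \
                self._over_limit(("message", syslog_id), now):
            return "rate-limited"
        # Caveat from the reference: 302028-302031 stay in the level-6 bucket
        # even when 'logging message' has re-levelled them.
        limit_level = 6 if syslog_id in DATA_PLANE_CONN_IDS else level
        if ("level", limit_level) in self.rate_limits and \
                self._over_limit(("level", limit_level), now):
            return "rate-limited"
        if level > self.trap_level:
            return "filtered-by-trap"
        return f"sent:%ACE-{level}-{syslog_id}"  # forwarded with the overridden level


def run_scenario():
    """Constructed scenario: trap 5, at most 2 level-6 syslogs per 60 s,
    302028 re-levelled to 5, 302022 disabled. Returns [(t, outcome), ...]."""
    p = LoggingPolicy(trap_level=5)             # logging trap 5
    p.logging_rate_limit(2, 60, level=6)        # logging rate-limit 2 60 level 6
    p.logging_message(302028, level=5)          # logging message 302028 level 5
    p.logging_message(302022, enable=False)     # no logging message 302022
    events = [                                  # constructed sample lines
        (0, "%ACE-6-302028: constructed connection-built sample"),
        (1, "%ACE-6-302028: constructed connection-built sample"),
        (2, "%ACE-6-302028: constructed connection-built sample"),
        (3, "%ACE-6-615004: constructed VLAN-available sample"),
        (4, "%ACE-4-411001: constructed warning sample"),
        (5, "%ACE-6-302022: constructed sample"),
        (61, "%ACE-6-615004: constructed VLAN-available sample"),
    ]
    return [(t, p.process(raw, t)) for t, raw in events]


if __name__ == "__main__":
    for t, outcome in run_scenario():
        print(f"t={t:3d}s {outcome}")
```

The third 302028 and the 615004 at t=3 are both dropped by the level-6 bucket, which is what an operator sees when re-levelled connection syslogs still count against the level-6 limit.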
(config) logging standby
To enable logging on the standby ACE in a redundant configuration, use the logging standby command.
When enabled, the standby ACE syslog messages remain synchronized should a failover occur. When
enabled, this command causes twice the message traffic on the syslog server. Use the no form of this
command to disable logging on the standby ACE.
logging standby
no logging standby
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is disabled by default.
Examples To enable logging on the failover standby ACE, enter:
host1/Admin(config)# logging standby
To disable logging on the standby ACE, enter:
host1/Admin(config)# no logging standby
Related Commands (config) logging enable
(config) logging supervisor
(ACE module only) To set the severity level at which syslog messages are sent to the supervisor engine,
use the logging supervisor command. The ACE can forward syslog messages to the supervisor engine
on the Catalyst 6500 series switch. Use the no form of this command to disable system message logging
to the supervisor engine.
logging supervisor severity_level
no logging supervisor
Syntax Description
severity_level   Maximum level for system log messages. The severity level that you specify indicates
                 that you want to log messages at that level and below. Allowable entries are as
                 follows:
                 • 0—emergencies (system unusable messages)
                 • 1—alerts (take immediate action)
                 • 2—critical (critical condition)
                 • 3—errors (error message)
                 • 4—warnings (warning message)
                 • 5—notifications (normal but significant condition)
                 • 6—informational (information message)
                 • 7—debugging (debug messages)
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To send informational system message logs to the supervisor engine on the Catalyst 6500 series switch,
enter:
host1/Admin(config)# logging supervisor 6
To disable system message logging to the supervisor engine, enter:
host1/Admin(config)# no logging supervisor 3
Related Commands (config) logging enable
(config) logging timestamp
To specify that syslog messages should include the date and time that the message was generated, use
the logging timestamp command. By default, the ACE does not include the date and time in syslog
messages. Use the no form of this command to specify that the ACE not include the date and time when
logging syslog messages.
logging timestamp
no logging timestamp
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is disabled by default.
Examples To enable the time stamp on system logging messages, enter:
host1/Admin(config)# logging timestamp
To disable the time stamp from syslog messages, enter:
host1/Admin(config)# no logging timestamp
Related Commands (config) logging enable
(config) logging trap
To identify which messages are sent to a syslog server, use the logging trap command. This command
limits the logging messages sent to a syslog server based on severity. Use the no form of this command
to return the trap level to the default (information messages).
logging trap severity_level
no logging trap
Syntax Description
severity_level   Maximum level for system log messages. The severity level that you specify indicates
                 that you want to log messages at that level and below. Allowable entries are as
                 follows:
                 • 0—emergencies (system unusable messages)
                 • 1—alerts (take immediate action)
                 • 2—critical (critical condition)
                 • 3—errors (error message)
                 • 4—warnings (warning message)
                 • 5—notifications (normal but significant condition)
                 • 6—informational (information message)
                 • 7—debugging (debug messages)
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the syslog feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To send logging messages to a syslog server, use the logging host command to specify the name or IP
address of the host to be used as the syslog server.
Examples To send informational system message logs to the syslog server, enter:
host1/Admin(config)# logging trap 6
To disable sending message logs to the syslog server, enter:
host1/Admin(config)# no logging trap 6
Related Commands (config) logging enable
(config) logging host
(config) nexus-device
To create the DCI device (Nexus 7000 series switch) for the dynamic workload scaling (DWS) feature,
use the nexus-device command. The CLI prompt changes to (config-dci). See the “DCI Configuration
Mode Commands” section for details. Use the no form of this command to remove the DCI device from
the configuration.
nexus-device name
no nexus-device name
Syntax Description
name   Name of the DCI device that the ACE queries for the locality information of the VMs. Enter
       an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin context only
Command History
ACE Module/Appliance Release   Modification
A4(2.0)                        This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The DCI device provides the locality information (local or remote) of the virtual machines (VMs) only.
You can configure one DCI device per ACE.
Examples To create a DCI device named DCI_DEVICE1, enter:
host1/Admin(config)# nexus-device DCI_DEVICE1
host1/Admin(config-dci)#
To remove the DCI device from the configuration, enter:
host1/Admin(config)# no nexus-device DCI_DEVICE1
Related Commands show nexus-device
(config) ntp
(ACE appliance only) To configure the ACE system clock to synchronize a peer (or to be synchronized
by a peer) or to be synchronized by a time server, use the ntp command. Use the no form of the command
to remove an NTP peer or server from the configuration.
ntp {peer ip_address1 [prefer] | server ip_address2 [prefer]}
no ntp {peer ip_address1 [prefer] | server ip_address2 [prefer]}
Syntax Description
peer          Configures the ACE system clock to synchronize a peer or to be synchronized by a
              peer. You can specify multiple associations.
ip_address1   IP address of the peer providing or being provided by the clock synchronization.
prefer        (Optional) Makes this peer the preferred peer that provides synchronization. Using
              the prefer keyword reduces switching back and forth between peers.
server        Configures the ACE system clock to be synchronized by a time server. You can
              specify multiple associations.
ip_address2   IP address of the time server that provides the clock synchronization.
prefer        (Optional) Makes this server the preferred server that provides synchronization. Use
              the prefer keyword to set this NTP server as the preferred server if multiple servers
              have similar accuracy. NTP uses an algorithm to determine which server is the most
              accurate and synchronizes to that one. If servers have similar accuracy, then the
              prefer keyword specifies which of those servers to use.
Command Modes Configuration mode
Admin context only
Command History
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
An NTP association can be a peer association, which means that the ACE is willing to synchronize to
the other system or to allow the other system to synchronize to the ACE. An NTP association can also
be a server association, which means that only this system will synchronize to the other system, not the
other way around. You can identify multiple servers; the ACE uses the most accurate server.
Examples To specify multiple NTP server IP addresses and identify a preferred server, enter:
host1/Admin(config)# ntp server 192.168.10.10 prefer
host1/Admin(config)# ntp server 192.168.4.143
host1/Admin(config)# ntp server 192.168.5.10
To form a peer association with a preferred peer, enter:
host1/Admin(config)# ntp peer 192.168.10.0 prefer
To remove an NTP peer or server from the configuration, enter:
host1/Admin(config)# no ntp peer 192.168.10.0
Related Commands clear np
show clock
(config) object-group
To create an object group, use the object-group command. Object groups allow you to streamline the
creation of multiple ACL entries in an ACL. Use the no form of this command to remove the object group
from the configuration.
object-group [network | service] name
no object-group [network | service] name
Syntax Description
network   Specifies a group of hosts or subnet IP addresses.
service   Specifies a group of TCP or UDP port specifications.
name      Unique identifier for the object group. Enter the object group name as an
          unquoted, alphanumeric string from 1 to 64 characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
A2(1.0)                This command was introduced.
ACE Appliance Release  Modification
A3(1.0)                This command was introduced.
Usage Guidelines You can create either network or service object groups. After you create these groups, you can use a
single ACL entry to allow trusted hosts to make specific service requests to a group of public servers.
If you add new members to an existing object group that is already in use by an entry in a large ACL,
recommitting the ACL can take a long time, depending on the size of the ACL and the object group. In
some cases, making this change can cause the ACE to devote over an hour to committing the ACL, during
which time you cannot access the terminal. We recommend that you first remove the ACL entry that
refers to the object group, make your change, and then add the ACL entry back into the ACL.
Examples To create a network object group, enter:
host1/Admin(config)# object-group network NET_OBJ_GROUP1
Related Commands (config-objgrp-netw) ip_address
(config-objgrp-netw) host
(config) optimize
(ACE appliance only) To configure the global optimization settings on the ACE, enter the optimize
command. The CLI prompt changes to (config-optimize). To remove an optimize mode selection, use
the no form of the command.
optimize
no optimize
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
For information about commands in optimize configuration mode, see the “Optimize Configuration
Mode Commands” section. For details about configuring the commands in the optimize configuration
mode, see the Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application
Control Engine Appliance.
Examples To access the optimize configuration mode, enter:
host1/Admin(config)# optimize
host1/Admin(config-optimize)#
Related Commands show optimization-global
(config) parameter-map type
To create a connection-, HTTP- or SSL-type parameter map, use the parameter-map type command.
For the ACE appliance only, you can also create an optimization HTTP-type parameter map. Use the no
form of this command to remove a parameter map from the ACE.
parameter-map type {connection | generic | http | optimization http | rtsp | sip | skinny | ssl}
name
no parameter-map type {connection | generic | http | optimization http | rtsp | sip | skinny | ssl}
name
Syntax Description
connection          Specifies a connection-type parameter map. After you create the
                    connection-type parameter map, you configure TCP, IP, and other
                    settings for the map in the parameter map connection configuration
                    mode. For information about the commands in parameter map
                    connection configuration mode, see the “Parameter Map Connection
                    Configuration Mode Commands” section.
dns                 Specifies a DNS parameter map. After you create a DNS parameter
                    map, you configure settings for the map in the parameter map DNS
                    configuration mode. For information about the commands in
                    parameter map DNS configuration mode, see the “Parameter Map
                    DNS Configuration Mode Commands” section.
generic             Specifies a generic Layer 7 parameter map. After you create the
                    generic Layer 7 parameter map, you configure settings for the map in
                    the parameter map generic configuration mode. For information about
                    the commands in parameter map generic configuration mode, see the
                    “Parameter Map HTTP Configuration Mode Commands” section.
http                Specifies an HTTP-type parameter map. After you create the
                    HTTP-type parameter map, you configure HTTP settings for the map
                    in the parameter map HTTP configuration mode. For information
                    about the commands in parameter map HTTP configuration mode,
                    see the “Parameter Map HTTP Configuration Mode Commands”
                    section.
optimization http   (ACE appliance only) Specifies an optimization HTTP-type
                    parameter map and defines its application acceleration and
                    optimization settings. After you create the optimization HTTP-type
                    parameter map, you configure settings for the map in the parameter
                    map optimization HTTP configuration mode. For information about
                    the commands in parameter map optimization HTTP configuration
                    mode, see the “Parameter Map Optimization Configuration Mode
                    Commands” section.
rtsp                Specifies an RTSP-type parameter map. After you create the
                    RTSP-type parameter map, you configure RTSP settings for the map
                    in the parameter map RTSP configuration mode. For information about
                    the commands in parameter map RTSP configuration mode, see the
                    “Parameter Map RTSP Configuration Mode Commands” section.
sip                 Specifies a SIP-type parameter map. After you create the SIP-type
                    parameter map, you configure SIP settings for the map in the
                    parameter map SIP configuration mode. For information about the
                    commands in parameter map SIP configuration mode, see the
                    “Parameter Map SIP Configuration Mode Commands” section.
skinny              Specifies a Skinny Client Control Protocol (SCCP) type parameter
                    map. After you create the SCCP-type parameter map, you configure
                    SCCP settings for the map in the parameter map SCCP configuration
                    mode. For information about the commands in parameter map SCCP
                    configuration mode, see the “Parameter Map SCCP Configuration
                    Mode Commands” section.
ssl                 Specifies an SSL-type parameter map. After you create the SSL-type
                    parameter map, you configure SSL settings for the map in the
                    parameter map SSL configuration mode. For information about the
                    commands in parameter map SSL configuration mode, see the
                    “Parameter Map SSL Configuration Mode Commands” section.
name                Name assigned to the parameter map. Enter an unquoted text string
                    with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
A2(1.0)                This command was revised.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
A3(1.0)                This command was revised.
Usage Guidelines The connection and http commands require the connection feature in your user role. The ssl commands
in this mode require the connection or SSL feature.
(ACE appliance only) The optimization http commands in this mode require the loadbalance feature in
your user role.
For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco
ACE Application Control Engine.
The parameter-map type command allows you to configure a series of Layer 3 and Layer 4 statements
that instruct the ACE how to handle TCP termination, normalization and reuse, SSL termination, and
advanced HTTP behavior for server load-balancing connections. After you enter this command, the system
enters the corresponding parameter map configuration mode.
To access one of the parameter-map configuration modes, enter the appropriate parameter-map type
command. For example, enter parameter-map type connection, parameter-map type http, or
parameter-map type ssl. The CLI prompt changes to the corresponding mode, for example,
(config-parammap-conn), (config-parammap-http), or (config-parammap-ssl).
After you configure the parameter map, you associate it with a specific action statement in a policy map.
Examples To create a connection-type parameter map called TCP_MAP, enter:
host1/Admin(config)# parameter-map type connection TCP_MAP
host1/Admin(config-parammap-conn)#
To create an HTTP-type parameter map called HTTP_MAP, enter:
host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)#
To create an SSL-type parameter map called SSL_MAP, enter:
host1/Admin(config)# parameter-map type ssl SSL_MAP
host1/Admin(config-parammap-ssl)#
ACE Appliance Example
To create an optimization HTTP parameter map called OPTIMIZE_MAP, enter:
host1/Admin(config)# parameter-map type optimization http OPTIMIZE_MAP
host1/Admin(config-parammap-optmz)#
Related Commands show running-config
(config) policy-map
(config) peer hostname
To specify a hostname for the peer ACE in a redundant configuration, use the peer hostname command.
The hostname is used for the command line prompts and default configuration filenames. If you establish
sessions to multiple devices, the hostname helps you track where you enter commands. Use the no form
of this command to reset the hostname of the peer to the default of switch.
peer hostname name
no peer hostname name
Syntax Description
name   New hostname for the peer ACE. Enter a case-sensitive text string that contains from 1 to
       32 alphanumeric characters.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release     Modification
A2(1.0)                This command was introduced.
ACE Appliance Release  Modification
A3(1.0)                This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
By default, the hostname for the ACE is switch.
Examples To change the hostname of the peer ACE from switch to ACE_1, enter:
switch/Admin(config)# peer hostname ACE_1
ACE_1/Admin(config)#
Related Commands (config) hostname
(config) peer shared-vlan-hostid
To configure a specific bank of MAC addresses for a peer ACE in a redundant configuration, use the
peer shared-vlan-hostid command. Use the no form of this command to remove the configured bank
of MAC addresses.
peer shared-vlan-hostid number
no peer shared-vlan-hostid
Syntax Description
number   Bank of MAC addresses that the ACE uses. Enter a number from 1 to
         16. Be sure to configure different bank numbers for multiple ACEs.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release     Modification
3.0(0)A1(6.2a)         This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To configure bank 3 for a peer ACE, enter:
host1/Admin(config)# peer shared-vlan-hostid 3
To remove the configured bank of MAC addresses, enter:
host1/Admin(config)# no peer shared-vlan-hostid
Related Commands (config) arp
(config) shared-vlan-hostid
(config) policy-map
Use the policy-map command to create a Layer 3 and Layer 4 or Layer 7 policy map. To access one of
the policy map configuration modes, use the policy-map command. Use the no form of this command
to remove a policy map from the ACE.
policy-map multi-match map_name
policy-map type inspect {ftp first-match | http all-match | sip all-match | skinny} map_name
policy-map type loadbalance {first-match | generic first-match | http first-match |
radius first-match | rdp first-match | rtsp first-match | sip first-match} map_name
policy-map type management first-match map_name
policy-map type optimization http first-match map_name
no policy-map multi-match map_name
no policy-map type inspect {ftp first-match | http all-match | sip all-match | skinny} map_name
no policy-map type loadbalance {first-match | generic first-match | http first-match |
radius first-match | rdp first-match | rtsp first-match | sip first-match} map_name
no policy-map type management first-match map_name
Syntax Description multi-match Configures a Layer 3 and Layer 4 policy map that defines the
different actions applied to traffic passing through the ACE. The ACE
attempts to match multiple classes within the Layer 3 and Layer 4
policy map to allow a multifeature Layer 3 and Layer 4 policy map.
The ACE executes the action for only one matching class within each
of the class sets. The definition of which classes are in the same class
set depends on the actions applied to the classes; the ACE associates
each policy map action with a specific set of classes.
For information about the commands in policy map configuration
mode, see the “Policy Map Configuration Mode Commands” section.
map_name Name assigned to the policy map. Enter an unquoted text string with
no spaces and a maximum of 64 alphanumeric characters.
type Specifies the type of policy map to be defined. When you specify a
policy map type, you enter its corresponding policy map
configuration mode (for example, RADIUS load balancing).
inspect ftp first-match Specifies a Layer 7 policy map that defines the inspection of File
Transfer Protocol (FTP) commands by the ACE. The ACE executes
the action for the first matching classification. For a list of classes in
a policy map, the actions associated with the first class that matches
the packet are the actions that the ACE executes on the packet. For
information about the commands in policy map FTP inspection
configuration mode, see the “Policy Map FTP Inspection
Configuration Mode Commands” section.
inspect http all-match Specifies a Layer 7 policy map that defines the deep packet
inspection of the HTTP protocol by the ACE. The ACE attempts to
match all specified conditions against the matching classification and
executes the actions of all matching classes until it encounters a deny
for a match request. For information about the commands in policy
map inspection HTTP configuration mode, see the “Policy Map
Inspection HTTP Configuration Mode Commands” section.
inspect sip all-match Specifies a Layer 7 policy map that defines the inspection of SIP
protocol packets by the ACE. The ACE attempts to match all
specified conditions against the matching classification and executes
the actions of all matching classes until it encounters a deny for a
match request. For information about the commands in policy map
inspection SIP configuration mode, see the “Policy Map Inspection
SIP Configuration Mode Commands” section.
inspect skinny Specifies a Layer 7 policy map that defines the inspection of SCCP
or skinny protocol packets by the ACE. The ACE uses the SCCP
inspection policy to filter traffic based on message ID and to perform
user-configurable actions on that traffic. For information about the
commands in policy map inspection SIP configuration mode, see the
“Policy Map Inspection Skinny Configuration Mode Commands”
section.
loadbalance first-match Specifies a Layer 7 policy map that defines Layer 7 HTTP server
load-balancing decisions. The ACE executes the action for the first
matching classification. For a list of classes in a policy-map, the
actions associated with the first class that matches the packet are the
actions that the ACE executes on the packet. For information about
the commands in policy map load balance configuration mode, see
the “Policy Map Load Balancing HTTP Configuration Mode
Commands” section.
loadbalance generic
first-match
Specifies a Layer 7 policy map that defines Layer 7 HTTP server
load-balancing decisions. The ACE executes the action for the first
matching classification. For a list of classes in a policy-map, the
actions associated with the first class that matches the packet are the
actions that the ACE executes on the packet. For information about
the commands in policy map load balance configuration mode, see
the “Policy Map Load Balancing Generic Configuration Mode
Commands” section.
loadbalance http first-match Specifies a Layer 7 policy map that defines Layer 7 HTTP server
load-balancing decisions. The ACE executes the action for the first
matching classification. For a list of classes in a policy-map, the
actions associated with the first class that matches the packet are the
actions that the ACE executes on the packet. For information about
the commands in policy map load balance configuration mode, see
the “Policy Map Load Balancing HTTP Configuration Mode
Commands” section.
loadbalance radius
first-match
Specifies a Layer 7 policy map that defines Layer 7 HTTP server
load-balancing decisions. The ACE executes the action for the first
matching classification. For a list of classes in a policy-map, the
actions associated with the first class that matches the packet are the
actions that the ACE executes on the packet. For information about
the commands in policy map load balance configuration mode, see
the “Policy Map Load Balancing RADIUS Configuration Mode
Commands” section.
loadbalance rdp first-match Specifies a Layer 7 policy map that defines Layer 7 HTTP server
load-balancing decisions. The ACE executes the action for the first
matching classification. For a list of classes in a policy-map, the
actions associated with the first class that matches the packet are the
actions that the ACE executes on the packet. For information about
the commands in policy map load balance configuration mode, see
the “Policy Map Load Balancing RDP Configuration Mode
Commands” section.
loadbalance rtsp first-match Specifies a Layer 7 policy map that defines Layer 7 HTTP server
load-balancing decisions. The ACE executes the action for the first
matching classification. For a list of classes in a policy-map, the
actions associated with the first class that matches the packet are the
actions that the ACE executes on the packet. For information about
the commands in policy map load balance configuration mode, see
the “Policy Map Load Balancing RDP Configuration Mode
Commands” section.
loadbalance sip first-match Specifies a Layer 7 policy map that defines Layer 7 HTTP server
load-balancing decisions. The ACE executes the action for the first
matching classification. For a list of classes in a policy-map, the
actions associated with the first class that matches the packet are the
actions that the ACE executes on the packet. For information about
the commands in policy map load balance configuration mode, see
the “Policy Map Load Balancing SIP Configuration Mode
Commands” section.
management first-match Specifies a Layer 3 and Layer 4 policy map that defines the IP
management protocols that can be received by the ACE. The ACE
executes the specified action only for traffic that meets the first
matching classification with a policy map. For information about the
commands in policy map management configuration mode, see the
“Policy Map Management Configuration Mode Commands” section.
optimization http
first-match
(ACE appliance only) Specifies a Layer 7 policy map that defines
Layer 7 HTTP optimization operations. The Layer 7 optimization
HTTP policy map associates an HTTP optimization action list and
parameter map to configure the specified optimization actions. The
ACE executes the action for the first matching classification. For a
list of classes in a policy-map, the actions associated with the first
class that matches the packet are the actions that the ACE executes on
the packet. For information about the commands in policy map
optimization configuration mode, see the “Policy Map Optimization
Configuration Mode Commands” section.
Command Modes Configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
Usage Guidelines This command requires the inspect, loadbalance, NAT, connection, or SSL feature in your user role. For
details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE
Application Control Engine.
Use the policy map configuration mode commands to configure a series of Layer 3 and Layer 4 or
Layer 7 policies. Each policy map defines a series of actions (functions) that you apply to a set of
classified inbound traffic. The CLI prompt changes correspondingly to the selected policy map
configuration mode: config-pmap, config-pmap-c, config-pmap-insp-http, config-pmap-insp-http-c,
config-pmap-insp-http-m, config-pmap-lb, config-pmap-lb-c, config-pmap-lb-m, config-pmap-mgmt,
and config-pmap-mgmt-c.
(ACE appliance only) In addition, the prompts include config-pmap-optmz and config-pmap-optmz-c.
For a Layer 3 and Layer 4 traffic classification, you create Layer 3 and Layer 4 policy maps with actions
that configure the following:
• Network management traffic received by the ACE (HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet)
• Server load balancing based on Layer 3 and Layer 4 connection information (virtual IP address)
• Secure Sockets Layer (SSL) security services between a web browser (the client) and the HTTP
connection (the server)
• Static or dynamic Network Address Translation (NAT)
• Application protocol inspection (also known as protocol fixup)
• TCP termination, normalization, and reuse
• IP normalization and fragment reassembly
For a Layer 7 traffic classification, you create policy maps with actions that configure the following:
• Server load balancing based on the Layer 7 HTTP-related information (such as HTTP headers,
cookies, and URLs), or the client IP address
• (ACE appliance only) Application acceleration and optimization functions
• Deep packet inspection of the HTTP protocol
• FTP command inspection
The ACE supports a system-wide maximum of 4096 policy maps.
For details about creating a policy map, see the Administration Guide, Cisco ACE Application Control
Engine.
Examples To create a Layer 3 and Layer 4 server load-balancing policy map named L4_SLB_POLICY, enter:
host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)#
To create a Layer 3 and Layer 4 management protocol policy map named
L4_MGMT-ACCESS_POLICY, enter:
host1/Admin(config)# policy-map type management first-match L4_MGMT-ACCESS_POLICY
host1/Admin(config-pmap-mgmt)#
(ACE appliance only) To create a Layer 7 optimization HTTP policy map named
L7OPTIMIZATION_POLICY, enter:
host1/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)#
To create a Layer 7 HTTP server load-balancing policy map named L7_SLB_POLICY, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7_SLB_POLICY
host1/Admin(config-pmap-lb)#
To create a Layer 7 HTTP deep packet inspection policy map named L7_HTTP_INSPECT_POLICY,
enter:
host1/Admin(config)# policy-map type inspect http all-match L7_HTTP_INSPECT_POLICY
host1/Admin(config-pmap-ins-http)#
To create a Layer 7 FTP command inspection policy map named L7_FTP_INSPECT_POLICY, enter:
host1/Admin(config)# policy-map type inspect ftp first-match L7_FTP_INSPECT_POLICY
host1/Admin(config-pmap-ftp-ins)#
Related Commands show startup-config
(config) class-map
(config) parameter-map type
(config) service-policy
(config) probe
To define a probe and access its configuration mode, use the probe command. The CLI prompt changes
to (config-probe_type). Use the no form of this command to delete the probe.
probe probe_type probe_name
no probe probe_type probe_name
Syntax Description probe_type Probe types. The probe type determines what the probe sends to the
real server. Enter one of the following keywords:
• dns—Sends a request to a DNS server giving it a configured
domain. To determine if the server is up, the ACE must receive
the configured IP address for that domain.
• echo {tcp | udp}—Sends a string to the server and compares the
response to the original string. If the response string matches the
original string, the server is marked as passed. Otherwise, the
ACE retries for the configured number of times, at the configured
time interval, before the server is marked as failed.
• finger—Sends a Finger probe to a server to verify that a defined
username is a username on the server. Use the Finger protocol to
configure the username string.
• ftp—Initiates an FTP session. By default, this probe is for an
anonymous login with the option of configuring a user ID and
password. The ACE performs an FTP GET or LS to determine
the outcome of the probe. This probe supports only active
connections.
• http—Sets up a TCP connection and issues an HTTP request.
The default request is an HTTP 1.1 GET request with the URL /.
Any valid HTTP response causes the probe to mark the real
server as passed. You can also configure an HTTP response
value.
• https—Similar to the HTTP probe, but this probe uses SSL to
generate encrypted data.
• icmp—Sends an ICMP request and listens for a response. If the
server returns a response, the ACE marks the real server as
passed. If there is no response and the probe times out, or an ICMP
standard error such as DESTINATION_UNREACHABLE
occurs, the ACE marks the real server as failed.
• imap—Identical to POP/POP3 probe, but uses IMAP.
• pop—Initiates a POP session, using a configured user ID and
password. Then, the probe attempts to retrieve e-mail from the
server and validates the result of the probe based on the return
codes received from the server.
• radius—Connects to a RADIUS server and logs in to it to
determine whether the server is up.
• rtsp—Establishes a TCP connection and sends a request packet
to the RTSP server to determine whether the server is up.
• scripted—Executes probes from a configured script to perform
health probing. You can author specific scripts with features not
present in standard health probes.
• sip {tcp | udp}— Establishes a TCP or UDP connection and
sends an OPTIONS request packet to the user agent on the SIP
server to determine whether the server is up.
• smtp—Initiates an SMTP session by logging in to the server.
• snmp—Establishes a UDP connection and sends a maximum of
eight SNMP OID queries to probe the server.
• tcp—Initiates a TCP handshake and expects a response. By
default, a successful response causes the probe to mark the server
as passed, and then the probe sends a FIN to end the session. If
the response is not valid or if there is no response, the probe
marks the real server as failed.
• telnet—Establishes a connection to the real server and verifies
that a greeting from the application was received.
• udp—Sends a UDP packet to a real server. The probe marks the
server as failed only if an ICMP Port Unreachable message is
returned. Optionally, you can configure this probe to send
specific data and expect a specific response to mark the real
server as passed.
• vm—Polls the local VM load information from the VM
controller (vCenter) for the dynamic workload scaling (DWS)
feature. The ACE calculates the average aggregate load
information as a percentage of CPU usage or memory usage to
determine when to burst traffic to the remote data center. If the
server farm consists of both physical servers and VMs, the ACE
considers load information only from the VMs. After you
configure the VM probe and its attributes, you associate it with a
VM controller and a server farm.
probe_name Identifier for the probe. The probe name associates the probe to the
real server. Enter an unquoted text string with no spaces and a
maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
A4(2.0) Added the VM probe type.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
A4(2.0) Added the VM probe type.
Usage Guidelines This command requires the probe feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about commands in probe configuration mode, see the “Probe Configuration Mode
Commands” section.
Examples To define a TCP probe named PROBE1 and access its mode, enter:
host1/Admin(config)# probe tcp PROBE1
host1/Admin(config-probe-tcp)#
To delete a TCP probe named PROBE1, enter:
host1/Admin(config)# no probe tcp PROBE1
Related Commands clear probe
show probe
(config) radius-server attribute nas-ipaddr
To specify a RADIUS NAS-IP-Address attribute, use the radius-server attribute nas-ipaddr
command. Use the no form of this command to delete the RADIUS NAS-IP-Address and return to the
default configuration.
radius-server attribute nas-ipaddr nas_ip_address
no radius-server attribute nas-ipaddr nas_ip_address
Syntax Description nas_ip_address IP address that is used as the RADIUS NAS-IP-Address, attribute 4.
Enter the address in dotted-decimal IP notation (for example,
192.168.11.1).
Command Modes Configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
By default, the NAS-IP-Address is not configured. The ACE performs a route lookup on the Remote
Authentication Dial-In User Service (RADIUS) server IP address and uses the result.
The RADIUS NAS-IP-Address attribute allows you to configure an arbitrary IP address to be used as
RADIUS attribute 4, NAS-IP-Address for each context.
The radius-server attribute nas-ipaddr command allows the ACE to behave as a single RADIUS client
from the perspective of the RADIUS server. The configured NAS-IP-Address will be encapsulated in all
outgoing RADIUS authentication request and accounting packets.
Examples To specify a RADIUS NAS-IP-Address, enter:
host1/Admin(config)# radius-server attribute nas-ipaddr 192.168.1.1
To delete the RADIUS NAS-IP-Address and return to the default configuration, enter:
host1/Admin(config)# no radius-server attribute nas-ipaddr 192.168.1.1
Related Commands show aaa
(config) aaa group server
(config) radius-server host
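The attribute this command sets is RADIUS attribute 4 on the wire. The following is an added example, not Cisco's code, that builds the two packet types the usage guidelines mention (an Access-Request and an Accounting-Request) with NAS-IP-Address 192.168.1.1 and the shared secret HostKey from the radius-server host example, then does what a RADIUS server or a packet-capture check would do on receipt: read attribute 4 back out and verify the shared-secret-keyed authenticators. The wire format follows RFC 2865/2866/2869 from the standard library only; the user name and password are constructed values.

```python
"""Added example (not Cisco's code): encode and check RADIUS packets that carry
attribute 4, NAS-IP-Address. Everything here is built from RFC 2865/2866/2869
with the standard library; no RADIUS library is assumed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (value length + 2), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one TLV")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    """Access-Request with User-Name, User-Password, NAS-IP-Address and a
    Message-Authenticator (RFC 2869 5.14: HMAC-MD5 keyed with the shared secret
    over the packet with the Message-Authenticator value zeroed)."""
    authenticator = authenticator or os.urandom(16)
    attrs = _tlv(ATTR_USER_NAME, username.encode())
    attrs += _tlv(ATTR_USER_PASSWORD, _hide_password(password.encode(), secret, authenticator))
    attrs += _tlv(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    length = HEADER_LEN + len(attrs) + 18  # 18 = Message-Authenticator TLV
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    zeroed = header + attrs + _tlv(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + _tlv(ATTR_MESSAGE_AUTHENTICATOR, mac)


def build_accounting_request(identifier, secret, username, nas_ip, status_type=1):
    """Accounting-Request (RFC 2866 3): authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = _tlv(ATTR_USER_NAME, username.encode())
    attrs += _tlv(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += _tlv(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status_type))  # 1 = Start
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attrs))
    auth = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return head + auth + attrs


def parse_attributes(packet: bytes):
    """Return [(offset, type, value), ...], refusing the length inconsistencies
    a receiver must not trust (RFC 2865 3)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("invalid RADIUS Length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("invalid attribute length")
        attrs.append((pos, attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def nas_ip_address(packet: bytes):
    """The NAS-IP-Address the client claims, or None when attribute 4 is absent."""
    for _off, attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_NAS_IP_ADDRESS and len(value) == 4:
            return socket.inet_ntoa(value)
    return None


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check that the Accounting-Request was keyed with our secret."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    head, auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:length]
    expected = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC-MD5 with the Message-Authenticator value zeroed."""
    for off, attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
            return hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())
    return False  # no Message-Authenticator present
```

A packet whose NAS-IP-Address does not match the address configured on the ACE, or whose authenticator fails, is the case worth alerting on: either a misconfigured client or a forged request.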
(config) radius-server deadtime
To globally set the time interval in which the ACE verifies whether a nonresponsive server is operational,
use the radius-server deadtime command. Use the no form of this command to reset the Remote
Authentication Dial-In User Service (RADIUS) server dead-time request to the default of 0.
radius-server deadtime minutes
no radius-server deadtime minutes
Syntax Description minutes Length of time that the ACE skips a nonresponsive RADIUS server
for transaction requests. Enter an integer from 0 to 1440 (24 hours).
The default is 0.
Command Modes Configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Use of this command causes the ACE to mark as “dead” any RADIUS servers that fail to respond to
authentication requests. This action avoids the wait for the request to time out before trying the next
configured server. The ACE skips a RADIUS server that is marked as dead and sends it no additional
requests for the duration of minutes.
The dead-time interval starts when the server does not respond to the number of authentication request
transmissions configured through the radius-server retransmit command. When the server responds to
a probe access-request packet, the ACE transmits the authentication request to the server.
Examples To globally configure a 15-minute dead-time for RADIUS servers that fail to respond to authentication
requests, enter:
host1/Admin(config)# radius-server deadtime 15
To set the RADIUS server dead-time request to 0, enter:
host1/Admin(config)# no radius-server deadtime 15
Related Commands show aaa
(config) aaa group server
(config) radius-server host
(config) radius-server host
To designate and configure a host for RADIUS server functions, use the radius-server host command.
You can define multiple radius-server host commands to configure multiple Remote Authentication
Dial-In User Service (RADIUS) servers. Use the no form of this command to remove the RADIUS
server from the configuration.
radius-server host ip_address [key shared_secret [0 shared_secret | 7 shared_secret]] [auth-port
port_number] [acct-port port_number] [authentication] [accounting] [timeout seconds]
[retransmit count]
no radius-server host ip_address [key shared_secret [0 shared_secret | 7 shared_secret]]
[auth-port port_number] [acct-port port_number] [authentication] [accounting] [timeout
seconds] [retransmit count]
Syntax Description ip_address IP address for the RADIUS server. Enter the address in
dotted-decimal IP notation (for example, 192.168.11.1).
key (Optional) Enables an authentication key for communication
between the ACE and the RADIUS daemon running on the RADIUS
server. The key is a text string that must match the encryption key
used on the RADIUS server.
shared_secret Key that is used to authenticate communication between the
RADIUS client and server. The shared secret must match the one
configured on the RADIUS server. Enter the shared secret as a
case-sensitive string with no spaces with a maximum of 63
alphanumeric characters.
0 (Optional) Configures a key specified in clear text (indicated by 0) to
authenticate communication between the RADIUS client and server.
7 (Optional) Configures a key specified in encrypted text (indicated by
7) to authenticate communication between the RADIUS client and
server.
auth-port port_number (Optional) Specifies the UDP destination port for communicating
authentication requests to the RADIUS server. By default, the
RADIUS authentication port is 1812 (as defined in RFC 2138 and
RFC 2139). The port_number argument specifies the RADIUS port
number. Valid values are from 1 to 65535.
acct-port port_number (Optional) Specifies the UDP destination port for communicating
accounting requests to the RADIUS server. By default, the RADIUS
accounting port is 1813 (as defined in RFC 2138 and RFC 2139). The
port_number argument specifies the RADIUS port number. Valid
values are from 1 to 65535.
authentication (Optional) Specifies that the RADIUS server is used only for
authentication purposes.
If neither the authentication nor the accounting options are specified,
the RADIUS server is used for both accounting and authentication
purposes.
accounting (Optional) Specifies that the RADIUS server is used only for
accounting purposes.
If neither the authentication nor the accounting options are specified,
the RADIUS server is used for both accounting and authentication
purposes.
timeout seconds (Optional) Specifies the time interval that the ACE waits for the
RADIUS server to reply to an authentication request before
retransmitting a request. Valid entries are from 1 to 60 seconds. The
default is 1 second.
retransmit count (Optional) Specifies the number of times that the ACE retransmits an
authentication request to a timed-out RADIUS server before
declaring the server to be unresponsive and contacting the next server
in the group. Valid entries are from 1 to 5 attempts. The default is one
attempt.
Command Modes Configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The key option overrides the global setting of the radius-server key command. If you do not specify a
key, the global value is used. RADIUS keys are always stored in encrypted form in persistent storage.
The running configuration also displays keys in encrypted form.
If neither the authentication nor the accounting options are specified, the RADIUS server is used for
both accounting and authentication.
If your RADIUS server uses a port other than 1813, use the acct-port keyword to configure the ACE for
the appropriate port before starting the RADIUS service.
If your RADIUS server uses a port other than 1812, use the auth-port keyword to configure the ACE
for the appropriate port before starting the RADIUS service.
The retransmit and timeout options override the global settings assigned for the specified server when
you enter the radius-server retransmit and radius-server timeout commands.
Examples To configure RADIUS server authentication parameters, enter:
host1/Admin(config)# radius-server host 192.168.2.3 key HostKey
host1/Admin(config)# radius-server host 192.168.2.3 key 7 secret_1256
host1/Admin(config)# radius-server host 192.168.2.3 auth-port 1645
host1/Admin(config)# radius-server host 192.168.2.3 acct-port 1646
host1/Admin(config)# radius-server host 192.168.2.3 authentication
host1/Admin(config)# radius-server host 192.168.2.3 accounting
host1/Admin(config)# radius-server host 192.168.2.3 timeout 25
host1/Admin(config)# radius-server host 192.168.2.3 retransmit 3
To revert to a default RADIUS server authentication setting, enter:
host1/Admin(config)# no radius-server host 192.168.2.3 acct-port 1646
Related Commands show aaa
(config) aaa group server
(config) radius-server attribute nas-ipaddr
(config) radius-server key
To globally configure an authentication key for communication between the ACE and the Remote
Authentication Dial-In User Service (RADIUS) daemon running on each RADIUS server, use the
radius-server key command. Use the no form of this command to remove the global RADIUS server
key setting from the configuration.
radius-server key {shared_secret | 0 shared_secret | 7 shared_secret}
no radius-server key {shared_secret | 0 shared_secret | 7 shared_secret}
Syntax Description shared_secret Key used to authenticate communication between the RADIUS client
and the server. The shared secret must match the one configured on
the RADIUS server. Enter the shared secret as a case-sensitive string
with no spaces and a maximum of 63 alphanumeric characters.
0 Configures a key specified in clear text (indicated by 0) to
authenticate communication between the RADIUS client and server.
7 Configures a key specified in encrypted text (indicated by 7) to
authenticate communication between the RADIUS client and server.
Command Modes Configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The key is a text string that must match the encryption key used on the RADIUS server. RADIUS keys
are always stored in encrypted form in persistent storage on the ACE. This global key will be applied to
those RADIUS servers in a named server group for which a shared secret is not individually configured
by the (config) radius-server host command.
Examples To globally configure an authentication key to be sent in encrypted text (indicated by 7) to the RADIUS
server, enter:
host1/Admin(config)# radius-server key 7 abe4DFeeweo00o
To delete the key, enter:
host1/Admin(config)# no radius-server key 7 abe4DFeeweo00o
Related Commands show aaa
(config) aaa group server
(config) radius-server host
(config) radius-server retransmit
To globally change the number of times that the ACE sends an authentication request to a Remote
Authentication Dial-In User Service (RADIUS) server, use the radius-server retransmit command.
Use the no form of this command to revert to the default of one transmission attempt.
radius-server retransmit count
no radius-server retransmit count
Syntax Description count Number of times that the ACE attempts to connect to a RADIUS
server(s) before trying to contact the next available server. Enter an
integer from 1 to 5. The default is 1.
Command Modes Configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE applies this global retransmission value to those RADIUS servers for which a value is not
individually configured by the (config) radius-server host command.
If all servers in the group are unavailable for authentication and accounting, the ACE tries the local
database if you configure a local fallback method by entering the aaa authentication login or the aaa
accounting default commands. If you do not have a fallback method, the ACE continues to contact one
of the AAA servers listed in the server group.
Examples To globally configure the number of retransmissions to 3, enter:
host1/Admin(config)# radius-server retransmit 3
To revert to the default of one transmission attempt, enter:
host1/Admin(config)# no radius-server retransmit 3
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Configuration Mode Commands
Related Commands show aaa
(config) aaa group server
(config) radius-server host
(config) radius-server timeout
To globally change the time interval that the ACE waits for the Remote Authentication Dial-In User
Service (RADIUS) server to reply before retransmitting an authentication request to the RADIUS server,
use the radius-server timeout command. Use the no form of this command to revert to the default of
one second between transmission attempts.
radius-server timeout seconds
no radius-server timeout seconds
Syntax Description
seconds Time in seconds between retransmissions to the RADIUS server.
Enter an integer from 1 to 60 seconds. The default is 1 second.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE applies this global timeout value to those RADIUS servers for which a timeout value is not
individually configured by the (config) radius-server host command.
Examples To globally configure the timeout value to 30 seconds, enter:
host1/Admin(config)# radius-server timeout 30
To revert to the default of one second between transmission attempts, enter:
host1/Admin(config)# no radius-server timeout 30
Related Commands show aaa
(config) aaa group server
(config) radius-server host
(config) regex compilation-timeout
(ACE appliance only) To configure the timeout for regex compilation, use the regex
compilation-timeout command. When you configure a regex and its compilation is longer than the
configured timeout, the ACE stops the regex compilation. Use the no form of this command to revert to
the default of 60 minutes.
regex compilation-timeout minutes
no regex compilation-timeout
Syntax Description
minutes Timeout value in minutes. Enter an integer from 1 to 500. The default timeout is
60 minutes.
Command Modes Configuration mode
Admin context
Command History
ACE Appliance Release Modification
A3(2.7) This command was introduced. Not applicable for A4(1.0) and A4(2.0).
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
This command is applicable across all contexts.
Examples To configure a compilation timeout of 80 minutes, enter the following command:
host/Admin(config)# regex compilation-timeout 80
To reset the regex compilation timeout to the default value of 60 minutes, enter the following command:
host/Admin(config)# no regex compilation-timeout
Related Commands This command has no related commands.
(config) resource-class
Caution The no resource-class command will remove all resources from any context to which the specified
resource class is assigned. Be sure that you want to do this before you enter the command.
To create a resource class and enter resource configuration mode, use the resource-class command. The
CLI prompt changes to (config-resource). Configure a resource class to limit the use of system resources
by one or more contexts. Use the no form of this command to remove the resource-class setting.
resource-class name
no resource-class name
Syntax Description
name Name assigned to the resource class. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters. You
can also use the resource class called default.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Use a resource class to allocate and limit system resources among contexts in your ACE. The default
resource class allocates 100 percent of all configurable system resources to each context. By creating a
resource class, you can prevent oversubscription by limiting the percentage of resources available to
each context. After you create and configure a resource class, use the (config-context) member
command in context configuration mode to assign a context to the class.
To use the stickiness feature, you must allocate a minimum percentage of resources to the feature.
Otherwise, stickiness will not work. For more details, see the Virtualization Guide, Cisco ACE
Application Control Engine.
For information about the commands in the resource configuration mode, see the “Resource
Configuration Mode Commands” section.
Examples To create a resource class called RC1, enter:
host1/C1(config)# resource-class RC1
host1/C1(config-resource)
To remove the resource class from the configuration, enter:
host1/C1(config)# no resource-class RC1
Related Commands show resource allocation
show resource usage
show user-account
show users
(config-context) member
(config) role
To assign a user role to a user and enter role configuration mode, use the role command. The CLI prompt
changes to (config-role). User roles determine the privileges that a user has, the commands that a user
can enter, and the actions that a user can perform in a particular context. You can apply the roles that you
create only in the context in which you create them. See the “Role Configuration Mode Commands”
section for details. Use the no form of this command to remove the user role assignment.
role name
no role name
Syntax Description
name Identifier associated with a user role. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If you do not assign a user role to a new user, the default user role is Network-Monitor. For users that
you create in the Admin context, the default scope of access is the entire device. For users that you create
in other contexts, the default scope of access is the entire context. If you need to restrict a user’s access,
you must assign a role-domain pair using the (config) username command.
For information about the commands in the role configuration mode, see the “Role Configuration Mode
Commands” section.
For information about configuring roles and assigning them to users, see the Virtualization Guide, Cisco
ACE Application Control Engine.
Examples To assign a role, enter:
host1/C1(config)# role TECHNICIAN
host1/C1(config-role)#
To remove the role from the configuration, enter:
host1/C1(config)# no role TECHNICIAN
Related Commands show role
show user-account
show users
(config) username
(config) rserver
To create a real server for server load balancing (SLB) and enter real server configuration mode, use the
rserver command. The CLI prompt changes to (config-host-rserver) or (config-redirect-rserver),
depending on the type of real server that you create. You can create a maximum of 16,384 real servers.
Use the no form of this command to remove the real server from the configuration.
rserver [host | redirect] name
no rserver [host | redirect] name
Syntax Description host (Optional) Specifies a typical real server that provides content and
services to clients. This is the default setting. For details on the
commands in real server host configuration mode, see the “Real
Server Host Configuration Mode Commands” section.
redirect (Optional) Specifies a real server used to redirect traffic to a new
location as specified in the relocn-string argument of the
webhost-redirection command. For details on the commands in real
server redirect configuration mode, see the “Real Server Redirect
Configuration Mode Commands” section.
name Identifier for the real server. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the rserver feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
All servers in a server farm must be of the same type: host or redirect. You can create a maximum of
4096 real servers in each ACE.
Examples To create a real server of type host, enter:
host1/Admin(config)# rserver server1
To remove the real server of type host from the configuration, enter:
host1/Admin(config)# no rserver server1
Related Commands (config-rserver-redir) webhost-redirection
clear rserver
show rserver
(config) script file name
To load a script into memory on the ACE and enable it for use, use the script file name command. Use
the no form of this command to remove a script from memory and the running configuration.
script file name script_name
no script file name script_name
Syntax Description
script_name Name of the script on the disk0: filesystem. The script name must be
unique across the context. You will use the filename when you
configure the probe.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the probe feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To run a script or create a health probe using a script, you must use the script name, not the script file
from which the script was loaded.
Examples To load a script into memory, enter:
host1/Admin(config)# script file name ftp1.tcl
To remove the script, enter:
host1/Admin(config)# no script file name ftp1.tcl
Related Commands show script
(config) serverfarm
To create a new server farm or modify an existing server farm and enter the serverfarm configuration
mode, use the serverfarm command. You can configure a maximum of 4096 server farms on each ACE.
Use the no form of this command to remove the server farm from the configuration.
serverfarm [host | redirect] name
no serverfarm [host | redirect] name
Syntax Description
host (Optional) Specifies a typical server farm that consists of real servers
that provide content and services to clients. This is the default. For
details on the commands in the serverfarm host configuration mode,
see the “Server Farm Host Configuration Mode Commands” section.
redirect (Optional) Specifies that the server farm consists only of real servers
that redirect client requests to alternate locations specified by the
relocation string or port number in the real server configuration. For
details on the commands in the serverfarm redirect configuration
mode, see the “Server Farm Redirect Configuration Mode
Commands” section.
name Unique identifier of the server farm. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the server-farm feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
After you create a server farm, you configure the other server farm attributes and add real servers to the
farm. You can configure a maximum of 4096 server farms in each ACE.
Examples To create a server farm of type host called SFARM1, enter:
host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)#
To remove a server farm called SFARM1, enter:
host1/Admin(config)# no serverfarm SFARM1
Related Commands (config-rserver-redir) webhost-redirection
clear serverfarm
show serverfarm
(config) service-policy
To apply a previously created policy map and attach the traffic policy to a specific VLAN interface or
globally to all VLAN interfaces in the same context, use the service-policy command. Use the no form
of this command to remove a service policy.
service-policy input policy_name
no service-policy input policy_name
Syntax Description
input Specifies that the traffic policy is to be attached to the input
direction of an interface. The traffic policy evaluates all traffic
received by that interface.
policy_name Name of a previously defined policy map, configured with a
previously created policy-map command. The name can be a
maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Note the following when creating a service policy:
• Policy maps, applied globally in a context, are internally applied on all interfaces existing in the
context.
• You can apply the policy in an input direction only.
• A policy activated on an interface overwrites any specified global policies for overlapping
classification and actions.
• The ACE allows only one policy of a specific feature type to be activated on a given interface.
Examples To specify an interface VLAN and apply the Layer 3 and Layer 4 SLB policy map to the VLAN, enter:
host1/C1(config)# interface vlan50
host1/C1(config-if)# mtu 1500
host1/C1(config-if)# ip address 172.20.1.100 255.255.0.0
host1/C1(config-if)# service-policy input L4SLBPOLICY
To globally apply the Layer 3 and Layer 4 SLB policy map to the entire context, enter:
host1/C1(config)# service-policy input L4SLBPOLICY
To globally detach a traffic policy from a context, enter:
host1/C1(config)# no service-policy input L4SLBPOLICY
Related Commands clear service-policy
show service-policy
(config-if) service-policy input
(config) shared-vlan-hostid
To configure a specific bank of MAC addresses for an ACE, use the shared-vlan-hostid command. Use
the no form of this command to remove a configured bank of MAC addresses.
shared-vlan-hostid number
no shared-vlan-hostid
Syntax Description
number Bank of MAC addresses that the ACE uses. Enter a number from 1 to
16. Be sure to configure different bank numbers for multiple ACEs.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When contexts share a VLAN, the ACE assigns a different MAC address to the VLAN on each context.
The MAC addresses reserved for shared VLANs are 0x001243dc6b00 to 0x001243dcaaff, inclusive. All
ACEs derive these addresses from a global pool of 16k MAC addresses. This pool is divided into
16 banks, each containing 1,024 addresses. An ACE supports only 1,024 shared VLANs, and would use
only one bank of MAC addresses out of the pool.
By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However,
if you configure two ACEs in the same Layer 2 network and they are using shared VLANs, the
ACEs may select the same address bank and use the same MAC addresses. To avoid this conflict, you
need to configure the bank that the ACEs will use.
Examples To configure bank 2 of MAC addresses, enter:
host1/Admin(config)# shared-vlan-hostid 2
To remove the configured bank of MAC addresses, enter:
host1/Admin(config)# no shared-vlan-hostid
Related Commands (config) arp
(config) peer shared-vlan-hostid
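The bank arithmetic in the usage guidelines can be checked rather than left to boot-time randomness. The following Python is an added example, not part of the Cisco reference or of the ACE software: it derives each bank's MAC range from the pool boundaries and bank layout the guidelines state (0x001243dc6b00 to 0x001243dcaaff, 16 banks of 1,024), and flags two ACEs configured with the same bank. The mapping of bank numbers onto addresses (bank 1 at the low end of the pool) is an assumption; the reference does not state it.

```python
"""MAC address banks behind shared-vlan-hostid.
Added example; pool boundaries and bank layout are the ones the reference states,
the bank-to-address mapping (bank 1 at the low end of the pool) is an assumption."""

POOL_START = 0x001243DC6B00   # first reserved shared-VLAN MAC (from the reference)
POOL_END = 0x001243DCAAFF     # last reserved shared-VLAN MAC, inclusive
BANK_COUNT = 16
BANK_SIZE = 1024
assert POOL_END - POOL_START + 1 == BANK_COUNT * BANK_SIZE  # 16k pool, 16 banks of 1,024


def mac_str(value):
    """Render a 48-bit integer as colon-separated hex, e.g. 00:12:43:dc:6b:00."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def bank_range(bank):
    """Return the (first, last) MAC of a bank numbered 1..16 as on the CLI.
    Assumes bank 1 starts at the low end of the pool."""
    if not 1 <= bank <= BANK_COUNT:
        raise ValueError(f"bank must be 1..{BANK_COUNT}, got {bank}")
    first = POOL_START + (bank - 1) * BANK_SIZE
    return mac_str(first), mac_str(first + BANK_SIZE - 1)


def bank_of(mac):
    """Map a shared-VLAN MAC (colon or dotted form) back to its bank number."""
    value = int(mac.replace(":", "").replace(".", ""), 16)
    if not POOL_START <= value <= POOL_END:
        raise ValueError(f"{mac} is outside the shared-VLAN pool")
    return (value - POOL_START) // BANK_SIZE + 1


def find_bank_collisions(hostids):
    """Given {ace_name: configured bank}, list (ace_a, ace_b, bank) pairs that collide.
    Two ACEs on one Layer 2 network with the same bank would assign the same MAC
    addresses to their shared VLANs, which is the conflict the command avoids."""
    by_bank = {}
    for name, bank in hostids.items():
        bank_range(bank)  # validates the configured number
        by_bank.setdefault(bank, []).append(name)
    collisions = []
    for bank, names in sorted(by_bank.items()):
        for i, first in enumerate(names):
            for second in names[i + 1:]:
                collisions.append((first, second, bank))
    return collisions


if __name__ == "__main__":
    # Constructed inventory: two ACEs left on the same bank, one on a different bank.
    inventory = {"ace-a": 2, "ace-b": 2, "ace-c": 3}
    for bank in (1, 2, 16):
        print(bank, *bank_range(bank))
    print(find_bank_collisions(inventory))
```

Run against an inventory of the ACEs that share a Layer 2 domain, the collision list is empty exactly when every device has a distinct shared-vlan-hostid, which is the condition the usage guidelines ask the operator to maintain by hand.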
(config) snmp-server community
To create or modify Simple Network Management Protocol (SNMP) community names and access
privileges, use the snmp-server community command. Each SNMP device or member is part of a
community. An SNMP community determines the access rights for each SNMP device. SNMP uses
communities to establish trust between managers and agents. Use the no form of this command to
remove an SNMP community.
snmp-server community community_name [group group_name | ro]
no snmp-server community community_name [group group_name | ro]
Syntax Description
community_name SNMP community name for this system. Enter an unquoted text
string with no space and a maximum of 32 alphanumeric characters.
group group_name (Optional) Identifies the role group to which the user belongs. Enter
Network-Monitor, the default group name and the only role that is
supported.
Note Only network monitoring operations are supported through
the ACE implementation of SNMP. In this case, all SNMP
users are automatically assigned the system-defined default
group of Network-Monitor. For details on creating users, see
the Virtualization Guide, Cisco ACE Application Control
Engine.
ro (Optional) Allows read-only access for this community.
Command Modes Configuration mode
Admin and user contexts
Caution If you change the SNMP engine ID for an Admin or user context, all configured SNMP users become
invalid. You must recreate all SNMP users by using the snmp-server community command in
configuration mode.
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user
roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
After you create or modify a community, all SNMP devices assigned to that community as members have
the same access rights (as described in RFC 2576). The ACE allows read-only access to the MIB tree for
devices included in this community. The read-only community string allows a user to read data values,
but prevents that user from modifying the data.
SNMP communities are applicable only for SNMPv1 and SNMPv2c. SNMPv3 requires user
configuration information such as specifying the role group that the user belongs to, authentication
parameters for the user, authentication password, and message encryption parameters.
Examples To specify an SNMP community called SNMP_Community1, which is a member of the Network-Monitor
group, with read-only access privileges for the community, enter:
host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitor
To remove an SNMP community, enter:
host1/Admin(config)# no snmp-server community SNMP_Community1 group Network-Monitor
Related Commands (config) snmp-server host
(config) snmp-server contact
To specify the contact information for the Simple Network Management Protocol (SNMP) system, use
the snmp-server contact command. You can specify information for only one contact name. Use the no
form of this command to remove an SNMP contact.
snmp-server contact contact_information
no snmp-server contact
Syntax Description
contact_information SNMP contact information for this system. Enter a text string with a
maximum of 240 alphanumeric characters, including spaces. If the
string contains more than one word, enclose the string in quotation
marks (“ ”). You can include information on how to contact the
person; for example, you can include a phone number or an e-mail
address.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user
roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can specify only one contact name per SNMP system.
Examples To specify SNMP system contact information, enter:
host1/Admin(config)# snmp-server contact “User1 user1@cisco.com”
To remove the specified SNMP contact information, enter:
host1/Admin(config)# no snmp-server contact
Related Commands (config) snmp-server host
(config) snmp-server enable traps
To enable the ACE to send Simple Network Management Protocol (SNMP) traps and informs to the
network management system (NMS), use the snmp-server enable traps command. This command
enables both traps and inform requests for the specified notification types. Use the no form of this
command to disable the sending of SNMP traps and inform requests.
snmp-server enable traps [notification_type [notification_option]]
no snmp-server enable traps [notification_type [notification_option]]
Syntax Description
notification_type (Optional) Type of notification to enable. If no type is specified, the
ACE sends all notifications. Specify one of the following keywords:
• license—Sends SNMP license manager notifications. This
keyword appears only in the Admin context.
• slb—Sends server load-balancing notifications. When you
specify the slb keyword, you can specify a notification_option
value.
• snmp—Sends SNMP notifications. When you specify the snmp
keyword, you can specify a notification_option value.
• syslog—Sends error message notifications (Cisco Syslog MIB).
Specify the level of messages to be sent with the logging history
command.
• virtual-context—Sends virtual context change notifications.
This keyword appears only in the Admin context.
notification_option (Optional) One of the following SNMP notifications to enable:
• When you specify the snmp keyword, specify the
authentication, coldstart, linkdown, or linkup keyword to
enable SNMP notifications. This selection generates a
notification if the community string provided in an SNMP request
is incorrect, or when a VLAN interface is either up or down. The
coldstart keyword appears only in the Admin context.
• When you specify the slb keyword, specify the real, serverfarm,
or vserver keyword to enable server load-balancing
notifications. This selection generates a notification if one of the
following occurs:
– The real server changes state (up or down) due to such
occurrences as user intervention, ARP failures, and probe
failures.
– The virtual server changes state (up or down). The virtual
server represents the servers behind the content switch in the
ACE to the outside world and consists of the following
attributes: destination address (can be a range of IP
addresses), protocol, destination port, incoming VLAN.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.4) The serverfarm option was added to this command.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user
roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The notification types used in the snmp-server enable traps command all have an associated MIB
object that globally enables or disables them. However, not all of the notification types available in the
snmp-server host command have notificationEnable MIB objects, so some of the notification types
cannot be controlled using the snmp-server enable traps command.
To configure the ACE to send the SNMP notifications, specify at least one snmp-server enable traps
command. To enable multiple types of notifications, you must enter a separate snmp-server enable
traps command for each notification type and notification option. If you enter the command without any
keywords, the ACE enables all notification types and traps.
The snmp-server enable traps command is used with the snmp-server host command. The
snmp-server host command specifies which host receives the SNMP notifications. To send
notifications, you must configure at least one SNMP server host.
(ACE appliance only) The supported SNMP notifications (traps) in the CISCO-ENHANCED-SLB-MIB
for the serverfarm option are as follows:
• cesRealServerStateUpRev1 State of a real server configured in a server farm is up due to user
intervention. The notification is sent with the following varbinds:
– cesRealServerName
– cesServerFarmRserverBackupPort
– cesServerFarmName
– cesServerFarmRserverAdminStatus
– cesServerFarmRserverOperStatus
– cesRserverIpAddressType
– cesRserverIpAddress
– cesServerFarmRserverDescr
• cesRealServerStateDownRev1 State of a real server configured in a server farm is down due to user
intervention. The notification is sent with the following varbinds:
– cesRealServerName
– cesServerFarmRserverBackupPort
– cesServerFarmName
– cesServerFarmRserverAdminStatus
– cesServerFarmRserverOperStatus
– cesServerFarmRserverStateDescr
– cesRserverIpAddressType
– cesRserverIpAddress
– cesServerFarmRserverDescr
• cesRealServerStateChangeRev1 State of a real server configured in a server farm changed to a new
state as a result of something other than a user intervention. This notification is sent for situations
such as ARP failures, probe failures, and so on. The notification is sent with the following varbinds:
– cesRealServerName
– cesServerFarmRserverBackupPort
– cesServerFarmName
– cesServerFarmRserverAdminStatus
– cesServerFarmRserverOperStatus
– cesServerFarmRserverStateDescr
– cesRserverIpAddressType
– cesRserverIpAddress
– cesProbeName
– cesServerFarmRserverDescr
Examples To enable the ACE to send server load-balancing traps to the host myhost.cisco.com using the
community string public, enter:
host1/Admin(config)# snmp-server host myhost.cisco.com public
host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitor
host1/Admin(config)# snmp-server enable traps slb real
To disable SNMP server notifications, enter:
host1/Admin(config)# no snmp-server enable traps slb real
Related Commands (config) snmp-server host
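For a monitoring pipeline that receives the serverfarm notifications listed above, the useful distinction is between the two operator-driven traps (cesRealServerStateUpRev1, cesRealServerStateDownRev1) and cesRealServerStateChangeRev1, which reports an unplanned change and is the only one that carries cesProbeName. The following Python is an added example, not part of the Cisco reference or of the ACE software: the notification and varbind names come from the list above, while the trap payloads, status strings and severity labels are constructed for illustration.

```python
"""Normalize the CISCO-ENHANCED-SLB-MIB serverfarm notifications into events.
Added example; notification and varbind names are the ones listed in the reference,
the sample payloads are constructed."""

# Varbinds the reference lists for each serverfarm notification.
EXPECTED_VARBINDS = {
    "cesRealServerStateUpRev1": {
        "cesRealServerName", "cesServerFarmRserverBackupPort", "cesServerFarmName",
        "cesServerFarmRserverAdminStatus", "cesServerFarmRserverOperStatus",
        "cesRserverIpAddressType", "cesRserverIpAddress", "cesServerFarmRserverDescr",
    },
    "cesRealServerStateDownRev1": {
        "cesRealServerName", "cesServerFarmRserverBackupPort", "cesServerFarmName",
        "cesServerFarmRserverAdminStatus", "cesServerFarmRserverOperStatus",
        "cesServerFarmRserverStateDescr", "cesRserverIpAddressType",
        "cesRserverIpAddress", "cesServerFarmRserverDescr",
    },
    "cesRealServerStateChangeRev1": {
        "cesRealServerName", "cesServerFarmRserverBackupPort", "cesServerFarmName",
        "cesServerFarmRserverAdminStatus", "cesServerFarmRserverOperStatus",
        "cesServerFarmRserverStateDescr", "cesRserverIpAddressType",
        "cesRserverIpAddress", "cesProbeName", "cesServerFarmRserverDescr",
    },
}

# Constructed trap payloads (varbind name -> value); the status strings are illustrative.
SAMPLE_TRAPS = [
    ("cesRealServerStateChangeRev1", {
        "cesRealServerName": "server1", "cesServerFarmName": "SFARM1",
        "cesServerFarmRserverBackupPort": 0,
        "cesServerFarmRserverAdminStatus": "inService",
        "cesServerFarmRserverOperStatus": "probeFailed",
        "cesServerFarmRserverStateDescr": "probe failed",
        "cesRserverIpAddressType": "ipv4", "cesRserverIpAddress": "10.0.0.11",
        "cesProbeName": "HTTP_PROBE", "cesServerFarmRserverDescr": "",
    }),
    ("cesRealServerStateDownRev1", {   # deliberately incomplete: a sender that omitted varbinds
        "cesRealServerName": "server2", "cesServerFarmName": "SFARM1",
        "cesServerFarmRserverOperStatus": "outOfService",
    }),
]


def classify_slb_trap(notification, varbinds):
    """Return a normalized event. Up/Down Rev1 record an operator action; ChangeRev1 is an
    unplanned change (ARP or probe failure) and is the one worth alerting on."""
    if notification not in EXPECTED_VARBINDS:
        raise ValueError(f"not a serverfarm notification: {notification}")
    unplanned = notification == "cesRealServerStateChangeRev1"
    return {
        "rserver": varbinds.get("cesRealServerName"),
        "serverfarm": varbinds.get("cesServerFarmName"),
        "oper_status": varbinds.get("cesServerFarmRserverOperStatus"),
        "cause": "unplanned" if unplanned else "operator",
        "probe": varbinds.get("cesProbeName") if unplanned else None,
        "severity": "high" if unplanned else "info",
        # Varbinds the reference says should be present but were not in this trap.
        "missing_varbinds": sorted(EXPECTED_VARBINDS[notification] - set(varbinds)),
    }


def events_to_alert(traps):
    """Reduce a batch of (notification, varbinds) pairs to the events worth alerting on."""
    events = [classify_slb_trap(name, varbinds) for name, varbinds in traps]
    return [event for event in events if event["severity"] == "high"]


if __name__ == "__main__":
    for event in events_to_alert(SAMPLE_TRAPS):
        print(event)
```

The missing_varbinds field is the part worth keeping in production: a trap that arrives without the varbinds the MIB documents is either a truncated PDU or a sender that is not the ACE, and both deserve a look before the event is trusted.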
(config) snmp-server engineid
To configure the SNMP engine ID for an ACE context, use the snmp-server engineid command. Use
the no form of this command to reset the default engine ID for the context.
snmp-server engineid number
no snmp-server engineid number
Syntax Description
number SNMPv3 engine ID that you want to configure. Enter 10 to 64
hexadecimal digits.
Command Modes Configuration mode
Admin and user contexts
Caution If you change the SNMP engine ID for an Admin or user context, all configured SNMP users become
invalid and all SNMP communities are deleted. You must recreate all SNMP users by using the
snmp-server user command in configuration mode. You must recreate all SNMP communities by using
the snmp-server community command in configuration mode.
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(2.3) This command was introduced.
Usage Guidelines The ACE allows you to configure an SNMP engine ID for the Admin or user context. By default, the
ACE automatically creates an SNMP engine ID for the Admin context and each user context. The SNMP
engine represents a logically separate SNMP agent. The IP address for an ACE context provides access
to only one SNMP engine ID.
For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco
ACE Application Control Engine.
To display the engine ID for a context, use the show snmp engineID command in Exec mode for the
context. For example, to display the engine ID for the Admin context, enter:
host1/Admin# show snmp engineID
Examples To configure an engine ID 88439573498573888843957349857388 for the Admin context, enter:
host1/Admin(config)# snmp-server engineID 88439573498573888843957349857388
To reset the default engine ID for the Admin context, enter:
host1/Admin(config)# no snmp-server engineID
Related Commands (config) snmp-server host
(config) snmp-server community
(config) snmp-server user
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Configuration Mode Commands
(config) snmp-server host
To specify which host receives Simple Network Management Protocol (SNMP) notifications, use the
snmp-server host command. To send notifications, you must configure at least one SNMP host using
the snmp-server host command. Use the no form of this command to remove the specified host.
snmp-server host host_address [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string_username [udp-port number]
no snmp-server host host_address [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string_username [udp-port number]
Syntax Description host_address IP address of the host (the targeted recipient). Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
informs (Optional) Sends SNMP inform requests to the identified host, which allows for manager-to-manager communication. Inform requests can be useful when you need more than one NMS in the network.
traps (Optional) Sends SNMP traps to the identified host. An agent uses a trap to tell the NMS that a problem has occurred. The trap originates from the agent and is sent to the trap destination, as configured within the agent itself. The trap destination is typically the IP address of the NMS.
version (Optional) Specifies the version of SNMP used to send the traps. SNMPv3 is the most secure model because it allows packet encryption with the priv keyword.
1 Specifies SNMPv1.
2c Specifies SNMPv2C.
3 Specifies SNMPv3.
auth Enables Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) packet authentication (the authNoPriv security level).
noauth Specifies the noAuthNoPriv security level.
priv Enables Data Encryption Standard (DES) packet encryption (privacy), that is, the authPriv security level.
community-string_username SNMP community string or username with the notification operation to send. Enter an unquoted text string with no space and a maximum of 32 alphanumeric characters.
udp-port number (Optional) Specifies the UDP port of the host to use. The default is 162. Enter a number from 0 to 65535.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE supports a maximum of 10 SNMP hosts per context.
With version 1 or 2c, the community string travels in cleartext in every notification. For notifications that cross an untrusted network, use version 3 with the priv keyword and a user created with the snmp-server user command.
Examples To specify the recipient of an SNMP notification, enter:
host1/Admin(config)# snmp-server host 192.168.1.1 traps version 2c abcddsfsf udp-port 500
To remove the specified host, enter:
host1/Admin(config)# no snmp-server host 192.168.1.1 traps version 2c abcddsfsf udp-port 500
Related Commands (config) snmp-server enable traps
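What a receiver on udp-port 162, or anyone capturing that path, sees when a notification is sent with version 1 or 2c, as an added example. This is not code from the Cisco document or the ACE: it builds a sample SNMPv2c linkUp trap with a minimal BER encoder and then extracts the version and community string from the raw message. The packet, the sysUpTime value and all helper names are constructed for illustration; the community string is the one used in the example above.

```python
"""Show what a version 1 or 2c notification carries on the wire.

Added example for the snmp-server host command; it is not code from the Cisco
document or the ACE. Helper names are this example's own.
"""


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _int_body(v: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative integer."""
    return v.to_bytes((v.bit_length() + 8) // 8, "big")


def _int(v: int) -> bytes:
    return _tlv(0x02, _int_body(v))


def _oid(dotted: str) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_v2c_trap(community: bytes, sysuptime: int, trap_oid: str) -> bytes:
    """SNMPv2c message: SEQUENCE { version 1, community, SNMPv2-Trap-PDU }."""
    varbinds = _tlv(0x30,
                    _tlv(0x30, _oid("1.3.6.1.2.1.1.3.0") + _tlv(0x43, _int_body(sysuptime)))  # sysUpTime.0 (TimeTicks)
                    + _tlv(0x30, _oid("1.3.6.1.6.3.1.1.4.1.0") + _oid(trap_oid)))            # snmpTrapOID.0
    pdu = _tlv(0xA7, _int(1) + _int(0) + _int(0) + varbinds)  # request-id, error-status, error-index
    return _tlv(0x30, _int(1) + _tlv(0x04, community) + pdu)  # version value 1 means SNMPv2c


def _read_tlv(buf: bytes, off: int):
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def snmp_community(packet: bytes):
    """Return (version, community) from a raw SNMP message; community is None for v3."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, ver, off = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":
        return version, None  # a v3 message carries msgGlobalData and USM parameters, not a community
    tag, community, _ = _read_tlv(body, off)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return version, community.decode("ascii", "replace")


# Constructed sample: linkUp (1.3.6.1.6.3.1.1.5.4) sent with the community string
# from the snmp-server host example.
SAMPLE_V2C_TRAP = build_v2c_trap(b"abcddsfsf", 12345, "1.3.6.1.6.3.1.1.5.4")
# Constructed v3 message header: version 3 followed by a msgGlobalData SEQUENCE.
SAMPLE_V3_HEADER = _tlv(0x30, _int(3) + _tlv(0x30, _int(100) + _int(1400) + _tlv(0x04, b"\x03") + _int(3)))

if __name__ == "__main__":
    print(snmp_community(SAMPLE_V2C_TRAP))  # the community string is readable as-is
    print(snmp_community(SAMPLE_V3_HEADER))
```

Run `snmp_community()` over the UDP payloads of a capture on port 162 to find notification senders that still use version 1 or 2c; a version 3 message yields no community at all, which is the property the priv keyword builds on.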
(config) snmp-server location
To specify the Simple Network Management Protocol (SNMP) system location, use the snmp-server
location command. You can specify only one location. Use the no form of this command to remove the
SNMP system location.
snmp-server location location
no snmp-server location
Syntax Description location Physical location of the system. Enter a text string with a maximum of 240 alphanumeric characters, including spaces. If the string contains more than one word, enclose the string in quotation marks (" ").
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user
roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can specify only one location per SNMP system.
Examples To specify SNMP system location information, enter:
host1/Admin(config)# snmp-server location "Boxborough MA"
To remove the specified SNMP system location information, enter:
host1/Admin(config)# no snmp-server location
Related Commands (config) snmp-server community
(config) snmp-server trap link ietf
To instruct the ACE to send the linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863)
variable bindings that consist of ifIndex, ifAdminStatus, and ifOperStatus, use the snmp-server trap
link ietf command. Use the no form of this command to revert to the Cisco implementation of linkUp
and linkDown traps.
snmp-server trap link ietf
no snmp-server trap link ietf
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user
roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
By default, the ACE sends the Cisco implementation of linkUp and linkDown traps to the NMS, with the Cisco Systems IF-MIB variable bindings ifIndex, ifAdminStatus, ifOperStatus, ifName, ifType, clogOriginID, and clogOriginIDType. To receive the IETF standards-based implementation instead (RFC 2863, with only ifIndex, ifAdminStatus, and ifOperStatus), you must specify the snmp-server trap link ietf command.
Examples To configure the linkUp and linkDown traps to be compliant with RFC 2863, enter:
host1/Admin(config)# snmp-server trap link ietf
To revert to the Cisco implementation of linkUp and linkDown traps, enter:
host1/Admin(config)# no snmp-server trap link ietf
Related Commands (config) snmp-server enable traps
(config) snmp-server trap-source vlan
To specify the use of the IP address configured on a VLAN as the trap-source address in the SNMPv1
trap PDU, use the snmp-server trap-source vlan command. If the VLAN interface does not contain a
valid IP address, the sending of notifications fails for SNMPv1 traps. Use the no form of this command
to remove the specified VLAN as the source address in the SNMPv1 trap PDU and reset the default
behavior.
snmp-server trap-source vlan number
no snmp-server trap-source vlan number
Syntax Description number VLAN number of the configured interface. Enter a value from 2 to 4094 for an existing VLAN.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.1) You can no longer select the VLAN number of the FT VLAN interface that has been specified between redundant ACE appliances as the trap source address contained in the SNMP v1 trap PDU.
Usage Guidelines By default, the ACE uses the trap source IP address from the internal routing table, depending on the destination host address, where the ACE will send the notification.
For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
(ACE appliance only) The ACE restricts you from selecting the VLAN number of the FT VLAN interface that has been specified between redundant ACE appliances as the trap source address contained in the SNMP v1 trap PDU.
Examples To specify VLAN 50 in the VLAN interface as the source address in the SNMPv1 trap PDUs, enter:
host1/Admin(config)# snmp-server trap-source vlan 50
To remove the specified VLAN as the source address in the SNMPv1 trap PDU and reset the default behavior, enter:
host1/Admin(config)# no snmp-server trap-source vlan 50
Related Commands (config) snmp-server enable traps
(config) snmp-server unmask-community
To unmask the snmpCommunityName and snmpCommunitySecurityName OIDs of the SNMP-COMMUNITY-MIB, use the snmp-server unmask-community command. By default, these OIDs are masked. Use the no form of this command to mask these OIDs.
snmp-server unmask-community
no snmp-server unmask-community
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.5) This command was introduced.
ACE Appliance Release Modification
A3(2.3) This command was introduced.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Unmasking these OIDs returns the configured community strings to any manager that can read the SNMP-COMMUNITY-MIB; leave them masked unless a management application requires them.
Related Commands This command has no related commands.
(config) snmp-server user
To configure Simple Network Management Protocol (SNMP) user information, use the snmp-server user command. Use the no form of this command to disable the SNMP user configuration or to remove an SNMP user.
snmp-server user user_name [group_name] [auth {md5 | sha} password1 [priv [aes-128] password2] [localizedkey]]
no snmp-server user user_name [group_name] [auth {md5 | sha} password1 [priv [aes-128] password2] [localizedkey]]
Syntax Description user_name Username. Enter an unquoted text string with no spaces and a maximum of 24 alphanumeric characters.
group_name (Optional) User role group to which the user belongs. Enter Network-Monitor, the default group name and the only role that is supported.
Note Only network monitoring operations are supported through the ACE implementation of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, see the Virtualization Guide, Cisco ACE Application Control Engine.
auth (Optional) Sets authentication parameters for the user. Authentication determines that the message is from a valid source.
md5 Specifies HMAC-MD5 as the authentication protocol for the user. MD5 is used here as a keyed hash for message authentication; it does not encrypt anything.
sha Specifies HMAC-SHA as the authentication protocol for the user.
password1 User authentication password. Enter an unquoted text string with no space and a maximum of 130 alphanumeric characters. The ACE automatically synchronizes the SNMP authentication password as the password for the CLI user, so this password is also the CLI login password for that user; choose it accordingly. The ACE supports the following special characters in a password:
, . / = + - ^ @ ! % ~ # $ * ( )
Note that the ACE encrypts clear text passwords in the running-config.
priv (Optional) Specifies encryption parameters for the user. The priv option and the aes-128 option indicate that this privacy password is for generating a 128-bit AES key.
aes-128 (Optional) Specifies the 128-bit Advanced Encryption Standard (AES) algorithm for privacy. AES is a symmetric cipher algorithm and is one of the privacy protocols for SNMP message encryption. It conforms with RFC 3826.
password2 Encryption password for the user. The AES priv password must have at least eight alphanumeric characters. If the passphrases are specified in clear text, you can specify a maximum of 64 alphanumeric characters. If you use the localized key, you can specify a maximum of 130 alphanumeric characters. Spaces are not allowed. The ACE supports the following special characters in a password:
, . / = + - ^ @ ! % ~ # $ * ( )
Note that the ACE encrypts clear text passwords in the running-config.
localizedkey (Optional) Specifies that password1 and password2 are localized keys rather than clear-text passwords, that is, keys already derived from the password and the SNMP engine ID of this context (RFC 3414). A localized key is tied to the engine ID it was derived with and is not valid for any other engine.
Command Modes Configuration mode
Admin and user contexts
Note If you change the SNMP engine ID for an Admin or user context, all configured SNMP users become
invalid. You must recreate all SNMP users by using the snmp-server user command in configuration
mode.
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To assign multiple roles to a user, enter multiple snmp-server user commands.
You can create a maximum of 28 SNMP users for each context.
User configuration through the snmp-server user command is applicable only for SNMPv3; SNMPv1 and SNMPv2c use a community string match for user authentication.
The ACE synchronizes the interactions between a user created with the username command and the same user specified using the snmp-server user command; updates made to a user configuration in the ACE CLI are automatically reflected in the SNMP server. For example, when you delete a user, the user is automatically deleted from both the SNMP server and the CLI. In addition, user-role mapping changes are synchronized in SNMP and CLI.
Only network monitoring operations are supported through the ACE implementation of SNMP where all SNMP users are automatically assigned to the system-defined default group of Network-Monitor.
Examples To set the user information, enter:
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# snmp-server user joe Network-Monitor auth sha abcd1234
host1/Admin(config)# snmp-server user sam Network-Monitor auth md5 abcdefgh
host1/Admin(config)# snmp-server user Bill Network-Monitor auth sha abcd1234 priv abcdefgh
To disable the SNMP user configuration or to remove an SNMP user, enter:
host1/Admin(config)# no snmp-server user Bill Network-Monitor auth sha abcd1234 priv abcdefgh
Related Commands (config) snmp-server community
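Why the Note above holds (users become invalid when the engine ID changes) and what the localizedkey keyword carries, as an added example serving both the snmp-server engineID and the snmp-server user entries. This is not code from the Cisco document or the ACE: it implements the RFC 3414 password-to-key algorithm (appendix A.2) and key localization (section 2.6) in Python. The function names are this example's own; the expected MD5 and SHA-1 localized keys are the RFC 3414 appendix A.3 test vectors, and the second engine ID is the value from the snmp-server engineID example.

```python
"""RFC 3414 password-to-key and key localization (SNMPv3 USM).

Added example for the snmp-server user / snmp-server engineID commands; it is
not code from the Cisco document or the ACE. Function names are this example's own.
"""
import hashlib

# RFC 3414 A.2: the password is repeated to fill 1,048,576 octets and hashed once.
_EXPANSION_BYTES = 1_048_576


def password_to_key(password: bytes, algo: str) -> bytes:
    """Derive the user key Ku from a password (RFC 3414 A.2.1 for md5, A.2.2 for sha1)."""
    if not password:
        raise ValueError("empty password")
    reps = _EXPANSION_BYTES // len(password) + 1
    expanded = (password * reps)[:_EXPANSION_BYTES]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku) (RFC 3414 section 2.6)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algo: str = "sha1") -> str:
    """The localized key, i.e. the value a localizedkey entry carries for this engine."""
    ku = password_to_key(password.encode("utf-8"), algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()


def engine_id_change_invalidates(password: str, old_id: str, new_id: str, algo: str = "sha1") -> bool:
    """True when the key stored for old_id no longer matches what new_id requires."""
    return localized_key_hex(password, old_id, algo) != localized_key_hex(password, new_id, algo)


# RFC 3414 appendix A.3 test vector: password "maplesyrup", engine ID
# 00 00 00 00 00 00 00 00 00 00 00 02.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"
# Engine ID from the document's snmp-server engineID example (32 hex digits,
# within the 10..64 digit range the command accepts).
DOC_ENGINE_ID = "88439573498573888843957349857388"

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, localized_key_hex(RFC_PASSWORD, RFC_ENGINE_ID, algo))
    print("engine ID change invalidates user:",
          engine_id_change_invalidates(RFC_PASSWORD, RFC_ENGINE_ID, DOC_ENGINE_ID))
```

Because localization is one way and includes the engine ID, a localized key copied out of one engine's configuration cannot be converted back to the password and is useless against any other engine; that is also why a user entered with localizedkey on one context must be re-derived, not copied, for a context with a different engine ID.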
(config) ssh key
To generate the Secure Shell (SSH) private key and the corresponding public key for use by the SSH
server, use the ssh key command. Use the no form of this command to remove an SSH key pair.
ssh key {dsa | rsa | rsa1} [bits [force]]
no ssh key {dsa | rsa | rsa1}
Syntax Description dsa Generates the DSA key pair for the SSH version 2 protocol.
rsa Generates the RSA key pair for the SSH version 2 protocol.
rsa1 Generates the RSA1 key pair for the SSH version 1 protocol.
bits (Optional) Number of bits for the key pair. For DSA, enter an integer from 768 to 2048. For RSA and RSA1, enter an integer from 768 to 4096. The greater the number of bits that you specify, the longer it takes to generate the key. The default is 1024.
force (Optional) Forces the generation of a DSA or RSA key even when previous keys exist. If the SSH key pair option is already generated for the required version, use the force option to overwrite the previously generated key pair.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Before you generate the key, set the hostname. This setting is used in the generation of the key.
The global administrator performs the key generation in the Admin context. All contexts associated with the ACE share the common key. There is only a single host-key pair.
If you are the administrator or another user authorized in the Admin context, use the changeto command in exec mode to move to the Admin context. An administrator can perform all allowable functions within the Admin context.
Ensure that you have an SSH host key pair with the appropriate version before you enable the SSH service. The SSH service accepts three types of key pairs for use by SSH versions 1 and 2. Generate the SSH host key pair according to the SSH client version used.
SSH version 1 and the rsa1 key type exist only for legacy clients; the SSHv1 protocol has known weaknesses and should not be relied on where SSHv2 clients are available. Likewise, 768-bit and 1024-bit keys are below current minimum sizes for RSA and DSA; generate an rsa key of at least 2048 bits unless a legacy client requires otherwise. Because all contexts share the single host key pair, regenerating it with force changes the host key that every SSH client of every context has recorded, so distribute the new fingerprint before you overwrite the pair.
Examples To generate an RSA1 key pair in the Admin context, enter:
host1/Admin(config)# ssh key rsa1 768
generating rsa1 key(768 bits).....
.
generated rsa1 key
To remove the SSH host key pair, enter:
host1/Admin(config)# no ssh key rsa1
Related Commands (config) ssh maxsessions
(config-cmap-mgmt) match protocol
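A check a practitioner would run against the host key the ACE presents, as an added example: parse an SSH public-key line in the form ssh-keyscan prints ("host ssh-rsa AAAA...") and apply a key-type and key-size policy. This is not code from the Cisco document or the ACE; the policy threshold MIN_RSA_BITS and all function names are assumptions, and the sample key lines are constructed from synthetic numbers, not real keys.

```python
"""Check the type and size of an SSH host key before trusting it.

Added example for the ssh key command; it is not code from the Cisco document
or the ACE. The policy threshold and helper names are this example's own.
"""
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy threshold


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # keeps a leading 0x00 when the top bit is set
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    start = off + 4
    return blob[start:start + length], start + length


def parse_host_key(line: str):
    """Return (algorithm, key_bits) for a public-key line.

    key_bits is the modulus size for ssh-rsa and the size of p for ssh-dss;
    other algorithms return None for key_bits.
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-")):
            blob = base64.b64decode(fields[i + 1])
            break
    else:
        raise ValueError("no key algorithm field found")
    algo_raw, off = _read_string(blob, 0)
    algo = algo_raw.decode("ascii")
    if algo != fields[i]:
        raise ValueError("algorithm name in the blob does not match the text field")
    if algo == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent
        n_raw, _ = _read_string(blob, off)  # modulus
        return algo, int.from_bytes(n_raw, "big").bit_length()
    if algo == "ssh-dss":
        p_raw, _ = _read_string(blob, off)  # prime p; q, g and y follow
        return algo, int.from_bytes(p_raw, "big").bit_length()
    return algo, None


def check_host_key(line: str):
    """Return (accepted, reason) under the assumed policy."""
    algo, bits = parse_host_key(line)
    if algo == "ssh-dss":
        return False, "ssh-dss (DSA) host key: disabled by default in current OpenSSH clients; generate an rsa key instead"
    if algo == "ssh-rsa":
        if bits < MIN_RSA_BITS:
            return False, f"ssh-rsa {bits}-bit key is below the {MIN_RSA_BITS}-bit minimum; regenerate with ssh key rsa {MIN_RSA_BITS} force"
        return True, f"ssh-rsa {bits}-bit key accepted"
    return False, f"{algo}: not covered by this policy"


def make_rsa_key_line(host: str, modulus: int, exponent: int = 65537) -> str:
    """Build a host-key line from a given modulus (used here only for sample data)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode('ascii')}"


def make_dss_key_line(host: str, p: int, q: int, g: int, y: int) -> str:
    blob = _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (p, q, g, y))
    return f"{host} ssh-dss {base64.b64encode(blob).decode('ascii')}"


# Constructed sample lines (synthetic numbers, not real keys): the ACE default
# size of 1024 bits, a 2048-bit RSA key, and a 1024-bit DSA key.
WEAK_RSA_LINE = make_rsa_key_line("host1", (1 << 1023) | 0x3039)
OK_RSA_LINE = make_rsa_key_line("host1", (1 << 2047) | 0x3039)
DSS_LINE = make_dss_key_line("host1", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)

if __name__ == "__main__":
    for sample in (WEAK_RSA_LINE, OK_RSA_LINE, DSS_LINE):
        print(check_host_key(sample))
```

Feed the output of `ssh-keyscan -t rsa <ace-address>` to `check_host_key()`; the same parser accepts the `ssh-rsa AAAA... comment` form found in known_hosts and authorized_keys files.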
(config) ssh maxsessions
To control the maximum number of Secure Shell (SSH) sessions allowed for each context, use the ssh
maxsessions command. By default, the ACE supports four concurrent SSH management sessions for
each user context and 16 concurrent SSH management sessions for the Admin context. Use the no form
of this command to revert to the default number of SSH sessions.
ssh maxsessions max_sessions
no ssh maxsessions
Syntax Description max_sessions Maximum number of concurrent SSH sessions allowed for the associated context. The range is from 1 to 4 SSH sessions per user context and from 1 to 16 SSH sessions for the Admin context. The defaults are 4 (user context) and 16 (Admin context).
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE supports a total maximum of 256 concurrent SSH sessions.
Examples To set the maximum number of concurrent SSH sessions in the Admin context to 3, enter:
host1/Admin(config)# ssh maxsessions 3
To revert to the default of 16 SSH sessions for the Admin context, enter:
host1/Admin(config)# no ssh maxsessions
Related Commands (config) ssh key
(config-cmap-mgmt) match protocol
(config) ssl-proxy service
To create a Secure Sockets Layer (SSL) proxy service, use the ssl-proxy service command. For SSL
termination, you configure the ACE with an SSL proxy server service because the ACE acts as an SSL
server. Once you create an SSL proxy service, the CLI enters into the ssl-proxy configuration mode,
where you define each of the proxy service attributes that the ACE uses during the SSL handshake. Use
the no form of this command to delete an existing SSL proxy service.
ssl-proxy service pservice_name
no ssl-proxy service pservice_name
Syntax Description pservice_name Name of the SSL proxy service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you create an SSL proxy service, the CLI prompt changes to the ssl-proxy configuration mode, where you define the following SSL proxy service attributes:
• Authentication group
• Certificate
• Key pair
• Chain group
• Parameter map
For information about the commands in SSL proxy configuration mode, see the “SSL Proxy Configuration Mode Commands” section.
Examples To create the SSL proxy service PSERVICE_SERVER, enter:
host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)#
To delete an existing SSL proxy service, enter:
host1/Admin(config)# no ssl-proxy service PSERVICE_SERVER
Related Commands (config-ssl-proxy) cert
(config-ssl-proxy) authgroup
(config-ssl-proxy) chaingroup
(config-ssl-proxy) key
(config-ssl-proxy) ssl advanced-options
(config) static
(ACE module only) To configure the static NAT overwrite feature, use the static command. This feature
allows a maximum number of 400 K static NATs. By default, the ACE allows you to configure a
maximum 8 K static NAT configurations. Use the no form of this command to reset the default behavior.
static vlan mapped_vlan_id vlan real_vlan_id mapped_ip_address {real_ip_address [netmask
mask]}
no static vlan mapped_vlan_id vlan real_vlan_id mapped_ip_address {real_ip_address [netmask
mask]}
Syntax Description mapped_vlan_id The VLAN ID of the interface connected to the mapped IP address network.
In a context, the mapped interface must be the same in each static NAT
configuration.
real_vlan_id The VLAN ID of the interface connected to the real IP address network.
mapped_ip_address The translated IP address for the real address. Enter an IP address in
dotted-decimal notation (for example, 172.27.16.10). In a context, the
mapped IP address must be different in each static NAT configuration.
real_ip_address The real server IP address for translation. Enter an IP address in
dotted-decimal notation (for example, 172.27.16.10). In a context, you must
configure a different address for configurations that have the same real
server interface.
netmask mask (Optional) Specifies the subnet mask for the real server address. Enter a subnet mask in dotted-decimal notation (for example, 255.255.255.0).
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
Usage Guidelines This command requires the NAT feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE creates static connections that contain the NATs as soon as the configuration is applied. Because these connections exist before the packets are received, no ACL is required to permit flows that will be translated. Treat each static entry as an implicit permit for its translated flow, since the interface ACLs are not consulted for it.
When using the static command, consider the following restrictions:
• The ACE supports this configuration only in routed mode.
• The ACE allows only one mapped interface in a context. However, each static NAT configuration must have a different mapped IP address.
• The ACE does not support bidirectional NAT (source address and destination address translation for the same flow).
• You must limit the number of real server IP addresses on the same subnet as the real interface to less than 1 K. Also, limit the number of mapped IP addresses on the same subnet as the mapped interface to less than 1 K.
• You must not configure more than one next hop at any point on the mapped interface.
It is not recommended that you configure MPC-based NAT for the same context in which you configure the static command.
Examples To create a static NAT configuration for the mapped interface VLAN 176, real server interface VLAN 171, and real server IP address 10.81.0.2 255.255.255.255 to be translated to the mapped address 5.6.7.4, enter:
host1/C1(config)# static vlan 176 vlan 171 5.6.7.4 10.81.0.2 netmask 255.255.255.255
To remove this configuration, enter:
host1/C1(config)# no static vlan 176 vlan 171 5.6.7.4 10.81.0.2 netmask 255.255.255.255
Related Commands show nat-fabric
show running-config
(config) sticky http-content
To create a sticky group for HTTP content stickiness, use the sticky http-content command. The prompt
changes to the sticky HTTP content configuration mode (config-sticky-content). Use the no form of this
command to remove the sticky group from the configuration.
sticky http-content name
no sticky http-content name
Syntax Description name Unique identifier of the sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command requires the sticky feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness. Otherwise, the feature will not work. For more information about allocating resources, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the commands in sticky HTTP content configuration mode, see the “Sticky HTTP Content Configuration Mode Commands” section.
Examples To create a sticky group for HTTP packet content stickiness, enter:
host1/Admin(config)# sticky http-content HTTP_CONTENT_GROUP
host1/Admin(config-sticky-content)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky http-content HTTP_CONTENT_GROUP
Related Commands show running-config
show sticky database
(config) sticky http-cookie
To configure the ACE to use HTTP cookies for stickiness and enter sticky cookie configuration mode,
use the sticky http-cookie command. The CLI prompt changes to (config-sticky-cookie). The ACE uses
the learned cookie to provide stickiness between a client and a server for the duration of a transaction.
Use the no form of this command to remove the sticky group from the configuration.
sticky http-cookie name1 name2
no sticky http-cookie name1 name2
Syntax Description name1 Unique identifier for the cookie. The ACE learns the cookie value from the HTTP header of the client request or from the Set-Cookie message from the server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
name2 Unique identifier of the sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the sticky feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness. Otherwise, the feature will not work. For more information about allocating resources, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the commands in sticky cookie configuration mode, see the “Sticky HTTP Cookie Configuration Mode Commands” section.
Examples To create a sticky group for cookie stickiness, enter:
host1/Admin(config)# sticky http-cookie cisco.com GROUP3
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky http-cookie cisco.com GROUP3
Related Commands show running-config
show sticky database
(config) sticky http-header
To create an HTTP header sticky group to enable the ACE to stick client connections to the same real
server based on HTTP headers, use the sticky http-header command. The prompt changes to the
sticky-header configuration mode (config-sticky-header). Use the no form of this command to remove
the sticky group from the configuration.
sticky http-header name1 name2
no sticky http-header name1 name2
Syntax Description name1 HTTP header name. Enter the HTTP header name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. Alternatively, you can select one of the following standard headers:
• Accept
• Accept-Charset
• Accept-Encoding
• Accept-Language
• Authorization
• Cache-Control
• Connection
• Content-MD5
• Expect
• From
• Host
• If-Match
• Pragma
• Referer
• Transfer-Encoding
• User-Agent
• Via
See the Server Load-Balancing Guide, Cisco ACE Application Control Engine for a definition of each standard header.
name2 Unique identifier of the sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the sticky feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness. Otherwise, the feature will not work. For more information about allocating resources, see the Virtualization Guide, Cisco ACE Application Control Engine.
For information about the commands in HTTP sticky header configuration mode, see the “Sticky HTTP Header Configuration Mode Commands” section.
Examples To create a group for HTTP header stickiness, enter:
host1/Admin(config)# sticky http-header Host GROUP4
host1/Admin(config-sticky-header)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky http-header Host GROUP4
Related Commands show running-config
show sticky database
(config) sticky ip-netmask
To create a sticky group for IP address stickiness, use the sticky ip-netmask command. The prompt
changes to the sticky-IP configuration mode (config-sticky-ip). You can create a maximum of 4096
sticky groups on an ACE. Use the no form of this command to remove the sticky group from the
configuration.
sticky ip-netmask netmask address {both | destination | source} name
no sticky ip-netmask netmask address {both | destination | source} name
Syntax Description
netmask Network mask that the ACE applies to the IP address. Enter a
network mask in dotted-decimal notation (for example,
255.255.255.0).
address {both | destination | source} Specifies the IP address used for stickiness. Enter one of the
following options after the address keyword:
• both—Specifies that the ACE use both the source IP address and
the destination IP address to stick the client to a server.
• destination—Specifies that the ACE use the destination address
specified in the client request to stick the client to a server. You
typically use this keyword in caching environments.
• source—Specifies that the ACE use the client source IP address
to stick the client to a server. You typically use this keyword in
web application environments.
name Unique identifier of the sticky group. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the sticky feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness.
Otherwise, the feature will not work. For more information about allocating resources, see the
Virtualization Guide, Cisco ACE Application Control Engine.
For information about the commands in sticky IP configuration mode, see the “Sticky IP Configuration
Mode Commands” section.
Examples To create a sticky group that uses IP address stickiness based on both the source IP address and the
destination IP address, enter:
host1/Admin(config)# sticky ip-netmask 255.255.255.0 address both GROUP1
host1/Admin(config-sticky-ip)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky ip-netmask 255.255.255.0 address both GROUP1
Related Commands show running-config
show sticky database
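The two key derivations above (the value of one named HTTP header, or the source and/or destination address after the configured netmask is applied) decide which clients share a single sticky entry and therefore a single real server. The Python model below is an added illustration, not ACE code: the StickyGroup class, the request dictionaries and the round-robin choice for a key that has no entry yet are assumptions made for the example.

```python
"""Model of how an ACE sticky group derives a sticky key and pins a client to a real server.

Added illustration, not ACE code. Two key derivations from this reference are modelled:
  - sticky http-header <name> <group>: the key is the value of one HTTP header (for example Host)
  - sticky ip-netmask <mask> address {both|destination|source} <group>: the key is the masked
    source and/or destination IP address
Choosing a server for a key with no sticky entry yet is simplified to round-robin; the real
ACE uses the predictor configured on the server farm.
"""
import ipaddress
from typing import Callable, Dict, Optional, Tuple

StickyKey = Tuple[str, ...]
Request = Dict[str, object]  # constructed shape: {"src": str, "dst": str, "headers": {name: value}}
KeyFn = Callable[[Request], Optional[StickyKey]]


def http_header_key(header_name: str) -> KeyFn:
    """Key function for 'sticky http-header <header_name> <group>'.

    Header names match case-insensitively. A request without the header yields no key,
    so it cannot be stuck and falls through to ordinary load balancing.
    """
    wanted = header_name.lower()

    def key(req: Request) -> Optional[StickyKey]:
        for name, value in req.get("headers", {}).items():
            if name.lower() == wanted:
                return (header_name, value)
        return None

    return key


def ip_netmask_key(netmask: str, mode: str) -> KeyFn:
    """Key function for 'sticky ip-netmask <netmask> address {both|destination|source} <group>'.

    The mask is applied before the lookup, so every client in one masked block shares a
    single sticky entry and therefore lands on a single real server.
    """
    if mode not in ("both", "destination", "source"):
        raise ValueError(f"unknown address mode {mode!r}")
    mask = int(ipaddress.IPv4Address(netmask))

    def masked(addr: str) -> str:
        return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & mask))

    def key(req: Request) -> Optional[StickyKey]:
        if mode == "source":
            return ("src", masked(req["src"]))
        if mode == "destination":
            return ("dst", masked(req["dst"]))
        return ("src", masked(req["src"]), "dst", masked(req["dst"]))

    return key


class StickyGroup:
    """One sticky group: a key function plus the sticky table it fills."""

    def __init__(self, name: str, key_fn: KeyFn, servers):
        self.name = name
        self.key_fn = key_fn
        self.servers = list(servers)
        self.table: Dict[StickyKey, str] = {}
        self._next = 0  # round-robin pointer for keys that are not in the table yet

    def select(self, req: Request) -> Optional[str]:
        """Return the real server for this request, creating a sticky entry on first sight.

        Returns None when the request carries no usable sticky key.
        """
        key = self.key_fn(req)
        if key is None:
            return None
        server = self.table.get(key)
        if server is None:
            server = self.servers[self._next % len(self.servers)]
            self._next += 1
            self.table[key] = server
        return server


def demo():
    """Constructed traffic through a Host-header group and a /24 source-address group."""
    servers = ["rserver1", "rserver2"]
    host_group = StickyGroup("GROUP4", http_header_key("Host"), servers)
    ip_group = StickyGroup("GROUP1", ip_netmask_key("255.255.255.0", "source"), servers)
    reqs = [
        {"src": "10.1.2.3", "dst": "192.0.2.10", "headers": {"Host": "app.example"}},
        {"src": "10.1.2.200", "dst": "192.0.2.10", "headers": {"host": "app.example"}},
        {"src": "10.1.3.7", "dst": "192.0.2.10", "headers": {"Host": "other.example"}},
        {"src": "10.1.3.8", "dst": "192.0.2.10", "headers": {}},
    ]
    return {
        "by_host": [host_group.select(r) for r in reqs],
        "by_src24": [ip_group.select(r) for r in reqs],
    }


if __name__ == "__main__":
    print(demo())
```

Note how the /24 mask makes every client behind one NAT block land on the same real server, which is the capacity trade-off to weigh when choosing the netmask.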
(config) sticky layer4-payload
To create a sticky group for Layer 4 payload stickiness, use the sticky layer4-payload command. The
prompt changes to the sticky Layer 4 payload configuration mode (config-sticky-l4payloa). Use the no
form of this command to remove the sticky group from the configuration.
sticky layer4-payload name
no sticky layer4-payload name
Syntax Description
name Unique identifier of the sticky group. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command requires the sticky feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness.
Otherwise, the feature will not work. You can create a maximum of 4096 sticky groups on an ACE. For
more information about allocating resources, see the Virtualization Guide, Cisco ACE Application
Control Engine.
For information about the commands in sticky Layer 4 payload configuration mode, see the “Sticky
Layer 4 Payload Configuration Mode Commands” section.
Examples To create a sticky group that uses Layer 4 payload stickiness, enter:
host1/Admin(config)# sticky layer4-payload L4_PAYLOAD_GROUP
host1/Admin(config-sticky-l4payloa)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky layer4-payload L4_PAYLOAD_GROUP
Related Commands show running-config
show sticky database
(config) sticky radius framed-ip
To create a sticky group for RADIUS attribute stickiness, use the sticky radius framed-ip command.
The prompt changes to the sticky RADIUS configuration mode (config-sticky-radius). Use the no form
of this command to remove the sticky group from the configuration.
sticky radius framed-ip [calling-station-id | username] name
no sticky radius framed-ip [calling-station-id | username] name
Syntax Description
calling-station-id (Optional) Specifies stickiness based on the RADIUS framed IP
attribute and the calling station ID attribute.
username (Optional) Specifies stickiness based on the RADIUS framed IP
attribute and the username attribute.
name Unique identifier of the RADIUS sticky group. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
Usage Guidelines This command requires the sticky feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness.
Otherwise, the feature will not work. For more information about allocating resources, see the
Virtualization Guide, Cisco ACE Application Control Engine.
For information about the commands in sticky RADIUS configuration mode, see the “Sticky RADIUS
Configuration Mode Commands” section.
Examples To create a sticky group for RADIUS attribute stickiness, enter:
host1/Admin(config)# sticky radius framed-ip calling-station-id RADIUS_GROUP
host1/Admin(config-sticky-radius)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky radius framed-ip calling-station-id RADIUS_GROUP
Related Commands show running-config
show sticky database
(config) sticky rtsp-header
To create an RTSP header sticky group to enable the ACE to stick client connections to the same real
server based on the RTSP Session header field, use the sticky rtsp-header command. The prompt
changes to the sticky header configuration mode prompt (config-sticky-header). Use the no form of this
command to remove the sticky group from the configuration.
sticky rtsp-header name1 name2
no sticky rtsp-header name1 name2
Syntax Description
name1 RTSP header field. The ACE supports only the RTSP Session header
field for stickiness. Enter Session.
name2 Unique identifier of the sticky group. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command requires the sticky feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness.
Otherwise, the feature will not work. For more information about allocating resources, see the
Virtualization Guide, Cisco ACE Application Control Engine.
The ACE supports only the RTSP Session header field for stickiness.
For information about the commands in RTSP sticky header configuration mode, see the “Sticky RTSP
Header Configuration Mode Commands” section.
Examples To create a group for RTSP header stickiness, enter:
host1/Admin(config)# sticky rtsp-header Session RTSP_GROUP
host1/Admin(config-sticky-header)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky rtsp-header Session RTSP_GROUP
Related Commands show running-config
show sticky database
(config) sticky sip-header
To create a SIP header sticky group to enable the ACE to stick client connections to the same real server
based on the SIP Call-ID header field, use the sticky sip-header command. The prompt changes to the
sticky header configuration mode prompt (config-sticky-header). Use the no form of this command to
remove the sticky group from the configuration.
sticky sip-header name1 name2
no sticky sip-header name1 name2
Syntax Description
name1 SIP header field. The ACE supports only the SIP Call-ID header field
for stickiness. Enter Call-ID.
name2 Unique identifier of the sticky group. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command requires the sticky feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness.
Otherwise, the feature will not work. For more information about allocating resources, see the
Virtualization Guide, Cisco ACE Application Control Engine.
The ACE supports only the SIP Call-ID header field for stickiness.
For information about the commands in SIP sticky header configuration mode, see the “Sticky SIP
Header Configuration Mode Commands” section.
Examples To create a group for SIP header stickiness, enter:
host1/Admin(config)# sticky sip-header Call-ID SIP_GROUP
host1/Admin(config-sticky-header)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky sip-header Call-ID SIP_GROUP
Related Commands show running-config
show sticky database
(config) switch-mode
To change the way that the ACE handles TCP and UDP connections that are not destined to a particular
VIP and those connections that do not have any policies associated with their traffic, use the
switch-mode command. When you enable this command, the ACE still creates connection objects for
those TCP sessions that are not destined to the VIP. The ACE processes these connections as stateless
connections, which means that they do not undergo any TCP normalization checks (for example, TCP
window, TCP state, TCP sequence number, and other normalization checks).
switch-mode [timeout seconds]
no switch-mode
Syntax Description
timeout seconds Length of time in seconds that the ACE waits before removing the
switch mode connection. Enter an integer from 0 to 1440 (24 hours).
The default is 0.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(3.0) This command was introduced.
A4(1.0) The timeout option was added.
ACE Appliance Release Modification
A4(1.0) This command was introduced.
Usage Guidelines If you configure switch mode and you configure any connection parameter-map commands (for example,
set tcp buffer-share, rate-limit, exceed-mss, nagle, random-sequence-number, reserved-bits, set
tcp wan-optimization, timeout inactivity, slowstart, and so on) either locally on a specific interface or
globally on all interfaces, switch mode will override these commands for certain types of traffic. This
behavior applies only to non-VIP, non-inspection, non-NATed, and non-management traffic. The ACE
continues to apply local, global, and VIP-specific connection parameter maps to load-balanced (VIP),
inspected, NATed, and management traffic. For details about switch mode, see the “Parameter Map
Connection Configuration Mode Commands” section.
Examples To enable the switch mode feature, enter the following command:
host1/Admin(config)# switch-mode
To enable the switch mode feature with a timeout of 300 seconds (5 minutes), enter the following
command:
host1/Admin(config)# switch-mode timeout 300
To reset the switch-mode timeout to the default value of 8100 seconds after you have enabled switch
mode and configured a timeout, enter the following command:
host1/Admin(config)# switch-mode
To disable the switch mode feature, enter the following command:
host1/Admin(config)# no switch-mode
Related Commands This command has no related commands.
(config) tacacs-server deadtime
To globally set the time interval in which the ACE verifies whether a nonresponsive server is operational,
use the tacacs-server deadtime command. Use the no form of this command to reset the Terminal
Access Controller Access Control System Plus (TACACS+) server dead-time request to the default of 0.
tacacs-server deadtime minutes
no tacacs-server deadtime minutes
Syntax Description
minutes Length of time in minutes that the ACE skips a nonresponsive
TACACS+ server for transaction requests. Enter an integer from 0 to
1440 (24 hours). The default is 0.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The dead-time interval starts when the server does not respond to an authentication request transmission.
When the server responds to a probe access-request packet, the ACE retransmits the authentication
request to the server.
Using this command causes the ACE to mark as dead any TACACS+ servers that fail to respond to
authentication requests. This action avoids the wait for the request to time out before trying the next
configured server. The ACE skips a TACACS+ server that is marked as dead by additional requests for
the duration of minutes.
Examples To globally configure a 15-minute dead time for TACACS+ servers that fail to respond to authentication
requests, enter:
host1/Admin(config)# tacacs-server deadtime 15
To set the TACACS+ server dead-time request to 0, enter:
host1/Admin(config)# no tacacs-server deadtime 15
Related Commands show aaa
(config) aaa group server
(config) tacacs-server host
(config) tacacs-server host
To specify the Terminal Access Controller Access Control System Plus (TACACS+) server IP address,
encrypted key, destination port, and other options, use the tacacs-server host command. You can enter
multiple tacacs-server host commands to configure multiple TACACS+ servers. Use the no form of this
command to revert to the default TACACS+ server authentication setting.
tacacs-server host ip_address [key [0 | 7] shared_secret] [port port_number] [timeout seconds]
no tacacs-server host ip_address [key [0 | 7] shared_secret] [port port_number] [timeout
seconds]
Syntax Description
ip_address IP address for the TACACS+ server. Enter the address in dotted-decimal IP
notation (for example, 192.168.11.1).
key (Optional) Enables an authentication key for communication between the
ACE and the daemon running on the TACACS+ server.
0 (Optional) Configures a key specified in clear text (indicated by 0) to
authenticate communication between the TACACS+ client and server.
7 (Optional) Configures a key specified in encrypted text (indicated by 7) to
authenticate communication between the TACACS+ client and server.
shared_secret Key used to authenticate communication between the TACACS+ client and
server. The shared secret must match the one configured on the TACACS+
server. Enter the shared secret as a case-sensitive string with no spaces with
a maximum of 63 alphanumeric characters.
port port_number (Optional) Specifies the TCP destination port for communicating
authentication requests to the TACACS+ server. By default, the TACACS+
authentication port is 1812 (as defined in RFC 2138 and RFC 2139). If your
TACACS+ server uses a port other than 1812, use the port keyword to
configure the ACE for the appropriate port before starting the TACACS+
service. The port_number argument specifies the TACACS+ port number.
Enter an integer from 1 to 65535.
timeout seconds (Optional) Specifies the time interval that the ACE waits for the TACACS+
server to reply to an authentication request. Enter an integer from 1 to 60.
The default is 1 second.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The key shared_secret text string must match the encryption key used on the TACACS+ server. This key
overrides the global setting of the (config) tacacs-server key command. If you do not specify a key, the
global value is used. TACACS+ keys are always stored in encrypted form in persistent storage. The
running configuration also displays keys in encrypted form.
For the specified server, the timeout keyword used with the tacacs-server host command overrides the
global setting assigned using the (config) tacacs-server timeout command.
By default, the ACE waits 1 second for the TACACS+ server to reply to an authentication request before
it declares a timeout and attempts to contact the next server in the group. If all servers in the group are
unavailable for authentication and accounting, the ACE tries the local database if you configure the
database as the local fallback method by entering the (config) aaa authentication login or the (config)
aaa accounting default command.
Examples To configure TACACS+ server authentication parameters, enter:
host1/Admin(config)# tacacs-server host 192.168.3.2 key HostKey
host1/Admin(config)# tacacs-server host 192.168.3.2 tacacs3 key 7 1234
host1/Admin(config)# tacacs-server host 192.168.3.2 port 1645
host1/Admin(config)# tacacs-server host 192.168.3.2 timeout 5
To revert to a default TACACS+ server authentication setting, enter:
host1/Admin(config)# no tacacs-server host 192.168.3.2 tacacs3 key 7 1234
Related Commands show aaa
(config) aaa group server
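The per-server timeout, the dead-time marking described under tacacs-server deadtime, and the local-database fallback described above combine into one server-selection rule. The Python model below is an added illustration, not ACE code: TacacsGroup, TacacsServer, the injected transport function, the constructed local database and the documentation-range server addresses are assumptions made for the example.

```python
"""Model of the ACE TACACS+ server-selection rules described in this reference.

Added illustration, not ACE code. It models:
  - tacacs-server host ... timeout: per-server wait before moving on to the next server
  - tacacs-server deadtime: a server that fails to answer is skipped for that many minutes
    (0 disables dead marking, so every later request waits out the full timeout again)
  - local fallback: the local user database is consulted only after every server in the
    group has been tried and found unavailable; a reject from a live server is final
The transport is injected so the example runs offline against a constructed server set.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Outcome of one exchange with a server: True/False = accept/reject, None = no reply.
Transport = Callable[[str, str, str, float], Optional[bool]]


@dataclass
class TacacsServer:
    host: str
    timeout_s: float = 1.0      # 'tacacs-server host <ip> timeout', default 1 second
    dead_until: float = 0.0     # clock time until which the server is skipped


@dataclass
class TacacsGroup:
    servers: List[TacacsServer]
    deadtime_min: int = 0       # 'tacacs-server deadtime', default 0 (disabled)
    local_db: Optional[Dict[str, str]] = None   # constructed fallback database, None = none
    contacted: List[str] = field(default_factory=list)  # audit trail of servers actually asked

    def authenticate(self, user: str, password: str, transport: Transport, now: float) -> bool:
        """Try servers in configured order, honouring dead marks; fall back locally if all fail."""
        self.contacted = []
        for srv in self.servers:
            if now < srv.dead_until:
                continue                      # marked dead: do not wait out its timeout
            self.contacted.append(srv.host)
            verdict = transport(srv.host, user, password, srv.timeout_s)
            if verdict is None:
                if self.deadtime_min > 0:
                    srv.dead_until = now + self.deadtime_min * 60
                continue                      # no reply: try the next configured server
            return verdict                    # a reply, accept or reject, is final
        if self.local_db is None:
            return False
        expected = self.local_db.get(user)
        return expected is not None and hmac.compare_digest(expected, password)


def demo():
    """Constructed scenario: the first server never replies, the second one answers."""
    def transport(host, user, password, timeout_s):
        if host == "192.0.2.11":
            return None                       # silent server
        return user == "oper" and password == "correct horse"

    group = TacacsGroup(
        servers=[TacacsServer("192.0.2.11", timeout_s=5.0), TacacsServer("192.0.2.12")],
        deadtime_min=15,
    )
    first = group.authenticate("oper", "correct horse", transport, now=0.0)
    asked_first = list(group.contacted)
    # 60 s later the silent server is still inside its 15-minute dead window and is skipped.
    second = group.authenticate("oper", "correct horse", transport, now=60.0)
    asked_second = list(group.contacted)
    # Once the dead time has elapsed the server is probed again.
    group.authenticate("oper", "correct horse", transport, now=15 * 60 + 1)
    asked_third = list(group.contacted)
    return {"first": first, "asked_first": asked_first, "second": second,
            "asked_second": asked_second, "asked_third": asked_third}


if __name__ == "__main__":
    print(demo())
```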
(config) tacacs-server key
To globally configure an authentication key for communication between the ACE and the Terminal
Access Controller Access Control System Plus (TACACS+) daemon running on each TACACS+ server,
use the tacacs-server key command. Use the no form of this command to delete the key.
tacacs-server key [0 | 7] shared_secret [timeout seconds]
no tacacs-server key [0 | 7] shared_secret [timeout seconds]
Syntax Description
0 (Optional) Configures a key specified in clear text (indicated by 0) to
authenticate communication between the TACACS+ client and server.
7 (Optional) Configures a key specified in encrypted text (indicated by 7) to
authenticate communication between the TACACS+ client and server.
shared_secret Key used to authenticate communication between the TACACS+ client and
server. The shared secret must match the one configured on the TACACS+
server. Enter the shared secret as a case-sensitive string with no spaces with
a maximum of 63 alphanumeric characters or you can include spaces if you
enclose the entire key with quotation marks (for example, “my key”).
timeout seconds (Optional) Globally configures the time interval that the ACE waits for the
TACACS+ server to reply before retransmitting an authentication request to
the TACACS+ server. The seconds argument is the timeout value in
seconds. Valid entries are from 1 to 60 seconds. By default, the ACE waits
1 second to receive a response from a TACACS+ server before it declares a
timeout failure and attempts to contact the next server in the group. This
option configures the same time interval as the tacacs-server timeout
command.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The key is a text string that must match the encryption key used on the TACACS+ server. TACACS+ keys
are always stored in encrypted form in persistent storage on the ACE. This global key will be applied to
those TACACS+ servers in a named server group for which a shared secret is not individually configured
using the (config) tacacs-server host command.
Examples To globally configure an authentication key in encrypted text (indicated by 7) to authenticate
communication between the TACACS+ client and server, enter:
host1/Admin(config)# tacacs-server key 7 abe4DFeeweo00o
To delete the key, enter:
host1/Admin(config)# no tacacs-server key 7 abe4DFeeweo00o
Related Commands show aaa
(config) aaa group server
(config) tacacs-server host
(config) tacacs-server timeout
To globally change the time interval that the ACE waits for the Terminal Access Controller Access
Control System Plus (TACACS+) server to reply before retransmitting an authentication request to the
TACACS+ server, use the tacacs-server timeout command. The ACE applies the global timeout value
to those TACACS+ servers for which a timeout value is not individually configured using the (config)
tacacs-server host command. Use the no form of this command to revert to the default of 1 second
between transmission attempts.
tacacs-server timeout seconds
no tacacs-server timeout seconds
Syntax Description
seconds Timeout value in seconds. Valid entries are from 1 to 60 seconds. The
default is 1 second.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the AAA feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To globally configure the timeout value to 30 seconds, enter:
host1/Admin(config)# tacacs-server timeout 30
To revert to the default of 1 second between transmission attempts, enter:
host1/Admin(config)# no tacacs-server timeout 30
Related Commands show aaa
(config) aaa group server
(config) tacacs-server host
(config) telnet maxsessions
To control the maximum number of Telnet sessions allowed for each context, use the telnet maxsessions
command. By default, the ACE supports 4 concurrent Telnet management sessions for each user context
and 16 concurrent Telnet management sessions for the Admin context. Use the no form of this command
to revert to the default number of Telnet sessions.
telnet maxsessions sessions
no telnet maxsessions
Syntax Description
sessions Maximum number of concurrent Telnet sessions allowed for the associated
context. The range is from 1 to 4 Telnet sessions per user context and from
1 to 16 Telnet sessions for the Admin context. The defaults are 4 (user
context) and 16 (Admin context).
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE supports a total maximum of 256 concurrent Telnet sessions.
Examples To set the maximum number of concurrent Telnet sessions to 3 in the Admin context, enter:
host1/Admin(config)# telnet maxsessions 3
To revert to the default of 16 Telnet sessions for the Admin context, enter:
host1/Admin(config)# no telnet maxsessions
Related Commands telnet
clear telnet
show telnet
(config-cmap-mgmt) match protocol
(config) timeout xlate
To configure an idle timeout for Network Address Translation (NAT), use the timeout xlate command.
Use the no form of this command to reset the idle timeout to the default of 10800 seconds (3 hours).
timeout xlate seconds
no timeout xlate
Syntax Description
seconds Time in seconds that the ACE waits to free the Xlate slot after it becomes
idle. Enter an integer from 60 to 2147483. The default is 10800 seconds (3
hours).
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the NAT feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To specify an idle timeout of 120 seconds (2 minutes), enter:
host1/Admin(config)# timeout xlate 120
To reset the NAT idle timeout to the default value of 10800 seconds (3 hours), enter:
host1/Admin(config)# no timeout xlate
Related Commands (config) policy-map
(config-pmap-c) nat dynamic
(config-pmap-c) nat static
(config) udp
(ACE module only) To configure the UDP booster feature, use the udp command. Use this feature when
your application requires very high UDP connection rates.
Use the no form of this command to disable the UDP booster feature.
udp {ip-source-hash | ip-destination-hash}
no udp
Syntax Description
ip-source-hash Instructs the ACE to hash the source IP address of UDP packets that hit a
source-hash VLAN interface prior to performing a connection match.
Configure this keyword on a client-side interface.
ip-destination-hash Instructs the ACE to hash the destination IP address of UDP packets that hit
a destination-hash VLAN interface prior to performing a connection match.
Configure this keyword on a server-side interface.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
Usage Guidelines This command requires the interface feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To use this feature, you must configure both keywords on the appropriate interfaces, and configure
standard load balancing on the ACE. For details about configuring load balancing and more information
about this command, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
We recommend that you do not configure this feature with per-packet UDP load balancing (also called
UDP fast-age) using the (config-pmap-c) loadbalance vip udp-fast-age command. Otherwise,
unexpected results may occur.
Examples To configure the UDP booster feature on the ACE, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# udp ip-source-hash
host1/Admin(config-if)# exit
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# udp ip-destination-hash
To disable the UDP booster feature, enter the following command:
host1/Admin(config-if)# no udp
Related Commands This command has no related commands.
(config) username
To change the default username and password, use the username command. Use the no form of this
command to remove the username from the configuration.
username name1 [password [0 | 5] password] [expire date] [role name2] [domain name3 name4 . . . namen]
no username name1 [password [0 | 5] password] [expire date] [role name2] [domain name3 name4 . . . namen]
Syntax Description
name1 Identifier of the user that you are creating. Enter an unquoted text string
with no spaces and a maximum of 24 alphanumeric characters.
The ACE supports the following non-alphanumeric characters in a
username:
- _ @ \
The ACE does not support the following characters:
$ / ; ! #
Note The “.” character is not supported on the local database but a
username with this character is authenticated when it is configured
on an ACS server.
password (Optional) Indicates that a password follows.
0 (Optional) Specifies a clear text password.
5 (Optional) Specifies an MD5-hashed strong encryption password.
password Password in clear text, encrypted text, or MD5 strong encryption,
depending on the numbered option that you enter. If you do not enter a
numbered option, the password is in clear text by default. If you enter the
password keyword, you must enter a password. Enter a password as an
unquoted text string with a maximum of 64 alphanumeric characters. The
ACE supports the following special characters in a password:
, . / = + - ^ @ ! % ~ # $ * ( )
Note that the ACE encrypts clear text passwords in the running-config.
expire date (Optional) Specifies the expiration date of the user account. Enter the
expiration date in the format yyyy-mm-dd. Be aware that the ACE applies
the configured UTC offset to this date.
role name2 (Optional) Specifies an existing role that you want to assign to the user.
domain name3 name4 . . . namen (Optional) Specifies the domains in which the user can operate. You can
enter multiple domain names up to a maximum of 10, including
default-domain.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command requires the context Admin user role. For details about role-based access control (RBAC)
and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE creates the following default user accounts at startup:
• The admin user is the global administrator and cannot be deleted.
• (ACE appliance only) The dm user is for accessing the Device Manager GUI and cannot be deleted.
The dm user is an internal user required by the Device Manager GUI; it is hidden on the ACE CLI.
Note Do not modify the dm user password from the ACE CLI. If the password is changed, the Device
Manager GUI will become inoperative. If this occurs, restart the Device Manager using the dm
reload command (you must be the global administrator to access the dm reload command).
Note that restarting the Device Manager does not impact ACE functionality; however, it may
take a few minutes for the Device Manager to reinitialize as it reads the ACE CLI configuration.
• The www user account is used by the ACE for the XML interface.
If you do not assign a role to a new user, the default role is Network-Monitor. For users that you create
in the Admin context, the default scope of access is the entire device. For users that you create in other
contexts, the default scope of access is the entire context. If you need to restrict a user’s access, you must
assign a role-domain pair. For more information about creating users, see the Virtualization Guide, Cisco
ACE Application Control Engine.
Examples To change the default username, enter:
host1/Admin(config)# username USER1 password MYSECRET expire 2005-12-31 role TECHNICIAN
domain D1 default-domain
host1/Admin(config)# username USER2 password HERSECRET expire 2005-12-31 role Admin
domain default-domain D2
To remove a username from the configuration, enter:
host1/Admin(config)# no username USER1
Related Commands clear user
show role
show user-account
show users
ACE Appliance Release Modification
A1(7) This command was introduced.2-456
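As an added example (not Cisco's code and not part of this reference), the following Python audit parses username lines in the syntax above from a saved configuration and flags the conditions the usage guidelines make worth a second look: no explicit role (Network-Monitor by default), no domain restriction, an expire date already in the past, a name that uses unsupported characters, and a clear-text password kept in a stored template. The sample configuration, the reference date and the "$1$PLACEHOLDER$" hash strings are constructed for the demo.

```python
"""Audit ACE "username" lines from a saved configuration.

Added example, not Cisco's code. It parses the grammar documented above,
  username name1 [password [0 | 5] password] [expire date] [role name2] [domain name3 ...]
and reports accounts that the usage guidelines make worth a second look.
The configuration text and the reference date are constructed for the demo.
"""
import re
from datetime import date

KEYWORDS = {"password", "expire", "role", "domain"}
# Page: up to 24 characters; non-alphanumeric - _ @ \ allowed, $ / ; ! # and . not.
VALID_USERNAME = re.compile(r"^[A-Za-z0-9\-_@\\]{1,24}$")

# Constructed running-config excerpt; "$1$PLACEHOLDER$" stands in for an MD5 hash.
SAMPLE_CONFIG = """\
username admin password 5 $1$PLACEHOLDER$ role Admin domain default-domain
username USER1 password 5 $1$PLACEHOLDER$ expire 2005-12-31 role TECHNICIAN domain D1 default-domain
username USER2 password 0 HERSECRET expire 2025-12-31
username ops.user expire 2030-01-01 role Network-Monitor domain default-domain D2
"""


def parse_username_line(line: str):
    """Return a dict for one 'username ...' line, or None for any other line."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "username":
        return None
    acct = {"name": tokens[1], "password_type": None, "expire": None,
            "role": None, "domains": []}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "password":
            i += 1
            if i < len(tokens) and tokens[i] in ("0", "5"):
                acct["password_type"] = "md5" if tokens[i] == "5" else "cleartext"
                i += 1
            else:
                acct["password_type"] = "cleartext"  # page: no numbered option means clear text
            i += 1  # step over the password value itself; it is never stored
        elif tok == "expire":
            acct["expire"] = date.fromisoformat(tokens[i + 1])  # page: yyyy-mm-dd
            i += 2
        elif tok == "role":
            acct["role"] = tokens[i + 1]
            i += 2
        elif tok == "domain":
            i += 1
            while i < len(tokens) and tokens[i] not in KEYWORDS:
                acct["domains"].append(tokens[i])
                i += 1
        else:
            raise ValueError(f"unexpected token {tok!r} in: {line}")
    return acct


def audit_usernames(config_text: str, today_iso: str):
    """Return (account, finding) pairs; today_iso is a yyyy-mm-dd reference date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for raw in config_text.splitlines():
        acct = parse_username_line(raw.strip())
        if acct is None:
            continue
        name = acct["name"]
        if not VALID_USERNAME.match(name):
            findings.append((name, "unsupported-username-characters"))
        if acct["role"] is None:
            findings.append((name, "no-role-defaults-to-Network-Monitor"))
        if not acct["domains"]:
            findings.append((name, "no-domain-restriction"))
        if acct["expire"] is None:
            findings.append((name, "no-expiry"))
        elif acct["expire"] < today:
            findings.append((name, "expired"))
        if acct["password_type"] == "cleartext":
            # The ACE re-encrypts it in its own running-config, so this matters
            # for templates kept outside the device, e.g. in a repository.
            findings.append((name, "cleartext-password-in-stored-config"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_usernames(SAMPLE_CONFIG, "2012-01-01"):
        print(f"{account}: {finding}")
```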
(config) vm-controller
To configure the VM controller (vCenter) that the ACE queries for VM load information for the dynamic workload scaling (DWS) feature, use the vm-controller command. Use the no form of this command to remove the VM controller from the configuration.
vm-controller name
no vm-controller name
Syntax Description
  name    Name of an existing VM controller (vCenter) that the ACE queries for VM load information. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
  Configuration mode
  Admin context
Command History
  ACE Module/Appliance Release   Modification
  A4(2.0)                        This command was introduced.
Usage Guidelines
  This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples
  To configure a VM controller, enter:
  host1/Admin(config)# vm-controller VCENTER1
  To remove a VM controller from the configuration, enter:
  host1/Admin(config)# no vm-controller VCENTER1
Related Commands
  show vm-controller
Action List Modify Configuration Mode Commands
Action list modify configuration mode commands allow you to configure ACE action lists. An action list is a named group of actions that you associate with a Layer 7 HTTP class map in a Layer 7 HTTP policy map. You can create an action list to modify an HTTP header or to rewrite an HTTP redirect URL for Secure Sockets Layer (SSL).
To create an action list, use the action-list type modify http command. The CLI prompt changes to (config-actlist-modify). Use the no form of this command to remove the action list from the configuration.
action-list type modify http name
no action-list type modify http name
Syntax Description
  name    Unique name for the action list. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
Command Modes
  Configuration mode
  Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines
  This command has no usage guidelines.
Examples
  To create an action list, enter:
  host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
  host1/Admin(config-actlist-modify)#
  To remove the action list from the configuration, enter:
  host1/Admin(config)# no action-list type modify http HTTP_MODIFY_ACTLIST
Related Commands
  show running-config
  show stats
(config-actlist-modify) description
(ACE appliance only) To add a description about the action list, use the description command. Use the no form of this command to remove the description from the action list.
description text_string
no description
Syntax Description
  text_string    Description for the action list. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes
  Action list modify configuration mode
  Admin and user contexts
Command History
  ACE Appliance Release   Modification
  A3(2.3)                 This command was introduced.
Usage Guidelines
  After you create an action list and associate actions with it, you must associate the action list with a Layer 7 policy map. For details, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples
  To add a description for the action list, enter:
  host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
  host1/Admin(config-actlist-modify)# description action - delete request
  To remove the description from the action list, enter:
  host1/Admin(config-actlist-modify)# no description
Related Commands
  show action-list
(config-actlist-modify) header delete
To delete an HTTP header from a client request, a server response, or from both, use the header delete command in action list modify configuration mode. Use the no form of this command to remove the HTTP header delete action from the action list.
header delete {request | response | both} header-name
no header delete {request | response | both} header-name
Syntax Description
  request        Specifies that the ACE delete the header from HTTP request packets from clients.
  response       Specifies that the ACE delete the header from HTTP response packets from servers.
  both           Specifies that the ACE delete the header from both HTTP request packets and response packets.
  header-name    Identifier of the HTTP header that you want to delete. Enter an unquoted text string with a maximum of 255 alphanumeric characters.
Command Modes
  Action list modify configuration mode
  Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines
  After you create an action list and associate actions with it, you must associate the action list with a Layer 7 policy map. For details, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples
  To delete the Host header from request packets only, enter:
  host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
  host1/Admin(config-actlist-modify)# header delete request Host
  To remove the header delete action from the action list, enter:
  host1/Admin(config-actlist-modify)# no header delete request Host
Related Commands
  (config) action-list type modify http
  (config-actlist-modify) header insert
(config-actlist-modify) header insert
When the ACE uses NAT to translate the source IP address of a client to a VIP address, servers need a way to identify that client for the TCP and IP return traffic. To identify a client whose source IP address has been translated using NAT, you can instruct the ACE to insert a generic header and string value in the client HTTP request.
To insert a header name and value in an HTTP request from a client, a response from a server, or both, use the header insert command in action list modify configuration mode. Use the no form of this command to remove the HTTP header insert action from the action list.
header insert {request | response | both} header-name header-value expression
no header insert {request | response | both} header-name header-value expression
Syntax Description
  request        Specifies that the ACE insert an HTTP header in HTTP request packets from clients.
  response       Specifies that the ACE insert an HTTP header in HTTP response packets from servers.
  both           Specifies that the ACE insert an HTTP header in both HTTP request packets and response packets.
  header-name    Identifier of an HTTP header. Enter an unquoted text string with a maximum of 255 alphanumeric characters.
  header-value expression
                 Specifies the value of the HTTP header that you want to insert in request packets, response packets, or both. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. You can also use the following dynamic replacement strings:
                 • %is—Insert the source IP address in the HTTP header.
                 • %id—Insert the destination IP address in the HTTP header.
                 • %ps—Insert the source port in the HTTP header.
                 • %pd—Insert the destination port in the HTTP header.
Command Modes
  Action list modify configuration mode
  Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines
  After you create an action list and associate actions with it, you must associate the action list with a Layer 7 policy map. For details, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
  With either TCP server reuse or persistence rebalance enabled, the ACE inserts a header in every client request. For information about TCP server reuse, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples
  To include a header insert action for both request and response packets in an action list, enter:
  host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
  host1/Admin(config-actlist-modify)# header insert both Host header-value www.cisco.com
  To remove the insert action from the action list, enter:
  host1/Admin(config-actlist-modify)# no header insert both Host header-value www.cisco.com
Related Commands
  (config) action-list type modify http
  (config-actlist-modify) header delete
  (config-actlist-modify) header rewrite
  (config-actlist-modify) ssl header-insert
(config-actlist-modify) header rewrite
To rewrite an HTTP header value in request packets from a client, response packets from a server, or both, use the header rewrite command in action list modify configuration mode. Use the no form of this command to remove the HTTP header rewrite action from the action list.
header rewrite {request | response | both} header-name header-value expression replace pattern
no header rewrite {request | response | both} header-name header-value expression replace pattern
Syntax Description
  request        Specifies that the ACE rewrite an HTTP header string in HTTP request packets from clients.
  response       Specifies that the ACE rewrite an HTTP header string in HTTP response packets from servers.
  both           Specifies that the ACE rewrite an HTTP header string in both HTTP request packets and response packets.
  header-name    Identifier of the HTTP header that you want to rewrite. Enter an unquoted text string with a maximum of 255 alphanumeric characters.
  header-value expression
                 Specifies the value of the HTTP header that you want to replace in request packets, response packets, or both. Enter a text string from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching data strings. Use parenthesized expressions for dynamic replacement using %1 and %2 in the replacement pattern.
                 Note: When matching data strings, the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
  replace pattern
                 Specifies the pattern string that you want to substitute for the header value regular expression. For dynamic replacement of the first and second parenthesized expressions from the header value, use %1 and %2, respectively.
Command Modes
  Action list modify configuration mode
  Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines
  After you create an action list and associate actions with it, you must associate the action list with a Layer 7 policy map. For details, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples
  To include a header replace action for HTTP request packets in an action list, enter:
  host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
  host1/Admin(config-actlist-modify)# header rewrite request Host header-value www.cisco.com replace ?
  To remove the replace action from the action list, enter:
  host1/Admin(config-actlist-modify)# no header rewrite request Host header-value www.cisco.com replace ?
Related Commands
  (config) action-list type modify http
  (config-actlist-modify) header delete
  (config-actlist-modify) header insert
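As an added example (not Cisco's code), the following Python model applies the three header actions of this mode, header delete, header insert with the %is/%id/%ps/%pd dynamic strings, and header rewrite with a regular expression and %1/%2, to a constructed request, so that an action list can be checked offline before it is applied to traffic. The connection addresses, the X-Client-IP and X-Served-By header names, case-insensitive header matching and the assumption that a rewrite replaces only the matched part of the value are constructed for the demo.

```python
"""Simulate ACE action-list header actions on a parsed HTTP message.

Added example, not Cisco's code. It models header delete, header insert
(with the %is/%id/%ps/%pd dynamic strings) and header rewrite (regex with
%1/%2) on a constructed request. Case-insensitive header names and
rewriting only the matched part of a value are assumptions.
"""
import re
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# Constructed connection 4-tuple as the ACE would see it, keyed by dynamic string.
FLOW = {"%is": "198.51.100.7", "%ps": "51234", "%id": "203.0.113.10", "%pd": "80"}

# Constructed client request. After source NAT the server sees only the VIP
# side of the flow, which is why the page inserts the client address itself.
REQUEST: Headers = [
    ("Host", "www.cisco.com"),
    ("User-Agent", "example/1.0"),
    ("Cookie", "sid=abc"),
]


def expand_dynamic(value: str, flow=FLOW) -> str:
    """Replace the ACE dynamic strings %is, %id, %ps, %pd in a header value."""
    for token, real in flow.items():
        value = value.replace(token, real)
    return value


def ace_pattern_to_python(pattern: str) -> str:
    """Translate an ACE replace pattern (%1, %2) into a Python re replacement."""
    pattern = pattern.replace("\\", "\\\\")          # keep a literal backslash literal
    return re.sub(r"%([12])", r"\\g<\1>", pattern)    # %1 -> \g<1>, %2 -> \g<2>


def header_delete(headers: Headers, name: str) -> Headers:
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


def header_insert(headers: Headers, name: str, value: str) -> Headers:
    return headers + [(name, expand_dynamic(value))]


def header_rewrite(headers: Headers, name: str, expression: str, pattern: str) -> Headers:
    regex = re.compile(expression)
    replacement = ace_pattern_to_python(pattern)
    out: Headers = []
    for n, v in headers:
        if n.lower() == name.lower() and regex.search(v):
            v = regex.sub(replacement, v, count=1)
        out.append((n, v))
    return out


def apply_action_list(actions, headers: Headers, direction: str) -> Headers:
    """Apply (action, request|response|both, *args) entries to one message."""
    for action, where, *args in actions:
        if where not in (direction, "both"):
            continue
        if action == "delete":
            headers = header_delete(headers, *args)
        elif action == "insert":
            headers = header_insert(headers, *args)
        elif action == "rewrite":
            headers = header_rewrite(headers, *args)
        else:
            raise ValueError(f"unknown action {action!r}")
    return headers


# Constructed action list; X-Client-IP and X-Served-By are our names, not the page's.
#   header delete request Cookie
#   header insert request X-Client-IP header-value %is
#   header rewrite request Host header-value (www)[.]cisco[.]com replace %1.cisco.net
#   header insert response X-Served-By header-value %id
ACTION_LIST = [
    ("delete", "request", "Cookie"),
    ("insert", "request", "X-Client-IP", "%is"),
    ("rewrite", "request", "Host", r"(www)[.]cisco[.]com", "%1.cisco.net"),
    ("insert", "response", "X-Served-By", "%id"),
]


def demo() -> Headers:
    """Run the constructed action list over REQUEST in the request direction."""
    return apply_action_list(ACTION_LIST, REQUEST, "request")


if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}: {value}")
```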
(config-actlist-modify) ssl header-insert
To insert HTTP headers containing SSL session information when the ACE receives an HTTP request
during a session, use the ssl header-insert command. When a client sends encrypted traffic to the ACE
in an SSL termination configuration, the ACE terminates the SSL traffic and then sends clear text to the
server, which is unaware of the encrypted traffic flowing between the client and the ACE. Using an
action list associated with a Layer 7 HTTP load-balancing policy map, you can instruct the ACE to
provide the server with the following SSL session information by inserting HTTP headers into the HTTP
requests that it receives over the connection:
• Session Parameters—SSL session parameters that the ACE and client negotiate during the SSL
handshake.
• Server Certificate Fields—Information regarding the SSL server certificate that resides on the ACE.
• Client Certificate Fields—Information regarding the SSL client certificate that the ACE retrieves
from the client when you configure the ACE to perform client authentication.
Use the no form of this command to remove the HTTP header insert information.
ssl header-insert {client-cert specific_field | server-cert specific_field | session specific_field} [prefix prefix_string | rename new_field_name]
no ssl header-insert {client-cert specific_field | server-cert specific_field | session specific_field} [prefix prefix_string | rename new_field_name]
Syntax Description
  client-cert specific_field
                 Specifies a client certificate (ClientCert) field name to insert into the HTTP header. See Table 1-6 for a list of the valid client certificate field names.
  server-cert specific_field
                 Specifies a server certificate (ServerCert) field name to insert into the HTTP header. See Table 1-7 for a list of the valid server certificate field names.
  session specific_field
                 Specifies a session field name to insert into the HTTP header. See Table 1-8 for a list of the valid session field names.
  prefix prefix_string
                 (Optional) Inserts a prefix string before the specified field name. For example, if you specify the prefix Acme-SSL for the Authority-Key-Id server certificate field, then the ACE adds the field name as Acme-SSL-ServerCert-Authority-Key-Id. Enter a quoted text string. The maximum combined number of prefix string and field name characters that the ACE permits is 32.
  rename new_field_name
                 (Optional) Assigns a new name to the specified field name. Enter an unquoted text string with no spaces. The maximum combined number of field name and prefix string characters that the ACE permits is 32.
Table 1-6 lists the supported SSL client certificate fields. Depending on how the certificate was generated and what key algorithm was used, all of these fields may not be present for the certificate.
Table 1-6  SSL Session Information: SSL Client Certificate Fields
ClientCert Field        Description
Authority-Key-Identifier
    X.509 authority key identifier.
    Format: ASCII string of hexadecimal bytes separated by colons for the X.509 version 3 Authority Key Identifier.
    Example: ClientCert-Authority-Key-Identifier: 16:13:15:97:FD:8E:16:B9:D2:99
Basic-Constraints
    X.509 basic constraints.
    Format: String that indicates if the certificate subject can act as a certificate authority. Possible values are CA=TRUE or CA=FALSE basic constraints.
    Example: ClientCert-Basic-Constraints: CA=TRUE
Certificate-Version
    X.509 certificate version.
    Format: Numerical X.509 version (3, 2, or 1), followed by the ASN.1 defined value for X.509 version (2, 1, or 0) in parentheses.
    Example: ClientCert-Certificate-Version: 3 (0x2)
Data-Signature-Algorithm
    X.509 hashing and encryption method.
    Format: md5WithRSAEncryption, sha1WithRSAEncryption, or dsaWithSHA1 algorithm used to sign the certificate and algorithm parameters.
    Example: ClientCert-Signature-Algorithm: md5WithRSAEncryption
Fingerprint
    SHA1 hash of the certificate.
    Format: ASCII string of hexadecimal bytes separated by colons.
    Example: ClientCert-Fingerprint: 64:75:CE:AD:9B:71:AC:25:ED:FE:DB:C7:4B:D4:1:BA
Issuer
    X.509 certificate issuer's distinguished name.
    Format: String of characters representing the certificate authority that issued the certificate.
    Example: ClientCert-Issuer: CN=Example CA, ST=Virginia, C=US/Email=ca@exampleca.com, O=Root
Issuer-CN
    X.509 certificate issuer's common name.
    Format: String of characters representing the common name of the certificate issuer.
    Example: ClientCert-Issuer-CN: www.exampleca.com
Not-After
    Date after which the certificate is not valid.
    Format: Universal time string or generalized time string in the Not After date of the Validity field.
    Example: ClientCert-Not-After: Dec 12 22:45:13 2014 GMT
Not-Before
    Date before which the certificate is not valid.
    Format: Universal time string or generalized time string in the Not Before date of the Validity field.
    Example: ClientCert-Not-Before: Dec 12 22:45:13 2011 GMT
Public-Key-Algorithm
    Algorithm used for the public key.
    Format: rsaEncryption, rsa, or dsaEncryption public key algorithm used to create the public key in the certificate.
    Example: ClientCert-Public-Key-Algorithm: rsaEncryption
RSA-Modulus
    RSA algorithm modulus.
    Format: RSA algorithm modulus (n) printed in big-endian format hexadecimal, without leading 0x, and lowercase alphanumeric characters separated by a colon (:) character. Together with the exponent (e), this modulus forms the public key portion in the RSA certificate.
    Example: ClientCert-RSA-Modulus: +00:d8:1b:94:de:52:a1:20:51:b1:77
RSA-Exponent
    Public RSA exponent.
    Format: Printed as a whole integer for the RSA algorithm exponent (e).
    Example: ClientCert-RSA-Exponent: 65537
RSA-Modulus-Size
    Size of the RSA public key.
    Format: Number of bits as a whole integer of the RSA modulus (typically 512, 1024, or 2048) followed by the word bit.
    Example: ClientCert-RSA-Modulus-Size: 1024 bit
Serial-Number
    Certificate serial number.
    Format: Whole integer value assigned by the certificate authority; this can be any arbitrary integer value.
    Example: ClientCert-Serial-Number: 2
Signature
    Certificate signature.
    Format: Secure hash of the other fields in the certificate and a digital signature of the hash printed in big-endian format hexadecimal, without leading 0x, and lowercase alphanumeric characters separated by a colon (:) character.
    Example: ClientCert-Signature: 33:75:8e:a4:05:92:65
Signature-Algorithm
    Certificate signature algorithm.
    Format: md5WithRSAEncryption, sha1WithRSAEncryption, or dsaWithSHA1 for the secure hash algorithm.
    Example: ClientCert-Signature-Algorithm: md5WithRSAEncryption
Subject
    X.509 subject's distinguished name.
    Format: String of characters representing the subject that owns the private key being certified.
    Example: ClientCert-Subject: CN=Example, ST=Virginia, C=US/Email=ca@example.com, O=Root
Subject-CN
    X.509 subject's common name.
    Format: String of characters that represent the common name of the subject to whom the certificate has been issued.
    Example: ClientCert-Subject-CN: www.cisco.com
Subject-Key-Identifier
    X.509 subject key identifier.
    Format: ASCII string of hexadecimal bytes separated by colons for the X.509 version 3 subject key identifier.
    Example: ClientCert-Subject-Key-Identifier: 16:13:15:97:FD:8E:16:B9:D2:99
Table 1-7 lists the supported SSL server certificate fields. Depending on how the certificate was generated and what key algorithm was used, all of these fields may not be present for the certificate.
Table 1-7  SSL Session Information: Server Certificate Fields
ServerCert Field        Description
Authority-Key-Id
    X.509 authority key identifier.
    Format: ASCII string of hex bytes separated by colons for the X.509 version 3 Authority Key Identifier.
    Example: ServerCert-Authority-Key-Identifier: 16:13:15:97:FD:8E:16:B9:D2:99
Basic-Constraints
    X.509 basic constraints.
    Format: String listing whether the certificate subject can act as a certificate authority. Possible values are CA=TRUE or CA=FALSE.
    Example: ServerCert-Basic-Constraints: CA=TRUE
Certificate-Version
    X.509 certificate version.
    Format: Numerical X.509 version (3, 2, or 1), followed by the ASN.1 defined value for X.509 version (2, 1, or 0) in parentheses.
    Example: ServerCert-Certificate-Version: 3 (0x2)
Data-Signature-Alg
    X.509 hashing and encryption method.
    Format: md5WithRSAEncryption, sha1WithRSAEncryption, or dsaWithSHA1 algorithm used to sign the certificate and algorithm parameters.
    Example: ServerCert-Signature-Algorithm: md5WithRSAEncryption
Fingerprint
    SHA1 hash output of the certificate.
    Format: ASCII string of hexadecimal bytes separated by colons.
    Example: ServerCert-Fingerprint: 64:75:CE:AD:9B:71:AC:25:ED:FE:DB:C7:4B:D4:1A:BA
Issuer
    X.509 certificate issuer's distinguished name.
    Format: String of characters representing the certificate authority that issued this certificate.
    Example: ServerCert-Issuer: CN=Example CA, ST=Virginia, C=US/Email=ca@exampleca.com, O=Root
Issuer-CN
    X.509 certificate issuer's common name.
    Format: String of characters representing the common name of the certificate issuer.
    Example: ServerCert-Issuer-CN: www.exampleca.com
Not-After
    Date after which the certificate is not valid.
    Format: Universal time string or generalized time string in the Not After date of the Validity field.
    Example: ServerCert-Not-After: Dec 12 22:45:13 2014 GMT
Not-Before
    Date before which the certificate is not valid.
    Format: Universal time string or generalized time string in the Not Before date of the Validity field.
    Example: ServerCert-Not-Before: Dec 12 22:45:13 2011 GMT
Public-Key-Algorithm
    Algorithm used for the public key.
    Format: rsaEncryption, rsa, or dsaEncryption public key algorithm used to create the public key in the certificate.
    Example: ServerCert-Public-Key-Algorithm: rsaEncryption
RSA-Exponent
    Public RSA exponent.
    Format: Whole integer representing the RSA algorithm exponent (e).
    Example: ServerCert-RSA-Exponent: 65537
RSA-Modulus
    RSA algorithm modulus.
    Format: RSA algorithm modulus (n) printed in big-endian format hexadecimal, without leading 0x, and lowercase alphanumeric characters separated by a colon (:) character. Together with the exponent (e), this modulus forms the public key portion in the RSA certificate.
    Example: ServerCert-RSA-Modulus: +00:d8:1b:94:de:52:a1:20:51:b1:77
RSA-Modulus-Size
    Size of the RSA public key.
    Format: Number of bits as a whole integer of the RSA modulus (typically 512, 1024, or 2048), followed by the word bit.
    Example: ServerCert-RSA-Modulus-Size: 1024 bit
Serial-Number
    Certificate serial number.
    Format: Whole integer value assigned by the certificate authority; this can be any arbitrary integer value.
    Example: ServerCert-Serial-Number: 2
Signature
    Certificate signature.
    Format: Secure hash of the other fields in the certificate and a digital signature of the hash printed in big-endian format hexadecimal, without leading 0x, and lowercase alphanumeric characters separated by a colon (:) character.
    Example: ServerCert-Signature: 33:75:8e:a4:05:92:65
Signature-Algorithm
    Certificate signature algorithm.
    Format: md5WithRSAEncryption, sha1WithRSAEncryption, or dsaWithSHA1 for the secure hash algorithm.
    Example: ServerCert-Signature-Algorithm: md5WithRSAEncryption
Subject
    X.509 subject's distinguished name.
    Format: String of characters representing the subject that owns the private key being certified.
    Example: ServerCert-Subject: CN=Example, ST=Virginia, C=US/Email=ca@example.com, O=Root
Subject-CN
    X.509 subject's common name.
    Format: String of characters that represents the common name of the certificate subject.
    Example: ServerCert-Subject-CN: CN=Example, ST=Virginia, C=US/Email=ca@example.com, O=Root
Subject-Key-Id
    X.509 subject key identifier.
    Format: ASCII string of hexadecimal bytes separated by colons for the X.509 version 3 subject key identifier.
    Example: ServerCert-Subject-Key-Identifier: 16:13:15:97:FD:8E:16:B9:D2:99
Table 1-8 lists the supported SSL session fields.
Table 1-8  SSL Session Information: SSL Session Fields
Session Field        Description
Cipher-Key-Size
    Symmetric cipher key size.
    Format: Whole integer that specifies the length in bytes of the public key.
    Example: Session-Cipher-Key-Size: 32
Cipher-Name
    Symmetric cipher suite name.
    Format: OpenSSL version name of the cipher suite negotiated during the session.
    Example: Session-Cipher-Name: EXP1024-RC4-SHA
Cipher-Use-Size
    Symmetric cipher use size.
    Format: Whole integer that specifies the length in bytes of the key used for symmetric encryption during this session.
    Example: Session-Cipher-Use-Size: 7
Id
    SSL Session ID. The default is 0.
    Format: 32-byte session ID negotiated during this session if a session ID is or has been negotiated, printed in big-endian format; hexadecimal without leading 0x and lowercase alphanumeric characters separated by a colon (:).
    Example: Session-Id: 75:45:62:cf:ee:71:de:ad:be:ef:00:33:ee:23:89:25:75:45:62:cf:ee:71:de:ad:be:ef:00:33:ee:23:89:25
Protocol-Version
    Version of SSL or TLS.
    Format: String that indicates whether SSL or TLS protocol is used followed by a version number.
    Example: Session-Protocol-Version: TLSv1
Step-Up
    Use of SGC or StepUp cryptography.
    Format: String (yes/no) that indicates whether or not the ACE used Server Gated Cryptography (SGC) or StepUp cryptography to increase the level of security by using 128-bit encryption.
    Example: Session-Step-Up: YES
Verify-Result
    SSL session verify result.
    Format: String value that indicates the SSL session verify result. Possible values are as follows:
    • ok—The SSL session is established.
    • certificate is not yet valid—The client certificate is not yet valid.
    • certificate is expired—The client certificate has expired.
    • bad key size—The client certificate has a bad key size.
    • invalid not before field—The client certificate notBefore field is in an unrecognized format.
    • invalid not after field—The client certificate notAfter field is in an unrecognized format.
    • certificate has unknown issuer—The client certificate issuer is unknown.
    • certificate has bad signature—The client certificate contains a bad signature.
    • certificate has bad leaf signature—The client certificate contains a bad leaf signature.
    • unable to decode issuer public key—The ACE is unable to decode the issuer public key.
    • unsupported certificate—The client certificate is not supported.
    • certificate revoked—The client certificate has been revoked.
    • internal error—An internal error exists.
    Example: Session-Verify-Result: ok
Command Modes
  Action list modify configuration mode
  Admin and user contexts
Command History
  ACE Module/Appliance Release   Modification
  A4(1.0)                        This command was introduced.
Usage Guidelines When you instruct the ACE to insert SSL session information, by default the ACE inserts the HTTP
header information into the first HTTP request only that it receives over the client connection. When the
ACE and client need to renegotiate their connection, the ACE updates the HTTP header information that
it send to the server to reflect the new session parameters. You can also instruct the ACE to insert the
session information into every HTTP request that it receives over the connection by creating an HTTP
parameter map with either the header modify per-request or persistence-rebalance command enabled.
You then reference the parameter map in the policy map that the ACE applies to the traffic. For
information about creating an HTTP parameter map, see the Server Load-Balancing Guide, Cisco ACE
Application Control Engine.
To prevent HTTP header spoofing, the ACE deletes any incoming HTTP headers that match one of the
headers that it is going to insert into the HTTP request.
The maximum amount of data that the ACE can insert is 512 bytes. The ACE truncates the data if it
exceeds this limit.
Examples To insert the session Id field with the prefix SSL-, enter:
host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
host1/Admin(config-actlist-modify)# ssl header-insert session Id prefix SSL-
To insert the server certificate Issuer field, enter:
host1/Admin(config-actlist-modify)# ssl header-insert server-cert Issuer
To insert the client certificate Serial-Number field and rename it Client-Serial-Number, enter:
host1/Admin(config-actlist-modify)# ssl header-insert client-cert Serial-Number rename Client-Serial-Number
Related Commands show stats
(config) action-list type modify http
(config-actlist-modify) header insert
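The two rules in the usage guidelines that matter for security are the anti-spoofing deletion and the 512-byte cap. The following Python model is an added example, not ACE or Cisco code: it reproduces those rules for the three header-insert lines shown in the examples above. It assumes that the default header name is the field name (with the prefix prepended, or replaced entirely by rename) and that, when the 512-byte limit is reached, the header that no longer fits is truncated and any remaining headers are dropped; the request, session values and field names are constructed for the example.

```python
"""Added example, not ACE code: model of the 'ssl header-insert' anti-spoofing
and size rules.  Assumed: default header name = field name (prefixed, or
replaced by 'rename'); at the 512-byte limit the last header is truncated and
the rest are dropped.  All sample data is constructed."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_INSERT_BYTES = 512  # limit stated in the usage guidelines

Header = Tuple[str, str]


@dataclass
class HeaderInsert:
    """One 'ssl header-insert <section> <field> [prefix P | rename N]' line."""
    section: str       # "session", "server-cert" or "client-cert"
    field_name: str    # e.g. "Id", "Issuer", "Serial-Number"
    prefix: str = ""
    rename: str = ""

    def header_name(self) -> str:
        # 'rename' replaces the whole name; otherwise prefix + field (assumption)
        return self.rename or f"{self.prefix}{self.field_name}"


def apply_inserts(request_headers: List[Header],
                  ssl_info: Dict[str, Dict[str, str]],
                  inserts: List[HeaderInsert]) -> List[Header]:
    """Return the header list the proxy forwards to the real server."""
    to_insert: List[Header] = []
    for ins in inserts:
        value = ssl_info.get(ins.section, {}).get(ins.field_name)
        if value is not None:                 # e.g. no client cert presented
            to_insert.append((ins.header_name(), value))

    # Anti-spoofing: a client must not be able to pre-supply a header the
    # proxy is about to insert.  Header names compare case-insensitively.
    reserved = {name.lower() for name, _ in to_insert}
    kept = [(n, v) for n, v in request_headers if n.lower() not in reserved]

    # 512-byte budget over the inserted "Name: value\r\n" lines (ASCII assumed).
    budget = MAX_INSERT_BYTES
    inserted: List[Header] = []
    for name, value in to_insert:
        line_len = len(f"{name}: {value}\r\n".encode())
        if line_len <= budget:
            inserted.append((name, value))
            budget -= line_len
        elif budget > len(name) + 4:          # room for "Name: " and CRLF
            inserted.append((name, value[:budget - len(name) - 4]))
            break
        else:
            break
    return kept + inserted


# Constructed sample: the client tries to pre-set two of the headers itself.
SAMPLE_REQUEST: List[Header] = [
    ("Host", "www.example.com"),
    ("Client-Serial-Number", "00"),        # spoof attempt, must be dropped
    ("ssl-id", "deadbeef"),                # spoof attempt (different case)
    ("User-Agent", "curl/8.0"),
]
SAMPLE_SSL_INFO = {
    "session": {"Id": "a1b2c3d4e5f6", "Protocol-Version": "TLSv1"},
    "server-cert": {"Issuer": "CN=Example CA"},
    "client-cert": {"Serial-Number": "1F3A"},
}
# The three lines from the CLI examples above, as configuration objects.
SAMPLE_INSERTS = [
    HeaderInsert("session", "Id", prefix="SSL-"),
    HeaderInsert("server-cert", "Issuer"),
    HeaderInsert("client-cert", "Serial-Number", rename="Client-Serial-Number"),
]


def demo() -> List[Header]:
    return apply_inserts(SAMPLE_REQUEST, SAMPLE_SSL_INFO, SAMPLE_INSERTS)


if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}: {value}")
```

The point to take from the model is that the backend must never trust these headers unless the only path to it is through the proxy: the deletion protects against a client that talks to the ACE, not against one that can reach the server directly.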
(config-actlist-modify) ssl url rewrite location
To specify the SSL URL, SSL port, and clear port for rewrite, use the ssl url rewrite location command.
SSL URL rewrite changes the redirect URL from http:// to https:// in the Location response header from
the server before sending the response to the client. By doing so, it allows you to avoid nonsecure HTTP
redirects because all client connections to the web server will be SSL, thus ensuring the secure delivery
of HTTPS content back to the client. Use the no form of this command to remove the SSL rewrite
specification from the configuration.
ssl url rewrite location expression [clearport number] [sslport number]
no ssl url rewrite location expression [clearport number] [sslport number]
Syntax Description
location expression Specifies the rewriting of the URL in the Location response header based on a
URL regular expression match. If the URL in the Location header matches the
URL regular expression string that you specify, the ACE rewrites the URL from
http:// to https:// and rewrites the port number.
Enter an unquoted text string with no spaces and a maximum of
255 alphanumeric characters. You can enter a text string with spaces if you
enclose the entire string in quotation marks (“). The ACE supports the use of
regular expressions for matching data strings.
Note When matching data strings, the period (.) and question mark (?)
characters do not have a literal meaning in regular expressions. Use
brackets ([]) to match these symbols (for example, enter
www[.]xyz[.]com instead of www.xyz.com). You can also use a
backslash (\) to escape a dot (.) or a question mark (?).
clearport number (Optional) Specifies the clear (HTTP) port number in the Location header that the
ACE translates to the SSL port number before sending the server redirect response
to the client. Enter an integer from 1 to 65535. The default is 80.
sslport number (Optional) Specifies the SSL port number that replaces the clear port number in the
Location header before the ACE sends the server redirect response to the client.
Enter an integer from 1 to 65535. The default is 443.
Command Modes Action list modify configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines After you create an action list and configure an HTTP redirect URL for SSL, you must associate the
action list with a Layer 3 and Layer 4 policy map. For details, see the Server Load-Balancing Guide,
Cisco ACE Application Control Engine.
Examples To specify SSL URL rewrite using the default SSL port of 443 and clear port of 80, enter:
host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
host1/Admin(config-actlist-modify)# ssl url rewrite location www\.website\.com
In this case, the ACE rewrites all HTTP redirects to http://www.website.com/ as
https://www.website.com/ and forwards them to the client.
Related Commands (config) action-list type modify http
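The rewrite rule above has two details worth seeing in working code: the regular expression is a pattern, not a literal hostname, and the port translation applies only to the configured clear port. The following Python function is an added example, not ACE code. It assumes that only an http:// Location whose host and path match the expression is rewritten, that an explicit port equal to clearport (or no port, which means 80) becomes sslport and is written out unless it is 443, and that any other explicit port leaves the header untouched; the headers and URLs are constructed.

```python
"""Added example, not ACE code: Python model of 'ssl url rewrite location'.
Assumed: match the expression against host + path of an http:// Location;
translate only the configured clear port; omit ":443" in the result.
Sample headers and URLs are constructed."""

import re
from typing import Dict

_HTTP_URL = re.compile(r"^http://([^/:?#]+)(?::(\d+))?(.*)$", re.IGNORECASE)


def rewrite_location(location: str, expression: str,
                     clearport: int = 80, sslport: int = 443) -> str:
    """Return the rewritten Location value, or the original if no rule applies."""
    m = _HTTP_URL.match(location)
    if m is None:
        return location                       # https://, relative, or not a URL
    host, port, rest = m.group(1), m.group(2), m.group(3)
    # The configured expression is a regex, e.g. www\.website\.com; it is
    # searched in host + path, so an unescaped dot matches any character.
    if re.search(expression, host + rest) is None:
        return location
    if (int(port) if port else 80) != clearport:
        return location                       # not the clear port we translate
    port_part = "" if sslport == 443 else f":{sslport}"
    return f"https://{host}{port_part}{rest}"


def rewrite_response(headers: Dict[str, str], status: int, expression: str,
                     clearport: int = 80, sslport: int = 443) -> Dict[str, str]:
    """Apply the rule to a server response; only redirects carry a Location."""
    out = dict(headers)
    if 300 <= status < 400 and "Location" in out:
        out["Location"] = rewrite_location(out["Location"], expression,
                                           clearport, sslport)
    return out


# Constructed sample: the redirect a backend sends after a form post.
SAMPLE_RESPONSE = {"Location": "http://www.website.com/login", "Content-Length": "0"}


def demo() -> str:
    return rewrite_response(SAMPLE_RESPONSE, 302, r"www\.website\.com")["Location"]


if __name__ == "__main__":
    print(demo())
    # The footgun from the Note above: dots are wildcards unless escaped.
    print(rewrite_location("http://wwwXwebsiteXcom/x", r"www.website.com"))
    print(rewrite_location("http://wwwXwebsiteXcom/x", r"www[.]website[.]com"))
```

The last two calls in the usage section show why the Note about escaping matters: with `www.website.com` an attacker-controlled host such as `wwwXwebsiteXcom` is also rewritten, while `www[.]website[.]com` matches only the intended name.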
Action List Optimization Configuration Mode Commands
(ACE appliance only) The action list optimization mode allows you to configure a series of application
acceleration and optimization statements. An action list groups a series of individual application
acceleration and optimization functions that apply to a specific type of operation. After you enter this
command, the system enters the corresponding action list configuration mode.
To access the action list optimization mode, enter the action-list type optimization http command. The
CLI prompt changes to (config-actlist-optm). To remove an action list optimization selection, use the no
form of the command. For details about using the commands in the action list optimization mode, see
the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization
Configuration Guide.
action-list type optimization http list_name
no action-list type optimization http list_name
Syntax Description
list_name Name assigned to the action list. Enter a unique name as an unquoted
text string with no spaces and a maximum of 64 alphanumeric
characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
The action-list type command allows you to configure a series of statements. An action list groups a
series of individual functions that apply to a specific type of application acceleration and optimization
operation. After you enter this command, the system enters the corresponding action list configuration
mode.
After you configure the action list, you associate it with a specific statement in a Layer 7 HTTP
optimization policy map. The Layer 7 optimization HTTP policy map activates an optimization HTTP
action list that allows you to configure the specified optimization actions.
Examples To create an optimization HTTP action list, enter:
host1/Admin(config)# action-list type optimization http ACT_LIST1
host1/Admin(config-actlist-optm)#
To remove the action list from the configuration, enter:
host1/Admin(config)# no action-list type optimization http ACT_LIST1
Related Commands show action-list
show running-config
(config) parameter-map type
(config) policy-map
(config-actlist-optm) appscope
(ACE appliance only) To enable AppScope performance monitoring by the optional Cisco AVS 3180A
Management Station for use with the ACE, use the appscope command. Use the no form of this
command to disable the AppScope function from the action list.
appscope
no appscope
Syntax Description This command has no keywords or arguments.
Command Modes Action list optimization mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The statistical log contains an entry for each ACE optimization request to the server and is used for
statistical analysis by the optional Cisco AVS 3180A Management Station. The ACE collects the statistical
log and sends it to the Cisco AVS 3180A Management Station for loading into the database. For details
about the use of the Cisco AVS 3180A Management Station for database, management, and reporting
features for the ACE optimization functionality, including AppScope reporting, see the Cisco 4700
Series Application Control Engine Appliance Application Acceleration and Optimization Configuration
Guide.
To control the AppScope features that measure application acceleration and optimization performance,
use the appscope commands in parameter map optimization configuration mode. See the “Parameter
Map Optimization Configuration Mode Commands” section for details.
To specify the host (the syslog server on the Management Station) that receives the syslog messages sent
by the ACE, use the logging host configuration command. See the (config) logging host command. This
command allows you to identify the IP address of the Management Station that will be used as the syslog
server. You can also specify whether the ACE uses UDP or TCP to send messages to the syslog server.
Examples For example, enter:
host1/Admin(config)# action-list type optimization http ACT_LIST1
host1/Admin(config-actlist-optm)# appscope
To disable the AppScope function from the action list, enter:
host1/Admin(config-actlist-optm)# no appscope
Related Commands (config) logging host
(config-parammap-optmz) appscope optimize-rate-percent
(config-parammap-optmz) parameter-summary parameter-value-limit
(config-parammap-optmz) request-grouping-string
(config-actlist-optm) cache
(ACE appliance only) To enable cache optimization for the corresponding URLs, use the cache
command. Use the no form of this command to disable the cache function from the action list.
cache {dynamic | forward | forward-with-wait}
no cache {dynamic | forward | forward-with-wait}
Syntax Description
dynamic Enables Adaptive Dynamic Caching for the corresponding URLs, even if the
expiration settings in the response indicate that the content is dynamic. The
expiration of cache objects is controlled by the cache expiration settings based on the
time or server load (performance assurance).
forward Enables the cache forward feature for the corresponding URLs. This keyword allows
the ACE to serve the object from its cache (static or dynamic) even when the object
has expired if the maximum cache TTL time period has not yet expired (set using the
cache ttl command in parameter map optimization mode). At the same time, the ACE
sends an asynchronous request to the origin server to refresh its cache of the object.
forward-with-wait Enables the cache forward with wait feature for the corresponding URLs. If the
object has expired but the maximum cache TTL time period has not expired (set using
the cache ttl command in parameter map optimization mode), the ACE sends a
request to the origin server for the object. The rest of the users requesting this page
will still continue to receive the content from the cache during this time. When the
fresh object is returned, it is sent to the requesting user and the cache is also updated.
This keyword is similar to the forward keyword, except that a single user must wait
for the object to be updated before the request is satisfied. This keyword is useful in
situations where you are unable to specify the forward keyword because the
application requires a context for processing and an asynchronous update process is
not appropriate.
Command Modes Action list optimization mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You define the ACE cache object key, cache freshness, and cache request/response policy settings by
configuring the cache and cache-policy commands in parameter map optimization configuration mode.
See “Parameter Map Optimization Configuration Mode Commands” section for details.
The ACE restricts you from enabling Adaptive Dynamic Caching if you have previously specified either
the delta command (see “(config-actlist-optm) delta”) or the dynamic etag command (see
“(config-actlist-optm) dynamic etag”).
Examples For example, to enable the cache forward feature for the corresponding URLs, enter:
host1/Admin(config)# action-list type optimization http ACT_LIST1
host1/Admin(config-actlist-optm)# cache forward
To disable the cache function from the action list, enter:
host1/Admin(config-actlist-optm)# no cache forward
Related Commands (config-parammap-optmz) cache key-modifier
(config-parammap-optmz) cache parameter
(config-parammap-optmz) cache ttl
(config-parammap-optmz) cache-policy request
(config-parammap-optmz) cache-policy response
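The difference between the forward and forward-with-wait keywords is easiest to see as a timeline. The following deterministic Python model is an added example, not ACE code. It assumes that each cached object carries a freshness expiry and a hard maximum TTL (the bound set by cache ttl); between the two, forward serves the stale copy and queues an asynchronous origin refresh, while forward-with-wait makes the requesting client wait for the fresh copy. Past the maximum TTL both modes fetch synchronously. Origin content and timestamps are constructed.

```python
"""Added example, not ACE code: deterministic model of 'cache forward' versus
'cache forward-with-wait'.  Assumed semantics are described in the lead-in;
the origin server, URLs and clock values are constructed."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Entry:
    body: str
    expires_at: float      # freshness expiry taken from the response
    max_ttl_at: float      # hard bound from 'cache ttl'


class OptimizingCache:
    def __init__(self, origin: Callable[[str], str], max_ttl: float, fresh_for: float):
        self.origin = origin
        self.max_ttl = max_ttl
        self.fresh_for = fresh_for
        self.store: Dict[str, Entry] = {}
        self.pending: List[str] = []   # asynchronous refreshes not yet completed
        self.origin_hits = 0

    def _fetch(self, url: str, now: float) -> Entry:
        self.origin_hits += 1
        e = Entry(self.origin(url), now + self.fresh_for, now + self.max_ttl)
        self.store[url] = e
        return e

    def get(self, url: str, now: float, mode: str) -> Tuple[str, str]:
        """Return (body, how); how is 'miss', 'hit', 'stale' or 'refreshed'."""
        e = self.store.get(url)
        if e is None or now >= e.max_ttl_at:
            return self._fetch(url, now).body, "miss"      # synchronous in both modes
        if now < e.expires_at:
            return e.body, "hit"
        # Expired but still inside the maximum TTL: the two keywords differ here.
        if mode == "forward":
            if url not in self.pending:
                self.pending.append(url)                   # refresh runs later
            return e.body, "stale"
        if mode == "forward-with-wait":
            return self._fetch(url, now).body, "refreshed"  # this client waits
        raise ValueError(f"unknown mode {mode!r}")

    def run_pending(self, now: float) -> int:
        """Complete the queued asynchronous refreshes; returns how many ran."""
        urls, self.pending = self.pending, []
        for u in urls:
            self._fetch(u, now)
        return len(urls)


def scenario(mode: str) -> List[Tuple[str, str]]:
    """Replay one request sequence; the origin returns a new version per fetch."""
    version = {"n": 0}

    def origin(url: str) -> str:
        version["n"] += 1
        return f"{url}#v{version['n']}"

    c = OptimizingCache(origin, max_ttl=60, fresh_for=10)
    log = [
        c.get("/index", now=0, mode=mode),     # cold: miss, v1
        c.get("/index", now=5, mode=mode),     # fresh: hit, v1
        c.get("/index", now=20, mode=mode),    # expired, within max TTL
    ]
    c.run_pending(now=21)                      # only 'forward' has work here
    log.append(c.get("/index", now=22, mode=mode))   # after refresh: hit, v2
    log.append(c.get("/index", now=100, mode=mode))  # past max TTL: miss, v3
    return log


if __name__ == "__main__":
    for mode in ("forward", "forward-with-wait"):
        print(mode, scenario(mode))
```

At t=20 the forward mode hands back v1 and fetches in the background, whereas forward-with-wait returns v2 to that one requester; everyone else keeps getting the cached copy in both modes until the refresh lands.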
(config-actlist-optm) delta
(ACE appliance only) To enable delta optimization to condense corresponding URLs, use the delta
command. Use the no form of this command to disable delta optimization from the action list.
delta
no delta
Syntax Description This command has no keywords or arguments.
Command Modes Action list optimization mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The ACE restricts you from enabling delta optimization if you have previously specified either the cache
dynamic command (see “(config-actlist-optm) cache”) or the dynamic etag command (see
“(config-actlist-optm) dynamic etag”).
Examples For example, enter:
host1/Admin(config)# action-list type optimization http ACT_LIST1
host1/Admin(config-actlist-optm)# delta
To disable delta optimization from the action list, enter:
host1/Admin(config-actlist-optm)# no delta
Related Commands (config-parammap-optmz) delta
(config-actlist-optm) description
(ACE appliance only) To add a description about the action list, use the description command. Use the
no form of this command to remove the description from the action list.
description text_string
no description
Syntax Description
text_string Description for the action list. Enter an unquoted text string with a maximum of
240 alphanumeric characters.
Command Modes Action list optimization mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A3(2.3) This command was introduced.
Usage Guidelines After you create an action list and associate actions with it, you must associate the action list with a
Layer 7 policy map. For details, see the Server Load-Balancing Guide, Cisco ACE Application Control
Engine.
Examples To add a description for the action list, enter:
host1/Admin(config)# action-list type optimization http ACT_LIST1
host1/Admin(config-actlist-optm)# description action - delta
To remove the description from the action list, enter:
host1/Admin(config-actlist-optm)# no description
Related Commands show action-list
(config-actlist-optm) dynamic etag
(ACE appliance only) To enable just-in-time object acceleration for the corresponding URLs, use the
dynamic etag command. Use the no form of this command to disable just-in-time object acceleration
from the action list.
dynamic etag
no dynamic etag
Syntax Description This command has no keywords or arguments.
Command Modes Action list optimization mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The ACE restricts you from enabling just-in-time object acceleration if you have previously specified
either the cache dynamic command (see “(config-actlist-optm) cache”) or the delta command (see
“(config-actlist-optm) delta”).
Examples For example, enter:
host1/Admin(config)# action-list type optimization http ACT_LIST1
host1/Admin(config-actlist-optm)# dynamic etag
To disable just-in-time object acceleration from the action list, enter:
host1/Admin(config-actlist-optm)# no dynamic etag
Related Commands This command has no related commands.
(config-actlist-optm) flashforward
(ACE Appliance only) To enable FlashForward for the corresponding URLs and to transform embedded
objects, use the flashforward command. Use the no form of this command to disable FlashForward from
the action list.
flashforward
no flashforward
Syntax Description This command has no keywords or arguments.
Command Modes Action list optimization mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The flashforward and flashforward-object commands cannot be configured in the same optimization
action list; these two commands are mutually exclusive.
Examples For example, enter:
host1/Admin(config)# action-list type optimization http ACT_LIST1
host1/Admin(config-actlist-optm)# flashforward
To disable FlashForward from the action list, enter:
host1/Admin(config-actlist-optm)# no flashforward
Related Commands (config-actlist-optm) flashforward-object
(config-parammap-optmz) flashforward refresh-policy
(config-parammap-optmz) rebase
(config-actlist-optm) flashforward-object
(ACE appliance only) To enable FlashForward static caching for the corresponding URLs, use the
flashforward-object command. Use the no form of this command to disable FlashForward static
caching from the action list.
flashforward-object
no flashforward-object
Syntax Description This command has no keywords or arguments.
Command Modes Action list optimization mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The flashforward-object and flashforward commands cannot be configured in the same optimization
action list; these two commands are mutually exclusive.
Examples For example, enter:
host1/Admin(config)# action-list type optimization http ACT_LIST1
host1/Admin(config-actlist-optm)# flashforward-object
To disable FlashForward static caching from the action list, enter:
host1/Admin(config-actlist-optm)# no flashforward-object
Related Commands (config-actlist-optm) flashforward
(config-parammap-optmz) flashforward refresh-policy
(config-parammap-optmz) rebase
Authentication Group Configuration Mode Commands
Authentication group configuration mode commands allow you to configure client authentication on a
Secure Sockets Layer (SSL)-proxy service by assigning the authentication group to the service.
To create an authentication group and access authgroup configuration mode, use the crypto authgroup
command. The CLI prompt changes to (config-authgroup). Use the no form of this command to delete
an existing authentication group.
crypto authgroup group_name
no crypto authgroup group_name
Syntax Description
group_name Name that you assign to the certificate authentication group. Enter an unquoted
text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command requires the SSL feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
During a normal SSL handshake, the server sends its certificate to the client and the client
verifies the identity of the server through that certificate. The client, however, does not send any
identification of its own to the server. When the client authentication feature is enabled on the ACE, the
ACE requires the client to send a certificate, which the ACE verifies against the trusted signers in the
authentication group.
On the ACE, you implement the group of certificates that are trusted as certificate signers by creating
an authentication group.
Examples To create the authentication group AUTH-CERT1, enter:
host1/Admin(config)# crypto authgroup AUTH-CERT1
Related Commands (config) ssl-proxy service
(config-authgroup) cert
To add certificate files to the authentication group, use the cert command. You can configure an
authentication group with up to ten certificates. Use the no form of this command to remove a certificate
file from the authentication group.
cert cert_filename
no cert cert_filename
Syntax Description
cert_filename Name of an existing certificate file stored on the ACE. Enter an unquoted text string
with no spaces and a maximum of 40 alphanumeric characters. To display a list of
available certificate files, use the do show crypto files command.
Command Modes Authgroup configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
A2(3.0) The number of certificates in an authentication group increased from
4 to 10.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
A4(1.0) The number of certificates in an authentication group increased from
4 to 10.
Usage Guidelines It is not necessary to add the certificates in any type of hierarchical order because the device that verifies
the certificates determines the correct order.
Examples To add the certificate files MYCERTS.PEM and MYCERTS_2.PEM to the authentication group, enter:
host1/Admin(config-authgroup)# cert MYCERTS.PEM
host1/Admin(config-authgroup)# cert MYCERTS_2.PEM
To remove the certificate file MYCERTS_2.PEM from the authentication group, enter:
host1/Admin(config-authgroup)# no cert MYCERTS_2.PEM
Related Commands (config) crypto authgroup
Chaingroup Configuration Mode Commands
Chaingroup configuration mode commands allow you to add Secure Sockets Layer (SSL) certificate files
to a chain group.
To create a new chain group (or modify an existing chain group) and access chaingroup configuration
mode, use the crypto chaingroup command. The CLI prompt changes to (config-chaingroup). Use the
no form of the command to delete an existing chain group.
crypto chaingroup group_name
no crypto chaingroup group_name
Syntax Description
group_name Name that you assign to the chain group. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the SSL feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A chain group specifies the certificate chains that the ACE sends to its peer during the handshake
process. A certificate chain is a hierarchical list of certificates that includes the subject’s certificate, the
root CA certificate, and any intermediate CA certificates. You include a chain group in the handshake
process by configuring the SSL proxy-service with the chain group (see the (config) ssl-proxy service
command).
The ACE supports the following certificate chain group capabilities:
• A chain group can contain up to eight certificate chains.
• Each context on the ACE can contain up to eight chain groups.
• The maximum size of a chain group is 16 KB.
Examples To create the chain group MYCHAINGROUP, enter:
host1/Admin(config)# crypto chaingroup MYCHAINGROUP
Related Commands (config) ssl-proxy service
(config-chaingroup) cert
To add certificate files to a chain group, use the cert command. Use the no form of the command to
remove a certificate file from a chain group.
cert cert_filename
no cert cert_filename
Syntax Description
cert_filename Name of an existing certificate file stored on the ACE. Enter an unquoted text string
with no spaces and a maximum of 40 alphanumeric characters. To display a list of
available certificate files, use the do show crypto files command.
Command Modes Chaingroup configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines It is not necessary to add the certificates in any type of hierarchical order because the device verifying
the certificates determines the correct order.
The ACE supports the following certificate chain group capabilities:
• A chain group can contain up to eight certificate chains.
• Each context on the ACE can contain up to eight chain groups.
• The maximum size of a chain group is 16 KB.
Examples To add the certificate files MYCERTS.PEM, MYCERTS_2.PEM, and MYCERTS_3.PEM to the chain
group, enter:
host1/Admin(config-chaingroup)# cert MYCERTS.PEM
host1/Admin(config-chaingroup)# cert MYCERTS_2.PEM
host1/Admin(config-chaingroup)# cert MYCERTS_3.PEM
To remove the certificate file MYCERTS_2.PEM from the chain group, enter:
host1/Admin(config-chaingroup)# no cert MYCERTS_2.PEM
Related Commands (config) crypto chaingroup
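Both the crypto chaingroup and cert entries above state that the order in which certificate files are added does not matter because the verifying peer rebuilds the order itself. The following Python block is an added example, not ACE code, that shows the reordering a verifier performs and applies the two chain-group limits quoted above (eight chains per group, 16 KB per group). Certificates are modelled as subject/issuer pairs with a constructed PEM size; no real X.509 parsing is done, and all names and sizes are invented for the example.

```python
"""Added example, not ACE code: rebuild a certificate chain from files added
in any order, then check the chain-group limits stated on the page.
Certificates are (subject, issuer, size) stand-ins, not parsed X.509."""

from dataclasses import dataclass
from typing import Dict, List

MAX_CHAINS_PER_GROUP = 8          # "up to eight certificate chains"
MAX_GROUP_BYTES = 16 * 1024       # "maximum size of a chain group is 16 KB"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    size: int = 1200              # bytes of PEM on disk, constructed

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def order_chain(certs: List[Cert]) -> List[Cert]:
    """Return leaf -> intermediates -> root, whatever order the files came in.

    The leaf is the one certificate nobody in the set names as issuer; from
    there each hop follows issuer -> subject until a self-signed root.
    """
    by_subject: Dict[str, Cert] = {c.subject: c for c in certs}
    if len(by_subject) != len(certs):
        raise ValueError("duplicate subject in chain")
    issuers = {c.issuer for c in certs if not c.self_signed}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    chain: List[Cert] = []
    seen = set()
    cur = leaves[0]
    while True:
        if cur.subject in seen:
            raise ValueError("cycle in chain")
        seen.add(cur.subject)
        chain.append(cur)
        if cur.self_signed:
            return chain
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            raise ValueError(f"issuer {cur.issuer!r} of {cur.subject!r} missing")
        cur = nxt


def check_chaingroup_limits(chains: List[List[Cert]]) -> int:
    """Return total bytes; raise if the group exceeds the documented limits."""
    if len(chains) > MAX_CHAINS_PER_GROUP:
        raise ValueError(f"more than {MAX_CHAINS_PER_GROUP} chains in group")
    total = sum(c.size for chain in chains for c in chain)
    if total > MAX_GROUP_BYTES:
        raise ValueError(f"chain group is {total} bytes, limit {MAX_GROUP_BYTES}")
    return total


# Constructed sample: three files added with 'cert' in a non-hierarchical order.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 1400)
INTER = Cert("CN=Example Issuing CA", "CN=Example Root CA", 1300)
LEAF = Cert("CN=www.example.com", "CN=Example Issuing CA", 1500)
ADDED_OUT_OF_ORDER = [INTER, ROOT, LEAF]


def demo() -> List[str]:
    return [c.subject for c in order_chain(ADDED_OUT_OF_ORDER)]


if __name__ == "__main__":
    print(demo())
    print(check_chaingroup_limits([order_chain(ADDED_OUT_OF_ORDER)]), "bytes")
```

The ordering logic also explains the failure you see in practice when an intermediate is forgotten: with only the leaf and the root present the walk cannot reach the root, which is the same condition a browser reports as an incomplete chain.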
Class Map Configuration Mode Commands
Class-map configuration mode commands allow you to create and configure a Layer 3 and Layer 4 class
map to classify network traffic that passes through the ACE. To create a Layer 3 and Layer 4 class map
and access class map configuration mode, use the class-map command. The prompt changes to
(config-cmap). Use the no form of this command to remove a Layer 3 and Layer 4 class map from the
ACE.
class-map [match-all | match-any] map_name
no class-map [match-all | match-any] map_name
Syntax Description
match-all | match-any (Optional) Determines how the ACE evaluates Layer 3 and Layer 4 network traffic
when multiple match criteria exist in a class map. The class map is considered a
match if the match commands meet one of the following conditions:
• match-all—(Default) All of the match criteria listed in the class map must be
satisfied for the traffic to match the class map; typically used with match
commands of different types.
• match-any—At least one of the match criteria listed in the class map must be
satisfied for the traffic to match the class map; typically used with match
commands of the same type.
map_name Name assigned to the Layer 3 and Layer 4 class map. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The features required in your user role to execute a specific class map configuration command are
described in the “Usage Guidelines” section of that command. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE supports a system-wide maximum of 8192 class maps.
Examples To create a Layer 3 and Layer 4 class map named L4VIP_CLASS to identify the network traffic that can
pass through the ACE for server load balancing, enter:
host1/Admin(config)# class-map match-all L4VIP_CLASS
host1/Admin(config-cmap)#
Related Commands (config) policy-map
(config-cmap) description
To provide a brief summary about a Layer 3 and Layer 4 class map, use the description command. Use
the no form of this command to remove the Layer 3 and Layer 4 class map description from the class
map.
description text
no description
Syntax Description
text Description about a Layer 3 and Layer 4 class map. Enter a
description as an unquoted text string with a maximum of
240 alphanumeric characters.
Command Modes Class map configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user
roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To add a description that the class map is to filter network traffic based on the source IP address, enter:
host1/Admin(config)# class-map L4_SOURCE_IP_CLASS
host1/Admin(config-cmap)# description match on source IP address of incoming traffic
Related Commands This command has no related commands.
(config-cmap) match access-list
To configure the Layer 3 and Layer 4 class map to filter network traffic using a predefined access control
list, use the match access-list command. When a packet matches an entry in the access list, the ACE
treats the packet as matching the class map if that entry is a permit entry, and as not matching if it is a
deny entry. Use the no form of this command to clear the access control list match criteria from the class map.
[line_number] match access-list name
no [line_number] match access-list name
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 255 as the line
number.
• For the ACE appliance, enter an integer from 2 to 255 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not indicate a
priority for the match statements.
name Previously created access list identifier. Enter an unquoted text string
with a maximum of 64 alphanumeric characters.
Command Modes Class map configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role restrictions. For details about role-based access control (RBAC) and user
roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A single class map can have multiple match access-list commands. You can combine multiple match
access-list, match source-address, match destination-address, and match port commands in a class
map.
See the Security Guide, Cisco ACE Application Control Engine for details about creating access
control lists in the ACE.
Examples To specify that the class map is to match on the access control list INBOUND, enter:
host1/Admin(config)# class-map match-any L4_FILTERTRAFFIC_CLASS
host1/Admin(config-cmap)# match access-list INBOUND
Related Commands (config-cmap) description
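How the match-all and match-any keywords of class-map combine with the permit/deny semantics of match access-list is the part that decides which traffic a policy actually sees, so it is worth modelling. The following Python block is an added example, not ACE code. It assumes that an access list is evaluated top down with the first matching entry deciding, that no matching entry means the match line does not hit, that match-all needs every line to hit and match-any at least one, and that a match any line cannot be mixed with other match lines (the match any entry further below says the other criteria would be ignored, so this model rejects the combination outright). Addresses, access lists and packets are constructed.

```python
"""Added example, not ACE code: Python model of Layer 3/4 class-map evaluation
with match access-list, match source-address, match port and match any.
Assumptions are listed in the lead-in; all sample data is constructed."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class AclEntry:
    action: str             # "permit" or "deny"
    src: str                # CIDR
    dst: str                # CIDR
    dport: Optional[int] = None

    def hits(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def acl_match(entries: List[AclEntry], p: Packet) -> bool:
    """First matching entry decides: permit -> match, deny -> no match."""
    for e in entries:
        if e.hits(p):
            return e.action == "permit"
    return False                      # no entry matched: the line does not hit


Matcher = Callable[[Packet], bool]


def match_access_list(entries: List[AclEntry]) -> Matcher:
    return lambda p: acl_match(entries, p)


def match_source_address(cidr: str) -> Matcher:
    return lambda p: ip_address(p.src) in ip_network(cidr)


def match_port(port: int) -> Matcher:
    return lambda p: p.dport == port


def match_any() -> Matcher:
    return lambda p: True


class ClassMap:
    def __init__(self, name: str, mode: str = "match-all"):
        if mode not in ("match-all", "match-any"):
            raise ValueError(mode)
        self.name, self.mode = name, mode
        self.lines: List[Tuple[str, Matcher]] = []

    def add(self, kind: str, m: Matcher) -> "ClassMap":
        # 'match any' must be the only line in the class map.
        if self.lines and (kind == "any" or any(k == "any" for k, _ in self.lines)):
            raise ValueError("match any cannot be combined with other match lines")
        self.lines.append((kind, m))
        return self

    def matches(self, p: Packet) -> bool:
        if not self.lines:
            return False
        results = [m(p) for _, m in self.lines]
        return all(results) if self.mode == "match-all" else any(results)


# Constructed access list INBOUND: block the internal range, permit HTTPS to the VIP.
INBOUND = [
    AclEntry("deny", "10.0.0.0/8", "0.0.0.0/0"),
    AclEntry("permit", "0.0.0.0/0", "192.0.2.10/32", dport=443),
]


def build_maps() -> Tuple[ClassMap, ClassMap]:
    all_map = (ClassMap("L4_FILTERTRAFFIC_CLASS", "match-all")
               .add("access-list", match_access_list(INBOUND))
               .add("port", match_port(443)))
    any_map = (ClassMap("L4_SRC_OR_PORT_CLASS", "match-any")
               .add("source-address", match_source_address("10.0.0.0/8"))
               .add("port", match_port(443)))
    return all_map, any_map


if __name__ == "__main__":
    all_map, any_map = build_maps()
    for pkt in (Packet("10.1.1.1", "192.0.2.10", 443),
                Packet("198.51.100.7", "192.0.2.10", 443),
                Packet("198.51.100.7", "192.0.2.10", 80)):
        print(pkt, all_map.matches(pkt), any_map.matches(pkt))
```

Note the asymmetry the model makes visible: a deny entry in the access list does not drop the packet, it only keeps the packet out of this class map, so whether it is blocked depends on what the policy does with traffic that matches no class.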
(config-cmap) match any
To instruct the ACE to perform a match on any network traffic that passes through the device, use the match any command. Use the no form of this command to remove the match any criteria from the class map.
[line_number] match any
no [line_number] match any
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 255 as the line number.
• For the ACE appliance, enter an integer from 2 to 255 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
Command Modes Class map configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can include only one match any command within a class map, and you cannot combine the match any command with other types of match commands in a class map because the match criteria will be ignored.
Examples To specify that the class map is to match on any network traffic, enter:
host1/Admin(config)# class-map match-any L4_MATCHANYTRAFFIC_CLASS
host1/Admin(config-cmap)# match any
Related Commands (config-cmap) description
(config-cmap) match anyv6
To instruct the ACE to perform a match on any IPv6 network traffic that passes through the device, use the match anyv6 command. Use the no form of this command to remove the match anyv6 criteria from the class map.
[line_number] match anyv6
no [line_number] match anyv6
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 255 as the line number.
• For the ACE appliance, enter an integer from 2 to 255 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
Command Modes Class map configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can include only one match anyv6 command within a class map, and you cannot combine the match anyv6 command with other types of match commands in a class map because the match criteria will be ignored.
Examples To specify that the class map is to match on any IPv6 network traffic, enter:
host1/Admin(config)# class-map match-any L4_MATCHANYTRAFFIC_CLASS
host1/Admin(config-cmap)# match anyv6
Related Commands (config-cmap) description
(config-cmap) match destination-address
To specify the destination IP address and subnet mask as the network traffic matching criteria, use the match destination-address command. Use the no form of this command to clear the destination IP address and subnet mask match criteria from the class map.
[line_number] match destination-address ipv6_address [/prefix_length] | ip_address [mask]
no [line_number] match destination-address ipv6_address /prefix_length | ip_address [mask]
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 255 as the line number.
• For the ACE appliance, enter an integer from 2 to 255 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
ipv6_address IPv6 address of the destination.
/prefix_length (Optional) Specifies the length of the IPv6 prefix.
ip_address Destination IPv4 address. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
mask (Optional) Subnet mask entry in dotted-decimal notation (for example, 255.255.255.0).
Command Modes Class map configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A single class map can have multiple match destination-address commands. You can combine multiple match destination-address, match access-list, match source-address, and match port commands in a class map.
An entry of 0.0.0.0 0.0.0.0 indicates a wildcard match for any destination IPv4 address and subnet mask.
Examples
IPv6 Example
The following example specifies that the network traffic must match destination IPv6 address 2001:DB8:1::7/64:
host1/C1(config)# class-map match-any IP_CLASS
host1/C1(config-cmap)# match destination-address 2001:DB8:1::7/64
To remove the destination IPv6 address match criteria from the class map, enter:
host1/C1(config-cmap)# no match destination-address 2001:DB8:1::7/64
IPv4 Example
The following example specifies that the network traffic must match destination IP address 172.27.16.7:
host1/C1(config)# class-map match-any IP_CLASS
host1/C1(config-cmap)# match destination-address 172.27.16.7
To remove the destination IP address match criteria from the class map, enter:
host1/C1(config-cmap)# no match destination-address 172.27.16.7
Related Commands (config-cmap) description
(config-cmap) match port
To specify a TCP or UDP port number or port range as the IPv4 network traffic matching criteria, use the match port command. Use the no form of this command to clear the TCP or UDP port number match criteria from the class map.
[line_number] match port {tcp | udp} {any | eq {port_number} | range port1 port2}
no [line_number] match {port | port-v6} {tcp | udp} {any | eq {port_number} | range port1 port2}
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 255 as the line number.
• For the ACE appliance, enter an integer from 2 to 255 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
tcp | udp Specifies the protocol: TCP or UDP.
any Specifies that any TCP or UDP port number can match the specified value.
eq port_number Specifies that the TCP or UDP port number must match the specified value. Enter an integer from 0 to 65535. A value of 0 instructs the ACE to include all ports. Alternatively, you can enter the name of a well-known TCP or UDP port as follows:
• TCP port—Specify one of the following names or well-known port numbers:
– domain—Specifies the Domain Name Service (53)
– ftp—Specifies the File Transfer Protocol (21)
– ftp-data—Specifies the File Transfer Protocol Data (20)
– http—Specifies the Hypertext Transfer Protocol (80)
– https—Specifies the HTTP over SSL protocol (443)
– irc—Specifies the Internet Relay Chat protocol (194)
– matip-a—Specifies the Matip Type A protocol (350)
– nntp—Specifies the Network News Transport Protocol (119)
– pop2—Specifies the Post Office Protocol v2 (109)
– pop3—Specifies the Post Office Protocol v3 (110)
– rtsp—Specifies the Real Time Streaming Protocol (554)
– sip—Specifies the Session Initiation Protocol (5060)
– skinny—Specifies the Cisco Skinny Client Protocol (2000)
– smtp—Specifies the Simple Mail Transfer Protocol (25)
– sunrpc—Specifies the Sun Remote Procedure Call (111)
– telnet—Specifies the Telnet protocol (23)
– www—Specifies the World Wide Web (80)
– xot—Specifies X25 over TCP (1998)
• UDP port—Specify one of the following protocols:
– domain—Specifies the Domain Name Service (53)
– sip—Specifies the Session Initiation Protocol (5060)
– wsp—Specifies the Connectionless Wireless Session Protocol (9200)
– wsp-wtls—Specifies the Secure Connectionless WSP (9202)
– wsp-wtp—Specifies the Connection-based WSP (9201)
– wsp-wtp-wtls—Specifies the Secure Connection-based WSP (9203)
range port1 port2 Specifies a port range to use for the TCP or UDP port. Valid port ranges are from 0 to 65535. A value of 0 (for port1 and port2) instructs the ACE to match all ports.
Command Modes Class map configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A single class map can have multiple match port commands. You can combine multiple match port, match access-list, match source-address, and match destination-address commands in a class map.
Examples To specify a port to match, enter the following command:
switch/Admin(config)# class-map match-all TCP_ANY
switch/Admin(config-cmap)# match port tcp any
Related Commands (config-cmap) description
(config-cmap) match port-v6
To specify a TCP or UDP port number or port range as the IPv6 network traffic matching criteria, use the match port-v6 command. Use the no form of this command to clear the TCP or UDP port number match criteria from the class map.
[line_number] match port-v6 {tcp | udp} {any | eq {port_number} | range port1 port2}
no [line_number] match port-v6 {tcp | udp} {any | eq {port_number} | range port1 port2}
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 255 as the line number.
• For the ACE appliance, enter an integer from 2 to 255 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
tcp | udp Specifies the protocol: TCP or UDP.
any Specifies that any TCP or UDP port number can match the specified value.
eq port_number Specifies that the TCP or UDP port number must match the specified value. Enter an integer from 0 to 65535. A value of 0 instructs the ACE to include all ports. Alternatively, you can enter the name of a well-known TCP or UDP port as follows:
• TCP port—Specify one of the following names or well-known port numbers:
– domain—Specifies the Domain Name Service (53)
– ftp—Specifies the File Transfer Protocol (21)
– ftp-data—Specifies the File Transfer Protocol Data (20)
– http—Specifies the Hypertext Transfer Protocol (80)
– https—Specifies the HTTP over SSL protocol (443)
– irc—Specifies the Internet Relay Chat protocol (194)
– matip-a—Specifies the Matip Type A protocol (350)
– nntp—Specifies the Network News Transport Protocol (119)
– pop2—Specifies the Post Office Protocol v2 (109)
– pop3—Specifies the Post Office Protocol v3 (110)
– rtsp—Specifies the Real Time Streaming Protocol (554)
– sip—Specifies the Session Initiation Protocol (5060)
– skinny—Specifies the Cisco Skinny Client Protocol (2000)
– smtp—Specifies the Simple Mail Transfer Protocol (25)
– sunrpc—Specifies the Sun Remote Procedure Call (111)
– telnet—Specifies the Telnet protocol (23)
– www—Specifies the World Wide Web (80)
– xot—Specifies X25 over TCP (1998)
• UDP port—Specify one of the following protocols:
– domain—Specifies the Domain Name Service (53)
– sip—Specifies the Session Initiation Protocol (5060)
– wsp—Specifies the Connectionless Wireless Session Protocol (9200)
– wsp-wtls—Specifies the Secure Connectionless WSP (9202)
– wsp-wtp—Specifies the Connection-based WSP (9201)
– wsp-wtp-wtls—Specifies the Secure Connection-based WSP (9203)
range port1 port2 Specifies a port range to use for the TCP or UDP port. Valid port ranges are from 0 to 65535. A value of 0 (for port1 and port2) instructs the ACE to match all ports.
Command Modes Class map configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A single class map can have multiple match port-v6 commands. You can combine multiple match port-v6, match access-list, match source-address, and match destination-address commands in a class map.
Examples To specify that the class map is to match on TCP port number 23 (Telnet client), enter:
host1/Admin(config)# class-map L4_TCPPORT_CLASS
host1/Admin(config-cmap)# match port-v6 tcp eq 23
Related Commands (config-cmap) description
(config-cmap) match source-address
To specify a client source host IP address and subnet mask from which the ACE accepts traffic as the network traffic matching criteria, use the match source-address command. You configure the associated policy map to permit or restrict management traffic to the ACE from the specified source network or host. Use the no form of this command to clear the source IP address and subnet mask match criteria from the class map.
[line_number] match source-address ipv6_address [/prefix_length] | ip_address mask
no [line_number] match source-address ipv6_address [/prefix_length] | ip_address mask
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 255 as the line number.
• For the ACE appliance, enter an integer from 2 to 255 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
ipv6_address Source IPv6 address of the client.
/prefix_length (Optional) Specifies the length of the IPv6 prefix.
ip_address Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
mask Subnet mask of the client entry in dotted-decimal notation (for example, 255.255.255.0).
Command Modes Class map configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A single class map can have multiple match source-address commands. You can combine multiple match source-address, match access-list, match destination-address, and match port commands in a class map.
An entry of 0.0.0.0 0.0.0.0 indicates a wildcard match for any source IP address and subnet mask.
Examples To specify that the class map is to match on the source IP address 192.168.11.2 255.255.255.0, enter:
host1/Admin(config)# class-map type http loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-http-lb)# match source-address 192.168.11.2 255.255.255.0
Related Commands (config-cmap) description
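The Layer 3 and Layer 4 match criteria documented above (match any, match anyv6, match destination-address, match port, match port-v6 and match source-address) are combined by the class map's match-all (implicit AND) or match-any (implicit OR) keyword, with 0.0.0.0 0.0.0.0 and port 0 acting as wildcards and an IPv4 address without a mask matching one host. The following Python is an added example, not code from the ACE or from Cisco's documentation, that models those semantics as a small evaluator and enforces the two constraints the reference states for match any and match anyv6 (only one per class map, not combinable with other match types). The names Flow, ClassMap, parse_class_map and is_valid are this example's own, the class-map snippets and flows are constructed sample values, and match access-list is not modelled because access lists are documented elsewhere.

```python
"""Evaluate Cisco ACE Layer 3/4 class-map match criteria against a flow.

Added illustration only (not code from the ACE or its documentation). It
models what the reference states: match-all is an implicit AND and match-any
an implicit OR; 0.0.0.0 0.0.0.0 and port 0 are wildcards; an IPv4 address
without a mask matches that host; only one match any/anyv6 is allowed and it
cannot be combined with other match types. match access-list is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# Well-known port names from the "eq port_number" tables (TCP and UDP lists merged).
PORT_NAMES = {
    "domain": 53, "ftp": 21, "ftp-data": 20, "http": 80, "https": 443, "irc": 194,
    "matip-a": 350, "nntp": 119, "pop2": 109, "pop3": 110, "rtsp": 554, "sip": 5060,
    "skinny": 2000, "smtp": 25, "sunrpc": 111, "telnet": 23, "www": 80, "xot": 1998,
    "wsp": 9200, "wsp-wtls": 9202, "wsp-wtp": 9201, "wsp-wtp-wtls": 9203,
}

@dataclass
class Flow:
    src: str     # source address, IPv4 or IPv6 text form
    dst: str     # destination address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

def _network(tokens: List[str]):
    """'addr mask' (IPv4), 'addr' (IPv4 host) or 'v6addr/prefix' -> ip_network; 0.0.0.0 0.0.0.0 is /0."""
    spec = "/".join(tokens)            # 'a.b.c.d/m.m.m.m', 'a.b.c.d' (host) or 'v6/len'
    return ipaddress.ip_network(spec, strict=False)

def _port_pred(tokens: List[str]) -> Callable[[int], bool]:
    """'any' | 'eq port' | 'range p1 p2' -> predicate on a port number; 0 means all ports."""
    kind = tokens[0]
    if kind == "any":
        return lambda p: True
    if kind == "eq":
        want = int(PORT_NAMES.get(tokens[1], tokens[1]))   # accept a name or a number
        return (lambda p: True) if want == 0 else (lambda p: p == want)
    if kind == "range":
        lo, hi = int(tokens[1]), int(tokens[2])
        return (lambda p: True) if (lo, hi) == (0, 0) else (lambda p: lo <= p <= hi)
    raise ValueError(f"unknown port form: {' '.join(tokens)}")

def _criterion(mtype: str, args: List[str]) -> Callable[[Flow], bool]:
    """Build one match predicate from the tokens that follow 'match'."""
    if mtype == "any":
        return lambda f: True
    if mtype == "anyv6":
        return lambda f: ipaddress.ip_address(f.dst).version == 6
    if mtype in ("source-address", "destination-address"):
        net, attr = _network(args), ("src" if mtype == "source-address" else "dst")
        # ipaddress answers False (no exception) when the address family differs from the network
        return lambda f: ipaddress.ip_address(getattr(f, attr)) in net
    if mtype in ("port", "port-v6"):
        proto, pred = args[0], _port_pred(args[1:])
        return lambda f: f.proto == proto and pred(f.dport)
    raise ValueError(f"match {mtype} is not modelled in this example")

EXCLUSIVE = {"any", "anyv6"}   # may not share a class map with other match types

@dataclass
class ClassMap:
    name: str
    mode: str                                   # "match-all" (AND) or "match-any" (OR)
    criteria: List[Callable[[Flow], bool]]

    def matches(self, flow: Flow) -> bool:
        combine = all if self.mode == "match-all" else any
        return bool(self.criteria) and combine(c(flow) for c in self.criteria)

def parse_class_map(text: str) -> ClassMap:
    """Parse 'class-map match-all|match-any NAME' followed by '[line_number] match ...' lines."""
    rows = [ln.split() for ln in text.strip().splitlines() if ln.strip()]
    head = rows[0]
    if head[0] != "class-map" or head[-2] not in ("match-all", "match-any"):
        raise ValueError(f"bad class-map header: {' '.join(head)}")
    cm, kinds = ClassMap(head[-1], head[-2], []), []
    for toks in rows[1:]:
        if toks[0].isdigit():            # optional line_number: an edit handle, not a priority
            toks = toks[1:]
        if toks[0] != "match":
            raise ValueError(f"unexpected line: {' '.join(toks)}")
        kinds.append(toks[1])
        cm.criteria.append(_criterion(toks[1], toks[2:]))
    # Constraints the reference states for match any / match anyv6.
    if any(kinds.count(k) > 1 for k in EXCLUSIVE):
        raise ValueError("only one match any / match anyv6 per class map")
    if set(kinds) & EXCLUSIVE and len(set(kinds)) > 1:
        raise ValueError("match any / anyv6 cannot be combined with other match types")
    return cm

def is_valid(text: str) -> bool:
    """True when the snippet parses under the constraints above."""
    try:
        parse_class_map(text)
        return True
    except ValueError:
        return False

# Constructed configuration snippets (sample values, not taken from the reference).
WEB_FROM_BRANCH = parse_class_map("""
class-map match-all WEB_FROM_BRANCH
  10 match source-address 192.168.11.0 255.255.255.0
  20 match destination-address 172.27.16.7
  30 match port tcp eq http
""")
V6_SIGNALLING = parse_class_map("""
class-map match-any V6_SIGNALLING
  match destination-address 2001:DB8:1::7/64
  match port-v6 udp eq sip
""")
ANY_V4 = parse_class_map("""
class-map match-all ANY_V4
  match source-address 0.0.0.0 0.0.0.0
  match port tcp range 0 0
""")
```

WEB_FROM_BRANCH only matches a flow that satisfies all three lines, V6_SIGNALLING matches on either line, and ANY_V4 shows the two wildcard forms together; feeding is_valid a class map that pairs match any with match port returns False, which is the condition under which the ACE would silently ignore the extra criteria.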
(config-cmap) match virtual-address
To define a 3-tuple flow of the virtual IP (VIP) address, protocol, and port as matching criteria for server load balancing, use the match virtual-address command. You can configure multiple match criteria statements to define the VIPs for server load balancing. Use the no form of this command to remove the VIP match statement from the class map.
[line_number] match virtual-address vip_address {{/prefix_length | [netmask]} protocol_number | any | {tcp | udp {any | eq port_number | range port1 port2}}}
no [line_number] match virtual-address vip_address {{/prefix_length | [netmask]} protocol_number | any | {tcp | udp {any | eq port_number | range port1 port2}}}
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 255 as the line number.
• For the ACE appliance, enter an integer from 2 to 255 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
vip_address VIP server IP address of the ACE, specified in dotted-decimal format (for example, 192.168.1.2).
netmask (Optional) Subnet mask for the VIP address, specified in dotted-decimal format (for example, 255.255.255.0).
protocol_number (Optional) Number of an IP protocol. Enter an integer from 1 to 255 that represents the IP protocol number.
any Specifies the wildcard value that allows connections from any IP protocol.
tcp | udp Specifies the protocol: TCP or UDP.
any Specifies the wildcard value for the TCP or UDP port number. With any used in place of either the eq or range values, packets from any incoming port match.
eq port_number Specifies that the TCP or UDP port number must match the specified value. Enter an integer from 0 to 65535. A value of 0 instructs the ACE to include all ports. Alternatively, you can enter the name of a well-known TCP port or a well-known UDP port as follows:
• TCP port—Specify one of the following names or well-known port numbers:
– domain—Specifies the Domain Name Service (53)
– ftp—Specifies the File Transfer Protocol (21)
– ftp-data—Specifies the File Transfer Protocol Data (20)
– http—Specifies the Hypertext Transfer Protocol (80)
– https—Specifies the HTTP over SSL protocol (443)
– irc—Specifies the Internet Relay Chat protocol (194)
– matip-a—Specifies the Matip Type A protocol (350)
– nntp—Specifies the Network News Transport Protocol (119)
– pop2—Specifies the Post Office Protocol v2 (109)
– pop3—Specifies the Post Office Protocol v3 (110)
– rdp—Specifies the Remote Desktop Protocol (3389)
– rtsp—Specifies the Real-Time Streaming Protocol (554)
– sip—Specifies the Session Initiation Protocol (5060)
– skinny—Specifies the Skinny Client Control protocol (2000)
– smtp—Specifies the Simple Mail Transfer Protocol (25)
– telnet—Specifies the Telnet protocol (23)
– www—Specifies the World Wide Web (80)
– xot—Specifies X25 over TCP (1998)
• UDP port—Specify one of the following protocols:
– domain—Specifies the Domain Name Service (53)
– radius-acct—Specifies the Remote Authentication Dial-In User Service (accounting) (1813)
– radius-auth—Specifies the Remote Authentication Dial-In User Service (server) (1812)
– sip—Specifies the Session Initiation Protocol (5060)
– wsp—Specifies the Connectionless Wireless Session Protocol (9200)
– wsp-wtls—Specifies the Secure Connectionless WSP (9202)
– wsp-wtp—Specifies the Connection-based WSP (9201)
– wsp-wtp-wtls—Specifies the Secure Connection-based WSP (9203)
range port1 port2 Specifies a port range to use for the TCP or UDP port. Valid port ranges are from 0 to 65535. A value of 0 (for port1 and port2) instructs the ACE to match all ports.
Command Modes Class map configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
A3(2.2) The ACE no longer allows the configuration of a class-map VIP address that overlaps with an ACE interface IP address.
Usage Guidelines This command requires the VIP feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can specify multiple match virtual-address commands within a class map.
The match virtual-address command cannot be combined with other types of match commands.
For KAL-AP, the ACE verifies whether the VIP addresses are active in all Layer 3 class maps that are configured with the addresses. It ignores all other protocol-specific information for the VIP addresses.
The ACE does not allow you to configure a class-map VIP address that overlaps with an ACE interface IP address. If you do, the ACE displays the following warning:
Error: Entered VIP address is not the first address in the VIP range
See the Server Load-Balancing Guide, Cisco ACE Application Control Engine for details about configuring the ACE to perform server load balancing.
Examples To specify that the class map L4VIPCLASS matches traffic destined to VIP address 192.168.1.10 and TCP port number 80, enter:
host1/Admin(config)# class-map L4VIPCLASS
host1/Admin(config-cmap)# match virtual-address 192.168.1.10 tcp port eq 80
Related Commands (config-cmap) description
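Two of the rules above are easy to violate in a large configuration: match virtual-address may not share a class map with other match types, and a VIP may not overlap an ACE interface IP address. The following Python is an added example, not code from the ACE or from Cisco's documentation, that extracts the (VIP, protocol, port) 3-tuple from each match virtual-address line of a configuration snippet and reports both violations. The names Vip, parse_virtual_address, parse_vip_class_maps, interface_overlaps and vip_config_ok are this example's own; the snippet and the interface address list are constructed sample values. The parser also tolerates the extra port keyword that the reference's own example writes as tcp port eq 80.

```python
"""Audit the match virtual-address statements of Cisco ACE Layer 3/4 class maps.

Added illustration only (not code from the ACE or its documentation). It
extracts the 3-tuple (VIP, protocol, port) each statement defines and checks
two rules the reference states: match virtual-address is not combined with
other match types, and a VIP may not overlap an ACE interface IP address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Vip:
    network: ipaddress.IPv4Network   # vip_address with netmask or /prefix_length (host /32 if neither)
    protocol: str                    # "any", "tcp", "udp" or an IP protocol number as text
    ports: str                       # "any", "eq N", "range A B", or "-" when not TCP/UDP

def parse_virtual_address(args: List[str]) -> Vip:
    """Tokens after 'match virtual-address':
    vip [netmask | /prefix] (protocol_number | any | tcp|udp {any | eq p | range p1 p2})."""
    addr, rest = args[0], args[1:]
    if rest and rest[0].startswith("/"):            # /prefix_length given as its own token
        addr, rest = addr + rest[0], rest[1:]
    elif rest and "." in rest[0]:                   # dotted-decimal netmask form
        addr, rest = f"{addr}/{rest[0]}", rest[1:]
    net = ipaddress.ip_network(addr, strict=False)  # bare address becomes a /32 host entry
    proto = rest[0]
    if proto in ("tcp", "udp"):
        if rest[1:2] == ["port"]:                   # the reference's example writes 'tcp port eq 80'
            rest = rest[:1] + rest[2:]
        return Vip(net, proto, " ".join(rest[1:]))
    return Vip(net, proto, "-")                     # 'any' or a numeric IP protocol

def parse_vip_class_maps(text: str) -> Dict[str, List[Vip]]:
    """Collect the VIP 3-tuples of every class map in a snippet; raise when a class map
    mixes match virtual-address with another match type (not allowed per the reference)."""
    result, kinds, cur = {}, {}, None
    for raw in text.strip().splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "class-map":
            cur = toks[-1]
            result[cur], kinds[cur] = [], set()
            continue
        if toks[0].isdigit():                       # line_number: edit handle, not a priority
            toks = toks[1:]
        if toks[0] != "match":
            continue
        kinds[cur].add(toks[1])
        if toks[1] == "virtual-address":
            result[cur].append(parse_virtual_address(toks[2:]))
    for name, k in kinds.items():
        if "virtual-address" in k and len(k) > 1:
            others = sorted(k - {"virtual-address"})
            raise ValueError(f"{name}: match virtual-address cannot be combined with {others}")
    return result

def interface_overlaps(vips: Dict[str, List[Vip]], interface_ips: List[str]) -> List[str]:
    """VIPs that cover an ACE interface address; the ACE rejects these at configuration time."""
    findings = []
    for name, entries in vips.items():
        for v in entries:
            for ip in interface_ips:
                if ipaddress.ip_address(ip) in v.network:
                    findings.append(f"{name}: VIP {v.network} overlaps interface {ip}")
    return findings

def vip_config_ok(text: str) -> bool:
    """True when no class map in the snippet mixes match virtual-address with other match types."""
    try:
        parse_vip_class_maps(text)
        return True
    except ValueError:
        return False

# Constructed snippet and interface list (sample values, not from the reference).
VIP_CONFIG = """
class-map match-any L4VIPCLASS
  10 match virtual-address 192.168.1.10 tcp eq 80
  20 match virtual-address 192.168.1.10 tcp eq 443
  30 match virtual-address 192.168.1.0 255.255.255.0 udp range 5060 5061
class-map match-all L4DNSCLASS
  match virtual-address 192.168.1.53 udp eq domain
"""
INTERFACE_IPS = ["192.168.1.1", "10.0.0.1"]
VIPS = parse_vip_class_maps(VIP_CONFIG)
```

Running interface_overlaps(VIPS, INTERFACE_IPS) flags the /24 VIP range in L4VIPCLASS because it contains the interface address 192.168.1.1, while the host VIPs pass; a snippet that adds a match port line next to a match virtual-address line fails vip_config_ok.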
Class Map FTP Inspection Configuration Mode Commands
Class map File Transfer Protocol (FTP) inspection configuration mode commands allow you to create and configure a Layer 7 class map to be used for the inspection of FTP request commands. To create this class map and access class map FTP inspection configuration mode, use the class-map type ftp inspect command. The prompt changes to (config-cmap-ftp-insp). Use the no form of this command to remove the class map from the ACE.
class-map type ftp inspect match-any map_name
no class-map type ftp inspect match-any map_name
Syntax Description
match-any Determines how the ACE inspects FTP request commands when multiple match criteria exist in a class map. The FTP request commands being inspected must match only one of the match criteria listed in the class map.
map_name Name assigned to the Layer 7 FTP command request class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To create a Layer 7 class map named FTP_INSPECT_L7CLASS that performs FTP command inspection, enter:
host1/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
host1/Admin(config-cmap-ftp-insp)#
Related Commands (config) policy-map
(config-cmap-ftp-insp) description
To provide a brief summary about the Layer 7 File Transfer Protocol (FTP) command inspection class map, use the description command. Use the no form of this command to remove the description from the class map.
description text
no description text
Syntax Description
text Description about the class map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Class map FTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the class map is to perform FTP command inspection, enter:
host1/Admin(config-cmap-ftp-insp)# description FTP command inspection of incoming traffic
To remove a description from the FTP class map, enter:
host1/Admin(config-cmap-ftp-insp)# no description FTP command inspection of incoming traffic
Related Commands This command has no related commands.
(config-cmap-ftp-insp) match request-method
To define File Transfer Protocol (FTP) command inspection decisions by the ACE, use the match request-method command. The match command identifies the FTP commands that you want filtered by the ACE. Use the no form of this command to clear the FTP inspection request method from the class map.
[line_number] match request-method ftp_command
no [line_number] match request-method ftp_command
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
ftp_command FTP command in the class map to be subjected to FTP inspection by the ACE. The possible FTP commands are as follows:
• appe—Append to a file.
• cd—Change to the specified directory.
• cdup—Change to the parent of the current directory.
• dele—Delete a file at the server side.
• get—Retrieve a file.
• help—Help information from the server.
• mkd—Create a directory.
• put—Store a file.
• rmd—Remove a directory.
• rnfr—Rename from.
• rnto—Rename to.
• site—Specify the server-specific command.
• stou—Store a file with a unique name.
• syst—Get system information.
Command Modes Class map FTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You can specify multiple match request-method commands within a class map.
Examples To specify FTP_INSPECT_L7CLASS as the name of a class map and identify that at least one FTP inspection command in the class map must be satisfied for the ACE to indicate a match, enter:
(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
host1/Admin(config-cmap-ftp-insp)# match request-method cdup
host1/Admin(config-cmap-ftp-insp)# match request-method get
host1/Admin(config-cmap-ftp-insp)# match request-method stou
host1/Admin(config-cmap-ftp-insp)# match request-method put
Related Commands (config-cmap-ftp-insp) description
Class Map Generic Configuration Mode Commands
Generic TCP and UDP data parsing allows you to perform regular expression (regex) matches on packets from protocols that the ACE does not explicitly support. Such regex matches can be based on a custom protocol configuration. To accomplish this task, you create a Layer 7 class map for generic TCP or UDP data parsing and then instruct the ACE to perform a policy-map action based on the payload of a TCP stream or UDP packet.
To create a class map for generic TCP or UDP data parsing and access class map generic configuration mode, use the class-map type generic command in configuration mode. Use the no form of this command to remove a generic class map from the ACE.
class-map type generic {match-all | match-any} map_name
no class-map type generic {match-all | match-any} map_name
Syntax Description
match-all | match-any Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map.
• match-all—Network traffic needs to satisfy all of the match criteria (implicit AND) to match the class map.
• match-any—Network traffic needs to satisfy only one of the match criteria (implicit OR) to match the class map.
map_name Name assigned to the Layer 7 class map for generic TCP and UDP data parsing. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To create a class map named GENERIC_L7_CLASS, enter:
host1/Admin(config)# class-map type generic match-any GENERIC_L7_CLASS
host1/Admin(config-cmap-generic)#
To remove the class map from the configuration, enter:
host1/Admin(config)# no class-map type generic match-any GENERIC_L7_CLASS
Related Commands (config) class-map
(config-cmap-generic) description
To provide a brief description of the Layer 7 class map for generic TCP and UDP data parsing, use the description command. Use the no form of this command to remove the description from the class map.
description text
no description
Syntax Description
text Description of the class map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Class map generic configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the generic class map, enter:
host1/Admin(config-cmap-generic)# description GENERIC TCP UDP CLASS MAP
To remove a description from a generic class map, enter:
host1/Admin(config-cmap-generic)# no description
Related Commands This command has no related commands.
(config-cmap-generic) match class-map
To identify one Layer 7 generic class map as a matching criterion for another Layer 7 generic class map,
use the match class-map command. Use the no form of this command to remove the nested class map
from the generic class map.
[line_number] match class-map name
no [line_number] match class-map name
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not indicate
any priority for the match statements.
name Name of an existing Layer 7 generic class map.
Command Modes Class map generic configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The match class-map command allows you to combine the use of the match-any and match-all
keywords in the same class map. To combine match-all and match-any characteristics in a class map,
create a class map that uses one match type (either match-any or match-all) and then use this class
map as a match statement in a second class map that uses the other match type.
The ACE restricts the nesting of class maps to two levels: a class map that already contains a nested
class map cannot itself be nested under another class map. The nesting of class maps allows you to
build complex logical expressions for Layer 7 server load balancing.
Examples To combine the characteristics of two class maps, one with match-any and one with match-all
characteristics, into a single class map, enter:
host1/Admin(config)# class-map type generic match-all GENERIC_CLASS3
host1/Admin(config-cmap-generic)# 100 match layer4-payload offset 500 regex abc123.*
host1/Admin(config-cmap-generic)# exit
host1/Admin(config)# class-map type generic match-any GENERIC_CLASS4
host1/Admin(config-cmap-generic)# 10 match class-map GENERIC_CLASS3
host1/Admin(config-cmap-generic)# 20 match source-address 192.168.11.2
host1/Admin(config-cmap-generic)# 30 match source-address 192.168.11.3
host1/Admin(config-cmap-generic)# exit
Related Commands (config-cmap-generic) description
(config-cmap-generic) match layer4-payload
To define match criteria for Layer 4 payloads, use the match layer4-payload command in class map
generic configuration mode. Use the no form of this command to remove the Layer 4 payload match
criteria from the class map.
[line_number] match layer4-payload [offset number] regex expression
no [line_number] match layer4-payload [offset number] regex expression
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not indicate
any priority for the match statements.
offset number (Optional) Specifies an absolute offset in the data where the Layer 4
payload expression search string starts. The offset starts at the first
byte of the TCP or UDP body. Enter an integer from 0 to 999. The
default is 0.
regex expression Specifies the Layer 4 payload expression that is contained within the
TCP or UDP entity body. The range is from 1 to 255 alphanumeric
characters. For a list of the supported characters that you can use in
regular expression strings, see Table 1-9.
Command Modes Class map generic configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
A2(2.1) This command supports the “\xST” metacharacter.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You cannot configure more than one match layer4-payload command in the same match-all class map.
Generic data parsing begins at Layer 4 with the TCP or UDP payload, which allows you the flexibility
to match Layer 5 data (in the case of LDAP or DNS) or any Layer 7 header or payload (for example,
HTTP).
Table 1-9 Characters Supported in Regular Expressions
Convention Description
.* Zero or more characters.
. Exactly one character.
\. Escaped character.
\xhh Any ASCII character as specified in two-digit hex notation.
() Expression grouping.
[range] Bracketed range (for example, [0-9]). Matches any single character from the range.
[^charset] A leading ^ in a range. Does not match any character in the range; all other characters
represent themselves.
(expr1 | expr2) OR of expressions.
(expr)* Zero or more of the expression.
(expr)+ One or more of the expression.
(expr){m,n} Matches the previous item between m and n times; valid entries are from 1 to 255.
(expr){m} Matches the previous item exactly m times; valid entries are from 1 to 255.
(expr){m,} Matches the previous item m or more times; valid entries are from 1 to 255.
\a Alert (ASCII 7).
\b Backspace (ASCII 8).
\f Form-feed (ASCII 12).
\n New line (ASCII 10).
\r Carriage return (ASCII 13).
\t Tab (ASCII 9).
\v Vertical tab (ASCII 11).
\0 Null (ASCII 0).
\\ Backslash.
\xST (ACE module only) Stop metacharacter.
Examples To configure match criteria for generic Layer 4 data parsing, enter:
host1/Admin(config)# class-map type generic match-any GENERIC_L4_CLASS
host1/Admin(config-cmap-generic)# 10 match layer4-payload offset 500 regex abc123.*
To remove the match statement from the class map, enter:
host1/Admin(config-cmap-generic)# no 10
Related Commands (config-cmap-generic) description
(config-cmap-generic) match source-address
To configure the generic class map to filter traffic based on a client source IP address, use the match
source-address command. Use the no form of this command to remove the source IP address match
statement from the class map.
[line_number] match source-address ip_address [netmask]
no [line_number] match source-address ip_address [netmask]
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not indicate
any priority for the match statements.
ip_address Source IP address of the client. Enter the IP address in
dotted-decimal notation (for example, 192.168.11.2).
netmask (Optional) Subnet mask of the IP address. Enter the netmask in
dotted-decimal notation (for example, 255.255.255.0). The default is
255.255.255.255, which matches the single host address.
Command Modes Class map generic configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You cannot configure more than one match source-address command in the same match-all class map.
Examples To specify that the class map match on source addresses in 192.168.11.2 with netmask 255.255.255.0
(that is, any client in the 192.168.11.0/24 subnet), enter:
host1/Admin(config)# class-map type generic match-any GENERIC_L7_CLASS
host1/Admin(config-cmap-generic)# 50 match source-address 192.168.11.2 255.255.255.0
To remove the source IP address match statement from the class map, enter:
host1/Admin(config-cmap-generic)# no 50
Related Commands (config-cmap-generic) description
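The following Python model is an added example, not Cisco code, that ties together the three generic match commands above (match class-map, match layer4-payload and match source-address) so that the match-all/match-any logic, the nesting limit and the "only one ... in a match-all class map" restrictions can be exercised offline. It assumes that ACE expressions are implicitly anchored (the expression must cover the whole searched text, which is why the reference's own examples carry a trailing .*), that Python's re module is an acceptable stand-in for the Table 1-9 dialect over the subset the two share, and that the offset is a 0-based index from the first byte of the TCP or UDP body. The class map names and addresses come from the match class-map example; the payloads are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

MAX_OFFSET = 999          # match layer4-payload offset range: 0 to 999
MAX_NESTING_LEVELS = 2    # a class map may nest one class map, but not one that itself nests


@dataclass
class MatchLayer4Payload:
    """match layer4-payload [offset number] regex expression"""
    regex: str
    offset: int = 0

    def __post_init__(self) -> None:
        if not 0 <= self.offset <= MAX_OFFSET:
            raise ValueError("offset must be between 0 and 999")
        if not 1 <= len(self.regex) <= 255:
            raise ValueError("regex must be 1 to 255 characters")

    def matches(self, src_ip: str, payload: bytes) -> bool:
        # The expression is applied from the absolute offset into the TCP/UDP body
        # (assumed anchored there); a payload shorter than the offset leaves nothing to match.
        window = payload[self.offset:]
        return re.fullmatch(self.regex.encode(), window, re.DOTALL) is not None


@dataclass
class MatchSourceAddress:
    """match source-address ip_address [netmask]  (default netmask 255.255.255.255)"""
    ip: str
    netmask: str = "255.255.255.255"

    def matches(self, src_ip: str, payload: bytes) -> bool:
        net = ipaddress.ip_network(f"{self.ip}/{self.netmask}", strict=False)
        return ipaddress.ip_address(src_ip) in net


@dataclass
class GenericClassMap:
    """class-map type generic {match-all | match-any} map_name"""
    name: str
    mode: str                      # "match-all" (AND) or "match-any" (OR)
    criteria: list = field(default_factory=list)

    def validate(self, depth: int = 1) -> None:
        """Enforce the restrictions stated in the command reference."""
        if self.mode not in ("match-all", "match-any"):
            raise ValueError(f"{self.name}: mode must be match-all or match-any")
        if self.mode == "match-all":
            for kind in (MatchLayer4Payload, MatchSourceAddress):
                if sum(isinstance(c, kind) for c in self.criteria) > 1:
                    raise ValueError(f"{self.name}: only one {kind.__name__} in a match-all class map")
        for c in self.criteria:
            if isinstance(c, GenericClassMap):
                if depth + 1 > MAX_NESTING_LEVELS:
                    raise ValueError(f"{self.name}: class maps nest at most two levels")
                c.validate(depth + 1)

    def matches(self, src_ip: str, payload: bytes) -> bool:
        results = (c.matches(src_ip, payload) for c in self.criteria)
        return all(results) if self.mode == "match-all" else any(results)


def is_rejected(cmap: GenericClassMap) -> bool:
    """True when validate() refuses the class map."""
    try:
        cmap.validate()
    except ValueError:
        return True
    return False


def build_documented_example() -> GenericClassMap:
    """GENERIC_CLASS3 nested in GENERIC_CLASS4, as in the match class-map example."""
    class3 = GenericClassMap("GENERIC_CLASS3", "match-all",
                             [MatchLayer4Payload(regex="abc123.*", offset=500)])
    class4 = GenericClassMap("GENERIC_CLASS4", "match-any",
                             [class3, MatchSourceAddress("192.168.11.2"), MatchSourceAddress("192.168.11.3")])
    class4.validate()
    return class4


# Constructed sample payloads (not captured traffic).
PAYLOAD_HIT = b"x" * 500 + b"abc123 trailing bytes"   # signature exactly at offset 500
PAYLOAD_MISS = b"x" * 10 + b"abc123"                  # signature present, but not at offset 500

if __name__ == "__main__":
    cmap = build_documented_example()
    print(cmap.matches("10.0.0.1", PAYLOAD_HIT))       # True, via nested GENERIC_CLASS3
    print(cmap.matches("10.0.0.1", PAYLOAD_MISS))      # False
    print(cmap.matches("192.168.11.3", PAYLOAD_MISS))  # True, via source address
```

The offset check is the practical point: a payload that carries the signature anywhere but at the configured offset does not match, so an offset-based class map is only as good as the knowledge of where the protocol puts the field. The validate() method refuses the combinations the reference rules out (two match layer4-payload or two match source-address statements in a match-all class map, and a third nesting level) before the class map is evaluated.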
Class Map HTTP Inspection Configuration Mode Commands
Class map HTTP inspection configuration mode commands allow you to create a Layer 7 HTTP deep
packet inspection class map. To create this class map and access class map HTTP inspection
configuration mode, use the class-map type http inspect command. The prompt changes to
(config-cmap-http-insp). Use the no form of this command to remove an HTTP deep packet inspection
class map from the ACE.
class-map type http inspect [match-all | match-any] map_name
no class-map type http inspect [match-all | match-any] map_name
Syntax Description
match-all | match-any (Optional) Determines how the ACE performs the deep packet
inspection of HTTP traffic when multiple match criteria exist in a
class map. The class map is considered a match if the match
commands meet one of the following conditions:
• match-all—(Default) Specifies that network traffic needs to
satisfy all of the match criteria (implicit AND) to match the
Layer 7 HTTP deep packet inspection class map. The match-all
keyword is applicable only for match statements of different
HTTP deep packet inspection types. For example, specifying a
match-all condition for URL, HTTP header, and URL content
statements in the same class map is valid. However, specifying a
match-all condition for multiple HTTP headers with the same
names or multiple URLs in the same class map is invalid.
• match-any—Network traffic needs to satisfy only one of the
match criteria (implicit OR) to match the Layer 7 HTTP deep
packet inspection class map. The match-any keyword is
applicable for match statements of different Layer 7 HTTP deep
packet inspection types or multiple instances of the same type
with different names. For example, the ACE allows you to
specify a match-any condition for cookie, HTTP header, and
URL content statements in the same class map, but it does not
allow you to specify a match-any condition for URL length,
HTTP header length, and content length statements in the same
class map.
map_name Name assigned to the Layer 7 HTTP deep packet inspection class
map. Enter an unquoted text string with no spaces and a maximum of
64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the inspect feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
Examples To create a Layer 7 class map named HTTP_INSPECT_L7CLASS that performs HTTP deep packet
inspection, enter:
host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)#
Related Commands (config) policy-map
(config-cmap-http-insp) description
To provide a brief summary about the Layer 7 HTTP inspection class map, use the description
command. Use the no form of this command to remove the description from the class map.
description text
no description
Syntax Description
text Description about the class map. Enter an unquoted text string with a
maximum of 240 alphanumeric characters.
Command Modes Class map HTTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the class map is to perform HTTP deep packet inspection, enter:
host1/Admin(config-cmap-http-insp)# description HTTP protocol deep inspection of incoming traffic
Related Commands This command has no related commands.
(config-cmap-http-insp) match content
To define HTTP application inspection decisions based on content expressions contained within the
HTTP entity body, use the match content command. Use the no form of this command to clear content
expression checking match criteria from the class map.
[line_number] match content expression [offset number]
no [line_number] match content expression [offset number]
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not indicate a
priority for the match statements.
expression Content expression contained within the HTTP entity body.
• For the ACE module, enter a range of 1 to 1024 alphanumeric
characters.
• For the ACE appliance, enter a range of 2 to 1024 alphanumeric
characters.
For a list of the supported characters that you can use in regular
expressions, see Table 1-9.
offset number (Optional) Provides an absolute offset where the content expression
search string starts. The offset starts at the first byte of the message
body, after the empty line (CR, LF, CR, LF) between the headers and
the body of the message. The offset value is from 1 to 4000 bytes.
Command Modes Class map HTTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To specify a content expression contained within the entity body sent with an HTTP request, enter:
host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match content .*newp2psig
Related Commands (config-cmap-http-insp) description
(config-cmap-http-insp) match content length
To configure the class map to define application inspection decisions on HTTP traffic up to the
configured maximum content parse length, use the match content length command. Messages that meet
the specified criteria will be either allowed or denied based on the Layer 7 HTTP deep packet inspection
policy map action. Use the no form of this command to clear the HTTP content length match criteria
from the class map.
[line_number] match content length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2}
no [line_number] match content length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2}
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not indicate a
priority for the match statements.
eq bytes Specifies a value for the content parse length in an HTTP message
received by the ACE. Based on the policy map action, the ACE allows
or denies messages with a content length size equal to the specified
value. Valid entries are from 1 to 65535 bytes.
gt bytes Specifies a minimum value for the content parse length in an HTTP
message received by the ACE. Based on the policy map action, the
ACE allows or denies messages with a content length size greater
than the specified value. Valid entries are from 1 to 65535 bytes.
lt bytes Specifies a maximum value for the content parse length in an HTTP
message received by the ACE. Based on the policy map action, the
ACE allows or denies messages with a content length size less than
the specified value. Valid entries are from 1 to 65535 bytes.
range bytes1 bytes2 Specifies a size range for the content parse length in an HTTP
message received by the ACE. Based on the policy map action, the
ACE allows or denies messages with a content length size within this
range. The range is from 1 to 65535 bytes.
Command Modes Class map HTTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To identify content parse length in an HTTP message that can be received by the ACE, enter:
host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match content length eq 3495
Related Commands (config-cmap-http-insp) description
(config-cmap-http-insp) match cookie secondary
To configure a class map to define HTTP inspection decisions based on the name or prefix and value of
a secondary cookie (a name-value pair in the URL query string), use the match cookie secondary
command. Use the no form of this command to clear secondary cookie match criteria from the class map.
[line_number] match cookie secondary [name cookie_name | prefix prefix_name] value expression
no [line_number] match cookie secondary [name cookie_name | prefix prefix_name] value expression
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not indicate a
priority for the match statements.
name cookie_name Identifier of the secondary cookie to match. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
prefix prefix_name Prefix of the secondary cookie to match. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
value expression Regular expression of the secondary cookie to match. Enter an
unquoted text string with no spaces and a maximum of 255
alphanumeric characters.
Command Modes Class map HTTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The following configuration guidelines apply when you configure a secondary cookie match statement
for HTTP inspection:
• Ensure that secondary cookie names do not overlap with other secondary cookie names in the same
match-all class map. For example, the following two match statements are not allowed together
because the prefix id overlaps the cookie name identity:
host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match cookie secondary prefix id value .*
host1/Admin(config-cmap-http-insp)# match cookie secondary name identity value bob
• When you configure a secondary cookie value match across all secondary cookie names in a
match-all class map, you cannot configure any other secondary cookie match in the same class map,
because a secondary cookie match on value alone is equivalent to a wildcard match on name.
In the following example, the second match statement is not allowed:
host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match cookie secondary value bob
host1/Admin(config-cmap-http-insp)# match cookie secondary name identity value jane
Examples To match a secondary cookie called “matchme” with a regular expression value of .*abc123, enter the
following commands:
host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match cookie secondary name matchme value .*abc123
Related Commands (config-pmap-ins-http) match cookie secondary
(config-cmap-http-insp) match header
To configure the class map to define application inspection decisions based on the name and value in an
HTTP header, use the match header command. The ACE performs regular expression matching against
the received packet data from a particular connection based on the HTTP header expression. Use the no
form of this command to clear an HTTP header match criteria from the class map.
[line_number] match header {header_name | header_field} header-value expression
no [line_number] match header {header_name | header_field} header-value expression
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not indicate a
priority for the match statements.
header_name Name of the HTTP header to match (for example, Host). The range is
from 1 to 64 alphanumeric characters.
Note The header_name argument cannot include the colon in the
name of the HTTP header; the ACE rejects the colon as an
invalid token.
header_field Standard HTTP/1.1 header field. Valid selections include
request-header fields, general-header fields, and entity-header fields.
Selections also include two lower-level header-matching commands:
“length” and “mime-type.” The supported selections are as follows:
• Accept—Semicolon-separated list of representation schemes
(content type metainformation values) that will be accepted in
the response to the request.
• Accept-Charset—Character sets that are acceptable for the
response. This field allows clients capable of understanding
more comprehensive or special-purpose character sets to signal
that capability to a server that can represent documents in those
character sets.
• Accept-Encoding—Restricts the content encoding that a user
will accept from the server.
• Accept-Language—ISO code for the language in which the
document is written. The language code is an ISO 639 language
code with an optional ISO 3166 country code to specify a national
variant.
• Authorization—Specifies that the user agent wants to
authenticate itself with a server, usually after receiving a 401
response.
• Cache-Control—Directives that must be obeyed by all caching
mechanisms along the request/response chain. The directives
specify behavior intended to prevent caches from adversely
interfering with the request or response.
• Connection—Allows the sender to specify connection options.
• Content-MD5—MD5 digest of the entity body that provides an
end-to-end integrity check. Only a client or an origin server can
generate this header field.
• Expect—Used by a client to inform the server about the
behaviors that the client requires.
• From—Contains the e-mail address of the person that controls
the requesting user agent.
• Host—Internet host and port number of the resource being
requested, as obtained from the original URL given by the user
or referring resource. The Host field value must represent the
naming authority of the origin server or gateway given by the
original URL.
• If-Match—Used with a method to make it conditional. A client
that has one or more entities previously obtained from the
resource can verify that one of those entities is current by
including a list of their associated entity tags in the If-Match
header field. This feature allows efficient updates of cached
information with a minimum amount of transaction overhead. It
is also used on updating requests to prevent inadvertent
modification of the wrong version of a resource. As a special
case, the value “*” matches any current entity of the resource.
• length—See the (config-cmap-http-insp) match header length
command.
• mime-type—See the (config-cmap-http-insp) match header
mime-type command.
• Pragma—Pragma directives that are understood by servers to
whom the directives are relevant. The syntax is the same as for
other multiple-value fields in HTTP. For example, the accept
field is a comma-separated list of entries for which the optional
parameters are separated by semicolons.
• Referer—Address (URI) of the resource from which the URI in
the request was obtained.
• Transfer-Encoding—Indicates what (if any) type of
transformation has been applied to the message body in order to
safely transfer it between the sender and the recipient.
• User-Agent—Information about the user agent (for example, a
software program that originates the request). This information
is for statistical purposes, the tracing of protocol violations, and
automated recognition of user agents.
• Via—Used by gateways and proxies to indicate the intermediate
protocols and recipients between the user agent and the server on
requests and between the origin server and the client on
responses.
header-value expression Specifies the header value expression string to compare against the
value in the specified field in the HTTP header. The range is from 1
to 255 alphanumeric characters. Table 1-9 lists the supported
characters that you can use in regular expressions.
Command Modes Class map HTTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The ACE supports the use of regular expressions for matching. Expressions are stored in a header map
in the form header-name: expression. Header expressions allow spaces, provided that the spaces are
escaped or quoted. Table 1-9 lists the supported characters that you can use in regular expressions.
Examples To filter on content and allow HTTP headers that contain the expression html, enter:
host1/Admin(config)# class-map type http inspect match-all L7_CLASSFLTRHTML1
host1/Admin(config-cmap-http-insp)# match header accept header-value html
Related Commands (config-cmap-http-insp) description
(config-cmap-http-insp) match header length
To limit the HTTP traffic allowed through the ACE based on the length of the header section of the HTTP
request or response, use the match header length command. Messages will be either allowed or denied
based on the Layer 7 HTTP deep packet inspection policy map action. Use the no form of this command
to clear an HTTP header length match criteria from the class map.
[line_number] match header length {request | response} {eq bytes | gt bytes | lt bytes | range
bytes1 bytes2}
no [line_number] match header length {request | response} {eq bytes | gt bytes | lt bytes | range
bytes1 bytes2}
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not indicate a
priority for the match statements.
request Specifies the size of the HTTP header of a request message that can be
received by the ACE.
response Specifies the size of the HTTP header of a response message sent by the
ACE.
eq bytes Specifies a value for the header length in an HTTP message received by
the ACE. Based on the policy map action, the ACE allows or denies
messages with a header length equal to the specified value. Valid
entries are from 1 to 65535 bytes.
gt bytes Specifies a minimum value for the header length in an HTTP message
received by the ACE. Based on the policy map action, the ACE allows
or denies messages with a header length greater than the specified
value. Valid entries are from 1 to 65535 bytes.
lt bytes Specifies a maximum value for the header length in an HTTP message
received by the ACE. Based on the policy map action, the ACE allows
or denies messages with a header length less than the specified
value. Valid entries are from 1 to 65535 bytes.
range bytes1 bytes2 Specifies a size range for the header length in an HTTP message
received by the ACE. Based on the policy map action, the ACE allows
or denies messages with a header length within this range. The
range is from 1 to 65535 bytes.
Command Modes Class map HTTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines By default, the maximum header length for HTTP deep packet inspection is 2048 bytes.
Examples To specify that the class map match on HTTP requests whose header section is exactly 3600 bytes
long, enter:
host1/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match header length request eq 3600
Related Commands This command has no related commands.
(config-cmap-http-insp) match header mime-type
To specify a subset of the Multipurpose Internet Mail Extension (MIME)-type messages that the ACE
permits or denies based on the actions in the policy map, use the match header mime-type command.
MIME-type validation extends the format of Internet mail to allow non-US-ASCII textual messages,
non-textual messages, multipart message bodies, and non-US-ASCII information in message headers.
Use the no form of this command to deselect the specified MIME message match criteria from the class
map.
[line_number] match header mime-type mime_type
no [line_number] match header mime-type mime_type
Syntax Description [line_number] (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not dictate a
priority or sequence for the match statements.
mime_type MIME-type message. The ACE includes a predefined list of
mime-types, such as image\Jpeg, text\html, application\msword,
audio\mpeg. Choose whether only the mime-types included in this
list are permitted through the ACE firewall or whether all mime-types
are acceptable. The default behavior is to allow all mime-types.
The following lists the supported mime-types:
• application\msexcel
• application\mspowerpoint
• application\msword
• application\octet-stream
• application\pdf
• application\postscript
• application\x-gzip
• application\x-java-archive
• application\x-java-vm
• application\x-messenger
• application\zip
• audio\*
• audio\basic
• audio\midi
• audio\mpeg
• audio\x-adpcm
• audio\x-aiff
• audio\x-ogg
• audio\x-wav
• image\*
• image\gif
• image\jpeg
• image\png
• image\tiff
• image\x-3ds
• image\x-bitmap
• image\x-niff
• image\x-portable-bitmap
• image\x-portable-greymap
• image\x-xpm
• text\*
• text\css
• text\html
• text\plain
• text\richtext
• text\sgml
• text\xmcd
• text\xml
• video\*
• video\flc
• video\mpeg
• video\quicktime
• video\sgi
• video\x-fli
Command Modes Class map HTTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines To define MIME type messages in addition to what is supported under the match header mime-type
command, use the match header command. For example, to define a match for a new MIME-type
audio\myaudio, you could enter the following match statement: match header Content-type
header-value audio\myaudio.
Examples To specify the MIME-type audio\midi and audio\mpeg messages permitted through the ACE, enter:
(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match header mime-type audio\midi
host1/Admin(config-cmap-http-insp)# match header mime-type audio\mpeg
Related Commands This command has no related commands.
(config-cmap-http-insp) match port-misuse
To configure the class map to define application inspection compliance decisions that restrict certain
HTTP traffic from passing through the ACE, use the match port-misuse command. This class map
detects the misuse of port 80 (or any other port running HTTP) for tunneling protocols such as
peer-to-peer (p2p) applications, tunneling applications, and instant messaging. Use the no form of this
command to clear the HTTP restricted application category match criteria from the class map.
[line_number] match port-misuse {im | p2p | tunneling}
no [line_number] match port-misuse {im | p2p | tunneling}
Syntax Description line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the
entire line. The line numbers do not dictate a priority or sequence for the match
statements.
im Defines the instant messaging application category. The ACE checks for the Yahoo
Messenger instant messaging application.
p2p Defines the peer-to-peer application category. The applications checked include Kazaa
and Gnutella. For the ACE appliance, the GoToMyPC application is included.
tunneling Defines the tunneling application category. The applications checked include:
HTTPort/HTTHost, GNU Httptunnel, GotoMyPC, Firethru, and Http-tunnel.com
Client.
Command Modes Class map HTTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You can specify multiple match port-misuse commands within a class map. Each match port-misuse
command configures a single application type.
The port misuse application inspection process requires a search of the entity body of the HTTP
message, which may degrade performance of the ACE.
The ACE disables the match port-misuse command by default. If you do not configure a restricted
HTTP application category, the default action by the ACE is to allow the applications without generating
a log.
Examples To identify that peer-to-peer applications are restricted HTTP traffic, enter:
(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match port-misuse p2p
Related Commands (config-cmap-http-insp) description
(config-cmap-http-insp) match request-method
To configure the class map to define application inspection compliance decisions based on the request
methods defined in RFC 2616 and by HTTP extension methods, use the match request-method
command. If the HTTP request method or extension method compliance check fails, the ACE denies or
resets the specified HTTP traffic based on the policy map action. Use the no form of this command to
clear the HTTP request method match criteria from the class map.
[line_number] match request-method {ext method | rfc method}
no [line_number] match request-method {ext method | rfc method}
Syntax Description line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not dictate a
priority or sequence for the match statements.
ext method Specifies an HTTP extension method. If the request message
does not contain one of the RFC 2616 HTTP request methods, the
ACE verifies whether it is an extension method. The ACE supports the
inspection of the following HTTP request extension methods: bcopy,
bdelete, bmove, bpropfind, bproppatch, copy, edit, getattr,
getattrname, getprops, index, lock, mkdir, mkcol, move,
propfind, proppatch, revadd, revlabel, revlog, revnum, save,
search, setattr, startrev, stoprev, unedit, and unlock.
(ACE module only) The ACE also supports the inspection of the
following HTTP request extension methods: notify, poll, subscribe,
unsubscribe, and x-ms-enumatts.
rfc method Specifies an RFC 2616 HTTP request method that you want to perform
an RFC compliance check on. The ACE supports the inspection of the
following RFC 2616 HTTP request methods: connect, delete, get,
head, options, post, put, and trace.
Command Modes Class map HTTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You can specify multiple match request-method commands within a class map. Each match
request-method command configures a single request method.
For unsupported HTTP request methods, include the inspect http strict command as an action in the
Layer 3 and Layer 4 policy map.
The ACE disables the match request-method command by default. If you do not configure a request
method, the default action by the ACE is to allow the RFC 2616 HTTP request method without
generating a log. By default, the ACE allows all request and extension methods.
Examples To identify the connect, get, and head RFC 2616 request methods and the index extension method
as the methods to be used for application inspection, enter:
(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match request-method rfc connect
host1/Admin(config-cmap-http-insp)# match request-method rfc get
host1/Admin(config-cmap-http-insp)# match request-method rfc head
host1/Admin(config-cmap-http-insp)# match request-method ext index
Related Commands (config-cmap-http-insp) description
(config-cmap-http-insp) match transfer-encoding
To configure the class map to define application inspection decisions that limit the HTTP
transfer-encoding types that can pass through the ACE, use the match transfer-encoding command. The
transfer-encoding general-header field indicates the type of transformation, if any, that has been applied
to the HTTP message body to safely transfer it between the sender and the recipient. When an HTTP
request message contains the configured transfer-encoding type, the ACE performs the configured action
in the policy map. Use the no form of this command to clear the HTTP transfer-encoding match criteria
from the class map.
[line_number] match transfer-encoding {chunked | compressed | deflate | gzip | identity}
no [line_number] match transfer-encoding {chunked | compressed | deflate | gzip | identity}
Syntax Description line_number (Optional) Line number to assist you in editing or deleting individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not dictate a
priority or sequence for the match statements.
chunked Transfers the message body as a series of chunks.
compressed Defines the encoding format produced by the common UNIX file
compression program “compress”. This format is an adaptive
Lempel-Ziv-Welch coding (LZW).
deflate Defines the zlib format defined in RFC 1950 in combination with the
deflate compression mechanism described in RFC 1951.
gzip Defines the encoding format produced by the file compression
program gzip (GNU zip) as described in RFC 1952. This format is a
Lempel-Ziv coding (LZ77) with a 32-bit CRC.
identity Defines the default (identity) encoding, which does not require the
use of transformation.
Command Modes Class map HTTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You can specify multiple match transfer-encoding commands within a class map. Each match
transfer-encoding command configures a single transfer-encoding type.
The ACE disables the match transfer-encoding command by default. If you do not configure a
transfer-encoding type, the default action by the ACE is to allow the HTTP transfer-encoding types
without generating a log.
Examples To specify a chunked HTTP transfer encoding type to limit the HTTP traffic that flows through the ACE,
enter:
(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match transfer-encoding chunked
Related Commands (config-cmap-http-insp) description
(config-cmap-http-insp) match url
To configure the class map to define application inspection decisions based on URL name and,
optionally, HTTP method, use the match url command. The ACE performs regular expression matching
against the received packet data from a particular connection based on the URL expression. Use the no
form of this command to clear a URL match criterion from the class map.
[line_number] match url expression
no [line_number] match url expression
Syntax Description line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not dictate a
priority or sequence for the match statements.
expression URL or portion of a URL to match. The URL string range is from 1 to
255 characters. Include only the portion of the URL following
www.hostname.domain in the match statement. For a list of the
supported characters that you can use in regular expressions, see
Table 1-9.
Command Modes Class map HTTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Include only the portion of the URL following www.hostname.domain in the match statement. For
example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.
To match the www.anydomain.com portion, the URL string can take the form of a URL regular
expression. The ACE supports the use of regular expressions for matching.
When matching URLs, the period (.) character does not have a literal meaning in regular expressions.
Use either brackets ([ ]) or a backslash (\) to match this symbol literally; for example, specify
www[.]xyz[.]com instead of www.xyz.com.
Examples To specify that the Layer 7 class map is to match and perform application inspection on a specific URL,
enter:
(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match url whatsnew/latest.*
To use regular expressions to emulate a wildcard search to match on any .gif or .html file, enter:
(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match url .*.gif
host1/Admin(config-cmap-http-insp)# match url .*.html
Related Commands (config-cmap-http-insp) description
(config-cmap-http-insp) match url length
To limit the HTTP traffic allowed through the ACE by specifying the maximum length of a URL in a
request message that can be received by the ACE, use the match url length command. Messages will be
either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action. Use the
no form of this command to clear a URL length match criteria from the class map.
[line_number] match url length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2}
no [line_number] match url length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2}
Syntax Description line_number (Optional) Line number to assist you in editing or deleting individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not dictate a
priority or sequence for the match statements.
eq bytes Specifies a value for the HTTP URL length received by the ACE.
Based on the policy map action, the ACE allows or denies messages
with an HTTP URL length equal to the specified value. Valid entries
are from 1 to 65535 bytes.
gt bytes Specifies a minimum value for the HTTP URL length received by the
ACE. Based on the policy map action, the ACE allows or denies
messages with an HTTP URL length greater than the specified value.
Valid entries are from 1 to 65535 bytes.
Command Modes Class map HTTP inspection configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To specify that the class map is to match on a URL with a length equal to 10000 bytes in the request
message, enter:
(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match url length eq 10000
Related Commands (config-cmap-http-insp) description
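The inspection match types documented above (match request-method, match transfer-encoding, match url with its period caveat, and match url length), modelled in Python as an added example that is not Cisco's code: it parses constructed requests and evaluates a match-any or match-all class map the way the text describes. The request parser and the whole-path anchoring of the URL expression (fullmatch) are assumptions of this model; the keyword sets are the documented ones.

```python
import re

# Keyword sets as documented for match request-method and match transfer-encoding.
RFC_METHODS = {"connect", "delete", "get", "head", "options", "post", "put", "trace"}
EXT_METHODS = {
    "bcopy", "bdelete", "bmove", "bpropfind", "bproppatch", "copy", "edit", "getattr",
    "getattrname", "getprops", "index", "lock", "mkdir", "mkcol", "move", "propfind",
    "proppatch", "revadd", "revlabel", "revlog", "revnum", "save", "search", "setattr",
    "startrev", "stoprev", "unedit", "unlock",
}
TRANSFER_ENCODINGS = {"chunked", "compressed", "deflate", "gzip", "identity"}


def parse_request(raw):
    """Minimal parser for the request line and headers of a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": url, "headers": headers, "body": body}


class HttpInspectClassMap:
    """match-any (implicit OR) or match-all (implicit AND) over numbered match statements."""

    def __init__(self, name, match_any=True):
        self.name = name
        self.match_any = match_any
        self.matches = {}  # line_number -> predicate; the numbers carry no priority

    def _add(self, line_number, predicate):
        self.matches[line_number] = predicate
        return self

    def match_request_method(self, line_number, kind, method):
        allowed = RFC_METHODS if kind == "rfc" else EXT_METHODS
        if method not in allowed:  # the CLI accepts only the documented keywords
            raise ValueError(f"{method!r} is not a supported {kind} method")
        return self._add(line_number, lambda r: r["method"].lower() == method)

    def match_transfer_encoding(self, line_number, encoding):
        if encoding not in TRANSFER_ENCODINGS:
            raise ValueError(f"unsupported transfer-encoding {encoding!r}")

        def hit(r):  # the header may list several codings, e.g. "gzip, chunked"
            codings = r["headers"].get("transfer-encoding", "")
            return encoding in [c.strip().lower() for c in codings.split(",")]
        return self._add(line_number, hit)

    def match_url(self, line_number, expression):
        # Assumption: the expression must cover the whole path (fullmatch), which
        # is why the documented wildcard examples begin with '.*'.
        if not 1 <= len(expression) <= 255:
            raise ValueError("URL expression must be 1 to 255 characters")
        pattern = re.compile(expression)
        return self._add(line_number, lambda r: pattern.fullmatch(r["url"]) is not None)

    def match_url_length(self, line_number, op, bytes1, bytes2=None):
        ops = {"eq": lambda n: n == bytes1, "gt": lambda n: n > bytes1,
               "lt": lambda n: n < bytes1, "range": lambda n: bytes1 <= n <= bytes2}
        if op not in ops or not 1 <= bytes1 <= 65535:
            raise ValueError("use eq|gt|lt|range with a length from 1 to 65535 bytes")
        return self._add(line_number, lambda r: ops[op](len(r["url"].encode())))

    def evaluate(self, request):
        """True when the request matches; allow, deny or reset is the policy map's job."""
        results = [pred(request) for pred in self.matches.values()]
        return bool(results) and (any(results) if self.match_any else all(results))


# Constructed sample requests (not captured traffic).
GET_GIF = b"GET /images/logo.gif HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
GET_NO_DOT = b"GET /evilgif HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
CHUNKED_POST = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
PROPFIND = b"PROPFIND /dav/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def build_class_map():
    """The documented example statements gathered into one match-any class map."""
    cm = HttpInspectClassMap("HTTP_INSPECT_L7CLASS", match_any=True)
    cm.match_request_method(10, "ext", "propfind")
    cm.match_transfer_encoding(20, "chunked")
    cm.match_url(30, r".*[.]gif")  # [.] keeps the period literal, as the caveat advises
    cm.match_url_length(40, "gt", 1024)
    return cm


def period_caveat():
    """(loose, strict) for '/evilgif': '.*.gif' hits it, '.*[.]gif' does not."""
    req = parse_request(GET_NO_DOT)
    loose = HttpInspectClassMap("loose").match_url(1, r".*.gif").evaluate(req)
    strict = HttpInspectClassMap("strict").match_url(1, r".*[.]gif").evaluate(req)
    return loose, strict
```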
Class Map HTTP Load Balancing Configuration Mode
Commands
Class map HTTP load balancing configuration mode commands allow you to create a Layer 7 HTTP
server load balancing (SLB) class map. To create this class map and access class map HTTP load
balancing configuration mode, use the class-map type http loadbalance command. The prompt changes
to (config-cmap-http-lb). Use the no form of this command to remove an HTTP SLB class map from the
ACE.
class-map type http loadbalance [match-all | match-any] map_name
no class-map type http loadbalance [match-all | match-any] map_name
lt bytes Specifies a maximum value for the HTTP URL length received by the
ACE. Based on the policy map action, the ACE allows or denies
messages with an HTTP URL length less than the specified value.
Valid entries are from 1 to 65535 bytes.
range bytes1 bytes2 Specifies a size range for the HTTP URL length received by the ACE.
Based on the policy map action, the ACE allows or denies messages
with an HTTP URL length within this range. The range is from 1 to
65535 bytes.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Syntax Description match-all | match-any (Optional) Determines how the ACE evaluates Layer 7 HTTP SLB
operations when multiple match criteria exist in a class map. The
class map is considered a match if the match commands meet one of
the following conditions:
• match-all—(Default) Specifies that network traffic needs to
satisfy all of the match criteria (implicit AND) to match the
Layer 7 load-balancing class map. The match-all keyword is
applicable only for match statements of different Layer 7
load-balancing types. For example, specifying a match-all
condition for URL, HTTP header, and URL cookie statements in
the same class map is valid. However, specifying a match-all
condition for multiple HTTP headers or multiple cookies with
the same names or multiple URLs in the same class map is
invalid.
• match-any—Specifies that network traffic needs to satisfy only
one of the match criteria (implicit OR) to match the HTTP
load-balancing class map. The match-any keyword is applicable
only for match statements of the same Layer 7 load-balancing
type. For example, the ACE does not allow you to specify a
match-any condition for URL, HTTP header, and URL cookie
statements in the same class map but does allow you to specify a
match-any condition for multiple URLs, or multiple HTTP
headers or multiple cookies with different names in the same
class map.
map_name Name assigned to the Layer 7 HTTP SLB class map. Enter an
unquoted text string with no spaces and a maximum of
64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
Examples To create a Layer 7 class map named L7SLB_CLASS that performs server load balancing, enter:
host1/Admin(config)# class-map type http loadbalance match-any L7SLB_CLASS
host1/Admin(config-cmap-http-lb)#
Related Commands (config) policy-map
(config-cmap-http-lb) description
To provide a brief summary about the Layer 7 HTTP SLB class map, use the description command. Use
the no form of this command to remove the description from the class map.
description text
no description
Syntax Description text Description about the class map. Enter an unquoted text string with a
maximum of 240 alphanumeric characters.
Command Modes Class map HTTP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the class map is to perform server load balancing, enter:
host1/Admin(config-cmap-http-lb)# description HTTP LOAD BALANCE PROTOCOL 1
Related Commands This command has no related commands.
(config-cmap-http-lb) match class-map
To identify one Layer 7 HTTP SLB class map as a matching criterion for another Layer 7 HTTP SLB
class map, use the match class-map command. Use the no form of this command to remove the nested
class map from the HTTP SLB class map.
[line_number] match class-map name
no [line_number] match class-map name
Syntax Description line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not indicate a
priority for the match statements.
name Name of an existing Layer 7 load-balancing class map.
Command Modes Class map HTTP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The match class-map command allows you to combine the use of the match-any and match-all
keywords in the same class map. To combine match-all and match-any characteristics in a class map,
create a class map that uses one match command (either match-any or match-all) and then use this class
map as a match statement in a second class map that uses a different match type.
The nesting of class maps allows you to achieve complex logical expressions for Layer 7 HTTP-based
server load balancing. The ACE restricts the nesting of class maps to two levels to prevent you from
including a nested class map under another class map.
See the Server Load-Balancing Guide, Cisco ACE Application Control Engine for details about
configuring the ACE to perform server load balancing.
Examples To combine the characteristics of two class maps, one with match-any and one with match-all
characteristics, into a single class map, enter:
(config)# class-map type http loadbalance match-all class3
(config-cmap-http-lb)# 100 match http cookie testcookie1 cookie-value 123456
(config-cmap-http-lb)# 200 match http header Host header-value XYZ
(config-cmap-http-lb)# exit
(config)# class-map type http loadbalance match-any class4
(config-cmap-http-lb)# 10 match class-map class3
(config-cmap-http-lb)# 20 match source-address 192.168.11.2
(config-cmap-http-lb)# 30 match source-address 192.168.11.3
(config-cmap-http-lb)# exit
Related Commands (config-cmap-http-lb) description
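The nested class3/class4 example above, as an added Python model that is not Cisco's code: it evaluates match-all (implicit AND) and match-any (implicit OR) class maps over constructed requests, nests one in the other, and refuses a third level as the usage guidelines require. Assumptions: cookie-value and header-value expressions must cover the whole value (fullmatch), and match source-address is simplified to a host address or CIDR prefix.

```python
import ipaddress
import re


class LbClassMap:
    """A Layer 7 HTTP SLB class map: match-all (implicit AND, the default) or match-any (OR)."""

    def __init__(self, name, match_all=True):
        self.name = name
        self.match_all = match_all
        self.entries = {}   # line_number -> predicate; numbers carry no priority
        self.depth = 1      # levels of class maps inside this one, itself included

    def _add(self, line_number, predicate):
        self.entries[line_number] = predicate
        return self

    def match_http_cookie(self, line_number, name, expression):
        # cookie-value is a regular expression; assumption: it must cover the whole value.
        pattern = re.compile(expression)
        return self._add(line_number, lambda r: name in r["cookies"]
                         and pattern.fullmatch(r["cookies"][name]) is not None)

    def match_http_header(self, line_number, header_name, expression):
        if ":" in header_name:  # documented: the ACE rejects the colon as an invalid token
            raise ValueError("header_name cannot include a colon")
        pattern = re.compile(expression)
        key = header_name.lower()
        return self._add(line_number, lambda r: key in r["headers"]
                         and pattern.fullmatch(r["headers"][key]) is not None)

    def match_source_address(self, line_number, address):
        # Hypothetical simplification: a host address or CIDR prefix stands in for the
        # command's address and optional netmask.
        net = ipaddress.ip_network(address, strict=False)
        return self._add(line_number, lambda r: ipaddress.ip_address(r["src"]) in net)

    def match_class_map(self, line_number, other):
        # Documented restriction: nesting is limited to two levels.
        if other.depth >= 2:
            raise ValueError(f"{other.name} already contains a nested class map")
        self.depth = max(self.depth, other.depth + 1)
        return self._add(line_number, other.evaluate)

    def evaluate(self, request):
        results = [pred(request) for pred in self.entries.values()]
        return bool(results) and (all(results) if self.match_all else any(results))


def build_class3():
    """The documented class3: match-all over a cookie and a Host header."""
    return (LbClassMap("class3", match_all=True)
            .match_http_cookie(100, "testcookie1", "123456")
            .match_http_header(200, "Host", "XYZ"))


def build_class4():
    """The documented class4: match-any over class3 and two source addresses."""
    return (LbClassMap("class4", match_all=False)
            .match_class_map(10, build_class3())
            .match_source_address(20, "192.168.11.2")
            .match_source_address(30, "192.168.11.3"))


def request(src, headers=None, cookies=None):
    """Constructed request view holding only the fields the class maps inspect."""
    return {"src": src,
            "headers": {k.lower(): v for k, v in (headers or {}).items()},
            "cookies": dict(cookies or {})}


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "cookie+host": request("10.0.0.5", {"Host": "XYZ"}, {"testcookie1": "123456"}),
    "cookie only": request("10.0.0.5", {"Host": "ABC"}, {"testcookie1": "123456"}),
    "source only": request("192.168.11.3", {"Host": "ABC"}),
    "nothing": request("192.168.11.9", {"Host": "XYZ"}),
}


def classify(sample):
    """Return (class3 hit, class4 hit) for one sample request."""
    return build_class3().evaluate(sample), build_class4().evaluate(sample)


def nesting_limit_enforced():
    """True if a third level (class5 -> class4 -> class3) is refused."""
    try:
        LbClassMap("class5").match_class_map(10, build_class4())
    except ValueError:
        return True
    return False
```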
(config-cmap-http-lb) match cipher
(ACE appliance only) To make server load-balancing (SLB) decisions based on a specific SSL cipher or
cipher strength used to initiate a connection, use the match cipher command. Use the no form of this
command to remove an SSL cipher content match statement from the class map.
match cipher {equal-to cipher | less-than cipher_strength}
no match cipher {equal-to cipher | less-than cipher_strength}
Syntax Description equal-to cipher Specifies the SSL cipher. The possible values for cipher are as
follows:
• RSA_EXPORT1024_WITH_DES_CBC_SHA
• RSA_EXPORT1024_WITH_RC4_56_MD5
• RSA_EXPORT1024_WITH_RC4_56_SHA
• RSA_EXPORT_WITH_DES40_CBC_SHA
• RSA_EXPORT_WITH_RC4_40_MD5
• RSA_WITH_3DES_EDE_CBC_SHA
• RSA_WITH_AES_128_CBC_SHA
• RSA_WITH_AES_256_CBC_SHA
• RSA_WITH_DES_CBC_SHA
• RSA_WITH_RC4_128_MD5
• RSA_WITH_RC4_128_SHA
less-than cipher_strength Specifies a noninclusive minimum SSL cipher bit strength. For
example, if you specify a cipher strength value of 128, any SSL
cipher weaker than 128 bits would hit the traffic policy. If the
SSL cipher was 128-bit or greater, the connection would miss the
policy.
The possible values for cipher_strength are as follows:
• 128
• 168
• 256
• 56
Command Modes Class map HTTP load balancing configuration mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To specify that the Layer 7 SLB class map load balances on a specific SSL cipher, enter:
host1/Admin(config)# class-map type http loadbalance match-all L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 10 match cipher equal-to RSA_WITH_RC4_128_SHA
To specify that the Layer 7 SLB class map load balances on a specific minimum SSL cipher bit strength,
enter:
host1/Admin(config)# class-map type http loadbalance match-all L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 100 match cipher less-than 128
Related Commands This command has no related commands.
(config-cmap-http-lb) match http content
To configure a class map to make Layer 7 SLB decisions based on the HTTP packet content, use the
match http content command. Use the no form of this command to remove an HTTP content match
statement from the class map.
[line_number] match http content expression [offset number]
no [line_number] match http content expression [offset number]
Syntax Description
Command Modes Class map HTTP load balancing configuration mode
Admin and user contexts
line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not indicate a
priority for the match statements.
expression Regular expression content to match. Enter a string from 1 to 255
alphanumeric characters. The ACE supports the use of regular
expressions for matching data strings. For a list of the supported
characters that you can use in regular expressions, see Table 1-9.
offset number (Optional) Specifies the byte at which the ACE begins parsing the
packet data. Enter an integer from 0 to 999. The default is 0.2-546
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Class Map HTTP Load Balancing Configuration Mode Commands
Command History
Usage Guidelines The ACE can perform regular expression matching against the received packet data from a particular
connection based on a regular expression string in HTTP packet data (not the header).
When matching data strings, the period (.) and question mark (?) characters do not have a literal meaning
in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com
instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
Examples To specify that the Layer 7 class map performs SLB based on a specific HTTP header string, enter:
host1/Admin(config)# class-map type http loadbalance match-any L7_HTTP_CLASS
host1/Admin(config-cmap-http-lb)# 10 match http content abc*123 offset 50
Related Commands (config-cmap-http-lb) description
(config-cmap-http-lb) match http cookie
To configure the class map to make Layer 7 server load-balancing (SLB) decisions based on the name
and string of a cookie, use the match http cookie command. The ACE performs regular expression
matching against the received packet data from a particular connection based on the cookie expression.
You can configure a maximum of five cookie names per VIP. Use the no form of this command to remove
an HTTP cookie match statement from the class map.
[line_number] match http cookie {name | secondary name} cookie-value expression
no [line_number] match http cookie {name | secondary name} cookie-value expression
Syntax Description
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
line_number (Optional) Line number that allows you to edit or delete individual
match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line
number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line
number.
You can enter no line_number to delete long match commands
instead of entering the entire line. The line numbers do not indicate a
priority for the match statements.
name Unique cookie name. Enter an unquoted text string with no spaces
and a maximum of 64 alphanumeric characters.2-547
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Class Map HTTP Load Balancing Configuration Mode Commands
Syntax Description (continued)
secondary name Specifies a cookie in a URL string. You can specify the delimiters for cookies in a URL string using a command in an HTTP parameter map. For more information, see the “Parameter Map HTTP Configuration Mode Commands” section.
cookie-value expression Specifies a unique cookie value expression. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. The ACE supports the use of regular expressions for matching string expressions. For a list of the supported characters that you can use for matching string expressions, see Table 1-9.
Command Modes Class map HTTP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To specify that the Layer 7 class map load balances on a cookie with the name of testcookie1 or testcookie2, enter:
(config)# class-map type http loadbalance match-any L7SLBCLASS
(config-cmap-http-lb)# 100 match http cookie testcookie1 cookie-value 123456
(config-cmap-http-lb)# 200 match http cookie testcookie2 cookie-value 789987
Related Commands (config-cmap-http-lb) description
(config-cmap-http-lb) match http header
To configure a class map to make Layer 7 SLB decisions based on the name and value of an HTTP header, use the match http header command. The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP header expression. You can configure a maximum of 10 HTTP header names and cookie names per class. Use the no form of this command to remove all HTTP header match criteria from the class map.
[line_number] match http header header_name header-value expression
no [line_number] match http header header_name header-value expression
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
header_name Name of the field in the HTTP header. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. You can enter a text string with spaces if you enclose the entire string in quotation marks (“). You can enter any header field name, including a standard HTTP header field name or any user-defined header field name. Valid selections include request-header fields, general-header fields, and entity-header fields.
Note The header_name argument cannot include the colon in the name of the HTTP header; the ACE rejects the colon as an invalid token.
For a list of the standard HTTP/1.1 header field names, see Table 1-10.
header-value expression Specifies the header value expression string to compare against the value in the specified field in the HTTP header. Enter a text string from 1 to 255 alphanumeric characters. For a list of the supported characters that you can use for regular expressions, see Table 1-9.
Command Modes Class map HTTP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. For a list of the supported characters that you can use for regular expressions, see Table 1-9.
Table 1-10 lists the standard HTTP header fields that you can use in an HTTP load-balancing class map.
Table 1-10 Standard HTTP Header Fields
Field Name Description
Accept Semicolon-separated list of representation schemes (content type metainformation values) that will be accepted in the response to the request.
Accept-Charset Character sets that are acceptable for the response. This field allows clients capable of understanding more comprehensive or special-purpose character sets to signal that capability to a server that can represent documents in those character sets.
Accept-Encoding Restricts the content encoding that a user will accept from the server.
Accept-Language ISO code for the language in which the document is written. The language code is an ISO 3316 language code with an optional ISO 639 country code to specify a national variant.
Authorization Specifies that the user agent wants to authenticate itself with a server, usually after receiving a 401 response.
Cache-Control Directives that must be obeyed by all caching mechanisms along the request/response chain. The directives specify behavior intended to prevent caches from adversely interfering with the request or response.
Connection Allows the sender to specify connection options.
Content-MD5 MD5 digest of the entity-body that provides an end-to-end integrity check. Only a client or an origin server can generate this header field.
Expect Used by a client to inform the server about what behaviors the client requires.
From E-mail address of the person that controls the requesting user agent.
Host Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource. The Host field value must represent the naming authority of the origin server or gateway given by the original URL.
If-Match Used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that one of those entities is current by including a list of their associated entity tags in the If-Match header field. This feature allows efficient updates of cached information with a minimum amount of transaction overhead. It is also used on updating requests to prevent inadvertent modification of the wrong version of a resource. As a special case, the asterisk (*) value matches any current entity of the resource.
Pragma Pragma directives understood by servers to whom the directives are relevant. The syntax is the same as for other multiple-value fields in HTTP, for example, the accept field, a comma-separated list of entries, for which the optional parameters are separated by semicolons.
Referer Address (URI) of the resource from which the URI in the request was obtained.
Transfer-Encoding What (if any) type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient.
User-Agent Information about the user agent, for example, a software program originating the request. This information is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents to customize responses to avoid particular user agent limitations.
Via Used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests and between the origin server and the client on responses.
Examples To specify that the Layer 7 class map performs SLB on an HTTP header named Host, enter:
(config)# class-map type http loadbalance match-any L7SLBCLASS
(config-cmap-http-lb)# 100 match http header Host header-value .*cisco.com
To use regular expressions in a class map to emulate a wildcard search to match the header value expression string, enter:
host1/Admin(config)# class-map type http loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 10 match http header Host header-value .*cisco.com
host1/Admin(config-cmap-http-lb)# 20 match http header Host header-value .*yahoo.com
To specify that the Layer 7 class map performs SLB on an HTTP header named Via, enter:
host1/Admin(config)# class-map type http loadbalance match-all L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 30 match http header Via header-value 192.*
Related Commands (config-cmap-http-lb) description
(config-cmap-http-lb) match http url
To configure a class map to make Layer 7 SLB decisions based on the URL name and, optionally, the HTTP method, use the match http url command. The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string. Use the no form of this command to remove a URL match statement from the class map.
[line_number] match http url expression [method name]
no [line_number] match http url expression [method name]
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
expression URL, or portion of a URL, to match. Enter a URL string from 1 to 255 alphanumeric characters. Include only the portion of the URL that follows www.hostname.domain in the match statement. For a list of the supported characters that you can use for regular expressions, see Table 1-9.
method name (Optional) Specifies the HTTP method to match. Enter a method name as an unquoted text string with no spaces and a maximum of 15 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE).
Command Modes Class map HTTP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Include only the portion of the URL that follows www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE supports the use of regular expressions for matching URL strings. For a list of the supported characters that you can use for regular expressions, see Table 1-9.
When matching URLs, note that the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
Examples To specify that the Layer 7 class map performs SLB on a specific URL, enter:
host1/Admin(config)# class-map type http loadbalance L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 10 match http url whatsnew/latest.*
To use regular expressions to emulate a wildcard search to match on any .gif or .html file, enter:
host1/Admin(config)# class-map type http loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 100 match http url .*.gif
host1/Admin(config-cmap-http-lb)# 200 match http url .*.html
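The usage guideline above (an unescaped period or question mark is a regular-expression metacharacter, not a literal) applies to the .*.gif and .*.html patterns in this example; on a load balancer that matters because an over-broad expression can steer requests to a server farm they were never meant to reach. The following Python script is an added illustration rather than Cisco's code; the sample URLs and Host values are constructed, and it assumes Python's re module is a close enough model of the ACE matcher for the behaviour of ., ? and [.].

```python
import re

# Constructed sample values (not taken from the Cisco document).
SAMPLE_URLS = [
    "/images/logo.gif",                # a real .gif object
    "/download/notgif",                # "gif" with no dot in front of it
    "/latest/whatsnew.html",
    "/latest/whatsnew.htm",            # one character short of .html
    "/latest/whatsnew.html?lang=en",   # a literal "?" starting a query string
    "/reports/q1.pdf",
]

SAMPLE_HOSTS = [
    "www.xyz.com",
    "wwwXxyzXcom",                     # the dots replaced by other characters
]


def ace_style_match(expression: str, value: str) -> bool:
    """Model an ACE class-map match of one value against a regex expression.

    Assumption (not stated in the document): the ACE matcher behaves like
    re.search, i.e. the expression may match anywhere in the value.  The
    dot and question-mark pitfalls shown here hold for anchored matching too.
    """
    return re.search(expression, value) is not None


def matching_values(expression: str, values):
    """Return, in order, the sample values the expression classifies as a match."""
    return [v for v in values if ace_style_match(expression, v)]


def compare_gif_patterns():
    """The document's .*.gif example next to its two escaped forms."""
    return {
        ".*.gif": matching_values(r".*.gif", SAMPLE_URLS),      # '.' is any character
        ".*\\.gif": matching_values(r".*\.gif", SAMPLE_URLS),   # backslash escape
        ".*[.]gif": matching_values(r".*[.]gif", SAMPLE_URLS),  # bracket escape
    }


def compare_question_mark_patterns():
    """An unescaped '?' makes the preceding character optional; it does not match '?'."""
    return {
        "whatsnew.html?": matching_values(r"whatsnew.html?", SAMPLE_URLS),
        "whatsnew[.]html[?]": matching_values(r"whatsnew[.]html[?]", SAMPLE_URLS),
    }


def compare_host_patterns():
    """The document's www.xyz.com versus www[.]xyz[.]com advice, applied to Host values."""
    return {
        "www.xyz.com": matching_values(r"www.xyz.com", SAMPLE_HOSTS),
        "www[.]xyz[.]com": matching_values(r"www[.]xyz[.]com", SAMPLE_HOSTS),
    }


if __name__ == "__main__":
    for report in (compare_gif_patterns(), compare_question_mark_patterns(),
                   compare_host_patterns()):
        for expression, hits in report.items():
            print(f"{expression:22} -> {hits}")
```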
Related Commands (config-cmap-http-lb) description
(config-cmap-http-lb) match source-address
To configure the class map to make Layer 7 SLB decisions based on a client source IP address, use the
match source-address command. Use the no form of this command to remove the source IP address
match statement from the class map.
[line_number] match source-address ip_address [netmask]
no [line_number] match source-address ip_address [netmask]
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
ip_address Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.2).
netmask (Optional) Subnet mask of the IP address. Enter the netmask in dotted-decimal notation (for example, 255.255.255.0). The default is 255.255.255.255.
Command Modes Class map HTTP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To specify that the class map match on source IP address 192.168.11.2 255.255.255.0, enter:
host1/Admin(config)# class-map type http loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 50 match source-address 192.168.11.2 255.255.255.0
Related Commands (config-cmap-http-lb) description
Class Map Management Configuration Mode Commands
Class map management configuration mode allows you to create a Layer 3 and Layer 4 class map to
classify the IP network management traffic received by the ACE. To create this class map and access
class map management configuration mode, use the class-map type management configuration
command. The prompt changes to (config-cmap-mgmt). This command permits network management
traffic by identifying the incoming IP management protocols that the ACE can receive as well as the
client source host IP address and subnet mask as the matching criteria. A class map of type management
provides access for one or more of the following management protocols: HTTP, HTTPS, ICMP, SNMP,
SSH, or Telnet.
Use the no form of this command to remove a network management class map.
class-map type management [match-all | match-any] map_name
no class-map type management [match-all | match-any] map_name
Syntax Description
match-all | match-any (Optional) Determines how the ACE evaluates Layer 3 and Layer 4 network management traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions.
• match-all—(Default) Traffic being evaluated must match all of the match criteria listed in the class map (typically, match commands of different types).
• match-any—Traffic being evaluated must match one of the match criteria listed in the class map (typically, match commands of the same type).
map_name Name assigned to the Layer 3 and Layer 4 network management protocol class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the context Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To create a Layer 3 and Layer 4 class map named MGMT-ACCESS_CLASS that classifies the network management protocols that can be received by the ACE, enter:
host1/Admin# class-map type management match-any MGMT-ACCESS_CLASS
host1/Admin(config-cmap-mgmt)#
Related Commands This command has no related commands.
(config-cmap-mgmt) description
To provide a brief summary about the Layer 3 and Layer 4 management class map, use the description command. Use the no form of this command to remove the description from the class map.
description text
no description
Syntax Description
text Description about the class map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Class map management configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the class map is to allow remote Telnet access, enter:
host1/Admin# class-map type management TELNET-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# description Allow Telnet access to the ACE
Related Commands This command has no related commands.
(config-cmap-mgmt) match protocol
To configure the class map to identify the network management protocols that can be received by the
ACE, use the match protocol command. You configure the associated policy map to permit access to
the ACE for the specified management protocols. As part of the network management access traffic
classification, you also specify either a client source host IP address and subnet mask as the matching
criteria or instruct the ACE to allow any client source address for the management traffic classification.
Use the no form of this command to deselect the specified network management protocol match criteria
from the class map.
[line_number] match protocol {http | https | icmp | icmpv6 | kalap-udp | snmp | ssh | telnet | xml-https} {any | anyv6 | source-address {ipv6_address/prefix_length | ipv4_address mask}}
no [line_number] match protocol {http | https | icmp | icmpv6 | kalap-udp | snmp | ssh | telnet | xml-https} {any | anyv6 | source-address {ipv6_address/prefix_length | ipv4_address mask}}
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
http Specifies the Hypertext Transfer Protocol (HTTP).
https Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP).
(ACE appliance only) Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP) for connectivity with the Device Manager GUI on the ACE using port 443.
icmp Specifies the Internet Control Message Protocol (ping).
icmpv6 Specifies the Internet Control Message Protocol Version 6 messages to the ACE.
kalap-udp Specifies the keepalive-appliance protocol (KAL-AP) over UDP.
snmp Specifies the Simple Network Management Protocol (SNMP).
ssh Specifies a Secure Shell (SSH) connection to the ACE.
telnet Specifies a Telnet connection to the ACE.
xml-https (ACE appliance only) Specifies HTTPS as the transfer protocol to send and receive XML documents between the ACE and a Network Management System (NMS). Communication is performed using port 10443.
any Specifies any client source IPv4 address for the management traffic classification.
anyv6 Specifies any client source IPv6 address for the management traffic classification.
source-address Specifies a client source host IP address and subnet mask as the network traffic matching criteria. As part of the classification, the ACE implicitly obtains the destination IP address from the interface on which you apply the policy map.
ipv6_address Source IPv6 address of the client.
/prefix_length Prefix length of the client entry (for example, /64).
ipv4_address Source IPv4 address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
mask Subnet mask of the client entry in dotted-decimal notation (for example, 255.255.255.0).
Command Modes Class map management configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
A5(1.0) Added the anyv6 and icmpv6 keywords.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
Added the anyv6 and icmpv6 keywords.
Usage Guidelines This command has no usage guidelines.
Examples To specify that the class map allows SSH access to the ACE from the source IP address 192.168.10.1 255.255.255.0, enter:
host1/Admin# class-map type management SSH-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol ssh source-address 192.168.10.1 255.255.255.0
Related Commands (config-cmap-mgmt) description
Class Map RADIUS Load Balancing Configuration Mode Commands
The ACE performs Layer 7 Remote Authentication Dial-In User Service (RADIUS) load balancing based on the calling-station-ID or the username RADIUS attribute. To create a RADIUS load-balancing class map and access class map RADIUS load balancing configuration mode, use the class-map type radius loadbalance command. The prompt changes to (config-cmap-radius-lb). Use the no form of this command to remove a RADIUS load-balancing class map from the configuration.
class-map type radius loadbalance [match-all | match-any] map_name
no class-map type radius loadbalance [match-all | match-any] map_name
Syntax Description
match-all | match-any (Optional) Determines how the ACE evaluates RADIUS network traffic when multiple match criteria exist in a class map.
• match-all—(Default) Network traffic needs to satisfy all of the match criteria (implicit AND) to match the RADIUS load-balancing class map.
• match-any—Network traffic needs to satisfy only one of the match criteria (implicit OR) to match the RADIUS load-balancing class map.
map_name Unique identifier assigned to the RADIUS load-balancing class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To create a class map named RADIUS_L7_CLASS, enter:
host1/Admin(config)# class-map type radius loadbalance match-any RADIUS_L7_CLASS
host1/Admin(config-cmap-radius-lb)#
To remove the RADIUS class map from the configuration, enter:
host1/Admin(config)# no class-map type radius loadbalance match-any RADIUS_L7_CLASS
Related Commands (config) class-map
(config-cmap-radius-lb) description
(config-cmap-radius-lb) match radius attribute
(config-cmap-radius-lb) description
To provide a brief description of the RADIUS load-balancing class map, use the description command. Use the no form of this command to remove the description from the class map.
description text
no description
Syntax Description
text Description of the class map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Class map RADIUS load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the RADIUS load-balancing class map, enter:
host1/Admin(config)# class-map type radius loadbalance match-any RADIUS_L7_CLASS
host1/Admin(config-cmap-radius-lb)# description RADIUS CLASS MAP
To remove a description from a RADIUS load-balancing class map, enter:
host1/Admin(config-cmap-radius-lb)# no description
Related Commands (config-cmap-radius-lb) match radius attribute
(config-cmap-radius-lb) match radius attribute
To specify the RADIUS attribute match criteria for the class map, use the match radius attribute command. Use the no form of this command to remove the match statement from the RADIUS attribute class map.
[line_number] match radius attribute {calling-station-id | username} expression
no [line_number] match radius attribute {calling-station-id | username} expression
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate any priority for the match statements.
calling-station-id Specifies the unique identifier of the calling station.
username Specifies the name of the RADIUS user who initiated the connection.
expression Calling station ID or username to match. Enter a string from 1 to 64 alphanumeric characters. The ACE supports the use of regular expressions for matching strings. For a list of the supported characters that you can use in regular expressions, see Table 1-9.
Command Modes Class map RADIUS load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The ACE performs Layer 7 RADIUS load balancing based on the calling-station-ID or username RADIUS attribute.
Examples To configure RADIUS match criteria based on the calling station ID attribute, enter:
host1/Admin(config)# class-map type radius loadbalance match-any RADIUS_L7_CLASS
host1/Admin(config-cmap-radius-lb)# 10 match radius attribute calling-station-id 122*
To remove the RADIUS attribute match statement from the RADIUS_L7_CLASS class map, enter:
host1/Admin(config-cmap-radius-lb)# no 10
Related Commands (config-cmap-radius-lb) description
Class Map RTSP Load Balancing Configuration Mode Commands
Class map Real-Time Streaming Protocol (RTSP) load balancing configuration mode commands allow you to create a Layer 7 RTSP server load-balancing class map. To create an RTSP load-balancing class map and access class map RTSP load balancing configuration mode, use the class-map type rtsp loadbalance command. The prompt changes to (config-cmap-rtsp-lb). Use the no form of this command to remove an RTSP load-balancing class map from the configuration.
class-map type rtsp loadbalance [match-all | match-any] map_name
no class-map type rtsp loadbalance [match-all | match-any] map_name
Syntax Description
match-all | match-any (Optional) Determines how the ACE evaluates RTSP network traffic when multiple match criteria exist in a class map.
• match-all—(Default) Network traffic needs to satisfy all of the match criteria (implicit AND) to match the RTSP load-balancing class map.
• match-any—Network traffic needs to satisfy only one of the match criteria (implicit OR) to match the RTSP load-balancing class map.
map_name Unique identifier assigned to the RTSP load-balancing class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To create a class map named RTSP_L7_CLASS, enter:
host1/Admin(config)# class-map type rtsp loadbalance match-any RTSP_L7_CLASS
host1/Admin(config-cmap-rtsp-lb)#
To remove the RTSP class map from the configuration, enter:
host1/Admin(config)# no class-map type rtsp loadbalance match-any RTSP_L7_CLASS
Related Commands (config) class-map
(config-cmap-sip-lb) description
(config-cmap-rtsp-lb) description
To provide a brief description of the RTSP load-balancing class map, use the description command. Use the no form of this command to remove the description from the class map.
description text
no description
Syntax Description
text Description of the class map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Class map RTSP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the RTSP load-balancing class map, enter:
host1/Admin(config)# class-map type rtsp loadbalance match-any RTSP_L7_CLASS
host1/Admin(config-cmap-rtsp-lb)# description RTSP CLASS MAP
To remove the description from an RTSP load-balancing class map, enter:
host1/Admin(config-cmap-rtsp-lb)# no description
Related Commands This command has no related commands.
(config-cmap-rtsp-lb) match class-map
To identify one RTSP load-balancing class map as a matching criterion for another RTSP load-balancing class map, use the match class-map command. Use the no form of this command to remove the nested class map from an RTSP load-balancing class map.
[line_number] match class-map name
no [line_number] match class-map name
Syntax Description
line_number (Optional) Line number that you can use to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate any priority for the match statements.
name Name of an existing RTSP load-balancing class map.
Command Modes Class map RTSP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The match class-map command allows you to combine the use of the match-any and match-all keywords in the same class map. To combine match-all and match-any characteristics in a class map, create a class map that uses one match command (either match-any or match-all) and then use this class map as a match statement in a second class map that uses the other match type.
The nesting of class maps allows you to achieve complex logical expressions for Layer 7 server load balancing. The ACE restricts the nesting of class maps to two levels to prevent you from including a nested class map under another class map.
Examples To combine the characteristics of two class maps, one with match-any and one with match-all characteristics, into a single class map, enter:
host1/Admin(config)# class-map type rtsp loadbalance match-any CLASS3
host1/Admin(config-cmap-rtsp-lb)# 100 match rtsp url .*.gif
host1/Admin(config-cmap-rtsp-lb)# 200 match rtsp header Host header-value XYZ
host1/Admin(config-cmap-rtsp-lb)# exit
host1/Admin(config)# class-map type rtsp loadbalance match-all CLASS4
host1/Admin(config-cmap-rtsp-lb)# 10 match class-map CLASS3
host1/Admin(config-cmap-rtsp-lb)# 20 match source-address 192.168.11.2
host1/Admin(config-cmap-rtsp-lb)# exit
To remove the nested class map from the RTSP class map, enter:
host1/Admin(config-cmap-rtsp-lb)# no 10
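The match-all/match-any nesting described above, together with the netmask default noted for match source-address earlier in this chapter (255.255.255.255 when no mask is given), as an added Python model of how the CLASS3/CLASS4 pair classifies a request; this is not Cisco's code. The Request, Match, ClassMap, evaluate, nesting_depth and classify names are the example's own, and it assumes Python's re.search is an adequate stand-in for the ACE regular-expression matcher.

```python
import ipaddress
import re
from dataclasses import dataclass, field

MAX_NESTING = 2  # the document restricts class-map nesting to two levels


@dataclass
class Request:
    """Constructed view of one client request: the fields a Layer 7 class map inspects."""
    url: str
    headers: dict
    client_ip: str


@dataclass
class Match:
    """One numbered match statement; kind is 'url', 'header', 'source-address' or 'class-map'."""
    kind: str
    args: tuple


@dataclass
class ClassMap:
    name: str
    match_type: str                 # "match-all" (the default) or "match-any"
    matches: list = field(default_factory=list)


def source_matches(ip_address: str, netmask: str, client_ip: str) -> bool:
    """match source-address ip_address [netmask]: a network test, /32 when no mask is given."""
    network = ipaddress.ip_network(f"{ip_address}/{netmask}", strict=False)
    return ipaddress.ip_address(client_ip) in network


def match_statement(m: Match, req: Request, maps: dict, depth: int) -> bool:
    """Evaluate a single match statement against the request."""
    if m.kind == "url":
        (expression,) = m.args
        return re.search(expression, req.url) is not None   # assumption: re.search semantics
    if m.kind == "header":
        name, expression = m.args
        value = req.headers.get(name)
        return value is not None and re.search(expression, value) is not None
    if m.kind == "source-address":
        ip_address, netmask = (m.args + ("255.255.255.255",))[:2]  # document's default mask
        return source_matches(ip_address, netmask, req.client_ip)
    if m.kind == "class-map":
        (name,) = m.args
        return evaluate(maps[name], req, maps, depth + 1)
    raise ValueError(f"unknown match kind {m.kind!r}")


def evaluate(cmap: ClassMap, req: Request, maps: dict, depth: int = 1) -> bool:
    """match-all is an implicit AND over the statements, match-any an implicit OR."""
    if depth > MAX_NESTING:
        raise ValueError(f"{cmap.name}: nested deeper than {MAX_NESTING} levels")
    results = [match_statement(m, req, maps, depth) for m in cmap.matches]
    return all(results) if cmap.match_type == "match-all" else any(results)


def nesting_depth(cmap: ClassMap, maps: dict) -> int:
    """1 for a flat class map, 2 when it nests another, and so on."""
    nested = [nesting_depth(maps[m.args[0]], maps)
              for m in cmap.matches if m.kind == "class-map"]
    return 1 + max(nested, default=0)


def nesting_allowed(cmap: ClassMap, maps: dict) -> bool:
    """Would the ACE's two-level limit accept this class map?"""
    return nesting_depth(cmap, maps) <= MAX_NESTING


# Model of the CLASS3 / CLASS4 configuration shown above.
CLASS3 = ClassMap("CLASS3", "match-any", [
    Match("url", (r".*.gif",)),                   # 100 match rtsp url .*.gif
    Match("header", ("Host", "XYZ")),             # 200 match rtsp header Host header-value XYZ
])
CLASS4 = ClassMap("CLASS4", "match-all", [
    Match("class-map", ("CLASS3",)),              # 10 match class-map CLASS3
    Match("source-address", ("192.168.11.2",)),   # 20 match source-address 192.168.11.2 (host only)
])
MAPS = {"CLASS3": CLASS3, "CLASS4": CLASS4}


def classify(url: str, host: str, client_ip: str, maps: dict = MAPS) -> bool:
    """Does a request with this URL, Host header and client address hit CLASS4?"""
    return evaluate(maps["CLASS4"], Request(url, {"Host": host}, client_ip), maps)


if __name__ == "__main__":
    for url, host, ip in [("/video/a.gif", "abc", "192.168.11.2"),
                          ("/video/a.mp4", "XYZ", "192.168.11.2"),
                          ("/video/a.gif", "XYZ", "192.168.11.3")]:
        print(url, host, ip, "->", classify(url, host, ip))
```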
Related Commands (config-cmap-sip-lb) description
(config-cmap-rtsp-lb) match rtsp header
To configure a class map to make RTSP SLB decisions based on the name and value of an RTSP header,
use the match rtsp header command. Use the no form of this command to remove an RTSP header
match statement from the RTSP load-balancing class map.
[line_number] match rtsp header name header-value expression
no [line_number] match rtsp header name header-value expression
Syntax Description line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate any priority for the match statements.
name Name of the field in the RTSP header. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. You can enter a text string with spaces if you enclose the entire string in quotation marks ("). You can enter any header field name, including a standard RTSP header field name or any user-defined header field name. Because RTSP is similar in syntax and operation to HTTP/1.1, you can use any HTTP header listed in Table 1-10 if the RTSP server supports it. For a complete list of RTSP headers, see RFC 2326.
expression Header value expression string to compare against the value in the specified field in the RTSP header. Enter a text string with a maximum of 255 alphanumeric characters. The ACE supports the use of regular expressions for header matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the entire string that contains spaces is quoted. If you use a match-all class map, all headers in the header map must be matched. For a list of the supported characters that you can use in regular expressions, see Table 1-9.
Command Modes Class map RTSP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines When the ACE receives an RTSP session request, the load-balancing decision is based on the first request message. All subsequent request and response message exchanges are forwarded to the same server. When you configure header match criteria, ensure that the header is included in the first request message by a media player.
The ACE can perform regular expression matching against the received packet data from a particular connection based on the RTSP header expression. You can configure a maximum of 10 RTSP header names per class map.
Examples To configure an RTSP class map to load balance based on an RTSP header named Session, enter:
host1/Admin(config)# class-map type rtsp loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-rtsp-lb)# 10 match rtsp header Session header-value abc123
To configure an RTSP class map to load balance based on an RTSP header named Via, enter:
host1/Admin(config)# class-map type rtsp loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-rtsp-lb)# 20 match rtsp header Via header-value 192.*
To remove the RTSP header match criteria from the L7SLBCLASS class map, enter:
host1/Admin(config-cmap-rtsp-lb)# no 10
host1/Admin(config-cmap-rtsp-lb)# no 20
Related Commands (config-cmap-sip-lb) description
(config-cmap-rtsp-lb) match rtsp url
To configure a class map to make RTSP SLB decisions based on the URL name and, optionally, the RTSP method, use the match rtsp url command. Use the no form of this command to remove an RTSP URL match statement from the RTSP load-balancing class map.
[line_number] match rtsp url expression [method name]
no [line_number] match rtsp url expression [method name]
Syntax Description line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate any priority for the match statements.
expression URL, or portion of a URL, to match. The ACE performs matching on whatever URL string appears after the RTSP method, regardless of whether the URL includes the hostname. The ACE supports the use of regular expressions for matching URL strings. For a list of the supported characters that you can use for regular expressions, see Table 1-9.
method name (Optional) Specifies the RTSP method to match. Enter a method name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The method can either be one of the standard RTSP method names (DESCRIBE, ANNOUNCE, GET_PARAMETER, OPTIONS, PAUSE, PLAY, RECORD, REDIRECT, SETUP, SET_PARAMETER, TEARDOWN) or a text string that must be matched exactly (for example, STINGRAY).
Command Modes Class map RTSP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines When matching URLs, the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
Examples To configure an RTSP class map to load balance based on a specific URL, enter:
host1/Admin(config)# class-map type rtsp loadbalance L7SLBCLASS
host1/Admin(config-cmap-rtsp-lb)# 10 match rtsp url /whatsnew/latest.*
To configure a URL match criterion that emulates a wildcard search to match on any .wav or .mpg file, enter:
host1/Admin(config)# class-map type rtsp loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-rtsp-lb)# 100 match rtsp url .*.wmv
host1/Admin(config-cmap-rtsp-lb)# 200 match rtsp url .*.mpg
To remove a URL match statement from the L7SLBCLASS class map, enter:
host1/Admin(config-cmap-rtsp-lb)# no 100
Related Commands (config-cmap-sip-lb) description
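The three points made in this section, that match-any is an implicit OR and match-all an implicit AND, that nesting one class map in another (CLASS3 inside CLASS4) is how the two are combined and is limited to two levels, and that an unescaped period in a URL expression is not a literal dot, can be seen together in the following added Python model. It is not Cisco ACE code: the request fields, the class-map contents and the assumption that an expression is applied to the whole URL string (consistent with the leading .* in the reference's own examples) are constructed for illustration.

```python
import ipaddress
import re

# Added example, not Cisco ACE code: a small model of how an RTSP
# load-balancing class map evaluates its match statements (match-any =
# implicit OR, match-all = implicit AND), how a class map nested in another
# combines the two, and why an unescaped "." in a URL expression matches
# more than a literal dot. Requests and class maps below are constructed.
#
# Assumption: an expression is applied to the whole URL string (full match);
# the reference's own examples start with ".*", which fits that reading.


def match_url(expression, url):
    """True if the URL expression matches the URL that follows the RTSP method."""
    return re.fullmatch(expression, url) is not None


def match_header(name, expression, headers):
    """True if the named header is present and its value matches the expression."""
    value = headers.get(name)
    return value is not None and re.fullmatch(expression, value) is not None


def match_source(ip_address, netmask, client_ip):
    """True if the client address lies inside ip_address/netmask (default is a /32)."""
    network = ipaddress.ip_network(f"{ip_address}/{netmask}", strict=False)
    return ipaddress.ip_address(client_ip) in network


class ClassMap:
    """mode is 'match-any' or 'match-all'; criteria is a list of (kind, value) tuples."""

    def __init__(self, name, mode, criteria):
        self.name = name
        self.mode = mode
        self.criteria = criteria


def evaluate(cmap, request, depth=0):
    """Evaluate a class map against a request dict with 'url', 'headers' and 'src'."""
    results = []
    for kind, value in cmap.criteria:
        if kind == "url":
            results.append(match_url(value, request["url"]))
        elif kind == "header":
            results.append(match_header(value[0], value[1], request["headers"]))
        elif kind == "source-address":
            results.append(match_source(value[0], value[1], request["src"]))
        elif kind == "class-map":
            # Two-level limit: a class map that is itself nested may not nest another.
            if depth >= 1:
                raise ValueError(f"{cmap.name}: nested class map inside a nested class map")
            results.append(evaluate(value, request, depth + 1))
        else:
            raise ValueError(f"unknown match kind {kind!r}")
    return any(results) if cmap.mode == "match-any" else all(results)


# CLASS3 and CLASS4 mirror the reference's combination example.
CLASS3 = ClassMap("CLASS3", "match-any", [
    ("url", ".*.gif"),
    ("header", ("Host", "XYZ")),
])
CLASS4 = ClassMap("CLASS4", "match-all", [
    ("class-map", CLASS3),
    ("source-address", ("192.168.11.2", "255.255.255.255")),
])


def classify(url, headers, src):
    """Does CLASS4 (source AND (URL OR Host header)) select this request?"""
    return evaluate(CLASS4, {"url": url, "headers": headers, "src": src})


if __name__ == "__main__":
    print(classify("/media/logo.gif", {}, "192.168.11.2"))
    print(classify("/media/logo.gif", {}, "10.0.0.5"))
    print(classify("/media/clip.mp4", {"Host": "XYZ"}, "192.168.11.2"))
    # The unescaped dot: ".*.gif" also accepts a URL with no dot before "gif".
    print(match_url(".*.gif", "/igif"), match_url(".*[.]gif", "/igif"))
```

The last line of the demo is the practical reason for the bracket or backslash escaping recommended in the usage guidelines: `.*.gif` selects `/igif` as well as `/logo.gif`, while `.*[.]gif` selects only the second.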
(config-cmap-rtsp-lb) match source-address
To configure the class map to make RTSP SLB decisions based on a client source IP address, use the
match source-address command. Use the no form of this command to remove the source IP address
match statement from the class map.
[line_number] match source-address ip_address [netmask]
no [line_number] match source-address ip_address [netmask]
Syntax Description line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
ip_address Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.2).
netmask (Optional) Subnet mask of the IP address. Enter the netmask in dotted-decimal notation (for example, 255.255.255.0). The default is 255.255.255.255.
Command Modes Class map RTSP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To specify that the class map match on source IP address 192.168.11.2 255.255.255.0, enter:
host1/Admin(config)# class-map type rtsp loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-rtsp-lb)# 50 match source-address 192.168.11.2 255.255.255.0
To remove the source IP address match statement from the class map, enter:
host1/Admin(config-cmap-rtsp-lb)# no 50
Related Commands (config-cmap-sip-lb) description
Class Map SIP Inspection Configuration Mode Commands
SIP inspection configuration mode commands allow you to create a Layer 7 SIP inspection class map. The ACE uses class maps to filter SIP traffic based on a variety of parameters, such as called party, calling party, and media type. To create this class map and access class map SIP inspection configuration mode, use the class-map type sip inspect command. The prompt changes to (config-cmap-sip-insp). Use the no form of this command to remove the SIP inspection class map from the ACE.
class-map type sip inspect [match-all | match-any] map_name
no class-map type sip inspect [match-all | match-any] map_name
Syntax Description match-all | match-any (Optional) Determines how the ACE performs the inspection of SIP traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:
• match-all—(Default) Network traffic needs to satisfy all of the match criteria (implicit AND) to match the Layer 7 SIP inspection class map. The match-all keyword is applicable only for match statements of different SIP inspection types. For example, specifying a match-all condition for SIP URI, SIP header, and SIP content statements in the same class map is valid. However, specifying a match-all condition for multiple SIP headers with the same names or multiple URLs in the same class map is invalid.
• match-any—Network traffic needs to satisfy only one of the match criteria (implicit OR) to match the Layer 7 SIP inspection class map. The match-any keyword is applicable only for match statements of the same Layer 7 SIP inspection type. For example, the ACE allows you to specify a match-any condition for SIP URI, SIP header, and SIP content statements in the same class map and allows you to specify a match-any condition for multiple URLs, multiple SIP headers, or multiple SIP content statements in the same class map as long as the statements are logical. For example, you could not have two match uri sip length statements in the same class map, but you could have one match uri sip length and one match uri tel length statement in one class map.
map_name Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines To classify the SIP application inspection of traffic for evaluation by the ACE, include one or more of the following commands to configure the match criteria for the Layer 7 class map:
• (config-cmap-sip-insp) match called-party
• (config-cmap-sip-insp) match calling-party
• (config-cmap-sip-insp) match content
• (config-cmap-sip-insp) match im-subscriber
• (config-cmap-sip-insp) match message-path
• (config-cmap-sip-insp) match request-method
• (config-cmap-sip-insp) match third-party registration
• (config-cmap-sip-insp) match uri
You may include multiple match commands in the class map.
Examples To specify SIP_INSPECT_L7CLASS as the name of a class map and identify that all commands in the Layer 7 SIP application inspection class map must be satisfied for the ACE to indicate a match, enter:
(config)# class-map type sip inspect match-all SIP_INSPECT_L7CLASS
host1/Admin(config-cmap-sip-insp)# match calling-id .*ABC123
host1/Admin(config-cmap-sip-insp)# match im-subscriber JOHN_Q_PUBLIC
host1/Admin(config-cmap-sip-insp)# match content type sdp
To remove the SIP inspection class map from the ACE, enter:
(config)# no class-map type sip inspect match-any SIP_INSPECT_L7CLASS
Related Commands (config) policy-map
(config-cmap-sip-insp) description
(config-cmap-sip-insp) description
To provide a brief summary about the Layer 7 SIP inspection class map, use the description command. Use the no form of this command to remove the description from the class map.
description text
no description
Syntax Description text Description about the class map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Class map SIP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description to the SIP inspection class map, enter:
host1/Admin(config-cmap-sip-insp)# description SIP inspection class map
To remove the description from the class map, enter:
host1/Admin(config-cmap-sip-insp)# no description
Related Commands This command has no related commands.
(config-cmap-sip-insp) match called-party
To filter SIP traffic based on the called party, use the match called-party command. Use the no form of this command to remove the match statement from the class map.
[line_number] match called-party expression
no [line_number] match called-party expression
Syntax Description [line_number] (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
expression Called party in the URI of the SIP To header. Enter a regular expression from 1 to 255 alphanumeric characters.
Command Modes Class map SIP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You can filter SIP traffic based on the called party (callee or destination) as specified in the URI of the SIP To header. The ACE does not include the display name or tag part of the field.
The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. Table 1-9 lists the supported characters that you can use in regular expressions.
Examples To identify the called party in the SIP To header, enter:
host1/Admin(config-cmap-sip-insp)# match called-party sip:some-user@somenetwork.com
To remove the match statement from the class map, enter:
host1/Admin(config-cmap-sip-insp)# no match called-party sip:some-user@somenetwork.com
Related Commands (config-cmap-sip-insp) match calling-party
(config-cmap-sip-insp) match content
(config-cmap-sip-insp) match im-subscriber
(config-cmap-sip-insp) match message-path
(config-cmap-sip-insp) match request-method
(config-cmap-sip-insp) match third-party registration
(config-cmap-sip-insp) match uri
(config-cmap-sip-insp) match calling-party
To filter SIP traffic based on the calling party, use the match calling-party command. Use the no form of this command to remove the match statement from the class map.
[line_number] match calling-party expression
no [line_number] match calling-party expression
Syntax Description [line_number] (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
expression Calling party in the URI of the SIP From header. Enter a regular expression from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching.
Command Modes Class map SIP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You can filter SIP traffic based on the calling party (caller or source) as specified in the URI of the SIP From header. The ACE does not include the display name or tag part of the field.
The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. See Table 1-9 for a list of the supported characters that you can use in regular expressions.
Examples To identify the calling party in the SIP From header, enter:
host1/Admin(config-cmap-sip-insp)# match calling-party sip:this-user@thisnetwork.com;tag=745g8
To remove the match statement from the class map, enter:
host1/Admin(config-cmap-sip-insp)# no match calling-party sip:this-user@thisnetwork.com;tag=745g8
Related Commands (config-cmap-sip-insp) match called-party
(config-cmap-sip-insp) match content
(config-cmap-sip-insp) match im-subscriber
(config-cmap-sip-insp) match message-path
(config-cmap-sip-insp) match request-method
(config-cmap-sip-insp) match third-party registration
(config-cmap-sip-insp) match uri
(config-cmap-sip-insp) match content
To define SIP content checks, use the match content command. Use the no form of this command to
remove the match statement from the class map.
[line_number] match content {length gt number} | {type sdp | expression}
no [line_number] match content {length gt number} | {type sdp | expression}
Syntax Description [line_number] (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
length Specifies the SIP message body length.
gt Greater than operator.
number Maximum size of a SIP message body that the ACE allows. Enter an integer from 0 to 65534 bytes. If the message body is greater than the configured value, the ACE performs the action that you configure in the policy map.
type Specifies a content type check.
sdp Specifies that the traffic must be of type Session Description Protocol (SDP) to match the class map.
expression Regular expression that identifies the content type in the SIP message body that is required to match the class map. Enter a regular expression from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching. See Table 1-9 for a list of the supported characters that you can use in regular expressions.
Command Modes Class map SIP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You can configure the ACE to perform SIP content checks based on the content length or content type.
By default, the ACE allows all content types.
Examples To configure the ACE to drop SIP packets that have content with a length greater than 4000 bytes, enter:
host1/Admin(config)# class-map type sip inspect match-all SIP_INSP_CLASS
host1/Admin(config-cmap-sip-insp)# match content length gt 200
host1/Admin(config)# policy-map type sip inspect all-match SIP_INSP_POLICY
host1/Admin(config-pmap-ins-sip)# class SIP_INSP_CLASS
host1/Admin(config-pmap-ins-sip-c)# deny
To remove the match statement from the class map, enter:
host1/Admin(config-cmap-sip-insp)# no match content length gt 200
Related Commands (config-cmap-sip-insp) match called-party
(config-cmap-sip-insp) match calling-party
(config-cmap-sip-insp) match im-subscriber
(config-cmap-sip-insp) match message-path
(config-cmap-sip-insp) match request-method
(config-cmap-sip-insp) match third-party registration
(config-cmap-sip-insp) match uri
(config-cmap-sip-insp) match im-subscriber
To filter SIP traffic based on the Instant Messaging (IM) subscriber, use the match im-subscriber command. Use the no form of this command to remove the match statement from the class map.
[line_number] match im-subscriber expression
no [line_number] match im-subscriber expression
Syntax Description [line_number] (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
expression IM subscriber. Enter a regular expression from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching.
Command Modes Class map SIP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. See Table 1-9 for a list of the supported characters that you can use in regular expressions.
Examples To filter SIP traffic based on the IM subscriber, John Q. Public, enter:
host1/Admin(config-cmap-sip-insp)# match im-subscriber John_Q_Public
To remove the match statement from the class map, enter:
host1/Admin(config-cmap-sip-insp)# no match im-subscriber John_Q_Public
Related Commands (config-cmap-sip-insp) match called-party
(config-cmap-sip-insp) match calling-party
(config-cmap-sip-insp) match content
(config-cmap-sip-insp) match message-path
(config-cmap-sip-insp) match request-method
(config-cmap-sip-insp) match third-party registration
(config-cmap-sip-insp) match uri
(config-cmap-sip-insp) match message-path
To filter SIP traffic based on the message path, use the match message-path command. Use the no form of this command to remove the match statement from the class map.
[line_number] match message-path expression
no [line_number] match message-path expression
Syntax Description [line_number] (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
expression SIP proxy server. Enter a regular expression from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching.
Command Modes Class map SIP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines SIP inspection allows you to filter messages coming from or transiting through certain SIP proxy servers. The ACE maintains a list of unauthorized SIP proxy IP addresses or URIs in the form of regular expressions and then checks this list against the VIA header field in each SIP packet. The default action is to drop SIP packets with VIA fields that match the regex list.
The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. See Table 1-9 for a list of the supported characters that you can use in regular expressions.
Examples To filter SIP traffic based on the message path 192.168.12.3:5060, enter:
host1/Admin(config-cmap-sip-insp)# match message-path 192.168.12.3:5060
To remove the match statement from the class map, enter:
host1/Admin(config-cmap-sip-insp)# no match message-path 192.168.12.3:5060
Related Commands (config-cmap-sip-insp) match called-party
(config-cmap-sip-insp) match calling-party
(config-cmap-sip-insp) match content
(config-cmap-sip-insp) match im-subscriber
(config-cmap-sip-insp) match request-method
(config-cmap-sip-insp) match third-party registration
(config-cmap-sip-insp) match uri
(config-cmap-sip-insp) match request-method
To filter SIP traffic based on the request method, use the match request-method command. Use the no form of this command to remove the match statement from the class map.
[line_number] match request-method method_name
no [line_number] match request-method method_name
Syntax Description [line_number] (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
method_name Supported SIP method that uses one of the following keywords:
• ack
• bye
• cancel
• info
• invite
• message
• notify
• options
• prack
• refer
• register
• subscribe
• unknown
• update
Use the unknown keyword to permit or deny unknown or unsupported SIP methods.
Command Modes Class map SIP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To filter SIP traffic based on the INVITE request method, enter:
host1/Admin(config-cmap-sip-insp)# match request-method invite
To remove the match statement from the class map, enter:
host1/Admin(config-cmap-sip-insp)# no match request-method invite
Related Commands (config-cmap-sip-insp) match called-party
(config-cmap-sip-insp) match calling-party
(config-cmap-sip-insp) match content
(config-cmap-sip-insp) match im-subscriber
(config-cmap-sip-insp) match message-path
(config-cmap-sip-insp) match third-party registration
(config-cmap-sip-insp) match uri
(config-cmap-sip-insp) match third-party registration
To filter SIP traffic based on third-party registrations or deregistrations, use the match third-party-registration command. Use the no form of this command to remove the match statement from the class map.
[line_number] match third-party registration expression
no [line_number] match third-party registration expression
Syntax Description [line_number] (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate a priority for the match statements.
expression Privileged user that is authorized for third-party registrations. Enter a regular expression from 1 to 255 alphanumeric characters.
Command Modes Class map SIP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines SIP allows users to register other users on their behalf by sending REGISTER messages with different values in the From and To header fields. This process may pose a security threat if the REGISTER message is actually a DEREGISTER message. A malicious user could cause a Denial of Service (DoS) attack by deregistering all users on their behalf.
To prevent this security threat, the ACE administrator can specify a list of privileged users who can register or unregister someone else on their behalf. The ACE maintains the list as a regex table. If you configure this policy, the ACE drops REGISTER messages with mismatched From and To headers and a From header value that does not match any of the privileged user IDs.
The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. See Table 1-9 for a list of the supported characters that you can use in regular expressions.
Examples To filter SIP traffic based on SIP registrations or deregistrations, enter:
host1/Admin(config-cmap-sip-insp)# match third-party-registration USER1
To remove the match statement from the class map, enter:
host1/Admin(config-cmap-sip-insp)# no match third-party-registration USER1
Related Commands (config-cmap-sip-insp) match called-party
(config-cmap-sip-insp) match calling-party
(config-cmap-sip-insp) match content
(config-cmap-sip-insp) match im-subscriber
(config-cmap-sip-insp) match message-path
(config-cmap-sip-insp) match request-method
(config-cmap-sip-insp) match uri
(config-cmap-sip-insp) match uri
To filter SIP traffic based on URIs, use the match uri command. Use the no form of this command to
remove the match statement from the class map.
[line_number] match uri {sip | tel} length gt value
no [line_number] match uri {sip | tel} length gt value
Syntax Description
[line_number] (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The
line numbers do not indicate a priority for the match statements.
sip Specifies that the ACE validates the length of a SIP URI.
tel Specifies that the ACE validates the length of a Tel URI.
length Specifies the length of the SIP or Tel URI.
gt Specifies the greater than operator.
value Maximum value for the length of the SIP URI or Tel URI in bytes. Enter an integer from 0 to 254
bytes. The match applies to URIs longer than this value.
Command Modes Class map SIP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You can configure the ACE to validate the length of SIP URIs or Tel URIs. A SIP URI is a user identifier
that a calling party (source) uses to contact the called party (destination). A Tel URI is a telephone
number that identifies the endpoint of a SIP connection. For more information about SIP URIs and Tel
URIs, see RFC 3261 and RFC 3966, respectively.
Examples To instruct the ACE to filter traffic based on SIP URIs, enter:
host1/Admin(config-cmap-sip-insp)# match uri sip length gt 100
To remove the match statement from the class map, enter:
host1/Admin(config-cmap-sip-insp)# no match uri sip length gt 100
Related Commands (config-cmap-sip-insp) match called-party
(config-cmap-sip-insp) match calling-party
(config-cmap-sip-insp) match content
(config-cmap-sip-insp) match im-subscriber
(config-cmap-sip-insp) match message-path
(config-cmap-sip-insp) match request-method
(config-cmap-sip-insp) match third-party-registration
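The two inspection rules above, match third-party-registration and match uri sip length gt, expressed as a small Python inspector. This is an added example and not code from the Cisco reference or from the ACE itself: the SIP messages are constructed for the example, the privileged user ID sip:pbxadmin@example.com is hypothetical, and it assumes that the privileged-user expression is matched against the whole From URI and that the URI length check applies to the Request-URI. It also shows why the third-party case matters: a REGISTER carrying Contact: * and Expires: 0 removes every binding of the To user (RFC 3261, section 10.2.2), so a mismatched From/To on such a message is exactly the deregistration DoS the text describes.

```python
import re

# Constructed sample SIP messages for this example (not taken from the Cisco page).
REGISTER_SELF = (
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "Contact: <sip:alice@192.0.2.10>\r\n"
    "Expires: 3600\r\n\r\n"
)

# Third-party deregistration: From is not the user named in To, and
# "Contact: *" with "Expires: 0" clears all of that user's bindings (RFC 3261, 10.2.2).
REGISTER_THIRD_PARTY = (
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK777\r\n"
    'From: "Mallory" <sip:mallory@example.com>;tag=42\r\n'
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: deadbeef@203.0.113.5\r\n"
    "Contact: *\r\n"
    "Expires: 0\r\n\r\n"
)

# The same deregistration sent by a privileged PBX account (hypothetical user ID).
REGISTER_BY_ADMIN = REGISTER_THIRD_PARTY.replace(
    '"Mallory" <sip:mallory@example.com>', "<sip:pbxadmin@example.com>"
)

INVITE_LONG_URI = (
    "INVITE sip:" + "a" * 120 + "@example.com SIP/2.0\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:carol@example.com>\r\n"
    "Call-ID: 1234@192.0.2.10\r\n\r\n"
)

# Privileged user IDs as a regex table (assumption: matched against the whole From URI).
PRIVILEGED = [r"sip:pbxadmin@example\.com"]


def parse_sip(raw):
    """Return (method, request_uri, headers) with header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, request_uri, headers


def address_uri(header_value):
    """Strip display name, angle brackets and ;tag= parameters from a From/To value."""
    m = re.search(r"<([^>]+)>", header_value)
    return m.group(1).strip() if m else header_value.split(";")[0].strip()


def is_deregistration(headers):
    """True for the wildcard-Contact, zero-Expires form that removes all bindings."""
    return headers.get("contact") == "*" and headers.get("expires") == "0"


def third_party_registration_drop(method, headers, privileged):
    """Drop rule: REGISTER whose From and To differ and whose From matches no privileged ID."""
    if method != "REGISTER":
        return False
    sender = address_uri(headers.get("from", ""))
    subject = address_uri(headers.get("to", ""))
    if sender == subject:
        return False
    return not any(re.fullmatch(pattern, sender) for pattern in privileged)


def uri_length_drop(request_uri, scheme, limit):
    """match uri {sip|tel} length gt <limit>: Request-URI of that scheme longer than limit bytes."""
    if not request_uri.lower().startswith(scheme + ":"):
        return False
    return len(request_uri.encode()) > limit


def inspect(raw, privileged=PRIVILEGED, sip_uri_limit=100):
    """Return the names of the inspection rules the message violates (empty list = pass)."""
    method, request_uri, headers = parse_sip(raw)
    violations = []
    if third_party_registration_drop(method, headers, privileged):
        violations.append("third-party-registration")
    if uri_length_drop(request_uri, "sip", sip_uri_limit):
        violations.append("uri-length")
    return violations


if __name__ == "__main__":
    for label, msg in [("self", REGISTER_SELF), ("third-party", REGISTER_THIRD_PARTY),
                       ("admin", REGISTER_BY_ADMIN), ("long-uri", INVITE_LONG_URI)]:
        print(label, inspect(msg) or "pass")
```

Note that the user's own re-registration (From equal to To) passes regardless of the privileged list, the attacker's deregistration of bob is dropped, and the identical message from the privileged account is allowed; the ACE's regex semantics for the expression are not documented here, so an anchored match is the conservative assumption.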
Class Map SIP Load Balancing Configuration Mode Commands
Class map SIP load balancing configuration mode commands allow you to create a Layer 7 SIP server
load-balancing class map. To create a SIP load-balancing class map and access class map SIP load
balancing configuration mode, use the class-map type sip loadbalance command. The prompt changes
to (config-cmap-sip-lb). Use the no form of this command to remove a SIP load-balancing class map
from the configuration.
class-map type sip loadbalance [match-all | match-any] map_name
no class-map type sip loadbalance [match-all | match-any] map_name
Syntax Description
match-all | match-any (Optional) Determines how the ACE evaluates SIP network traffic when
multiple match criteria exist in a class map.
• match-all—(Default) Network traffic needs to satisfy all of the match criteria (implicit AND) to
match the SIP load-balancing class map.
• match-any—Network traffic needs to satisfy only one of the match criteria (implicit OR) to match
the SIP load-balancing class map.
map_name Unique identifier assigned to the SIP load-balancing class map. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To create a class map named SIP_L7_CLASS, enter:
host1/Admin(config)# class-map type sip loadbalance match-any SIP_L7_CLASS
host1/Admin(config-cmap-sip-lb)#
To remove the SIP load-balancing class map from the configuration, enter:
host1/Admin(config)# no class-map type sip loadbalance match-any SIP_L7_CLASS
Related Commands (config) class-map
(config-cmap-sip-lb) description
(config-cmap-sip-lb) description
To provide a brief description of the SIP load-balancing class map, use the description command. Use
the no form of this command to remove the description from the class map.
description text
no description
Syntax Description
text Description of the class map. Enter an unquoted text string with a maximum of 240 alphanumeric
characters.
Command Modes Class map SIP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the SIP load-balancing class map, enter:
host1/Admin(config)# class-map type sip loadbalance match-any SIP_L7_CLASS
host1/Admin(config-cmap-sip-lb)# description SIP CLASS MAP
To remove the description from a SIP load-balancing class map, enter:
host1/Admin(config-cmap-sip-lb)# no description
Related Commands This command has no related commands.
(config-cmap-sip-lb) match class-map
The nesting of class maps allows you to achieve complex logical expressions for Layer 7 server load
balancing. To identify one SIP load-balancing class map as a matching criterion for another SIP
load-balancing class map, use the match class-map command. Use the no form of this command to
remove the nested class map from a SIP load-balancing class map.
[line_number] match class-map name
no [line_number] match class-map name
Syntax Description
line_number (Optional) Line number that allows you to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The
line numbers do not indicate any priority for the match statements.
name Name of an existing SIP load-balancing class map.
Command Modes Class map SIP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The match class-map command allows you to combine the use of the match-any and match-all
keywords in the same class map. To combine match-all and match-any characteristics in a class map,
create a class map that uses one match type (either match-any or match-all) and then use this class
map as a match statement in a second class map that uses the other match type.
The ACE restricts the nesting of class maps to two levels: a class map that already contains a nested
class map cannot itself be nested under another class map.
Examples To combine the characteristics of two class maps, one with match-any and one with match-all
characteristics, into a single class map, enter:
host1/Admin(config)# class-map type sip loadbalance match-any CLASS3
host1/Admin(config-cmap-sip-lb)# 200 match sip header Host header-value XYZ
host1/Admin(config-cmap-sip-lb)# exit
host1/Admin(config)# class-map type sip loadbalance match-all CLASS4
host1/Admin(config-cmap-sip-lb)# 10 match class-map CLASS3
host1/Admin(config-cmap-sip-lb)# 20 match source-address 192.168.11.2
host1/Admin(config-cmap-sip-lb)# exit
To remove the nested class map from the SIP class map, enter:
host1/Admin(config)# class-map type sip loadbalance match-all CLASS4
host1/Admin(config-cmap-sip-lb)# no 10
Related Commands (config-cmap-sip-lb) description
(config-cmap-sip-lb) match sip header
To configure a class map to make SIP SLB decisions based on the name and value of a SIP header, use
the match sip header command. Use the no form of this command to remove a SIP header match
statement from the SIP load-balancing class map.
[line_number] match sip header name header-value expression
no [line_number] match sip header name header-value expression
Syntax Description
line_number (Optional) Line number that you can use to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The
line numbers do not indicate any priority for the match statements.
name Name of the field in the SIP header. Enter an unquoted text string with no spaces and a
maximum of 64 alphanumeric characters. You can enter a text string with spaces provided that you
enclose the entire string in quotation marks (“ ”). You can enter any header field name, including a
standard SIP header field name or any user-defined header field name. For a list of standard SIP
header field names, see Table 1-11. Because SIP is similar to HTTP/1.1, you can use any HTTP header
listed in Table 1-10 if the SIP server supports it. For a complete list of SIP headers, see RFC 3261.
header-value expression Header value expression string to compare against the value in the specified
field in the SIP header. Enter a text string with a maximum of 255 alphanumeric characters. The ACE
supports the use of regular expressions for header matching. Expressions are stored in a header map
in the form header-name: expression. Header expressions allow spaces if the entire string that
contains spaces is quoted. If you use a match-all class map, all headers in the header map must be
matched. For a list of the supported characters that you can use in regular expressions, see Table 1-9.
Command Modes Class map SIP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The ACE can perform regular expression matching against the received packet data from a particular
connection based on the SIP header expression. You can configure a maximum of nine SIP header field
names per class map (the ACE always parses Call-ID).
When the ACE receives a SIP session request, the load-balancing decision is based on the first request
message. All subsequent request and response message exchanges (with the same Call-ID) are forwarded
to the same server. For this reason, when you configure header match criteria, ensure that the header is
included in the first request message.
Table 1-11 lists the standard SIP header fields.
Table 1-11 Standard SIP Header Fields
Field Name Description
Call-ID Unique identifier that groups together a series of messages in a call.
Contact SIP URI that can be used to contact the user agent.
From Initiator of the SIP request, the source.
To Desired recipient of the SIP request, the destination.
Via Transport used for the transaction and where the response should be sent.
Examples To configure a SIP load-balancing class map to load balance based on a SIP header named Session, enter:
host1/Admin(config)# class-map type sip loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-sip-lb)# 10 match sip header Session header-value abc123
To configure a SIP load-balancing class map to load balance based on a SIP header named Via, enter:
host1/Admin(config)# class-map type sip loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-sip-lb)# 20 match sip header Via header-value 192.*
To configure a SIP load-balancing class map to emulate a wildcard search to match the header value
expression string, enter:
host1/Admin(config)# class-map type sip loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-sip-lb)# 30 match sip header To header-value .*@cisco.com
host1/Admin(config-cmap-sip-lb)# 40 match sip header To header-value .*@linksys.com
To remove SIP header match criteria from the L7SLBCLASS class map, enter:
host1/Admin(config-cmap-sip-lb)# no 10
host1/Admin(config-cmap-sip-lb)# no 20
Related Commands (config-cmap-sip-lb) description
(config-cmap-sip-lb) match source-address
To configure the class map to make SIP SLB decisions based on a client source IP address, use the match
source-address command. Use the no form of this command to remove the source IP address match
statement from the class map.
[line_number] match source-address ip_address [netmask]
no [line_number] match source-address ip_address [netmask]
Syntax Description
line_number (Optional) Line number that you can use to edit or delete individual match commands.
• For the ACE module, enter an integer from 1 to 1024 as the line number.
• For the ACE appliance, enter an integer from 2 to 1024 as the line number.
You can enter no line_number to delete long match commands instead of entering the entire line. The
line numbers do not indicate any priority for the match statements.
ip_address Source IP address of the client. Enter the IP address in dotted-decimal notation (for
example, 192.168.11.2).
netmask (Optional) Subnet mask of the IP address. Enter the netmask in dotted-decimal notation (for
example, 255.255.255.0). The default is 255.255.255.255.
Command Modes Class map SIP load balancing configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To specify that the SIP load-balancing class map match on source IP address 192.168.11.2
255.255.255.0, enter:
host1/Admin(config)# class-map type sip loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-sip-lb)# 50 match source-address 192.168.11.2 255.255.255.0
To remove the source IP address match statement from the class map, enter:
host1/Admin(config-cmap-sip-lb)# no 50
Related Commands (config-cmap-sip-lb) description
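The evaluation semantics described for the SIP load-balancing class map commands above (match-all versus match-any, match sip header with a regular expression, match source-address with the default host mask, match class-map nesting limited to two levels, and no line_number to drop one statement) as an added Python model. This is example code, not the ACE implementation or anything from the Cisco reference: it rebuilds the CLASS3/CLASS4 and L7SLBCLASS configurations shown in the examples, the request dictionaries are constructed, and it assumes that a header-value expression is anchored to the whole header value (which is why the page writes .*@cisco.com to emulate a wildcard).

```python
import ipaddress
import re


class HeaderMatch:
    """match sip header <name> header-value <expression>.
    Assumption: the regex is anchored to the whole header value."""

    def __init__(self, name, expression):
        self.name = name.lower()
        self.regex = re.compile(expression)

    def matches(self, request):
        value = request["headers"].get(self.name)
        return value is not None and self.regex.fullmatch(value) is not None


class SourceAddressMatch:
    """match source-address <ip> [netmask]; the default netmask is a /32 host match."""

    def __init__(self, ip, netmask="255.255.255.255"):
        self.network = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)

    def matches(self, request):
        return ipaddress.ip_address(request["source"]) in self.network


class ClassMapMatch:
    """match class-map <name>; resolved by the Registry when evaluated."""

    def __init__(self, name):
        self.name = name


class ClassMap:
    def __init__(self, name, match_all=True):
        self.name = name
        self.match_all = match_all   # match-all is the default
        self.entries = {}            # line_number -> criterion; line numbers carry no priority

    def match(self, line_number, criterion):
        self.entries[line_number] = criterion
        return self

    def no(self, line_number):
        """'no <line_number>' removes one match statement without retyping it."""
        del self.entries[line_number]
        return self


class Registry:
    def __init__(self):
        self.maps = {}

    def add(self, cmap):
        self.maps[cmap.name] = cmap
        return cmap

    def can_nest(self, outer, inner_name):
        """Two-level limit: the inner map must not nest anything, and the outer map
        must not already be nested inside another map."""
        inner = self.maps[inner_name]
        if any(isinstance(c, ClassMapMatch) for c in inner.entries.values()):
            return False
        return not any(isinstance(c, ClassMapMatch) and c.name == outer.name
                       for m in self.maps.values() for c in m.entries.values())

    def nest(self, outer, line_number, inner_name):
        if not self.can_nest(outer, inner_name):
            raise ValueError(f"cannot nest {inner_name} under {outer.name}: two-level limit")
        outer.match(line_number, ClassMapMatch(inner_name))

    def evaluate(self, name, request):
        """Implicit AND for match-all, implicit OR for match-any; nested maps recurse."""
        cmap = self.maps[name]
        results = [self.evaluate(c.name, request) if isinstance(c, ClassMapMatch)
                   else c.matches(request) for c in cmap.entries.values()]
        if not results:
            return False
        return all(results) if cmap.match_all else any(results)


def build_example_registry():
    """Rebuild the CLASS3/CLASS4 and L7SLBCLASS configurations shown on the page."""
    reg = Registry()
    reg.add(ClassMap("CLASS3", match_all=False)).match(200, HeaderMatch("Host", "XYZ"))
    class4 = reg.add(ClassMap("CLASS4", match_all=True))
    reg.nest(class4, 10, "CLASS3")
    class4.match(20, SourceAddressMatch("192.168.11.2"))
    slb = reg.add(ClassMap("L7SLBCLASS", match_all=False))
    slb.match(30, HeaderMatch("To", r".*@cisco.com"))
    slb.match(40, HeaderMatch("To", r".*@linksys.com"))
    return reg


def sample_request(source, host="XYZ", to="sip:bob@cisco.com"):
    """Constructed first request of a SIP session, header names lowercased as a parser
    would deliver them; Call-ID is what pins the later messages to the chosen server."""
    return {"source": source,
            "headers": {"host": host, "to": to, "call-id": "a84b4c76@192.0.2.10"}}


if __name__ == "__main__":
    reg = build_example_registry()
    print("CLASS4:", reg.evaluate("CLASS4", sample_request("192.168.11.2")))
    print("L7SLBCLASS:", reg.evaluate("L7SLBCLASS", sample_request("10.0.0.1")))
```

Because the decision is made on the first request only, a header that appears in later messages of the same Call-ID has no effect on the server chosen, which the model reflects by evaluating a single request dictionary.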
Console Configuration Mode Commands
(ACE module only) Console configuration mode commands allow you to configure the console interface
settings. To access console configuration mode, use the line console command in configuration mode.
The CLI prompt changes to (config-console). For information about the commands in console
configuration mode, see the commands in this section.
Use the no form of the line console command to reset the console configuration mode parameters to their
default settings.
line console
no line console
Syntax Description There are no keywords or arguments for this command.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines All commands in this mode require the Admin user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The console port is an asynchronous serial port on the Catalyst 6500 series switch that enables the ACE
to be set up for initial configuration through a standard RS-232 port with an RJ-45 connector. Any device
connected to this port must be capable of asynchronous transmission. Connection to a terminal requires
a terminal emulator to be configured at 9600 baud, 8 data bits, 1 stop bit, and no parity.
Examples To enter console configuration mode, enter:
host1/Admin(config)# line console
host1/Admin(config-console)#
Related Commands clear line
show line
(config-console) databits
(ACE module only) To specify the number of data bits per character, use the databits command. Use the
no form of this command to revert to the default setting of 8 data bits.
databits number
no databits number
Syntax Description
number Number of data bits per character. Enter an integer from 5 to 8. The default is 8 data bits.
Command Modes Console configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To set the number of data bits per character to 6, enter:
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# line console
host1/Admin(config-console)# databits 6
Related Commands clear line
show line
(config) line console
(config-console) parity
(ACE module only) To set the parity for the console connection, use the parity command. Use the no
form of this command to revert to the default setting of none.
parity {even | odd | none}
no parity {even | odd | none}
Syntax Description
even Sets the parity for the console connection to even.
odd Sets the parity for the console connection to odd.
none Sets the parity for the console connection to none. This is the default setting.
Command Modes Console configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To set the parity for the console connection to even, enter:
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# line console
host1/Admin(config-console)# parity even
Related Commands clear line
show line
(config) line console
(config-console) speed
(ACE module only) To set the transmit and receive speeds for the serial console, use the speed command.
Use the no form of this command to revert to the default setting of 9600 baud.
speed baud_rate
no speed baud_rate
Syntax Description
baud_rate Transmit and receive speeds. Enter one of the following values in baud: 110, 150, 300, 600,
1200, 2400, 4800, 9600, 19200, 28800, 38400, 57600, or 115200. The default is 9600 baud.
Command Modes Console configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To set the transmit and receive speeds for the serial console to 19,200 baud, enter:
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# line console
host1/Admin(config-console)# speed 19200
Related Commands clear line
show line
(config) line console
(config-console) stopbits
(ACE module only) To set the number of stop bits for the console connection, use the stopbits command.
Use the no form of this command to revert to the default setting of 1 stop bit.
stopbits {1 | 2}
no stopbits {1 | 2}
Syntax Description
1 Sets the number of stop bits to 1. The default is 1 stop bit.
2 Sets the number of stop bits to 2.
Command Modes Console configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To set the number of stop bits to 2, enter:
host1/Admin(config)# line console
host1/Admin(config-console)# stopbits 2
Related Commands clear line
show line
(config) line console
Context Configuration Mode Commands
Context configuration mode commands allow you to configure attributes of virtual contexts. Each
context that you create behaves like an independent device with its own policies, interfaces, domains,
server farms, real servers, and administrators.
Each context, including the Admin context, has its own configuration file and local user database that
are stored in the local disk partition in flash memory or that can be downloaded from an FTP, TFTP, or
HTTP(S) server. The startup-config for each context is stored as the startup configuration file in flash
memory.
In the Admin context, use the changeto command in Exec mode or the do changeto command in any
configuration mode to move between contexts. Only users authenticated in the Admin context can use
the changeto command. Other users that are authorized for more than one context must explicitly log in
to each context.
To create a context and access context configuration mode, use the context command in configuration
mode. The CLI prompt changes to (config-context). For information about the commands in context
configuration mode, see the commands in this section.
Use the no form of this command to remove a context from the configuration.
context name
no context name
Syntax Description
name Unique identifier of a virtual context. Enter an unquoted text string with no spaces and a
maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines All commands in this mode require the Admin user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To create a context named C1 and access context configuration mode, enter:
host1/Admin(config)# context C1
host1/Admin(config-context)#
To delete the C1 context, enter:
host1/Admin(config)# no context C1
Related Commands show context
show running-config
(config-context) allocate-interface
To assign one or more VLAN interfaces to the context, use the allocate-interface command. Use the no
form of this command to remove the VLAN from the context configuration.
allocate-interface vlan number_id
no allocate-interface vlan number_id
Syntax Description
vlan number_id Identifies the VLAN to assign to the user context. For the number_id argument, enter
the number of an existing VLAN that you want to assign to the context as an integer from 2 to 4094.
Command Modes Context configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines After you allocate the interface to a user context, you can configure the interface in that context.
When a VLAN is shared in multiple contexts, the interfaces must be on the same subnet. However, the
interfaces that share the VLANs will have different MAC addresses. These different MAC addresses on
the same VLAN classify traffic on multiple contexts. No routing can occur across contexts even if you
configure shared VLANs.
The ACE allows you to configure one or more VLAN interfaces in any user context before you assign
those VLAN interfaces to the associated user contexts through the allocate-interface vlan command in
the Admin context. For more information about assigning interfaces to the ACE, see the Routing and
Bridging Guide, Cisco ACE Application Control Engine.
You cannot deallocate a VLAN from a user context if the VLAN is currently in use on that context.
Examples To allocate the VLAN interface identified as 100 to the currently active context, enter:
host1/Admin(config-context)# allocate-interface vlan 100
Related Commands show context
(config) interface
(ACE module only) (config) hw-module
(config-context) description
To enter a description for a user context, use the description command. Use the no form of this
command to remove the context description from the configuration.
description text
no description
Syntax Description
text Description for the user context. Enter a description as an unquoted text string with a maximum
of 240 characters.
Command Modes Context configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To provide a description of a user context, enter:
host1/Admin(config-context)# description context for accounting users
Related Commands show context
(config-context) member
To associate a context with a resource class, use the member command. Use the no form of this
command to remove a context from a resource class.
member class
no member class
Syntax Description
class Name of an existing resource class. Enter the class name as an unquoted text string with a
maximum of 64 alphanumeric characters.
Command Modes Context configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You can associate a context with only one resource class. If you do not explicitly associate a context with
a resource class, the ACE associates the context with the default resource class.
Examples To disassociate a context from a resource class, enter:
host1/Admin(config-context)# no member RC1
Related Commands show context
(config) resource-class
CSR Parameters Configuration Mode Commands
CSR parameters configuration mode commands allow you to define the distinguished name attributes
for a Certificate Signing Request (CSR) parameter set. The ACE applies the CSR parameter set attributes
during the CSR-generating process. The distinguished name attributes provide the Certificate Authority
(CA) with the information that it needs to authenticate your site. The CA then applies the information
that you provide in the CSR parameter set to your Secure Sockets Layer (SSL) certificate. Creating a
CSR parameter set allows you to generate multiple CSRs with the same distinguished name attributes.
To create a new CSR parameter set (or modify an existing CSR parameter set) and access the CSR
parameters configuration mode, use the crypto csr-params command. The CLI prompt changes to
(config-csr-params). Use the no form of this command to remove an existing CSR parameter set.
crypto csr-params csr_param_name
no crypto csr-params csr_param_name
Syntax Description
csr_param_name Name that designates a CSR parameter set. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the SSL feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you specify a CSR parameter set, you define the following distinguished name attributes:
• Common name—See the (config-csr-params) common-name command. This distinguished name
attribute is required.
• Country name—See the (config-csr-params) country command. This distinguished name attribute
is required.
• E-mail address—See the (config-csr-params) email command.
• Locality—See the (config-csr-params) locality command.
• Organization name (certificate subject)—See the (config-csr-params) organization-name
command.
• Organization unit—See the (config-csr-params) organization-unit command.
• Serial number—See the (config-csr-params) serial-number command. This distinguished name
attribute is required.
• State—See the (config-csr-params) state command. This distinguished name attribute is required.
If you do not define the required distinguished name attributes, the ACE displays an error message when
you attempt to generate a CSR using the CSR parameter set.
You can create up to eight CSR parameter sets per context.
To generate a Certificate Signing Request (CSR) file using the CSR parameter set, use the crypto
generate csr command in Exec mode.
Examples To create the CSR parameter set CSR_PARAMS_1, enter:
host1/Admin(config)# crypto csr-params CSR_PARAMS_1
host1/Admin(config-csr-params)#
Related Commands crypto generate csr
(config-csr-params) common-name
(config-csr-params) country
(config-csr-params) email
(config-csr-params) locality
(config-csr-params) organization-name
(config-csr-params) organization-unit
(config-csr-params) serial-number
(config-csr-params) state
(config-csr-params) common-name
To define the common name parameter in the Certificate Signing Request (CSR) parameter set, use the
common-name command. Use the no form of this command to delete an existing common name from
the CSR parameter set.
common-name name
no common-name
Syntax Description
name Name that designates the common name in a CSR parameter set. Enter the common name as an
unquoted alphanumeric string with no spaces or a quoted string with spaces and a maximum of 64
characters.
Command Modes CSR parameters configuration mode
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The common name is a required distinguished name attribute. If you do not configure this attribute (and
all other required attributes), the ACE displays an error message when you try to generate a CSR using
the CSR parameter set.
The common name should be the domain name or individual hostname of the Secure Sockets Layer
(SSL) site, because clients compare it against the hostname they connected to.
Examples To specify the common name WWW.ABC123.COM, enter:
host1/Admin(config-csr-params)# common-name WWW.ABC123.COM
Related Commands (config) crypto csr-params
(config-csr-params) country
(config-csr-params) email
(config-csr-params) locality
(config-csr-params) organization-name
(config-csr-params) organization-unit
(config-csr-params) serial-number
(config-csr-params) state
(config-csr-params) country
To define the country name parameter in the Certificate Signing Request (CSR) parameter set, use the
country command. Use the no form of this command to delete an existing country name from the CSR
parameter set.
country name
no country
Syntax Description
name Name of the country where the Secure Sockets Layer (SSL) site resides. Enter the
country name as an alphanumeric string from 1 to 2 characters.
Command Modes CSR parameters configuration mode
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The country name is a required distinguished name attribute. If you do not configure this attribute (and
all other required attributes), the ACE displays an error message when you try to generate a CSR using
the CSR parameter set.
Examples To specify the country US (United States), enter:
host1/Admin(config-csr-params)# country US
Related Commands (config) crypto csr-params
(config-csr-params) common-name
(config-csr-params) email
(config-csr-params) locality
(config-csr-params) organization-name
(config-csr-params) organization-unit
(config-csr-params) serial-number
(config-csr-params) state
(config-csr-params) email
To define the e-mail address parameter in the Certificate Signing Request (CSR) parameter set, use the
email command. Use the no form of this command to delete an existing e-mail address from the CSR
parameter set.
email address
no email
Syntax Description
address Address that designates the site e-mail address in a CSR parameter set. Enter an
unquoted text string with no spaces and a maximum of 40 alphanumeric
characters.
Command Modes CSR parameters configuration mode
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The e-mail address is an optional distinguished name attribute.
Examples To specify the e-mail address WEBADMIN@ABC123.COM, enter:
host1/Admin(config-csr-params)# email WEBADMIN@ABC123.COM
Related Commands (config) crypto csr-params
(config-csr-params) common-name
(config-csr-params) country
(config-csr-params) locality
(config-csr-params) organization-name
(config-csr-params) organization-unit
(config-csr-params) serial-number
(config-csr-params) state
(config-csr-params) locality
To define the locality name parameter in the Certificate Signing Request (CSR) parameter set, use the
locality command. Use the no form of this command to delete an existing locality from the CSR
parameter set.
locality name
no locality
Syntax Description
name Name that designates the locality (a county, for example) in a CSR parameter set.
Enter an unquoted text string with a maximum of 40 alphanumeric characters
including spaces and the ampersand (&) character.
Command Modes CSR parameters configuration mode
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(3.2) The ampersand (&) character is supported.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) The ampersand (&) character is supported.
Usage Guidelines The locality name is an optional distinguished name attribute.
Examples To specify the locality ATHENS, enter:
host1/Admin(config-csr-params)# locality ATHENS
Related Commands (config) crypto csr-params
(config-csr-params) common-name
(config-csr-params) country
(config-csr-params) email
(config-csr-params) organization-name
(config-csr-params) organization-unit
(config-csr-params) serial-number
(config-csr-params) state
(config-csr-params) organization-name
To define the organization name parameter in the Certificate Signing Request (CSR) parameter set, use
the organization-name command. Use the no form of this command to delete an existing organization
name from the CSR parameter set.
organization-name name
no organization-name
Syntax Description
name Name that designates the organization in a CSR parameter set. Enter the
organization name as an unquoted alphanumeric string with a maximum of
64 characters including spaces. The ACE also supports the ampersand (&)
character.
Command Modes CSR parameters configuration mode
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(3.2) The ampersand (&) character is supported.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) The ampersand (&) character is supported.
Usage Guidelines The organization name is an optional distinguished name attribute.
Examples To specify the organization ABC123 SYSTEMS INC, enter:
host1/Admin(config-csr-params)# organization-name ABC123 SYSTEMS INC
Related Commands (config) crypto csr-params
(config-csr-params) common-name
(config-csr-params) country
(config-csr-params) email
(config-csr-params) locality
(config-csr-params) organization-unit
(config-csr-params) serial-number
(config-csr-params) state
(config-csr-params) organization-unit
To define the organization unit parameter in the Certificate Signing Request (CSR) parameter set, use
the organization-unit command. Use the no form of this command to delete an existing organization
unit from the CSR parameter set.
organization-unit unit
no organization-unit
Syntax Description
unit Name that designates the unit (within an organization) in a CSR
configuration file. Enter the organization unit as an unquoted alphanumeric
string with a maximum of 64 characters including spaces. The ACE also
supports the ampersand (&) character.
Command Modes CSR parameters configuration mode
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(3.2) The ampersand (&) character is supported.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) The ampersand (&) character is supported.
Usage Guidelines The organization unit is an optional distinguished name attribute.
Examples To specify the organization unit SSL ACCELERATOR, enter:
host1/Admin(config-csr-params)# organization-unit SSL ACCELERATOR
Related Commands (config) crypto csr-params
(config-csr-params) common-name
(config-csr-params) country
(config-csr-params) email
(config-csr-params) locality
(config-csr-params) organization-name
(config-csr-params) serial-number
(config-csr-params) state
(config-csr-params) serial-number
To define the serial number parameter in the Certificate Signing Request (CSR) parameter set, use the
serial-number command. Use the no form of this command to delete an existing serial number from the
CSR parameter set.
serial-number number
no serial-number
Syntax Description
number Number that designates the serial number in a CSR parameter set. Enter the serial
number as an alphanumeric string from 1 to 16 characters.
Command Modes CSR parameters configuration mode
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(3.2) The ampersand (&) character is supported.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) The ampersand (&) character is supported.
Usage Guidelines The serial number is a required distinguished name attribute. If you do not configure this attribute (and
all other required attributes), the ACE displays an error message when you try to generate a CSR using
the CSR parameter set.
The CA may choose to overwrite the serial number that you provide with its own serial number.
Examples To specify the serial number 1001, enter:
host1/Admin(config-csr-params)# serial-number 1001
Related Commands (config) crypto csr-params
(config-csr-params) common-name
(config-csr-params) country
(config-csr-params) email
(config-csr-params) locality
(config-csr-params) organization-name
(config-csr-params) organization-unit
(config-csr-params) state
(config-csr-params) state
To define the state name parameter in the Certificate Signing Request (CSR) parameter set, use the state
command. Use the no form of this command to delete an existing state name from the CSR parameter set.
state name
no state
Syntax Description
name Name that designates the state or province in a CSR configuration file. Enter an
unquoted text string with a maximum of 40 alphanumeric characters including spaces
and the ampersand (&) character.
Command Modes CSR parameters configuration mode
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(3.2) The ampersand (&) character is supported.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) The ampersand (&) character is supported.
Usage Guidelines The state name is a required distinguished name attribute. If you do not configure this attribute (and all
other required attributes), the ACE displays an error message when you try to generate a CSR using the
CSR parameter set.
Examples To specify the state GA (Georgia), enter:
host1/Admin(config-csr-params)# state GA
Related Commands (config) crypto csr-params
(config-csr-params) common-name
(config-csr-params) country
(config-csr-params) email
(config-csr-params) locality
(config-csr-params) organization-name
(config-csr-params) organization-unit
(config-csr-params) serial-number
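The attribute rules spread across the (config-csr-params) commands above, collected into one pre-flight check. This is an added example, not Cisco's code and not anything the ACE itself runs: it validates a parameter set against the required/optional status, length limits and space rules the reference states, then renders the CLI lines; the sample values are the reference's own examples, and the set name CSR_PARAMS_1 is taken from the crypto csr-params example.

```python
"""Pre-flight check for a Cisco ACE CSR parameter set (added example, not Cisco code).

Applies the rules from the (config-csr-params) command reference: which
distinguished name attributes are required, their maximum lengths and where
spaces are allowed, so a set can be checked before it is pushed to the ACE
and 'crypto generate csr' is run. Character-set checks beyond spaces are
deliberately left out: the reference's own examples contain '.' and '@'.
"""

# One rule per (config-csr-params) sub-command: (required, max length, spaces allowed).
# Values come from the Syntax Description of each command in the reference.
RULES = {
    "common-name":       (True, 64, True),   # spaces only inside a quoted string
    "country":           (True, 2, False),
    "email":             (False, 40, False),
    "locality":          (False, 40, True),
    "organization-name": (False, 64, True),
    "organization-unit": (False, 64, True),
    "serial-number":     (True, 16, False),
    "state":             (True, 40, True),
}
MAX_SETS_PER_CONTEXT = 8  # "You can create up to eight CSR parameter sets per context."


def validate_csr_params(params: dict) -> list:
    """Return a list of problems (empty when the set can be used to generate a CSR)."""
    problems = []
    for attr, (required, max_len, spaces_ok) in RULES.items():
        value = params.get(attr)
        if value is None or value == "":
            if required:
                # The ACE only reports a missing required attribute when
                # 'crypto generate csr' is run; catch it before then.
                problems.append(f"{attr}: required distinguished name attribute is missing")
            continue
        if not 1 <= len(value) <= max_len:
            problems.append(f"{attr}: length {len(value)} outside 1..{max_len}")
        if not spaces_ok and " " in value:
            problems.append(f"{attr}: spaces are not allowed")
    for attr in params:
        if attr not in RULES:
            problems.append(f"{attr}: not a (config-csr-params) attribute")
    return problems


def render_csr_params(set_name: str, params: dict) -> list:
    """Render the configuration-mode CLI lines for one CSR parameter set.

    Raises ValueError if validate_csr_params() finds a problem, so an invalid
    set is never rendered.
    """
    problems = validate_csr_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"crypto csr-params {set_name}"]
    for attr in RULES:  # keep the reference's attribute order
        value = params.get(attr)
        if not value:
            continue
        # Only common-name takes a quoted string when the value contains spaces.
        if attr == "common-name" and " " in value:
            value = f'"{value}"'
        lines.append(f"  {attr} {value}")
    return lines


def render_context(sets: dict) -> list:
    """Render every parameter set of one context, enforcing the per-context limit."""
    if len(sets) > MAX_SETS_PER_CONTEXT:
        raise ValueError(f"a context supports at most {MAX_SETS_PER_CONTEXT} CSR parameter sets")
    out = []
    for name, params in sets.items():
        out.extend(render_csr_params(name, params))
    return out


# Constructed sample built from the values used in the reference's examples.
SAMPLE = {
    "common-name": "WWW.ABC123.COM",
    "country": "US",
    "email": "WEBADMIN@ABC123.COM",
    "locality": "ATHENS",
    "organization-name": "ABC123 SYSTEMS INC",
    "organization-unit": "SSL ACCELERATOR",
    "serial-number": "1001",
    "state": "GA",
}

if __name__ == "__main__":
    print("\n".join(render_context({"CSR_PARAMS_1": SAMPLE})))
    broken = dict(SAMPLE)
    del broken["state"]          # a required attribute is now missing
    print(validate_csr_params(broken))
```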
DCI Configuration Mode Commands
Data center interconnect (DCI) configuration mode commands allow you to create the local Nexus
device and configure its attributes for the dynamic workload scaling (DWS) feature. To create a local
Nexus device and access DCI configuration mode, use the nexus-device command in configuration
mode. The CLI prompt changes to (config-dci). For information about the commands in DCI
configuration mode, see the commands in this section.
Use the no form of this command to remove the Nexus device from the configuration.
nexus-device name
no nexus-device name
Syntax Description
name Identifier of the local Nexus device. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin context only
Command History
ACE Module/Appliance
Release Modification
A4(2.0) This command was introduced.
Usage Guidelines All commands in this mode require the Admin user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To create a Nexus device named DCI_DEVICE1 and access DCI configuration mode, enter:
host1/Admin(config)# nexus-device DCI_DEVICE1
host1/Admin(config-dci)#
To delete the DCI_DEVICE1 Nexus device, enter:
host1/Admin(config)# no nexus-device DCI_DEVICE1
Related Commands show nexus-device
(config-dci) credentials
(config-dci) ip-address
(config-dci) credentials
To configure the login credentials that the ACE uses to access the local Nexus device (Nexus 7000 series
switch) in a DWS configuration, use the credentials command. Use the no form of this command to
remove the login credentials of the local Nexus device from the ACE configuration.
credentials {username} {[encrypted] password}
no credentials {username} {[encrypted] password}
Syntax Description
username Username that the ACE uses to log in to the local Nexus device. Enter an
unquoted text string with no spaces and a maximum of 64 alphanumeric
characters.
encrypted (Optional) Specifies that the ACE encrypts the local Nexus device password.
password Password that the ACE uses to access the local Nexus device. Enter an
unquoted text string with no spaces and a maximum of 64 alphanumeric
characters. The password will not appear in the output of the show
running-config command.
Command Modes DCI configuration mode
Admin context only
Command History
ACE Module/Appliance
Release Modification
A4(2.0) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You must have either the vdc-admin or the network-admin user role on the Nexus 7000 to receive the
Nexus 7000 output for the VM location information in XML format.
Examples To configure the credentials, enter the following command:
host1/Admin(config-dci)# credentials admin encrypted mydcipassphrase
To remove the credentials of the Nexus device from the ACE configuration, enter the following
command:
host1/Admin(config-dci)# no credentials admin encrypted mydcipassphrase
Related Commands show nexus-device
(config-dci) ip-address
(config-dci) ip-address
To configure the IP address of the local Nexus device (Nexus 7000 series switch) in a DWS
configuration, use the ip-address command. Use the no form of this command to remove the IP address
of the local Nexus device from the ACE configuration.
ip-address ip_address
no ip-address ip_address
Syntax Description
ip_address Specifies the IP address of the local Nexus device.
Command Modes DCI configuration mode
Admin context only
Command History
ACE Module/Appliance
Release Modification
A4(2.0) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The IP address specified with this command is the IP address of the management interface of either the
default VDC or the VDC in which the OTV configuration is deployed on the Nexus 7000 series switch.
Examples To configure the IP address of the Nexus device, enter:
host1/Admin(config-dci)# ip-address 192.168.12.15
Related Commands show nexus-device
(config-dci) credentials
Domain Configuration Mode Commands
Domain configuration mode commands allow you to determine a user’s domain (namespace in which
the user operates). To create a domain and access domain configuration mode, use the domain command
in configuration mode. The CLI prompt changes to (config-domain). For information about the
commands in domain configuration mode, see the commands in this section.
Use the no form of this command to remove a domain from the configuration.
domain name
no domain name
Syntax Description
name Unique identifier of a domain in a context. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines All commands in this mode require the context Admin user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A domain does not restrict the context configuration that you can display using the show running-config
command. You can still display the running configuration for the entire context. However, you can
restrict your access to the configurable objects within a context by adding to the domain only a limited
subset of all the objects available to a context. To limit a user's ability to manipulate the objects in a
domain, you can assign a role to that user. For more information about domains and user roles, see the
Virtualization Guide, Cisco ACE Application Control Engine.
You can configure KAL-AP TAGs as domains. For the domain load calculation, the ACE considers the
Layer 3 class map, server farm, and real server objects. All other objects under the domain are ignored
during the calculation.
Examples To create a domain named D1 and access domain configuration mode, enter:
host1/Admin(config)# domain D1
host1/Admin(config-domain)#
To delete the D1 domain, enter:
host1/Admin(config)# no domain D1
Related Commands show domain
show running-config
(config-domain) add-object
To associate a configuration object with a domain, use the add-object command. Use the no form of this
command to remove an object added to the domain.
add-object {access-list {ethertype | extended} name | action-list name | all | class-map name |
interface {bvi number | vlan number} | object-group name | parameter-map name |
policy-map name | probe name | rserver name | script name | serverfarm name | sticky name}
no add-object {access-list {ethertype | extended} name | action-list name | all | class-map name
| interface {bvi number | vlan number} | object-group name | parameter-map name |
policy-map name | probe name | rserver name | script name | serverfarm name | sticky name}
Syntax Description
Command Modes Domain configuration mode
Admin and user contexts
access-list Specifies an existing access control list that you want to associate with the
domain.
ethertype Specifies an existing EtherType access control list that you want to associate
with the domain.
extended Specifies an existing extended access control list that you want to associate
with the domain.
name Name of the access control list.
action-list name Specifies an existing action list that you want to associate with the domain.
all Specifies that all configuration objects in the context are added to the domain.
class-map name Specifies an existing class map for flow classification that you want to
associate with the domain.
interface Specifies an existing interface—either a Bridge Group Virtual Interface or a
VLAN—that you want to associate with the domain.
bvi number Specifies the existing Bridge Group Virtual Interface that you want to
associate with the domain. Enter an integer from 1 to 4094.
vlan number Specifies the existing VLAN that you want to associate with the domain. Enter
an integer from 2 to 4094.
object-group name Specifies an existing object group that you want to associate with the domain.
parameter-map name Specifies an existing parameter map that you want to associate with the
domain.
policy-map name Specifies an existing policy map that you want to associate with the domain.
probe name Specifies an existing real server probe (keepalive) that you want to associate
with the domain.
rserver name Specifies an existing real server that you want to associate with the domain.
script name Specifies an existing script file (created with the ACE TCL scripting language)
that you want to associate with the domain.
serverfarm name Specifies an existing server farm that you want to associate with the domain.
sticky name Specifies an existing sticky group that you want to associate with the domain
to maintain persistence with a server.
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate an interface called VLAN 10 with a domain, enter:
host1/Admin(config-domain)# add-object interface vlan 10
Related Commands show domain
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
FT Group Configuration Mode Commands
FT Group Configuration Mode Commands
FT group configuration mode commands allow you to configure fault-tolerant (FT) groups that consist
of two contexts, each residing on a different ACE. FT groups are part of the ACE redundancy feature.
For details about redundancy, see the Virtualization Guide, Cisco ACE Application Control Engine.
To create an FT group and access the FT group configuration mode, use the ft group command in
configuration mode. The CLI prompt changes to (config-ft-group). For information about the commands
in FT group configuration mode, see the commands in this section.
Use the no form of this command to remove an FT group from the configuration.
ft group group_id
no ft group group_id
Syntax Description
group_id Unique identifier of an FT group. Enter an integer from 1 to 255.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines All commands in this mode require the Admin user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To create an FT group with a group ID of 1 and access ft-group configuration mode, enter:
host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)#
To delete the FT group, enter:
host1/Admin(config)# no ft group 1
Related Commands show ft
show running-config
(config-ft-group) associate-context
To associate a context with a fault-tolerant (FT) group, use the associate-context command. You need
to make this association for each of the two redundant contexts in an FT group. Use the no form of this
command to remove a context from an FT group.
associate-context name
no associate-context name
Syntax Description
name Identifier of the context that you want to associate with the FT group.
Enter an unquoted text string with no spaces and a maximum of
64 alphanumeric characters.
Command Modes FT group configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Before you can remove a context from an FT group, you must first take the group out of service using
the no inservice command. See the (config-ft-group) inservice command.
Examples To associate a context with an FT group, enter:
host1/Admin(config-ft-group)# associate-context C1
Related Commands show ft
(config) context
(config-ft-group) inservice
To place a fault-tolerant (FT) group in service, use the inservice command. Use the no form of this
command to take the FT group out of service.
inservice
no inservice
Syntax Description This command has no keywords or arguments.
Command Modes FT group configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Before you place an FT group in service, be sure that you have associated one or two contexts with the
FT group and properly configured the two peers.
Examples To place an FT group in service, enter:
host1/Admin(config-ft-group)# inservice
Related Commands This command has no related commands.
(config-ft-group) peer
To associate a peer ACE with a fault-tolerant (FT) group, use the peer command. Use the no form of this
command to remove the peer association with the FT group.
peer peer_id
no peer peer_id
Syntax Description
peer_id Identifier of an existing peer ACE. Enter 1 for the peer ID.
Command Modes FT group configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The peer designation is used to denote the remote standby member of the FT group. A context in a
redundant configuration can have only one peer context.
Examples To associate a peer ACE with an FT group, enter:
host1/Admin(config-ft-group)# peer 1
Related Commands show ft
(config) ft peer
(config-ft-group) peer priority
To configure the priority of a fault-tolerant (FT) group on the remote standby member, use the peer
priority command. Use the no form of this command to restore the default priority of 100.
peer priority number
no peer priority number
Syntax Description
number Priority of the FT group on the standby member. Enter an integer
from 1 to 255. The default is 100.
Command Modes FT group configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Configure a lower priority on the FT group member (context) that you want as the standby member.
Examples To configure the priority of the FT group on the standby ACE with a value of 50, enter:
host1/Admin(config-ft-group)# peer priority 50
Related Commands (config-ft-group) peer
(config-ft-group) preempt
(config-ft-group) preempt
To configure preemption after it has been disabled, use the preempt command. Use the no form of this
command to disable preemption.
preempt
no preempt
Syntax Description This command has no keywords or arguments.
Command Modes FT group configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Preemption ensures that the group member with the higher priority always asserts itself and becomes the
active member. By default, preemption is enabled.
If you disable preemption and a member with a higher priority is found after the other member has
become active, the newly elected member becomes the standby member even though it has a higher
priority.
Examples To reenable preemption after it has been disabled, enter:
host1/Admin(config-ft-group)# preempt
Related Commands show ft
(config-ft-group) priority
(config-ft-group) priority
To configure the priority of the active group member, use the priority command. Use the no form of this
command to restore the default priority of 100.
priority number
no priority number
Syntax Description
number Priority number for the active group member. Enter an integer from
1 to 255. The default is 100.
Command Modes FT group configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You must configure the priority of a group on both peer ACEs. Configure a higher priority for the group
on the ACE where you want the active member to initially reside.
Examples To set the priority of the FT group on the active member to a value of 150, enter:
host1/Admin(config-ft-group)# priority 150
Related Commands show ft
(config-ft-group) preempt
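The election rules stated by the inservice, priority, peer priority and preempt commands above, played through as a small simulation. This is an added example, not Cisco's code: the member names ACE-A and ACE-B and the up/down event sequence are constructed, the priorities 150 and 50 are the reference's own example values, and the behaviour for two members with equal priority is not described on this page and is assumed here to leave the current active member unchanged.

```python
"""Active/standby election in a Cisco ACE fault-tolerant (FT) group (added example, not Cisco code).

Models the rules from the (config-ft-group) command reference: a group that
is not in service has no active member; the member with the higher priority
becomes active; with 'preempt' (the default) a higher-priority member always
asserts itself; with 'no preempt' a higher-priority member that comes up
after the other member is already active stays standby.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class FtGroup:
    group_id: int
    priority: Dict[str, int]                 # member -> configured priority (1..255, default 100)
    preempt: bool = True                     # 'preempt' / 'no preempt'
    inservice: bool = False                  # 'inservice' / 'no inservice'
    up: Set[str] = field(default_factory=set)
    active: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def __post_init__(self):
        # Same range the CLI enforces for 'priority' and 'peer priority'.
        for member, prio in self.priority.items():
            if not 1 <= prio <= 255:
                raise ValueError(f"{member}: priority {prio} outside 1..255")

    def member_up(self, member: str) -> Optional[str]:
        """A member (the context on one ACE) becomes reachable over the FT VLAN."""
        self.up.add(member)
        return self._elect(f"{member} up")

    def member_down(self, member: str) -> Optional[str]:
        """A member fails or its heartbeat over the FT VLAN is lost."""
        self.up.discard(member)
        if self.active == member:
            self.active = None
        return self._elect(f"{member} down")

    def _elect(self, event: str) -> Optional[str]:
        if not self.inservice or not self.up:
            self.active = None
        elif self.active is None:
            # No active member: the highest-priority member that is up wins.
            self.active = max(self.up, key=lambda m: self.priority[m])
        elif self.preempt:
            # Preemption: a strictly higher priority always asserts itself.
            best = max(self.up, key=lambda m: self.priority[m])
            if self.priority[best] > self.priority[self.active]:
                self.active = best
        # 'no preempt' with an active member: the newcomer becomes standby
        # regardless of its priority, so self.active is left unchanged.
        self.log.append(f"{event}: active={self.active}")
        return self.active

    def standby(self) -> Optional[str]:
        """The other up member, if any (an FT group has exactly two contexts)."""
        others = self.up - {self.active} if self.active else set()
        return next(iter(others), None)


def scenario(preempt: bool) -> List[str]:
    """Constructed failover/failback sequence: 'priority 150' on ACE-A (the
    intended active member) and 'peer priority 50' on ACE-B. ACE-A comes up,
    ACE-B joins, ACE-A fails, ACE-B takes over, then ACE-A returns."""
    grp = FtGroup(group_id=1, priority={"ACE-A": 150, "ACE-B": 50},
                  preempt=preempt, inservice=True)
    grp.member_up("ACE-A")
    grp.member_up("ACE-B")
    grp.member_down("ACE-A")
    grp.member_up("ACE-A")   # failback happens only when preemption is enabled
    return grp.log


if __name__ == "__main__":
    for flag in (True, False):
        print("preempt" if flag else "no preempt")
        print("\n".join(scenario(flag)))
```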
FT Interface Configuration Mode Commands
FT interface configuration mode commands allow you to configure redundancy parameters for the
fault-tolerant (FT) VLAN. The FT VLAN is a dedicated interface that the ACE uses exclusively for
redundancy traffic (such as heartbeat, state, and replication packets). For more information about
configuring redundancy on the ACE, see the Administration Guide, Cisco ACE Application Control
Engine.
To create an FT VLAN and access FT interface configuration mode, use the ft interface vlan command
in configuration mode. The CLI prompt changes to (config-ft-intf). For information about the commands
in FT interface configuration mode, see the following commands.
Use the no form of this command to remove an FT VLAN from the redundancy configuration.
ft interface vlan vlan_id
no ft interface vlan vlan_id
Syntax Description
vlan_id Identifier of an existing VLAN that you want to use as the FT VLAN.
Enter an integer from 2 to 4094.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines All commands in this mode require the System feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
To remove an FT VLAN from the redundancy configuration, first dissociate it from the FT peer using
the no form of the (config-ft-peer) ft-interface vlan command and then enter the no ft interface vlan
command in configuration mode.
Examples To configure an FT VLAN and access FT interface configuration mode, enter:
host1/Admin(config)# ft interface vlan 4000
host1/Admin(config-ft-intf)#
To delete the FT VLAN configuration, enter:
host1/Admin(config)# no ft interface vlan 4000
Related Commands show ft
show interface
show running-config
(ACE module only) (config) hw-module
(config-ft-peer) ft-interface vlan
(config-ft-intf) ip
To assign an IP address to the fault-tolerant (FT) VLAN, use the ip command. Use the no form of this
command to remove the IP address from the configuration.
ip address ip_address netmask
no ip address ip_address netmask
Syntax Description
address ip_address Specifies the IP address of the FT VLAN. Enter an IP address in
dotted-decimal notation (for example, 192.168.12.1).
netmask Subnet mask of the FT VLAN. Enter a subnet mask in dotted-decimal
notation (for example, 255.255.255.0).
Command Modes FT interface configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure an IP address for the FT VLAN, enter:
host1/Admin(config-ft-intf)# ip address 192.168.12.1 255.255.255.0
To remove an IP address from the FT VLAN, enter:
host1/Admin(config-ft-intf)# no ip address
Related Commands show ft
show interface
(config-ft-intf) peer ip
(config-ft-intf) peer ip

To allow the local member of the fault-tolerant (FT) group to communicate with the remote peer, use the
peer ip command to configure an IP address for the remote peer. Use the no form of this command to
remove the IP address from the peer configuration.

peer ip address ip_address netmask
no peer ip address ip_address netmask

Syntax Description
  address ip_address   Specifies the IP address of the remote peer. Enter an IP address in
                       dotted-decimal notation (for example, 192.168.12.15).
  netmask              Subnet mask of the remote peer. Enter a subnet mask in
                       dotted-decimal notation (for example, 255.255.255.0).

Command Modes
  FT interface configuration mode
  Admin context only

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  This command has no usage guidelines.

Examples
  To configure an IP address for the remote peer, enter:
  host1/Admin(config-ft-intf)# peer ip address 192.168.12.15 255.255.255.0
  To remove the IP address from the remote peer, enter:
  host1/Admin(config-ft-intf)# no peer ip address 192.168.12.15 255.255.255.0

Related Commands
  show interface
  (config-ft-intf) ip
(config-ft-intf) shutdown

To disable the fault-tolerant (FT) VLAN, use the shutdown command. Use the no form of this command
to enable the FT VLAN.

shutdown
no shutdown

Syntax Description
  This command has no keywords or arguments.

Command Modes
  FT interface configuration mode
  Admin context only

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  When you create the FT VLAN, it is disabled by default. Use the no form of this command to enable the
  FT VLAN.

Examples
  For example, to enable the FT VLAN, enter:
  host1/Admin(config-ft-intf)# no shutdown
  To disable the FT VLAN after you have enabled it, enter:
  host1/Admin(config-ft-intf)# shutdown

Related Commands
  show interface
FT Peer Configuration Mode Commands

Fault-tolerant (FT) peer configuration mode commands allow you to configure redundancy parameters
for peer (standby) ACEs. Each FT group in a redundant configuration consists of two ACEs: a local
active ACE and a remote standby ACE or peer.
To configure an FT peer and access FT peer configuration mode, use the ft peer command in
configuration mode. The CLI prompt changes to (config-ft-peer). For information about the commands
in FT peer configuration mode, see the following commands.
Use the no form of this command to remove an FT peer from the configuration.

ft peer peer_id
no ft peer peer_id

Syntax Description
  peer_id    Unique identifier of the FT peer. Enter 1.

Command Modes
  Configuration mode
  Admin context only

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  All commands in this mode require the Admin user role. For details about role-based access control
  (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples
  To configure an FT peer and access FT peer configuration mode, enter:
  host1/Admin(config)# ft peer 1
  host1/Admin(config-ft-peer)#
  To delete the FT peer configuration, enter:
  host1/Admin(config)# no ft peer 1

Related Commands
  show ft
  show running-config
(config-ft-peer) ft-interface vlan

To associate an existing fault-tolerant (FT) VLAN with a peer, use the ft-interface vlan command. Use
the no form of this command to remove the FT VLAN from the peer configuration.

ft-interface vlan vlan_id
no ft-interface vlan vlan_id

Syntax Description
  vlan_id    Identifier of an existing VLAN. Enter an integer from 2 to 4094.

Command Modes
  FT peer configuration mode
  Admin context only

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  This command has no usage guidelines.

Examples
  To associate an existing FT VLAN with a peer, enter:
  host1/Admin(config-ft-peer)# ft-interface vlan 200

Related Commands
  show ft
  (config) ft interface vlan
(config-ft-peer) heartbeat

To configure the heartbeat interval and count for verification timing between active and standby
fault-tolerant (FT) peers, use the heartbeat command. Use the no form of this command to revert to the
default heartbeat interval and count.

heartbeat {count number | interval frequency}
no heartbeat {count number | interval frequency}

Syntax Description
  count number         Specifies the number of heartbeat intervals that must transpire with
                       no heartbeat packet received by the standby member before the
                       standby member determines that the active member is not available.
                       Enter an integer from 10 to 50. The default is 10 heartbeat intervals.
  interval frequency   Specifies the time period between heartbeats in milliseconds (ms).
                       Enter an integer from 100 to 1000 ms. The default is 300 ms.

Command Modes
  FT peer configuration mode
  Admin context only

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  If the standby member of the FT group does not receive a heartbeat packet from the active member, a
  time period equal to count number times interval frequency must elapse before a switchover between
  the active and standby members can occur.

Examples
  To set a heartbeat count of 20, enter:
  host1/Admin(config-ft-peer)# heartbeat count 20
  To set a heartbeat interval of 200 milliseconds, enter:
  host1/Admin(config-ft-peer)# heartbeat interval 200

Related Commands
  show ft
(config-ft-peer) query-interface

To configure an alternate interface to allow the standby member to determine whether the active member
is down or whether there is a connectivity problem with the fault-tolerant (FT) VLAN, use the
query-interface command. A query interface helps prevent two redundant contexts from becoming
active at the same time for the same FT group. Use the no form of this command to remove the query
interface from the peer configuration.

query-interface vlan vlan_id
no query-interface vlan vlan_id

Syntax Description
  vlan vlan_id   Specifies the identifier of an existing VLAN. Enter an integer from 2
                 to 4094.

Command Modes
  FT peer configuration mode
  Admin context only

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  Configuring a query interface allows you to assess the health of the active FT group member, but it
  increases failover time. You cannot delete a query interface if it is associated with a peer. You must
  dissociate the interface from the peer first, and then you can delete the query interface.

Examples
  To configure a query interface, enter:
  host1/Admin(config-ft-peer)# query-interface vlan 400

Related Commands
  show ft
  (config) ft interface vlan
FT Track Host Configuration Mode Commands

Fault-tolerant (FT) track host configuration mode commands allow you to configure tracking and failure
detection for critical network gateways and hosts.
To create a process that tracks and detects failures for a gateway or host and accesses FT track host
configuration mode, use the ft track host command in configuration mode. The CLI prompt changes to
(config-ft-track-host). For information about the commands in FT track host configuration mode, see the
following commands.
Use the no form of this command to delete a process that tracks and detects failures for a gateway or host.

ft track host name
no ft track host name

Syntax Description
  name   Unique identifier of the tracking process for a gateway or a host.
         Enter an unquoted text string with no spaces and a maximum of
         64 alphanumeric characters.

Command Modes
  Configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  The commands in this mode require the fault-tolerant feature in your user role. For details about
  role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
  Control Engine.

Examples
  To create a process that tracks and detects failures for a gateway or host and accesses FT track host
  configuration mode, enter:
  host1/Admin(config)# ft track host TRACK_GATEWAY1
  host1/Admin(config-ft-track-host)#
  To delete the process that tracks and detects failures for a gateway or host, enter:
  host1/Admin(config)# no ft track host TRACK_GATEWAY1

Related Commands
  show ft
  show running-config
(config-ft-track-host) peer priority

To assign a priority for multiple probes on the standby member of a fault-tolerant (FT) group, use the
peer priority command. Use the no form of this command to reset the multiple-probe priority to the
default value of 10 on the standby member.

peer priority number
no peer priority number

Syntax Description
  number   Priority of the probes configured for the gateway or host on the
           standby member. Enter a priority value as an integer from 0 to 255.
           The default is 0. Higher values indicate higher priorities.

Command Modes
  FT track host configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  The peer command keyword indicates the standby member of an FT group.
  Assign a priority value to multiple probes based on the relative importance of the gateway or host that
  the probes are tracking. If all the probes go down, the ACE decrements the priority of the FT group on
  the standby member by the value of the number argument. If the priority of the FT group on the active
  member falls below the priority of the FT group on the standby member, a switchover occurs where the
  active member becomes the standby member and the standby member becomes the active member.

Examples
  To assign a priority for multiple probes on the standby member of an FT group, enter:
  host1/Admin(config-ft-track-host)# peer priority 50
  To reset the priority of multiple probes on the standby member of an FT group to the default value of 0,
  enter:
  host1/Admin(config-ft-track-host)# no peer priority 50

Related Commands
  (config-ft-track-host) priority
(config-ft-track-host) peer probe

To associate an existing probe with a gateway or host for tracking by the standby member of a
fault-tolerant (FT) group, use the peer probe command. Use the no form of this command to dissociate
the tracking probe from the tracking process on the standby member.

peer probe name priority number
no peer probe name priority number

Syntax Description
  name              Identifier of an existing probe that you want to associate with a
                    gateway or host for tracking.
  priority number   (Optional) Specifies the priority of the probe. Enter an integer from
                    0 to 255. The default is 0. Higher values indicate higher priorities.

Command Modes
  FT track host configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  The peer command keyword indicates the standby member of an FT group.
  Assign a priority value to the probe based on the relative importance of the gateway or host that the probe
  is tracking. If the probe goes down, the ACE decrements the priority of the FT group on the standby
  member by the value of the number argument. If the priority of the FT group on the active member falls
  below the priority of the FT group on the standby member, a switchover occurs where the active member
  becomes the standby member and the standby member becomes the active member.

Examples
  To configure a probe with a priority of 15 on the standby member of an FT group, enter:
  host1/Admin(config-ft-track-host)# peer probe TCP_PROBE1 priority 15
  To remove the tracking probe from the standby member, enter:
  host1/Admin(config-ft-track-host)# no peer probe TCP_PROBE1

Related Commands
  show probe
  show running-config
  (config) ft peer
  (config) probe
  (config-ft-track-host) probe
(config-ft-track-host) peer track-host

To configure the IP address of the gateway or host that you want to track on the standby member of a
fault-tolerant (FT) group, use the peer track-host command. Use the no form of this command to
remove the IP address of the gateway or host from the tracking process on the standby member
configuration.

peer track-host ip_address
no peer track-host ip_address

Syntax Description
  ip_address   IPv6 or IPv4 address of the gateway or host that you want the standby
               FT group member to track.

Command Modes
  FT track host configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  The peer command keyword indicates the standby member of an FT group.

Examples
  IPv6 Example:
  To configure the IPv6 address of a gateway for tracking on the standby member of an FT group, enter:
  host1/Admin(config-ft-track-host)# peer track-host 2001:DB8:12::101
  To remove the IPv6 address of the tracked gateway from the standby member, enter:
  host1/Admin(config-ft-track-host)# no peer track-host 2001:DB8:12::101
  IPv4 Example:
  To configure the IPv4 address of a gateway for tracking on the standby member of an FT group, enter:
  host1/Admin(config-ft-track-host)# peer track-host 172.16.27.1
  To remove the IPv4 address of the tracked gateway from the standby member, enter:
  host1/Admin(config-ft-track-host)# no peer track-host 172.16.27.1

Related Commands
  show running-config
  (config) ft peer
  (config-ft-track-host) track-host
(config-ft-track-host) priority

To assign a priority for multiple probes on the active member of a fault-tolerant (FT) group, use the
priority command. Use the no form of this command to reset the multiple-probe priority to the default
value of 10 on the active member.

priority number
no priority number

Syntax Description
  number   Priority of the probes configured for the gateway or host on the active
           member. Enter a priority value as an integer from 0 to 255. The
           default is 0. Higher values indicate higher priorities.

Command Modes
  FT track host configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  Assign a priority value for multiple probes based on the relative importance of the gateway or host that
  the probes are tracking. If all the probes go down, the ACE decrements the priority of the FT group on
  the active member by the value of the number argument. If the priority of the FT group on the active
  member falls below the priority of the FT group on the standby member, a switchover occurs where the
  active member becomes the standby member and the standby member becomes the active member.

Examples
  To assign a priority for multiple probes on the active member of an FT group, enter:
  host1/Admin(config-ft-track-host)# priority 100
  To reset the priority of multiple probes on the active member of an FT group to the default value of 0,
  enter:
  host1/Admin(config-ft-track-host)# no priority 100

Related Commands
  (config-ft-track-host) peer priority
(config-ft-track-host) probe

To associate an existing probe with a gateway or host for tracking by the active member of a fault-tolerant
(FT) group, use the probe command. Use the no form of this command to dissociate the tracking probe
from the tracking process on the active member.

probe name priority number
no probe name priority number

Syntax Description
  name              Identifier of an existing probe that you want to associate with a
                    gateway or host for tracking.
  priority number   (Optional) Specifies the priority of the probe on the active member of
                    an FT group. Enter an integer from 0 to 255. The default is 0. Higher
                    values indicate higher priorities.

Command Modes
  FT track host configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  Assign a priority value to the probe based on the relative importance of the gateway or host that the probe
  is tracking. If the probe goes down, the ACE decrements the priority of the FT group on the active
  member by the value of the number argument. If the priority of the FT group on the active member falls
  below the priority of the FT group on the standby member, a switchover occurs where the active member
  becomes the standby member and the standby member becomes the active member.

Examples
  To configure a probe with a priority of 25 on the active member of an FT group, enter:
  host1/Admin(config-ft-track-host)# probe TCP_PROBE1 priority 25
  To remove the tracking probe from the active member, enter:
  host1/Admin(config-ft-track-host)# no probe TCP_PROBE1

Related Commands
  show probe
  show running-config
  (config) probe
  (config-ft-track-host) peer probe
(config-ft-track-host) track-host

To configure the IP address of the gateway or host that you want to track on the active member of a
fault-tolerant (FT) group, use the track-host command. Use the no form of this command to remove the
IP address of the gateway or host from the tracking process on the active member.

track-host ip_address
no track-host ip_address

Syntax Description
  ip_address   IPv6 or IPv4 address of the gateway or host that you want the active
               FT group member to track.

Command Modes
  FT track host configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  This command has no usage guidelines.

Examples
  IPv6 Example:
  To configure the IPv6 address of a gateway for tracking on the active member of an FT group, enter:
  host1/Admin(config-ft-track-host)# track-host 2001:DB8:12::101
  To remove the IPv6 address of the tracked gateway from the active member, enter:
  host1/Admin(config-ft-track-host)# no track-host 2001:DB8:12::101
  IPv4 Example:
  To configure the IPv4 address of a gateway for tracking on the active member of an FT group, enter:
  host1/Admin(config-ft-track-host)# track-host 172.16.27.1
  To remove the IPv4 address of the tracked gateway from the active member, enter:
  host1/Admin(config-ft-track-host)# no track-host 172.16.27.1

Related Commands
  show running-config
  (config-ft-track-host) peer track-host
FT Track HSRP Configuration Mode Commands

(ACE module only) Fault-tolerant (FT) track HSRP configuration mode allows you to configure tracking
and failure detection for critical Hot Standby Router Protocol (HSRP) groups configured on the
supervisor engine for the Catalyst 6500 series switch.
To create a process that tracks and detects failures for an HSRP group and accesses FT track HSRP
configuration mode, enter the ft track hsrp command in configuration mode. The CLI prompt changes
to (config-ft-track-hsrp). For information about the commands in FT track HSRP configuration mode,
see the following commands.
To delete the tracking and failure-detection process for an HSRP group, use the no form of this
command.

ft track hsrp name
no ft track hsrp name

Syntax Description
  name   Unique identifier of the tracking process for an HSRP group. Enter
         an unquoted text string with no spaces and a maximum of
         64 alphanumeric characters.

Command Modes
  Configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

Usage Guidelines
  The commands in this mode require the fault-tolerant feature in your user role. For details about
  role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
  Control Engine.

Examples
  To create a process that tracks and detects failures for an HSRP group and accesses FT track HSRP
  configuration mode, enter:
  host1/Admin(config)# ft track hsrp TRACK_HSRP_GRP1
  host1/Admin(config-ft-track-hsrp)#
  To delete the process that tracks and detects failures for an HSRP group, enter:
  host1/Admin(config)# no ft track hsrp TRACK_HSRP_GRP1

Related Commands
  show ft
  show running-config
(config-ft-track-hsrp) peer priority

(ACE module only) To assign a priority to the Hot Standby Router Protocol (HSRP) group that you are
tracking on the standby member of a fault-tolerant (FT) group, use the peer priority command. Use the
no form of this command to reset the priority to the default value of 10.

peer priority number
no peer priority

Syntax Description
  number   Priority of the HSRP group configured on the standby member of an
           FT group. Enter an integer from 0 to 255. The default is 0. Higher
           values indicate higher priorities.

Command Modes
  FT track HSRP configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

Usage Guidelines
  The peer command keyword indicates the standby member of an FT group.
  Assign a priority value to the HSRP group based on the relative importance of the group that you are
  tracking on the standby member. If the HSRP group goes down, the ACE decrements the priority of the
  FT group on the standby member by the value of the number argument. If the priority of the FT group
  on the active member falls below the priority of the FT group on the standby member, a switchover
  occurs where the active member becomes the standby member and the standby member becomes the
  active member.

Examples
  To assign a priority to the HSRP group that you are tracking on the standby member of an FT group,
  enter:
  host1/Admin(config-ft-track-hsrp)# peer priority 50
  To reset the priority of the HSRP group to the default value of 0, enter:
  host1/Admin(config-ft-track-hsrp)# no peer priority 50

Related Commands
  (config-ft-track-hsrp) priority
(config-ft-track-hsrp) peer track-hsrp

(ACE module only) To track a Hot Standby Router Protocol (HSRP) group on the standby member of a
fault-tolerant (FT) group, use the peer track-hsrp command. Use the no form of this command to
remove the HSRP group name from the tracking process on the standby member.

peer track-hsrp name
no peer track-hsrp name

Syntax Description
  name   Identifier of an HSRP group previously configured on the supervisor
         engine for the Catalyst 6500 series switch that you want to track on
         the standby member of an FT group. Enter the name as an unquoted
         text string with no spaces and a maximum of 64 alphanumeric
         characters.

Command Modes
  FT track HSRP configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

Usage Guidelines
  The peer command keyword indicates the standby member of an FT group.

Examples
  To configure an HSRP group for tracking on the standby member of an FT group, enter:
  host1/Admin(config-ft-track-hsrp)# peer track-hsrp HSRP_GRP1
  To remove the HSRP group from the tracking process on the standby member, enter:
  host1/Admin(config-ft-track-hsrp)# no peer track-hsrp HSRP_GRP1

Related Commands
  show running-config
  (config) ft peer
  (config-ft-track-hsrp) track-hsrp
(config-ft-track-hsrp) priority

(ACE module only) To assign a priority to the Hot Standby Router Protocol (HSRP) group that you are
tracking on the active member of a fault-tolerant (FT) group, use the priority command. Use the no form
of this command to reset the priority to the default value of 10.

priority number
no priority number

Syntax Description
  number   Priority of the HSRP group configured on the active member of an FT
           group. Enter an integer from 0 to 255. The default is 0. Higher values
           indicate higher priorities.

Command Modes
  FT track HSRP configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

Usage Guidelines
  Assign a priority value to the HSRP group based on the relative importance of the group that you are
  tracking on the active member. If the HSRP group goes down, the ACE decrements the priority of the
  FT group on the active member by the value of the number argument. If the priority of the FT group on
  the active member falls below the priority of the FT group on the standby member, a switchover occurs
  where the active member becomes the standby member and the standby member becomes the active
  member.

Examples
  To assign a priority to the HSRP group that you are tracking on the active member of an FT group, enter:
  host1/Admin(config-ft-track-hsrp)# priority 100
  To reset the priority of the HSRP group to the default value of 0, enter:
  host1/Admin(config-ft-track-hsrp)# no priority 100

Related Commands
  (config-ft-track-hsrp) peer priority
(config-ft-track-hsrp) track-hsrp

(ACE module only) To track a Hot Standby Router Protocol (HSRP) group on the active member of a
fault-tolerant (FT) group, use the track-hsrp command. Use the no form of this command to remove the
HSRP group name from the tracking process on the active member.

track-hsrp name
no track-hsrp name

Syntax Description
  name   Identifier of an HSRP group previously configured on the supervisor
         engine for the Catalyst 6500 series switch that you want to track on
         the active member of an FT group. Enter the name as an unquoted text
         string with no spaces and a maximum of 64 alphanumeric characters.

Command Modes
  FT track HSRP configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

Usage Guidelines
  This command has no usage guidelines.

Examples
  For example, to configure the HSRP group for tracking on the active member of an FT group, enter:
  host1/Admin(config-ft-track-hsrp)# track-hsrp HSRP_GRP1
  To remove the HSRP group tracked by the active member, enter:
  host1/Admin(config-ft-track-hsrp)# no track-hsrp HSRP_GRP1

Related Commands
  show running-config
  (config) ft peer
  (config-ft-track-hsrp) peer track-hsrp
FT Track Interface Configuration Mode Commands

Fault-tolerant (FT) track interface configuration mode allows you to configure tracking and failure
detection for critical interfaces.
To create a process that tracks and detects failures for critical interfaces and accesses FT track interface
configuration mode, enter the ft track interface command in configuration mode. The CLI prompt
changes to (config-ft-track-interface). For information about the commands in FT track interface
configuration mode, see the following commands.
To delete the process that tracks and detects failures for an interface, use the no form of this command.

ft track interface name
no ft track interface name

Syntax Description
  name   Unique identifier of the process that tracks and detects failures for a
         critical interface. Enter an unquoted text string with no spaces and a
         maximum of 64 alphanumeric characters.

Command Modes
  Configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  The commands in this mode require the fault-tolerant feature in your user role. For details about
  role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
  Control Engine.

Examples
  To create a process that tracks and detects failures for an interface and access FT track interface
  configuration mode, enter:
  host1/Admin(config)# ft track interface TRACK_VLAN200
  host1/Admin(config-ft-track-interface)#
  To delete the process that tracks and detects failures for an interface, enter:
  host1/Admin(config)# no ft track interface TRACK_VLAN200

Related Commands
  show running-config
(config-ft-track-interface) peer priority

To assign a priority to the interface that the standby member is tracking, use the peer priority command.
Use the no form of this command to reset the priority to the default value of 10.

peer priority number
no peer priority number

Syntax Description
  number   Priority of the interface tracked by the standby member of a
           fault-tolerant (FT) group. Enter an integer from 0 to 255. The default
           is 0. Higher values indicate higher priorities.

Command Modes
  FT track interface configuration mode
  Admin and user contexts

Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.

  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.

Usage Guidelines
  The peer command keyword indicates the standby member of an FT group.
  Assign a priority value based on the relative importance of the interface that you are tracking on the
  standby member of an FT group. If the tracked interface goes down, the ACE decrements the priority of
  the FT group on the standby member by the value of the number argument. If the priority of the FT group
  on the active member falls below the priority of the FT group on the standby member, a switchover
  occurs where the active member becomes the standby member and the standby member becomes the
  active member.

Examples
  To set a priority of 100 for the interface that you are tracking on the standby member, enter:
  host1/Admin(config-ft-track-intf)# peer priority 100
  To reset the priority of the interface to the default value of 0, enter:
  host1/Admin(config-ft-track-intf)# no peer priority 100

Related Commands
  (config-ft-track-interface) priority
(config-ft-track-interface) peer track-interface vlan
To configure the interface that you want the standby member to track, use the peer track-interface vlan
command. Use the no form of this command to remove the interface from the tracking process.
peer track-interface vlan vlan_id
no peer track-interface vlan vlan_id
Syntax Description
vlan_id  Unique identifier of an existing VLAN that you want to track on the standby member of a
fault-tolerant (FT) group. Enter an integer from 2 to 4094.
Command Modes  FT track interface configuration mode
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines  The peer command keyword indicates the standby member of an FT group.
You cannot track the FT VLAN because it is reserved for the redundancy protocol.
Examples  To configure the VLAN 200 interface for tracking on the standby member, enter:
host1/Admin(config-ft-track-intf)# peer track-interface vlan 200
To remove VLAN 200 from the tracking process, enter:
host1/Admin(config-ft-track-intf)# no peer track-interface vlan 200
Related Commands  (config-ft-track-interface) track-interface vlan
(config-ft-track-interface) priority
To assign a priority to the interface that the active member is tracking, use the priority command. Use
the no form of this command to reset the priority of the interface to the default value of 0.
priority number
no priority number
Syntax Description
number  Priority of the interface tracked by the active member of a fault-tolerant (FT) group. Enter an
integer from 0 to 255. The default is 0. Higher values indicate a more important interface, that is, a larger
decrement of the FT group priority when the interface fails.
Command Modes  FT track interface configuration mode
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines  Assign a priority value based on the relative importance of the interface that you are tracking on the
active member of an FT group. If the tracked interface goes down, the ACE decrements the priority of
the FT group on the active member by the value of the number argument. If the priority of the FT group
on the active member falls below the priority of the FT group on the standby member, a switchover
occurs where the active member becomes the standby member and the standby member becomes the
active member.
Examples  To set a priority of 100 for the interface that you are tracking on the active member of an FT group, enter:
host1/Admin(config-ft-track-intf)# priority 100
To reset the priority of the interface to the default value of 0, enter:
host1/Admin(config-ft-track-intf)# no priority 100
Related Commands  (config-ft-track-interface) peer priority
(config-ft-track-interface) track-interface vlan
To configure the interface that you want the active member to track, use the track-interface vlan
command. Use the no form of this command to remove the interface from the tracking process.
track-interface vlan vlan_id
no track-interface vlan vlan_id
Syntax Description
vlan_id  Unique identifier of an existing VLAN that you want to track on the active member of a
fault-tolerant (FT) group. Enter an integer from 2 to 4094.
Command Modes  FT track interface configuration mode
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines  This command has no usage guidelines.
Examples  To configure the VLAN 200 interface for tracking on the active member, enter:
host1/Admin(config-ft-track-intf)# track-interface vlan 200
To remove VLAN 200 from the tracking process, enter:
host1/Admin(config-ft-track-intf)# no track-interface vlan 200
Related Commands  show interface
(ACE module only) (config) hw-module
Interface Configuration Mode Commands
Interface configuration mode commands allow you to configure a VLAN interface or a bridge-group
virtual interface (BVI) and, for the ACE appliance, an Ethernet port or a port-channel interface. To
configure a BVI, Ethernet port, port-channel interface, or VLAN interface, use the interface command.
The CLI prompt changes to (config-if). Use the no form of this command to remove the interface from
the context. For information about the commands in interface configuration mode, see the following
commands.
interface {bvi group_number | gigabitEthernet slot_number/port_number | port-channel
channel_number | vlan number}
no interface {bvi group_number | gigabitEthernet slot_number/port_number | port-channel
channel_number | vlan number}
Syntax Description
bvi group_number  Creates a BVI for a bridge group and accesses interface configuration mode
commands for the BVI. The group_number argument is the bridge-group number configured on a
VLAN interface.
gigabitEthernet slot_number/port_number  (ACE appliance only) Specifies one of the four Ethernet
ports on the rear panel of the ACE.
• slot_number: The physical slot on the ACE containing the Ethernet ports. This selection is always 1,
the location of the daughter card in the ACE. The daughter card includes the four Layer 2 Ethernet
ports that perform Layer 2 switching.
• port_number: The physical Ethernet port on the ACE. Valid selections are 1 through 4, which
specify one of the four Ethernet ports (1, 2, 3, or 4) associated with the slot 1 (daughter card)
selection.
port-channel channel_number  (ACE appliance only) Specifies the channel number assigned to this
port-channel interface. Valid values are from 1 to 255.
vlan number  Assigns the VLAN to the context and accesses interface configuration mode commands
for the VLAN. The number argument is the number of a VLAN assigned to the ACE.
(ACE module only) The VLAN is assigned to the ACE from the supervisor engine of the Catalyst 6500
series switch.
Command Modes  Configuration mode
BVI and VLAN interface: Admin and user contexts
(ACE appliance only) Ethernet port and port-channel interface: Admin context only
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines  All commands in this mode require the interface feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
To enable the bridge-group VLANs, you must configure a bridge-group virtual interface (BVI) that
represents the corresponding bridge group. An IP address in the same subnet should be configured on the
BVI. This address is used for management traffic and as the source IP address for traffic originated by
the ACE, such as ARP requests.
The ACE supports a maximum of 4093 VLAN interfaces with a maximum of 1,024 shared VLANs.
The ACE supports a maximum of 4094 BVI interfaces.
The ACE supports a maximum of 8192 interfaces per system, including VLANs, shared VLANs, and
BVI interfaces.
The ACE requires a route back to the client before it can forward a request to a server. If the route back
is not present, the ACE cannot establish a flow and drops the client request. Make sure that you configure
the appropriate routing to the client network on the ACE VLAN where the client traffic enters the ACE.
You can configure one or more VLAN interfaces in any user context before you assign those VLAN
interfaces to the associated user contexts through the (config-context) allocate-interface command in
the Admin context.
ACE Appliance Guidelines
In addition, the Ethernet port and port-channel interface command functions require the Admin user role.
The four Ethernet ports provide physical Ethernet ports to connect servers, PCs, routers, and other
devices to the ACE. You can configure the four Ethernet ports to provide an interface for connecting to
10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiation,
full-duplex, or half-duplex operation on an Ethernet LAN, and can carry traffic within a designated
VLAN.
You can group physical ports together on the ACE to form a logical Layer 2 interface called an
EtherChannel (or port-channel). All the ports belonging to the same port-channel must be configured
with the same values, for example, port parameters, VLAN membership, and trunk configuration. Only
one port-channel in a channel group is allowed, and a physical port can belong to only a single
port-channel interface.
Examples  To assign VLAN interface 200 to the Admin context and access interface configuration mode, enter:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)#
To remove a VLAN, enter:
host1/Admin(config)# no interface vlan 200
To create a BVI for bridge group 15, enter:
host1/Admin(config)# interface bvi 15
host1/Admin(config-if)#
To delete a BVI for bridge group 15, enter:
host1/Admin(config)# no interface bvi 15
Related Commands  show arp
show interface
show ip
show running-config
show vlans
(config-if) access-group
To apply an IPv6 or an IPv4 access control list (ACL) to the inbound or outbound direction of a VLAN
interface and make the ACL active, use the access-group command. Use the no form of this command
to remove an ACL from an interface.
access-group {input | output} acl_name
no access-group {input | output} acl_name
Syntax Description
input  Specifies the inbound direction of the interface to which you want to apply the ACL.
output  Specifies the outbound direction of the interface to which you want to apply the ACL.
acl_name  Identifier of an existing ACL that you want to apply to the interface.
Command Modes  Interface configuration mode
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
A5(1.0)  Added IPv6 support.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
A5(1.0)  Added IPv6 support.
Usage Guidelines  You must apply an ACL to a VLAN interface to allow traffic to pass on that interface. You can apply
one IPv6 and one IPv4 ACL of each type (extended and EtherType) to each direction of the interface.
For connectionless protocols, you need to apply the ACL to both the source and the destination interface
if you want traffic to pass in both directions. For example, if you allow Border Gateway Protocol (BGP)
in an ACL in transparent mode, you need to apply the ACL to both interfaces.
A bridge-group VLAN supports extended ACLs for IP traffic and EtherType ACLs for non-IP traffic.
For non-IP traffic, you can configure an EtherType ACL. EtherType ACLs support Ethernet V2 frames.
You can configure the ACE to pass one or any of the following non-IP EtherTypes: Multiprotocol Label
Switching (MPLS), IP version 6 (IPv6), and bridge protocol data units (BPDUs).
The output option is not allowed for EtherType ACLs.
To apply an ACL globally to all interfaces in a context, use the (config) access-group command.
Examples  To apply an ACL named INBOUND to the inbound direction of an interface, enter:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input INBOUND
To remove an ACL from an interface, enter:
host1/Admin(config-if)# no access-group input INBOUND
Related Commands  show access-list
(config) access-group
(config) access-list extended
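Two rules in this chapter are easy to get wrong across a large running-config: the FT tracking arithmetic from the priority and peer priority commands earlier in this section (a down tracked VLAN subtracts its value from that member's FT group priority, and a switchover follows when the active member's priority falls below the standby's), and the requirement just stated that a VLAN interface carry an applied ACL before traffic passes. The following script is an added example, not Cisco code. It parses a constructed ACE-style configuration excerpt, evaluates the FT priorities for a given set of failed VLANs under the page's rule (the FT group base priorities come from the ft group configuration, which is not on this page, so they are assumed inputs), and flags VLAN interfaces with no inbound ACL as well as access-group references to ACLs that are never defined. The config text, names, VLAN numbers and priority values are all constructed.

```python
"""Audit an ACE running-config for FT interface tracking and per-interface ACLs.
Added example for this reference page, not Cisco code. The config excerpt, the
FT group base priorities and the sets of "down" VLANs are constructed inputs."""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
access-list INBOUND line 10 extended permit ip any any
ft track interface TRACK_VLAN200
  track-interface vlan 200
  priority 100
  peer track-interface vlan 200
  peer priority 100
ft track interface TRACK_VLAN300
  track-interface vlan 300
  priority 50
  peer track-interface vlan 300
  peer priority 50
interface vlan 100
  access-group input INBOUND
interface vlan 200
  description SERVER SIDE
interface vlan 300
  access-group input INBOUND
  access-group output OUTBOUND
"""


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Split a running-config into (top-level command, [indented subcommands])."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:   # indented line belongs to the open block
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


@dataclass
class TrackEntry:
    """One 'ft track interface' block: tracked VLAN and decrement per member."""
    name: str
    active_vlan: int | None = None
    active_decrement: int = 0     # 'priority' subcommand
    standby_vlan: int | None = None
    standby_decrement: int = 0    # 'peer priority' subcommand


def parse_ft_tracks(blocks) -> list[TrackEntry]:
    tracks = []
    for header, body in blocks:
        head = re.fullmatch(r"ft track interface (\S+)", header)
        if not head:
            continue
        entry = TrackEntry(head.group(1))
        for line in body:
            m = re.fullmatch(r"(peer )?(track-interface vlan|priority) (\d+)", line)
            if not m:
                continue
            side = "standby" if m.group(1) else "active"      # 'peer' = standby member
            attr = "vlan" if m.group(2).startswith("track") else "decrement"
            setattr(entry, f"{side}_{attr}", int(m.group(3)))
        tracks.append(entry)
    return tracks


def effective_priorities(tracks, active_base: int, standby_base: int,
                         active_down=(), standby_down=()) -> tuple[int, int]:
    """Page rule: each down tracked VLAN subtracts its configured value from that
    member's FT group priority. Base priorities (from 'ft group') are assumed inputs."""
    active = active_base - sum(t.active_decrement for t in tracks if t.active_vlan in active_down)
    standby = standby_base - sum(t.standby_decrement for t in tracks if t.standby_vlan in standby_down)
    return active, standby


def switchover_occurs(active_priority: int, standby_priority: int) -> bool:
    """Switchover when the active member's priority falls below the standby's."""
    return active_priority < standby_priority


def vlans_without_inbound_acl(blocks) -> list[int]:
    """VLAN interfaces with no 'access-group input': inbound traffic cannot pass there."""
    missing = []
    for header, body in blocks:
        m = re.fullmatch(r"interface vlan (\d+)", header)
        if m and not any(line.startswith("access-group input ") for line in body):
            missing.append(int(m.group(1)))
    return missing


def undefined_acl_references(blocks) -> list[str]:
    """ACL names applied with access-group but never defined with access-list."""
    defined = {h.split()[1] for h, _ in blocks if h.startswith("access-list ")}
    applied = {line.split()[2] for h, body in blocks if h.startswith("interface vlan ")
               for line in body if line.startswith("access-group ")}
    return sorted(applied - defined)


if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE_CONFIG)
    tracks = parse_ft_tracks(blocks)
    active, standby = effective_priorities(tracks, 150, 120, active_down={200})
    print(f"VLAN 200 down on active: {active} vs {standby}, switchover={switchover_occurs(active, standby)}")
    print("VLAN interfaces without an inbound ACL:", vlans_without_inbound_acl(blocks))
    print("ACLs applied but never defined:", undefined_acl_references(blocks))
```

Feed it the output of show running-config from both FT peers and try each critical VLAN in the "down" set: if a single failed VLAN on the active member does not push its priority below the standby's, the tracking values are too small to produce the switchover you expect.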
(config-if) alias
To configure an IP address that is shared between the active and standby ACEs for a bridge-group virtual
interface (BVI) or VLAN interface, use the alias command. Use the no form of this command to delete
an alias IP address.
alias {ipv6_address [/prefix_length] [eui64 | unique-local]} | {ip_address mask [secondary]}
no alias {ipv6_address [/prefix_length] [eui64 | unique-local]} | {ip_address mask [secondary]}
Syntax Description
ipv6_address  IPv6 address of the interface.
/prefix_length  (Optional, except for EUI-64) Specifies how many of the most significant bits (MSBs) of
the IPv6 address are used for the network identifier. Enter a forward slash character (/) followed by an
integer from 1 to 128. The default is /128. If you use the optional eui64 keyword, you must specify a
prefix length and the prefix must be less than or equal to 64.
eui64  (Optional) Specifies that the low-order 64 bits are automatically generated in the IEEE 64-bit
Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use this keyword, you must
specify a prefix length, the prefix must be less than or equal to 64, and the host segment must be all zeros.
unique-local  (Optional) Specifies that this address is globally unique and used only for local
communications within a site or organization.
ip_address  IPv4 address of the interface.
mask  Subnet mask of the interface.
secondary  (Optional) Configures the address as a secondary IPv4 address, allowing multiple subnets
under the same interface. You can configure a maximum of 15 secondary addresses per interface. The
ACE has a system limit of 1,024 secondary addresses.
Command Modes  Interface configuration mode
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
A2(3.0)  The secondary option was added.
A2(3.1)  The number of secondary addresses increased from 4 to 15.
A4(1.0)  The number of secondary addresses decreased from 15 to 4.
A4(1.1)  The number of secondary addresses increased from 4 to 15.
A5(1.0)  Added IPv6 support.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
A4(1.0)  The secondary option was added.
A4(1.1)  The number of secondary addresses increased from 4 to 15.
A5(1.0)  Added IPv6 support.
Usage Guidelines  You must configure redundancy (fault tolerance) on the ACE for the alias IP address to work. For more
information on redundancy, see the Administration Guide, Cisco ACE Application Control Engine.
For stealth firewalls, an ACE balances traffic among unique VLAN alias IP address interfaces on another
ACE that provides paths through the stealth firewalls. You configure a stealth firewall so that all traffic
moving in both directions across that VLAN moves through the same firewall.
For details about firewall load balancing (FWLB), see the Server Load-Balancing Guide, Cisco ACE
Application Control Engine.
You cannot configure secondary IP addresses on FT VLANs.
Examples  To configure an alias IP address and mask, enter:
host1/Admin(config-if)# alias 12.0.0.81 255.0.0.0
To configure a secondary alias IP address, enter:
host1/Admin(config-if)# alias 193.168.12.15 255.255.255.0 secondary
To remove an alias IP address, enter:
host1/Admin(config-if)# no alias 12.0.0.81 255.0.0.0
To remove a secondary alias IP address, enter:
host1/Admin(config-if)# no alias 193.168.12.15 255.255.255.0 secondary
Related Commands  show interface
(config-if) arp
To add a static ARP entry to the ARP table for a VLAN interface, use the arp command. Use the no form
of this command to remove a static ARP entry.
arp ip_address mac_address
no arp ip_address mac_address
Syntax Description
ip_address  IP address for the ARP table entry. Enter the IP address in dotted-decimal notation (for
example, 172.16.27.1).
mac_address  MAC address for the ARP table entry. Enter the MAC address in dotted-hexadecimal
notation (for example, 00.02.9a.3b.94.d9).
Command Modes  Interface configuration mode
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines  Static ARP entries for bridged interfaces are configured on the specific interface.
Examples  To allow ARP responses from the router at 10.1.1.1 with the MAC address 00.02.9a.3b.94.d9, enter:
host1/Admin(config-if)# arp 10.1.1.1 00.02.9a.3b.94.d9
To remove a static ARP entry, use the no arp command. For example, enter:
host1/Admin(config-if)# no arp 10.1.1.1 00.02.9a.3b.94.d9
Related Commands  show arp
(config-if) arp inspection
To enable the ACE to dynamically check the source MAC address in the Ethernet header against the
sender's MAC address in the ARP payload for every ARP packet received by the ACE, use the arp
inspection command. Use the no form of this command to disable source MAC validation and return to
the default.
arp inspection validate src-mac [flood | no-flood]
no arp inspection validate src-mac [flood | no-flood]
Syntax Description
validate src-mac  Instructs the ACE to check the source MAC address in the Ethernet header against the
sender's MAC address in the ARP payload for every ARP packet received by the ACE.
flood  (Optional) Enables ARP forwarding for the interface and forwards ARP packets with nonmatching
source MAC addresses to all interfaces in the bridge group. This is the default option when you enable
dynamic ARP inspection.
no-flood  (Optional) Disables ARP forwarding for the interface and drops ARP packets with
nonmatching source MAC addresses.
Command Modes  Interface configuration mode
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(6.3)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines  The ACE does not learn or update the ARP or MAC tables from packets whose two MAC addresses differ.
By default, dynamic ARP inspection is disabled. If you enable this feature, the default option is flood.
Use this feature for interoperability with third-party firewalls (for example, Check Point).
If ARP inspection fails, then the ACE does not perform source MAC validation. For details about ARP
inspection, see the (config) arp command.
Regardless of whether you enter the flood or the no-flood option, if the sender MAC address in the ARP
payload does not match the source MAC address in the Ethernet header, source MAC validation fails
and the ACE increments the Smac-validation Failed counter of the show arp command.
Examples  To enable the ACE to check the source MAC address in the Ethernet header against the sender's MAC
address in the ARP payload for every ARP packet received by the ACE and to forward (flood) the packets
that fail the check, enter:
host1/Admin(config-if)# arp inspection validate src-mac
To restore the default behavior of not validating source MAC addresses, enter:
host1/Admin(config-if)# no arp inspection validate src-mac
Related Commands  show arp
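The check that validate src-mac performs is a comparison between two fields that a crafted ARP frame can set independently: the source address in the Ethernet header and the sender hardware address inside the ARP payload. The following is an added example, not Cisco code, that builds such frames and applies the flood and no-flood behaviour described above, including the failure counter that show arp reports. The frame layout is Ethernet II followed by RFC 826 ARP; the MAC and IP addresses are constructed, and the 'malformed' and 'not-arp' results for frames the check cannot apply to are this example's choice.

```python
"""Source-MAC validation for ARP frames, as 'arp inspection validate src-mac' does.
Added example for this reference page, not Cisco code. Frames are Ethernet II
plus RFC 826 ARP; the addresses used below are constructed test input."""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ETH_HEADER_LEN = 14
ARP_LEN = 28   # hw type 2, proto type 2, hlen 1, plen 1, op 2, two MACs, two IPv4s


def mac_bytes(text: str) -> bytes:
    """Accept the page's dotted-hex form (00.02.9a.3b.94.d9) or the colon form."""
    return bytes(int(part, 16) for part in text.replace(".", ":").split(":"))


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp_frame(eth_src: str, sender_mac: str, sender_ip: str, target_ip: str,
                    eth_dst: str = "ff:ff:ff:ff:ff:ff", op: int = 1) -> bytes:
    """Ethernet II header followed by an ARP request (op 1) or reply (op 2).
    eth_src and sender_mac are separate parameters on purpose: a spoofed frame
    can set them independently, which is exactly what src-mac validation catches."""
    ethernet = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + b"\x00" * 6 + ip_bytes(target_ip))     # target MAC is zero in a request
    return ethernet + arp


@dataclass
class ArpInspector:
    """Per-interface behaviour of 'arp inspection validate src-mac [flood | no-flood]'."""
    mode: str = "flood"               # default option when the feature is enabled
    smac_validation_failed: int = 0   # the counter reported by show arp

    def inspect(self, frame: bytes) -> str:
        """Return 'accept', 'flood' or 'drop' for an ARP frame; 'not-arp' or
        'malformed' for frames the check does not apply to."""
        if len(frame) < ETH_HEADER_LEN:
            return "malformed"
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype != ETHERTYPE_ARP:
            return "not-arp"
        if len(frame) < ETH_HEADER_LEN + ARP_LEN:
            return "malformed"
        ethernet_src = frame[6:12]
        arp_sender = frame[ETH_HEADER_LEN + 8:ETH_HEADER_LEN + 14]
        if ethernet_src == arp_sender:
            return "accept"           # ARP and MAC tables may be learned or updated
        self.smac_validation_failed += 1
        # Mismatch: never learned. Forwarded to the rest of the bridge group in
        # flood mode (the default), discarded in no-flood mode.
        return "flood" if self.mode == "flood" else "drop"
```

The default flood option keeps the nonmatching frame moving through the bridge group even though the ACE itself refuses to learn from it, so hosts behind the ACE still see it; no-flood is the setting that actually removes the spoofed frame from the segment.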
(config-if) bridge-group
To assign the VLAN to a bridge group, use the bridge-group command. Use the no form of this
command to remove the bridge group from the VLAN.
bridge-group number
no bridge-group
Syntax Description
number  Bridge-group number. Enter an integer from 1 to 4094.
Command Modes  Interface configuration mode
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines  In bridge mode, you can configure two VLAN interfaces into a group and bridge packets between them.
All interfaces are in one broadcast domain, and packets from one VLAN are switched to the other VLAN.
The ACE bridge mode supports only two Layer 2 VLANs per bridge group. In this mode, the VLANs do
not have configured IP addresses.
To enable the bridge-group VLANs, you must configure a bridge-group virtual interface (BVI) that
represents the corresponding bridge group.
Examples  To assign bridge group 15 to the VLAN, enter:
host1/Admin(config-if)# bridge-group 15
To remove the bridge group from the VLAN, enter:
host1/Admin(config-if)# no bridge-group
Related Commands  show interface
(config-if) carrier-delay
(ACE appliance only) To add a configurable delay at the physical port level to address issues with
transition time, based on the variety of peers, use the carrier-delay command. Use the no form of the
command to remove the carrier delay for the Ethernet port.
carrier-delay seconds
no carrier-delay seconds
Syntax Description
seconds  The carrier transition delay in seconds. Valid values are 0 to 120 seconds. The default is 0 (no
carrier delay).
Command Modes  Interface configuration mode
Admin context only
Command History
ACE Appliance Release  Modification
A1(8)  This command was introduced.
Usage Guidelines  If you connect an ACE to a Catalyst 6500 series switch, your configuration on the Catalyst may include
the Spanning Tree Protocol (STP). However, the ACE does not support STP. In this case, you may find
that the Layer 2 convergence time is much longer than the physical port up time. For example, the
physical port would normally be up within 3 seconds, but STP moving to the forwarding state may need
approximately 30 seconds. During this transitional time, although the ACE declares the port to be up,
traffic will not pass.
The carrier-delay command adds a configurable delay at the physical port level to address this transition
time, based on the variety of peers.
Examples  To add a configurable delay of 60 seconds at the physical port level for Ethernet port 3, enter:
host1/Admin(config)# interface gigabitEthernet 1/3
host1/Admin(config-if)# carrier-delay 60
To remove the carrier delay for the Ethernet port, enter:
host1/Admin(config-if)# no carrier-delay 60
Related Commands  show interface
(config-if) channel-group
(ACE appliance only) To map a physical Ethernet port to a port channel when configuring Layer 2
EtherChannels, use the channel-group command. Use the no form of the command to remove the
channel group assigned to the Ethernet port.
channel-group channel_number
no channel-group channel_number
Syntax Description
channel_number  Channel number assigned to this channel group. Valid values are from 1 to 255.
Command Modes  Interface configuration mode
Admin context only
Command History
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines  You can group physical ports together on the ACE to form a logical Layer 2 interface called an
EtherChannel (or port-channel). The channel-group command configures the Ethernet port in a
port-channel group and automatically creates the port-channel logical interface.
It is not necessary to configure a port-channel interface before assigning a physical Ethernet port to a
channel group through the channel-group command. A port-channel interface is created automatically
when the channel group receives its first physical interface, if it is not already created.
Examples  To assign Ethernet port 3 to a channel group with a channel number of 255, enter:
host1/Admin(config)# interface gigabitEthernet 1/3
host1/Admin(config-if)# channel-group 255
To remove the channel group assigned to the Ethernet port, enter:
host1/Admin(config-if)# no channel-group 255
Related Commands  show interface
(config-if) description
To provide a description for a bridge-group virtual interface (BVI) or VLAN interface, use the
description command. Use the no form of this command to delete the description.
description text
no description
Syntax Description
text  Description for the interface. Enter an unquoted text string that contains a maximum of 240
characters, including spaces.
Command Modes  Interface configuration mode
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines  This command has no usage guidelines.
Examples  To provide the description POLICY MAP 3 FOR INBOUND AND OUTBOUND TRAFFIC, enter:
host1/Admin(config-if)# description POLICY MAP 3 FOR INBOUND AND OUTBOUND TRAFFIC
To remove the description for the interface, enter:
host1/Admin(config-if)# no description
Related Commands  show interface
(config-if) duplex
(ACE appliance only) To configure an Ethernet port for full- or half-duplex operation, use the duplex
command in interface configuration mode. The default configuration for an ACE interface is
autonegotiate. Use the no form of this command to revert to autonegotiation.
duplex {full | half}
no duplex
Syntax Description
full  Configures the specified Ethernet port for full-duplex operation, which allows data to travel in both
directions at the same time.
half  Configures the specified Ethernet port for half-duplex operation. A half-duplex setting ensures that
data travels in only one direction at any given time.
Command Modes  Interface configuration mode
Admin context only
Command History
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines  If you configure the Ethernet port speed to auto on a 10/100/1000-Mbps Ethernet port, both speed and
duplex are autonegotiated. The ACE prevents you from making a duplex setting when you configure the
speed of an Ethernet port to auto. The speed command must be a non-auto setting of 10, 100, or
1000 Mbps to be able to configure the duplex setting for the Ethernet port.
Examples  To set the duplex mode to full on Ethernet port 3, enter:
host1/Admin(config)# interface gigabitEthernet 1/3
host1/Admin(config-if)# duplex full
To restore the default setting of autonegotiate for an Ethernet port, enter:
host1/Admin(config-if)# no duplex
Related Commands  (config-if) speed
(config-if) fragment chain
To configure the maximum number of fragments belonging to the same packet that the ACE accepts for
reassembly on a VLAN interface, use the fragment chain command. Use the no form of this command
to reset the default value.
fragment chain number
no fragment chain
Syntax Description
number  Maximum number of fragments that belong to the same packet. Enter an integer from 1 to 256.
The default is 24.
Command Modes  Interface configuration mode
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines  This command has no usage guidelines.
Examples  To configure a fragment chain limit of 126, enter:
host1/C1(config-if)# fragment chain 126
To reset the maximum number of fragments in a packet to the default of 24, enter:
host1/C1(config-if)# no fragment chain
Related Commands  show fragment
(config-if) fragment min-mtu
(config-if) fragment timeout
(config-if) fragment min-mtu
To configure the minimum fragment size that the ACE accepts for reassembly on a VLAN interface, use
the fragment min-mtu command. Use the no form of this command to reset the default value.
fragment min-mtu number
no fragment min-mtu
Syntax Description
number  Minimum fragment size. Enter an integer from 28 to 9216 bytes. The default is 576 bytes.
Command Modes  Interface configuration mode
Admin and user contexts
Command History
ACE Module Release  Modification
3.0(0)A1(2)  This command was introduced.
ACE Appliance Release  Modification
A1(7)  This command was introduced.
Usage Guidelines  This command has no usage guidelines.
Examples  To configure a minimum fragment size of 1024 bytes, enter:
host1/C1(config-if)# fragment min-mtu 1024
To reset the minimum fragment size to the default value of 576 bytes, enter:
host1/C1(config-if)# no fragment min-mtu
Related Commands  show fragment
(config-if) fragment chain
(config-if) fragment timeout
(config-if) fragment timeout
To configure a reassembly timeout for a VLAN interface, use the fragment timeout command. Use the
no form of this command to reset the default value.
fragment timeout seconds
no fragment timeout
Syntax Description
seconds Reassembly timeout in seconds. Enter an integer from 1 to 30. The default is 5.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The IP reassembly timeout specifies the period of time after which the ACE abandons the fragment reassembly process if it does not receive any outstanding fragments for the current fragment chain (fragments that belong to the same packet).
Examples To configure an IP reassembly timeout of 15 seconds, enter:
host1/C1(config-if)# fragment timeout 15
To reset the fragment timeout to the default value of 5 seconds, enter:
host1/C1(config-if)# no fragment timeout
Related Commands show fragment
(config-if) fragment chain
(config-if) fragment min-mtu
(config-if) ft-port vlan
(ACE appliance only) To configure one of the Ethernet ports or a port-channel interface on the ACE for
fault tolerance using a dedicated FT VLAN for communication between the members of an FT group,
use the ft-port vlan command in interface configuration mode. Use the no form of this command to
remove the FT VLAN function from an Ethernet port or port-channel interface.
ft-port vlan number
no ft-port vlan number
Syntax Description
number Unique identifier for the FT VLAN. Valid values are from 2 to 4094.
Command Modes Interface configuration mode
Admin context only
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Peer ACE appliances communicate with each other over a dedicated FT VLAN. These redundant peers use the FT VLAN to transmit and receive heartbeat packets and state and configuration replication packets.
On both peer ACE appliances, you must configure the same Ethernet port or the same port-channel interface as the FT VLAN port. For example, if you configure ACE appliance 1 to use Ethernet port 4 as the FT VLAN port, then be sure to configure ACE appliance 2 to use Ethernet port 4 as the FT VLAN port.
It is not necessary to create an FT VLAN before designating an Ethernet port or port-channel interface as the FT VLAN port.
When you specify the ft-port vlan command, the ACE modifies the associated Ethernet port or port-channel interface to a trunk port.
We recommend that you enable QoS on the FT VLAN port to provide higher priority for FT traffic (see the (config-if) qos trust cos command).
For details on configuring redundant ACE appliances, including an FT VLAN, see the Administration Guide, Cisco ACE Application Control Engine.
Examples To configure FT VLAN identifier 60 for Ethernet port 3, enter:
host1/Admin(config)# interface gigabitEthernet 1/3
host1/Admin(config-if)# ft-port vlan 60
To remove the FT VLAN from the Ethernet port, enter:
host1/Admin(config-if)# no ft-port vlan 60
Related Commands show interface
(config-if) icmp-guard
To enable the ICMP security checks in the ACE after they have been disabled, use the icmp-guard
command. This feature is enabled by default. Use the no form of this command to disable the ICMP
security checks.
icmp-guard
no icmp-guard
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines By default, the ACE provides several ICMP security checks by matching ICMP reply packets with request packets and using mismatched packets to detect attacks. Also, the ACE forwards ICMP error packets only if a connection record pertaining to the flow for which the error packet was received exists.
Caution If you disable the ACE ICMP security checks, you may expose your ACE and your data center to potential security risks. After you enter the no icmp-guard command, the ACE no longer performs Network Address Translation (NAT) translations on the ICMP header and payload in error packets, which potentially can reveal real host IP addresses to attackers.
If you want to operate your ACE as a load balancer only, use the no icmp-guard command to disable the ACE ICMP security checks. You must also disable TCP normalization by using the no normalization command. For details about operating your ACE for load balancing only, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To enable the ACE ICMP security checks after you have disabled them, enter:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# icmp-guard
To disable ACE ICMP security checks, enter:
host1/Admin(config-if)# no icmp-guard
Related Commands (config-if) normalization
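The two checks the usage guidelines describe (reply-to-request matching, and forwarding ICMP errors only for flows with a connection record, with the quoted header translated back to the VIP) as a small stateful model. This is an added illustration, not ACE code; the Flow/IcmpMsg records, the static NAT table and all addresses are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """Constructed 5-tuple used as the connection record key."""
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class IcmpMsg:
    """Constructed ICMP message; errors quote the header of the packet that triggered them."""
    kind: str                 # "echo-request", "echo-reply" or "error"
    src: str
    dst: str
    ident: int = 0
    seq: int = 0
    inner: Optional[Flow] = None


class IcmpGuard:
    """Models icmp-guard (enabled) versus no icmp-guard (disabled) on one interface."""

    def __init__(self, enabled: bool = True, nat: Optional[Dict[str, str]] = None):
        self.enabled = enabled
        self.nat = nat or {}                       # assumed static NAT: real server IP -> VIP
        self.conns: Set[Flow] = set()              # connection records for known flows
        self.pending: Set[Tuple[str, str, int, int]] = set()   # outstanding echo requests
        self.mismatches = 0                        # replies with no matching request

    def open_conn(self, flow: Flow) -> None:
        self.conns.add(flow)

    def _known(self, flow: Flow) -> bool:
        reverse = Flow(flow.proto, flow.dst, flow.src, flow.dport, flow.sport)
        return flow in self.conns or reverse in self.conns

    def inspect(self, msg: IcmpMsg) -> Tuple[str, Optional[Flow]]:
        """Return (verdict, quoted flow as forwarded); verdict is 'forward' or 'drop'."""
        if msg.kind == "echo-request":
            self.pending.add((msg.src, msg.dst, msg.ident, msg.seq))
            return ("forward", None)
        if msg.kind == "echo-reply":
            key = (msg.dst, msg.src, msg.ident, msg.seq)   # a reply mirrors its request
            if key in self.pending:
                self.pending.discard(key)
                return ("forward", None)
            if self.enabled:                               # unsolicited reply: drop and count
                self.mismatches += 1
                return ("drop", None)
            return ("forward", None)
        # ICMP error message.
        inner = msg.inner
        if self.enabled:
            if inner is None or not self._known(inner):
                return ("drop", None)                      # no connection record for the flow
            # Rewrite real-server addresses in the quoted header so the client only sees the VIP.
            inner = Flow(inner.proto, self.nat.get(inner.src, inner.src),
                         self.nat.get(inner.dst, inner.dst), inner.sport, inner.dport)
        return ("forward", inner)
```

With the guard disabled the error is forwarded untranslated, which is the information leak the Caution above warns about.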
(config-if) ip address
To assign an IPv6 or an IPv4 address to a bridge-group virtual interface (BVI) or a VLAN interface, use
the ip address command. Use the no form of this command to remove an IP address from an interface.
ip address {ipv6_address [/prefix_length] [eui64 | link-local | unique-local]} | {ipv4_address mask
[secondary]}
no ip address {ipv6_address [/prefix_length] [eui64 | link-local | unique-local]} | {ipv4_address
mask [secondary]}
Syntax Description
ipv6_address IPv6 address of the interface.
/prefix_length (Optional, except for EUI-64) Specifies how many of the most significant bits (MSBs) of the IPv6 address are used for the network identifier. Enter a forward slash character (/) followed by an integer from 1 to 128. The default is /128. If you use the optional eui64 keyword, you must specify a prefix length and the prefix must be less than or equal to 64.
eui64 (Optional) Specifies that the low order 64 bits are automatically generated in the IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use this keyword, you must specify a prefix length, the prefix must be less than or equal to 64, and the host segment must be all zeros.
link-local (Optional) Specifies that the address is valid only for the current link.
unique-local (Optional) Specifies that this address is globally unique and used only for local communications within a site or organization.
ipv4_address IPv4 address of the interface.
mask Subnet mask of the interface.
secondary (Optional) Configures the address as a secondary IPv4 address allowing multiple subnets under the same interface. You can configure a maximum of 15 secondary addresses per interface. The ACE has a system limit of 1,024 secondary addresses.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(3.0) The secondary option was added.
A2(3.1) The number of secondary addresses increased from 4 to 15.
A4(1.0) The number of secondary addresses decreased from 15 to 4.
A4(1.1) The number of secondary addresses increased from 4 to 15.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) The secondary option was added.
A4(1.1) The number of secondary addresses increased from 4 to 15.
A5(1.0) Added IPv6 support.
Usage Guidelines To process IPv6 traffic on an interface, you must configure the ipv6 enable command on that interface.
You can configure one IPv6 link-local and one IPv6 local-unique address on an interface. If you configure additional addresses of either type, the existing address is overwritten.
Caution Do not configure under a real server a peer IPv6 address that is calculated from EUI64. In a redundant configuration, if you configure a peer IPv6 address as EUI64 on an interface, the address will not be learned by the active member of an FT group because the address is calculated only on the peer. If you then configure the same calculated IPv6 address on the active under a real server, the CLI accepts it because it does not calculate it. This IPv6 address is not synced to the standby because it conflicts with the interface address. If you subsequently apply a probe to the real server, the state of the real server is PROBE-FAILED on the active and OUTOFSERVICE on the standby. This same check applies to VIPs, routes, interfaces, and probes.
When you assign an IPv4 address to an interface, the ACE automatically makes the interface routed.
You must configure a primary IPv4 address for the interface to allow a VLAN to become active. The primary address must be active before a secondary address can be active.
An interface can have only one primary IPv4 address.
When you configure access to an interface, the ACE applies it to all IPv4 addresses configured on the interface.
The ACE treats the secondary addresses the same as a primary address and handles IP broadcasts and ARP requests for the subnet that is assigned to the secondary address as well as the interface routes in the IP routing table.
The ACE accepts client, server, or remote access traffic on the primary and secondary addresses. When the destination for the control plane (CP)-originated packets is Layer 2 adjacent to either the primary subnet or one of the secondary subnets, the ACE uses the appropriate primary or secondary interface IP address for the destination subnet as the source IP address. For any destination that is not Layer 2 adjacent, the ACE uses the primary address as the source IP address. For packets destined to the secondary IP address, the ACE sends the response with the secondary IP address as the source address. SSL probes use the primary IP address as the source address for all the destinations.
You cannot configure secondary IP addresses on FT VLANs. When you configure a query interface to assess the health of the active FT group member, it uses the primary IP address.
You must configure static ARP entries for bridged interfaces on the specific interface.
In a single context, you must configure each interface address on a unique subnet; the addresses cannot overlap. However, the IP subnet can overlap an interface in different contexts.
You must configure a unique IP address across multiple contexts on a shared VLAN. On a nonshared VLAN, the IP address can be the same.
No routing occurs across contexts even when shared VLANs are configured.
Examples IPv6 Examples
To configure an IPv6 link-local address on VLAN 100, enter the following commands:
host1/Admin(config)# interface VLAN 100
host1/Admin(config-if)# ip address FE80:DB8:1::1 link-local
To remove a link-local address from an interface, enter the following commands:
host1/Admin(config)# interface VLAN 100
host1/Admin(config-if)# no ip address FE80:DB8:1::1 link-local
IPv4 Examples
To set the IPv4 address of 192.168.1.1 255.255.255.0 for VLAN interface 200, enter:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# ip address 192.168.1.1 255.255.255.0
To assign a secondary IP address and mask 193.168.1.1 255.255.255.0 to VLAN interface 200, enter the
following command:
host1/Admin(config-if)# ip address 192.168.1.2 255.255.255.0 secondary
To remove the IP address for the VLAN, enter:
host1/Admin(config-if)# no ip address 192.168.1.1 255.255.255.0
To remove a secondary IP address for the VLAN, enter:
host1/Admin(config-if)# no ip address 192.168.1.2 255.255.255.0 secondary
Related Commands show arp
show interface
show ip
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Interface Configuration Mode Commands
(config-if) ip df
To configure how the ACE handles an IP packet that has its Don’t Fragment (DF) bit set on a VLAN
interface, use the ip df command. Use the no form of this command to instruct the ACE to ignore the
DF bit.
ip df {clear | allow}
no ip df
Syntax Description
clear Clears the DF bit and permits the packet. If the packet is larger than the next-hop maximum transmission unit (MTU), the ACE fragments the packet.
allow Permits the packet with the DF bit set. This is the default. If the packet is larger than the next-hop MTU, the ACE discards the packet and sends an ICMP unreachable message to the source host.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Occasionally, an ACE may receive a packet that has its DF bit set in the IP header. This flag tells network routers and the ACE not to fragment the packet and to forward it in its entirety.
Examples To clear the DF bit and permit the packet, enter:
host1/Admin(config-if)# ip df clear
To instruct the ACE to ignore the DF bit, enter:
host1/Admin(config-if)# no ip df
Related Commands This command has no related commands.
(config-if) ip dhcp relay enable
To accept Dynamic Host Configuration Protocol (DHCP) requests on a VLAN interface, use the ip dhcp
relay enable command. Use the no form of this command to disable DHCP on the interface.
ip dhcp relay enable
no ip dhcp relay enable
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The DHCP relay starts forwarding packets to the DHCP server address specified in the ip dhcp relay server command for the associated interface or context.
Examples To enable the DHCP relay on the interface, enter:
host1/Admin(config-if)# ip dhcp relay enable
To disable the DHCP relay on the interface, enter:
host1/Admin(config-if)# no ip dhcp relay enable
Related Commands (config-if) ip dhcp relay enable
(config-if) ip dhcp relay server
(config-if) ip dhcp relay server
To set the IP address of a Dynamic Host Configuration Protocol (DHCP) server to which the DHCP relay
agent forwards client requests on a VLAN interface, use the ip dhcp relay server command. Use the no
form of this command to remove the IP address of the DHCP server.
ip dhcp relay server ip_address
no ip dhcp relay server ip_address
Syntax Description
ip_address IP address of the DHCP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To specify the IP address for the DHCP relay server, enter:
host1/Admin(config-if)# ip dhcp relay server 192.168.20.1
To remove the IP address of the DHCP server, enter:
host1/Admin(config-if)# no ip dhcp relay server 192.168.20.1
Related Commands This command has no related commands.
(config-if) ip options
To configure how the ACE handles IP options and to perform specific actions when an IP option is set
in a packet for a VLAN interface, use the ip options command. Use the no form of this command to
instruct the ACE to ignore the IP option.
ip options {allow | clear | clear-invalid | drop}
no ip options
Syntax Description
allow Allows the packet with the IP options set.
clear Clears the specified option from the packet and allows the packet.
clear-invalid Clears all IP options from the packet if the ACE encounters one or more invalid or unsupported IP options and allows the packet. This option is the default.
drop Causes the ACE to discard the packet.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To allow packets with IP options set, enter:
host1/Admin(config-if)# ip options allow
To reset the ACE to its default of clearing all IP options if the ACE encounters one or more invalid or unsupported IP options, enter:
host1/Admin(config-if)# no ip options
Related Commands This command has no related commands.
(config-if) ip route inject vlan
(ACE module only) To advertise a VLAN for route health injection (RHI) that is different from the VIP
interface VLAN, use the ip route inject vlan command. By default, the ACE advertises the VLAN of
the VIP interface for RHI. Use the no form of this command to restore the ACE default behavior of
advertising the VIP interface VLAN for RHI.
ip route inject vlan vlan_id
no ip route inject vlan vlan_id
Syntax Description
vlan_id Interface shared between the supervisor and the intervening device. Enter the ID as an integer from 2 to 4090.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
Usage Guidelines Use this command when there is no directly shared VLAN between the ACE and the Catalyst 6500 series supervisor. This topology can occur when there is an intervening device, for example, a Cisco Firewall Services Module (FWSM), configured between the ACE and the supervisor.
Be sure to configure this command on the VIP interface of the ACE.
Examples To advertise route 200 for RHI, enter:
host1/Admin(config-if)# ip route inject vlan 200
To restore the ACE default behavior of advertising the VIP interface VLAN for RHI, enter:
host1/Admin(config-if)# no ip route inject vlan 200
Related Commands This command has no related commands.
(config-if) ip ttl minimum
To set the packet time-to-live (TTL) hops in the IP header on a VLAN interface, use the ip ttl minimum
command. By default, the ACE does not rewrite the TTL value of a packet. Use the no form of this
command to reset the default behavior.
ip ttl minimum number
no ip ttl minimum
Syntax Description
number Minimum number of hops that a packet can take to reach its destination. Enter an integer from 1 to 255 seconds.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines Each router along the packet’s path decrements the TTL by one. If the packet’s TTL equals 0 before the packet reaches its destination, the packet is discarded.
If the TTL value of the incoming packet is lower than the configured minimum value, the ACE rewrites the TTL with the configured value. Otherwise, the ACE transmits the packet with its TTL unchanged or discards the packet if the TTL equals zero. This command applies to both IPv4 and IPv6 flows. The configured value replaces the TTL in an IPv4 packet and the hop limit in an IPv6 packet if the original value is lower.
Examples To set the TTL hops to 15, enter:
host1/Admin(config-if)# ip ttl minimum 15
To instruct the ACE to ignore the TTL value, enter:
host1/Admin(config-if)# no ip ttl minimum
Related Commands This command has no related commands.
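The three per-interface IPv4 header settings described above (ip df, ip options and ip ttl minimum) combined into one forwarding decision, so the interplay of the keywords and their no forms can be exercised on constructed packets. This is an added illustration, not ACE code; the Packet record, the set of options treated as valid, the order of the checks and the behaviour of the no forms (DF and options ignored, TTL not rewritten) are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed set of IP option names this model treats as valid; anything else is "invalid".
VALID_OPTIONS = {"nop", "eol", "router-alert"}


@dataclass
class Packet:
    """Constructed IPv4 header summary, not a parsed packet."""
    length: int
    ttl: int
    df: bool
    options: List[str] = field(default_factory=list)


@dataclass
class IfacePolicy:
    """One VLAN interface's settings: None models the 'no' form of each command."""
    ip_df: Optional[str] = "allow"               # "clear", "allow" (default) or None
    ip_options: Optional[str] = "clear-invalid"  # "allow", "clear", "clear-invalid" (default), "drop" or None
    ttl_minimum: Optional[int] = None            # 1..255, or None for 'no ip ttl minimum'
    next_hop_mtu: int = 1500

    def __post_init__(self) -> None:
        if self.ttl_minimum is not None and not 1 <= self.ttl_minimum <= 255:
            raise ValueError("ip ttl minimum must be between 1 and 255")

    def forward(self, pkt: Packet) -> Tuple[str, Packet]:
        """Return (action, packet); action is 'forward', 'fragment', 'icmp-unreachable' or 'drop'."""
        # ip ttl minimum: a TTL below the floor is rewritten; otherwise TTL 0 is discarded.
        if self.ttl_minimum is not None and pkt.ttl < self.ttl_minimum:
            pkt.ttl = self.ttl_minimum
        elif pkt.ttl == 0:
            return ("drop", pkt)

        # ip options: act only when the header actually carries options.
        if pkt.options:
            has_invalid = any(o not in VALID_OPTIONS for o in pkt.options)
            if self.ip_options == "drop":
                return ("drop", pkt)
            if self.ip_options == "clear" or (self.ip_options == "clear-invalid" and has_invalid):
                pkt.options = []
            # "allow" and None leave the options in place.

        # ip df: only matters when the packet exceeds the next-hop MTU.
        if pkt.length > self.next_hop_mtu:
            if pkt.df and self.ip_df == "allow":
                return ("icmp-unreachable", pkt)     # discarded, source is told
            if pkt.df and self.ip_df == "clear":
                pkt.df = False                        # bit cleared, then fragmented
            return ("fragment", pkt)                  # DF clear, or DF ignored (no ip df)
        return ("forward", pkt)
```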
(config-if) ip verify reverse-path
To enable reverse-path forwarding (RPF) based on the source IP address for a VLAN interface, use the
ip verify reverse-path command. By default, URPF is disabled on the interface. Use the no form of this
command to reset the default behavior.
ip verify reverse-path
no ip verify reverse-path
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Unicast reverse-path forwarding (URPF) helps to mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by allowing the ACE to discard IP packets that lack a verifiable source IP address. This feature enables the ACE to filter both ingress and egress packets to verify addressing and route integrity. The route lookup is typically based on the destination address, not the source address.
When you enable URPF, the ACE discards packets if no route is found or if the route does not match the interface on which the packet arrived.
You cannot use this command when RPF based on the source MAC address for a VLAN interface is enabled through the (config-if) mac-sticky enable command.
Examples To enable RPF, enter:
host/Admin(config-if)# ip verify reverse-path
To disable RPF, enter:
host/Admin(config-if)# no ip verify reverse-path
Related Commands (config-if) mac-sticky enable
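The URPF decision from the usage guidelines (look the source address up in the routing table; drop when there is no route or when the route's interface is not the ingress interface), applied to a constructed routing table. This is an added illustration, not ACE code; the interface names, prefixes and the longest-prefix-match lookup are assumptions, and the default-route case shows why a client-facing default route makes the check permissive on that interface.

```python
import ipaddress
from typing import List, Optional, Tuple

IPNetwork = ipaddress._BaseNetwork


class RoutingTable:
    """Minimal table of (prefix, egress interface) entries with longest-prefix match."""

    def __init__(self) -> None:
        self.routes: List[Tuple[IPNetwork, str]] = []

    def add(self, prefix: str, iface: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix, strict=False), iface))

    def lookup(self, addr: str) -> Optional[str]:
        """Return the egress interface for addr, or None when no route covers it."""
        ip = ipaddress.ip_address(addr)
        best: Optional[Tuple[IPNetwork, str]] = None
        for net, iface in self.routes:
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, iface)
        return best[1] if best else None


def urpf_verdict(table: RoutingTable, ingress_iface: str, src: str,
                 enabled: bool = True) -> Tuple[str, str]:
    """Return ('forward' | 'drop', reason) for a packet from src arriving on ingress_iface."""
    if not enabled:                                   # no ip verify reverse-path
        return ("forward", "urpf disabled on interface")
    via = table.lookup(src)                           # lookup on the SOURCE address
    if via is None:
        return ("drop", "no route to source address")
    if via != ingress_iface:
        return ("drop", f"route to source points to {via}, packet arrived on {ingress_iface}")
    return ("forward", "source reachable via ingress interface")


def audit(table: RoutingTable, packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the check to (ingress_iface, src) pairs; handy for replaying constructed traffic."""
    return [(iface, src, urpf_verdict(table, iface, src)[0]) for iface, src in packets]
```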
(config-if) ipv6 dhcp relay enable
To configure the ACE to accept DHCP requests from IPv6 clients on the associated context or VLAN
interface and enable the DHCP relay agent, use the ipv6 dhcp relay enable command. Use the no form
of this command to disable DHCP relay on the specified context or interface.
ipv6 dhcp relay enable
no ipv6 dhcp relay enable
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode and interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To enable the DHCP relay agent globally for all VLAN interfaces associated with a context, enter the following command:
host1/Admin(config)# ipv6 dhcp relay enable
To enable the DHCP relay agent at the VLAN interface level, enter the following command:
host1/Admin(config)# ipv6 dhcp relay enable
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 dhcp relay enable
To disable the DHCP relay agent globally for VLAN interfaces in a context where DHCP relay is not explicitly configured, enter the following command:
host1/Admin(config)# no ipv6 dhcp relay enable
To disable the DHCP relay agent on a VLAN interface, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# no ipv6 dhcp relay enable
Related Commands show ipv6
(config-if) ipv6 dhcp relay fwd-interface
(config-if) ipv6 dhcp relay server
(config-if) ipv6 dhcp relay fwd-interface
To configure a forwarding VLAN interface that the ACE uses to forward DHCP requests, use the ipv6
dhcp relay fwd-interface command. Use the no form of this command to remove the forwarding VLAN
interface from the configuration.
ipv6 dhcp relay fwd-interface vlan vlan_id
no ipv6 dhcp relay fwd-interface vlan vlan_id
Syntax Description
vlan vlan_id Specifies the VLAN interface number that the ACE uses to forward DHCP requests. Enter the number of an existing VLAN interface as an integer from 2 to 4094.
Command Modes Configuration mode and interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines When you configure this command, the ACE uses the specified VLAN interface to forward all client DHCP requests to the All_DHCP_Relay_Agents_and_Servers address of FF02::1:2.
Examples To configure VLAN200 as the DHCP forwarding VLAN interface, enter the following command:
host1/Admin(config)# ipv6 dhcp relay fwd-interface vlan 200
To remove the forwarding VLAN interface from the configuration, enter the following command:
host1/Admin(config)# no ipv6 dhcp relay fwd-interface vlan 200
Related Commands show ipv6
(config-if) ipv6 dhcp relay enable
(config-if) ipv6 dhcp relay server
(config-if) ipv6 dhcp relay server
To set the IP address of a DHCP server to which the DHCP relay agent forwards client requests, use the
ipv6 dhcp relay server command. Use the no form of this command to remove the IPv6 address of a
DHCP server from a VLAN interface.
ipv6 dhcp relay server ipv6_address [fwd-interface vlan vlan_id]
no ipv6 dhcp relay server ipv6_address [fwd-interface vlan vlan_id]
Syntax Description
ipv6_address Specifies the IPv6 address of the destination DHCPv6 server.
fwd-interface vlan vlan_id (Optional) Specifies the outgoing forwarding interface if the DHCP server address is a link-local address.
Command Modes Configuration mode and interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To set the IPv6 address of a DHCPv6 relay server globally for all interfaces associated with a context, enter:
host1/Admin(config)# ipv6 dhcp relay enable
host1/Admin(config)# ipv6 dhcp relay server 2001:DB8:1::1/64
To set the IPv6 address of a DHCP relay server at the VLAN interface level, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ipv6 dhcp relay enable
host1/Admin(config-if)# ipv6 dhcp relay server 2001:DB8:1::1/64
To set the IPv6 address of a DHCPv6 server that is reachable on its link-local address, enter the following commands:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ipv6 dhcp relay enable
host1/Admin(config-if)# ipv6 dhcp relay server fe80::250:56ff:fe90:2c fwd-interface vlan 100
To remove the IP address of a DHCP server from a VLAN interface, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# no ipv6 dhcp relay server 2001:DB8:1::1/64
Related Commands show ipv6
(config-if) ipv6 dhcp relay enable
(config-if) ipv6 dhcp relay fwd-interface
(config-if) ipv6 enable
To enable IPv6 on an interface, use the ipv6 enable command. By default, IPv6 is disabled on an interface. Use the no form of this command to reset the default behavior. The syntax of this command is as follows:
ipv6 enable
no ipv6 enable
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines The interface cannot be in bridged mode. The interface may or may not have IPv4 addresses configured on it.
Examples To enable IPv6 processing on an interface, enter:
host/Admin(config-if)# ipv6 enable
To disable IPv6 processing on an interface, enter:
host/Admin(config-if)# no ipv6 enable
Related Commands
(config-if) ipv6 extension-header
To configure how the ACE processes IPv6 extension headers, use the ipv6 extension-header command.
Use the no form of this command to return the ACE behavior to the default of dropping packets that
contain an extension header with an invalid option.
ipv6 extension-header {allow | clear | clear-invalid | drop}
no ipv6 extension-header {allow | clear | clear-invalid | drop}
Syntax Description
allow If a packet contains an IPv6 extension header, the ACE allows the packet with all the header options.
clear If a packet contains an IPv6 extension header, the ACE clears all the IPv6 extension header options and allows the packet.
clear-invalid If a packet contains an IPv6 extension header and one of the header options is invalid, the ACE clears all the extension header options and allows the packet.
drop (Default) If the packet contains an IPv6 extension header and one of the header options is invalid, the ACE drops the packet.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines The default option is drop. There is no provision to selectively choose which extension header to act on.
Examples To configure the ACE to clear IPv6 extension headers and allow the packet, enter the following commands:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# ipv6 extension-header clear
To reset the behavior of the ACE to the default of dropping packets with invalid IPv6 extension headers, enter the following command:
host1/Admin(config-if)# no ipv6 extension-header
Related Commands This command has no related commands.
(config-if) ipv6 fragment chain
To configure the maximum number of fragments belonging to the same packet that the ACE accepts for
reassembly, use the ipv6 fragment chain command. Use the no form of this command to reset the
maximum number of fragments in a packet to the default of 24.
ipv6 fragment chain number
no ipv6 fragment chain number
Syntax Description
number Specifies the fragment chain limit as an integer from 1 to 256 fragments. The default is 24 fragments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines The default option is drop. There is no provision to selectively choose which extension header to act on.
Examples To set the IPv6 fragment chain limit as 48, enter the following command:
host1/C1(config-if)# ipv6 fragment chain 48
To reset the maximum number of fragments in a packet to the default of 24, enter the following command:
host1/C1(config-if)# no ipv6 fragment chain
Related Commands (config-if) ipv6 fragment min-mtu
(config-if) ipv6 fragment timeout
(config-if) ipv6 fragment min-mtu
To configure the minimum fragment size that the ACE accepts for reassembly, use the ipv6 fragment
min-mtu command. Use the no form of this command to reset the minimum fragment size to the default
value of 1280 bytes.
ipv6 fragment min-mtu number
no ipv6 fragment min-mtu number
Syntax Description
number Specifies the minimum fragment size as an integer from 68 to 1280 bytes. The default is 1280 bytes.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure the minimum IPv6 fragment size that the ACE accepts for reassembly, enter the following command:
host1/C1(config-if)# ipv6 fragment min-mtu 1024
To reset the minimum fragment size to the default value of 1280 bytes, enter the following command:
host1/C1(config-if)# no ipv6 fragment min-mtu
Related Commands (config-if) ipv6 fragment chain
(config-if) ipv6 fragment timeout
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Interface Configuration Mode Commands
(config-if) ipv6 fragment timeout
To configure the IPv6 reassembly timeout, use the ipv6 fragment timeout command. Use the no form of this command to reset the fragment timeout to the default value of 60 seconds.
ipv6 fragment timeout seconds
no ipv6 fragment timeout seconds
Syntax Description
seconds    Specifies the fragment reassembly timeout. Enter an integer from 1 to 60 seconds. The default is 60 seconds.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines The IPv6 reassembly timeout specifies the period of time after which the ACE abandons the fragment reassembly process if it does not receive any outstanding fragments for the current fragment chain (fragments that belong to the same packet).
Examples To set the fragment reassembly timeout to 30 seconds, enter the following command:
host1/C1(config-if)# ipv6 fragment timeout 30
To reset the fragment timeout to the default value of 60 seconds, enter the following command:
host1/C1(config-if)# no ipv6 fragment timeout
Related Commands (config-if) ipv6 fragment chain
(config-if) ipv6 fragment min-mtu
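The three reassembly limits above (fragment chain, min-mtu and timeout) act together on every fragment chain the ACE tracks. The following Python model, added here as an illustration and not part of the Cisco reference or the ACE software, shows the decisions a reassembly engine makes under those three settings: a fragment chain that exceeds the chain limit is discarded, an undersized non-last fragment is refused, and a chain that receives no fragment within the timeout is abandoned. The Fragment and ReassemblyPolicy classes, the assumption that min-mtu applies to non-last fragments only, and the arrival timestamps are all constructed for this example.

```python
from dataclasses import dataclass, field

IPV6_HDR = 40   # fixed IPv6 header length
FRAG_HDR = 8    # Fragment extension header length


@dataclass
class Fragment:
    """One IPv6 fragment of a larger packet (constructed for this example)."""
    ident: int        # Fragment header Identification field (shared by one packet)
    offset: int       # payload offset in bytes (a multiple of 8 on the wire)
    payload_len: int  # upper-layer payload bytes carried by this fragment
    more: bool        # M flag: True on every fragment except the last
    ts: float         # constructed arrival time, in seconds

    @property
    def size(self) -> int:
        return IPV6_HDR + FRAG_HDR + self.payload_len


@dataclass
class Chain:
    frags: list = field(default_factory=list)
    last_seen: float = 0.0


@dataclass
class ReassemblyPolicy:
    chain_limit: int = 24    # models (config-if) ipv6 fragment chain, 1-256, default 24
    min_mtu: int = 1280      # models (config-if) ipv6 fragment min-mtu, 68-1280, default 1280
    timeout: float = 60.0    # models (config-if) ipv6 fragment timeout, 1-60 s, default 60
    chains: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)   # (ident, reason) for every abandoned chain

    def _expire(self, now: float) -> None:
        # Abandon chains with no new fragment for longer than the timeout.
        for ident, chain in list(self.chains.items()):
            if now - chain.last_seen > self.timeout:
                del self.chains[ident]
                self.dropped.append((ident, "timeout"))

    @staticmethod
    def _complete(chain: Chain) -> bool:
        # A chain is complete when the fragments cover offset 0 .. end contiguously
        # and the highest one carries M=0.
        frags = sorted(chain.frags, key=lambda f: f.offset)
        if frags[-1].more:
            return False
        expect = 0
        for f in frags:
            if f.offset != expect:
                return False
            expect += f.payload_len
        return True

    def accept(self, f: Fragment) -> str:
        self._expire(f.ts)
        # Assumption: the min-mtu floor is applied to non-last fragments only.
        if f.more and f.size < self.min_mtu:
            self.dropped.append((f.ident, "min-mtu"))
            return "drop:min-mtu"
        chain = self.chains.setdefault(f.ident, Chain())
        if len(chain.frags) >= self.chain_limit:
            del self.chains[f.ident]
            self.dropped.append((f.ident, "chain-limit"))
            return "drop:chain-limit"
        chain.frags.append(f)
        chain.last_seen = f.ts
        if self._complete(chain):
            del self.chains[f.ident]
            return "reassembled"
        return "pending"


def demo():
    """Run constructed fragment chains through a policy with a chain limit of 3."""
    p = ReassemblyPolicy(chain_limit=3, min_mtu=1280, timeout=60)
    big = 1280 - IPV6_HDR - FRAG_HDR   # payload that makes exactly a 1280-byte fragment
    results = []
    # chain 1: three fragments that cover the packet completely
    results.append(p.accept(Fragment(1, 0, big, True, 0.0)))
    results.append(p.accept(Fragment(1, big, big, True, 0.1)))
    results.append(p.accept(Fragment(1, 2 * big, 100, False, 0.2)))
    # chain 2: a fourth fragment exceeds the chain limit of 3
    for i in range(3):
        p.accept(Fragment(2, i * big, big, True, 1.0))
    results.append(p.accept(Fragment(2, 3 * big, 100, False, 1.1)))
    # chain 3: an undersized non-last fragment (248 bytes on the wire)
    results.append(p.accept(Fragment(3, 0, 200, True, 2.0)))
    # chain 4: the first fragment is abandoned once the timeout has elapsed
    p.accept(Fragment(4, 0, big, True, 10.0))
    results.append(p.accept(Fragment(4, big, 100, False, 80.0)))
    return results, p.dropped


if __name__ == "__main__":
    print(demo())
```

The demo returns one decision per fragment plus the list of abandoned chains, so the effect of lowering the chain limit (here to 3) or shortening the timeout can be read directly from the output.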
(config-if) ipv6 icmp-guard
To enable the ICMP security checks in the ACE after they have been disabled, use the ipv6 icmp-guard command. This feature is enabled by default. Use the no form of this command to disable the ICMP security checks.
ipv6 icmp-guard
no ipv6 icmp-guard
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines Use the no form of this command as part of an overall strategy to operate the ACE as a pure server load balancer. For details, see Chapter 1, Overview, in the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
The ACE provides several ICMP security checks by matching ICMP reply packets with request packets and using mismatched packets to detect attacks. Also, the ACE forwards ICMP error packets only if a connection record exists pertaining to the flow for which the error packet was received. By default, the ACE ICMP security checks are enabled.
Caution Disabling the ACE ICMPv6 security checks may expose your ACE and your data center to potential security risks. After you enter the no ipv6 icmp-guard command, the ACE no longer performs NAT translations on the ICMPv6 header and payload in error packets, which potentially can reveal real host IPv6 addresses to attackers.
When the ipv6 icmp-guard command is enabled, only the "Packet Too Big" ICMPv6 message is allowed. To allow other ICMPv6 error messages (for example, the "Time Exceeded" message or the "Parameter Problem" message), the ipv6 icmp-guard command should be disabled.
Examples To disable ICMPv6 security checks on interface VLAN 100, enter:
host1/C1(config)# interface vlan 100
host1/C1(config-if)# no ipv6 icmp-guard
To reenable ICMPv6 security checks, enter:
host1/C1(config-if)# ipv6 icmp-guard
Related Commands (config-if) ipv6 normalization
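The usage guidelines above describe three checks: replies are matched against outstanding requests, error messages are forwarded only when a connection record exists for the embedded flow, and with the guard enabled only "Packet Too Big" is allowed through. The following Python model, added here as an illustration and not code from the Cisco reference or the ACE software, shows those decisions on constructed ICMPv6 messages; the Icmp6 record, the IcmpGuard class and the sample addresses are assumptions of this example, and the guard's internal matching state is not something the page documents.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ECHO_REQUEST, ECHO_REPLY = 128, 129                        # ICMPv6 informational types (RFC 4443)
DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ERROR_TYPES = {DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM}

Flow = Tuple[str, str, str, int, int]   # (src, dst, proto, sport, dport)


@dataclass(frozen=True)
class Icmp6:
    """Constructed ICMPv6 message; `embedded` is the flow of the packet quoted in an error."""
    src: str
    dst: str
    type: int
    ident: int = 0
    seq: int = 0
    embedded: Optional[Flow] = None


class IcmpGuard:
    def __init__(self, enabled: bool = True):
        self.enabled = enabled      # False models "no ipv6 icmp-guard" on the interface
        self.pending = set()        # outstanding echo requests: (src, dst, ident, seq)
        self.conns = set()          # connection records, stored in both directions
        self.alerts = []            # what a defender would log about mismatched packets

    def add_connection(self, flow: Flow) -> None:
        s, d, proto, sp, dp = flow
        self.conns.add(flow)
        self.conns.add((d, s, proto, dp, sp))

    def inspect(self, pkt: Icmp6) -> str:
        if pkt.type == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "forward"
        if pkt.type == ECHO_REPLY:
            if not self.enabled:
                return "forward"
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)   # reply mirrors the request
            if key in self.pending:
                self.pending.discard(key)
                return "forward"
            self.alerts.append(("unsolicited-echo-reply", pkt.src))
            return "drop"
        if pkt.type in ERROR_TYPES:
            if not self.enabled:
                return "forward"
            if pkt.type != PACKET_TOO_BIG:
                self.alerts.append(("error-type-not-allowed", pkt.type))
                return "drop"
            if pkt.embedded is None or pkt.embedded not in self.conns:
                self.alerts.append(("error-without-connection", pkt.src))
                return "drop"
            return "forward"
        return "forward"   # other informational messages are not modelled here


def demo():
    """Guard enabled on a VLAN with one tracked TCP connection (constructed addresses)."""
    g = IcmpGuard(enabled=True)
    client, server, router = "2001:db8::10", "2001:db8:1::80", "2001:db8:ffff::1"
    g.add_connection((client, server, "tcp", 40000, 443))
    out = [
        g.inspect(Icmp6(client, server, ECHO_REQUEST, 7, 1)),
        g.inspect(Icmp6(server, client, ECHO_REPLY, 7, 1)),     # matches the request
        g.inspect(Icmp6(server, client, ECHO_REPLY, 7, 99)),    # no matching request
        g.inspect(Icmp6(router, client, PACKET_TOO_BIG,
                        embedded=(client, server, "tcp", 40000, 443))),     # known flow
        g.inspect(Icmp6(router, client, PACKET_TOO_BIG,
                        embedded=(client, "2001:db8:1::81", "tcp", 40001, 443))),  # unknown
        g.inspect(Icmp6(router, client, TIME_EXCEEDED,
                        embedded=(client, server, "tcp", 40000, 443))),     # type not allowed
    ]
    # The same Time Exceeded message passes once the guard is disabled.
    off = IcmpGuard(enabled=False)
    out.append(off.inspect(Icmp6(router, client, TIME_EXCEEDED,
                                 embedded=(client, server, "tcp", 40000, 443))))
    return out, g.alerts


if __name__ == "__main__":
    print(demo())
```

The alerts list is the part a security operator would wire to logging: an unsolicited echo reply or an error quoting a flow the device never saw is exactly the mismatch the guidelines say the ACE uses to detect attacks.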
(config-if) ipv6 mtu
To specify the maximum transmission unit (MTU) for an IPv6 VLAN interface, use the ipv6 mtu command. This command allows you to set the data size that is sent on a Layer 3 IPv6 connection. Use the no form of this command to reset the MTU block size to the default of 1500 bytes for Layer 3 interfaces.
ipv6 mtu bytes
no ipv6 mtu
Syntax Description
bytes    Number of bytes in the MTU. Enter a number from 1280 to 9216 bytes. The default is 1500.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines The default MTU is a 1500-byte block for Layer 3 interfaces. This value is sufficient for most applications, but you can pick a lower number if network conditions require it. The ACE fragments packets that are larger than the MTU value before sending them to the next hop.
This command is valid only for Layer 3 interfaces (VLANs or BVIs). The ACE will not recognize this command on a transparent (Layer 2) interface.
Examples To specify the MTU data size for a Layer 3 interface, enter the following command:
host1/admin(config-if)# ipv6 mtu 1300
To reset the MTU block size to the default value of 1500 for Layer 3 interfaces, enter:
host1/admin(config-if)# no ipv6 mtu
Related Commands show interface
(config-if) ipv6 nd dad-attempts
To set the number of times that the ACE solicits its neighbors for duplicate address detection (DAD) information on the local link, use the ipv6 nd dad-attempts command. Use the no form of this command to reset the ACE behavior to the default of sending NS messages for DAD once.
ipv6 nd dad-attempts number
no ipv6 nd dad-attempts number
Syntax Description
number    Specifies the number of times that the ACE sends NS messages to its neighbors on the local link for DAD. Enter an integer from 0 to 255. The default is 1.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure the ACE to send NS messages three times for DAD, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 nd dad-attempts 3
To reset the ACE behavior to the default of sending NS messages for DAD once, enter the following command:
host1/Admin(config-if)# no ipv6 nd dad-attempts
Related Commands
(config-if) ipv6 nd managed-config-flag
To instruct the ACE to notify hosts that they should use Dynamic Host Configuration Protocol (DHCP) for address configuration, use the ipv6 nd managed-config-flag command. Use the no form of this command to reset the ACE behavior to the default of not notifying hosts to use DHCP.
ipv6 nd managed-config-flag
no ipv6 nd managed-config-flag
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct hosts to use DHCP for address configuration, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 nd managed-config-flag
To reset the ACE behavior to the default of not notifying hosts to use DHCP, enter the following command:
host1/Admin(config-if)# no ipv6 nd managed-config-flag
Related Commands This command has no related commands.
(config-if) ipv6 nd ns-interval
To configure the interval at which the ACE sends neighbor solicitation (NS) messages for duplicate address detection (DAD) attempts, use the ipv6 nd ns-interval command. Use the no form of this command to reset the NS interval to the default value of 1000 msecs.
ipv6 nd ns-interval interval
no ipv6 nd ns-interval interval
Syntax Description
ns-interval    Indicates the frequency of the neighbor solicitation (NS) messages that are sent by the ACE.
interval    Specifies the frequency in milliseconds (msecs) of the NS messages that are sent by the ACE. Enter an integer from 1000 to 2147483647. The default is 1000 msecs.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines The ACE sends neighbor solicitation messages via ICMPv6 on the local link to determine the IPv6 addresses of nearby nodes (hosts or routers).
Examples To configure an NS frequency of 36000 msecs, enter the following commands:
host1/Admin(config)# interface VLAN 100
host1/Admin(config-if)# ipv6 nd ns-interval 36000
To reset the NS interval to the default value of 1000 msecs, enter the following commands:
host1/Admin(config)# interface VLAN 100
host1/Admin(config-if)# no ipv6 nd ns-interval 36000
Related Commands (config) ipv6 nd interval
(config-if) ipv6 nd other-config-flag
To notify hosts that they should use DHCP for nonaddress configurations, use the ipv6 nd other-config-flag command. Use the no form of this command to reset the ACE behavior to the default of not notifying hosts to use DHCP for nonaddress configurations.
ipv6 nd other-config-flag
no ipv6 nd other-config-flag
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct hosts to use DHCP for nonaddress configurations, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 nd other-config-flag
To reset the ACE behavior to the default of not notifying hosts to use DHCP for nonaddress configurations, enter the following command:
host1/Admin(config-if)# no ipv6 nd other-config-flag
Related Commands
(config-if) ipv6 nd prefix
To configure the prefixes that the ACE advertises in RA messages on the local link, use the ipv6 nd prefix command. Use the no form of this command to remove the prefix from RA messages.
ipv6 nd prefix ipv6_address/prefix_length [no-advertise | no-autoconfig | off-link | [pref-lt | valid-lt {number | infinite}]]
no ipv6 nd prefix ipv6_address/prefix_length [no-advertise | no-autoconfig | off-link | [pref-lt | valid-lt {number | infinite}]]
Syntax Description
ipv6_address/prefix_length    Specifies the prefix that the ACE advertises in RA messages.
no-advertise    (Optional) Instructs the ACE to not advertise the prefix.
no-autoconfig    (Optional) Specifies that the prefix should not be used for autoconfiguration.
off-link    (Optional) Flag related to the L-bit as defined in RFC 2461. When you specify the optional off-link keyword, the L-bit flag is turned off, which indicates that the specified prefix should not be used for on-link determination. However, when the L-bit is enabled (the default setting), it indicates in the router advertisement messages that the specified prefix is assigned to the local link. Therefore, nodes sending traffic to addresses that contain the specified prefix consider the destination to be locally reachable on the link.
pref-lt number    (Optional) Length of time in seconds that the prefix is preferred. For the number argument, enter an integer from 0 to 2147483647. The default is 604800 seconds (seven days).
valid-lt number    (Optional) Length of time in seconds that the prefix is valid. For the number argument, enter an integer from 0 to 2147483647. The default is 2592000 seconds (30 days).
infinite    (Optional) Specifies that the prefix never expires.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines You can configure a maximum of two prefixes for RA.
Examples To configure the prefixes that the ACE advertises in RA messages, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 nd prefix 2001:DB8:1::2/64 valid-lt 3000000
To remove the prefix from RA messages, enter the following command:
host1/Admin(config-if)# no ipv6 nd prefix 2001:DB8:1::2/64 valid-lt 3000000
Related Commands
(config-if) ipv6 nd ra hop-limit
To configure the hop limit in the IPv6 header that the ACE's neighbors should use when originating IPv6 packets, use the ipv6 nd ra hop-limit command. Use the no form of this command to reset the hop limit to the default value of 64.
ipv6 nd ra hop-limit number
no ipv6 nd ra hop-limit number
Syntax Description
number    Specifies the number of hops that neighbors should use when they originate IPv6 packets. Enter an integer from 0 to 255. The default is 64.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure the number of hops that neighbors should use when originating IPv6 packets, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 nd ra hop-limit 32
To reset the hop limit to the default of 64, enter the following command:
host1/Admin(config-if)# no ipv6 nd ra hop-limit 32
Related Commands (config-if) ipv6 nd ra interval
(config-if) ipv6 nd ra lifetime
(config-if) ipv6 nd ra suppress
(config-if) ipv6 nd ra interval
To configure the rate at which the ACE sends router advertisement (RA) messages, use the ipv6 nd ra interval command. Use the no form of this command to reset the interval to the default of 600 seconds (10 minutes).
ipv6 nd ra interval number
no ipv6 nd ra interval number
Syntax Description
number    Specifies the rate in seconds at which the ACE sends RA messages to other nodes on the local link. Enter an integer from 4 to 1800. The default is 600.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure the ACE to send RA messages every 900 seconds (15 minutes), enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 nd ra interval 900
To reset the interval to the default of 600 seconds (10 minutes), enter the following command:
host1/Admin(config-if)# no ipv6 nd ra interval
Related Commands (config-if) ipv6 nd ra hop-limit
(config-if) ipv6 nd ra lifetime
(config-if) ipv6 nd ra suppress
(config-if) ipv6 nd ra lifetime
The router advertisement (RA) lifetime is the length of time that neighboring nodes should consider the ACE as the default router before they send RS messages again. To configure the RA lifetime, use the ipv6 nd ra lifetime command. Use the no form of this command to reset the interval to the default of 600 seconds (10 minutes).
ipv6 nd ra lifetime number
no ipv6 nd ra lifetime number
Syntax Description
number    Specifies the length of time in seconds that the neighboring nodes should consider the ACE as the default router. Enter an integer from 0 to 9000. The default is 1800 seconds (30 minutes).
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure an RA lifetime of 2400 seconds (40 minutes), enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 nd ra lifetime 2400
To reset the RA lifetime to the default of 1800 seconds (30 minutes), enter the following command:
host1/Admin(config-if)# no ipv6 nd ra lifetime
Related Commands (config-if) ipv6 nd ra hop-limit
(config-if) ipv6 nd ra interval
(config-if) ipv6 nd ra suppress
(config-if) ipv6 nd ra suppress
To configure the ACE to not respond to router solicitation (RS) messages, use the ipv6 nd ra suppress command. Use the no form of this command to return the ACE to the default behavior of automatically responding to RS messages.
ipv6 nd ra suppress
no ipv6 nd ra suppress
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure the ACE to not send RA messages to neighbors in response to RS messages, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 nd ra suppress
To reset the ACE behavior to the default of always sending RA messages in response to RS messages, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# no ipv6 nd ra suppress
Related Commands (config-if) ipv6 nd ra hop-limit
(config-if) ipv6 nd ra interval
(config-if) ipv6 nd ra lifetime
(config-if) ipv6 nd reachable-time
To configure the neighbor reachable time, use the ipv6 nd reachable-time command. Use the no form of this command to reset the reachable time value to the default of 0 milliseconds (msecs).
ipv6 nd reachable-time number
no ipv6 nd reachable-time number
Syntax Description
number    Specifies the length of time in milliseconds (msecs) after which a node is considered reachable. Enter an integer from 0 to 3600000 msecs. The default is 0.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines The reachable time parameter specifies the time in milliseconds during which a host considers a peer as reachable following the host's receipt of a reachability confirmation from the peer. A reachability confirmation can be an NA or NS message or any upper-protocol traffic. The ACE sends the reachable time value in RA messages in response to RS messages.
Examples To configure the ACE to send a reachable time value of 2000 msecs, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 nd reachable-time 2000
To restore the reachable time value to the default of 1000 msecs, enter the following command:
host1/Admin(config-if)# no ipv6 nd reachable-time
Related Commands
(config-if) ipv6 nd retransmission-time
To configure the time during which NS messages (including DAD) are retransmitted, use the ipv6 nd retransmission-time command. Use the no form of this command to restore the NS retransmission time value to the default of 0 milliseconds (msecs).
ipv6 nd retransmission-time number
no ipv6 nd retransmission-time number
Syntax Description
number    Specifies the time in seconds during which NS messages are retransmitted. Enter an integer from 0 to 3600000. The default is 0.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines The ND retransmission time is related to RA and applies to hosts.
Examples To configure the NS retransmission time for hosts, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 nd retransmission-time 1000
To restore the NS retransmission time value to the default of 0 msecs, enter the following command:
host1/Admin(config-if)# no ipv6 nd retransmission-time
Related Commands
(config-if) ipv6 neighbor
To configure a static ND entry that maps an IPv6 address to a Layer 2 address, use the ipv6 neighbor command. Use the no form of this command to remove the static ND entry.
ipv6 neighbor ipv6_address mac_address
no ipv6 neighbor ipv6_address mac_address
Syntax Description
ipv6_address    IPv6 address of the host.
mac_address    Layer 2 media access control (MAC) address.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines The ACE stores the static neighbor entry in the ND cache.
Examples To configure a static ND entry, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 neighbor 2001:DB8:1::2 00-0c-f1-56-98-ad
To remove the static ND entry, enter the following commands:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# no ipv6 neighbor
Related Commands This command has no related commands.
(config-if) ipv6 normalization
To enable TCP normalization on an IPv6 interface after it has been disabled, use the ipv6 normalization command. This feature is enabled by default. Use the no form of this command to disable TCP normalization.
ipv6 normalization
no ipv6 normalization
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines By default, TCP normalization is enabled.
Caution If you disable TCP normalization, you may expose your ACE and your data center to potential security risks. TCP normalization helps protect the ACE and the data center from attackers by enforcing strict security policies that are designed to examine traffic for malformed or malicious segments.
To operate your ACE for load balancing only, disable TCP normalization by entering the no ipv6 normalization command. You must also disable the ACE Internet Control Message Protocol (ICMP) security checks by using the no icmp-guard command. For details about operating your ACE as a load balancer only, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Disabling TCP normalization affects only Layer 4 traffic. TCP normalization is always enabled for Layer 7 traffic.
Use the no ipv6 normalization command when you encounter the following two types of asymmetric flows, which would otherwise be blocked by the normalization checks that the ACE performs:
• The ACE sees only the client-to-server traffic. For example, for a TCP connection, the ACE sees the SYN from the client, but not the SYN-ACK from the server. In this case, apply the no ipv6 normalization command to the client-side VLAN.
• The ACE sees only the server-to-client traffic. For example, for a TCP connection, the ACE receives a SYN-ACK from the server without having received the SYN from the client. In this case, apply the no ipv6 normalization command to the server-side VLAN.
With TCP normalization disabled, the ACE still sets up flows for the asymmetric traffic described above and makes entries in the connection table. Note that the ACE does not check the TCP flags and TCP state of the connection. If a connection is in the half-closed state and a new SYN arrives, the connection is still used but the states do not change. Once the connection is closed properly, the extra ACK from the server goes through as a routed connection and the address is not masked to originate from the VIP.
With TCP normalization enabled, when the ACE receives the final ACK, the ACE removes the entry from the connection table. Even if FIN/ACK retransmission occurs, the ACE drops this packet because of the TCP normalization feature. This means that the client cannot receive the final ACK and keeps the LAST_ACK state until the half-close timeout occurs on the client.
Examples To enable TCP normalization after you have disabled it, enter:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# ipv6 normalization
To disable TCP normalization, enter:
host1/Admin(config-if)# no ipv6 normalization
Related Commands (config-if) ipv6 icmp-guard
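The two asymmetric-flow cases in the usage guidelines above come down to what a connection table does with a segment that arrives out of the expected handshake order. The Python model below is added here as an illustration and is not code from the Cisco reference or the ACE software; it keeps a per-VLAN connection table and shows that, with normalization on, a SYN-ACK (or data) for a connection whose SYN was never seen is dropped, while with normalization off the flow is still set up and its state is left unchecked, as the guidelines describe. The Segment record, the ConnTable class, the state names and the sample addresses are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Constructed TCP segment; flags is a string such as "S", "SA", "A" or "FA"."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


class ConnTable:
    """Connection table for one VLAN interface.

    normalization=False models "(config-if) no ipv6 normalization" on that VLAN.
    """

    def __init__(self, normalization: bool = True):
        self.normalization = normalization
        self.conns = {}     # canonical endpoint pair -> state
        self.drops = []     # (key, reason) for segments refused by normalization

    @staticmethod
    def _key(seg: Segment):
        # Same key for both directions of a connection.
        a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
        return (a, b) if a <= b else (b, a)

    def process(self, seg: Segment) -> str:
        key = self._key(seg)
        state = self.conns.get(key)

        if seg.flags == "S":
            if state is None or self.normalization:
                self.conns[key] = "syn-seen"
            # With normalization off, a new SYN on an existing (for example
            # half-closed) connection reuses it and leaves the state untouched.
            return "forward"

        if seg.flags == "SA":
            if state == "syn-seen":
                self.conns[key] = "established"
                return "forward"
            if self.normalization:
                self.drops.append((key, "syn-ack-without-syn"))
                return "drop"
            self.conns[key] = "established-asymmetric"   # server-side VLAN case
            return "forward"

        # Any other segment (data, ACK, FIN/ACK).
        if state is None:
            if self.normalization:
                self.drops.append((key, "no-connection"))
                return "drop"
            self.conns[key] = "established-asymmetric"   # client-side VLAN case
            return "forward"
        if "F" in seg.flags and self.normalization:
            self.conns[key] = "half-closed"
        return "forward"


def demo():
    """Server-side VLAN that only ever sees server-to-client traffic."""
    client, server = "2001:db8::10", "2001:db8:1::80"
    syn = Segment(client, server, 40000, 443, "S")
    syn_ack = Segment(server, client, 443, 40000, "SA")
    data = Segment(server, client, 443, 40000, "A")

    strict = ConnTable(normalization=True)
    strict_results = [strict.process(syn_ack), strict.process(data)]

    relaxed = ConnTable(normalization=False)
    relaxed_results = [relaxed.process(syn_ack), relaxed.process(data)]

    # A VLAN that sees the full handshake behaves the same either way.
    symmetric = ConnTable(normalization=True)
    symmetric_results = [symmetric.process(syn), symmetric.process(syn_ack)]

    return strict_results, relaxed_results, symmetric_results, strict.drops


if __name__ == "__main__":
    print(demo())
```

Reading the drops list from the strict table is the quickest way to confirm whether traffic that is not flowing is the asymmetric case the guidelines describe, before deciding to turn normalization off on that one VLAN.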
(config-if) ipv6 route inject vlan
To advertise an ACE module IPv6 VLAN for route health injection (RHI) that is different from the VIP interface VLAN, use the ipv6 route inject vlan command. Use the no form of this command to restore the ACE module default behavior of advertising the VIP interface VLAN for RHI.
ipv6 route inject vlan vlan_id
no ipv6 route inject vlan vlan_id
Syntax Description
vlan_id    The IPv6 interface shared between the supervisor engine and the intervening device. Enter it as an integer from 2 to 4090.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines This command requires the routing feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Use this command when there is no directly shared VLAN between the ACE module and the Catalyst 6500 series supervisor engine. This topology can occur when there is an intervening device, for example, a Cisco Firewall Services Module (FWSM), configured between the ACE module and the supervisor engine.
Be sure to configure this command on the VIP interface of the ACE module.
Examples To advertise VLAN 200 for RHI, enter:
host1/Admin(config-if)# ipv6 route inject vlan 200
To restore the ACE module default behavior of advertising the VIP interface VLAN for RHI, enter:
host1/Admin(config-if)# no ipv6 route inject vlan 200
Related Commands This command has no related commands.
(config-if) ipv6 verify reverse-path
To enable unicast reverse-path forwarding (URPF) based on the source IPv6 address for a VLAN interface, use the ipv6 verify reverse-path command. By default, URPF is disabled on the interface. Use the no form of this command to disable URPF after it has been enabled.
ipv6 verify reverse-path
no ipv6 verify reverse-path
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release    Modification
A5(1.0)    This command was introduced.
Usage Guidelines URPF helps to mitigate problems caused by the introduction of malformed or forged (spoofed) IPv6 source addresses into a network by allowing the ACE to discard IPv6 packets that lack a verifiable source IP address. This feature enables the ACE to filter both ingress and egress packets to verify addressing and route integrity. The route lookup is typically based on the destination address, not the source address. When you enable URPF, the ACE discards packets if no route is found or if the route does not match the interface on which the packet arrived.
You cannot use this command when URPF based on the source MAC address for a VLAN interface is enabled through the (config-if) mac-sticky enable command.
Examples To enable URPF, enter:
host/Admin(config-if)# ipv6 verify reverse-path
To disable URPF, enter:
host/Admin(config-if)# no ipv6 verify reverse-path
Related Commands (config-if) mac-sticky enable
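The URPF rule in the usage guidelines above is a source-address route lookup followed by an interface comparison. The Python model below is added here as an illustration and is not code from the Cisco reference or the ACE software: it performs a longest-prefix lookup on the source address with the standard ipaddress module and discards the packet when no route exists or when the best route does not point back out the ingress interface, which is the strict behaviour the page describes. It also models the mutual exclusion with mac-sticky enable noted on this page and on the mac-sticky page; that the device rejects the second command rather than silently ignoring it is an assumption of this example, as are the Urpf and VlanInterface class names, the routes and the sample addresses.

```python
import ipaddress
from typing import Optional, Tuple


class Urpf:
    """Strict unicast RPF: a packet passes only when the best route to its source
    address leads back out through the interface the packet arrived on."""

    def __init__(self):
        self.routes = []   # (ip_network, egress interface name)

    def add_route(self, prefix: str, iface: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix, strict=False), iface))

    def best_route(self, addr: str) -> Optional[Tuple[object, str]]:
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            # `in` is False across address families, so IPv4 routes never match IPv6 sources.
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best

    def check(self, src: str, ingress: str) -> str:
        route = self.best_route(src)
        if route is None:
            return "drop:no-route"
        if route[1] != ingress:
            return "drop:interface-mismatch"
        return "pass"


class VlanInterface:
    """Holds the two source checks the page says cannot be combined on one VLAN."""

    def __init__(self, name: str):
        self.name = name
        self.urpf = False          # (config-if) ipv6 verify reverse-path
        self.mac_sticky = False    # (config-if) mac-sticky enable

    def enable_urpf(self) -> None:
        if self.mac_sticky:
            raise ValueError(f"{self.name}: mac-sticky enable is already configured")
        self.urpf = True

    def enable_mac_sticky(self) -> None:
        if self.urpf:
            raise ValueError(f"{self.name}: ipv6 verify reverse-path is already configured")
        self.mac_sticky = True


def demo():
    """Constructed routing table: one client subnet on vlan100, the rest of the site on vlan200."""
    u = Urpf()
    u.add_route("2001:db8:1::/64", "vlan100")
    u.add_route("2001:db8::/32", "vlan200")
    results = [
        u.check("2001:db8:1::10", "vlan100"),   # source belongs on vlan100
        u.check("2001:db8:1::10", "vlan200"),   # same source arriving on the wrong VLAN
        u.check("2001:db8:7::5", "vlan200"),    # covered only by the /32
        u.check("fd00::1", "vlan100"),          # no route at all
    ]
    vlan = VlanInterface("vlan100")
    vlan.enable_urpf()
    try:
        vlan.enable_mac_sticky()
        conflict_detected = False
    except ValueError:
        conflict_detected = True
    return results, conflict_detected


if __name__ == "__main__":
    print(demo())
```

Note that a default route would give every source a route, so on a VLAN that carries a default route the interface comparison is the only part of the check that still discards anything.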
(config-if) mac-address autogenerate
To enable the autogeneration of a MAC address on a VLAN interface, use the mac-address autogenerate command. Use the no form of this command to disable MAC address autogeneration.
mac-address autogenerate
no mac-address autogenerate
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Command History
ACE Module Release    Modification
A2(1.0)    This command was introduced.
ACE Appliance Release    Modification
A1(7)    This command was introduced.
Usage Guidelines By default, the ACE does not allow traffic from one context to another context over a transparent firewall. The ACE assumes that VLANs in different contexts are in different Layer 2 domains, unless it is a shared VLAN. Thus the ACE allocates the same MAC address to them.
When using a Firewall Services Module (FWSM) to bridge traffic between two contexts on the ACE, two Layer 3 VLANs must be assigned to the same bridge domain. To support this configuration, these VLAN interfaces require different MAC addresses.
When you issue the mac-address autogenerate command, the ACE assigns a MAC address from the bank of MAC addresses for shared VLANs. If you issue the no mac-address autogenerate command, the interface retains this address. To revert to a MAC address for an unshared VLAN, you must delete the interface and then re-add it.
Examples To enable MAC address autogeneration on the VLAN, enter:
host1/Admin(config-if)# mac-address autogenerate
To disable MAC address autogeneration on the VLAN, enter:
host1/Admin(config-if)# no mac-address autogenerate
Related Commands This command has no related commands.
(config-if) mac-sticky enable
To enable the mac-sticky feature for a VLAN interface, use the mac-sticky enable command. The mac-sticky feature ensures that the ACE sends return traffic to the same upstream device through which the connection setup from the original client was received. By default, the mac-sticky feature is disabled on the ACE. Use the no form of this command to disable the mac-sticky feature, resetting the default behavior of the ACE performing a route lookup to select the next hop to reach the client.
mac-sticky enable
no mac-sticky enable
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release    Modification
3.0(0)A1(2)    This command was introduced.
ACE Appliance Release    Modification
A1(7)    This command was introduced.
Usage Guidelines When you use this command to enable the mac-sticky feature, the ACE uses the source MAC address from the first packet of a new connection to determine the device to which it sends the return traffic. This guarantees that the ACE sends the return traffic for load-balanced connections to the same device that originated the connection. By default, the ACE performs a route lookup to select the next hop to reach the client.
This feature is useful when the ACE receives traffic from Layer 2/Layer 3 adjacent stateful devices, like firewalls and transparent caches, guaranteeing that it sends return traffic to the correct stateful device that sourced the connection without any requirement for source NAT. For more information on firewall load balancing, see the Security Guide, Cisco ACE Application Control Engine.
You cannot use this command when RPF based on the source IP address for a VLAN interface is enabled through the (config-if) ip verify reverse-path command.
Examples To enable the mac-sticky feature, enter:
host/Admin(config-if)# mac-sticky enable
To disable the mac-sticky feature, enter:
host/Admin(config-if)# no mac-sticky enable
Related Commands (config-if) ip verify reverse-path
(config-if) mtu
To specify the maximum transmission unit (MTU) for a VLAN interface, use the mtu command. This
command allows you to set the data size that is sent on a connection. Use the no form of this command
to reset the MTU block size to the default of 1280 (IPv6) or 1500 (IPv4) for Ethernet interfaces.
mtu bytes
no mtu
Syntax Description
bytes Number of bytes in the MTU. For IPv6, enter a number from 1280 to
9216 bytes. The default is 1500. For IPv4, enter a number from 64 to
9216 bytes. The default is 1500.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Modified range and default for IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A5(1.0) Modified range and default for IPv6 support.
Usage Guidelines The default MTU is a 1500-byte block for Ethernet interfaces. This value is sufficient for most
applications, but you can pick a lower number if network conditions require it. The ACE fragments
packets that are larger than the MTU value before sending them to the next hop.
Examples To specify the MTU data size for an Ethernet interface, enter the following command:
host1/admin(config-if)# mtu 1300
To reset the MTU block size to the default value of 1500 for Ethernet interfaces, enter:
host1/admin(config-if)# no mtu
Related Commands show interface
(config-if) nat-pool
To create a pool of IP addresses for dynamic Network Address Translation (NAT) for a VLAN interface,
use the nat-pool command. Use the no form of this command to remove a NAT pool from the
configuration.
nat-pool nat_id {ipv6_address1[/prefix_length] [ipv6_address2[/prefix_length]]} | {ipv4_address1
[ipv4_address2] netmask mask} [pat]
no nat-pool nat_id ip_address1 [ip_address2] netmask mask [pat]
Syntax Description
nat_id Identifier of the NAT pool of global IP addresses. Enter an integer from 1 to
2147483647.
ipv6_address1 [/prefix_length] Single IPv6 address and optional prefix length, or if you are also using the
ipv6_address2 argument, the first IP address in a range of global addresses
used for NAT.
ipv6_address2 [/prefix_length] (Optional) Highest IPv6 address and optional prefix length in a range of
global IPv6 addresses used for NAT. You can configure a maximum of 64 K
addresses in a NAT pool.
ip_address1 Single IP address, or if also using the ip_address2 argument, the first IP
address in a range of global addresses used for NAT. Enter an IP address in
dotted-decimal notation (for example, 172.27.16.10).
ip_address2 (Optional) Highest IP address in a range of global IP addresses used for
NAT. Enter an IP address in dotted-decimal notation (for example,
172.27.16.109).
netmask mask Specifies the subnet mask for the IP address pool. Enter a mask in
dotted-decimal notation (for example, 255.255.255.0). If you do not specify
a network mask for the global IP addresses in the pool, the ACE, by default,
uses the network mask of the interface to which the pool is attached.
pat (Optional) Specifies that the ACE perform Port Address Translation (PAT)
in addition to NAT.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines Dynamic NAT uses a pool of global IP addresses that you specify. You can define either a single global
IP address for a group of servers with PAT to differentiate between them or a range of global IP addresses
when using dynamic NAT only. To use a single IP address or a range of addresses, you assign an
identifier to the address pool. You then associate the NAT pool with a global interface that is different
from the interface that you use to filter and receive NAT traffic.
The ACE allows you to configure a virtual IP (VIP) address in the NAT pool for dynamic NAT and PAT.
This action is useful when you want to source NAT real server originated connections (bound to the
client) using the VIP address. This feature is specifically useful when there are a limited number of real
world IP addresses on the client-side network. To perform PAT for different real servers that are
source-NATed to the same IP address (VIP), you must configure the pat keyword in the nat-pool
command.
If a packet egresses an interface that you have not configured for NAT, the ACE transmits the packet
untranslated.
If the ACE runs out of IP addresses in a NAT pool, it can switch over to a PAT rule, if configured. For
example, you can configure the following:
nat-pool 1 10.1.100.10 10.1.100.99 netmask 255.255.255.255
nat-pool 1 10.1.100.100 10.1.100.100 netmask 255.255.255.255 pat
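The pool-exhaustion switch-over described above, as an added example that is not Cisco's code: a small parser for the IPv4 form of the nat-pool line and an allocator that consumes the two-line pool from the usage guidelines, handing out one-to-one addresses until the range is empty and then falling over to the pat entry. The lowest-free-address order, the PAT port range starting at 1024 and the inside host addresses are assumptions for the model.

```python
"""Added example (not Cisco's code): simulates how the ACE consumes a dynamic
NAT pool and switches over to a PAT rule with the same nat_id once the
one-to-one addresses run out, as the usage guidelines above describe."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address

# Assumption: the page does not give the ACE's address selection order or PAT
# port range, so this model hands out the lowest free address and ports from 1024.
PAT_FIRST_PORT = 1024


@dataclass
class NatPoolEntry:
    """One IPv4 nat-pool line: address range, mask and whether PAT is on."""
    first: IPv4
    last: IPv4
    netmask: IPv4
    pat: bool

    def addresses(self) -> Iterator[IPv4]:
        for n in range(int(self.first), int(self.last) + 1):
            yield IPv4(n)


def parse_nat_pool(line: str) -> Tuple[int, NatPoolEntry]:
    """Parse 'nat-pool nat_id ip_address1 [ip_address2] netmask mask [pat]'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "nat-pool":
        raise ValueError(f"not an IPv4 nat-pool line: {line!r}")
    nat_id = int(tokens[1])
    if not 1 <= nat_id <= 2147483647:
        raise ValueError("nat_id must be an integer from 1 to 2147483647")
    first = IPv4(tokens[2])
    last, pos = first, 3
    if tokens[pos] != "netmask":            # optional ip_address2 is present
        last = IPv4(tokens[pos])
        pos += 1
    if pos + 1 >= len(tokens) or tokens[pos] != "netmask":
        raise ValueError("expected 'netmask mask' after the address range")
    netmask = IPv4(tokens[pos + 1])
    rest = tokens[pos + 2:]
    if rest not in ([], ["pat"]):
        raise ValueError(f"unexpected trailing tokens: {rest}")
    if last < first:
        raise ValueError("ip_address2 must be the highest address of the range")
    return nat_id, NatPoolEntry(first, last, netmask, rest == ["pat"])


class DynamicNat:
    """Global-address allocator: one-to-one entries first, PAT entries second."""

    def __init__(self) -> None:
        self.pools: Dict[int, List[NatPoolEntry]] = {}
        self.host_map: Dict[Tuple[int, IPv4], IPv4] = {}  # inside host -> global
        self.in_use: Set[IPv4] = set()
        self.next_port: Dict[IPv4, int] = {}

    def add(self, line: str) -> None:
        nat_id, entry = parse_nat_pool(line)
        self.pools.setdefault(nat_id, []).append(entry)

    def translate(self, nat_id: int, src_ip: str,
                  src_port: int) -> Optional[Tuple[str, int]]:
        """Return (global_ip, global_port) for a new flow, or None if exhausted."""
        src = IPv4(src_ip)
        entries = self.pools.get(nat_id)
        if entries is None:
            # Nothing configured for this id: the ACE forwards untranslated.
            return src_ip, src_port
        bound = self.host_map.get((nat_id, src))
        if bound is not None:               # host already holds a 1:1 address
            return str(bound), src_port
        # Pass 1: dynamic NAT only, one global address per inside host.
        for entry in entries:
            if entry.pat:
                continue
            for addr in entry.addresses():
                if addr not in self.in_use:
                    self.in_use.add(addr)
                    self.host_map[(nat_id, src)] = addr
                    return str(addr), src_port
        # Pass 2: pool exhausted, so switch over to a PAT rule if configured.
        for entry in entries:
            if not entry.pat:
                continue
            for addr in entry.addresses():
                port = self.next_port.get(addr, PAT_FIRST_PORT)
                if port > 65535:
                    continue
                self.next_port[addr] = port + 1
                return str(addr), port
        return None


def demo() -> List[Optional[Tuple[str, int]]]:
    """Run the two-line pool from the usage guidelines against 92 inside hosts."""
    nat = DynamicNat()
    nat.add("nat-pool 1 10.1.100.10 10.1.100.99 netmask 255.255.255.255")
    nat.add("nat-pool 1 10.1.100.100 10.1.100.100 netmask 255.255.255.255 pat")
    # Constructed inside hosts 192.168.50.1 to 192.168.50.92; 90 get a 1:1
    # address, the last two share 10.1.100.100 through PAT.
    return [nat.translate(1, f"192.168.50.{h}", 40000 + h) for h in range(1, 93)]
```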
Examples IPv6 Example
To configure a NAT pool that consists of a range of global IPv6 addresses with PAT, enter:
host1/C1(config-if)# nat-pool 1 2001:DB8:1::/64 2001:DB8:1::1/64 pat
IPv4 Example
To configure a NAT pool that consists of a range of 100 global IPv4 addresses with PAT, enter:
host1/C1(config-if)# nat-pool 1 172.27.16.10 172.27.16.109 netmask 255.255.255.0 pat
Related Commands show nat-fabric
(config-pmap-lb-c) nat dynamic
(config-if) normalization
To enable TCP normalization, use the normalization command. This feature is enabled by default. Use
the no form of this command to disable TCP normalization.
normalization
no normalization
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines By default, TCP normalization is enabled.
Caution If you disable TCP normalization, you may expose your ACE and your data center to potential security
risks. TCP normalization helps protect the ACE and the data center from attackers by enforcing strict
security policies that are designed to examine traffic for malformed or malicious segments.
To operate your ACE for load balancing only, disable TCP normalization by entering the no
normalization command. You must also disable the ACE Internet Control Message Protocol (ICMP)
security checks by using the no icmp-guard command. For details about operating your ACE as a load
balancer only, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Disabling TCP normalization affects only Layer 4 traffic. TCP normalization is always enabled for Layer
7 traffic.
Use the no normalization command when you encounter the following two types of asymmetric flows,
which would otherwise be blocked by the normalization checks that the ACE performs:
• ACE sees only the client-to-server traffic. For example, for a TCP connection, the ACE sees the SYN
from the client, but not the SYN-ACK from the server. In this case, apply the no normalization
command to the client-side VLAN.
• ACE sees only the server-to-client traffic. For example, for a TCP connection, the ACE receives a
SYN-ACK from the server without having received the SYN from the client. In this case, apply the
no normalization command to the server-side VLAN.
With TCP normalization disabled, the ACE still sets up flows for the asymmetric traffic described above
and makes entries in the connection table. Note that the ACE does not check the TCP flags and TCP state
of the connection. If a connection is in the half-closed state and a new SYN arrives, the connection is
still used but the states do not change. Once the connection is closed properly, the extra ACK from the
server goes through as a routed connection and the address is not masked to originate from the VIP.
With TCP normalization enabled, when the ACE receives the final ACK, the ACE removes the entry
from the connection table. Even if FIN/ACK retransmission occurs, the ACE drops this packet due to the
TCP normalization feature. This means that the client cannot receive the final ACK and keeps the
LAST_ACK state until the client's half-close timeout expires.
Examples To enable TCP normalization after you have disabled it, enter:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# normalization
To disable TCP normalization, enter:
host1/Admin(config-if)# no normalization
Related Commands (config-if) icmp-guard
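The interface-level settings this reference cautions about can be checked before a configuration is pushed. The following is an added example, not Cisco's code: it groups the lines of each interface block of a constructed ACE running-config excerpt and reports TCP normalization disabled (the Caution above), icmp-guard left enabled alongside no normalization (so the ACE is not in load-balancer-only mode), and mac-sticky enable combined with ip verify reverse-path (documented as not allowed under mac-sticky enable). The sample configuration and the finding wording are constructed for the example.

```python
"""Added example (not Cisco's code): a pre-deployment lint of an ACE
running-config excerpt for the interface settings this reference warns
about: TCP normalization disabled (see the Caution above), icmp-guard still
enabled alongside it (so the ACE is not in load-balancer-only mode), and
mac-sticky combined with ip verify reverse-path (documented as not allowed).
The configuration text is constructed; the finding wording is mine."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, interface, message)

# Constructed sample using the interface-mode commands shown in this chapter.
SAMPLE_CONFIG = """\
interface vlan 100
  ip address 10.1.100.1 255.255.255.0
  mac-sticky enable
  ip verify reverse-path
  no shutdown
interface vlan 200
  ip address 10.1.200.1 255.255.255.0
  no normalization
  no icmp-guard
  no shutdown
interface vlan 300
  ip address 10.1.30.1 255.255.255.0
  no normalization
  no shutdown
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface ...' block under its name."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):               # a top-level command
            current = raw.strip() if raw.startswith("interface ") else None
            if current is not None:
                blocks[current] = []
            continue
        if current is not None:
            blocks[current].append(raw.strip())
    return blocks


def audit_interfaces(config: str) -> List[Finding]:
    """Apply the three checks to every interface block and return findings."""
    findings: List[Finding] = []
    for name, lines in parse_interfaces(config).items():
        cmds = set(lines)
        if "no normalization" in cmds:
            findings.append(("WARN", name,
                             "TCP normalization disabled: Layer 4 segments are no "
                             "longer checked for malformed or malicious content; "
                             "confirm an asymmetric-flow requirement for this VLAN"))
            if "no icmp-guard" not in cmds:
                findings.append(("INFO", name,
                                 "normalization is off but icmp-guard is still on: "
                                 "ICMP checks remain, so this is not a "
                                 "load-balancer-only configuration"))
        if "mac-sticky enable" in cmds and "ip verify reverse-path" in cmds:
            findings.append(("ERROR", name,
                             "mac-sticky enable cannot be used together with "
                             "ip verify reverse-path on the same VLAN interface"))
    return findings


if __name__ == "__main__":
    for severity, iface, message in audit_interfaces(SAMPLE_CONFIG):
        print(f"{severity:5} {iface}: {message}")
```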
(config-if) normalization send-reset
To enable sending a RST to the peer so it can reset its TCP connections for any non-SYN packets that
are a connection miss, use the normalization send-reset command. This feature is disabled by default.
Use the no form of this command to disable the normalization RST function. When disabled, the ACE
silently drops any non-SYN packet when there is no flow.
normalization send-reset
no normalization send-reset
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module/Appliance Release Modification
A4(1.1) This command was introduced.
Usage Guidelines Ensure that TCP normalization is enabled through the normalization command and that the switch
mode feature is disabled (the switch-mode command in configuration mode).
Examples To enable sending a RST to the peer so it can reset its TCP connections for any non-SYN packets, enter:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# normalization
host1/Admin(config-if)# normalization send-reset
To disable the normalization RST function, enter:
host1/Admin(config-if)# no normalization send-reset
Related Commands (config-if) normalization
(config) switch-mode
(config-if) peer ip address
To configure the IP address of a standby ACE for the bridge-group virtual interface (BVI) or VLAN
interface, use the peer ip address command. Use the no form of this command to delete the IP address
of the peer ACE.
peer ip address {ipv6_address [/prefix_length] [eui64 | link-local | unique-local]} {ipv4_address
mask [secondary]}
no peer ip address {ipv6_address [/prefix_length] [eui64 | link-local | unique-local]}
{ipv4_address mask [secondary]}
Syntax Description
ipv6_address IPv6 address of the interface.
/prefix_length (Optional, except for EUI-64) Specifies how many of the most
significant bits (MSBs) of the IPv6 address are used for the network
identifier. Enter a forward slash character (/) followed by an integer
from 1 to 128. The default is /128. If you use the optional eui64
keyword, you must specify a prefix length and the prefix must be less
than or equal to 64.
eui64 (Optional) Specifies that the low order 64 bits are automatically
generated in the IEEE 64-bit Extended Unique Identifier (EUI-64)
format specified in RFC 2373. To use this keyword, you must specify
a prefix length, the prefix must be less than or equal to 64, and the
host segment must be all zeros.
link-local (Optional) Specifies that the address is valid only for the current link.
unique-local (Optional) Specifies that this address is globally unique and used
only for local communications within a site or organization.
ipv4_address IPv4 address of the interface.
mask Subnet mask of the interface.
secondary (Optional) Configures the address as a secondary IPv4 address
allowing multiple subnets under the same interface. You can
configure a maximum of 15 secondary addresses per interface. The
ACE has a system limit of 1,024 secondary addresses.
Command Modes Interface configuration mode for BVI and VLAN interfaces
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(3.0) The secondary option was added.
A2(3.1) The number of secondary addresses increased from 4 to 15.
A4(1.0) The number of secondary addresses decreased from 15 to 4.
A4(1.1) The number of secondary addresses increased from 4 to 15.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) The secondary option was added.
A4(1.1) The number of secondary addresses increased from 4 to 15.
A5(1.0) Added IPv6 support.
Usage Guidelines When you configure redundancy, configuration mode on the standby ACE is disabled by default and
changes on an active ACE are automatically synchronized to the standby ACE. However, interface IP
addresses on the active and standby ACEs must be unique. To ensure that the addresses on the interfaces
are unique, the interface IP address on the active ACE is synchronized to the standby ACE as the peer
IP address. To configure an interface IP address on the standby ACE, use the peer ip address command.
The peer IP address on the active ACE is synchronized on the standby ACE as the interface IP address.
You must configure a unique IP address across multiple contexts on a shared VLAN. On a nonshared
VLAN, the IP address can be the same.
You can configure only one IPv6 peer link-local or IPv6 peer unique local address on an interface. Any
additional peer link-local or peer unique local address that you configure will overwrite the existing one.
When the destination for the control plane (CP)-originated packets is Layer 2 adjacent to either the
primary subnet or one of the secondary subnets, the ACE always uses the appropriate primary or
secondary interface IP address that belongs to the destination subnet as the source IP address. For any
destination that is not Layer 2 adjacent, the ACE uses the primary address as the source IP address.
SSL probes always use the primary IP address as the source address for all destinations.
You cannot configure secondary IPv4 addresses on FT VLANs.
Examples To configure an IP address and mask for the peer ACE, enter:
host1/Admin(config-if)# peer ip address 11.0.0.81 255.0.0.0
To configure a secondary IP address and mask for the peer ACE, enter:
host1/Admin(config-if)# peer ip address 12.0.0.81 255.0.0.0 secondary
To delete the IP address for the peer ACE, enter:
host1/Admin(config-if)# no peer ip address 11.0.0.81 255.0.0.0
To delete the secondary IP address for the peer ACE, enter:
host1/Admin(config-if)# no peer ip address 12.0.0.81 255.0.0.0 secondary
Related Commands show interface
(config-if) port-channel load-balance
(ACE appliance only) To set the load-distribution method among the ports in the EtherChannel bundle,
use the port-channel load-balance command. Use the no form of the command to remove the
load-distribution method.
port-channel load-balance {dst-ip | dst-mac | dst-port | src-dst-ip | src-dst-mac | src-dst-port |
src-ip | src-mac | src-port}
no port-channel load-balance {dst-ip | dst-mac | dst-port | src-dst-ip | src-dst-mac | src-dst-port
| src-ip | src-mac | src-port}
Syntax Description
dst-ip Bases the load distribution on the destination IP address
dst-mac Bases the load distribution on the destination MAC address
dst-port Bases the load distribution on the destination TCP or UDP port
src-dst-ip Bases the load distribution on the source or destination IP address
src-dst-mac Bases the load distribution on the source or destination MAC address
src-dst-port Bases the load distribution on the source or destination port
src-ip Bases the load distribution on the source IP address
src-mac Bases the load distribution on the source MAC address
src-port Bases the load distribution on the TCP or UDP source port
Command Modes Interface configuration mode
Admin context only
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines An EtherChannel balances the traffic load across the links in the EtherChannel by reducing part of the
binary pattern formed from the addresses in the frame to a numerical value that selects one of the links
in the channel. EtherChannel load balancing can use MAC addresses or IP addresses, Layer 4 port
numbers, source addresses, destination addresses, or both source and destination addresses.
Use the option that provides the load-balance criteria with the greatest variety in your configuration. For
example, if the traffic on an EtherChannel is going to a single MAC address only and you use the
destination MAC address as the basis of EtherChannel load balancing, the EtherChannel always chooses
the same link in the EtherChannel.
Examples To configure an EtherChannel to balance the traffic load across the links using source or destination IP
addresses, enter:
host1/Admin(config)# interface gigabitEthernet 1/1
host1/Admin(config-if)# port-channel load-balance src-dst-ip
Related Commands This command has no related commands.
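The single-destination pitfall from the usage guidelines, as an added example that is not Cisco's code: each load-balance keyword is mapped to the frame fields it hashes, the fields are reduced to a link index, and a constructed set of four client-to-server frames is run through every method to show which ones pin all traffic to one link. The reduction (XOR of the selected fields, modulo the link count), the assumption that the src-dst keywords combine both fields, and the sample traffic are mine; the page does not document the appliance's actual hash.

```python
"""Added example (not Cisco's code): models how a port-channel load-balance
method reduces the selected frame fields to a link index, to show why a method
whose fields do not vary across the traffic (for example dst-mac toward a
single server MAC) pins every frame to one link. The reduction used here
(XOR of the selected fields, modulo the number of links) is an assumption;
the page does not document the ACE appliance's actual hash."""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Each load-balance keyword from the syntax description and the fields it hashes
# (assumption: the src-dst keywords combine both fields).
METHODS: Dict[str, Tuple[str, ...]] = {
    "dst-ip": ("dst_ip",), "dst-mac": ("dst_mac",), "dst-port": ("dst_port",),
    "src-ip": ("src_ip",), "src-mac": ("src_mac",), "src-port": ("src_port",),
    "src-dst-ip": ("src_ip", "dst_ip"), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-dst-port": ("src_port", "dst_port"),
}

Frame = Dict[str, object]


def field_value(frame: Frame, name: str) -> int:
    """Turn an address or port field into the integer the hash works on."""
    value = frame[name]
    if name.endswith("_ip"):
        return int(ipaddress.ip_address(str(value)))
    if name.endswith("_mac"):
        return int(str(value).replace(":", "").replace("-", ""), 16)
    return int(value)  # TCP or UDP port


def select_link(method: str, frame: Frame, n_links: int) -> int:
    """Pick a link index (0..n_links-1) for one frame under the given method."""
    if method not in METHODS:
        raise ValueError(f"unknown load-balance method: {method}")
    if n_links < 1:
        raise ValueError("an EtherChannel needs at least one link")
    acc = 0
    for name in METHODS[method]:
        acc ^= field_value(frame, name)
    return acc % n_links


def distribution(method: str, frames: List[Frame], n_links: int) -> Dict[int, int]:
    """Count how many frames each link would carry."""
    return dict(Counter(select_link(method, f, n_links) for f in frames))


def best_method(frames: List[Frame], n_links: int) -> str:
    """Choose the keyword that spreads these frames over the most links and,
    among those, the one with the lightest busiest link (the 'greatest
    variety' advice from the usage guidelines)."""
    def score(method: str) -> Tuple[int, int]:
        dist = distribution(method, frames, n_links)
        return (len(dist), -max(dist.values()))
    return max(METHODS, key=score)


# Constructed traffic: four clients reaching one server MAC/IP on TCP port 443.
SAMPLE_FRAMES: List[Frame] = [
    {"src_mac": f"00:11:22:33:44:{i:02x}", "dst_mac": "00:aa:bb:cc:dd:ee",
     "src_ip": f"10.0.0.{i}", "dst_ip": "10.0.0.100",
     "src_port": 50000 + i, "dst_port": 443}
    for i in range(1, 5)
]

if __name__ == "__main__":
    for method in METHODS:
        print(f"{method:13} {distribution(method, SAMPLE_FRAMES, 2)}")
    print("best:", best_method(SAMPLE_FRAMES, 2))
```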
(config-if) qos trust cos
(ACE appliance only) To enable Quality of Service (QoS) for a configured physical Ethernet port that is
based on VLAN Class of Service (CoS) bits, use the qos trust cos command. Use the no form of the
command to disable QoS for the Ethernet port.
qos trust cos
no qos trust cos
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin context only
Command History
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines QoS is configured at the physical port level. When you enable QoS on a trusted port, traffic is mapped
into different ingress queues based on their VLAN CoS bits. If there are no VLAN CoS bits, or QoS is
not enabled on the port (untrusted port), the traffic is then mapped into the lowest priority queue.
You can enable QoS for an Ethernet port configured for fault tolerance (see (config-if) ft-port vlan). In
this case, heartbeat packets are always tagged with CoS bits set to 7 (a weight of High). We recommend
that you enable QoS on the FT VLAN port to provide higher priority for FT traffic.
QoS is configurable only for a physical Ethernet port and is not VLAN interface-based.
Examples To enable QoS for Ethernet port 3, enter:
host1/Admin(config)# interface gigabitEthernet 1/3
host1/Admin(config-if)# qos trust cos
To disable QoS for the Ethernet port, enter:
host1/Admin(config-if)# no qos trust cos
Related Commands show interface
(config-if) remove-eth-pad
To enable an internal length check and remove a trailing byte appended to the end of an Ethernet IP
packet coming into the ACE, use the remove-eth-pad command. This check is performed on the VLAN
interface and is disabled by default. Use the no form of the command to disable an internal length check
and the removal of the trailing byte.
remove-eth-pad
no remove-eth-pad
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin context only
Command History
ACE Module Release Modification
A2(1.6) This command was introduced.
ACE Appliance Release Modification
A3(2.3) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To enable an internal length check and remove the trailing byte appended to the end of an Ethernet IP
packet coming into the ACE, enter:
host1/Admin(config)# interface vlan 3
host1/Admin(config-if)# remove-eth-pad
To disable an internal length check and the removal of the trailing byte, enter:
host1/Admin(config-if)# no remove-eth-pad
Related Commands show interface
(config-if) service-policy input
To apply a previously created policy map and attach the traffic policy to the input direction of a VLAN
interface, use the service-policy input command. Use the no form of this command to remove a service
policy.
service-policy input policy_name
no service-policy input policy_name
Syntax Description
policy_name Name of a previously defined policy map, configured with a
previously created policy-map command. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric
characters.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you enter the service-policy command in configuration mode, the policy maps that are applied
globally in a context are applied on all interfaces that exist in the context.
A policy activated on an interface overwrites any specified global policies for overlapping classifications
and actions.
The ACE allows only one policy of a specific feature type to be activated on a given interface.
Examples To apply the L4SLBPOLICY policy map to an interface, enter:
host1/C1(config-if)# service-policy input L4SLBPOLICY
To remove the L4SLBPOLICY policy map from the interface, enter:
host1/C1(config-if)# no service-policy input L4SLBPOLICY
Related Commands show service-policy
(config) service-policy
(config-if) shutdown
To disable a bridge-group virtual interface (BVI) or VLAN interface, use the shutdown command. Use
the no form of this command to enable the interface.
shutdown
no shutdown
Syntax Description This command has no keywords or arguments.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you create an interface, the interface is in the shutdown state until you enable it. If you disable or
reenable the interface within a context, only that context interface is affected.
To enable a bridge-group virtual interface (BVI), VLAN interface, VLAN trunking, or for an ACE
Appliance, Ethernet port or port-channel interface, use the no shutdown command in interface
configuration mode. This puts the interface in the Up administrative state.
To disable a bridge-group virtual interface (BVI), VLAN interface, VLAN trunking, or for an ACE
Appliance, Ethernet port or port-channel interface, use the shutdown command in interface
configuration mode. This puts the interface in the Down administrative state.
When you enable the interface, all of its configured primary and secondary addresses are enabled. You
must configure a primary IP address to enable an interface. The ACE does not enable an interface with
only secondary addresses. When you disable an interface, all of its configured primary and secondary
addresses are disabled.
Examples To disable an interface, enter:
host1/Admin(config-if)# shutdown
To enable an interface for use, enter:
host1/Admin(config-if)# no shutdown
Related Commands show interface
show running-config
(config-if) speed
(ACE appliance only) To configure the Ethernet port speed for a setting of 10, 100, or 1000 Mbps, use
the speed command in interface configuration mode. The default speed for an ACE interface is
autonegotiate. Use the no form of the command to return to the default Ethernet port speed setting.
speed {1000M | 100M | 10M | auto}
no speed
Syntax Description
1000M Initiates 1000-Mbps operation.
100M Initiates 100-Mbps operation.
10M Initiates 10-Mbps operation.
auto Enables the ACE to autonegotiate with other devices for speeds of 10,
100, or 1000 Mbps. If you set the Ethernet port speed to auto, the
ACE automatically sets the duplex mode to auto. This is the default
setting.
Command Modes Interface configuration mode
Admin context only
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines By default, the ACE automatically uses the autonegotiate setting for Ethernet port speed and duplex
mode parameters to allow the ACE to negotiate the speed and duplex mode between ports. If you
manually configure the port speed and duplex modes, follow these guidelines:
• The ACE prevents you from making a duplex setting when you configure the speed of an Ethernet
port to auto. The speed command must be a non-auto setting of 10, 100, or 1000 Mbps to be able
to configure the duplex setting for the Ethernet port.
• If you configure an Ethernet port speed to a value other than auto (for example, 10, 100, or
1000 Mbps), ensure that you configure the connecting port to match. Do not configure the
connecting port to negotiate the speed through the auto keyword.
• The ports on both ends of a link must have the same setting. The link will not come up if the port at
each end of the connecting interface has a different setting.
• If you enter the no speed command, the ACE automatically configures both the speed and duplex
settings to auto.
The ACE cannot automatically negotiate interface speed and duplex mode if you configure the
connecting interface to a value other than auto.
If you configure the Ethernet port speed to auto, the ACE automatically sets the duplex mode to auto.
Examples To set the speed to 1000 Mbps on Ethernet port 3, enter:
host1/Admin(config)# interface gigabitEthernet 1/3
host1/Admin(config-if)# speed 1000M
To restore the default setting of autonegotiate for an Ethernet port, enter:
host1/Admin(config-if)# no speed
Related Commands (config-if) duplex
(config-if) switchport access vlan
(ACE appliance only) To configure an access port to a specific VLAN for either an Ethernet interface or a
Layer 2 EtherChannel interface, use the switchport access vlan command in interface configuration mode.
Use the no form of the command to reset the access mode to the default VLAN 1.
switchport access vlan number
no switchport access vlan number
Syntax Description
number VLAN number that you want to configure as the IEEE 802.1Q native
VLAN when operating in trunking mode. Valid values are from 1 to
4094. The default is VLAN 1.
Command Modes Interface configuration mode
Admin context only
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines On the ACE, ports are assigned to a single VLAN. These ports are referred to as access ports and provide
a connection for end users or node devices, such as a router or server. By default, all devices are assigned
to VLAN 1, known as the default VLAN.
You can configure a trunk on a single Ethernet port or on a port-channel interface (EtherChannel).
It is not necessary to create a VLAN interface before configuring an access VLAN. To create a VLAN
interface and enter its configuration mode to set its attributes, use the interface vlan command in
configuration mode for the context.
When you assign a VLAN as the access port for a specific Ethernet port or port-channel interface, the
VLAN is reserved and cannot be configured as a VLAN trunk. A VLAN access port and a VLAN trunk
cannot coexist for the same Ethernet port or port-channel interface. If you specify both configurations
for the same Ethernet port or port-channel interface, the most recent configuration will overwrite the
older configuration.
If you have QoS enabled for a physical Ethernet port (see the “(config-if) qos trust cos” command) that
has been designated as an FT VLAN port (see the “(config-if) ft-port vlan” command), do not configure
this Ethernet port as a VLAN access port. In this configuration, the QoS setting for redundancy traffic,
such as heartbeat packets or TCP tracking probes, may not be handled properly by the ACE and FT traffic
may be dropped when there is network congestion.
Examples To configure VLAN 101 as an access port for Ethernet port 4, enter:
host1/Admin(config)# interface gigabitEthernet 1/4
host1/Admin(config-if)# switchport access vlan 101
To configure VLAN 101 as an access port for EtherChannel 255, enter:
host1/Admin(config)# interface port-channel 255
host1/Admin(config-if)# switchport access vlan 101
To reset the access mode to the default VLAN 1, enter:
host1/Admin(config)# interface gigabitEthernet 1/4
host1/Admin(config-if)# no switchport access vlan 101
Related Commands (config) interface
(config-if) switchport trunk allowed vlan
(ACE appliance only) To specify which VLANs are to be allocated to a trunk link, use the switchport
trunk allowed vlan command in interface configuration mode. To remove a VLAN from the trunk link,
use the no form of the command.
switchport trunk allowed vlan vlan_list
no switchport trunk allowed vlan vlan_list
Syntax Description
vlan_list The allowed VLANs that this interface transmits in tagged format when
in trunking mode. The vlan_list argument can be one of the following:
• Single VLAN number
• Range of VLAN numbers separated by a hyphen
• Specific VLAN numbers separated by commas
Valid entries are 1 through 4094. Do not enter any spaces between the
dash-specified ranges or the comma-separated numbers in the
vlan_list argument.
Command Modes Interface configuration mode
Admin context only
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You cannot remove VLAN 1. If you remove VLAN 1 from a trunk, the trunk interface continues to send
and receive management traffic in VLAN 1.
You can selectively allocate individual VLANs to a trunk link. All added VLANs are active on a trunk
link, and as long as the VLAN is available for use, traffic for that VLAN is carried across the trunk link.
It is not necessary to create a VLAN interface before you allocate a VLAN to an Ethernet port or port-channel
interface (EtherChannel). To configure a VLAN interface and access its mode to configure its attributes,
use the interface vlan command in configuration mode for the context.
If you configure a VLAN on a trunk, you cannot configure the VLAN as the access port for a specific
Ethernet port or port-channel interface. A VLAN access port and a VLAN trunk cannot coexist for the
same Ethernet port or port-channel interface. If you specify both configurations for the same Ethernet
port or port-channel interface, the most recent configuration will overwrite the older configuration.
When allocating VLANs to ports, overlapping is not allowed. For example, if you associate VLAN 10
with Ethernet port 1, you cannot associate VLAN 10 with another Ethernet port.
If you have QoS enabled for a physical Ethernet port (see the “(config-if) qos trust cos” command) that
has been designated as an FT VLAN port (see the “(config-if) ft-port vlan” command), do not configure
the FT VLAN as an 802.1Q native VLAN. In this configuration, the QoS setting for redundancy traffic,
such as heartbeat packets or TCP tracking probes, may not be handled properly by the ACE and FT traffic
may be dropped when there is network congestion.
Examples To add VLANs 101, 201, and 250 through 260 to the defined list of VLANs currently set for Ethernet
port 4, enter:
host1/Admin(config)# interface gigabitEthernet 1/4
host1/Admin(config-if)# switchport trunk allowed vlan 101,201,250-260
To remove VLANs 101 through 499 from the defined list of VLANs currently set for Ethernet port 4,
enter:
host1/Admin(config)# interface gigabitEthernet 1/4
host1/Admin(config-if)# no switchport trunk allowed vlan 101-499
Related Commands (config) interface
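The vlan_list syntax and the allocation rules above, as an added Python example (not Cisco code): a parser that accepts exactly the forms the syntax description permits, plus a small per-port model of the no-overlap and VLAN 1 guidelines; the TrunkAllocation class and its method names are this example's own.

```python
"""Validator for the vlan_list argument of the ACE 'switchport trunk allowed
vlan' command, written as an added example (not Cisco code). The rules it
enforces are the ones stated in the reference: single numbers, hyphenated
ranges and comma-separated lists, values 1-4094, no spaces, VLAN 1 cannot
be removed, and no VLAN may be trunked on two Ethernet ports at once."""
import re

VLAN_MIN, VLAN_MAX = 1, 4094
_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_list(vlan_list: str) -> set[int]:
    """Expand a vlan_list string into the set of VLAN IDs it names.

    Raises ValueError for anything the CLI syntax does not permit.
    """
    if not vlan_list or " " in vlan_list:
        raise ValueError("vlan_list must be non-empty and contain no spaces")
    vlans: set[int] = set()
    for token in vlan_list.split(","):
        match = _TOKEN.match(token)
        if not match:
            raise ValueError(f"malformed VLAN entry {token!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"range {token!r} runs backwards")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"{token!r} is outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(low, high + 1))
    return vlans


class TrunkAllocation:
    """Per-port view of 'switchport trunk allowed vlan' across an appliance.

    Models the usage guideline that a VLAN allocated to one Ethernet port
    cannot be allocated to another port (this is the checker's own model,
    not an emulation of the ACE CLI).
    """

    def __init__(self) -> None:
        self.ports: dict[str, set[int]] = {}

    def allow(self, port: str, vlan_list: str) -> set[int]:
        """Apply 'switchport trunk allowed vlan <vlan_list>' on <port>."""
        new = parse_vlan_list(vlan_list)
        for other, allocated in self.ports.items():
            clash = new & allocated
            if other != port and clash:
                raise ValueError(f"VLAN(s) {sorted(clash)} already trunked on {other}")
        self.ports.setdefault(port, set()).update(new)
        return set(self.ports[port])

    def disallow(self, port: str, vlan_list: str) -> set[int]:
        """Apply 'no switchport trunk allowed vlan <vlan_list>' on <port>.

        VLAN 1 keeps carrying management traffic, so it is never removed.
        """
        removed = parse_vlan_list(vlan_list)
        removed.discard(1)
        self.ports.setdefault(port, set()).difference_update(removed)
        return set(self.ports[port])
```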
(config-if) switchport trunk native vlan
(ACE appliance only) To set the IEEE 802.1Q native VLAN for a trunk, use the switchport trunk native
vlan command in interface configuration mode. Use the no form of the command to revert to the default of
VLAN 1.
switchport trunk native vlan number
no switchport trunk native vlan number
Syntax Description
number VLAN number that you want to configure as the 802.1Q native
VLAN when operating in trunking mode. Valid values are from 1 to
4094. The default is VLAN 1.
Command Modes Interface configuration mode
Admin context only
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You can only have one assigned native VLAN.
The native VLAN is the VLAN that is assigned to all ports in the ACE. By default, all interfaces are in
VLAN 1 on the ACE, and VLAN 1 is the native VLAN. Depending on your network needs, you may
change the native VLAN to be other than VLAN 1.
When configuring 802.1Q trunking, you must match the native VLAN across the link. Because the native
VLAN is untagged, you must keep the native VLAN the same on each side of the trunk link. The native
VLAN must match on both sides of the trunk link for 802.1Q; otherwise, the link will not work.
It is not necessary to create a VLAN interface before setting the 802.1Q native VLAN for a trunk. To configure a
VLAN interface and access its mode to configure its attributes, use the interface vlan command in
configuration mode for the context.
Examples To specify VLAN 3 as the 802.1Q native VLAN for the trunk, enter:
host1/Admin(config)# interface port-channel 255
host1/Admin(config-if)# switchport trunk native vlan 3
To revert to the default of VLAN 1, enter:
host1/Admin(config-if)# no switchport trunk native vlan
Related Commands (config) interface
(config-if) syn-cookie
To configure SYN-cookie-based DoS protection, use the syn-cookie command. Use the no form of this
command to remove SYN-cookie DoS protection from the interface.
syn-cookie number
no syn-cookie
Syntax Description
number Embryonic connection threshold above which the ACE applies SYN-cookie
DoS protection. Enter an integer from 1 to 65535.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
A4(1.0) The embryonic connection threshold range changed to 1 to 65535
(from 2 to 65535).
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines Keep in mind the following guidelines when you use the SYN cookie feature:
• If the server drops the SYN that is sent by the ACE, the ACE resets the connection using the
embryonic timeout. It does not retry the SYN packet.
• A SYN cookie supports only the MSS TCP option. The ACE ignores all other TCP options, even if
there are problems with those other options.
• The ACE returns an MSS of 536 to the client, which is the RFC-specified default.
• If you use a parameter map to specify the minimum and maximum MSS values, the ACE ignores
those values.
• Disabling normalization and using a SYN cookie concurrently may result in unpredictable behavior.
• The ACE does not generate any syslogs for a SYN cookie, even if the number of embryonic
connections exceeds the configured threshold, which may indicate a SYN-flood attack.
• (ACE module only) When you configure SYN cookie protection, the ACE calculates the internal
embryonic connection threshold value for each network processor (NP) as configured_threshold ÷ 4
(fractions are not disregarded). For example, if you configure the threshold as 6, the ACE applies
the threshold to each NP in a round-robin fashion in the order shown, which results in the following
threshold distribution:
– NP1=2
– NP2=2
– NP3=1
– NP4=1
Because of this internal division of the threshold value, you may occasionally observe that SYN
cookie protection is applied before the embryonic connection count reaches the configured threshold
value. For example, suppose that you configure a threshold value of 4. Because the threshold value
is divided by four internally for each NP, the internally calculated threshold is 1. After one
incomplete connection attempt (SYN) is sent to an NP, the ACE activates SYN cookie protection
and intercepts the second SYN going to that same NP.
• If you are configuring the SYN cookie feature on a bridged VLAN with non-loadbalanced flows,
you must configure static routes for non-loadbalanced destinations that do not reside in the same
subnet as the bridge-group virtual interface (BVI).
IPv6 Configuration
For example, assuming the following IPv6 configuration:
– BVI IPv6 address is 2001:DB8:1::1
– Gateway1 IPv6 address 2001:DB8:1::2 to reach external network 2001:DB8:2::1
– Gateway2 IPv6 address 2001:DB8:1::3 to reach external network 2001:DB8:3::1
Configure the following static routes:
– ip route 2001:DB8:2::1/64 2001:DB8:1::2
– ip route 2001:DB8:3::1/64 2001:DB8:1::3
IPv4 Configuration
For example, assuming the following IPv4 configuration:
– BVI IPv4 address is 192.168.1.1
– Gateway1 IPv4 address 192.168.1.2 to reach external network 172.16.1.0
– Gateway2 IPv4 address 192.168.1.3 to reach external network 172.31.1.0
Configure the following static routes:
– ip route 172.16.1.0 255.255.255.0 192.168.1.2
– ip route 172.31.1.0 255.255.255.0 192.168.1.3
Examples To configure SYN-cookie DoS protection for servers in a data center connected to VLAN 100, enter:
host1/C1(config)# interface vlan 100
host1/C1(config-if)# syn-cookie 4096
To remove SYN-cookie DoS protection from the interface, enter:
host1/C1(config-if)# no syn-cookie
Related Commands show interface
show running-config
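The per-NP division of the syn-cookie threshold described in the usage guidelines above, worked through as an added Python example (not Cisco code): the round-robin split (6 becomes 2, 2, 1, 1) and the "second SYN to the same NP is intercepted" behaviour come from the text; the replay of SYN arrivals per NP and the function names are this example's own simplification.

```python
"""Model of how the ACE module splits the syn-cookie embryonic connection
threshold across its four network processors, as described in the usage
guidelines above. Added example, not Cisco code: it assumes the round-robin
split the text illustrates (a threshold of 6 becomes NP1=2, NP2=2, NP3=1,
NP4=1) and that an NP starts answering with SYN cookies once its own count
of half-open connections has reached its share."""
from typing import List, Optional

NUM_NPS = 4


def np_thresholds(configured: int) -> List[int]:
    """Per-NP share of the configured threshold, in NP1..NP4 order.

    configured // 4 goes to every NP and the remainder is handed out one
    at a time starting from NP1, which is what makes 6 -> [2, 2, 1, 1].
    """
    if not 1 <= configured <= 65535:
        raise ValueError("syn-cookie threshold must be 1-65535")
    base, extra = divmod(configured, NUM_NPS)
    return [base + (1 if i < extra else 0) for i in range(NUM_NPS)]


def first_cookied_syn(configured: int, np_sequence: List[int]) -> Optional[int]:
    """Replay a sequence of half-open SYNs, each given as the index (0-3)
    of the NP it lands on, and return the 1-based position of the first SYN
    that the ACE answers with a SYN cookie, or None if none is."""
    limits = np_thresholds(configured)
    embryonic = [0] * NUM_NPS
    for position, np in enumerate(np_sequence, start=1):
        if embryonic[np] >= limits[np]:
            return position          # this NP is at its share: cookie time
        embryonic[np] += 1           # otherwise a normal embryonic connection
    return None


def earliest_possible_trigger(configured: int) -> int:
    """Smallest total number of half-open SYNs after which cookies can start
    (all of them hitting the NP with the smallest share). This is what an
    operator should expect instead of the configured value itself."""
    return min(np_thresholds(configured)) + 1
```

With a threshold of 4, every NP gets 1, so two SYNs landing on the same NP are enough for the second one to be answered with a cookie, as the guideline states.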
(config-if) udp
To enable the UDP booster feature for applications that require very high UDP connection rates, use the
udp command in interface configuration mode. The syntax of this command is as follows:
udp {ip-source-hash | ip-destination-hash}
no udp
Syntax Description
ip-source-hash Instructs the ACE to hash the source IP address of UDP packets that hit a
source-hash VLAN interface prior to performing a connection match.
Configure this keyword on a client-side interface.
ip-destination-hash Instructs the ACE to hash the destination IP address of UDP packets that hit
a destination-hash VLAN interface prior to performing a connection match.
Configure this keyword on a server-side interface.
Command Modes Interface configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For the UDP booster feature to work, you must configure both command keywords on their respective
interfaces.
Do not configure this feature with NAT or with any Layer 7 feature, for example, per-packet UDP load
balancing (also called UDP fast-age) using the loadbalance vip udp-fast-age command. Otherwise,
unexpected results may occur.
For detailed information concerning this feature and its configuration, see the Server Load-Balancing
Guide, Cisco ACE Application Control Engine.
Examples To configure the UDP booster feature on the client VLAN 100, enter:
host1/C1(config)# interface vlan 100
host1/C1(config-if)# udp ip-source-hash
To configure the UDP booster feature on the server VLAN 200, enter:
host1/C1(config)# interface vlan 200
host1/C1(config-if)# udp ip-destination-hash
To remove the UDP booster feature from an interface, enter:
host1/C1(config-if)# no udp
Related Commands show interface
show running-config
KAL-AP UDP Configuration Mode Commands
The ACE supports secure KAL-AP for MD5 encryption of data between the ACE and the Global Site
Selector (GSS). To configure secure KAL-AP on the ACE, access KAL-AP UDP configuration mode
using the kalap udp command. The CLI prompt changes to (config-kalap-udp). Use the no form of this
command to return to configuration mode (or use the exit command).
kalap udp
no kalap udp
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The ACE supports secure KAL-AP for MD5 encryption of data between the ACE and the GSS. For
encryption, you must configure a shared secret as a key for authentication between the GSS and the ACE
context.
Examples To enter KAL-AP UDP configuration mode, enter:
host1/Admin(config)# kalap udp
host1/Admin(config-kalap-udp)#
Related Commands show kalap udp load
show running-config
(config-kalap-udp) ip address
(config-kalap-udp) ip address
To enable secure KAL-AP, you configure the VIP address to the GSS and the shared secret using the
ip address command. Use the no form of this command to remove the VIP address and the shared secret
from the configuration.
ip address ip_address encryption md5 secret
no ip address ip_address
Syntax Description
ip_address VIP address for the GSS. Enter the IP address in dotted-decimal notation (for
example, 192.168.11.1).
secret Shared secret between the GSS and the ACE. Enter the shared secret as a
case-sensitive string with no spaces and a maximum of 31 alphanumeric
characters.
Command Modes KAL-AP UDP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The ACE supports secure KAL-AP for MD5 encryption of data between the ACE and the Global Site
Selector (GSS). For encryption, you must configure a shared secret as a key for authentication between
the GSS and the ACE context.
Examples To enable secure KAL-AP and configure the VIP address for the GSS and the shared secret, enter:
host1/Admin(config)# kalap udp
host1/Admin(config-kalap-udp)# ip address 10.1.0.1 encryption md5 andromeda
To disable secure KAL-AP, enter:
host1/Admin(config-kalap-udp)# no ip address 10.1.0.1
Related Commands show kalap udp load
show running-config
(config) kalap udp
LDAP Configuration Mode Commands
LDAP configuration mode commands allow you to configure multiple Lightweight Directory Access
Protocol version 3 (LDAP) servers as a named AAA server group. You specify the IP address of one or more
previously configured LDAP servers that you want added to or removed from an AAA server group, together
with configuration parameters such as the user profile attribute, the base DN, and the filter to use in the search
request.
For details about creating an LDAP server group, see the Security Guide, Cisco ACE Application Control
Engine.
To create an LDAP server group and access the LDAP server configuration mode, use the aaa group
server ldap command in configuration mode. The CLI prompt changes to (config-ldap). Use the no form
of this command to remove an LDAP server group.
aaa group server ldap group_name
no aaa group server ldap group_name
Syntax Description
ldap Specifies an LDAP directory server group.
group_name Name for the group of LDAP servers. Enter an unquoted text string with no spaces
and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines All commands in this mode require the AAA feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
A server group is a list of server hosts. The ACE allows you to configure multiple AAA servers as a
named server group. You group the different AAA server hosts into distinct lists. The ACE searches for
the server hosts in the order in which you specify them within a group. You can configure a maximum
of 10 server groups for each context in the ACE.
You can configure LDAP server groups at any time, but you must enter the aaa authentication login
command to apply the groups to the AAA service.
Examples To create an LDAP server group, enter:
host1/Admin(config)# aaa group server ldap LDAP_Server_Group1
host1/Admin(config-ldap)# server 172.16.56.76
host1/Admin(config-ldap)# server 172.16.56.77
host1/Admin(config-ldap)# server 172.16.56.78
Related Commands (config) aaa authentication login
(config-ldap) attribute user-profile
To specify the user profile attribute that the Lightweight Directory Access Protocol (LDAP) server group
uses, use the attribute user-profile command. Use the no form of this command to delete a user profile
attribute from the LDAP server group.
attribute user-profile text
no attribute user-profile text
Syntax Description
text User profile. The user profile is an unquoted text string of a maximum of 63 alphanumeric
characters without spaces.
Command Modes LDAP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The user profile attribute type is a mandatory configuration for an LDAP server group. Without this
setting, the user profile attribute cannot be retrieved from the LDAP server.
The user profile attribute type is a private attribute. In this case, the LDAP server database should use
the same attribute type for the user profile. The LDAP client (the ACE) sends the search request with
this attribute type as the attribute that it wants to download. If the lookup was successful, the search
response contains this attribute value. The attribute value should contain a string that represents the user
role and domain pair for this particular context.
Examples To configure a user profile attribute for the LDAP server group, enter:
host1/Admin(config)# aaa group server ldap LDAP_Server_Group1
host1/Admin(config-ldap)# attribute user-profile usrprof
Related Commands (config) aaa group server
(config-ldap) baseDN
To configure the base distinguished name (DN) that you want to use to perform search operations in the
LDAP directory tree, use the baseDN command. A baseDN can take a form such as dc=your,dc=domain,
where the base DN uses the DNS domain name as its basis and is split into the domain components. Use
the no form of this command to delete a configured baseDN for the LDAP server group.
baseDN text
no baseDN text
Syntax Description
text Distinguished name of the search base. The baseDN name is a quoted text string of a maximum
of 63 alphanumeric characters without spaces.
Command Modes LDAP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The base DN is a mandatory configuration for an LDAP server group. Without this setting, a user cannot
be authenticated.
Examples To configure the base DN for the LDAP server group, enter:
host1/Admin(config)# aaa group server ldap LDAP_Server_Group1
host1/Admin(config-ldap)# baseDN "dc=sns,dc=cisco,dc=com"
To delete the configured base DN, enter:
host1/Admin(config-ldap)# no baseDN "dc=sns,dc=cisco,dc=com"
Related Commands (config) aaa group server
(config-ldap) filter search-user
To configure a search request sent by the Lightweight Directory Access Protocol (LDAP) client to the
server to find the user’s node in the Directory Information Tree (DIT), use the filter search-user
command. The $userid and $contextid placeholders are substituted with actual values when the request is
sent. Use the no form of this command to delete the search request from the LDAP server group.
filter search-user text
no filter search-user text
Syntax Description
text Search request. The search filter is a quoted text string of a maximum of 63 alphanumeric
characters without spaces.
Command Modes LDAP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The search filter is a mandatory configuration for an LDAP server group. Without this setting, a user
cannot be authenticated.
The search filter should follow the format defined in RFC 2254. The LDAP client sends the search
request with the configured search filter after replacing $userid and $contextid with the user ID that
the client is trying to authenticate and the associated virtual context name. The ACE allows $userid and
$contextid to be used as placeholders for the user ID and context ID.
Examples To configure a search request for the LDAP server group, enter:
host1/Admin(config)# aaa group server ldap LDAP_Server_Group1
host1/Admin(config-ldap)# filter search-user "(&(objectclass=person)(&(cn=$userid)(cid=$contextid)))"
To delete the search request, enter:
host1/Admin(config-ldap)# no filter search-user "(&(objectclass=person)(&(cn=$userid)(cid=$contextid)))"
Related Commands (config) aaa group server
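How the $userid and $contextid substitution described above can be carried out, as an added Python example (not Cisco's implementation): it checks a template against the syntax description (no spaces, at most 63 characters, only the two documented placeholders) and substitutes values in a single pass so that the user ID is inserted as literal data. The RFC 2254 escaping of the substituted values is this example's own choice; the reference does not say whether the ACE escapes them.

```python
"""Expansion of an ACE 'filter search-user' template, as described in the
usage guidelines above. Added example, not Cisco code. It validates the
template against the syntax description (quoted string, no spaces, at
most 63 characters, only $userid and $contextid as placeholders) and,
when substituting, applies the RFC 2254 escaping rules to the values so
that a user ID containing '(', ')', '*' or '\\' is matched literally;
whether the ACE itself escapes substituted values is not stated in the
reference and is this example's own choice."""
import re

MAX_FILTER_LEN = 63
PLACEHOLDERS = ("userid", "contextid")
_PLACEHOLDER = re.compile(r"\$([A-Za-z_]+)")
# RFC 2254 section 4: characters that must be escaped inside a filter value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def validate_template(template: str) -> bool:
    """Check the configured filter text against the syntax description."""
    if " " in template or not 1 <= len(template) <= MAX_FILTER_LEN:
        raise ValueError("filter must be 1-63 characters with no spaces")
    depth = 0
    for ch in template:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("unbalanced ')' in filter")
    if depth:
        raise ValueError("unbalanced '(' in filter")
    unknown = set(_PLACEHOLDER.findall(template)) - set(PLACEHOLDERS)
    if unknown:
        raise ValueError(f"unknown placeholder(s): {sorted(unknown)}")
    return True


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 2254 so it cannot alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_search_filter(template: str, userid: str, contextid: str) -> str:
    """Replace $userid and $contextid in one pass with escaped values.

    A single regex pass means a value that itself contains the text
    '$contextid' is inserted verbatim rather than expanded again.
    """
    validate_template(template)
    values = {"userid": escape_filter_value(userid),
              "contextid": escape_filter_value(contextid)}
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
```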
(config-ldap) server
To specify the IP address of one or more previously configured Lightweight Directory Access Protocol
(LDAP) servers that you want added to or removed from the AAA server group, use the server
command. Use the no form of this command to remove the server from the AAA server group.
server ip_address
no server ip_address
Syntax Description
ip_address IP address of the LDAP server. Enter the address in dotted-decimal IP notation (for
example, 192.168.11.1).
Command Modes LDAP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You can add multiple LDAP servers to the AAA server group by entering multiple server commands
while in this mode. The same server can belong to multiple server groups.
Examples To add one or more servers to an LDAP server group, enter:
host1/Admin(config)# aaa group server ldap LDAP_Server_Group1
host1/Admin(config-ldap)# server 172.16.56.76
host1/Admin(config-ldap)# server 172.16.56.79
host1/Admin(config-ldap)# server 172.16.56.82
To remove a server from the LDAP server group, enter:
host1/Admin(config-ldap)# no server 172.16.56.76
Related Commands (config) aaa group server
Line Configuration Mode Commands
Line configuration mode commands allow you to configure the virtual terminal line settings. To configure
the virtual terminal line settings and access line configuration mode, use the line vty command in
configuration mode. The CLI prompt changes to (config-line). For information about the commands in
line configuration mode, see the following commands.
Use the no form of the line vty command to reset the line configuration mode parameter to its default
setting.
line vty
no line vty
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode have no user role feature restrictions. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To enter the line configuration mode, enter:
host1/Admin(config)# line vty
host1/Admin(config-line)#
Related Commands clear line
show line
(config-line) session-limit
To configure the maximum number of terminal sessions per line, use the session-limit command. Use the
no form of this command to disable a setting for the configured virtual terminal line.
session-limit number
no session-limit number
Syntax Description
number Maximum number of terminal sessions per line. Enter an integer from 1 to 251.
Command Modes Line configuration mode
Admin context only
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples For example, to configure a virtual terminal line, enter:
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)#
host1/Admin(config)# line vty
host1/Admin(config-line)# session-limit 23
To disable a setting for the configured virtual terminal line, enter:
host1/Admin(config-line)# no session-limit 23
Related Commands clear line
show line
(config) line vty
Object Group Configuration Mode Commands
Object groups allow you to simplify the creation of multiple access control list (ACL) entries in an ACL.
By grouping like objects together, you can use an object group in an ACL entry instead of having to enter
an ACL entry for each object separately.
To create an object group and access object group configuration mode, use the object-group command.
The CLI prompt changes to (config-objgrp-netw or config-objgrp-serv) depending upon whether you
create a network or service object group. Use the no form of this command to delete an existing object
group.
object-group [network | service] name
no object-group [network | service] name
Syntax Description
network Specifies a group of hosts or subnet IP addresses.
service Specifies a group of TCP or UDP port specifications or ICMP types.
name Unique identifier of the object group. Enter the object group name as an unquoted
text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Action list modify configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You can create either network or service object groups. After you create these groups, you can use a
single ACL entry to allow trusted hosts to make specific service requests to a group of public servers.
If you add new members to an existing object group that is already in use by an entry in a large ACL,
recommitting the ACL can take a long time, depending on the size of the ACL and the object group. In
some cases, making this change can cause the ACE to devote over an hour to committing the ACL, during
which time you cannot access the terminal. We recommend that you first remove the ACL entry that
refers to the object group, make your change, and then add the ACL entry back into the ACL.
Examples To create a network object group, enter:
host1/Admin(config)# object-group network NET_OBJ_GROUP1
host1/Admin(config-objgrp-netw)#
To create a service object group, enter:
host1/Admin(config)# object-group service SERV_OBJ_GROUP1
host1/Admin(config-objgrp-serv)#
Related Commands (config-objgrp-netw) description
(config-objgrp-netw) host
(config-objgrp-netw) ip_address
(config-objgrp-netw) description
To add an optional description to a network object group, use the description command. Use the no form
of this command to remove a description from a network object group.
description text
no description text
Syntax Description
text (Optional) Description of the network object group. Enter the description as an
unquoted, alphanumeric, text string from 1 to 240 characters.
Command Modes Network object group configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description to the network object group, enter:
host1/Admin(config-objgrp-netw)# description intranet network object group
To remove a description from the network object group, enter:
host1/Admin(config-objgrp-netw)# no description intranet network object group
Related Commands (config) object-group
(config-objgrp-netw) host
(config-objgrp-netw) ip_address
(config-objgrp-netw) host
To associate a host IPv6 or IPv4 address with a network object group, use the host command. Use the
no form of this command to remove a host from the network object group.
host ip_address
no host ip_address
Syntax Description
ip_address Host IPv6 or IPv4 address associated with the network object group. Enter an IPv4
address in dotted-decimal notation (for example, 192.168.12.15).
Command Modes Network object group configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines You cannot mix an IPv6 address and an IPv4 address in the same network object group.
Examples IPv6 Example
To create a network object group that includes three IPv6 host addresses, enter:
host1/Admin(config)# object-group network NET_OBJ_GROUP1
host1/Admin(config-objgrp-netw)# description Administrator Addresses
host1/Admin(config-objgrp-netw)# host 2001:DB8:1::/64
host1/Admin(config-objgrp-netw)# host 2001:DB8:2::/64
host1/Admin(config-objgrp-netw)# host 2001:DB8:3::/64
To remove host IPv6 address 2001:DB8:1::/64 from the network object group, enter:
host1/Admin(config-objgrp-netw)# no host 2001:DB8:1::/64
IPv4 Example
To create a network object group that includes three IPv4 host addresses, enter:
host1/Admin(config)# object-group network NET_OBJ_GROUP1
host1/Admin(config-objgrp-netw)# description Administrator Addresses
host1/Admin(config-objgrp-netw)# host 192.168.12.15
host1/Admin(config-objgrp-netw)# host 192.168.12.21
host1/Admin(config-objgrp-netw)# host 192.168.12.27
To remove host IPv4 address 192.168.12.15 from the network object group, enter:
host1/Admin(config-objgrp-netw)# no host 192.168.12.15
Related Commands (config) object-group
(config-objgrp-netw) description
(config-objgrp-netw) ip_address
(config-objgrp-netw) ip_address
To associate a network IP address with a network object group, use the ip_address command. Use the
no form of this command to remove an IP address or host from the network object group.
ip_address {/prefix_length | netmask}
no ip_address {/prefix_length | netmask}
Syntax Description
ip_address IP address assigned to the network object group.
/prefix_length For an IPv6 address, the length of the network prefix. Enter a “/” (forward slash)
followed by an integer from 1 to 128.
netmask Network mask applied to the IP address. Enter a network mask in dotted decimal
notation (for example, 255.255.255.0).
Command Modes Network object group configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines You cannot mix an IPv6 address and an IPv4 address in the same network object group.
Examples IPv6 Example
To add the IPv6 address and prefix length 2001:DB8:1::1/64 to a network object group, enter:
host1/Admin(config-objgrp-netw)# 2001:DB8:1::1/64
Enter additional object-group IP addresses as required.
To remove an IP address from the network object group, enter:
host1/Admin(config-objgrp-netw)# no 2001:DB8:1::1/64
IPv4 Example
To add the IP address 192.168.12.15 and network mask 255.255.255.0 to a network object group, enter:
host1/Admin(config-objgrp-netw)# 192.168.12.15 255.255.255.0
To remove an IP address from the network object group, enter:
host1/Admin(config-objgrp-netw)# no 192.168.12.15 255.255.255.0
Related Commands (config) object-group
(config-objgrp-netw) description
(config-objgrp-netw) host2-759
(config-objgrp-serv) description
To add an optional description to a service object group, use the description command. Use the no form
of this command to remove a description from a service object group.
description text
no description text
Syntax Description
text (Optional) Description of the service object group. Enter the description as an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Service object group configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description to the service object group, enter:
host1/Admin(config-objgrp-serv)# description intranet service object group
To remove a description from the service object group, enter:
host1/Admin(config-objgrp-serv)# no description intranet service object group
Related Commands (config) object-group
(config-objgrp-serv) protocol
(config-objgrp-serv) protocol
To associate a protocol and port designation with a service object group, use the protocol command. Use
the no form of this command to remove the protocol and port designation from a service object group.
protocol [source operator port1 [port2]] [operator port3 [port4]] [icmp-type type code operator code1 code2]
no protocol [source operator port1 [port2]] [operator port3 [port4]] [icmp-type type code operator code1 code2]
Syntax Description
protocol Name or number of an IP protocol. Enter a protocol name or an integer from 1 to 255 that represents an IP protocol number. See Table 1-12.
source Specifies a source port for TCP, TCP-UDP, or UDP. To specify a destination port, use the operator argument with no keyword.
operator (Optional) Operand used to compare source and destination port numbers for TCP and UDP protocols, and message codes for ICMP. To specify a destination port, use the operator argument with no keyword. The operators are as follows:
• lt—Less than.
• gt—Greater than.
• eq—Equal to.
• neq—Not equal to.
• range—An inclusive range of port values or ICMP message codes. If you enter this operator, enter a second port number value or second ICMP message code to define the upper limit of the range.
port1 [port2] TCP or UDP source name or port number from which you permit or deny services access. Enter a port name or an integer from 0 to 65535. To enter an inclusive range of ports, enter two port numbers. port2 must be greater than or equal to port1. See Table 1-13 for a list of well-known TCP keywords and port numbers and Table 1-14 for a list of well-known UDP keywords and port numbers.
port3 [port4] TCP or UDP destination name or port number to which you permit or deny services access. To enter an optional inclusive range of ports, enter two port numbers. port4 must be greater than or equal to port3. See Table 1-13 for a list of well-known TCP keywords and port numbers and Table 1-14 for a list of well-known UDP keywords and port numbers.
icmp-type type (Optional) If you entered ICMP as the protocol, specifies the type of ICMP messaging. Enter either an integer corresponding to the ICMP code number or one of the ICMP types listed in Table 1-15 (ICMPv4) or Table 1-16 (ICMPv6).
code (Optional) Specifies that a numeric operator and ICMP code follows.
code1 [code2] ICMP code number that corresponds to an ICMP type. See Table 1-15 (ICMPv4) or Table 1-16 (ICMPv6). If you entered the range operator, enter a second ICMP code value to define the upper limit of the range.
Table 1-12 Supported Protocol Keywords and Numbers
Protocol Name Protocol Number Description
ah 51 Authentication Header
eigrp 88 Enhanced IGRP
esp 50 Encapsulated Security Payload
gre 47 Generic Routing Encapsulation
icmp 1 Internet Control Message Protocol v4
icmpv6 58 Internet Control Message Protocol v6
igmp 2 Internet Group Management Protocol
ip any Internet Protocol
ip-in-ip 4 IP-in-IP Layer 3 Tunneling Protocol
ospf 89 Open Shortest Path First
pim 103 Protocol Independent Multicast
tcp 6 Transmission Control Protocol
tcp-udp 6 and 17 TCP and UDP
udp 17 User Datagram Protocol
Table 1-13 Well-Known TCP Port Numbers and Keywords
Keyword Port Number Description
aol 5190 America-Online
bgp 179 Border Gateway Protocol
chargen 19 Character Generator
citrix-ica 1494 Citrix Independent Computing Architecture Protocol
cmd 514 Same as exec, with automatic authentication
ctiqbe 2748 Computer Telephony Interface Quick Buffer Encoding
daytime 13 Daytime
discard 9 Discard
domain 53 Domain Name System
echo 7 Echo
exec 512 Exec (RSH)
finger 79 Finger
ftp 21 File Transfer Protocol
ftp-data 20 FTP data connections
gopher 70 Gopher
h323 1720 H.323 call signaling
hostname 101 NIC hostname server
http 80 Hypertext Transfer Protocol
https 443 HTTP over TLS/SSL
ident 113 Ident Protocol
imap4 143 Internet Message Access Protocol, version 4
irc 194 Internet Relay Chat
kerberos 88 Kerberos
klogin 543 Kerberos Login
kshell 544 Kerberos Shell
ldap 389 Lightweight Directory Access Protocol
ldaps 636 LDAP over TLS/SSL
login 513 Login (rlogin)
lotusnotes 1352 IBM Lotus Notes
lpd 515 Printer Service
matip-a 350 Mapping of Airline Traffic over Internet Protocol Type A
netbios-ssn 139 NetBIOS Session Service
nntp 119 Network News Transport Protocol
pcanywhere-data 5631 PC Anywhere data
pim-auto-rp 496 PIM Auto-RP
pop2 109 Post Office Protocol v2
pop3 110 Post Office Protocol v3
pptp 1723 Point-to-Point Tunneling Protocol, RFC 2637
rtsp 554 Real-Time Streaming Protocol
sip 5060 Session Initiation Protocol
skinny 2000 Cisco Skinny Client Control Protocol (SCCP)
smtp 25 Simple Mail Transfer Protocol
sqlnet 1521 Structured Query Language Network
ssh 22 Secure Shell
sunrpc 111 Sun Remote Procedure Call
tacacs 49 Terminal Access Controller Access Control System
talk 517 Talk
telnet 23 Telnet
time 37 Time
uucp 540 Unix-to-Unix Copy Program
whois 43 Nicname
www 80 World Wide Web (HTTP)
Table 1-14 Well-Known UDP Keywords and Port Numbers
Keyword Port Number Description
biff 512 Mail notification
bootpc 68 Bootstrap Protocol client
bootps 67 Bootstrap Protocol server
discard 9 Discard
dnsix 195 DNSIX Security protocol auditing (dn6-nlm-aud)
domain 53 Domain Name System
echo 7 Echo
isakmp 500 Internet Security Association Key Management Protocol
kerberos 88 Kerberos
mobile-ip 434 Mobile IP registration
nameserver 42 Host Name Server
netbios-dgm 138 NetBIOS datagram service
netbios-ns 137 NetBIOS name service
netbios-ssn 139 NetBIOS Session Service
ntp 123 Network Time Protocol
pcanywhere-status 5632 PC Anywhere status
radius-auth 1812 (ACE module only) Remote Authentication Dial-in User Service
radius 1812 (ACE appliance only) Remote Authentication Dial-in User Service
radius-acct 1813 RADIUS Accounting
rip 520 Routing Information Protocol
snmp 161 Simple Network Management Protocol
snmptrap 162 SNMP Traps
sunrpc 111 Sun Remote Procedure Call
syslog 514 System Logger
tacacs 49 Terminal Access Controller Access Control System
talk 517 Talk
tftp 69 Trivial File Transfer Protocol
time 37 Time
who 513 Who service (rwho)
wsp 9200 Connectionless Wireless Session Protocol
wsp-wtls 9202 Secure Connectionless WSP
wsp-wtp 9201 Connection-based WSP
wsp-wtp-wtls 9203 Secure Connection-based WSP
xdmcp 177 X Display Manager Control Protocol
Table 1-15 ICMPv4 Types
ICMP Code Number ICMP Type
0 echo-reply
3 unreachable
4 source-quench
5 redirect
6 alternate-address
8 echo
9 router-advertisement
10 router-solicitation
11 time-exceeded
12 parameter-problem
13 timestamp-request
14 timestamp-reply
15 information-request
16 information-reply
17 mask-request
18 mask-reply
30 traceroute
31 conversion-error
32 mobile-redirect
Table 1-16 ICMPv6 Types
ICMPv6 Code Number ICMPv6 Type
1 unreachable
3 time-exceeded
4 parameter-problem
30 traceroute
128 echo
129 echo-reply
137 redirect
139 information-request
140 information-reply
Command Modes Service object group configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
A2(2.1) The radius keyword is deprecated and is now the radius-auth keyword.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines This command has no usage guidelines.
Examples To create a service object group for TCP (source port only), UDP (source and destination ports), and
ICMPv6, enter:
ISM/Admin(config)# object-group service TCP_UDP_ICMP
ISM/Admin(config-objgrp-serv)# tcp source eq domain
ISM/Admin(config-objgrp-serv)# udp source eq radius eq radius-acct
ISM/Admin(config-objgrp-serv)# icmpv6 echo code eq 128
To remove the ICMPv6 entry from the above service object group, enter:
ISM/Admin(config-objgrp-serv)# no icmpv6 echo code eq 128
Related Commands (config) object-group
(config-objgrp-serv) description
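What a service object group admits can be checked mechanically from the grammar above before the group is referenced anywhere. The following added example (not code from the Cisco ACE Command Reference) parses protocol lines against that grammar, resolves keywords from a subset of Tables 1-12 to 1-16, and lists the TCP/UDP entries that match any destination port or a wide span of ports; treating the icmp-type keyword as optional (the reference's own example omits it) and the max_span threshold are this example's assumptions.

```python
"""Parse and validate the protocol lines of a Cisco ACE service object group.

Added example for offline configuration review, not code from the Cisco ACE
Command Reference.  Grammar: protocol [source operator port1 [port2]]
[operator port3 [port4]] [icmp-type type code operator code1 code2].
Keyword tables below are a subset of Tables 1-12 to 1-16.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of Table 1-12: protocol keyword -> IP protocol number(s).
PROTO_NUM = {"tcp": (6,), "udp": (17,), "tcp-udp": (6, 17), "icmp": (1,),
             "icmpv6": (58,), "gre": (47,), "esp": (50,), "ah": (51,)}
# Subset of Tables 1-13 (TCP) and 1-14 (UDP): port keyword -> port number.
PORT_KEYWORDS = {"domain": 53, "ssh": 22, "telnet": 23, "http": 80, "https": 443,
                 "radius": 1812, "radius-auth": 1812, "radius-acct": 1813,
                 "snmp": 161, "tftp": 69, "ntp": 123, "syslog": 514}
# Subset of Tables 1-15 (ICMPv4) and 1-16 (ICMPv6): type keyword -> type number.
ICMP_TYPES = {"icmp": {"echo": 8, "echo-reply": 0, "unreachable": 3, "redirect": 5},
              "icmpv6": {"echo": 128, "echo-reply": 129, "unreachable": 1, "redirect": 137}}
OPERATORS = ("lt", "gt", "eq", "neq", "range")
Operand = Tuple[str, int, int]  # (operator, low, high); low == high unless range


@dataclass
class ServiceEntry:
    protocol: Tuple[int, ...]
    source: Optional[Operand] = None
    destination: Optional[Operand] = None
    icmp: Optional[Tuple[int, Optional[Operand]]] = None  # (type number, code operand)


def _num(tok: str, hi: int, keywords: Optional[Dict[str, int]] = None) -> int:
    """Resolve a keyword or a decimal integer in 0..hi, else raise ValueError."""
    if keywords and tok in keywords:
        return keywords[tok]
    if tok.isdigit() and int(tok) <= hi:
        return int(tok)
    raise ValueError(f"bad value {tok!r}")


def _operand(tokens: List[str], i: int, hi: int, keywords=None) -> Tuple[Operand, int]:
    """Consume 'operator value [value]' at tokens[i]; return the operand and next index."""
    op = tokens[i]
    if op not in OPERATORS:
        raise ValueError(f"unknown operator {op!r}")
    low = _num(tokens[i + 1], hi, keywords)
    if op != "range":
        return (op, low, low), i + 2
    high = _num(tokens[i + 2], hi, keywords)
    if high < low:  # the reference requires the second value to be >= the first
        raise ValueError("upper bound of range is below lower bound")
    return (op, low, high), i + 3


def parse_protocol_line(line: str) -> ServiceEntry:
    """Parse one protocol line; raise ValueError for anything the grammar rejects."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty line")
    name = tokens[0]
    if name in PROTO_NUM:
        entry = ServiceEntry(PROTO_NUM[name])
    elif name.isdigit() and 1 <= int(name) <= 255:
        entry = ServiceEntry((int(name),))
    else:
        raise ValueError(f"unknown protocol {name!r}")
    i = 1
    try:
        if i < len(tokens) and tokens[i] == "source":
            entry.source, i = _operand(tokens, i + 1, 65535, PORT_KEYWORDS)
        if i < len(tokens) and tokens[i] in OPERATORS:  # no keyword: destination port
            entry.destination, i = _operand(tokens, i, 65535, PORT_KEYWORDS)
        if i < len(tokens) and name in ICMP_TYPES:
            if tokens[i] == "icmp-type":  # assumption: literal keyword is optional
                i += 1
            tnum, i = _num(tokens[i], 255, ICMP_TYPES[name]), i + 1
            code = None
            if i < len(tokens) and tokens[i] == "code":
                code, i = _operand(tokens, i + 1, 255)
            entry.icmp = (tnum, code)
    except IndexError:
        raise ValueError(f"truncated entry {line!r}") from None
    if i != len(tokens):
        raise ValueError(f"unexpected tokens {tokens[i:]!r}")
    return entry


def is_valid(line: str) -> bool:
    try:
        parse_protocol_line(line)
        return True
    except ValueError:
        return False


def broad_port_entries(lines: List[str], max_span: int = 1024) -> List[str]:
    """TCP/UDP lines matching any destination port, using lt/gt/neq, or spanning
    more than max_span ports: the entries to check first when reviewing a group."""
    flagged = []
    for line in lines:
        e = parse_protocol_line(line)
        d = e.destination
        wide = d is None or d[0] in ("lt", "gt", "neq") or d[2] - d[1] + 1 > max_span
        if set(e.protocol) & {6, 17} and wide:
            flagged.append(line)
    return flagged
```

Running broad_port_entries over the reference's TCP_UDP_ICMP example flags only `tcp source eq domain`, since it constrains the source port while leaving every destination port open.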
Optimize Configuration Mode Commands
(ACE appliance only) The optimize mode includes a set of commands that allow you to globally
configure application acceleration and optimization operation on the ACE. To remove an optimize mode
selection, use the no form of the command. For details about using the commands in the optimize mode,
see the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and
Optimization Configuration Guide.
To access the optimize mode, enter the optimize command. The CLI prompt changes to
(config-optimize).
optimize
no optimize
Syntax Description This command has no keywords or arguments.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
Examples To access the optimize mode, enter:
host1/Admin(config)# optimize
host1/Admin(config-optimize)#
Related Commands show optimization-global
(config-optimize) appscope-log
(ACE appliance only) To configure the ACE to upload the application acceleration and optimization
statistical log information to the optional Cisco AVS 3180A Management Station, use the appscope-log
command. Use the no form of this command to disable sending statistical log information to a
Management Station.
appscope-log
no appscope-log
Syntax Description This command has no keywords or arguments.
Command Modes Optimize mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The statistical log file contains an entry for each ACE optimization request to the server and is used for
statistical analysis by the optional Cisco AVS 3180A Management Station. The ACE collects statistical
log data and then sends it to the Management Station for loading into the management station database.
For details about the optional Cisco AVS 3180A Management Station database, management, and
reporting features, including AppScope reporting, see the Cisco 4700 Series Application Control Engine
Appliance Application Acceleration and Optimization Configuration Guide.
To enable the AppScope feature, use the appscope command in action list optimization configuration
mode. See the (config-actlist-optm) appscope command.
For each ACE request, information about the statistical log is written to the statlog.nnn file, where nnn
is a three-digit number. Each entry in the statlog file is written in an XML-like syntax, where each
element is opened with an angle-bracketed tag, and closed with a similar tag, and can contain several
fields with nested elements.
Note Statistical log information from active ACE nodes is carried by the syslog-ng daemon to the Cisco AVS
3180A Management Console and written to a file under the avs-log/syslog/ directory. The file is
_, which is unique across all ACE nodes.
To specify the host (the syslog server on the Management Station) that receives the syslog messages sent
by the ACE, use the logging host configuration command. See the (config) logging host command. This
command allows you to identify the IP address of the Management Station that will be used as the syslog
server. You can specify that the host uses either UDP or TCP to send messages to the syslog server.
Examples To specify that the statistical log information is to be sent to a Management Station at 192.168.10.1
using TCP, enter:
host1/Admin(config)# optimize
host1/Admin(config-optimize)# appscope-log
host1/Admin(config-optimize)# exit
host1/Admin(config)# logging host 192.168.10.1 tcp
To disable sending statistical log information to an AVS 3180A Management Station, enter:
host1/Admin(config-optimize)# no appscope-log
Related Commands (config-actlist-optm) appscope
(config-parammap-optmz) appscope optimize-rate-percent
(config-parammap-optmz) parameter-summary parameter-value-limit
(config-parammap-optmz) request-grouping-string
(config-optimize) concurrent-connections
(ACE appliance only) To define the concurrent connection limit at which optimization will be disabled
for all new connections that are received by the ACE, use the concurrent-connections command. Use
the no form of this command to return to the default concurrent connection limit of 1000.
concurrent-connections connection_limit
no concurrent-connections
Syntax Description
connection_limit Maximum concurrent connection limit. Enter an integer from 100 to 9500. The default is 1000.
Command Modes Optimize mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(8) This command was introduced.
A4(1.0) The limit keyword was removed.
A4(2.0) This command was deprecated. Application acceleration concurrent connections are now fixed at 100.
Usage Guidelines When you use the ACE to perform a specific set of application acceleration and optimization functions,
and the ACE reaches the maximum of 10,000 concurrent connections, the ACE stops accepting any
additional concurrent connections until the count drops below 10,000. You can define the limit at which
all new connections are directly sent to the real server without the ACE performing application
acceleration and optimization. This user-defined limit bypasses application acceleration and
optimization requests on a connection until the concurrent connection count is less than the allowed
specified maximum of 9,500 concurrent connections.
The ACE will always perform application acceleration and optimization for FlashForward URLs,
AppScope URLs, and base file URLs in a new connection even if you have specified a concurrent
connection limit.
Note The show stats loadbalance command in Exec mode displays the optimized connection counter
(maximum and concurrent) and the unoptimized connection counter for all application acceleration
connections.
Examples To specify a concurrent connection limit of 5000, enter:
host1/Admin(config)# optimize
host1/Admin(config-optimize)# concurrent-connections 5000
To return to the default concurrent connection limit of 1000, enter:
host1/Admin(config-optimize)# no concurrent-connections
Related Commands This command has no related commands.
(config-optimize) debug-level
(ACE appliance only) To enable HTTP optimization logging and control the maximum level for system
log messages sent to the host (the syslog server on the optional Cisco AVS 3180A Management Station),
use the debug-level command. Use the no form of the command to disable the debug function for HTTP
optimization.
debug-level severity_level
no debug-level severity_level
Syntax Description
severity_level Maximum level for system log messages sent to a syslog server. The severity level that you specify indicates that you want syslog messages at that level and messages lower than that level. For example, if the specified level is 3, the syslog displays level 3, 2, 1, and 0 messages.
Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
Command Modes Optimize mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The debug-level command limits the HTTP optimization logging messages sent to a syslog server based
on severity.
To specify the host (the syslog server on the optional Management Station) that receives the syslog
messages sent by the ACE, use the logging host configuration command. See the (config) logging host
command. You can specify that the host uses either UDP or TCP to send messages to the syslog server.
Examples To enable HTTP optimization logging and send informational system message logs to the syslog server,
enter:
host1/Admin(config-optimize)# debug-level 6
To disable the debug function for HTTP optimization, enter:
host1/Admin(config-optimize)# no debug-level
Related Commands (config-parammap-optmz) appscope optimize-rate-percent
(config-parammap-optmz) parameter-summary parameter-value-limit
(config-parammap-optmz) request-grouping-string
Parameter Map Connection Configuration Mode Commands
Parameter map connection configuration mode commands allow you to define a connection-type parameter
map. After you create the connection parameter map, you can configure TCP, IP, and other settings for
the map. To create the connection parameter map and access parameter map connection configuration
mode, use the parameter-map type connection command in configuration mode. The prompt changes
to (config-parammap-conn). Use the no form of this command to remove the parameter map from the
configuration.
parameter-map type connection name
no parameter-map type connection name
Syntax Description
name Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the connection feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
If you configure switch mode and you configure any connection parameter-map commands (for example,
set tcp buffer-share, rate-limit, exceed-mss, nagle, random-sequence-number, reserved-bits, set
tcp wan-optimization, timeout inactivity, slowstart, and so on) either locally on a specific interface or
globally on all interfaces, switch mode will override these commands for certain types of traffic. This
behavior applies only to non-VIP, non-inspection, non-NATed, and non-management traffic. The ACE
continues to apply local, global, and VIP-specific connection parameter maps to load-balanced (VIP),
inspected, NATed, and management traffic. For information about switch mode, see the (config)
switch-mode command.
After you create and configure a parameter map, you must associate the parameter map with a policy
map to activate it. For details, see the (config-pmap-c) connection advanced-options command in the
“Policy Map Configuration Mode Commands” section.
Examples To create a connection parameter map called TCP_MAP, enter:
host1/Admin(config)# parameter-map type connection TCP_MAP
host1/Admin(config-parammap-conn)#
To delete the connection parameter map, enter:
host1/Admin(config)# no parameter-map type connection TCP_MAP
Related Commands (config) parameter-map type
(config-pmap-c) connection advanced-options
show parameter-map
(config-parammap-conn) description
To add a description for the parameter map, use the description command. Use the no form of this
command to remove the description from the parameter map.
description text_string
no description
Syntax Description
text_string Description for the parameter map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A3(2.3) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the connection parameter map, enter:
host1/Admin(config)# parameter-map type connection TCP_MAP
host1/Admin(config-parammap-conn)# description TCP CONNECTION PARAMETER MAP
To remove the description from the connection parameter map, enter:
host1/Admin(config-parammap-conn)# no description
Related Commands show parameter-map
(config-parammap-conn) exceed-mss
To configure the ACE to allow segments that exceed the maximum segment size (MSS), use the
exceed-mss command. Use the no form of this command to reset the ACE to its default of discarding
segments that exceed the MSS.
exceed-mss {allow | drop}
no exceed-mss
Syntax Description
allow Permits segments that exceed the maximum segment size.
drop Discards segments that exceed the maximum segment size. This is the default.
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure the ACE to allow segments that exceed the MSS, enter:
host1/Admin(config-parammap-conn)# exceed-mss allow
To configure the ACE to discard segments that exceed the MSS, enter:
host1/Admin(config-parammap-conn)# exceed-mss drop
To reset the ACE behavior to the default of discarding segments that exceed the MSS, enter:
host1/Admin(config-parammap-conn)# no exceed-mss
Related Commands (config-parammap-conn) set tcp mss
show parameter-map
(config-parammap-conn) nagle
To enable Nagle’s algorithm, use the nagle command. By default, this command is disabled. Nagle’s
algorithm instructs a sender to buffer any data to be sent until all outstanding data has been
acknowledged or until there is a full segment of data to send. Use the no form of this command to disable
Nagle’s algorithm.
nagle
no nagle
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Nagle’s algorithm automatically concatenates a number of small buffer messages that are transmitted
over the TCP connection. This process increases throughput by decreasing the number of segments that
need to be sent over the network. However, the interaction between Nagle’s algorithm and the TCP delayed
acknowledgment may increase latency in your TCP connection. You should disable Nagle’s algorithm if
you notice delays in your TCP connection.
Examples To enable Nagle’s algorithm, enter:
host1/Admin(config-parammap-conn)# nagle
To disable Nagle’s algorithm, enter:
host1/Admin(config-parammap-conn)# no nagle
Related Commands show parameter-map
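The latency interaction described in the usage guidelines, as an added simulation that is not code from the Cisco ACE reference: a sender with and without Nagle's algorithm against a receiver that delays its ACK by 200 ms, the set tcp ack-delay default. The 20 ms one-way delay, the 100-byte write pattern, and the no-loss, no-split simplifications are constructed for the demonstration.

```python
"""Discrete-event model of Nagle's algorithm meeting a delayed-ACK receiver.

Added example, not code from the Cisco ACE reference.  It reproduces the
latency effect noted in the nagle usage guidelines: with Nagle on, small writes
queue behind one unacknowledged segment until the peer's delayed ACK fires
(200 ms here, the set tcp ack-delay default).  Assumptions: no loss, writes
are never split across segments, one cumulative ACK covers all received data,
and the receiver ACKs at once after every second segment.
"""
import heapq
from typing import List, Tuple

MSS = 1460  # bytes per full segment


def simulate(writes: List[Tuple[int, int]], nagle: bool,
             one_way_ms: int = 20, ack_delay_ms: int = 200) -> List[int]:
    """Per write, the ms from the application write until its bytes reach the peer.

    writes: (time_ms, nbytes) pairs in ascending time order, each nbytes <= MSS.
    """
    events: list = []  # heap of (time, seq, kind, payload); seq keeps ordering stable
    seq = 0

    def schedule(t, kind, payload):
        nonlocal seq
        seq += 1
        heapq.heappush(events, (t, seq, kind, payload))

    for idx, (t, n) in enumerate(writes):
        schedule(t, "write", (idx, n))

    buffer: List[Tuple[int, int]] = []  # sender queue of (write idx, nbytes)
    unacked = 0                          # sender bytes in flight
    pending_segs = pending_bytes = 0     # receiver data not yet acknowledged
    timer_id = 0                         # receiver delayed-ACK timer generation
    delivered = {}

    def try_send(now):
        nonlocal unacked
        while buffer:
            queued = sum(n for _, n in buffer)
            if nagle and unacked and queued < MSS:
                return  # Nagle: data in flight and no full segment ready, so wait
            seg, n = [], 0
            while buffer and (not seg or n + buffer[0][1] <= MSS):
                idx, b = buffer.pop(0)
                seg.append(idx)
                n += b
            unacked += n
            schedule(now + one_way_ms, "data", (seg, n))

    while events:
        now, _, kind, payload = heapq.heappop(events)
        if kind == "write":
            buffer.append(payload)
            try_send(now)
        elif kind == "data":
            seg, n = payload
            for idx in seg:
                delivered[idx] = now
            pending_segs += 1
            pending_bytes += n
            if pending_segs >= 2:  # second segment: ACK immediately
                schedule(now + one_way_ms, "ack", pending_bytes)
                pending_segs = pending_bytes = 0
            else:                  # first segment: start the delayed-ACK timer
                timer_id += 1
                schedule(now + ack_delay_ms, "timer", timer_id)
        elif kind == "timer":
            if payload == timer_id and pending_segs:
                schedule(now + one_way_ms, "ack", pending_bytes)
                pending_segs = pending_bytes = 0
        elif kind == "ack":
            unacked -= payload
            try_send(now)
    return [delivered[i] - t for i, (t, _) in enumerate(writes)]


if __name__ == "__main__":
    # Constructed workload: five 100-byte writes, 10 ms apart.
    small = [(0, 100), (10, 100), (20, 100), (30, 100), (40, 100)]
    print("nagle off:", simulate(small, nagle=False))  # every write arrives after 20 ms
    print("nagle on: ", simulate(small, nagle=True))   # later writes wait for the delayed ACK
```

With Nagle on, writes two to five are held until the ACK for the first segment returns after the 200 ms delay plus the round trip, which is the delay the usage guidelines tell you to look for.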
(config-parammap-conn) random-sequence-number
To enable TCP sequence number randomization, use the random-sequence-number command. This
feature is enabled by default. Use the no form of this command to disable sequence number
randomization for Layer 4 flows only.
random-sequence-number
no random-sequence-number
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Randomizing TCP sequence numbers makes it more difficult for a hacker to guess or predict the next
sequence number in a TCP connection. This feature is enabled by default and you cannot disable it for
Layer 7 flows.
Examples To enable sequence number randomization, enter:
host1/Admin(config-parammap-conn)# random-sequence-number
To disable sequence number randomization, enter:
host1/Admin(config-parammap-conn)# no random-sequence-number
Related Commands show parameter-map
(config-parammap-conn) rate-limit
To limit the connection rate or the bandwidth rate of a policy, use the rate-limit command. Use the no
form of this command to return the behavior of the ACE to the default of not limiting the policy
bandwidth rate.
rate-limit {connection number1 | bandwidth number2}
no rate-limit {connection number1 | bandwidth number2}
Syntax Description
connection number1 Specifies the connection-rate limit for a policy in connections per second. Enter an integer from 0 to 350000. There is no default value.
bandwidth number2 Specifies the bandwidth-rate limit for a policy in bytes per second. Enter an integer from 0 to 300000000. There is no default value.
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines In addition to preserving system resources by limiting the total number of active connections to a real
server, the ACE allows you to limit the connection rate and the bandwidth rate of a policy map. The
connection rate is the number of connections per second that match the policy. The bandwidth rate is the
number of bytes per second that match the policy. The ACE applies these rate limits to each class map
that you associate with the policy at the virtual server level.
When the connection-rate limit or the bandwidth-rate limit is reached, the ACE blocks any further traffic
that matches that policy until the connection rate or bandwidth rate drops below the configured limit. By
default, the ACE does not limit the connection rate or the bandwidth rate of a policy.
You can also limit the connection rate and the bandwidth rate of a real server in a server farm. For details,
see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To limit the connection rate of a policy to 100000 connections per second, enter:
host1/Admin(config-parammap-conn)# rate-limit connection 100000
To return the behavior of the ACE to the default of not limiting the policy connection rate, enter:
host1/Admin(config-parammap-conn)# no rate-limit connection 100000
To limit the policy bandwidth rate to 50000000 bytes per second, enter:
host1/Admin(config-parammap-conn)# rate-limit bandwidth 50000000
To return the behavior of the ACE to the default of not limiting the policy bandwidth rate, enter:
host1/Admin(config-parammap-conn)# no rate-limit bandwidth 50000000
Related Commands show parameter-map
(config-parammap-conn) reserved-bits
To configure how an ACE handles segments with the reserved bits set in the TCP header, use the
reserved-bits command. Use the no form of this command to reset the ACE to its default of clearing
reserved bits set in the TCP header of a segment.
reserved-bits {allow | clear | drop}
no reserved-bits
Syntax Description
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
Usage Guidelines The six reserved bits in the TCP header are for future use and have a value of 0.
Examples To configure the ACE to allow segments with the reserved bits set in the TCP header, enter:
host1/Admin(config-parammap-conn)# reserved-bits allow
To reset the ACE to its default of clearing reserved bits set in the TCP header of a segment, enter:
host1/Admin(config-parammap-conn)# no reserved-bits allow
allow Permits segments with the reserved bits set in the TCP header.
clear Clears the reserved bits in the TCP header and allows the segment.
This is the default.
drop Discards segments with reserved bits set in the TCP header.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Related Commands show parameter-map
(config-parammap-conn) set ip tos
To set the type of service (ToS) for packets in a particular traffic class, use the set ip tos command. Use
the no form of this command to instruct the ACE to not rewrite the IP ToS value.
set ip tos number
no set ip tos
Syntax Description
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
Usage Guidelines The ToS for a packet determines how the network handles the packet and balances its precedence, delay,
throughput, and reliability. This information resides in the IP header.
For details about the ToS byte, see RFCs 791, 1122, 1349, and 3168.
Examples To set a packet’s ToS value to 20, enter:
host1/Admin(config-parammap-conn)# set ip tos 20
To instruct the ACE to not rewrite the ToS of a packet, enter:
host1/Admin(config-parammap-conn)# no set ip tos
Related Commands show parameter-map
number Packet ToS value. Enter an integer from 0 to 255.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-parammap-conn) set tcp ack-delay
To configure an ACK delay, use the set tcp ack-delay command. You can configure the ACE to delay
sending the ACK from a client to a server. Some applications delay the ACK for best performance. To
reset the ACK delay timer to the default value of 200 ms, use the no form of this command.
set tcp ack-delay number
no set tcp ack-delay
Syntax Description
Command Modes Connection parameter-map configuration mode
Command History
Usage Guidelines Delaying the ACK can help reduce congestion by sending one ACK for multiple segments rather than
sending an ACK for each segment.
Examples To delay sending an ACK for 400 ms, enter:
host1/Admin(config-parammap-conn)# set tcp ack-delay 400
To reset the ACK delay timer to the default of 200 ms, enter:
host1/Admin(config-parammap-conn)# no set tcp ack-delay
Related Commands show parameter-map
number Delay time for sending an ACK from a client to a server. Enter an
integer from 0 to 400 ms. The default is 200 ms.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-parammap-conn) set tcp buffer-share
To set the maximum receive or transmit buffer share size for each TCP and UDP connection, use the set
tcp buffer-share command. Use the no form of this command to reset the buffer limit to the default of
32768 bytes.
set tcp buffer-share number
no set tcp buffer-share
Syntax Description
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
Usage Guidelines To improve throughput and overall performance, the ACE checks the number of buffered bytes on a TCP
and UDP connection against the configured buffer setting before accepting new receive or transmit data.
By default, the maximum size of the receive or transmit buffer for each TCP or UDP connection is
32768 bytes. For large bandwidth and delay network connections, you may want to increase the default
buffer size to improve your network performance.
If you set the (config-parammap-http) set content-maxparse-length or (config-parammap-http) set
header-maxparse-length command in HTTP parameter-map configuration mode to a value that is
greater than 32 KB, you must configure the set tcp buffer-share command to a value that is greater than
their values. If you do not, even if you configure (config-parammap-http) length-exceed continue
command, the ACE may not completely parse a content string or a header packet that is greater than
32 KB. The reason is that the default value of the set tcp buffer-share command buffer size (32 KB)
will not accommodate the larger content string size.
Examples To specify a maximum receive buffer share size of 16384 bytes, enter:
host1/Admin(config-parammap-conn)# set tcp buffer-share 16384
number Maximum size of the receive or transmit buffer share in bytes for
each TCP and UDP connection. Enter an integer from 8192 to
262143. The default is 32768 bytes.
ACE Module Release Modification
3.0(0)A1(6.2a) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.2) This command now allows you to configure the buffer limit for UDP
connections. Previously, the buffer limit was configurable only for
TCP connections.
To reset the buffer limit to the default of 32768 bytes, enter:
host1/Admin(config-parammap-conn)# no set tcp buffer-share
Related Commands show parameter-map
(config-parammap-http) set content-maxparse-length
(config-parammap-http) set header-maxparse-length
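The constraint stated in the set tcp buffer-share Usage Guidelines (a buffer-share no larger than an HTTP maxparse length above 32 KB means a header or content string may never be fully parsed, even with length-exceed continue) is easy to miss in a long running-config. The following Python script is an added example written for this page, not a Cisco tool or ACE code: it parses parameter-map blocks out of running-config text in the indented form the ACE prints, flags HTTP maps whose maxparse length is not covered by a connection map's buffer-share (or by the 32768-byte default when no buffer-share is set), and also flags the value 0 (never time out) that this section documents for set tcp timeout embryonic and set timeout inactivity. parse_parameter_maps, audit_parameter_maps and SAMPLE_CONFIG are the example's own names, SAMPLE_CONFIG is constructed input, and the policy-map association that pairs an HTTP map with a connection map is not modelled, so every HTTP map is checked against every connection map.

```python
import re

DEFAULT_BUFFER_SHARE = 32768          # default of set tcp buffer-share, in bytes
PARSE_LIMIT = 32768                   # the "greater than 32 KB" threshold from the Usage Guidelines
MAXPARSE_COMMANDS = ("set header-maxparse-length", "set content-maxparse-length")


def parse_parameter_maps(config: str) -> dict:
    """Return {(type, name): {command: last_argument}} for every parameter-map block.

    Only the indented sub-commands of a block are collected. A 'description'
    line is skipped because its free text has no single trailing argument.
    """
    maps, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        m = re.match(r"^parameter-map type (\S+) (\S+)$", line)
        if m:
            current = (m.group(1), m.group(2))
            maps[current] = {}
            continue
        if current is not None and line[0].isspace():
            parts = line.split()
            if parts[0] == "description":
                continue
            key, val = (" ".join(parts[:-1]), parts[-1]) if len(parts) > 1 else (parts[0], "")
            maps[current][key] = val
        else:
            current = None                # any non-indented line ends the block
    return maps


def audit_parameter_maps(config: str) -> list:
    """Return human-readable findings for the constraints documented in this section."""
    maps = parse_parameter_maps(config)
    conn = {n: m for (t, n), m in maps.items() if t == "connection"}
    http = {n: m for (t, n), m in maps.items() if t == "http"}
    shares = {n: int(m.get("set tcp buffer-share", DEFAULT_BUFFER_SHARE)) for n, m in conn.items()}
    if not shares:                        # no connection map at all: the default buffer applies
        shares = {"<default>": DEFAULT_BUFFER_SHARE}
    findings = []
    # SIMPLIFICATION: every HTTP map is compared against every connection map, because the
    # policy-map association that pairs them is not parsed here.
    for hname, hmap in http.items():
        for cmd in MAXPARSE_COMMANDS:
            if cmd not in hmap:
                continue
            need = int(hmap[cmd])
            if need <= PARSE_LIMIT:
                continue
            for cname, share in shares.items():
                if share <= need:
                    findings.append(
                        f"http map {hname}: {cmd} {need} needs a buffer-share larger than {need}, "
                        f"but connection map {cname} has {share}; inspection of larger "
                        f"headers/bodies may be incomplete even with length-exceed continue")
    for cname, cmap in conn.items():
        if cmap.get("set tcp timeout embryonic") == "0":
            findings.append(f"connection map {cname}: embryonic timeout 0 means half-open "
                            f"connections are never timed out")
        if cmap.get("set timeout inactivity") == "0":
            findings.append(f"connection map {cname}: inactivity timeout 0 means idle "
                            f"connections are never timed out")
    return findings


# Constructed sample input, not a real running-config.
SAMPLE_CONFIG = """\
parameter-map type connection TCP_MAP
  description sub-commands are indented as in show running-config
  set tcp buffer-share 16384
  set tcp timeout embryonic 0
parameter-map type connection TCP_BIG
  set tcp buffer-share 131072
parameter-map type http HTTP_MAP
  set header-maxparse-length 65535
  length-exceed continue
"""

if __name__ == "__main__":
    for finding in audit_parameter_maps(SAMPLE_CONFIG):
        print(finding)
```

Run against SAMPLE_CONFIG the script reports two findings: HTTP_MAP's 65535-byte header limit is not covered by TCP_MAP's 16384-byte buffer-share (TCP_BIG, at 131072, is fine), and TCP_MAP never times out embryonic connections.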
(config-parammap-conn) set tcp mss
To set a range of values for the TCP maximum segment size (MSS), use the set tcp mss command. Use
the no form of this command to reset the minimum MSS to the default of 0 bytes and the maximum MSS
to the default of 1460.
set tcp mss min number1 max number2
no set tcp mss
Syntax Description
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
Usage Guidelines The MSS is the largest amount of TCP data that the ACE accepts in one segment. To prevent the
transmission of many smaller segments or very large segments that may require fragmentation, you can
set the minimum and maximum acceptable sizes of the MSS.
Both the host and the server can set the MSS when they first establish a connection. If either maximum
value exceeds the value that you set with the set tcp mss max command, then the ACE overrides the
maximum value and inserts the value that you set. If either maximum value is less than the value that
you set with the set tcp mss min command, then the ACE overrides the maximum value and inserts the
minimum value (the minimum value is actually the smallest maximum allowed). For example, if you set
a maximum value of 1200 bytes and a minimum value of 400 bytes, when a host requests a maximum
value of 1300 bytes, then the ACE alters the packet to request 1200 bytes (the maximum). If another host
requests a maximum value of 300 bytes, then the ACE alters the packet to request 400 bytes (the
minimum).
If the host or server does not request an MSS, the ACE assumes that the RFC 793 default value of
536 bytes is in effect.
min number1 Specifies the smallest segment size in bytes that the ACE will accept.
Enter an integer from 0 to 65535. The default is 0 bytes. If the ACE
receives a segment smaller than the configured minimum size, the
ACE discards the segment.
max number2 Specifies the largest segment size in bytes that the ACE will accept.
Enter an integer from 0 to 65535. The default is 1460 bytes. If the
ACE receives a segment larger than the configured maximum size,
the ACE discards the segment.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Examples To set the minimum acceptable MSS value to 768 bytes and the maximum acceptable MSS value to 1500,
enter:
host1/Admin(config-parammap-conn)# set tcp mss min 768 max 1500
To reset the minimum MSS to the default of 0 bytes and the maximum MSS to the default of 1460, enter:
host1/Admin(config-parammap-conn)# no set tcp mss
Related Commands (config-parammap-conn) exceed-mss
show parameter-map
(config-parammap-conn) set tcp reassembly-timeout
To stop reassembling TCP packets that have remained idle for the specified timeout period, use the set
tcp reassembly-timeout command. Use the no form of this command to reset the timeout to the default
value of 60 seconds.
set tcp reassembly-timeout seconds
no set tcp reassembly-timeout seconds
Syntax Description
seconds Time period in seconds after which the ACE stops reassembling TCP
packets. Enter an integer from 1 to 255. The default is 60 seconds.
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
ACE Module/Appliance
Release Modification
A4(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To set the TCP reassembly timeout to 5 minutes, enter:
host1/Admin(config-parammap-conn)# set tcp reassembly-timeout 300
To reset the TCP reassembly timeout to the default of 60 seconds, enter:
host1/Admin(config-parammap-conn)# no set tcp reassembly-timeout
Related Commands show parameter-map
(config-parammap-conn) set tcp syn-retry
To set the maximum number of attempts that the ACE can take to transmit a TCP segment, use the set
tcp syn-retry command. Use the no form of this command to reset the maximum number of
TCP SYN retries to the default of 4.
set tcp syn-retry number
no set tcp syn-retry
Syntax Description
number Number of SYN retries. Enter an integer from 1 to 15. The default
is 4.
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To set the maximum number of attempts that the ACE takes to transmit a TCP segment to 3, enter:
host1/Admin(config-parammap-conn)# set tcp syn-retry 3
To reset the maximum number of TCP SYN retries to the default of 4, enter:
host1/Admin(config-parammap-conn)# no set tcp syn-retry
Related Commands show parameter-map
(config-parammap-conn) set tcp timeout
To configure a timeout for TCP embryonic connections (connections that result from an incomplete
three-way handshake) and half-closed connections (connections where the client has sent a FIN and the
server has not responded), use the set tcp timeout command. Use the no form of this command to reset
TCP timeout values to their default settings.
set tcp timeout {embryonic seconds | half-closed seconds}
no set tcp timeout {embryonic | half-closed}
Syntax Description
embryonic Specifies the timeout for embryonic connections.
seconds Time in seconds after which the ACE times out an embryonic
connection. Enter an integer from 0 to 4294967295. The default is
5 seconds. A value of 0 specifies that the ACE never times out an
embryonic connection.
half-closed Specifies the timeout for half-closed connections.
seconds Time in seconds after which the ACE times out a half-closed
connection. Enter an integer from 0 to 4294967295. The default is
3600 seconds (1 hour). A value of 0 specifies that the ACE never times
out a half-closed TCP connection.
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The set tcp timeout embryonic command affects only Layer 4 flows and not Layer 7 flows.
Examples To set the TCP timeout for embryonic connections to 24 seconds, enter:
host1/Admin(config-parammap-conn)# set tcp timeout embryonic 24
To reset the TCP half-closed connection timeout to the default of 3600 seconds (1 hour), enter:
host1/Admin(config-parammap-conn)# no set tcp timeout half-closed
Related Commands show parameter-map
(config-parammap-conn) set tcp wan-optimization
To control how the ACE applies TCP optimizations to packets on a connection associated with a Layer
7 policy map using a round-trip time (RTT) value, use the set tcp wan-optimization command. Use the
no form of this command to restore ACE behavior to the default of not optimizing TCP connections.
set tcp wan-optimization rtt number
no set tcp wan-optimization rtt number
Syntax Description
number RTT value. Enter an integer from 0 to 65535. The default is 65535.
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(3) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command allows you to control how the ACE applies TCP optimizations to packets on a connection
associated with a Layer 7 policy map using the following RTT values:
• For a value of 0, the ACE applies TCP optimizations to packets for the life of a connection.
• For a value of 65535 (the default), the ACE performs normal operations (no optimizations) for the
life of a connection.
• For values from 1 to 65534, the ACE applies TCP optimizations to packets based on the client RTT
to the ACE as follows:
– If the actual client RTT is less than the configured RTT, the ACE performs normal operations
for the life of the connection.
– If the actual client RTT is greater than or equal to the configured RTT, the ACE performs TCP
optimizations on the packets for the life of a connection.
TCP optimizations include the following connection parameter-map configuration mode operations:
• Nagle optimization algorithm
• Slow-start connection behavior
• Acknowledgement (ACK) delay timer
• Window-scale factor
• Retry settings
Examples To set the RTT to 0 to apply TCP optimizations to packets for the life of a connection, enter:
host1/C1(config-parammap-conn)# set tcp wan-optimization rtt 0
To restore the ACE behavior to the default of not optimizing TCP connections, enter:
host1/C1(config-parammap-conn)# no set tcp wan-optimization rtt
Related Commands show parameter-map
(config-parammap-conn) set tcp window-scale
To configure a TCP window-scale factor for network paths with high-bandwidth, long-delay
characteristics, use the set tcp window-scale command. Use the no form of this command to reset the
window-scale factor to its default setting.
set tcp window-scale number
no set tcp window-scale
Syntax Description
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
Usage Guidelines The TCP window scaling feature adds support for the Window Scaling option in RFC 1323. We
recommend increasing the window size to improve TCP performance in network paths with large
bandwidth, long-delay characteristics. This type of network is called a long fat network (LFN).
The window scaling extension expands the definition of the TCP window to 32 bits and then uses a scale
factor to carry this 32-bit value in the 16-bit window field of the TCP header. You can increase the
window size to a maximum scale factor of 14. Typical applications use a scale factor of 3 when deployed
in LFNs.
Examples To set the TCP window-scale factor to 3, enter:
host1/Admin(config-parammap-conn)# set tcp window-scale 3
To reset the TCP window-scale factor to the default of 0, enter:
host1/Admin(config-parammap-conn)# no set tcp window-scale
Related Commands show parameter-map
number Window-scale factor. Enter an integer from 0 to 14. The default is 0.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-parammap-conn) set timeout inactivity
To configure the connection inactivity timer, use the set timeout inactivity command. Use the no form
of this command to reset the timeout inactivity values to the default ICMP, TCP, and UDP settings.
set timeout inactivity seconds
no set timeout inactivity
Syntax Description
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
Usage Guidelines The ACE uses the connection inactivity timer to disconnect established ICMP, TCP, and UDP
connections that have remained idle for the duration of the specified timeout period.
The ACE rounds up the configured timeout value to the nearest 30-second interval.
Examples To specify that the ACE disconnect idle established TCP connections after 2400 seconds, enter:
host1/Admin(config-parammap-conn)# set timeout inactivity 2400
To reset the ICMP, TCP, and UDP inactivity timeout to the default values, enter:
host1/Admin(config-parammap-conn)# no set timeout inactivity
inactivity Specifies the timeout for idle established ICMP, TCP, and UDP connections.
seconds Time period after which the ACE disconnects idle established
connections.
• For the ACE module, enter an integer from 0 to 1608601.
• For the ACE appliance, enter an integer from 0 to 1638050.
A value of 0 specifies that the ACE never times out a connection.
Default settings are as follows:
• ICMP—2 seconds
• TCP—3600 seconds (1 hour)
• HTTP/SSL—300 seconds
• UDP—120 seconds (2 minutes)
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Related Commands show parameter-map
(config-parammap-conn) slowstart
To enable the slow start algorithm, use the slowstart command. This feature is disabled by default. Use
the no form of this command to disable the slow start algorithm after it has been enabled.
slowstart
no slowstart
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
Usage Guidelines The slow start algorithm is a congestion avoidance method in which TCP increases its window size as
ACK handshakes arrive. It operates by observing that the rate at which new segments should be injected
into the network is the rate at which the acknowledgments are returned by the host at the other end of
the connection. For further details about the TCP slow start algorithm, see RFCs 2581 and 3782.
Examples To enable the slow start algorithm, enter:
host1/Admin(config-parammap-conn)# slowstart
To disable the slow start algorithm, enter:
host1/Admin(config-parammap-conn)# no slowstart
Related Commands show parameter-map
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-parammap-conn) syn-data
To set the ACE to discard SYN segments with data, use the syn-data command. Use the no form of this
command to reset the ACE to its default of allowing SYN segments that contain data.
syn-data {allow | drop}
no syn-data
Syntax Description
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
Usage Guidelines Occasionally, the ACE may receive a SYN segment that contains data. You can configure the ACE to
either discard the segment or flag the segment for data processing.
Examples To instruct the ACE to discard segments that contain data, enter:
host1/Admin(config-parammap-conn)# syn-data drop
To reset the ACE to its default of allowing SYN segments that contain data, enter:
host1/Admin(config-parammap-conn)# no syn-data
Related Commands show parameter-map
allow Permits the SYN segments that contain data and flags them for data
processing. This is the default.
drop Discards the SYN segments that contain data.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-parammap-conn) tcp-options
To specify a range of TCP options not explicitly supported by the ACE, or allow or clear explicitly
supported TCP options specified in a SYN segment, use the tcp-options command. Use the no form of
this command to remove a TCP option range from the configuration or reset the ACE to its default of
clearing the specific TCP options.
tcp-options {range number1 number2 {allow | clear | drop}} | {selective-ack | timestamp |
window-scale {allow | clear | drop}}
no tcp-options {range number1 number2 {allow | clear | drop}} | {selective-ack | timestamp |
window-scale {allow | clear | drop}}
Syntax Description
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
range number1 number2 Specifies the TCP options not explicitly supported by the ACE using
a range of option numbers. The arguments are as follows:
• number1—Specifies the lower limit of the TCP option range.
Enter either 6 or 7 or an integer from 9 to 255. See the “Usage
Guidelines” section for the available TCP options.
• number2—Specifies the upper limit of the TCP option range.
Enter 6 or 7 or an integer from 9 to 255. See the “Usage
Guidelines” section for the available TCP options.
allow Allows any segment with the specified option set.
drop Causes the ACE to discard any segment with the specified option set.
selective-ack Allows the ACE to inform the sender about all segments that it
received. The sender needs to retransmit the lost segments, rather
than wait for a cumulative acknowledgement or retransmit segments
unnecessarily. Selective ACK (SACK) can reduce the number of
retransmitted segments and increase throughput under some
circumstances.
timestamp Measures the round-trip time (RTT) of a TCP segment between two
nodes on a network. Time stamps are always sent and echoed in both
directions.
window-scale Allows the ACE to use a window-scale factor that increases the size
of the TCP send and receive buffers. The sender specifies a
window-scale factor in a SYN segment that determines the send and
receive window size for the duration of the connection.
clear Clears the specified option from any segment that has it set and
allows the segment. This is the default action on the explicitly
supported options.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Using the tcp-options command, the ACE permits you to allow or clear the following explicitly
supported TCP options specified in a SYN segment:
• Selective Acknowledgement (SACK)
• Time stamp
• Window Scale
You can specify this command multiple times to configure different options and actions. If you specify
the same option with different actions, the ACE uses the order of precedence to decide which action to
use.
The order of precedence for the actions in this command is as follows:
1. Drop
2. Clear
3. Allow
Table 1-17 lists the TCP options not explicitly supported by the ACE.
Table 1-17 Unsupported TCP Options
Kind  Length  Meaning                                        Reference
6     6       Echo (obsoleted by option 8)                   RFC 1072
7     6       Echo Reply (obsoleted by option 8)             RFC 1072
9     2       Partial Order Connection Permitted             RFC 1693
10    3       Partial Order Service Profile                  RFC 1693
11            CC                                             RFC 1644
12            CC.NEW                                         RFC 1644
13            CC.ECHO                                        RFC 1644
14    3       TCP Alternate Checksum Request                 RFC 1146
15    N       TCP Alternate Checksum Data                    RFC 1146
16            Skeeter                                        [Knowles]
17            Bubba                                          [Knowles]
18    3       Trailer Checksum Option                        [Subbu & Monroe]
19    18      MD5 Signature Option                           RFC 2385
20            SCPS Capabilities                              [Scott]
21            Selective Negative Acknowledgements (SNACK)    [Scott]
22            Record Boundaries                              [Scott]
23            Corruption experienced                         [Scott]
24            SNAP                                           [Sukonnik]
25            Unassigned (released 12/18/00)
26            TCP Compression Filter                         [Bellovin]
Table 1-18 lists the TCP options explicitly supported by the ACE.
Table 1-18 Supported TCP Options
Kind  Length  Meaning                                        Reference
0     -       End of Option List                             RFC 793
1     -       No Operation                                   RFC 793
3     3       WSOPT—Window Scale                             RFC 1323
4     2       Selective Acknowledgement (SACK) Permitted     RFC 2018
5     N       SACK                                           RFC 2018
8     10      Time Stamp Option (TSOPT)                      RFC 1323
Examples To allow the segment with the SACK option set, enter:
host1/Admin(config-parammap-conn)# tcp-options selective-ack allow
To reset the behavior of the ACE to the default of clearing the SACK option and allowing the segment,
enter:
host1/Admin(config-parammap-conn)# no tcp-options selective-ack allow
You can specify a range of options for each action. If you specify overlapping option ranges with
different actions, the ACE uses the order of precedence described in the “Usage Guidelines” section to
decide which action to perform for the specified options.
For example, to specify a range of options for each action, enter:
host1/Admin(config-parammap-conn)# tcp-options range 6 7 allow
host1/Admin(config-parammap-conn)# tcp-options range 9 18 clear
host1/Admin(config-parammap-conn)# tcp-options range 19 26 drop
To remove the TCP option ranges from the configuration, enter:
host1/Admin(config-parammap-conn)# no tcp-options range 6 7 allow
host1/Admin(config-parammap-conn)# no tcp-options range 9 18 clear
host1/Admin(config-parammap-conn)# no tcp-options range 19 26 drop
Related Commands show parameter-map
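The set tcp mss Usage Guidelines and the tcp-options precedence rules above both describe how the ACE rewrites the option list of a SYN: the requested MSS is clamped between min and max (with the RFC 793 value of 536 bytes assumed when no MSS option is present), and each other option is dropped, cleared or allowed, with Drop taking precedence over Clear and Clear over Allow when named options and configured ranges overlap. The following Python model is an added example written for this page, not ACE or Cisco code; SynPolicy, parse_options, action_for and normalize_syn_options are its own names. Two behaviours the page does not specify are marked ASSUMPTION in the code (an unlisted kind with no configured range passes through; a malformed option list is dropped), and a cleared option is overwritten with NOP bytes so the data offset in the header stays valid without recomputing it.

```python
import struct
from dataclasses import dataclass, field

# Option kinds: RFC 793 structural/MSS options plus the explicitly supported kinds of Table 1-18.
EOL, NOP, MSS, WSOPT, SACK_PERMITTED, SACK, TSOPT = 0, 1, 2, 3, 4, 5, 8
NAMED = {"window-scale": {WSOPT}, "selective-ack": {SACK_PERMITTED, SACK}, "timestamp": {TSOPT}}
PRECEDENCE = ("drop", "clear", "allow")      # order of precedence from the Usage Guidelines


@dataclass
class SynPolicy:
    mss_min: int = 0                              # set tcp mss min (default 0)
    mss_max: int = 1460                           # set tcp mss max (default 1460)
    named: dict = field(default_factory=dict)     # {"selective-ack": "allow", ...}; unset means "clear"
    ranges: list = field(default_factory=list)    # [(lo, hi, action), ...] from tcp-options range


def parse_options(opts: bytes) -> list:
    """Return [(offset, kind, length, value)] or raise ValueError on a malformed list."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind in (EOL, NOP):                     # single-byte options
            out.append((i, kind, 1, b""))
            if kind == EOL:
                break
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((i, kind, length, opts[i + 2:i + length]))
        i += length
    return out


def action_for(kind: int, policy: SynPolicy) -> str:
    """Resolve the tcp-options action for one kind, honouring drop > clear > allow."""
    if kind in (EOL, NOP, MSS):
        return "allow"                             # structure and MSS are not tcp-options targets
    hits = set()
    for name, kinds in NAMED.items():
        if kind in kinds:
            hits.add(policy.named.get(name, "clear"))   # explicitly supported kinds default to clear
    for lo, hi, act in policy.ranges:
        if lo <= kind <= hi:
            hits.add(act)
    if not hits:
        return "allow"   # ASSUMPTION: an unlisted kind with no configured range passes through
    return next(act for act in PRECEDENCE if act in hits)


def normalize_syn_options(opts: bytes, policy: SynPolicy):
    """Return (rewritten option bytes, effective MSS), or (None, None) if the SYN is dropped."""
    try:
        parsed = parse_options(opts)
    except ValueError:
        return None, None                          # ASSUMPTION: malformed option lists are dropped
    out = bytearray(opts)
    effective_mss = 536                            # RFC 793 default assumed when no MSS option is present
    for off, kind, length, value in parsed:
        if kind == MSS and length == 4:
            requested = struct.unpack("!H", value)[0]
            effective_mss = min(max(requested, policy.mss_min), policy.mss_max)
            out[off + 2:off + 4] = struct.pack("!H", effective_mss)   # rewrite the MSS in place
            continue
        act = action_for(kind, policy)
        if act == "drop":
            return None, None
        if act == "clear":
            out[off:off + length] = bytes([NOP]) * length   # NOP-fill keeps the data offset valid
    return bytes(out), effective_mss
```

With the page's own example values (min 400, max 1200) a SYN requesting 1300 is rewritten to 1200 and one requesting 300 to 400; with `tcp-options range 19 26 drop` a SYN carrying the MD5 Signature Option (kind 19) is dropped outright, and with window-scale left at its default the WSOPT bytes are replaced by NOPs while a SACK-Permitted option that was explicitly allowed is left alone.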
(config-parammap-conn) urgent-flag
To set the Urgent Pointer policy, use the urgent-flag command. Use the no form of this command to
return to the default setting of allowing the Urgent flag.
urgent-flag {allow | clear}
no urgent-flag
Syntax Description
Command Modes Parameter map connection configuration mode
Admin and user contexts
Command History
Usage Guidelines If the Urgent control bit (flag) is set in the TCP header, it indicates that the Urgent Pointer is valid. The
Urgent Pointer contains an offset that indicates the location of the segment that follows the urgent data
in the payload. Urgent data is data that should be processed as soon as possible, even before normal data
is processed. The ACE permits you to allow or clear the Urgent flag. If you clear the Urgent flag, you
invalidate the Urgent Pointer.
The ACE clears the Urgent flag for any traffic above Layer 4. If you have enabled server connection
reuse (see the Security Guide, Cisco ACE Application Control Engine), the ACE does not pass the Urgent
flag value to the server.
Examples To clear the Urgent flag, enter:
host1/Admin(config-parammap-conn)# urgent-flag clear
To reset the ACE to its default of allowing the Urgent flag, enter:
host1/Admin(config-parammap-conn)# no urgent-flag
Related Commands show parameter-map
allow Permits the status of the Urgent flag. This is the default. If the Urgent
flag is set, the offset in the Urgent Pointer that indicates the location
of the urgent data is valid. If the Urgent flag is not set, the offset in
the Urgent Pointer is invalid.
clear Sets the Urgent flag to 0, which invalidates the offset in the Urgent
Pointer.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
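The reserved-bits, syn-data and urgent-flag commands in this section each decide, per segment, whether the ACE allows, rewrites or drops a TCP header. The following Python model of those three decisions is an added example written for this page, not ACE or Cisco code: HeaderPolicy, build_segment and normalize_header are its own names, build_segment produces constructed test data, and the TCP checksum is not recomputed (that needs the IP pseudo-header, which the example does not model). Zeroing the Urgent Pointer when the flag is cleared is the example's choice; the page only says that clearing the flag invalidates the pointer. One caveat a practitioner should know: RFC 3168 later assigned the top two of the six RFC 793 reserved bits to ECN (CWR and ECE), so the default clear action also strips ECN negotiation from clients that use it.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Byte 12 of the TCP header: high nibble = data offset, low nibble = reserved.
# Byte 13: top two bits = reserved (RFC 793 numbering), then URG ACK PSH RST SYN FIN.
RESERVED_B12 = 0x0F
RESERVED_B13 = 0xC0
URG, SYN = 0x20, 0x02


@dataclass
class HeaderPolicy:
    """Mirrors the three connection parameter-map commands, with the page's defaults."""
    reserved_bits: str = "clear"   # reserved-bits {allow | clear | drop}
    syn_data: str = "allow"        # syn-data {allow | drop}
    urgent_flag: str = "allow"     # urgent-flag {allow | clear}


def build_segment(flags: int, reserved12: int = 0, reserved13: int = 0,
                  urg_ptr: int = 0, payload: bytes = b"") -> bytes:
    """Constructed test segment: no options, data offset 5, checksum left at 0."""
    b12 = (5 << 4) | (reserved12 & RESERVED_B12)
    b13 = ((reserved13 & 0x03) << 6) | (flags & 0x3F)
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, b12, b13, 65535, 0, urg_ptr) + payload


def normalize_header(segment: bytes, policy: HeaderPolicy) -> Optional[bytes]:
    """Apply reserved-bits, syn-data and urgent-flag policy, in that order.

    Returns the (possibly rewritten) segment, or None if the policy drops it.
    The checksum at bytes 16-17 is NOT recomputed by this example.
    """
    if len(segment) < 20:
        return None                                   # truncated header: nothing sane to do
    hdr = bytearray(segment[:20])
    data_offset = (hdr[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return None                                   # data offset points outside the segment
    options, payload = segment[20:data_offset], segment[data_offset:]

    if (hdr[12] & RESERVED_B12) or (hdr[13] & RESERVED_B13):
        if policy.reserved_bits == "drop":
            return None
        if policy.reserved_bits == "clear":           # default: zero the bits, keep the segment
            hdr[12] &= ~RESERVED_B12 & 0xFF
            hdr[13] &= ~RESERVED_B13 & 0xFF

    if (hdr[13] & SYN) and payload and policy.syn_data == "drop":
        return None                                   # SYN carrying data

    if policy.urgent_flag == "clear" and (hdr[13] & URG):
        hdr[13] &= ~URG & 0xFF                        # clearing URG invalidates the Urgent Pointer ...
        hdr[18:20] = b"\x00\x00"                      # ... so this example zeroes the pointer as well

    return bytes(hdr) + options + payload
```

Under the default policy a segment with reserved bits set comes back with those bits zeroed and is otherwise untouched; with reserved-bits drop or syn-data drop the function returns None, which is the model's way of saying the segment never reaches the server.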
Parameter Map DNS Configuration Mode Commands
Parameter map DNS configuration mode commands allow you to define a DNS-type parameter map. After
you create the DNS parameter map, you can configure a query timeout for the map. To create the DNS
parameter map and access parameter map DNS configuration mode, use the parameter-map type dns
command in configuration mode. The prompt changes to (config-parammap-dns). Use the no form of
this command to remove the parameter map from the configuration.
parameter-map type dns name
no parameter-map type dns name
Syntax Description
Command Modes Configuration mode
Admin and user contexts
Command History
Usage Guidelines The commands in this mode require the connection feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
After you create and configure a parameter map, you must associate the parameter map with a policy
map to activate it. For details, see the (config-pmap-c) appl-parameter dns advanced-options
command in the “Policy Map Configuration Mode Commands” section.
Examples To create a DNS-type parameter map called TCP_MAP, enter:
host1/Admin(config)# parameter-map type dns TCP_MAP
host1/Admin(config-parammap-dns)#
To delete the DNS-type parameter map, enter:
host1/Admin(config)# no parameter-map type dns TCP_MAP
Related Commands (config) parameter-map type
(config-pmap-c) appl-parameter dns advanced-options
show parameter-map
name Name assigned to the parameter map. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
(config-parammap-dns) description
To add a description for the parameter map, use the description command. Use the no form of this
command to remove the description from the parameter map.
description text_string
no description
Syntax Description
Command Modes Parameter map DNS configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the parameter map, enter:
host1/Admin(config)# parameter-map type dns TCP_MAP
host1/Admin(config-parammap-dns)# description DNS-TYPE PARAMETER MAP
To remove the description from the parameter map, enter:
host1/Admin(config-parammap-dns)# no description
Related Commands show parameter-map
text_string Description for the parameter map. Enter an unquoted text string with a maximum of
240 alphanumeric characters.
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A3(2.3) This command was introduced.
(config-parammap-dns) timeout query
To configure the ACE to time out DNS queries that have no matching server response, use the timeout
query command. Use the no form of this command to reset the ACE behavior to the default of timing
out DNS queries when the underlying UDP connection times out.
timeout query {number}
no timeout query {number}
Syntax Description
number Specifies the length of time in seconds that the ACE keeps the query
entries without answers in the hash table before timing them out.
Enter an integer from 2 to 120 seconds. The default is 10 seconds.
Command Modes Parameter map DNS configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure the ACE to time out DNS query entries with no corresponding server responses after 20
seconds, enter:
host1/Admin(config-parammap-dns)# timeout query 20
To reset the ACE behavior to the default of timing out DNS queries without server responses when the
underlying UDP connection times out, enter:
host1/Admin(config-parammap-dns)# no timeout query 20
Related Commands show parameter-map
Parameter Map Generic Configuration Mode Commands
Parameter map generic configuration mode commands allow you to define a generic-type parameter map.
After you create the generic parameter map, you can configure related parameters for the map. To create
the generic parameter map and access parameter map generic configuration mode, use the
parameter-map type generic command in configuration mode. The prompt changes to
(config-parammap-generic). Use the no form of this command to remove the parameter map from the
configuration.
parameter-map type generic name
no parameter-map type generic name
Syntax Description
name Name assigned to the parameter map. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The commands in this mode require the connection feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
After you create and configure a parameter map, you must associate the parameter map with a policy
map to activate it. For details, see the (config-pmap-c) appl-parameter generic advanced-options
command in the “Policy Map Configuration Mode Commands” section.
Examples To create a generic parameter map called TCP_MAP, enter:
host1/Admin(config)# parameter-map type generic TCP_MAP
host1/Admin(config-parammap-generi)#
To delete the generic parameter map, enter:
host1/Admin(config)# no parameter-map type generic TCP_MAP
Related Commands (config) parameter-map type
(config-pmap-c) appl-parameter generic advanced-options
show parameter-map
(config-parammap-generi) case-insensitive
To enable case-insensitive matching for generic matching only, use the case-insensitive command. With
case-insensitive matching enabled, uppercase and lowercase letters are considered the same. By default,
the ACE CLI is case sensitive. Use the no form of this command to reset the ACE to its default of
case-sensitive generic matching.
case-insensitive
no case-insensitive
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map generic configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines When enabled, case insensitivity applies to generic protocol regular expression matches.
Examples To enable case-insensitive matching, enter:
host1/Admin(config-parammap-generi)# case-insensitive
To reenable case-sensitive matching, enter:
host1/Admin(config-parammap-generi)# no case-insensitive
Related Commands show parameter-map
(config-parammap-generi) description
To add a description for the parameter map, use the description command. Use the no form of this
command to remove the description from the parameter map.
description text_string
no description
Syntax Description
text_string Description for the parameter map. Enter an unquoted text string with a maximum of
240 alphanumeric characters.
Command Modes Parameter map generic configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A3(2.3) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the parameter map, enter:
host1/Admin(config)# parameter-map type generic TCP_MAP
host1/Admin(config-parammap-generi)# description GENERIC-TYPE PARAMETER MAP
To remove the description from the parameter map, enter:
host1/Admin(config-parammap-generi)# no description
Related Commands show parameter-map
(config-parammap-generi) set max-parse-length
You can set the maximum number of bytes to parse for generic protocols by using the set
max-parse-length command in generic parameter-map configuration mode. The syntax of this
command is as follows:
set max-parse-length bytes
no set max-parse-length bytes
Syntax Description
bytes Maximum number of bytes to parse. Enter an integer from 1 to
65535. The default is 2048 bytes.
Command Modes Parameter map generic configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To set the maximum parse length for generic protocols, enter the following command:
host1/Admin(config-parammap-generi)# set max-parse-length 8192
To reset the maximum parse length for generic protocols to the default value of 2048, enter the following
command:
host1/Admin(config-parammap-generi)# no set max-parse-length
Related Commands show parameter-map
Parameter Map HTTP Configuration Mode Commands
Parameter map HTTP configuration mode commands allow you to specify an HTTP-type parameter map
and define its settings. To create an HTTP-type parameter map and access parameter map HTTP
configuration mode, use the parameter-map type http command in configuration mode. The prompt
changes to (config-parammap-http). Use the no form of this command to remove an HTTP-type
parameter map from the configuration.
parameter-map type http name
no parameter-map type http name
Syntax Description
name Name assigned to the parameter map. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the connection feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
After you create and configure a parameter map, you must associate the parameter map with a policy
map to activate it. For details, see the (config-pmap-c) appl-parameter http advanced-options
command in the “Policy Map Configuration Mode Commands” section.
Examples To create an HTTP-type parameter map called HTTP_MAP, enter:
host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)#
To delete the HTTP-type parameter map, enter:
host1/Admin(config)# no parameter-map type http HTTP_MAP
Related Commands (config) parameter-map type
(config-pmap-c) appl-parameter http advanced-options
show parameter-map
(config-parammap-http) case-insensitive
To enable case-insensitive matching for HTTP matching only, use the case-insensitive command. With
case-insensitive matching enabled, uppercase and lowercase letters are considered the same. By default,
the ACE CLI is case sensitive. Use the no form of this command to reset the ACE to its default of
case-sensitive HTTP matching.
case-insensitive
no case-insensitive
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When enabled, case insensitivity applies to the following:
• HTTP header names and values
• HTTP cookie names and values
• URL strings
• HTTP deep inspection
Examples To enable case-insensitive matching, enter:
host1/Admin(config-parammap-http)# case-insensitive
To reenable case-sensitive matching, enter:
host1/Admin(config-parammap-http)# no case-insensitive
Related Commands show parameter-map
(config-parammap-http) cookie-error-ignore
(ACE appliance only) This command has been deprecated in software version A4(1.1) and later. See the
parsing non-strict command.
To configure the ACE to ignore malformed cookies in a request and continue parsing the remaining
cookies, use the cookie-error-ignore command. By default, when the ACE finds a malformed cookie in
a flow, it stops parsing the remaining packets. Use the no form of this command to reset the default
behavior.
cookie-error-ignore
no cookie-error-ignore
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A3(2.7) This command was introduced. Not applicable for A4(1.0) or A4(2.0).
Usage Guidelines This command has no usage guidelines.
Examples To configure the ACE to ignore malformed cookies in a request and continue parsing the remaining
cookies, enter:
host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)# cookie-error-ignore
To reset the default behavior, enter the following:
host1/Admin(config-parammap-http)# no cookie-error-ignore
Related Commands show parameter-map
(config-parammap-http) description
To add a description for the parameter map, use the description command. Use the no form of this
command to remove the description from the parameter map.
description text_string
no description
Syntax Description
text_string Description for the parameter map. Enter an unquoted text string with a maximum of
240 alphanumeric characters.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A3(2.3) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the parameter map, enter:
host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)# description HTTP-TYPE PARAMETER MAP
To remove the description from the parameter map, enter:
host1/Admin(config-parammap-http)# no description
Related Commands show parameter-map
(config-parammap-http) compress
To define the parameters that the ACE uses when compressing HTTP traffic, use the compress
command. Use the no form of this command to remove the HTTP compression.
compress {mimetype type/subtype | minimum-size size | user-agent string}
no compress {mimetype type/subtype | minimum-size size | user-agent string}
Syntax Description
mimetype type/subtype Specifies the Multipurpose Internet Mail Extension (MIME) type to
compress. The default is text/.* which includes all text MIME types,
such as text/html, text/plain, and so on.
minimum-size size Specifies the threshold at which compression occurs. The ACE
compresses files that are the specified minimum size or larger. The
default is 512 bytes.
user-agent string Specifies the text string in the request to match. The ACE does not
compress the response to a request when the request contains the
specified user agent string. The default is none.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.6) Additional error messages were added when removing a MIME type.
Usage Guidelines When you attempt to remove a default Multipurpose Internet Mail Extension (MIME) type and no other
MIME type is configured, the following error message is displayed:
Error: At least one user mimetype needs to be
configured before removing the default mimetype
When you remove the only configured MIME type and the default MIME type was previously removed,
the default MIME type is restored and the following information message is displayed:
The only user mimetype available is deleted so the
default mimetype is configured
Examples To specify compression of all image MIME types, enter:
host1/Admin(config-parammap-http)# compress mimetype image/.*
To specify the user agent string .*Konqueror.*, enter:
host1/Admin(config-parammap-http)# compress user-agent .*Konqueror.*
Related Commands (config-pmap-lb-c) compress
(config-parammap-http) header modify per-request
To instruct the ACE to modify headers (insert, delete, or rewrite) on every HTTP request or response
without the additional effect of performing load balancing on each new HTTP request caused by the
persistence-rebalance command, use the header modify per-request command. Use the no form of
this command to reset the ACE to its default of modifying headers only on the first HTTP request or
response.
header modify per-request
no header modify per-request
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(2.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has an effect only when persistence-rebalance is disabled. The header modify
per-request command also causes the ACE to perform URL location header rewrite on every HTTP
response if the ssl url rewrite location command is enabled. For more information about SSL URL
rewrite, see the SSL Guide, Cisco ACE Application Control Engine.
Examples To instruct the ACE to perform header modification on every HTTP request or response, enter the
following command:
host1/Admin(config-parammap-http)# header modify per-request
To return the ACE behavior to the default of modifying headers only on the first HTTP request or
response, enter the following command:
host1/Admin(config-parammap-http)# no header modify per-request
Related Commands show parameter-map
(config) action-list type modify http
(config-actlist-modify) header delete
(config-actlist-modify) header insert
(config-actlist-modify) header rewrite
(config-actlist-modify) ssl url rewrite location
(config-parammap-http) persistence-rebalance
(config-pmap-lb-c) insert-http
(config-pmap-lb-m) insert-http
(config-parammap-http) length-exceed
To configure how the ACE handles URLs or cookies that exceed the maximum parse length, use the
length-exceed command. Use the no form of this command to reset the ACE to its default of stopping load
balancing and discarding a packet when its URL or cookie exceeds the maximum parse length.
length-exceed {continue | drop}
no length-exceed
Syntax Description
continue Specifies that the ACE continue load balancing when the maximum
parse length is exceeded.
drop Specifies that the ACE stop load balancing when the maximum parse
length is exceeded. This is the default.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you specify the continue keyword, the (config-parammap-http) persistence-rebalance
command is disabled if the total length of all cookies, HTTP headers, and URLs exceeds the maximum
parse-length value.
Examples To continue load balancing when the maximum parse length is exceeded, enter:
host1/Admin(config-parammap-http)# length-exceed continue
To reset the ACE to its default of stopping load balancing and discarding a packet when its URL or
cookie exceeds the maximum parse length, enter:
host1/Admin(config-parammap-http)# no length-exceed
Related Commands show parameter-map
(config-parammap-http) persistence-rebalance
(config-parammap-http) parsing non-strict
To configure the ACE to ignore malformed cookies in a request and continue parsing the remaining
cookies, use the parsing non-strict command. By default, when the ACE finds a malformed cookie in
a flow, it stops parsing the remaining packets. Use the no form of this command to reset the default
behavior.
parsing non-strict
no parsing non-strict
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A4(1.1) This command was introduced.
Usage Guidelines In software version A4(1.1) and later, the cookie-error-ignore command is deprecated. If you are
upgrading from version A2(3.3) and have the cookie-error-ignore command in your configuration, you
will receive a command exec error during the upgrade process. In a redundant configuration, the standby
ACE will remain in the WARM_COMPATIBLE state until you manually change the command
configuration to the new syntax that is described in this section. The functionality of this command has not
changed; only the command name has changed.
Examples To configure the ACE to ignore malformed cookies in a request and continue parsing the remaining
cookies, enter:
host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)# parsing non-strict
To reset the default behavior, enter the following:
host1/Admin(config-parammap-http)# no parsing non-strict
Related Commands show parameter-map
(config-parammap-http) persistence-rebalance
To enable the ACE to check each GET request on a TCP connection and to load balance the request only
if it matches a load-balancing class map that is different from the load-balancing class map matched by
the previous request, use the persistence-rebalance command. By default, HTTP persistence is
disabled. Use the no form of this command to reset persistence to the default setting of disabled.
persistence-rebalance [strict]
no persistence-rebalance
Syntax Description
strict Allows you to configure the ACE to load balance each subsequent
GET request on the same TCP connection independently. This option
allows the ACE to load balance each HTTP request to a potentially
different Layer 7 class and/or real server. The persistence-rebalance
command without this option does not load balance successive GET
requests on the same TCP connection unless it matches a
load-balancing class map that is different from the load-balancing
class map matched by the previous request.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
3.0(0)A1(6.2a) This command’s behavior was modified.
A2(2.1) This command was revised to include the strict option.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.3) This command was revised to include the strict option.
Usage Guidelines With persistence rebalance enabled, when successive GET requests result in load balancing that chooses
the same class in the same policy, the ACE sends the requests to the real server that was used for the last
GET request. This behavior prevents the ACE from load balancing every request and recreating the
server-side connection on every GET request, producing less overhead and better performance. If a
request matches a different policy, then the ACE rebalances the server-side connection.
When persistence rebalance is disabled, the ACE load balances the first GET request on a new
connection to a real server. The ACE sends successive requests on that same connection to the same
server that serviced the first request because the ACE does not parse the Layer 7 information that is
present in the request. In this case, load balancing is not involved after the initial load-balancing decision
is made.
Another effect of persistence rebalance is that header insertion and cookie insertion, if enabled, occur
for every request instead of only the first request.
If a real server is enabled with the NTLM Microsoft authentication protocol, we recommend that you
leave persistence rebalance disabled. NTLM is a security measure that is used to perform authentication
with Microsoft remote access protocols. When a real server is enabled with NTLM, every connection to
the real server must be authenticated; typically, each client user will see a pop-up window prompting for
a username and password. Once the connection is authenticated, all subsequent requests on the same
connection will not be challenged. However, when the server load balancing function is enabled and
configured with persistence rebalance, a subsequent request may point to a different real server causing
a new authentication handshake.
The persistence-rebalance command is not compatible with generic protocol parsing.
By default, persistence rebalance is enabled when you configure an HTTP parameter map. In the absence
of an HTTP parameter map in the configuration, persistence rebalance will also be enabled by default
when you configure a Layer 7 SLB policy map of type http or generic, associate it with a Layer 4
multi-match policy map, and any one of the following conditions exist:
• The class map in the SLB policy is not class-default
Note If you specify the default class map in the SLB policy map of type http or generic and no
other Layer 7 features are configured, that policy becomes a Layer 4 policy and, in that case,
persistence rebalance is disabled by default.
• Any type of stickiness is configured except IP netmask stickiness
• The predictor is not based on the IP address
• You configure an action list, compression, HTTP header insertion, or an SSL proxy service
Note If you configure SSL termination on the ACE with no other Layer 7 features (for example, compression,
Layer 7 predictors, HTTP header insertion, and so on), persistence rebalance is disabled by default.
Examples To enable persistence rebalance, enter:
host1/Admin(config-parammap-http)# persistence-rebalance
To enable the persistence rebalance strict feature, enter:
host1/Admin(config-parammap-http)# persistence-rebalance strict
To reset persistence rebalance to the default setting of disabled, enter:
host1/Admin(config-parammap-http)# no persistence-rebalance
Related Commands show parameter-map
(config-pmap-lb-c) insert-http
(config-sticky-cookie) cookie insert
(config-parammap-http) server-conn reuse
To configure TCP server reuse, use the server-conn reuse command. TCP server reuse allows the ACE
to reduce the number of open connections on a server by allowing connections to persist and be reused
by multiple client connections. Use the no form of this command to disable TCP server reuse.
server-conn reuse
no server-conn reuse
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The ACE maintains a pool of TCP connections that can be reused if the client connection and the server
connection share the same TCP options. For information about how the ACE handles TCP options, see
the Security Guide, Cisco ACE Application Control Engine. For proper operation of this feature, follow
these TCP server reuse configuration recommendations and restrictions:
• Ensure that the ACE maximum segment size (MSS) is the same as the server MSS.
• Configure Port Address Translation (PAT) on the interface that is connected to the real server. PAT
prevents collisions when a client stops using a server connection and then that connection is reused
by another client. Without PAT, if the original client tries to reuse the original server connection, it
is no longer available. For details about configuring PAT, see the Security Guide, Cisco ACE
Application Control Engine.
• Configure the same TCP options that exist on the TCP server.
• Ensure that all real servers within a server farm have identical configurations.
Another effect of TCP server reuse is that header insertion and cookie insertion, if enabled, occur for
every request instead of only the first request.
Examples To enable TCP server reuse, enter:
host1/Admin(config-parammap-http)# server-conn reuse
To disable TCP server reuse, enter:
host1/Admin(config-parammap-http)# no server-conn reuse
Related Commands show parameter-map
(config-parammap-http) persistence-rebalance
(config-pmap-lb-c) insert-http
(config-sticky-cookie) cookie insert
(config-parammap-http) set content-maxparse-length
To set the maximum number of bytes to parse in HTTP content, use the set content-maxparse-length
command. Use the no form of this command to reset the maximum parse length to the default of 4096
bytes.
set content-maxparse-length bytes
no set content-maxparse-length
Syntax Description
bytes Maximum number of bytes to parse in HTTP content. Enter an
integer from 1 to 65535. The default is 4096 bytes.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines If you set the bytes argument to a value that is greater than 32 KB, you must configure the
(config-parammap-conn) set tcp buffer-share command in a connection parameter map to a value that
is greater than the bytes value. If you do not, even if you configure the (config-parammap-http)
length-exceed continue command, the ACE may not completely parse a content string packet that is
greater than 32 KB. The reason is that the default value of the (config-parammap-conn) set tcp
buffer-share command buffer size (32 KB) will not accommodate the larger content string size.
Examples To set the maximum parse length to 8192, enter:
host1/Admin(config-parammap-http)# set content-maxparse-length 8192
To reset the maximum parse length to the default of 4096 bytes, enter:
host1/Admin(config-parammap-http)# no set content-maxparse-length
Related Commands show parameter-map
(config-parammap-conn) set tcp buffer-share
(config-parammap-http) set header-maxparse-length
To set the maximum number of bytes to parse for cookies, HTTP headers, and URLs, use the set
header-maxparse-length command. Use the no form of this command to reset the HTTP header
maximum parse length to the default of 4096 bytes.
set header-maxparse-length bytes
no set header-maxparse-length
Syntax Description
bytes Maximum number of bytes to parse for the total length of all cookies,
HTTP headers, and URLs. Enter an integer from 1 to 65535. The
default is 4096 bytes.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) The default value increased from 2048 to 4096.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines If you set the bytes argument to a value that is greater than 32 KB, you must configure the
(config-parammap-conn) set tcp buffer-share command in a connection parameter map to a value that
is greater than the bytes value. If you do not, even if you configure the (config-parammap-http)
length-exceed continue command, the ACE may not completely parse a header packet that is greater
than 32 KB. The reason is that the default value of the (config-parammap-conn) set tcp buffer-share
buffer size (32 KB) will not accommodate the larger header size.
Examples To set the HTTP header maximum parse length to 8192, enter:
host1/Admin(config-parammap-http)# set header-maxparse-length 8192
To reset the HTTP header maximum parse length to the default of 4096 bytes, enter:
host1/Admin(config-parammap-http)# no set header-maxparse-length
Related Commands show parameter-map
(config-parammap-conn) set tcp buffer-share
(config-parammap-http) set secondary-cookie-delimiters
To define a list of ASCII-character delimiter strings that you can use to separate the cookies in a URL
string, use the set secondary-cookie-delimiters command. Use the no form of this command to reset
the delimiter string list to the default of /?+.
set secondary-cookie-delimiters text
no set secondary-cookie-delimiters
Syntax Description
  text    Delimiter string. Enter an unquoted text string with no spaces and a maximum of four
          characters. The order of the delimiters in the list does not matter. The default list of
          delimiters is /+.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
  ACE Module Release       Modification
  3.0(0)A1(2)              This command was introduced.
  ACE Appliance Release    Modification
  A1(7)                    This command was introduced.
Usage Guidelines Cookies and their delimiters appear in GET request lines. In the following example of a GET request
line, the ampersand (&) that appears between name-value pairs is the secondary cookie delimiter. The
question mark (?) begins the URL query and is not configurable.
GET /default.cgi?user=me&hello=world&id=2 HTTP/1.1
Examples To set the delimiter string list to the characters !@#$, enter:
host1/Admin(config-parammap-http)# set secondary-cookie-delimiters !@#$
To reset the delimiter string list to the default of /?+, enter:
host1/Admin(config-parammap-http)# no set secondary-cookie-delimiters
Related Commands show parameter-map
(config-parammap-http) set secondary-cookie-start
To define the ASCII-character string at the start of a secondary cookie in a URL or ignore any start string
of a secondary cookie in the URL and consider the secondary cookie part of the URL, use the set
secondary-cookie-start command. Use the no form of this command to reset the secondary cookie start
string to the default setting of ?.
The syntax of this command is as follows:
set secondary-cookie-start {none | text}
no set secondary-cookie-start
Syntax Description
  none    The secondary cookie start is not configured or the ACE ignores any start string of a
          secondary cookie in the URL and considers the secondary cookie as part of the URL.
          When you configure the none keyword to consider the entire URL query string as part of
          a URL, the commands that rely on the URL query, such as the match cookie secondary and
          predictor hash cookie secondary commands, do not work. Do not configure these
          commands under the same real server.
  text    The start string of the secondary cookie. Enter a maximum of two characters. The default
          start character is ?.
Command Modes Parameter map HTTP configuration mode
Admin and user contexts
Command History
  ACE Module Release       Modification
  A2(1.5) and A2(2.1)      This command was introduced.
  ACE Appliance Release    Modification
  A3(2.3)                  This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To define the secondary cookie start string, enter:
host1/Admin(config-parammap-http)# set secondary-cookie-start ?!
To reset the secondary cookie start string to the default setting of ?, enter:
host1/Admin(config-parammap-http)# no set secondary-cookie-start
Related Commands show parameter-map
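The three HTTP parameter-map settings above (the parse budget of set header-maxparse-length, and the secondary-cookie start string and delimiter list) modelled as an added example; this is not Cisco's code, and it assumes that the budget is charged against the request line and every header line (CRLF included) and that secondary cookies are name=value pairs after the start string split on any delimiter character, neither of which the page states.

```python
"""Added example (not Cisco's code): a small model of the HTTP parameter-map
settings above: the header parse budget of set header-maxparse-length and the
secondary-cookie extraction governed by set secondary-cookie-start and
set secondary-cookie-delimiters.

Assumptions not stated on the page: the parse budget is charged against the
request line and every header line (CRLF included), and secondary cookies are
name=value pairs that follow the start string, split on any delimiter character.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_MAXPARSE = 4096   # default of set header-maxparse-length (bytes)
DEFAULT_START = "?"       # default of set secondary-cookie-start
DEFAULT_DELIMS = "/?+"    # default of set secondary-cookie-delimiters
TCP_BUFFER_SHARE = 32768  # default (config-parammap-conn) set tcp buffer-share


@dataclass
class ParsedRequest:
    method: str = ""
    url: str = ""
    headers: dict = field(default_factory=dict)   # lower-cased header names
    parsed_bytes: int = 0
    length_exceeded: bool = False                 # budget ran out before the blank line


def parse_request(raw: bytes, maxparse: int = DEFAULT_MAXPARSE) -> ParsedRequest:
    """Parse the request line and headers while charging each line to maxparse.

    Once the budget is exceeded parsing stops and the result is flagged; what
    happens next (drop, or continue with the partial parse) is the
    length-exceed policy, which this model leaves to the caller.
    """
    result = ParsedRequest()
    head = raw.split(b"\r\n\r\n", 1)[0]
    for i, line in enumerate(head.split(b"\r\n")):
        result.parsed_bytes += len(line) + 2      # the CRLF counts too
        if result.parsed_bytes > maxparse:
            result.length_exceeded = True
            return result
        text = line.decode("ascii", errors="replace")
        if i == 0:
            parts = text.split(" ")
            if len(parts) == 3:
                result.method, result.url = parts[0], parts[1]
        else:
            name, sep, value = text.partition(":")
            if sep:
                result.headers[name.strip().lower()] = value.strip()
    return result


def buffer_share_ok(maxparse: int, tcp_buffer_share: int = TCP_BUFFER_SHARE) -> bool:
    """The usage guideline for set header-maxparse-length: a value above 32 KB
    needs a connection parameter map whose tcp buffer-share is larger than it."""
    return maxparse <= 32768 or tcp_buffer_share > maxparse


def secondary_cookies(url: str, start: Optional[str] = DEFAULT_START,
                      delims: str = DEFAULT_DELIMS) -> dict:
    """Return the name=value secondary cookies found after the start string.

    start=None models 'set secondary-cookie-start none': the query is treated
    as part of the URL and nothing is extracted. Delimiter order is irrelevant.
    """
    if start is None:
        return {}
    pos = url.find(start)
    if pos < 0:
        return {}
    query = url[pos + len(start):]
    pairs, current = [], ""
    for ch in query:                               # split on any delimiter character
        if ch in delims:
            pairs.append(current)
            current = ""
        else:
            current += ch
    pairs.append(current)
    cookies = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


# Constructed sample request (not from the page); the request line is the one
# the usage guidelines quote, with ampersands between the name-value pairs.
SAMPLE_REQUEST = (
    b"GET /default.cgi?user=me&hello=world&id=2 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req.method, req.url, req.parsed_bytes, req.length_exceeded)
    # With '&' configured as a delimiter the three pairs separate; with the
    # default list (/?+) they stay one opaque value, which is why the delimiter
    # list has to match how the application actually writes its URLs.
    print(secondary_cookies(req.url, "?", "&"))
    print(secondary_cookies(req.url))
    print(parse_request(SAMPLE_REQUEST, maxparse=60).length_exceeded)
```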
Parameter Map Optimization Configuration Mode Commands
(ACE appliance only) Parameter map optimization configuration mode commands allow you to create
an optimization HTTP-type parameter map and define its application acceleration settings. To create an
optimization HTTP-type parameter map and access parameter map optimization configuration mode, use
the parameter-map type optimization http command in configuration mode. The prompt changes to
(config-parammap-optmz). Use the no form of the command to remove an optimization HTTP-type
parameter map from the configuration.
parameter-map type optimization http map_name
no parameter-map type optimization http map_name
Syntax Description
  map_name    Enter a unique name as an unquoted text string with no spaces and a maximum of 64
              alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
  ACE Appliance Release    Modification
  A1(7)                    This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
An optimization HTTP parameter map can be optionally specified in an optimization HTTP policy map
to identify the association between an optimization HTTP action list and the parameter map. The
optimization HTTP action list defines what to do, while the optimization HTTP parameter map defines
the specific details about how to accomplish the application acceleration action. For details, see the
“Policy Map Management Configuration Mode Commands” section.
Examples To create an optimization HTTP-type parameter map, enter:
host1/Admin(config)# parameter-map type optimization http OPTIMIZE_PARAM_MAP
host1/Admin(config-parammap-optmz)#
To remove a Layer 7 optimization parameter map from the configuration, enter:
host1/Admin(config)# no parameter-map type optimization http OPTIMIZE_PARAM_MAP
Related Commands (config) parameter-map type
(config) action-list type optimization http
show parameter-map
(config-parammap-optmz) appscope optimize-rate-percent
(ACE appliance only) To control the AppScope features that measure application acceleration
performance by the optional Cisco AVS 3180A Management Station, use the appscope
optimize-rate-percent command. Use the no form of the command to revert to the default AppScope
performance rate settings.
appscope optimize-rate-percent value passthru-rate-percent value
no appscope optimize-rate-percent value passthru-rate-percent value
Syntax Description
  value    Percentage of all requests (or sessions) to be sampled for performance with acceleration
           (optimization) applied. All applicable optimizations for the class will be performed. Valid
           values are from 0 to 100 percent. The default is 10 percent. This value plus the
           passthru-rate-percent value must not exceed 100.
  passthru-rate-percent value    Percentage of all requests (or sessions) to be sampled for
           performance without optimization. No optimizations for the class will be performed. Valid
           values are from 0 to 100 percent. The default is 10 percent. This value plus the
           optimize-rate-percent value must not exceed 100.
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
  ACE Appliance Release    Modification
  A1(7)                    This command was introduced.
Usage Guidelines The statistical log contains an entry for each ACE optimization request to the server and is used for
statistical analysis by the optional Cisco AVS 3180A Management Station. The ACE collects the statistical
log and sends it to the Cisco AVS 3180A Management Station for loading into the database. For details
about the use of the Cisco AVS 3180A Management Station for database, management, and reporting
features for the ACE optimization functionality, including AppScope reporting, see the Cisco 4700
Series Application Control Engine Appliance Application Acceleration and Optimization Configuration
Guide.
To control the AppScope features that measure application acceleration and optimization performance,
use the appscope commands in action list optimization configuration mode. See the “Action List
Optimization Configuration Mode Commands” section for details.
To specify the host (the syslog server on the Management Station) that receives the syslog messages sent
by the ACE, use the logging host configuration command. See the (config) logging host command. This
command allows you to identify the IP address of the Management Station that will be used as the syslog
server. You can specify that the host uses either UDP or TCP to send messages to the syslog server.
Examples To specify a percentage of all requests (or sessions) to be sampled for performance with acceleration and
without optimization applied by AppScope, enter:
host1/Admin(config-parammap-optmz)# appscope optimize-rate-percent 50 passthru-rate-percent 50
To revert to the default AppScope performance rate settings of 10 percent, enter:
host1/Admin(config-parammap-optmz)# no appscope optimize-rate-percent 50 passthru-rate-percent 50
Related Commands (config-actlist-optm) appscope
(config-parammap-optmz) request-grouping-string
(config-parammap-optmz) basefile anonymous-level
(ACE appliance only) To define the base file anonymity level for the all-user delta optimization method,
use the basefile anonymous-level command. By default, the base file anonymity level is disabled. Use
the no form of the command to revert to the default base file anonymity level of 0.
basefile anonymous-level value
no basefile anonymous-level value
Syntax Description
  value    Base file anonymity level for the all-user delta optimization method. Valid values are from
           0 to 50. The default is a value of 0 (disables anonymity).
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
  ACE Appliance Release    Modification
  A1(7)                    This command was introduced.
Usage Guidelines The string can contain a URL regular expression that defines a set of URLs in which URLs that differ
only by their query parameters are to be treated as separate URLs in AppScope reports.
Typically, in an AppScope report organized by URL, matching URLs that differ only in their query
parameters are treated as the same URL and are not listed on separate lines. Use the
request-grouping-string command to specify that all URL variations that are based on query
parameters are to be treated as separate URLs for reporting purposes. Each variation will appear on a
separate line in the report.
For details about the optional Cisco AVS 3180A Management Station database, management, and
reporting features for the ACE optimization functionality, including AppScope reporting, see the Cisco
4700 Series Application Control Engine Appliance Application Acceleration and Optimization
Configuration Guide.
Examples To specify a base file anonymity level of 25, enter:
host1/Admin(config-parammap-optmz)# basefile anonymous-level 25
To revert to the default base file anonymity level of 0, enter:
host1/Admin(config-parammap-optmz)# no basefile anonymous-level
Related Commands (config-parammap-optmz) canonical-url
(config-parammap-optmz) delta
(config-parammap-optmz) cache key-modifier
(ACE appliance only) To modify the canonical form of a URL, which is the portion before the question
mark (?), to form the cache key, use the cache key-modifier command. This command specifies a
regular expression that contains embedded variables that are expanded by the ACE. Use the no form of
the command to remove a cache key modifier.
cache key-modifier {string parameter_expander_function}
no cache key-modifier {regular_expression parameter_expander_function}
Syntax Description
  string    A regular expression. Enter an unquoted text string with no spaces and a maximum of 255
            alphanumeric characters. Alternatively, you can enter a text string with spaces provided
            that you enclose the entire string in quotation marks (“). The ACE supports the use of
            regular expressions for matching string expressions. The “Usage Guidelines” section lists
            the supported characters that you can use for matching string expressions.
  parameter_expander_function    A parameter expander function that evaluates to strings. The
            “Usage Guidelines” section lists the parameter expander functions that you can use.
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
  ACE Appliance Release    Modification
  A1(7)                    This command was introduced.
Usage Guidelines The key that the ACE uses for any given requesting URL comprises one or more of the following two
components:
• Query parameters—The URL portion after a question mark (?). You can modify query parameters
by using the cache parameter command, which can be used to include selected query parameters,
a cookie value, an HTTP header value, or other values.
• Canonical URL—The URL portion up to a question mark (?). You can modify the canonical URL
by using the cache key-modifier command.
The expanded string that results from the cache key-modifier command replaces the default canonical
URL portion of the cache key. If you do not specify the cache key-modifier command, the canonical
URL is used as the default value for the URL portion of the cache key (there may also be a query
parameter portion).
For details on modifying the cache key, see the Cisco 4700 Series Application Control Engine Appliance
Application Acceleration and Optimization Configuration Guide.
The following table lists the supported characters that you can use for matching string expressions.
  Convention         Description
  .                  One of any character.
  .*                 Zero or more of any character.
  \.                 Period (escaped).
  [charset]          Match any single character from the range.
  [^charset]         Do not match any character in the range. All other characters represent themselves.
  ()                 Expression grouping.
  (expr1 | expr2)    OR of expressions.
  (expr)*            0 or more of expression.
  (expr)+            1 or more of expression.
  expr{m,n}          Repeat the expression between m and n times, where m and n have a range of 1 to 255.
  expr{m}            Match the expression exactly m times. The range for m is from 1 to 255.
  expr{m,}           Match the expression m or more times. The range for m is from 1 to 255.
  \a                 Alert (ASCII 7).
  \b                 Backspace (ASCII 8).
  \f                 Form-feed (ASCII 12).
  \n                 New line (ASCII 10).
  \r                 Carriage return (ASCII 13).
  \t                 Tab (ASCII 9).
  \v                 Vertical tab (ASCII 11).
  \0                 Null (ASCII 0).
  \\                 Backslash.
  \x##               Any ASCII character as specified in two-digit hexadecimal notation.
The following table lists the parameter expander functions that you can use.
  Variable           Description
  $(number)          Expands to the corresponding matching subexpression (by number) in the URL pattern.
                     Subexpressions are marked in a URL pattern using parentheses (). The numbering of the
                     subexpressions begins with 1 and is the number of the left-parenthesis “(“ counting
                     from the left. You can specify any positive integer for the number. $(0) matches the
                     entire URL. For example, if the URL pattern is ((http://server/.*)/(.*)/)a.jsp, and the
                     URL that matched it is the following:
                     http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are
                     correct:
                     $(0) = http://server/main/sub/a.jsp
                     $(1) = http://server/main/sub/
                     $(2) = http://server/main
                     $(3) = sub
                     If the specified subexpression does not exist in the URL pattern, then the variable
                     expands to the empty string.
  $http_query_string()    Expands to the value of the whole query string in the URL. For example, if the
                     URL is
                     http://myhost/dothis?param1=value1&param2=value2
                     then the following is correct:
                     $http_query_string() = param1=value1&param2=value2
                     This function applies to both GET and POST requests.
  $http_query_param(query-param-name)
  (this obsolete syntax is also supported: $param(query-param-name))
                     Expands to the value of the named query parameter (case sensitive). For example, if
                     the URL is
                     http://server/main/sub/a.jsp?category=shoes&session=99999
                     then the following are correct:
                     $http_query_param(category) = shoes
                     $http_query_param(session) = 99999
                     If the specified parameter does not exist in the query, then the variable expands to
                     the empty string. This function applies to both GET and POST requests.
  $http_cookie(cookie-name)    Evaluates to the value of the named cookie. For example,
                     $http_cookie(cookiexyz). The cookie name is case sensitive.
  $http_header(request-header-name)    Evaluates to the value of the specified HTTP request header. In
                     the case of multivalued headers, it is the single representation as specified in the
                     HTTP specification. For example, $http_header(user-agent). The HTTP header name is
                     not case sensitive.
  $http_method()     Evaluates to the HTTP method used for the request, such as GET or POST.
  Boolean Functions:
  $http_query_param_present(query-param-name)
  $http_query_param_notpresent(query-param-name)
  $http_cookie_present(cookie-name)
  $http_cookie_notpresent(cookie-name)
  $http_header_present(request-header-name)
  $http_header_notpresent(request-header-name)
  $http_method_present(method-name)
  $http_method_notpresent(method-name)
                     Evaluates to a Boolean value: True or False, depending on the presence or absence of
                     the element in the request. The elements are a specific query parameter
                     (query-param-name), a specific cookie (cookie-name), a specific request header
                     (request-header-name), or a specific HTTP method (method-name). All identifiers are
                     case sensitive except for the HTTP request header name.
Examples For example, enter:
host1/Admin(config-parammap-optmz)# cache key-modifier $http://www(1)
To remove a cache key modifier, enter:
host1/Admin(config-parammap-optmz)# no cache key-modifier
Related Commands (config-parammap-optmz) cache parameter
(config-parammap-optmz) cache ttl
(config-parammap-optmz) cache parameter
(ACE appliance only) To modify the query parameter part of a URL, which is the portion after the
question mark (?), to form the cache key, use the cache parameter command. Use the no form of the
command to remove a cache parameter.
cache parameter parameter_expander_function
no cache parameter parameter_expander_function
Syntax Description
  parameter_expander_function    Parameter expander function that evaluates to strings. Use the
            forward slash (/) character when combining multiple parameter expander functions (for
            example, cache parameter $http_cookie(ID)/$http_query_param(category)). The maximum
            string value is 255 characters. See the “(config-parammap-optmz) cache key-modifier”
            section for a listing of the parameter expander functions that you can use.
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
  ACE Appliance Release    Modification
  A1(7)                    This command was introduced.
Usage Guidelines The key that the ACE uses for any given requesting URL comprises one or more of the following two
components:
• Query parameters—The URL portion after a question mark (?). You can modify query parameters
by using the cache parameter command, which can be used to include selected query parameters,
a cookie value, an HTTP header value, or other values.
• Canonical URL—The URL portion up to a question mark (?). You can modify the canonical URL
by using the cache key-modifier command.
The cache parameter command specifies an expression that includes one or more parameter expander
functions if you want to modify the parameter portion of the cache key. This command specifies one or
more parameter expander functions that evaluate to strings. These strings are appended to the canonical
URL to form the last portion of the cache key. The parameter expander functions are listed in the
(config-parammap-optmz) cache key-modifier command.
The string specified in the cache parameter command replaces the default query parameter that is used
in the cache key. If you do not specify the cache parameter command, the query parameter portion of
the URL is used as the default value for this portion of the cache key. The canonical URL, possibly
modified by the cache key-modifier command, is the first part of the cache key.
For details on modifying the cache key, see the Cisco 4700 Series Application Control Engine Appliance
Application Acceleration and Optimization Configuration Guide.
Examples To set the value of the query parameter portion of the cache key, enter:
host1/Admin(config-parammap-optmz)# cache parameter $http_query_param (version)
To remove a cache parameter, enter:
host1/Admin(config-parammap-optmz)# no cache parameter
Related Commands (config-parammap-optmz) cache key-modifier
(config-parammap-optmz) cache ttl
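How the two portions of the cache key described under cache key-modifier and cache parameter come together, with the parameter expander functions from the table above, as an added example; this is not Cisco's code, the expander evaluation is modelled from the table's descriptions only, and the joining of the two key portions with a question mark is an assumption the page does not state.

```python
"""Added example (not Cisco's code): a model of how a cache key is assembled
from the canonical URL pattern, cache key-modifier and cache parameter, using
the parameter expander functions listed under cache key-modifier.

Assumptions not stated on the page: how the two key portions are joined (a '?'
here), and the exact expander-evaluation rules, which are modelled from the
descriptions in the table only.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:                         # constructed request model
    method: str
    url: str                           # e.g. http://server/main/sub/a.jsp?x=1
    headers: dict = field(default_factory=dict)   # lower-cased names
    cookies: dict = field(default_factory=dict)

    @property
    def canonical_url(self) -> str:    # portion before the question mark
        return self.url.split("?", 1)[0]

    @property
    def query_string(self) -> str:     # portion after the question mark
        return self.url.split("?", 1)[1] if "?" in self.url else ""

    def query_param(self, name: str) -> str:   # case sensitive, "" if absent
        for pair in self.query_string.split("&"):
            key, _, value = pair.partition("=")
            if key == name:
                return value
        return ""

    def has(self, kind: str, name: str) -> bool:   # for the Boolean functions
        if kind == "http_query_param":
            return any(p.split("=", 1)[0] == name for p in self.query_string.split("&"))
        if kind == "http_cookie":
            return name in self.cookies
        if kind == "http_header":
            return name.lower() in self.headers     # header names are not case sensitive
        if kind == "http_method":
            return self.method == name
        raise ValueError(kind)


# $name(arg) -> groups 1,2 ; $(number) -> group 3
FUNC_RE = re.compile(r"\$(\w+)\(([^)]*)\)|\$\((\d+)\)")


def canonical_match(req: Request, url_pattern: str) -> Optional["re.Match"]:
    """Match the canonical URL against the URL pattern (subexpressions feed $(n))."""
    return re.match(url_pattern, req.canonical_url)


def expand(expr: str, req: Request, match: Optional["re.Match"]) -> str:
    """Replace every expander function in expr with its value for req."""
    def repl(m):
        if m.group(3) is not None:                          # $(number)
            n = int(m.group(3))
            if match is None or n > len(match.groups()):
                return ""                                   # missing subexpression
            return match.group(n) or ""
        name, arg = m.group(1), m.group(2)
        if name == "http_query_string":
            return req.query_string
        if name in ("http_query_param", "param"):           # $param() is the obsolete form
            return req.query_param(arg)
        if name == "http_cookie":
            return req.cookies.get(arg, "")
        if name == "http_header":
            return req.headers.get(arg.lower(), "")
        if name == "http_method":
            return req.method
        if name.endswith("_present") or name.endswith("_notpresent"):
            kind, _, suffix = name.rpartition("_")
            return "True" if req.has(kind, arg) == (suffix == "present") else "False"
        raise ValueError(f"unknown expander function ${name}()")
    return FUNC_RE.sub(repl, expr)


def cache_key(req: Request, url_pattern: str,
              key_modifier: Optional[str] = None, cache_parameter: Optional[str] = None) -> str:
    """Canonical portion (key-modifier, or the canonical URL by default) plus the
    parameter portion (cache parameter, or the raw query string by default)."""
    match = canonical_match(req, url_pattern)
    first = expand(key_modifier, req, match) if key_modifier else req.canonical_url
    second = expand(cache_parameter, req, match) if cache_parameter else req.query_string
    return first + ("?" + second if second else "")


# The page's own URL pattern and URL, as a constructed request.
PATTERN = r"((http://server/.*)/(.*)/)a.jsp"
REQ = Request("GET", "http://server/main/sub/a.jsp?category=shoes&session=99999",
              headers={"user-agent": "ExampleUA/1.0"}, cookies={"ID": "42"})

if __name__ == "__main__":
    print(cache_key(REQ, PATTERN))
    # Keying on the user's cookie keeps one user's response from being served
    # to another; keying on the category alone would share it across sessions.
    print(cache_key(REQ, PATTERN, cache_parameter="$http_cookie(ID)/$http_query_param(category)"))
```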
(config-parammap-optmz) cache ttl
(ACE appliance only) To define the ACE cache freshness settings, use the cache ttl command. Use the no
form of the command to revert to a default cache time-to-live value.
cache ttl {min time | max time | percent value}
no cache ttl {min time | max time | percent value}
Syntax Description
  min time    Minimum time in seconds that an object without an explicit expiration time should be
              considered fresh. The min keyword specifies the minimum time that the content can be
              cached for, which corresponds to the time-to-live value of the content. In the case of a
              new item that is valid for three hours, this value would be 3 x 60 x 60 = 10800 seconds.
              If you perform static caching (the flashforward-object action), this value should normally
              be 0. If you perform dynamic caching (the cache dynamic action) this value should be set
              to indicate how long the ACE should cache the page. Valid values are from 0 to
              2147483647 seconds. The default is 0.
  max time    Maximum time in seconds that an object without an explicit expiration time should be
              considered fresh. The max keyword determines how the ACE handles the case when the
              object has passed its cache minimum time-to-live value. Valid values are from 0 to
              2147483647 seconds. The default is 300 seconds.
  percent value    Percent of an object’s age at which an embedded object without an explicit
              expiration time is considered fresh. Valid values are from 0 to 100 percent. The default
              is 0 percent.
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
  ACE Appliance Release    Modification
  A1(7)                    This command was introduced.
Usage Guidelines This command sets the maximum time (max keyword) or the minimum time (min keyword) in seconds that
an object without an explicit expiration time should be considered fresh. The percent keyword sets the
percent of an object's age at which an embedded object without an explicit expiration time is considered fresh.
Examples To specify a minimum time-to-live value of 1000 seconds in which the content can be cached, enter:
host1/Admin(config-parammap-optmz)# cache ttl min 1000
To revert to a default cache time-to-live value, enter:
host1/Admin(config-parammap-optmz)# no cache ttl min
Related Commands (config-parammap-optmz) cache key-modifier
(config-parammap-optmz) cache parameter
(config-parammap-optmz) cache ttl
(config-parammap-optmz) cache-policy request
(ACE appliance only) To override client request headers (primarily for embedded objects), use the
cache-policy request command. Use the no form of the command to remove a cache policy request
selection.
cache-policy request {override-all | override-cache-ctl-no-cache}
no cache-policy request {override-all | override-cache-ctl-no-cache}
Syntax Description
  override-all    Specifies that all cache request headers are ignored.
  override-cache-ctl-no-cache    Overrides the Cache-Control: no cache HTTP header from a request.
              This keyword is used for a flashforward-object command action (see the
              “(config-actlist-optm) flashforward-object” section). Typically, if there is a cache control
              request header stating no cache, the ACE will not cache this object. The
              override-cache-ctl-no-cache keyword instructs the ACE to ignore the Cache-Control:
              no cache header from the request side.
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
  ACE Appliance Release    Modification
  A1(7)                    This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE that all cache request headers are ignored, enter:
host1/Admin(config-parammap-optmz)# cache-policy request override-all
To remove a cache policy request selection, enter:
host1/Admin(config-parammap-optmz)# no cache-policy request override-all
Related Commands (config-actlist-optm) flashforward-object
(config-parammap-optmz) cache-policy response
(ACE appliance only) To override origin server response headers (primarily for embedded objects), use
the cache-policy response command. Use the no form of the command to remove a cache policy
response selection.
cache-policy response {override-all | override-cache-ctl-private}
no cache-policy response {override-all | override-cache-ctl-private}
Syntax Description
  override-all    Specifies that all cache response headers are ignored.
  override-cache-ctl-private    Overrides the Cache-Control: private HTTP header from a response.
              This keyword is used for a flashforward-object command action (see the
              “(config-actlist-optm) flashforward-object” section) and is equivalent to static object
              caching. Typically, if there is a cache control response header stating private, these
              response headers will make the object not cacheable. The override-cache-ctl-private
              keyword instructs the ACE to ignore the Cache-Control: private HTTP header from a
              response.
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
  ACE Appliance Release    Modification
  A1(7)                    This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE that all cache response headers are ignored, enter:
host1/Admin(config-parammap-optmz)# cache-policy response override-all
To remove a cache policy response selection, enter:
host1/Admin(config-parammap-optmz)# no cache-policy response override-all
Related Commands (config-actlist-optm) flashforward-object
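The caching decisions behind the cache ttl, cache-policy request and cache-policy response commands (whether a request/response pair is cacheable once the override keywords apply, and how long an object without an explicit expiration stays fresh) as an added example; this is not Cisco's code, and the freshness heuristic (ttl percent of the object's age since Last-Modified, clamped to the min and max values) is an assumption modelled on the usual last-modified-factor rule, since the page gives the knobs but not the ACE's formula.

```python
"""Added example (not Cisco's code): a model of the caching decisions described
for cache ttl, cache-policy request and cache-policy response: whether a
request/response pair may be cached once the override keywords are applied,
and for how long an object without an explicit expiration stays fresh.

Assumption not stated on the page: the heuristic lifetime is modelled as
ttl percent of the object's age since Last-Modified, clamped to [min, max]
(the usual last-modified-factor rule); the ACE's exact formula is not given.
"""
from dataclasses import dataclass


@dataclass
class CachePolicy:
    ttl_min: int = 0                 # cache ttl min (default 0 seconds)
    ttl_max: int = 300               # cache ttl max (default 300 seconds)
    ttl_percent: int = 0             # cache ttl percent (default 0 percent)
    request_override_all: bool = False          # cache-policy request override-all
    request_override_no_cache: bool = False     # ... override-cache-ctl-no-cache
    response_override_all: bool = False         # cache-policy response override-all
    response_override_private: bool = False     # ... override-cache-ctl-private


def directives(cache_control: str) -> dict:
    """Parse 'max-age=60, private' into {'max-age': '60', 'private': ''}."""
    out = {}
    for item in cache_control.split(","):
        key, _, value = item.strip().partition("=")
        if key:
            out[key.lower()] = value.strip()
    return out


def request_allows_cache(req_headers: dict, policy: CachePolicy) -> bool:
    """Client side: a no-cache request normally bypasses the cache unless the
    override-cache-ctl-no-cache (or override-all) keyword is configured."""
    if policy.request_override_all:
        return True
    cc = directives(req_headers.get("cache-control", ""))
    return "no-cache" not in cc or policy.request_override_no_cache


def response_allows_cache(resp_headers: dict, policy: CachePolicy) -> bool:
    """Origin side: Cache-Control: private makes the object not cacheable unless
    override-cache-ctl-private (or override-all) is configured. Note what that
    override does: responses the origin marked for one user become shareable."""
    if policy.response_override_all:
        return True
    cc = directives(resp_headers.get("cache-control", ""))
    return "private" not in cc or policy.response_override_private


def freshness_lifetime(resp_headers: dict, age_since_modified: int,
                       policy: CachePolicy) -> int:
    """Seconds the object is considered fresh. An explicit max-age wins;
    otherwise ttl percent of the age, clamped between ttl min and ttl max."""
    cc = directives(resp_headers.get("cache-control", ""))
    if cc.get("max-age", "").isdigit():
        return int(cc["max-age"])
    heuristic = age_since_modified * policy.ttl_percent // 100
    return max(policy.ttl_min, min(policy.ttl_max, heuristic))


def decide(req_headers: dict, resp_headers: dict, age_since_modified: int,
           policy: CachePolicy) -> tuple:
    """Return (cacheable, fresh_for_seconds) for one request/response pair."""
    if not (request_allows_cache(req_headers, policy)
            and response_allows_cache(resp_headers, policy)):
        return False, 0
    return True, freshness_lifetime(resp_headers, age_since_modified, policy)


if __name__ == "__main__":
    # Constructed headers, not from the page.
    private = {"cache-control": "private"}
    print(decide({}, private, 86400, CachePolicy()))
    print(decide({}, private, 86400, CachePolicy(ttl_max=3600, ttl_percent=10,
                                                 response_override_private=True)))
    print(decide({"cache-control": "no-cache"}, {}, 3000,
                 CachePolicy(ttl_percent=10, request_override_no_cache=True)))
```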
(config-parammap-optmz) canonical-url
(ACE appliance only) To specify a string containing a canonical URL regular expression that defines a
set of URLs to which the parameter map applies, use the canonical-url command. Use the no form of
the command to delete the string that contains a canonical URL regular expression.
canonical-url {parameter-expander-function}
no canonical-url {parameter-expander-function}
Syntax Description
  parameter-expander-function    Parameter expander function that evaluates to strings. See the
              “(config-parammap-optmz) cache key-modifier” section for a listing of the parameter
              expander functions that you can use.
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
  ACE Appliance Release    Modification
  A1(7)                    This command was introduced.
Usage Guidelines At least one URL must be specified using the canonical-url command.
Use the canonical URL function in a parameter map to specify a base file selection policy. The canonical
URL function specifies a regular expression that is used to match a variety of actual URLs. All matched
URLs share a single base file.
The ACE uses the canonical URL feature to modify a parameterized request to eliminate the question
mark (?) and the characters that follow to identify the general part of the URL. This general URL is then
used to create the base file. The ACE uses this feature to map multiple parameterized URLs to a single
canonical URL.
Examples To specify a string that contains a canonical URL regular expression, enter:
host1/Admin(config-parammap-optmz)# canonical-url (1)/http_query_param(category)
To delete the string that contains a canonical URL regular expression, enter:
host1/Admin(config-parammap-optmz)# no canonical-url
Related Commands (config-parammap-optmz) basefile anonymous-level
(config-parammap-optmz) cache key-modifier
(config-parammap-optmz) cache parameter
(config-parammap-optmz) expires-setting
(config-parammap-optmz) clientscript-default
(ACE appliance only) To configure the ACE to recognize the scripting language used on delta optimized
content pages, either JavaScript or Visual Basic, use the clientscript-default command. Use the no form
of the command to revert to the default JavaScript scripting language.
clientscript-default {javascript | vbscript}
no clientscript-default {javascript | vbscript}
Syntax Description
  javascript    Sets the default scripting language to JavaScript (default).
  vbscript      Sets the default scripting language to Visual Basic.
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
  ACE Appliance Release    Modification
  A1(7)                    This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To set the default scripting language to Visual Basic, enter:
host1/Admin(config-parammap-optmz)# clientscript-default vbscript
To revert to the default JavaScript scripting language, enter:
host1/Admin(config-parammap-optmz)# no clientscript-default vbscript
Related Commands This command has no related commands.
(config-parammap-optmz) description
(ACE appliance only) To add a description for the parameter map, use the description command. Use
the no form of this command to remove the description from the parameter map.
description text_string
no description
Syntax Description
  text_string    Description for the action list. Enter an unquoted text string with a maximum of
                 240 alphanumeric characters.
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
  ACE Appliance Release    Modification
  A3(2.3)                  This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the parameter map, enter:
host1/Admin(config)# parameter-map type optimization http OPTIMIZE_PARAM_MAP
host1/Admin(config-parammap-optmz)# description OPTIMIZATION HTTP-TYPE PARAMETER MAP
To remove the description from the parameter map, enter:
host1/Admin(config-parammap-optmz)# no description
Related Commands show parameter-map
(config-parammap-optmz) delta
(ACE appliance only) To control the delta optimization mode used by the ACE and to configure the delta
optimization operating parameters on the ACE, use the delta command. Use the no form of the command
to revert to the default all-user delta optimization mode.
delta {all-user | cacheable-content | exclude {iframes | mime-type mime-type | non-ascii |
scripts} | first-visit | page-size {min value | max value} | per-user}
no delta {all-user | cacheable-content | exclude {iframes | mime-type mime-type | non-ascii |
scripts} | first-visit | page-size {min value | max value} | per-user}
Syntax Description
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
all-user Specifies the corresponding URLs are to be delta optimized using the
all-user delta optimization mode. This is the default.
cacheable-content Enables delta optimization of cacheable content. Typically, the ACE
detects cacheable content and prevents its delta optimization.
exclude Defines the cacheable objects that should not be delta optimized.
iframes Specifies that IFrames should not be delta optimized.
mime-type mime-type Specifies the Multipurpose Internet Mail Extension (MIME)-type
messages that should not be delta optimized (such as image/Jpeg,
text/html, application/msword, audio/mpeg).
non-ascii Specifies that non-ASCII data should not be delta optimized.
Specify this keyword if the content has UTF8 characters. Using this
keyword excludes such UTF8 characters from delta optimization but
the remainder of that page can still have delta optimization.
scripts Specifies that JavaScript should not be delta optimized.
first-visit Enables delta optimization on the first visit to a web page.
page-size Sets the minimum and maximum page size, in bytes, that can be delta
optimized.
min value Specifies the minimum page size, in bytes, that can be delta
optimized. Valid values are from 1 to 250000 bytes. The default is
1024 bytes.
max value Specifies the maximum page size, in bytes, that can be delta
optimized. Valid values are 1024 to 250000 bytes. The default is
250000 bytes.
per-user Specifies the corresponding URLs are to be delta optimized using the
per-user delta optimization mode.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Delta optimization mode specifies whether the web pages to be delta optimized are common to all users
or personalized for individual users, which determines what kind of page deltas are generated by the
ACE.
The ACE supports two delta optimization modes:
• All-user mode
• Per-user mode
In the all-user delta optimization mode, the delta is generated against a single base file that is shared by
all users of the URL. The all-user delta optimization mode is usable in most cases, even in the case of
dynamic personalized content if the structure of a page is common across users. The disk space overhead
is minimal (the disk space requirements are determined by the number of delta optimized pages, not the
number of users).
In the per-user delta optimization mode, when a specific user requests a URL, the delta for the response
is generated against a base file that is created specifically for that user. The per-user delta optimization
mode is useful in situations where the contents of a page (including layout elements) are different for
each user. This mode delivers the highest level of delta optimization. However, a copy of the base page
that is delivered to each user has to be kept in the ACE cache which increases the requirements on disk
space for the ACE cache. The per-user delta optimization mode is useful for content privacy because
base pages are not shared among users.
Examples To specify that the corresponding URLs are to be delta optimized using the per-user delta optimization
mode, enter:
host1/Admin(config-parammap-optmz)# delta per-user
To revert to the default all-user delta optimization mode, enter:
host1/Admin(config-parammap-optmz)# no delta per-user
To specify the MIME-type messages that should not be delta optimized, enter:
host1/Admin(config-parammap-optmz)# delta exclude mime-type audio/mpeg
To disable a delta optimization operating parameter on the ACE, enter:
host1/Admin(config-parammap-optmz)# no delta exclude mime-type audio/mpeg
Related Commands (config-actlist-optm) delta
(config-parammap-optmz) basefile anonymous-level
(config-parammap-optmz) expires-setting
(ACE appliance only) To control the period of time that objects in the client’s browser remain fresh, use
the expires-setting command. Use the no form of the command to remove an expiration setting.
expires-setting {cachettl | time-to-live seconds | unmodified}
no expires-setting {cachettl | time-to-live seconds | unmodified}
Syntax Description
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
Usage Guidelines The expires-setting command instructs the ACE to insert an Expires response header with a time value
for an object. It is not necessary to configure this command when specifying the flashforward command
in an action list because, in this case, the ACE always inserts a long time value in the Expires header for
the transformed object. The expires-setting command is typically used when you are not using
FlashForward but want to achieve the FlashForward effect by making all of the embedded objects
perceived as being fresh by the browser.
Examples To specify that the ACE use the settings configured by the cache ttl command, enter:
host1/Admin(config-parammap-optmz)# expires-setting cachettl
To remove an expiration setting, enter:
host1/Admin(config-parammap-optmz)# no expires-setting cachettl
Related Commands (config-parammap-optmz) cache ttl
cachettl Sets the freshness similar to FlashForwarded objects and uses the
minimum and maximum settings configured by the cache ttl
command (if set). See the “(config-parammap-optmz) cache ttl”
section.
time-to-live seconds The duration that objects in the client’s browser remain fresh. Valid
entries are from 0 to 2147483647 seconds.
unmodified Disables browser object freshness control (default).
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-parammap-optmz) extract meta
(ACE appliance only) To configure the ACE to remove HTML Meta elements from documents to prevent
them from being condensed, use the extract meta command. By default, the ACE includes HTML Meta
elements in documents. Use the no form of the command to include HTML Meta elements in documents.
extract meta
no extract meta
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To remove HTML Meta elements from documents, enter:
host1/Admin(config-parammap-optmz)# extract meta
To include HTML Meta elements in documents, enter:
host1/Admin(config-parammap-optmz)# no extract meta
Related Commands This command has no related commands.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-parammap-optmz) flashforward refresh-policy
(ACE appliance only) To configure the ACE to bypass FlashForward for stale embedded objects, use the
flashforward refresh-policy command. Use the no form of the command to revert to the default of
allowing FlashForward to indirectly refresh embedded objects.
flashforward refresh-policy {all | direct}
no flashforward refresh-policy {all | direct}
Syntax Description
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
Usage Guidelines Request headers that the ACE sends to the origin server for stale embedded objects (indirect GET) may
not be accepted by the origin server and cause errors. In this case, specify direct to prevent this behavior.
FlashForward is disabled by default; you must enable it by specifying the following commands in action
list optimization mode: flashforward and flashforward-object (for embedded objects).
Examples To bypass FlashForward for stale embedded objects, enter:
host1/Admin(config-parammap-optmz)# flashforward refresh-policy direct
To revert to the default of allowing FlashForward to indirectly refresh embedded objects, enter:
host1/Admin(config-parammap-optmz)# no flashforward refresh-policy
Related Commands (config-actlist-optm) flashforward
(config-actlist-optm) flashforward-object
all Allows FlashForward to indirectly refresh embedded objects
(default).
direct Bypasses FlashForward for stale embedded objects so that they are
directly refreshed.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-parammap-optmz) ignore-server-content
(ACE appliance only) To specify a comma-separated list of HTTP response codes for which the response
body must not be read (ignored), use the ignore-server-content command. Use the no form of the
command to remove one or more response codes to ignore.
ignore-server-content value
no ignore-server-content value
Syntax Description
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To specify a response code value of 302 to ignore, enter:
host1/Admin(config-parammap-optmz)# ignore-server-content 302
To remove one or more response codes to ignore, enter:
host1/Admin(config-parammap-optmz)# no ignore-server-content
Related Commands This command has no related commands.
value The response code as an unquoted text string with a maximum of
64 alphanumeric characters. For example, a response code value of
302 directs the ACE to ignore the response body in the case of a 302
(redirect) response from the origin server.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-parammap-optmz) parameter-summary parameter-value-limit
(ACE appliance only) To set the maximum number of bytes that are logged for each parameter value in
the parameter summary of a transaction log entry in the statistics log, use the parameter-summary
parameter-value-limit command. Use the no form of the command to revert to the default of 100 bytes
as the parameter summary value.
parameter-summary parameter-value-limit bytes
no parameter-summary parameter-value-limit bytes
Syntax Description
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To specify 5000 bytes as the value of the parameter summary, enter:
host1/Admin(config-parammap-optmz)# parameter-summary parameter-value-limit 5000
To revert to the default of 100 bytes as the value of the parameter summary, enter:
host1/Admin(config-parammap-optmz)# no parameter-summary parameter-value-limit
Related Commands (config) logging host
(config-actlist-optm) appscope
(config-parammap-optmz) appscope optimize-rate-percent
(config-parammap-optmz) request-grouping-string
bytes Maximum number of bytes that are logged for each parameter value
in the parameter summary of a transaction log entry in the statistical
log. If a parameter value is longer than this limit, it is truncated at the
specified parameter limit. Valid values are from 0 to 10,000 bytes.
The default is 100 bytes.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-parammap-optmz) post-content-buffer-limit
(ACE appliance only) To set the buffer size of an HTTP POST to a maximum number of kilobytes, use
the post-content-buffer-limit command. Use the no form of the command to revert to the default buffer
size of 40K.
post-content-buffer-limit value
no post-content-buffer-limit value
Syntax Description
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
Usage Guidelines An HTTP POST can send a very large (effectively unlimited) amount of data; in an extreme case, the
client can keep sending a stream of data for the server to handle. In order to parse and inspect the POST
data, the ACE needs to load the data into a buffer in memory.
Two types of standard HTTP form POST operations are as follows (they are distinguished by the value
in the Content-Type header):
• application/x-www-form-urlencoded—This type represents the majority of all HTTP POSTs. This
type is just a standard POST of a webpage form.
• multipart/form-data—This type is much less common. It allows browser users to upload files to a
website or application. For example, if you use a web-based email program, and you want to attach
a file to an e-mail that you are sending, the upload of the file is done using this type. Another usage
(even less common) of this type of HTTP POST is to send binary data (for example, from a custom
browser plug-in, or from a non-browser HTTP client).
Examples To specify a buffer size of 1000 KB, enter:
host1/Admin(config-parammap-optmz)# post-content-buffer-limit 1000
To revert to the default buffer size of 40 KB, enter:
host1/Admin(config-parammap-optmz)# no post-content-buffer-limit
Related Commands This command has no related commands.
value The buffer size for POST data for the purpose of logging transaction
parameters in the statistics log. Valid values are 0 to 1000 KB. The
default is 40 KB. Parameters beyond this limit will not be logged by
the ACE.
ACE Appliance Release Modification
A1(7) This command was introduced.
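The bounded POST buffering described above, together with the per-value truncation of the parameter-summary parameter-value-limit command, as one added example (not ACE code): it reads at most the configured kilobytes of the body, splits only application/x-www-form-urlencoded content into parameters, and clips each value at the byte limit. Treating multipart/form-data as size-only and flagging a parameter cut by the buffer boundary are assumptions of this model.

```python
import io
from urllib.parse import parse_qsl

# ACE defaults of the two commands this example models.
DEFAULT_POST_BUFFER_KB = 40        # post-content-buffer-limit
DEFAULT_PARAM_VALUE_LIMIT = 100    # parameter-summary parameter-value-limit (bytes)


def buffer_post_body(stream, buffer_limit_kb=DEFAULT_POST_BUFFER_KB):
    """Read at most buffer_limit_kb KB of a POST body from a binary stream.

    Bounding the read is what keeps a client that streams data indefinitely
    from exhausting memory. Returns (data, body_truncated); one extra byte is
    read only to learn whether the body continued past the limit.
    """
    data = stream.read(buffer_limit_kb * 1024)
    body_truncated = stream.read(1) != b""
    return data, body_truncated


def summarize_post(content_type, stream,
                   buffer_limit_kb=DEFAULT_POST_BUFFER_KB,
                   value_limit=DEFAULT_PARAM_VALUE_LIMIT):
    """Build the parameter summary a transaction log entry would carry.

    Only application/x-www-form-urlencoded bodies are split into parameters;
    multipart/form-data (file uploads, binary data) is recorded by size alone,
    which is an assumption of this model, not documented ACE behaviour.
    Each parameter value is cut at value_limit bytes.
    """
    body, body_truncated = buffer_post_body(stream, buffer_limit_kb)
    mime = content_type.split(";", 1)[0].strip().lower()
    summary = {
        "content_type": mime,
        "buffered_bytes": len(body),
        "body_truncated": body_truncated,
        "params": [],
    }
    if mime != "application/x-www-form-urlencoded":
        return summary
    # latin-1 maps one byte to one character, so slicing by characters below
    # truncates by bytes and percent-decoded UTF-8 survives unchanged.
    text = body.decode("latin-1")
    for name, value in parse_qsl(text, keep_blank_values=True, encoding="latin-1"):
        raw = value.encode("latin-1")
        summary["params"].append({
            "name": name,
            "value": raw[:value_limit],
            "value_truncated": len(raw) > value_limit,
            "incomplete": False,
        })
    if body_truncated and summary["params"]:
        # The buffer boundary can fall inside a value: flag the last parameter
        # so a log reader does not mistake a cut-off value for the real one.
        summary["params"][-1]["incomplete"] = True
    return summary


def summarize_post_bytes(content_type, body, **kwargs):
    """Convenience wrapper over summarize_post for an in-memory body."""
    return summarize_post(content_type, io.BytesIO(body), **kwargs)


if __name__ == "__main__":
    # Constructed form submission: one oversized field among ordinary ones.
    form = b"user=alice&note=" + b"x" * 250 + b"&next=%2Fhome"
    print(summarize_post_bytes("application/x-www-form-urlencoded; charset=UTF-8", form))
```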
(config-parammap-optmz) rebase
(ACE appliance only) To control the rebasing of base files by the ACE, use the rebase command. Use
the no form of the command to revert to a default rebase setting.
rebase {delta-percent value | flashforward-percent value | history-size value |
modification-cooloff-period value | reset-period value}
no rebase {delta-percent value | flashforward-percent value | history-size value |
modification-cooloff-period value | reset-period value}
Syntax Description
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
delta-percent value Specifies the delta threshold at which rebasing is triggered. This
number represents the size of a page delta relative to the page total
size, expressed as a percentage. Valid values are from 0 to 10000
percent. The default threshold is 50 percent.
flashforward-percent value Specifies a rebase, based on the percent of FlashForwarded URLs in
the response. Rebasing is triggered when the difference between the
percentages of FlashForwarded URLs in the delta response and the
base file exceeds the threshold. Valid values are from 0 to 10000
percent. The default is 50 percent. The flashforward-percent
keyword provides a threshold control for rebasing based on the
percent of FlashForwarded URLs in the response. Where the
delta-percent keyword triggers rebasing when the delta response
size exceeds the threshold as a percentage of base file size; the
flashforward-percent keyword triggers rebasing when the
difference between the percentages of FlashForwarded URLs in the
delta response and the base file exceeds the threshold.
history-size value Controls how much history is stored before resetting. Once the
sample collection reaches the specified history size, the ACE resets
all rebase control parameters to zero and starts over. Using the
history-size keyword prevents the base file from becoming too rigid.
That is, if a base file has served approximately one million pages,
then it would take another half million unfavorable responses before
the base file can be rebased. Valid values are from 10 to 2147483647
pages. The default value for this parameter is 1000 pages.
modification-cooloff-period
value
Specifies the time, in seconds, after the last modification before
performing a rebase. Valid values are from 1 to 14400 seconds
(4 hours). The default is 14400 seconds.
reset-period value Specifies the period for performing a metadata refresh. Valid values
are from 1 to 900 seconds (15 minutes). The default is 900 seconds.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Rebasing refers to the process of updating the base file that is used for generating deltas between
subsequent content retrievals. Because the base content of a site often changes over a period of time, the
size of the generated deltas can grow relatively large. To maintain the effectiveness of the delta
optimization process, the base files are automatically updated as required.
Examples To specify a rebase, based on a percentage of 1000 FlashForwarded URLs in the response, enter:
host1/Admin(config-parammap-optmz)# rebase flashforward-percent 1000
To revert to a default rebase setting, enter:
host1/Admin(config-parammap-optmz)# no rebase flashforward-percent
Related Commands This command has no related commands.
(config-parammap-optmz) request-grouping-string
(ACE appliance only) To define a string to sort requests for AppScope reporting by the optional Cisco
AVS 3180A Management Station, use the request-grouping-string command. Use the no form of the
command to remove a request grouping string.
request-grouping-string string
no request-grouping-string string
Syntax Description
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
Usage Guidelines The string can contain a URL regular expression that defines a set of URLs in which URLs that differ
only by their query parameters are to be treated as separate URLs in AppScope reports.
Typically, in an AppScope report organized by URL, matching URLs that differ only in their query
parameters are treated as the same URL and are not listed on separate lines. Use the
request-grouping-string command to specify that all URL variations that are based on query
parameters are to be treated as separate URLs for reporting purposes. Each variation will appear on a
separate line in the report.
string URL regular expression that defines a set of URLs. The string can
contain the parameter expander functions listed in the
(config-parammap-optmz) cache key-modifier section.
ACE Appliance Release Modification
A1(7) This command was introduced.
For details about the Cisco AVS 3180A Management Station database, management, and reporting
features for the ACE optimization functionality, including AppScope reporting, see the Cisco 4700
Series Application Control Engine Appliance Application Acceleration and Optimization Configuration
Guide.
Examples To define a string that is used to make the URLs http://server/catalog.asp?region=asia and
http://server/catalog.asp?region=america into two separate reporting categories, enter:
host1/Admin(config-parammap-optmz)# request-grouping-string http_query_param(region)
To remove a request grouping string, enter:
host1/Admin(config-parammap-optmz)# no request-grouping-string
Related Commands (config-parammap-optmz) appscope optimize-rate-percent
(config-actlist-optm) appscope
(config-parammap-optmz) server-header
(ACE appliance only) To define a user-specified string to be sent in the server header for an HTTP
response, use the server-header command in parameter map optimization configuration mode. Use the
no form of the command to delete the server header string.
server-header string
no server-header string
Syntax Description
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
Usage Guidelines This command provides a method to uniquely tag the context or URL match statement by setting the
server header value to a particular string. The server header string can be used in cases where a particular
URL is not being transmitted to the correct target context or the match statement.
Examples To specify a string to be sent in the server header, enter:
host1/Admin(config-parammap-optmz)# server-header "Header from Admin Context"
string A particular string to be included in the server header. Enter a quoted
text string. A maximum of 64 alphanumeric characters are allowed.
ACE Appliance Release Modification
A1(7) This command was introduced.
To delete the server header string, enter:
host1/Admin(config-parammap-optmz)# no server-header
Related Commands This command has no related commands.
(config-parammap-optmz) server-load
(ACE appliance only) To control load-based expiration for the cache, use the server-load command. Use
the no form of the command to revert to a default setting of 20 percent.
server-load {trigger-percent value | ttl-change-percent value}
no server-load {trigger-percent value | ttl-change-percent value}
Syntax Description
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
Usage Guidelines Performance assurance with load-based expiration allows an object in the cache to expire (excluding the
natural process of cache pruning). The origin server’s load determines when the object expires.
This type of expiration allows you to dynamically increase the time to live (TTL) of cached responses if
the current response time (average computed over a short time window) from the origin servers is larger
than the average response time (average computed over a longer time window) by a threshold amount.
Similarly, the TTL is dynamically decreased if the reverse holds true. The starting value for the cache
TTL is the cache ttl min value (see the “(config-parammap-optmz) cache ttl” section) or 0 if you do not
specify a value. Moving average-based calculation allows the cache to respond to trends in usage
patterns, smoothing out uncharacteristic spikes.
trigger-percent value Defines the threshold that triggers a change in the cache TTL. This
keyword enables the ACE to monitor server load in real time and
make intelligent “closed loop” content expiration decisions so that
site performance is maximized and existing hardware resources are
used most efficiently, even during periods of peak traffic load. Valid
values are from 0 to 100 percent. The default is 20 percent.
ttl-change-percent value Defines the percentage by which the cache TTL is increased or
decreased in response to a change in the server load. For example, if
you set this value to 20 and the current TTL for a particular response
is 300 seconds, and if the current server response time exceeds the
trigger threshold, then the cache TTL for the response is raised to
360 seconds (20 percent increase). Valid values are from 0 to 100
percent. The default is 20 percent.
ACE Appliance Release Modification
A1(7) This command was introduced.
Examples To specify a threshold trigger of 50 percent, enter:
host1/Admin(config-parammap-optmz)# server-load trigger-percent 50
To revert to a default setting of 20 percent, enter:
host1/Admin(config-parammap-optmz)# no server-load trigger-percent
Related Commands (config-parammap-optmz) cache ttl
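The load-based expiration decision described above, modelled as an added example (not Cisco's code): short-window and long-window moving averages of origin response time drive trigger-percent and ttl-change-percent decisions, starting from the cache ttl min value. The window lengths, reading the trigger threshold as a percentage of the long-window average, and the optional clamp to a cache ttl max are assumptions of this model.

```python
from collections import deque


def adjust_ttl(current_ttl, short_avg_ms, long_avg_ms,
               trigger_percent=20.0, ttl_change_percent=20.0):
    """One load-based expiration decision, as the server-load command describes it.

    If the short-window average response time exceeds the long-window average
    by more than trigger_percent, the TTL is raised by ttl_change_percent; if
    it falls short by more than trigger_percent, the TTL is lowered by the same
    percentage; otherwise it is unchanged. Treating the threshold as a
    percentage of the long-window average is an assumption of this model.
    Returns the new TTL in whole seconds.
    """
    if long_avg_ms <= 0:
        return current_ttl                      # no baseline yet
    deviation = (short_avg_ms - long_avg_ms) / long_avg_ms * 100.0
    factor = ttl_change_percent / 100.0
    if deviation > trigger_percent:
        # Origin is slower than usual: serve from cache longer.
        return int(round(current_ttl * (1.0 + factor)))
    if deviation < -trigger_percent:
        # Origin has recovered: refresh sooner.
        return int(round(current_ttl * (1.0 - factor)))
    return current_ttl


class LoadBasedExpiration:
    """Tracks moving averages of origin response times and adjusts the cache TTL.

    The window sizes (5 and 20 samples) and the clamp to cache_ttl_max are
    assumptions; the ACE documents the start value (cache ttl min, or 0) and
    the two percentages but not the window lengths.
    """

    def __init__(self, cache_ttl_min=0, cache_ttl_max=None,
                 trigger_percent=20.0, ttl_change_percent=20.0,
                 short_window=5, long_window=20):
        # With cache ttl min unset the start value is 0, and percentage changes
        # leave a 0 TTL at 0, so a nonzero minimum is needed for load-based
        # expiration to have any effect.
        self.ttl = cache_ttl_min
        self.cache_ttl_max = cache_ttl_max
        self.trigger_percent = trigger_percent
        self.ttl_change_percent = ttl_change_percent
        self.short = deque(maxlen=short_window)
        self.long = deque(maxlen=long_window)

    def observe(self, response_ms):
        """Record one origin response time; return the TTL to use from now on."""
        self.short.append(response_ms)
        self.long.append(response_ms)
        if len(self.long) < self.long.maxlen:
            return self.ttl                     # long window not yet full: no decision
        short_avg = sum(self.short) / len(self.short)
        long_avg = sum(self.long) / len(self.long)
        new_ttl = adjust_ttl(self.ttl, short_avg, long_avg,
                             self.trigger_percent, self.ttl_change_percent)
        if self.cache_ttl_max is not None:
            new_ttl = min(new_ttl, self.cache_ttl_max)
        self.ttl = new_ttl
        return self.ttl


def simulate(samples_ms, **kwargs):
    """Run a sequence of response times through the model; return the TTL after each."""
    model = LoadBasedExpiration(**kwargs)
    return [model.observe(s) for s in samples_ms]


if __name__ == "__main__":
    # Constructed trace: 20 quiet samples at 100 ms, then the origin slows to 200 ms.
    trace = [100] * 20 + [200] * 5
    print(simulate(trace, cache_ttl_min=300))
```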
(config-parammap-optmz) utf8 threshold
(ACE appliance only) To determine how many UTF-8 characters on a page constitute a UTF-8 character
set page for purposes of UTF-8 detection, use the utf8 threshold command. Use the no form of the
command to disable the UTF-8 threshold.
utf8 threshold value
no utf8 threshold value
Syntax Description
Command Modes Parameter map optimization configuration mode
Admin and user contexts
Command History
Usage Guidelines This threshold adjusts the detection of multibyte UTF-8 character set pages.
Examples To specify a value of 1000 UTF-8 characters on a page, enter:
host1/Admin(config-parammap-optmz)# utf8 threshold 1000
To disable the UTF-8 threshold, enter:
host1/Admin(config-parammap-optmz)# no utf8 threshold
Related Commands This command has no related commands.
Parameter Map RTSP Configuration Mode Commands
Parameter map RTSP configuration mode commands allow you to specify a Real-Time Streaming
Protocol (RTSP-type) parameter map and define its settings. To create an RTSP-type parameter map and
access parameter map RTSP configuration mode, use the parameter-map type rtsp command. The
prompt changes to (config-parammap-rtsp). Use the no form of this command to remove an RTSP-type
parameter map from the configuration.
parameter-map type rtsp name
no parameter-map type rtsp name
value Number of UTF-8 characters on a page that constitute a UTF-8
character set page. Valid values are from 1 to 1,000,000 characters. The
default is 5 characters.
ACE Appliance Release Modification
A1(7) This command was introduced.
Syntax Description
Command Modes Configuration mode
Admin and user contexts
Command History
Usage Guidelines The commands in this mode require the connection feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
After you create and configure a parameter map, you must associate the parameter map with a policy
map to activate it. For details, see the (config-pmap-c) appl-parameter rtsp advanced-options
command in the “Policy Map Configuration Mode Commands” section.
Examples To create an RTSP-type parameter map called RTSP_MAP, enter:
host1/Admin(config)# parameter-map type rtsp RTSP_MAP
host1/Admin(config-parammap-rtsp)#
Related Commands (config) parameter-map type
(config-pmap-c) appl-parameter rtsp advanced-options
show parameter-map
name Name assigned to the parameter map. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
(config-parammap-rtsp) case-insensitive
To disable case-sensitive matching for RTSP, use the case-insensitive command. Use the no form of
this command to reset the ACE to its default of case-sensitive RTSP matching.
case-insensitive
no case-insensitive
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map RTSP configuration mode
Admin and user contexts
Command History
Usage Guidelines By default, the ACE CLI is case sensitive. With case-insensitive matching enabled, uppercase and
lowercase letters are considered the same.
When case sensitivity is disabled, it applies to the following:
• RTSP header names and values
• RTSP URL strings
• RTSP inspection (for details, see the Security Guide, Cisco ACE Application Control Engine)
Examples To enable case-insensitive matching, enter:
host1/Admin(config-parammap-rtsp)# case-insensitive
To reenable case-sensitive matching, enter:
host1/Admin(config-parammap-rtsp)# no case-insensitive
Related Commands show parameter-map
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
(config-parammap-rtsp) description
To add a description for the parameter map, use the description command. Use the no form of this
command to remove the description from the parameter map.
description text_string
no description
Syntax Description
Command Modes Parameter map RTSP configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the parameter map, enter:
host1/Admin(config)# parameter-map type rtsp RTSP_MAP
host1/Admin(config-parammap-rtsp)# description RTSP-TYPE PARAMETER MAP
To remove the description from the parameter map, enter:
host1/Admin(config-parammap-rtsp)# no description
Related Commands show parameter-map
text_string Description for the parameter map. Enter an unquoted text string with a maximum of
240 alphanumeric characters.
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A3(2.3) This command was introduced.
(config-parammap-rtsp) set header-maxparse-length
To set the maximum number of bytes to parse for RTSP headers, use the set header-maxparse-length
command. Use the no form of this command to reset the RTSP header maximum parse length to the
default of 2048 bytes.
set header-maxparse-length bytes
no set header-maxparse-length
Syntax Description
Command Modes Parameter map RTSP configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To set the RTSP header maximum parse length to 16,384 bytes, enter:
host1/Admin(config-parammap-rtsp)# set header-maxparse-length 16384
To reset the RTSP header maximum parse length to the default of 2048 bytes, enter:
host1/Admin(config-parammap-rtsp)# no set header-maxparse-length 8192
Related Commands show parameter-map
bytes Maximum number of bytes to parse for the total length of all RTSP
headers. Enter an integer from 1 to 65535. The default is 2048 bytes.
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Parameter Map SCCP Configuration Mode Commands
Parameter map Skinny Client Control Protocol (SCCP) configuration mode commands allow you to specify an SCCP-type parameter map and configure SCCP packet inspection on the ACE. To configure SCCP packet inspection, use the parameter-map type skinny command in configuration mode. The prompt changes to (config-parammap-skinny). Use the no form of this command to remove the parameter map from the configuration.
parameter-map type skinny name
no parameter-map type skinny name
Syntax Description
name Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 32 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines Note the following considerations when you configure SCCP inspection on the ACE:
• If the IP address of an internal Cisco CallManager (CCM) is configured for Network Address Translation (NAT) or Port Address Translation (PAT) to a different IP address or port, registrations for external IP phones fail because the ACE does not support NAT or PAT of the file content transferred over TFTP. Although the ACE supports NAT of TFTP messages and opens a secure port for the TFTP file, the ACE cannot translate the CCM IP address and port that are embedded in the IP phone configuration files. The configuration files are transferred using TFTP during phone registration.
• If a Skinny phone is in a low security zone and the TFTP server is in a high security zone, the ACE cannot translate the TFTP server IP address. In this case, the ACE opens the TFTP port (69) for Skinny phones.
Examples To create an SCCP-type parameter map called SCCP_PARAMMAP, enter:
host1/Admin(config)# parameter-map type skinny SCCP_PARAMMAP
host1/Admin(config-parammap-skinny)#
To remove the parameter map from the configuration, enter:
host1/Admin(config)# no parameter-map type skinny SCCP_PARAMMAP
Related Commands (config) parameter-map type
(config-pmap-c) appl-parameter skinny advanced-options
show parameter-map
(config-parammap-skinny) description
To add a description for the parameter map, use the description command. Use the no form of this command to remove the description from the parameter map.
description text_string
no description
Syntax Description
text_string Description for the action list. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Parameter map SCCP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A3(2.3) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the parameter map, enter:
host1/Admin(config)# parameter-map type skinny SCCP_PARAMMAP
host1/Admin(config-parammap-skinny)# description SCCP-TYPE PARAMETER MAP
To remove the description from the parameter map, enter:
host1/Admin(config-parammap-skinny)# no description
Related Commands show parameter-map
(config-parammap-skinny) enforce-registration
To enable registration enforcement, use the enforce-registration command. Use the no form of this command to disable registration enforcement.
enforce-registration
no enforce-registration
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map SCCP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You can configure the ACE to allow only registered Skinny clients to make calls. To accomplish this task, the ACE maintains the state of each Skinny client. After a client registers with CCM, the ACE opens a secure port (pinhole) to allow that client to make a call. By default, this feature is disabled.
Examples To enable registration enforcement for Skinny clients, enter:
host1/Admin(config-parammap-skinny)# enforce-registration
To disable registration enforcement, enter:
host1/Admin(config-parammap-skinny)# no enforce-registration
Related Commands (config-pmap-c) appl-parameter skinny advanced-options
(config-parammap-skinny) message-id max
(config-parammap-skinny) sccp-prefix-len
(config-parammap-skinny) message-id max
To set the maximum SCCP StationMessageID that the ACE allows, use the message-id max command. Use the no form of this command to reset the maximum message ID to the default of 0x181.
message-id max number
no message-id max number
Syntax Description
number Largest value for the station message ID in hexadecimal that the ACE accepts. Enter a hexadecimal value from 0 to 4000. If a packet arrives with a station message ID greater than the maximum configured value or greater than the default value, the ACE drops the packet and generates a syslog message.
Command Modes Parameter map SCCP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To set the maximum SCCP message ID to 0x3000, enter:
host1/Admin(config-parammap-skinny)# message-id max 3000
To reset the maximum message ID to the default of 0x181, enter:
host1/Admin(config-parammap-skinny)# no message-id max 3000
Related Commands (config-pmap-c) appl-parameter skinny advanced-options
(config-parammap-skinny) enforce-registration
(config-parammap-skinny) sccp-prefix-len
(config-parammap-skinny) sccp-prefix-len
To set the minimum and maximum SCCP prefix length, use the sccp-prefix-len command. Use the no form of this command to reset the minimum prefix length to the default behavior.
sccp-prefix-len {max number | min number}
no sccp-prefix-len {max number | min number}
Syntax Description
max number Enables the check of the maximum SCCP prefix length. Enter an integer from 4 to 4000 bytes. The default is 4 bytes.
min number Specifies the minimum SCCP prefix length. Enter an integer from 4 to 4000 bytes.
Command Modes Parameter map SCCP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines By default, the ACE drops SCCP messages that have an SCCP prefix length that is less than the message ID. You can configure the ACE to check for a specific minimum prefix length. You can also configure the ACE to check for a maximum prefix length, but this check is disabled by default. The ACE drops any Skinny message packets that fail these checks and generates a syslog message.
Examples To set the minimum SCCP prefix length, enter:
host1/Admin(config-parammap-skinny)# sccp-prefix-len min 4
To reset the minimum SCCP prefix length to the default behavior, enter:
host1/Admin(config-parammap-skinny)# no sccp-prefix-len min 4
Related Commands (config-pmap-c) appl-parameter skinny advanced-options
(config-parammap-skinny) enforce-registration
(config-parammap-skinny) message-id max
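The message-id max and sccp-prefix-len checks described in the two entries above, as an added Python example that is not part of this reference or of the ACE software. The Skinny header framing (little-endian data length, header version, StationMessageID) is assumed from the protocol rather than taken from this page; reading "prefix length less than the message ID" as "less than the 4-byte message ID field" is an interpretation; SccpParamMap and build_sccp are illustrative names and the packets are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example (not ACE code) of the SCCP checks this section describes:
# message-id max, sccp-prefix-len min and sccp-prefix-len max.
DEFAULT_MAX_MESSAGE_ID = 0x181  # page default for message-id max
DEFAULT_MIN_PREFIX_LEN = 4      # page default for sccp-prefix-len min
HEADER_LEN = 12                 # data length + header version + message ID


@dataclass
class SccpParamMap:
    max_message_id: int = DEFAULT_MAX_MESSAGE_ID
    min_prefix_len: int = DEFAULT_MIN_PREFIX_LEN
    max_prefix_len: Optional[int] = None  # None: max check disabled (page default)

    def inspect(self, packet: bytes) -> Tuple[str, str]:
        """Return ("pass", "") or ("drop", reason); reason is what the syslog would carry."""
        # Assumed Skinny framing: 4-byte little-endian data length (the "prefix length",
        # counting the message ID and payload), 4-byte header version, 4-byte
        # little-endian StationMessageID, then the message payload.
        if len(packet) < HEADER_LEN:
            return "drop", f"truncated header ({len(packet)} bytes)"
        prefix_len, _version, message_id = struct.unpack_from("<III", packet)
        if message_id > self.max_message_id:
            return "drop", f"message id 0x{message_id:x} exceeds max 0x{self.max_message_id:x}"
        if prefix_len < self.min_prefix_len:
            return "drop", f"prefix length {prefix_len} below min {self.min_prefix_len}"
        if self.max_prefix_len is not None and prefix_len > self.max_prefix_len:
            return "drop", f"prefix length {prefix_len} above max {self.max_prefix_len}"
        if prefix_len > len(packet) - 8:
            # Length claims more bytes than arrived: a parser trusting it would over-read.
            return "drop", f"prefix length {prefix_len} exceeds {len(packet) - 8} bytes present"
        return "pass", ""


def build_sccp(message_id: int, payload: bytes = b"", prefix_len: Optional[int] = None) -> bytes:
    """Constructed Skinny message; prefix_len overrides the length field to forge a bad one."""
    if prefix_len is None:
        prefix_len = 4 + len(payload)
    return struct.pack("<III", prefix_len, 0, message_id) + payload
```

With the defaults, a KeepAlive (message ID 0, prefix length 4) passes, a message ID above 0x181 is dropped, and a forged prefix length below 4 or beyond the bytes actually received is dropped; setting max_prefix_len enables the otherwise-disabled maximum check.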
Parameter Map SIP Configuration Mode Commands
Parameter map Session Initiation Protocol (SIP) configuration mode commands allow you to specify a SIP-type parameter map and configure a SIP deep packet inspection policy map. To configure SIP deep packet inspection, use the parameter-map type sip command in configuration mode. The prompt changes to (config-parammap-sip). Use the no form of this command to remove the parameter map from the configuration.
parameter-map type sip name
no parameter-map type sip name
Syntax Description
name Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 32 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines Note the following considerations when you configure SIP inspection on the ACE:
• If the IP address in the owner field (o=) is different from the IP address in the connection field (c=) of the Session Description Protocol (SDP) portion of a SIP packet, the ACE may not translate the IP address properly. This improper IP address translation is caused by a limitation of the SIP protocol, which does not provide a port value in the owner field (o=).
• If a remote endpoint attempts to register with a SIP proxy server on a network protected by the ACE, the registration fails under the following conditions:
– PAT is configured on the remote endpoint
– The SIP registration server is on the outside network
– The port value is missing in the contact field of the REGISTER message that the endpoint sends to the proxy server
Examples To create a SIP-type parameter map called SIP_PARAMMAP, enter:
host1/Admin(config)# parameter-map type sip SIP_PARAMMAP
host1/Admin(config-parammap-sip)#
To remove the parameter map from the configuration, enter:
host1/Admin(config)# no parameter-map type sip SIP_PARAMMAP
Related Commands (config) parameter-map type
(config-pmap-c) appl-parameter sip advanced-options
show parameter-map
(config-parammap-sip) description
To add a description for the parameter map, use the description command. Use the no form of this command to remove the description from the parameter map.
description text_string
no description
Syntax Description
text_string Description for the action list. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Parameter map SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A3(2.3) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the parameter map, enter:
host1/Admin(config)# parameter-map type sip SIP_PARAMMAP
host1/Admin(config-parammap-sip)# description SIP-TYPE PARAMETER MAP
To remove the description from the parameter map, enter:
host1/Admin(config-parammap-sip)# no description
Related Commands show parameter-map
(config-parammap-sip) im
To enable instant messaging (IM) over SIP, use the im command. Use the no form of this command to disable instant messaging.
im
no im
Syntax Description This command has no keywords or arguments.
Command Modes Parameter map SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines Disabling IM results in the ACE dropping all messages belonging to the IM.
Examples To enable instant messaging over SIP, enter:
host1/Admin(config-parammap-sip)# im
To disable instant messaging, enter:
host1/Admin(config-parammap-sip)# no im
Related Commands (config-parammap-sip) max-forward-validation
(config-parammap-sip) software-version
(config-parammap-sip) strict-header-validation
(config-parammap-sip) uri-non-sip
(config-parammap-sip) max-forward-validation
To instruct the ACE to validate the value of the Max-Forwards header field, use the max-forward-validation command. Use the no form of this command to disable maximum forward field validation.
max-forward-validation {log} | {{drop | reset} [log]}
no max-forward-validation {log} | {{drop | reset} [log]}
Syntax Description
log Specifies that the ACE log a max forward validation event.
drop Specifies that the ACE drop the SIP message.
reset Specifies that the ACE reset the SIP connection.
Command Modes Parameter map SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The Max-Forwards header field limits the number of hops that a SIP request can take on the way to its destination. This header field contains an integer that is decremented by one at each hop. If the Max-Forwards value reaches zero before the request reaches its destination, the request is rejected with a 483 Too Many Hops error response. You can instruct the ACE to validate the Max-Forwards header field value and to take appropriate action if the validation fails.
Examples To enable Max-Forwards header field validation, enter:
host1/Admin(config-parammap-sip)# max-forward-validation drop log
To disable maximum forward field validation, enter:
host1/Admin(config-parammap-sip)# no max-forward-validation
Related Commands (config-parammap-sip) im
(config-parammap-sip) software-version
(config-parammap-sip) strict-header-validation
(config-parammap-sip) uri-non-sip
(config-parammap-sip) software-version
To enable user agent (UA) software version options, use the software-version command. Use the no form of this command to reset the software version to the default behavior.
software-version {log} | {mask [log]}
no software-version {log} | {mask [log]}
Syntax Description
log Specifies that the ACE log the UA software version.
mask Specifies that the ACE mask the UA software version.
Command Modes Parameter map SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If the software version of a user agent (UA) is exposed, the UA may be more vulnerable to attacks from hackers who exploit the security holes present in that particular version of the software. To protect the UA from such attacks, the ACE allows you to log or mask the UA software version.
Examples To configure the ACE to mask the UA software version, enter:
host1/Admin(config-parammap-sip)# software-version mask
To return the ACE behavior to the default of not masking the UA software version, enter:
host1/Admin(config-parammap-sip)# no software-version mask
Related Commands (config-parammap-sip) im
(config-parammap-sip) max-forward-validation
(config-parammap-sip) strict-header-validation
(config-parammap-sip) uri-non-sip
(config-parammap-sip) strict-header-validation
To enable strict header validation and the action that you want the ACE to perform if a SIP header does not meet the validation requirements, use the strict-header-validation command. Use the no form of this command to disable strict header validation.
strict-header-validation {log} | {{drop | reset} [log]}
no strict-header-validation {log} | {{drop | reset} [log]}
Syntax Description
drop Specifies that the ACE drop the SIP message.
reset Specifies that the ACE reset the connection.
log Specifies that the ACE log the header validation event.
Command Modes Parameter map SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You can ensure the validity of SIP packet headers by configuring the ACE to check for the presence of the following mandatory SIP header fields:
• From
• To
• Call-ID
• CSeq
• Via
• Max-Forwards
If one of these header fields is missing in a SIP packet, the ACE considers that packet invalid. The ACE also checks for forbidden header fields, according to RFC 3261.
Use care if you plan to enable the drop option to ensure the validity of SIP packet headers. The drop option results in dropping requests that do not include the mandatory headers of that request. In some cases, the use of the drop option can lead to problems with some phones that do not include the mandatory headers in the request. For example, when a call is made and then cancelled, the phone receives a 487 Request Terminated cancel status request and transmits an ACK. However, for the Cisco IP Phone 7960, the transmitted ACK does not contain the MAX-FORWARDS header, which is a mandatory header for ACK. The ACE will then drop this packet, which can result in operational issues with the phone.
Examples To enable strict header validation, instruct the ACE to drop the connection if the packet header does not meet the header validation requirements, and log the event, enter:
host1/Admin(config-parammap-sip)# strict-header-validation drop log
To disable strict header validation, enter:
host1/Admin(config-parammap-sip)# no strict-header-validation drop log
Related Commands (config-parammap-sip) im
(config-parammap-sip) max-forward-validation
(config-parammap-sip) software-version
(config-parammap-sip) uri-non-sip
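The strict-header-validation, max-forward-validation and software-version checks described in the entries above, as an added Python example that is not part of this reference or of the ACE software. The six mandatory header names and the Cisco IP Phone 7960 ACK case come from the page; what exactly fails Max-Forwards validation, how responses are treated, the log/drop/reset precedence, and the SipParamMap and inspect_sip names are assumptions of this example, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example (not ACE code) of the SIP parameter-map checks on this page:
# strict-header-validation, max-forward-validation and software-version.
MANDATORY = ("from", "to", "call-id", "cseq", "via", "max-forwards")
COMPACT = {"f": "from", "t": "to", "i": "call-id", "v": "via"}  # RFC 3261 compact names


def parse_sip(raw: str) -> Tuple[str, Dict[str, List[str]], str, str]:
    """Return (start line, lower-cased header map, raw header block, rest of message)."""
    head, sep, rest = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            continue  # not a header line: strict validation treats the header as absent
        key = name.strip().lower()
        headers.setdefault(COMPACT.get(key, key), []).append(value.strip())
    return lines[0], headers, head, sep + rest


@dataclass
class SipParamMap:
    # action is None (check disabled), "log", "drop" or "reset"; the *_log flags
    # mirror the optional trailing "log" keyword of the drop/reset forms.
    strict_header_action: Optional[str] = None
    strict_header_log: bool = False
    max_forward_action: Optional[str] = None
    max_forward_log: bool = False
    software_version_mask: bool = False
    software_version_log: bool = False


def _record(action: Optional[str], log: bool, verdicts: List[str], logs: List[str], event: str) -> None:
    if action == "log" or log:
        logs.append(event)
    if action in ("drop", "reset"):
        verdicts.append(action)


def inspect_sip(pm: SipParamMap, raw: str) -> Tuple[str, List[str], str]:
    """Return (verdict, syslog-style events, message to forward); verdict is pass, drop or reset."""
    start, headers, head, tail = parse_sip(raw)
    is_request = not start.startswith("SIP/2.0")
    verdicts: List[str] = []
    logs: List[str] = []

    if pm.strict_header_action:
        # Max-Forwards is a request-only header in RFC 3261, so responses are checked
        # for the other five mandatory fields only (assumption about ACE behaviour).
        required = MANDATORY if is_request else MANDATORY[:-1]
        missing = [h for h in required if h not in headers]
        if missing:
            _record(pm.strict_header_action, pm.strict_header_log, verdicts, logs,
                    f"strict-header-validation: '{start}' missing {','.join(missing)}")

    if pm.max_forward_action and is_request and "max-forwards" in headers:
        # Assumption: a non-numeric value, or 0 (which the next hop would reject
        # with 483 Too Many Hops), fails validation.
        value = headers["max-forwards"][0]
        if not value.isdigit() or int(value) == 0:
            _record(pm.max_forward_action, pm.max_forward_log, verdicts, logs,
                    f"max-forward-validation: '{start}' Max-Forwards={value!r}")

    # User-Agent (requests) and Server (responses) carry the UA software version.
    ua = "user-agent" if is_request else "server"
    if ua in headers:
        if pm.software_version_log:
            logs.append(f"software-version: {ua}={headers[ua][0]}")
        if pm.software_version_mask:
            head = re.sub(rf"(?im)^({ua}):[^\r\n]*", r"\1: masked", head)

    verdict = "reset" if "reset" in verdicts else "drop" if verdicts else "pass"
    return verdict, logs, head + tail


# Constructed sample traffic: a complete INVITE, and the Cisco IP Phone 7960 case
# from the page, an ACK that carries no Max-Forwards header.
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
          "Max-Forwards: 70\r\nFrom: <sip:alice@example.com>;tag=1928\r\n"
          "To: <sip:bob@example.com>\r\nCall-ID: a84b4c76e66710@192.0.2.10\r\n"
          "CSeq: 1 INVITE\r\nUser-Agent: ExamplePhone/1.2.3\r\nContent-Length: 0\r\n\r\n")
ACK_7960 = ("ACK sip:bob@example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
            "From: <sip:alice@example.com>;tag=1928\r\nTo: <sip:bob@example.com>;tag=4a1\r\n"
            "Call-ID: a84b4c76e66710@192.0.2.10\r\nCSeq: 1 ACK\r\n\r\n")
```

With strict-header-validation set to drop, the ACK_7960 message is dropped and logged because Max-Forwards is absent, which is the operational problem the usage guidelines warn about; with the action set to log only, the same message passes and produces one event. The software-version mask rewrites only the header block, so the SDP body is forwarded untouched.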
(config-parammap-sip) timeout
To prevent a hacker from exploiting the media port that the ACE opens for a SIP session, set a timeout for SIP media by using the timeout command in parameter map SIP configuration mode. Use the no form of this command to return the streaming media port timeout value to the default of 5 seconds.
timeout sip-media number
no timeout sip-media number
Syntax Description
number The timeout in seconds for the media port. Enter an integer from 1 to 65535 seconds. The default is 5 seconds. Be sure to provide a timeout value that is large enough for streaming media applications to complete.
Command Modes Parameter map SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To specify a secure streaming media port timeout value of 1 hour, enter:
host1/Admin(config)# parameter-map type sip SIP_PARAMMAP
host1/Admin(config-parammap-sip)# timeout sip-media 3600
To return the streaming media port timeout value to the default of 5 seconds, enter:
host1/Admin(config-parammap-sip)# no timeout sip-media 3600
Related Commands (config-parammap-sip) im
(config-parammap-sip) max-forward-validation
(config-parammap-sip) software-version
(config-parammap-sip) uri-non-sip
(config-parammap-sip) uri-non-sip
To enable the detection of non-SIP URIs in SIP messages, use the uri-non-sip command. Use the no form of this command to disable the detection of non-SIP URIs.
uri-non-sip {log} | {mask [log]}
no uri-non-sip {log} | {mask [log]}
Syntax Description
log Specifies that the ACE log the non-SIP URI.
mask Specifies that the ACE mask the non-SIP URI.
Command Modes Parameter map SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To enable the detection of non-SIP URIs in SIP messages and log the event, enter:
host1/Admin(config-parammap-sip)# uri-non-sip log
To disable the detection of non-SIP URIs in SIP messages, enter:
host1/Admin(config-parammap-sip)# no uri-non-sip log
Related Commands (config-parammap-sip) im
(config-parammap-sip) max-forward-validation
(config-parammap-sip) software-version
(config-parammap-sip) strict-header-validation
Parameter Map SSL Configuration Mode Commands
Parameter map Secure Sockets Layer (SSL) configuration mode commands allow you to specify an SSL-type parameter map and configure SSL settings for the map. To create an SSL-type parameter map and access parameter map SSL configuration mode, use the parameter-map type ssl command in configuration mode. The prompt changes to (config-parammap-ssl). Use the no form of this command to remove the parameter map from the configuration.
parameter-map type ssl name
no parameter-map type ssl name
Syntax Description
name Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the connection or SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
After you create and configure an SSL parameter map, you must associate the parameter map with a policy map to activate it. For details, see the (config-ssl-proxy) ssl advanced-options command in the “SSL Proxy Configuration Mode Commands” section.
Examples To create an SSL-type parameter map called SSL_MAP, enter:
host1/Admin(config)# parameter-map type ssl SSL_MAP
host1/Admin(config-parammap-ssl)#
Related Commands (config) parameter-map type
(config-ssl-proxy) ssl advanced-options
show parameter-map
(config-parammap-ssl) authentication-failure
To configure the ACE to continue an SSL handshake when certificate failure occurs, use the authentication-failure command. This command applies when client or server authentication is enabled. Use the no form of this command to reset the default behavior of terminating an SSL handshake when a certificate failure occurs.
authentication-failure {ignore | redirect reason {serverfarm serverfarm_name | url URL_string {301|302}}}
no authentication-failure
Syntax Description
ignore Ignores any client or server certificate failure during the SSL handshake in an SSL termination or initiation configuration, respectively.
redirect reason (SSL termination only) Performs a redirect to the specified redirect server farm or URL when the ACE encounters a client certificate failure. When you configure this keyword, after the handshake is completed, the redirect occurs to the redirect server farm or the URL. If multiple failures cause a redirect, the ACE performs a redirect on the first failure that it encounters. If that failure is corrected, the ACE performs a redirect on the next failure that it encounters.
For the reason argument, enter one of the following to associate the client certificate failure with a redirect:
• cert-not-yet-valid—Associates a certificate that is not yet valid failure with the redirect.
• cert-expired—Associates an expired certificate failure with a redirect.
• unknown-issuer—Associates an unknown issuer certificate failure with a redirect.
• cert-revoked—Associates a revoked certificate failure with a redirect.
• no-client-cert—Associates no client certificate failure with a redirect.
• crl-not-available—Associates a CRL that is not available failure with a redirect.
• crl-has-expired—Associates an expired CRL failure with a redirect.
• cert-signature-failure—Associates a certificate signature failure with a redirect.
• cert-other-error—Associates all other certificate failures with a redirect.
• any—Associates any of the certificate failures with the redirect.
serverfarm serverfarm_name Specifies the name of a configured server farm for the redirect as follows:
• ACE software version A4(1.0) or later—Enter the name of a configured host or redirect server farm.
• All earlier ACE software versions—Enter the name of a configured redirect server farm only.
url URL_string Specifies the static URL path for the redirect. Enter a string with a maximum of 255 characters and no spaces.
301|302 Specifies the redirect code that is sent back to the client. Enter one of the following:
• 301, the status code for a resource permanently moving to a new location.
• 302, the status code for a resource temporarily moving to a new location.
Command Modes SSL parameter map configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.1) This command was introduced.
A2(3.0) Added the redirect keyword.
ACE Appliance Release Modification
A1(8) This command was introduced.
A4(1.0) Added the ignore keyword for client authentication and the redirect keyword.
Usage Guidelines By default, when the ACE encounters one of the following certificate failures during the setup of the front-end connection in an SSL termination configuration or back-end connection in an SSL initiation configuration when authentication is enabled, it terminates the SSL handshake:
• Certificate is not yet valid
• Certificate has expired
• Unable to get issuer certificate
• Certificate is revoked
• No client certificate is sent
• Certificate signature failure
• CRL is not available during the revocation check
• CRL is expired during revocation check
• All other certificate errors
For client certificate failures, you can configure the ACE to either ignore these failures or perform a redirect to a server farm or URL.
For server certificate failures, you can only configure the ACE to ignore these failures.
Examples For example, to ignore all certificate failures during the SSL handshake, enter:
host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# authentication-failure ignore
To perform a redirect to the INVALID-CERT server farm when a cert-not-yet-valid failure occurs with a client certificate, enter:
host1/Admin(config-parammap-ssl)# authentication-failure redirect cert-not-yet-valid serverfarm INVALID-CERT
To perform a redirect to a static URL with a 302 status code when an unknown-issuer failure occurs with a client certificate, enter:
host1/Admin(config-parammap-ssl)# authentication-failure redirect unknown-issuer url https://www.example.com/NewCertRequest.html 302
To reset the default behavior of terminating an SSL handshake when a certificate failure occurs, use the no form of the command:
host1/Admin(config-parammap-ssl)# no authentication-failure redirect unknown-issuer
Related Commands (config-ssl-proxy) authgroup
(config-parammap-ssl) cdp-errors ignore
When the crl best-effort command is configured, to configure the ACE to allow the SSL connection if CRL distribution point (CDP) errors occur in the presented certificates or errors occur during a CRL download, use the cdp-errors ignore command. Use the no form of this command to reset the default behavior where the ACE rejects an SSL connection when CDP or CRL-download errors occur.
cdp-errors ignore
no cdp-errors ignore
Syntax Description This command has no keywords or arguments.
Command Modes SSL parameter map configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(2.1) This command was introduced.
ACE Appliance Release Modification
A4(1.0) This command was introduced.
Usage Guidelines By default, when you configure the crl best-effort command for client or server certificate revocation checks, if the ACE detects CRL distribution point (CDP) errors in the presented certificates or errors occur during a CRL download, the ACE rejects the SSL connection.
The cdp-errors ignore command allows you to configure the ACE to ignore CDP errors when the crl best-effort command is configured. When you configure the cdp-errors ignore command, the ACE allows SSL connections when it detects CDP errors in the presented certificates or it could not download a valid certificate revocation list (CRL) from valid CDPs on the certificates.
Examples For example, to configure the ACE to ignore CDP or CRL-download errors, enter:
host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# cdp-errors ignore
To reset the default behavior where the ACE rejects an SSL connection when CDP or CRL-download errors occur, enter:
host1/Admin(config-parammap-ssl)# no cdp-errors ignore
Related Commands show crypto
(config-ssl-proxy) crl
(config-parammap-ssl) cipher
To define each of the cipher suites that you want the ACE to support during a secure session, use the cipher command. Use the no form of this command to delete a cipher suite from the SSL parameter map.
cipher cipher_name [priority cipher_priority]
no cipher cipher_name
Syntax Description
cipher_name Name of the cipher suite. Enter one of the supported cipher suites listed in Table 1-19 in the “Usage Guidelines” section. The default setting is all.
priority (Optional) Assigns a priority level to the cipher suite. The priority level represents the preference-for-use ranking of the cipher suite, with 10 being the most preferred and 1 being the least preferred. By default, all configured cipher suites have a priority level of 1.
cipher_priority Priority level of the cipher suite. Enter a value from 1 to 10. The default priority value is 1.
Command Modes SSL parameter map configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Table 1-19 lists the available cipher suites that the ACE supports and indicates which of the supported cipher suites are exportable from the ACE. Table 1-19 also lists the authentication certificate and encryption key required by each cipher suite.
Table 1-19 Supported Cipher Suites
Cipher Suite                      Exportable  Authentication Certificate Used  Key Exchange Algorithm Used
RSA_WITH_RC4_128_MD5              No          RSA certificate                  RSA key exchange
RSA_WITH_RC4_128_SHA              No          RSA certificate                  RSA key exchange
RSA_WITH_DES_CBC_SHA              No          RSA certificate                  RSA key exchange
RSA_WITH_3DES_EDE_CBC_SHA         No          RSA certificate                  RSA key exchange
RSA_EXPORT_WITH_RC4_40_MD5        Yes         RSA certificate                  RSA key exchange
RSA_EXPORT_WITH_DES40_CBC_SHA     Yes         RSA certificate                  RSA key exchange
RSA_EXPORT1024_WITH_RC4_56_MD5    Yes         RSA certificate                  RSA key exchange
RSA_EXPORT1024_WITH_DES_CBC_SHA   Yes         RSA certificate                  RSA key exchange
RSA_EXPORT1024_WITH_RC4_56_SHA    Yes         RSA certificate                  RSA key exchange
RSA_WITH_AES_128_CBC_SHA          No          RSA certificate                  RSA key exchange
RSA_WITH_AES_256_CBC_SHA          No          RSA certificate                  RSA key exchange
Repeat the cipher command for each cipher suite that you want to include in the SSL parameter map.
The ACE chooses a cipher suite with the highest priority level from the client list. For SSL termination applications, the ACE uses the priority level to match cipher suites in the client’s ClientHello handshake message. For SSL initiation applications, the priority level represents the order in which the ACE places the cipher suites in its ClientHello handshake message to the server.
The default “all cipher suites” setting works only when you do not configure the SSL parameter map with any specific ciphers. To return to using the “all cipher suites” setting, you must delete each of the specifically defined ciphers from the parameter map using the no form of the command.
Examples To add the cipher suite RSA_WITH_AES_128_CBC_SHA and assign it a priority level of 2, enter:
host1/Admin(config-parammap-ssl)# cipher RSA_WITH_AES_128_CBC_SHA priority 2
To delete the cipher suite RSA_WITH_AES_128_CBC_SHA from the SSL parameter map, enter:
host1/Admin(config-parammap-ssl)# no cipher RSA_WITH_AES_128_CBC_SHA
Related Commands (config-parammap-ssl) queue-delay timeout
(config-parammap-ssl) session-cache timeout
(config-parammap-ssl) version
show parameter-map
(config-parammap-ssl) close-protocol
To configure how the ACE handles the sending of close-notify messages, use the close-protocol
command. By default, the ACE sends a close-notify alert message to its peer when closing a session but
has no expectation of receiving one back from the peer. Use the no form of this command to reset the
default behavior.
close-protocol {disabled | none}
no close-protocol
Syntax Description
disabled Configures the ACE not to send a close-notify alert message to its
peer when closing a session with no expectation of receiving one
back from the peer.
none Configures the ACE to send a close-notify alert message to its peer
when closing a session, but the ACE has no expectation of receiving
one back from the peer.
Command Modes SSL parameter map configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
A2(1.0) This command was introduced.
ACE Appliance
Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To set close-protocol to disabled, enter:
host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# close-protocol disabled
To configure the close-protocol command with the default setting of none, enter:
host1/Admin(config-parammap-ssl)# no close-protocol
Related Commands show parameter-map
(config-parammap-ssl) description
To add a description for the parameter map, use the description command. Use the no form of this
command to remove the description from the parameter map.
description text_string
no description
Syntax Description
text_string Description for the parameter map. Enter an unquoted text string with a maximum of
240 alphanumeric characters.
Command Modes Parameter map SSL configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
A4(1.0) This command was introduced.
ACE Appliance
Release Modification
A3(2.3) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description for the parameter map, enter:
host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP
host1/Admin(config-parammap-ssl)# description SSL-TYPE PARAMETER MAP
To remove the description from the parameter map, enter:
host1/Admin(config-parammap-ssl)# no description
Related Commands show parameter-map
(config-parammap-ssl) expired-crl reject
To configure the ACE to reject a client or server certificate when the CRL in use has expired, use the
expired-crl reject command. For the ACE module, you can also configure the ACE to reject a server
certificate. Use the no form of this command to reset the default behavior of the ACE accepting a client
certificate after the CRL in use has expired.
expired-crl reject
no expired-crl reject
Syntax Description This command has no keywords or arguments.
Command Modes SSL parameter map configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
A2(1.0) This command was introduced.
ACE Appliance
Release Modification
A3(1.0) This command was introduced.
Usage Guidelines When you configure certificate revocation lists (CRLs) on the ACE, the CRLs contain an update field
that specifies the date when a new version will be available. By default, the ACE does not continue to
use CRLs that contain an update field with an expired date and, thus, does not reject incoming
certificates using the CRL.
Examples To configure the ACE to reject a client certificate when the CRL in use has expired, enter:
host1/Admin(config-parammap-ssl)# expired-crl reject
To reset the default behavior of the ACE accepting a client certificate after the CRL in use has expired,
enter:
host1/Admin(config-parammap-ssl)# no expired-crl reject
Related Commands show parameter-map
(config-ssl-proxy) crl
(config-parammap-ssl) purpose-check disabled
To disable the ACE from performing purpose checking during the authentication of the client or server
certificates, use the purpose-check disabled command. By default, during client authentication of a
chain of certificates, the ACE performs a purpose check on the basicConstraints field for the following:
• The client or server certificate has a CA FALSE setting.
• The intermediate certificates have the CA TRUE setting.
If the field does not have these settings, the certificate fails authentication. Use the no form of this
command to reset the default behavior.
purpose-check disabled
no purpose-check disabled
Syntax Description This command has no keywords or arguments.
Command Modes SSL parameter map configuration mode
Admin and user contexts
Command History
ACE Module/Appliance
Release Modification
A4(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To disable purpose checking on the certificates, enter:
host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# purpose-check disabled
To reenable the default behavior, enter:
host1/Admin(config-parammap-ssl)# no purpose-check disabled
Related Commands show parameter-map
(config-parammap-ssl) queue-delay timeout
To set the delay time, use the queue-delay timeout command. The queue delay time is the amount of
time that the ACE waits before emptying the queued data for encryption. Use the no form of this
command to disable the queue delay time by resetting it to its default value of 0. By default, the queue
delay timer is disabled.
queue-delay timeout milliseconds
no queue-delay
Syntax Description
milliseconds Delay time in milliseconds before the data is emptied from the queue.
Enter an integer from 0 to 10000. A value of 0 disables the delay
timer, causing the ACE to encrypt data from the server as it arrives
and then send the encrypted data to the client.
Command Modes SSL parameter map configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
A2(1.0) This command was introduced.
ACE Appliance
Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The queue delay applies only to data that the ACE sends to the client.
Examples To set the queue delay time to 500 milliseconds, enter:
host1/Admin(config-parammap-ssl)# queue-delay timeout 500
To disable the queue delay time by resetting it to its default value of 0, enter:
host1/Admin(config-parammap-ssl)# no queue-delay
Related Commands show parameter-map
(config-parammap-ssl) rehandshake enabled
To enable the SSL session rehandshake function, use the rehandshake enabled command in the
parameter map SSL configuration mode. By default, SSL session rehandshake is disabled. Use the no
form of this command to reset the default behavior.
rehandshake enabled
no rehandshake enabled
Syntax Description This command has no keywords or arguments.
Command Modes SSL parameter-map configuration mode
Command History
ACE Module
Release Modification
A2(2.3) This command was introduced.
ACE Appliance
Release Modification
A3(2.5) This command was introduced.
Usage Guidelines The crypto rehandshake enabled configuration mode command, which enables SSL rehandshake in all
contexts, overrides the rehandshake enabled parameter map command.
Examples To enable the SSL rehandshake function, enter:
host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# rehandshake enabled
To disable the rehandshake function, enter:
host1/Admin(config-parammap-ssl)# no rehandshake enabled
Related Commands show parameter-map
(config) crypto rehandshake enabled
(config-parammap-ssl) session-cache timeout
To set the session cache timeout, use the session-cache timeout command. Use the no form of this
command to disable the timer and ensure that the full SSL handshake occurs for each new connection
with the ACE.
session-cache timeout seconds
no session-cache timeout
Syntax Description
seconds Time in seconds that the ACE reuses the key stored in the cache
before removing the session IDs. Enter an integer from 0 to 72000
(20 hours). By default, session ID reuse is disabled. A value of 0
causes the ACE to remove the session IDs from the cache when the
cache is full and to implement the least-recently-used (LRU) timeout
policy.
Command Modes SSL parameter map configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
A2(1.0) This command was introduced.
ACE Appliance
Release Modification
A3(1.0) This command was introduced.
Usage Guidelines An SSL session ID is created every time the client and the ACE perform a full SSL key exchange and
establish a new master secret key. To speed up the SSL negotiation process between the client and the
ACE, the SSL session ID reuse feature allows the ACE to reuse the secret key information in the session
cache. On subsequent connections with the client, the ACE reuses the key stored in the cache from the
last negotiated session.
You can enable session ID reuse by setting a session cache timeout value for the total amount of time
that the SSL session ID remains valid before the ACE requires a full SSL handshake to establish a new
session.
Examples To set the session cache timeout to 600 seconds, enter:
host1/Admin(config-parammap-ssl)# session-cache timeout 600
To disable the timer and ensure that the full SSL handshake occurs for each new connection with the
ACE, enter:
host1/Admin(config-parammap-ssl)# no session-cache timeout
Related Commands show parameter-map
(config-parammap-ssl) version
To specify the versions of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) that the ACE
supports when it uses the SSL proxy parameter map during the handshake process, use the version
command. Use the no form of the command to remove a version from the SSL proxy parameter map.
version {all | ssl3 | tls1}
no version
Syntax Description
all Specifies that the ACE supports both SSL (version SSL3) and TLS
(version TLS1). This is the default setting.
ssl3 Specifies that the ACE supports only SSL version SSL3.
tls1 Specifies that the ACE supports only TLS version TLS1.
Command Modes SSL parameter map configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance
Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To specify the version SSL3, enter:
host1/Admin(config-parammap-ssl)# version ssl3
To remove the version TLS1 from the SSL proxy parameter map, enter:
host1/Admin(config-parammap-ssl)# no version
Related Commands (config-parammap-ssl) cipher
(config-parammap-ssl) queue-delay timeout
(config-parammap-ssl) session-cache timeout
show parameter-map
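The SSL parameter map commands documented above (cipher with its priority levels, version, session-cache timeout, expired-crl reject and description) are normally combined into one map. The following session is an added example and is not part of the Cisco ACE Command Reference; the map name SSL_PARAMMAP_STRICT, the description text and the 3600-second timeout are values chosen for illustration, and lines starting with ! are annotations rather than commands to type. The map lists only the non-exportable AES and 3DES suites from Table 1-19, ranked by priority, and restricts the handshake to TLS1. Because the default all setting also admits the 40-bit and 56-bit export suites and SSL3, configuring explicit suites and a version is how an operator keeps those out of the negotiation.

```cisco
! Added example, not from the Cisco ACE Command Reference. Names and values are placeholders.
host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_STRICT
host1/Admin(config-parammap-ssl)# description Termination map TLS1 only AES and 3DES suites
! The first cipher command replaces the default all cipher suites setting, so every suite
! not listed here (including the Exportable = Yes rows of Table 1-19) is excluded.
! Priority 10 is the most preferred and 1 the least; 1 is also the default for a configured suite.
host1/Admin(config-parammap-ssl)# cipher RSA_WITH_AES_256_CBC_SHA priority 10
host1/Admin(config-parammap-ssl)# cipher RSA_WITH_AES_128_CBC_SHA priority 9
host1/Admin(config-parammap-ssl)# cipher RSA_WITH_3DES_EDE_CBC_SHA priority 2
! Accept TLS1 handshakes only (the default all also accepts SSL3).
host1/Admin(config-parammap-ssl)# version tls1
! Reuse session IDs for one hour (3600 seconds, within the 0 to 72000 range); after that the
! ACE requires a full handshake and a new master secret.
host1/Admin(config-parammap-ssl)# session-cache timeout 3600
! Reject certificates whose CRL has passed its update date instead of accepting them (the default).
host1/Admin(config-parammap-ssl)# expired-crl reject
host1/Admin(config-parammap-ssl)# exit
host1/Admin(config)# exit
! Review the resulting map.
host1/Admin# show parameter-map
```

For SSL termination, the ACE picks the configured suite with the highest priority among those the client offers in its ClientHello, so giving AES-256 priority 10 states the operator's preference without refusing a client that offers only AES-128 or 3DES. To return to the default all setting later, each cipher has to be removed individually with no cipher, as the cipher command's usage guidelines state.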
Policy Map Configuration Mode Commands
Policy map configuration mode commands allow you to configure a Layer 3 and Layer 4 policy map that
defines the different actions applied to traffic that passes through the ACE. The ACE attempts to match
multiple classes within the Layer 3 and Layer 4 policy map to allow a multifeature Layer 3 and Layer 4
policy map. The ACE executes the action for only one matching class within each of the class sets. The
definition of which classes are in the same class set depends on the actions applied to the classes; the
ACE associates each policy map action with a specific set of classes.
To create a Layer 3 and Layer 4 policy map and access policy map configuration mode, use the
policy-map multi-match command in configuration mode. When you access the policy map
configuration mode, the prompt changes to (config-pmap). Use the no form of this command to remove
a Layer 3 and Layer 4 policy map from the ACE.
For a Layer 3 and Layer 4 traffic classification, you create Layer 3 and Layer 4 policy maps with actions
that configure the following:
• Server load balancing based on Layer 3 and Layer 4 connection information (virtual IP address)
• (ACE appliance only) Application acceleration and optimization
• Secure Sockets Layer (SSL) security services between a web browser (the client) and the HTTP
connection (the server)
• Static or dynamic Network Address Translation (NAT)
• Application protocol inspection (also known as protocol fixup)
• TCP termination, normalization, and reuse
• IP normalization and fragment reassembly
Use the no form of the policy-map multi-match command to remove a policy map from the ACE.
policy-map multi-match map_name
no policy-map multi-match map_name
Syntax Description
map_name Name assigned to the Layer 3 and Layer 4 policy map. Enter an
unquoted text string with no spaces and a maximum of
64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance
Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance, inspect, connection, NAT, or SSL feature in your
user role. For details about role-based access control (RBAC) and user roles, see the Virtualization
Guide, Cisco ACE Application Control Engine.
To perform HTTP load balancing, HTTP deep packet inspection, or FTP command inspection functions,
you associate a previously created Layer 7 policy map within a Layer 3 and Layer 4 policy map to
provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child
policies and can be associated only within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4
policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on
a VLAN (or any) interface. For example, to associate a Layer 7 HTTP load-balancing policy map, you
nest the Layer 7 load-balancing policy map by using the Layer 3 and Layer 4 (config-pmap-c)
loadbalance policy command.
The ACE supports a system-wide maximum of 4096 policy maps.
Examples To create a Layer 3 and Layer 4 server load balancing (SLB) policy map named L4_SLB_POLICY, enter:
host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)#
To create a Layer 3 and Layer 4 application protocol inspection policy map named
L4_HTTP_APP_INSPECTION_POLICY, enter:
host1/Admin(config)# policy-map multi-match L4_HTTP_APP_INSPECTION_POLICY
host1/Admin(config-pmap)#
Related Commands show startup-config
(config) class-map
(config-pmap) class
To associate a Layer 3 and Layer 4 class map with a Layer 3 and Layer 4 policy map, use the class
command. The prompt changes from (config-pmap) to (config-pmap-c). For information about commands
in this mode, see the “Policy Map Class Configuration Mode Commands” section. Use the no form of this
command to remove an associated class map from a policy map.
class {name1 [insert-before name2] | class-default-v6 | class-default}
no class {name1 [insert-before name2] | class-default-v6 | class-default}
Syntax Description
name1 Name of a previously defined Layer 3 and Layer 4 traffic class
configured with the class-map command. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
insert-before name2 (Optional) Places the current named class map ahead of an existing
class map or inline match condition specified by the name2 argument
in the policy-map configuration. The ACE does not save the sequence
reordering as part of the configuration. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
class-default-v6 Specifies the reserved, well-known IPv6 class map created by the
ACE. You cannot delete or modify this class. All traffic that fails to
meet the other matching criteria in the named class map belongs to
the default traffic class. If none of the specified classifications match
the traffic, then the ACE performs the action specified under the
class class-default-v6 command. The class-default-v6 class map has
an implicit match any statement in it that enables it to match all
IPv6 traffic.
class-default Associates the reserved, well-known class map created by the ACE.
You cannot delete or modify this class. All traffic that fails to meet
the other matching criteria in the named class map belongs to the
default traffic class. If none of the specified classifications matches
the traffic, then the ACE performs the action specified under the class
class-default command. The class-default class map has an implicit
match any statement in it that enables it to match all traffic.
Command Modes Policy map configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Added the class-default-v6 keyword.
ACE Appliance
Release Modification
A1(7) This command was introduced.
A5(1.0) Added the class-default-v6 keyword.
Usage Guidelines This command has no usage guidelines.
Examples To associate a Layer 3 and Layer 4 class map with a Layer 3 and Layer 4 policy map, enter:
host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)# class L4_SLB_CLASS
host1/Admin(config-pmap-c)#
Related Commands (config-pmap) description
(config-pmap) description
To provide a brief summary about the Layer 3 and Layer 4 policy map, use the description command.
Use the no form of this command to remove the description from the policy map.
description text
no description
Syntax Description
text Description for the policy map. Enter an unquoted text string with a
maximum of 240 alphanumeric characters.
Command Modes Policy map configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance
Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description stating that the policy map performs Layer 3 and Layer 4 server load balancing, enter:
host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)# description Policy map for L3/L4 SLB
Related Commands (config-pmap) class
Policy Map Class Configuration Mode Commands
Policy map class configuration mode commands allow you to specify the actions that the ACE should
take when network traffic matches one or more match statements in the associated Layer 3 and Layer 4
class map. To access policy map class configuration mode, use the class command in policy map
configuration mode (see the (config-pmap) class command for details). The prompt changes from
(config-pmap) to (config-pmap-c).
The features required in your user role to execute a specific command in policy map class configuration
mode are described in the “Usage Guidelines” section of the command. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
(config-pmap-c) appl-parameter dns advanced-options
To associate a DNS parameter map with a Layer 3 and Layer 4 policy map, use the appl-parameter dns
advanced-options command. Use the no form of this command to disassociate the DNS parameter map
as an action from the Layer 3 and Layer 4 generic application inspection policy map.
appl-parameter dns advanced-options name
no appl-parameter dns advanced-options name
Syntax Description
name Name of an existing DNS parameter map. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
A2(1.0) This command was introduced.
ACE Appliance
Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate a DNS parameter map with a Layer 3 and Layer 4 policy map, enter:
host1/Admin(config)# policy-map multi-match DNS_INSPECT_L4POLICY
host1/Admin(config-pmap)# class DNS_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# appl-parameter dns advanced-options DNS_PARAM_MAP1
To disassociate the DNS parameter map from the Layer 3 and Layer 4 policy map, enter:
host1/Admin(config-pmap-c)# no appl-parameter dns advanced-options DNS_PARAM_MAP1
Related Commands show parameter-map
(config) parameter-map type
(config-pmap-c) appl-parameter generic advanced-options
To associate a generic Layer 7 parameter map with a Layer 3 and Layer 4 policy map, use the
appl-parameter generic advanced-options command. Use the no form of this command to disassociate
the generic Layer 7 parameter map as an action from the Layer 3 and Layer 4 generic application
inspection policy map.
appl-parameter generic advanced-options name
no appl-parameter generic advanced-options name
Syntax Description
name Name of an existing generic Layer 7 parameter map. Enter an
unquoted text string with no spaces and a maximum of
64 alphanumeric characters.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
A2(1.0) This command was introduced.
ACE Appliance
Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate a generic Layer 7 parameter map with the Layer 3 and Layer 4 policy map, enter:
host1/Admin(config)# policy-map multi-match GEN_L7_INSPECT_L4POLICY
host1/Admin(config-pmap)# class GEN_L7_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# appl-parameter generic advanced-options GEN_L7_PARAM_MAP1
To disassociate the generic Layer 7 parameter map from the Layer 3 and Layer 4 policy map, enter:
host1/Admin(config-pmap-c)# no appl-parameter generic advanced-options GEN_L7_PARAM_MAP1
Related Commands show parameter-map
(config) parameter-map type
(config-pmap-c) appl-parameter http advanced-options
To associate an HTTP parameter map with a Layer 3 and Layer 4 policy map, use the appl-parameter
http advanced-options command. A parameter map is a means to combine related actions for use in a
Layer 3 and Layer 4 HTTP policy map. Use the no form of this command to disassociate the HTTP
parameter map as an action from the policy map.
appl-parameter http advanced-options name
no appl-parameter http advanced-options name
Syntax Description
name Name of an existing HTTP parameter map. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance
Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the loadbalance and inspect features in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
Examples To associate an HTTP parameter map with a Layer 3 and Layer 4 policy map, enter:
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# appl-parameter http advanced-options http_param_map1
Related Commands show parameter-map
(config) parameter-map type
(config-pmap-c) appl-parameter rtsp advanced-options
To associate a Real-Time Streaming Protocol (RTSP) parameter map with a Layer 3 and Layer 4 policy
map, use the appl-parameter rtsp advanced-options command. A parameter map is a means to
combine related actions for use in a Layer 3 and Layer 4 RTSP policy map. Use the no form of this
command to disassociate the RTSP parameter map from the policy map.
appl-parameter rtsp advanced-options name
no appl-parameter rtsp advanced-options name
Syntax Description
name Name of an existing RTSP parameter map. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
A2(1.0) This command was introduced.
ACE Appliance
Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command requires the loadbalance and inspect features in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
Examples To associate an RTSP parameter map with a Layer 3 and Layer 4 policy map, enter:
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# appl-parameter rtsp advanced-options rtsp_param_map1
Related Commands show parameter-map
(config) parameter-map type
(config-pmap-c) appl-parameter sip advanced-options
To associate a Session Initiation Protocol (SIP) application protocol inspection parameter map with a
Layer 3 and Layer 4 policy map, use the appl-parameter sip advanced-options command. Use the no
form of this command to disassociate the SIP parameter map as an action from the Layer 3 and Layer 4
SIP application inspection policy map.
appl-parameter sip advanced-options name
no appl-parameter sip advanced-options name
Syntax Description
name Name of an existing SIP parameter map. Parameter maps aggregate
SIP traffic-related actions together. Enter the name of an existing SIP
parameter map as an unquoted text string with no spaces and a
maximum of 64 alphanumeric characters.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
A2(1.0) This command was introduced.
ACE Appliance
Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate a SIP parameter map with a SIP packet inspection policy map, enter:
host1/Admin(config)# policy-map multi-match SIP_INSPECT_L4POLICY
host1/Admin(config-pmap)# class SIP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# appl-parameter sip advanced-options SIP_PARAM_MAP1
To disassociate the SIP parameter map from the SIP packet inspection policy map, enter:
host1/Admin(config-pmap-c)# no appl-parameter sip advanced-options SIP_PARAM_MAP1
Related Commands show parameter-map
(config) parameter-map type
(config-pmap-c) appl-parameter skinny advanced-options
To associate a Skinny Client Control Protocol (SCCP) parameter map with a Layer 3 and Layer 4 policy
map, use the appl-parameter skinny advanced-options command. Use the no form of this command
to disassociate the SCCP parameter map as an action from the Layer 3 and Layer 4 SCCP application
inspection policy map.
appl-parameter skinny advanced-options name
no appl-parameter skinny advanced-options name
Syntax Description
name Name of an existing SCCP parameter map. Parameter maps
aggregate SCCP traffic-related actions together. Enter the name of an
existing SCCP parameter map as an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module
Release Modification
A2(1.0) This command was introduced.
ACE Appliance
Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate an SCCP parameter map with the SCCP deep packet inspection policy map, enter:
host1/Admin(config)# policy-map multi-match SCCP_INSPECT_L4POLICY
host1/Admin(config-pmap)# class SCCP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# appl-parameter skinny advanced-options SCCP_PARAM_MAP1
To disassociate the SCCP parameter map from the SCCP packet inspection policy map, enter:
host1/Admin(config-pmap-c)# no appl-parameter skinny advanced-options SCCP_PARAM_MAP1
Related Commands show parameter-map
(config) parameter-map type
(config-pmap-c) connection advanced-options
To associate a connection parameter map with a Layer 3 and Layer 4 policy map, use the connection
advanced-options command. Use the no form of this command to disassociate the parameter map from
a policy map.
connection advanced-options name
no connection advanced-options name
Syntax Description
name
    Name of an existing connection parameter map. Enter an unquoted text
    string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the connection feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
For details about configuring a connection parameter map, see the Security Guide, Cisco ACE
Application Control Engine.
Examples To associate the connection parameter map IP_MAP with a Layer 3 and Layer 4 TCP/IP policy map:
host1/Admin(config)# policy-map multi-match TCPIP_POLICY
host1/Admin(config-pmap)# class TCP_CLASS
host1/Admin(config-pmap-c)# connection advanced-options IP_MAP
Related Commands This command has no related commands.
(config-pmap-c) inspect
To define the Layer 3 and Layer 4 HTTP deep packet inspection, File Transfer Protocol (FTP) command
inspection, or application protocol inspection policy actions, use the inspect command. Application
inspection involves the examination of protocols such as Domain Name System (DNS), FTP, HTTP,
Internet Control Message Protocol (ICMP), and Real Time Streaming Protocol (RTSP) to verify the
protocol behavior and identify unwanted or malicious traffic that passes through the ACE. Use the no
form of this command to remove an associated class map from a policy map.
inspect {dns [maximum-length bytes]} | {ftp [strict policy name1 | sec-param
conn_parammap_name1]} | {http [policy name4 | url-logging]} | {icmp [error]} | ils | {rtsp
[sec-param conn_parammap_name3]} | {sip [sec-param conn_parammap_name4] [policy
name5]} | {skinny [sec-param conn_parammap_name5] [policy name6]}
no inspect {dns [maximum-length bytes]} | {ftp [strict policy name1 | sec-param
conn_parammap_name1]} | {http [policy name4 | url-logging]} | {icmp [error]} | ils | {rtsp
[sec-param conn_parammap_name3]} | {sip [sec-param conn_parammap_name4] [policy
name5]} | {skinny [sec-param conn_parammap_name5] [policy name6]}
Syntax Description
dns
    Enables DNS query inspection. DNS requires application inspection
    so that DNS queries will not be subject to the generic UDP handling
    based on activity timeouts. Instead, the UDP connections associated
    with DNS queries and responses are torn down as soon as a reply to
    a DNS query has been received. The ACE performs the reassembly
    of DNS packets to verify that the packet length is less than the
    configured maximum length.
maximum-length bytes
    (Optional) Sets the maximum length of a DNS reply. Valid entries are
    from 512 to 65535 bytes. The default is 512 bytes.
ftp
    Enables FTP inspection. The ACE inspects FTP packets, translates
    the address and the port that are embedded in the payload, and opens
    up a secondary channel for data.
strict
    (Optional) Checks for protocol RFC compliance and prevents web
    browsers from sending embedded commands in FTP requests. The
    strict keyword prevents an FTP client from determining valid
    usernames that are supported on an FTP server. When an FTP server
    replies to the USER command, the ACE intercepts the 530 reply code
    from the FTP server and replaces it with the 331 reply code.
    Specifying an FTP inspection policy allows selective command
    filtering and also prevents the display of the FTP server system type
    to the FTP client. The ACE intercepts the FTP server 215 reply code
    and message to the SYST command, and then replaces the text
    following the reply code with asterisks.
policy name1
    Specifies the name assigned to a previously created Layer 7 FTP
    command inspection policy map to implement the inspection of
    Layer 7 FTP commands by the ACE. Enter an unquoted text string
    with no spaces and a maximum of 64 alphanumeric characters. Use
    the inspect ftp command in policy map class configuration mode to
    define the FTP command request inspection policy.
    Note If you do not specify a Layer 7 policy map, the ACE performs
    a general set of Layer 3 and Layer 4 FTP fixup actions.
sec-param conn_parammap_name1
    (Optional) Specifies the name of a previously created connection
    parameter map used to define parameters for FTP inspection.
http
    Enables enhanced Hypertext Transfer Protocol (HTTP) inspection on
    the HTTP traffic. The inspection checks are based on configured
    parameters in an existing Layer 7 policy map and internal RFC
    compliance checks performed by the ACE. By default, the ACE
    allows all request methods.
policy name4
    (Optional) Specifies the name assigned to a previously created
    Layer 7 HTTP application inspection policy map to implement the
    deep packet inspection of Layer 7 HTTP application traffic by the
    ACE. The inspection checks are based on configured parameters in
    an existing Layer 7 policy map and internal RFC compliance checks
    performed by the ACE. Enter an unquoted text string with no spaces
    and a maximum of 64 alphanumeric characters.
    Note If you do not specify a Layer 7 policy map, the ACE performs
    a general set of Layer 3 and Layer 4 HTTP fixup actions and
    internal RFC compliance checks.
url-logging
    (Optional) Enables the monitoring of Layer 3 and Layer 4 traffic.
    This function logs every URL request that is sent in the specified
    class of traffic, including the source or destination IP address and the
    URL that is accessed.
icmp
    Enables ICMP payload inspection. ICMP inspection allows ICMP
    traffic to have a “session” so it can be inspected similarly to TCP and
    UDP traffic.
error
    (Optional) Performs a Network Address Translation (NAT) of ICMP
    error messages. The ACE creates translation sessions for
    intermediate or endpoint nodes that send ICMP error messages based
    on the NAT configuration. The ACE overwrites the packet with the
    translated IP addresses.
ils
    Enables Internet Locator Service (ILS) protocol inspection.
rtsp
    Enables RTSP packet inspection. RTSP is used by RealAudio,
    RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV
    connections. The ACE monitors Setup and Response (200 OK)
    messages in the control channel established using TCP port 554 (no
    UDP support).
sec-param conn_parammap_name3
    (Optional) Specifies the name of a previously created connection
    parameter map used to define parameters for RTSP inspection.
sip
    Enables Session Initiation Protocol (SIP) inspection. SIP is used for
    call handling sessions and instant messaging. The ACE inspects
    signaling messages for media connection addresses, media ports, and
    embryonic connections. The ACE also uses NAT to translate IP
    addresses that are embedded in the user-data portion of the packet.
sec-param conn_parammap_name4
    (Optional) Specifies the name of a previously created connection
    parameter map used to define parameters for SIP inspection.
policy name5
    (Optional) Specifies the name of a previously created Layer 7 SIP
    application inspection policy map to implement packet inspection of
    Layer 7 SIP application traffic by the ACE. The inspection checks are
    based on configured parameters in an existing Layer 7 policy map
    and internal RFC compliance checks performed by the ACE. Enter an
    unquoted text string with no spaces and a maximum of 64
    alphanumeric characters.
    Note If you do not specify a Layer 7 policy map, the ACE performs
    a general set of Layer 3 and Layer 4 HTTP fixup actions and
    internal RFC compliance checks.
skinny
    Enables Cisco Skinny Client Control Protocol (SCCP) inspection.
    SCCP is a Cisco proprietary protocol that is used between Cisco
    CallManager and Cisco VoIP phones. The ACE uses NAT to
    translate embedded IP addresses and port numbers in SCCP packet
    data.
sec-param conn_parammap_name5
    (Optional) Specifies the name of a previously created connection
    parameter map used to define parameters for SCCP inspection.
policy name6
    (Optional) Specifies the name of a previously created Layer 7 SCCP
    application inspection policy map to implement deep packet
    inspection of Layer 7 SCCP application traffic by the ACE. The
    inspection checks are based on configured parameters in an existing
    Layer 7 policy map and internal RFC compliance checks performed
    by the ACE. Enter an unquoted text string with no spaces and a
    maximum of 64 alphanumeric characters.
    Note If you do not specify a Layer 7 policy map, the ACE performs
    a general set of Layer 3 and Layer 4 HTTP fixup actions and
    internal RFC compliance checks.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
A2(1.0)                This command was revised.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
A3(1.0)                This command was revised.
Usage Guidelines This command requires the inspect feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To perform the deep packet inspection of Layer 7 HTTP application traffic by the ACE, you should create
a Layer 7 HTTP deep packet inspection policy using the policy-map type inspect http command (see
the Security Guide, Cisco ACE Application Control Engine). Nest the Layer 7 deep packet inspection
policy using the Layer 3 and Layer 4 inspect http command. If you do not specify a Layer 7 HTTP
policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC
compliance checks.
To perform checks for protocol RFC compliance and to prevent web browsers from sending embedded
commands in FTP requests, you should create a Layer 7 FTP policy using the policy-map type inspect
ftp command (see the Security Guide, Cisco ACE Application Control Engine). Nest the Layer 7 FTP
inspection traffic policy using the Layer 3 and Layer 4 inspect ftp command. If you do not specify a
Layer 7 FTP policy map, the ACE performs a general set of Layer 3 and Layer 4 FTP fixup actions.
Examples To specify the inspect http command as an action for an HTTP application protocol inspection policy
map, enter:
host1/Admin(config)# policy-map multi-match HTTP_INSPECT_L4POLICY
host1/Admin(config-pmap)# class HTTP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# inspect http policy HTTP_DEEPINSPECT_L7POLICY
Related Commands This command has no related commands.
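The strict keyword of inspect ftp is described above as two reply rewrites on the control channel: a 530 answer to USER is turned into a 331 so the server's first reply no longer distinguishes valid from invalid usernames, and the text of the 215 answer to SYST is replaced with asterisks so the system type is not revealed. The following Python model is an added example, not ACE code; it applies those two rewrites to a constructed FTP exchange so you can see what the client ends up observing. The wording of the substituted 331 line is an assumption made for the example.

```python
"""Model of the 'inspect ftp strict' reply fixups described above.

Added example; it is not ACE code.  It rewrites FTP server replies the way
the command reference says the ACE does when strict inspection is on:
  * a 530 reply to USER becomes a 331 reply, so a client cannot tell a
    valid username from an invalid one by the server's first answer;
  * the text after the 215 reply to SYST is replaced with asterisks, so the
    server system type is not revealed.
Every other reply is forwarded unchanged.  The reply text used for the
substituted 331 is a constructed placeholder, not what the ACE sends.
"""
import re

# A reply line: three-digit code, a space (single-line reply) or hyphen
# (first line of a multi-line reply), then free text.
_REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def strict_ftp_reply(last_command: str, reply: str) -> str:
    """Return `reply` as it would be forwarded to the client.

    `last_command` is the most recent client command on the control
    channel (for example "USER alice"); `reply` is the server's answer.
    """
    m = _REPLY_RE.match(reply)
    if not m:
        return reply  # not a well-formed reply line: forward as-is
    code, sep, text = m.groups()
    verb = last_command.split(" ", 1)[0].upper()
    if verb == "USER" and code == "530":
        # Unknown or rejected user: answer exactly as for a known user, so
        # both paths ask for a password before disclosing anything.
        return f"331{sep}Please specify the password."
    if verb == "SYST" and code == "215":
        # Keep the reply code, mask the system-type string character for character.
        return f"215{sep}{'*' * len(text)}"
    return reply


def inspect_session(exchange):
    """Apply the fixup to a list of (client_command, server_reply) pairs."""
    return [strict_ftp_reply(cmd, rep) for cmd, rep in exchange]


# Constructed control-channel exchange (not a real capture).
SAMPLE_EXCHANGE = [
    ("SYST", "215 UNIX Type: L8"),
    ("USER nosuchuser", "530 Login incorrect."),
    ("USER alice", "331 Please specify the password."),
    ("PASS hunter2", "230 Login successful."),
]

if __name__ == "__main__":
    for (cmd, original), forwarded in zip(SAMPLE_EXCHANGE, inspect_session(SAMPLE_EXCHANGE)):
        print(f"{cmd:<18} server: {original:<35} client sees: {forwarded}")
```

Running the block shows the two USER replies becoming identical and the SYST banner reduced to a run of asterisks; replies to other commands, including a 530 after PASS, pass through untouched, which is what makes the rewrite safe for legitimate clients.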
(config-pmap-c) kal-ap primary-oos
To enable the ACE to report the maximum load value of 255 to a GSS when the primary server farm is
down and the backup server farm is in use, use the kal-ap primary-oos command in policy map class
configuration mode. Use the no form of this command to disable the reporting of a load value of 255
when the primary server is down and the backup server is in use.
kal-ap primary-oos
no kal-ap primary-oos
Syntax Description This command has no keywords or arguments.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
A2(3.1)                This command was introduced.
ACE Appliance Release  Modification
A3(2.6)                This command was introduced.
Usage Guidelines This command requires the probe feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you configure a server farm as a backup server farm on the ACE and the primary server farm fails,
the backup server farm redirects the client requests to another data center. However, the VIP remains in
the INSERVICE state.
When you configure the ACE to communicate with a GSS, the ACE reports the availability of the server
to a GSS by sending a load number. To inform the GSS that the primary server farm is down and a backup
server farm is in use, the ACE needs to send a load value that indicates that the server is unavailable.
When you configure the kal-ap primary-oos command, the ACE reports a load value of 255 when the
primary server is down and the backup server is in use. When the GSS receives the load value of 255, it
recognizes that the primary server farm is down and sends future DNS requests with the IP address of
the other data center.
Examples To enable the reporting of a load value of 255 when the primary server is down and the backup server is
in use, enter:
host1/Admin(config-pmap-c)# kal-ap primary-oos
To disable the reporting of a load value of 255 when the primary server is down and the backup server
is in use, enter:
host1/Admin(config-pmap-c)# no kal-ap primary-oos
Related Commands This command has no related commands.
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Policy Map Class Configuration Mode Commands
(config-pmap-c) kal-ap-tag
To associate a KAL-AP tag to a VIP address in a Layer 3 and Layer 4 SLB policy map configuration,
use the kal-ap-tag command. Use the no form of this command to disassociate the KAL-AP tag from
the Layer 3 and Layer 4 SLB policy map.
kal-ap-tag tag_name
no kal-ap-tag
Syntax Description
tag_name
    Name of the KAL-AP tag. Enter the name as an unquoted text string
    with no spaces and a maximum of 76 alphanumeric characters.
    Note the following restrictions:
    • You cannot configure a tag name for a VIP address that is already
      configured in a different policy map.
    • You cannot associate the same tag name to a domain and a VIP
      address.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
A2(2.0)                This command was introduced.
ACE Appliance Release  Modification
A4(1.0)                This command was introduced.
Usage Guidelines This command requires the probe feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To associate a VIP tag to a policy map configuration, enter:
host1/Admin(config)# policy-map multi-match l4_policy20
host1/Admin(config-pmap)# class VIP-20
host1/Admin(config-pmap-c)# kal-ap-tag KAL-AP-TAG2
To remove the KAL-AP-TAG2 tag from the class map, enter:
host1/Admin(config-pmap-c)# no kal-ap-tag
Related Commands show kalap udp load
(config-pmap-c) loadbalance policy
To associate a Layer 7 server load balancing (SLB) policy map with a Layer 3 and Layer 4 SLB policy
map, use the loadbalance policy command. Use the no form of this command to disassociate the Layer
7 SLB policy from the Layer 3 and Layer 4 SLB policy map.
loadbalance policy name
no loadbalance policy name
Syntax Description
name
    Name of an existing Layer 7 SLB policy map. Enter the name as an
    unquoted text string with no spaces and a maximum of
    64 alphanumeric characters.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the loadbalance feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE treats all Layer 7 policy maps as child policies, so you must always associate a Layer 7 SLB
policy map with a Layer 3 and Layer 4 SLB policy map.
Examples To reference the Layer 7 L7SLBPOLICY policy map within the Layer 3 and Layer 4 L4SLBPOLICY
policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap)# class L7SLBCLASS
host1/Admin(config-pmap-c)# serverfarm FARM2
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class L4SLBCLASS
host1/Admin(config-pmap-c)# loadbalance policy L7SLBPOLICY
Related Commands This command has no related commands.
(config-pmap-c) loadbalance vip advertise
(ACE module only) To allow the ACE to advertise the IP address of the virtual server as the host route,
use the loadbalance vip advertise command. This function is used with route health injection (RHI) to
allow the ACE to advertise the availability of a VIP address throughout the network. Use the no form of this
command to stop advertising the host route as an action from the policy map.
loadbalance vip advertise [active] | [metric number]
no loadbalance vip advertise [active] | [metric number]
Syntax Description
active
    (Optional) Allows the ACE to advertise the IP address of the virtual
    server (VIP) as the host route only if there is at least one active real
    server in the server farm. Without the active option, the ACE always
    advertises the VIP whether or not there is any active real server
    associated with this VIP.
metric number
    (Optional) Specifies the distance metric for the route. Enter the
    metric value that needs to be entered in the routing table. Valid values
    are from 1 through 254. The default is 77.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
Usage Guidelines This command requires the loadbalance feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You must enable the advertising of a VIP using the loadbalance vip advertise command before you can
enter a distance metric value for the route. Otherwise, the ACE returns an error message.
If you configured the loadbalance vip advertise metric command and then you enter the no
loadbalance vip advertise [active] command, the ACE resets the metric value to the default of 77.
Examples To advertise as an action for the SLB policy map, enter:
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# loadbalance vip advertise active
Related Commands This command has no related commands.
(config-pmap-c) loadbalance vip icmp-reply
To enable a VIP to reply to ICMP requests, use the loadbalance vip icmp-reply command. For example,
if a user sends an ICMP ECHO request to a VIP, this command instructs the VIP to send an ICMP
ECHO-REPLY. Use the no form of this command to disable a VIP reply to ICMP requests as an action
from the policy map.
loadbalance vip icmp-reply [active [primary-inservice]]
no loadbalance vip icmp-reply [active [primary-inservice]]
Syntax Description
active
    (Optional) Instructs the ACE to reply to an ICMP request only if the
    configured VIP is active. If the VIP is not active and the active option
    is specified, the ACE discards the ICMP request and the request times
    out.
primary-inservice
    (Optional) Instructs the ACE to reply to an ICMP ping only if the
    primary server farm state is UP, regardless of the state of the backup
    server farm. If this option is enabled and the primary server farm state
    is DOWN, the ACE discards the ICMP request and the request times
    out.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
3.0(0)A1(6.3)          The primary-inservice option was added.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the loadbalance feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To complete the configuration when you configure the active option of this command, be sure to
configure a Telnet probe and associate it with the server farm. The probe monitors the health of all the
real servers in the server farm and ensures that the VIP responds with an ICMP ECHO REPLY only if
the server port is active. If the server port is down or unreachable, the probe fails and the VIP stops
responding to the ECHO request. For details about configuring probes, see the Server Load-Balancing
Guide, Cisco ACE Application Control Engine.
The loadbalance vip icmp-reply active command alone controls a ping to a VIP on the ACE. This
command implicitly downloads an ICMP access control list entry for the VIP. When you configure this
command on the ACE, any configured ACLs that deny ICMP traffic have no effect on a client’s ability
to ping the VIP.
Examples To enable a VIP to reply to ICMP requests, enter:
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# loadbalance vip icmp-reply active
Related Commands This command has no related commands.
(config-pmap-c) loadbalance vip inservice
To enable a VIP for server load-balancing operations, use the loadbalance vip inservice command. Use
the no form of this command to disable a VIP.
loadbalance vip inservice
no loadbalance vip inservice
Syntax Description This command has no keywords or arguments.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the loadbalance feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To specify the loadbalance vip inservice command as an action for a server load-balancing policy map,
enter:
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# loadbalance vip oos-arpreply enable
host1/Admin(config-pmap-c)# loadbalance vip inservice
Related Commands This command has no related commands.
(config-pmap-c) loadbalance vip udp-fast-age
To close the connection immediately after a response is sent back to the client, enabling per-packet load
balancing for UDP DNS A-record (IPv4) or AAAA-record (IPv6) traffic, use the loadbalance vip
udp-fast-age command. Use the no form of this command to reset the ACE default behavior.
loadbalance vip udp-fast-age
no loadbalance vip udp-fast-age
Syntax Description This command has no keywords or arguments.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
A2(1.0)                This command was introduced.
A5(1.0)                Added IPv6 support.
ACE Appliance Release  Modification
A3(1.0)                This command was introduced.
A5(1.0)                Added IPv6 support.
Usage Guidelines This command requires the loadbalance feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you use this command, the ACE load balances all new requests to a new real server in the server
farm according to the predictor algorithm. All retransmitted UDP packets from the client go to the same
real server.
By default, the ACE load balances UDP packets using the same tuple to the same real server on an
existing connection.
Examples To configure the ACE to perform per-packet load balancing for UDP traffic, enter:
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# loadbalance vip udp-fast-age
To reset the default ACE handling of UDP traffic, enter:
host1/Admin(config-pmap-c)# no loadbalance vip udp-fast-age
Related Commands This command has no related commands.
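The difference between the default UDP handling and udp-fast-age is easiest to see by replaying the same packet sequence through both behaviours. The Python model below is an added example, not ACE code: it keeps a connection table keyed by the UDP tuple, removes the entry when the reply is sent if fast-age is on, and uses a round-robin predictor (an assumption; the ACE's predictor is whatever the server farm is configured with). The traffic and server names are constructed.

```python
"""Model of the UDP connection handling that 'loadbalance vip udp-fast-age'
changes, as described above.

Added example; it is not ACE code.  A VIP keeps a connection table keyed by
the UDP tuple.  By default the entry lives on after the reply, so every
later packet with the same tuple is sent to the same real server.  With
fast-age the entry is removed as soon as the reply goes back to the client,
so the next request with that tuple is load balanced again by the
predictor, while a retransmit that arrives before the reply still reaches
the same server.  Round-robin stands in for the predictor (an assumption).
"""
from dataclasses import dataclass, field


@dataclass
class UdpVip:
    servers: list
    fast_age: bool = False
    _table: dict = field(default_factory=dict)   # tuple -> real server
    _next: int = 0                                # round-robin position

    def request(self, flow):
        """Client packet arrives; return the real server it is sent to."""
        if flow in self._table:
            # Existing connection (or a retransmit): stay on that server.
            return self._table[flow]
        server = self.servers[self._next % len(self.servers)]
        self._next += 1
        self._table[flow] = server
        return server

    def response(self, flow):
        """Server reply goes back to the client for this tuple."""
        server = self._table[flow]
        if self.fast_age:
            # Close the connection now; the next request is balanced afresh.
            del self._table[flow]
        return server

    def run(self, events):
        """Replay ('request'|'response', flow) events; return servers chosen."""
        return [self.request(f) if e == "request" else self.response(f)
                for e, f in events]


# Constructed DNS-style traffic: one resolver tuple sending three queries,
# the first of which is retransmitted before its reply arrives.
FLOW = ("10.1.1.5", 40000, "192.0.2.53", 53)
EVENTS = [
    ("request", FLOW), ("request", FLOW), ("response", FLOW),
    ("request", FLOW), ("response", FLOW),
    ("request", FLOW), ("response", FLOW),
]


def compare(servers=("rs1", "rs2", "rs3")):
    """Return (default choices, udp-fast-age choices) for EVENTS."""
    return (UdpVip(list(servers)).run(EVENTS),
            UdpVip(list(servers), fast_age=True).run(EVENTS))


if __name__ == "__main__":
    default, fast = compare()
    print("default     :", default)
    print("udp-fast-age:", fast)
```

With the default behaviour every packet of the tuple lands on rs1 for the life of the connection; with udp-fast-age the retransmit still goes to rs1, but each query after a reply is spread across rs1, rs2 and rs3.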
(config-pmap-c) nat dynamic
To configure dynamic Network Address Translation (NAT) and Port Address Translation (PAT) as an
action in a policy map, use the nat dynamic command. The ACE applies the dynamic NAT from the
interface attached to the traffic policy (through the service-policy interface configuration command) to
the interface specified in the nat dynamic command. Use the no form of this command to remove a
dynamic NAT action from a policy map.
nat dynamic nat_id vlan number
no nat dynamic nat_id vlan number
Syntax Description
nat dynamic nat_id
    Refers to a global pool of IP addresses that exists under the VLAN
    number. Dynamic NAT translates a group of local source IP addresses
    to a pool of global IP addresses that are routable on the destination
    network. All packets going from the interface attached to the traffic
    policy have their source address translated to one of the available
    addresses in the global pool. Enter an integer from 1 to 2147483647.
vlan number
    Specifies the VLAN number of an existing interface for which you
    are configuring NAT. Enter an integer from 2 to 4094.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the NAT feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If a packet egresses an interface that you have not configured for NAT, the ACE transmits the packet
untranslated.
Examples To specify the nat dynamic command as an action for a dynamic NAT policy map, enter:
host1/Admin(config)# policy-map multi-action NAT_POLICY
host1/Admin(config-pmap)# class NAT_CLASS
host1/Admin(config-pmap-c)# nat dynamic 1 vlan 200
Related Commands This command has no related commands.
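The semantics of nat dynamic are: the pool identified by nat_id lives under the VLAN named in the command, source addresses of traffic entering the interface that carries the service policy are rewritten to pool addresses on the way out of that VLAN, and a packet leaving an interface with no NAT configured is sent untranslated. The Python model below is an added example, not ACE code, that replays constructed packets through those rules. The one-to-one-then-PAT allocation and the PAT port range starting at 1024 are assumptions made for illustration.

```python
"""Model of the dynamic NAT action configured with 'nat dynamic nat_id vlan
number', as described above.

Added example; it is not ACE code and makes these assumptions for the sake
of illustration: a global pool is a plain list of addresses defined under
the egress VLAN; a local host gets a pool address one-to-one while unused
addresses remain, and once the pool is exhausted new hosts share the last
pool address with port translation (PAT), with PAT ports handed out upward
from 1024 (a real implementation also avoids ports already in use on that
address).  The page's rule that a packet leaving an interface not
configured for NAT is transmitted untranslated is modelled as well.
"""
from itertools import count


class DynamicNat:
    def __init__(self, pools, policies):
        # pools:    {(nat_id, egress_vlan): [global addresses]}, i.e. the
        #           pool that exists under the VLAN named in the command
        # policies: {ingress_vlan: (nat_id, egress_vlan)}, one entry per
        #           interface whose service policy carries 'nat dynamic'
        self.pools = pools
        self.policies = policies
        self.addr_map = {}           # (ingress_vlan, local ip) -> global ip or None
        self.pat_map = {}            # ((ingress_vlan, local ip), port) -> (gip, gport)
        self._pat_port = count(1024)

    def translate(self, ingress_vlan, egress_vlan, src_ip, src_port):
        """Return the (source ip, source port) the packet is sent out with."""
        action = self.policies.get(ingress_vlan)
        if action is None or action[1] != egress_vlan:
            # No NAT configured for this ingress/egress pair: forward as-is.
            return src_ip, src_port
        pool = self.pools[action]
        host = (ingress_vlan, src_ip)
        if host not in self.addr_map:
            in_use = set(self.addr_map.values())
            free = [g for g in pool if g not in in_use]
            # One-to-one address translation while the pool lasts; None
            # marks a host that must fall back to PAT.
            self.addr_map[host] = free[0] if free else None
        gip = self.addr_map[host]
        if gip is not None:
            return gip, src_port
        key = (host, src_port)
        if key not in self.pat_map:
            self.pat_map[key] = (pool[-1], next(self._pat_port))
        return self.pat_map[key]


# Constructed traffic: client VLAN 100 carries the policy 'nat dynamic 1 vlan 200';
# pool 1 under VLAN 200 holds two addresses.  Fields are
# (ingress_vlan, egress_vlan, src_ip, src_port).
PACKETS = [
    (100, 200, "10.0.0.1", 5000),
    (100, 200, "10.0.0.1", 5001),
    (100, 200, "10.0.0.2", 5000),
    (100, 200, "10.0.0.3", 5000),   # pool exhausted: PAT on the last address
    (100, 300, "10.0.0.4", 5000),   # egress VLAN 300 has no NAT: untranslated
    (100, 200, "10.0.0.3", 5000),   # existing translation is reused
]


def demo():
    """Translate PACKETS through a fresh NAT table and return the results."""
    nat = DynamicNat({(1, 200): ["203.0.113.10", "203.0.113.11"]}, {100: (1, 200)})
    return [nat.translate(*p) for p in PACKETS]


if __name__ == "__main__":
    for pkt, out in zip(PACKETS, demo()):
        print(f"{pkt} -> {out}")
```

The fifth packet is the case the usage guidelines call out: it leaves VLAN 300, which has no NAT configured, so its private source address is forwarded unchanged. When auditing an ACE policy, that is the path to check for address leakage.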
(config-pmap-c) nat static
To configure static Network Address Translation (NAT) and static port redirection in a policy map, use
the nat static command. Static NAT allows you to identify local traffic for address translation by
specifying the source and destination addresses in an extended access control list (ACL) that is
referenced as part of the class map traffic classification. The ACE applies static NAT from the interface
attached to the traffic policy (through the service-policy interface configuration command) to the
interface specified in the nat static command. Use the no form of this command to remove a NAT action
from a policy map.
nat static [ipv6_address/prefix_length | ipv4_address netmask mask] {port1 | tcp eq port2 | udp
eq port3} vlan number
no nat static [ipv6_address/prefix_length | ipv4_address netmask mask] {port1 | tcp eq port2 | udp
eq port3} vlan number
Syntax Description
ipv6_address
    IPv6 address for a single static translation. This argument establishes
    the globally unique IP address of a host as it appears to the outside
    world. The policy map performs the global IP address translation for
    the source IP address specified in the ACL (as part of the class map
    traffic classification).
/prefix_length
    Prefix length of the IPv6 address.
ipv4_address
    IPv4 address for a single static translation. This argument establishes
    the globally unique IP address of a host as it appears to the outside
    world. The policy map performs the global IP address translation for
    the source IP address specified in the ACL (as part of the class map
    traffic classification).
netmask mask
    Specifies the subnet mask for the IP address. Enter a subnet mask in
    dotted-decimal notation (for example, 255.255.255.0).
port1
    Global TCP or UDP port for static port redirection. Enter an integer
    from 0 to 65535.
tcp eq port2
    Specifies a TCP port name or number. Enter an integer from 0 to
    65535. A value of 0 instructs the ACE to match any port.
    Alternatively, you can enter a protocol keyword that corresponds to a
    TCP port number. See the “Usage Guidelines” section for a list of
    supported well-known TCP port names and numbers.
udp eq port3
    Specifies a UDP port name or number. Enter an integer from 0 to
    65535. A value of 0 instructs the ACE to match any port.
    Alternatively, you can enter a protocol keyword that corresponds to a
    UDP port number. See the “Usage Guidelines” section for a list of
    supported well-known UDP port names and numbers.
vlan number
    Specifies the interface for the global IP address. This interface must
    be different from the interface that the ACE uses to filter and receive
    traffic that requires NAT.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command requires the NAT feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE supports static NAT only for IPv6 to IPv6 and IPv4 to IPv4 translations. Mixed mode is not
supported.
Table 1-20 provides a list of supported well-known TCP and UDP port names and numbers.
Table 1-20 Supported TCP and UDP Ports
Well-Known TCP Port Numbers and Keywords
Keyword        Port Number   Description
ftp            21            File Transfer Protocol
http           80            Hyper Text Transfer Protocol
https          443           HTTP over TLS/SSL
irc            194           Internet Relay Chat
matip-a        350           Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
nntp           119           Network News Transport Protocol
pop2           109           Post Office Protocol v2
pop3           110           Post Office Protocol v3
rtsp           554           Real Time Streaming Protocol
smtp           25            Simple Mail Transfer Protocol
telnet         23            Telnet
Well-Known UDP Port Numbers and Keywords
Keyword        Port Number   Description
dns            53            Domain Name System
wsp            9200          Connectionless Wireless Session Protocol (WSP)
wsp-wtls       9202          Secure Connectionless WSP
wsp-wtp        9201          Connection-based WSP
wsp-wtp-wtls   9203          Secure Connection-based WSP
Examples To specify the nat command as an action for a static NAT and port redirection policy map, enter:
host1/Admin(config)# policy-map multi-action NAT_POLICY
host1/Admin(config-pmap)# class NAT_CLASS
host1/Admin(config-pmap-c)# nat static 192.168.12.15 255.255.255.0 8080 vlan 200
Related Commands This command has no related commands.
(config-pmap-c) ssl-proxy
To associate the Secure Sockets Layer (SSL) client or server proxy service with the policy map, use the
ssl-proxy command. Use the no form of this command to remove the SSL proxy service from the policy
map.
ssl-proxy {client | server} ssl_service_name
no ssl-proxy {client | server} ssl_service_name
Syntax Description
client             Associates an SSL client proxy service with the policy map. This keyword is available only when building a Layer 7 policy map, where the ACE acts as an SSL client device.
server             Associates an SSL server proxy service with the policy map. This keyword is available only when building a Layer 3 and Layer 4 policy map, where the ACE acts as an SSL server device.
ssl_service_name   Name of an existing SSL proxy service. Enter the name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map class configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To associate an SSL server proxy service with the policy map, enter:
host1/C1(config-pmap-c)# ssl-proxy server SSL_SERVER_PROXY_SERVICE
host1/C1(config-pmap-c)#
Related Commands This command has no related commands.
Policy Map FTP Inspection Configuration Mode Commands
Policy map FTP inspection configuration mode commands allow you to configure a Layer 7 policy map
that defines the inspection of the File Transfer Protocol (FTP) commands by the ACE. The ACE executes
the action for the first matching classification.
To create an FTP command request inspection policy map and access policy map FTP inspection
configuration mode, use the policy-map type inspect ftp first-match command in configuration mode.
When you access the policy map FTP inspection configuration mode, the prompt changes to
(config-pmap-ftp-ins). Use the no form of this command to remove an FTP command request inspection
policy map from the ACE.
policy-map type inspect ftp first-match map_name
no policy-map type inspect ftp first-match map_name
Syntax Description
map_name   Name assigned to the Layer 7 FTP command request inspection policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You associate the Layer 7 FTP command request inspection policy map within a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can be associated only within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface.
To associate the Layer 7 FTP inspection policy map, you nest it by using the Layer 3 and Layer 4 inspect ftp strict command (see the (config-pmap-c) inspect command).
Examples To create a Layer 7 FTP command inspection policy map, enter:
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)#
Related Commands show startup-config
(config) class-map
(config-pmap-ftp-ins) class
To associate a Layer 7 File Transfer Protocol (FTP) inspection class map with a Layer 7 FTP inspection
policy map, use the class command. The prompt changes from (config-pmap-ftp-ins) to
(config-pmap-ftp-ins-c). For information about commands in this mode, see the “Policy Map FTP
Inspection Class Configuration Mode Commands” section. Use the no form of this command to remove
an associated class map from a policy map.
class name
no class name
Syntax Description
name   Name of a previously defined Layer 7 FTP command inspection class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map FTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate a Layer 7 FTP inspection class map with a Layer 7 FTP inspection policy map, enter:
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)#
Related Commands (config-pmap-ftp-ins) description
(config-pmap-ftp-ins) description
To provide a brief summary about the Layer 7 File Transfer Protocol (FTP) command inspection policy map, use the description command. Use the no form of this command to remove the description from the policy map.
description text
no description text
Syntax Description
text   Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Policy map FTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the policy map is to perform FTP command inspection, enter:
host1/Admin(config-pmap-ftp-ins)# description FTP command inspection of incoming traffic
To remove the description from the FTP policy map, enter:
host1/Admin(config-pmap-ftp-ins)# no description FTP command inspection of incoming traffic
Related Commands (config-pmap-ftp-ins) class
(config-pmap-ftp-ins) match request-method
To configure the Layer 7 FTP inspection policy map to define FTP command inspection decisions
performed by the ACE, use the match request-method command. The prompt changes from
(config-pmap-ftp-ins) to (config-pmap-ftp-ins-m). For information about commands in this mode, see the
“Policy Map FTP Inspection Match Configuration Mode Commands” section. Use the no form of this
command to clear the FTP inspection request method from the policy map.
match name request-method ftp_command
no match name
Syntax Description
name          Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
ftp_command   FTP command to be subjected to FTP inspection by the ACE. The FTP commands are as follows:
              • appe—Appends to a file.
              • cd—Changes to the specified directory.
              • cdup—Changes to the parent of the current directory.
              • dele—Deletes a file at the server side.
              • get—Retrieves a file.
              • help—Retrieves Help information from the server.
              • mkd—Creates a directory.
              • put—Stores a file.
              • rmd—Removes a directory.
              • rnfr—Renames from.
              • rnto—Renames to.
              • site—Specifies the server-specific command.
              • stou—Stores a file with a unique name.
              • syst—Gets system information.
Command Modes Policy map FTP inspection configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines The match command identifies the FTP command that you want filtered by the ACE.
You can specify multiple match request-method commands within a class map.
Examples To add an inline match command to a Layer 7 FTP command policy map, enter:
host1/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method mkd
host1/Admin(config-pmap-ftp-ins-m)#
Related Commands This command has no related commands.
Policy Map FTP Inspection Class Configuration Mode Commands
Use the policy map File Transfer Protocol (FTP) inspection class configuration mode to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 7 FTP inspection class map. To access policy map FTP inspection class configuration mode, use the class command in the policy map FTP inspection configuration mode (see the (config-pmap-ftp-ins) class command for details). The prompt changes from (config-pmap-ftp-ins) to (config-pmap-ftp-ins-c).
The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
(config-pmap-ftp-ins-c) deny
To deny the FTP request commands specified in the class map by resetting the FTP session, use the deny
command. Use the no form of this command to return to the default state and permit all FTP request
commands to pass.
deny
no deny
Syntax Description This command has no keywords or arguments.
Command Modes Policy map FTP inspection class configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to deny the FTP request commands specified in the Layer 7 FTP inspection class map by resetting the FTP session, enter:
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)# deny
Related Commands This command has no related commands.
(config-pmap-ftp-ins-c) mask-reply
To instruct the ACE to mask the reply to the FTP SYST command by filtering sensitive information from
the command output, use the mask-reply command. Use the no form of this command to disable the
masking of the system reply to the FTP SYST command.
mask-reply
no mask-reply
Syntax Description This command has no keywords or arguments.
Command Modes Policy map FTP inspection class configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines The mask-reply command is applicable only to the FTP SYST command and its associated reply. The SYST command is used to find out the FTP server's operating system type.
Examples To instruct the ACE to mask the reply to the FTP SYST command, enter:
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)# mask-reply
Related Commands This command has no related commands.
Policy Map FTP Inspection Match Configuration Mode Commands
Policy map FTP inspection match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map FTP inspection match configuration mode, use the match request-method command in policy map FTP inspection configuration mode (see the (config-pmap-ftp-ins) match request-method command for details). The prompt changes from (config-pmap-ftp-ins) to (config-pmap-ftp-ins-m).
The inline Layer 7 policy map match commands allow you to include a single inline match criteria in
the policy map without specifying a traffic class. The match commands function the same as with the
Layer 7 class map match commands. However, when you use an inline match command, you can
specify an action for only a single match command in the Layer 7 policy map.
The commands in this mode require the inspect feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
(config-pmap-ftp-ins-m) deny
To deny the FTP request commands specified in the inline match command by resetting the FTP session,
use the deny command. By default, the ACE allows all FTP commands to pass. Use the no form of this
command to return to the default state and permit all FTP request commands to pass.
deny
no deny
Syntax Description This command has no keywords or arguments.
Command Modes Policy map FTP inspection match configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to deny the FTP request command specified in the inline match command by resetting the FTP session, enter:
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method mkd
host1/Admin(config-pmap-ftp-ins-m)# deny
Related Commands This command has no related commands.
(config-pmap-ftp-ins-m) mask-reply
To instruct the ACE to mask the system’s reply to the FTP SYST command by filtering sensitive
information from the command output, use the mask-reply command. Use the no form of this command
to disable the masking of the system reply to the FTP SYST command.
mask-reply
no mask-reply
Syntax Description This command has no keywords or arguments.
Command Modes Policy map FTP inspection match configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines The mask-reply command is applicable only to the FTP SYST command and its associated reply. The SYST command is used to find out the FTP server's operating system type.
Examples To instruct the ACE to mask the system's reply to the FTP SYST command, enter:
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method syst
host1/Admin(config-pmap-ftp-ins-m)# mask-reply
Related Commands This command has no related commands.
Policy Map Inspection HTTP Configuration Mode Commands
Policy map inspection HTTP configuration mode commands allow you to define a policy map that initiates the deep packet inspection of the HTTP protocol by the ACE. The ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request.
To create an HTTP deep packet inspection policy map and access policy map inspection HTTP
configuration mode, use the policy-map type inspect http all-match command in configuration mode.
When you access the policy map inspection HTTP configuration mode, the prompt changes to
(config-pmap-ins-http). Use the no form of this command to remove an HTTP deep packet inspection
policy map from the ACE.
policy-map type inspect http all-match map_name
no policy-map type inspect http all-match map_name
Syntax Description
map_name   Name assigned to the Layer 7 HTTP deep packet inspection policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You associate the Layer 7 HTTP deep packet inspection policy map within a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can only be associated within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface.
To associate the Layer 7 HTTP inspection policy map, you nest it by using the Layer 3 and Layer 4 inspect http command (see the (config-pmap-c) inspect command).
Examples To create a Layer 7 HTTP deep packet inspection policy map, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)#
Related Commands show startup-config
(config) class-map
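The usage guidelines of this command and of the policy-map type inspect ftp first-match command both make the same point: a Layer 7 inspection policy map is only an entry point, and it has to be nested under a Layer 3 and Layer 4 policy map with the inspect command before anything can be activated on a VLAN interface. The following end-to-end configuration is an added worked example, not taken from this reference or from any Cisco configuration, that ties the FTP and HTTP inspection commands of this chapter together from class map to interface. The Layer 7 commands (class, match ... request-method, deny, mask-reply, match ... content, match content-type-verification, class class-default, permit, reset) are the ones documented in this chapter. Everything else is an assumption made for the example: the class-map type ftp inspect, class-map type http inspect, class-map match-all, policy-map multi-match, access-list, interface vlan and service-policy commands, all object names, the VLAN number, the IP addresses (RFC 5737 documentation range) and the 4096-byte content-length threshold. Lines beginning with ! are annotations for the reader, not CLI input.

```cisco
! --- Layer 7 FTP inspection (first-match) ------------------------------
! Assumed class map listing the FTP commands that must never reach the
! server (dele, rmd and site are the destructive or server-specific ones).
class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
  match request-method dele
  match request-method rmd
  match request-method site

policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
  description FTP command inspection of incoming traffic
  class FTP_INSPECT_L7CLASS
    deny
  ! Inline match: SYST is still allowed, but the server OS banner in its
  ! reply is masked so the client cannot fingerprint the server.
  match SYST_MATCH request-method syst
    mask-reply

! --- Layer 7 HTTP deep packet inspection (all-match) -------------------
! Assumed class map: reset if the declared Content-Type does not match the
! body, or if the body is larger than 4096 bytes (match-any, so either
! condition on its own is enough).
class-map type http inspect match-any HTTP_INSPECT_L7CLASS
  match content-type-verification
  match content length gt 4096

policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
  description HTTP protocol deep inspection of incoming traffic
  class HTTP_INSPECT_L7CLASS
    reset
  ! Inline content match, reusing the expression from the match content
  ! example in this chapter.
  match MATCH1 content .*newp2psig
    reset
  ! Requests that match nothing above are allowed through.
  class class-default
    permit

! --- Layer 3 and Layer 4 entry point -----------------------------------
! Assumed Layer 3/4 class maps that select the traffic to inspect.
class-map match-all L4_FTP_CLASS
  match port tcp eq 21
class-map match-all L4_HTTP_CLASS
  match port tcp eq 80

! Only a Layer 3/4 policy map can be applied to an interface; the Layer 7
! policy maps are nested here with inspect ftp strict and inspect http.
policy-map multi-match L4_INSPECT_POLICY
  class L4_FTP_CLASS
    inspect ftp strict policy FTP_INSPECT_L7POLICY
  class L4_HTTP_CLASS
    inspect http policy HTTP_INSPECT_L7POLICY

! The ACE does not forward transit traffic without an ACL on the interface.
! This permit-any ACL is an assumption; narrow it to the protected servers.
access-list INSPECT_ACL line 10 extended permit ip any any

interface vlan 200
  ip address 192.0.2.1 255.255.255.0
  access-group input INSPECT_ACL
  service-policy input L4_INSPECT_POLICY
  no shutdown
```

Two points worth keeping in mind when reading the result. In the first-match FTP policy the class and inline match statements are evaluated in configuration order and only the first hit acts, and deny resets the TCP session rather than returning an FTP error code, so a client that sends DELE sees a dropped connection, not a 5xx reply. In the all-match HTTP policy every matching class or inline match is evaluated until one resets, and as the class command notes, class class-default is applied only to requests, so it does not grant a permit to server responses.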
(config-pmap-ins-http) class
To associate a Layer 7 HTTP inspection class map with a Layer 7 HTTP inspection policy map, use the
class command. The prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-c). Use the
no form of this command to remove an associated class map from a policy map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2] | class-default}
Syntax Description
name1                 Name of a previously defined Layer 7 HTTP inspection class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
insert-before name2   (Optional) Places the current class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration.
class-default         Associates a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it that enables it to match all traffic.
                      Note By default, all matches are applied to both HTTP request and response messages, but the class class-default command is applied only to HTTP requests.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate a Layer 7 HTTP inspection class map with a Layer 7 HTTP inspection policy map, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# class HTTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-http-c)#
Related Commands (config-pmap-ins-http) description
(config-pmap-ins-http) description
To provide a brief summary about the Layer 7 HTTP inspection policy map, use the description command. Use the no form of this command to remove the description from the policy map.
description text
no description
Syntax Description
text   Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the policy map is to perform HTTP deep packet inspection, enter:
host1/Admin(config-pmap-ins-http)# description HTTP protocol deep inspection of incoming traffic
Related Commands (config-pmap-ins-http) class
(config-pmap-ins-http) match content
To configure the Layer 7 HTTP inspection policy map to define HTTP application inspection decisions
based on content expressions contained within the HTTP entity body, use the match content command.
Use the no form of this command to clear content expression-checking match criteria from the policy
map.
match name content expression [offset number] [insert-before map_name]
no match name
Syntax Description
name                     Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
expression               Content expression contained within the HTTP entity body. The range is from 1 to 255 alphanumeric characters. See the "Usage Guidelines" section for a list of the supported characters that you can use in regular expressions.
offset number            (Optional) Provides an absolute offset where the content expression search string starts. The offset starts at the first byte of the message body, after the empty line (CR, LF, CR, LF) between the headers and the body of the message. The offset value is from 1 to 4000 bytes.
insert-before map_name   (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
ACE Appliance Release   Modification
A1(7)                   This command was introduced.
Usage Guidelines When you use the match content command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
The ACE supports regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces, if the spaces are escaped or quoted. Table 1-21 lists the supported characters that you can use in regular expressions.
Examples To specify a content expression contained within the entity body sent with an HTTP request, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH1 content .*newp2psig
host1/Admin(config-pmap-ins-http-m)#
Related Commands This command has no related commands.

Table 1-21 Characters Supported in Regular Expressions
Convention          Description
.*                  Zero or more characters.
.                   Exactly one character.
\.                  Escaped character.
\xhh                Any ASCII character as specified in two-digit hex notation.
()                  Expression grouping.
[0-9]               Bracketed range: matches any single character from the range.
[^charset]          A leading ^ in a range: does not match any character in the range; all other characters represent themselves.
(expr1 | expr2)     OR of expressions.
(expr)*             0 or more of expressions.
(expr)+             1 or more of expressions.
(expr){m,n}         Matches the previous item between m and n times; valid entries are from 0 to 255.
(expr){m}           Matches the previous item exactly m times; valid entries are from 1 to 255.
(expr){m,}          Matches the previous item m or more times; valid entries are from 1 to 255.
\a                  Alert (ASCII 7).
\b                  Backspace (ASCII 8).
\f                  Form-feed (ASCII 12).
\n                  New line (ASCII 10).
\r                  Carriage return (ASCII 13).
\t                  Tab (ASCII 9).
\v                  Vertical tab (ASCII 11).
\0                  Null (ASCII 0).
\\                  Backslash.
(config-pmap-ins-http) match content length
To configure the Layer 7 HTTP inspection policy map to define application inspection decisions in the
HTTP content up to the configured maximum content parse length, use the match content length
command. Use the no form of this command to clear the HTTP content length match criteria from the
policy map.
match name content length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2} [insert-before map_name]
no match name
Syntax Description
name                     Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
eq bytes                 Specifies a value for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length equal to the specified value. Valid entries are from 1 to 65535 bytes.
gt bytes                 Specifies a minimum value for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length greater than the specified value. Valid entries are from 1 to 65535 bytes.
lt bytes                 Specifies a maximum value for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length less than the specified value. Valid entries are from 1 to 65535 bytes.
range bytes1 bytes2      Specifies a size range for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length within this range. The range is from 1 to 65535 bytes.
insert-before map_name   (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
Usage Guidelines Messages that meet the specified criteria will be either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action.
When you use the match content length command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
Examples To define application inspection decisions in the HTTP content up to the configured maximum content parse length, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH2 content length eq 3495
host1/Admin(config-pmap-ins-http-m)#
Related Commands This command has no related commands.
(config-pmap-ins-http) match content-type-verification
To verify that the MIME type declared in the Content-Type header of an HTTP message matches the actual content of the message body, use the match content-type-verification command. Use the no form of this command to clear the MIME-type match criteria from the policy map.
match name content-type-verification [insert-before map_name]
no match name
Syntax Description
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
ACE Appliance Release Modification
A1(7) This command was introduced.
name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.2-936
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Policy Map Inspection HTTP Configuration Mode Commands
Command History
Usage Guidelines When you use the match content-type-verification command, you access the policy map inspection
HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to
(config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network
traffic matches the specified inline match command. For information about commands in this mode, see
the “Policy Map Inspection HTTP Match Configuration Mode Commands” section.
This inline match condition limits the MIME types in HTTP messages allowed through the ACE. It
verifies that the header MIME-type value is in the internal list of supported MIME types and that the
header MIME type matches the actual content in the data or entity body portion of the message. If they
do not match, the ACE performs either the permit or reset policy map action.
The MIME-type HTTP inspection process searches the entity body of the HTTP message, which may
degrade performance of the ACE.
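The check this inline match performs, modelled in Python as an added illustration (not code from the ACE or from this reference): the Content-Type header must be in a supported list and must agree with the leading bytes of the entity body, and the configured policy action fires when either check fails. The supported-type subset, the signature table, and the treatment of a missing header are assumptions of the example.

```python
import re

# Constructed subset of the ACE's supported MIME-type list (the page writes the types
# with a backslash, e.g. image\jpeg; on the wire the separator is a slash).
SUPPORTED_MIME_TYPES = {
    "image/jpeg", "image/png", "image/gif", "text/html", "text/plain",
    "application/pdf", "application/zip", "application/x-gzip", "audio/mpeg",
}

# Constructed leading-byte signatures used to confirm the body is what the header
# claims.  The ACE's real content-detection table is not documented on the page;
# these signatures are this example's assumption.
SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
    "application/zip": (b"PK\x03\x04",),
    "application/x-gzip": (b"\x1f\x8b",),
}


def parse_content_type(value):
    """Lowercase media type without parameters: 'text/html; charset=utf-8' -> 'text/html'."""
    return value.split(";", 1)[0].strip().lower()


def body_matches(mime_type, body):
    """True when the entity body is consistent with the declared MIME type."""
    if mime_type in SIGNATURES:
        return any(body.startswith(sig) for sig in SIGNATURES[mime_type])
    if mime_type.startswith("text/"):
        # Text types must not carry NUL or control bytes other than tab, CR and LF.
        return re.search(rb"[\x00-\x08\x0b\x0c\x0e-\x1f]", body) is None
    return True  # no signature known: only list membership is enforced


def verify_content_type(headers, body):
    """The inline match condition.  Returns (condition_matched, reason); the condition
    matches, i.e. the policy action fires, when the header fails either check."""
    value = headers.get("content-type")
    if value is None:
        return False, "no Content-Type header to verify"  # assumption: nothing to check
    mime_type = parse_content_type(value)
    if mime_type not in SUPPORTED_MIME_TYPES:
        return True, "MIME type %s not in supported list" % mime_type
    if not body_matches(mime_type, body):
        return True, "body does not look like %s" % mime_type
    return False, "header and body agree"


def content_type_verification(headers, body, action="reset"):
    """Apply the policy map action ('permit' or 'reset') configured for the match."""
    matched, _ = verify_content_type(headers, body)
    return action if matched else "permit"
```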
Examples To verify that the MIME type in the header matches the content of the message, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH3 content-type-verification
host1/Admin(config-pmap-ins-http-m)#
Related Commands This command has no related commands.
(config-pmap-ins-http) match cookie secondary
To configure a policy map to define HTTP inspection decisions based on the name or prefix and value
of a secondary cookie (URL query string), use the match cookie secondary command. Use the no form
of this command to clear secondary cookie match criteria from the class map.
match name cookie secondary [name cookie_name | prefix prefix_name] value expression
[insert-before map_name]
no match name cookie secondary [name cookie_name | prefix prefix_name] value expression
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
name cookie_name Identifier of the secondary cookie to match. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
prefix prefix_name Prefix of the secondary cookie to match. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
value expression Regular expression of the secondary cookie to match. Enter an
unquoted text string with no spaces and a maximum of 255
alphanumeric characters.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The following configuration guidelines apply when you configure a secondary cookie inline match
statement for HTTP inspection:
• Ensure that secondary cookie names do not overlap with other secondary cookie names in the same
match-all class map. For example, the following configuration is not allowed because the two match
statements have overlapping cookie names:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-insp-http)# match cookie secondary prefix id value .*
host1/Admin(config-pmap-insp-http-m)# exit
host1/Admin(config-pmap-insp-http)# match cookie secondary name identity value bob
• When you configure a secondary cookie value match across all secondary cookie names in a
match-all class map, you cannot configure any other secondary cookie match in the same class map.
That is because a secondary cookie match on value alone is equivalent to a wildcard match on name.
In the following example, the second match statement is not allowed:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-insp-http)# match cookie secondary value bob
host1/Admin(config-pmap-insp-http-m)# exit
host1/Admin(config-pmap-insp-http)# match cookie secondary name identity value jane
Examples To match a secondary cookie called “matchme” with a regular expression value of .*abc123, enter the
following commands:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-insp-http)# match cookie secondary name matchme value .*abc123
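The secondary-cookie match and the two configuration guidelines above, modelled in Python as an added example (not ACE code): secondary cookies are the key=value pairs of the URL query string, a value-only statement is treated as a wildcard on name, and name/prefix pairs that overlap in a match-all set are reported as conflicts. The class name, the use of Python's re.fullmatch for the ACE's regular expressions, and the conflict-reporting format are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class SecondaryCookieMatch:
    """One 'match <name> cookie secondary [name X | prefix P] value EXPR' statement."""
    match_name: str
    value: str                     # regular expression for the cookie value
    name: Optional[str] = None     # exact secondary-cookie name
    prefix: Optional[str] = None   # secondary-cookie name prefix

    def __post_init__(self):
        # Limits taken from the syntax description: 64-character names, 255-character
        # expressions, no spaces, and name/prefix are alternatives.
        if self.name is not None and self.prefix is not None:
            raise ValueError("name and prefix are mutually exclusive")
        if len(self.value) > 255 or " " in self.value:
            raise ValueError("value expression: max 255 characters, no spaces")
        for n in (self.name, self.prefix):
            if n is not None and (len(n) > 64 or " " in n):
                raise ValueError("cookie name/prefix: max 64 characters, no spaces")

    def is_wildcard(self):
        """A statement with neither name nor prefix matches on value across all names."""
        return self.name is None and self.prefix is None

    def covers(self, cookie_name):
        """True when this statement applies to a secondary cookie of that name."""
        if self.name is not None:
            return cookie_name == self.name
        if self.prefix is not None:
            return cookie_name.startswith(self.prefix)
        return True

    def matches(self, url):
        """True when some secondary cookie (query parameter) satisfies name and value."""
        pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
        return any(self.covers(k) and re.fullmatch(self.value, v) is not None
                   for k, v in pairs)


def overlaps(a, b):
    """True when some cookie name could be covered by both statements."""
    if a.is_wildcard() or b.is_wildcard():
        return True
    if a.name is not None and b.name is not None:
        return a.name == b.name
    if a.name is not None:
        return a.name.startswith(b.prefix)
    if b.name is not None:
        return b.name.startswith(a.prefix)
    return a.prefix.startswith(b.prefix) or b.prefix.startswith(a.prefix)


def validate_match_all(statements: List[SecondaryCookieMatch]) -> List[Tuple[str, str]]:
    """Return the pairs of statements that the guidelines forbid in one match-all set."""
    conflicts = []
    for i, a in enumerate(statements):
        for b in statements[i + 1:]:
            if overlaps(a, b):
                conflicts.append((a.match_name, b.match_name))
    return conflicts
```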
Related Commands (config-cmap-http-insp) match cookie secondary
(config-pmap-ins-http) match header
To define HTTP deep packet inspection decisions based on the name and value in an HTTP header, use
the match header command. The ACE performs regular expression matching against the received
packet data from a particular connection based on the HTTP header expression. Use the no form of this
command to clear an HTTP header match criteria from the policy map.
match name header {header_name | header_field} header-value expression [insert-before
map_name]
no match name header
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
header_name Name of the HTTP header to match (for example,
www.example1.com). The range is from 1 to 64 alphanumeric
characters.
Note The header_name argument cannot include the colon in the
name of the HTTP header; the ACE rejects the colon as an
invalid token.
header_field Standard HTTP/1.1 header field. Valid selections include
request-header fields, general-header fields, and entity-header fields.
Selections also include two lower-level header-matching commands:
“length” and “mime-type.” The supported selections are as follows:
• Accept—Semicolon-separated list of representation schemes
(content type metainformation values) that will be accepted in
the response to the request.
• Accept-Charset—Character sets that are acceptable for the
response. This field allows clients capable of understanding
more comprehensive or special-purpose character sets to signal
that capability to a server that can represent documents in those
character sets.
• Accept-Encoding—Restricts the content encoding that a user
will accept from the server.
• Accept-Language—ISO code for the language in which the
document is written. The language code is an ISO 3316 language
code with an optional ISO639 country code to specify a national
variant.
• Authorization—Specifies that the user agent wants to
authenticate itself with a server, usually after receiving a
401 response.
• Cache-Control—Directives that must be obeyed by all caching
mechanisms along the request/response chain. The directives
specify behavior intended to prevent caches from adversely
interfering with the request or response.
• Connection—Allows the sender to specify connection options.
• Content-MD5—MD5 digest of the entity body that provides an
end-to-end integrity check. Only a client or an origin server can
generate this header field.
• Expect—Used by a client to inform the server about the
behaviors that the client requires.
• From—Contains the e-mail address of the person that controls
the requesting user agent.
• Host—Internet host and port number of the resource being
requested, as obtained from the original URI given by the user or
referring resource. The Host field value must represent the
naming authority of the origin server or gateway given by the
original URL.
• If-Match—Used with a method to make it conditional. A client
that has one or more entities previously obtained from the
resource can verify that one of those entities is current by
including a list of their associated entity tags in the If-Match
header field. This feature allows efficient updates of cached
information with a minimum amount of transaction overhead. It
is also used on updating requests to prevent inadvertent
modification of the wrong version of a resource. As a special
case, the value “*” matches any current entity of the resource.
• length—See the (config-pmap-ins-http) match header length
command for details.
• mime-type—See the (config-pmap-ins-http) match header
mime-type command for details.
• Pragma—Pragma directives that are understood by servers to
whom the directives are relevant. The syntax is the same as for
other multiple-value fields in HTTP. For example, the accept
field is a comma-separated list of entries for which the optional
parameters are separated by semicolons.
• Referer—Address (URI) of the resource from which the URI in
the request was obtained.
• Transfer-Encoding—Indicates what (if any) type of
transformation has been applied to the message body in order to
safely transfer it between the sender and the recipient.
• User-Agent—Information about the user agent (for example, a
software program that originates the request). This information
is for statistical purposes, the tracing of protocol violations, and
automated recognition of user agents.
• Via—Used by gateways and proxies to indicate the intermediate
protocols and recipients between the user agent and the server on
requests and between the origin server and the client on
responses.
header-value expression Specifies the header value expression string to compare against the
value in the specified field in the HTTP header. The range is from 1 to
255 alphanumeric characters. For a list of supported characters that
you can use in regular expressions, see the “Usage Guidelines”
section for the (config-pmap-ins-http) match content command.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you use the match header command, you access the policy map inspection HTTP match
configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m).
You can then specify the actions that the ACE should take when network traffic matches the specified
inline match command. For information about commands in this mode, see the “Policy Map Inspection
HTTP Match Configuration Mode Commands” section.
The ACE supports the use of regular expressions for matching. Expressions are stored in a header map
in the form header-name: expression. Header expressions allow spaces, if the spaces are escaped or
quoted. For a list of supported characters that you can use in regular expressions, see the “Usage
Guidelines” section for the (config-pmap-ins-http) match content command.
Examples To filter on the content and allow HTTP headers that contain the expression html, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH4 header accept header-value html
host1/Admin(config-pmap-ins-http-m)#
Related Commands This command has no related commands.
(config-pmap-ins-http) match header length
To limit the HTTP traffic allowed through the ACE based on the length of the entity body in the HTTP
message, use the match header length command. Messages will be either allowed or denied based on
the Layer 7 HTTP deep packet inspection policy map action. Use the no form of this command to clear
an HTTP header length match criteria from the policy map.
match name header length {request | response} {eq bytes | gt bytes | lt bytes | range bytes1 bytes2}
[insert-before map_name]
no match name
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
request Specifies the size of the HTTP header request message that can be
received by the ACE.
response Specifies the size of the HTTP header response message sent by the
ACE.
eq bytes Specifies a value for the entity body in an HTTP message received by
the ACE. Based on the policy map action, the ACE allows or denies
messages with an entity body size equal to the specified value. Valid
entries are from 1 to 65535 bytes.
gt bytes Specifies a minimum value for the entity body in an HTTP message
received by the ACE. Based on the policy map action, the ACE allows
or denies messages with an entity body size greater than the specified
value. Valid entries are from 1 to 65535 bytes.
lt bytes Specifies a maximum value for the entity body in an HTTP message
received by the ACE. Based on the policy map action, the ACE allows
or denies messages with an entity body size less than the specified
value. Valid entries are from 1 to 65535 bytes.
range bytes1 bytes2 Specifies a size range for the entity body in an HTTP message
received by the ACE. Based on the policy map action, the ACE allows
or denies messages with an entity body size within this range. The
range is from 1 to 65535 bytes.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you use the match header length command, you access the policy map inspection HTTP match
configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m).
You can then specify the actions that the ACE should take when network traffic matches the specified
inline match command.
By default, the maximum header length for HTTP deep packet inspection is 2048 bytes. For information
about commands in this mode, see the “Policy Map Inspection HTTP Match Configuration Mode
Commands” section.
Examples To specify that the policy map match on HTTP traffic received with a length less than or equal to
3600 bytes in the entity body of the HTTP message, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH4 header length request eq 3600
host1/Admin(config-pmap-ins-http-m)#
Related Commands This command has no related commands.
(config-pmap-ins-http) match header mime-type
To specify a subset of the MIME-type messages that the ACE permits or denies based on the actions in
the policy map, use the match header mime-type command. Use the no form of this command to
deselect the specified Multipurpose Internet Mail Extension (MIME) message match criteria from the
policy map.
match name header mime-type mime_type [insert-before map_name]
no match name
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
mime_type MIME type. The ACE includes a predefined list of MIME types, such
as image\Jpeg, text\html, application\msword, or audio\mpeg.
Choose whether only the MIME types included in this list are
permitted through the ACE firewall or whether all MIME types are
acceptable. The default behavior is to allow all MIME types.
The supported MIME types are as follows:
• application\msexcel
• application\mspowerpoint
• application\msword
• application\octet-stream
• application\pdf
• application\postscript
• application\x-gzip
• application\x-java-archive
• application\x-java-vm
• application\x-messenger
• application\zip
• audio\*
• audio\basic
• audio\midi
• audio\mpeg
• audio\x-adpcm
• audio\x-aiff
• audio\x-ogg
• audio\x-wav
• image\*
• image\gif
• image\jpeg
• image\png
• image\tiff
• image\x-3ds
• image\x-bitmap
• image\x-niff
• image\x-portable-bitmap
• image\x-portable-greymap
• image\x-xpm
• text\*
• text\css
• text\html
• text\plain
• text\richtext
• text\sgml
• text\xmcd
• text\xml
• video\*
• video\flc
• video\mpeg
• video\quicktime
• video\sgi
• video\x-fli
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you use the match header mime-type command, you access the policy map inspection HTTP
match configuration mode and the prompt changes from (config-pmap-ins-http) to
(config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network
traffic matches the specified inline match command. For information about commands in this mode, see
the “Policy Map Inspection HTTP Match Configuration Mode Commands” section.
MIME-type validation extends the format of Internet mail to allow non-US-ASCII textual messages,
nontextual messages, multipart message bodies, and non-US-ASCII information in message headers.
Examples To specify that the policy map permits MIME-type audio/midi messages through the ACE, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH5 header mime-type audio\midi
host1/Admin(config-pmap-ins-http-m)#
Related Commands This command has no related commands.
(config-pmap-ins-http) match port-misuse
To define HTTP deep packet inspection compliance decisions that restrict certain HTTP traffic from
passing through the ACE, use the match port-misuse command. Use the no form of this command to
clear the HTTP restricted application category match criteria from the policy map.
match name port-misuse {im | p2p | tunneling} [insert-before map_name]
no match name
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
im Defines the instant messaging application category. The ACE checks
for the Yahoo Messenger instant messaging application.
p2p Defines the peer-to-peer application category. The applications
checked include Kazaa and Gnutella.
(ACE appliance only) The applications checked also include
GoToMyPC.
tunneling Defines the tunneling application category. The applications checked
include HTTPort/HTTHost, GNU httptunnel, and FireThru.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The policy map detects the misuse of port 80 (or any other port running HTTP) for tunneling protocols
such as peer-to-peer (p2p) applications, tunneling applications, and instant messaging.
When you use the match port-misuse command, you access the policy map inspection HTTP match
configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m).
You can then specify the actions that the ACE should take when network traffic matches the specified
inline match command. For information about commands in this mode, see the “Policy Map Inspection
HTTP Match Configuration Mode Commands” section.
The port misuse application inspection process searches the entity body of the HTTP message, which
may degrade performance of the ACE.
The ACE disables the match port-misuse command by default. If you do not configure a restricted
HTTP application category, the default action by the ACE is to allow the applications without generating
a log.
Examples To specify that the policy map identifies peer-to-peer applications as restricted HTTP traffic, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH6 port-misuse p2p
host1/Admin(config-pmap-ins-http-m)#
Related Commands This command has no related commands.
(config-pmap-ins-http) match request-method
To define HTTP deep packet inspection compliance decisions based on the request methods defined in
RFC 2616 and by HTTP extension methods, use the match request-method command. If the HTTP
request method or extension method compliance check fails, the ACE denies or resets the specified
HTTP traffic based on the policy map action. Use the no form of this command to clear the HTTP request
method match criteria from the policy map.
match name request-method {ext method | rfc method} [insert-before map_name]
no match name
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
ext method Specifies an HTTP extension method. If the request message
does not contain one of the RFC 2616 HTTP request methods, the
ACE verifies whether it is an extension method. The ACE supports the
inspection of the following HTTP request extension methods: bcopy,
bdelete, bmove, bpropfind, bproppatch, copy, edit, getattr,
getattrname, getprops, index, lock, mkcol, mkdir, move,
propfind, proppatch, revadd, revlabel, revlog, revnum, save,
search, setattr, startrev, stoprev, unedit, and unlock.
(ACE module only) The ACE also supports the inspection of the
following HTTP request extension methods: notify, poll, subscribe,
unsubscribe, and x-ms-emumatts.
rfc method Specifies an RFC 2616 HTTP request method on which you want to
perform an RFC compliance check. The ACE supports the inspection
of the following RFC 2616 HTTP request methods: connect, delete,
get, head, options, post, put, and trace.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you use the match request-method command, you access the policy map inspection HTTP match
configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m).
You can then specify the actions that the ACE should take when network traffic matches the specified
inline match command. For information about commands in this mode, see the “Policy Map Inspection
HTTP Match Configuration Mode Commands” section.
For unsupported HTTP request methods, include the inspect http strict command as an action in the
Layer 3 and Layer 4 policy map (see (config-pmap-c) inspect command).
The ACE disables the match request-method command by default. If you do not configure a request
method, the default action by the ACE is to allow the RFC 2616 HTTP request method without
generating a log. By default, the ACE allows all request and extension methods.
Examples To specify that the policy map identifies the index HTTP RFC 2616 protocol for application inspection,
enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH7 request-method ext index
host1/Admin(config-pmap-ins-http-m)#
Related Commands This command has no related commands.
(config-pmap-ins-http) match strict-http
To ensure that the internal compliance checks verify message compliance with the HTTP RFC standard,
RFC 2616, use the match strict-http command. If the HTTP message is not compliant, the ACE denies
or resets the specified HTTP traffic based on the policy map action. Use the no form of this command
to clear the HTTP RFC standard, RFC 2616, match criteria from the policy map.
match name strict-http [insert-before map_name]
no match name
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples When you use the match strict-http command, you access the policy map inspection HTTP match
configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m).
You can then specify the actions that the ACE should take when network traffic matches the specified
inline match command. For information about commands in this mode, see the “Policy Map Inspection
HTTP Match Configuration Mode Commands” section.
To configure the policy map to ensure that the internal compliance checks verify message compliance
with the HTTP RFC standard, RFC 2616, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH8 strict-http
host1/Admin(config-pmap-ins-http-m)#
Related Commands This command has no related commands.
(config-pmap-ins-http) match transfer-encoding
To define HTTP deep packet inspection decisions that limit the HTTP transfer-encoding types that can
pass through the ACE, use the match transfer-encoding command. Use the no form of this command
to clear the HTTP transfer-encoding type match criteria from the policy map.
match name transfer-encoding coding_types [insert-before map_name]
no match name
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
transfer-encoding coding_types Specifies the HTTP transfer-encoding type for the class map. The
possible values for coding_types are as follows:
• chunked—Message body transferred as a series of chunks.
• compress—Encoding format produced by the common UNIX
file compression program “compress.” This format is an adaptive
Lempel-Ziv-Welch coding (LZW).
• deflate—The zlib format defined in RFC 1950 with the deflate
compression mechanism described in RFC 1951.
• gzip—Encoding format produced by the file compression
program gzip (GNU zip) as described in RFC 1952. This format
is a Lempel-Ziv coding (LZ77) with a 32-bit CRC.
• identity—Default (identity) encoding, which does not require
the use of transformation.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you use the match transfer-encoding command, you access the policy map inspection HTTP
match configuration mode and the prompt changes from (config-pmap-ins-http) to
(config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network
traffic matches the specified inline match command. For information about commands in this mode, see
the “Policy Map Inspection HTTP Match Configuration Mode Commands” section.
The transfer-encoding general-header field indicates the type of transformation, if any, that has been
applied to the HTTP message body to safely transfer it between the sender and the recipient. When an
HTTP request message contains the configured transfer-encoding type, the ACE performs the configured
action in the policy map.
Each match transfer-encoding command configures a single application type.
The ACE disables the match transfer-encoding command by default.
Examples To configure the policy map to specify a chunked HTTP transfer encoding type to limit the HTTP traffic
that flows through the ACE, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH9 transfer-encoding chunked
host1/Admin(config-pmap-ins-http-m)#
Related Commands This command has no related commands.
(config-pmap-ins-http) match url
To define HTTP deep packet inspection decisions based on the URL name and, optionally, the HTTP
method, use the match url command. HTTP performs regular expression matching against the received
packet data from a particular connection based on the URL expression. Use the no form of this command
to remove the URL name match criteria from the policy map.
match name url expression [insert-before map_name]
no match name
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
expression URL, or portion of a URL, to match. The URL string range is from 1
to 256 characters. Include only the portion of the URL that follows
www.hostname.domain in the match statement.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you use the match url command, you access the policy map inspection HTTP match configuration
mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then
specify the actions that the ACE should take when network traffic matches the specified inline match
command. For information about commands in this mode, see the “Policy Map Inspection HTTP Match
Configuration Mode Commands” section.
Include only the portion of the URL that follows www.hostname.domain in the match statement. For
example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.
To match the www.anydomain.com portion, the URL string can take the form of a URL regular
expression. The ACE supports the use of regular expressions for matching. For a list of the supported
characters that you can use in regular expressions, see the “Usage Guidelines” section for the
(config-pmap-ins-http) match content command.
The period (.) does not have a literal meaning in regular expressions. Use either brackets ([]) or the
backslash (\) character to match this symbol. For example, specify www[.]xyz[.]com instead of
www.xyz.com.
Examples To configure the policy map to define application inspection decisions based on a URL, enter:
(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH_URL url whatsnew/latest.*
host1/Admin(config-pmap-ins-http-m)#
Related Commands This command has no related commands.
(config-pmap-ins-http) match url length
To limit the HTTP traffic allowed through the ACE by specifying the maximum length of a URL in a
request message that can be received by the ACE, use the match url length command. Messages will be
either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action. Use the
no form of this command to clear a URL length match criteria from the policy map.
match name url length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2} [insert-before
map_name]
no match name
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
eq bytes Specifies a value for the HTTP URL length received by the ACE.
Based on the policy map action, the ACE allows or denies messages
with an HTTP URL length equal to the specified value. Valid entries
are from 1 to 65535 bytes.
gt bytes Specifies a minimum value for the HTTP URL length received by the
ACE. Based on the policy map action, the ACE allows or denies
messages with an HTTP URL length greater than the specified value.
Valid entries are from 1 to 65535 bytes.
lt bytes Specifies a maximum value for the HTTP URL length received by the
ACE. Based on the policy map action, the ACE allows or denies
messages with an HTTP URL length less than the specified value.
Valid entries are from 1 to 65535 bytes.
range bytes1 bytes2 Specifies a size range for the HTTP URL length received by the ACE.
Based on the policy map action, the ACE allows or denies messages
with an HTTP URL length within this range. The range is from 1 to
65535 bytes.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you use the match url length command, you access the policy map inspection HTTP match
configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m).
You can then specify the actions that the ACE should take when network traffic matches the specified
inline match command. For information about commands in this mode, see the “Policy Map Inspection
HTTP Match Configuration Mode Commands” section.
Examples To specify that the policy map is to match on a URL with a length less than or equal to 10,000 bytes in
the request message, enter:
(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH10 url length eq 10000
host1/Admin(config-pmap-ins-http-m)#
Related Commands This command has no related commands.
Policy Map Inspection HTTP Class Configuration Mode Commands
Policy map inspection HTTP class configuration mode commands allow you to specify the actions that
the ACE should take when network traffic matches one or more match statements in the associated
Layer 7 HTTP deep packet inspection class map. To access policy map inspection HTTP class
configuration mode, use the class command in policy map inspection HTTP configuration mode (see the
(config-pmap-ins-http) class command for details). The prompt changes from (config-pmap-ins-http)
to (config-pmap-ins-http-c).
The default of the ACE is to permit HTTP traffic. For example, if a policy map explicitly permits the
HTTP GET method, other methods such as PUT will also be permitted. Only an explicit deny through
the reset command is capable of dropping traffic.
The commands in this mode require the inspect feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
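Three behaviours documented above interact when an HTTP inspection policy is written: match url is a regular-expression search in which an unescaped period matches any character, match url length compares the URL size with eq, gt, lt or range, and traffic is permitted unless a matching condition carries an explicit reset. The following Python code is an added example written for this page, not Cisco ACE code; it models those rules as one ordered list of inline matches. The InspectPolicy class, the helper names (url_matcher, url_length_matcher, dot_caveat, length_checks, build_policy) and the sample URLs are this example's own assumptions, and the engine is a simplification of the ACE.

```python
import re
from typing import Callable, List, Optional, Tuple

# Added example, not Cisco ACE code: a small model of how an ACE-style HTTP
# inspection policy map evaluates inline match conditions. InspectPolicy,
# the helper names and the sample URLs below are this example's own.

Matcher = Callable[[str], bool]


def url_matcher(expression: str) -> Matcher:
    """match url <expression>: a regular-expression search over the URL."""
    pattern = re.compile(expression)
    return lambda url: pattern.search(url) is not None


def url_length_matcher(op: str, *bounds: int) -> Matcher:
    """match url length {eq|gt|lt|range}: compares the URL length in bytes."""
    if op not in ("eq", "gt", "lt", "range"):
        raise ValueError(f"unknown operator {op!r}")

    def check(url: str) -> bool:
        n = len(url.encode("utf-8"))
        if op == "eq":
            return n == bounds[0]
        if op == "gt":
            return n > bounds[0]
        if op == "lt":
            return n < bounds[0]
        return bounds[0] <= n <= bounds[1]  # range bytes1 bytes2

    return check


class InspectPolicy:
    """Ordered inline match conditions, each with a permit or reset action.
    Traffic is permitted unless a matching condition carries an explicit
    reset; class-default (when set) applies only when nothing else matched."""

    def __init__(self, class_default: Optional[str] = None) -> None:
        self.rules: List[Tuple[str, Matcher, str]] = []
        self.class_default = class_default

    def match(self, name: str, matcher: Matcher, action: str) -> "InspectPolicy":
        if action not in ("permit", "reset"):
            raise ValueError("action must be permit or reset")
        self.rules.append((name, matcher, action))
        return self

    def evaluate(self, url: str) -> Tuple[str, str]:
        """Return (action, name of the deciding rule) for a request URL."""
        permitted_by = None
        for name, matcher, action in self.rules:
            if matcher(url):
                if action == "reset":  # an explicit deny wins immediately
                    return ("reset", name)
                permitted_by = name  # a matching permit; keep evaluating
        if permitted_by is not None:
            return ("permit", permitted_by)
        if self.class_default is not None:
            return (self.class_default, "class-default")
        return ("permit", "default")  # ACE default: permit HTTP traffic


# 1. An unescaped period in a URL regex also matches look-alike hosts, which
#    is why the usage guidelines ask for www[.]xyz[.]com.
LOOSE = url_matcher("www.xyz.com")  # "." matches any character
STRICT = url_matcher(r"www[.]xyz[.]com")  # "[.]" matches a literal period


def dot_caveat(url: str) -> Tuple[bool, bool]:
    """Return (loose_match, strict_match) for one URL."""
    return (LOOSE(url), STRICT(url))


# 2. eq matches exactly one length; lt (or range) is what caps URL size.
EQ_10000 = url_length_matcher("eq", 10000)
LT_10000 = url_length_matcher("lt", 10000)


def length_checks(url: str) -> Tuple[bool, bool]:
    """Return (eq 10000 matched, lt 10000 matched) for one URL."""
    return (EQ_10000(url), LT_10000(url))


def build_policy() -> InspectPolicy:
    """Constructed policy: permit /latest/, reset long URLs, reset the rest."""
    return (InspectPolicy(class_default="reset")
            .match("MATCH_URL", url_matcher(r"^/latest/.*"), "permit")
            .match("MATCH10", url_length_matcher("gt", 2048), "reset"))


if __name__ == "__main__":
    print(dot_caveat("http://wwwXxyzXcom.example/"))  # (True, False)
    print(length_checks("/" + "a" * 9999))  # (True, False)
    print(build_policy().evaluate("/latest/" + "a" * 3000))  # ('reset', 'MATCH10')
    print(build_policy().evaluate("/admin/"))  # ('reset', 'class-default')
```

The two demonstrations correspond to the caveats in the entries above: LOOSE accepts a host with no periods at all, and EQ_10000 leaves every URL other than one of exactly 10,000 bytes untouched, so a size cap needs lt or range with a reset action, as build_policy() shows.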
(config-pmap-ins-http-c) passthrough log
To have the ACE bypass HTTP 1.1 parsing after a CONNECT request is received, which prevents a reset
from being sent to the client and the server, use the passthrough command. The ACE uses this
pass-through action when there is a match on a port misuse configuration with a pass-through action and
a CONNECT request. Use the no form of this command to .
passthrough log
no passthrough log
Syntax Description log (Optional) Generates a log message for traffic that matches the class
map.
Command Modes Policy map inspection HTTP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.1) This command was introduced.
ACE Appliance Release Modification
A4(1.1) This command was introduced.
Usage Guidelines By default, with HTTP 1.1, the ACE performs strict header parsing, which may cause a reset (RST) to
be sent to the client and the server when the ACE is unable to parse the encrypted packet over a
CONNECT request. This issue is not seen with HTTP 1.0 because the ACE skips the header parsing.
Examples Create a Layer 7 class map for tunneling protocols and the policy-map action as pass through using the
passthrough log command as follows:
class-map type http inspect match-any c2
2 match port-misuse tunneling
policy-map type inspect http all-match SECURITY
class c2
passthrough log
Related Commands This command has no related commands.
(config-pmap-ins-http-c) permit
To allow the specified HTTP traffic to be received by the ACE if it passes the HTTP deep packet
inspection match criteria specified in the class map, use the permit command. Use the no form of this
command to disallow the specified HTTP traffic to be received by the ACE.
permit [log]
no permit
Syntax Description log (Optional) Generates a log message for traffic that matches the class
map.
Command Modes Policy map inspection HTTP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines By default, HTTP inspection allows traffic that does not match any of the configured Layer 7 HTTP deep
packet inspection matches. You can modify this behavior by including the class class-default command
with the reset action to deny the specified Layer 7 HTTP traffic. In this case, if none of the class matches
configured in the Layer 7 HTTP deep packet inspection policy map are hit, the class-default action will
be taken by the ACE. For example, you can include a class map to allow the HTTP GET method and use
the class class-default command to block all of the other requests.
Note By default, all matches are applied to both HTTP request and response messages, but the class
class-default command is applied only to HTTP requests.
Examples To allow the specified HTTP traffic to be received by the ACE if the class map match criteria in class
map L7HTTP_CHECK are met, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# class L7HTTP_CHECK
host1/Admin(config-pmap-ins-http-c)# permit
Related Commands This command has no related commands.
(config-pmap-ins-http-c) reset
To deny the specified HTTP traffic by sending a TCP reset message to the client or server to close the
connection, use the reset command. Use the no form of this command to allow the specified HTTP
traffic to be received by the ACE.
reset [log]
no reset
Syntax Description log (Optional) Generates a log message for traffic that matches the class
map.
Command Modes Policy map inspection HTTP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To deny the specified HTTP traffic from being received by the ACE if the class map match criteria in
class map L7HTTP_CHECK are met, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# class L7HTTP_CHECK
host1/Admin(config-pmap-ins-http-c)# reset
Related Commands This command has no related commands.
Policy Map Inspection HTTP Match Configuration Mode Commands
Policy map inspection HTTP match configuration mode commands allow you to specify the actions that
the ACE should take when network traffic matches the specified inline match command. To access
policy map inspection HTTP match configuration mode, use one of the match commands in policy map
inspection HTTP configuration mode (see the “Policy Map Inspection HTTP Configuration Mode
Commands” section for command details). The prompt changes from (config-pmap-ins-http) to
(config-pmap-ins-http-m).
The inline Layer 7 policy map match commands allow you to include a single inline match criterion in
the policy map without specifying a traffic class. The match commands function the same as with the
Layer 7 class map match commands. However, when you use an inline match command, you can
specify an action for only a single match command in the Layer 7 policy map.
The default of the ACE is to permit HTTP traffic. For example, if a policy map explicitly permits the
HTTP GET method, other methods such as PUT will also be permitted. Only an explicit deny through
the reset command is capable of dropping traffic.
The commands in this mode require the inspect feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
(config-pmap-ins-http-m) passthrough log
To have the ACE bypass HTTP 1.1 parsing after a CONNECT request is received, which prevents a reset
from being sent to the client and the server, use the passthrough command. The ACE uses this
pass-through action when there is a match on a port misuse configuration with a pass-through action and
a CONNECT request. Use the no form of this command to .
passthrough log
no passthrough log
Syntax Description log (Optional) Generates a log message for traffic that matches the class
map.
Command Modes Policy map inspection HTTP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.1) This command was introduced.
ACE Appliance Release Modification
A4(1.1) This command was introduced.
Usage Guidelines By default, with HTTP 1.1, the ACE performs strict header parsing, which may cause a reset (RST) to
be sent to the client and the server when the ACE is unable to parse the encrypted packet over a
CONNECT request. This issue is not seen with HTTP 1.0 because the ACE skips the header parsing.
Examples Create a Layer 7 class map for tunneling protocols and the policy-map action as pass through using the
passthrough log command as follows:
class-map type http inspect match-any c2
2 match port-misuse tunneling
policy-map type inspect http all-match SECURITY
class c2
passthrough log
Related Commands This command has no related commands.
(config-pmap-ins-http-m) permit
To allow the specified HTTP traffic to be received by the ACE if it passes inspection of the match criteria
in an inline match condition, use the permit command. Use the no form of this command to disallow the
specified HTTP traffic to be received by the ACE.
permit [log]
no permit
Syntax Description log (Optional) Generates a log message for traffic that matches the inline
match command.
Command Modes Policy map inspection HTTP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The default of the ACE is to permit HTTP traffic. For example, if a policy map explicitly permits the
HTTP GET method, other methods such as PUT will also be permitted. Only an explicit deny through
the reset command is capable of dropping traffic.
Examples To allow the specified HTTP traffic to be received by the ACE if the match criteria are met, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH5 transfer-encoding chunked
host1/Admin(config-pmap-ins-http-m)# permit
Related Commands This command has no related commands.
(config-pmap-ins-http-m) reset
To deny the specified HTTP traffic by sending a TCP reset message to the client or server to close the
connection, use the reset command. Use the no form of this command to allow the specified HTTP
traffic to be received by the ACE.
reset [log]
no reset
Syntax Description log (Optional) Generates a log message for traffic that matches the inline
match command.
Command Modes Policy map inspection HTTP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To deny the specified HTTP traffic from being received by the ACE if the match criteria are met, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH5 transfer-encoding chunked
host1/Admin(config-pmap-ins-http-m)# reset
Related Commands This command has no related commands.
Policy Map Inspection SIP Configuration Mode Commands
Policy map inspection SIP configuration mode commands allow you to define a policy map that initiates
the inspection of the SIP protocol packets by the ACE. The ACE attempts to match all specified
conditions against the matching classification and executes the actions of all matching classes until it
encounters a deny for a match request.
To create a SIP policy map and access policy map inspection SIP configuration mode, use the
policy-map type inspect sip all-match command in configuration mode. When you access the policy
map inspection SIP configuration mode, the prompt changes to (config-pmap-ins-sip). Use the no form
of this command to remove a SIP inspection policy map from the ACE.
policy-map type inspect sip all-match map_name
no policy-map type inspect sip all-match map_name
Syntax Description sip all-match Specifies the policy map that initiates the inspection of the SIP protocol packets by the
ACE. The ACE attempts to match all specified conditions against the matching
classification and executes the actions of all matching classes until it encounters a deny
for a match request.
map_name Name assigned to the Layer 7 SIP inspection policy map. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The commands in this mode require the inspect feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
The Layer 7 policy map configures the applicable SIP inspection actions executed on the network traffic
that match the classifications defined in a class map. You then associate the completed Layer 7 SIP
inspection policy with a Layer 3 and Layer 4 policy map to activate the operation on a VLAN interface.
Examples To create a Layer 7 SIP inspection policy map, enter:
host1/Admin(config)# policy-map type inspect sip all-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)#
To remove the SIP inspection policy map from the configuration, enter:
host1/Admin(config)# no policy-map type inspect sip all-match SIP_INSPECT_L7POLICY
Related Commands show startup-config
(config-pmap-ins-sip) class
To associate a Layer 7 SIP inspection class map with a Layer 7 SIP inspection policy map, use the class
command. The prompt changes from (config-pmap-ins-sip) to (config-pmap-ins-sip-c). Use the no form
of this command to remove an associated class map from a policy map.
class map_name [insert-before map_name]
no class map_name
Syntax Description map_name Name of a previously defined Layer 7 SIP inspection class map
configured with the class-map command. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
insert-before map_name (Optional) Places the class map ahead of an existing class map in the
policy map configuration.
Command Modes Policy map inspection SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate a Layer 7 SIP inspection class map with a Layer 7 SIP inspection policy map, enter:
host/Admin(config-pmap-ins-sip)# class SIP_INSPECT_L7CLASS
host/Admin(config-pmap-ins-sip-c)#
To disassociate the class map from the policy map, enter:
host/Admin(config-pmap-ins-sip)# no class SIP_INSPECT_L7CLASS
Related Commands (config-pmap-ins-sip) description
(config-pmap-ins-sip-c) drop
(config-pmap-ins-sip-c) log
(config-pmap-ins-sip-c) permit
(config-pmap-ins-sip-c) reset
(config-pmap-ins-sip) description
To provide a brief summary about the Layer 7 SIP inspection policy map, use the description command.
Use the no form of this command to remove the description from the policy map.
description text
no description
Syntax Description text Description for the policy map. Enter an unquoted text string with a
maximum of 240 alphanumeric characters.
Command Modes Policy map inspection SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description for a Layer 7 SIP inspection policy map, enter:
host1/Admin(config-pmap-ins-sip)# description layer 7 sip inspection policy
To remove the description from the policy map, enter:
host1/Admin(config-pmap-ins-sip)# no description
Related Commands (config-pmap-ins-sip) class
(config-pmap-ins-sip) match called-party
To filter SIP traffic based on the called party, use the match called-party command. Use the no form of
this command to remove the match statement from the policy map.
match name called-party expression [insert-before map_name]
no match name called-party expression
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
expression Called party in the URI of the SIP To header. Enter a regular
expression from 1 to 255 alphanumeric characters.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You can filter SIP traffic based on the called party (callee or destination) as specified in the URI of the
SIP To header. The ACE does not include the display name or tag part of the field.
The ACE supports the use of regular expressions for matching. Expressions are stored in a header map
in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or
quoted. Table 1-21 lists the supported characters that you can use in regular expressions.
Examples To identify the called party in the SIP To header, enter:
host1/Admin(config-pmap-ins-sip)# match MATCH_CALLED called-party sip:some-user@somenetwork.com
To remove the match statement from the policy map, enter:
host1/Admin(config-pmap-ins-sip)# no match MATCH_CALLED called-party sip:some-user@somenetwork.com
Related Commands (config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match third-party registration
(config-pmap-ins-sip) match uri
(config-pmap-ins-sip) match calling-party
To filter SIP traffic based on the calling party, use the match calling-party command. Use the no form
of this command to remove the match statement from the policy map.
match name calling-party expression [insert-before map_name]
no match name calling-party expression
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
expression Calling party in the URI of the SIP From header. Enter a regular
expression from 1 to 255 alphanumeric characters. The ACE supports
the use of regular expressions for matching.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You can filter SIP traffic based on the calling party (caller or source) as specified in the URI of the SIP
From header. The ACE does not include the display name or tag part of the field.
The ACE supports the use of regular expressions for matching. Expressions are stored in a header map
in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or
quoted. See Table 1-21 for a list of the supported characters that you can use in regular expressions.
Examples To identify the calling party in the SIP From header, enter:
host1/Admin(config-pmap-ins-sip)# match MATCH_CALLING calling-party sip:this-user@thisnetwork.com;tag=745g8
To remove the match statement from the policy map, enter:
host1/Admin(config-pmap-ins-sip)# no match MATCH_CALLING calling-party sip:this-user@thisnetwork.com;tag=745g8
Related Commands (config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match third-party registration
(config-pmap-ins-sip) match uri
(config-pmap-ins-sip) match content
To define SIP content checks, use the match content command. Use the no form of this command to
remove the match statement from the policy map.
match name content {length gt number} | {type sdp | expression} [insert-before map_name]
no match name content {length gt number} | {type sdp | expression}
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
length Specifies the SIP message body length.
gt Specifies the greater than operator.
number Maximum size of a SIP message body that the ACE allows. Enter an
integer from 0 to 65534 bytes. If the message body is greater than the
configured value, the ACE performs the action that you configure in
the policy map.
type Specifies a content type check.
sdp Specifies that the traffic must be of type Session Description Protocol
(SDP) to match the policy map.
expression Regular expression that identifies the content type in the SIP message
body that is required to match the policy map. Enter a regular
expression from 1 to 255 alphanumeric characters. The ACE supports
the use of regular expressions for matching. See Table 1-21 for a list
of the supported characters that you can use in regular expressions.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map inspection SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You can configure the ACE to perform SIP content checks based on content length or content type. By
default, the ACE allows all content types.
Examples To configure the ACE to drop SIP packets that have content with a length greater than 4000 bytes in
length, enter:
host1/Admin(config)# class-map type sip inspect match-all SIP_INSP_CLASS
host1/Admin(config-cmap-sip-insp)# match MATCH_CONTENT content length gt 4000
host1/Admin(config)# policy-map type inspect sip all-match SIP_INSP_POLICY
host1/Admin(config-pmap-ins-sip)# class SIP_INSP_CLASS
host1/Admin(config-pmap-ins-sip-c)# drop
To remove the match statement from the policy map, enter:
host1/Admin(config-cmap-sip-insp)# no match MATCH_CONTENT content length gt 4000
Related Commands (config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match third-party registration
(config-pmap-ins-sip) match uri
(config-pmap-ins-sip) match im-subscriber
To filter SIP traffic based on the IM subscriber, use the match im-subscriber command. Use the no form of this command to remove the match statement from the policy map.
match name im-subscriber expression [insert-before map_name]
no match name im-subscriber expression
Syntax Description
name Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
expression IM subscriber. Enter a regular expression from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching.
insert-before map_name (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes Policy map inspection SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. See Table 1-21 for a list of the supported characters that you can use in regular expressions.
Examples To filter SIP traffic based on the IM subscriber, John Q. Public, enter:
host1/Admin(config-pmap-ins-sip)# match MATCH_IM im-subscriber John_Q_Public
To remove the match statement from the policy map, enter:
host1/Admin(config-pmap-ins-sip)# no match MATCH_IM im-subscriber John_Q_Public
Related Commands (config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match third-party registration
(config-pmap-ins-sip) match uri
(config-pmap-ins-sip) match message-path
To filter SIP traffic based on the message path, use the match message-path command. Use the no form of this command to remove the match statement from the policy map.
match name message-path expression [insert-before map_name]
no match name message-path expression
Syntax Description
name Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
expression SIP proxy server. Enter a regular expression from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching.
insert-before map_name (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes Policy map inspection SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines SIP inspection allows you to filter messages coming from or transiting through certain SIP proxy servers. The ACE maintains a list of unauthorized SIP proxy IP addresses or URIs in the form of regular expressions and then checks this list against the VIA header field in each SIP packet. The default action is to drop SIP packets with VIA fields that match the regex list.
The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. See Table 1-21 for a list of the supported characters that you can use in regular expressions.
Examples To filter SIP traffic based on the message path 192.168.12.3:5060, enter:
host1/Admin(config-pmap-ins-sip)# match MATCH_PATH message-path 192.168.12.3:5060
To remove the match statement from the policy map, enter:
host1/Admin(config-pmap-ins-sip)# no match MATCH_PATH message-path 192.168.12.3:5060
Related Commands (config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match third-party registration
(config-pmap-ins-sip) match uri
(config-pmap-ins-sip) match request-method
To filter SIP traffic based on the request method, use the match request-method command. Use the no form of this command to remove the match statement from the policy map.
match name request-method method_name [insert-before map_name]
no match name request-method method_name
Syntax Description
name Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
method_name Supported SIP method using one of the following keywords:
• ack
• bye
• cancel
• info
• invite
• message
• notify
• options
• prack
• refer
• register
• subscribe
• unknown
• update
Use the unknown keyword to permit or deny unknown or unsupported SIP methods.
insert-before map_name (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes Policy map inspection SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To filter SIP traffic based on the INVITE request method, enter:
host1/Admin(config-pmap-ins-sip)# match MATCH_REQUEST request-method invite
To remove the match statement from the policy map, enter:
host1/Admin(config-pmap-ins-sip)# no match MATCH_REQUEST request-method invite
Related Commands (config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match third-party registration
(config-pmap-ins-sip) match uri
(config-pmap-ins-sip) match third-party registration
To filter SIP traffic based on third-party registrations or deregistrations, use the match third-party-registration command. Use the no form of this command to remove the match statement from the policy map.
match name third-party registration expression [insert-before map_name]
no match name third-party registration expression
Syntax Description
name Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
expression Privileged user that is authorized for third-party registrations. Enter a regular expression from 1 to 255 alphanumeric characters.
insert-before map_name (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes Policy map inspection SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines SIP allows users to register other users on their behalf by sending REGISTER messages with different values in the From and To header fields. This process may pose a security threat if the REGISTER message is actually a DEREGISTER message. A malicious user could cause a Denial of Service (DoS) attack by deregistering all users on their behalf. To prevent this security threat, you can specify a list of privileged users who can register or unregister someone else on their behalf. The ACE maintains the list as a regex table. If you configure this policy, the ACE drops REGISTER messages with mismatched From and To headers and a From header value that does not match any of the privileged user IDs.
The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. See Table 1-21 for a list of the supported characters that you can use in regular expressions.
Examples To filter SIP traffic based on SIP registrations or deregistrations, enter:
host1/Admin(config-pmap-ins-sip)# match MATCH_REG third-party-registration USER1
To remove the match statement from the policy map, enter:
host1/Admin(config-pmap-ins-sip)# no match MATCH_REG third-party-registration USER1
Related Commands (config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match uri
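The following Python is an added illustration, not Cisco's code and not the ACE implementation, of the checks described in the message-path and third-party registration usage guidelines above, together with the uri and content length thresholds: each Via header is tested against the regex list of unauthorized proxies, a REGISTER whose From and To name different users is dropped unless From matches a privileged-user regex, and an oversized Request-URI or body trips the length match. The parser, sample requests, regexes and the example.com identities are constructed for this example; the From/To comparison ignores the display name and the ;tag parameter, which differ between the two headers in real traffic.

```python
import re
from dataclasses import dataclass
from typing import Optional

COMPACT = {"v": "via", "f": "from", "t": "to"}  # RFC 3261 compact header names

@dataclass
class SipMessage:
    method: str
    request_uri: str
    headers: dict  # lower-cased header name -> list of values in wire order
    body: bytes

def parse_sip(raw: bytes) -> SipMessage:
    """Split a SIP request into start line, headers and body (CRLF framing)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return SipMessage(method.upper(), request_uri, headers, body)

def address_of(header_value: str) -> str:
    """URI part of a From/To value; the display name and ;tag=... are ignored."""
    m = re.search(r"<([^>]+)>", header_value)
    uri = m.group(1) if m else header_value.split(";")[0]
    return uri.strip().lower()

@dataclass
class SipInspectionPolicy:
    unauthorized_proxies: list  # regexes tested against each Via (match message-path)
    privileged_users: list      # regexes a From must match to REGISTER someone else
    max_sip_uri_len: Optional[int] = None  # match uri sip length gt value
    max_content_len: Optional[int] = None  # match content length gt value

    def evaluate(self, msg: SipMessage) -> list:
        """Names of the inline match statements the message hits; [] means permit."""
        hits = []
        if any(re.search(p, via) for via in msg.headers.get("via", [])
               for p in self.unauthorized_proxies):
            hits.append("MATCH_PATH")
        if msg.method == "REGISTER":
            frm = msg.headers.get("from", [""])[0]
            to = msg.headers.get("to", [""])[0]
            # From and To naming different users is a third-party (de)registration;
            # it passes only when From is on the privileged-user list.
            third_party = address_of(frm) != address_of(to)
            privileged = any(re.search(p, frm) for p in self.privileged_users)
            if third_party and not privileged:
                hits.append("MATCH_REG")
        if (self.max_sip_uri_len is not None
                and msg.request_uri.lower().startswith("sip:")
                and len(msg.request_uri) > self.max_sip_uri_len):
            hits.append("MATCH_URI")
        if self.max_content_len is not None and len(msg.body) > self.max_content_len:
            hits.append("MATCH_CONTENT")
        return hits

# Constructed policy mirroring the page's examples: drop traffic that transits the
# proxy 192.168.12.3:5060, let only USER1 register third parties, cap SIP URIs at 100 bytes
# and message bodies at 4000 bytes.
POLICY = SipInspectionPolicy(
    unauthorized_proxies=[r"192\.168\.12\.3:5060"],
    privileged_users=[r"sip:user1@example\.com"],
    max_sip_uri_len=100,
    max_content_len=4000,
)

def _request(method, uri, via, frm, to, body=b""):
    """Build a constructed SIP request for the samples below."""
    head = (f"{method} {uri} SIP/2.0\r\nVia: SIP/2.0/UDP {via};branch=z9hG4bK1\r\n"
            f"From: {frm}\r\nTo: {to}\r\nCall-ID: c1@example.com\r\nCSeq: 1 {method}\r\n"
            f"Content-Length: {len(body)}\r\n")
    return head.encode() + b"\r\n" + body

BOB, ALICE = "<sip:bob@example.com>", "<sip:alice@example.com>;tag=4"
SAMPLES = {  # constructed requests: a normal self-registration, then the edge cases
    "self_register": _request("REGISTER", "sip:example.com", "10.0.0.5:5060",
                              BOB + ";tag=1", BOB),
    "privileged_register": _request("REGISTER", "sip:example.com", "10.0.0.5:5060",
                                    "<sip:user1@example.com>;tag=2", BOB),
    "unprivileged_register": _request("REGISTER", "sip:example.com", "10.0.0.5:5060",
                                      "<sip:mallory@example.com>;tag=3", BOB),
    "bad_path_invite": _request("INVITE", "sip:bob@example.com", "192.168.12.3:5060",
                                ALICE, BOB),
    "big_body_invite": _request("INVITE", "sip:bob@example.com", "10.0.0.5:5060",
                                ALICE, BOB, body=b"v=0\r\n" * 1000),
}

def inspect_all(policy=POLICY, samples=SAMPLES):
    return {name: policy.evaluate(parse_sip(raw)) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, hits in inspect_all().items():
        print(f"{name:22s} -> {'permit' if not hits else 'drop ' + ','.join(hits)}")
```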
(config-pmap-ins-sip) match uri
To filter SIP traffic based on URIs, use the match uri command. Use the no form of this command to remove the match statement from the policy map.
match name uri {sip | tel} length gt value [insert-before map_name]
no match name uri {sip | tel} length gt value
Syntax Description
name Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
sip Specifies that the ACE validates the length of a SIP URI.
tel Specifies that the ACE validates the length of a Tel URI.
length Specifies the length of the SIP or Tel URI.
gt Specifies the greater than operator.
value Maximum value for the length of the SIP URI or Tel URI in bytes. Enter an integer from 0 to 254 bytes.
insert-before map_name (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes Policy map inspection SIP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You can configure the ACE to validate the length of SIP URIs or Tel URIs. A SIP URI is a user identifier that a calling party (source) uses to contact the called party (destination). A Tel URI is a telephone number that identifies the endpoint of a SIP connection. For more information about SIP URIs and Tel URIs, see RFC 2534 and RFC 3966, respectively.
Examples To instruct the ACE to filter traffic based on SIP URIs, enter:
host1/Admin(config-pmap-ins-sip)# match MATCH_URI uri sip length gt 100
To remove the match statement from the policy map, enter:
host1/Admin(config-pmap-ins-sip)# no match MATCH_URI uri sip length gt 100
Related Commands (config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match third-party registration
Policy Map Inspection SIP Class Configuration Mode Commands
Use the policy map SIP inspection class configuration mode to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 7 SIP inspection class map. To access policy map SIP inspection class configuration mode, use the class command in the policy map SIP inspection configuration mode (see the (config-pmap-ins-sip) class command for details). The prompt changes from (config-pmap-ins-sip) to (config-pmap-ins-sip-c).
The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
(config-pmap-ins-sip-c) drop
To discard the SIP traffic that matches the traffic specified in the class map, use the drop command. Use the no form of this command to return the ACE behavior to the default of permitting all SIP traffic to pass.
drop [log]
no drop
Syntax Description
log (Optional) Generates a log message for traffic that matches the class map.
Command Modes Policy map inspection SIP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To discard the SIP traffic that matches the class map, enter:
host1/Admin(config)# policy-map type inspect sip first-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# class SIP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-sip-c)# drop
Related Commands This command has no related commands.
(config-pmap-ins-sip-c) log
To log all SIP traffic that matches the class map, use the log command. Use the no form of this command to return the ACE behavior to the default of not logging SIP traffic.
log
no log
Syntax Description This command has no keywords or arguments.
Command Modes Policy map inspection SIP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To log the SIP traffic that matches the class map, enter:
host1/Admin(config)# policy-map type inspect sip first-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# class SIP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-sip-c)# log
Related Commands This command has no related commands.
(config-pmap-ins-sip-c) permit
To permit the SIP traffic that matches the class map to pass through the ACE, use the permit command. Use the no form of this command to return the ACE behavior to the default of permitting all SIP traffic to pass.
permit [log]
no permit
Syntax Description
log (Optional) Generates a log message for traffic that matches the class map.
Command Modes Policy map inspection SIP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To permit the SIP traffic that matches the class map to pass through the ACE, enter:
host1/Admin(config)# policy-map type inspect sip first-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# class SIP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-sip-c)# permit
Related Commands This command has no related commands.
(config-pmap-ins-sip-c) reset
To instruct the ACE to deny the SIP traffic that matches the class map and to reset the connection using the TCP RESET message, use the reset command. Use the no form of this command to return the ACE behavior to the default of permitting all SIP traffic to pass.
reset [log]
no reset
Syntax Description
log (Optional) Generates a log message for traffic that matches the class map.
Command Modes Policy map inspection SIP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to deny the traffic that matches the class map and to reset the connection, enter:
host1/Admin(config)# policy-map type inspect sip first-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# class SIP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-sip-c)# reset
Related Commands This command has no related commands.
Policy Map Inspection SIP Match Configuration Mode Commands
Policy map inspection SIP match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map inspection SIP match configuration mode, use the match command in policy map inspection SIP configuration mode. The prompt changes from (config-pmap-ins-sip) to (config-pmap-ins-sip-m).
The inline Layer 7 policy map match commands allow you to include a single inline match criterion in the policy map without specifying a traffic class. The match commands function the same as the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the Layer 7 policy map.
The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
(config-pmap-ins-sip-m) drop
To discard the SIP traffic that matches the traffic specified in the single inline match command, use the drop command. Use the no form of this command to return the ACE behavior to the default of permitting all SIP traffic to pass.
drop [log]
no drop
Syntax Description
log (Optional) Generates a log message for traffic that matches the single inline match command.
Command Modes Policy map inspection SIP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To discard the SIP traffic that matches the traffic specified in the single inline match command, enter:
host1/Admin(config)# policy-map type inspect sip all-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# match MATCH_URI uri sip length gt 100
host1/Admin(config-pmap-ins-sip-m)# drop
Related Commands This command has no related commands.
(config-pmap-ins-sip-m) permit
To permit the SIP traffic that matches the traffic specified in the single inline match command to pass through the ACE, use the permit command. Use the no form of this command to return to the default state and permit all SIP traffic to pass.
permit [log]
no permit
Syntax Description
log (Optional) Generates a log message for traffic that matches the inline match command.
Command Modes Policy map inspection SIP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To permit the SIP traffic specified in the single inline match command to pass through the ACE, enter:
host1/Admin(config)# policy-map type inspect sip all-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# match MATCH_URI uri sip length gt 100
host1/Admin(config-pmap-ins-sip-m)# permit
Related Commands This command has no related commands.
(config-pmap-ins-sip-m) reset
To instruct the ACE to deny SIP traffic that matches the single inline match command and to reset the connection using the TCP RESET message, use the reset command. Use the no form of this command to return the ACE behavior to the default of permitting all SIP traffic to pass.
reset [log]
no reset
Syntax Description
log (Optional) Generates a log message for traffic that matches the single inline match command.
Command Modes Policy map inspection SIP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to deny the traffic that matches the single inline match command and to reset the connection, enter:
host1/Admin(config)# policy-map type inspect sip all-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# match MATCH_URI uri sip length gt 100
host1/Admin(config-pmap-ins-sip-m)# reset
Related Commands This command has no related commands.
Policy Map Inspection Skinny Configuration Mode Commands
Policy map inspection Skinny configuration mode commands allow you to define a policy map that initiates inspection of the Skinny Client Control Protocol (SCCP) by the ACE. The ACE uses the SCCP inspection policy to filter traffic based on the message ID and to perform user-configurable actions on that traffic.
To create an SCCP inspection policy map and access policy map inspection Skinny configuration mode, use the policy-map type inspect skinny command in configuration mode. When you access the policy map inspection Skinny configuration mode, the prompt changes to (config-pmap-ins-skinny). Use the no form of this command to remove an SCCP inspection policy map from the ACE.
policy-map type inspect skinny map_name
no policy-map type inspect skinny map_name
Syntax Description
map_name Name assigned to the Layer 7 SCCP inspection policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To create a Layer 7 SCCP inspection policy map, enter:
host1/Admin(config)# policy-map type inspect skinny SCCP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-skinny)#
Related Commands This command has no related commands.
(config-pmap-ins-skinny) description
To provide a brief summary about the Layer 7 SCCP inspection policy map, use the description command. Use the no form of this command to remove the description from the policy map.
description text
no description
Syntax Description
text Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Policy map inspection Skinny configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description about the SCCP policy map, enter:
host1/Admin(config-pmap-ins-skinny)# description this is an SCCP inspection policy map
To remove the description from the policy map, enter:
host1/Admin(config-pmap-ins-skinny)# no description
Related Commands (config-pmap-ins-skinny-m) reset
(config-pmap-ins-skinny) match message-id
(config-pmap-ins-skinny) match message-id
To include a single inline match criterion in the policy map without specifying a traffic class, use the match message-id command. Use the no form of this command to remove the inline match statement from the policy map.
match name message-id {number1 | range number2 number3} [insert-before map_name]
no match name
Syntax Description
name Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
number1 Numerical identifier of the SCCP message. Enter an integer from 0 to 65535.
range number2 number3 Specifies a range of SCCP message IDs. Enter an integer from 0 to 65535 for the lower and the upper limits of the range. The upper limit must be greater than or equal to the lower limit.
insert-before map_name (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes Policy map inspection Skinny configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines When you use an inline match command, you can specify an action for only a single match statement in the Layer 7 policy map.
Examples To specify an inline match command for a Layer 7 SCCP inspection policy map, enter:
host1/Admin(config-pmap-ins-skinny)# match SCCP_MATCH message-id range 100 500
host1/Admin(config-pmap-ins-skinny-m)#
Related Commands (config-pmap-ins-skinny) description
Policy Map Inspection Skinny Match Configuration Mode Commands
Policy map inspection Skinny match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map inspection Skinny match configuration mode, use the match message-id command in policy map inspection Skinny configuration mode (see the (config-pmap-ins-skinny) match message-id command for details). The prompt changes from (config-pmap-ins-skinny) to (config-pmap-ins-skinny-m).
The inline Layer 7 policy map match commands allow you to include a single inline match criterion in the policy map without specifying a traffic class. The match commands function the same as the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the Layer 7 policy map.
The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
(config-pmap-ins-skinny-m) reset
To instruct the ACE to deny SCCP traffic that matches the single inline match command and to reset the connection using the TCP RESET message, use the reset command as the policy map action. By default, the ACE allows all SCCP packets to pass through it. Use the no form of this command to reset the ACE behavior to the default of allowing all SCCP traffic to pass.
reset [log]
no reset
Syntax Description
log (Optional) Generates a log message for traffic that matches the single inline match command.
Command Modes Policy map inspection Skinny match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You apply the specified action against the single inline match command. The reset command causes the ACE to drop the SCCP traffic that matches the inline match command and reset the connection.
Examples To specify that the ACE drop SCCP traffic that matches the match message-id inline command, enter:
host1/Admin(config)# policy-map type inspect skinny SCCP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-skinny)# match SCCP_MATCH message-id range 100 500
host1/Admin(config-pmap-ins-skinny-m)# reset
Related Commands (config-pmap-ins-skinny) description
(config-pmap-ins-skinny) match message-id
Policy Map Load Balancing Generic Configuration Mode
Commands
Policy map load balancing generic configuration mode commands allow you to specify a generic Layer 7
policy map for server load-balancing decisions. The ACE executes the specified action only against the
first matching load-balancing classification.
To create a generic Layer 7 server load balancing (SLB) policy map and access policy map load
balancing generic configuration mode, use the policy-map type loadbalance generic first-match
command. When you access the policy map load balancing generic configuration mode, the prompt
changes to (config-pmap-lb-generic). Use the no form of this command to remove a generic Layer 7 SLB
policy map from the ACE.
policy-map type loadbalance generic first-match map_name
no policy-map type loadbalance generic first-match map_name
Syntax Description
map_name Name assigned to the generic SLB policy map. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
You associate the Layer 7 load balancing policy map with a Layer 3 and Layer 4 policy map to provide
an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies. Only
a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot
be directly applied on a VLAN (or any) interface.
To associate the Layer 7 load-balancing policy map, you nest it by using the Layer 3 and Layer 4
(config-pmap-c) loadbalance policy command.
Examples To create a generic SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)#
Related Commands show running-config
(config) policy-map
(config-pmap-lb-generic) class
To associate a Layer 7 server load balancing (SLB) class map with a Layer 7 SLB policy map, use the
class command. The prompt changes from (config-pmap-lb-generic) to (config-pmap-lb-generic-c). For
information about commands in this mode, see the “Policy Map Load Balancing Generic Class
Configuration Mode Commands” section. Use the no form of this command to remove an associated
class map from a policy map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2] | class-default}
Syntax Description
name1 Name of a previously defined Layer 7 SLB class map configured with
the class-map command. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
insert-before name2 (Optional) Places the current named class map ahead of an existing
class map or inline match condition specified by the name2 argument
in the policy map configuration. The ACE does not save the sequence
reordering as part of the configuration.
class-default Reserved, well-known class map created by the ACE. You cannot
delete or modify this class. All traffic that fails to meet the other
matching criteria in the named class map belongs to the default traffic
class. If none of the specified classifications matches the traffic, then
the ACE performs the action specified under the class class-default
command. The class-default class map has an implicit match any
statement in it that enables it to match all traffic.
Command Modes Policy map load balancing generic configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate a Layer 7 SLB class map with a Layer 7 SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# class L7LOADBALNCE_CLASS
Related Commands (config-pmap-lb-generic) description
(config-pmap-lb-generic) description
To provide a brief description of the generic server load balancing (SLB) policy map, use the description
command. Use the no form of this command to remove the description from the policy map.
description text
no description
Syntax Description
text Description for the policy map. Enter an unquoted text string with a
maximum of 240 alphanumeric characters.
Command Modes Policy map load balancing generic configuration mode
Admin role in any user context
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the policy map is to perform server load balancing, enter:
host/Admin(config-pmap-lb-generic)# description GENERIC_LOAD_BALANCE_PROTOCOL
Related Commands (config-pmap-lb-generic) class
(config-pmap-lb-generic) match layer4-payload
To make server load balancing (SLB) decisions based on the Layer 4 payload, use the match
layer4-payload command. Use the no form of this command to remove the Layer 4 payload match
statement from the policy map.
match name layer4-payload [offset bytes] regex expression [insert-before map_name]
no match name layer4-payload [offset bytes] regex expression [insert-before map_name]
Syntax Description
name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
offset bytes (Optional) Specifies an absolute offset in the data where the Layer 4
payload expression search string starts. The offset starts at the first
byte of the TCP or UDP body. Enter an integer from 0 to 999. The
default is 0.
regex expression Specifies the Layer 4 payload expression that is contained within the
TCP or UDP entity body. Enter a string from 1 to 255 alphanumeric
characters. For a list of the supported characters that you can use in
regular expression strings, see Table 1-21.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map or other match statement specified by the map_name
argument. The ACE does not save the sequence reordering as part of
the configuration.
Command Modes Policy map load balancing generic configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines To specify actions for multiple match statements, use a class map as described in the “Class Map Generic
Configuration Mode Commands” section.
Generic data parsing begins at Layer 4 with the TCP or UDP payload, which allows you the flexibility
to match Layer 5 data (in the case of the Lightweight Directory Access Protocol (LDAP) or the Domain
Name System (DNS)) or any Layer 7 header or payload (for example, HTTP).
When matching data strings, the period (.) and question mark (?) characters do not have a literal meaning
in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com
instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
When you use the match layer4-payload command, you access the policy map load balancing generic
match configuration mode and the prompt changes to (config-pmap-lb-generic-m). For information about
commands in this mode, see the “Policy Map Load Balancing Generic Match Configuration Mode
Commands” section.
Examples To define Layer 4 payload match criteria for a generic policy map, enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match L4_MATCH layer4-payload offset 10 regex abc12.*
host1/Admin(config-pmap-lb-generic-m)#
Related Commands (config-cmap-generic) match layer4-payload
(config-pmap-lb-generic) match source-address
To specify a client source host IP address and subnet mask as the network traffic matching criteria, use
the match source-address command. You configure the associated policy map to permit or restrict
management traffic to the ACE from the specified source network or host. Use the no form of this
command to clear the source IP address and subnet mask match criteria from the policy map.
match name source-address ip_address mask [insert-before map_name]
no match name source-address ip_address mask
Syntax Description
name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
ip_address Source IP address of the client. Enter the IP address in
dotted-decimal notation (for example, 192.168.11.1).
mask Subnet mask of the client entry in dotted-decimal notation (for
example, 255.255.255.0).
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map load balancing generic configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines When you use the match source-address command, you access the policy map load balancing generic
match configuration mode and the prompt changes from (config-pmap-lb-generic) to
(config-pmap-lb-generic-m). For information about commands in this mode, see the “Policy Map Load
Balancing Generic Match Configuration Mode Commands” section.
Examples To specify that the Layer 7 SLB policy map matches on source IP address 192.168.10.1 255.255.0.0,
enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match match3 source-address 192.168.10.1 255.255.0.0
host1/Admin(config-pmap-lb-generic-m)#
Related Commands (config-cmap-generic) match source-address
Policy Map Load Balancing Generic Class Configuration Mode Commands
Policy map load balancing generic class configuration mode commands allow you to specify the actions
that the ACE should take when network traffic matches one or more match statements in the associated
Layer 7 server load balancing (SLB) class map. To access policy map load balancing generic class
configuration mode, use the class command in policy map load balancing generic configuration mode
(see the (config-pmap-lb-generic) class command for details). The prompt changes to
(config-pmap-lb-generic-c).
The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
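To make the first-match behaviour of the generic Layer 7 SLB policy map concrete, the following is an added Python model, not Cisco code and not anything the ACE runs, of how an ordered set of inline match layer4-payload and match source-address statements plus class-default selects a single action. It follows the limits stated in the command entries above (offset 0 to 999, inline match name plus policy map name at most 64 characters), models insert-before reordering, and shows why the guidelines want the dot escaped in a regex; policy and farm names follow the page's examples, while the regex, payload bytes and client addresses are constructed.

```python
"""Added model (not Cisco code) of first-match classification in a generic
Layer 7 SLB policy map: ordered inline 'match layer4-payload' and
'match source-address' statements, insert-before reordering, class-default,
and the argument limits the reference states (offset 0-999, inline match
name plus policy map name at most 64 characters).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

MAX_NAME_TOTAL = 64   # inline match name + policy map name must not exceed 64 characters
MAX_OFFSET = 999      # 'offset bytes' accepts 0 to 999


@dataclass
class Layer4PayloadMatch:
    """match <name> layer4-payload [offset <bytes>] regex <expression>"""
    name: str
    regex: str
    offset: int = 0   # absolute offset from the first byte of the TCP/UDP body

    def matches(self, payload: bytes, client_ip: str) -> bool:
        # The regex search starts at the configured offset into the body.
        window = payload[self.offset:].decode("latin-1")
        return re.search(self.regex, window) is not None


@dataclass
class SourceAddressMatch:
    """match <name> source-address <ip_address> <mask>"""
    name: str
    ip_address: str
    mask: str         # dotted-decimal subnet mask, e.g. 255.255.0.0

    def matches(self, payload: bytes, client_ip: str) -> bool:
        net = ipaddress.IPv4Network((self.ip_address, self.mask), strict=False)
        return ipaddress.IPv4Address(client_ip) in net


Match = Union[Layer4PayloadMatch, SourceAddressMatch]


@dataclass
class Entry:
    match: Optional[Match]   # None stands for 'class class-default' (implicit match any)
    action: str              # e.g. 'serverfarm FARM2', 'drop', 'forward'


class GenericFirstMatchPolicy:
    """policy-map type loadbalance generic first-match <name>"""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Entry] = []

    def add(self, entry: Entry, insert_before: Optional[str] = None) -> None:
        """Append an entry, or place it ahead of the entry named by insert_before."""
        m = entry.match
        if m is not None:
            if len(m.name) + len(self.name) > MAX_NAME_TOTAL:
                raise ValueError("inline match name plus policy map name exceeds 64 characters")
            if isinstance(m, Layer4PayloadMatch) and not 0 <= m.offset <= MAX_OFFSET:
                raise ValueError("offset must be between 0 and 999")
        if insert_before is None:
            self.entries.append(entry)
            return
        for i, existing in enumerate(self.entries):
            if existing.match is not None and existing.match.name == insert_before:
                self.entries.insert(i, entry)
                return
        raise KeyError(f"no match or class named {insert_before}")

    def classify(self, payload: bytes, client_ip: str) -> Optional[str]:
        """Return the action of the first entry that matches; None if nothing does."""
        for entry in self.entries:
            if entry.match is None or entry.match.matches(payload, client_ip):
                return entry.action
        return None


def build_sample_policy() -> GenericFirstMatchPolicy:
    """Constructed policy using the page's sample names (L7SLBPOLICY, FARM2, FARM3)."""
    policy = GenericFirstMatchPolicy("L7SLBPOLICY")
    # Brackets make the dots literal, as the reference advises (www[.]xyz[.]com).
    policy.add(Entry(Layer4PayloadMatch("L4_MATCH", r"www[.]xyz[.]com", offset=10),
                     "serverfarm FARM2"))
    policy.add(Entry(SourceAddressMatch("MATCH_SLB1", "192.168.10.1", "255.255.0.0"),
                     "forward"))
    policy.add(Entry(None, "serverfarm FARM3"))   # class class-default
    return policy


def unescaped_dot_overmatches() -> bool:
    """Why the reference wants '.' escaped: an unescaped dot also matches 'wwwXxyzXcom'."""
    loose = Layer4PayloadMatch("LOOSE", r"www.xyz.com")
    strict = Layer4PayloadMatch("STRICT", r"www[.]xyz[.]com")
    sample = b"wwwXxyzXcom"   # constructed payload
    return loose.matches(sample, "0.0.0.0") and not strict.matches(sample, "0.0.0.0")
```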
(config-pmap-lb-generic-c) drop
To instruct the ACE to discard packets that match a particular load-balancing criterion in the class map,
use the drop command. Use the no form of this command to reset the ACE to its default of accepting
packets from the policy map.
drop
no drop
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing generic class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to discard packets that match the load-balancing criteria in the class map, enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# class L7SLBCLASS
host1/Admin(config-pmap-lb-generic-c)# drop
Related Commands This command has no related commands.
(config-pmap-lb-generic-c) forward
To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, use the forward command. Use the no form of this command to reset the ACE
to its default of load balancing packets from the policy map.
forward
no forward
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing generic class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# class L7SLBCLASS
host1/Admin(config-pmap-lb-generic-c)# forward
Related Commands This command has no related commands.
(config-pmap-lb-generic-c) serverfarm
To load balance a client request for content to a server farm, use the serverfarm command. Server farms
are groups of networked real servers that contain the same content and reside in the same physical
location. Use the no form of this command to remove the server-farm action from the Layer 7
load-balancing policy map.
serverfarm name1 [backup name2] [aggregate-state]
no serverfarm name1 [backup name2] [aggregate-state]
Syntax Description
name1 Unique identifier of the server farm. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you
want the ACE to use as a backup server farm. If the primary server
farm goes down, the ACE sends all connections to the configured
backup server farm. Enter a name as an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
aggregate-state This option has been deprecated and no longer has an effect on the
state of the VIP. By default, the ACE takes into account the state of
all real servers in the backup server farm before taking the VIP out of
service. If all real servers in the primary server farm fail, but there is
at least one real server in the backup server farm that is operational,
the ACE keeps the VIP in service.
Command Modes Policy map load balancing generic class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset
(RST) to a client in response to a content request.
If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.
Examples To specify the serverfarm command as an action in the load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# class L7SLBCLASS
host1/Admin(config-pmap-lb-generic-c)# serverfarm FARM2 backup FARM3
Related Commands This command has no related commands.
(config-pmap-lb-generic-c) set ip tos
To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB)
policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the
Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can
then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the
default of 0.
set ip tos value
no set ip tos value
Syntax Description
value IP DSCP value. Enter an integer from 0 to 255. The default is 0.
Command Modes Policy map load balancing generic class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.
Examples The following example specifies the set ip tos command as a QoS action in the Layer 7 load-balancing
policy map. All packets that satisfy the match criteria of L7SLBCLASS are marked with the IP DSCP
value of 8. How packets marked with the IP DSCP value of 8 are treated is determined by the network
configuration.
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# class L7SLBCLASS
host1/Admin(config-pmap-lb-generic-c)# set ip tos 8
Related Commands This command has no related commands.
(config-pmap-lb-generic-c) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm,
use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from
the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
name Name of an existing sticky group. Enter an unquoted text string with
no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing generic class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application
Control Engine.
Examples To specify that all requests that match a generic Layer 7 policy map are load balanced to a sticky server
farm, enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# class L7SLBCLASS
host1/Admin(config-pmap-lb-generic-c)# sticky-serverfarm STICKY_GROUP1
Related Commands This command has no related commands.
Policy Map Load Balancing Generic Match Configuration Mode Commands
Policy map load balancing generic match configuration mode commands allow you to specify the actions
that the ACE should take when network traffic matches the specified inline match command. To access
policy map load balancing generic match configuration mode, use one of the match commands in policy
map load balancing generic configuration mode (see the “Policy Map Load Balancing Generic
Configuration Mode Commands” section for details). The prompt changes to
(config-pmap-lb-generic-m).
The inline Layer 7 policy map match commands allow you to include a single inline match criterion in
the policy map without specifying a traffic class. The inline match commands function the same way as
the Layer 7 server load balancing (SLB) class map match commands. However, when you use an inline
match command, you can specify an action for only a single match command in the generic SLB policy
map.
The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
(config-pmap-lb-generic-m) drop
To instruct the ACE to discard packets that match a particular load-balancing criterion in an inline match
command, use the drop command. Use the no form of this command to reset the ACE to its default of
accepting packets from the policy map.
drop
no drop
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing generic match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to discard packets that match the load-balancing criteria in the inline match
command, enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match MATCH_SLB1 source-address 192.168.10.1
255.255.0.0
host1/Admin(config-pmap-lb-generic-m)# drop
Related Commands This command has no related commands.
(config-pmap-lb-generic-m) forward
To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, use the forward command. Use the no form of this command to reset the ACE
to its default of load balancing packets from the policy map.
forward
no forward
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing generic match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match MATCH_SLB1 source-address 192.168.10.1
255.255.0.0
host1/Admin(config-pmap-lb-generic-m)# forward
Related Commands This command has no related commands.
(config-pmap-lb-generic-m) serverfarm
To load balance a client request for content to a server farm, use the serverfarm command. Server farms
are groups of networked real servers that contain the same content and reside in the same physical
location. Use the no form of this command to remove the server-farm action from the Layer 7 load
balancing policy map.
serverfarm name1 [backup name2] [aggregate-state]
no serverfarm name1 [backup name2] [aggregate-state]
Syntax Description
name1 Unique identifier of the server farm. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you
want the ACE to use as a backup server farm. If the primary server
farm goes down, the ACE sends all connections to the configured
backup server farm. Enter a name as an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
aggregate-state This option has been deprecated and no longer has an effect on the
state of the VIP. By default, the ACE takes into account the state of
all real servers in the backup server farm before taking the VIP out of
service. If all real servers in the primary server farm fail, but there is
at least one real server in the backup server farm that is operational,
the ACE keeps the VIP in service.
Command Modes Policy map load balancing generic match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset
(RST) to a client in response to a content request.
If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.
Examples To specify the serverfarm command as an action in the load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match MATCH_SLB1 source-address 192.168.11.2
255.255.255.0
host1/Admin(config-pmap-lb-generic-m)# serverfarm FARM2 backup FARM3
Related Commands This command has no related commands.
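The Usage Guidelines of the two serverfarm commands (class mode and inline match mode) state the same failover rules: requests go to the primary farm while it has an operational real server, to the backup farm once every primary server has failed, and the client receives a reset when no farm can serve it, with the VIP staying in service while either farm has a live server. The following is an added Python simulation of those rules, not Cisco code; farm and rserver names are constructed, and the rotation among live rservers is a stand-in for the predictor configured on the serverfarm, which this page does not cover.

```python
"""Added simulation (not Cisco code) of the failover rules the serverfarm command
states, for both the class-mode and inline-match forms: requests go to the
primary server farm while any of its real servers is operational, to the
backup farm once every primary server has failed, and the client receives a
reset (RST) when no farm can serve the request. VIP state follows the default
(formerly 'aggregate-state') behaviour. Farm and rserver names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RST = "RST"   # stands for the TCP reset the ACE sends when nothing can serve the request


@dataclass
class ServerFarm:
    name: str
    rservers: Dict[str, bool]   # real server name -> operational?

    def operational(self) -> List[str]:
        return [name for name, up in self.rservers.items() if up]


@dataclass
class ServerfarmAction:
    """'serverfarm name1 [backup name2]' configured as the load-balancing action."""
    primary: ServerFarm
    backup: Optional[ServerFarm] = None
    _next: Dict[str, int] = field(default_factory=dict)   # per-farm rotation position

    def select_farm(self) -> Optional[ServerFarm]:
        """Primary while it has a live rserver, otherwise backup, otherwise nothing."""
        if self.primary.operational():
            return self.primary
        if self.backup is not None and self.backup.operational():
            return self.backup
        return None

    def vip_in_service(self) -> bool:
        """Default behaviour: the VIP stays up while primary or backup has a live rserver."""
        return self.select_farm() is not None

    def dispatch(self) -> str:
        """Return 'FARM/rserver' for one request, or RST when no farm can take it."""
        farm = self.select_farm()
        if farm is None:
            return RST
        # Simple rotation among live rservers; the real predictor is configured on the
        # serverfarm itself and is outside this page, so this is a stand-in.
        live = farm.operational()
        i = self._next.get(farm.name, 0) % len(live)
        self._next[farm.name] = i + 1
        return f"{farm.name}/{live[i]}"


def simulate() -> List[str]:
    """Constructed scenario: FARM2 primary with FARM3 backup, servers failing one by one."""
    farm2 = ServerFarm("FARM2", {"RS1": True, "RS2": True})
    farm3 = ServerFarm("FARM3", {"RS3": True})
    action = ServerfarmAction(farm2, backup=farm3)
    trace: List[str] = []
    trace.append(action.dispatch())                   # FARM2/RS1
    trace.append(action.dispatch())                   # FARM2/RS2
    farm2.rservers["RS1"] = False
    trace.append(action.dispatch())                   # FARM2/RS2: one primary server still up
    farm2.rservers["RS2"] = False
    trace.append(action.dispatch())                   # FARM3/RS3: whole primary down, use backup
    trace.append("VIP up" if action.vip_in_service() else "VIP down")
    farm3.rservers["RS3"] = False
    trace.append(action.dispatch())                   # RST: no farm left to serve
    trace.append("VIP up" if action.vip_in_service() else "VIP down")
    return trace
```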
(config-pmap-lb-generic-m) set ip tos
To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB)
policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the
Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can
then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the
default of 0.
set ip tos value
no set ip tos value
Syntax Description
value IP DSCP value. Enter an integer from 0 to 255. The default is 0.
Command Modes Policy map load balancing generic match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.
Examples To specify the set ip tos command as a QoS action in the Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match MATCH_SLB1 source-address 192.168.10.1
255.255.0.0
host1/Admin(config-pmap-lb-generic-m)# set ip tos 8
Related Commands This command has no related commands.
(config-pmap-lb-generic-m) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm,
use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from
the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
name Name of an existing sticky group. Enter an unquoted text string with
no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing generic match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application
Control Engine.
Examples To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm,
enter:
host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match MATCH_SLB1 source-address 192.168.11.2
255.255.255.0
host1/Admin(config-pmap-lb-generic-m)# sticky-serverfarm STICKY_GROUP1
Related Commands This command has no related commands.
Policy Map Load Balancing HTTP Configuration Mode Commands
Policy map load balancing HTTP configuration mode commands allow you to specify an HTTP Layer 7
policy map for server load-balancing decisions. The ACE executes the specified action only against the
first matching load-balancing classification.
To create an HTTP Layer 7 server load balancing (SLB) policy map and access policy map load
balancing HTTP configuration mode, use the policy-map type loadbalance http first-match command.
When you access the policy map load balancing HTTP configuration mode, the prompt changes to
(config-pmap-lb). Use the no form of this command to remove an HTTP SLB policy map from the ACE.
policy-map type loadbalance [http] first-match map_name
no policy-map type loadbalance [http] first-match map_name
Syntax Description
http (Optional) Specifies an HTTP Layer 7 load-balancing policy map. HTTP is the
default type of load-balancing policy map. If you enter policy-map type loadbalance
first-match map_name, the ACE creates an HTTP load-balancing policy map.
map_name Name assigned to the HTTP SLB policy map. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
You associate the Layer 7 load balancing policy map with a Layer 3 and Layer 4 policy map to provide
an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies. Only
a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot
be directly applied on a VLAN (or any) interface.
To associate the Layer 7 load-balancing policy map, you nest it by using the Layer 3 and Layer 4
(config-pmap-c) loadbalance policy command.
Examples To create an HTTP SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)#
Related Commands show running-config
(config) policy-map
(config-pmap-lb) class
To associate a Layer 7 server load balancing (SLB) class map with a Layer 7 SLB policy map, use the
class command. The prompt changes from (config-pmap-lb) to (config-pmap-lb-c). For information
about commands in this mode, see the “Policy Map Load Balancing HTTP Class Configuration Mode
Commands” section. Use the no form of this command to remove an associated class map from a policy
map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2] | class-default}
Syntax Description
name1 Name of a previously defined Layer 7 SLB class map configured with
the class-map command. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
insert-before name2 (Optional) Places the current named class map ahead of an existing
class map or inline match condition specified by the name2 argument
in the policy map configuration. The ACE does not save the sequence
reordering as part of the configuration.
class-default Reserved, well-known class map created by the ACE. You cannot
delete or modify this class. All traffic that fails to meet the other
matching criteria in the named class map belongs to the default traffic
class. If none of the specified classifications matches the traffic, then
the ACE performs the action specified under the class class-default
command. The class-default class map has an implicit match any
statement in it that enables it to match all traffic.
Command Modes Policy map load balancing HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate a Layer 7 SLB class map with a Layer 7 SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7LOADBALNCE_CLASS
Related Commands (config-pmap-lb) description
(config-pmap-lb) description
To provide a brief description of the HTTP server load balancing (SLB) policy map, use the description
command. Use the no form of this command to remove the description from the policy map.
description text
no description
Syntax Description
text Description for the policy map. Enter an unquoted text string with a
maximum of 240 alphanumeric characters.
Command Modes Policy map load balancing HTTP configuration mode
Admin role in any user context
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the policy map is to perform server load balancing, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# description HTTP LOAD BALANCE PROTOCOL
Related Commands (config-pmap-lb) class
(config-pmap-lb) match cipher
To make server load-balancing (SLB) decisions based on a specific SSL cipher or cipher strength used
to initiate a connection, use the match cipher command. Use the no form of this command to remove
an SSL cipher content match statement from the policy map.
match name cipher {equal-to cipher | less-than cipher_strength}
no match name cipher {equal-to cipher | less-than cipher_strength}
Syntax Description
name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
equal-to cipher Specifies the SSL cipher. The possible values for cipher are as
follows:
• RSA_EXPORT1024_WITH_DES_CBC_SHA
• RSA_EXPORT1024_WITH_RC4_56_MD5
• RSA_EXPORT1024_WITH_RC4_56_SHA
• RSA_EXPORT_WITH_DES40_CBC_SHA
• RSA_EXPORT_WITH_RC4_40_MD5
• RSA_WITH_3DES_EDE_CBC_SHA
• RSA_WITH_AES_128_CBC_SHA
• RSA_WITH_AES_256_CBC_SHA
• RSA_WITH_DES_CBC_SHA
• RSA_WITH_RC4_128_MD5
• RSA_WITH_RC4_128_SHA
less-than cipher_strength Specifies a noninclusive minimum SSL cipher bit strength. For
example, if you specify a cipher strength value of 128, any SSL
cipher weaker than 128 bits hits the traffic policy. If the SSL cipher
is 128-bit or greater, the connection misses the policy.
The possible values for cipher_strength are as follows:
• 56
• 128
• 168
• 256
Command Modes Policy map load balancing HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines To specify actions for multiple match statements, use a class map as described in the “Class Map HTTP
Load Balancing Configuration Mode Commands” section.
When you use the match cipher command, you access the policy map load balancing match
configuration mode and the prompt changes to (config-pmap-lb-generic-m). For information about
commands in this mode, see the “Policy Map Load Balancing Generic Match Configuration Mode
Commands” section.
Examples To specify that the Layer 7 SLB policy map load balances on a specific SSL cipher, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 cipher equal-to RSA_WITH_RC4_128_CBC_SHA
host1/Admin(config-pmap-lb-m)#
Related Commands This command has no related commands.
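The two forms of the match cipher condition, the exact equal-to suite name and the noninclusive less-than bit-strength threshold, are easy to get backwards. The following Python is an added example, not Cisco code: it models both forms and then applies one condition to a few constructed session records, the way an operator auditing which clients still negotiate weak ciphers would. The bit strength of each suite is an assumption derived from the suite name; the reference itself lists only 56, 128, 168 and 256 as valid cipher_strength values, and the session record format is constructed for this example.

```python
"""Evaluate 'match cipher' conditions and flag weak-cipher sessions (added example)."""
import re

# Bit strength implied by each cipher suite name listed in the reference.
# ASSUMPTION: strengths come from the suite names (DES = 56, DES40/RC4_40 = 40,
# 3DES = 168, AES_128/RC4_128 = 128, AES_256 = 256); the reference only lists
# 56, 128, 168 and 256 as valid less-than values.
CIPHER_STRENGTH = {
    "RSA_EXPORT1024_WITH_DES_CBC_SHA": 56,
    "RSA_EXPORT1024_WITH_RC4_56_MD5": 56,
    "RSA_EXPORT1024_WITH_RC4_56_SHA": 56,
    "RSA_EXPORT_WITH_DES40_CBC_SHA": 40,
    "RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "RSA_WITH_3DES_EDE_CBC_SHA": 168,
    "RSA_WITH_AES_128_CBC_SHA": 128,
    "RSA_WITH_AES_256_CBC_SHA": 256,
    "RSA_WITH_DES_CBC_SHA": 56,
    "RSA_WITH_RC4_128_MD5": 128,
    "RSA_WITH_RC4_128_SHA": 128,
}
VALID_STRENGTHS = (56, 128, 168, 256)


def cipher_hits(condition, negotiated):
    """Return True when the negotiated suite hits a match cipher condition.

    condition is ("equal-to", suite_name) or ("less-than", bits).
    """
    op, value = condition
    if negotiated not in CIPHER_STRENGTH:
        raise ValueError(f"unknown cipher suite: {negotiated}")
    if op == "equal-to":
        if value not in CIPHER_STRENGTH:
            raise ValueError(f"unknown cipher suite: {value}")
        return negotiated == value
    if op == "less-than":
        if value not in VALID_STRENGTHS:
            raise ValueError(f"cipher_strength must be one of {VALID_STRENGTHS}")
        # Noninclusive minimum: a suite of exactly `value` bits misses the policy.
        return CIPHER_STRENGTH[negotiated] < value
    raise ValueError(f"unknown operator: {op}")


# Constructed session records in a made-up "client=... cipher=..." format.
SAMPLE_SESSIONS = """\
client=203.0.113.10 cipher=RSA_WITH_AES_256_CBC_SHA
client=203.0.113.11 cipher=RSA_WITH_DES_CBC_SHA
client=203.0.113.12 cipher=RSA_WITH_AES_128_CBC_SHA
client=203.0.113.13 cipher=RSA_EXPORT_WITH_RC4_40_MD5
client=203.0.113.14 cipher=RSA_WITH_RC4_128_SHA
"""

_LINE = re.compile(r"client=(?P<client>\S+)\s+cipher=(?P<cipher>\S+)")


def weak_cipher_clients(session_text, condition=("less-than", 128)):
    """Return the clients whose negotiated cipher hits the given condition."""
    hits = []
    for line in session_text.splitlines():
        m = _LINE.search(line)
        if m and cipher_hits(condition, m.group("cipher")):
            hits.append(m.group("client"))
    return hits


if __name__ == "__main__":
    print(weak_cipher_clients(SAMPLE_SESSIONS))   # clients below 128 bits
```

With the default condition ("less-than", 128) the 128-bit AES and RC4 sessions miss the policy and only the 56-bit DES and 40-bit export sessions are reported, which is the noninclusive behaviour the entry describes.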
(config-pmap-lb) match http content
To make server load-balancing (SLB) decisions based on the HTTP packet content, use the match http
content command. Use the no form of this command to remove an HTTP content match statement from
the policy map.
match name http content expression [offset bytes] [insert-before map_name]
no match name http content expression
Syntax Description
name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
expression Regular expression content to match. Enter a string from 1 to
255 alphanumeric characters. The ACE supports the use of regular
expressions for matching data strings. For a list of the supported
characters that you can use in regular expressions, see Table 1-21.
offset bytes (Optional) Specifies the byte at which the ACE begins parsing the
packet data. Enter an integer from 1 to 255. The default is 0.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map or other match statement specified by the map_name
argument. The ACE does not save the sequence reordering as part of
the configuration.
Command Modes Policy map load balancing HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines To specify actions for multiple match statements, use a class map as described in the “Class Map HTTP
Load Balancing Configuration Mode Commands” section.
When matching data strings, the period (.) and question mark (?) characters do not have a literal meaning
in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com
instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
The ACE can perform regular expression matching against the received packet data from a particular
connection based on a regular expression string in HTTP packet data (not the header).
When you use the match http content command, you access the policy map load balancing match
configuration mode and the prompt changes to (config-pmap-lb-generic-m). For information about
commands in this mode, see the “Policy Map Load Balancing Generic Match Configuration Mode
Commands” section.
Examples To specify that the Layer 7 SLB policy map load balances on specific packet content, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 http content abc*123 offset 50
host1/Admin(config-pmap-lb-m)#
Related Commands (config-cmap-http-lb) match http content
(config-pmap-lb) match http cookie
To make server load balancing (SLB) decisions based on the name and string of a cookie, use the match
http cookie command. Use the no form of this command to remove an HTTP cookie match statement
from the policy map.
match name1 http cookie {name2 | secondary name3} cookie-value expression [insert-before
map_name]
no match name1 http cookie {name2 | secondary name3} cookie-value expression
Syntax Description name1 Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
name2 Unique cookie name. Enter an unquoted text string with no spaces
and a maximum of 63 alphanumeric characters.
secondary name3 Specifies a cookie in a URL string. You can specify the delimiters for
cookies in a URL string using a command in an HTTP parameter
map.
cookie-value expression Specifies a unique cookie value expression. Enter an unquoted text
string with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching
string expressions. For a list of supported characters that you can use
for matching string expressions, see Table 1-21.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map load balancing HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you use the match http cookie command, you access the policy map load balancing HTTP match
configuration mode and the prompt changes from (config-pmap-lb) to (config-pmap-lb-m). For
information about commands in this mode, see the “Policy Map Load Balancing HTTP Match
Configuration Mode Commands” section.
The ACE performs regular expression matching against the received packet data from a particular
connection based on the cookie expression. You can configure a maximum of five cookie names per VIP.
The ACE supports regular expressions for matching string expressions. For a list of supported characters
that you can use for matching string expressions, see Table 1-21.
For details on defining a list of ASCII-character delimiter strings that you can use to separate the cookies
in a URL string, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To specify that the Layer 7 SLB policy map load balances on a cookie with the name of testcookie1,
enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH2 http cookie testcookie1 cookie-value 123456
host1/Admin(config-pmap-lb-m)#
Related Commands (config-parammap-http) set content-maxparse-length
(config-parammap-http) set secondary-cookie-delimiters
(config-pmap-lb) match http header
To make server load balancing (SLB) decisions based on the name and value of an HTTP header, use the
match http header command. The ACE performs regular expression matching against the received
packet data from a particular connection based on the HTTP header expression. Use the no form of this
command to clear an HTTP header match criteria from the policy map.
match name http header {header_name | header_field} header-value expression [insert-before
map_name]
no match name http header {header_name | header_field} header-value expression
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
header_name Name of the HTTP header to match (for example,
www.example1.com.) The range is from 1 to 64 alphanumeric
characters.
Note The header_name argument cannot include the colon in the
name of the HTTP header; the ACE rejects the colon as an
invalid token.
header_field A standard HTTP/1.1 header field. Valid selections include
request-header fields, general-header fields, and the entity-header
field. The supported selections are the following:
• Accept—Semicolon-separated list of representation schemes
(content type metainformation values) that will be accepted in
the response to the request.
• Accept-Charset—Character sets that are acceptable for the
response. This field allows clients capable of understanding
more comprehensive or special-purpose character sets to signal
that capability to a server that can represent documents in those
character sets.
• Accept-Encoding—Restricts the content encoding that a user
will accept from the server.
• Accept-Language—ISO code for the language in which the
document is written. The language code is an ISO 3316 language
code with an optional ISO639 country code to specify a national
variant.
• Authorization—Specifies that the user agent wants to
authenticate itself with a server, usually after receiving a 401
response.
• Cache-Control—Directives that must be obeyed by all caching
mechanisms along the request/response chain. The directives
specify behavior intended to prevent caches from adversely
interfering with the request or response.
• Connection—Allows the sender to specify connection options.
• Content-MD5—MD5 digest of the entity body that provides an
end-to-end integrity check. Only a client or an origin server can
generate this header field.
• Expect—Used by a client to inform the server about the
behaviors that the client requires.
• From—Contains the e-mail address of the person that controls
the requesting user agent.
• Host—Internet host and port number of the resource being
requested, as obtained from the original URI given by the user or
referring resource. The Host field value must represent the
naming authority of the origin server or gateway given by the
original URL.
• If-Match—Used with a method to make it conditional. A client
that has one or more entities previously obtained from the
resource can verify that one of those entities is current by
including a list of their associated entity tags in the If-Match
header field. This feature allows efficient updates of cached
information with a minimum amount of transaction overhead. It
is also used on updating requests to prevent inadvertent
modification of the wrong version of a resource. As a special
case, the value “*” matches any current entity of the resource.
• Pragma—Pragma directives that are understood by servers to
whom the directives are relevant. The syntax is the same as for
other multiple-value fields in HTTP. For example, the Accept
field is a comma-separated list of entries for which the optional
parameters are separated by semicolons.
• Referer—Address (URI) of the resource from which the URI in
the request was obtained.
• Transfer-Encoding—Indicates what (if any) type of
transformation has been applied to the message body in order to
safely transfer it between the sender and the recipient.
• User-Agent—Information about the user agent (for example, a
software program that originates the request). This information
is for statistical purposes, the tracing of protocol violations, and
automated recognition of user agents.
• Via—Used by gateways and proxies to indicate the intermediate
protocols and recipients between the user agent and the server on
requests and between the origin server and the client on
responses.
header-value expression Specifies the header value expression string to compare against the
value in the specified field in the HTTP header. The range is from 1
to 255 alphanumeric characters. For a list of supported characters that
you can use in regular expressions, see Table 1-21.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map load balancing HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you use the match http header command, you access the policy map load balancing HTTP match
configuration mode and the prompt changes from (config-pmap-lb) to (config-pmap-lb-m). For
information about commands in this mode, see the “Policy Map Load Balancing HTTP Match
Configuration Mode Commands” section.
The ACE supports regular expressions for matching. Expressions are stored in a header map in the form
header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. For a list
of supported characters that you can use in regular expressions, see Table 1-21.
Examples To specify that the Layer 7 SLB policy map load balances on an HTTP header named Host, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 http header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-m)#
Related Commands (config-parammap-http) set header-maxparse-length
(config-pmap-lb) match http url
To make server load balancing (SLB) decisions based on the URL name and, optionally, the HTTP
method, use the match http url command. The ACE performs regular expression matching against the
received packet data from a particular connection based on the HTTP URL string. Use the no form of
this command to remove a URL match statement from the policy map.
match name http url expression [method name] [insert-before map_name]
no match name http url expression [method name]
Syntax Description
name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
expression URL, or portion of a URL, to match. Enter a URL string from 1 to
255 alphanumeric characters. Include only the portion of the URL
that follows www.hostname.domain in the match statement. For a list
of supported characters that you can use in regular expressions, see
Table 1-21.
method name (Optional) Specifies the HTTP method to match. Enter a method
name as an unquoted text string with no spaces and a maximum of
15 alphanumeric characters. The method can either be one of the
standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST,
PUT, DELETE, TRACE, or CONNECT) or a text string that must be
matched exactly (for example, PROTOPLASM).
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map load balancing HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you use the match http url command, you access the policy map load balancing HTTP match
configuration mode and the prompt changes from (config-pmap-lb) to (config-pmap-lb-m). For
information about commands in this mode, see the “Policy Map Load Balancing HTTP Match
Configuration Mode Commands” section.
Include only the portion of the URL that follows www.hostname.domain in the match statement. For
example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.
To match the www.anydomain.com portion, the URL string can take the form of a URL regular
expression. For a list of supported characters that you can use in regular expressions, see Table 1-21.
When matching data strings, the period (.) and question mark (?) characters do not have a literal meaning
in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com
instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
Examples To specify that the Layer 7 SLB policy map load balances on a specific URL, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 http url whatsnew/latest.*
To use regular expressions to emulate a wildcard search to match on any .gif file, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 http url .*.gif
host1/Admin(config-pmap-lb-m)#
Related Commands (config-parammap-http) set content-maxparse-length
(config-pmap-lb) match source-address
To specify a client source host IP address and subnet mask from which the ACE accepts traffic as the
network traffic matching criteria, use the match source-address command. You configure the associated
policy map to permit or restrict management traffic to the ACE from the specified source network or
host. Use the no form of this command to clear the source IP address and subnet mask match criteria
from the policy map.
match name source-address ip_address mask [insert-before map_name]
no match name source-address ip_address mask
Syntax Description name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
ip_address Source IP address of the client. Enter the IP address in
dotted-decimal notation (for example, 192.168.11.1).
mask Subnet mask of the client entry in dotted-decimal notation (for
example, 255.255.255.0).
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map load balancing HTTP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When you use the match source-address command, you access the policy map load balancing HTTP
match configuration mode and the prompt changes from (config-pmap-lb) to (config-pmap-lb-m). For
information about commands in this mode, see the “Policy Map Load Balancing HTTP Match
Configuration Mode Commands” section.
Examples To specify that the Layer 7 SLB policy map matches on source IP address 192.168.10.1 255.255.0.0,
enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 source-address 192.168.10.1 255.255.0.0
host1/Admin(config-pmap-lb-m)#
Related Commands (config-cmap-http-lb) match source-address
Policy Map Load Balancing HTTP Class Configuration Mode
Commands
Policy map load balancing HTTP class configuration mode commands allow you to specify the actions
that the ACE should take when network traffic matches one or more match statements in the associated
Layer 7 server load balancing (SLB) class map. To access policy map load balancing HTTP class
configuration mode, use the class command in policy map load balancing HTTP configuration mode (see
the (config-pmap-lb) class command for details). The prompt changes to (config-pmap-lb-c).
The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
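The inline match statements of the preceding section (match http url with its optional method, match http header, match http cookie and match source-address), the insert-before ordering, the 64-character limit on policy name plus match name, and the class-default fall-through of the class command all come together when a first-match policy map is evaluated against a request. The following Python is an added example, not Cisco code, that models that evaluation and also shows the unescaped-dot caveat from the match http url and match http content entries. The Request shape, the serverfarm action names, the whole-field (fullmatch) regex semantic and Python's regex flavour are this example's assumptions; the reference only states that the ACE matches regular expressions (Table 1-21).

```python
"""First-match evaluation of Layer 7 SLB inline match statements (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


def matches(expression: str, text: str) -> bool:
    """Whole-field regex test (ASSUMPTION: the ACE regex semantic is modelled as fullmatch)."""
    return re.fullmatch(expression, text) is not None


def escape_literal_dots(expression: str) -> str:
    """Bracket every '.' so it matches a literal dot, as the reference advises."""
    return expression.replace(".", "[.]")


@dataclass
class Request:
    src_ip: str
    method: str
    url: str                              # only the part after www.hostname.domain
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Match:
    name: str
    kind: str                             # "http url" | "http header" | "http cookie" | "source-address"
    expression: str                       # regex, or the subnet mask for source-address
    arg: Optional[str] = None             # header name, cookie name, or IP address
    method: Optional[str] = None          # only meaningful for "http url"

    def hits(self, req: Request) -> bool:
        if self.kind == "http url":
            if self.method is not None and req.method != self.method:
                return False
            return matches(self.expression, req.url)
        if self.kind == "http header":
            value = req.headers.get(self.arg)
            return value is not None and matches(self.expression, value)
        if self.kind == "http cookie":
            value = req.cookies.get(self.arg)
            return value is not None and matches(self.expression, value)
        if self.kind == "source-address":
            net = ipaddress.ip_network(f"{self.arg}/{self.expression}", strict=False)
            return ipaddress.ip_address(req.src_ip) in net
        raise ValueError(f"unknown match kind: {self.kind}")


class FirstMatchPolicy:
    """policy-map type loadbalance first-match: ordered inline matches plus class-default."""

    NAME_LIMIT = 64                       # policy name + inline match name, per the reference

    def __init__(self, name: str, default_action: str):
        self.name = name
        self.default_action = default_action   # action under class class-default
        self.rules = []                        # ordered list of (Match, action)

    def add(self, match: Match, action: str, insert_before: Optional[str] = None):
        if len(self.name) + len(match.name) > self.NAME_LIMIT:
            raise ValueError(f"policy and match names exceed {self.NAME_LIMIT} characters")
        if insert_before is None:
            self.rules.append((match, action))
            return
        idx = next((i for i, (m, _) in enumerate(self.rules) if m.name == insert_before), None)
        if idx is None:
            raise ValueError(f"no existing match named {insert_before}")
        self.rules.insert(idx, (match, action))

    def evaluate(self, req: Request) -> str:
        """Return the action of the first statement that hits, else class-default."""
        for match, action in self.rules:
            if match.hits(req):
                return action
        return self.default_action


def build_sample_policy() -> FirstMatchPolicy:
    """Constructed policy in the spirit of the reference's examples; serverfarm names are made up."""
    p = FirstMatchPolicy("L7SLBPOLICY", default_action="serverfarm DEFAULT")
    p.add(Match("gifs", "http url", r"/images/.*[.]gif", method="GET"), "serverfarm IMAGES")
    p.add(Match("host", "http header", r".*cisco[.]com", arg="Host"), "serverfarm CISCO")
    p.add(Match("sticky", "http cookie", "123456", arg="testcookie1"), "serverfarm STICKY")
    p.add(Match("lan", "source-address", "255.255.255.0", arg="192.168.10.0"), "serverfarm INTERNAL")
    return p
```

Because evaluation stops at the first hit, the order in which statements are added (or moved with insert-before) decides the outcome when a request satisfies several of them; the page's own note that the ACE does not save insert-before reordering as part of the configuration is worth keeping in mind when comparing a running configuration with what was typed.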
(config-pmap-lb-c) action
To associate an action list with an HTTP load-balancing policy map, use the action command. Use the
no form of this command to remove the action list association.
action name
no action
Syntax Description
name Identifier of an existing action list. Enter an unquoted text string with
a maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing HTTP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You use action lists to group several ACE actions (for example, HTTP header insert, rewrite, or delete)
together in a named list under a Layer 7 policy map. For information about action list commands, see
the “Action List Modify Configuration Mode Commands” section.
Examples To associate an action list for HTTP header rewrite, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class HTTP_CLASS
host1/Admin(config-pmap-lb-c)# action HTTP_MODIFY_ACTLIST
To disassociate the action list from the policy map, enter:
host1/Admin(config-pmap-lb-c)# no action
Related Commands This command has no related commands.
(config-pmap-lb-c) compress
To instruct the ACE to compress and encode packets that match a Layer 7 SLB policy map, use the
compress command. Use the no form of this command to disable HTTP compression.
compress default-method {deflate | gzip}
no compress default-method {deflate | gzip}
Syntax Description
deflate Specifies the deflate compression method as the method to use when
the client browser supports both deflate and gzip compression
methods.
gzip Specifies the gzip compression method as the method to use when the
client browser supports both deflate and gzip compression methods.
Command Modes Policy map load balancing class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The compress command option displays only when you associate an HTTP-type class map with a policy
map.
When a client request specifies deflate or gzip encoding in the Accept-Encoding field, the ACE uses
either deflate or gzip to compress and encode the response content to the client. If both encoding formats
are specified in the Accept-Encoding field, the response from the ACE will be encoded according to the
compress default-method command in the Layer 7 SLB policy map.
HTTP compression is intended primarily for text-based content types. For example, the following are
text-based content types:
• text/html
• text/plain
• text/xml
• text/css
• application/x-javascript
(ACE module only) By default, the ACE supports HTTP compression at a rate of 1 Gbps. Installing an
optional license bundle allows you to increase this value to a maximum of 6 Gbps. See the
Administration Guide, Cisco ACE Application Control Engine for information on ACE licensing options.
(ACE appliance only) By default, the ACE supports HTTP compression at a rate of 100 megabits per
second (Mbps). Installing an optional HTTP compression license allows you to increase this value to a
maximum of 2 Gbps. See the Administration Guide, Cisco ACE Application Control Engine for
information on ACE licensing options.
When you enable HTTP compression, the ACE compresses the packets using the following default
compression parameter values:
• Multipurpose Internet Mail Extension (MIME) type—All text formats (text/.*)
• Minimum content length size—512 bytes
• User agent exclusion—No user agent is excluded
You can create an HTTP parameter map to modify the compression parameters that the ACE uses (see
the “Parameter Map Connection Configuration Mode Commands” section).
Examples To enable compression and specify gzip as the HTTP compression method when both formats are
included in the Accept-Encoding client request, enter:
host1/Admin(config-pmap-lb-c)# compress default-method gzip
Related Commands (config-parammap-http) compress
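The compress entry above describes two separate decisions: which encoding to apply, chosen from the client's Accept-Encoding with default-method breaking the tie when both deflate and gzip are offered, and whether to compress at all, governed by the default parameters (MIME type text/.*, minimum content length 512 bytes, no user-agent exclusion) that an HTTP parameter map can override. The following Python is an added example, not Cisco code, that implements both decisions and then actually encodes a response body with the chosen method. The q-value handling, the function signatures and the round-trip check are this example's assumptions; the reference does not say how the ACE treats q-values, and the HTTP "deflate" coding is taken here to be the zlib-wrapped form.

```python
"""Accept-Encoding negotiation and compression gate for the compress command (added example)."""
import gzip
import re
import zlib
from typing import Optional

SUPPORTED = ("deflate", "gzip")


def choose_encoding(accept_encoding: str, default_method: str) -> Optional[str]:
    """Pick deflate or gzip from Accept-Encoding, or None when the client accepts neither."""
    if default_method not in SUPPORTED:
        raise ValueError("default-method must be deflate or gzip")
    offered = set()
    for token in accept_encoding.split(","):
        parts = [p.strip() for p in token.split(";")]
        coding = parts[0].lower()
        # ASSUMPTION: a q=0 parameter means the coding is explicitly refused.
        q = 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        if coding in SUPPORTED and q > 0:
            offered.add(coding)
    if not offered:
        return None
    if len(offered) == 2:
        return default_method             # both offered: default-method breaks the tie
    return offered.pop()


def should_compress(content_type: str, content_length: int, user_agent: str,
                    mime_pattern: str = r"text/.*", min_length: int = 512,
                    excluded_agents=()) -> bool:
    """Apply the default compression parameters; the keyword arguments model a parameter map."""
    if content_length < min_length:
        return False
    media_type = content_type.split(";")[0].strip()
    if re.fullmatch(mime_pattern, media_type) is None:
        return False
    return not any(re.search(pattern, user_agent) for pattern in excluded_agents)


def encode_body(body: bytes, method: str) -> bytes:
    """Encode the body with the negotiated method (HTTP 'deflate' is zlib-wrapped)."""
    if method == "gzip":
        return gzip.compress(body)
    if method == "deflate":
        return zlib.compress(body)
    raise ValueError(f"unsupported method: {method}")


def decode_body(data: bytes, method: str) -> bytes:
    """Inverse of encode_body, used to verify a round trip."""
    if method == "gzip":
        return gzip.decompress(data)
    if method == "deflate":
        return zlib.decompress(data)
    raise ValueError(f"unsupported method: {method}")


def serve(accept_encoding: str, user_agent: str, content_type: str, body: bytes,
          default_method: str = "gzip"):
    """Return (encoding, payload): the encoding applied, or (None, body) when left uncompressed."""
    method = choose_encoding(accept_encoding, default_method)
    if method is None or not should_compress(content_type, len(body), user_agent):
        return None, body
    return method, encode_body(body, method)
```

Note that application/x-javascript, although listed above as a text-based type, does not match the default text/.* MIME pattern; a parameter map is needed to include it, which is exactly the kind of gap should_compress makes visible.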
(config-pmap-lb-c) drop
To instruct the ACE to discard packets that match a particular load-balancing criteria in the class map,
use the drop command. Use the no form of this command to reset the ACE to its default of accepting
packets from the policy map.
drop
no drop
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing HTTP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to discard packets that match the load-balancing criteria in the class map, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# drop
Related Commands This command has no related commands.
(config-pmap-lb-c) forward
To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, use the forward command. Use the no form of this command to reset the ACE to its default of load balancing packets from the policy map.
forward
no forward
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing HTTP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# forward
Related Commands This command has no related commands.
(config-pmap-lb-c) insert-http
To specify the name and value of a generic header field that you want the ACE to insert in the HTTP header, use the insert-http command. Use the no form of this command to delete the HTTP header name and value from the policy map.
insert-http name header-value expression
no insert-http name header-value expression
Syntax Description
name  Name of the generic header field that you want the ACE to insert in the HTTP header. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters.
header-value expression  Specifies the header-value expression string to insert in the specified field in the HTTP header. Enter a text string with a maximum of 255 alphanumeric characters. See the Server Load-Balancing Guide, Cisco ACE Application Control Engine for details.
Command Modes Policy map load balancing HTTP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines To identify a client whose source IP address has been mapped to another IP address using NAT, you can instruct the ACE to insert a generic header and string value in the client HTTP request. (For information about NAT, see the Security Guide, Cisco ACE Application Control Engine.)
For the name argument, you can specify any custom header name that you want, subject to the maximum character length. You can also enter any of the predefined header names described for the (config-pmap-lb) match http header command, regardless of whether that header name already exists in the client request header. The ACE does not overwrite any existing header information in the client request.
You can enter a maximum of 255 bytes of data for the header expression. If you enter more than 255 bytes, the ACE does not insert the header name and expression in the client request.
You can also use the following special parameter values in the header-value expression:
• %is—Inserts the source IP address in the HTTP header.
• %id—Inserts the destination IP address in the HTTP header.
• %ps—Inserts the source port in the HTTP header.
• %pd—Inserts the destination port in the HTTP header.
For IPv6 to IPv4 and IPv4 to IPv6 load balancing, use the X-FORWARDED-FOR header. For details, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
For Microsoft Outlook Web Access (OWA), specify the field name as HTTP_FRONT_END_HTTPS with a value of ON.
If either TCP server reuse or persistence rebalance is enabled, the ACE inserts a header in every client request.
Examples To specify the insert-http command as an action in the Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# insert-http Host header-value www.cisco.com
Related Commands (config-parammap-http) server-conn reuse
(config-parammap-http) persistence-rebalance
(config-pmap-lb-c) nat dynamic
To configure server farm-based dynamic NAT as an action in a Layer 7 load-balancing policy map, use the nat dynamic command.
The syntax of this command is as follows:
nat dynamic pool_id vlan number serverfarm {primary | backup}
no nat dynamic pool_id vlan number serverfarm {primary | backup}
Syntax Description
pool_id  Identifier of the NAT pool of global IP addresses. Enter an integer from 1 to 2147483647.
vlan number  Specifies the server interface for the global IP address. This interface must be different from the interface that the ACE uses to filter and receive traffic that requires NAT, unless the network design operates in one-arm mode. In that case, the VLAN number is the same.
serverfarm {primary | backup}  Specifies that the dynamic NAT applies to either the primary server farm or the backup server farm.
Command Modes Policy map load balancing HTTP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines Typically, you use dynamic NAT for SNAT. Dynamic NAT allows you to identify local traffic for address translation by specifying the source and destination addresses in an extended ACL, which is referenced as part of the class map traffic classification. The ACE applies dynamic NAT from the interface to which the traffic policy is attached (through the service-policy interface configuration command) to the interface specified in the nat dynamic command.
Examples To specify the nat dynamic command as an action in the Layer 7 load-balancing policy map, following the syntax shown above, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# nat dynamic 1 vlan 200 serverfarm primary
Related Commands show parameter-map
(config-if) nat-pool
(config-pmap-lb-c) serverfarm
To load balance a client request for content to a server farm, use the serverfarm command. Server farms are groups of networked real servers that contain the same content and reside in the same physical location. Use the no form of this command to remove the server-farm action from the Layer 7 load-balancing policy map.
serverfarm name1 [backup name2 [aggregate-state]]
no serverfarm name1 [backup name2 [aggregate-state]]
Syntax Description
name1  Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
backup name2  (Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm goes down, the ACE sends all connections to the configured backup server farm. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
aggregate-state  (Optional) This option has been deprecated and no longer has an effect on the state of the VIP. By default, the ACE takes into account the state of all real servers in the backup server farm before taking the VIP out of service. If all real servers in the primary server farm fail, but there is at least one real server in the backup server farm that is operational, the ACE keeps the VIP in service.
Command Modes Policy map load balancing HTTP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
3.0(0)A1(5) The aggregate-state option was deprecated.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) The aggregate-state option was deprecated.
Usage Guidelines If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset (RST) to a client in response to a content request.
By default, the ACE takes into account the state of all the real servers in the backup server farm before taking the VIP out of service. If all the real servers in the primary server farm fail, but there is at least one real server in the backup server farm that is operational, the ACE keeps the VIP in service.
If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.
Examples To specify the serverfarm command as an action in the load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# serverfarm FARM2 backup FARM3
Related Commands This command has no related commands.
(config-pmap-lb-c) set ip tos
To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB) policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the default of 0.
set ip tos value
no set ip tos value
Syntax Description
value  IP DSCP value. Enter an integer from 0 to 255. The default is 0.
Command Modes Policy map load balancing HTTP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.
Examples The following example specifies the set ip tos command as a QoS action in the Layer 7 load-balancing policy map. All packets that satisfy the match criteria of L7SLBCLASS are marked with the IP DSCP value of 8. How packets marked with the IP DSCP value of 8 are treated is determined by the network configuration.
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# set ip tos 8
Related Commands This command has no related commands.
(config-pmap-lb-c) ssl-proxy client
To specify a Secure Sockets Layer (SSL) proxy service in a Layer 7 load-balancing policy map, use the ssl-proxy client command. The ACE uses an SSL proxy service in a Layer 7 policy map to load balance outbound SSL initiation requests to SSL servers. In this case, the ACE acts as an SSL client that sends an encrypted request to an SSL server. Use the no form of this command to remove the SSL proxy service from the policy map.
ssl-proxy client name
no ssl-proxy client name
Syntax Description
name  Name of an existing SSL proxy service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing HTTP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines For more information about configuring SSL, see the SSL Guide, Cisco ACE Application Control Engine.
Examples To associate an SSL proxy service with a Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# ssl-proxy client SSL_SERVER_PROXY_SERVICE
Related Commands This command has no related commands.
(config-pmap-lb-c) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
name  Name of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing HTTP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# sticky-serverfarm STICKY_GROUP1
Related Commands This command has no related commands.
Policy Map Load Balancing HTTP Match Configuration Mode Commands
Policy map load balancing HTTP match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map load balancing HTTP match configuration mode, use one of the match commands in policy map load balancing HTTP configuration mode (see the “Policy Map Load Balancing HTTP Configuration Mode Commands” section for details). The prompt changes to (config-pmap-lb-m).
The inline Layer 7 policy map match commands allow you to include a single inline match criterion in the policy map without specifying a traffic class. The inline match commands function the same way as the Layer 7 server load balancing (SLB) class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the HTTP SLB policy map.
The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
(config-pmap-lb-m) action
To associate an action list with an HTTP load-balancing policy map, use the action command. Use the no form of this command to remove the action list association.
action name
no action
Syntax Description
name  Identifier of an existing action list. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing HTTP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines You use action lists to group several ACE actions (for example, HTTP header insert, rewrite, or delete) together in a named list under a Layer 7 policy map. For information about action list commands, see the “Action List Modify Configuration Mode Commands” section.
Examples To associate an action list for HTTP header rewrite, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 source-address 192.168.10.1 255.255.0.0
host1/Admin(config-pmap-lb-m)# action HTTP_MODIFY_ACTLIST
To disassociate the action list from the policy map, enter:
host1/Admin(config-pmap-lb-m)# no action
Related Commands This command has no related commands.
(config-pmap-lb-m) compress
To instruct the ACE to compress and encode packets that match a Layer 7 SLB policy map, use the compress command. Use the no form of this command to disable HTTP compression.
compress default-method {deflate | gzip}
no compress default-method {deflate | gzip}
Syntax Description
deflate  Specifies the deflate compression method as the method to use when the client browser supports both deflate and gzip compression methods.
gzip  Specifies the gzip compression method as the method to use when the client browser supports both deflate and gzip compression methods.
Command Modes Policy map load balancing HTTP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The compress command option displays only when you associate an HTTP-type class map with a policy map.
When a client request specifies deflate or gzip encoding in the Accept-Encoding field, the ACE uses either deflate or gzip to compress and encode the response content to the client. If both encoding formats are specified in the Accept-Encoding field, the response from the ACE will be encoded according to the compress default-method command in the Layer 7 SLB policy map.
HTTP compression is intended primarily for text-based content types. For example, the following are text-based content types:
• text/html
• text/plain
• text/xml
• text/css
• application/x-javascript
By default, the ACE supports HTTP compression at rates of 100 megabits per second (Mbps). Installing an optional HTTP compression license allows you to increase this value to a maximum of 2 Gbps. See the Administration Guide, Cisco ACE Application Control Engine for information on ACE licensing options.
When you enable HTTP compression, the ACE compresses the packets using the following default compression parameter values:
• Multipurpose Internet Mail Extension (MIME) type—All text formats (text/.*)
• Minimum content length size—512 bytes
• User agent exclusion—No user agent is excluded
You can create an HTTP parameter map to modify the compression parameters that the ACE uses (see the “Parameter Map Connection Configuration Mode Commands” section).
Examples To enable compression and specify gzip as the HTTP compression method when both formats are included in the Accept-Encoding client request, enter:
host1/Admin(config-pmap-lb-m)# compress default-method gzip
Related Commands (config-parammap-http) compress
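The negotiation that the two compress entries describe (this one and the class-mode entry above) can be modelled in a few lines. The following Python is an added example, not ACE code: it applies the documented rules (compress only when the client lists deflate or gzip in Accept-Encoding, fall back to the configured default method when both are listed, and leave a response alone when its MIME type does not match the default text/.* pattern, its body is under 512 bytes, or its User-Agent matches an exclusion) and then produces the encoded body with Python's gzip and zlib modules. The CompressionParams class and its field names, the q-value handling, and the sample response and request values are assumptions made for the example; they are not ACE parameter-map keywords.

```python
import gzip
import re
import zlib
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class CompressionParams:
    """Assumed container for the compression parameters the page lists."""
    default_method: str = "gzip"                  # compress default-method {deflate | gzip}
    mime_pattern: str = r"text/.*"                # default MIME type: all text formats
    min_content_length: int = 512                 # default minimum content length (bytes)
    user_agent_exclusions: Tuple[str, ...] = ()   # default: no user agent excluded


def accepted_encodings(accept_encoding: str) -> Set[str]:
    """Parse an Accept-Encoding value into the set of encodings the client accepts.

    An entry with q=0 is treated as refused (RFC 7231 semantics, assumed here).
    """
    accepted = set()
    for item in accept_encoding.split(","):
        parts = [p.strip() for p in item.split(";")]
        token = parts[0].lower()
        if not token:
            continue
        qvalue = 1.0
        for param in parts[1:]:
            match = re.fullmatch(r"q=([0-9]*\.?[0-9]+)", param.lower())
            if match:
                qvalue = float(match.group(1))
        if qvalue > 0:
            accepted.add(token)
    return accepted


def choose_method(accept_encoding: str, params: CompressionParams) -> Optional[str]:
    """Pick deflate or gzip; when the client accepts both, the default method wins."""
    candidates = accepted_encodings(accept_encoding) & {"deflate", "gzip"}
    if not candidates:
        return None
    if len(candidates) == 2:
        return params.default_method
    return candidates.pop()


def should_compress(content_type: str, content_length: int,
                    user_agent: str, params: CompressionParams) -> bool:
    """Apply the MIME-type, minimum-length and user-agent exclusion parameters."""
    media_type = content_type.split(";")[0].strip().lower()
    if not re.fullmatch(params.mime_pattern, media_type):
        return False
    if content_length < params.min_content_length:
        return False
    return not any(re.search(pattern, user_agent) for pattern in params.user_agent_exclusions)


def encode_response(body: bytes, content_type: str, accept_encoding: str,
                    user_agent: str, params: CompressionParams) -> Tuple[Optional[str], bytes]:
    """Return (Content-Encoding value or None, response body) for one response."""
    if not should_compress(content_type, len(body), user_agent, params):
        return None, body
    method = choose_method(accept_encoding, params)
    if method == "gzip":
        return "gzip", gzip.compress(body)
    if method == "deflate":
        # HTTP "deflate" is the zlib-wrapped format (RFC 1950), which zlib.compress produces.
        return "deflate", zlib.compress(body)
    return None, body


def decode_response(encoding: Optional[str], payload: bytes) -> bytes:
    """Undo encode_response, as a client does when it sees Content-Encoding."""
    if encoding == "gzip":
        return gzip.decompress(payload)
    if encoding == "deflate":
        return zlib.decompress(payload)
    return payload


if __name__ == "__main__":
    # Constructed sample response body and request headers.
    page = b"<html><body>" + b"<p>load balanced content</p>" * 40 + b"</body></html>"
    encoding, payload = encode_response(page, "text/html; charset=utf-8",
                                        "gzip, deflate", "Mozilla/5.0", CompressionParams())
    print(encoding, len(page), "->", len(payload))
```

One caveat worth keeping beside the MIME and user-agent parameters: compressing a response that mixes a secret such as a session token with input reflected from the request lets the compressed size reveal information about the secret (the BREACH class of weaknesses), so such responses are normally excluded from compression rather than sped up.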
(config-pmap-lb-m) drop
To instruct the ACE to discard packets that match particular load-balancing criteria in an inline match command, use the drop command. Use the no form of this command to reset the ACE to its default of accepting packets from the policy map.
drop
no drop
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing HTTP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to discard packets that match the load-balancing criteria in the inline match command, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-m)# drop
Related Commands This command has no related commands.
(config-pmap-lb-m) forward
To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, use the forward command. Use the no form of this command to reset the ACE to its default of load balancing packets from the policy map.
forward
no forward
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing HTTP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-m)# forward
Related Commands This command has no related commands.
(config-pmap-lb-m) insert-http
To specify the name and value of a generic header field that you want the ACE to insert in the HTTP header, use the insert-http command. Use the no form of this command to delete the HTTP header name and value from the policy map.
insert-http name header-value expression
no insert-http name header-value expression
Syntax Description
name  Name of the generic header field that you want the ACE to insert in the HTTP header. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
header-value expression  Specifies the header-value expression string to insert in the specified field in the HTTP header. Enter a text string with a maximum of 255 alphanumeric characters. See the Server Load-Balancing Guide, Cisco ACE Application Control Engine for details.
Command Modes Policy map load balancing HTTP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines To identify a client whose source IP address has been mapped to another IP address using NAT, you can instruct the ACE to insert a generic header and string value in the client HTTP request. (For information about NAT, see the Security Guide, Cisco ACE Application Control Engine.)
For the name argument, you can specify any custom header name that you want, subject to the maximum character length. You can also enter any of the predefined header names described for the (config-pmap-lb) match http header command, regardless of whether that header name already exists in the client request header. The ACE does not overwrite any existing header information in the client request.
You can enter a maximum of 255 bytes of data for the header expression. If you enter more than 255 bytes, the ACE does not insert the header name and expression in the client request.
You can also use the following special parameter values in the header-value expression:
• %is—Inserts the source IP address in the HTTP header.
• %id—Inserts the destination IP address in the HTTP header.
• %ps—Inserts the source port in the HTTP header.
• %pd—Inserts the destination port in the HTTP header.
For Microsoft Outlook Web Access (OWA), specify the field name as HTTP_FRONT_END_HTTPS with a value of ON.
If either TCP server reuse or persistence rebalance is enabled, the ACE inserts a header in every client request.
Examples To specify the insert-http command as an action in the Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Host header-value .*test.com
host1/Admin(config-pmap-lb-m)# insert-http Host header-value www.cisco.com
The header name and value appear in the HTTP header as follows:
Host: www.cisco.com
Related Commands (config-parammap-http) server-conn reuse
(config-parammap-http) persistence-rebalance
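The header insertion that both insert-http entries describe, as an added example in Python (not ACE code): it expands the special parameter values %is, %id, %ps and %pd from the connection's addresses and ports, inserts nothing when the expression exceeds 255 bytes, and adds the new header without touching an existing header of the same name, as the usage guidelines state. The receiving side is where the security point lies: because a client-supplied X-Forwarded-For survives insertion, a backend that reads the first value rather than the one the load balancer added can be handed a forged client address, so the example's client_ip function takes the last occurrence. The Connection class, the assumption that the inserted header is appended after any existing ones, and the sample addresses are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_EXPRESSION_BYTES = 255  # documented limit for the header-value expression

Header = Tuple[str, str]


@dataclass(frozen=True)
class Connection:
    """Addresses and ports of one client connection (the example's own type)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def expand_header_value(expression: str, conn: Connection) -> str:
    """Replace the special parameter values documented for insert-http."""
    substitutions = {
        "%is": conn.src_ip,          # source IP address
        "%id": conn.dst_ip,          # destination IP address
        "%ps": str(conn.src_port),   # source port
        "%pd": str(conn.dst_port),   # destination port
    }
    value = expression
    for token, replacement in substitutions.items():
        value = value.replace(token, replacement)
    return value


def insert_http(headers: List[Header], name: str, expression: str,
                conn: Connection) -> List[Header]:
    """Return the request headers after the insert-http action.

    An expression over 255 bytes is not inserted at all. An existing header with
    the same name is left unchanged; the new one is appended after it (placement
    is this example's assumption).
    """
    if len(expression.encode("utf-8")) > MAX_EXPRESSION_BYTES:
        return list(headers)
    return list(headers) + [(name, expand_header_value(expression, conn))]


def render_headers(headers: List[Header]) -> str:
    """Serialize headers as they appear on the wire, one 'Name: value' per line."""
    return "\r\n".join(f"{name}: {value}" for name, value in headers)


def client_ip(headers: List[Header], header_name: str = "X-Forwarded-For") -> Optional[str]:
    """Backend-side lookup that trusts only the value the load balancer appended last.

    Taking the first match would return a header the client may have sent itself.
    """
    values = [value for name, value in headers if name.lower() == header_name.lower()]
    return values[-1] if values else None


if __name__ == "__main__":
    # Constructed sample: the client request already carries a forged X-Forwarded-For.
    conn = Connection("203.0.113.7", "198.51.100.10", 51234, 80)
    request = [("Host", "www.example.com"), ("X-Forwarded-For", "10.0.0.1")]
    out = insert_http(request, "X-Forwarded-For", "%is", conn)
    print(render_headers(out))
    print("client address seen by backend:", client_ip(out))
```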
(config-pmap-lb-m) serverfarm
To load balance a client request for content to a server farm, use the serverfarm command. Server farms are groups of networked real servers that contain the same content and reside in the same physical location. Use the no form of this command to remove the server-farm action from the Layer 7 load-balancing policy map.
serverfarm name1 [backup name2 [aggregate-state]]
no serverfarm name1 [backup name2 [aggregate-state]]
Syntax Description
name1  Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
backup name2  (Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm goes down, the ACE sends all connections to the configured backup server farm. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
aggregate-state  This option has been deprecated and no longer has an effect on the state of the VIP. By default, the ACE takes into account the state of all real servers in the backup server farm before taking the VIP out of service. If all real servers in the primary server farm fail, but there is at least one real server in the backup server farm that is operational, the ACE keeps the VIP in service.
Command Modes Policy map load balancing HTTP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
3.0(0)A1(5) The aggregate-state option was deprecated.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) The aggregate-state option was deprecated.
Usage Guidelines If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset (RST) to a client in response to a content request.
If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.
Examples To specify the serverfarm command as an action in the load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 source-address 192.168.11.2 255.255.255.0
host1/Admin(config-pmap-lb-m)# serverfarm FARM2 backup FARM3
Related Commands This command has no related commands.
(config-pmap-lb-m) set ip tos
To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB) policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the default of 0.
set ip tos value
no set ip tos value
Syntax Description
value  IP DSCP value. Enter an integer from 0 to 255. The default is 0.
Command Modes Policy map load balancing HTTP match configuration mode
Admin and user contexts
Command History
Usage Guidelines For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.
Examples To specify the set ip tos command as a QoS action in the Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Via header-value 192.*
host1/Admin(config-pmap-lb-m)# set ip tos 8
Related Commands This command has no related commands.
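The backup behaviour that the serverfarm entries (class mode and match mode above) describe, as an added Python model rather than ACE code: requests go to the primary farm while it has an operational real server, to the backup farm once the primary has none, and the VIP stays in service while either farm has an operational real; with nothing left, the client gets a TCP reset, modelled here as the value "RST". The real ACE uses its configured predictor and health probes; this model assumes plain round-robin over the operational real servers and takes each server's state as given. The class names, the server names and the use of FARM2 and FARM3 are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RealServer:
    """One real server; 'operational' is taken as given (probe logic not modelled)."""
    name: str
    operational: bool = True


@dataclass
class ServerFarm:
    name: str
    reals: List[RealServer]

    def operational_reals(self) -> List[RealServer]:
        return [real for real in self.reals if real.operational]

    def is_up(self) -> bool:
        return bool(self.operational_reals())


@dataclass
class ServerFarmAction:
    """The 'serverfarm name1 [backup name2]' action of a Layer 7 policy map."""
    primary: ServerFarm
    backup: Optional[ServerFarm] = None
    cursor: int = field(default=0, repr=False)  # round-robin position (assumption)

    def farms(self) -> List[ServerFarm]:
        return [self.primary] + ([self.backup] if self.backup is not None else [])

    def vip_in_service(self) -> bool:
        """The VIP stays in service while any real in primary or backup is operational."""
        return any(farm.is_up() for farm in self.farms())

    def select(self) -> Tuple[str, Optional[str]]:
        """Pick the farm and real server for the next request.

        The primary is used while it has an operational real, otherwise the backup;
        with nothing left the client receives a reset, returned as ("RST", None).
        """
        for farm in self.farms():
            ups = farm.operational_reals()
            if ups:
                real = ups[self.cursor % len(ups)]
                self.cursor += 1
                return farm.name, real.name
        return "RST", None


def state_report(action: ServerFarmAction) -> str:
    """Operator-facing summary, e.g. for a monitoring check on the VIP."""
    parts = [f"{farm.name}: {len(farm.operational_reals())}/{len(farm.reals)} up"
             for farm in action.farms()]
    status = "VIP in service" if action.vip_in_service() else "VIP OUT OF SERVICE"
    return f"{status} ({', '.join(parts)})"


if __name__ == "__main__":
    # Constructed farms using the names from the page's example.
    farm2 = ServerFarm("FARM2", [RealServer("rs1"), RealServer("rs2")])
    farm3 = ServerFarm("FARM3", [RealServer("rs3")])
    action = ServerFarmAction(farm2, backup=farm3)
    print(state_report(action), action.select())
    for real in farm2.reals:
        real.operational = False           # the primary farm fails completely
    print(state_report(action), action.select())
    farm3.reals[0].operational = False     # the backup fails as well
    print(state_report(action), action.select())
```

The report line is the piece a defender typically wires into monitoring: the transition to "VIP OUT OF SERVICE" is exactly the moment clients start receiving resets instead of content.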
(config-pmap-lb-m) ssl-proxy client
To specify a Secure Sockets Layer (SSL) proxy service in a Layer 7 load-balancing policy map, use the ssl-proxy client command. The ACE uses an SSL proxy service in a Layer 7 policy map to load balance outbound SSL initiation requests to SSL servers. In this case, the ACE acts as an SSL client that sends an encrypted request to an SSL server. Use the no form of this command to remove the SSL proxy service from the policy map.
ssl-proxy client name
no ssl-proxy client name
Syntax Description
name  Name of an existing SSL proxy service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing HTTP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines For more information about configuring SSL, see the SSL Guide, Cisco ACE Application Control Engine.
Examples To associate an SSL proxy service with a Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-m)# ssl-proxy client SSL_SERVER_PROXY_SERVICE
Related Commands This command has no related commands.
(config-pmap-lb-m) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
name  Name of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing HTTP match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, enter:
host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 source-address 192.168.11.2 255.255.255.0
host1/Admin(config-pmap-lb-m)# sticky-serverfarm STICKY_GROUP1
Related Commands This command has no related commands.
Policy Map Load Balancing RADIUS Configuration Mode
Commands
Policy map load balancing RADIUS configuration mode commands allow you to specify a RADIUS
Layer 7 policy map for server load-balancing decisions. The ACE executes the specified action only
against the first matching load-balancing classification.
To create a RADIUS Layer 7 server load balancing (SLB) policy map and access policy map load
balancing RADIUS configuration mode, use the policy-map type loadbalance radius first-match
command. When you access the policy map load balancing RADIUS configuration mode, the prompt
changes to (config-pmap-lb-radius). Use the no form of this command to remove a RADIUS Layer 7
SLB policy map from the ACE.
policy-map type loadbalance radius first-match map_name
no policy-map type loadbalance radius first-match map_name
Syntax Description
map_name Name assigned to the RADIUS SLB policy map. Enter an unquoted text string with
no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
You associate the Layer 7 load balancing policy map with a Layer 3 and Layer 4 policy map to provide
an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies. Only
a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot
be directly applied on a VLAN (or any) interface.
To associate the Layer 7 load-balancing policy map, you nest it by using the Layer 3 and Layer 4
(config-pmap-c) loadbalance policy command.
Examples To create a RADIUS SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance radius first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-radius)#
Related Commands show running-config
(config) policy-map
(config-pmap-lb-radius) class
To associate a Layer 7 server load balancing (SLB) class map with a Layer 7 SLB policy map, use the
class command. The prompt changes from (config-pmap-lb-radius) to (config-pmap-lb-radius-c). For
information about commands in this mode, see the “Policy Map Load Balancing RADIUS Class
Configuration Mode Commands” section. Use the no form of this command to remove an associated
class map from a policy map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2] | class-default}
Syntax Description
name1 Name of a previously defined Layer 7 SLB class map configured with
the class-map command. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
insert-before name2 (Optional) Places the current named class map ahead of an existing
class map or inline match condition specified by the name2 argument
in the policy map configuration. The ACE does not save the sequence
reordering as part of the configuration.
class-default Reserved, well-known class map created by the ACE. You cannot
delete or modify this class. All traffic that fails to meet the other
matching criteria in the named class map belongs to the default traffic
class. If none of the specified classifications matches the traffic, then
the ACE performs the action specified under the class class-default
command. The class-default class map has an implicit match any
statement in it that enables it to match all traffic.
Command Modes Policy map load balancing RADIUS configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate a Layer 7 SLB class map with a Layer 7 SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance radius first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-radius)# class L7LOADBALNCE_CLASS
host1/Admin(config-pmap-lb-radius-c)#
Related Commands (config-pmap-lb-radius) description
(config-pmap-lb-radius) description
To provide a brief description of the RADIUS server load balancing (SLB) policy map, use the
description command. Use the no form of this command to remove the description from the policy map.
description text
no description
Syntax Description
text Description for the policy map. Enter an unquoted text string with a
maximum of 240 alphanumeric characters.
Command Modes Policy map load balancing RADIUS configuration mode
Admin role in any user context
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the policy map is to perform server load balancing, enter:
host/Admin(config-pmap-lb-radius)# description RADIUS_LOAD_BALANCE_PROTOCOL
Related Commands (config-pmap-lb-radius) class
(config-pmap-lb-radius) match radius attribute
To make server load balancing (SLB) decisions based on the calling-station-ID or username RADIUS
attribute, use the match radius attribute command. Use the no form of this command to remove the
RADIUS attribute match statement from the policy map.
match name radius attribute {calling-station-id | username} expression [insert-before
map_name]
no match name radius attribute {calling-station-id | username} expression [insert-before
map_name]
Syntax Description
name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
calling-station-id Specifies the unique identifier of the calling station.
username Specifies the name of the RADIUS user who initiated the connection.
expression Calling station ID or username to match. Enter a string from 1 to 64
alphanumeric characters. The ACE supports the use of regular
expressions for matching strings. For a list of the supported
characters that you can use in regular expressions, see Table 1-21.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map or other match statement specified by the map_name
argument. The ACE does not save the sequence reordering as part of
the configuration.
Command Modes Policy map load balancing RADIUS configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines To specify actions for multiple match statements, use a class map as described in the “Class Map
RADIUS Load Balancing Configuration Mode Commands” section.
When matching data strings, the period (.) and question mark (?) characters do not have a literal meaning
in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com
instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
When you use the match radius attribute command, you access the policy map load balancing
RADIUS match configuration mode and the prompt changes to (config-pmap-lb-radius-m). For
information about commands in this mode, see the “Policy Map Load Balancing RADIUS Match
Configuration Mode Commands” section.
Examples To configure RADIUS match criteria for a RADIUS policy map based on the calling station ID attribute,
enter:
host1/Admin(config)# policy-map type loadbalance radius first-match RADIUS_POLICY
host1/Admin(config-pmap-lb-radius)# match CALL_ID radius attribute calling-station-id 122*
host1/Admin(config-pmap-lb-radius-m)#
To remove the RADIUS attribute match statement from the RADIUS policy map, enter:
host1/Admin(config-pmap-lb-radius)# no match CALL_ID radius attribute calling-station-id 122*
Related Commands (config-cmap-radius-lb) match radius attribute
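The escaping rule in the usage guidelines above matters in practice: an unescaped dot matches any single character, so a username or calling-station-ID expression written as a plain hostname matches values it was never meant to, and a load-balancing decision (or a drop) is then taken on the wrong traffic. The following Python script is an added example, not part of the Cisco ACE documentation and not ACE code. It uses Python's re module as a stand-in for the ACE regex engine (whose supported characters are listed in the document's Table 1-21, not reproduced here), runs the three spellings the page discusses (unescaped, bracketed, backslash-escaped) over constructed sample attribute values, and also contrasts anchored with unanchored matching, which is an assumption about engine behaviour that this page does not specify.

```python
import re

# Constructed sample attribute values (not taken from the ACE documentation),
# standing in for what a RADIUS username or calling-station-id could carry.
SAMPLE_VALUES = [
    "www.xyz.com",                # the literal the rule is meant to match
    "wwwXxyzYcom",                # dots replaced by arbitrary characters
    "www.xyz.com.other.example",  # the literal embedded in a longer value
    "12",                         # values for the wildcard example below
    "1222",
    "1225",
]


def regex_matches(expression: str, value: str, anchored: bool = True) -> bool:
    """Match value against expression using Python's re module.

    anchored=True requires the whole value to match (re.fullmatch);
    anchored=False accepts a match anywhere inside the value (re.search).
    Which of the two the ACE engine does is not stated on this page, so both
    are shown; the outcome depends on it.
    """
    if anchored:
        return re.fullmatch(expression, value) is not None
    return re.search(expression, value) is not None


def literal_dot_forms(hostname: str) -> dict:
    """Return the spellings of a dotted name discussed on the page: the
    unescaped form (dot = any character), the bracketed form ([.]) and the
    backslash-escaped form (\\.), the last produced here by re.escape."""
    return {
        "unescaped": hostname,
        "bracketed": hostname.replace(".", "[.]"),
        "backslash": re.escape(hostname),
    }


def matching_values(expression: str, anchored: bool = True) -> list:
    """Which of the constructed sample values a given expression matches."""
    return [v for v in SAMPLE_VALUES if regex_matches(expression, v, anchored)]


if __name__ == "__main__":
    for label, expr in literal_dot_forms("www.xyz.com").items():
        print(f"{label:10} {expr!r:22} -> {matching_values(expr)}")
    # The page's example expression 122* under regex rules means "12 followed
    # by zero or more 2s"; a prefix test for "122..." is spelled 122.* instead.
    for expr in ("122*", "122.*"):
        print(f"{'wildcard':10} {expr!r:22} -> {matching_values(expr)}")
    # Unanchored matching also accepts the literal embedded in a longer value.
    print(matching_values("www[.]xyz[.]com", anchored=False))
```

Running the script shows that only the bracketed and backslash forms match exactly the intended value under whole-value matching, while the unescaped form also accepts `wwwXxyzYcom`; the wildcard lines show why a trailing `*` alone does not express "starts with 122".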
Policy Map Load Balancing RADIUS Class Configuration Mode
Commands
Policy map load balancing RADIUS class configuration mode commands allow you to specify the
actions that the ACE should take when network traffic matches one or more match statements in the
associated Layer 7 server load balancing (SLB) class map. To access policy map load balancing
RADIUS class configuration mode, use the class command in policy map load balancing RADIUS
configuration mode (see the (config-pmap-lb-radius) class command for details). The prompt changes
to (config-pmap-lb-radius-c).
The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
(config-pmap-lb-radius-c) drop
To instruct the ACE to discard packets that match a particular load-balancing criterion in the class map,
use the drop command. Use the no form of this command to reset the ACE to its default of accepting
packets from the policy map.
drop
no drop
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing RADIUS class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to discard packets that match the load-balancing criteria in the class map, enter:
host1/Admin(config)# policy-map type loadbalance radius first-match RAD_POLICY
host1/Admin(config-pmap-lb-radius)# class RAD_CLASS
host1/Admin(config-pmap-lb-radius-c)# drop
Related Commands This command has no related commands.
(config-pmap-lb-radius-c) forward
To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, use the forward command. Use the no form of this command to reset the ACE
to its default of load balancing packets from the policy map.
forward
no forward
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing RADIUS class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance radius first-match RAD_POLICY
host1/Admin(config-pmap-lb-radius)# class RAD_CLASS
host1/Admin(config-pmap-lb-radius-c)# forward
Related Commands This command has no related commands.
(config-pmap-lb-radius-c) serverfarm
To load balance a client request for content to a server farm, use the serverfarm command. Server farms
are groups of networked real servers that contain the same content and reside in the same physical
location. Use the no form of this command to remove the server-farm action from the Layer 7
load-balancing policy map.
serverfarm name1 [backup name2 [aggregate-state]]
no serverfarm name1 [backup name2 [aggregate-state]]
Syntax Description
name1 Unique identifier of the server farm. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you
want the ACE to use as a backup server farm. If the primary server
farm goes down, the ACE sends all connections to the configured
backup server farm. Enter a name as an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
aggregate-state This option has been deprecated and no longer has an effect on the
state of the VIP. By default, the ACE takes into account the state of
all real servers in the backup server farm before taking the VIP out of
service. If all real servers in the primary server farm fail, but there is
at least one real server in the backup server farm that is operational,
the ACE keeps the VIP in service.
Command Modes Policy map load balancing RADIUS class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset
(RST) to a client in response to a content request.
If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.
Examples To specify the serverfarm command as an action in the load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance radius first-match RAD_POLICY
host1/Admin(config-pmap-lb-radius)# class RAD_CLASS
host1/Admin(config-pmap-lb-radius-c)# serverfarm FARM2 backup FARM3
Related Commands This command has no related commands.
(config-pmap-lb-radius-c) set ip tos
To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB)
policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the
Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can
then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the
default of 0.
set ip tos value
no set ip tos value
Syntax Description
value IP DSCP value. Enter an integer from 0 to 255. The default is 0.
Command Modes Policy map load balancing RADIUS class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.
Examples The following example specifies the set ip tos command as a QoS action in the Layer 7 load-balancing
policy map. All packets that satisfy the match criteria of the class map RAD_CLASS are marked with
the IP DSCP value of 8. How packets marked with the IP DSCP value of 8 are treated is determined by
the network configuration.
host1/Admin(config)# policy-map type loadbalance radius first-match RAD_POLICY
host1/Admin(config-pmap-lb-radius)# class RAD_CLASS
host1/Admin(config-pmap-lb-radius-c)# set ip tos 8
Related Commands This command has no related commands.
(config-pmap-lb-radius-c) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm,
use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from
the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
name Name of an existing sticky group. Enter an unquoted text string with
no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing RADIUS class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application
Control Engine.
Examples To specify that all requests that match a RADIUS Layer 7 policy map are load balanced to a sticky server
farm, enter:
host1/Admin(config)# policy-map type loadbalance radius first-match RAD_POLICY
host1/Admin(config-pmap-lb-radius)# class RAD_CLASS
host1/Admin(config-pmap-lb-radius-c)# sticky-serverfarm STICKY_GROUP1
Related Commands This command has no related commands.
Policy Map Load Balancing RADIUS Match Configuration Mode
Commands
Policy map load balancing RADIUS match configuration mode commands allow you to specify the
actions that the ACE should take when network traffic matches the specified inline match command. To
access policy map load balancing RADIUS match configuration mode, use one of the match commands
in policy map load balancing RADIUS configuration mode (see the “Policy Map Load Balancing
RADIUS Configuration Mode Commands” section for details). The prompt changes to
(config-pmap-lb-radius-m).
The inline Layer 7 policy map match commands allow you to include a single inline match criterion in
the policy map without specifying a traffic class. The inline match commands function the same way as
the Layer 7 server load balancing (SLB) class map match commands. However, when you use an inline
match command, you can specify an action for only a single match command in the RADIUS SLB
policy map.
The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
(config-pmap-lb-radius-m) drop
To instruct the ACE to discard packets that match a particular load-balancing criterion in an inline match
command, use the drop command. Use the no form of this command to reset the ACE to its default of
accepting packets from the policy map.
drop
no drop
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing RADIUS match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to discard packets that match the load-balancing criteria in the inline match
command, enter:
host1/Admin(config)# policy-map type loadbalance radius first-match RADIUS_POLICY
host1/Admin(config-pmap-lb-radius)# match CALL_ID radius attribute calling-station-id 122*
host1/Admin(config-pmap-lb-radius-m)# drop
Related Commands This command has no related commands.
(config-pmap-lb-radius-m) forward
To instruct the ACE to forward requests that match a particular load-balancing criterion in an inline match
command without performing load balancing on the request, use the forward command. Use the no form
of this command to reset the ACE to its default of load balancing packets from the policy map.
forward
no forward
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing RADIUS match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance radius first-match RADIUS_POLICY
host1/Admin(config-pmap-lb-radius)# match CALL_ID radius attribute calling-station-id 122*
host1/Admin(config-pmap-lb-radius-m)# forward
Related Commands This command has no related commands.
(config-pmap-lb-radius-m) serverfarm
To load balance a client request for content to a server farm, use the serverfarm command. Server farms
are groups of networked real servers that contain the same content and reside in the same physical
location. Use the no form of this command to remove the server-farm action from the Layer 7 load
balancing policy map.
serverfarm name1 [backup name2 [aggregate-state]]
no serverfarm name1 [backup name2 [aggregate-state]]
Syntax Description
name1 Unique identifier of the server farm. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you
want the ACE to use as a backup server farm. If the primary server
farm goes down, the ACE sends all connections to the configured
backup server farm. Enter a name as an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
aggregate-state This option has been deprecated and no longer has an effect on the
state of the VIP. By default, the ACE takes into account the state of
all real servers in the backup server farm before taking the VIP out of
service. If all real servers in the primary server farm fail, but there is
at least one real server in the backup server farm that is operational,
the ACE keeps the VIP in service.
Command Modes Policy map load balancing RADIUS match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset
(RST) to a client in response to a content request.
If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.
Examples To specify the serverfarm command as an action in the RADIUS load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance radius first-match RADIUS_POLICY
host1/Admin(config-pmap-lb-radius)# match CALL_ID radius attribute calling-station-id 122*
host1/Admin(config-pmap-lb-radius-m)# serverfarm FARM2 backup FARM3
Related Commands This command has no related commands.
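Several rules on this page combine to decide what happens to one request: the policy map executes only the action of the first matching classification (the RADIUS configuration mode introduction), class-default has an implicit match-any and so catches everything that falls through, insert-before reorders entries, and the serverfarm usage guidelines (in both the class and the inline-match modes) describe failover to the backup farm and a reset to the client when no operational farm remains. The following Python model is an added example, not part of the Cisco ACE documentation and not ACE code; the farm names, entry names, server counts and request attributes are constructed, and whole-value regex matching is assumed. Its point for a reviewer of a policy is the ordering check: a drop rule placed after a broader match never fires for traffic that broader match catches.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Request:
    """The two RADIUS attributes the page's match command can test."""
    username: str
    calling_station_id: str


@dataclass
class ServerFarm:
    name: str
    servers_up: int  # operational real servers; 0 means the farm has failed


@dataclass
class Entry:
    """One class or inline match in the policy map, with its action.

    attribute None marks class-default, which has an implicit match-any.
    action is one of "serverfarm", "drop" or "forward".
    """
    name: str
    attribute: Optional[str]   # "username", "calling-station-id" or None
    expression: Optional[str]
    action: str
    primary: Optional[ServerFarm] = None
    backup: Optional[ServerFarm] = None


def entry_matches(entry: Entry, req: Request) -> bool:
    if entry.attribute is None:
        return True  # class-default: matches all traffic
    value = req.username if entry.attribute == "username" else req.calling_station_id
    # Whole-value regex match is assumed here; the ACE's own anchoring rules
    # are not stated on this page.
    return re.fullmatch(entry.expression, value) is not None


def choose_farm(primary: ServerFarm, backup: Optional[ServerFarm]) -> str:
    """Backup handling as the serverfarm usage guidelines describe it: the
    primary farm while any of its real servers is up, the backup farm once all
    primary servers have failed, and a reset (RST) to the client when no
    backup is configured or it has failed too."""
    if primary.servers_up > 0:
        return primary.name
    if backup is not None and backup.servers_up > 0:
        return backup.name
    return "RST"


def vip_in_service(primary: ServerFarm, backup: Optional[ServerFarm]) -> bool:
    """The VIP stays in service while at least one real server in the primary
    or the backup farm is operational."""
    return primary.servers_up > 0 or (backup is not None and backup.servers_up > 0)


def evaluate(policy: List[Entry], req: Request) -> Tuple[Optional[str], str]:
    """First-match evaluation: only the first matching entry's action applies."""
    for entry in policy:
        if entry_matches(entry, req):
            if entry.action in ("drop", "forward"):
                return entry.name, entry.action
            return entry.name, choose_farm(entry.primary, entry.backup)
    return None, "no-match"


def insert_before(policy: List[Entry], entry: Entry, before_name: str) -> List[Entry]:
    """Reorder like the insert-before keyword: place entry ahead of before_name."""
    idx = next(i for i, e in enumerate(policy) if e.name == before_name)
    return policy[:idx] + [entry] + policy[idx:]


# Constructed farms and policy; the names loosely follow the page's examples.
FARM2 = ServerFarm("FARM2", servers_up=2)
FARM3 = ServerFarm("FARM3", servers_up=1)
FARM_DOWN = ServerFarm("FARM_DOWN", servers_up=0)

CALL_ID = Entry("CALL_ID", "calling-station-id", "122.*", "serverfarm", FARM2, FARM3)
BLOCK_GUESTS = Entry("BLOCK_GUESTS", "username", "guest.*", "drop")
DEFAULT = Entry("class-default", None, None, "serverfarm", FARM_DOWN)
POLICY = [CALL_ID, BLOCK_GUESTS, DEFAULT]

if __name__ == "__main__":
    for req in (Request("alice", "1225"), Request("guest7", "1225"),
                Request("guest7", "555"), Request("bob", "555")):
        print(req, "->", evaluate(POLICY, req))
    # Moving the drop rule ahead of CALL_ID changes the outcome for guest7/1225.
    print(evaluate(insert_before([CALL_ID, DEFAULT], BLOCK_GUESTS, "CALL_ID"),
                   Request("guest7", "1225")))
```

With the constructed policy, `guest7` calling from `1225` is sent to FARM2 because CALL_ID matches first and the drop entry is never consulted; placing BLOCK_GUESTS ahead of CALL_ID with insert_before makes the drop apply. A request that reaches class-default is reset because FARM_DOWN has no operational server and no backup.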
(config-pmap-lb-radius-m) set ip tos
To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB)
policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the
Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can
then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the
default of 0.
set ip tos value
no set ip tos value
Syntax Description
value IP DSCP value. Enter an integer from 0 to 255. The default is 0.
Command Modes Policy map load balancing RADIUS match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.
Examples To specify the set ip tos command as a QoS action in the Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance radius first-match RADIUS_POLICY
host1/Admin(config-pmap-lb-radius)# match CALL_ID radius attribute calling-station-id 122*
host1/Admin(config-pmap-lb-radius-m)# set ip tos 8
Related Commands This command has no related commands.
(config-pmap-lb-radius-m) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm,
use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from
the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
name Name of an existing sticky group. Enter an unquoted text string with
no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing RADIUS match configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application
Control Engine.
Examples To specify that all requests that match a RADIUS policy map are load balanced to a sticky server farm,
enter:
host1/Admin(config)# policy-map type loadbalance radius first-match RADIUS_POLICY
host1/Admin(config-pmap-lb-radius)# match CALL_ID radius attribute calling-station-id 122*
host1/Admin(config-pmap-lb-radius-m)# sticky-serverfarm STICKY_GROUP1
Related Commands This command has no related commands.
Policy Map Load Balancing RDP Configuration Mode
Commands
Policy map load balancing Reliable Datagram Protocol (RDP) configuration mode commands allow you
to specify an RDP Layer 7 policy map for server load-balancing decisions. The ACE executes the
specified action only against the first matching load-balancing classification.
To create an RDP Layer 7 server load balancing (SLB) policy map and access policy map load balancing
RDP configuration mode, use the policy-map type loadbalance rdp first-match command. When you
access the policy map load balancing RDP configuration mode, the prompt changes to
(config-pmap-lb-rdp). Use the no form of this command to remove an RDP Layer 7 SLB policy map
from the ACE.
policy-map type loadbalance rdp first-match map_name
no policy-map type loadbalance rdp first-match map_name
Syntax Description
map_name Name assigned to the RDP SLB policy map. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
You associate the Layer 7 load balancing policy map with a Layer 3 and Layer 4 policy map to provide
an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies. Only
a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot
be directly applied on a VLAN (or any) interface.
To associate the Layer 7 load-balancing policy map, you nest it by using the Layer 3 and Layer 4
(config-pmap-c) loadbalance policy command.
Examples To create an RDP SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance rdp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rdp)#
Related Commands show running-config
(config) policy-map
(config-pmap-lb-rdp) class
To associate a Layer 7 server load balancing (SLB) class map with a Layer 7 SLB policy map, use the
class command. The prompt changes from (config-pmap-lb-rdp) to (config-pmap-lb-rdp-c). For
information about commands in this mode, see the “Policy Map Load Balancing RDP Class Configuration
Mode Commands” section. Use the no form of this command to remove the associated class map from a
policy map.
class class-default
no class class-default
Syntax Description
class-default Reserved, well-known class map created by the ACE. You cannot
delete or modify this class map. The class-default class map has an
implicit match any statement in it that enables it to match all traffic.
Command Modes Policy map load balancing RDP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For RDP load-balancing policy maps, you can only assign the class-default class map.
Examples To associate the Layer 7 class-default class map with the RDP SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance rdp first-match RDP_POLICY
host/Admin(config-pmap-lb-rdp)# class class-default
host/Admin(config-pmap-lb-rdp-c)#
Related Commands (config-pmap-lb-rdp) description
(config-pmap-lb-rdp) description
To provide a brief description of the RDP server load balancing (SLB) policy map, use the description
command. Use the no form of this command to remove the description from the policy map.
description text
no description
Syntax Description
text Description for the policy map. Enter an unquoted text string with a
maximum of 240 alphanumeric characters.
Command Modes Policy map load balancing RDP configuration mode
Admin role in any user context
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the policy map is to perform server load balancing, enter:
host1/Admin(config-pmap-lb-rdp)# description RDP_LOAD_BALANCE_PROTOCOL
Related Commands (config-pmap-lb-rdp) class
Policy Map Load Balancing RDP Class Configuration Mode Commands
Policy map load balancing RDP class configuration mode commands allow you to specify the actions
that the ACE should take when network traffic matches one or more match statements in the associated
Layer 7 server load balancing (SLB) class map. To access policy map load balancing RDP class
configuration mode, use the class command in policy map load balancing RDP configuration mode (see
the (config-pmap-lb-rdp) class command for details). The prompt changes to (config-pmap-lb-rdp-c).
The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
(config-pmap-lb-rdp-c) drop
To instruct the ACE to discard packets that match a particular load-balancing criterion in the class map,
use the drop command. Use the no form of this command to reset the ACE to its default of accepting
packets from the policy map.
drop
no drop
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing RDP class configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to discard packets that match the load-balancing criteria in the class map, enter:
host1/Admin(config)# policy-map type loadbalance rdp first-match RDP_POLICY
host1/Admin(config-pmap-lb-rdp)# class class-default
host1/Admin(config-pmap-lb-rdp-c)# drop
Related Commands This command has no related commands.
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
(config-pmap-lb-rdp-c) forward
To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, use the forward command. Use the no form of this command to reset the ACE
to its default of load balancing packets from the policy map.
forward
no forward
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing RDP class configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance rdp first-match RDP_POLICY
host1/Admin(config-pmap-lb-rdp)# class class-default
host1/Admin(config-pmap-lb-rdp-c)# forward
Related Commands This command has no related commands.
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
(config-pmap-lb-rdp-c) serverfarm
To load balance a client request for content to a server farm, use the serverfarm command. Server farms
are groups of networked real servers that contain the same content and reside in the same physical
location. Use the no form of this command to remove the server-farm action from the Layer 7
load-balancing policy map.
serverfarm name1 [backup name2 [aggregate-state]]
no serverfarm name1 [backup name2 [aggregate-state]]
Syntax Description
name1 Unique identifier of the server farm. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you
want the ACE to use as a backup server farm. If the primary server
farm goes down, the ACE sends all connections to the configured
backup server farm. Enter a name as an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
aggregate-state This option has been deprecated and no longer has an effect on the
state of the VIP. By default, the ACE takes into account the state of
all real servers in the backup server farm before taking the VIP out of
service. If all real servers in the primary server farm fail, but there is
at least one real server in the backup server farm that is operational,
the ACE keeps the VIP in service.
Command Modes Policy map load balancing RDP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset
(RST) to a client in response to a content request.
If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.
Examples To specify the serverfarm command as an action in the load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance rdp first-match RDP_POLICY
host1/Admin(config-pmap-lb-rdp)# class class-default
host1/Admin(config-pmap-lb-rdp-c)# serverfarm FARM2 backup FARM3
Related Commands This command has no related commands.
(config-pmap-lb-rdp-c) set ip tos
To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB)
policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the
Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can
then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the
default of 0.
set ip tos value
no set ip tos value
Syntax Description
value IP DSCP value. Enter an integer from 0 to 255. The default is 0.
Command Modes Policy map load balancing RDP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.
Examples The following example specifies the set ip tos command as a QoS action in the Layer 7 load-balancing
policy map. All packets that satisfy the match criteria of the class-default class map are marked with the
IP DSCP value of 8. How packets marked with the IP DSCP value of 8 are treated is determined by the
network configuration.
host1/Admin(config)# policy-map type loadbalance rdp first-match RDP_POLICY
host1/Admin(config-pmap-lb-rdp)# class class-default
host1/Admin(config-pmap-lb-rdp-c)# set ip tos 8
Related Commands This command has no related commands.
(config-pmap-lb-rdp-c) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm,
use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from
the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
name Name of an existing sticky group. Enter an unquoted text string with
no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing RDP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application
Control Engine.
Examples To specify that all requests that match an RDP Layer 7 policy map are load balanced to a sticky server
farm, enter:
host1/Admin(config)# policy-map type loadbalance rdp first-match RDP_POLICY
host1/Admin(config-pmap-lb-rdp)# class class-default
host1/Admin(config-pmap-lb-rdp-c)# sticky-serverfarm STICKY_GROUP1
Related Commands This command has no related commands.
Policy Map Load Balancing RTSP Configuration Mode Commands
Policy map load balancing RTSP configuration mode commands allow you to specify a Real-Time
Streaming Protocol (RTSP) Layer 7 policy map for server load-balancing decisions. The ACE executes
the specified action only against the first matching load-balancing classification.
To create an RTSP Layer 7 server load balancing (SLB) policy map and access policy map load
balancing RTSP configuration mode, use the policy-map type loadbalance rtsp first-match command.
When you access the policy map load balancing RTSP configuration mode, the prompt changes to
(config-pmap-lb-rtsp). Use the no form of this command to remove an RTSP SLB policy map from the
ACE.
policy-map type loadbalance rtsp first-match map_name
no policy-map type loadbalance rtsp first-match map_name
Syntax Description
map_name Name assigned to the RTSP SLB policy map. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
You associate the Layer 7 load balancing policy map with a Layer 3 and Layer 4 policy map to provide
an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies. Only
a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot
be directly applied on a VLAN (or any) interface.
To associate the Layer 7 load-balancing policy map, you nest it by using the Layer 3 and Layer 4
(config-pmap-c) loadbalance policy command.
Examples To create an RTSP SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)#
Related Commands show running-config
(config) policy-map
(config-pmap-lb-rtsp) class
To associate a Layer 7 server load balancing (SLB) class map with a Layer 7 SLB policy map, use the
class command. The prompt changes from (config-pmap-lb-rtsp) to (config-pmap-lb-rtsp-c). For
information about commands in this mode, see the “Policy Map Load Balancing RTSP Class Configuration
Mode Commands” section. Use the no form of this command to remove an associated class map from a
policy map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2] | class-default}
Syntax Description
name1 Name of a previously defined Layer 7 SLB class map configured with
the class-map command. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
insert-before name2 (Optional) Places the current named class map ahead of an existing
class map or inline match condition specified by the name2 argument
in the policy map configuration. The ACE does not save the sequence
reordering as part of the configuration.
class-default Reserved, well-known class map created by the ACE. You cannot
delete or modify this class. All traffic that fails to meet the other
matching criteria in the named class map belongs to the default traffic
class. If none of the specified classifications matches the traffic, then
the ACE performs the action specified under the class class-default
command. The class-default class map has an implicit match any
statement in it that enables it to match all traffic.
Command Modes Policy map load balancing RTSP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate a Layer 7 SLB class map with a Layer 7 SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# class L7LOADBALNCE_CLASS
host1/Admin(config-pmap-lb-rtsp-c)#
Related Commands (config-pmap-lb-rtsp) description
(config-pmap-lb-rtsp) description
To provide a brief description of the RTSP server load balancing (SLB) policy map, use the description
command. Use the no form of this command to remove the description from the policy map.
description text
no description
Syntax Description
text Description for the policy map. Enter an unquoted text string with a
maximum of 240 alphanumeric characters.
Command Modes Policy map load balancing RTSP configuration mode
Admin role in any user context
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the policy map is to perform server load balancing, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# description RTSP_LOAD_BALANCE_PROTOCOL
Related Commands (config-pmap-lb-rtsp) class
(config-pmap-lb-rtsp) match rtsp header
To make server load balancing (SLB) decisions based on the name and value of an RTSP header, use the
match rtsp header command. The ACE performs regular expression matching against the received
packet data from a particular connection based on the RTSP header expression. Use the no form of this
command to clear an RTSP header match criteria from the policy map.
match name rtsp header header_name header-value expression [insert-before map_name]
no match name rtsp header header_name header-value expression
Syntax Description
name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
header_name Name of the field in the RTSP header. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters. You
can enter a text string with spaces if you enclose the entire string in
quotation marks (“ ”). You can enter any header field name, including
a standard RTSP header field name or any user-defined header field
name. Because RTSP is similar in syntax and operation to HTTP/1.1,
you can use any HTTP header listed in Table 1-10 if the RTSP server
supports it. For a complete list of RTSP headers, see RFC 2326.
header-value expression Specifies the expression string to compare against the value in the
specified field in the RTSP header. Enter a text string with a
maximum of 255 alphanumeric characters. The ACE supports the use
of regular expressions for header matching. Header expressions
allow spaces if the entire string that contains spaces is quoted. For a
list of the supported characters that you can use in regular
expressions, see Table 1-21.
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map load balancing RTSP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines When you use the match rtsp header command, you access the policy map load balancing RTSP match
configuration mode and the prompt changes from (config-pmap-lb-rtsp) to (config-pmap-lb-rtsp-m). For
information about commands in this mode, see the “Policy Map Load Balancing RTSP Match
Configuration Mode Commands” section.
The ACE supports regular expressions for matching. Expressions are stored in a header map in the form
header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. For a list
of supported characters that you can use in regular expressions, see Table 1-21.
Examples To specify that the Layer 7 SLB policy map load balances on an RTSP header named Host, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# match match3 rtsp header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-rtsp-m)#
Related Commands (config-parammap-rtsp) set header-maxparse-length
(config-pmap-lb-rtsp) match rtsp source-address
To specify a client source host IP address and subnet mask from which the ACE accepts traffic as the
network traffic matching criteria, use the match rtsp source-address command. You configure the
associated policy map to permit or restrict management traffic to the ACE from the specified source
network or host. Use the no form of this command to clear the source IP address and subnet mask match
criteria from the policy map.
match name rtsp source-address ip_address mask [insert-before map_name]
no match name rtsp source-address ip_address mask
Syntax Description
name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
ip_address Source IP address of the client. Enter the IP address in
dotted-decimal notation (for example, 192.168.11.1).
mask Subnet mask of the client entry in dotted-decimal notation (for
example, 255.255.255.0).
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map load balancing RTSP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines When you use the match rtsp source-address command, you access the policy map load balancing
RTSP match configuration mode and the prompt changes from (config-pmap-lb-rtsp) to
(config-pmap-lb-rtsp-m). For information about commands in this mode, see the “Policy Map Load
Balancing RTSP Match Configuration Mode Commands” section.
Examples To specify that the Layer 7 SLB policy map matches on source IP address 192.168.10.1 255.255.0.0,
enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# match match3 rtsp source-address 192.168.10.1 255.255.0.0
host1/Admin(config-pmap-lb-rtsp-m)#
Related Commands (config-cmap-rtsp-lb) match source-address
(config-pmap-lb-rtsp) match rtsp url
To make server load balancing (SLB) decisions based on the URL name and, optionally, the RTSP
method, use the match rtsp url command. The ACE performs regular expression matching against the
received packet data from a particular connection based on the RTSP URL string. Use the no form of
this command to remove a URL match statement from the policy map.
match name rtsp url expression [method name] [insert-before map_name]
no match name rtsp url expression [method name]
Syntax Description
name Name of the inline match condition. Enter an unquoted text string
with no spaces. The length of the inline match statement name plus
the length of the policy map name with which it is associated cannot
exceed a total maximum of 64 alphanumeric characters. For example,
if the policy map name is L7_POLICY (nine characters), an inline
match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
expression URL, or portion of a URL, to match. Enter a URL string from 1 to
255 alphanumeric characters. The ACE supports the use of regular
expressions for matching URL strings. For a list of supported
characters that you can use in regular expressions, see Table 1-21.
method name (Optional) Specifies the RTSP method to match. Enter a method
name as an unquoted text string with no spaces and a maximum of
64 alphanumeric characters. The method can either be one of the
standard RTSP method names (OPTIONS, GET, HEAD, POST, PUT,
DELETE, TRACE, or CONNECT) or it can be a text string that must
be matched exactly (for example, STINGRAY).
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map load balancing RTSP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines When you use the match rtsp url command, you access the policy map load balancing RTSP match
configuration mode and the prompt changes from (config-pmap-lb-rtsp) to (config-pmap-lb-rtsp-m). For
information about commands in this mode, see the “Policy Map Load Balancing RTSP Match
Configuration Mode Commands” section.
When matching data strings, note that the period (.) and question mark (?) characters do not have a literal
meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter
www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a
question mark (?).
Examples To specify that the Layer 7 SLB policy map load balances on a specific URL, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# match match3 rtsp url whatsnew/latest.*
host1/Admin(config-pmap-lb-rtsp-m)#
To use regular expressions to emulate a wildcard search to match on any .gif file, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# match match3 rtsp url .*.gif
Related Commands (config-cmap-rtsp-lb) match rtsp url
Policy Map Load Balancing RTSP Class Configuration Mode Commands
Policy map load balancing RTSP class configuration mode commands allow you to specify the actions
that the ACE should take when network traffic matches one or more match statements in the associated
Layer 7 server load balancing (SLB) class map. To access policy map load balancing RTSP class
configuration mode, use the class command in policy map load balancing RTSP configuration mode (see
the (config-pmap-lb-rtsp) class command for details). The prompt changes to (config-pmap-lb-rtsp-c).
The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
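The match rtsp header and match rtsp url entries above use the expressions .*cisco.com and .*.gif, and the match rtsp url usage guidelines point out that the period is not literal. The following added example (not from the Cisco ACE documentation) runs those expression forms, plus the bracketed and backslash-escaped forms the guidelines recommend, over constructed Host header and URL values to show which values an unescaped dot lets through; it assumes Python's re.search as a stand-in for the ACE regular-expression engine, and the sample values are constructed, not from the page.

```python
from __future__ import annotations

import re

# Expressions taken from this page's own examples and usage guidelines:
# the Host header expression ".*cisco.com" and the URL expression ".*.gif",
# next to the bracketed / backslash-escaped forms the guidelines recommend.
HEADER_EXPRESSIONS = {
    "unescaped":   r".*cisco.com",
    "bracketed":   r".*cisco[.]com",
    "backslashed": r".*cisco\.com",
}
URL_EXPRESSIONS = {
    "unescaped": r".*.gif",
    "bracketed": r".*[.]gif",
}

# Constructed sample values (not from the page).  In the unescaped forms the
# '.' is a single-character wildcard, so the middle values are chosen to show
# exactly what that wildcard lets through into the policy's action.
SAMPLE_HOSTS = [
    "www.cisco.com",
    "media.cisco.com",
    "www.ciscoXcom",           # the '.' is consumed by the 'X'
    "www.cisco-com.example",   # the '.' is consumed by the '-'
]
SAMPLE_URLS = [
    "/clips/intro.gif",
    "/clips/logo_gif",         # the '.' is consumed by the '_'
    "/clips/intro.gif.mp4",    # expression is unanchored at the end
]


def ace_match(expression: str, value: str) -> bool:
    """Evaluate one header or URL expression against one value.

    Assumption: the ACE engine is not available here, so Python's re.search,
    unanchored like the page's own examples, stands in for it.
    """
    return re.search(expression, value) is not None


def matched_values(expression: str, values: list[str]) -> list[str]:
    """Return the sample values that the expression would select."""
    return [v for v in values if ace_match(expression, v)]


def compare_forms(expressions: dict[str, str],
                  values: list[str]) -> dict[str, list[str]]:
    """Run every form of an expression over the samples, keyed by form name."""
    return {form: matched_values(expr, values)
            for form, expr in expressions.items()}


if __name__ == "__main__":
    for title, exprs, samples in (
        ("RTSP Host header", HEADER_EXPRESSIONS, SAMPLE_HOSTS),
        ("RTSP URL", URL_EXPRESSIONS, SAMPLE_URLS),
    ):
        print(title)
        for form, hits in compare_forms(exprs, samples).items():
            print(f"  {form:<12} {exprs[form]:<16} -> {hits}")
```

The unescaped forms select every sample, including the hosts and URLs that merely contain "cisco" or "gif" with some other character in the dot's place, so a drop, forward or serverfarm action attached to such a match applies to traffic the administrator never intended to classify.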
(config-pmap-lb-rtsp-c) drop
To instruct the ACE to discard packets that match a particular load-balancing criterion in the class map,
use the drop command. Use the no form of this command to reset the ACE to its default of accepting
packets from the policy map.
drop
no drop
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing RTSP class configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to discard packets that match the load-balancing criteria in the class map, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# class L7SLBCLASS
host1/Admin(config-pmap-lb-rtsp-c)# drop
Related Commands This command has no related commands.
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
(config-pmap-lb-rtsp-c) forward
To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, use the forward command. Use the no form of this command to reset the ACE
to its default of load balancing packets from the policy map.
forward
no forward
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing RTSP class configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# class L7SLBCLASS
host1/Admin(config-pmap-lb-rtsp-c)# forward
Related Commands This command has no related commands.
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
(config-pmap-lb-rtsp-c) serverfarm
To load balance a client request for content to a server farm, use the serverfarm command. Server farms
are groups of networked real servers that contain the same content and reside in the same physical
location. Use the no form of this command to remove the server-farm action from the Layer 7
load-balancing policy map.
serverfarm name1 [backup name2 [aggregate-state]]
no serverfarm name1 [backup name2 [aggregate-state]]
Syntax Description
name1 Unique identifier of the server farm. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you
want the ACE to use as a backup server farm. If the primary server
farm goes down, the ACE sends all connections to the configured
backup server farm. Enter a name as an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
aggregate-state This option has been deprecated and no longer has an effect on the
state of the VIP. By default, the ACE takes into account the state of
all real servers in the backup server farm before taking the VIP out of
service. If all real servers in the primary server farm fail, but there is
at least one real server in the backup server farm that is operational,
the ACE keeps the VIP in service.
Command Modes Policy map load balancing RTSP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset
(RST) to a client in response to a content request.
If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.
Examples To specify the serverfarm command as an action in the load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# class L7SLBCLASS
host1/Admin(config-pmap-lb-rtsp-c)# serverfarm FARM2 backup FARM3
Related Commands This command has no related commands.
(config-pmap-lb-rtsp-c) set ip tos
To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB)
policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the
Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can
then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the
default of 0.
set ip tos value
no set ip tos value
Syntax Description
value IP DSCP value. Enter an integer from 0 to 255. The default is 0.
Command Modes Policy map load balancing RTSP class configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.
Examples The following example specifies the set ip tos command as a QoS action in the Layer 7 load-balancing
policy map. All packets that satisfy the match criteria of L7SLBCLASS are marked with the IP DSCP
value of 8. How packets marked with the IP DSCP value of 8 are treated is determined by the network
configuration.
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# class L7SLBCLASS
host1/Admin(config-pmap-lb-rtsp-c)# set ip tos 8
Related Commands This command has no related commands.
(config-pmap-lb-rtsp-c) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm,
use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from
the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
  name   Name of an existing sticky group. Enter an unquoted text string with no spaces and a
         maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing RTSP class configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application
Control Engine.
Examples To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm,
enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# class L7SLBCLASS
host1/Admin(config-pmap-lb-rtsp-c)# sticky-serverfarm STICKY_GROUP1
Related Commands This command has no related commands.
Policy Map Load Balancing RTSP Match Configuration Mode
Commands
Policy map load balancing RTSP match configuration mode commands allow you to specify the actions
that the ACE should take when network traffic matches the specified inline match command. To access
policy map load balancing RTSP match configuration mode, use one of the match commands in policy
map load balancing RTSP configuration mode (see the “Policy Map Load Balancing RTSP
Configuration Mode Commands” section for details). The prompt changes to (config-pmap-lb-rtsp-m).
The inline Layer 7 policy map match commands allow you to include a single inline match criterion in
the policy map without specifying a traffic class. The inline match commands function the same way as
the Layer 7 server load balancing (SLB) class map match commands. However, when you use an inline
match command, you can specify an action for only that single match command in the RTSP SLB policy
map.
The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
(config-pmap-lb-rtsp-m) drop
To instruct the ACE to discard packets that match a particular load-balancing criteria in an inline match
command, use the drop command. Use the no form of this command to reset the ACE to its default of
accepting packets from the policy map.
drop
no drop
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing RTSP match configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to discard packets that match the load-balancing criteria in the inline match
command, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# match MATCH_SLB1 rtsp header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-rtsp-m)# drop
The header-value argument is a regular expression. In .*cisco.com the unescaped dot matches any
character and the leading .* accepts any prefix, so Host values such as notcisco.com or ciscoXcom also
satisfy the match. Escape the dot (cisco\.com) and, if the regular expression characters listed in
Table 1-21 allow it, anchor the expression before you use an inline match to drop or admit traffic.
Related Commands This command has no related commands.
(config-pmap-lb-rtsp-m) forward
To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, use the forward command. Use the no form of this command to reset the ACE
to its default of load balancing packets from the policy map.
forward
no forward
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing RTSP match configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to forward requests that match the criteria in the inline match command without
performing load balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# match MATCH_SLB1 rtsp header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-rtsp-m)# forward
Related Commands This command has no related commands.
(config-pmap-lb-rtsp-m) serverfarm
To load balance a client request for content to a server farm, use the serverfarm command. Server farms
are groups of networked real servers that contain the same content and reside in the same physical
location. Use the no form of this command to remove the server-farm action from the Layer 7 load
balancing policy map.
serverfarm name1 [backup name2] [aggregate-state]
no serverfarm name1 [backup name2] [aggregate-state]
Syntax Description
  name1            Unique identifier of the server farm. Enter an unquoted text string with no spaces and a
                   maximum of 64 alphanumeric characters.
  backup name2     (Optional) Specifies the identifier of an existing server farm that you want the ACE to
                   use as a backup server farm. If the primary server farm goes down, the ACE sends all
                   connections to the configured backup server farm. Enter a name as an unquoted text
                   string with no spaces and a maximum of 64 alphanumeric characters.
  aggregate-state  This option has been deprecated and no longer has an effect on the state of the VIP. By
                   default, the ACE takes into account the state of all real servers in the backup server
                   farm before taking the VIP out of service. If all real servers in the primary server farm
                   fail, but there is at least one real server in the backup server farm that is operational,
                   the ACE keeps the VIP in service.
Command Modes Policy map load balancing RTSP match configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset
(RST) to a client in response to a content request.
If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.
Examples To specify the serverfarm command as an action in the load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# match MATCH_SLB1 rtsp source-address 192.168.11.2 255.255.255.0
host1/Admin(config-pmap-lb-rtsp-m)# serverfarm FARM2 backup FARM3
Related Commands This command has no related commands.
(config-pmap-lb-rtsp-m) set ip tos
To set the IP Type of Service (ToS) byte, which carries the differentiated services code point (DSCP), on
packets that match a server load balancing (SLB) policy map, use the set ip tos command. This command
marks a packet by writing the value into the ToS byte of the IP header; once the packet is marked, other
Quality of Service (QoS) devices along the path can act on the marking. Use the no form of this command
to reset the value to the default of 0.
set ip tos value
no set ip tos value
Syntax Description
  value   IP DSCP value. Enter an integer from 0 to 255. The default is 0.
Command Modes Policy map load balancing RTSP match configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168. The value
covers the whole 8-bit ToS byte; RFC 2474 places the DSCP in its upper six bits and RFC 3168 the ECN
bits in the lower two, so confirm with a capture which code point downstream QoS devices see.
Examples To specify the set ip tos command as a QoS action in the Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# match MATCH_SLB1 rtsp header Via header-value 192.*
host1/Admin(config-pmap-lb-rtsp-m)# set ip tos 8
Related Commands This command has no related commands.
(config-pmap-lb-rtsp-m) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm,
use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from
the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
  name   Name of an existing sticky group. Enter an unquoted text string with no spaces and a
         maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing RTSP match configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application
Control Engine.
Examples To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm,
enter:
host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# match MATCH_SLB1 rtsp source-address 192.168.11.2 255.255.255.0
host1/Admin(config-pmap-lb-rtsp-m)# sticky-serverfarm STICKY_GROUP1
Related Commands This command has no related commands.
Policy Map Load Balancing SIP Configuration Mode Commands
Policy map load balancing SIP configuration mode commands allow you to specify a SIP Layer 7 policy
map for server load-balancing decisions. The ACE executes the specified action only against the first
matching load-balancing classification.
To create a SIP Layer 7 server load balancing (SLB) policy map and access policy map load balancing
SIP configuration mode, use the policy-map type loadbalance sip first-match command. When you
access the policy map load balancing SIP configuration mode, the prompt changes to
(config-pmap-lb-sip). Use the no form of this command to remove a SIP SLB policy map from the ACE.
policy-map type loadbalance sip first-match map_name
no policy-map type loadbalance sip first-match map_name
Syntax Description
  map_name   Name assigned to the SIP SLB policy map. Enter an unquoted text string with no spaces and a
             maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
You associate the Layer 7 load balancing policy map with a Layer 3 and Layer 4 policy map to provide
an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies. Only
a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot
be directly applied on a VLAN (or any) interface.
To associate the Layer 7 load-balancing policy map, you nest it by using the Layer 3 and Layer 4
(config-pmap-c) loadbalance policy command.
Examples To create a SIP SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)#
Related Commands show running-config
(config) policy-map
(config-pmap-lb-sip) class
To associate a Layer 7 server load balancing (SLB) class map with a Layer 7 SLB policy map, use the
class command. The prompt changes from (config-pmap-lb-sip) to (config-pmap-lb-sip-c). For
information about commands in this mode, see the “Policy Map Load Balancing SIP Class Configuration
Mode Commands” section. Use the no form of this command to remove an associated class map from a
policy map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2] | class-default}
Syntax Description
  name1                 Name of a previously defined Layer 7 SLB class map configured with the class-map
                        command. Enter an unquoted text string with no spaces and a maximum of 64
                        alphanumeric characters.
  insert-before name2   (Optional) Places the current named class map ahead of an existing class map or
                        inline match condition specified by the name2 argument in the policy map
                        configuration. The ACE does not save the sequence reordering as part of the
                        configuration.
  class-default         Reserved, well-known class map created by the ACE. You cannot delete or modify
                        this class. All traffic that fails to meet the other matching criteria in the named
                        class map belongs to the default traffic class. If none of the specified
                        classifications matches the traffic, then the ACE performs the action specified
                        under the class class-default command. The class-default class map has an
                        implicit match any statement in it that enables it to match all traffic.
Command Modes Policy map load balancing SIP configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate a Layer 7 SLB class map with a Layer 7 SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# class L7LOADBALNCE_CLASS
host1/Admin(config-pmap-lb-sip-c)#
Related Commands (config-pmap-lb-sip) description
(config-pmap-lb-sip) description
To provide a brief description of the SIP server load balancing (SLB) policy map, use the description
command. Use the no form of this command to remove the description from the policy map.
description text
no description
Syntax Description
  text   Description for the policy map. Enter an unquoted text string with a maximum of 240
         alphanumeric characters.
Command Modes Policy map load balancing SIP configuration mode
Admin role in any user context
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the policy map is to perform server load balancing, enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# description SIP_LOAD_BALANCE_PROTOCOL
Related Commands (config-pmap-lb-sip) class
(config-pmap-lb-sip) match sip header
To make server load balancing (SLB) decisions based on the name and value of a SIP header, use the
match sip header command. The ACE performs regular expression matching against the received
packet data from a particular connection based on the SIP header expression. Use the no form of this
command to clear a SIP header match criterion from the policy map.
match name sip header header_name header-value expression [insert-before map_name]
no match name sip header header_name header-value expression
Syntax Description
  name                     Name of the inline match condition. Enter an unquoted text string with no
                           spaces. The length of the inline match statement name plus the length of the
                           policy map name with which it is associated cannot exceed a total maximum of
                           64 alphanumeric characters. For example, if the policy map name is L7_POLICY
                           (nine characters), an inline match statement name under this policy cannot
                           exceed 55 alphanumeric characters (64 - 9 = 55).
  header_name              Name of the field in the SIP header. Enter an unquoted text string with no
                           spaces and a maximum of 64 alphanumeric characters. A string that contains
                           spaces is allowed if you enclose the entire string in quotation marks (“ ”).
                           You can enter any header field name, including a standard SIP header field
                           name or any user-defined header field name. For a list of standard SIP header
                           field names, see Table 1-11. Because SIP is similar in syntax and operation to
                           HTTP/1.1, you can use any HTTP header listed in Table 1-10 if the SIP server
                           supports it. For a complete list of SIP headers, see RFC 3261.
  header-value expression  Specifies the expression string to compare against the value in the specified
                           field in the SIP header. Enter a text string with a maximum of 255
                           alphanumeric characters. The ACE supports the use of regular expressions for
                           header matching. Header expressions allow spaces if the entire string that
                           contains spaces is quoted. For a list of the supported characters that you can
                           use in regular expressions, see Table 1-21.
  insert-before map_name   (Optional) Places the inline match command ahead of an existing class map in
                           the policy map configuration.
Command Modes Policy map load balancing SIP configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines When you use the match sip header command, you access the policy map load balancing SIP match
configuration mode and the prompt changes from (config-pmap-lb-sip) to (config-pmap-lb-sip-m). For
information about commands in this mode, see the “Policy Map Load Balancing SIP Match Configuration
Mode Commands” section.
The ACE supports regular expressions for matching. Expressions are stored in a header map in the form
header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. For a list
of supported characters that you can use in regular expressions, see Table 1-21.
Examples To specify that the Layer 7 SLB policy map load balances on the standard SIP header Via, enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# match SIP_MATCH sip header Via header-value 192.*
host1/Admin(config-pmap-lb-sip-m)#
Related Commands (config-cmap-sip-lb) match sip header
(config-pmap-lb-sip) match source-address
To specify a client source host IP address and subnet mask as the load-balancing match criterion, use the
match source-address command. Requests that arrive from the specified source network or host are then
handled by the actions that you configure under this inline match. Use the no form of this command to
clear the source IP address and subnet mask match criterion from the policy map.
match name source-address ip_address mask [insert-before map_name]
no match name source-address ip_address mask
Syntax Description
  name                     Name of the inline match condition. Enter an unquoted text string with no
                           spaces. The length of the inline match statement name plus the length of the
                           policy map name with which it is associated cannot exceed a total maximum of
                           64 alphanumeric characters. For example, if the policy map name is L7_POLICY
                           (nine characters), an inline match statement name under this policy cannot
                           exceed 55 alphanumeric characters (64 - 9 = 55).
  ip_address               Source IP address of the client. Enter the IP address in dotted-decimal notation
                           (for example, 192.168.11.1).
  mask                     Subnet mask of the client entry in dotted-decimal notation (for example,
                           255.255.255.0).
  insert-before map_name   (Optional) Places the inline match command ahead of an existing class map in
                           the policy map configuration.
Command Modes Policy map load balancing SIP configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines When you use the match source-address command, you access the policy map load balancing SIP
match configuration mode and the prompt changes from (config-pmap-lb-sip) to
(config-pmap-lb-sip-m). For information about commands in this mode, see the “Policy Map Load
Balancing SIP Match Configuration Mode Commands” section.
Examples To specify that the Layer 7 SLB policy map matches on source IP address 192.168.10.1 255.255.0.0,
enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# match match3 source-address 192.168.10.1 255.255.0.0
host1/Admin(config-pmap-lb-sip-m)#
Related Commands (config-cmap-sip-lb) match source-address
Policy Map Load Balancing SIP Class Configuration Mode Commands
Policy map load balancing SIP class configuration mode commands allow you to specify the actions that
the ACE should take when network traffic matches one or more match statements in the associated
Layer 7 server load balancing (SLB) class map. To access policy map load balancing SIP class
configuration mode, use the class command in policy map load balancing SIP configuration mode (see
the (config-pmap-lb-sip) class command for details). The prompt changes to (config-pmap-lb-sip-c).
The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
(config-pmap-lb-sip-c) drop
To instruct the ACE to discard packets that match a particular load-balancing criteria in the class map,
use the drop command. Use the no form of this command to reset the ACE to its default of accepting
packets from the policy map.
drop
no drop
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing SIP class configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to discard packets that match the load-balancing criteria in the class map, enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# class L7SLBCLASS
host1/Admin(config-pmap-lb-sip-c)# drop
Related Commands This command has no related commands.
(config-pmap-lb-sip-c) forward
To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, use the forward command. Use the no form of this command to reset the ACE
to its default of load balancing packets from the policy map.
forward
no forward
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing SIP class configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to forward requests that match a particular policy map without performing load
balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# class L7SLBCLASS
host1/Admin(config-pmap-lb-sip-c)# forward
Related Commands This command has no related commands.
(config-pmap-lb-sip-c) serverfarm
To load balance a client request for content to a server farm, use the serverfarm command. Server farms
are groups of networked real servers that contain the same content and reside in the same physical
location. Use the no form of this command to remove the server-farm action from the Layer 7
load-balancing policy map.
serverfarm name1 [backup name2 [aggregate-state]]
no serverfarm name1 [backup name2 [aggregate-state]]
Syntax Description
  name1            Unique identifier of the server farm. Enter an unquoted text string with no spaces and a
                   maximum of 64 alphanumeric characters.
  backup name2     (Optional) Specifies the identifier of an existing server farm that you want the ACE to
                   use as a backup server farm. If the primary server farm goes down, the ACE sends all
                   connections to the configured backup server farm. Enter a name as an unquoted text
                   string with no spaces and a maximum of 64 alphanumeric characters.
  aggregate-state  This option has been deprecated and no longer has an effect on the state of the VIP. By
                   default, the ACE takes into account the state of all real servers in the backup server
                   farm before taking the VIP out of service. If all real servers in the primary server farm
                   fail, but there is at least one real server in the backup server farm that is operational,
                   the ACE keeps the VIP in service.
Command Modes Policy map load balancing SIP class configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset
(RST) to a client in response to a content request.
If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.
Examples To specify the serverfarm command as an action in the load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# class L7SLBCLASS
host1/Admin(config-pmap-lb-sip-c)# serverfarm FARM2 backup FARM3
Related Commands This command has no related commands.
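Several rules in the entries above are easy to violate without the CLI rejecting the line: the 64-character limit shared by a policy-map name and its inline match name (match sip header, match source-address), a header-value regular expression whose unescaped dots and leading .* match far more hosts than intended (the .*cisco.com examples), a source-address whose host bits do not fit its mask, a serverfarm action with no backup (every real server failing then resets clients), a set ip tos value that lands in the ECN bits, and a Layer 7 policy map that is never nested under a Layer 3/4 policy with loadbalance policy and so never sees traffic. The following static checker is an added example, not Cisco code and not part of this reference. It reads running-config text (the sample below is constructed, not captured from a device), groups each policy map's inline match and class entries with their actions, and reports findings. It assumes the running-config indents nested lines by two spaces, that the Layer 3/4 wrapper is policy-map multi-match, and that the set ip tos value is the whole ToS byte; the Python re module only approximates the ACE regular expression dialect.

```python
"""Static checks for Cisco ACE Layer 7 SLB policy maps (RTSP and SIP).
Added example, not Cisco code: parses running-config text and flags
configurations the CLI accepts but a reviewer would question."""
import ipaddress
import re

NAME_LIMIT = 64       # policy-map name + inline match name (command reference)
TOS_ECN_BITS = 0b11   # low two bits of the ToS byte are ECN (RFC 3168)

# Constructed sample, not captured from a device. RTSP_ORPHAN (11 chars)
# plus a 56-character match name exceeds the 64-character limit.
LONG_MATCH = "LONG_MATCH_" + "X" * 45
SAMPLE_CONFIG = f"""
policy-map type loadbalance sip first-match L7SLBPOLICY
  description SIP_LOAD_BALANCE_PROTOCOL
  match MATCH_SLB1 sip header Host header-value .*cisco.com
    serverfarm FARM2
  match match3 source-address 192.168.10.1 255.255.0.0
    serverfarm FARM2 backup FARM3
  class L7SLBCLASS
    set ip tos 9
    sticky-serverfarm STICKY_GROUP1
policy-map type loadbalance rtsp first-match RTSP_ORPHAN
  match {LONG_MATCH} rtsp header Via header-value 192.*
    drop
policy-map multi-match L4_POLICY
  class SIP_VIP
    loadbalance policy L7SLBPOLICY
"""


def parse_policy_maps(config_text):
    """Return [{"type", "name", "entries": [(header_tokens, [action_tokens])]}].
    Assumes two-space nesting; quoted header values with spaces are not handled."""
    maps, current, entry = [], None, None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        tokens = raw.split()
        if indent == 0:
            current, entry = None, None
            if tokens[:3] == ["policy-map", "type", "loadbalance"]:
                current = {"type": tokens[3], "name": tokens[5], "entries": []}
            elif tokens[:2] == ["policy-map", "multi-match"]:
                current = {"type": "multi-match", "name": tokens[2], "entries": []}
            if current is not None:
                maps.append(current)
        elif current is not None and indent == 2:
            entry = (tokens, [])
            current["entries"].append(entry)
        elif entry is not None and indent >= 4:
            entry[1].append(tokens)
    return maps


def regex_accepts(expression, value):
    """Approximate the ACE header match with Python's re; dialects differ."""
    return re.fullmatch(expression, value) is not None


def header_regex_findings(expression):
    """Flag regex habits that widen a Host/Via match beyond the intended value."""
    findings = []
    # An unescaped '.' that is not itself quantified ('.*', '.+', '.?') was
    # almost certainly meant as a literal dot in a host name.
    if re.search(r"(?<!\\)\.(?![*+?])", expression):
        findings.append(f"header-value {expression!r}: unescaped '.' matches any character")
    if expression.startswith(".*"):
        findings.append(f"header-value {expression!r}: leading '.*' accepts any prefix")
    return findings


def lint(config_text):
    """Run all checks and return a list of human-readable findings."""
    maps = parse_policy_maps(config_text)
    # A Layer 7 policy only takes effect nested under a Layer 3/4 policy
    # via 'loadbalance policy'; collect the names that are referenced.
    nested = {a[2] for m in maps if m["type"] == "multi-match"
              for _, actions in m["entries"] for a in actions
              if a[:2] == ["loadbalance", "policy"]}
    findings = []
    for m in maps:
        if m["type"] == "multi-match":
            continue
        where = f"{m['type']} policy {m['name']}"
        if m["name"] not in nested:
            findings.append(f"{where}: not referenced by any 'loadbalance policy', so it never sees traffic")
        for header, actions in m["entries"]:
            if header[0] == "match":
                mname = header[1]
                total = len(m["name"]) + len(mname)
                if total > NAME_LIMIT:
                    findings.append(f"{where}: match {mname}: policy name plus match name is {total} characters, limit {NAME_LIMIT}")
                if "header-value" in header:
                    expr = header[header.index("header-value") + 1]
                    findings += [f"{where}: match {mname}: {msg}" for msg in header_regex_findings(expr)]
                if "source-address" in header:
                    i = header.index("source-address")
                    net = ipaddress.ip_network(f"{header[i + 1]}/{header[i + 2]}", strict=False)
                    if str(net.network_address) != header[i + 1]:
                        findings.append(f"{where}: match {mname}: {header[i + 1]} has host bits set under mask {header[i + 2]}; intended {net} or a single host?")
            for action in actions:
                if action[0] == "serverfarm" and "backup" not in action:
                    findings.append(f"{where}: {' '.join(header)}: serverfarm {action[1]} has no backup; if every real server fails the ACE resets clients")
                # Assumption: the 0-255 range means the value is the whole ToS byte.
                if action[:3] == ["set", "ip", "tos"] and int(action[3]) & TOS_ECN_BITS:
                    findings.append(f"{where}: {' '.join(header)}: set ip tos {action[3]} sets ECN bits; DSCP is the upper six bits of the byte")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the output of show running-config from a context; on the constructed sample it reports seven findings, including that RTSP_ORPHAN is never nested under a loadbalance policy and that its 67-character name pair exceeds the limit. The regex checks are deliberately narrow (an unescaped literal-looking dot and a leading .*) because the ACE dialect in Table 1-21 is not Python's; treat them as prompts to review the expression rather than as proof that it is wrong.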
(config-pmap-lb-sip-c) set ip tos
To set the IP Type of Service (ToS) byte, which carries the differentiated services code point (DSCP), on
packets that match a server load balancing (SLB) policy map, use the set ip tos command. This command
marks a packet by writing the value into the ToS byte of the IP header; once the packet is marked, other
Quality of Service (QoS) devices along the path can act on the marking. Use the no form of this command
to reset the value to the default of 0.
set ip tos value
no set ip tos value
Syntax Description
  value   IP DSCP value. Enter an integer from 0 to 255. The default is 0.
Command Modes Policy map load balancing SIP class configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168. The value
covers the whole 8-bit ToS byte; RFC 2474 places the DSCP in its upper six bits and RFC 3168 the ECN
bits in the lower two, so confirm with a capture which code point downstream QoS devices see.
Examples The following example specifies the set ip tos command as a QoS action in the Layer 7 load-balancing
policy map. All packets that satisfy the match criteria of L7SLBCLASS are marked with the IP DSCP
value of 8. How packets marked with the IP DSCP value of 8 are treated is determined by the network
configuration.
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# class L7SLBCLASS
host1/Admin(config-pmap-lb-sip-c)# set ip tos 8
Related Commands This command has no related commands.
(config-pmap-lb-sip-c) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm,
use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from
the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
  name   Name of an existing sticky group. Enter an unquoted text string with no spaces and a
         maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing SIP class configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application
Control Engine.
Examples To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm,
enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# class L7SLBCLASS
host1/Admin(config-pmap-lb-sip-c)# sticky-serverfarm STICKY_GROUP1
Related Commands This command has no related commands.
Policy Map Load Balancing SIP Match Configuration Mode
Commands
Policy map load balancing SIP match configuration mode commands allow you to specify the actions
that the ACE should take when network traffic matches the specified inline match command. To access
policy map load balancing SIP match configuration mode, use one of the match commands in policy
map load balancing SIP configuration mode (see the “Policy Map Load Balancing SIP Configuration
Mode Commands” section for details). The prompt changes to (config-pmap-lb-sip-m).
The inline Layer 7 policy map match commands allow you to include a single inline match criterion in
the policy map without specifying a traffic class. The inline match commands function the same way as
the Layer 7 server load balancing (SLB) class map match commands. However, when you use an inline
match command, you can specify an action for only that single match command in the SLB policy map.
The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.2-1109
(config-pmap-lb-sip-m) drop
To instruct the ACE to discard packets that match the load-balancing criterion in an inline match command, use the drop command. Use the no form of this command to reset the ACE to its default of accepting packets that match the policy map.
drop
no drop
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing SIP match configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
A2(1.0)                This command was introduced.
ACE Appliance Release  Modification
A3(1.0)                This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to discard packets that match the load-balancing criterion in the inline match command, enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# match SIP_MATCH sip header Via header-value 192.*
host1/Admin(config-pmap-lb-sip-m)# drop
Related Commands This command has no related commands.
(config-pmap-lb-sip-m) forward
To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, use the forward command. Use the no form of this command to reset the ACE to its default of load balancing packets that match the policy map.
forward
no forward
Syntax Description This command has no keywords or arguments.
Command Modes Policy map load balancing SIP match configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
A2(1.0)                This command was introduced.
ACE Appliance Release  Modification
A3(1.0)                This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To instruct the ACE to forward requests that match the criteria in the inline match command without performing load balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# match SIP_MATCH sip header Via header-value 192.*
host1/Admin(config-pmap-lb-sip-m)# forward
Related Commands This command has no related commands.
(config-pmap-lb-sip-m) serverfarm
To load balance a client request for content to a server farm, use the serverfarm command. Server farms are groups of networked real servers that contain the same content and reside in the same physical location. Use the no form of this command to remove the server-farm action from the Layer 7 load balancing policy map.
serverfarm name1 [backup name2 [aggregate-state]]
no serverfarm name1 [backup name2 [aggregate-state]]
Syntax Description
name1 Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm goes down, the ACE sends all connections to the configured backup server farm. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
aggregate-state This option has been deprecated and no longer has an effect on the state of the VIP. By default, the ACE takes into account the state of all real servers in the backup server farm before taking the VIP out of service. If all real servers in the primary server farm fail, but there is at least one real server in the backup server farm that is operational, the ACE keeps the VIP in service.
Command Modes Policy map load balancing SIP match configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
A2(1.0)                This command was introduced.
ACE Appliance Release  Modification
A3(1.0)                This command was introduced.
Usage Guidelines If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset (RST) to a client in response to a content request.
If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.
Examples To specify the serverfarm command as an action in the load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# match MATCH_SLB1 source-address 192.168.11.2 255.255.255.0
host1/Admin(config-pmap-lb-sip-m)# serverfarm FARM2 backup FARM3
Related Commands This command has no related commands.
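The following configuration is an added example and is not taken from this reference. It ties the inline match commands of this mode together in one first-match SIP policy: an inline match with the drop action, a class-default catch-all whose serverfarm action carries a backup farm, and the Layer 3/4 policy that binds the Layer 7 policy to a VIP. The real server addresses, farm and policy names, VLAN number and the VIP binding are assumptions chosen for illustration, and class-default is assumed to behave for SIP policy maps as it is documented for the other policy map types on this page. Lines beginning with "!" are annotations, not ACE commands.

```cisco
! Added example; not from the Cisco ACE reference. Addresses, names, the
! VLAN number and the Layer 3/4 binding are assumptions for illustration.

rserver host SIP_PROXY1
  ip address 10.1.1.11
  inservice
rserver host SIP_PROXY2
  ip address 10.1.1.12
  inservice
rserver host SIP_PROXY_DR
  ip address 10.2.1.11
  inservice

serverfarm host SIP_FARM
  rserver SIP_PROXY1 5060
    inservice
  rserver SIP_PROXY2 5060
    inservice

serverfarm host SIP_FARM_BACKUP
  rserver SIP_PROXY_DR 5060
    inservice

! Layer 7 SIP policy. Evaluation stops at the first match, so the inline
! drop must come before the catch-all class or it is never reached.
policy-map type loadbalance sip first-match SIP_L7_POLICY
  ! A request arriving at the client-facing VIP whose Via header already
  ! names the server-side subnet is looped or spoofed: discard it.
  ! "\." keeps the period literal; the leading ".*" skips the
  ! "SIP/2.0/UDP " transport prefix that precedes the address in Via.
  match DROP_INTERNAL_VIA sip header Via header-value .*10\.1\.1\..*
    drop
  ! All other requests are load balanced. SIP_FARM_BACKUP is used only
  ! while every real server in SIP_FARM is down; without "backup" the ACE
  ! would reset the client instead (see the serverfarm usage guidelines).
  class class-default
    serverfarm SIP_FARM backup SIP_FARM_BACKUP

! Bind the Layer 7 policy to a SIP VIP through a Layer 3/4 policy map.
class-map match-all SIP_VIP
  2 match virtual-address 10.0.0.100 udp eq 5060

policy-map multi-match SIP_L4_POLICY
  class SIP_VIP
    loadbalance vip inservice
    loadbalance policy SIP_L7_POLICY

interface vlan 100
  service-policy input SIP_L4_POLICY
```

The inline match name and the policy map name together must stay within the 64-character limit that applies to inline match statements (DROP_INTERNAL_VIA plus SIP_L7_POLICY is 30 characters here). If a later class should take precedence over the inline drop, reorder it with the insert-before keyword rather than relying on configuration order; the ACE evaluates the policy map top to bottom.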
(config-pmap-lb-sip-m) set ip tos
To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB) policy map, use the set ip tos command. This command marks a packet by setting the DSCP bits in the IP Type of Service (ToS) byte. Once the DSCP bits are set, other Quality of Service (QoS) services can then operate on them. Use the no form of this command to reset the IP DSCP value to the default of 0.
set ip tos value
no set ip tos value
Syntax Description
value IP DSCP value. Enter an integer from 0 to 255. The default is 0.
Command Modes Policy map load balancing SIP match configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
A2(1.0)                This command was introduced.
ACE Appliance Release  Modification
A3(1.0)                This command was introduced.
Usage Guidelines For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.
Examples To specify the set ip tos command as a QoS action in the Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# match MATCH_SLB1 sip header Via header-value 192.*
host1/Admin(config-pmap-lb-sip-m)# set ip tos 8
Related Commands This command has no related commands.
(config-pmap-lb-sip-m) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
name Name of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Policy map load balancing SIP match configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
A2(1.0)                This command was introduced.
ACE Appliance Release  Modification
A3(1.0)                This command was introduced.
Usage Guidelines For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, enter:
host1/Admin(config)# policy-map type loadbalance sip first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-sip)# match MATCH_SLB1 source-address 192.168.11.2 255.255.255.0
host1/Admin(config-pmap-lb-sip-m)# sticky-serverfarm STICKY_GROUP1
Related Commands This command has no related commands.
Policy Map Management Configuration Mode Commands
Policy map management configuration mode commands allow you to specify a Layer 3 and Layer 4 policy map that identifies the network management protocols that can be received by the ACE. The ACE executes the specified action only for traffic that meets the first matching classification with a policy map. The ACE does not execute any additional actions.
To create a Layer 3 and Layer 4 network management policy map and access the policy map management configuration mode, use the policy-map type management first-match command in configuration mode. You can classify network traffic based on the following management protocols: HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet. When you access this mode, the prompt changes to (config-pmap-mgmt). Use the no form of this command to remove a Layer 3 and Layer 4 network management policy map from the ACE.
policy-map type management first-match map_name
no policy-map type management first-match map_name
Syntax Description
map_name Name assigned to the Layer 3 and Layer 4 network management policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines The commands in this mode require the context Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To create a Layer 3 and Layer 4 network traffic management policy map, enter:
host1/Admin(config)# policy-map type management first-match L4_REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)#
Related Commands (config) class-map
(config-pmap-mgmt) class
To associate a Layer 3 and Layer 4 management protocol class map with a Layer 3 and Layer 4 traffic management policy map, use the class command. The prompt changes from (config-pmap-mgmt) to (config-pmap-mgmt-c). For information about commands in this mode, see the “Policy Map Management Class Configuration Mode Commands” section. Use the no form of this command to remove an associated class map from a policy map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2] | class-default}
Syntax Description
name1 Name of a previously defined Layer 3 and Layer 4 management protocol class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
insert-before name2 (Optional) Places the current class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
class-default Reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it enabling it to match all traffic.
Command Modes Policy map management configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To permit remote Secure Shell (SSH) access, enter:
host1/Admin(config)# policy-map type management first-match L4_REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
Related Commands (config) class-map
(config-pmap-mgmt) description
(config-pmap-mgmt) description
To provide a brief summary about the Layer 3 and Layer 4 management protocol policy map, use the description command. Use the no form of this command to remove the description from the policy map.
description text
no description
Syntax Description
text Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Policy map management configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the policy map is to allow remote Telnet access, enter:
host1/Admin(config-pmap-mgmt)# description Allow Telnet access to the ACE
Related Commands (config-pmap-mgmt) class
Policy Map Management Class Configuration Mode Commands
Policy map management class configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 3 and Layer 4 network management protocol class map. To access policy map management class configuration mode, use the class command in policy map management configuration mode (see the (config-pmap-mgmt) class command for details). The prompt changes from (config-pmap-mgmt) to (config-pmap-mgmt-c).
The commands in this mode require the context Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
(config-pmap-mgmt-c) deny
To deny the IP network management protocol specified in the associated class map, use the deny command. Use the no form of this command to allow the specified IP network management protocol to be received by the ACE.
deny
no deny
Syntax Description This command has no keywords or arguments.
Command Modes Policy map management class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To deny the IP network management protocol specified in the SSH_CLASS class map, enter:
host1/Admin(config-pmap-mgmt)# class SSH_CLASS
host1/Admin(config-pmap-mgmt-c)# deny
Related Commands This command has no related commands.
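The following configuration is an added example and is not taken from this reference. It shows a complete management policy built from the commands of this mode and of policy map management configuration mode (policy-map type management first-match, description, class, permit and deny, including the class-default catch-all), together with the management class maps and the interface binding those commands presuppose. The management subnet, VLAN number and all names are assumptions chosen for illustration; lines beginning with "!" are annotations, not ACE commands.

```cisco
! Added example; not from the Cisco ACE reference. The subnet, VLAN number
! and all names are assumptions chosen for illustration.
!
! Goal: the ACE itself accepts SSH only from the NOC subnet and ICMP from
! anywhere; the clear-text management protocols are denied by name so the
! decision is visible in the configuration, and class-default denies the
! rest (HTTPS included, since no class permits it).

class-map type management match-any MGMT_SSH_FROM_NOC
  2 match protocol ssh source-address 192.168.10.0 255.255.255.0

class-map type management match-any MGMT_ICMP_ANY
  2 match protocol icmp any

class-map type management match-any MGMT_CLEARTEXT
  2 match protocol telnet any
  3 match protocol http any
  4 match protocol snmp any

policy-map type management first-match REMOTE_MGMT_POLICY
  description SSH from NOC and ICMP only, clear-text management denied
  ! Evaluation is first-match: the narrow permit classes come first, the
  ! explicit deny class follows, and class-default catches everything else.
  class MGMT_SSH_FROM_NOC
    permit
  class MGMT_ICMP_ANY
    permit
  class MGMT_CLEARTEXT
    deny
  class class-default
    deny

! The policy governs only traffic addressed to the ACE on this interface;
! apply it to every interface from which management sessions may arrive.
interface vlan 100
  ip address 192.168.10.1 255.255.255.0
  service-policy input REMOTE_MGMT_POLICY
  no shutdown
```

Two checks are worth making after applying such a policy. First, because evaluation is first-match, a broad permit class placed above a narrower deny masks it; put the most specific classes first and use the insert-before keyword of the class command to reorder an existing policy. Second, the management policy only controls what the ACE itself accepts on the interface it is bound to; it says nothing about management traffic passing through the ACE to real servers, which remains a matter for the Layer 3/4 traffic policy.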
(config-pmap-mgmt-c) permit
To allow the IP network management protocols listed in the associated Layer 3 and Layer 4 management class map to be received by the ACE, use the permit command. Use the no form of this command to disallow the specified IP network management protocols to be received by the ACE.
permit
no permit
Syntax Description This command has no keywords or arguments.
Command Modes Policy map management class configuration mode
Admin and user contexts
Command History
ACE Module Release     Modification
3.0(0)A1(2)            This command was introduced.
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To permit the IP network management protocol specified in the SSH_CLASS class map, enter:
host1/Admin(config-pmap-mgmt)# class SSH_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
Related Commands This command has no related commands.
Policy Map Optimization Configuration Mode Commands
(ACE appliance only) Policy map optimization configuration mode commands allow you to associate an HTTP optimization action list and, optionally, a parameter map to perform the specified application acceleration optimization actions. The ACE executes the specified action only for traffic that meets the first matching classification with a policy map. The ACE does not execute any additional actions.
To create a Layer 7 optimization policy map and access the policy map optimization configuration mode, use the policy-map type optimization http first-match command in configuration mode. When you access this mode, the prompt changes to (config-pmap-optmz). Use the no form of the command to remove a Layer 7 optimization HTTP policy map from the ACE.
policy-map type optimization http first-match map_name
no policy-map type optimization http first-match map_name
Syntax Description
map_name Name assigned to the Layer 7 optimization HTTP policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To create a Layer 7 optimization HTTP policy map named L7OPTIMIZATION_POLICY, enter:
host1/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)#
Related Commands (config) class-map
(config-pmap-optmz) class
(ACE appliance only) To associate a Layer 7 SLB class map with a Layer 7 optimization HTTP policy map, use the class command. The prompt changes from (config-pmap-optmz) to (config-pmap-optmz-c). For information on commands in this mode, see the “Policy Map Optimization Class Configuration Mode Commands” section. Use the no form of this command to remove an associated class map from a policy map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2] | class-default}
Syntax Description
name1 Name of a previously defined Layer 7 SLB class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
insert-before name2 (Optional) Places the current class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
class-default Reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it that enables it to match all traffic.
Command Modes Policy map optimization configuration mode
Admin and user contexts
Command History
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To specify an existing Layer 7 SLB class map, enter:
host1/Admin(config-pmap-optmz)# class L7SLBCLASS
host1/Admin(config-pmap-optmz-c)#
Related Commands (config) class-map
(config-pmap-optmz) description
(config-pmap-optmz) description
(ACE appliance only) To provide a brief summary about the Layer 7 optimization HTTP policy map, use the description command. Use the no form of the command to remove the description from the policy map.
description text
no description
Syntax Description
text Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Policy map optimization configuration mode
Admin and user contexts
Command History
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To add a description that the policy map is to perform delta optimization, enter:
host1/Admin(config-pmap-optmz)# description This policy map performs delta optimization
To remove the description from the policy map, enter:
host1/Admin(config-pmap-optmz)# no description
Related Commands (config-pmap-optmz) class
(config-pmap-optmz) match http cookie
(ACE appliance only) To make server load balancing (SLB) decisions based on the name and string of a cookie, use the match http cookie command. Use the no form of the command to remove an HTTP cookie match statement from the policy map.
match name1 http cookie {name2 | secondary name3} cookie-value expression [insert-before map_name]
no match name1 http cookie {name2 | secondary name3} cookie-value expression
Syntax Description
name1 Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
name2 A unique cookie name. Enter an unquoted text string with no spaces and a maximum of 63 alphanumeric characters.
secondary name3 Specifies a cookie in a URL string. You can specify the delimiters for cookies in a URL string using a command in an HTTP parameter map.
cookie-value expression Specifies a unique cookie value expression. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. For a list of supported characters that you can use for matching string expressions, see the “Usage Guidelines” section for the (config-pmap-ins-http) match content command.
insert-before map_name (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes Policy map optimization configuration mode
Admin and user contexts
Command History
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines When you use the match http cookie command, you access the policy map optimization match configuration mode and the prompt changes from (config-pmap-optmz) to (config-pmap-optmz-m). For information on the load-balancing commands in this mode, see the “Policy Map Load Balancing HTTP Match Configuration Mode Commands” section.
The ACE performs regular expression matching against the received packet data from a particular connection based on the cookie expression. You can configure a maximum of five cookie names per VIP.
The ACE supports regular expressions for matching string expressions. For a list of supported characters that you can use for matching string expressions, see the “Usage Guidelines” section for the (config-pmap-ins-http) match content command.
For details on defining a list of ASCII-character delimiter strings that you can use to separate the cookies in a URL string, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To specify that the Layer 7 optimization policy map load balances on a cookie with the name of testcookie1, enter:
host1/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)# match MATCH2 http cookie testcookie1 cookie-value 123456
Related Commands (config-parammap-http) set content-maxparse-length
(config-parammap-http) set secondary-cookie-delimiters
(config-pmap-optmz) match http header
(ACE appliance only) To define application inspection decisions based on the name and value in an HTTP header, use the match http header command. Use the no form of the command to clear an HTTP header match criterion from the policy map.
match name http header {header_name | header_field} header-value expression [insert-before map_name]
no match name http header {header_name | header_field} header-value expression
Syntax Description
name Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
header_name Name of the HTTP header to match (for example, Host). The range is from 1 to 64 alphanumeric characters.
Note The header_name argument cannot include the colon in the name of the HTTP header; the ACE rejects the colon as an invalid token.
header_field A standard HTTP/1.1 header field. Valid selections include request-header fields, general-header fields, and the entity-header field. Selections also include two lower-level header-matching commands: “length” and “mime-type.” The supported selections are the following:
• Accept—Specifies a comma-separated list of representation schemes (content type metainformation values) that will be accepted in the response to the request.
• Accept-Charset—Specifies the character sets that are acceptable for the response. This field allows clients capable of understanding more comprehensive or special-purpose character sets to signal that capability to a server that can represent documents in those character sets.
• Accept-Encoding—Restricts the content encoding that a user will accept from the server.
• Accept-Language—Specifies the ISO code for the language in which the document is written. The language code is an ISO 639 language code with an optional ISO 3166 country code to specify a national variant.
• Authorization—Specifies that the user agent wants to authenticate itself with a server, usually after receiving a 401 response.
• Cache-Control—Specifies the directives that must be obeyed by all caching mechanisms in the request/response chain. The directives specify behavior intended to prevent caches from adversely interfering with the request or response.
• Connection—Allows the sender to specify connection options.
• Content-MD5—Specifies the MD5 digest of the entity body that provides an end-to-end integrity check. Only a client or an origin server can generate this header field.
• Expect—Used by a client to inform the server about the behaviors that the client requires.
• From—Contains the e-mail address of the person who controls the requesting user agent.
• Host—Specifies the internet host and port number of the resource that is requested, as obtained from the original URI given by the user or referring resource. The Host field value must represent the naming authority of the origin server or gateway given by the original URL.
• If-Match—Used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that one of those entities is current by including a list of their associated entity tags in the If-Match header field. This feature allows efficient updates of cached information with a minimum amount of transaction overhead. It is also used on updating requests to prevent inadvertent modification of the wrong version of a resource. As a special case, the value “*” matches any current entity of the resource.
• Pragma—Specifies the pragma directives that are understood by servers to whom the directives are relevant. The syntax is the same as for other multiple-value fields in HTTP. For example, the Accept field is a comma-separated list of entries for which the optional parameters are separated by semicolons.
• Referer—Specifies the address (URI) of the resource from which the URI in the request was obtained.
• Transfer-Encoding—Indicates what (if any) type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient.
• User-Agent—Specifies the information about the user agent (for example, a software program that originates the request). This information is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents.
• Via—Used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests and between the origin server and the client on responses.
header-value expression Specifies the header value expression string to compare against the value in the specified field in the HTTP header. The range is from 1 to 255 alphanumeric characters. For a list of supported characters that you can use in regular expressions, see the “Usage Guidelines” section for the (config-pmap-ins-http) match content command.
insert-before map_name (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes Policy map optimization configuration mode
Admin and user contexts
Command History
ACE Appliance Release  Modification
A1(7)                  This command was introduced.
Usage Guidelines The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP header expression.
When you use the match http header command, you access the policy map optimization match configuration mode and the prompt changes from (config-pmap-optmz) to (config-pmap-optmz-m). For information on the load-balancing commands in this mode, see the “Policy Map Load Balancing HTTP Match Configuration Mode Commands” section.
The ACE supports regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces, if the spaces are escaped or quoted. For a list of supported characters that you can use in regular expressions, see the “Usage Guidelines” section for the (config-pmap-ins-http) match content command.
Examples To specify that the Layer 7 optimization policy map load balances on an HTTP header named Host, enter:
host1/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)# match match3 http header Host header-value .*cisco.com
Because an unescaped period in a regular expression matches any character, the expression .*cisco.com also accepts a Host value such as cisco-com; escape the period (.*cisco\.com) to match it literally.
Related Commands (config-parammap-http) set content-maxparse-length
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Policy Map Optimization Configuration Mode Commands
(config-pmap-optmz) match http url
(ACE appliance only) To make server load balancing (SLB) decisions based on the URL name and,
optionally, the HTTP method, use the match http url command. Use the no form of the command to
remove a URL match statement from the policy map.
match name http url expression [method name] [insert-before map_name]
no match name http url expression [method name]
Syntax Description name Name assigned to the inline match command. Enter an unquoted text
string with no spaces. The length of the inline match statement name
plus the length of the policy map name with which it is associated
cannot exceed a total maximum of 64 alphanumeric characters. For
example, if the policy map name is L7_POLICY (nine characters), an
inline match statement name under this policy cannot exceed 55
alphanumeric characters (64 - 9 = 55).
expression URL, or portion of a URL, to match. Enter a URL string from 1 to
255 alphanumeric characters. Include only the portion of the URL
that follows www.hostname.domain in the match statement. For a list
of supported characters that you can use in regular expressions, see
the “Usage Guidelines” section for the (config-pmap-ins-http)
match content command.
method name (Optional) Specifies the HTTP method to match. Enter a method
name as an unquoted text string with no spaces and a maximum of
15 alphanumeric characters. The method can either be one of the
standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST,
PUT, DELETE, TRACE, or CONNECT) or a text string that must be
matched exactly (for example, PROTOPLASM).
insert-before map_name (Optional) Places the inline match command ahead of an existing
class map in the policy map configuration.
Command Modes Policy map optimization configuration mode
Admin and user contexts
Command History ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The ACE performs regular expression matching against the received packet data from a particular
connection based on the HTTP URL string.
When you use the match http url command, you access the policy map optimization match
configuration mode and the prompt changes from (config-pmap-optmz) to (config-pmap-optmz-m). For
information on the load-balancing commands in this mode, see the “Policy Map Load Balancing HTTP
Match Configuration Mode Commands” section.
Include only the portion of the URL that follows www.hostname.domain in the match statement. For
example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.
To match the www.anydomain.com portion, the URL string can take the form of a URL regular
expression. For a list of supported characters that you can use in regular expressions, see the “Usage
Guidelines” section for the (config-pmap-ins-http) match content command.
The period (.) does not have a literal meaning in regular expressions; it matches any single character.
Use either brackets ([]) or the backslash (\) character to match a literal period. For example, specify
www[.]xyz[.]com instead of www.xyz.com. Because the expression is evaluated against a URL that the
client chooses, an unescaped period lets a URL that differs from the intended one in that position
satisfy the match.
Examples To specify that the Layer 7 optimization policy map load balances on a specific URL, enter:
host1/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)# match match3 http url whatsnew/latest.*
To use regular expressions to emulate a wildcard search that matches any .gif file, with the period
escaped so that it matches only a literal period, enter:
host1/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)# match match3 http url .*[.]gif
Related Commands (config-parammap-http) set content-maxparse-length
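The following Python script is an added illustration and is not part of the Cisco reference. It shows how the expression forms discussed above behave against input that the client controls (the Host header and the URL). Python's re module stands in for the ACE regex engine; the only ACE behaviours assumed are the ones the reference states, namely an unanchored search in which the period matches any character and brackets or a backslash match a literal period. The sample Host values and URL paths are constructed for the example.

```python
import re

# Constructed sample inputs (not from the Cisco reference): Host header values
# and URL paths a policy map might see, including look-alikes that an
# attacker can register or request.
SAMPLE_HOSTS = [
    "www.cisco.com",
    "www.ciscoXcom",                # the wildcard period accepts any character
    "evil-cisco.com",               # unanchored search accepts a longer label
    "cisco.com.attacker.example",   # ...or a name under a different zone
]
SAMPLE_URLS = [
    "/latest/whatsnew.html",
    "/images/logo.gif",
    "/gifts/list.html",             # ".gif" also matches the "/gif" of "/gifts"
    "/download/gif",
]


def ace_style_match(expression: str, value: str) -> bool:
    """Approximate an ACE inline match against a header value or URL.

    Assumption: the ACE engine performs an unanchored search, and '.',
    '[...]' and '\\' behave as in Python's re, which is what the reference
    documents.  Nothing else about the ACE engine is assumed here.
    """
    return re.search(expression, value) is not None


def matching_hosts(expression: str) -> list:
    """Return the sample Host values that a header-value expression accepts."""
    return [h for h in SAMPLE_HOSTS if ace_style_match(expression, h)]


def matching_urls(expression: str) -> list:
    """Return the sample URL paths that a match http url expression accepts."""
    return [u for u in SAMPLE_URLS if ace_style_match(expression, u)]


if __name__ == "__main__":
    for expr in (".*cisco.com", ".*cisco[.]com"):
        print(f"{expr:16} hosts -> {matching_hosts(expr)}")
    for expr in (".*.gif", ".*[.]gif"):
        print(f"{expr:16} urls  -> {matching_urls(expr)}")
```

Escaping the period removes the wildcard match (www.ciscoXcom, /gifts/list.html, /download/gif). The look-alike hosts still match because the search is unanchored, which is the point to keep in mind: a match on a Host header or URL steers traffic to a policy, but it is keyed on a value the client chooses and is not an access control.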
Policy Map Optimization Class Configuration Mode Commands
(ACE appliance only) Policy map optimization class configuration mode commands allow you to specify
the actions that the ACE should take when network traffic matches the Layer 7 optimization HTTP action
statement. To access policy map optimization class configuration mode, use the class command in policy
map optimization configuration mode (see the (config-pmap-optmz) class command for details). The
prompt changes from (config-pmap-optmz) to (config-pmap-optmz-c).
The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
(config-pmap-optmz-c) action
(ACE appliance only) To perform a specific set of application acceleration actions, use the action
command. The Layer 7 optimization HTTP policy map activates the use of an optimization HTTP action
list to configure the specified application acceleration and optimization actions. See Cisco 4700 Series
Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide
for details on creating an optimization HTTP action list. Use the no form of the command to remove the
action list from the policy map.
action list_name [parameter map_name]
no action list_name [parameter map_name]
Syntax Description list_name Unique name of an existing action list as an unquoted text string with
a maximum of 64 alphanumeric characters. The action command
groups the application acceleration functions associated with the
specified action list that apply to a specific type of operation.
parameter map_name (Optional) Specifies optimization-related commands that pertain to
application acceleration performed by the ACE. A parameter map
groups the application acceleration functions that adjust or control
the actions specified in an associated action list. The map_name
argument specifies a unique name of an existing parameter map as an
unquoted text string with a maximum of 64 alphanumeric characters.
Command Modes Policy map optimization class configuration mode
Admin and user contexts
Command History ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Optionally, you can specify an optimization HTTP parameter map in an optimization HTTP policy map
to identify the association between the action list and the parameter map. The optimization HTTP action
list defines what to do while the optimization HTTP parameter map defines the specific details about
how to accomplish the application acceleration action. Refer to Cisco 4700 Series Application Control
Engine Appliance Application Acceleration and Optimization Configuration Guide for details on
creating an optimization HTTP parameter map.
Examples To associate an existing action list with an existing parameter map to control the actions in the Layer 7
HTTP optimization policy map, enter:
host1/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)# class L7SLBCLASS
host1/Admin(config-pmap-optmz-c)# action ACT_LIST1 parameter OPTIMIZE_PARAM_MAP
To remove the action list from the Layer 7 HTTP optimization policy map, enter:
host1/Admin(config-pmap-optmz-c)# no action ACT_LIST1 parameter OPTIMIZE_PARAM_MAP
Related Commands (config) action-list type modify http
(config) parameter-map type
Policy Map Optimization Match Configuration Mode Commands
(ACE appliance only) Policy map optimization match configuration mode commands allow you to
specify the actions that the ACE should take when network traffic matches the Layer 7 optimization
HTTP inline match statement. To access policy map optimization match configuration mode, use a match
command in policy map optimization configuration mode (see the “Policy Map Optimization
Configuration Mode Commands” section). The prompt changes from (config-pmap-optmz) to
(config-pmap-optmz-m).
The commands in this mode require the loadbalance feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
(config-pmap-optmz-m) action
(ACE appliance only) To perform a specific set of application acceleration actions, use the action
command. The Layer 7 optimization HTTP policy map activates the use of an optimization HTTP action
list to configure the specified application acceleration optimization actions. Refer to the Cisco 4700
Series Application Control Engine Appliance Application Acceleration and Optimization Configuration
Guide for details on creating an optimization HTTP action list. Use the no form of the command to
remove the action list from the policy map.
action list_name [parameter map_name]
no action list_name [parameter map_name]
Syntax Description list_name Unique name of an existing action list as an unquoted text string with
a maximum of 64 alphanumeric characters. The action command
groups the application acceleration functions associated with the
specified action list that apply to a specific type of operation.
parameter map_name (Optional) Specifies optimization-related commands that pertain to
application acceleration performed by the ACE. A parameter map
groups the application acceleration functions that adjust or control
the actions specified in an associated action list. The map_name
argument specifies a unique name of an existing parameter map as an
unquoted text string with a maximum of 64 alphanumeric characters.
Command Modes Policy map optimization match configuration mode
Admin and user contexts
Command History ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Optionally, you can specify an optimization HTTP parameter map in an optimization HTTP policy map
to identify the association between the action list and the parameter map. In this case, the optimization
HTTP action list defines what to do while the optimization HTTP parameter map defines the specific
details about how to accomplish the application acceleration action. Refer to the Cisco 4700 Series
Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide
for details on creating an optimization HTTP parameter map.
Examples To associate an existing action list with an existing parameter map to control the match command action
in the Layer 7 HTTP optimization policy map, enter:
host1/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)# match match3 http url .*[.]gif
host1/Admin(config-pmap-optmz-m)# action ACT_LIST1 parameter OPTIMIZE_PARAM_MAP
To remove the action list from the Layer 7 HTTP optimization policy map, enter:
host1/Admin(config-pmap-optmz-m)# no action ACT_LIST1 parameter OPTIMIZE_PARAM_MAP
Related Commands (config) action-list type modify http
(config) parameter-map type
Probe Configuration Mode Commands
Probe configuration mode commands allow you to configure health monitoring on the ACE to track the
state of a server by sending out probes. Also referred to as out-of-band health monitoring, the ACE
verifies the server response or checks for any network problems that can prevent a client from reaching
a server. Based on the server response, the ACE can place the server in or out of service and can make
reliable load-balancing decisions. You can also use health monitoring to detect failures for a gateway or
host in high availability configurations. The ACE identifies the health of a server in the following
categories:
• Passed—The server returns a valid response.
• Failed—The server fails to provide a valid response to the ACE or the ACE is unable to reach a
server for a specified number of retries.
By configuring the ACE for health monitoring, the ACE sends active probes periodically to determine
the server state. The ACE supports 4096 (ACE module) or 1000 (ACE appliance) unique probe
configurations, which includes ICMP, TCP, HTTP, and other predefined health probes. The ACE can
execute only up to 200 concurrent script probes at a time. The ACE also allows the opening of
2048 sockets simultaneously.
You can associate the same probe with multiple real servers or server farms. Each time that you use the
same probe again, the ACE counts it as another probe instance. You can allocate a maximum of 16 K
(ACE module) or 4000 (ACE appliance) probe instances.
To configure probes and access probe configuration mode for that probe type, use the probe command.
The CLI prompt changes to (config-probe-probe_type). For information about the commands in all probe
configuration modes, see the commands in this section. See the “Command Modes” section for each
command to find out to which probe-type configuration modes a specific command applies.
Use the no form of this command to remove a probe from the configuration.
probe probe_type probe_name
no probe probe_type probe_name
Syntax Description probe_type Type of probe to configure. The probe type determines what the probe sends
to the server. Enter one of the following types:
• dns—Sends a request to a DNS server that passes a configured domain
to the server (by default, the domain is www.cisco.com). To determine
whether the server is up, the ACE must receive one of the configured IP
addresses for that domain.
• echo {tcp | udp}—Sends a specified string to the server and compares
the response to the original string. You must configure the string that
needs to be echoed. If the response string matches the original string,
the server is marked as passed. If you do not configure a string, the
probe behaves like a TCP or UDP probe.
• finger—Uses a Finger query to a server for an expected response
string. The ACE searches the response for the configured string. If the
ACE finds the expected response string, the server is marked as passed.
If you do not configure an expected response string, the ACE ignores
the server response.
• ftp—Establishes a TCP connection to the server and then issues a quit
command.
• http—Establishes a TCP connection and issues an HTTP request to the
server for an expected string and status code. The ACE can compare the
received response with configured codes, looking for a configured
string in the received HTTP page, or verifying hash for the HTTP page.
If any of these checks fail, the server is marked as failed.
For example, if you configure an expected string and status code and
the ACE finds them both in the server response, the server is marked as
passed. However, if the ACE does not receive either the server response
string or the expected status code, it marks the server as failed.
If you do not configure a status code, any response code from the server
is marked as failed.
• https—Similar to an HTTP probe except that it uses Secure Sockets
Layer (SSL) to generate encrypted data.
• icmp—Sends an ICMP echo request and listens for a response. If a
server returns a response, the ACE marks the server as passed. If the
server does not send a response, causing the probe to time out, or if the
server sends an unexpected ICMP echo response type, the ACE marks
the probe as failed.
• imap—Makes a server connection and sends user credential (login,
password, and mailbox) information. The ACE can send a configured
command. Based on the server response, the ACE marks the probe as
passed or failed.
• pop—Initiates a session and sends the configured credentials. The ACE
can send a configured command. Based on the server response, the
ACE marks the probe as passed or failed.
• radius—Sends a query using a configured username, password, and
shared secret to a RADIUS server. If the server is up, it is marked as
passed. If you configure a Network Access Server (NAS) address, the
ACE uses it in the outgoing packet. Otherwise, the ACE uses the IP
address associated with the outgoing interface as the NAS address.
• rtsp—Establishes a TCP connection and sends a request packet to the
server. The ACE compares the response with the configured response
code to determine whether the probe has succeeded.
• scripted—Allows you to run a script to execute the probe that you
created for health monitoring. You can author specific scripts with
features not present in standard health probes.
• sip {tcp | udp}—Establishes a TCP or UDP connection and sends an
OPTIONS request packet to the user agent on the server. The ACE
compares the response with the configured response code or expected
string, or both, to determine whether the probe has succeeded. If you do
not configure an expected status code, any response from the server is
marked as failed.
• smtp—Initiates an SMTP session by logging into the server, sends a
HELO message, and then disconnects from the server.
• snmp—Establishes a UDP connection and sends a maximum of eight
SNMP OID queries to probe the server. The ACE weighs and averages
the load information that is retrieved and uses it as input to the
least-loaded algorithm for load-balancing decisions. If the retrieved
value is within the configured threshold, the server is marked as passed.
If the threshold is exceeded, the server is marked as failed.
• tcp—Initiates a TCP 3-way handshake (SYN, SYN-ACK, ACK) and
expects the server to send a response. By default, a successful response
causes the probe to mark the server as passed and send a FIN to end the
session. If the response is not valid or if there is no response, the probe
marks the server as failed.
• telnet—Establishes a connection to the server and verifies that a
greeting from the application was received.
• udp—Sends a UDP packet to a server and marks the server as failed
only if the server returns an ICMP Port Unreachable message. If the
ACE does not receive any ICMP errors for the UDP request that was
sent, the probe is marked as passed. Optionally, you can configure this
probe to send specific data and expect a specific response to mark the
server as passed.
If the IP interface of the server is down or disconnected, the UDP probe
by itself cannot tell that the UDP application is unreachable: no ICMP
error comes back, so a silently dropped packet looks the same as a
healthy server that sent no reply. Configure the probe to send data and
expect a response if you need a positive confirmation.
• vm—Sends a query to the VM controller (vCenter) to obtain the load
information of the local VMs.
probe_name Identifier for the probe. Use the probe name to associate the probe to the
server. Enter an unquoted text string with no spaces and a maximum of
64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
A4(2.0) Added the VM probe type.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
A4(2.0) Added the VM probe type.
A5(1.0) Added IPv6 support.
Usage Guidelines This command requires the probe feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can associate only IPv4 probes with IPv4 real servers and only IPv6 probes with IPv6 real servers.
For IPv6, the ACE supports the following probe types:
• DNS
• HTTP
• HTTPS
• ICMP
• TCP
• UDP
• Scripted
Examples To define a TCP probe named PROBE1 and access its configuration mode, enter:
host1/Admin(config)# probe tcp PROBE1
host1/Admin(config-probe-tcp)#
To delete the TCP probe named PROBE1, enter:
host1/Admin(config)# no probe tcp PROBE1
Related Commands clear stats
show probe
show running-config
show stats
(config-probe-probe_type) append-port-hosttag
(ACE appliance only) To append port information in the HTTP Host header when you configure a
non-default destination port for an HTTP or HTTPS probe, use the append-port-hosttag command. Use
the no form of this command to reset the default behavior of not appending the port information in the
HTTP Host header.
append-port-hosttag
no append-port-hosttag
Syntax Description This command has no keywords or arguments.
Command Modes HTTP and HTTPS probe configuration mode
Admin and user contexts
Command History ACE Appliance Release Modification
A3(2.7) This command was introduced. Not applicable to A4(1.0) or A4(2.0).
Usage Guidelines This command has no usage guidelines.
Examples To configure the ACE to append the port information, enter the following command:
host1/Admin(config-probe-http)# append-port-hosttag
To reset the default behavior, enter the following:
host1/Admin(config-probe-http)# no append-port-hosttag
Related Commands This command has no related commands.
(config-probe-probe_type) community
To change the community string used by an SNMP probe, use the community command. Use the no
form of this command to remove the community string.
community text
no community
Syntax Description text Name of the SNMP community string for the server. Enter a text string with
a maximum of 255 alphanumeric characters.
Command Modes SNMP probe configuration mode
Admin and user contexts
Command History ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines An ACE Simple Network Management Protocol (SNMP) probe accesses the server through its
community string. By default, the community string is not set. The community string is the credential
that the server's SNMP agent checks, so choose it and protect it as you would a password, and give the
probe's community only the read access that the OID queries need.
Examples To configure the community string private, enter:
host1/Admin(config-probe-snmp)# community private
To remove the community string, enter:
host1/Admin(config-probe-snmp)# no community
Related Commands show probe
(config-probe-probe_type) connection term
To configure the ACE to terminate a TCP connection by sending a RST, use the connection term
command. Use the no form of this command to reset its default of graceful termination.
connection term forced
no connection term forced
Syntax Description This command has no keywords or arguments.
Command Modes ECHO TCP, Finger, FTP, HTTP, HTTPS, IMAP, POP, RTSP, SIP TCP, SMTP, TCP, and Telnet probe
configuration modes
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command applies only to TCP-based probes. By default, the ACE terminates a TCP connection
gracefully by sending a FIN to the server. With connection term forced, the server sees an aborted
connection (for example, a reset error on its next read) instead of an orderly end of stream, which some
applications log as an error; the ACE, for its part, does not hold the probe connection in TIME_WAIT.
Examples To terminate a TCP connection by sending a RST for a TCP probe, enter:
host1/Admin(config-probe-tcp)# connection term forced
To reset the method to terminate a connection gracefully, enter:
host1/Admin(config-probe-tcp)# no connection term forced
Related Commands show probe
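The following Python script is an added example, not Cisco code, that reproduces at the socket level the difference between the default graceful termination and connection term forced. It opens a throwaway TCP listener on the loopback interface, connects to it as the probe would, and closes either normally (FIN) or with SO_LINGER set to a zero timeout, which makes close() abort the connection with a RST. The listener reports which of the two it observed. The listener, the payload, and the use of SO_LINGER to produce the RST are this example's own choices; the reference does not say how the ACE generates the RST internally.

```python
import socket
import struct
import threading


def _accept_and_observe(listener: socket.socket, outcome: dict) -> None:
    """Server side of the probe: read until the client closes and record
    whether the close arrived as an orderly FIN or as a RST."""
    conn, _ = listener.accept()
    with conn:
        try:
            while conn.recv(64):          # loop until end of stream
                pass
            outcome["close"] = "fin"      # recv() returned b"": peer sent FIN
        except ConnectionResetError:
            outcome["close"] = "rst"      # peer aborted the connection


def probe_tcp(forced_termination: bool) -> str:
    """Connect to a local throwaway server, send a few bytes, then close the
    connection the way the ACE does with or without 'connection term forced'.
    Returns "fin" or "rst" as observed by the server."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # ephemeral port on loopback
    listener.listen(1)
    outcome = {}
    server = threading.Thread(target=_accept_and_observe, args=(listener, outcome))
    server.start()

    client = socket.create_connection(listener.getsockname())
    client.sendall(b"probe")              # constructed payload, stands in for the probe data
    if forced_termination:
        # SO_LINGER with l_onoff=1 and l_linger=0: close() discards any unsent
        # data and aborts the connection with a RST instead of sending a FIN.
        client.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    client.close()

    server.join(timeout=5)
    listener.close()
    return outcome.get("close", "no-close-observed")


if __name__ == "__main__":
    print("default (graceful):     ", probe_tcp(False))
    print("connection term forced: ", probe_tcp(True))
```

Run it once each way and compare what the server side reports; the aborted close is what a server application sees as a connection reset, which is why a busy probe schedule with forced termination can show up as reset errors in application logs.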
(config-probe-probe_type) credentials
To configure the credentials for username and password authentication of a probe to access a server, use
the credentials command. For a Remote Authentication Dial-In User Service (RADIUS) probe, a shared
secret may also be required. For an Internet Message Access Protocol (IMAP) probe, you can provide a
mailbox username. Use the no form of this command to remove the credentials from the configuration.
For HTTP, HTTPS, and POP probes, the syntax is as follows:
credentials username [password]
For RADIUS probes, the syntax is as follows:
credentials username password [secret shared_secret]
For IMAP probes, the syntax is as follows:
credentials {username password} | {mailbox name}
For HTTP, HTTPS, POP, and RADIUS probes, the syntax is as follows:
no credentials
For IMAP probes, the syntax is as follows:
no credentials {username | mailbox}
Syntax Description username User identifier used for authentication. Enter an unquoted text string
with a maximum of 64 alphanumeric characters.
password (Optional except for RADIUS and IMAP probes) Password used for
authentication. Enter an unquoted text string with a maximum of
64 alphanumeric characters.
mailbox name (IMAP probe) Specifies the user mailbox name from which to
retrieve e-mail for an IMAP probe. Enter an unquoted text string with
a maximum of 64 alphanumeric characters.
secret shared_secret (RADIUS probe) Specifies the RADIUS shared secret. The ACE uses
it, together with MD5, to hide the password in the request it sends and
to verify the server's reply. Enter an unquoted text string with a maximum
of 64 alphanumeric characters.
Command Modes HTTP, HTTPS, IMAP, POP, and RADIUS probe configuration modes
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You must configure the username and password for an IMAP probe with the credentials command
before you configure the mailbox, or the ACE ignores the specified user mailbox name.
The probe sends these credentials on every probe interval, so use an account that has no rights beyond
what the probe needs.
Examples To configure the username ENG1 and a password TEST for an HTTP probe, enter:
host1/Admin(config-probe-http)# credentials ENG1 TEST
To delete the credentials for a probe, enter:
host1/Admin(config-probe-http)# no credentials
To configure the user mailbox LETTERS for an IMAP probe, enter:
host1/Admin(config-probe-imap)# credentials mailbox LETTERS
To delete the mailbox for the IMAP probe, enter:
host1/Admin(config-probe-imap)# no credentials mailbox
Related Commands show probe
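The following Python code is an added example, not Cisco code, of what the RADIUS shared secret is used for in the probe's Access-Request: the User-Password hiding of RFC 2865 section 5.2, in which the password is padded to a multiple of 16 octets and XORed block by block with an MD5 chain keyed by the shared secret and the 16-octet Request Authenticator. The reference says only that the secret feeds an MD5 computation; the ACE's internal implementation is not shown and not claimed here. The last function shows why the secret must be strong: the probe's password is fixed in the configuration and sent on every interval, so one captured request gives an attacker known plaintext to test candidate secrets offline. All inputs are constructed.

```python
import hashlib
import os


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 octets,
    then XOR each 16-octet block with MD5(secret + previous block), where the
    'previous block' for the first block is the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    hidden = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        block = _md5(secret + prev)
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += chunk
        prev = chunk                      # chaining: next block keys off the ciphertext
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    plain = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = _md5(secret + prev)
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return plain.rstrip(b"\x00")          # strip the NUL padding


def guess_shared_secret(hidden: bytes, request_authenticator: bytes,
                        known_password: bytes, candidates) -> bytes:
    """Offline check an attacker can run on one captured Access-Request when
    the password is known: the candidate that reveals it is the secret."""
    for cand in candidates:
        if reveal_password(hidden, cand, request_authenticator) == known_password:
            return cand
    return None


if __name__ == "__main__":
    ra = os.urandom(16)                   # Request Authenticator is random per request
    secret = b"s3cr3t-shared"             # constructed shared secret
    hidden = hide_password(b"TEST", secret, ra)
    print("hidden User-Password:", hidden.hex())
    print("server reveals      :", reveal_password(hidden, secret, ra))
    print("offline guess       :",
          guess_shared_secret(hidden, ra, b"TEST", [b"public", b"testing123", secret]))
```

The hiding is reversible by anyone who knows the secret, and a short or dictionary secret falls to the offline test in the last function, so the shared secret deserves the same handling as the password itself.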
(config-probe-probe_type) description
To provide a description for a probe, use the description command. Use the no form of this command
to remove the description for the probe.
description text
no description
Syntax Description text Description for the probe. Enter a text string with a maximum of 240 alphanumeric characters.
Command Modes All probe-type configuration modes
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure the description THIS PROBE IS FOR TCP SERVERS for a TCP probe, enter:
host1/Admin(config-probe-tcp)# description THIS PROBE IS FOR TCP SERVERS
To remove the description from the TCP probe, enter:
host1/Admin(config-probe-tcp)# no description
Related Commands show probe
(config-probe-probe_type) domain
To configure the domain name that the probe sends to the DNS server to resolve, use the domain
command. Use the no form of this command to reset the default domain (www.cisco.com) that the probe
sends to the server.
domain name
no domain
Syntax Description name Domain that the probe sends to the DNS server. Enter an unquoted text
string with a maximum of 255 alphanumeric characters.
Command Modes DNS probe configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The DNS probe sends a domain name for the DNS server to resolve. By default, the probe uses the
www.cisco.com domain name. Because the probe passes only when the answer contains an address
configured with the expect address command, pick a name whose expected answer is stable and known
to you; the default depends on external resolution and on addresses you do not control.
Examples To configure the domain name MARKET, enter:
host1/Admin(config-probe-dns)# domain MARKET
To reset the default domain that the probe sends to the DNS server, enter:
host1/Admin(config-probe-dns)# no domain
Related Commands show probe
(config-probe-probe_type) expect address
To configure one or more IPv6 or IPv4 addresses that the ACE expects as a server response to a DNS
request, use the expect address command. The probe matches the received IP address with the
configured addresses. Use the no form of this command to remove the expected IP address from the
configuration.
expect address ip_address
no expect address ip_address
Syntax Description ip_address IPv6 or IPv4 address expected from the DNS server in response to the
DNS probe request for a domain.
Command Modes DNS probe configuration mode
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines A DNS probe sends a request for a domain to a DNS server. The ACE uses the addresses specified with
the expect address command to decide whether to pass or fail the DNS probe for the server based on
the server response. To specify multiple addresses, enter the command once for each address.
Examples IPv6 Example
To configure an expected IPv6 address of 2001:DB8:15::/64, enter:
host1/Admin(config-probe-dns)# expect address 2001:DB8:15::/64
To remove the IPv6 address, use the no expect address command. For example, enter:
host1/Admin(config-probe-dns)# no expect address 2001:DB8:15::/64
IPv4 Example
To configure an expected IPv4 address of 192.8.12.15, enter:
host1/Admin(config-probe-dns)# expect address 192.8.12.15
To remove the IPv4 address, use the no expect address command. For example, enter:
host1/Admin(config-probe-dns)# no expect address 192.8.12.15
Related Commands show probe
(config-probe-probe_type) expect regex
To configure what the ACE expects as a response from the probe destination server, use the expect regex
command. Use the no form of this command to remove the expectation of a response expression.
expect regex string [offset number] [cache [length]]
For TCP and UDP probes, the syntax is as follows:
no expect
For Finger, HTTP, HTTPS, and SIP probes, the syntax is as follows:
no expect regex
Syntax Description string Expected response string from the probe destination. Enter an unquoted text string
with no spaces. If the string includes spaces, enclose the string in quotes. The string
can be a maximum of 255 alphanumeric characters.
offset number (Optional) Sets the number of characters into the received message or buffer where
the probe starts searching for the defined expression. Enter a number from 1 to 4000.
(ACE appliance only) If you do not include the cache keyword when entering this
command, the number argument is from 1 to 4000. However, if you include the cache
keyword, the maximum offset is 163840.
cache (ACE appliance only; optional, for HTTP and HTTPS probes only) Enables caching
when parsing long web pages with a regex. By default, when you configure the expect
regex command for an HTTP or HTTPS probe in probe configuration mode, the ACE
does not cache the web page that the probe parses. If the web page is longer than
4 KB and the string to be matched lies beyond that length, the probe fails.
length (ACE appliance only, optional) Cache length. Enter a number from 1 to 1000. The
default cache length is 1000.
Command Modes Finger, HTTP, HTTPS, SIP, TCP, and UDP probe configuration modes
Admin and user contexts
Command History ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.7) Added the cache [length] option for regex parsing of long web pages. Not applicable to
A4(1.0) or A4(2.0).
Usage Guidelines When you configure a probe to expect a string from a server, it searches the response for a configured
string. If the ACE finds the expected string, the server is marked as passed. If you do not configure an
expected string, the ACE ignores the server response.
If you configure the expect regex command for TCP probes, you must configure the send-data
command. Otherwise, the probe performs a connection open and close without checking the response
from the server.
For HTTP or HTTPS probes, the server response must include the Content-Length header for the expect
regex command to function. Otherwise, the probe does not attempt to parse the regex.
(ACE appliance only) For the cache option, consider the following:
• The HTML file configured with the request method command cannot exceed the length of the offset
plus the length of the cache. If the file exceeds this length, the probes fail.
• For HTTP and HTTPS probes with active and standby ACEs that are running different software
versions, any incremental changes made for the expect regex command are not synchronized. Any
synchronization changes to the other ACE occur through bulk synchronization. Bulk
synchronization takes place as expected.
Examples To configure a TCP probe to expect an ACK response, enter:
host1/Admin(config-probe-tcp)# expect regex ack
(ACE appliance only) To configure the expected response string with caching with the default cache
length of 1000, enter:
host1/Admin(config-probe-http)# expect regex test cache
To remove the expectation of a response expression for a TCP probe, enter:
host1/Admin(config-probe-tcp)# no expect
To remove the expectation of a response expression for an HTTP probe, enter:
host1/Admin(config-probe-http)# no expect regex
Related Commands show probe
(config-probe-probe_type) expect status
To configure a single status code or a range of status code responses that the ACE expects from the probe
destination, use the expect status command. You can specify multiple status code ranges with this
command by entering the command with different ranges separately. Use the no form of this command
to remove the expected status code or codes from the configuration.
expect status min_number max_number
no expect status min_number max_number
Syntax Description
min_number Single status code or the lower limit of a range of status codes. Enter an integer from 0 to 999.
max_number Upper limit of a range of status codes. Enter an integer from 0 to 999. When configuring a single code, reenter the min_number value.
Command Modes FTP, HTTP, HTTPS, RTSP, SIP, and SMTP probe configuration modes
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines When the ACE receives a response from the server, it expects a status code to mark a server as passed. By default, no status codes are configured on the ACE. If you do not configure a status code, the ACE marks any response code from the server as failed.
For HTTP and HTTPS, if you configure the expect regex command without configuring a status code, the probe passes if the regular expression response string is present.
You can specify multiple status code ranges with this command by entering the command with different ranges one at a time. Both the min_number and the max_number values can be any integer between 0 and 999, provided that the max_number is greater than or equal to the min_number. When the min_number and max_number values are the same, the ACE uses a single status code number.
Examples To configure an expected status code of 200 that indicates that the HTTP request was successful, enter:
host1/Admin(config-probe-http)# expect status 200 200
To configure a range of expected status codes from 200 to 202 for an RTSP probe, enter:
host1/Admin(config-probe-rtsp)# expect status 200 202
To configure multiple ranges of expected status codes from 200 to 202 and 204 to 205, configure each
range separately. Enter:
host1/Admin(config-probe-http)# expect status 200 202
host1/Admin(config-probe-http)# expect status 204 205
To remove a single expected status code of 200, enter:
host1/Admin(config-probe-sip-udp)# no expect status 200 200
To remove a range of expected status codes, enter:
host1/Admin(config-probe-http)# no expect status 200 202
To remove multiple ranges of expected status codes, you must remove each range separately. If you have
set two different ranges (200 to 202 and 204 to 205), enter:
host1/Admin(config-probe-http)# no expect status 200 202
host1/Admin(config-probe-http)# no expect status 204 205
Related Commands show probe
(config-probe-probe_type) faildetect
To change the number of consecutive failed probes, use the faildetect command. Use the no form of this
command to reset the number of probe retries to its default.
faildetect retry_count
no faildetect
Syntax Description
retry_count Consecutive number of failed probes before marking the server as failed. Enter a number from 1 to 65535. The default is 3.
Command Modes All probe-type configuration modes
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Before the ACE marks a server as failed, it must detect that probes have failed a consecutive number of times. By default, when three consecutive probes have failed, the ACE marks the server as failed.
Examples To set the number of failed probes to 5 before declaring the server as failed for a TCP probe, enter:
host1/Admin(config-probe-tcp)# faildetect 5
To reset the number of probe failures to the default of 3, enter:
host1/Admin(config-probe-tcp)# no faildetect
Related Commands show probe
(config-probe-probe_type) hash
To configure the ACE to dynamically generate the MD5 hash value or manually configure the value, use
the hash command. By default, no hash value is configured on the ACE. Use the no form of this
command to configure the ACE to no longer compare the referenced hash value to the computed hash
value.
hash [value]
no hash
Syntax Description
value (Optional) The MD5 hash value that you want to manually configure. Enter the MD5 hash value as a hexadecimal string with exactly 32 characters (16 bytes).
Command Modes HTTP and HTTPS probe configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines If you do not use this command to configure the hash value, the ACE does not calculate a hash value on the HTTP data returned by the probe.
When you enter this command with no argument, the ACE generates the hash on the HTTP data returned by the first successful probe. If subsequent HTTP server hash responses match the generated hash value, the ACE marks the server as passed. If a mismatch occurs due to changes to the HTTP data, the probe fails and the show probe ... detail command displays an MD5 mismatch error in the Last disconnect error field.
To clear the reference hash and have the ACE recalculate the hash value at the next successful probe, change the URL or method by using the request method command.
The server response must include the Content-Length header for the hash command to function. Otherwise, the probe does not attempt to parse the hash value.
You can configure the hash command on a probe that uses the HEAD method; however, there is no data to hash, so the command has no effect and the probe always succeeds.
Examples To configure the ACE to generate the hash on the HTTP data returned by the first successful probe, enter:
host1/Admin(config-probe-http)# hash
To manually configure a hash value, enter:
host1/Admin(config-probe-http)# hash 0123456789abcdef0123456789abcdef
To configure the ACE to no longer compare the referenced hash value to the computed hash value, enter:
host1/Admin(config-probe-http)# no hash
Related Commands show probe
(config-probe-probe_type) request method
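The following Python model, added here as an example and not part of the ACE software or of this reference, ties together the three HTTP/HTTPS response checks documented above (expect status, expect regex with offset, and hash): it parses a constructed raw response, applies the configured status ranges, searches for the regex from the 1-based offset, and learns or compares the MD5 reference hash. Two points are assumptions rather than statements of the reference: a response without a Content-Length header is treated as a failed regex or hash check (the reference only says the ACE does not attempt the parse), and without the appliance-only cache option only the first 4 kilobytes of the body are searched. The hash check is a content-change detector on the probe path, not an integrity or authentication control.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not ACE code: a model of how an HTTP/HTTPS probe response
# is judged against "expect status", "expect regex" and "hash".
# Assumptions (not stated by the reference): a response without
# Content-Length fails the regex/hash check instead of being silently
# skipped, and without the appliance-only "cache" option only the first
# 4 kB of the body is searched.
NO_CACHE_WINDOW = 4096
HEX32 = re.compile(r"[0-9a-fA-F]{32}")


@dataclass
class HttpProbe:
    method: str = "GET"                       # request method {get | head}
    status_ranges: List[Tuple[int, int]] = field(default_factory=list)
    regex: Optional[str] = None               # expect regex string
    offset: int = 1                           # 1-based offset into the buffer
    cache: bool = False                       # appliance-only cache option
    hash_enabled: bool = False                # "hash" entered, with or without a value
    reference_hash: Optional[str] = None      # learned or configured MD5 (hex)

    def expect_status(self, lo: int, hi: int) -> None:
        """expect status min_number max_number: 0..999 and max >= min."""
        if not (0 <= lo <= hi <= 999):
            raise ValueError("status codes must be 0..999 with max >= min")
        self.status_ranges.append((lo, hi))

    def configure_hash(self, value: Optional[str] = None) -> None:
        """hash [value]: learn on first success, or pin a 32-hex-character MD5."""
        if value is not None and not HEX32.fullmatch(value):
            raise ValueError("MD5 value must be exactly 32 hexadecimal characters")
        self.hash_enabled = True
        self.reference_hash = value.lower() if value else None


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def evaluate(probe: HttpProbe, raw: bytes):
    """Return (passed, reason) for one probe response; may learn the hash."""
    status, headers, body = parse_response(raw)
    has_length = "content-length" in headers

    # expect status: no range configured means any code fails, except that
    # for HTTP/HTTPS an expect regex alone can carry the probe.
    if probe.status_ranges:
        if not any(lo <= status <= hi for lo, hi in probe.status_ranges):
            return False, "status %d outside expected ranges" % status
    elif probe.regex is None:
        return False, "no expect status configured; status %d marked failed" % status

    # expect regex: needs Content-Length; the search starts at the 1-based offset.
    if probe.regex is not None:
        if not has_length:
            return False, "expect regex not parsed: no Content-Length header"
        window = body if probe.cache else body[:NO_CACHE_WINDOW]
        if re.search(probe.regex.encode("iso-8859-1"), window[probe.offset - 1:]) is None:
            return False, "expected regex not found"

    # hash: HEAD returns no data, so the check has no effect; otherwise learn
    # the MD5 on the first success and require a match afterwards.
    if probe.hash_enabled and probe.method.upper() != "HEAD":
        if not has_length:
            return False, "hash not parsed: no Content-Length header"
        digest = hashlib.md5(body).hexdigest()
        if probe.reference_hash is None:
            probe.reference_hash = digest
        elif digest != probe.reference_hash:
            return False, "MD5 mismatch"
    return True, "passed"
```

A chunked response (no Content-Length) fails a probe that otherwise looks healthy, which is worth checking before enabling expect regex or hash against a server that streams its pages.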
(config-probe-probe_type) header
To configure a header field value for a probe, use the header command. Use the no form of this
command to remove the header field from the probe configuration.
For HTTP and HTTPS probes, the syntax is as follows:
header field_name header-value field_value
no header field_name
For RTSP probes, the syntax is as follows:
header {require | proxy-require} header-value field_value
no header {require | proxy-require}
Syntax Description
field_name (HTTP and HTTPS probes) Identifier for a standard header field. Enter a text string with a maximum of 64 alphanumeric characters. If the header field includes spaces, enclose the string in quotation marks ("). You can also enter one of the following header keywords:
• Accept—Accept request header
• Accept-Charset—Accept-Charset request header
• Accept-Encoding—Accept-Encoding request header
• Accept-Language—Accept-Language request header
• Authorization—Authorization request header
• Cache-Control—Cache-Control general header
• Connection—Connection general header
• Content-MD5—Content-MD5 entity header
• Expect—Expect request header
• From—From request header
• Host—Host request header
• If-Match—If-Match request header
• Pragma—Pragma general header
• Referer—Referer request header
• Transfer-Encoding—Transfer-Encoding general header
• User-Agent—User-Agent request header
• Via—Via general header
header-value field_value (HTTP and HTTPS probes) Specifies the value assigned to the header field. Enter a text string with a maximum of 255 alphanumeric characters. If the value string includes spaces, enclose the string in quotation marks (").
require (RTSP probes) Specifies the Require header.
proxy-require (RTSP probes) Specifies the Proxy-Require header.
header-value field_value (RTSP probes) Specifies the value assigned to the header field. Enter an alphanumeric string with no spaces and a maximum of 255 characters.
Command Modes HTTP, HTTPS, and RTSP probe configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
Usage Guidelines For each HTTP or HTTPS probe in your configuration, you can configure multiple header fields.
Examples To configure the Accept-Encoding HTTP header with a value of identity, enter:
host1/Admin(config-probe-http)# header Accept-Encoding header-value identity
To remove the header with the Accept-Encoding field name from the probe, enter:
host1/Admin(config-probe-http)# no header Accept-Encoding
To configure the RTSP REQUIRE header with a field value of implicit-play, enter:
host1/Admin(config-probe-rtsp)# header require header-value implicit-play
To remove the header configuration for the RTSP probe, enter:
host1/Admin(config-probe-rtsp)# no header require
To remove a Proxy-Require header, enter:
host1/Admin(config-probe-rtsp)# no header proxy-require
Related Commands show probe
(config-probe-probe_type) interval
To change the time interval between probes, use the interval command. The time interval between
probes is the frequency that the ACE sends probes to the server marked as passed. Use the no form of
this command to reset the default time interval of 15 seconds.
interval seconds
no interval
Syntax Description
seconds Time interval in seconds. Enter a number from 2 to 65535. The default is 15.
Command Modes All probe-type configuration modes
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) The default is 15. Previously, it was 120.
A4(2.0) Added the interval command for VM probes.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(2.0) Added the interval command for VM probes.
Usage Guidelines The open timeout value for TCP-based probes and the receive timeout value can impact the execution time for a probe. When the probe interval is less than or equal to these timeout values and the server takes a long time to respond or fails to reply within the timeout values, the probe is skipped. When the probe is skipped, the No. Probes skipped counter shown by the show probe detail command increments.
Examples To configure a time interval of 50 seconds for a TCP probe, enter:
host1/Admin(config-probe-tcp)# interval 50
To reset the time interval to the default of 15 seconds, enter:
host1/Admin(config-probe-tcp)# no interval
Related Commands show probe
(config-probe-probe_type) ip address
To override the destination address that the probe uses, use the ip address command. By default, the
probe uses the IP address from the real server or server farm configuration for the destination IP address.
Use the no form of this command to reset the default of the probe.
ip address ip_address [routed]
no ip address
Syntax Description
ip_address Destination IP address. The default is the IP address from the real server or server farm configuration. Enter an IPv4 address in dotted-decimal notation (for example, 192.168.12.15) or an IPv6 address (for example, 2001:DB8:12::15).
routed (Optional) Routes the address according to the ACE internal routing table. If you are configuring a probe under a redirect server, you must configure this option. (ACE module only) Hardware-initiated SSL probes do not support this option.
Command Modes All probe-type configuration modes except scripted probe configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.7) (not applicable to A4(1.0)) Support added to configure a probe under a redirect server or server farm.
A5(1.0) Added IPv6 support.
Usage Guidelines This command has no usage guidelines.
Examples IPv6 Example
To configure an IPv6 address of 2001:DB8:12::15, enter:
host1/Admin(config-probe-type)# ip address 2001:DB8:12::15
To reset the default behavior of the probe using the IPv6 address from the real server or server farm configuration, use the no ip address command. For example, enter:
host1/Admin(config-probe-type)# no ip address
IPv4 Example
To configure an IP address of 192.8.12.15, enter:
host1/Admin(config-probe-type)# ip address 192.8.12.15
To reset the default behavior of the probe using the IP address from the real server or server farm configuration, use the no ip address command. For example, enter:
host1/Admin(config-probe-type)# no ip address
Related Commands show probe
(config-probe-probe_type) nas ip address
To configure a Network Access Server (NAS) address, use the nas ip address command. Use the no
form of this command to remove the NAS address.
nas ip address ip_address
no nas ip address
Syntax Description
ip_address NAS IP address. Enter a unique IPv4 address in dotted-decimal notation (for example, 192.168.12.15). By default, if a NAS address is not configured for the Remote Authentication Dial-In User Service (RADIUS) probe, the ACE uses the IP address associated with the outgoing interface as the NAS address.
Command Modes RADIUS probe configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines If a NAS address is not configured for the RADIUS probe, the ACE performs a route lookup on the RADIUS server IP address and uses the IP address of the outgoing interface as the NAS address.
Examples To configure a NAS address of 192.168.12.15, enter:
host1/Admin(config-probe-radius)# nas ip address 192.168.12.15
To remove the NAS IP address, enter:
host1/Admin(config-probe-radius)# no nas ip address
Related Commands show probe
(config-probe-probe_type) oid
To configure an Object Identifier (OID) for an SNMP probe, use the oid command. When you enter this
command, the CLI prompt changes to (config-probe-snmp-oid). For information about the commands
available in probe SNMP OID configuration mode, see the Probe SNMP OID Configuration Mode
Commands section. Use the no form of this command to remove the OID from the probe configuration.
oid string
no oid string
Syntax Description
string OID that the probe uses to query the server for a value. Enter an unquoted string with a maximum of 255 alphanumeric characters in dotted-decimal notation. The OID string is based on the server type.
Command Modes SNMP probe configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines When the ACE sends a probe with an SNMP OID query, the ACE uses the retrieved value as input to the least-loaded algorithm for load-balancing decisions. Least-loaded load balancing bases the server selection on the server with the lowest load value. If the retrieved value is within the configured threshold, the server is marked as passed. If the threshold is exceeded, the server is marked as failed.
You can configure a maximum of eight OID queries to probe the server.
Examples To configure the OID string .1.3.6.1.4.1.2021.10.1.3.1 and access probe SNMP OID configuration mode, enter:
host1/Admin(config-probe-snmp)# oid .1.3.6.1.4.1.2021.10.1.3.1
host1/Admin(config-probe-snmp-oid)#
To remove the OID string, enter:
host1/Admin(config-probe-snmp)# no oid .1.3.6.1.4.1.2021.10.1.3.1
Related Commands show probe
(config-probe-snmp-oid) threshold
(config-probe-snmp-oid) type absolute max
(config-probe-snmp-oid) weight
(config-probe-probe_type) open
To configure the time interval for a connection to be established through a TCP three-way handshake,
use the open command. By default, when the ACE sends a probe, it waits 1 second to open and establish
the connection with the server. Use the no form of this command to reset its default of 1 second.
open timeout
no open
Syntax Description
timeout Time in seconds. Enter an integer from 1 to 65535. The default is 1.
Command Modes Echo TCP, Finger, FTP, HTTP, HTTPS, IMAP, POP, RTSP, scripted, SIP TCP, SMTP, TCP, and Telnet probe configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) The default is 1. Previously, it was 10.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The open timeout value for TCP-based probes and the receive timeout value can impact the execution time for a probe. When the probe interval is less than or equal to these timeout values and the server takes a long time to respond or fails to reply within the timeout values, the probe is skipped. When the probe is skipped, the No. Probes skipped counter shown by the show probe detail command increments.
Examples To configure the wait time interval to 25 seconds for a TCP probe, enter:
host1/Admin(config-probe-tcp)# open 25
To reset the time interval to its default of 1 second, enter:
host1/Admin(config-probe-tcp)# no open
Related Commands show probe
(config-probe-probe_type) passdetect
To configure the time interval to send a probe to a failed server and the number of consecutive successful
probe responses required to mark the server as passed, use the passdetect command. Use the no form of
this command to reset the default of waiting 60 seconds before sending out a probe to a failed server and
marking a server as passed if it receives 3 consecutive successful responses.
passdetect {interval seconds | count number}
no passdetect {interval | count}
Syntax Description
interval seconds Specifies the wait time interval in seconds. Enter a number from 2 to 65535. The default is 60.
count number Specifies the number of consecutive successful probe responses from the server. Enter a number from 1 to 65535. The default is 3.
Command Modes All probe-type configuration modes except scripted probe configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) The default is 60. Previously, it was 300.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines For best results, we recommend that you do not configure a passdetect interval value of less than 30 seconds. If you configure a passdetect interval of less than 30 seconds while the open timeout and receive timeout values are at their defaults, and a real server fails to respond to a probe, overlapping probes may result, which can consume management resources unnecessarily and increase the No. Probes skipped counter.
After the ACE marks a server as failed, it waits a period of time and then sends a probe to the failed server. When the ACE receives a number of consecutive successful probes, it marks the server as passed. By default, the ACE waits 60 seconds before sending out a probe to a failed server and marks a server as passed if it receives 3 consecutive successful responses.
The receive timeout value can impact the execution time for a probe. When the probe interval is less than or equal to this timeout value and the server takes a long time to respond or fails to reply within the timeout value, the probe is skipped. When the probe is skipped, the No. Probes skipped counter shown by the show probe detail command increments.
Examples To configure a wait interval of 10 seconds for a TCP probe, enter:
host1/Admin(config-probe-tcp)# passdetect interval 10
To configure five successful probe responses from the server before declaring it as passed, enter:
host1/Admin(config-probe-tcp)# passdetect count 5
To reset the wait interval to its default, enter:
host1/Admin(config-probe-tcp)# no passdetect interval
To reset the successful probe responses to its default, enter:
host1/Admin(config-probe-tcp)# no passdetect count
Related Commands show probe
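The interplay of faildetect, passdetect, interval, open and receive is easier to see as a state machine. The Python below is an added example, not ACE code, that models one real server's health as the reference describes it: faildetect consecutive failures move it from passed to failed, probes then run at the passdetect interval, and passdetect count consecutive successes move it back; the No. Probes skipped counter increments when the interval is less than or equal to open + receive and the server is slow or silent. One assumption is made that the reference does not spell out: a probe the server never answers counts as a failure once open + receive has elapsed.

```python
from dataclasses import dataclass

# Added example, not ACE code: a model of the health transitions described
# under faildetect, passdetect, interval, open and receive. Defaults are the
# reference's (interval 15, open 1, receive 10, faildetect 3, passdetect
# interval 60 and count 3). Assumption: a probe the server never answers is
# counted as failed once the open + receive budget has elapsed.


@dataclass
class ProbeTimers:
    interval: int = 15             # seconds between probes to a passed server
    open_timeout: int = 1          # seconds to complete the TCP handshake
    receive: int = 10              # seconds to wait for the server response
    faildetect: int = 3            # consecutive failures before marking failed
    passdetect_interval: int = 60  # seconds between probes to a failed server
    passdetect_count: int = 3      # consecutive successes before marking passed

    def __post_init__(self):
        # Ranges as given in the Syntax Description of each command.
        limits = {
            "interval": (2, 65535), "open_timeout": (1, 65535),
            "receive": (1, 65535), "faildetect": (1, 65535),
            "passdetect_interval": (2, 65535), "passdetect_count": (1, 65535),
        }
        for name, (lo, hi) in limits.items():
            if not lo <= getattr(self, name) <= hi:
                raise ValueError("%s must be %d..%d" % (name, lo, hi))

    def budget(self) -> int:
        """Longest time one probe can stay outstanding: handshake plus response wait."""
        return self.open_timeout + self.receive


class ServerHealth:
    """Tracks one real server's probe state the way the reference describes it."""

    def __init__(self, timers: ProbeTimers):
        self.t = timers
        self.state = "PASSED"
        self.consecutive_failures = 0
        self.consecutive_successes = 0
        self.probes_skipped = 0     # the "No. Probes skipped" counter
        self.transitions = []

    def next_interval(self) -> int:
        """A passed server is probed every interval; a failed one every passdetect interval."""
        return self.t.interval if self.state == "PASSED" else self.t.passdetect_interval

    def _transition(self, new_state: str) -> None:
        self.transitions.append((self.state, new_state))
        self.state = new_state
        self.consecutive_failures = 0
        self.consecutive_successes = 0

    def probe(self, response_time):
        """Record one probe. response_time is seconds until the server answered,
        or None if it never did. Returns 'passed' or 'failed'."""
        due = self.next_interval()
        # With interval <= open + receive, a slow or silent server leaves this
        # probe outstanding when the next one comes due, so that one is skipped.
        if due <= self.t.budget() and (response_time is None or response_time > due):
            self.probes_skipped += 1
        if response_time is not None and response_time <= self.t.budget():
            self.consecutive_failures = 0
            self.consecutive_successes += 1
            if self.state == "FAILED" and self.consecutive_successes >= self.t.passdetect_count:
                self._transition("PASSED")
            return "passed"
        self.consecutive_successes = 0
        self.consecutive_failures += 1
        if self.state == "PASSED" and self.consecutive_failures >= self.t.faildetect:
            self._transition("FAILED")
        return "failed"
```

With the defaults, a server that stops answering is marked failed after three probes and is not marked passed again until it has answered three probes spaced at the passdetect interval; shortening interval below open + receive buys nothing but skipped probes.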
(config-probe-probe_type) port
To configure the port number that the probe uses, use the port command. Use the no form of this
command to reset the port number based on the probe type.
port port-number
no port
Syntax Description
port-number Port number for the probe. Enter an integer from 1 to 65535.
Command Modes All probe-type configuration modes except ICMP probe configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) This command was revised to support probe port inheritance.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Table 1-22 lists the default port numbers for each probe type.
Table 1-22 Default Port Numbers for Probe Types
Probe Type Default Port Number
DNS 53
Echo 7
Finger 79
FTP 21
HTTP 80
HTTPS 443
ICMP Not applicable
IMAP 143
POP 110
RADIUS 1812
RTSP 554
SIP (TCP and UDP) 5060
SMTP 25
Telnet 23
TCP 80
UDP 53
If you choose not to specify a port number for a probe, the ACE can dynamically inherit the port number specified:
• From the real server specified in a server farm (see the (config-sfarm-host) rserver command).
• From the VIP specified in a Layer 3 and Layer 4 class map (see the (config-cmap) match virtual-address command).
In this case, all you need is a single probe configuration, which will be sufficient to probe a real server on multiple ports or on all VIP ports. The same probe inherits all of the real server's ports or all of the VIP ports and creates probe instances for each port.
Note Probe port inheritance is not applicable for the server farm predictor method, a probe assigned to a standalone real server, or a probe configured on the active FT group member in a redundant configuration.
For a Layer 3 and Layer 4 class map, a VIP port will be inherited only if a match command consists of a single port. If you specify a wildcard value for the IP protocol value (the any keyword) or a port range for the port, port inheritance does not apply for those match statements.
The order of precedence for inheriting the probe's port number is as follows:
1. Probe's configured port
2. Server farm real server's configured port
3. VIP's configured port
4. Probe's default port
For example, if the configured probe does not contain a specified port number, the ACE will look for the configured port associated with the real server specified in a server farm. If a port number is not configured, the ACE looks for the configured port associated with the VIP specified in a Layer 3 and Layer 4 class map. If a port number is also not configured, the ACE then uses the probe's default port to perform health monitoring on the back-end real server.
Examples To configure a port number of 88 for an HTTP probe, enter:
host1/Admin(config-probe-http)# port 88
To reset the port number to its default, in this case, port 80 for an HTTP probe, enter:
host1/Admin(config-probe-http)# no port
Related Commands show probe
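The precedence list above can be turned into a small resolver that shows which ports a single probe configuration ends up running on. The Python below is an added example, not ACE code; the shape of a class-map match ({"protocol": ..., "port": ...}, with a tuple for a port range and "any" for the wildcard protocol) is an assumption made for illustration, and the default ports are those of Table 1-22.

```python
# Added example, not ACE code: resolves the ports a probe runs instances on,
# following the order of precedence above (probe port, then server farm real
# server ports, then VIP ports, then the probe type's default). The match
# dict shape is an assumption for illustration; defaults come from Table 1-22.

DEFAULT_PROBE_PORT = {
    "dns": 53, "echo": 7, "finger": 79, "ftp": 21, "http": 80, "https": 443,
    "icmp": None, "imap": 143, "pop": 110, "radius": 1812, "rtsp": 554,
    "sip": 5060, "smtp": 25, "telnet": 23, "tcp": 80, "udp": 53,
}


def _check_port(port):
    """Port numbers on the ACE are 1 to 65535."""
    if not 1 <= port <= 65535:
        raise ValueError("port must be 1..65535")
    return port


def vip_ports(vip_matches):
    """Ports a probe can inherit from Layer 3/4 class-map match statements.
    Only a match with a single port counts; the 'any' protocol wildcard or a
    port range takes no part in inheritance."""
    ports = []
    for m in vip_matches or []:
        if m.get("protocol") == "any":
            continue
        port = m.get("port")
        if isinstance(port, int):
            ports.append(_check_port(port))
    return ports


def probe_instances(probe_type, probe_port=None, rserver_ports=(), vip_matches=None):
    """Ports on which the probe creates instances, in the reference's order:
    1. probe's configured port, 2. server farm real server ports,
    3. VIP ports, 4. probe's default port. ICMP probes have no port."""
    if probe_type == "icmp":
        return []
    if probe_port is not None:
        return [_check_port(probe_port)]
    ports = sorted({_check_port(p) for p in rserver_ports if p is not None})
    if ports:
        return ports
    ports = sorted(set(vip_ports(vip_matches)))
    if ports:
        return ports
    return [DEFAULT_PROBE_PORT[probe_type]]
```

The practical check this supports: an HTTP probe without a port that is attached to a farm whose real servers list several ports, or to a VIP with several single-port matches, silently fans out into one probe instance per port, which matters when you are sizing probe load or wondering why a port you never configured is being probed.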
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Probe Configuration Mode Commands
(config-probe-probe_type) receive
To configure the time period that the ACE expects to receive a server response to the probe, use the
receive command. Use the no form of this command to reset its default of 10 seconds.
receive seconds
no receive
Syntax Description
seconds Time to wait in seconds. Enter an integer from 1 to 65535. The default is 10.
Command Modes All probe-type configuration modes
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines By default, when the ACE sends a probe, it expects a response within a time period of 10 seconds. For example, for an HTTP probe, the timeout period is the number of seconds to receive an HTTP reply for a GET or HEAD request. If the server fails to respond to the probe, the ACE marks the server as failed.
The open timeout value for TCP-based probes and the receive timeout value can impact the execution time for a probe. When the probe interval is less than or equal to these timeout values and the server takes a long time to respond or fails to reply within the timeout values, the probe is skipped. When the probe is skipped, the No. Probes skipped counter shown by the show probe detail command increments.
Examples To configure the timeout period for a response at 5 seconds for a TCP probe, enter:
host1/Admin(config-probe-TCP)# receive 5
To reset the time period to receive a response from the server to its default of 10 seconds, enter:
host1/Admin(config-probe-TCP)# no receive
Related Commands show probe
(config-probe-probe_type) request command
To configure the request command used by an Internet Message Access Protocol (IMAP) or POP probe,
use the request command command. Use the no form of this command to remove the request command
from the configuration.
request command command
no request
Syntax Description
command Request command for the probe. Enter a text string with a maximum of 32 alphanumeric characters with no spaces.
Command Modes IMAP and POP probe configuration modes
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
Usage Guidelines You must configure the name of the mailbox using the (config-probe-probe_type) credentials command before you configure the request command used by an IMAP probe, or the ACE ignores the specified request command.
Examples To configure the last request command for an IMAP probe, enter:
host1/Admin(config-probe-imap)# request command last
To remove the request command for the probe, enter:
host1/Admin(config-probe-imap)# no request
Related Commands show probe
(config-probe-probe_type) request method
To configure the request method and URL used by a probe, use the request method command. Use the
no form of this command to reset the default request method.
For HTTP and HTTPS probes, the syntax is as follows:
request method {get | head} [url url_string]
no request method {get | head} [url url_string]
For RTSP probes, the syntax is as follows:
request method {options | describe url url_string}
no request method
For SIP probes, the syntax is as follows:
request method options
no request method
Syntax Description
  get                      (HTTP or HTTPS probe) Configures the HTTP GET request method to direct the server to get the page. This method is the default.
  head                     (HTTP or HTTPS probe) Configures the HTTP HEAD request method to direct the server to get only the header for the page.
  url url_string           (HTTP or HTTPS probe) Specifies the URL string used by the probe. Enter an alphanumeric string with a maximum of 255 characters. The default string is a forward slash (/).
  options                  (RTSP or SIP probe) Specifies the OPTIONS request method. This is the default method. The ACE uses the asterisk (*) request URL for this method.
  describe url url_string  (RTSP probe) Specifies the DESCRIBE request method. The url_string is the URL request for the RTSP media stream on the server. Enter an alphanumeric string with a maximum of 255 characters.
Command Modes HTTP, HTTPS, RTSP, and SIP probe configuration modes
Admin and user contexts
Command History
  ACE Module Release     Modification
  3.0(0)A1(2)            This command was introduced.
  A2(1.0)                This command was revised.
  ACE Appliance Release  Modification
  A1(7)                  This command was introduced.
  A3(1.0)                This command was revised.
Usage Guidelines By default, the HTTP request method is a GET with the URL of a forward slash (/). If you do not configure a URL, the HTTP or HTTPS probe functions as a TCP probe.
By default, the RTSP request method is the OPTIONS method. You can also configure the DESCRIBE method.
By default, the SIP request method is the OPTIONS method; this method is the only method available for SIP probes.
Examples To configure the HTTP HEAD request method and the /digital/media/graphics.html URL used by an HTTP probe, enter:
host1/Admin(config-probe-http)# request method head url /digital/media/graphics.html
To reset the HTTP method for the probe to HTTP GET with a URL of “/”, enter:
host1/Admin(config-probe-http)# no request method head url /digital/media/graphics.html
To configure an RTSP probe to use the DESCRIBE method with the URL rtsp://192.168.10.1/media/video.smi, enter:
host1/Admin(config-probe-rtsp)# request method describe url rtsp://192.168.10.1/media/video.smi
To reset the default RTSP request method (OPTIONS), use the no request method or the request method options command. For example, enter:
host1/Admin(config-probe-rtsp)# no request method
Related Commands show probe
(config-probe-probe_type) hash
(config-probe-probe_type) script
To specify the script name and the arguments to be passed to a scripted probe, use the script command. Use the no form of this command to remove the script and its arguments from the configuration.
script script_name [script_arguments]
no script
Syntax Description
  script_name       Name of the script. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters.
  script_arguments  (Optional) Data sent to the script. Enter a text string with a maximum of 255 alphanumeric characters including spaces and quotes. Separate each argument by a space. If a single argument contains spaces, enclose the argument string in quotes.
Command Modes Scripted probe configuration mode
Admin and user contexts
Command History
  ACE Module Release     Modification
  3.0(0)A1(2)            This command was introduced.
  ACE Appliance Release  Modification
  A1(7)                  This command was introduced.
Usage Guidelines A scripted probe runs a configured TCL script to perform health probing. You can also configure arguments that are passed to the script. Before you can associate a script file with a probe, you must copy and load the script on the ACE. For information about TCL scripts and instructions for copying and loading script files on the ACE, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
The ACE allows the configuration of 256 unique script files.
The ACE can simultaneously execute only 200 scripted probe instances. When this limit is exceeded, the show probe detail command displays the “Out-of Resource: Max. script-instance limit reached” error message in the Last disconnect err field and the out-of-sockets counter increments.
Examples To configure the script name of PROBE-SCRIPT and arguments of double question marks (??), enter:
host1/Admin(config-probe-scrptd)# script PROBE-SCRIPT ??
To remove the script and its arguments from the configuration, enter:
host1/Admin(config-probe-scrptd)# no script
Related Commands show probe
show script
(config) script file name
(config-probe-probe_type) send-data
To configure the ASCII data that the probe sends when the ACE connects to the server, use the send-data command. Use the no form of this command to remove the data from the configuration.
send-data expression
no send-data
Syntax Description
  expression    ASCII data that the probe sends. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters.
Command Modes ECHO, Finger, TCP, and UDP probe configuration modes
Admin and user contexts
Command History
  ACE Module Release     Modification
  3.0(0)A1(2)            This command was introduced.
  ACE Appliance Release  Modification
  A1(7)                  This command was introduced.
Usage Guidelines If you do not configure the send-data command for a UDP probe, the probe sends one byte, 0x00.
When you configure the expect regex command for a TCP probe, you must also configure the send-data command for the expect function to work. Otherwise, the TCP probe makes a socket connection and disconnects without checking the data.
Examples To configure a TCP probe to send TEST as the data, enter:
host1/Admin(config-probe-tcp)# send-data TEST
To remove the data, enter:
host1/Admin(config-probe-tcp)# no send-data
Related Commands show probe
(config-probe-probe_type) ssl cipher
To configure the probe to expect a specific RSA cipher suite from the back-end server, use the ssl cipher command. Use the no form of this command to reset the default of accepting any of the configured RSA cipher suites.
ssl cipher {RSA_ANY | cipher_suite}
no ssl cipher
Syntax Description
  RSA_ANY       Specifies that the probe accepts any of the RSA configured cipher suites. This is the default.
  cipher_suite  RSA cipher suite that the probe expects from the back-end server. Enter one of the following keywords:
                RSA_EXPORT1024_WITH_DES_CBC_SHA
                RSA_EXPORT1024_WITH_RC4_56_MD5
                RSA_EXPORT1024_WITH_RC4_56_SHA
                RSA_EXPORT_WITH_DES40_CBC_SHA
                RSA_EXPORT_WITH_RC4_40_MD5
                RSA_WITH_3DES_EDE_CBC_SHA
                RSA_WITH_AES_128_CBC_SHA
                RSA_WITH_AES_256_CBC_SHA
                RSA_WITH_DES_CBC_SHA
                RSA_WITH_RC4_128_MD5
                RSA_WITH_RC4_128_SHA
Command Modes HTTPS probe configuration mode
Admin and user contexts
Command History
  ACE Module Release     Modification
  3.0(0)A1(2)            This command was introduced.
  ACE Appliance Release  Modification
  A1(7)                  This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure the HTTPS probes with the RSA_WITH_RC4_128_SHA cipher suite, enter:
host1/Admin(config-probe-https)# ssl cipher RSA_WITH_RC4_128_SHA
To reset the default of the HTTPS probes accepting any RSA cipher suite, enter:
host1/Admin(config-probe-https)# ssl cipher RSA_ANY
To reset the default by using the no ssl cipher command, enter:
host1/Admin(config-probe-https)# no ssl cipher
Related Commands show probe
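The keyword list above includes export-grade, single-DES, RC4 and MD5-based suites, and the ssl version command described in the next entry defaults to SSLv3; all of these are deprecated for production use. The following Python script is an added example, not part of the Cisco reference, that reads an ACE running-config excerpt and reports HTTPS probes whose ssl cipher or ssl version settings fall into those categories. The configuration text, the probe names and the weak/legacy/strong rating are this example's own; the defaults it applies when a command is absent from a probe (SSLv3 and RSA_ANY) are the ones the reference states.

```python
import re
from typing import Dict, List

# Constructed ACE running-config excerpt (illustrative; not taken from a real device).
# Probe names are made up; the commands follow the reference's syntax.
SAMPLE_CONFIG = """\
probe https WEB_OK
  port 443
  ssl version TLSv1
  ssl cipher RSA_WITH_AES_128_CBC_SHA
  request method head url /health
probe https LEGACY
  port 443
  ssl cipher RSA_EXPORT_WITH_RC4_40_MD5
probe https MIXED
  ssl version all
  ssl cipher RSA_WITH_RC4_128_SHA
probe tcp PLAIN
  port 8080
"""

# Defaults stated in the reference when the command is absent from a probe.
DEFAULT_SSL_VERSION = "SSLv3"
DEFAULT_SSL_CIPHER = "RSA_ANY"


def classify_suite(suite: str) -> str:
    """Rate one cipher_suite keyword from the ssl cipher command.

    'weak'   : export-grade, single DES, RC4, or MD5-based suites
    'legacy' : 3DES (112-bit effective strength, 64-bit block size)
    'strong' : the AES suites
    'any'    : RSA_ANY, which accepts whichever configured suite the server picks
    """
    if suite == "RSA_ANY":
        return "any"
    if "EXPORT" in suite or "RC4" in suite or "MD5" in suite or "_DES_" in suite:
        return "weak"
    if "3DES" in suite:
        return "legacy"
    return "strong"


def parse_probes(config: str) -> Dict[str, Dict[str, str]]:
    """Collect each 'probe <type> <name>' block and its ssl version/cipher lines.

    Other sub-commands (port, request method, ...) are ignored. Settings that
    are not present are left out so the caller can apply the reference's defaults.
    """
    probes: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        head = re.match(r"^probe\s+(\S+)\s+(\S+)\s*$", line)
        if head:
            current = head.group(2)
            probes[current] = {"type": head.group(1).lower()}
            continue
        ssl = re.match(r"^\s+ssl\s+(version|cipher)\s+(\S+)\s*$", line)
        if ssl and current is not None:
            probes[current]["ssl " + ssl.group(1)] = ssl.group(2)
    return probes


def audit(config: str) -> List[str]:
    """Return one finding per weak TLS setting on HTTPS probes, sorted for stable output."""
    findings: List[str] = []
    for name, probe in parse_probes(config).items():
        if probe["type"] != "https":
            continue
        version = probe.get("ssl version", DEFAULT_SSL_VERSION)
        suite = probe.get("ssl cipher", DEFAULT_SSL_CIPHER)
        if version in ("SSLv3", "all"):
            findings.append(f"{name}: ssl version {version} permits SSLv3")
        rating = classify_suite(suite)
        if rating == "weak":
            findings.append(f"{name}: ssl cipher {suite} is a weak suite")
        elif rating == "any":
            findings.append(f"{name}: ssl cipher RSA_ANY accepts any configured suite, including weak ones")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed the script the text of show running-config. RSA_ANY is reported on its own line rather than as strong because it lets the back-end server choose any suite that is configured, including the export and RC4 ones.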
(config-probe-probe_type) ssl version
To configure the version of Secure Sockets Layer (SSL) that the probe supports, use the ssl version
command. Use the no form of this command to reset the default to SSL version 3.
ssl version {all | SSLv3 | TLSv1}
no ssl version
Syntax Description
  all    Configures the probe to support all SSL versions.
  SSLv3  Configures the probe to support SSL version 3. This is the default.
  TLSv1  Configures the probe to support TLS version 1.
Command Modes HTTPS probe configuration mode
Admin and user contexts
Command History
  ACE Module Release     Modification
  3.0(0)A1(2)            This command was introduced.
  ACE Appliance Release  Modification
  A1(7)                  This command was introduced.
Usage Guidelines The version in the ClientHello message sent to the server indicates the highest supported version.
Examples To configure the probe to support all SSL versions, enter:
host1/Admin(config-probe-https)# ssl version all
To reset the default of SSL version 3, enter:
host1/Admin(config-probe-https)# no ssl version
Related Commands show probe
(config-probe-probe_type) version
To configure the version of SNMP that the probe supports, use the version command. Use the no form of this command to reset the version to its default value of SNMP version 1.
version {1 | 2c}
no version
Syntax Description
  1     Configures the probe to support SNMP version 1. This is the default.
  2c    Configures the probe to support SNMP version 2c.
Command Modes SNMP probe configuration mode
Admin and user contexts
Command History
  ACE Module Release     Modification
  A2(1.0)                This command was introduced.
  ACE Appliance Release  Modification
  A3(1.0)                This command was introduced.
Usage Guidelines The version field in the SNMP OID query sent to the server indicates the supported SNMP version. By default, the probe uses SNMP version 1.
Examples To configure the probe to use SNMP version 2c, enter:
host1/Admin(config-probe-snmp)# version 2c
To reset the version of SNMP to the default value, SNMP version 1, enter:
host1/Admin(config-probe-snmp)# no version
Related Commands show probe
(config-probe-sip-udp) rport enable
To force the SIP server to send the 200 OK response from the same port as the destination port of the probe OPTIONS request, per RFC 3581, when you configure the ACE for SIP over UDP, use the rport enable command. By default, if the SIP server sends the 200 OK response from a port that differs from the destination port of the probe request, the ACE discards the response packet. Use the no form of this command to reset the default behavior.
rport enable
no rport enable
Syntax Description This command has no keywords or arguments.
Command Modes SIP UDP probe configuration mode
Admin and user contexts
Command History
  ACE Module Release     Modification
  A2(2.3)                This command was introduced.
  ACE Appliance Release  Modification
  A3(2.5)                This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To force the SIP server to send the 200 OK message from the destination port of the probe request OPTIONS method, enter:
host1/Admin(config-probe-sip-udp)# rport enable
To reset the ACE behavior to the default, enter:
host1/Admin(config-probe-sip-udp)# no rport enable
Related Commands show probe
Probe SNMP OID Configuration Mode Commands
Probe SNMP OID configuration mode commands allow you to configure an OID for an SNMP probe.
To configure an OID for an SNMP probe and access probe SNMP OID configuration mode, use the oid
command in SNMP probe configuration mode. The CLI prompt changes to (config-probe-snmp-oid).
For information about the commands in this mode, see the following commands. Use the no form of this
command to remove the OID from the SNMP probe configuration.
oid string
no oid string
Syntax Description
  string    OID that the probe uses to query the server for a value. Enter an unquoted string with a maximum of 255 alphanumeric characters in dotted-decimal notation. The OID string is based on the server type.
Command Modes SNMP probe configuration mode
Admin and user contexts
Command History
  ACE Module Release     Modification
  A2(1.0)                This command was introduced.
  ACE Appliance Release  Modification
  A3(1.0)                This command was introduced.
Usage Guidelines When the ACE sends a probe with an SNMP OID query, the ACE uses the retrieved value as input to the least-loaded algorithm for load-balancing decisions. Least-loaded load balancing bases the server selection on the server with the lowest load value. If the retrieved value is within the configured threshold, the server is marked as passed. If the threshold is exceeded, the server is marked as failed.
You can configure a maximum of eight OID queries to probe the server.
Examples To configure the OID string .1.3.6.1.4.2021.10.1.3.1 and access probe SNMP OID configuration mode, enter:
host1/Admin(config-probe-snmp)# oid .1.3.6.1.4.2021.10.1.3.1
host1/Admin(config-probe-snmp-oid)#
To remove the OID string, enter:
host1/Admin(config-probe-snmp)# no oid .1.3.6.1.4.2021.10.1.3.1
Related Commands show probe
(config-probe-snmp-oid) threshold
(config-probe-snmp-oid) type absolute max
(config-probe-snmp-oid) weight
(config-probe-snmp-oid) threshold
To specify the threshold value for an OID, use the threshold command. Use the no form of this
command to remove the threshold value.
threshold integer
no threshold integer
Syntax Description
  integer    Threshold value to take the server out of service. When the OID value is based on a percentile, enter an integer from 0 to 100, with a default value of 100. When the OID is based on an absolute value, the threshold range is from 1 to the maximum value specified using the type absolute max command.
Command Modes Probe SNMP OID configuration mode
Admin and user contexts
Command History
  ACE Module Release     Modification
  A2(1.0)                This command was introduced.
  ACE Appliance Release  Modification
  A3(1.0)                This command was introduced.
Usage Guidelines You can configure a threshold for an OID value so that when the threshold is exceeded, the server is taken out of service.
When the ACE sends a probe with an SNMP OID query, the ACE uses the retrieved value as input to the least-loaded algorithm for load-balancing decisions. Least-loaded load balancing bases the server selection on the server with the lowest load value. If the retrieved value is within the configured threshold, the server is marked as passed. If the threshold is exceeded, the server is marked as failed.
By default, the OID value is based on a percentile. If you use the type absolute max command to base the OID on an absolute value, the threshold range is from 1 to the maximum value specified with the type absolute max command.
Examples To configure a threshold of 90 for the OID, enter:
host1/Admin(config-probe-snmp-oid)# threshold 90
To remove the threshold from the OID, enter:
host1/Admin(config-probe-snmp-oid)# no threshold
Related Commands show probe
(config-probe-probe_type) oid
(config-probe-snmp-oid) type absolute max
(config-probe-snmp-oid) weight
(config-probe-snmp-oid) type absolute max
To specify that the retrieved OID value is an absolute value, use the type absolute max command. Use
the no form of this command to remove the absolute value.
type absolute max integer
no type
Syntax Description
  integer    Maximum expected OID value. Enter an integer from 1 through 4294967295.
Command Modes Probe SNMP OID configuration mode
Admin and user contexts
Command History
  ACE Module Release     Modification
  A2(1.0)                This command was introduced.
  ACE Appliance Release  Modification
  A3(1.0)                This command was introduced.
Usage Guidelines When the ACE sends a probe with an SNMP OID query, the ACE uses the retrieved value as input to the least-loaded algorithm for load-balancing decisions. By default, the ACE assumes that the retrieved OID value is a percentile value.
Least-loaded load balancing bases the server selection on the server with the lowest load value. If the retrieved value is within the configured threshold, the server is marked as passed. If the threshold is exceeded, the server is marked as failed.
When you configure the type absolute max command, we recommend that you also configure the value for the threshold command because the default threshold value is 100 and is not automatically adjusted with respect to the type absolute max value.
The no type command resets the values of both the type absolute max command and the threshold command to a value of 100.
Examples To specify that the retrieved maximum OID value is 597, enter:
host1/Admin(config-probe-snmp-oid)# type absolute max 597
To remove the OID value and reset the expected OID to a percentile, enter:
host1/Admin(config-probe-snmp-oid)# no type
Related Commands show probe
(config-probe-probe_type) oid
(config-probe-snmp-oid) threshold
(config-probe-snmp-oid) weight
(config-probe-snmp-oid) weight
To configure the weight to be assigned to this OID for the SNMP probe, use the weight command. Use
the no form of this command to remove the weight.
weight number
no weight
Syntax Description
  number    Weight value assigned to this OID for the SNMP probe. Enter an integer from 0 to 16000.
Command Modes Probe SNMP OID configuration mode
Admin and user contexts
Command History
  ACE Module Release     Modification
  A2(1.0)                This command was introduced.
  ACE Appliance Release  Modification
  A3(1.0)                This command was introduced.
Usage Guidelines If you configure more than one OID and they are used in a load-balancing decision, you must configure a weight value.
When the ACE sends a probe with an SNMP OID query, the ACE uses the retrieved value as input to the least-loaded algorithm for load-balancing decisions. Least-loaded load balancing bases the server selection on the server with the lowest load value. If the retrieved value is within the configured threshold, the server is marked as passed. If the threshold is exceeded, the server is marked as failed.
Examples To configure a weight of 90 for the OID, enter:
host1/Admin(config-probe-snmp-oid)# weight 90
To remove the weight from the OID, enter:
host1/Admin(config-probe-snmp-oid)# no weight
Related Commands show probe
(config-probe-probe_type) oid
(config-probe-snmp-oid) threshold
(config-probe-snmp-oid) type absolute max
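The oid, threshold, type absolute max and weight commands above only state the pass/fail rule in prose. The following Python model is an added example, not Cisco code, that applies that rule to constructed SNMP replies and shows the pitfall the type absolute max entry warns about: with the threshold left at its default of 100, an absolute OID reply such as 300 fails the server. The OID strings, server names and reply values are made up (the second OID string reuses the one from the oid example), and the percent normalisation and weighted average used to rank servers are this example's own assumptions, since the ACE's internal least-loaded arithmetic is not given on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class OidConfig:
    """One (config-probe-snmp-oid) block: oid, threshold, type absolute max, weight."""
    oid: str
    threshold: int = 100                 # default when no 'threshold' is configured
    absolute_max: Optional[int] = None   # None = percentile (0-100); else 'type absolute max N'
    weight: Optional[int] = None         # 'weight number'; required when more than one OID is used

    def check(self, value: int) -> Tuple[bool, float]:
        """Apply the threshold rule to one retrieved value.

        A value within the threshold passes; a value above it fails. The second
        element normalises the value to a percentage of its scale (100 for a
        percentile OID, absolute_max otherwise) for the least-loaded comparison;
        that normalisation is this example's assumption, not a published ACE formula.
        """
        scale = self.absolute_max if self.absolute_max is not None else 100
        return value <= self.threshold, 100.0 * value / scale


def evaluate_server(oids: List[OidConfig], replies: Dict[str, int]) -> Tuple[bool, float]:
    """Combine the replies of one server for every configured OID.

    The server passes only if every OID is within its threshold. The load is a
    weight-averaged percentage (assumed combination rule, see OidConfig.check).
    """
    if len(oids) > 1 and any(o.weight is None for o in oids):
        raise ValueError("configure 'weight' on every OID when more than one OID is used")
    weights = [o.weight if o.weight is not None else 1 for o in oids]
    if sum(weights) == 0:
        raise ValueError("at least one OID needs a non-zero weight")
    passed, weighted = True, 0.0
    for o, w in zip(oids, weights):
        ok, pct = o.check(replies[o.oid])
        passed = passed and ok
        weighted += w * pct
    return passed, weighted / sum(weights)


def least_loaded(oids: List[OidConfig], servers: Dict[str, Dict[str, int]]) -> Optional[str]:
    """Return the passing server with the lowest combined load, or None if all failed."""
    candidates = []
    for name, replies in servers.items():
        passed, load = evaluate_server(oids, replies)
        if passed:
            candidates.append((load, name))
    return min(candidates)[1] if candidates else None


# Constructed configuration and SNMP replies (OID strings are placeholders; the
# second reuses the string from the reference's own oid example).
CPU = OidConfig(".1.3.6.1.4.1.2021.11.9.0", threshold=90, weight=2)
# Absolute OID with the threshold left at its default of 100: the pitfall the
# reference warns about, since any reply above 100 now fails the server.
CONNS_DEFAULT = OidConfig(".1.3.6.1.4.2021.10.1.3.1", absolute_max=597, weight=1)
# Same OID with the threshold raised to the absolute maximum.
CONNS_FIXED = OidConfig(".1.3.6.1.4.2021.10.1.3.1", threshold=597, absolute_max=597, weight=1)

SERVERS = {
    "srvA": {CPU.oid: 60, CONNS_FIXED.oid: 300},
    "srvB": {CPU.oid: 20, CONNS_FIXED.oid: 597},
    "srvC": {CPU.oid: 95, CONNS_FIXED.oid: 10},   # CPU above its threshold of 90
}

if __name__ == "__main__":
    print("default threshold:", least_loaded([CPU, CONNS_DEFAULT], SERVERS))  # None: every server fails
    print("threshold 597:   ", least_loaded([CPU, CONNS_FIXED], SERVERS))     # srvB
```

With the default threshold every server in the constructed farm is marked failed, which is exactly the outage a forgotten threshold command produces after type absolute max is added; raising the threshold to the absolute maximum restores the expected least-loaded choice.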
Probe VM Configuration Mode Commands
Probe VM configuration mode commands allow you to configure a VM probe that the ACE uses to poll
the local VM controller for the load of the local virtual machines (VMs) in a dynamic workload scaling
(DWS) configuration. To configure a VM probe and access probe VM configuration mode, use the probe
vm command in configuration mode. The CLI prompt changes to (config-probe-vm). For information
about the commands in this mode, see the commands in this section. Use the no form of this command
to remove the VM probe from the ACE configuration.
probe vm probe_name
no probe vm probe_name
Syntax Description
  probe_name    Unique identifier of the probe that the ACE uses to poll the vCenter for the load of the local VMs. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
  ACE Module/Appliance Release   Modification
  A4(2.0)                        This command was introduced.
Usage Guidelines All commands in this mode require the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When the ACE sends a VM probe to a VM controller to retrieve the load of the local VMs, the ACE uses the retrieved load value to decide whether to burst traffic to the remote data center. If the retrieved load equals or exceeds the configured load threshold, the ACE bursts traffic to the remote data center while it continues to load balance traffic to the local data center. When the VM load drops below the configured threshold for CPU and memory usage, the ACE load balances traffic only to the local data center.
The VM probe is not supported with IPv6.
Examples To configure a VM probe, enter the following command:
host1/Admin(config)# probe vm VM_PROBE
host1/Admin(config-probe-vm)#
To remove the VM probe and all its attributes from the ACE configuration, enter the following command:
host1/Admin(config)# no probe vm VM_PROBE
Related Commands show probe
(config-probe-vm) interval
(config-probe-vm) vm-controller
(config-probe-vm) load
(config-probe-vm) interval
To specify the frequency with which the ACE sends probes to the VM controller, use the interval command. Use the no form of this command to reset the interval to its default value.
interval value
no interval value
Syntax Description
  value    Specifies the elapsed time between probes. Enter the time interval in seconds as an integer from 300 to 65535. The default is 300 seconds (5 minutes).
Command Modes Probe VM configuration mode
Admin and user contexts
Command History
  ACE Module/Appliance Release   Modification
  A4(2.0)                        This command was introduced.
Usage Guidelines This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To configure the ACE to send a probe to the VM controller every 420 seconds (7 minutes), enter the following command:
host1/Admin(config-probe-vm)# interval 420
To reset the VM probe interval to the default value of 300 seconds (5 minutes), enter the following command:
host1/Admin(config-probe-vm)# no interval
Related Commands show probe
(config-probe-vm) vm-controller
(config-probe-vm) load
(config-probe-vm) load
To specify the type of load (CPU usage, memory usage, or both) that the VM probe monitors on the local VMs, together with the thresholds at which the ACE starts and stops bursting traffic, use the load command. Use the no form of this command to remove the load from the configuration.
load {cpu | mem} burst-threshold {max value min value}
no load {cpu | mem} burst-threshold {max value min value}
Syntax Description
  load {cpu | mem}    Specifies the type of load information that the VM controller sends back to the ACE in response to the VM probe. You can specify that the probe poll the VM controller for load information based on CPU usage, memory usage, or both. The default behavior is for the probe to check either the CPU usage or the memory usage against the maximum threshold value. Whichever load type reaches its maximum threshold value first causes the ACE to burst traffic to the remote data center. The VM controller returns the load information of each VM in the local data center to the probe. The ACE ignores any physical servers in the server farm.
  burst-threshold {max value min value}    Specifies the threshold values that determine when the ACE starts and stops bursting traffic through the local DCI device over the DCI link to the remote data center. Enter a maximum and a minimum threshold value as a load percentage from 1 to 99. The default value is 99 percent for both the max and the min keywords. A maximum burst threshold value of 1 percent instructs the ACE to always burst traffic to the remote data center. A maximum burst threshold value of 99 percent instructs the ACE to always load balance traffic to the local VMs unless the load value is equal to 100 percent or the VMs are not in the OPERATIONAL state.
    If the average load value returned by the VM controller is greater than or equal to the maximum threshold value, the ACE starts bursting traffic to the remote data center. When the load value returned by the VM controller is less than the minimum threshold value, the ACE stops bursting traffic to the remote data center and load balances traffic to the local VMs. Any active connections to the remote data center are allowed to complete.
Command Modes Probe VM configuration mode
Admin and user contexts
Command History
  ACE Module/Appliance Release   Modification
  A4(2.0)                        This command was introduced.
Usage Guidelines This command requires the probe feature in your user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To instruct the ACE to start bursting traffic to the remote data center when the local average VM load reaches 80 percent CPU usage and to stop bursting traffic when the local average CPU usage drops below 50 percent, enter the following command:
host1/Admin(config-probe-vm)# load cpu burst-threshold max 80 min 50
You can configure an additional load command under the same VM probe to create an OR statement
between the CPU usage and the memory usage of the local VMs. Whichever load type reaches its
maximum threshold first will cause the ACE to burst traffic to the remote data center. For example, enter
the following commands:
host1/Admin(config-probe-vm)# load cpu burst-threshold max 80 min 50
host1/Admin(config-probe-vm)# load mem burst-threshold max 70 min 40
In this case, if the average CPU usage reaches 80 percent or the average memory usage reaches 70
percent, the ACE bursts traffic to the remote data center. The ACE does not stop bursting traffic to the
remote data center until both the CPU load and the memory load drop below their respective minimum
configured values.
To reset the VM probe behavior to the default of checking the average VM CPU usage and memory usage
against the maximum and minimum threshold values of 99 percent each, enter the following command:
host1/Admin(config-probe-vm)# no load cpu burst-threshold max 80 min 50
host1/Admin(config-probe-vm)# no load mem burst-threshold max 70 min 40
Related Commands show probe
(config-probe-vm) interval
(config-probe-vm) vm-controller
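The start and stop conditions described under the load command form a two-level hysteresis: any configured load type reaching its max starts bursting, and bursting stops only when every configured load type has fallen below its min. The following Python class is an added example, not Cisco code, that replays constructed VM-load samples through that rule for the max 80/min 50 and max 70/min 40 thresholds used in the examples above. The sample values are made up, the VM-controller polling itself is not modelled, and the check that min does not exceed max is this example's own sanity test.

```python
from typing import Dict, List, Optional, Tuple


class BurstController:
    """Start/stop rule for bursting traffic to the remote data center.

    thresholds maps a load type ('cpu' or 'mem') to its (max, min) burst-threshold
    percentages. Bursting starts when ANY configured load type's average reaches
    its max, and stops only when EVERY configured load type is below its min.
    The (max, min) defaults of (99, 99) are the reference's; requiring min <= max
    is this example's own sanity check.
    """

    def __init__(self, thresholds: Optional[Dict[str, Tuple[int, int]]] = None):
        self.thresholds = thresholds or {"cpu": (99, 99), "mem": (99, 99)}
        for kind, (hi, lo) in self.thresholds.items():
            if not 1 <= lo <= hi <= 99:
                raise ValueError(f"{kind}: need 1 <= min <= max <= 99, got max {hi} min {lo}")
        self.bursting = False

    def update(self, load: Dict[str, float]) -> bool:
        """Feed one average-load sample (percent per load type) and return the new state."""
        if not self.bursting:
            # OR between load types: whichever reaches its max first starts bursting.
            if any(load[kind] >= hi for kind, (hi, _) in self.thresholds.items()):
                self.bursting = True
        elif all(load[kind] < lo for kind, (_, lo) in self.thresholds.items()):
            # AND between load types: every one must fall below its min to stop.
            self.bursting = False
        return self.bursting

    def run(self, samples: List[Dict[str, float]]) -> List[bool]:
        """Replay a sequence of samples and return the bursting state after each."""
        return [self.update(sample) for sample in samples]


# Constructed VM-load samples (percent), as the VM controller would report them,
# for 'load cpu burst-threshold max 80 min 50' and 'load mem burst-threshold max 70 min 40'.
SAMPLES = [
    {"cpu": 60, "mem": 50},   # below both maxima: local only
    {"cpu": 82, "mem": 50},   # cpu reaches 80: start bursting
    {"cpu": 45, "mem": 55},   # cpu below 50 but mem still >= 40: keep bursting
    {"cpu": 45, "mem": 39},   # both below their minima: stop
    {"cpu": 30, "mem": 71},   # mem reaches 70: start again
    {"cpu": 49, "mem": 39},   # both below: stop
]

if __name__ == "__main__":
    ctl = BurstController({"cpu": (80, 50), "mem": (70, 40)})
    print(ctl.run(SAMPLES))   # [False, True, True, False, True, False]
```

The third sample is the case worth noticing: CPU has already dropped under its min, yet bursting continues because memory is still at or above its own min, which matches the statement above that both loads must drop below their respective minimums.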
(config-probe-vm) vm-controller
To identify the VM controller for the probe, use the vm-controller command. Use the no form of this command to remove the VM controller name from the VM probe configuration.
vm-controller name
no vm-controller name
Syntax Description
  name    Identifier of the existing VM controller that you previously configured. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Probe VM configuration mode
Admin and user contexts
Command History
  ACE Module/Appliance Release   Modification
  A4(2.0)                        This command was introduced.
Usage Guidelines This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To configure the VM controller called VCENTER_1, enter the following command:
host1/Admin(config-probe-vm)# vm-controller VCENTER_1
To remove the VM controller name from the VM probe configuration, enter the following command:
host1/Admin(config-probe-vm)# no vm-controller VCENTER_1
Related Commands show probe
(config-probe-vm) interval
(config-probe-vm) load
RADIUS Configuration Mode Commands
RADIUS configuration mode commands allow you to configure multiple Remote Authentication Dial-In User Service (RADIUS) servers as a named AAA server group. You specify the IP address of one or more previously configured RADIUS servers that you want added to or removed from a AAA server group, along with a dead-time interval for the RADIUS server group.
For details about creating a RADIUS server group, see the Security Guide, Cisco ACE Application Control Engine.
To create a RADIUS server group and access RADIUS server configuration mode, enter the aaa group
server radius command. The CLI prompt changes to (config-radius). Use the no form of this command
to remove a RADIUS server group.
aaa group server radius group_name
no aaa group server radius group_name
Syntax Description
  group_name    Group of RADIUS servers. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
  ACE Module Release     Modification
  3.0(0)A1(2)            This command was introduced.
  ACE Appliance Release  Modification
  A1(7)                  This command was introduced.
Usage Guidelines The commands in this mode require the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A server group is a list of server hosts. The ACE allows you to configure multiple AAA servers as a named server group. You group the different AAA server hosts into distinct lists. The ACE searches for the server hosts in the order in which you specify them within a group. You can configure a maximum of 10 server groups for each context in the ACE.
You can configure server groups at any time, but you must enter the aaa authentication login or the aaa accounting default command to apply them to the AAA service.
Examples To create a RADIUS server group, enter:
host1/Admin(config)# aaa group server radius RADIUS_Server_Group1
host1/Admin(config-radius)# server 172.16.56.76
host1/Admin(config-radius)# server 172.16.56.79
host1/Admin(config-radius)# server 172.16.56.82
Related Commands (config) aaa accounting default
(config) aaa authentication login
(config-radius) deadtime
To specify a dead-time interval for the Remote Authentication Dial-In User Service (RADIUS) server
group, use the deadtime command. Use the no form of this command to reset the RADIUS server group dead-time interval to its default of 0.
deadtime minutes
no deadtime minutes
Syntax Description
minutes Length of time that the ACE skips a nonresponsive RADIUS server for transaction requests.
Valid entries are from 0 to 1440 (24 hours). The default is 0.
Command Modes RADIUS configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The deadtime command causes the ACE to mark as dead any RADIUS server that fails to respond to
authentication requests. Configuring a dead time avoids waiting for the request to time out before the
next configured server is tried. For the duration of minutes, the ACE skips a RADIUS server that is
marked as dead when it sends additional requests.
During the dead-time interval, the ACE sends probe access-request packets to verify that the RADIUS
server is available and can receive authentication requests. The dead-time interval starts when the server
does not respond to an authentication request transmission. When the server responds to a probe
access-request packet, the ACE retransmits the authentication request to the server.
Examples To globally configure a 15-minute dead-time interval for RADIUS servers that fail to respond to
authentication requests, enter:
host1/Admin(config)# aaa group server radius RADIUS_Server_Group1
host1/Admin(config-radius)# deadtime 15
To reset the RADIUS server dead-time request to the default of 0, enter:
host1/Admin(config-radius)# no deadtime 15
Related Commands (config) aaa group server
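How a RADIUS server group behaves toward a server that stops answering, with and without a dead-time interval, as an added simulation that is not Cisco ACE code. The one-login-per-minute timing, the simplified probe and the `responsive` test knob are assumptions; the server addresses are the ones used in the examples above.

```python
"""Model of server selection in an ACE RADIUS server group with a dead-time
interval. Added illustration, not Cisco code: timing is one request per
minute and probes are abstracted to a single call (assumptions)."""
from dataclasses import dataclass, field

MAX_DEADTIME = 1440      # minutes; the deadtime command accepts 0 to 1440


@dataclass
class RadiusServer:
    ip: str
    responsive: bool = True   # constructed test knob: does the server answer?


@dataclass
class RadiusServerGroup:
    name: str
    deadtime: int = 0                              # 0 (default): servers are never marked dead
    servers: list = field(default_factory=list)
    dead_until: dict = field(default_factory=dict)  # ip -> minute at which the dead mark expires
    attempts: list = field(default_factory=list)    # audit trail: (minute, ip, outcome)

    def __post_init__(self):
        if not 0 <= self.deadtime <= MAX_DEADTIME:
            raise ValueError("deadtime must be 0 to 1440 minutes")

    def add_server(self, ip):
        # The ACE searches the servers in the order in which they were configured.
        self.servers.append(RadiusServer(ip))

    def authenticate(self, now):
        """Walk the group in configured order at minute `now`.
        Returns the IP of the server that answered, or None if none did."""
        for srv in self.servers:
            if self.dead_until.get(srv.ip, 0) > now:
                # Marked dead: skipped without waiting for a request timeout.
                self.attempts.append((now, srv.ip, "skipped-dead"))
                continue
            if srv.responsive:
                self.attempts.append((now, srv.ip, "ok"))
                return srv.ip
            # No answer: the request had to time out before the next server was tried.
            self.attempts.append((now, srv.ip, "timeout"))
            if self.deadtime:
                self.dead_until[srv.ip] = now + self.deadtime
        return None

    def probe(self, now):
        """Probe access-requests sent during the dead-time interval: a server that
        answers one is put back into rotation before the interval expires."""
        for srv in self.servers:
            if self.dead_until.get(srv.ip, 0) > now and srv.responsive:
                del self.dead_until[srv.ip]


def timeouts_over(deadtime, requests):
    """Count the request timeouts clients suffer when the first server of the
    three-server group is down and one login arrives per minute (constructed)."""
    grp = RadiusServerGroup("RADIUS_Server_Group1", deadtime=deadtime)
    for ip in ("172.16.56.76", "172.16.56.79", "172.16.56.82"):
        grp.add_server(ip)
    grp.servers[0].responsive = False          # constructed: 172.16.56.76 is down
    for minute in range(requests):
        grp.authenticate(minute)
    return sum(1 for _, _, outcome in grp.attempts if outcome == "timeout")


def recovery_trace():
    """Show the dead mark being honoured and a probe reinstating a server early."""
    grp = RadiusServerGroup("RADIUS_Server_Group1", deadtime=15)
    for ip in ("172.16.56.76", "172.16.56.79"):
        grp.add_server(ip)
    grp.servers[0].responsive = False
    grp.authenticate(0)             # .76 times out and is marked dead until minute 15
    grp.authenticate(5)             # .76 skipped, .79 answers
    grp.servers[0].responsive = True
    grp.probe(6)                    # probe answered: the mark is cleared early
    grp.authenticate(7)             # .76 is back in first position
    return ([outcome for _, _, outcome in grp.attempts],
            [ip for _, ip, _ in grp.attempts])


if __name__ == "__main__":
    print("deadtime 0 :", timeouts_over(0, 10), "timeouts in 10 logins")
    print("deadtime 15:", timeouts_over(15, 10), "timeouts in 10 logins")
    print(recovery_trace())
```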
(config-radius) server
To specify the IP address of one or more previously configured Remote Authentication Dial-In User
Service (RADIUS) servers that you want added to or removed from a server group, use the server
command. Use the no form of this command to remove the RADIUS server from the AAA server group.
server ip_address
no server ip_address
Syntax Description
ip_address IP address of the RADIUS server. Enter the address in dotted-decimal IP notation (for
example, 192.168.11.1).
Command Modes RADIUS configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You can add multiple RADIUS servers to the AAA server group by entering multiple server commands
in this mode. The same server can belong to multiple server groups.
Examples To add servers to a RADIUS server group, enter:
host1/Admin(config-radius)# server 172.16.56.76
host1/Admin(config-radius)# server 172.16.56.79
host1/Admin(config-radius)# server 172.16.56.82
To remove a server from a RADIUS server group, enter:
host1/Admin(config)# aaa group server radius RADIUS_Server_Group1
host1/Admin(config-radius)# no server 172.16.56.76
Related Commands (config) aaa group server
Real Server Host Configuration Mode Commands
Real server host configuration mode commands allow you to create and configure host real servers that
are used in server load balancing (SLB). The parameters that you configure determine how the ACE
interacts with the servers used for web content and services. For details about SLB, see the Server
Load-Balancing Guide, Cisco ACE Application Control Engine.
To create a host real server and access real server host configuration mode, use the rserver host
command in configuration mode. The CLI prompt changes to (config-rserver-host). For information
about commands available in this mode, see the following commands.
Use the no form of this command to remove an existing real server from the configuration.
rserver [host] name
no rserver name
Syntax Description
name Unique identifier of the real server. Enter an unquoted text string with
no spaces and a maximum of 64 alphanumeric characters.
host (Optional) Specifies that the real server is a typical server that
provides web services and content.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the rserver feature in your user role unless otherwise specified. For
details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE
Application Control Engine.
All servers in a server farm should be of the same type: host or redirect.
Examples To create a host server named SERVER1, enter:
host1/Admin(config)# rserver SERVER1
host1/Admin(config-rserver-host)#
To delete the host server named SERVER1, enter:
host1/Admin(config)# no rserver SERVER1
Related Commands (config-sfarm-host) rserver
(config-rserver-host) conn-limit
To configure the maximum and minimum number of connections that you want to allow for a host real
server, use the conn-limit command. Use the no form of this command to reset the maximum number
of connections and the minimum connection threshold for a real server to the default of 4000000.
conn-limit max max-conns min min-conns
no conn-limit max
Syntax Description
max maxconns Specifies the maximum number of connections allowed for this real
server.
• For the ACE module, enter an integer from 2 to 4000000.
• For the ACE appliance, enter an integer from 1 to 4000000.
The default is 4000000.
min minconns Specifies the connection threshold below which the real server will
start accepting connections again after the number of connections
exceeds the configured maximum number of connections.
• For the ACE module, enter an integer from 2 to 4000000.
• For the ACE appliance, enter an integer from 1 to 4000000.
The default is minconns equal to maxconns.
Command Modes Real server host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Use this command to specify the maximum number of connections and the minimum connection
threshold for a real server. The minconns value must be less than or equal to the maxconns value. When
the number of connections to a real server reaches the maxconns value, the ACE stops sending
connections to that server and assigns it a state of OUTOFSERVICE. The ACE uses the minconns value
as a threshold for load balancing to start accepting connections again after the maxconns limit is reached.
Examples To configure the maximum number of connections and the minimum connection threshold for a real
server, enter:
host1/Admin(config-rserver-host)# conn-limit max 65535 min 40000
To reset the maximum number of connections and the minimum connection threshold for a real server
to the default of 4000000, enter:
host1/Admin(config-rserver-host)# no conn-limit
Related Commands (config-rserver-host) rate-limit
(config-rserver-host) description
To configure a description for a real server, use the description command. Use the no form of this
command to remove the real server description from the configuration.
description text
no description
Syntax Description
text User-defined description of the real server and related information.
Enter an unquoted text string with a maximum of 240 alphanumeric
characters.
Command Modes Real server host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure a description for a real server, enter:
host1/Admin(config-rserver-host)# description database application server
To delete a description for a real server, enter:
host1/Admin(config-rserver-host)# no description
Related Commands This command has no related commands.
(config-rserver-host) fail-on-all
To configure a real server to remain in the OPERATIONAL state unless all probes associated with it fail
(AND logic), use the fail-on-all command in real server host configuration mode. This command is
applicable to all probe types. The syntax of this command is:
fail-on-all
no fail-on-all
Syntax Description This command has no keywords or arguments.
Command Modes Real server host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines This command has no usage guidelines.
Examples To configure the SERVER1 real server to remain in the OPERATIONAL state unless all associated
probes fail, enter the following commands:
host1/Admin(config)# rserver SERVER1
host1/Admin(config-rserver-host)# ip address 2001:DB8:1::1
or
host1/Admin(config-rserver-host)# ip address 192.168.12.15
host1/Admin(config-rserver-host)# probe HTTP_PROBE
host1/Admin(config-rserver-host)# probe ICMP_PROBE
host1/Admin(config-rserver-host)# fail-on-all
To remove the AND probe logic from the real server and return the behavior to the default of OR logic,
enter the following command:
host1/Admin(config-rserver-host)# no fail-on-all
Related Commands This command has no related commands.
(config-rserver-host) inservice
To place a real server in service, use the inservice command in real server host configuration mode. Use
the no form of this command to gracefully shut down a real server.
inservice
no inservice
Syntax Description This command has no keywords or arguments.
Command Modes Real server host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the real-inservice feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Use the no form of this command to shut down a real server gracefully for maintenance or software
upgrades. When you enter this command, the ACE tears down all non-TCP connections. For TCP
connections, the ACE allows existing connections to end before taking the server out of service. No new
connections are allowed. To place the real server back in service, use the inservice command.
The ACE resets all SSL connections to a particular real server when you enter the no inservice command
for that server.
Examples To place a real server in service, enter:
host1/Admin(config-rserver-host)# inservice
To take a real server out of service, enter:
host1/Admin(config-rserver-host)# no inservice
Related Commands This command has no related commands.
(config-rserver-host) ip address
To configure an IPv6 or an IPv4 address for a real server, use the ip address command in real server host
configuration mode. Use the no form of this command to remove the real server IP address from the
configuration.
ip address ip-address
no ip address
Syntax Description
ip-address IP address for the real server of type host.
Command Modes Real server host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Use this command to provide a unique IP address for a real server. The address that you choose must not
be a VIP of an existing virtual server.
Caution Do not configure under a real server a peer IPv6 address that is calculated from EUI64. In a redundant
configuration, if you configure a peer IPv6 address as EUI64 on an interface, the address will not be
learned by the active member of an FT group because the address is calculated only on the peer. If you
then configure the same calculated IPv6 address on the active under a real server, the CLI accepts it
because it does not calculate it. This IPv6 address is not synced to the standby because it conflicts with
the interface address. If you subsequently apply a probe to the real server, the state of the real server is
PROBE-FAILED on the active and OUTOFSERVICE on the standby. This same check applies to
VIPs, routes, interfaces, and probes.
Examples IPv6 Example
To configure the IPv6 address of a real server, enter:
host1/Admin(config-rserver-host)# ip address 2001:DB8:1::1
To delete the real server IPv6 address from the configuration, enter:
host1/Admin(config-rserver-host)# no ip address 2001:DB8:1::1
IPv4 Example
To configure the IPv4 address of a real server, enter:
host1/Admin(config-rserver-host)# ip address 192.168.12.6
To delete the real server IPv4 address from the configuration, enter:
host1/Admin(config-rserver-host)# no ip address 192.168.12.6
Related Commands This command has no related commands.
(config-rserver-host) probe
To configure a probe to monitor the health of a real server, use the probe command. Use the no form of
this command to remove the probe from the real server.
probe probe-name
no probe probe-name
Syntax Description
probe-name Identifier of an existing probe that you want to assign to a real server
to monitor its health. Enter an unquoted text string with no spaces and
a maximum of 64 alphanumeric characters.
Command Modes Real server host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You can associate multiple probes with each real server.
Examples To configure a probe for a real server of type host, enter:
host1/Admin(config-rserver-host)# probe SERVER1_PROBE
To remove a probe from a real server of type host, enter:
host1/Admin(config-rserver-host)# no probe SERVER1_PROBE
Related Commands This command has no related commands.
(config-rserver-host) rate-limit
To configure a limit for the connection rate and the bandwidth rate of a real server, use the rate-limit
command. The connection rate is the number of connections per second received by the ACE and applies
only to the new connections destined to a real server. The bandwidth rate is the number of bytes per
second and applies to the network traffic exchanged between the ACE and the real server in both
directions. Use the no form of this command to revert to the ACE default of not limiting the connection
rate or bandwidth rate of real servers.
rate-limit {connection number1 | bandwidth number2}
no rate-limit {connection | bandwidth}
Syntax Description
connection number1 Specifies the real server connection-rate limit in connections per
second.
• For the ACE module, enter an integer from 2 to 350000.
• For the ACE appliance, enter an integer from 1 to 350000.
There is no default value.
bandwidth number2 Specifies the real server bandwidth-rate limit in bytes per second.
• For the ACE module, enter an integer from 4 to 300000000.
• For the ACE appliance, enter an integer from 1 to 300000000.
There is no default value.
Command Modes Real server host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
A4(1.0) The lowest real server bandwidth-rate limit was changed from 2 to 4.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For a real server that is associated with more than one server farm, the ACE uses the aggregated
connection rate or bandwidth rate to determine whether the real server has exceeded its rate limits. If the
connection rate or the bandwidth rate of incoming traffic destined for a particular server exceeds the
configured rate of the server, the ACE blocks any further traffic destined to that real server until the
connection rate or bandwidth rate drops below the configured limit. Also, the ACE removes the blocked
real server from future load-balancing decisions.
You can also limit the connection rate and the bandwidth rate at the virtual server level in a connection
parameter map. For details, see the Security Guide, Cisco ACE Application Control Engine.
Examples To limit the connection rate of a real server to 100,000 connections per second, enter:
host1/Admin(config-rserver-host)# rate-limit connection 100000
To revert to the ACE default of not limiting the real-server connection rate, enter:
host1/Admin(config-rserver-host)# no rate-limit connection
To limit the real-server bandwidth rate to 5,000,000 bytes per second, enter:
host1/Admin(config-rserver-host)# rate-limit bandwidth 5000000
To revert to the ACE default of not limiting real-server bandwidth, enter:
host1/Admin(config-rserver-host)# no rate-limit bandwidth
Related Commands (config-rserver-host) conn-limit
(config-rserver-host) weight
To configure the capacity of a real server in relation to other servers in a server farm, use the weight
command. The weight value that you specify for a server is used in the weighted round-robin and
least-connections predictor load-balancing methods. Use the no form of this command to reset the real
server weight to the default.
weight number
no weight
Syntax Description
number Weight value assigned to a real server in a server farm. This value is used in the
weighted round-robin and least-connections predictor load-balancing algorithms.
Enter an integer from 0 to 100. The default is 8.
Command Modes Real server host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Servers with a higher configured weight value have a higher priority with respect to connections than
servers with a lower weight. For example, a server with a weight of 5 would receive five connections for
every one connection received by a server with a weight of 1.
To specify different weight values for a real server in a server farm, you can assign multiple IP addresses
to the server. You can also use the same IP address of a real server with different port numbers.
Server weights take effect only when there are open connections to the servers. When there are no
sustained connections to any of the servers, the leastconns predictor method behaves like the roundrobin
method.
Examples To configure a weight value for a real server, enter:
host1/Admin(config-rserver-host)# weight 50
To reset the weight of a real server to the default of 8, enter:
host1/Admin(config-rserver-host)# no weight
Related Commands This command has no related commands.
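The weight semantics described above, worked through for both predictors, as an added simulation that is not Cisco ACE code. The smooth weighted round-robin credit scheme and the connections-per-unit-weight rule with a rotating tie-break are assumptions chosen to reproduce the documented behaviour (five-to-one spread, and leastconns collapsing to roundrobin when no connections stay open), not the ACE's internal algorithm; the farm and its weights are constructed.

```python
"""Weighted round robin and weighted least connections for the weight command.
Added illustration, not Cisco code: the selection rules are assumptions that
match the documented outcomes, not the ACE's own implementation."""
from fractions import Fraction

DEFAULT_WEIGHT = 8          # the ACE default; valid weights are 0 to 100


class RealServer:
    def __init__(self, name, weight=DEFAULT_WEIGHT):
        if not 0 <= weight <= 100:
            raise ValueError("weight must be an integer from 0 to 100")
        self.name = name
        self.weight = weight
        self.conns = 0      # currently open connections


class WeightedRoundRobin:
    """A weight-5 server receives five connections for every one received by a
    weight-1 server; the running credit keeps the spread even over time."""
    def __init__(self, servers):
        self.servers = [s for s in servers if s.weight > 0]   # weight 0: never chosen
        self.credit = {s.name: 0 for s in self.servers}

    def pick(self):
        total = sum(s.weight for s in self.servers)
        for s in self.servers:
            self.credit[s.name] += s.weight
        best = max(self.servers, key=lambda s: self.credit[s.name])
        self.credit[best.name] -= total
        return best


class WeightedLeastConns:
    """Lowest open-connections-per-unit-weight wins. When no connection is
    sustained every score is zero, and the rotating tie-break makes the
    predictor behave like plain round robin, as the usage guidelines state."""
    def __init__(self, servers):
        self.servers = [s for s in servers if s.weight > 0]
        self.last = -1

    def pick(self):
        scores = [Fraction(s.conns, s.weight) for s in self.servers]
        lowest = min(scores)
        tied = [i for i, sc in enumerate(scores) if sc == lowest]
        idx = next((i for i in tied if i > self.last), tied[0])
        self.last = idx
        return self.servers[idx]


def make_farm():
    # Constructed farm: SERVER1 is rated at five times the capacity of SERVER2.
    return [RealServer("SERVER1", weight=5), RealServer("SERVER2", weight=1)]


def distribution(predictor, picks, sustained):
    """Count selections over `picks` new connections. With `sustained` the
    connections stay open; otherwise each one closes before the next arrives."""
    counts = {s.name: 0 for s in predictor.servers}
    for _ in range(picks):
        srv = predictor.pick()
        counts[srv.name] += 1
        if sustained:
            srv.conns += 1
    return counts


if __name__ == "__main__":
    print("weighted round robin :", distribution(WeightedRoundRobin(make_farm()), 60, False))
    print("leastconns, sustained:", distribution(WeightedLeastConns(make_farm()), 12, True))
    print("leastconns, no open  :", distribution(WeightedLeastConns(make_farm()), 12, False))
```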
Real Server Redirect Configuration Mode Commands
Real server redirect configuration mode commands allow you to configure parameters for redirection
real servers used in server load balancing (SLB). A redirection real server is used only for redirecting
network traffic to another server as indicated in the Webhost redirection string. See the
(config-rserver-redir) webhost-redirection command. The parameters that you configure determine
how the ACE interacts with the servers used for redirection. Redirection servers are useful for content
that has physically moved to another location, either temporarily or permanently. For details about SLB
and redirection, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
To create a redirect real server and access real server configuration mode, use the rserver redirect
command in configuration mode. The CLI prompt changes to (config-rserver-redir). For information
about commands available in this mode, see the commands that follow this section.
Use the no form of this command to remove an existing real server from the configuration.
rserver redirect name
no rserver redirect name
Syntax Description
name Unique identifier of the real server. Enter an unquoted text string with
no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines All commands in this mode require the Real feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
All servers in a server farm should be of the same type: host or redirect.
Examples To create a redirect server named SERVER1, enter:
host1/Admin(config)# rserver redirect SERVER1
To delete the redirect server named SERVER1, enter:
host1/Admin(config)# no rserver redirect SERVER1
Related Commands (config-rserver-redir) webhost-redirection
(config-rserver-redir) conn-limit
To configure the maximum and minimum number of connections that you want to allow for a real server,
use the conn-limit command. Use the no form of this command to reset the maximum number of
connections and the minimum connection threshold for a real server to the default of 4000000.
conn-limit max max-conns min min-conns
no conn-limit max
Syntax Description
max max-conns Specifies the maximum number of connections allowed for this real
server.
• For the ACE module, enter an integer from 2 to 4000000.
• For the ACE appliance, enter an integer from 1 to 4000000.
The default is 4000000.
min min-conns Specifies the connection threshold below which the real server will
start accepting connections again after the number of connections
exceeds the configured maximum number of connections.
• For the ACE module, enter an integer from 2 to 4000000.
• For the ACE appliance, enter an integer from 1 to 4000000.
The default is minconns equal to maxconns.
Command Modes Real server redirect configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Use this command to specify the maximum number of connections and the minimum connection
threshold for a real server. The minconns value must be less than or equal to the maxconns value. When
the number of connections to a real server reaches the maxconns value, the ACE stops sending
connections to that server and assigns it a state of OUTOFSERVICE. The ACE uses the minconns value
as a threshold for load balancing to start accepting connections again after the maxconns limit is reached.
Examples To configure the maximum number of connections and the minimum connection threshold for a real
server, enter:
host1/Admin(config-rserver-redir)# conn-limit max 65535 min 40000
To reset the maximum number of connections and the minimum connection threshold for a real server
of type redirect to the default of 4000000, enter:
host1/Admin(config-rserver-redir)# no conn-limit
Related Commands This command has no related commands.
(config-rserver-redir) description
To configure a description for a real server, use the description command. Use the no form of this
command to remove the real server description from the configuration.
description text
no description
Syntax Description
text User-defined description of the real server and related information.
Enter an unquoted text string with a maximum of 240 alphanumeric
characters.
Command Modes Real server redirect configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Use this command to provide a unique description for the real server with a maximum of 240 characters.
Examples To configure a real server description, enter:
host1/Admin(config-rserver-redir)# description database application server
To delete a real server description, enter:
host1/Admin(config-rserver-redir)# no description
Related Commands This command has no related commands.
(config-rserver-redir) inservice
To place a real server in service, use the inservice command. Use the no form of this command to remove
the real server from service.
inservice
no inservice
Syntax Description This command has no keywords or arguments.
Command Modes Real server redirect configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the real-inservice feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Use the no form of this command to shut down a real server gracefully for maintenance or software
upgrades. When you enter this command, the ACE tears down all non-TCP connections. For TCP
connections, the ACE allows existing connections to end before taking the server out of service. No new
connections are allowed. To place the real server back in service, use the inservice command.
Examples To place a real server in service, enter:
host1/Admin(config-rserver-redir)# inservice
To take a real server out of service, enter:
host1/Admin(config-rserver-redir)# no inservice
Related Commands This command has no related commands.
(config-rserver-redir) probe
To configure a probe to monitor the health of a real server, use the probe command. Use the no form of
this command to remove the probe from the real server.
probe probe-name
no probe probe-name
Syntax Description
probe-name Identifier of an existing probe that you want to assign to a real server
to monitor its health. Enter an unquoted text string with no spaces and
a maximum of 64 alphanumeric characters.
Command Modes Real server redirect configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(3.2) (not applicable to A4(1.0)) This command was introduced.
ACE Appliance Release Modification
A3(2.7) (not applicable to A4(1.0)) This command was introduced.
Usage Guidelines You can associate multiple probes with each real server.
You can only configure probes with an IP address in routed mode under a redirect server.
You cannot associate a scripted probe with a redirect server.
Examples To configure a probe for a real server, enter:
host1/Admin(config-rserver-redir)# probe SERVER1_PROBE
To remove a probe from a real server, enter:
host1/Admin(config-rserver-redir)# no probe SERVER1_PROBE
Related Commands (config-probe-probe_type) ip address
(config-rserver-redir) rate-limit
To configure a limit for the connection rate and the bandwidth rate of a real server, use the rate-limit
command. The connection rate is the number of connections per second received by the ACE and applies
only to the new connections destined to a real server. The bandwidth rate is the number of bytes per
second and applies to the network traffic exchanged between the ACE and the real server in both
directions. Use the no form of this command to revert to the ACE default of not limiting the connection
rate or bandwidth rate of real servers.
rate-limit {connection number1 | bandwidth number2}
no rate-limit {connection | bandwidth}
Syntax Description
connection number1 Specifies the real server connection-rate limit in connections per
second. Enter an integer from 2 to 350000. There is no default value.
bandwidth number2 Specifies the real server bandwidth-rate limit in bytes per second.
Enter an integer from 2 to 300000000. There is no default value.
Command Modes Real server redirect configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines For a real server that is associated with more than one server farm, the ACE uses the aggregated
connection rate or bandwidth rate to determine whether the real server has exceeded its rate limits. If the
connection rate or the bandwidth rate of incoming traffic destined for a particular server exceeds the
configured rate of the server, the ACE blocks any further traffic destined to that real server until the
connection rate or bandwidth rate drops below the configured limit. Also, the ACE removes the blocked
real server from future load-balancing decisions.
You can also limit the connection rate and the bandwidth rate at the virtual server level in a connection
parameter map. For details, see the Security Guide, Cisco ACE Application Control Engine.
Examples To limit the connection rate of a real server to 100,000 connections per second, enter:
host1/Admin(config-rserver-redir)# rate-limit connection 100000
To revert to the ACE default of not limiting the real-server connection rate, enter:
host1/Admin(config-rserver-redir)# no rate-limit connection
To limit the real-server bandwidth rate to 5,000,000 bytes per second, enter:
host1/Admin(config-rserver-redir)# rate-limit bandwidth 5000000
To revert to the ACE default of not limiting real-server bandwidth, enter:
host1/Admin(config-rserver-redir)# no rate-limit bandwidth
Related Commands (config-rserver-redir) conn-limit
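The admission rules documented for conn-limit and rate-limit (identical for host and redirect real servers, so this one simulation serves all four entries), as an added example that is not Cisco ACE code. It shows the maxconns/minconns hysteresis that takes a server OUTOFSERVICE and brings it back, and the connection-rate limit evaluated on the aggregate of all server farms; the one-second sliding window used to measure the rate, the farm names and the timings are assumptions.

```python
"""Admission decisions for one real server under conn-limit and rate-limit.
Added illustration, not Cisco ACE code: the sliding-window rate measurement
and the constructed scenarios are assumptions."""
from collections import deque

MAX_CONNS_CEILING = 4_000_000       # conn-limit max/min: default value and upper bound
CONN_RATE_CEILING = 350_000         # rate-limit connection: upper bound (connections/s)


class RealServer:
    def __init__(self, name, platform="module"):
        if platform not in ("module", "appliance"):
            raise ValueError("platform must be 'module' or 'appliance'")
        self.name = name
        self.low = 2 if platform == "module" else 1    # lowest accepted value per platform
        self.max_conns = MAX_CONNS_CEILING
        self.min_conns = MAX_CONNS_CEILING              # default: minconns equals maxconns
        self.conn_rate_limit = None                     # no default: rate is unlimited
        self.open_conns = 0
        self.state = "OPERATIONAL"
        self.rate_blocked = False
        self.arrivals = deque()                         # (time, farm) of recent new connections

    def conn_limit(self, max_conns, min_conns):
        for value in (max_conns, min_conns):
            if not self.low <= value <= MAX_CONNS_CEILING:
                raise ValueError("conn-limit values must be %d to %d" % (self.low, MAX_CONNS_CEILING))
        if min_conns > max_conns:
            raise ValueError("minconns must be less than or equal to maxconns")
        self.max_conns, self.min_conns = max_conns, min_conns

    def rate_limit_connection(self, cps):
        if not self.low <= cps <= CONN_RATE_CEILING:
            raise ValueError("rate-limit connection must be %d to %d" % (self.low, CONN_RATE_CEILING))
        self.conn_rate_limit = cps

    def _connection_rate(self, now):
        # Arrivals through every server farm are pooled: the limit applies to the aggregate.
        while self.arrivals and self.arrivals[0][0] <= now - 1.0:
            self.arrivals.popleft()
        return len(self.arrivals)

    def eligible(self):
        """Whether the predictor may still consider this server at all."""
        return self.state == "OPERATIONAL" and not self.rate_blocked

    def admit(self, now, farm="default"):
        """Decide whether a new connection arriving at `now` through `farm` is
        sent to this server. Returns True when it is."""
        self.arrivals.append((now, farm))
        if self.conn_rate_limit is not None:
            rate = self._connection_rate(now)
            if self.rate_blocked and rate < self.conn_rate_limit:
                self.rate_blocked = False           # rate dropped below the limit again
            elif not self.rate_blocked and rate > self.conn_rate_limit:
                self.rate_blocked = True            # limit exceeded: block until it drops
            if self.rate_blocked:
                return False
        # conn-limit hysteresis: OUTOFSERVICE at maxconns, back only once below minconns.
        if self.state == "OUTOFSERVICE" and self.open_conns < self.min_conns:
            self.state = "OPERATIONAL"
        if self.state == "OUTOFSERVICE":
            return False
        self.open_conns += 1
        if self.open_conns >= self.max_conns:
            self.state = "OUTOFSERVICE"
        return True

    def release(self):
        """An existing connection to the server ended."""
        if self.open_conns > 0:
            self.open_conns -= 1


def conn_limit_trace():
    """conn-limit max 5 min 3: fill the server, then drain it and watch when it
    starts taking connections again (constructed scenario)."""
    srv = RealServer("SERVER1")
    srv.conn_limit(5, 3)
    decisions = [srv.admit(t) for t in range(6)]     # five accepted, the sixth refused
    srv.release(); srv.release()                      # 3 open: not yet below minconns
    decisions.append(srv.admit(6))
    srv.release()                                     # 2 open: below minconns
    decisions.append(srv.admit(7))
    return decisions, srv.state


def rate_limit_trace():
    """rate-limit connection 3, with arrivals alternating between two server
    farms: the aggregate rate is what trips the limit (constructed timings)."""
    srv = RealServer("SERVER1")
    srv.rate_limit_connection(3)
    times = [0.0, 0.1, 0.2, 0.3, 0.4, 1.5]
    farms = ["FARM_A", "FARM_B"] * 3
    return [srv.admit(t, f) for t, f in zip(times, farms)]


if __name__ == "__main__":
    print("conn-limit :", conn_limit_trace())
    print("rate-limit :", rate_limit_trace())
```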
(config-rserver-redir) webhost-redirection
To configure the relocation URL string used for redirection, use the webhost-redirection command. You
can configure a port number to redirect a request in the relocation string. Use the no form of this
command to remove the real server redirection URL string from the configuration.
webhost-redirection relocation_string [301 | 302]
no webhost-redirection
Syntax Description
Command Modes Real server redirect configuration mode
Admin and user contexts
relocation_string URL string used to redirect requests to another server. Enter an
unquoted text string with no spaces and a maximum of
255 alphanumeric characters. The redirection string supports the
following special characters:
• %h—Inserts the hostname from the request Host header
• %p—Inserts the URL path string from the request
Note To insert a question mark (?) in the relocation string,
press Ctrl-v before you type the question mark.
[301 | 302] (Optional) Specifies the redirection status code returned to a client.
The codes indicate the following:
• 301—The requested resource has been moved permanently. For
future references to this resource, the client should use one of the
returned URIs.
• 302—(Default) The requested resource has been found but has
been moved temporarily to another location. For future
references to this resource, the client should continue to use the
request URI because the resource may be moved to other
locations from time to time.
For more information about redirection status codes, see RFC 2616.
Command History
Usage Guidelines Enter this command only on a real server that you have configured as a redirection server.
Examples To configure a redirection string on a real server, enter:
host1/Admin(config-rserver-redir)# webhost-redirection www.acme.com/common/images/*.jpg 301
To remove the redirection string from a real server, enter:
host1/Admin(config-rserver-redir)# no webhost-redirection
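As an added example that is not part of the original reference, the relocation string placed in a complete configuration: a redirect real server that sends every plain-HTTP request to the same host and path over HTTPS, rate-limited with the (config-rserver-redir) rate-limit command described earlier in this section, and wired to a VIP so the command can be seen in context. The names RS_TO_HTTPS, SF_TO_HTTPS, VIP_HTTP, LB_REDIRECT, VIPS, VLAN 100 and the address 10.10.10.10 are assumptions, and the interface's IP configuration is assumed to exist already. Lines starting with ! are comments in the NX-OS-style CLI; drop them if your release rejects them.

```text
! Added example; object names and addresses are assumptions.
rserver redirect RS_TO_HTTPS
  ! %h = request Host header, %p = request path; 301 = permanent, clients may cache it
  webhost-redirection https://%h%p 301
  ! cap the redirect server so a request flood cannot exhaust it
  rate-limit connection 5000
  rate-limit bandwidth 10000000
  inservice

serverfarm redirect SF_TO_HTTPS
  rserver RS_TO_HTTPS
    inservice

class-map match-all VIP_HTTP
  2 match virtual-address 10.10.10.10 tcp eq www

policy-map type loadbalance first-match LB_REDIRECT
  class class-default
    serverfarm SF_TO_HTTPS

policy-map multi-match VIPS
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy LB_REDIRECT

interface vlan 100
  service-policy input VIPS
```

Two points to check before deploying. First, %h copies whatever Host header the client sent, so the Location header reflects client-controlled input; when the VIP serves a single hostname, hard-code it (for example https://www.example.com%p) so a forged Host header cannot steer the redirect elsewhere. Second, a tripped rate-limit blocks traffic to the redirect server until the rate drops, and with a single redirect server that means clients get no redirect at all during the block, so size the limit above the expected peak redirect load. show rserver RS_TO_HTTPS and show serverfarm SF_TO_HTTPS confirm the server's state.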
Related Commands This command has no related commands.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Resource Configuration Mode Commands
Resource configuration mode commands allow you to limit the usage of resources by one or more
contexts. To create a resource class and access resource configuration mode, enter the resource-class
command. The CLI prompt changes to (config-resource). For information about the commands in
resource configuration mode, see the commands in this section. Use the no form of this command to
delete a resource class.
resource-class name
no resource-class name
Syntax Description
Command Modes Configuration mode
Admin context only
Command History
Usage Guidelines The commands in this mode require the Admin user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
After you create and configure the class, use the (config-context) member command in context
configuration mode to assign a context to the class.
Examples To create a resource-class called RC1 and enter resource configuration mode, enter:
host1/C1(config)# resource-class RC1
host1/C1(config-resource)#
To remove the RC1 resource class from the configuration, enter:
host1/C1(config)# no resource-class RC1
Related Commands (config-context) member
name Name assigned to the new resource class. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
You can also use the resource class called default.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-resource) limit-resource
To limit system resources for all members of a resource class, use the limit-resource command. Use the
no form of this command to restore the default resource settings for all resources or individual resources
for all members (contexts) of a resource class.
limit-resource {acl-memory | all | buffer syslog | conc-connections | http-comp |
mgmt-connections | proxy-connections | rate {bandwidth | connections | inspect-conn |
mac-miss | mgmt-traffic | ssl-connections | syslog | to-cp-ipcp} | regexp | sticky | xlates}
minimum number maximum {equal-to-min | unlimited}
no limit-resource {acl-memory | all | buffer syslog | conc-connections | http-comp |
mgmt-connections | proxy-connections | rate {bandwidth | connections | inspect-conn |
mac-miss | mgmt-traffic | ssl-connections | syslog | to-cp-ipcp} | regexp | sticky | xlates}
Syntax Description acl-memory Limits memory allocated for ACLs.
all Limits all resources to the specified value for all contexts assigned to
this resource class.
buffer syslog Limits the amount of buffering for syslog messages.
conc-connections Limits the number of simultaneous connections.
http-comp Limits the HTTP compression rate.
mgmt-connections Limits the number of management connections.
proxy-connections Limits the number of proxy connections.
rate Limits the resource as a number per second for the following:
• bandwidth—Limits context throughput in bytes per second.
• connections—Limits the number of connections of any kind per
second.
• inspect-conn—Limits the number of application protocol
inspection connections per second for Domain Name System
(DNS), File Transfer Protocol (FTP), HTTP deep packet inspection,
Internet Control Message Protocol (ICMP), Internet Locator
Service (ILS), Real-Time Streaming Protocol (RTSP), Skinny
Client Control Protocol (SCCP), and Session Initiation Protocol
(SIP).
• mac-miss—Limits the ACE traffic sent to the control plane when
the encapsulation is not correct in packets per second.
• mgmt-traffic—Limits the management traffic in bytes per
second.
• ssl-connections—Limits the number of SSL connections per
second.
• syslog—Limits the number of syslog messages per second.
• to-cp-ipcp—(ACE module only) Limits the IPCP traffic from
the DP to the CP in packets per second. This keyword prevents
the overwhelming of the CP under high syslog rate conditions
(for example, level 7 messages).
regexp Limits the amount of regular expression memory.
Command Modes Resource configuration mode
Admin context only
Command History
Usage Guidelines You can limit all resources or individual resources for all members (contexts) of a resource class. For
example, you can limit only concurrent connections, probes, or sticky table entries.
For details about the system resource maximum values when you use the limit-resource command, see
the Virtualization Guide, Cisco ACE Application Control Engine.
If you lower the limits for one context (context A) to increase the limits of another context (context B),
you may experience a delay in the configuration change because the ACE will not lower the limits of
context A until the resources are no longer being used by the context.
The limit that you set for individual resources when you use the limit-resource command overrides the
limit that you set for all resources when you use the limit-resource all command.
When you enter the no limit-resource all command, all ACE contexts associated with the resource class
are left without resources that are not separately configured with a minimum limit in the resource class.
The CLI displays the following message:
Warning: The context(s) associated with this resource-class
will be denied of all the resources that are not explicitly
configured with minimum limit in this resource-class
sticky Limits the number of entries in the sticky table. You must configure
a minimum value for sticky to allocate resources for sticky entries,
because the sticky software receives no resources under the unlimited
setting.
xlates Limits the number of network and port address translations entries.
minimum number Specifies the lowest acceptable value. Enter a value from 0.00 to
100.00 percent (two-decimal places of granularity). The number
argument specifies a percentage value for all contexts that are
members of the class. When used with the rate keyword, the number
argument specifies an absolute value per second.
maximum {equal-to-min |
unlimited}
Specifies the maximum resource value: either the same as the
minimum value or no limit.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) This command was modified to add the http-comp keyword for
compression. Also, added the rate to-cp-ipcp keyword.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) Added the rate to-cp-ipcp keyword.
Examples To allocate 20 percent of all resources (minimum and maximum) to all member contexts of the resource
class, enter:
(config-resource)# limit-resource all minimum 20% maximum equal-to-min
To restore resource allocation to the default of 0 percent minimum and 100 percent maximum for all
resources to all member contexts, enter:
(config-resource)# no limit-resource all
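An added example, not from the original reference, that serves both the resource-class command and limit-resource: a class that guarantees a tenant context a fixed slice of the device and caps what a misbehaving or compromised tenant can consume, then assigned to a context with the (config-context) member command. The names RC_TENANT and TENANT_A are assumptions. Percentages are written in the two-decimal form given in the Syntax Description (0.00 to 100.00); rate limits are absolute per-second values. Lines starting with ! are comments; drop them if your release rejects them.

```text
! Added example; RC_TENANT and TENANT_A are assumed names.
resource-class RC_TENANT
  ! baseline: guarantee 10% of every resource, no growth beyond it
  limit-resource all minimum 10.00 maximum equal-to-min
  ! an individual limit overrides the "all" line for that resource:
  ! this context may borrow idle connection capacity, so a flood here can
  ! consume what other contexts have not reserved for themselves
  limit-resource conc-connections minimum 10.00 maximum unlimited
  ! sticky receives nothing under "unlimited"; it needs an explicit minimum
  limit-resource sticky minimum 5.00 maximum equal-to-min
  ! absolute per-second caps so a log storm or connection flood in this
  ! context cannot swamp the control plane or the management path
  limit-resource rate syslog minimum 500 maximum equal-to-min
  limit-resource rate connections minimum 20000 maximum equal-to-min
  limit-resource rate mgmt-traffic minimum 1000000 maximum equal-to-min

context TENANT_A
  member RC_TENANT
```

Keep the minimums you guarantee across all classes in use within 100 percent of each resource, otherwise the later guarantees cannot be honored, and remember from the Usage Guidelines that lowering a class's limits takes effect only once its contexts release the resources. show resource usage reports what each context is actually consuming against these limits.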
Related Commands This command has no related commands.
Role Configuration Mode Commands
Role configuration mode commands allow you to define various rules for users who are assigned a role
and optionally, to describe a role definition. Roles determine the privileges that a user has, the commands
a user can enter, and the actions that a user can perform in a particular context.
To assign a role and access role configuration mode, enter the role command in configuration mode. The
CLI prompt changes to (config-role). For information about the commands in role configuration mode,
see the commands in this section. Use the no form of this command to remove the user role assignment.
role name
no role name
Syntax Description
Command Modes Configuration mode
Admin and user contexts
Command History
Usage Guidelines The commands in this mode require the context Admin user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
If you do not assign a user role to a new user, the default user role is Network-Monitor. For users that
you create in the Admin context, the default scope of access is the entire device. For users that you create
in other contexts, the default scope of access is the entire context. If you need to restrict a user’s access,
you must assign a role-domain pair using the (config) username command.
Examples To assign a role, enter:
host1/C1(config)# role TECHNICIAN
host1/C1(config-role)#
To remove the role from the configuration, enter:
host1/C1(config)# no role TECHNICIAN
Related Commands This command has no related commands.
name Identifier associated with a user role. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-role) description
To enter a description for the role, use the description command. Use the no form of this command to
remove the role description from the configuration.
description text
no description
Syntax Description
Command Modes Role configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples This example shows how to provide an additional description about a role:
host1/C1(config-role)# description DEFINES TECHNICIAN ROLE
To remove the description from the configuration, enter:
host1/C1(config-role)# no description
Related Commands This command has no related commands.
text Description for the role. Enter a description as an unquoted text string
with a maximum of 240 alphanumeric characters.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-role) rule
To assign privileges on a per-feature basis to a role, use the rule command. You can limit the features
that a user has access to and the commands that the user can enter for that feature by configuring rules
for roles. Use the no form of this command to remove the rule from a user role.
rule number {{permit | deny} {create | debug | modify | monitor} [feature {AAA | access-list |
changeto | config-copy | connection | dhcp | exec-commands | fault-tolerant | inspect |
interface | loadbalance | nat | pki | probe | real-inservice | routing | rserver | serverfarm | ssl
| sticky | syslog | vip}]}
no rule number
Syntax Description
number Identifier of the rule and order of precedence. Enter a unique integer from
1 to 16. The rule number determines the order in which the ACE applies the
rules, with a higher-numbered rule applied after a lower-numbered rule.
permit Allows the role to perform the operations defined by the rest of the
command keywords.
deny Disallows the role to perform the operations defined by the rest of the
command keywords.
create Specifies commands for the creation of new objects or the deletion of
existing objects (includes modify, debug, and monitor commands).
debug Specifies commands for debugging problems (includes monitor
commands).
modify Specifies commands for modifying existing configurations (includes
debug and monitor commands).
monitor Specifies commands for monitoring resources and objects (show
commands).
feature (Optional) Specifies a particular ACE feature for which you are
configuring this rule. The available features are listed below.
AAA Specifies commands for authentication, authorization, and accounting.
access-list Specifies commands for access control lists (ACLs). Includes ACL
configuration, class maps for ACLs, and policy maps that contain ACL
class maps.
changeto Specifies the changeto command for user-defined roles. Users retain their
privileges when accessing different contexts. By default, this command is
disabled for user-defined roles.
config-copy Specifies commands for copying the running-config to the startup-config,
startup-config to the running-config, and copying both config files to the
Flash disk (disk0:) or a remote server.
connection Specifies commands for network connections.
dhcp Specifies commands for Dynamic Host Configuration Protocol (DHCP).
exec-commands Specifies the following commands for user-defined roles: capture, debug,
delete, gunzip, mkdir, move, rmdir, set, setup, system, tac-pac, untar,
write, and undebug. By default, these commands are disabled
for user-defined roles.
fault-tolerant Specifies commands for redundancy.
inspect Specifies commands for packet inspection used in data-center security.
Command Modes Role configuration mode.
Command History
Usage Guidelines (ACE appliance only) To allow a user with a customized role to work from the ACE Appliance Device
Manager, you must configure the role with rules that permit the create operation for the config-copy and
exec-commands features.
Examples To configure a rule that allows a role to create and configure real servers, enter:
host1/C1(config-role)# rule 1 permit create rserver
To remove the rule from a role, enter:
host1/C1(config-role)# no rule 1
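An added example, not from the original reference, of a least-privilege operator role built from the rule command, narrowed with a domain so the role applies only to named objects, and bound to a user with the role-domain pair that the (config) role Usage Guidelines require for restricting access. The role, domain, user and object names and the password placeholder are assumptions; the feature keyword is written as in the syntax line above. Lines starting with ! are comments; drop them if your release rejects them.

```text
! Added example; names and the password placeholder are assumptions.
role SERVER_OPERATOR
  description Take real servers in and out of service, read-only otherwise
  ! monitor = show commands, here for every feature
  rule 1 permit monitor
  ! modify includes debug and monitor for the feature but not create/delete
  rule 2 permit modify feature real-inservice
  rule 3 permit modify feature probe
  ! changeto, exec-commands and config-copy are disabled by default for
  ! user-defined roles; explicit denies record the intent and survive a
  ! broad permit added later
  rule 4 deny create feature changeto
  rule 5 deny create feature exec-commands
  rule 6 deny create feature config-copy

domain WEBTIER
  add-object rserver WEB1
  add-object rserver WEB2
  add-object serverfarm SFARM1

username ops-bob password 0 <cleartext-password> role SERVER_OPERATOR domain WEBTIER
```

The result is a user who can read everything, toggle inservice on WEB1 and WEB2 and adjust their probes, and nothing else: no new objects, no context switching, no copy to startup-config, no exec-level file or debug commands. Verify with show role SERVER_OPERATOR and show user-account, and log in as the user to confirm that a create operation (for example rserver NEW) is rejected.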
interface Specifies all interface commands.
loadbalance Specifies commands for load balancing (for the ACE appliance, this
includes the application acceleration and optimization functions). Allows
adding a load-balancing action in a policy map.
nat Specifies commands for Network Address Translation (NAT) associated
with a class map in a policy map used in data-center security.
pki Specifies commands for public key infrastructure (PKI).
probe Specifies commands for keepalives for real servers.
real-inservice Specifies commands for placing a real server in service.
routing Specifies all commands for routing, both global and per interface.
rserver Specifies commands for physical servers.
serverfarm Specifies commands for server farms.
ssl Specifies commands for SSL.
sticky Specifies commands for server persistence.
syslog Specifies the system logging facility setup commands.
vip Specifies commands for virtual IP addresses.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.3) The changeto and exec-commands options were added to this
command.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.2) The changeto and exec-commands options were added to this
command.
Related Commands This command has no related commands.
Server Farm Host Configuration Mode Commands
Serverfarm host configuration mode commands allow you to create and configure host server farms and
associate host real servers with the server farm. Host server farms are clusters of real servers that provide
web content or services in a data center. You must configure a real server using the (config) rserver
command in configuration mode before you can associate it with a server farm.
To create a host server farm and access serverfarm host configuration mode, use the serverfarm
command. Note that host is the default server-farm type, so you do not need to enter the host option. The
CLI prompt changes to (config-sfarm-host). For information about the commands in this mode, see the
following commands.
Use the no form of this command to remove a server farm from the configuration.
serverfarm [host] name
no serverfarm name
Syntax Description
Command Modes Configuration mode
Admin and user contexts
Command History
Usage Guidelines The commands in this mode require the server-farm feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
Examples To create a host server farm named SFARM1, enter:
host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)#
To delete the server farm named SFARM1, enter:
host1/Admin(config)# no serverfarm SFARM1
host (Optional) Specifies a server farm of mirrored real servers that
provide web content or services.
name Unique identifier of the server farm. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Related Commands show serverfarm
show running-config
(config) rserver
(config-sfarm-host) description
To configure the description of a server farm, use the description command. Use the no form of this
command to delete the description of a server farm.
description text
no description
Syntax Description
Command Modes Serverfarm host configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To configure a description of a server farm, enter:
host1/Admin(config-sfarm-host)# description CURRENT EVENTS ARCHIVE
To delete the description of a server farm, enter:
host1/Admin(config-sfarm-host)# no description
Related Commands This command has no related commands.
text Text description of a server farm. Enter an unquoted text string with
a maximum of 240 alphanumeric characters.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
(config-sfarm-host) dws
To enable a server farm for the dynamic workload scaling (DWS) feature, use the dws command. Use
the no form of this command to disable the DWS feature on a server farm.
dws {local | burst probe name}
no dws {local | burst probe name}
Syntax Description
Command Modes Serverfarm host configuration mode
Admin and user contexts
Command History
Usage Guidelines This command has no usage guidelines.
Examples To enable DWS on a server farm, enter the following command:
host1/Admin(config-sfarm-host)# dws burst probe VM_PROBE
To disable DWS on a server farm, enter the following command:
host1/Admin(config-sfarm-host)# no dws burst probe VM_PROBE
Related Commands This command has no related commands.
local Specifies that only the local pool of VMs is taken into account for
load-balancing decisions.
burst Specifies that remote VMs are taken into account for load balancing
decisions when the configured threshold for the load of the local pool
of VMs is reached or exceeded.
probe name Existing VM probe associated with this server farm. For details about
configuring a VM probe, see the (config-sfarm-host) probe
command.
ACE Module/Appliance
Release Modification
A4(2.0) This command was introduced.
(config-sfarm-host) failaction
To configure the action that the ACE takes if a real server in a server farm goes down, use the failaction
command. Use the no form of this command to reset the ACE to its default of taking no action when a
server fails.
failaction {purge | reassign [across-interface]}
no failaction
Syntax Description
Command Modes Serverfarm host configuration mode
Admin and user contexts
Command History
Usage Guidelines If you do not configure this command, the ACE takes the real server out of rotation for new connections
and allows existing connections to complete. The ACE does not send the connections to a backup server
in the server farm or to a backup server farm if all servers in the primary server farm fail. To clear
connections to servers that have failed prior to entering the failaction command, use the clear conn
command.
This feature is required for stateful firewall load balancing (FWLB). For details about FWLB, see the
Server Load-Balancing Guide, Cisco ACE Application Control Engine.
purge Specifies that the ACE remove the connections to a real server if that
real server in the server farm fails after you configure this command.
The ACE sends a reset (RST) both to the client and to the server that
failed.
reassign Specifies that the ACE reassigns existing server connections to the
backup real server, if a backup real server is configured. If no backup
real server is configured, this keyword has no effect.
across-interface (Optional) Instructs the ACE to reassign all connections from the
failed real server to a backup real server on a different VLAN that is
commonly referred to as a bypass VLAN. By default, this feature is
disabled.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised (reassign keyword added).
A2(3.0) The across-interface option was added.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised (reassign keyword added).
A4(1.0) The across-interface option was added.
The use of the failaction reassign command requires that you enable the transparent command (see
(config-sfarm-host) transparent) to instruct the ACE not to use NAT to translate the ACE VIP address
to the server IP address. The failaction reassign command is intended for use in FWLB where the
destination IP address for the connection coming in to the ACE is for the end-point real server, and the
ACE reassigns the connection so that it is transmitted through a different next hop.
Follow these configuration requirements and restrictions when you use the across-interface option:
• You must configure identical policies on the primary interface and the backup-server interface. The
backup interface must have the same feature configurations as the primary interface.
• If you configure a policy on the backup-server interface that is different from the policies on the
primary-server interface, that policy will be effective only for new connections. The reassigned
connection will always have only the primary-server interface policies.
• Interface-specific features (for example, NAT, application protocol inspection, outbound ACLs, or
SYN cookie) are not supported.
• You cannot reassign connections to the failed real server after it comes back up. This restriction also
applies to same-VLAN backup servers.
• You must connect real servers directly to the ACE. This requirement also applies to same-VLAN
backup servers.
• You must disable sequence number randomization on the firewall.
• Probe configurations should be similar on both ACEs and the interval values should be low. For
example, if you configure a high interval value on ACE1 and a low interval value on ACE2, the
reassigned connections may become stuck because of the probe configuration mismatch. ACE2 with
the low interval value will detect the primary server failure first and will reassign all its incoming
connections to the backup-server interface VLAN. ACE1 with the high interval value may not detect
the failure before the primary server comes back up and will still point to the primary server.
To minimize packet loss, we recommend the following probe parameter values on both ACEs:
– Interval: 2
– Faildetect: 2
– Passdetect interval: 2
– Passdetect count: 5
Examples To instruct the ACE to remove connections from a failed server in the server farm, enter:
host1/Admin(config-sfarm-host)# failaction purge
To specify that the ACE reassign the existing server connections to a backup real server in a different
VLAN, enter:
host1/Admin(config-sfarm-host)# failaction reassign across-interface
host1/Admin(config-sfarm-host)# transparent
To specify that the ACE reassign the existing server connections to the backup real server, enter:
host1/Admin(config-sfarm-host)# failaction reassign
host1/Admin(config-sfarm-host)# transparent
To reset the ACE to its default of taking no action if a real server fails, enter:
host1/Admin(config-sfarm-host)# no failaction
Related Commands (config-sfarm-host) transparent
(config-sfarm-host) fail-on-all
To configure the real servers in a server farm to use AND logic with respect to multiple server farm
probes, use the fail-on-all command in server farm host configuration mode. This command is
applicable to all probe types. The syntax of this command is:
fail-on-all
no fail-on-all
Syntax Description This command has no keywords or arguments.
Command Modes Server farm host configuration mode
Admin and user contexts
Command History
Usage Guidelines By default, real servers that you configure in a server farm inherit the probes that you configure directly
on that server farm. When you configure multiple probes on a server farm, the real servers in the server
farm use an OR logic with respect to the probes. This means that if one of the probes configured on the
server farm fails, all the real servers in that server farm fail and enter the PROBE-FAILED state.
With AND logic, if one server farm probe fails, the real servers in the server farm remain in the
OPERATIONAL state. If all the probes associated with the server farm fail, then all the real servers in
that server farm fail and enter the PROBE-FAILED state. You can also configure AND logic for probes
that you configure directly on real servers in a server farm. For more information, see the command in
server farm host real server configuration mode.
Examples To configure the real servers in the SFARM1 server farm to remain in the OPERATIONAL state unless
all of the probes configured on the server farm fail, enter the following commands:
host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)# probe HTTP_PROBE
host1/Admin(config-sfarm-host)# probe ICMP_PROBE
host1/Admin(config-sfarm-host)# fail-on-all
To remove the AND probe logic from the server farm and return the behavior to the default of OR logic,
enter the following command:
host1/Admin(config-sfarm-host)# no fail-on-all
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Related Commands This command has no related commands.
(config-sfarm-host) inband-health check
To enable inband health monitoring for each real server in a server farm, use the inband-health check
command. Use the no form of this command to disable inband health monitoring.
inband-health check {count | {log fail_threshold_count [reset milliseconds]} | {remove
fail_threshold_count [reset milliseconds] [resume-service seconds]}}
no inband-health
Syntax Description
Command Modes Server-farm host configuration mode
Admin and user contexts
Command History
count Tracks the total number of TCP or UDP connection failures and
increments the counters displayed by the show serverfarm name
inband command. No syslog message is generated and the server is
not removed from service.
log Logs a syslog error message when the number of connection failures
reaches the configured fail_threshold_count within the reset-time
interval.
remove Logs a syslog error message when the number of connection failures
reaches the configured fail_threshold_count within the reset-time
interval and removes the real server from service.
fail_threshold_count The maximum number of connection failures that a real server can
have during the configurable reset-time interval before the ACE
marks the real server as failed.
• For the ACE module, enter an integer from 4 to 4294967295.
• For the ACE appliance, enter an integer from 1 to 4294967295.
reset milliseconds Specifies the reset-time interval in milliseconds. For the milliseconds
argument, enter an integer from 100 to 300000. The default interval
is 100.
This interval starts when the ACE detects a connection failure. If the
connection failure threshold is reached during this interval, the ACE
generates a syslog message. If you configure the remove keyword,
the ACE also removes the real server from service.
resume-service seconds (Optional) Specifies the number of seconds after a server has been
marked as failed for the ACE to reconsider sending live connections.
For the seconds argument, enter an integer from 30 to 3600. The
default setting is 0.
ACE Module/Appliance
Release Modification
A4(1.0) This command was introduced.2-1231
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Server Farm Host Configuration Mode Commands
Usage Guidelines By default, the ACE monitors the health of all real servers in a configuration through the use of ARPs
and health probes. However, there is a latency period between when the real server goes down and when
the ACE becomes aware of the state.
When you configure the inband health monitoring feature, it informs the ACE load balancer of
connection failures on the real servers in a server farm. These connection failures are as follows:
• For TCP, resets (RSTs) from the server or SYN timeouts
• For UDP, ICMP Host, Network, Port, Protocol, and Source Route unreachable messages
When you configure the failure-count threshold and the number of these failures exceeds the threshold
within the reset-time interval, the ACE immediately marks the server as failed, takes it out of service,
and removes it from load balancing. The server is not considered for load balancing until the optional
resume-service interval expires.
Inband health monitoring has the following considerations and restrictions:
• When you configure inband health monitoring, the setting of the resume-service option for the
inband-health check command affects the behavior of the real server in the INBAND-HM-FAILED
state.
• Inband health monitoring works with connection reuse only when the ACE to server connection is
torn down, not for every request that is sent out on the reused connection.
• The state of the real server is not synchronized to the standby ACE when the state of the real server
changes due to inband health monitoring.
• If you configure a different port for probes than what is used for traffic forwarding (for example,
when you configure port inheritance or specify the port under the probe configuration), out-of-band
and inband health monitoring monitor different ports.
• If a server farm is attached to two different VIPs, one servicing TCP and the other servicing UDP
requests, and both TCP and UDP inband health monitoring are enabled on that server farm, the
inband probe that goes down first takes the real server down. We recommend that you configure two
different server farms, and enable both with inband health monitoring.
• When you configure inband health monitoring with a Layer 7 configuration containing a Layer 4 or
Layer 7 class map, you must configure the inactivity timeout using the set timeout inactivity
command to a time greater than the time to teardown the connection. The teardown time is based on
the number of SYN retries configured by the set tcp syn-retry command. Otherwise, inband health
monitoring does not track the syn-timeout failures. For example, if you configure the set tcp
syn-retry command to 4, the connection teardown takes 45 seconds. You must configure the set
timeout inactivity command to greater than 45 seconds.
• You can configure inband health monitoring to work with health probes to monitor a server. If you
do, both sets of health checks are required to keep a real server in service within a server farm. If
either detects a server is out of service, the ACE does not select the server for load balancing.
• You can configure inband health monitoring with HTTP return codes under the same server farm.
The reset interval starts when the ACE detects a connection failure. If the connection failure threshold
is reached during this interval, the ACE generates a syslog message. If you configure the remove
keyword, the ACE also removes the real server from service.
Changing the setting of the reset option affects the behavior of the real server, as follows:
• When the real server is in the OPERATIONAL state, even if several connection failures have
occurred, the new reset-time interval takes effect the next time that a connection error occurs.
• When the real server is in the INBAND-HM-FAILED state, the new reset-time interval takes effect the
next time that a connection error occurs after the server transitions to the OPERATIONAL state.
• The resume-service option has a default setting of 0. The setting of this option affects the behavior of
the real server in the INBAND-HM-FAILED state, as follows:
– When the resume-service option is not configured and has the default setting of 0, the real
server remains in the failed state until you manually enter the no inservice command followed
by the inservice command.
– When this option is not configured and has the default setting of 0 and then you configure this
option with an integer between 30 and 3,600, the failed real server immediately transitions to
the Operational state.
– When you configure this option and then increase the value, the real server remains in the failed
state for the duration of the previously configured value. The new value takes effect the next
time the real server transitions to the failed state.
– When you configure the resume-service option and then decrease the value, the failed real server
immediately transitions to the Operational state.
– When you configure this option with an integer between 30 and 3,600 and then reset it to the
default of 0, the real server remains in the failed state for the duration of the previously
configured value. The default setting takes effect the next time the real server transitions to the
failed state. Then the real server remains in the failed state until you manually enter the
no inservice command followed by the inservice command.
• When you change this option within the reset-time interval and the real server is in the
OPERATIONAL state with several connection failures, the new threshold interval takes effect the
next time that a connection error occurs, even if it occurs within the current reset-time interval.
Examples To track the total number of TCP or UDP failures for the real servers on a server farm and increment the
show serverfarm name inband command counters, enter:
host1/Admin(config)# serverfarm host SF1
host1/Admin(config-sfarm-host)# inband-health check count
To configure the ACE to remove a real server at a failure threshold of 400, and resume service to it after
300 seconds, enter:
host1/Admin(config-sfarm-host)# inband-health check remove 400 resume-service 300
To disable inband health monitoring, enter:
host1/Admin(config-sfarm-host)# no inband-health
Related Commands show serverfarm
(config-sfarm-host) partial-threshold
By default, if you configured a backup server farm and all real servers in the primary server farm go
down, the primary server farm fails over to the backup server farm. Partial server farm failover allows
you to specify a failover threshold. If the percentage of active real servers in a server farm falls below
the specified threshold, the primary server farm fails over to the backup server farm (if configured).
To enable partial server farm failover, use the partial-threshold command in server farm host
configuration mode. Use the no form of this command to disable partial server farm failover.
partial-threshold percentage1 back-inservice percentage2
no partial-threshold
Syntax Description
percentage1 Minimum percentage of real servers in the primary server farm that
must remain active for the server farm to stay up. If the percentage of
active real servers falls below this threshold, the ACE takes the server
farm out of service. Enter an integer from 0 to 99.
back-inservice percentage2 Specifies the percentage of real servers in the primary server farm
that must be active again for the ACE to place the server farm back
into service. Enter an integer from 0 to 99. The percentage configured
with the back-inservice keyword must be greater than or equal to the
percentage1 value.
Command Modes Server-farm host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines Each time that a server is taken out of service (for example, by an administrator using the CLI, because
of a probe failure, or because the retcode threshold is exceeded), the ACE is updated. If the percentage
of active real servers in a server farm falls below the specified threshold, the primary server farm fails
over to the backup server farm (if a backup server farm is configured).
With partial server farm failover configured, the ACE allows current connections on the remaining active
servers in the failed primary server farm to complete. The ACE redirects any new connection requests
to the backup server farm.
Examples To configure partial server farm failover, enter:
host1/Admin(config-sfarm-host)# partial-threshold 40 back-inservice 60
To disable partial server farm failover, enter:
host1/Admin(config-sfarm-host)# no partial-threshold
Related Commands show serverfarm
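The following Python is an added illustration, not Cisco's code: it models the partial-threshold hysteresis described above, where the primary farm leaves service when the active percentage falls below percentage1 and returns only once it reaches the back-inservice percentage2. The unrounded percentage and the single backup-farm name are assumptions.

```python
"""Model of partial server farm failover (partial-threshold percentage1
back-inservice percentage2).  Added illustration, not Cisco ACE code."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class PartialThreshold:
    """Both values are 0..99 and back_inservice must be >= percentage1,
    as the command reference requires."""
    percentage1: int       # farm fails over when the active % falls BELOW this
    back_inservice: int    # farm returns when the active % reaches this again

    def __post_init__(self) -> None:
        for value in (self.percentage1, self.back_inservice):
            if not 0 <= value <= 99:
                raise ValueError("percentages must be integers from 0 to 99")
        if self.back_inservice < self.percentage1:
            raise ValueError("back-inservice must be >= percentage1")


class ServerFarm:
    """Primary server farm with an optional backup farm name (assumed attribute)."""

    def __init__(self, name: str, rservers: Iterable[str],
                 threshold: PartialThreshold, backup: Optional[str] = None) -> None:
        self.name = name
        self.threshold = threshold
        self.backup = backup
        self.active: Dict[str, bool] = {rs: True for rs in rservers}
        self.in_service = True

    def active_percentage(self) -> float:
        """Percentage of real servers currently active (assumed: no rounding)."""
        return 100.0 * sum(self.active.values()) / len(self.active)

    def set_rserver(self, rserver: str, up: bool) -> bool:
        """Record a server state change (CLI, probe failure, retcode threshold)
        and re-evaluate the farm.  Returns True when the primary is in service."""
        self.active[rserver] = up
        pct = self.active_percentage()
        if self.in_service and pct < self.threshold.percentage1:
            self.in_service = False          # fail over to the backup farm
        elif not self.in_service and pct >= self.threshold.back_inservice:
            self.in_service = True           # hysteresis: needs the higher mark
        return self.in_service

    def farm_for_new_connection(self) -> Optional[str]:
        """Existing connections on the remaining active servers complete;
        new connection requests go to the backup farm while failed over."""
        if self.in_service:
            return self.name
        return self.backup
```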
(config-sfarm-host) predictor
To configure the load-balancing algorithm for the server farm, use the predictor command. Use the no
form of this command to revert to the default load-balancing algorithm (the round-robin algorithm).
predictor {hash {address [destination | source] [netmask]} | {content [offset number1]
[length number2] [begin-pattern expression1] [end-pattern expression2]} |
{cookie [secondary] name1} | {header name2} | {layer4-payload [offset number3] [length
number4] [begin-pattern expression3] [end-pattern expression4]} | {url [begin-pattern
expression5] [end-pattern expression6]}} | {least-bandwidth [samples number5]
[assess-time seconds]} | {least-loaded probe name3 [samples number6]} | {leastconns
[slowstart seconds]} | {response {app-req-to-resp | syn-to-close | syn-to-synack} [samples
number7]} | {roundrobin}
no predictor
Syntax Description hash address Selects the server using a hash value based on the source and
destination IP addresses. Use the hash address source and hash
address destination methods for firewall load balancing (FWLB).
destination (Optional) Selects the server using a hash value based on the
destination IP address.
source (Optional) Selects the server using a hash value based on the source
IP address.
netmask (Optional) Bits in the IP address to use for the hash. If not specified,
the default is 255.255.255.255.
hash content Selects the server using a hash value based on the specified content
string of the HTTP packet body.
offset number1 (Optional) Specifies the portion of the content that the ACE uses to
stick the client on a particular server by indicating the bytes to ignore
starting with the first byte of the payload. Enter an integer from 0 to
999. The default is 0, which indicates that the ACE does not exclude
any portion of the content.
length number2 (Optional) Specifies the length of the portion of the content (starting
with the byte after the offset value) that the ACE uses for sticking the
client to the server. Enter an integer from 1 to 1000. The default is the
entire payload.
The offset and length can vary from 0 to 1000 bytes. If the payload is
longer than the offset but shorter than the offset plus the length of the
payload, the ACE sticks the connection based on that portion of the
payload starting with the byte after the offset value and ending with
the byte specified by the offset plus the length. The total of the offset
and the length cannot exceed 1000.
Note: You cannot specify both the length and the end-pattern
options in the same hash content command.
begin-pattern expression1 (Optional) Specifies the beginning pattern of the content string and
the pattern string to match before hashing. If you do not specify a
beginning pattern, the ACE starts parsing the HTTP body
immediately following the offset byte. You cannot configure different
beginning and ending patterns for different server farms that are part
of the same traffic classification.
Enter an unquoted text string with no spaces and a maximum of
255 alphanumeric characters for each pattern that you configure. You
can enter a text string with spaces if you enclose the entire string in
quotation marks (“). The ACE supports the use of regular expressions
for matching string expressions.
When matching data strings, note that the period (.) and question
mark (?) characters do not have a literal meaning in regular
expressions. Use brackets ([]) to match these symbols (for example,
enter www[.]xyz[.]com instead of www.xyz.com). You can also use
a backslash (\) to escape a dot (.) or a question mark (?).
end-pattern expression2 (Optional) Specifies the pattern that marks the end of hashing. If you
do not specify either a length or an end pattern, the ACE continues to
parse the data until it reaches the end of the field or the end of the
packet, or until it reaches the maximum body parse length. You
cannot configure different beginning and ending patterns for
different server farms that are part of the same traffic classification.
Enter an unquoted text string with no spaces and a maximum of
255 alphanumeric characters for each pattern that you configure. You
can enter a text string with spaces if you enclose the entire string in
quotation marks (“). The ACE supports the use of regular expressions
for matching string expressions.
Note: You cannot specify both the length and the end-pattern
options in the same hash content command.
hash cookie Selects the server using a hash value based on the cookie name or
based on the name in the cookie name of the URL query string.
secondary (Optional) Selects the server by using the hash value based on the
specified name in the cookie name in the URL query string, not the
cookie header. If you do not include this option, the ACE selects a
real server using the hash value of the cookie name.
name1 Cookie name. Enter a cookie name as an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
hash header name2 Selects the server using a hash value based on the header name. Enter
a header name as an unquoted text string with no spaces and a
maximum of 64 alphanumeric characters, or enter one of the
following standard headers:
• Accept
• Accept-Charset
• Accept-Encoding
• Accept-Language
• Authorization
• Cache-Control
• Connection
• Content-MD5
• Expect
• From
• Host
• If-Match
• Pragma
• Referrer
• Transfer-Encoding
• User-Agent
• Via
hash layer4-payload Specifies a Layer 4 generic protocol load-balancing method. Use this
predictor to load balance packets from protocols that are not
explicitly supported by the ACE.
offset number3 (Optional) Specifies the portion of the payload that the ACE uses to
stick the client on a particular server by indicating the bytes to ignore
starting with the first byte of the payload. Enter an integer from 0 to
999. The default is 0, which indicates that the ACE does not exclude
any portion of the payload.
length number4 (Optional) Specifies the length of the portion of the payload (starting
with the byte after the offset value) that the ACE uses for sticking the
client to the server. Enter an integer from 1 to 1000. The default is the
entire payload.
The offset and length can vary from 0 to 1000 bytes. If the payload is
longer than the offset but shorter than the offset plus the length of the
payload, the ACE sticks the connection based on that portion of the
payload starting with the byte after the offset value and ending with
the byte specified by the offset plus the length. The total of the offset
and the length cannot exceed 1000.
Note: You cannot specify both the length and the end-pattern
options in the same hash layer4-payload command.
begin-pattern expression3 (Optional) Specifies the beginning pattern of the Layer 4 payload and
the pattern string to match before hashing. If you do not specify a
beginning pattern, the ACE starts parsing the HTTP body
immediately following the offset byte. You cannot configure different
beginning and ending patterns for different server farms that are part
of the same traffic classification.
Enter an unquoted text string with no spaces and a maximum of
255 alphanumeric characters for each pattern that you configure. You
can enter a text string with spaces if you enclose the entire string in
quotation marks (“). The ACE supports the use of regular expressions
for matching string expressions.
When matching data strings, note that the period (.) and question
mark (?) characters do not have a literal meaning in regular
expressions. Use brackets ([]) to match these symbols (for example,
enter www[.]xyz[.]com instead of www.xyz.com). You can also use
a backslash (\) to escape a dot (.) or a question mark (?).
end-pattern expression4 (Optional) Specifies the pattern that marks the end of hashing. If you
do not specify either a length or an end pattern, the ACE continues to
parse the data until it reaches the end of the field or the end of the
packet, or until it reaches the maximum body parse length. You
cannot configure different beginning and ending patterns for
different server farms that are part of the same traffic classification.
Enter an unquoted text string with no spaces and a maximum of
255 alphanumeric characters for each pattern that you configure. You
can enter a text string with spaces if you enclose the entire string in
quotation marks (“). The ACE supports the use of regular expressions
for matching string expressions.
Note: You cannot specify both the length and the end-pattern
options in the same hash layer4-payload command.
hash url Selects the server using a hash value based on the requested URL.
Use this predictor method to load balance cache servers. Cache
servers perform better with the URL hash method because you can
divide the contents of the caches evenly if the traffic is random
enough. In a redundant configuration, the cache servers continue to
work even if the active ACE switches over to the standby ACE. For
information about configuring redundancy, see the Administration
Guide, Cisco ACE Application Control Engine.
begin-pattern expression5 (Optional) Specifies the beginning pattern of the URL and the pattern
string to match before hashing. You cannot configure different
beginning and ending patterns for different server farms that are part
of the same traffic classification. Enter an unquoted text string with
no spaces and a maximum of 255 alphanumeric characters for each
pattern that you configure. If you want to match a URL that contains
spaces, you must use \x20 for each space character.
end-pattern expression6 (Optional) Specifies the pattern that marks the end of hashing. You
cannot configure different beginning and ending patterns for
different server farms that are part of the same traffic classification.
Enter an unquoted text string with no spaces and a maximum of
255 alphanumeric characters for each pattern that you configure. If
you want to match a URL that contains spaces, you must use \x20 for
each space character.
least-bandwidth Selects the server that processed the least amount of network traffic
over a specified sampling period. Use this predictor for heavy traffic
use, such as downloading a video clip. The ACE measures traffic
statistics between itself and the real servers in the server farm in both
directions and calculates the bandwidth over the sampling period.
Then, it creates an ordered list of real servers based on the sampling
results and selects the server that used the least amount of bandwidth
during the sampling period.
samples number5 (Optional) Specifies the number of samples over which you want to
weight and average the results of the probe query to calculate the
final load value. Enter an integer from 1 to 16. Each value must be a
power of 2, so the valid values are as follows: 1, 2, 4, 8, and 16. The
default is 8.
assess-time seconds (Optional) Specifies the sampling period over which the ACE
measures traffic for all the servers in the server farm. Enter an integer
from 1 to 10. The default is 2 seconds.
least-loaded Selects the server with the lowest load based on information obtained
from SNMP probes. To use this predictor, you must associate an
SNMP probe with the server farm. The ACE queries one
user-specified OID (for example, CPU utilization or memory
utilization). The ACE uses the retrieved value directly to determine
the server with the lowest load.
probe name3 Specifies the name of the SNMP probe that you want to query. Enter
an unquoted text string with no spaces and a maximum of
64 alphanumeric characters.
samples number6 (Optional) Specifies the number of samples over which you want to
weight and average the results of the probe query to calculate the
final load value. Enter an integer from 1 to 16. Each value must be a
power of 2, so the valid values are as follows: 1, 2, 4, 8, and 16. The
default is 8.
leastconns Selects the real server with the fewest number of active connections
based on the server weight. Use this predictor for processing light
user requests (for example, browsing simple static web pages). For
information about setting real server weight, see the
(config-sfarm-host-rs) weight section.
slowstart seconds (Optional) Specifies that the connections to the real server be in a
slow-start mode for the duration indicated by the seconds value. Use
the slow-start mechanism to avoid sending a high rate of new
connections to servers that you have recently put into service.
Enter an integer from 1 to 65535, where 1 is the slowest ramp-up
value. By default, slowstart is disabled.
response Selects the server with the lowest response time for the requested
response-time measurement. If you do not specify a response-time
measurement method, the ACE uses the HTTP app-req-to-resp
method.
app-req-to-resp (Default) Measures the response time from when the ACE sends an
HTTP request to a server to the time that the ACE receives a response
from the server for that request. The ACE does not allow you to
configure this predictor response in a generic load-balancing policy
map.
syn-to-close Measures the response time from when the ACE sends a TCP SYN to
a server to the time that the ACE receives a CLOSE from the server.
syn-to-synack Measures the response time from when the ACE sends a TCP SYN to
a server to the time that the ACE receives the SYN-ACK from the
server.
samples number7 (Optional) Number of samples over which you want to average the
results of the response time measurement. Enter an integer from 1 to
16 in powers of 2. Valid values are: 1, 2, 4, 8, and 16. The default is 8.
roundrobin (Default) Selects the next server in the list of real servers based on
server weight (weighted round-robin). For information about setting
real server weight, see the (config-sfarm-host-rs) weight section.
Command Modes Server-farm host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
A2(1.4) and A2(2.1) The secondary option for the hash cookie keyword was added.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
A3(2.2) The secondary option for the hash cookie keyword was added.
Usage Guidelines Use this command to specify the load-balancing algorithm that the ACE uses in choosing a real server
in the server farm. If you do not specify the predictor command, the default algorithm is roundrobin.
Using the no form of this command changes the configured predictor algorithm to the default algorithm.
The weight assigned to the real servers is used only in the roundrobin and leastconns predictor
methods. The hash and the response predictor methods do not recognize the weight for the real servers.
For information about setting real server weight, see the (config-sfarm-host-rs) weight section.
If you configure the leastconns predictor, you can use a slowstart mechanism (ramp-up) to avoid
sending a high rate of new connections to the servers that have just been put in service. The real server
with the fewest number of active connections will get the next connection request for the server farm
with the leastconns predictor. The ramp-up stops when the duration timer that you specify expires.
The only time that the sequence of servers starts over at the beginning (with the first server) is when there
is a configuration or server state change (for example, a probe failure).
Server weights take effect only when there are open connections to the servers. When there are no
sustained connections to any of the servers, the leastconns predictor method behaves like the roundrobin
method.
The secondary option allows the ACE to correctly load balance in cases when the query string identifies
the actual resource, instead of the URL.
Examples To configure the ACE to select the real server with the lowest number of connections in the server farm,
enter:
host1/Admin(config-sfarm-host)# predictor leastconns slowstart 300
To reset the load-balancing algorithm to the default of roundrobin, enter:
host1/Admin(config-sfarm-host)# no predictor
Related Commands (config-sfarm-host-rs) weight
(config-sfarm-host) probe
Use probes to monitor the health of real servers in a server farm. To associate a probe with a server farm,
use the probe command. Use the no form of this command to dissociate a probe from a server farm.
probe probe-name
no probe probe-name
Syntax Description
probe-name Identifier of an existing probe that you want to associate with a server
farm. Enter an unquoted text string with no spaces and a maximum
of 64 alphanumeric characters.
Command Modes Serverfarm host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The probe must already exist. (To create a probe, see the (config) probe command.) You can associate
multiple probes of the same or different protocols with each server farm.
Examples To associate a probe with a server farm, enter:
host1/Admin(config-sfarm-host)# probe TCP1
To dissociate a probe from a server farm, enter:
host1/Admin(config-sfarm-host)# no probe TCP1
Related Commands (config) probe
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Server Farm Host Configuration Mode Commands
(config-sfarm-host) retcode
To configure HTTP return-code checking (retcode map) for a server farm, use the retcode command.
Use the no form of this command to dissociate a return code map. You can specify a single return code
number or a range of return code numbers. For example, you can instruct the ACE to check for and count
the number of occurrences of such return codes as HTTP/1.1 200 OK, HTTP/1.1 100 Continue, or
HTTP/1.1 404 Not Found.
retcode number1 number2 check {count | {log threshold_number reset seconds1
| {remove threshold_number reset seconds1 [resume-service seconds2]}}
no retcode number1 number2
Syntax Description
Command Modes Server-farm host configuration mode
Admin and user contexts
number1 Minimum value for an HTTP return code. Enter an integer from 100
to 599. The minimum value must be less than or equal to the
maximum value.
number2 Maximum value for an HTTP return code. Enter an integer from 100
to 599. The maximum value must be greater than or equal to the
minimum value.
check Checks for HTTP return codes associated with the server farm.
count Tracks the total number of return codes received for each return code
number that you specify.
log Specifies a syslog error message when the number of events reaches
the threshold specified by the threshold_number argument.
remove Specifies a syslog error message when the number of events reaches
the threshold specified by the threshold_number argument and the
ACE removes the server from service.
threshold_number Threshold for the number of events that the ACE receives before it
performs the log or remove action.
• For the ACE module, enter an integer from 4 to 4294967295.
• For the ACE appliance, enter an integer from 1 to 4294967295.
reset seconds1 Specifies the time interval in seconds over which the ACE checks for
the return code for the log or remove action.
• For the ACE module, enter an integer from 1 to 4294967295.
• For the ACE appliance, enter an integer from 1 to 2147483647.
resume-service seconds2 (Optional) Specifies the number of seconds that the ACE waits before
it resumes service for the real server automatically after taking the
real server out of service because the remove option is configured.
Enter an integer from 30 to 3600. The default setting is 0.2-1243
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Server Farm Host Configuration Mode Commands
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
A4(1.0) The lowest integer for the threshold_number argument was changed
from 2 to 4.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
Usage Guidelines You can configure multiple return code maps on each server farm. You can view hitcounts for return code
checking by using the show serverfarm command.
The setting of the resume-service option affects the behavior of the real server in the failed state, as follows:
• When the resume-service option is not configured and has the default setting of 0, the real server
remains in the failed state until you manually enter the no inservice command followed by the
inservice command.
• When this option is not configured and has the default setting of 0, and you then configure it
with an integer between 30 and 3600, the failed real server transitions to the Operational state.
• When you configure this option and then increase the value, the real server remains in the failed state
for the duration of the previously configured value. The new value takes effect the next time the real
server transitions to the failed state.
• When you configure this option and then decrease the value, the failed real server transitions to the
Operational state.
• When you configure this option with an integer between 30 and 3600 and then reset it to the default
of 0, the real server remains in the failed state for the duration of the previously configured value.
The default setting takes effect the next time the real server transitions to the failed state. Then the
real server remains in the failed state until you manually enter the no inservice command followed
by the inservice command.
The ACE performs the log or remove actions only if the threshold_number value for a particular retcode
is reached within a specified period of time. The time period is defined from the receipt of a retcode until
the next reset time.
Examples To check for and count the number of return code hits for all return codes from 200 to 500 inclusive,
enter:
host1/Admin(config-sfarm-host)# retcode 200 500 check count
To remove the HTTP return-code map from the configuration, enter:
host1/Admin(config-sfarm-host)# no retcode 200 500
Related Commands show serverfarm
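The threshold-within-a-window rule and the resume-service behavior described in the retcode usage guidelines above, as an added Python model. This is example code, not Cisco ACE software: the class names, the 60-second reset window and the sample status codes are constructed for the illustration; the count/log/remove actions, the 0 or 30 to 3600 second resume-service values and the manual "no inservice" / "inservice" recovery are the behaviors the reference describes.

```python
"""Model of an HTTP return-code map with a hit threshold and reset window.

Added example, not Cisco ACE code. It simulates the documented rule that the
log or remove action fires only when the threshold for a return code is reached
within one window (from the first hit until the next reset time), and the
resume-service behaviour after a remove. Class and attribute names are
hypothetical; the count/log/remove keywords and the 0 / 30-3600 second ranges
come from the command reference.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RetcodeMap:
    lo: int                      # first HTTP return code of the range
    hi: int                      # last HTTP return code of the range (inclusive)
    action: str                  # "count", "log" or "remove"
    threshold: int = 4           # hits per window needed to act (A4(1.0) minimum is 4)
    reset: int = 60              # window length in seconds (constructed value)
    resume_service: int = 0      # 0 = stay failed until "no inservice" / "inservice"

    def __post_init__(self):
        if self.action not in ("count", "log", "remove"):
            raise ValueError("action must be count, log or remove")
        if self.resume_service and not 30 <= self.resume_service <= 3600:
            raise ValueError("resume-service must be 0 or between 30 and 3600")


@dataclass
class RealServer:
    name: str
    state: str = "OPERATIONAL"
    hits: Dict[int, int] = field(default_factory=dict)            # code -> hits in window
    window_start: Dict[int, float] = field(default_factory=dict)  # code -> window start
    resume_at: Optional[float] = None                             # automatic resume time
    log: List[str] = field(default_factory=list)


class RetcodeChecker:
    """Applies the configured return-code maps to the responses of one server farm."""

    def __init__(self, maps: List[RetcodeMap]):
        self.maps = maps

    def observe(self, rs: RealServer, code: int, now: float) -> Optional[str]:
        """Record one HTTP status code seen from rs; return the action taken, if any.
        The first map whose range contains the code is the one that applies."""
        for m in self.maps:
            if not m.lo <= code <= m.hi:
                continue
            start = rs.window_start.get(code)
            if start is None or now - start >= m.reset:
                # First hit, or the previous window has reset: counting starts over.
                rs.window_start[code] = now
                rs.hits[code] = 0
            rs.hits[code] += 1
            if m.action == "count":
                return "count"          # counting only; visible via "show serverfarm"
            if rs.hits[code] < m.threshold:
                return None             # threshold not reached within this window
            rs.hits[code] = 0           # acted on: start a fresh window
            rs.window_start[code] = now
            if m.action == "log":
                rs.log.append(f"{rs.name}: retcode {code} reached threshold {m.threshold}")
                return "log"
            if rs.state == "OPERATIONAL":
                rs.state = "FAILED"
                rs.resume_at = now + m.resume_service if m.resume_service else None
                rs.log.append(f"{rs.name}: removed from service after retcode {code}")
                return "remove"
        return None

    @staticmethod
    def tick(rs: RealServer, now: float) -> str:
        """Advance time: a removed server resumes only once resume-service has elapsed."""
        if rs.state == "FAILED" and rs.resume_at is not None and now >= rs.resume_at:
            rs.state = "OPERATIONAL"
            rs.resume_at = None
        return rs.state

    @staticmethod
    def manual_reinservice(rs: RealServer) -> str:
        """The operator enters 'no inservice' followed by 'inservice'."""
        rs.state = "OPERATIONAL"
        rs.resume_at = None
        return rs.state
```

With resume-service left at 0 the server stays FAILED however much time passes, which is the state an operator has to notice and clear by hand; the model makes that distinction explicit by returning the unchanged state from tick().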
(config-sfarm-host) rserver
To associate one or more existing host real servers with a server farm and access serverfarm host real
server configuration mode, use the rserver command. The CLI prompt changes to
(config-sfarm-host-rs). For information on commands in serverfarm host real server configuration mode,
see the “Server Farm Host Real Server Configuration Mode Commands” section. Use the no form of this
command to dissociate the real server from the server farm.
rserver name [port]
no rserver name [port]
Syntax Description
name Unique identifier of the real server. Enter an unquoted text string with
no spaces and a maximum of 64 alphanumeric characters.
port (Optional) Port number used for the real server Port Address
Translation (PAT). Enter an integer from 1 to 65535.
Command Modes Serverfarm host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The real server must already exist. To create a real server, see the (config) rserver command. You can
associate a maximum of 16,384 real servers with a server farm.
You can configure a combination of IPv6 and IPv4 servers in a server farm (mixed mode), but a mixed
mode server farm will have limited feature support.
Caution Do not configure under a real server a peer IPv6 address that is calculated from EUI64. In a redundant
configuration, if you configure a peer IPv6 address as EUI64 on an interface, the address will not be
learned by the active member of an FT group because the address is calculated only on the peer. If you
then configure the same calculated IPv6 address on the active under a real server, the CLI accepts it
because it does not calculate it. This IPv6 address is not synced to the standby because it conflicts with
the interface address. If you subsequently apply a probe to the real server, the state of the real server is
PROBE-FAILED on the active and OUTOFSERVICE on the standby. This same check applies to
VIPs, routes, interfaces, and probes.
If you choose not to assign a port number for the real server association with the server farm, the default
behavior by the ACE is to automatically assign the same destination port that was used by the inbound
connection to the outbound server connection. For example, if the incoming connection to the ACE is a
secure client HTTPS connection, the connection is typically made on port 443. If you do not assign a
port number to the real server, the ACE will automatically use port 443 to connect to the server, which
results in the ACE making a clear-text HTTP connection over port 443. In this case, you would typically
define an outbound destination port of 80, 81, or 8080 for the backend server connection.
Examples To associate a real server with a server farm, enter:
host1/Admin(config-sfarm-host)# rserver server1 80
To dissociate a real server from a server farm, enter:
host1/Admin(config-sfarm-host)# no rserver server1 80
Related Commands (config) rserver
(config-sfarm-host) transparent
To configure the ACE not to use Network Address Translation (NAT) to translate the ACE VIP address
to the server IP address, use the transparent command. Use the no form of this command to reset the
ACE to its default of using NAT to translate the VIP address to the server IP address.
transparent
no transparent
Syntax Description This command has no keywords or arguments.
Command Modes Serverfarm host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Use this command in firewall load balancing (FWLB) when you configure the insecure and secure sides
of the firewall as a server farm. For details about FWLB, see the Server Load-Balancing Guide, Cisco
ACE Application Control Engine.
Examples To prevent the ACE from using NAT to translate the ACE VIP address to the server IP address, enter:
host1/Admin(config-sfarm-host)# transparent
host1/Admin(config-sfarm-host)#
To reset the ACE to its default of using NAT to translate the VIP address to the server IP address, enter:
host1/Admin(config-sfarm-host)# no transparent
host1/Admin(config-sfarm-host)#
Related Commands This command has no related commands.
Serverfarm Host Predictor Configuration Mode Commands
Serverfarm host predictor configuration mode commands allow you to configure additional parameters
for some of the server farm predictor methods.
To configure these additional predictor parameters, use the predictor least-loaded or the predictor
response command in serverfarm host configuration mode. The CLI prompt changes to
(config-sfarm-host-predictor). For information about the commands in this mode, see the following
commands. Use the no form of this command to remove the predictor from the server farm.
predictor {least-loaded probe name | response {app-req-to-resp | syn-to-close | syn-to-synack} [samples number]}
no predictor
Syntax Description least-loaded Selects the server with the lowest load based on information obtained
from SNMP probes. To use this predictor, you must associate an
SNMP probe with the server farm. The ACE queries one
user-specified OID (for example, CPU utilization or memory
utilization). The ACE uses the retrieved value directly to determine
the server with the lowest load.
probe name Specifies the name of the SNMP probe that you want to query. Enter
an unquoted text string with no spaces and a maximum of
64 alphanumeric characters.
response Selects the server with the lowest response time for the requested
response-time measurement. If you do not specify a response-time
measurement method, the ACE uses the HTTP app-req-to-resp
method.
app-req-to-resp (Default) Measures the response time from when the ACE sends an
HTTP request to a server to the time that the ACE receives a response
from the server for that request. The ACE does not allow you to
configure this predictor response in a generic load-balancing policy
map.
syn-to-close Measures the response time from when the ACE sends a TCP SYN to
a server to the time that the ACE receives a CLOSE from the server.
syn-to-synack Measures the response time from when the ACE sends a TCP SYN to
a server to the time that the ACE receives the SYN-ACK from the
server.
samples number (Optional) Number of samples over which you want to average the
results of the response time measurement. Enter an integer from 1 to
16 in powers of 2. Valid values are: 1, 2, 4, 8, and 16. The default is 8.
Command Modes Serverfarm host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The commands in this mode require the server-farm feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
Examples To specify the least-loaded predictor method with a probe called SNMP_PROBE for the server farm,
enter:
host1/Admin(config-sfarm-host)# predictor least-loaded probe SNMP_PROBE
host1/Admin(config-sfarm-host-predictor)#
To remove the least-loaded predictor from the server farm, enter:
host1/Admin(config-sfarm-host)# no predictor
To specify the response predictor method that measures the response time from when the ACE sends an
HTTP request to a server to the time that the ACE receives a response from the server for that request,
enter:
host1/Admin(config-sfarm-host)# predictor response app-req-to-resp
host1/Admin(config-sfarm-host-predictor)#
To remove the response predictor from the server farm, enter:
host1/Admin(config-sfarm-host)# no predictor
Related Commands show serverfarm detail
(config-sfarm-host) predictor
(config-sfarm-host-predictor) autoadjust
(config-sfarm-host-predictor) weight connection
(config-sfarm-host-predictor) autoadjust
After you specify the predictor least-loaded command, use the autoadjust command to instruct the
ACE to apply the maximum load of 16000 to a real server whose load reaches zero, or to override the
default behavior. Use the no form of this command to reset the behavior of the ACE to the default of
applying the average load of the server farm to a real server whose load is zero.
autoadjust {average | maxload | off}
no autoadjust
Syntax Description
average Applies the average load of the server farm to a real server whose
load is zero. This setting allows the server to participate in load
balancing, while preventing it from being flooded by new
connections. This is the default setting.
maxload Instructs the ACE to apply the maximum load of 16000 to a real
server whose load reaches zero.
off Overrides the default behavior of the ACE of applying the average
load of the server farm to a real server whose load is zero. When you
configure this command, the ACE sends all new connections to the
server that has a load of zero until the next load update arrives from
the SNMP probe for this server.
If two servers have the same lowest load (either zero or nonzero), the
ACE load balances the connections between the two servers in a
round-robin manner.
Command Modes Serverfarm host predictor configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
A2(2.4) The average load became the default autoadjust setting for the
least-loaded predictor. Previously, the default setting was maximum
load.
The maxload keyword was added to set the least-loaded predictor to
maximum load.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
A4(1.0) The average load became the default autoadjust setting for the
least-loaded predictor. Previously, the default setting was maximum
load.
The maxload keyword was added to set the least-loaded predictor to
maximum load.
Usage Guidelines Whenever a server’s load reaches zero, by default, the ACE uses the autoadjust feature to assign an
average load value to that server to prevent it from being flooded with new incoming connections. The
ACE periodically adjusts this load value based on feedback from the server’s SNMP probe and other
configured options.
Using the least-loaded predictor with the configured server weight and the current connection count
option enabled, the ACE calculates the final load of a real server as follows:
final load = weighted load × static weight × current connection count
where:
• weighted load is the load reported by the SNMP probe
• static weight is the configured weight of the real server
• current connection count is the total number of active connections to the real server
The ACE recalculates the final load whenever the connection count changes, provided that the weight
connection command is configured. If the weight connection command is not configured, the ACE
updates the final load when the next load update arrives from the SNMP probe.
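The final-load formula above, together with the three autoadjust settings and the round-robin tie-break described for this command, as an added Python model. This is example code, not Cisco ACE software: the class and method names and the sample farm are constructed, and the "average load of the server farm" is assumed here to be the mean of the loads the SNMP probe reports for all servers in the farm, which the reference does not define further.

```python
"""Model of the least-loaded predictor's final-load calculation and autoadjust.

Added example, not Cisco ACE code. It applies the documented formula
    final load = weighted load x static weight x current connection count
(the connection-count factor only when "weight connection" is configured) and
the three autoadjust settings for a server whose SNMP probe reports a load of
zero: average (the default), maxload (16000) and off. Servers that tie on the
lowest final load are chosen in round-robin order. Class and method names are
hypothetical; the farm average is assumed to be the mean of all reported loads.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_LOAD = 16000  # load applied by "autoadjust maxload"


@dataclass
class Rserver:
    name: str
    snmp_load: float      # weighted load: the value retrieved by the SNMP probe
    weight: int = 8       # configured static weight of the real server
    conns: int = 0        # current connection count


class LeastLoaded:
    def __init__(self, autoadjust: str = "average", weight_connection: bool = False):
        if autoadjust not in ("average", "maxload", "off"):
            raise ValueError("autoadjust must be average, maxload or off")
        self.autoadjust = autoadjust
        self.weight_connection = weight_connection
        self._rr: Dict[Tuple[str, ...], int] = {}   # round-robin position per tie set

    def adjusted_load(self, farm: List[Rserver], rs: Rserver) -> float:
        """Probe load after autoadjust; only a reported load of zero is adjusted."""
        if rs.snmp_load != 0 or self.autoadjust == "off":
            return rs.snmp_load
        if self.autoadjust == "maxload":
            return MAX_LOAD
        return sum(s.snmp_load for s in farm) / len(farm)   # assumed farm average

    def final_load(self, farm: List[Rserver], rs: Rserver) -> float:
        load = self.adjusted_load(farm, rs) * rs.weight
        if self.weight_connection:
            load *= rs.conns      # recalculated whenever the connection count changes
        return load

    def select(self, farm: List[Rserver]) -> Rserver:
        """Pick the server with the lowest final load; break ties round-robin."""
        loads = {rs.name: self.final_load(farm, rs) for rs in farm}
        lowest = min(loads.values())
        tied = [rs for rs in farm if loads[rs.name] == lowest]
        key = tuple(rs.name for rs in tied)
        idx = self._rr.get(key, 0)
        self._rr[key] = (idx + 1) % len(tied)
        return tied[idx]
```

Running the same three-server farm through the three autoadjust settings shows why "average" is the default: with "off", the server whose probe reports zero (typically one that just came up, or one whose agent is not answering) takes every new connection until the next SNMP update, while "maxload" pushes it to the back of the queue instead.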
Examples To instruct the ACE to apply the maximum load of 16000 to a real server whose load reaches zero, enter:
host1/Admin(config-sfarm-host-predictor)# autoadjust maxload
To turn off the autoadjust feature for all servers in a server farm so that servers with a load of zero receive
all new connections, enter:
host1/Admin(config-sfarm-host-predictor)# autoadjust off
To reset the behavior of the ACE to the default of applying the average load of the server farm to a real
server whose load is zero, enter:
host1/Admin(config-sfarm-host-predictor)# no autoadjust
You can also reset the behavior of the ACE to the default by entering the following:
host1/Admin(config-sfarm-host-predictor)# autoadjust average
Related Commands show serverfarm detail
(config-sfarm-host) predictor
(config-sfarm-host-predictor) weight connection2-1250
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Serverfarm Host Predictor Configuration Mode Commands
(config-sfarm-host-predictor) weight connection
After you specify the predictor least-loaded or the predictor response command, use the weight
connection command to instruct the ACE to use the current connection count in the final load calculation
for each real server in the server farm. Use the no form of this command to reset the behavior of the ACE
to the default of excluding the current connection count from the load calculation.
weight connection
no weight connection
Syntax Description This command has no keywords or arguments.
Command Modes Serverfarm host predictor configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines To see how the weight connection command affects the (config-sfarm-host-predictor) autoadjust
command for the least-loaded predictor, see the Usage Guidelines section of the
(config-sfarm-host-predictor) autoadjust command.
Examples To instruct the ACE to use the current connection count in the final load calculation for each real server
in the server farm, enter:
host1/Admin(config-sfarm-host-predictor)# weight connection
To reset the behavior of the ACE to the default of excluding the current connection count from the load
calculation, enter:
host1/Admin(config-sfarm-host-predictor)# no weight connection
Related Commands show serverfarm detail
(config-sfarm-host) predictor
(config-sfarm-host-predictor) autoadjust
Server Farm Host Real Server Configuration Mode Commands
Serverfarm host real server configuration mode commands allow you to associate a host real server with
a host server farm and configure the real server attributes.
To associate one or more existing host real servers with a host server farm and access serverfarm host
real server configuration mode, use the rserver command in serverfarm host configuration mode. The
CLI prompt changes to (config-sfarm-host-rs). For information about the commands in this mode, see
the following commands. Use the no form of this command to remove the real server from the server
farm.
rserver name [port]
no rserver name
Syntax Description
name Unique identifier of the real server. Enter an unquoted text string with
no spaces and a maximum of 64 alphanumeric characters.
port (Optional) Port number used for the real server Port Address
Translation (PAT). Enter an integer from 1 to 65535.
Command Modes Serverfarm host configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the server-farm feature in your user role unless otherwise specified.
For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco
ACE Application Control Engine.
The real server must already exist. To create a real server, see the (config) rserver command. You can
associate a maximum of 16,384 real servers with a server farm.
Examples To associate a real server with a server farm, enter:
host1/Admin(config-sfarm-host)# rserver SERVER1
To dissociate a real server from a server farm, enter:
host1/Admin(config-sfarm-host)# no rserver SERVER1
Related Commands This command has no related commands.
(config-sfarm-host-rs) backup-rserver
To configure a backup real server for a real server in a server farm, use the backup-rserver command.
If a real server associated with a server farm becomes unavailable, the ACE directs flows to the
configured backup real server. Use the no form of this command to remove a backup real server from
the configuration.
backup-rserver name [port]
no backup-rserver
Syntax Description
name Unique identifier of an existing real server that you want to configure
as a backup server in a server farm. Enter an unquoted text string with
no spaces and a maximum of 64 alphanumeric characters.
port (Optional) Port number used for the backup real server Port Address
Translation (PAT). Enter an integer from 0 to 65535.
Command Modes Serverfarm host real server configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(2.2) This command now supports cyclic backup of real servers in a server
farm.
Usage Guidelines The real server used as a backup server must already exist. To create a real server, see the (config)
rserver command.
Examples To associate a backup real server with a server farm, enter:
host1/Admin(config-sfarm-host-rs)# backup-rserver BACKUP_SERVER1 3500
To dissociate a backup real server from a server farm, enter:
host1/Admin(config-sfarm-host-rs)# no backup-rserver
Related Commands (config) rserver
(config-sfarm-host-rs) inservice
(config-sfarm-host-rs) conn-limit
To configure the maximum and minimum number of connections that you want to allow for a host real
server in a server farm, use the conn-limit command. Use the no form of this command to reset the limits
for the real server maximum connections and minimum connections to the default of 4000000.
conn-limit max maxconns min minconns
no conn-limit
Syntax Description
max maxconns Specifies the maximum number of connections allowed for this real
server. Enter an integer from 2 to 4000000. The default is 4000000.
min minconns Specifies the connection threshold below which the real server will
start accepting connections again after the number of connections
exceeds the configured maximum number of connections. Enter an
integer from 2 to 4000000. The default is minconns equal to
maxconns.
Command Modes Serverfarm host real server configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Use this command to specify the maximum number of connections and the minimum connection
threshold for a host real server in a server farm. The minconns value must be less than or equal to the
maxconns value. The ACE uses the minconns value as a threshold to start accepting connections again
after the maxconns limit is exceeded.
Examples To configure the maximum number of connections and the minimum connection threshold for a host real
server, enter:
host1/Admin(config-sfarm-host-rs)# conn-limit max 65535 min 40000
To reset the maximum number of connections and the minimum connection threshold for a host real
server to the default of 4000000, enter:
host1/Admin(config-sfarm-host-rs)# no conn-limit
Related Commands (config-sfarm-host-rs) rate-limit
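The maxconns/minconns hysteresis that the conn-limit usage guidelines describe, as an added Python model. This is example code, not Cisco ACE software: the class, the replay() helper and the small limits used to exercise it are constructed for the illustration; the 2 to 4000000 range, the default of minconns equal to maxconns and the rule that the server accepts again only once the count falls below minconns are taken from the reference.

```python
"""Model of the conn-limit max/min hysteresis for one real server.

Added example, not Cisco ACE code. It admits new connections until the
configured maximum is reached and, once the limit has been hit, refuses new
connections until the active count drops below the minimum threshold, as the
Usage Guidelines describe. Class and method names are hypothetical; the
2-4000000 range and the "minconns equals maxconns" default come from the
command reference.
"""
from typing import List, Optional

CONN_MAX = 4000000   # upper bound and default for both maxconns and minconns


class ConnLimit:
    def __init__(self, maxconns: int = CONN_MAX, minconns: Optional[int] = None):
        if minconns is None:
            minconns = maxconns                  # default: minconns equals maxconns
        if not 2 <= minconns <= maxconns <= CONN_MAX:
            raise ValueError("need 2 <= minconns <= maxconns <= 4000000")
        self.maxconns = maxconns
        self.minconns = minconns
        self.current = 0        # active connections to the real server
        self.throttled = False  # set when maxconns was hit; cleared below minconns

    def admit(self) -> bool:
        """Try to open a new connection; return True if the server accepts it."""
        if self.throttled:
            if self.current >= self.minconns:
                return False    # still at or above the re-admission threshold
            self.throttled = False
        if self.current >= self.maxconns:
            self.throttled = True   # limit reached: refuse until below minconns
            return False
        self.current += 1
        return True

    def close(self) -> None:
        """A connection to the real server ended."""
        if self.current > 0:
            self.current -= 1

    def eligible(self) -> bool:
        """Whether the load balancer should still consider this server for new flows."""
        return not (self.throttled and self.current >= self.minconns)


def replay(limit: ConnLimit, events: str) -> List[bool]:
    """Replay a constructed event string ('+' = new connection, '-' = close)
    and return the admit() result of every '+' in order."""
    results: List[bool] = []
    for ev in events:
        if ev == "+":
            results.append(limit.admit())
        elif ev == "-":
            limit.close()
    return results
```

The gap between maxconns and minconns is what keeps a server that is hovering at its limit from flapping in and out of the load-balancing decision on every connection; with the default (minconns equal to maxconns) a single closed connection is enough to re-admit traffic.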
(config-sfarm-host-rs) cookie-string
To configure a cookie string value of the real server for HTTP cookie insertion when establishing a sticky
connection, use the cookie-string command. Use the no form of this command to remove the
user-defined cookie string value of the real server for cookie insertion and have the ACE generate the
cookie string for the associated real server.
cookie-string text_string
no cookie-string
Syntax Description
text_string Cookie string value for the real server. Enter a text string with a
maximum of 32 alphanumeric characters. When you include spaces
and special characters in a cookie string value, enter a quoted text
string (for example, “test cookie string”). The quotes appear in the
running-configuration file.
Command Modes Serverfarm host real server configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A4(1.0) This command was introduced.
ACE Appliance Release Modification
A3(2.2) This command was introduced.
Usage Guidelines Use cookie insertion when you want to use a session cookie for persistence if the server is not currently
setting the appropriate cookie. When you configure a cookie string value, the ACE inserts the cookie in
the Set-Cookie header of the response from the server to the client.
If you do not configure a cookie string value, when you enable cookie insertion for a sticky group, the
ACE generates the cookie string for each real server after sending a connection to it. The ACE-generated
cookie string appears as “Rxxxxxxx” (for example, R2148819051).
When configuring a cookie string value, consider the following:
• You can configure one cookie string for each real server.
• The ACE automatically uses the user-defined cookie string for cookie insertion for a sticky group
instead of the ACE-generated cookie string.
• Ensure that there are no duplicate strings configured for real servers. If there are duplicate cookie
strings, the old entry will be removed and the sticky database will use the latest configured cookie string
for the real server.
If you remove the user-defined cookie string from a real server, the ACE generates the cookie string for
the associated real server after sending a connection.
Examples To configure a cookie string value of the real server for HTTP cookie insertion, enter:
host1/Admin(config-sfarm-host-rs)# cookie-string ABC123
To remove the configured cookie string value, enter:
host1/Admin(config-sfarm-host-rs)# no cookie-string
Related Commands show sticky database
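The cookie-insertion behavior from the usage guidelines above (a user-defined string per real server, an ACE-generated "Rxxxxxxx" value otherwise, and the rule that a duplicate string moves the sticky entry to the most recently configured server), as an added Python model. This is example code, not Cisco ACE software: the sticky cookie name ACE_STICKY, the CRC32-based stand-in for the generated value and all class and method names are constructed for the illustration; the reference does not document how the ACE derives its cookie values.

```python
"""Model of HTTP cookie insertion with per-server cookie strings.

Added example, not Cisco ACE code. It keeps one cookie string per real server,
uses a user-defined string when one is configured and otherwise generates an
"Rxxxxxxx" value after the first connection to that server, and applies the
documented duplicate rule: a cookie string configured on a second server
replaces the older entry in the sticky database. The cookie name, the
generator (a CRC32 of the server name) and the class and method names are
constructed for this example.
"""
import zlib
from typing import Dict, Optional


class CookieInsertion:
    def __init__(self, cookie_name: str = "ACE_STICKY"):   # assumed cookie name
        self.cookie_name = cookie_name
        self.user_strings: Dict[str, str] = {}   # real server -> configured string
        self.db: Dict[str, str] = {}             # cookie value -> real server

    def cookie_string(self, rserver: str, text: str) -> None:
        """(config-sfarm-host-rs) cookie-string text_string"""
        if not 1 <= len(text) <= 32:
            raise ValueError("cookie string must be 1-32 characters")
        for value, owner in list(self.db.items()):
            # Drop this server's previous value and any duplicate of the new one;
            # the latest configured string wins.
            if owner == rserver or value == text:
                del self.db[value]
                self.user_strings.pop(owner, None)
        self.user_strings[rserver] = text
        self.db[text] = rserver

    def no_cookie_string(self, rserver: str) -> None:
        """Remove the user-defined string; a generated value is used after the next connection."""
        self.user_strings.pop(rserver, None)
        for value, owner in list(self.db.items()):
            if owner == rserver:
                del self.db[value]

    def generated_value(self, rserver: str) -> str:
        # ACE-generated strings look like "R2148819051"; CRC32 is only a stand-in here.
        return f"R{zlib.crc32(rserver.encode('utf-8'))}"

    def set_cookie_header(self, rserver: str) -> str:
        """Header the load balancer inserts into the server's response to the client."""
        value = self.user_strings.get(rserver)
        if value is None:
            value = self.generated_value(rserver)
            self.db.setdefault(value, rserver)   # learned after the first connection
        return f"Set-Cookie: {self.cookie_name}={value}"

    def lookup(self, cookie_header: str) -> Optional[str]:
        """Map a client's Cookie header back to the sticky real server, if any."""
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == self.cookie_name and value in self.db:
                return self.db[value]
        return None
```

The duplicate case is worth testing because it is silent: after the second cookie-string command the clients that were pinned to the first server are sent to the second one, which is exactly the outcome the "ensure that there are no duplicate strings" bullet warns about.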
(config-sfarm-host-rs) description
To configure the description of a real server in a server farm, use the description command. Use the no
form of this command to delete the description of a real server.
description text
no description
Syntax Description
text Text description of a server farm. Enter an unquoted text string with
a maximum of 240 alphanumeric characters. If the text string
includes spaces, enclose the string in quotes.
Command Modes Serverfarm host real server configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(2.1) This command was introduced.
ACE Appliance Release Modification
A3(2.4) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure a description of a real server in a server farm, enter:
host1/Admin(config-sfarm-host-rs)# description "CURRENT EVENTS: EDITION 1"
To delete the description, enter:
host1/Admin(config-sfarm-host-rs)# no description
Related Commands This command has no related commands.
(config-sfarm-host-rs) fail-on-all
To configure a real server in a server farm to remain in the OPERATIONAL state unless all probes
associated with it fail (AND logic), use the fail-on-all command in server farm host real server
configuration mode. This command is applicable to all probe types. The syntax of this command is:
fail-on-all
no fail-on-all
Syntax Description This command has no keywords or arguments.
Command Modes Server farm host real server configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines By default, multiple probes that you configure directly on a real server in a server farm have an OR logic
associated with them. This means that, if one of the real server probes fails, then the real server fails and
enters the PROBE-FAILED state.
You can selectively configure this command on only certain real servers in the server farm to give those
servers AND logic. Any real server that you do not configure with the fail-on-all command maintains its
default OR logic with respect to probes.
Examples To configure the SERVER1 real server in SFARM1 to remain in the OPERATIONAL state
unless all associated probes fail, enter the following commands:
host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)# rserver SERVER1
host1/Admin(config-sfarm-host-rs)# inservice
host1/Admin(config-sfarm-host-rs)# probe HTTP_PROBE
host1/Admin(config-sfarm-host-rs)# probe ICMP_PROBE
host1/Admin(config-sfarm-host-rs)# fail-on-all
If only one of HTTP_PROBE or ICMP_PROBE fails, the SERVER1 real server remains in the
OPERATIONAL state. If both probes fail, the real server fails and enters the PROBE-FAILED state.
To remove the AND probe logic from the real server in a server farm and return the behavior to the
default of OR logic, enter the following command:
host1/Admin(config-sfarm-host-rs)# no fail-on-all
Related Commands This command has no related commands.
(config-sfarm-host-rs) inservice
To place a real server associated with a server farm in service, use the inservice command. Use the no
form of this command to take a real server out of service.
inservice [standby]
no inservice
Syntax Description
standby (Optional) Used with backup real servers, specifies that a backup real
server remain inactive unless the primary real server fails. If the
primary fails, the backup server becomes active and starts accepting
connections.
Command Modes Serverfarm host real server configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command requires the real-inservice feature in your user role. For details about role-based access
control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To start load balancing connections to a real server in a server farm, you must place the real server in
service by using the inservice command.
You can modify the attributes of a real server in a server farm without taking the server out of service.
In addition to putting a backup real server in service standby, another use of the inservice standby
command is to provide the graceful shutdown of primary real servers. Use this command to gracefully
shut down servers with sticky connections. When you enter this command for a primary real server, the
ACE does the following:
• Tears down existing non-TCP connections to the server
• Allows current TCP connections to complete
• Allows new sticky connections for existing server connections that match entries in the sticky
database
• Load balances all new connections (other than the matching sticky connections mentioned above)
to the other servers in the server farm
• Eventually takes the server out of service
Examples To place a real server in service, enter:
host1/Admin(config-sfarm-host-rs)# inservice
To take a real server out of service, enter:
host1/Admin(config-sfarm-host-rs)# no inservice
To perform a graceful shutdown on a primary real server with sticky connections in a server farm, enter:
host1/Admin(config-sfarm-host-rs)# inservice standby
Related Commands This command has no related commands.
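How the backup-rserver, fail-on-all and inservice [standby] commands documented in this mode combine to decide which real servers receive new connections, as one added Python model covering all three. This is example code, not Cisco ACE software: the function names and the sample farm (SERVER1 with HTTP_PROBE and ICMP_PROBE, its backup BACKUP1 in standby, and SERVER2) are constructed for the illustration; the OR-by-default and fail-on-all AND probe logic, the PROBE-FAILED and OUTOFSERVICE states, the backup taking flows when the primary is unavailable and the standby server staying out of new-connection load balancing are the behaviors the reference describes.

```python
"""Model of how probe results, fail-on-all, backup-rserver and inservice
standby decide which real servers receive new connections.

Added example, not Cisco ACE code. It evaluates the default OR logic (one
failed probe fails the server) against the AND logic of fail-on-all (all
probes must fail), sends flows to the configured backup when the primary is
not operational, keeps a standby server out of new-connection load balancing
and still lets it take over when its primary fails. Function names and the
sample farm are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FarmRserver:
    name: str
    inservice: bool = False
    standby: bool = False                 # "inservice standby"
    fail_on_all: bool = False             # AND logic across probes; the default is OR
    probes: Dict[str, bool] = field(default_factory=dict)   # probe name -> passing?
    backup: Optional[str] = None          # "backup-rserver name"


def probe_state(rs: FarmRserver) -> str:
    """OPERATIONAL or PROBE-FAILED from the server's own probe results."""
    failed = [name for name, ok in rs.probes.items() if not ok]
    if not failed:
        return "OPERATIONAL"
    if rs.fail_on_all and len(failed) < len(rs.probes):
        return "OPERATIONAL"          # AND logic: at least one probe still passes
    return "PROBE-FAILED"             # OR logic, or every probe has failed


def state(rs: FarmRserver) -> str:
    if not rs.inservice:
        return "OUTOFSERVICE"
    return probe_state(rs)


def new_connection_targets(farm: Dict[str, FarmRserver]) -> List[str]:
    """Servers eligible for new, non-sticky connections, in farm order.

    A server in standby (a backup, or a primary being shut down gracefully)
    takes no new connections on its own; a backup receives its primary's
    flows only while the primary is not operational.
    """
    targets: List[str] = []
    for rs in farm.values():
        if rs.standby:
            continue
        if state(rs) == "OPERATIONAL":
            targets.append(rs.name)
        elif rs.backup is not None:
            backup = farm.get(rs.backup)
            if (backup is not None and state(backup) == "OPERATIONAL"
                    and backup.name not in targets):
                targets.append(backup.name)
    return targets


def sticky_allowed(rs: FarmRserver) -> bool:
    """Existing sticky connections still reach a server under graceful shutdown."""
    return rs.inservice and probe_state(rs) == "OPERATIONAL"
```

Note that fail-on-all changes only how probe results are combined; a server that is not in service, or whose every probe fails, is unavailable under either logic, which is the case the model checks last.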
(config-sfarm-host-rs) probe
To configure a probe to monitor the health of a host real server in a host server farm, use the probe
command. Use the no form of this command to remove the probe from the real server.
probe probe-name
no probe probe-name
Syntax Description
probe-name Identifier of an existing probe that you want to assign to a real server
to monitor its health. Enter an unquoted text string with no spaces and
a maximum of 64 alphanumeric characters.
Command Modes Serverfarm host real server configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You can associate multiple probes with each real server.
The ACE periodically sends the probes to the real servers. If the ACE receives the appropriate responses
from the servers, the ACE includes the servers in load-balancing decisions. If not, the ACE marks the
servers as out of service, depending on the configured number of retries.
Examples To configure a probe for a host real server, enter:
host1/Admin(config-sfarm-host-rs)# probe SERVER1_PROBE
To remove a probe from a host real server, enter:
host1/Admin(config-sfarm-host-rs)# no probe SERVER1_PROBE
Related Commands This command has no related commands.
(config-sfarm-host-rs) rate-limit
To configure a limit for the connection rate and the bandwidth rate of a real server in a host server farm,
use the rate-limit command. The connection rate is the number of connections per second received by
the ACE and destined to a particular real server. The bandwidth rate is the number of bytes per second
received by the ACE and destined for a particular real server. Use the no form of this command to revert
to the ACE default of not limiting the connection rate or bandwidth rate of real servers in a server farm.
rate-limit {connection number1 | bandwidth number2}
no rate-limit {connection | bandwidth}
Syntax Description
Command Modes Serverfarm host real server configuration mode
Admin and user contexts
Command History
Usage Guidelines If the connection rate or the bandwidth rate of incoming traffic destined for a particular real server
exceeds the configured rate for the server, the ACE blocks any further traffic destined to that real server
until the connection rate or bandwidth rate drops below the configured limit. Also, the ACE removes the
blocked real server from future load-balancing decisions. By default, the ACE does not limit the
connection rate or the bandwidth rate of real servers in a server farm.
Examples To limit the connection rate of a real server to 100,000 connections per second, enter:
host1/Admin(config-sfarm-host-rs)# rate-limit connection 100000
connection number1 Specifies the real server connection-rate limit in connections per
second.
• For the ACE module, enter an integer from 2 to 350000.
• For the ACE appliance, enter an integer from 1 to 350000.
There is no default value.
bandwidth number2 Specifies the real server bandwidth-rate limit in bytes per second.
• For the ACE module, enter an integer from 4 to 300000000.
• For the ACE appliance, enter an integer from 1 to 300000000.
There is no default value.
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A4(1.0) The lowest real server bandwidth-rate limit was changed from 2 to 4.
ACE Appliance Release Modification
A3(1.0) This command was introduced.2-1264
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Server Farm Host Real Server Configuration Mode Commands
To revert to the ACE default of not limiting the real-server connection rate, enter:
host1/Admin(config-sfarm-host-rs)# no rate-limit connection
To limit the real-server bandwidth rate to 5,000,000 bytes per second, enter:
host1/Admin(config-sfarm-host-rs)# rate-limit bandwidth 5000000
To revert to the ACE default of not limiting real-server bandwidth, enter:
host1/Admin(config-sfarm-host-rs)# no rate-limit bandwidth
Related Commands (config-sfarm-host-rs) conn-limit
(config-sfarm-host-rs) weight
To configure the capacity of a real server in relation to other servers in a server farm, use the weight command. The weight value that you specify for a server is used by the weighted round-robin and least-connections predictor load-balancing methods. Use the no form of this command to reset the real server weight to the default.
weight number
no weight
Syntax Description
number Weight value assigned to a real server in a server farm. This value is used in the weighted round-robin and least-connections predictor load-balancing algorithms. Enter an integer from 1 to 100. The default is 8.
Command Modes Serverfarm host real server configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines Servers with higher weight values receive a proportionally higher number of connections than servers with lower weight values. If you do not specify a weight in serverfarm host real server configuration mode, the ACE uses the weight that you configured for the global real server in real server host configuration mode.
To give the same physical host different weights within a server farm, assign it multiple IP addresses (one real server per address), or reuse one IP address as several real servers with different port numbers.
Server weights take effect only when there are open connections to the servers. When there are no sustained connections to any of the servers, the leastconns predictor behaves like the roundrobin predictor.
Examples To configure a weight value for a real server, enter:
host1/Admin(config-sfarm-host-rs)# weight 50
To reset the weight of a real server to the default of 8, enter:
host1/Admin(config-sfarm-host-rs)# no weight
Related Commands (config-rserver-host) weight
(config-sfarm-host) predictor
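The three commands above (probe, rate-limit and weight) are applied per real server inside a host server farm and only make sense together with the objects they reference. The following configuration is a worked example added here; it is not taken from the Cisco reference. It ties the per-rserver commands to a global real server and an HTTP probe created in configuration mode, and to the farm-level predictor and failaction commands. The names, addresses, probe path and limit values (WEB1, WEB2, 192.168.10.0/24, HTTP_HEALTH, /healthz, SF_WEB) are hypothetical.

```cisco
! --- Added example, not from the Cisco reference; names and addresses are hypothetical ---
! Global real servers (configuration mode). A weight set here is the default for every
! server farm that references the rserver; the per-farm weight below overrides it.
rserver host WEB1
  ip address 192.168.10.11
  inservice
rserver host WEB2
  ip address 192.168.10.12
  inservice

! Health probe: GET /healthz every 10 s, mark the server failed after 3 consecutive
! misses, and re-check a failed server every 30 s until it answers 200 again.
probe http HTTP_HEALTH
  interval 10
  faildetect 3
  passdetect interval 30
  request method get url /healthz
  expect status 200 200

! Host server farm. The commands documented above live under each rserver entry.
! WEB1 (weight 50) gets roughly twice the connections of WEB2 (weight 25) while
! connections are open; rate-limit bandwidth is in bytes/s, so 5000000 is 40 Mbit/s.
serverfarm host SF_WEB
  predictor leastconns slowstart 120
  failaction purge
  rserver WEB1 80
    probe HTTP_HEALTH
    weight 50
    rate-limit connection 1000
    rate-limit bandwidth 5000000
    inservice
  rserver WEB2 80
    probe HTTP_HEALTH
    weight 25
    rate-limit connection 1000
    rate-limit bandwidth 5000000
    inservice
```

Verify the result with show serverfarm SF_WEB detail (per-rserver state, weight and current connections) and show probe HTTP_HEALTH detail (last probe result per server). Note the interaction between the two limits and the farm: when WEB1 trips its connection or bandwidth limit, every new connection lands on WEB2 until WEB1's rate falls back below the limit, so WEB2's limits must be sized for that case or the whole farm can be taken out by a burst aimed at one server.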
Server Farm Redirect Configuration Mode Commands
Serverfarm redirect configuration mode commands allow you to create and configure redirect server farms and associate redirect real servers with the server farm. Redirect server farms are clusters of real servers that redirect users to alternative URLs where content has been moved, either temporarily or permanently. The server farm consists only of real servers that redirect client requests to alternative locations specified by the relocation string or port number in the real server configuration. You must configure a redirect real server using the (config) rserver redirect command in configuration mode before you can associate it with a server farm.
To create a redirect server farm and access serverfarm redirect configuration mode, use the serverfarm redirect command. The CLI prompt changes to (config-sfarm-redirect). For information about the commands in this mode, see the following commands.
Use the no form of this command to remove a server farm from the configuration.
serverfarm redirect name
no serverfarm redirect name
Syntax Description
name Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the server-farm feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To create a redirect server farm named SFARM2, enter:
host1/Admin(config)# serverfarm redirect SFARM2
host1/Admin(config-sfarm-redirect)#
To delete the redirect server farm named SFARM2, enter:
host1/Admin(config)# no serverfarm redirect SFARM2
Related Commands show serverfarm
show running-config
(config) rserver
(config-sfarm-redirect) description
To configure a text description of a server farm, use the description command. Use the no form of this command to delete the description of a server farm.
description text
no description
Syntax Description
text Text description of a server farm. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes Serverfarm redirect configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To configure a description of a server farm, enter:
host1/Admin(config-sfarm-redirect)# description REDIRECT_NEW_SITE
To delete the description of a server farm, enter:
host1/Admin(config-sfarm-redirect)# no description
Related Commands This command has no related commands.
(config-sfarm-redirect) failaction
To configure the action that the ACE takes if a real server in a server farm goes down, use the failaction command. Use the no form of this command to reset the ACE to its default of taking no action when a server fails.
failaction {purge | reassign [across-interface]}
no failaction
Syntax Description
purge Specifies that the ACE removes the connections to a real server in the server farm if that real server fails. The ACE sends a reset (RST) both to the client and to the server that failed.
reassign Specifies that the ACE reassigns existing server connections to the backup real server if a backup real server is configured. If no backup real server is configured, this keyword has no effect.
across-interface (Optional) Instructs the ACE to reassign all connections from the failed real server to a backup real server on a different VLAN, commonly referred to as a bypass VLAN. By default, this feature is disabled.
Command Modes Serverfarm redirect configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised (reassign keyword added).
A2(3.0) The across-interface option was added.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised (reassign keyword added).
A4(1.0) The across-interface option was added.
A5(1.0) Added IPv6 support.
Usage Guidelines If you do not configure this command, the ACE takes the failed real server out of rotation for new connections and allows existing connections to complete. The ACE does not move those connections to a backup server in the server farm, or to a backup server farm if all servers in the primary server farm fail.
purge gives clients an immediate RST instead of a connection that hangs until it times out. reassign only makes sense where the backup real server can take over existing flows mid-stream, for example a device in the forwarding path rather than an application endpoint with its own session state.
This feature is required for stateful firewall load balancing (FWLB). For details about FWLB, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To instruct the ACE to remove connections from a failed server in the server farm, enter:
host1/Admin(config-sfarm-redirect)# failaction purge
To reset the ACE to its default of taking no action if a real server fails, enter:
host1/Admin(config-sfarm-redirect)# no failaction
Related Commands This command has no related commands.
(config-sfarm-redirect) predictor
To configure the load-balancing algorithm for the server farm, use the predictor command. Use the no form of this command to revert to the default load-balancing algorithm (the round-robin algorithm).
predictor {hash {address [destination | source] [netmask | v6-prefix prefix-length] | content [offset number1] [length number2] [begin-pattern expression1] [end-pattern expression2] | cookie [secondary] name1 | header name2 | layer4-payload [offset number3] [length number4] [begin-pattern expression3] [end-pattern expression4] | url [begin-pattern expression5] [end-pattern expression6]} | least-bandwidth [samples number5] [assess-time seconds] | least-loaded probe name3 [samples number6] | leastconns [slowstart seconds] | response {app-req-to-resp | syn-to-close | syn-to-synack} [samples number7] [threshold milliseconds [resume-timer seconds]] | roundrobin}
no predictor
Syntax Description
hash address Selects the server using a hash value based on the source and destination IP addresses. Use the hash address source and hash address destination methods for firewall load balancing (FWLB).
destination (Optional) Selects the server using a hash value based on the destination IP address.
source (Optional) Selects the server using a hash value based on the source IP address.
netmask (Optional) Bits in the IPv4 address to use for the hash. If not specified, the default is 255.255.255.255.
v6-prefix prefix-length (Optional) Specifies how many of the most significant bits (MSBs) of the IPv6 address are used for the network identifier. Enter an integer from 1 to 128.
hash content Selects the server using a hash value based on the specified content string of the HTTP packet body.
offset number1 (Optional) Specifies the portion of the content that the ACE uses to stick the client on a particular server by indicating the bytes to ignore starting with the first byte of the payload. Enter an integer from 0 to 999. The default is 0, which indicates that the ACE does not exclude any portion of the content.
length number2 (Optional) Specifies the length of the portion of the content (starting with the byte after the offset value) that the ACE uses for sticking the client to the server. Enter an integer from 1 to 1000. The default is the entire payload.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but shorter than the offset plus the length, the ACE hashes the portion of the payload that is present, from the byte after the offset value to the last byte of the payload. The total of the offset and the length cannot exceed 1000.
You cannot specify both the length and the end-pattern options in the same hash content command.
begin-pattern expression1 (Optional) Specifies the beginning pattern of the content string and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the HTTP body immediately following the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.
Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters for each pattern that you configure. You can enter a text string with spaces if you enclose the entire string in quotation marks ("). The ACE supports the use of regular expressions for matching string expressions.
When matching data strings, note that the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
end-pattern expression2 (Optional) Specifies the pattern that marks the end of hashing. If you do not specify either a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field or the end of the packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.
Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters for each pattern that you configure. You can enter a text string with spaces if you enclose the entire string in quotation marks ("). The ACE supports the use of regular expressions for matching string expressions.
You cannot specify both the length and the end-pattern options in the same hash content command.
hash cookie Selects the server using a hash value based on the value of the cookie with the specified name in the Cookie header or, with the secondary option, on the value of the parameter with that name in the URL query string.
secondary (Optional) Selects the server using the hash value of the parameter with the specified name in the URL query string rather than the cookie of that name in the Cookie header. If you do not include this option, the ACE hashes the value of the named cookie.
name1 Cookie name. Enter a cookie name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
hash header name2 Selects the server using a hash value based on the value of the specified HTTP header. Enter a header name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters, or enter one of the following standard headers:
• Accept
• Accept-Charset
• Accept-Encoding
• Accept-Language
• Authorization
• Cache-Control
• Connection
• Content-MD5
• Expect
• From
• Host
• If-Match
• Pragma
• Referrer
• Transfer-Encoding
• User-Agent
• Via
hash layer4-payload Specifies a Layer 4 generic protocol load-balancing method. Use this predictor to load balance packets from protocols that are not explicitly supported by the ACE.
offset number3 (Optional) Specifies the portion of the payload that the ACE uses to stick the client on a particular server by indicating the bytes to ignore starting with the first byte of the payload. Enter an integer from 0 to 999. The default is 0, which indicates that the ACE does not exclude any portion of the payload.
length number4 (Optional) Specifies the length of the portion of the payload (starting with the byte after the offset value) that the ACE uses for sticking the client to the server. Enter an integer from 1 to 1000. The default is the entire payload.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but shorter than the offset plus the length, the ACE hashes the portion of the payload that is present, from the byte after the offset value to the last byte of the payload. The total of the offset and the length cannot exceed 1000.
You cannot specify both the length and the end-pattern options in the same hash layer4-payload command.
begin-pattern expression3 (Optional) Specifies the beginning pattern of the Layer 4 payload and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the payload immediately following the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.
Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters for each pattern that you configure. You can enter a text string with spaces if you enclose the entire string in quotation marks ("). The ACE supports the use of regular expressions for matching string expressions.
When matching data strings, note that the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
end-pattern expression4 (Optional) Specifies the pattern that marks the end of hashing. If you do not specify either a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field or the end of the packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.
Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters for each pattern that you configure. You can enter a text string with spaces if you enclose the entire string in quotation marks ("). The ACE supports the use of regular expressions for matching string expressions.
Note: You cannot specify both the length and the end-pattern options in the same hash layer4-payload command.
hash url Selects the server using a hash value based on the requested URL. Use this predictor method to load balance cache servers. Cache servers perform better with the URL hash method because you can divide the contents of the caches evenly if the traffic is random enough. In a redundant configuration, the cache servers continue to work even if the active ACE switches over to the standby ACE. For information about configuring redundancy, see the Administration Guide, Cisco ACE Application Control Engine.
begin-pattern expression5 (Optional) Specifies the beginning pattern of the URL and the pattern string to match before hashing. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters for each pattern that you configure. If you want to match a URL that contains spaces, you must use \x20 for each space character.
end-pattern expression6 (Optional) Specifies the pattern that marks the end of hashing. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters for each pattern that you configure. If you want to match a URL that contains spaces, you must use \x20 for each space character.
least-bandwidth Selects the server that processed the least amount of network traffic over a specified sampling period. Use this predictor for heavy traffic use, such as downloading a video clip. The ACE measures traffic statistics between itself and the real servers in the server farm in both directions and calculates the bandwidth over the sampling period. Then, it creates an ordered list of real servers based on the sampling results and selects the server that used the least amount of bandwidth during the sampling period.
samples number5 (Optional) Specifies the number of samples over which you want to weight and average the bandwidth measurements to calculate the final load value. Enter an integer from 1 to 16. Each value must be a power of 2, so the valid values are 1, 2, 4, 8, and 16. The default is 8.
assess-time seconds (Optional) Specifies the sampling period over which the ACE measures traffic for all the servers in the server farm. Enter an integer from 1 to 10. The default is 4 seconds.
least-loaded Selects the server with the lowest load based on information obtained from SNMP probes. To use this predictor, you must associate an SNMP probe with the server farm. The ACE queries one user-specified OID (for example, CPU utilization or memory utilization). The ACE uses the retrieved value directly to determine the server with the lowest load. This predictor is not supported with IPv6.
probe name3 Specifies the name of the SNMP probe that you want to query. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
samples number6 (Optional) Specifies the number of samples over which you want to weight and average the results of the probe query to calculate the final load value. Enter an integer from 1 to 16. Each value must be a power of 2, so the valid values are 1, 2, 4, 8, and 16. The default is 8.
leastconns Selects the real server with the fewest active connections, taking the server weight into account. Use this predictor for processing light user requests (for example, browsing simple static web pages). For information about setting real server weight, see the (config-sfarm-redirect-rs) weight section.
slowstart seconds (Optional) Specifies that the connections to the real server be in a slow-start mode for the duration indicated by the seconds value. Use the slow-start mechanism to avoid sending a high rate of new connections to servers that you have recently put into service. Enter an integer from 1 to 65535, where 1 is the slowest ramp-up value. By default, slowstart is disabled.
response Selects the server with the lowest response time for the requested response-time measurement. If you do not specify a response-time measurement method, the ACE uses the HTTP app-req-to-resp method.
app-req-to-resp (Default) Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request. The ACE does not allow you to configure this response-time measurement in a generic (non-HTTP) load-balancing policy map.
syn-to-close Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
syn-to-synack Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server.
samples number7 (Optional) Specifies the number of samples that you want to average from the results of the response time measurement. Enter an integer from 1 to 16 in powers of 2. Valid values are 1, 2, 4, 8, and 16. The default is 8.
threshold milliseconds (Optional) Specifies the maximum average response time allowed for a server. If the server's average response time is greater than the specified threshold value, the ACE removes the server from the load-balancing decision process (takes the server out of service). Enter an integer from 1 to 300000 milliseconds (5 minutes). The default is no threshold (servers are not taken out of service).
resume-timer seconds (Optional) Specifies the number of seconds after which the ACE sends traffic again to a server that was taken out of the load-balancing decision process. The ACE monitors the server's response time. If that response time is less than or equal to the value set with the threshold keyword, the ACE places the server back in service. Enter an integer from 30 to 3600 seconds (1 hour). The default value is 300 seconds (5 minutes) if you configure a threshold without specifying the resume timer.
roundrobin (Default) Selects the next server in the list of real servers based on server weight (weighted round-robin). For information about setting the real server weight, see the (config-sfarm-redirect-rs) weight section.
Command Modes Serverfarm redirect configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(1.0) This command was revised.
A2(1.4) and A2(2.1) The secondary option for the hash cookie keyword was added.
ACE Appliance Release Modification
A1(7) This command was introduced.
A3(1.0) This command was revised.
A3(2.2) The secondary option for the hash cookie keyword was added.
Usage Guidelines Use this command to specify the load-balancing algorithm that the ACE uses in choosing a real server in the server farm. If you do not specify the predictor command, the default algorithm is roundrobin. Using the no form of this command changes the configured predictor algorithm to the default algorithm.
The weight assigned to the real servers is used only in the roundrobin and leastconns predictor methods. The hash and the response predictor methods do not recognize the weight for the real servers. For information about setting the real server weight, see the (config-sfarm-redirect-rs) weight section.
If you configure the leastconns predictor, you can use a slowstart mechanism (ramp-up) to avoid sending a high rate of new connections to servers that have just been put in service. The real server with the fewest active connections gets the next connection request for a server farm with the leastconns predictor. The ramp-up stops when the duration timer that you specify expires.
The only time that the sequence of servers starts over at the beginning (with the first server) is when there is a configuration or server state change (for example, a probe failure).
The secondary option allows the ACE to load balance correctly when the query string, rather than the URL path, identifies the actual resource.
The hash cookie, hash header, hash url and hash content methods hash values that the client controls, so a client can steer its own requests to a chosen real server by varying that value. Treat these predictors as a distribution mechanism, not as an isolation boundary between servers.
Examples To configure the ACE to select the real server with the fewest active connections, ramping newly in-service servers up over 300 seconds, enter:
host1/Admin(config-sfarm-redirect)# predictor leastconns slowstart 300
To reset the load-balancing algorithm to the default round-robin algorithm, enter:
host1/Admin(config-sfarm-redirect)# no predictor
Related Commands (config-sfarm-redirect-rs) weight
(config-sfarm-redirect) probe
Use probes to monitor the health of real servers in a server farm. To associate a probe with a server farm, use the probe command. Use the no form of this command to dissociate a probe from a server farm.
probe probe-name
no probe probe-name
Syntax Description
probe-name Identifier of an existing probe that you want to associate with a server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Serverfarm redirect configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(3.2) This command was introduced. Not applicable for A4(1.0).
ACE Appliance Release Modification
A3(2.7) This command was introduced. Not applicable for A4(1.0).
Usage Guidelines The probe must already exist. (To create a probe, see the (config) probe command.) You can associate multiple probes of the same or different protocols with each server farm.
Under a redirect server farm, you can configure only probes that have an IP address assigned (see the (config-probe-probe_type) ip address command) and that operate in routed mode.
You cannot associate a scripted probe with a redirect server farm.
Examples To associate a probe with a server farm, enter:
host1/Admin(config-sfarm-redirect)# probe TCP1
To dissociate a probe from a server farm, enter:
host1/Admin(config-sfarm-redirect)# no probe TCP1
Related Commands (config) probe
(config-probe-probe_type) ip address
(config-sfarm-redirect) rserver
To associate one or more existing redirect real servers with a server farm and access serverfarm redirect real server configuration mode, use the rserver command. The CLI prompt changes to (config-sfarm-redirect-rs). For information on commands in serverfarm redirect real server configuration mode, see the "Server Farm Redirect Real Server Configuration Mode Commands" section. Use the no form of this command to dissociate the real server from the server farm.
rserver name [port]
no rserver name [port]
Syntax Description
name Unique identifier of the real server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
port (Optional) Port number used for the real server Port Address Translation (PAT). Enter an integer from 1 to 65535.
Command Modes Serverfarm redirect configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The real server must already exist. To create a real server, see the (config) rserver command. You can associate a maximum of 16,384 real servers with a server farm.
Examples To associate a real server with a server farm, enter:
host1/Admin(config-sfarm-redirect)# rserver server1 4000
host1/Admin(config-sfarm-redirect-rs)#
To dissociate a real server from a server farm, enter:
host1/Admin(config-sfarm-redirect)# no rserver server1
host1/Admin(config-sfarm-redirect)#
Related Commands (config) rserver
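The predictor, serverfarm redirect and rserver commands above are rarely used on their own. The following configuration is a worked example added here, not part of the Cisco reference, and serves both the predictor section and the redirect server farm commands: a redirect server farm does the two jobs it is normally given, forcing clients from HTTP to HTTPS and acting as the backup ("sorry") farm when every real server in the host farm is down, while the host farm uses the response predictor with a threshold and resume timer. It assumes the (config) rserver redirect and webhost-redirection commands, an ssl-proxy service whose certificate and key were imported beforehand, the load-balance policy-map commands, and a VLAN interface that already has its IP address. All names and addresses (WEB1, WEB2, 192.168.10.0/24, 10.1.1.10, sorry.example.com, SSL_FRONT) are hypothetical.

```cisco
! --- Added example, not from the Cisco reference; names and addresses are hypothetical ---
rserver host WEB1
  ip address 192.168.10.11
  inservice
rserver host WEB2
  ip address 192.168.10.12
  inservice

! Redirect real servers. %h and %p insert the Host header and path of the original
! request, so http://www.example.com/login becomes https://www.example.com/login (301).
rserver redirect TO_HTTPS
  webhost-redirection https://%h%p 301
  inservice
rserver redirect SORRY_PAGE
  webhost-redirection http://sorry.example.com/ 302
  inservice

probe http HTTP_HEALTH
  interval 10
  faildetect 3
  passdetect interval 30
  request method get url /healthz
  expect status 200 200

! Host farm: choose the server with the lowest request-to-response time averaged over
! 8 samples; a server averaging above 500 ms is taken out and re-tried after 120 s.
! TLS is terminated on the ACE (below), so traffic to these servers is cleartext on
! port 8080 and the server VLAN must be treated as trusted.
serverfarm host SF_WEB
  predictor response app-req-to-resp samples 8 threshold 500 resume-timer 120
  probe HTTP_HEALTH
  rserver WEB1 8080
    inservice
  rserver WEB2 8080
    inservice

! Redirect farms: only redirect real servers may be members; every member returns the
! same redirect, so the default roundrobin predictor is fine.
serverfarm redirect SF_TO_HTTPS
  rserver TO_HTTPS
    inservice
serverfarm redirect SF_SORRY
  rserver SORRY_PAGE
    inservice

! TLS termination for the HTTPS VIP; cert and key files were imported beforehand.
ssl-proxy service SSL_FRONT
  key example-com.key
  cert example-com.pem

! VIPs: port 80 never reaches an application server, it only answers with the redirect.
! Port 443 uses the host farm and falls back to the sorry farm when no server is up.
class-map match-all VIP_HTTP
  2 match virtual-address 10.1.1.10 tcp eq 80
class-map match-all VIP_HTTPS
  2 match virtual-address 10.1.1.10 tcp eq 443
policy-map type loadbalance first-match LB_HTTP
  class class-default
    serverfarm SF_TO_HTTPS
policy-map type loadbalance first-match LB_HTTPS
  class class-default
    serverfarm SF_WEB backup SF_SORRY
policy-map multi-match VIPS
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy LB_HTTP
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy LB_HTTPS
    ssl-proxy server SSL_FRONT
interface vlan 100
  service-policy input VIPS
```

Two points follow from the reference text. First, the response predictor ignores real server weights, so a weight set under rserver WEB1 in this farm has no effect until the predictor is changed to roundrobin or leastconns. Second, app-req-to-resp only works because the ACE sees plaintext HTTP after terminating TLS; on a pass-through HTTPS VIP you would have to use syn-to-synack or syn-to-close, and the backup redirect farm would not work either, because the ACE cannot inject an HTTP 302 into a connection it does not decrypt.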
Serverfarm Redirect Predictor Configuration Mode Commands
Serverfarm redirect predictor configuration mode commands allow you to configure additional parameters for some of the server farm predictor methods.
To configure these additional predictor parameters, use the predictor least-loaded or the predictor response command in serverfarm redirect configuration mode. The CLI prompt changes to (config-sfarm-redirect-predictor). For information about the commands in this mode, see the following commands. Use the no form of this command to remove the predictor from the server farm.
predictor {least-loaded probe name | response {app-req-to-resp | syn-to-close | syn-to-synack} [samples number]}
no predictor
Syntax Description
Command Modes Serverfarm redirect configuration mode
Admin and user contexts
least-loaded Selects the server with the lowest load based on information obtained from SNMP probes. To use this predictor, you must associate an SNMP probe with the server farm. The ACE queries one user-specified OID (for example, CPU utilization or memory utilization). The ACE uses the retrieved value directly to determine the server with the lowest load.
probe name Specifies the name of the SNMP probe that you want to query. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
response Selects the server with the lowest response time for the requested response-time measurement. If you do not specify a response-time measurement method, the ACE uses the HTTP app-req-to-resp method.
app-req-to-resp (Default) Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request. The ACE does not allow you to configure this response-time measurement in a generic (non-HTTP) load-balancing policy map.
syn-to-close Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
syn-to-synack Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server.
samples number (Optional) Number of samples over which you want to average the
results of the response time measurement. Enter an integer from 1 to
16 in powers of 2. Valid values are: 1, 2, 4, 8, and 16. The default is 8.2-1280
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Serverfarm Redirect Predictor Configuration Mode Commands
Command History
Usage Guidelines The commands in this mode require the server-farm feature in your user role. For details about
role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application
Control Engine.
Examples To specify the least-loaded predictor method with a probe called SNMP_PROBE for the server farm,
enter:
host1/Admin(config-sfarm-redirect)# predictor least-loaded probe SNNMP_PROBE
host1/Admin(config-sfarm-redirect-predictor)#
To remove the least-loaded predictor from the server farm, enter:
host1/Admin(config-sfarm-redirect)# no predictor
To specify the response predictor method that measures the response time from when the ACE sends an
HTTP request to a server to the time that the ACE receives a response from the server for that request,
enter:
host1/Admin(config-sfarm-redirect)# predictor response app-req-to-resp
host1/Admin(config-sfarm-redirect-predictor)#
To remove the response predictor from the server farm, enter:
host1/Admin(config-sfarm-redirect)# no predictor
Related Commands show serverfarm detail
(config-sfarm-redirect) predictor
(config-sfarm-redirect-predictor) autoadjust
(config-sfarm-redirect-predictor) weight connection
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.2-1281
(config-sfarm-redirect-predictor) autoadjust
After you specify the predictor least-loaded command, use the autoadjust command to instruct the ACE to apply the maximum load of 16000 to a real server whose load reaches zero, or to override the default behavior. Use the no form of this command to reset the behavior of the ACE to the default of applying the average load of the server farm to a real server whose load is zero.
autoadjust {average | maxload | off}
no autoadjust
Syntax Description
    average    Applies the average load of the server farm to a real server whose load is zero. This setting allows the server to participate in load balancing, while preventing it from being flooded by new connections. This is the default setting.
    maxload    Instructs the ACE to apply the maximum load of 16000 to a real server whose load reaches zero.
    off        Overrides the default behavior of the ACE of applying the average load of the server farm to a real server whose load is zero. When you configure this command, the ACE sends all new connections to the server that has a load of zero until the next load update arrives from the SNMP probe for this server. If two servers have the same lowest load (either zero or nonzero), the ACE load balances the connections between the two servers in a round-robin manner.
Command Modes Serverfarm redirect predictor configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    A2(1.0)                 This command was introduced.
    A2(2.4)                 The average keyword became the default autoadjust setting for the least-loaded predictor. Previously, the default setting was maximum load. The maxload keyword was added to set the least-loaded predictor to maximum load.
    ACE Appliance Release   Modification
    A3(1.0)                 This command was introduced.
    A4(1.0)                 The average keyword became the default autoadjust setting for the least-loaded predictor. Previously, the default setting was maximum load. The maxload keyword was added to set the least-loaded predictor to maximum load.
Usage Guidelines Whenever a server’s load reaches zero, by default, the ACE uses the autoadjust feature to assign an average load value to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server’s SNMP probe and other configured options.
Using the least-loaded predictor with the configured server weight and the current connection count option enabled, the ACE calculates the final load of a real server as follows:
final load = weighted load × static weight × current connection count
where:
• weighted load is the load reported by the SNMP probe
• static weight is the configured weight of the real server
• current connection count is the total number of active connections to the real server
The ACE recalculates the final load whenever the connection count changes, provided that the weight connection command is configured. If the weight connection command is not configured, the ACE updates the final load when the next load update arrives from the SNMP probe.
Examples To instruct the ACE to apply the maximum load of the server farm to a real server whose load value reaches zero, enter:
host1/Admin(config-sfarm-redirect-predictor)# autoadjust maxload
To turn off the autoadjust feature for all servers in a server farm so that servers with a load of zero receive all new connections, enter:
host1/Admin(config-sfarm-redirect-predictor)# autoadjust off
To reset the behavior of the ACE to the default of applying the average load of the server farm (rather than the maximum load of 16000) to a real server whose load is zero, enter:
host1/Admin(config-sfarm-redirect-predictor)# no autoadjust
Related Commands show serverfarm detail
(config-sfarm-redirect) predictor
(config-sfarm-redirect-predictor) weight connection
(config-sfarm-redirect-predictor) weight connection
After you specify the predictor least-loaded or the predictor response command, use the weight connection command to instruct the ACE to use the current connection count in the final load calculation for each real server in the server farm. Use the no form of this command to reset the behavior of the ACE to the default of excluding the current connection count from the load calculation.
weight connection
no weight connection
Syntax Description This command has no keywords or arguments.
Command Modes Serverfarm redirect predictor configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    A2(1.0)                 This command was introduced.
    ACE Appliance Release   Modification
    A3(1.0)                 This command was introduced.
Usage Guidelines To see how the weight connection command affects the (config-sfarm-redirect-predictor) autoadjust command for the least-loaded predictor, see the Usage Guidelines section of the (config-sfarm-redirect-predictor) autoadjust command.
Examples To instruct the ACE to use the current connection count in the final load calculation for each real server in the server farm, enter:
host1/Admin(config-sfarm-redirect-predictor)# weight connection
To reset the behavior of the ACE to the default of excluding the current connection count from the load calculation, enter:
host1/Admin(config-sfarm-redirect-predictor)# no weight connection
Related Commands show serverfarm detail
(config-sfarm-redirect) predictor
(config-sfarm-redirect-predictor) autoadjust
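The final-load calculation and the three autoadjust settings described in the autoadjust and weight connection entries above, as an added Python model. It is not Cisco code and is not part of this reference: the farm, probe loads, weights and connection counts are constructed sample values, the tie-break picks the least recently selected server as a stand-in for the round-robin the reference mentions, and reading "average load of the server farm" as the mean of the other servers' SNMP readings is an assumption.

```python
from dataclasses import dataclass

MAX_LOAD = 16000  # load that "autoadjust maxload" assigns to a server reporting zero


@dataclass
class RealServer:
    name: str
    snmp_load: int          # load last reported by the server's SNMP probe
    weight: int = 8         # static weight configured with "weight" (default 8)
    connections: int = 0    # current connection count
    last_picked: int = -1   # step at which this server last received a connection


def probe_load(server, farm, autoadjust):
    """Load value the predictor uses for a server, applying autoadjust to a zero reading."""
    if server.snmp_load != 0:
        return server.snmp_load
    if autoadjust == "maxload":
        return MAX_LOAD
    if autoadjust == "off":
        return 0  # the server keeps load 0 until the next probe update arrives
    if autoadjust == "average":
        # Assumption: the farm average is the mean of the other servers' probe readings.
        others = [s.snmp_load for s in farm if s is not server]
        return sum(others) // len(others) if others else 0
    raise ValueError("autoadjust must be average, maxload or off")


def final_load(server, farm, autoadjust, weight_connection):
    """final load = weighted load x static weight x current connection count (reference
    formula); the connection-count factor applies only when "weight connection" is set."""
    load = probe_load(server, farm, autoadjust) * server.weight
    return load * server.connections if weight_connection else load


def pick_least_loaded(farm, step, autoadjust="average", weight_connection=False):
    """Select the server with the lowest final load; equal lowest loads are shared."""
    loads = {s.name: final_load(s, farm, autoadjust, weight_connection) for s in farm}
    lowest = min(loads.values())
    tied = [s for s in farm if loads[s.name] == lowest]
    chosen = min(tied, key=lambda s: s.last_picked)  # least recently chosen among ties
    chosen.last_picked = step
    chosen.connections += 1
    return chosen


def simulate(farm, new_connections, autoadjust="average", weight_connection=False):
    """Distribute new connections between two probe updates; return per-server counts."""
    counts = {s.name: 0 for s in farm}
    for step in range(new_connections):
        counts[pick_least_loaded(farm, step, autoadjust, weight_connection).name] += 1
    return counts


def sample_farm():
    # Constructed sample: server C just came into service and its probe reports zero load.
    return [RealServer("A", 400), RealServer("B", 200), RealServer("C", 0)]


if __name__ == "__main__":
    for mode in ("off", "average", "maxload"):
        print(mode, simulate(sample_farm(), 20, autoadjust=mode))
    print("average + weight connection", simulate(sample_farm(), 9, "average", True))
```

Running it shows the condition autoadjust average exists to prevent: with autoadjust off, every new connection lands on the server whose probe reported zero until the next SNMP update, while average and maxload keep that server out of the flood. Without weight connection the final loads stay fixed between probe updates, so the least-loaded server takes everything; with weight connection the load is recomputed on every connection and the distribution shifts as counts change.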
Server Farm Redirect Real Server Configuration Mode Commands
Serverfarm redirect real server configuration mode commands allow you to associate a redirect real server with a redirect server farm and configure the real server attributes.
To associate one or more existing redirect real servers with a redirect server farm and access serverfarm redirect real server configuration mode, use the rserver command in serverfarm redirect configuration mode. The CLI prompt changes to (config-sfarm-redirect-rs). For information about the commands in this mode, see the following commands. Use the no form of this command to remove the real server from the server farm.
rserver name
no rserver name
Syntax Description
    name    Unique identifier of the real server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Serverfarm redirect configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    3.0(0)A1(2)             This command was introduced.
    ACE Appliance Release   Modification
    A1(7)                   This command was introduced.
Usage Guidelines The commands in this mode require the server-farm feature in your user role unless otherwise specified. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
The redirect real server must already exist. To create a real server, see the (config) rserver redirect command. You can associate a maximum of 16,384 real servers with a server farm.
Examples To associate a real server with a server farm, enter:
host1/Admin(config-sfarm-redirect)# rserver server1
To dissociate a real server from a server farm, enter:
host1/Admin(config-sfarm-redirect)# no rserver server1
Related Commands This command has no related commands.
(config-sfarm-redirect-rs) backup-rserver
To configure a backup real server for a real server in a server farm, use the backup-rserver command. If a real server associated with a server farm becomes unavailable, the ACE directs flows to the configured backup real server. Use the no form of this command to remove a backup real server from the configuration.
backup-rserver name
no backup-rserver
Syntax Description
    name    Unique identifier of an existing real server that you want to configure as a backup server in a server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Serverfarm redirect real server configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    3.0(0)A1(2)             This command was introduced.
    A5(1.0)                 Added support for IPv6.
    ACE Appliance Release   Modification
    A1(7)                   This command was introduced.
    A3(2.2)                 This command supports cyclic backup of real servers in a server farm.
    A5(1.0)                 Added support for IPv6.
Usage Guidelines The real server used as a backup server must already exist. To create a redirect real server, see the (config) rserver redirect command.
IPv6 servers can back up IPv4 servers, but only for the HTTP and the HTTPS protocols.
Examples To associate a backup real server with a server farm, enter:
host1/Admin(config-sfarm-redirect-rs)# backup-rserver BACKUP_SERVER1
To dissociate a backup real server from a server farm, enter:
host1/Admin(config-sfarm-redirect-rs)# no backup-rserver
Related Commands (config) rserver
(config-sfarm-redirect-rs) conn-limit
To configure the maximum and minimum number of connections that you want to allow for a redirect real server in a server farm, use the conn-limit command. Use the no form of this command to reset the real server maximum connections and minimum connections threshold to the default of 4000000.
conn-limit max maxconns min minconns
no conn-limit
Syntax Description
    max maxconns    Specifies the maximum number of connections allowed for this real server. Enter an integer from 2 to 4000000. The default is 4000000.
    min minconns    Specifies the connection threshold below which the real server will start accepting connections again after the number of connections exceeds the configured maximum number of connections. Enter an integer from 2 to 4000000. The default is minconns equal to maxconns.
Command Modes Serverfarm redirect real server configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    3.0(0)A1(2)             This command was introduced.
    ACE Appliance Release   Modification
    A1(7)                   This command was introduced.
Usage Guidelines Use this command to specify the maximum number of connections and the minimum connection threshold for a redirect real server in a server farm. The minconns value must be less than or equal to the maxconns value. The ACE uses the minconns value as a threshold to start accepting connections again after the maxconns limit is exceeded.
Examples To configure the maximum number of connections and the minimum connection threshold for a redirect real server, enter:
host1/Admin(config-sfarm-redirect-rs)# conn-limit max 65535 min 40000
To reset the maximum number of connections and the minimum connection threshold for a redirect real server to the default of 4000000, enter:
host1/Admin(config-sfarm-redirect-rs)# no conn-limit
Related Commands (config-sfarm-redirect-rs) rate-limit
(config-sfarm-redirect-rs) inservice
To place a real server associated with a server farm in service, use the inservice command. Use the no form of this command to take a real server out of service.
inservice [standby]
no inservice
Syntax Description
    standby    (Optional) Used with backup real servers, specifies that a backup real server remain inactive unless the primary real server fails. If the primary fails, the backup server becomes active and starts accepting connections.
Command Modes Serverfarm redirect real server configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    3.0(0)A1(2)             This command was introduced.
    ACE Appliance Release   Modification
    A1(7)                   This command was introduced.
Usage Guidelines This command requires the real-inservice feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
To start load-balancing connections to a real server in a server farm, you must place the real server in service by using the inservice command.
You can modify the attributes of a real server in a server farm without taking the server out of service.
In addition to putting a backup real server in service standby, another use of the inservice standby command is to provide the graceful shutdown of primary real servers. Use this command to gracefully shut down servers with sticky connections. When you enter this command for a primary real server, the ACE does the following:
• Tears down existing non-TCP connections to the server
• Allows current TCP connections to complete
• Allows new sticky connections for existing server connections that match entries in the sticky database
• Load balances all new connections (other than the matching sticky connections mentioned above) to the other servers in the server farm
• Eventually takes the server out of service
Examples To place a real server in service, enter:
host1/Admin(config-sfarm-redirect-rs)# inservice
To perform a graceful shutdown on a primary real server with sticky connections in a server farm, enter:
host1/Admin(config-sfarm-host-rs)# inservice standby
To take a real server out of service, enter:
host1/Admin(config-sfarm-redirect-rs)# no inservice
Related Commands This command has no related commands.
(config-sfarm-host-rs) probe
To configure a probe to monitor the health of a redirect real server in a redirect server farm, use the probe command. Use the no form of this command to remove the probe from the real server.
probe probe-name
no probe probe-name
Syntax Description
    probe-name    Identifier of an existing probe that you want to assign to a real server to monitor its health. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Serverfarm redirect real server configuration mode
Admin and user contexts
Command History
    ACE Module Release                      Modification
    A2(3.2). Not applicable for A4(1.0).    This command was introduced.
    ACE Appliance Release                   Modification
    A3(2.7). Not applicable for A4(1.0).    This command was introduced.
Usage Guidelines You can associate multiple probes with each real server.
The ACE periodically sends the probes to the real servers. If the ACE receives the appropriate responses from the servers, the ACE includes the servers in load-balancing decisions. If not, the ACE marks the servers as out of service, depending on the configured number of retries.
You can only configure probes with an IP address in routed mode under a redirect server.
You cannot associate a scripted probe with a redirect server.
Examples To configure a probe for a redirect real server, enter:
host1/Admin(config-sfarm-host-rs)# probe SERVER1_PROBE
To remove a probe from a redirect real server, enter:
host1/Admin(config-sfarm-host-rs)# no probe SERVER1_PROBE
Related Commands (config-probe-probe_type) ip address
(config-sfarm-redirect-rs) rate-limit
To configure a limit for the connection rate and the bandwidth rate of a real server in a redirect server farm, use the rate-limit command. The connection rate is the number of connections per second received by the ACE and destined to a particular redirect real server. The bandwidth rate is the number of bytes per second received by the ACE and destined for a particular redirect real server. Use the no form of this command to revert to the ACE default of not limiting the connection rate or bandwidth rate of real servers in a server farm.
rate-limit {connection number1 | bandwidth number2}
no rate-limit {connection | bandwidth}
Syntax Description
    connection number1    Specifies the real server connection-rate limit in connections per second. Enter an integer from 2 to 350000. There is no default value.
    bandwidth number2     Specifies the real server bandwidth-rate limit in bytes per second. Enter an integer from 2 to 300000000. There is no default value.
Command Modes Serverfarm redirect real server configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    A2(1.0)                 This command was introduced.
    ACE Appliance Release   Modification
    A3(1.0)                 This command was introduced.
Usage Guidelines If the connection rate or the bandwidth rate of incoming traffic destined for a particular real server exceeds the configured rate for the server, the ACE blocks any further traffic destined to that real server until the connection rate or bandwidth rate drops below the configured limit. Also, the ACE removes the blocked real server from future load-balancing decisions. By default, the ACE does not limit the connection rate or the bandwidth rate of real servers in a server farm.
Examples To limit the connection rate of a real server to 100,000 connections per second, enter:
host1/Admin(config-sfarm-redir-rs)# rate-limit connection 100000
To revert to the ACE default of not limiting the real-server connection rate, enter:
host1/Admin(config-sfarm-redir-rs)# no rate-limit connection
To limit the real-server bandwidth rate to 5,000,000 bytes per second, enter:
host1/Admin(config-sfarm-redir-rs)# rate-limit bandwidth 5000000
To revert to the ACE default of not limiting real-server bandwidth, enter:
host1/Admin(config-sfarm-redir-rs)# no rate-limit bandwidth
Related Commands (config-sfarm-redirect-rs) conn-limit
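The conn-limit hysteresis (stop accepting at maxconns, resume only below minconns) and the rate-limit behaviour (block a server whose connection or byte rate exceeds its limit and drop it from load-balancing decisions until the rate falls back) as one added Python model that covers both entries above. It is not Cisco code: the sliding one-second window used to measure the rates, the server names and the limits are assumptions constructed for the example; the value ranges and defaults are those the two entries state.

```python
from collections import deque

CONN_LIMIT_DEFAULT = 4000000  # default maxconns; minconns defaults to maxconns


class RedirectRealServer:
    """Admission state of one redirect real server under conn-limit and rate-limit.
    Constructed model: the ACE's own bookkeeping is not described in the reference."""

    def __init__(self, name, max_conns=CONN_LIMIT_DEFAULT, min_conns=None,
                 conn_rate=None, bandwidth_rate=None):
        if min_conns is None:
            min_conns = max_conns                  # "minconns equal to maxconns"
        if not 2 <= min_conns <= max_conns <= CONN_LIMIT_DEFAULT:
            raise ValueError("conn-limit needs 2 <= minconns <= maxconns <= 4000000")
        self.name = name
        self.max_conns, self.min_conns = max_conns, min_conns
        self.conn_rate, self.bandwidth_rate = conn_rate, bandwidth_rate  # None = no limit
        self.active = 0             # current connections to this server
        self.over_limit = False     # set at maxconns, cleared only below minconns
        self.window = deque()       # (time, bytes) of admissions within the last second

    def _prune(self, now):
        while self.window and now - self.window[0][0] >= 1.0:
            self.window.popleft()

    def rate_blocked(self, now, request_bytes=0):
        """Assumption: rates are measured over a sliding one-second window, and the
        server is blocked while one more admission would exceed a configured limit."""
        self._prune(now)
        if self.conn_rate is not None and len(self.window) >= self.conn_rate:
            return True
        if self.bandwidth_rate is not None:
            if sum(b for _, b in self.window) + request_bytes > self.bandwidth_rate:
                return True
        return False

    def eligible(self, now, request_bytes=0):
        """Whether the load balancer may still send a new connection to this server."""
        if self.active >= self.max_conns:
            self.over_limit = True               # maxconns reached: stop accepting
        elif self.active < self.min_conns:
            self.over_limit = False              # fell below minconns: accept again
        return not self.over_limit and not self.rate_blocked(now, request_bytes)

    def admit(self, now, request_bytes=0):
        """Try to place a new connection at time now; returns True if admitted."""
        if not self.eligible(now, request_bytes):
            return False
        self.active += 1
        self.window.append((now, request_bytes))
        return True

    def close(self):
        self.active = max(0, self.active - 1)


def admissible_servers(farm, now):
    """Names of the servers still available to load-balancing decisions."""
    return [s.name for s in farm if s.eligible(now)]


def conn_limit_scenario():
    """conn-limit max 4 min 2 on a constructed server: the fifth connection is refused,
    and refusals continue until fewer than two connections remain."""
    s = RedirectRealServer("srv1", max_conns=4, min_conns=2)
    trace = [s.admit(0.0) for _ in range(5)]     # True x4, then False
    for t in (0.1, 0.2, 0.3):
        s.close()                                 # 3, 2, then 1 active
        trace.append(s.admit(t))                  # False, False, True
    return trace


def rate_limit_scenario():
    """rate-limit connection 3: a fourth admission inside one second is refused; once
    the oldest admission ages out of the window the server is eligible again."""
    s = RedirectRealServer("srv2", conn_rate=3)
    results = [s.admit(t) for t in (0.0, 0.2, 0.4, 0.6)]
    results.append(s.admit(1.05))
    return results


def bandwidth_scenario():
    """rate-limit bandwidth 1000 with 400-byte requests: the third request would push
    the one-second byte count over the limit and is refused."""
    s = RedirectRealServer("srv3", bandwidth_rate=1000)
    return [s.admit(0.0, 400), s.admit(0.1, 400), s.admit(0.2, 400)]


if __name__ == "__main__":
    print(conn_limit_scenario(), rate_limit_scenario(), bandwidth_scenario())
```

The hysteresis is the point of having two thresholds: with minconns equal to maxconns (the default) a server flips between accepting and refusing on every single connection close at the limit, whereas a lower minconns keeps it out of rotation until it has drained.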
(config-sfarm-redirect-rs) weight
To configure the capacity of a real server in relation to other servers in a server farm, use the weight command. The weight value that you specify for a server is used in the weighted round-robin and least-connections predictor load-balancing methods. Use the no form of this command to reset the real server weight to the default.
weight number
no weight
Syntax Description
    number    Weight value assigned to a real server in a server farm. This value is used in the weighted round-robin and least-connections predictor load-balancing algorithms. Enter an integer from 1 to 100. The default is 8.
Command Modes Serverfarm redirect real server configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    3.0(0)A1(2)             This command was introduced.
    ACE Appliance Release   Modification
    A1(7)                   This command was introduced.
Usage Guidelines Servers with higher weight values receive a proportionally higher number of connections than servers with lower weight values.
To specify different weight values for a redirect real server in a server farm, you can assign multiple IP addresses to the server.
Examples To configure a weight value for a real server, enter:
host1/Admin(config-sfarm-redirect-rs)# weight 50
To reset the weight of a real server to the default of 8, enter:
host1/Admin(config-sfarm-redirect-rs)# no weight
Related Commands (config-sfarm-redirect) predictor
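The proportional distribution that the weight entry describes, as an added Python illustration of weighted round-robin; this is not Cisco code. The reference does not state the arithmetic the ACE uses, so the block uses the smooth weighted round-robin algorithm (the variant used by nginx) as an assumption, with constructed server names and weights that follow the entry's 1 to 100 range and default of 8.

```python
def weighted_round_robin(weights, n):
    """Order in which n connections are handed to servers by weight, using smooth
    weighted round-robin: each pick adds every server's weight to its running score,
    takes the highest score, then subtracts the total weight from the winner.
    Over a full cycle of sum(weights) picks each server receives exactly its weight."""
    for name, w in weights.items():
        if not 1 <= w <= 100:
            raise ValueError(f"weight for {name} must be an integer from 1 to 100")
    total = sum(weights.values())
    score = {name: 0 for name in weights}
    order = []
    for _ in range(n):
        for name, w in weights.items():
            score[name] += w
        chosen = max(score, key=score.get)      # first highest score wins ties
        score[chosen] -= total
        order.append(chosen)
    return order


def share(order):
    """Connections received per server in a pick sequence."""
    counts = {}
    for name in order:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample farm: one server weighted 50, two left at the default of 8.
SAMPLE_WEIGHTS = {"srv1": 50, "srv2": 8, "srv3": 8}

if __name__ == "__main__":
    picks = weighted_round_robin(SAMPLE_WEIGHTS, sum(SAMPLE_WEIGHTS.values()))
    print(share(picks))                         # {'srv1': 50, 'srv2': 8, 'srv3': 8}
    print(picks[:12])                           # the low-weight servers are interleaved
```

The smooth variant matters operationally: a naive scheme that sends 50 connections to srv1 and then 8 to each of the others produces the same totals but bursts all load at one server at a time, which is exactly what a weight is meant to avoid.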
SSL Proxy Configuration Mode Commands
SSL proxy configuration mode commands allow you to define the Secure Sockets Layer (SSL) parameters that the ACE SSL proxy service uses in either SSL termination (proxy server service) or SSL initiation (proxy client service) during the SSL handshake.
To create a new proxy service (or edit an existing proxy service) and access SSL proxy configuration mode, use the ssl-proxy service command in configuration mode. The CLI prompt changes to (config-ssl-proxy). Use the no form of this command to delete an existing SSL proxy service.
ssl-proxy service pservice_name
no ssl-proxy service pservice_name
Syntax Description
    pservice_name    Name of the SSL proxy service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    3.0(0)A1(2)             This command was introduced.
    ACE Appliance Release   Modification
    A1(7)                   This command was introduced.
Usage Guidelines The commands in this mode require the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
When you create an SSL proxy service, the CLI changes to the SSL proxy configuration mode, where you define the following SSL proxy service attributes:
• Client authentication group—See the (config-ssl-proxy) authgroup command.
• Certificate—See the (config-ssl-proxy) cert command.
• Client authentication using CRLs—See the (config-ssl-proxy) crl command.
• Chain group—See the (config-ssl-proxy) chaingroup command.
• Key pair—See the (config-ssl-proxy) key command.
• Parameter map—See the (config-ssl-proxy) ssl advanced-options command.
Examples To create the SSL proxy service PSERVICE_SERVER, enter:
host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)#
To delete an existing SSL proxy service, enter:
host1/Admin(config)# no ssl-proxy service PSERVICE_SERVER
Related Commands (config-ssl-proxy) authgroup
(config-ssl-proxy) cert
(config-ssl-proxy) chaingroup
(config-ssl-proxy) key
(config-ssl-proxy) ssl advanced-options
(config-ssl-proxy) authgroup
To specify the certificate authentication group that the ACE uses during the Secure Sockets Layer (SSL) handshake and enable client authentication on this SSL-proxy service, use the authgroup command. Use the no form of this command to delete a certificate authentication group from the SSL proxy service.
authgroup group_name
no authgroup group_name
Syntax Description
    group_name    Name of an existing certificate authentication group.
Command Modes SSL proxy configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    A2(1.0)                 This command was introduced.
    ACE Appliance Release   Modification
    A3(1.0)                 This command was introduced.
Usage Guidelines When you enable client authentication, a significant performance decrease may occur in the ACE.
Examples To specify the certificate authentication group AUTH-CERT1, enter:
host1/Admin(config-ssl-proxy)# authgroup AUTH-CERT1
To delete the certificate authentication group AUTH-CERT1 from the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no authgroup AUTH-CERT1
Related Commands (config) crypto chaingroup
(config-parammap-ssl) authentication-failure
(config-ssl-proxy) cert
(config-ssl-proxy) key
(config-ssl-proxy) ssl advanced-options
(config-ssl-proxy) cert
To specify the certificate that the ACE uses during the Secure Sockets Layer (SSL) handshake to prove its identity, use the cert command. Use the no form of this command to delete a certificate file from the SSL proxy service.
cert {cert_filename | cisco-sample-cert}
no cert {cert_filename | cisco-sample-cert}
Syntax Description
    cert_filename        Name of an existing certificate file loaded on the ACE. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. To display a list of available certificate files, use the do show crypto files command.
    cisco-sample-cert    Specifies the self-signed certificate named cisco-sample-cert that is preinstalled on the ACE. This file is available for use in any context with the filename remaining the same in each context.
Command Modes SSL proxy configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    3.0(0)A1(2)             This command was introduced.
    A2(3.0)                 Added the cisco-sample-cert keyword.
    ACE Appliance Release   Modification
    A1(7)                   This command was introduced.
    A4(1.0)                 Added the cisco-sample-cert keyword.
Usage Guidelines The public key embedded in the certificate that you select must match the public key in the key pair file that you select. To verify that the public keys in the two files match, use the crypto verify command in the Exec mode.
Examples To specify the certificate in the certificate file MYCERT.PEM, enter:
host1/Admin(config-ssl-proxy)# cert MYCERT.PEM
To delete the certificate in the certificate file MYCERT.PEM from the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no cert MYCERT.PEM
Related Commands crypto verify
(config) crypto chaingroup
(config-ssl-proxy) authgroup
(config-ssl-proxy) chaingroup
(config-ssl-proxy) key
(config-ssl-proxy) ssl advanced-options
(config-ssl-proxy) chaingroup
To specify the certificate chain group that the ACE sends to its peer during the Secure Sockets Layer (SSL) handshake, use the chaingroup command. Use the no form of this command to delete a certificate chain group from the SSL proxy service.
chaingroup group_name
no chaingroup group_name
Syntax Description
    group_name    Name of an existing certificate chain group.
Command Modes SSL proxy configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    3.0(0)A1(2)             This command was introduced.
    ACE Appliance Release   Modification
    A1(7)                   This command was introduced.
Usage Guidelines The ACE includes the certificate chain with the certificate that you specified for the SSL proxy service.
When a change occurs in a chain-group certificate, the change takes effect when you read the associated chain group through the chaingroup command.
Examples To configure the ACE SSL proxy service to send the certificate chain group MYCHAINGROUP to its peer during the SSL handshake, enter:
host1/Admin(config-ssl-proxy)# chaingroup MYCHAINGROUP
To delete the certificate chain group MYCHAINGROUP from the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no chaingroup MYCHAINGROUP
Related Commands (config) crypto chaingroup
(config-ssl-proxy) authgroup
(config-ssl-proxy) cert
(config-ssl-proxy) key
(config-ssl-proxy) ssl advanced-options
(config-ssl-proxy) crl
To determine which certificate revocation lists (CRLs) to use for client or server authentication, use the crl command. Use the no form of this command to disable the use of CRL certificates during authentication.
crl {crl_name | best-effort}
no crl {crl_name | best-effort}
Syntax Description
    crl_name       Name that you assigned to the CRL when you downloaded it using the configuration mode crypto crl command. See (config) crypto crl for more information.
    best-effort    Specifies that the ACE scans each certificate to determine if it contains a CDP pointing to a CRL in the certificate extension and then retrieves the CRLs from that location, if the CDP is valid.
Command Modes SSL proxy configuration mode
Admin and user contexts
Command History
    ACE Module Release      Modification
    A2(1.0)                 This command was introduced.
    A2(2.0)                 This command was revised for server authentication.
    ACE Appliance Release   Modification
    A3(1.0)                 This command was introduced.
    A4(1.0)                 This command was revised for server authentication and the CRLs per context were increased from four to eight.
Usage Guidelines By default, the ACE does not use CRLs during client or server authentication. You can configure the SSL proxy service to use a CRL by either of the following methods:
• The ACE can scan each certificate for the service to determine if it contains a CRL Distribution Point (CDP) pointing to a CRL in the certificate extension and then retrieve the CRL from that location if the CDP is valid. If the CDP has an http:// or ldap:// based URL, it uses the URL to download the CRL to the ACE module.
• You can manually configure the download location for the CRL from which the ACE retrieves it.
You can configure a maximum of eight CRLs per context.
By default, the ACE does not reject certificates when the CRL in use has passed its update date. To configure the ACE to reject certificates when the CRL is expired, use the expired-crl reject command in parameter map SSL configuration mode.
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
SSL Proxy Configuration Mode Commands
When attempting to download a CRL when best-effort CRLs are configured:
• The ACE considers only the first four CDPs. From the CDPs obtained from certificate, the ACE only
considers valid and complete CDPs for the downloading of the CRLs. If a CDP leads to the
successful downloading of the CRL, ACE does not consider the subsequent CDPs for CRL
downloads.
• If none of the first four CDPs present in the certificate are valid to proceed with the downloading of
the CRL, the ACE considers the certificate as revoked unless you configured the
authentication-failure ignore command in parameter map SSL configuration mode.
• If the ACE fails to download a CRL after trying four valid CDPs, the ACE aborts its initiated SSL
connection unless you configured the authentication-failure ignore command in parameter map
SSL configuration mode.
• If the ACE detects CDP errors in the presented certificates or errors that occur during a CRL
download, the ACE rejects the SSL connection unless you configured the cdp-errors ignore
command in parameter map SSL configuration mode
• The ACE skips malformed CDPs and processes subsequent CDPs. To display CDP error statistics
including the number of malformed CDPs, use the show crypto cdp-errors command.
Examples To enable the CRL named CRL1 for authentication on an SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# crl CRL1
To have the ACE scan the presented certificates for CDP information and retrieve CRLs on a best-effort
basis, enter:
host1/Admin(config-ssl-proxy)# crl best-effort
To disable the use of the downloaded CRL CRL1 during authentication, enter:
host1/Admin(config-ssl-proxy)# no crl CRL1
To disable best-effort CRL retrieval during authentication, enter:
host1/Admin(config-ssl-proxy)# no crl best-effort
Related Commands crypto crlparams
(config) crypto crl
(config-parammap-ssl) authentication-failure
(config-parammap-ssl) cdp-errors ignore
(config-parammap-ssl) expired-crl reject
(config-ssl-proxy) authgroup
(config-ssl-proxy) cert
(config-ssl-proxy) chaingroup
(config-ssl-proxy) key
(config-ssl-proxy) ssl advanced-options
(config-ssl-proxy) key
To specify the key pair that the ACE uses during the Secure Sockets Layer (SSL) handshake to
authenticate itself and establish the session keys, use the key command. Use the no form of this command
to delete a private key from the SSL proxy service.
key key_filename | cisco-sample-key
no key key_filename | cisco-sample-key
Syntax Description
key_filename Name of an existing key pair file loaded on the ACE. Enter an unquoted text
string with no spaces and a maximum of 40 alphanumeric characters.
cisco-sample-key Specifies the sample RSA 1024-bit key pair named cisco-sample-key that is
preinstalled on the ACE. This file is available for use in any context with the
filename remaining the same in each context. Because this key pair is preinstalled on
every ACE, its private key is not private to your deployment; use it only for testing,
not for a production service.
Command Modes SSL proxy configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A2(3.0) Added the cisco-sample-key keyword.
ACE Appliance Release Modification
A1(7) This command was introduced.
A4(1.0) Added the cisco-sample-key keyword.
Usage Guidelines The public key in the key pair file that you select must match the public key embedded in the certificate
that you select. To verify that the public keys in the two files match, use the crypto verify command in
Exec mode.
Examples To specify the private key in the key pair file MYKEY.PEM for the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# key MYKEY.PEM
To delete the private key in the key pair file MYKEY.PEM from the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no key MYKEY.PEM
Related Commands crypto verify
(config-ssl-proxy) authgroup
(config-ssl-proxy) cert
(config-ssl-proxy) chaingroup
(config-ssl-proxy) ssl advanced-options
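The match that crypto verify performs between a key pair file and a certificate can be reproduced off-box before the files are imported. The following script is an added example, not ACE or Cisco code: it extracts the SubjectPublicKeyInfo from each file with openssl, hashes the DER encoding, and compares the two digests. The file names in the usage line and in the test are placeholders; the key and certificate used to exercise it are generated on the spot.

```sh
#!/bin/sh
# Added example (not ACE code): the check "crypto verify" performs, done with
# openssl. The public key in the key pair file must equal the public key in
# the certificate; compare a SHA-256 fingerprint of each DER-encoded key.
set -eu

# pubkey_fingerprint FILE KIND -> sha256 of the SubjectPublicKeyInfo in FILE,
# where KIND is "cert" (PEM X.509 certificate) or "key" (PEM private key)
pubkey_fingerprint() {
  case "$2" in
    cert) openssl x509 -in "$1" -noout -pubkey ;;
    key)  openssl pkey -in "$1" -pubout ;;
    *)    echo "pubkey_fingerprint: KIND must be cert or key" >&2; return 2 ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# keypair_matches CERT KEY -> status 0 when both carry the same public key,
# 1 otherwise (the pair would be rejected by an SSL proxy service)
keypair_matches() {
  [ "$(pubkey_fingerprint "$1" cert)" = "$(pubkey_fingerprint "$2" key)" ]
}

# Usage: sh verify.sh MYCERT.PEM MYKEY.PEM   (file names are placeholders)
if [ "$#" -eq 2 ]; then
  if keypair_matches "$1" "$2"; then
    echo "OK: $1 and $2 carry the same public key"
  else
    echo "MISMATCH: $1 and $2 do not belong together" >&2
    exit 1
  fi
fi
```

Hashing the DER form rather than diffing the PEM text avoids false mismatches caused by line wrapping or header differences between the two files.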
(config-ssl-proxy) ocspserver
To apply an OCSP server to an SSL proxy service, use the ocspserver command. Use the no form of this
command to remove the association of an OCSP server with the SSL proxy service.
ocspserver ocsp_server_name | best-effort
no ocspserver ocsp_server_name | best-effort
Syntax Description
ocsp_server_name Identifier of an OCSP server that you want to apply to this SSL proxy service.
Enter the name of an existing OCSP server as a text string with no spaces and a
maximum of 64 alphanumeric characters.
best-effort Specifies that the ACE attempts to obtain certificate revocation information from
an OCSP server on a best-effort basis. When you configure this keyword, the
ACE extracts the OCSP server information (up to four OCSP server information
elements) from the certificate. This keyword forces the ACE to look for the
AuthorityInfoAccess (AIA) extension in the incoming client or server
certificates.
Command Modes SSL proxy configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A5(1.0) This command was introduced.
ACE Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines You can apply a maximum of 10 OCSP servers to an SSL proxy service.
The format of the AIA extension is as follows:
authorityInfoAccess = OCSP;URI:http://test1.ocsp.ve/,OCSP;URI:http://test2.ocsp.ve/
If this extension is missing from a certificate when best-effort is configured, the certificate is considered
to be revoked.
Examples To apply the OCSP_SERVER1 OCSP server to the PSERVICE_SERVER SSL proxy service, enter the
following commands:
host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)# ocspserver OCSP_SERVER1
To apply a best-effort OCSP server to an SSL proxy service, enter the following commands:
host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)# ocspserver best-effort
To remove an OCSP server from an SSL proxy service, enter the following command:
host1/Admin(config-ssl-proxy)# no ocspserver OCSP_SERVER1
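Both best-effort modes, crl best-effort (CDP extension) and ocspserver best-effort (AIA extension), depend entirely on what the presented certificate carries, so it is worth checking a certificate before relying on them. The following script is an added example, not ACE or Cisco code: with openssl 1.1.1 or later (for -ext and -addext) it lists the CRL distribution points and OCSP responder URIs in a certificate and applies the selection rules from the two command descriptions above: only the first four CDPs are considered, only http:// or ldap:// CDPs are usable, and a certificate without a usable source is treated as revoked in best-effort mode. The authentication-failure ignore and cdp-errors ignore overrides are not modelled, and the example.test hostnames and the certificates built in the test are constructed for the example.

```sh
#!/bin/sh
# Added example (not ACE code): preview what best-effort CRL/OCSP checking
# would find in a certificate. Requires openssl 1.1.1+ for "-ext".
set -eu

MAX_SOURCES=4   # the ACE considers only the first four CDPs / AIA OCSP entries

# cdp_uris CERT -> every URI in the CRL Distribution Points extension, in order
cdp_uris() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
    | sed -n 's/.*URI:[[:space:]]*//p'
}

# crl_candidates CERT -> the CDPs best-effort CRL retrieval would try: the
# first four CDPs only, keeping those with an http:// or ldap:// URL
crl_candidates() {
  cdp_uris "$1" | head -n "$MAX_SOURCES" | grep -E '^(http|ldap)://' || true
}

# ocsp_candidates CERT -> OCSP responder URIs from the AIA extension (up to four)
ocsp_candidates() {
  openssl x509 -in "$1" -noout -ext authorityInfoAccess 2>/dev/null \
    | sed -n 's/.*OCSP - URI:[[:space:]]*//p' | head -n "$MAX_SOURCES"
}

# best_effort_crl_verdict CERT -> "check" when a CRL download would be attempted,
# "revoked" when none of the first four CDPs is valid (the ACE treats the
# certificate as revoked unless authentication-failure ignore is configured)
best_effort_crl_verdict() {
  if [ -n "$(crl_candidates "$1")" ]; then echo check; else echo revoked; fi
}

# best_effort_ocsp_verdict CERT -> "revoked" when the AIA extension carries no
# OCSP responder, as the ocspserver best-effort guidelines state; else "check"
best_effort_ocsp_verdict() {
  if [ -n "$(ocsp_candidates "$1")" ]; then echo check; else echo revoked; fi
}

# Usage: sh preview.sh CERT.pem   (report both methods for one certificate)
if [ "$#" -eq 1 ]; then
  echo "CRL  : $(best_effort_crl_verdict "$1")";  crl_candidates "$1"
  echo "OCSP : $(best_effort_ocsp_verdict "$1")"; ocsp_candidates "$1"
fi
```

A certificate that passes this preview can still fail on the ACE if the download itself fails or the CRL has expired; those cases are governed by the parameter map SSL options named in the guidelines.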
Related Commands show crypto
(config) crypto ocspserver
(config-ssl-proxy) revcheckprio
When you configure both OCSP and CRLs in the same SSL proxy service, you can control the order in
which the ACE uses these two resources to check the revocation status of SSL certificates. To configure
the order of revocation checking, use the revcheckprio command. Use the no form of this command to
reset the ACE behavior to the default of checking the OCSP server first and then the CRLs for certificate
revocation.
revcheckprio crl-ocsp | ocsp-crl
no revcheckprio crl-ocsp | ocsp-crl
Syntax Description
crl-ocsp Instructs the ACE to use CRLs first and then OCSP to determine the revocation
status of a client SSL certificate.
ocsp-crl (Default) Instructs the ACE to use OCSP first and then CRLs to determine the
revocation status of a client SSL certificate.
Command Modes SSL proxy configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A5(1.0) This command was introduced.
ACE Appliance Release Modification
A5(1.0) This command was introduced.
Usage Guidelines If only one of the two methods, OCSP or CRLs, is applied to an SSL proxy service, this command is not
configurable.
When both CRLs and OCSP server information are present, traversing both may extend the handshake
completion time and degrade the overall performance of the ACE.
You can apply a maximum of 10 OCSP servers to an SSL proxy service.
The format of the AIA extension is as follows:
authorityInfoAccess = OCSP;URI:http://test1.ocsp.ve/,OCSP;URI:http://test2.ocsp.ve/
If this extension is missing from a certificate when best-effort is configured, the certificate is considered
to be revoked.
The default revocation check priority order (revcheckprio ocsp-crl) is not displayed in the output of the
show running-config command, even if you configured that order explicitly.
Examples To configure the ACE to check revocation status with CRLs first and then OCSP, enter the following
commands:
host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)# revcheckprio crl-ocsp
To reset the ACE behavior to the default of checking the OCSP server first and then the CRLs for
certificate revocation, enter the following command:
host1/Admin(config-ssl-proxy)# no revcheckprio crl-ocsp
Related Commands show crypto
(config) crypto ocspserver
(config-ssl-proxy) ssl advanced-options
To associate a Secure Sockets Layer (SSL) parameter map in the current context with the SSL proxy
service, use the ssl advanced-options command. Use the no form of this command to remove the
association of an SSL parameter map with the SSL proxy service.
ssl advanced-options parammap_name
no ssl advanced-options parammap_name
Syntax Description
parammap_name Name of an existing SSL parameter map.
Command Modes SSL proxy configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines This command has no usage guidelines.
Examples To associate the parameter map PARAMMAP_SSL with the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# ssl advanced-options PARAMMAP_SSL
To remove the association of the SSL parameter map PARAMMAP_SSL with the SSL proxy service,
enter:
host1/Admin(config-ssl-proxy)# no ssl advanced-options PARAMMAP_SSL
Related Commands (config) parameter-map type
(config-ssl-proxy) authgroup
(config-ssl-proxy) cert
(config-ssl-proxy) chaingroup
(config-ssl-proxy) key
Sticky HTTP Cookie Configuration Mode Commands
Sticky cookie configuration mode commands allow you to configure the ACE to learn a cookie from
either the HTTP header of a client request or the Set-Cookie message sent by the server to a client. The
ACE then uses the learned cookie to provide stickiness between a client and a server for the duration of
a transaction. To configure the ACE to use HTTP cookies for stickiness, use the sticky http-cookie
command in configuration mode. This command creates a sticky cookie group and allows you to access
sticky cookie configuration mode. The prompt changes to (config-sticky-cookie). To remove the sticky
cookie group from the configuration, use the no form of this command.
sticky http-cookie name1 name2
no sticky http-cookie name1 name2
Syntax Description
name1 Name of the cookie that the ACE learns from the Cookie header of the client
request or from the Set-Cookie header of the server response. Enter a unique
identifier for the cookie with a maximum of 64 alphanumeric characters.
name2 Unique identifier of the sticky group. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the sticky feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
You can create a maximum of 4096 sticky groups in the ACE.
By default, the maximum number of bytes that the ACE parses to check for a cookie, HTTP header, or
URL is 2048. If a cookie, HTTP header, or URL exceeds this value, the ACE drops the packet
and sends a RST (reset) to the client browser. You can increase the number of bytes that the ACE parses
using the (config-parammap-http) set header-maxparse-length command in HTTP parameter-map
configuration mode.
You can also change the default behavior of the ACE when a cookie, header, or URL exceeds the
maximum parse length using the (config-parammap-http) length-exceed command in HTTP
parameter-map configuration mode.
Examples To create a sticky group for cookie stickiness, enter:
host1/Admin(config)# sticky http-cookie cisco.com GROUP3
host1/Admin(config-sticky-cookie)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky http-cookie cisco.com GROUP3
Related Commands show running-config
show sticky database
(config) sticky http-header
(config) sticky ip-netmask
(config-sticky-cookie) cookie insert
To enable cookie insertion, use the cookie insert command. Use cookie insertion when you want to use
a session cookie for persistence if the server is not currently setting the appropriate cookie. Use the no
form of this command to disable cookie insertion.
cookie insert [browser-expire]
no cookie insert [browser-expire]
Syntax Description
browser-expire (Optional) Allows the client's browser to expire the cookie when the
session ends.
Command Modes Sticky cookie configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines With cookie insertion enabled, the ACE inserts the cookie in the Set-Cookie header of the response from
the server to the client. The ACE selects a cookie value that identifies the original server from which the
client received a response. On subsequent connections of the same transaction, the client presents the
cookie and the ACE uses it to stick the client to the same server.
With either TCP server reuse or persistence rebalance enabled, the ACE inserts a cookie in every client
request. See the (config-parammap-http) server-conn reuse and (config-parammap-http)
persistence-rebalance commands.
Examples To enable cookie insertion, enter:
host1/Admin(config-sticky-cookie)# cookie insert
To disable cookie insertion, enter:
host1/Admin(config-sticky-cookie)# no cookie insert
Related Commands show sticky cookie-insert group
(config) sticky http-cookie
(config-sticky-cookie) cookie
To configure the cookie offset and length, use the cookie command. Use the no form of this command
to remove the cookie offset and length from the configuration.
cookie offset number1 [length number2]
no cookie offset number1 [length number2]
Syntax Description
offset number1 Specifies the portion of the cookie that the ACE uses to stick the
client to a particular server by indicating the number of bytes to ignore,
starting with the first byte of the cookie. Enter an integer from 0 to 999.
The default is 0, which indicates that the ACE does not exclude any
portion of the cookie.
length number2 (Optional) Specifies the length of the portion of the cookie (starting
with the byte after the offset value) that the ACE uses for sticking the
client to the server. Enter an integer from 1 to 1000. The default is
1000.
Command Modes Sticky cookie configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines An HTTP cookie value may change over time with only a portion remaining constant throughout a
transaction between the client and a server. You can configure the ACE to use the constant portion of a
cookie to make persistent connections to a specific server. The ACE stores cookie offset and length
values in the sticky table.
The offset and length can vary from 0 to 1000 bytes. If the cookie value is longer than the offset but
shorter than the offset plus the length, the ACE sticks the connection based on the portion of the value
that starts with the byte after the offset and runs to the end of the value. The total of the offset and the
length cannot exceed 1000.
Examples To configure the cookie offset and length, enter:
host1/Admin(config-sticky-cookie)# cookie offset 300 length 900
To remove the cookie offset and length from the configuration, enter:
host1/Admin(config-sticky-cookie)# no cookie offset 300 length 900
Related Commands (config) sticky http-cookie
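The offset and length rules above (and the same rules, plus begin-pattern and end-pattern, under the content command in sticky HTTP content configuration mode later on this page) are easier to reason about when you can run them over a real header. The following script is an added example, not ACE or Cisco code. It extracts a named cookie from a Cookie header value, applies the offset and length limits of the cookie command (offset 0 to 999, length 1 to 1000, offset plus length at most 1000), and handles the edge case the text describes, a value longer than the offset but shorter than offset plus length. The content_sticky_key function models only begin-pattern and end-pattern, and assumes that the matched patterns themselves are excluded from the key; that assumption and the use of awk extended regular expressions (rather than the ACE's own regular-expression dialect) are this example's, not the document's. The header and payload in the test are constructed.

```sh
#!/bin/sh
# Added example (not ACE code): the portion of a cookie or payload that the
# "cookie offset/length" and "content" sticky commands make the ACE key on.
set -eu
export LC_ALL=C   # count bytes, not multibyte characters, like the ACE limits

# sticky_portion VALUE OFFSET LENGTH -> prints VALUE[OFFSET+1 .. OFFSET+LENGTH].
# Returns 2 on an out-of-range argument (offset 0-999, length 1-1000,
# offset+length <= 1000) and 1 when VALUE is not longer than OFFSET, in which
# case there is nothing to stick on. A value longer than OFFSET but shorter
# than OFFSET+LENGTH yields the bytes that exist, the edge case the text notes.
sticky_portion() {
  value=$1 offset=$2 length=$3
  [ "$offset" -ge 0 ] && [ "$offset" -le 999 ] || return 2
  [ "$length" -ge 1 ] && [ "$length" -le 1000 ] || return 2
  [ $((offset + length)) -le 1000 ] || return 2
  [ "${#value}" -gt "$offset" ] || return 1
  printf '%s' "$value" | cut -c"$((offset + 1))-$((offset + length))"
}

# cookie_value COOKIE_HEADER NAME -> the value of cookie NAME from a Cookie:
# header value such as "a=1; JSESSIONID=abc; b=2" (first occurrence wins)
cookie_value() {
  printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# cookie_sticky_key COOKIE_HEADER NAME OFFSET LENGTH -> what the sticky table
# would be keyed on for this request; status 1 when the cookie is absent
cookie_sticky_key() {
  v=$(cookie_value "$1" "$2")
  [ -n "$v" ] || return 1
  sticky_portion "$v" "$3" "$4"
}

# content_sticky_key PAYLOAD BEGIN_PATTERN END_PATTERN -> the bytes between the
# first match of BEGIN_PATTERN and the next match of END_PATTERN after it.
# Assumption for this example: both patterns are excluded from the key, and the
# patterns are awk extended regular expressions. Status 1 when either is absent.
content_sticky_key() {
  printf '%s\n' "$1" | awk -v b="$2" -v e="$3" '{
    if (!match($0, b)) exit 1
    s = substr($0, RSTART + RLENGTH)
    if (!match(s, e)) exit 1
    print substr(s, 1, RSTART - 1)
    exit 0
  }'
}
```

Run the functions against a captured Cookie header before committing an offset and length: a key that comes out empty, or that changes between two requests of the same session, means the offset is pointing at the variable part of the cookie and stickiness will not hold.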
(config-sticky-cookie) cookie secondary
To configure a secondary cookie, use the cookie secondary command. Use the no form of this command
to remove a secondary cookie from the configuration.
cookie secondary name
no cookie secondary
Syntax Description
name Name of the secondary cookie. Enter a cookie name as an unquoted
text string with no spaces and a maximum of 64 alphanumeric
characters.
Command Modes Sticky cookie configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You can configure an alternative cookie name that appears in the URL string of the web page on the
server. The ACE uses this cookie to maintain a sticky connection between a client and a server and adds
a secondary entry in the sticky table.
Examples To configure a secondary cookie, enter:
host1/Admin(config-sticky-cookie)# cookie secondary mysite.com
To remove a secondary cookie from the configuration, enter:
host1/Admin(config-sticky-cookie)# no cookie secondary
Related Commands (config) sticky http-cookie
(config-sticky-cookie) replicate sticky
To instruct the ACE to replicate HTTP cookie sticky table entries on the standby ACE, use the replicate
sticky command. Use the no form of this command to restore the ACE to its default of not replicating
HTTP cookie sticky table entries.
replicate sticky
no replicate sticky
Command Modes Sticky cookie configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines If you are using redundancy, you can configure the ACE to replicate HTTP cookie sticky table entries
on the standby ACE so that if a switchover occurs, the new active ACE can maintain existing sticky
connections.
The timer of a sticky table entry on the standby ACE is reset every time the entry is synchronized with
the active ACE entry. Thus, the standby sticky entry may have a lifetime up to twice as long as the active
entry. However, if the entry expires on the active ACE or a new real server is selected and a new entry is
created, the old entry on the standby ACE is replaced.
Examples To instruct the ACE to replicate HTTP cookie sticky table entries on the standby ACE, enter:
host1/Admin(config-sticky-cookie)# replicate sticky
To restore the ACE to its default of not replicating HTTP cookie sticky table entries, enter:
host1/Admin(config-sticky-cookie)# no replicate sticky
Related Commands (config) sticky http-cookie
(config-sticky-cookie) serverfarm
To complete a sticky group configuration, you must configure a server farm entry for the group. To
configure a server farm entry for a sticky group, use the serverfarm command. Use the no form of this
command to dissociate a server farm from a sticky group.
serverfarm name1 [backup name2 [sticky] [aggregate-state]]
no serverfarm
Syntax Description
name1 Identifier of an existing server farm that you want to associate with
the sticky group. You can associate one server farm with each sticky
group. Enter a name as an unquoted text string with no spaces and a
maximum of 64 alphanumeric characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you
want the ACE to use as a backup server farm. If the primary server
farm is unavailable, the ACE uses the configured backup server farm.
The backup server farm becomes sticky when you enter the sticky
keyword. Enter a name as an unquoted text string with no spaces and
a maximum of 64 alphanumeric characters.
sticky (Optional) Specifies that the backup server farm is sticky.
aggregate-state (Optional) Specifies that the state of the primary server farm is tied
to the state of all the real servers in that server farm and in the backup
server farm if configured. The ACE declares the primary server farm
down if all real servers in the primary server farm and all real servers
in the backup server farm are down.
Command Modes Sticky cookie configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines If all the servers in the primary server farm fail, the ACE sends all connections to the backup server farm.
When the primary server farm comes back up (at least one server becomes active):
• If the sticky option is enabled, then:
– All new sticky connections that match existing sticky table entries for the real servers in the
backup server farm are stuck to the same real servers in the backup server farm.
– All new non-sticky connections and those sticky connections that do not have an entry in the
sticky table are load balanced to the real servers in the primary server farm.
• If the sticky option is not enabled, then the ACE load balances all new connections to the real servers
in the primary server farm.
• Existing non-sticky connections to the servers in the backup server farm are allowed to complete in
the backup server farm.
You can fine-tune the conditions under which the primary server farm fails over and returns to service
by configuring a partial server farm failover. For details about partial server farm failover, see the Server
Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To associate a server farm with a sticky group and specify a sticky backup server farm, enter:
host1/Admin(config-sticky-cookie)# serverfarm SFARM1 backup BKUP_SFARM2 sticky
aggregate-state
To dissociate a server farm from a sticky group, enter:
host1/Admin(config-sticky-cookie)# no serverfarm
Related Commands (config) sticky http-cookie
(config-sticky-cookie) static cookie-value
To configure a static cookie, use the static cookie-value command. Use the no form of this command to
remove a static cookie from the configuration.
static cookie-value value rserver name [number]
no static cookie-value value rserver name [number]
Syntax Description
value Cookie string value. Enter an unquoted text string with no spaces and
a maximum of 255 alphanumeric characters. Alternatively, you can
enter a text string with spaces provided that you enclose the string in
quotation marks (").
rserver name Specifies the name of an existing real server. Enter an unquoted
text string with no spaces and a maximum of 64 alphanumeric
characters.
number (Optional) Port number of the real server. Enter an integer from 1 to
65535.
Command Modes Sticky cookie configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
Usage Guidelines You can configure the ACE to use static cookies from entries based on cookie values and, optionally, real
server names and ports. Static cookie values remain constant over time.
You can configure multiple static cookie entries, but only one unique real-server name can exist for a
given static cookie value. When you configure a static entry, the ACE enters it into the sticky table
immediately. You can create a maximum of 4096 static sticky entries in the ACE.
Examples To configure a static cookie, enter:
host1/Admin(config-sticky-cookie)# static cookie-value CORVETTE rserver SERVER1 4000
To remove a static cookie from the configuration, enter:
host1/Admin(config-sticky-cookie)# no static cookie-value CORVETTE rserver SERVER1 4000
Related Commands (config) sticky http-cookie
(config-sticky-cookie) timeout
To configure an HTTP cookie sticky timeout, use the timeout command. Use the no form of this
command to reset the sticky timeout to the default of 1440 minutes.
timeout {minutes | activeconns}
no timeout {minutes | activeconns}
Syntax Description
minutes Length of time in minutes that the ACE remembers the last real
server to which a client made a sticky connection. Enter an integer
from 0 to 65535. The default timeout value is 1440 minutes (24
hours).
activeconns Specifies that a sticky entry times out when the timer expires even
if there are active connections associated with the sticky entry.
Command Modes Sticky cookie configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The sticky timeout specifies the period of time that the ACE keeps the HTTP cookie sticky information
for a client connection in the sticky table after the latest client connection terminates. The ACE resets
the sticky timer for a specific sticky-table entry each time that the ACE opens a new connection matching
that entry.
When you configure a sticky timeout for an HTTP cookie, the timeout translates into the expiration date
of the cookie. This expiration date can be later than the timeout specified in the timeout
command by as much as 20 to 25 minutes.
By default, the ACE times out a sticky table entry when the timeout for that entry expires and no active
connections matching that entry exist. To specify that the ACE time out HTTP cookie sticky table entries
even if active connections exist after the sticky timer expires, use the timeout activeconns command.
Examples To set the duration for sticky connections between a client and a real server to 720 minutes, enter:
host1/Admin(config-sticky-cookie)# timeout 720
To configure the ACE to time out HTTP cookie sticky entries even if active connections exist for those
entries, enter:
host1/Admin(config-sticky-cookie)# timeout activeconns
To restore the ACE to its default of not timing out HTTP cookie sticky entries if active connections exist
for those entries, enter:
host1/Admin(config-sticky-cookie)# no timeout activeconns
Related Commands (config) sticky http-cookie
Sticky HTTP Content Configuration Mode Commands
Sticky HTTP content configuration mode commands allow you to configure the ACE to stick client
connections to the same real server based on a string in the data portion of the HTTP packet. To create
an HTTP content sticky group and access sticky HTTP content configuration mode, use the sticky
http-content command. The prompt changes to (config-sticky-content). Use the no form of this
command to remove the sticky group from the configuration.
sticky http-content name
no sticky http-content name
Syntax Description
name Unique identifier of the sticky group. Enter an unquoted text string
with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the sticky feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
You can create a maximum of 4096 sticky groups on the ACE.
Examples To create a sticky group for HTTP packet content stickiness, enter:
host1/Admin(config)# sticky http-content HTTP_CONTENT_GROUP
host1/Admin(config-sticky-content)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky http-content HTTP_CONTENT_GROUP
Related Commands show running-config
show sticky database
(config-sticky-content) content
To define the portion of the HTTP packet contents that you want the ACE to match, use the content
command. Using this command, you can specify offset and length values and a beginning and ending
pattern based on a regular expression. The ACE stores these values in the sticky table and uses them to
stick a client to a particular server. Use the no form of this command to remove the HTTP content
specification from the sticky table.
content [offset number1] [length number2] [begin-pattern expression1]
[end-pattern expression2]
no content [offset number1] [length number2] [begin-pattern expression1]
[end-pattern expression2]
Command Modes Sticky HTTP content configuration mode
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Syntax Description
offset number1 (Optional) Specifies the portion of the content that the ACE uses to
stick the client on a particular server by indicating the bytes to ignore
starting with the first byte of the content. Enter an integer from 0 to
999. The default is 0, which indicates that the ACE does not exclude
any portion of the content.
length number2 (Optional) Specifies the length of the portion of the content (starting
with the byte after the offset value) that the ACE uses for sticking the
client to the server. Enter an integer from 1 to 1000. The default is the
entire content.
The offset and length can vary from 0 to 1000 bytes. If the content
string is longer than the offset but shorter than the offset plus the
length of the string, the ACE sticks the connection based on that
portion of the content starting with the byte after the offset value and
ending with the byte specified by the offset plus the length. The total
of the offset and the length cannot exceed 1000.
You cannot specify both the length and the end-pattern options in
the same content command.
begin-pattern expression1 (Optional) Specifies the beginning pattern of the HTTP packet
content payload and the pattern string to match before hashing. If you
do not specify a beginning pattern, the ACE starts parsing
immediately following the offset byte. You cannot configure different
beginning and ending patterns for different server farms that are part
of the same traffic classification.
Enter an unquoted text string with no spaces and a maximum of
255 alphanumeric characters for each pattern that you configure. You
can enter a text string with spaces if you enclose the entire string in
quotation marks (“). The ACE supports the use of regular expressions
for matching string expressions.
When matching data strings, the period (.) and question mark (?)
characters do not have a literal meaning in regular expressions. Use
brackets ([]) to match these symbols (for example, enter
www[.]xyz[.]com instead of www.xyz.com). You can also use a
backslash (\) to escape a dot (.) or a question mark (?).
end-pattern expression2 (Optional) Specifies the pattern that marks the end of hashing. If you
do not specify either a length or an ending pattern, the ACE continues
to parse the data until it reaches the end of the field or the end of the
packet, or until it reaches the maximum body parse length. You
cannot configure different beginning and ending patterns for
different server farms that are part of the same traffic classification.
Enter an unquoted text string with no spaces and a maximum of
255 alphanumeric characters for each pattern that you configure. You
can enter a text string with spaces if you enclose the entire string in
quotation marks (“). The ACE supports the use of regular expressions
for matching string expressions.
You cannot specify both the length and the end-pattern options in
the same content command.2-1320
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Sticky HTTP Content Configuration Mode Commands
Admin and user contexts
Command History
Usage Guidelines The contents of an HTTP packet may change over time with only a portion remaining constant
throughout a transaction between the client and a server. You can configure the ACE to use the constant
portion of the HTTP packet content to make persistent connections to a specific server. To define the
portion of the packet content that you want the ACE to use, you specify offset and length values and a
beginning and ending pattern. The ACE stores these values in the sticky table.
Examples To create an HTTP packet content specification that the ACE will use to stick traffic to a server, enter:
host1/Admin(config-sticky-content)# content offset 250 length 750 begin-pattern abc123.*
To remove the HTTP packet content specification from the configuration, enter:
host1/Admin(config-sticky-content)# no content
Related Commands (config) sticky http-content
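The following Python model is added here as an illustration and is not part of the Cisco reference. It shows which bytes the content command's offset, length, begin-pattern and end-pattern options select for hashing, why a specification with offset plus length above 1000 or with both length and end-pattern is rejected, and why a begin-pattern such as www.xyz.com also matches wwwXxyzXcom while www[.]xyz[.]com does not. Two points the reference does not pin down are assumptions here: the hashed region begins at the first byte of the begin-pattern match and stops just before the end-pattern match, and a truncated SHA-256 stands in for the ACE's undocumented internal hash. The sample payloads are constructed.

```python
"""How the `content` sticky command picks the bytes the ACE hashes.

Added example, not Cisco code. The slicing rules (offset 0..999, length
1..1000, offset + length <= 1000, length and end-pattern mutually exclusive,
regex patterns) come from the command reference. Assumptions: the hashed
region starts at the first byte of the begin-pattern match and stops just
before the end-pattern match; SHA-256 (truncated) stands in for the ACE's
undocumented internal hash.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

MAX_PARSE = 1000  # offset + length may not exceed this (documented)


@dataclass(frozen=True)
class ContentSpec:
    offset: int = 0
    length: Optional[int] = None
    begin_pattern: Optional[str] = None
    end_pattern: Optional[str] = None

    def __post_init__(self) -> None:
        # Reject the combinations the CLI rejects.
        if not 0 <= self.offset <= 999:
            raise ValueError("offset must be 0..999")
        if self.length is not None and not 1 <= self.length <= MAX_PARSE:
            raise ValueError("length must be 1..1000")
        if self.length is not None and self.end_pattern is not None:
            raise ValueError("length and end-pattern cannot be combined")
        if self.length is not None and self.offset + self.length > MAX_PARSE:
            raise ValueError("offset + length cannot exceed 1000")

    def select(self, body: bytes) -> Optional[bytes]:
        """Bytes the ACE would hash for this payload, or None when a
        begin-pattern is configured but absent (no sticky decision)."""
        data = body[self.offset:]                  # skip `offset` bytes
        if self.begin_pattern is not None:
            m = re.search(self.begin_pattern.encode(), data)
            if m is None:
                return None
            data = data[m.start():]                # assumption: hash from match start
        if self.length is not None:
            return data[:self.length]              # fixed-length window
        if self.end_pattern is not None:
            m = re.search(self.end_pattern.encode(), data)
            if m is not None:
                return data[:m.start()]            # assumption: stop before end match
        return data[:MAX_PARSE]                    # otherwise parse to the end (capped)


def sticky_key(spec: ContentSpec, body: bytes) -> Optional[str]:
    """Sticky-table key for `body`: hash of the selected region (the hash
    choice is an assumption, see module docstring)."""
    region = spec.select(body)
    if region is None:
        return None
    return hashlib.sha256(region).hexdigest()[:16]


def spec_is_valid(**kwargs) -> bool:
    """True when the ACE would accept this combination of options."""
    try:
        ContentSpec(**kwargs)
    except ValueError:
        return False
    return True


def dot_caveat() -> dict:
    """Why `www.xyz.com` is too loose as a pattern: `.` is a regex wildcard,
    so a payload containing `wwwXxyzXcom` also matches; `www[.]xyz[.]com`
    (or a backslash-escaped dot) matches only the literal host name."""
    decoy = b"host=wwwXxyzXcom&sid=1"             # constructed payload
    loose = ContentSpec(begin_pattern="www.xyz.com")
    strict = ContentSpec(begin_pattern="www[.]xyz[.]com")
    return {"loose_matches_decoy": loose.select(decoy) is not None,
            "strict_matches_decoy": strict.select(decoy) is not None}
```

Because the key is computed from client-supplied bytes, the check worth making on a new content specification is that the pattern can match only the field you intend: with an unescaped dot it also matches unrelated content, and when the begin-pattern is absent from a payload select() returns None, so that request produces no sticky key.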
(config-sticky-content) replicate sticky
To instruct the ACE to replicate HTTP content sticky table entries on the standby ACE, use the replicate
sticky command. Use the no form of this command to restore the ACE to its default of not replicating
HTTP content sticky table entries.
replicate sticky
no replicate sticky
Syntax Description This command has no keywords or arguments.
Command Modes Sticky HTTP content configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines If you are using redundancy, you can configure the ACE to replicate HTTP content sticky table entries
on the standby ACE so if a switchover occurs, the new active ACE can maintain existing sticky
connections.
The timer of a sticky table entry on the standby ACE is reset every time the entry is synchronized with
the active ACE entry. Thus, the standby sticky entry may have a lifetime up to twice as long as the active
entry. However, if the entry expires on the active ACE or a new real server is selected and a new entry is
created, the old entry on the standby ACE is replaced.
Examples To instruct the ACE to replicate HTTP content sticky table entries on the standby ACE, enter:
host1/Admin(config-sticky-content)# replicate sticky
To restore the ACE default of not replicating HTTP content sticky table entries, enter:
host1/Admin(config-sticky-content)# no replicate sticky
Related Commands (config) sticky http-content
(config-sticky-content) serverfarm
To complete a sticky group configuration, you must configure a server farm entry for the group. To
configure a server farm entry for a sticky group, use the serverfarm command. Use the no form of this
command to dissociate a server farm from a sticky group.
serverfarm name1 [backup name2 [sticky] [aggregate-state]]
no serverfarm
Syntax Description
  name1               Identifier of an existing server farm that you want to associate with
                      the sticky group. You can associate one server farm with each sticky
                      group. Enter a name as an unquoted text string with no spaces and a
                      maximum of 64 alphanumeric characters.
  backup name2        (Optional) Specifies the identifier of an existing server farm that you
                      want the ACE to use as a backup server farm. If the primary server
                      farm is unavailable, the ACE uses the configured backup server farm.
                      The backup server farm becomes sticky when you enter the sticky
                      keyword. Enter a name as an unquoted text string with no spaces and
                      a maximum of 64 alphanumeric characters.
  sticky              (Optional) Specifies that the backup server farm is sticky.
  aggregate-state     (Optional) Specifies that the state of the primary server farm is tied
                      to the state of all the real servers in that server farm and in the backup
                      server farm, if configured. The ACE declares the primary server farm
                      down if all real servers in the primary server farm and all real servers
                      in the backup server farm are down.
Command Modes Sticky HTTP content configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines If all the servers in the primary server farm fail, the ACE sends all connections to the backup server farm.
When the primary server farm comes back up (at least one server becomes active):
• If the sticky option is enabled, then:
– All new sticky connections that match existing sticky table entries for the real servers in the
backup server farm are stuck to the same real servers in the backup server farm.
– All new non-sticky connections and those sticky connections that do not have an entry in the
sticky table are load balanced to the real servers in the primary server farm.
• If the sticky option is not enabled, then the ACE load balances all new connections to the real servers
in the primary server farm.
• Existing non-sticky connections to the servers in the backup server farm are allowed to complete in
the backup server farm.
You can fine-tune the conditions under which the primary server farm fails over and returns to service
by configuring a partial server farm failover. For details about partial server farm failover, see the Server
Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To associate a server farm with an HTTP content sticky group and specify a sticky backup server farm,
enter:
host1/Admin(config-sticky-content)# serverfarm SFARM1 backup BKUP_SFARM2 sticky aggregate-state
To dissociate a server farm from an HTTP content sticky group, enter:
host1/Admin(config-sticky-content)# no serverfarm
Related Commands (config) sticky http-content
(config-sticky-content) static content
To configure a static HTTP content sticky table entry, use the static content command. Use the no form
of this command to remove the static entry from the sticky table.
static content value rserver name [number]
no static content value rserver name [number]
Syntax Description
  value           Content string value. Enter an unquoted text string with no spaces
                  and a maximum of 255 alphanumeric characters. You can enter a text
                  string with spaces provided that you enclose the entire string in
                  quotation marks (").
  rserver name    Specifies that the static entry is based on the real server name. Enter
                  the name of an existing real server as an unquoted text string with no
                  spaces and a maximum of 64 alphanumeric characters.
  number          (Optional) Port number of the real server. Enter an integer from 1 to
                  65535.
Command Modes Sticky HTTP content configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines You can configure the ACE to use static sticky table entries based on the HTTP content and optionally,
the real server name and port. Static sticky HTTP content entries remain constant over time. You can
configure multiple static content entries, but only one unique real-server name can exist for a given static
content string. When you configure a static entry, the ACE enters it into the sticky table immediately.
You can configure a maximum of 4096 static sticky entries in the ACE.
Examples To configure a static sticky entry based on the HTTP content and the server name and port number, enter:
host1/Admin(config-sticky-content)# static content STINGRAY rserver SERVER1 4000
To remove the static HTTP content entry from the sticky table, enter:
host1/Admin(config-sticky-content)# no static content STINGRAY rserver SERVER1 4000
Related Commands (config) sticky http-content
(config-sticky-content) timeout
To configure an HTTP content sticky timeout, use the timeout minutes command. Use the no form of
this command to reset the sticky timeout to the default of 1440 minutes (24 hours).
timeout {minutes | activeconns}
no timeout {minutes | activeconns}
Syntax Description
  minutes         Number of minutes that the ACE remembers the last real server to
                  which a client made a sticky connection. Enter an integer from 1 to
                  65535. The default timeout value is 1440 minutes (24 hours).
  activeconns     Specifies that sticky entries are timed out when the sticky timer
                  expires even if there are active connections.
Command Modes Sticky HTTP content configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  A2(1.0)                 This command was introduced.
  ACE Appliance Release   Modification
  A3(1.0)                 This command was introduced.
Usage Guidelines The sticky timeout specifies the period of time that the ACE keeps the HTTP content sticky information
for a client connection in the sticky table after the latest client connection terminates. The ACE resets
the sticky timer for a specific sticky-table entry each time that the ACE opens a new connection matching
that entry.
By default, the ACE times out a sticky table entry when the timeout for that entry expires and no active
connections matching that entry exist. To specify that the ACE time out HTTP content sticky table
entries even if active connections exist after the sticky timer expires, use the timeout activeconns
command.
Examples To specify a timeout value of 720 minutes, enter:
host1/Admin(config-sticky-content)# timeout 720
To reset the timeout to the default value of 1440 minutes (24 hours), enter:
host1/Admin(config-sticky-content)# no timeout 720
To specify that the ACE time out HTTP content sticky table entries even if active connections exist after
the sticky timer expires, enter:
host1/Admin(config-sticky-content)# timeout activeconns
To restore the ACE to its default of not timing out HTTP content sticky entries if active connections exist
for those entries, enter:
host1/Admin(config-sticky-content)# no timeout activeconns
Related Commands (config) sticky http-content
Sticky HTTP Header Configuration Mode Commands
Sticky HTTP header configuration mode commands allow you to create an HTTP header sticky group
to enable the ACE to stick client connections to the same real server based on HTTP headers. To access
sticky HTTP header configuration mode, use the sticky http-header command. The prompt changes to
(config-sticky-header). Use the no form of this command to remove the sticky group from the
configuration.
sticky http-header name1 name2
no sticky http-header name1 name2
Syntax Description
  name1           HTTP header name. Enter an unquoted text string with no spaces and
                  a maximum of 64 alphanumeric characters. Alternatively, you can
                  enter one of the standard HTTP headers described in Table 1-23.
  name2           Unique identifier of the sticky group. Enter an unquoted text string
                  with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.
  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.
Usage Guidelines The commands in this mode require the sticky feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
You can create a maximum of 4096 sticky groups in the ACE.
By default, the maximum number of bytes that the ACE parses to check for a cookie, HTTP header, or
URL is 2048. If a cookie, HTTP header, or URL exceeds the default value, the ACE drops the packet
and sends a RST (reset) to the client browser. You can increase the number of bytes that the ACE parses
using the (config-parammap-http) set header-maxparse-length command in HTTP parameter-map
configuration mode.
You can also change the default behavior of the ACE when a cookie, header, or URL exceeds the
maximum parse length using the (config-parammap-http) length-exceed command in HTTP
parameter-map configuration mode.
Table 1-23 lists and describes the standard HTTP header names.
Table 1-23 HTTP Header Names
  Field Name          Description
  Accept              Comma-separated list of media types (representation schemes) that are
                      acceptable in the response to the request; optional parameters within an
                      entry are separated by semicolons.
  Accept-Charset      Character sets that are acceptable for the response. This field allows clients
                      that can understand more comprehensive or special-purpose character sets
                      to signal that capability to a server that can represent documents in those
                      character sets.
  Accept-Encoding     Restricts the content encoding that a user will accept from the server.
  Accept-Language     ISO code for the language in which the document is written. The language
                      code is an ISO 639 language code with an optional ISO 3166 country code
                      to specify a national variant.
  Authorization       Specifies that the user agent wants to authenticate itself with a server,
                      usually after receiving a 401 response.
  Cache-Control       Directives that must be obeyed by all caching mechanisms on the
                      request/response chain. The directives specify behavior intended to prevent
                      caches from adversely interfering with the request or response.
  Connection          Allows the sender to specify connection options.
  Content-MD5         MD5 digest of the entity body that provides an end-to-end integrity check.
                      Only a client or an origin server can generate this header field.
  Expect              Used by a client to inform the server about the behaviors that the client
                      requires.
  From                E-mail address of the person who controls the requesting user agent.
  Host                Internet host and port number of the resource being requested, as obtained
                      from the original URI given by the user or referring resource. The Host field
                      value must represent the naming authority of the origin server or gateway
                      given by the original URL.
  If-Match            Used with a method to make it conditional. A client that has one or more
                      entities previously obtained from the resource can verify that one of those
                      entities is current by including a list of their associated entity tags in the
                      If-Match header field. This feature allows efficient updates of cached
                      information with a minimum amount of transaction overhead. It is also
                      used, on updating requests, to prevent inadvertent modification of the
                      wrong version of a resource. As a special case, the asterisk (*) value
                      matches any current entity of the resource.
  Pragma              Pragma directives that are understood by servers to which the directives are
                      relevant. The syntax is the same as for other multiple-value fields in HTTP.
                      For example, the Accept field is a comma-separated list of entries for which
                      the optional parameters are separated by semicolons.
  Referer             Address (URI) of the resource from which the URI in the request was
                      obtained.
  Transfer-Encoding   What (if any) type of transformation has been applied to the message body
                      in order to safely transfer it between the sender and the recipient.
  User-Agent          Information about the user agent (for example, a software program
                      originating the request). This information is for statistical purposes, the
                      tracing of protocol violations, and automated recognition of user agents for
                      tailoring responses to avoid user agent limitations.
  Via                 Used by gateways and proxies to indicate the intermediate protocols and
                      recipients between the user agent and the server on requests and between
                      the origin server and the client on responses.
Examples To create a group for HTTP header stickiness based on the Host header, enter:
host1/Admin(config)# sticky http-header Host GROUP4
host1/Admin(config-sticky-header)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky http-header Host GROUP4
Related Commands show running-config
show sticky database
(config) sticky http-cookie
(config) sticky ip-netmask
(config-sticky-header) header
To configure the HTTP header offset and length, use the header command. Use the no form of this
command to remove the HTTP header offset and length values from the configuration.
header offset number1 [length number2]
no header offset number1 [length number2]
Syntax Description
  offset number1    Specifies the portion of the HTTP header that the ACE uses to stick
                    the client on a particular server by indicating the bytes to ignore
                    starting with the first byte of the HTTP header. Enter an integer from
                    0 to 999. The default is 0, which indicates that the ACE does not
                    exclude any portion of the header.
  length number2    (Optional) Specifies the length of the portion of the HTTP header
                    (starting with the byte after the offset value) that the ACE uses for
                    sticking the client to the server. Enter an integer from 1 to 1000. The
                    default is 1000.
Command Modes Sticky HTTP header configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.
  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.
Usage Guidelines The ACE stores header offset and length values in the sticky table.
You can configure the ACE to use a portion of an HTTP header to make persistent connections to a
specific server. To define the portion of the HTTP header that you want the ACE to use, you specify
HTTP header offset and length values. The offset and length can vary from 0 to 1000 bytes. The ACE
sticks the connection based on that portion of the HTTP header that starts with the byte after the offset
value and ends with the byte specified by the offset plus the length. The total bytes represented by the
header offset and length cannot exceed 1000, so choose the two values together (for example, an offset
of 300 leaves at most 700 bytes for the length).
Examples To configure the header offset and length, enter:
host1/Admin(config-sticky-header)# header offset 300 length 700
To remove the HTTP header offset and length values from the configuration, enter:
host1/Admin(config-sticky-header)# no header offset 300 length 700
Related Commands (config) sticky http-header
(config-sticky-header) replicate sticky
To instruct the ACE to replicate HTTP header sticky table entries on the standby ACE, use the replicate
sticky command. Use the no form of this command to restore the ACE to its default of not replicating
HTTP header sticky table entries.
replicate sticky
no replicate sticky
Syntax Description This command has no keywords or arguments.
Command Modes Sticky HTTP header configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.
  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.
Usage Guidelines If you are using redundancy, you can configure the ACE to replicate HTTP header sticky table entries
on the standby ACE so if a switchover occurs, the new active ACE can maintain existing sticky
connections.
The timer of a sticky table entry on the standby ACE is reset every time the entry is synchronized with
the active ACE entry. Thus, the standby sticky entry may have a lifetime up to twice as long as the active
entry. However, if the entry expires on the active ACE or a new real server is selected and a new entry is
created, the old entry on the standby ACE is replaced.
Examples To instruct the ACE to replicate HTTP header sticky table entries on the standby ACE, enter:
host1/Admin(config-sticky-header)# replicate sticky
To restore the ACE to its default of not replicating HTTP header sticky table entries, enter:
host1/Admin(config-sticky-header)# no replicate sticky
Related Commands (config) sticky http-header
(config-sticky-header) serverfarm
To complete a sticky group configuration, you must configure a server farm entry for the group. To
configure a server farm entry for a sticky group, use the serverfarm command. Use the no form of this
command to dissociate a server farm from a sticky group.
serverfarm name1 [backup name2 [sticky] [aggregate-state]]
no serverfarm
Syntax Description
  name1               Identifier of an existing server farm that you want to associate with
                      the sticky group. You can associate one server farm with each sticky
                      group. Enter a name as an unquoted text string with no spaces and a
                      maximum of 64 alphanumeric characters.
  backup name2        (Optional) Specifies the identifier of an existing server farm that you
                      want the ACE to use as a backup server farm. If the primary server
                      farm is unavailable, the ACE uses the configured backup server farm.
                      The backup server farm becomes sticky when you enter the sticky
                      keyword. Enter a name as an unquoted text string with no spaces and
                      a maximum of 64 alphanumeric characters.
  sticky              (Optional) Specifies that the backup server farm is sticky.
  aggregate-state     (Optional) Specifies that the state of the primary server farm is tied
                      to the state of all the real servers in that server farm and in the backup
                      server farm, if configured. The ACE declares the primary server farm
                      down if all real servers in the primary server farm and all real servers
                      in the backup server farm are down.
Command Modes Sticky HTTP header configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.
  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.
Usage Guidelines If all the servers in the primary server farm fail, the ACE sends all connections to the backup server farm.
When the primary server farm comes back up (at least one server becomes active):
• If the sticky option is enabled, then:
– All new sticky connections that match existing sticky table entries for the real servers in the
backup server farm are stuck to the same real servers in the backup server farm.
– All new non-sticky connections and those sticky connections that do not have an entry in the
sticky table are load balanced to the real servers in the primary server farm.
• If the sticky option is not enabled, then the ACE load balances all new connections to the real servers
in the primary server farm.
• Existing non-sticky connections to the servers in the backup server farm are allowed to complete in
the backup server farm.
You can fine-tune the conditions under which the primary server farm fails over and returns to service
by configuring a partial server farm failover. For details about partial server farm failover, see the Server
Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To associate a server farm with a sticky group and specify a sticky backup server farm, enter:
host1/Admin(config-sticky-header)# serverfarm SFARM1 backup BKUP_SFARM2 sticky aggregate-state
To dissociate a server farm from a sticky group, enter:
host1/Admin(config-sticky-header)# no serverfarm
Related Commands (config) serverfarm
(config) sticky http-header
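The backup-farm rules in the usage guidelines of this command and of its sticky HTTP content counterpart, run through a small Python model that is added here and is not Cisco code. The model assumes round-robin selection inside a farm and that a sticky entry pointing at a failed real server is discarded and the client re-selected, neither of which the reference specifies; aggregate-state is modelled only as the state reported for the primary farm, which is all the reference attributes to it. Server-farm, real-server and client names are constructed.

```python
"""Primary/backup server-farm selection for a sticky group
(`serverfarm name1 backup name2 [sticky] [aggregate-state]`).

Added example, not Cisco code. Rules taken from the usage guidelines: all
connections go to the backup farm while no primary real server is active;
with the `sticky` keyword, entries recorded for backup real servers keep
matching clients there after the primary returns; without it, every new
connection returns to the primary; `aggregate-state` changes only when the
primary farm is reported down. Assumptions: round robin inside a farm, and
a sticky entry pointing at a failed real server is discarded.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ServerFarm:
    name: str
    rservers: List[str]

    def __post_init__(self) -> None:
        self.up: Dict[str, bool] = {r: True for r in self.rservers}

    def active(self) -> List[str]:
        return [r for r in self.rservers if self.up[r]]


@dataclass
class StickyGroup:
    primary: ServerFarm
    backup: Optional[ServerFarm] = None
    backup_sticky: bool = False       # `sticky` keyword on the backup farm
    aggregate_state: bool = False     # `aggregate-state` keyword
    table: Dict[str, str] = field(default_factory=dict)   # sticky key -> rserver
    cursor: Dict[str, int] = field(default_factory=dict)  # round-robin position per farm

    def reported_state(self) -> str:
        """State the ACE reports for the primary farm. With aggregate-state
        it is DOWN only when both farms have no active real server."""
        down = not self.primary.active()
        if self.aggregate_state and self.backup is not None:
            down = down and not self.backup.active()
        return "DOWN" if down else "UP"

    def _pick(self, farm: ServerFarm) -> str:
        act = farm.active()
        i = self.cursor.get(farm.name, 0)
        self.cursor[farm.name] = i + 1
        return act[i % len(act)]

    def connect(self, key: Optional[str]) -> str:
        """Real server chosen for a new connection; key=None is a non-sticky
        connection (no entry is consulted or created)."""
        if key is not None and key in self.table:
            r = self.table[key]
            farm = self.primary if r in self.primary.rservers else self.backup
            if farm.up[r]:
                return r                    # existing entry wins, even on the backup farm
            del self.table[key]             # assumption: stale entry, re-select
        if self.primary.active():
            farm, record = self.primary, True
        elif self.backup is not None and self.backup.active():
            farm, record = self.backup, self.backup_sticky
        else:
            raise RuntimeError("no active real server in either farm")
        r = self._pick(farm)
        if key is not None and record:
            self.table[key] = r
        return r


def failover_sequence(backup_sticky: bool) -> List[str]:
    """Fixed scenario: client c1 sticks to the primary, the whole primary
    farm fails, c1 and c2 arrive during the outage, P1 recovers, then c1,
    a new sticky client c3 and a non-sticky connection arrive."""
    g = StickyGroup(ServerFarm("SFARM1", ["P1", "P2"]),
                    ServerFarm("BKUP_SFARM2", ["B1", "B2"]),
                    backup_sticky=backup_sticky)
    out = [g.connect("c1")]                       # P1
    g.primary.up["P1"] = g.primary.up["P2"] = False
    out += [g.connect("c1"), g.connect("c2")]     # served by the backup farm
    g.primary.up["P1"] = True                     # primary comes back
    out += [g.connect("c1"), g.connect("c3"), g.connect(None)]
    return out
```

With the sticky keyword, failover_sequence(True) shows c1 staying on B1 after P1 recovers while c3 and the non-sticky connection go to P1; without it, failover_sequence(False) sends c1 back to the primary as well, because nothing was recorded for the backup farm during the outage.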
(config-sticky-header) static header-value
To configure a static header, use the static header-value command. Use the no form of this command
to remove a static header from the configuration.
static header-value value rserver name [number]
no static header-value value rserver name [number]
Syntax Description
  value           Header string value. Enter an unquoted text string with no spaces and
                  a maximum of 255 alphanumeric characters. Alternatively, you can
                  enter a text string with spaces provided that you enclose the entire
                  string in quotation marks (").
  rserver name    Specifies the hostname of an existing real server. Enter an unquoted
                  text string with no spaces and a maximum of 64 alphanumeric
                  characters.
  number          (Optional) Port number of the real server. Enter an integer from 1 to
                  65535.
Command Modes Sticky HTTP header configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.
  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.
Usage Guidelines You can configure the ACE to use static header sticky entries based on HTTP header values and
optionally, real server names and ports. Static sticky header values remain constant over time. You can
configure multiple static header entries, but only one unique real-server name can exist for a given static
header sticky value.
When you configure a static entry, the ACE enters it into the sticky table immediately. You can create a
maximum of 4096 static sticky entries in the ACE.
Examples To configure a static header, enter:
host1/Admin(config-sticky-header)# static header-value CORVETTE rserver SERVER1 4000
To remove a static header from the configuration, enter:
host1/Admin(config-sticky-header)# no static header-value CORVETTE rserver SERVER1 4000
Related Commands (config) sticky http-header
(config-sticky-header) timeout
To configure an HTTP header sticky timeout, use the timeout minutes command. Use the no form of this
command to reset the sticky timeout to the default of 1440 minutes (24 hours).
timeout {minutes | activeconns}
no timeout {minutes | activeconns}
Syntax Description
  minutes         Length of time in minutes that the ACE remembers the last real
                  server to which a client made a sticky connection. Enter an integer
                  from 1 to 65535. The default timeout value is 1440 minutes (24
                  hours).
  activeconns     Specifies that sticky entries are timed out when the timer expires even
                  if there are active connections.
Command Modes Sticky HTTP header configuration mode
Admin and user contexts
Command History
  ACE Module Release      Modification
  3.0(0)A1(2)             This command was introduced.
  ACE Appliance Release   Modification
  A1(7)                   This command was introduced.
Usage Guidelines The sticky timeout specifies the period of time that the ACE keeps the HTTP header sticky information
for a client connection in the sticky table after the latest client connection terminates. The ACE resets
the sticky timer for a specific sticky-table entry each time that the ACE opens a new connection matching
that entry.
By default, the ACE times out a sticky table entry when the timeout for that entry expires and no active
connections matching that entry exist. To specify that the ACE time out HTTP header sticky table entries
even if active connections exist after the sticky timer expires, use the timeout activeconns command.
Examples To specify a timeout value of 720 minutes, enter:
host1/Admin(config-sticky-header)# timeout 720
To reset the timeout to the default value of 1440 minutes (24 hours), enter:
host1/Admin(config-sticky-header)# no timeout 720
To specify that the ACE time out HTTP header sticky table entries even if active connections exist after
the sticky timer expires, enter:
host1/Admin(config-sticky-header)# timeout activeconns
To restore the ACE to its default of not timing out HTTP header sticky entries if active connections exist
for those entries, enter:
host1/Admin(config-sticky-header)# no timeout activeconns
Related Commands (config) sticky http-header
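A small Python model, added here and not taken from the Cisco reference, of the entry lifetime rules stated for timeout and timeout activeconns (in this mode and in sticky HTTP content mode) and for the standby copy kept by replicate sticky: the timer is reset whenever a new matching connection opens, an entry with open connections survives an expired timer unless activeconns is configured, and the standby copy's timer is reset at each synchronization so it can live up to about twice as long as the active entry. Two details the reference leaves open are assumptions: closing a connection does not reset the timer, and the standby copy is refreshed by a periodic synchronization. The clock is a toy minute counter and the client and server names are constructed.

```python
"""Sticky-table entry lifetime: `timeout`, `timeout activeconns` and the
standby copy kept by `replicate sticky`.

Added example, not Cisco code. Times are minutes on a toy clock. Documented
rules: the timer is reset when a new matching connection opens; by default
an entry is removed only when its timer has run out and no matching
connection is open; `timeout activeconns` removes it regardless; the
standby copy's timer is reset at every synchronization. Assumptions: closing
a connection does not reset the timer, and synchronization is periodic.
"""
from dataclasses import dataclass, field
from typing import Dict, List

DEFAULT_TIMEOUT = 1440  # minutes (24 hours), the documented default


@dataclass
class Entry:
    rserver: str
    expires_at: int   # clock value at which the sticky timer runs out
    active: int = 0   # connections currently open that match this entry


@dataclass
class StickyTable:
    timeout: int = DEFAULT_TIMEOUT
    activeconns: bool = False      # `timeout activeconns` configured?
    replicate: bool = False        # `replicate sticky` configured?
    entries: Dict[str, Entry] = field(default_factory=dict)
    standby: Dict[str, Entry] = field(default_factory=dict)

    def open_conn(self, key: str, rserver: str, now: int) -> str:
        """New connection matching `key`: create or refresh the entry and
        reset its timer (documented behaviour)."""
        e = self.entries.get(key)
        if e is None:
            e = self.entries[key] = Entry(rserver, now + self.timeout)
        e.active += 1
        e.expires_at = now + self.timeout
        if self.replicate:
            self.sync(now)
        return e.rserver

    def close_conn(self, key: str) -> None:
        self.entries[key].active -= 1   # assumption: no timer reset on close

    def expire(self, now: int) -> List[str]:
        """Drop entries whose timer has run out. By default an entry with open
        connections survives; with `timeout activeconns` it is dropped anyway."""
        gone = [k for k, e in self.entries.items()
                if now >= e.expires_at and (self.activeconns or e.active == 0)]
        for k in gone:
            del self.entries[k]
        return gone

    def sync(self, now: int) -> None:
        """Replicate entries to the standby; each sync resets the standby
        copy's timer (documented), so it can outlive the active entry."""
        for k, e in self.entries.items():
            self.standby[k] = Entry(e.rserver, now + self.timeout, 0)

    def expire_standby(self, now: int) -> List[str]:
        gone = [k for k, e in self.standby.items() if now >= e.expires_at]
        for k in gone:
            del self.standby[k]
        return gone


def short_connection_lifetime(timeout: int = 10) -> int:
    """Client connects at t=0 and disconnects at t=1: the entry lives until
    the timer set at the open runs out, i.e. until t=timeout."""
    t = StickyTable(timeout=timeout)
    t.open_conn("client-a", "S1", now=0)
    t.close_conn("client-a")
    for now in range(0, 3 * timeout):
        if t.expire(now):
            return now
    return -1


def long_connection_survives(activeconns: bool, timeout: int = 10) -> bool:
    """A connection opened at t=0 is still open at t=timeout. Default: the
    entry is kept; with `timeout activeconns` it is removed although the
    connection is active."""
    t = StickyTable(timeout=timeout, activeconns=activeconns)
    t.open_conn("client-b", "S1", now=0)
    t.expire(now=timeout)
    return "client-b" in t.entries


def standby_lifetime(timeout: int = 10, last_sync: int = 9) -> dict:
    """Entry created at t=0 with replication; a sync just before the active
    timer expires resets the standby timer, so the standby copy lives until
    last_sync + timeout, close to twice the active lifetime."""
    t = StickyTable(timeout=timeout, replicate=True)
    t.open_conn("client-c", "S2", now=0)
    t.close_conn("client-c")
    t.sync(now=last_sync)
    active_gone = next(n for n in range(0, 3 * timeout) if t.expire(n))
    standby_gone = next(n for n in range(0, 3 * timeout) if t.expire_standby(n))
    return {"active_expires": active_gone, "standby_expires": standby_gone}
```

The practical consequence of the default is that a long-lived connection keeps its entry, and therefore its real server, past the configured timeout; timeout activeconns is the switch to use when the sticky table must not grow with connection lifetime.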
Sticky IP Configuration Mode Commands
Sticky IP configuration mode commands allow you to create a sticky group for IP address stickiness. To
create a sticky group and access sticky IP configuration mode, use the sticky ip-netmask command for
IPv4 or the sticky v6-prefix command for IPv6. The prompt changes to (config-sticky-ip). Use the no
form of this command to remove the sticky group from the configuration.
sticky {v6-prefix prefix_length | ip-netmask netmask} address {source | destination | both} name
no sticky {v6-prefix prefix_length | ip-netmask netmask} address {source | destination | both} name
Syntax Description
v6-prefix prefix_length IPv6 prefix that specifies how many of the most significant bits (MSBs) of the
IPv6 address are used for the network identifier. Enter an integer from 1 to 128.
netmask Network mask that the ACE applies to the IP address. Enter a network mask in dotted-decimal
notation (for example, 255.255.255.0).
Note (ACE module only) If you configure a network mask other than 255.255.255.255 (/32), the ACE may
populate the sticky entries only on one of its two network processors, which may reduce the number of
available sticky entries by 50 percent. This reduction in resources can cause problems when heavy sticky
use occurs on the ACE.
address {source | destination | both} Specifies the IP address used for stickiness. Enter one of the
following keywords:
• source—Specifies that the ACE use the client source IP address to stick the client to a server. You use
this keyword in web application environments.
• destination—Specifies that the ACE use the destination address specified in the client request to stick
the client to a server. You use this keyword in caching environments.
• both—Specifies that the ACE use both the source IP address and the destination IP address to stick
the client to a server.
name Unique identifier of the sticky group. Enter an unquoted text string with no spaces and a maximum
of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Added the v6-prefix keyword and argument.
ACE Appliance Release Modification
A1(7) This command was introduced.
A5(1.0) Added the v6-prefix keyword and argument.
Usage Guidelines The commands in this mode require the sticky feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
You can create a maximum of 4096 sticky groups on the ACE.
Examples IPv6 Example
To create a sticky group that uses IPv6 address stickiness based on both the source IPv6 address and the
destination IPv6 address, enter:
host1/Admin(config)# sticky v6-prefix 64 address both GROUP1
host1/Admin(config-sticky-ip)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky v6-prefix 64 address both GROUP1
IPv4 Example
To create a sticky group that uses IPv4 address stickiness based on both the source IPv4 address and the
destination IPv4 address, enter:
host1/Admin(config)# sticky ip-netmask 255.255.255.255 address both GROUP1
host1/Admin(config-sticky-ip)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky ip-netmask 255.255.255.255 address both GROUP1
Related Commands show running-config
show sticky database
(config) sticky http-cookie
(config) sticky http-header
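The netmask and prefix length above decide which clients share one sticky entry, and therefore one real server. The following is an added example, not ACE code, that models the key an ip-netmask or v6-prefix sticky group derives from a connection. The key layout (a tuple of masked addresses) and the sample client addresses are assumptions made for illustration; the ACE's internal table format is not documented on this page. The point a practitioner should take from it: with a /32 mask every client gets its own entry, while a wider mask such as 255.255.255.0 collapses an entire /24 of clients (a NAT pool, a proxy farm, or a single attacker's address block) onto one entry and one real server, which is also the case the module-only note about the two network processors warns about.

```python
# Added example (not ACE code): the sticky-table key an ip-netmask / v6-prefix
# sticky group derives from a connection, and the effect of the mask width.
import ipaddress
from typing import Iterable, Optional, Tuple


def sticky_ip_key(src: str, dst: str, mode: str,
                  netmask: Optional[str] = None,
                  v6_prefix: Optional[int] = None) -> Tuple[str, ...]:
    """Return the tuple a sticky table keyed on IP addresses would use.

    mode is the `address` keyword: 'source', 'destination' or 'both'.
    IPv4 groups carry a dotted-decimal netmask (ip-netmask), IPv6 groups a
    prefix length from 1 to 128 (v6-prefix). The mask is applied to whichever
    address(es) the mode selects, so every client inside the same masked
    prefix shares one entry and therefore one real server.
    """
    if mode not in ("source", "destination", "both"):
        raise ValueError("address must be source, destination or both")

    def masked(addr: str) -> str:
        ip = ipaddress.ip_address(addr)
        if ip.version == 4:
            if netmask is None:
                raise ValueError("an IPv4 sticky group needs ip-netmask")
            net = ipaddress.IPv4Network((ip, netmask), strict=False)
        else:
            if v6_prefix is None or not 1 <= v6_prefix <= 128:
                raise ValueError("an IPv6 sticky group needs v6-prefix 1..128")
            net = ipaddress.IPv6Network((ip, v6_prefix), strict=False)
        return str(net.network_address)

    if mode == "source":
        return ("src", masked(src))
    if mode == "destination":
        return ("dst", masked(dst))
    return ("src", masked(src), "dst", masked(dst))


def distinct_entries(clients: Iterable[str], dst: str, mode: str, **mask) -> int:
    """How many sticky entries a set of client addresses produces under a mask.

    With a /32 mask every client gets its own entry; with 255.255.255.0 a
    whole /24 of clients collapses onto a single entry and a single real server.
    """
    return len({sticky_ip_key(c, dst, mode, **mask) for c in clients})


# Constructed sample addresses: the ones used in the examples above plus two neighbours.
CLIENTS = ["192.168.12.15", "192.168.12.200", "192.168.13.15"]
VIP_BACKEND = "172.16.27.3"

if __name__ == "__main__":
    print(sticky_ip_key("192.168.12.15", VIP_BACKEND, "both", netmask="255.255.255.255"))
    print(distinct_entries(CLIENTS, VIP_BACKEND, "source", netmask="255.255.255.255"))
    print(distinct_entries(CLIENTS, VIP_BACKEND, "source", netmask="255.255.255.0"))
    print(sticky_ip_key("2001:DB8:12::15", "2001:DB8:27::3", "both", v6_prefix=64))
```

The `destination` mode is the caching case from the table: clients are keyed on the server address they asked for rather than on their own, so the mask narrows or widens the set of origin addresses that land on one cache.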
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Sticky IP Configuration Mode Commands
(config-sticky-ip) replicate sticky
To instruct the ACE to replicate IP address sticky table entries on the standby ACE, use the replicate
sticky command. Use the no form of this command to restore the ACE to its default of not replicating
IP address sticky table entries.
replicate sticky
no replicate sticky
Syntax Description This command has no keywords or arguments.
Command Modes Sticky IP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines If you are using redundancy, you can configure the ACE to replicate IP address sticky table entries on
the standby ACE so that, if a switchover occurs, the new active ACE can maintain existing sticky
connections.
The timer of a sticky table entry on the standby ACE is reset every time the entry is synchronized with
the active ACE entry. Thus, the standby sticky entry may have a lifetime up to twice as long as the active
entry. However, if the entry expires on the active ACE or a new real server is selected and a new entry is
created, the old entry on the standby ACE is replaced.
Examples To instruct the ACE to replicate IP address sticky table entries on the standby ACE, enter:
host1/Admin(config-sticky-ip)# replicate sticky
To restore the ACE default of not replicating IP address sticky table entries, enter:
host1/Admin(config-sticky-ip)# no replicate sticky
Related Commands (config) sticky ip-netmask
(config-sticky-ip) serverfarm
To complete a sticky group configuration, you must configure a server farm entry for the group. To
configure a server farm entry for a sticky group, use the serverfarm command. Use the no form of this
command to dissociate a server farm from a sticky group.
serverfarm name1 [backup name2 [sticky] [aggregate-state]]
no serverfarm
Syntax Description
name1 Identifier of an existing server farm that you want to associate with the sticky group. You can
associate one server farm with each sticky group. Enter a name as an unquoted text string with no spaces
and a maximum of 64 alphanumeric characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you want the ACE to use
as a backup server farm. If the primary server farm is unavailable, the ACE uses the configured backup
server farm. The backup server farm becomes sticky when you enter the sticky keyword. Enter a name as
an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
sticky (Optional) Specifies that the backup server farm is sticky.
aggregate-state (Optional) Specifies that the state of the primary server farm is tied to the state of all
the real servers in that server farm and in the backup server farm, if configured. The ACE declares the
primary server farm down if all real servers in the primary server farm and all real servers in the backup
server farm are down.
Command Modes Sticky IP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines If all the servers in the primary server farm fail, the ACE sends all connections to the backup server farm.
When the primary server farm comes back up (at least one server becomes active):
• If the sticky option is enabled, then:
– All new sticky connections that match existing sticky table entries for the real servers in the
backup server farm are stuck to the same real servers in the backup server farm.
– All new non-sticky connections and those sticky connections that do not have an entry in the
sticky table are load balanced to the real servers in the primary server farm.
• If the sticky option is not enabled, then the ACE load balances all new connections to the real servers
in the primary server farm.
• Existing non-sticky connections to the servers in the backup server farm are allowed to complete in
the backup server farm.
You can fine-tune the conditions under which the primary server farm fails over and returns to service
by configuring a partial server farm failover. For details about partial server farm failover, see the Server
Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To associate a server farm with a sticky group and specify a sticky backup server farm, enter:
host1/Admin(config-sticky-ip)# serverfarm SFARM1 backup BKUP_SFARM2 sticky aggregate-state
To dissociate a server farm from a sticky group, enter:
host1/Admin(config-sticky-ip)# no serverfarm
Related Commands (config) sticky ip-netmask
(config-sticky-ip) static client source
To configure static sticky-IP table entries for IPv6 or IPv4, use the static client command. Use the no
form of this command to remove the static entry from the sticky table.
The syntax of this command varies according to the address option that you chose when you created the
sticky group using the (config) sticky ip-netmask command. If you configured the sticky group with
the source option, the syntax of this command is as follows:
static client source ip_address rserver name [number]
no static client source ip_address rserver name [number]
If you configured the sticky group with the destination option, the syntax of this command is as follows:
static client destination ip_address rserver name [number]
no static client destination ip_address rserver name [number]
If you configured the sticky group with the both option, the syntax of this command is as follows:
static client source ip_address destination ip_address rserver name [number]
no static client source ip_address destination ip_address rserver name [number]
Syntax Description
source ip_address Specifies that the static entry is based on the source IP address. Enter an IPv4 address
in dotted-decimal notation (for example, 192.168.12.15) or an IPv6 address (for example,
2001:DB8:12::15).
destination ip_address Specifies that the static entry is based on the destination IP address. Enter an
IPv4 address in dotted-decimal notation (for example, 172.16.27.3) or an IPv6 address (for example,
2001:DB8:27::3).
rserver name Specifies the real server to which the ACE sticks clients that match the static entry. Enter
the name of an existing real server as an unquoted text string with no spaces and a maximum of
64 alphanumeric characters.
number (Optional) Port number of the real server. Enter an integer from 1 to 65535.
Command Modes Sticky IP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
A5(1.0) Added IPv6 support.
ACE Appliance Release Modification
A1(7) This command was introduced.
A5(1.0) Added IPv6 support.
Usage Guidelines You can configure static sticky table entries based on the IPv6 or IPv4 source IP address, the destination
IP address, or both, each mapped to a real server name and, optionally, a real server port. Static sticky-IP
values remain constant over time and you can configure multiple static entries. When you configure a
static entry, the ACE enters it into the sticky table immediately. You can configure a maximum of 4096
static sticky entries in the ACE.
Examples IPv6 Example
To configure a static sticky entry based on the source IP address, the destination IP address, and the
server name and port number, enter:
host1/Admin(config-sticky-ip)# static client source 2001:DB8:12::15 destination 2001:DB8:27::3 rserver SERVER1 2000
To remove the static entry from the sticky table, enter:
host1/Admin(config-sticky-ip)# no static client source 2001:DB8:12::15 destination 2001:DB8:27::3 rserver SERVER1 2000
IPv4 Example
To configure a static sticky entry based on the source IP address, the destination IP address, and the
server name and port number, enter:
host1/Admin(config-sticky-ip)# static client source 192.168.12.15 destination 172.16.27.3 rserver SERVER1 2000
To remove the static entry from the sticky table, enter:
host1/Admin(config-sticky-ip)# no static client source 192.168.12.15 destination 172.16.27.3 rserver SERVER1 2000
Related Commands (config) sticky ip-netmask
(config-sticky-ip) timeout
To configure an IP address sticky timeout, use the timeout minutes command. Use the no form of this
command to reset the sticky timeout to the default of 1440 minutes (24 hours).
timeout {minutes | activeconns}
no timeout {minutes | activeconns}
Syntax Description
minutes Number of minutes that the ACE remembers the last real server to which a client made a sticky
connection. Enter an integer from 1 to 65535. The default timeout value is 1440 minutes (24 hours).
activeconns Specifies that sticky entries are timed out when the timer expires even if there are active
connections.
Command Modes Sticky IP configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The sticky timeout specifies the period of time that the ACE keeps (if possible) the IP address sticky
information for a client connection in the sticky table after the latest client connection terminates. The
ACE resets the sticky timer for a specific sticky-table entry each time that the ACE opens a new
connection or receives a new HTTP GET on an existing connection matching that entry. High connection
rates may cause the sticky table entries to age out prematurely.
By default, the ACE times out a sticky table entry when the timeout for that entry expires and no active
connections matching that entry exist. To specify that the ACE time out IP address sticky table entries
even if active connections exist after the sticky timer expires, use the timeout activeconns command.
Examples To specify a timeout value of 720 minutes, enter:
host1/Admin(config-sticky-ip)# timeout 720
To specify that the ACE time out IP address sticky table entries even if active connections exist after the
sticky timer expires, enter:
host1/Admin(config-sticky-ip)# timeout activeconns
To restore the ACE to its default of not timing out IP address sticky entries if active connections exist,
enter:
host1/Admin(config-sticky-ip)# no timeout activeconns
Related Commands (config) sticky ip-netmask
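The timeout rules above (timer reset on each new matching connection, expiry only once no connection is active unless activeconns is set, static entries that never age out) are easy to misread. The following added example, which is not ACE code, models them in a small sticky table so the three cases can be run side by side. It assumes the timer is restarted both when a matching connection opens and when the latest one closes (the text says the timeout counts from the latest termination and is reset by a new connection); the scenario functions, client address and server names are constructed for the example.

```python
# Added example (not ACE code): a minimal sticky table that follows the timeout
# rules described for the IP, HTTP header and Layer 4 payload sticky groups.
from dataclasses import dataclass, field
from typing import Dict, Hashable, List, Set


@dataclass
class StickyEntry:
    rserver: str
    timer_start: float                 # minute at which the sticky timer last (re)started
    active: Set[int] = field(default_factory=set)   # ids of open connections matching the entry
    static: bool = False               # static client / static layer4-payload entry


class StickyTable:
    def __init__(self, timeout_minutes: int = 1440, activeconns: bool = False) -> None:
        if not 1 <= timeout_minutes <= 65535:
            raise ValueError("timeout must be 1..65535 minutes")
        self.timeout = timeout_minutes         # `timeout minutes`, default 1440
        self.activeconns = activeconns         # `timeout activeconns`
        self.entries: Dict[Hashable, StickyEntry] = {}

    def add_static(self, key: Hashable, rserver: str) -> None:
        """A static entry is installed immediately and never ages out."""
        self.entries[key] = StickyEntry(rserver, 0.0, static=True)

    def open_conn(self, key: Hashable, conn_id: int, now: float, predictor_choice: str) -> str:
        """Route a new connection. predictor_choice is the real server the load-balancing
        predictor would pick; it is used only when no sticky entry exists for the key."""
        entry = self.entries.get(key)
        if entry is None:
            entry = StickyEntry(predictor_choice, now)
            self.entries[key] = entry
        entry.active.add(conn_id)
        entry.timer_start = now        # a new matching connection resets the sticky timer
        return entry.rserver

    def close_conn(self, key: Hashable, conn_id: int, now: float) -> None:
        entry = self.entries[key]
        entry.active.discard(conn_id)
        entry.timer_start = now        # assumption: the timeout counts from the latest termination

    def expire(self, now: float) -> List[Hashable]:
        """Remove aged entries and return their keys.

        Default: an entry goes only when its timer has expired AND no matching
        connection is still open. With activeconns the open connections are ignored.
        """
        removed = []
        for key, entry in list(self.entries.items()):
            if entry.static:
                continue
            if now - entry.timer_start >= self.timeout and (self.activeconns or not entry.active):
                removed.append(key)
                del self.entries[key]
        return removed


def long_lived_connection(activeconns: bool) -> List[Hashable]:
    """Constructed scenario: one client opens at minute 0 and keeps the connection
    open past a 720-minute sticky timer. Returns the entries expired at minute 720."""
    table = StickyTable(timeout_minutes=720, activeconns=activeconns)
    table.open_conn("10.0.0.5", conn_id=1, now=0.0, predictor_choice="SERVER1")
    return table.expire(720.0)


def idle_then_return() -> tuple:
    """Constructed scenario: the connection closes at minute 100; a second connection
    at minute 500 must reach the same server, a third one after expiry need not."""
    table = StickyTable(timeout_minutes=720)
    table.open_conn("10.0.0.5", 1, 0.0, "SERVER1")
    table.close_conn("10.0.0.5", 1, 100.0)
    still_stuck = table.open_conn("10.0.0.5", 2, 500.0, "SERVER2")   # predictor choice ignored
    table.close_conn("10.0.0.5", 2, 500.0)
    expired_early = table.expire(1219.0)      # 719 minutes after the last close
    expired_on_time = table.expire(1220.0)    # 720 minutes after the last close
    relearned = table.open_conn("10.0.0.5", 3, 1221.0, "SERVER2")
    return still_stuck, expired_early, expired_on_time, relearned


def static_never_expires() -> List[Hashable]:
    table = StickyTable(timeout_minutes=1)
    table.add_static("192.168.12.15", "SERVER1")
    return table.expire(10 ** 9)
```

The long-lived case is the one to watch operationally: without activeconns a client holding a connection open keeps its entry alive indefinitely, which is usually what an application wants, while activeconns caps every entry's lifetime at the configured timer regardless of connection state.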
Sticky Layer 4 Payload Configuration Mode Commands
Sticky Layer 4 payload configuration mode commands allow you to configure the ACE to stick client
connections to the same real server based on a string in the payload portion of the Layer 4 protocol
packet. To create a Layer 4 payload sticky group and access sticky Layer 4 payload configuration mode,
use the sticky layer4-payload command. The prompt changes to (config-sticky-l4payloa). Use the no
form of this command to remove the sticky group from the configuration.
sticky layer4-payload name
no sticky layer4-payload name
Syntax Description
name Unique identifier of the sticky group. Enter an unquoted text string with no spaces and a maximum
of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The commands in this mode require the sticky feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
You can create a maximum of 4096 sticky groups on the ACE.
Examples To create a sticky group that uses Layer 4 payload stickiness, enter:
host1/Admin(config)# sticky layer4-payload L4_PAYLOAD_GROUP
host1/Admin(config-sticky-l4payloa)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky layer4-payload L4_PAYLOAD_GROUP
Related Commands show running-config
show sticky database
(config-sticky-l4payloa) layer4-payload
To define the portion of the payload that you want the ACE to match, use the layer4-payload command.
Using this command, you can specify payload offset and length values and a beginning and ending
pattern based on a regular expression. The ACE stores these values in the sticky table and uses them to
stick a client to a particular server. Use the no form of this command to remove the Layer 4 payload
specification from the sticky table.
layer4-payload [offset number1] [length number2] [begin-pattern expression1]
[end-pattern expression2]
no layer4-payload [offset number1] [length number2] [begin-pattern expression1]
[end-pattern expression2]
Syntax Description
offset number1 (Optional) Specifies the portion of the payload that the ACE uses to stick the client on a
particular server by indicating the bytes to ignore starting with the first byte of the payload. Enter an
integer from 0 to 999. The default is 0, which indicates that the ACE does not exclude any portion of the
payload.
length number2 (Optional) Specifies the length of the portion of the payload (starting with the byte after
the offset value) that the ACE uses for sticking the client to the server. Enter an integer from 1 to 1000.
The default is the entire payload.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but shorter
than the offset plus the length, the ACE sticks the connection based on the portion of the payload that
starts with the byte after the offset value and ends with the byte specified by the offset plus the length.
The total of the offset and the length cannot exceed 1000.
You cannot specify both the length and the end-pattern options in the same layer4-payload command.
begin-pattern expression1 (Optional) Specifies the beginning pattern of the Layer 4 payload and the
pattern string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing
immediately following the offset byte. You cannot configure different beginning and ending patterns for
different server farms that are part of the same traffic classification.
Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters for each
pattern that you configure. You can enter a text string with spaces if you enclose the entire string in
quotation marks (“). The ACE supports the use of regular expressions for matching string expressions.
When matching data strings, the period (.) and question mark (?) characters do not have a literal meaning
in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com
instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
end-pattern expression2 (Optional) Specifies the pattern that marks the end of hashing. If you do not
specify either a length or an ending pattern, the ACE continues to parse the data until it reaches the end
of the field or the end of the packet, or until it reaches the maximum body parse length. You cannot
configure different beginning and ending patterns for different server farms that are part of the same
traffic classification.
Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters for each
pattern that you configure. You can enter a text string with spaces if you enclose the entire string in
quotation marks (“). The ACE supports the use of regular expressions for matching string expressions.
You cannot specify both the length and the end-pattern options in the same layer4-payload command.
Command Modes Sticky Layer 4 payload configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines A Layer 4 payload may change over time with only a portion remaining constant throughout a
transaction between the client and a server. You configure the ACE to use either a specific portion or the
constant portion of a Layer 4 payload to make persistent connections to a specific server. To define the
portion of the payload that you want the ACE to use, you specify payload offset and length values and a
beginning and ending pattern. The ACE stores these values in the sticky table.
Examples To create a Layer 4 payload specification that the ACE will use to stick traffic to a server, enter:
host1/Admin(config-sticky-l4payloa)# layer4-payload offset 250 length 750 begin-pattern abc123.*
To remove the Layer 4 payload specification from the configuration, enter:
host1/Admin(config-sticky-l4payloa)# no layer4-payload
Related Commands (config) sticky layer4-payload
(config-sticky-l4payloa) replicate sticky
To instruct the ACE to replicate Layer 4 payload sticky table entries on the standby ACE, use the
replicate sticky command. Use the no form of this command to restore the ACE to its default of not
replicating Layer 4 payload sticky table entries.
replicate sticky
no replicate sticky
Syntax Description This command has no keywords or arguments.
Command Modes Sticky Layer 4 payload configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If you are using redundancy, you can configure the ACE to replicate Layer 4 payload sticky table entries
on the standby ACE so that, if a switchover occurs, the new active ACE can maintain existing sticky
connections.
The timer of a sticky table entry on the standby ACE is reset every time the entry is synchronized with
the active ACE entry. Thus, the standby sticky entry may have a lifetime up to twice as long as the active
entry. However, if the entry expires on the active ACE or a new real server is selected and a new entry is
created, the old entry on the standby ACE is replaced.
Examples To instruct the ACE to replicate Layer 4 payload sticky table entries on the standby ACE, enter:
host1/Admin(config-sticky-l4payloa)# replicate sticky
To restore the ACE default of not replicating Layer 4 payload sticky table entries, enter:
host1/Admin(config-sticky-l4payloa)# no replicate sticky
Related Commands (config) sticky layer4-payload
(config-sticky-l4payloa) response sticky
To instruct the ACE to parse the response bytes from a server and perform sticky learning, use the
response sticky command. Use the no form of this command to restore the ACE to its default of not
parsing the response from a server.
response sticky
no response sticky
Syntax Description This command has no keywords or arguments.
Command Modes Sticky Layer 4 payload configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines Use this command when you want the ACE to parse both the request from the client and the response
from the server. Sticky learning allows the ACE to populate the sticky database with a hash of the
response bytes from a server. The next time a client request arrives with those same bytes, the ACE
sticks the client to the same server.
Examples To instruct the ACE to perform sticky learning on responses from a server, enter:
host1/Admin(config-sticky-l4payloa)# response sticky
To restore the ACE default of not performing sticky learning on responses from a server, enter:
host1/Admin(config-sticky-l4payloa)# no response sticky
Related Commands (config) sticky layer4-payload
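The layer4-payload options described above (offset, length, begin-pattern, end-pattern and their constraints) and the sticky learning that response sticky adds are demonstrated together in the following added example, which is not ACE code. Two details the reference leaves open are filled in as labelled assumptions: hashing starts at the first byte of the begin-pattern match (the page's own example `abc123.*` would select nothing otherwise) and `length` counts from that point; SHA-256 stands in for the undocumented hash. The binary protocol, its 250-byte header and the session token are constructed for the example. Two practitioner points come out of it: the regex dot matches any byte unless bracketed or escaped, exactly as the table warns, and the sticky key is built from bytes the client sends, so the begin and end patterns should bracket only the field that is genuinely constant across the request and the response; the final assertion shows a length-bounded selection that fails to match because trailing bytes differ.

```python
# Added example (not ACE code): how the layer4-payload offset, length, begin-pattern
# and end-pattern options select the payload bytes that become a sticky key, plus
# the sticky learning that `response sticky` performs on server responses.
import hashlib
import re
from typing import Dict, Optional

MAX_PARSE = 1000   # offset + length cannot exceed 1000 bytes


def select_sticky_bytes(payload: bytes, offset: int = 0, length: Optional[int] = None,
                        begin_pattern: Optional[str] = None,
                        end_pattern: Optional[str] = None) -> Optional[bytes]:
    """Return the payload slice that would be hashed, or None when nothing matches.

    Assumptions not stated in the reference: hashing starts at the first byte of
    the begin-pattern match and `length` counts from that point; end-pattern is
    searched as a regular expression like begin-pattern.
    """
    if not 0 <= offset <= 999:
        raise ValueError("offset must be 0..999")
    if length is not None and end_pattern is not None:
        raise ValueError("length and end-pattern cannot be combined")
    if length is not None and not 1 <= length <= MAX_PARSE - offset:
        raise ValueError("length must be 1..1000 and offset + length <= 1000")

    window = payload[offset:offset + MAX_PARSE]   # skip `offset` bytes, parse at most 1000
    if not window:
        return None                                # payload shorter than the offset
    start = 0
    if begin_pattern is not None:
        m = re.search(begin_pattern.encode(), window)
        if m is None:
            return None                            # no beginning pattern: nothing to stick on
        start = m.start()
    if length is not None:
        return window[start:start + length]        # truncated when the payload is short
    if end_pattern is not None:
        m_end = re.search(end_pattern.encode(), window[start:])
        end = start + m_end.start() if m_end else len(window)
        return window[start:end]
    return window[start:]                          # to the end of the parsed data


def sticky_hash(selected: bytes) -> str:
    """Stand-in for the hash the ACE stores; SHA-256 here, the real digest is not documented."""
    return hashlib.sha256(selected).hexdigest()


def dot_is_wildcard(pattern: str, data: bytes) -> bool:
    """The caveat from the reference: an unescaped '.' in a pattern matches any byte."""
    return re.search(pattern.encode(), data) is not None


def learn_from_response(db: Dict[str, str], response: bytes, rserver: str, **spec) -> Optional[str]:
    """`response sticky`: hash the selected response bytes and remember which server sent them."""
    selected = select_sticky_bytes(response, **spec)
    if selected is None:
        return None
    key = sticky_hash(selected)
    db[key] = rserver
    return key


def lookup_request(db: Dict[str, str], request: bytes, **spec) -> Optional[str]:
    """The next client request carrying the same bytes is stuck to that server."""
    selected = select_sticky_bytes(request, **spec)
    return None if selected is None else db.get(sticky_hash(selected))


# Constructed sample traffic for a binary protocol with a 250-byte fixed header.
HEADER = b"\x00" * 250
SERVER_RESPONSE = HEADER + b"abc123SESSION-42;status=ok"
CLIENT_REQUEST = HEADER + b"abc123SESSION-42;cmd=read"

if __name__ == "__main__":
    spec = dict(offset=250, begin_pattern="abc123", end_pattern=";")
    db: Dict[str, str] = {}
    learn_from_response(db, SERVER_RESPONSE, "SERVER1", **spec)
    print(lookup_request(db, CLIENT_REQUEST, **spec))   # the client follows SERVER1
```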
(config-sticky-l4payloa) serverfarm
To complete a sticky group configuration, you must configure a server farm entry for the group. To
configure a server farm entry for a sticky group, use the serverfarm command. Use the no form of this
command to dissociate a server farm from a sticky group.
serverfarm name1 [backup name2 [sticky] [aggregate-state]]
no serverfarm
Syntax Description
name1 Identifier of an existing server farm that you want to associate with the sticky group. You can
associate one server farm with each sticky group. Enter a name as an unquoted text string with no spaces
and a maximum of 64 alphanumeric characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you want the ACE to use
as a backup server farm. If the primary server farm is unavailable, the ACE uses the configured backup
server farm. The backup server farm becomes sticky when you enter the sticky keyword. Enter a name as
an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
sticky (Optional) Specifies that the backup server farm is sticky.
aggregate-state (Optional) Specifies that the state of the primary server farm is tied to the state of all
the real servers in that server farm and in the backup server farm, if configured. The ACE declares the
primary server farm down if all real servers in the primary server farm and all real servers in the backup
server farm are down.
Command Modes Sticky Layer 4 payload configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If all the servers in the primary server farm fail, the ACE sends all connections to the backup server farm.
When the primary server farm comes back up (at least one server becomes active):
• If the sticky option is enabled, then:
– All new sticky connections that match existing sticky table entries for the real servers in the
backup server farm are stuck to the same real servers in the backup server farm.
– All new non-sticky connections and those sticky connections that do not have an entry in the
sticky table are load balanced to the real servers in the primary server farm.
• If the sticky option is not enabled, then the ACE load balances all new connections to the real servers
in the primary server farm.
• Existing non-sticky connections to the servers in the backup server farm are allowed to complete in
the backup server farm.
You can fine-tune the conditions under which the primary server farm fails over and returns to service
by configuring a partial server farm failover. For details about partial server farm failover, see the Server
Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To associate a server farm with a Layer 4 payload sticky group and specify a sticky backup server farm,
enter:
host1/Admin(config-sticky-l4payloa)# serverfarm SFARM1 backup BKUP_SFARM2 sticky aggregate-state
To dissociate a server farm from a Layer 4 payload sticky group, enter:
host1/Admin(config-sticky-l4payloa)# no serverfarm
Related Commands (config) sticky layer4-payload
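The backup, sticky and aggregate-state rules in the serverfarm usage guidelines above (stated identically for the IP and the Layer 4 payload sticky groups) decide where a connection lands during and after a primary-farm outage. The following added example, not ACE code, models them as a small routing procedure so the difference the sticky keyword makes on recovery can be checked directly. The farm and server names mirror the examples on this page; the predictor (first active server in configured order), the reselection of a stale entry whose server is down, and the outage scenario are assumptions constructed for the example.

```python
# Added example (not ACE code): the primary / backup server-farm rules from the
# serverfarm command's usage guidelines, shared by the IP and Layer 4 payload
# sticky groups, as a small routing model.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class ServerFarm:
    name: str
    rservers: Dict[str, bool]          # real server name -> currently up?

    def is_up(self) -> bool:
        return any(self.rservers.values())

    def pick(self) -> str:
        """Stand-in predictor (assumption): the first active real server in configured order."""
        return next(name for name, up in self.rservers.items() if up)


@dataclass
class StickyGroup:
    primary: ServerFarm
    backup: Optional[ServerFarm] = None
    backup_sticky: bool = False        # `sticky` keyword after `backup name2`
    aggregate_state: bool = False      # `aggregate-state` keyword
    table: Dict[str, str] = field(default_factory=dict)   # sticky key -> real server

    def primary_state(self) -> str:
        """State the ACE reports for the primary farm. With aggregate-state it is DOWN
        only when every real server in the primary AND in the backup farm is down."""
        if self.aggregate_state and self.backup is not None:
            return "UP" if self.primary.is_up() or self.backup.is_up() else "DOWN"
        return "UP" if self.primary.is_up() else "DOWN"

    def _farm_of(self, rserver: str) -> Optional[ServerFarm]:
        for farm in (self.primary, self.backup):
            if farm is not None and rserver in farm.rservers:
                return farm
        return None

    def route(self, key: Optional[str]) -> Optional[str]:
        """Pick the real server for a new connection; key is None for non-sticky traffic."""
        if key is not None and key in self.table:
            rserver = self.table[key]
            farm = self._farm_of(rserver)
            if farm is not None and farm.rservers.get(rserver) and (
                    farm is self.primary or self.backup_sticky):
                return rserver              # an existing entry wins, even one on the backup farm
            del self.table[key]             # assumption: a stale entry (server down) is reselected
        farm = self.primary if self.primary.is_up() else self.backup
        if farm is None or not farm.is_up():
            return None                     # nothing left to serve the connection
        rserver = farm.pick()
        if key is not None and (farm is self.primary or self.backup_sticky):
            self.table[key] = rserver       # a non-sticky backup farm learns no entries
        return rserver


def primary_outage(backup_sticky: bool, aggregate_state: bool) -> Tuple[Optional[str], ...]:
    """Constructed scenario: the primary farm loses both servers, then one comes back."""
    primary = ServerFarm("SFARM1", {"P1": True, "P2": True})
    backup = ServerFarm("BKUP_SFARM2", {"B1": True})
    group = StickyGroup(primary, backup, backup_sticky=backup_sticky,
                        aggregate_state=aggregate_state)
    before = group.route("client-A")                   # P1: primary healthy
    primary.rservers["P1"] = primary.rservers["P2"] = False
    during = group.route("client-B")                   # B1: all connections go to the backup
    state = group.primary_state()                      # UP only with aggregate-state
    primary.rservers["P1"] = True                      # primary comes back
    returning = group.route("client-B")                # B1 only if the backup farm is sticky
    fresh = group.route("client-C")                    # P1: no entry, primary is back
    non_sticky = group.route(None)                     # P1
    return before, during, state, returning, fresh, non_sticky
```

Without the sticky keyword, a client that was served by the backup farm during the outage is silently moved to the primary as soon as it recovers; with it, that client stays on the backup server until its sticky entry ages out, which is the behaviour to expect when reading `show sticky database` after an incident.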
(config-sticky-l4payloa) static layer4-payload
To configure static Layer 4 payload sticky table entries, use the static layer4-payload command. Use
the no form of this command to remove the static entry from the sticky table.
static layer4-payload value rserver name [number]
no static layer4-payload value rserver name [number]
Syntax Description
Command Modes Sticky Layer 4 payload configuration mode
Admin and user contexts
Command History
value Payload string value. Enter an unquoted text string with no spaces
and a maximum of 255 alphanumeric characters. You can enter a text
string with spaces if you enclose the entire string in quotation marks
(“).
rserver name Specifies that the static entry is based on the real server name. Enter
the name of an existing real server as an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
number (Optional) Port number of the real server. Enter an integer from 1 to
65535.
ACE Module Release Modification
A2(1.0) This command was introduced.2-1350
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Sticky Layer 4 Payload Configuration Mode Commands
Usage Guidelines You can configure static sticky table entries based on the Layer 4 payload and optionally, the real server
name and port. Static sticky Layer 4 payload values remain constant over time. You can configure
multiple static payload entries, but only one unique real-server name can exist for a given static payload
value. When you configure a static entry, the ACE enters it into the sticky table immediately. You can
configure a maximum of 4096 static sticky entries in the ACE.
Examples To configure a static sticky entry based on the Layer 4 payload and the server name and port number,
enter:
host1/Admin(config-sticky-l4payloa)# static layer4-payload STINGRAY rserver SERVER1 4000
To remove the static Layer 4 payload entry from the sticky table, enter:
host1/Admin(config-sticky-l4payloa)# no static layer4-payload STINGRAY rserver SERVER1
4000
Related Commands (config) sticky layer4-payload
(config-sticky-l4payloa) timeout
To configure a Layer 4 payload sticky timeout, use the timeout minutes command. Use the no form of
this command to reset the sticky timeout to the default of 1440 minutes (24 hours).
timeout {minutes | activeconns}
no timeout {minutes | activeconns}
Syntax Description
Command Modes Sticky Layer 4 payload configuration mode
Admin and user contexts
Command History
ACE Appliance Release Modification
A3(1.0) This command was introduced.
minutes Number of minutes that the ACE remembers the last real server to
which a client made a sticky connection. Enter an integer from 1 to
65535. The default timeout value is 1440 minutes (24 hours).
activeconns Specifies that sticky entries are timed out when the sticky timer
expires even if there are active connections.
ACE Module Release Modification
A2(1.0) This command was introduced.2-1351
Command Reference, Cisco ACE Application Control Engine
OL-25339-01
Chapter 2 CLI Commands
Sticky RADIUS Configuration Mode Commands
Usage Guidelines The sticky timeout specifies the period of time that the ACE keeps the Layer 4 payload sticky
information for a client connection in the sticky table after the latest client connection terminates. The
ACE resets the sticky timer for a specific sticky-table entry each time that the ACE opens a new
connection matching that entry.
By default, the ACE times out a sticky table entry when the timeout for that entry expires and no active
connections matching that entry exist. To specify that the ACE time out Layer 4 payload sticky table
entries even if active connections exist after the sticky timer expires, use the timeout activeconns
command.
Examples To specify a timeout value of 720 minutes, enter:
host1/Admin(config-sticky-l4payloa)# timeout 720
To specify that the ACE time out Layer 4 payload sticky table entries even if active connections exist
after the sticky timer expires, enter:
host1/Admin(config-sticky-l4payloa)# timeout activeconns
To restore the ACE to its default of not timing out Layer 4 payload sticky entries if active connections
exist, enter:
host1/Admin(config-sticky-l4payloa)# no timeout activeconns
Related Commands (config) sticky layer4-payload
Sticky RADIUS Configuration Mode Commands
Sticky RADIUS configuration mode commands allow you to configure the ACE to stick client
connections to the same real server based on a RADIUS attribute. To create a RADIUS attribute sticky
group and access sticky RADIUS configuration mode, use the sticky radius framed-ip command. The
prompt changes to (config-sticky-radius). Use the no form of this command to remove the sticky group
from the configuration.
sticky radius framed-ip [calling-station-id | username] name
no sticky radius framed-ip [calling-station-id | username] name
Syntax Description
calling-station-id (Optional) Specifies stickiness based on the RADIUS framed IP attribute and the calling station ID attribute.
username (Optional) Specifies stickiness based on the RADIUS framed IP attribute and the username attribute.
name Unique identifier of the RADIUS sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The commands in this mode require the sticky feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can create a maximum of 4096 sticky groups on the ACE.
Examples To create a sticky group that uses RADIUS attribute stickiness, enter:
host1/Admin(config)# sticky radius framed-ip calling-station-id RADIUS_GROUP
host1/Admin(config-sticky-radius)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky radius framed-ip calling-station-id RADIUS_GROUP
Related Commands show running-config
show sticky database
(config-sticky-radius) replicate sticky
To instruct the ACE to replicate RADIUS attribute sticky table entries on the standby ACE, use the
replicate sticky command. Use the no form of this command to restore the ACE to its default of not
replicating RADIUS sticky group table entries.
replicate sticky
no replicate sticky
Syntax Description This command has no keywords or arguments.
Command Modes Sticky RADIUS configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If you are using redundancy, you can configure the ACE to replicate RADIUS attribute sticky table entries on the standby ACE so if a switchover occurs, the new active ACE can maintain existing sticky connections.
The timer of a sticky table entry on the standby ACE is reset every time the entry is synchronized with the active ACE entry. Thus, the standby sticky entry may have a lifetime up to twice as long as the active entry. However, if the entry expires on the active ACE or a new real server is selected and a new entry is created, the old entry on the standby ACE is replaced.
Examples To instruct the ACE to replicate RADIUS attribute sticky table entries on the standby ACE, enter:
host1/Admin(config-sticky-radius)# replicate sticky
To restore the ACE default of not replicating RADIUS attribute sticky table entries, enter:
host1/Admin(config-sticky-radius)# no replicate sticky
Related Commands (config) sticky radius framed-ip
(config-sticky-radius) serverfarm
To complete a RADIUS attribute sticky group configuration, you must configure a server farm entry for
the group. To configure a server farm entry for a sticky group, use the serverfarm command. Use the no
form of this command to dissociate a server farm from a sticky group.
serverfarm name1 [backup name2 [sticky] [aggregate-state]]
no serverfarm
Syntax Description
name1 Identifier of an existing server farm that you want to associate with the sticky group. You can associate one server farm with each sticky group. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm is unavailable, the ACE uses the configured backup server farm. The backup server farm becomes sticky when you enter the sticky keyword. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
sticky (Optional) Specifies that the backup server farm is sticky.
aggregate-state (Optional) Specifies that the state of the primary server farm is tied to the state of all the real servers in that server farm and in the backup server farm, if configured. The ACE declares the primary server farm down if all real servers in the primary server farm and all real servers in the backup server farm are down.
Command Modes Sticky RADIUS configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If all the servers in the primary server farm fail, the ACE sends all connections to the backup server farm. When the primary server farm comes back up (at least one server becomes active):
• If the sticky option is enabled, then:
– All new sticky connections that match existing sticky table entries for the real servers in the backup server farm are stuck to the same real servers in the backup server farm.
– All new non-sticky connections and those sticky connections that do not have an entry in the sticky table are load balanced to the real servers in the primary server farm.
• If the sticky option is not enabled, then the ACE load balances all new connections to the real servers in the primary server farm.
• Existing non-sticky connections to the servers in the backup server farm are allowed to complete in the backup server farm.
You can fine-tune the conditions under which the primary server farm fails over and returns to service by configuring a partial server farm failover. For details about partial server farm failover, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To associate a server farm with a RADIUS attribute sticky group and specify a sticky backup server farm,
enter:
host1/Admin(config-sticky-radius)# serverfarm SFARM1 backup BKUP_SFARM2 sticky aggregate-state
To dissociate a server farm from a RADIUS attribute sticky group, enter:
host1/Admin(config-sticky-radius)# no serverfarm
Related Commands (config) sticky radius framed-ip
(config-sticky-radius) timeout
To configure a RADIUS sticky timeout, use the timeout minutes command. Use the no form of this
command to reset the sticky timeout to the default of 1440 minutes (24 hours).
timeout {minutes | activeconns}
no timeout {minutes | activeconns}
Syntax Description
minutes Number of minutes that the ACE remembers the last real server to which a client made a sticky connection. Enter an integer from 1 to 65535. The default timeout value is 1440 minutes (24 hours).
activeconns Specifies that sticky entries are timed out when the sticky timer expires even if there are active connections.
Command Modes Sticky RADIUS configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The sticky timeout specifies the period of time that the ACE keeps the RADIUS attribute sticky group
information for a client connection in the sticky table after the latest client connection terminates. The
ACE resets the sticky timer for a specific sticky-table entry each time that the ACE opens a new
connection matching that entry.
By default, the ACE times out a sticky table entry when the timeout for that entry expires and no active
connections matching that entry exist. To specify that the ACE time out RADIUS sticky group table
entries even if active connections exist after the sticky timer expires, use the timeout activeconns
command.
Examples To specify a timeout value of 720 minutes, enter:
host1/Admin(config-sticky-radius)# timeout 720
To specify that the ACE time out RADIUS sticky group table entries even if active connections exist after
the sticky timer expires, enter:
host1/Admin(config-sticky-radius)# timeout activeconns
To restore the ACE to its default of not timing out RADIUS sticky group entries if active connections
exist, enter:
host1/Admin(config-sticky-radius)# no timeout activeconns
Related Commands (config) sticky radius framed-ip
Sticky RTSP Header Configuration Mode Commands
Sticky RTSP header configuration mode commands allow you to create an RTSP header sticky group to
enable the ACE to stick client connections to the same real server based on the RTSP Session header
field. To access sticky RTSP header configuration mode, use the sticky rtsp-header command. The
prompt changes to (config-sticky-header). Use the no form of this command to remove the sticky group
from the configuration.
sticky rtsp-header Session name1
no sticky rtsp-header Session name1
Syntax Description
Session RTSP Session header field. The ACE supports only the RTSP Session header field for stickiness.
name1 Unique identifier of the RTSP sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The commands in this mode require the sticky feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can create a maximum of 4096 sticky groups in the ACE.
Examples To create a group for RTSP header stickiness, enter:
host1/Admin(config)# sticky rtsp-header Session RTSP_GROUP
host1/Admin(config-sticky-header)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky rtsp-header Session RTSP_GROUP
Related Commands show running-config
show sticky database
(config-sticky-header) header
To configure the RTSP Session header offset and length, use the header command. Use the no form of
this command to remove the RTSP Session header offset and length values from the configuration.
header offset number1 [length number2]
no header offset number1 [length number2]
Syntax Description
offset number1 Specifies the portion of the RTSP Session header that the ACE uses to stick the client on a particular server by indicating the bytes to ignore starting with the first byte of the RTSP header. Enter an integer from 0 to 999. The default is 0, which indicates that the ACE does not exclude any portion of the header.
length number2 (Optional) Specifies the length of the portion of the RTSP header (starting with the byte after the offset value) that the ACE uses for sticking the client to the server. Enter an integer from 1 to 1000. The default is 1000.
Command Modes Sticky RTSP header configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The ACE stores header offset and length values in the sticky table.
You can configure the ACE to use a portion of the RTSP header to make persistent connections to a specific server. To define the portion of the RTSP header that you want the ACE to use, you specify RTSP header offset and length values. The offset and length can vary from 0 to 1000 bytes. The ACE sticks the connection based on that portion of the RTSP header that starts with the byte after the offset value and ends with the byte specified by the offset plus the length. The total bytes represented by the header offset and length cannot exceed 1000.
Examples To configure the header offset and length, enter:
host1/Admin(config-sticky-header)# header offset 300 length 900
To remove the RTSP header offset and length values from the configuration, enter:
host1/Admin(config-sticky-header)# no header offset 300 length 900
Related Commands (config) sticky http-header
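The offset/length window described above, as an added example in Python that is not ACE code or part of the original reference: it pulls the Session header out of a constructed RTSP request and applies the same range checks the syntax description and usage guidelines state (offset 0 to 999, length 1 to 1000, offset plus length at most 1000). The message, session id and function names are invented for the illustration.

```python
"""Sticky key derivation for 'header offset number1 [length number2]'.
Constructed illustration, not ACE code: the RTSP request below is made up,
and the window rules are the ones stated on this page."""

from typing import Dict, Optional

MAX_WINDOW = 1000   # offset + length cannot exceed 1000 bytes


def parse_rtsp_headers(message: bytes) -> Dict[str, bytes]:
    """Return the header fields of an RTSP message, names lower-cased.
    The request/status line and any body are ignored."""
    head = message.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, bytes] = {}
    for line in head.split(b"\r\n")[1:]:        # skip the start line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("ascii")] = value.strip()
    return headers


def check_window(offset: int, length: int) -> None:
    """Reject offset/length pairs the command would not accept."""
    if not 0 <= offset <= 999:
        raise ValueError("offset must be an integer from 0 to 999")
    if not 1 <= length <= MAX_WINDOW:
        raise ValueError("length must be an integer from 1 to 1000")
    if offset + length > MAX_WINDOW:
        raise ValueError("offset plus length cannot exceed 1000 bytes")


def session_sticky_key(message: bytes, offset: int = 0,
                       length: int = MAX_WINDOW) -> Optional[bytes]:
    """Portion of the Session header value the sticky group would key on,
    or None when the request carries no Session header (the connection
    then has nothing to be sticky on)."""
    check_window(offset, length)
    session = parse_rtsp_headers(message).get("session")
    if session is None:
        return None
    # Skip `offset` bytes, then keep the next `length` bytes.
    return session[offset:offset + length]


# Constructed client PLAY request; the session id is invented.
SAMPLE_REQUEST = (
    b"PLAY rtsp://media.example.test/stream RTSP/1.0\r\n"
    b"CSeq: 4\r\n"
    b"Session: 12345678\r\n"
    b"Range: npt=0-\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(session_sticky_key(SAMPLE_REQUEST))          # whole value: b'12345678'
    print(session_sticky_key(SAMPLE_REQUEST, 4, 4))    # bytes 5..8: b'5678'
```

The page's own example, header offset 300 length 900, adds up to 1200 bytes and so fails the 1000-byte total that the usage guidelines impose; check_window rejects it for that reason.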
(config-sticky-header) replicate sticky
To instruct the ACE to replicate RTSP header sticky table entries on the standby ACE, use the replicate
sticky command. Use the no form of this command to restore the ACE to its default of not replicating
RTSP header sticky table entries.
replicate sticky
no replicate sticky
Syntax Description This command has no keywords or arguments.
Command Modes Sticky RTSP header configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If you are using redundancy, you can configure the ACE to replicate RTSP header sticky table entries on the standby ACE so if a switchover occurs, the new active ACE can maintain existing sticky connections.
The timer of a sticky table entry on the standby ACE is reset every time the entry is synchronized with the active ACE entry. Thus, the standby sticky entry may have a lifetime up to twice as long as the active entry. However, if the entry expires on the active ACE or a new real server is selected and a new entry is created, the old entry on the standby ACE is replaced.
Examples To instruct the ACE to replicate RTSP header sticky table entries on the standby ACE, enter:
host1/Admin(config-sticky-header)# replicate sticky
To restore the ACE to its default of not replicating RTSP header sticky table entries, enter:
host1/Admin(config-sticky-header)# no replicate sticky
Related Commands (config) sticky rtsp-header
(config-sticky-header) serverfarm
To complete an RTSP header sticky group configuration, you must configure a server farm entry for the
group. To configure a server farm entry for a sticky group, use the serverfarm command. Use the no
form of this command to dissociate a server farm from a sticky group.
serverfarm name1 [backup name2 [sticky] [aggregate-state]]
no serverfarm
Syntax Description
name1 Identifier of an existing server farm that you want to associate with the sticky group. You can associate one server farm with each sticky group. Enter a name as an unquoted text string with no spaces and a maximum of 64 characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm is unavailable, the ACE uses the configured backup server farm. The backup server farm becomes sticky when you enter the sticky keyword. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
sticky (Optional) Specifies that the backup server farm is sticky.
aggregate-state (Optional) Specifies that the state of the primary server farm is tied to the state of all the real servers in that server farm and in the backup server farm, if configured. The ACE declares the primary server farm down if all real servers in the primary server farm and all real servers in the backup server farm are down.
Command Modes Sticky RTSP header configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If all the servers in the primary server farm fail, the ACE sends all connections to the backup server farm. When the primary server farm comes back up (at least one server becomes active):
• If the sticky option is enabled, then:
– All new sticky connections that match existing sticky table entries for the real servers in the backup server farm are stuck to the same real servers in the backup server farm.
– All new non-sticky connections and those sticky connections that do not have an entry in the sticky table are load balanced to the real servers in the primary server farm.
• If the sticky option is not enabled, then the ACE load balances all new connections to the real servers in the primary server farm.
• Existing non-sticky connections to the servers in the backup server farm are allowed to complete in the backup server farm.
You can fine-tune the conditions under which the primary server farm fails over and returns to service by configuring a partial server farm failover. For details about partial server farm failover, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To associate a server farm with a sticky group and specify a sticky backup server farm, enter:
host1/Admin(config-sticky-header)# serverfarm SFARM1 backup BKUP_SFARM2 sticky aggregate-state
To dissociate a server farm from a sticky group, enter:
host1/Admin(config-sticky-header)# no serverfarm
Related Commands (config) serverfarm
(config) sticky rtsp-header
(config-sticky-header) static header-value
To configure a static header, use the static header-value command. Use the no form of this command
to remove a static header from the configuration.
static header-value value rserver name [number]
no static header-value value rserver name [number]
Syntax Description
value Header value. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. You can enter a text string with spaces provided that you enclose the entire string in quotation marks (").
rserver name Specifies the hostname of an existing real server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
number (Optional) Port number of the real server. Enter an integer from 1 to 65535.
Command Modes Sticky RTSP header configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
Usage Guidelines You can configure the ACE to use static header sticky entries based on the value of the RTSP Session
header field and optionally, real server names and ports. Static sticky header values remain constant over
time. You can configure multiple static header entries, but only one unique real-server name can exist
for a given static header sticky value.
When you configure a static entry, the ACE enters it into the sticky table immediately. You can create a
maximum of 4096 static sticky entries in the ACE.
Examples To configure a static RTSP header sticky entry, enter:
host1/Admin(config-sticky-header)# static header-value 12345678 rserver SERVER1 3000
To remove the static RTSP header entry from the sticky table, enter:
host1/Admin(config-sticky-header)# no static header-value 12345678 rserver SERVER1 3000
Related Commands (config) sticky rtsp-header
(config-sticky-header) timeout
To configure an RTSP header sticky timeout, use the timeout minutes command. Use the no form of this
command to reset the sticky timeout to the default of 1440 minutes.
timeout {minutes | activeconns}
no timeout {minutes | activeconns}
Syntax Description
minutes Number of minutes that the ACE remembers the last real server to which a client made a sticky connection. Enter an integer from 1 to 65535. The default timeout value is 1440 minutes (24 hours).
activeconns Specifies that sticky entries are timed out when the timer expires even if there are active connections.
Command Modes Sticky RTSP header configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The sticky timeout specifies the period of time that the ACE keeps the RTSP header sticky information
for a client connection in the sticky table after the latest client connection terminates. The ACE resets
the sticky timer for a specific sticky-table entry each time that the ACE opens a new connection matching
that entry.
By default, the ACE times out a sticky table entry when the timeout for that entry expires and no active
connections matching that entry exist. To specify that the ACE time out RTSP header sticky table entries
even if active connections exist after the sticky timer expires, use the timeout activeconns command.
Examples To specify a timeout value of 720 minutes, enter:
host1/Admin(config-sticky-header)# timeout 720
To reset the timeout to the default value of 1440 minutes (24 hours), enter:
host1/Admin(config-sticky-header)# no timeout 720
To specify that the ACE time out RTSP header sticky table entries even if active connections exist after
the sticky timer expires, enter:
host1/Admin(config-sticky-header)# timeout activeconns
To restore the ACE to its default of not timing out RTSP header sticky entries if active connections exist
for those entries, enter:
host1/Admin(config-sticky-header)# no timeout activeconns
Related Commands (config) sticky rtsp-header
Sticky SIP Header Configuration Mode Commands
Sticky SIP header configuration mode commands allow you to create a SIP header sticky group to enable
the ACE to stick client connections to the same real server based on the SIP Call-ID header field. To
access sticky SIP header configuration mode, use the sticky sip-header command. The prompt changes
to (config-sticky-header). Use the no form of this command to remove the sticky group from the
configuration.
sticky sip-header name1 name2
no sticky sip-header name1 name2
Syntax Description
name1 SIP header field. The ACE supports only the SIP Call-ID header field for stickiness. Enter Call-ID.
name2 Unique identifier of the SIP sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The commands in this mode require the sticky feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
You can create a maximum of 4096 sticky groups in the ACE.
Examples To create a group for SIP header stickiness, enter:
host1/Admin(config)# sticky sip-header Call-ID SIP_GROUP
host1/Admin(config-sticky-header)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky sip-header Call-ID SIP_GROUP
Related Commands show running-config
show sticky database
(config-sticky-header) replicate sticky
To instruct the ACE to replicate SIP header sticky table entries on the standby ACE, use the replicate
sticky command. Use the no form of this command to restore the ACE to its default of not replicating
SIP header sticky table entries.
replicate sticky
no replicate sticky
Syntax Description This command has no keywords or arguments.
Command Modes Sticky SIP header configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If you are using redundancy, you can configure the ACE to replicate SIP header sticky table entries on the standby ACE so if a switchover occurs, the new active ACE can maintain existing sticky connections.
The timer of a sticky table entry on the standby ACE is reset every time the entry is synchronized with the active ACE entry. Thus, the standby sticky entry may have a lifetime up to twice as long as the active entry. However, if the entry expires on the active ACE or a new real server is selected and a new entry is created, the old entry on the standby ACE is replaced.
Examples To instruct the ACE to replicate SIP header sticky table entries on the standby ACE, enter:
host1/Admin(config-sticky-header)# replicate sticky
To restore the ACE to its default of not replicating SIP header sticky table entries, enter:
host1/Admin(config-sticky-header)# no replicate sticky
Related Commands (config) sticky sip-header
(config-sticky-header) serverfarm
To complete a SIP header sticky group configuration, you must configure a server farm entry for the
group. To configure a server farm entry for a sticky group, use the serverfarm command. Use the no
form of this command to dissociate a server farm from a sticky group.
serverfarm name1 [backup name2 [sticky] [aggregate-state]]
no serverfarm
Syntax Description
name1 Identifier of an existing server farm that you want to associate with the sticky group. You can associate one server farm with each sticky group. Enter a name as an unquoted text string with no spaces and a maximum of 64 characters.
backup name2 (Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm is unavailable, the ACE uses the configured backup server farm. The backup server farm becomes sticky when you enter the sticky keyword. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
sticky (Optional) Specifies that the backup server farm is sticky.
aggregate-state (Optional) Specifies that the state of the primary server farm is tied to the state of all the real servers in that server farm and in the backup server farm, if configured. The ACE declares the primary server farm down if all real servers in the primary server farm and all real servers in the backup server farm are down.
Command Modes Sticky SIP header configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines If all the servers in the primary server farm fail, the ACE sends all connections to the backup server farm. When the primary server farm comes back up (at least one server becomes active):
• If the sticky option is enabled, then:
– All new sticky connections that match existing sticky table entries for the real servers in the backup server farm are stuck to the same real servers in the backup server farm.
– All new non-sticky connections and those sticky connections that do not have an entry in the sticky table are load balanced to the real servers in the primary server farm.
• If the sticky option is not enabled, then the ACE load balances all new connections to the real servers in the primary server farm.
• Existing non-sticky connections to the servers in the backup server farm are allowed to complete in the backup server farm.
You can fine-tune the conditions under which the primary server farm fails over and returns to service by configuring a partial server farm failover. For details about partial server farm failover, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Examples To associate a server farm with a sticky group and specify a sticky backup server farm, enter:
host1/Admin(config-sticky-header)# serverfarm SFARM1 backup BKUP_SFARM2 sticky aggregate-state
To dissociate a server farm from a sticky group, enter:
host1/Admin(config-sticky-header)# no serverfarm
Related Commands (config) serverfarm
(config) sticky sip-header
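The primary/backup selection rules in the serverfarm usage guidelines (stated identically under the RADIUS, RTSP header and SIP header sticky modes on this page), as an added Python model that is not ACE code or part of the original reference. Farm and server names are invented, load balancing is reduced to round robin, and the sticky table is a plain dictionary from sticky key to real server.

```python
"""Model of 'serverfarm name1 [backup name2 [sticky] [aggregate-state]]'.
Constructed illustration, not ACE code: health checks, partial failover
and the real load-balancing predictors are out of scope."""

from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, Iterator, Optional


@dataclass
class ServerFarm:
    name: str
    state: Dict[str, bool]                 # real server name -> operational?
    _rr: Iterator[str] = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self._rr = cycle(self.state)       # round-robin order over server names

    def has_active(self) -> bool:
        return any(self.state.values())

    def pick(self) -> str:
        """Round-robin choice among the servers that are up."""
        if not self.has_active():
            raise RuntimeError(f"server farm {self.name} has no active server")
        while True:
            name = next(self._rr)
            if self.state[name]:
                return name


@dataclass
class StickyServerFarm:
    primary: ServerFarm
    backup: Optional[ServerFarm] = None
    sticky_backup: bool = False            # the 'sticky' keyword
    aggregate_state: bool = False          # the 'aggregate-state' keyword
    table: Dict[str, str] = field(default_factory=dict)   # sticky key -> rserver

    def primary_declared_down(self) -> bool:
        """Farm state as the ACE would report it: with aggregate-state the
        primary is down only when every real server in both farms is down."""
        if self.aggregate_state and self.backup is not None:
            return not (self.primary.has_active() or self.backup.has_active())
        return not self.primary.has_active()

    def route(self, sticky_key: Optional[str]) -> Optional[str]:
        """Real server for a new connection (sticky_key None = non-sticky).
        Returns None when neither farm has an active server."""
        entry = self.table.get(sticky_key) if sticky_key else None
        if not self.primary.has_active():
            # All primary servers failed: everything goes to the backup farm,
            # which only records sticky entries if the 'sticky' keyword is set.
            farm = self.backup
            if farm is None or not farm.has_active():
                return None
            sticky_here = self.sticky_backup
        else:
            farm = self.primary
            sticky_here = True
            # Primary is (back) up: with 'sticky', a connection that matches an
            # existing entry for a backup server stays on that backup server.
            if (entry is not None and self.sticky_backup and self.backup
                    and self.backup.state.get(entry)):
                return entry
        if sticky_here and entry is not None and farm.state.get(entry):
            return entry                   # existing entry for a live server
        chosen = farm.pick()               # new or non-sticky: load balance
        if sticky_here and sticky_key:
            self.table[sticky_key] = chosen
        return chosen


if __name__ == "__main__":
    primary = ServerFarm("SFARM1", {"P1": True, "P2": True})
    backup = ServerFarm("BKUP_SFARM2", {"B1": True})
    sf = StickyServerFarm(primary, backup, sticky_backup=True, aggregate_state=True)
    print(sf.route("client-a"))            # P1, recorded in the sticky table
    primary.state.update(P1=False, P2=False)
    print(sf.primary_declared_down())      # False: aggregate-state, backup is up
    print(sf.route("client-b"))            # B1
    primary.state["P1"] = True
    print(sf.route("client-b"))            # B1: stays stuck to the backup server
```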
(config-sticky-header) static header-value
To configure a static header, use the static header-value command. Use the no form of this command
to remove a static header from the configuration.
static header-value value rserver name [number]
no static header-value value rserver name [number]
Syntax Description
value SIP header value. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. You can enter a text string with spaces provided that you enclose the entire string in quotation marks (").
rserver name Specifies the hostname of an existing real server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
number (Optional) Port number of the real server. Enter an integer from 1 to 65535.
Command Modes Sticky SIP header configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
Usage Guidelines You can configure the ACE to use static header sticky entries based on the value of the SIP Call-ID
header field and optionally, real server names and ports. Static sticky header values remain constant over
time. You can configure multiple static SIP header entries, but only one unique real-server name can
exist for a given static SIP header sticky value.
When you configure a static entry, the ACE enters it into the sticky table immediately. You can create a
maximum of 4096 static sticky entries in the ACE.
Examples To configure a static SIP header sticky entry, enter:
host1/Admin(config-sticky-header)# static header-value 12345678 rserver SERVER1 3000
To remove the static SIP header entry from the sticky table, enter:
host1/Admin(config-sticky-header)# no static header-value 12345678 rserver SERVER1 3000
Related Commands (config) sticky sip-header
(config-sticky-header) timeout
To configure a SIP header sticky timeout, use the timeout minutes command. Use the no form of this
command to reset the sticky timeout to the default of 1440 minutes.
timeout {minutes | activeconns}
no timeout {minutes | activeconns}
Syntax Description
minutes Number of minutes that the ACE remembers the last real server to which a client made a sticky connection. Enter an integer from 1 to 65535. The default timeout value is 1440 minutes (24 hours).
activeconns Specifies that sticky entries are timed out when the timer expires even if there are active connections.
Command Modes Sticky SIP header configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
A2(1.0) This command was introduced.
ACE Appliance Release Modification
A3(1.0) This command was introduced.
Usage Guidelines The sticky timeout specifies the period of time that the ACE keeps the SIP header sticky information for
a client connection in the sticky table after the latest client connection terminates. The ACE resets the
sticky timer for a specific sticky-table entry each time that the ACE opens a new connection matching
that entry.
By default, the ACE times out a sticky table entry when the timeout for that entry expires and no active
connections matching that entry exist. To specify that the ACE time out SIP header sticky table entries
even if active connections exist after the sticky timer expires, use the timeout activeconns command.
Examples To specify a timeout value of 720 minutes, enter:
host1/Admin(config-sticky-header)# timeout 720
To reset the timeout to the default value of 1440 minutes (24 hours), enter:
host1/Admin(config-sticky-header)# no timeout 720
To specify that the ACE time out SIP header sticky table entries even if active connections exist after the
sticky timer expires, enter:
host1/Admin(config-sticky-header)# timeout activeconns
To restore the ACE to its default of not timing out SIP header sticky entries if active connections exist
for those entries, enter:
host1/Admin(config-sticky-header)# no timeout activeconns
Related Commands (config) sticky sip-header
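The sticky-table rules described above for static header-value and timeout (a static entry is entered immediately and allows only one real server per value, the sticky timer restarts on every matching new connection, and a dynamic entry ages out only once the timer expires and no connections remain unless timeout activeconns is set), as an added Python model that is not Cisco code. It assumes a caller-supplied minute clock and that static entries are never aged out.

```python
"""Model of the ACE SIP header sticky table (static header-value, timeout,
timeout activeconns). Added example, not Cisco code; time is a minute
counter supplied by the caller."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DEFAULT_TIMEOUT_MIN = 1440      # ACE default: 24 hours
MAX_STATIC_ENTRIES = 4096       # documented maximum of static sticky entries


@dataclass
class StickyEntry:
    header_value: str           # SIP Call-ID value used as the sticky key
    rserver: str                # real server the client is stuck to
    port: Optional[int] = None
    static: bool = False        # created with static header-value
    active_conns: int = 0
    timer_start: float = 0.0    # minute at which the sticky timer last restarted


class SipHeaderStickyTable:
    """Sticky table for one 'sticky sip-header' group."""

    def __init__(self, timeout_min: int = DEFAULT_TIMEOUT_MIN,
                 activeconns: bool = False) -> None:
        if not 1 <= timeout_min <= 65535:
            raise ValueError("timeout must be 1..65535 minutes")
        self.timeout_min = timeout_min
        self.activeconns = activeconns      # 'timeout activeconns' configured
        self.entries: Dict[str, StickyEntry] = {}

    def add_static(self, header_value: str, rserver: str,
                   port: Optional[int] = None) -> StickyEntry:
        """static header-value <value> rserver <name> [port]: entered immediately."""
        if " " in header_value or len(header_value) > 255:
            raise ValueError("header value: no spaces, max 255 characters")
        if port is not None and not 1 <= port <= 65535:
            raise ValueError("port must be 1..65535")
        existing = self.entries.get(header_value)
        # Only one real server may exist for a given static sticky value.
        if existing is not None and existing.static and existing.rserver != rserver:
            raise ValueError(f"{header_value!r} already maps to {existing.rserver}")
        if sum(1 for e in self.entries.values() if e.static) >= MAX_STATIC_ENTRIES:
            raise ValueError("static sticky entry limit reached")
        entry = StickyEntry(header_value, rserver, port, static=True)
        self.entries[header_value] = entry
        return entry

    def open_connection(self, header_value: str, now: float,
                        pick_rserver: Callable[[], str]) -> str:
        """A new client connection carrying this Call-ID: return the rserver it
        is sent to, learning a dynamic entry the first time the value is seen."""
        entry = self.entries.get(header_value)
        if entry is None:
            entry = StickyEntry(header_value, pick_rserver())
            self.entries[header_value] = entry
        entry.active_conns += 1
        entry.timer_start = now         # timer resets on every matching new connection
        return entry.rserver

    def close_connection(self, header_value: str, now: float) -> None:
        entry = self.entries[header_value]
        entry.active_conns = max(0, entry.active_conns - 1)
        entry.timer_start = now         # timeout counts from the latest termination

    def expire(self, now: float) -> List[str]:
        """Age out dynamic entries; returns the header values removed."""
        removed = []
        for key, entry in list(self.entries.items()):
            if entry.static:
                continue                # static values remain constant over time
            timed_out = now - entry.timer_start >= self.timeout_min
            if timed_out and (self.activeconns or entry.active_conns == 0):
                removed.append(key)
                del self.entries[key]
        return removed
```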
TACACS+ Configuration Mode Commands
TACACS+ configuration mode commands allow you to configure multiple Terminal Access Controller
Access Control System Plus (TACACS+) servers as a named AAA server group. You can specify the IP
address of one or more previously configured TACACS+ servers that you want added to or removed from
a AAA server group, with a dead-time interval for the TACACS+ server group.
For details about creating a TACACS+ server group, see the Security Guide, Cisco ACE Application
Control Engine.
To create a TACACS+ server group and access TACACS+ server configuration mode, enter the aaa
group server tacacs+ command in configuration mode. The CLI prompt changes to (config-tacacs+).
Use the no form of this command to remove a TACACS+ server group.
aaa group server tacacs+ group_name
no aaa group server tacacs+ group_name
Syntax Description
group_name Name assigned to the group of TACACS+ servers. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines The commands in this mode require the AAA feature in your user role. For details about role-based
access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control
Engine.
A server group is a list of server hosts. The ACE allows you to configure multiple AAA servers as a
named server group. You group the different AAA server hosts into distinct lists. The ACE searches for
the server hosts in the order in which you specify them within a group. You can configure a maximum
of 10 server groups for each context in the ACE.
You can configure server groups at any time, but you must enter the aaa authentication login or the aaa
accounting default commands to apply the groups to the AAA service.
Examples To create a TACACS+ server group, enter:
host1/Admin(config)# aaa group server tacacs+ TACACS+_Server_Group1
host1/Admin(config-tacacs+)# server 172.16.56.76
host1/Admin(config-tacacs+)# server 172.16.56.79
host1/Admin(config-tacacs+)# server 172.16.56.82
Related Commands (config) aaa accounting default
(config) aaa authentication login
(config-tacacs+) deadtime
To specify a dead-time interval for the TACACS+ server group, use the deadtime command. Use the no
form of this command to reset the TACACS+ server group dead-time request to the default of 0.
deadtime minutes
no deadtime minutes
Syntax Description
minutes Length of time that the ACE skips a nonresponsive TACACS+ server for transaction requests. Valid entries are from 0 to 1440 (24 hours). The default is 0.
Command Modes TACACS+ configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines During the dead-time interval, the ACE sends probe access-request packets to verify that the TACACS+
server is available and can receive authentication requests. The dead-time interval starts when the server
does not respond to an authentication request transmission. When the server responds to a probe
access-request packet, the ACE retransmits the authentication request to the server.
Use of the deadtime command causes the ACE to mark as dead any TACACS+ servers that fail to
respond to authentication requests. Using this command prevents the wait for the request to time out
before trying the next configured server. The ACE skips a TACACS+ server that is marked as dead for
additional requests for the duration of minutes.
Examples To globally configure a 15-minute dead-time for TACACS+ servers that fail to respond to authentication
requests, enter:
host1/Admin(config-tacacs+)# deadtime 15
To reset the TACACS+ server dead-time request to the default of 0, enter:
host1/Admin(config-tacacs+)# no deadtime 15
Related Commands (config) aaa group server
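The in-order server search of a TACACS+ server group (aaa group server tacacs+ / server) and the deadtime skipping rule described above, as an added Python simulation that is not Cisco code. It assumes a caller-supplied minute clock and a responds() callback standing in for the network, and does not model the probe access-request packets the ACE sends during the dead-time interval.

```python
"""Model of how the ACE walks a TACACS+ server group when a server stops
answering. Added example, not Cisco code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_GROUPS_PER_CONTEXT = 10     # documented limit on server groups per context
MAX_DEADTIME_MIN = 1440         # deadtime accepts 0..1440 minutes


@dataclass
class TacacsServerGroup:
    name: str
    servers: List[str] = field(default_factory=list)   # configured order = search order
    deadtime_min: int = 0                               # default 0: never mark dead
    dead_until: Dict[str, float] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if " " in self.name or len(self.name) > 64:
            raise ValueError("group name: no spaces, max 64 characters")

    def add_server(self, ip: str) -> None:
        """(config-tacacs+) server <ip>: dotted-decimal IPv4 only."""
        addr = str(ipaddress.IPv4Address(ip))   # raises ValueError on bad input
        if addr not in self.servers:
            self.servers.append(addr)

    def remove_server(self, ip: str) -> None:
        """(config-tacacs+) no server <ip>."""
        addr = str(ipaddress.IPv4Address(ip))
        self.servers.remove(addr)
        self.dead_until.pop(addr, None)

    def set_deadtime(self, minutes: int) -> None:
        """(config-tacacs+) deadtime <minutes>; 'no deadtime' resets to 0."""
        if not 0 <= minutes <= MAX_DEADTIME_MIN:
            raise ValueError("deadtime must be 0..1440 minutes")
        self.deadtime_min = minutes

    def is_dead(self, ip: str, now: float) -> bool:
        return now < self.dead_until.get(ip, float("-inf"))

    def authenticate(self, now: float,
                     responds: Callable[[str], bool]) -> Tuple[Optional[str], List[str]]:
        """Send one authentication request through the group.

        Returns (server that answered or None, servers actually contacted).
        'responds' stands in for the network: True if that server answers.
        """
        contacted: List[str] = []
        for ip in self.servers:
            if self.deadtime_min and self.is_dead(ip, now):
                continue        # skipped for the rest of its dead-time interval
            contacted.append(ip)
            if responds(ip):
                return ip, contacted
            if self.deadtime_min:
                # No response: mark dead so later requests do not wait on it.
                self.dead_until[ip] = now + self.deadtime_min
        return None, contacted
```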
(config-tacacs+) server
To specify the IP address of one or more previously configured TACACS+ servers that you want added
to or removed from a AAA server group, use the server command. Use the no form of this command to
remove the TACACS+ server from the AAA server group.
server ip_address
no server ip_address
Syntax Description
ip_address IP address of the TACACS+ server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
Command Modes TACACS+ configuration mode
Admin and user contexts
Command History
ACE Module Release Modification
3.0(0)A1(2) This command was introduced.
ACE Appliance Release Modification
A1(7) This command was introduced.
Usage Guidelines You can add multiple TACACS+ servers to the AAA server group by entering multiple server commands
in this mode. The same server can belong to multiple server groups.
Examples To add servers to a TACACS+ server group, enter:
host1/Admin(config-tacacs+)# server 172.16.56.76
host1/Admin(config-tacacs+)# server 172.16.56.79
host1/Admin(config-tacacs+)# server 172.16.56.82
To remove a server from a TACACS+ server group, enter:
host1/Admin(config-tacacs+)# no server 172.16.56.76
Related Commands (config) aaa group server
VM Configuration Mode Commands
The VM configuration commands allow you to create a VM controller (VMware vCenter Server) and
configure its attributes on the ACE for the dynamic workload scaling (DWS) feature. The ACE uses the
VM controller to obtain load information about the local virtual machines (VMs). To configure a VM
controller, use the vm-controller command. The CLI prompt changes to (config-vm). For information
about the commands in VM configuration mode, see the commands in this section.
Use the no form of this command to remove the VM controller from the configuration.
vm-controller name
no vm-controller name
Syntax Description
name Name of an existing VM controller (vCenter) that the ACE queries for VM load information. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes Configuration mode
Admin context only
Command History
ACE Module/Appliance Release Modification
A4(2.0) This command was introduced.
Usage Guidelines All commands in this mode require the Admin user role. For details about role-based access control
(RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To configure a VM controller, enter:
host1/Admin(config)# vm-controller VCENTER1
To remove a VM controller from the configuration, enter:
host1/Admin(config)# no vm-controller VCENTER1
Related Commands show vm-controller
(config-vm) credentials
(config-vm) url
(config-vm) credentials
To configure the credentials that the ACE uses to log in to the VM controller in a DWS configuration,
use the credentials command. Use the no form of this command to remove the VM controller credentials
from the ACE configuration.
credentials {username} {[encrypted] password}
no credentials {username} {[encrypted] password}
Syntax Description
username Username that the ACE uses to access the VM controller. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
encrypted (Optional) Specifies that the ACE encrypts the VM controller password.
password Password that the ACE uses to access the VM controller. The password does not appear in the output of the show running-config command whether the password is encrypted or not. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes VM configuration mode
Admin context only
Command History
ACE Module/Appliance Release Modification
A4(2.0) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To configure the credentials that the ACE uses to log in to the VM controller, enter:
host1/Admin(config-vm)# credentials admin encrypted myvmpassphrase
To remove the VM controller login credentials from the ACE configuration, enter:
host1/Admin(config-vm)# no credentials admin encrypted myvmpassphrase
Related Commands show vm-controller
(config-vm) url
(config-vm) url
To configure the URL of the VM controller (vCenter) in a DWS configuration, use the url command.
Use the no form of this command to remove the URL of the local VM controller from the ACE
configuration.
url string
no url string
Syntax Description
string Specifies the host name or IP address of the local VM controller. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. You must append "/sdk" at the end of the host name or IP address string.
Command Modes VM configuration mode
Admin context only
Command History
ACE Module/Appliance Release Modification
A4(2.0) This command was introduced.
Usage Guidelines This command requires the Admin user role. For details about role-based access control (RBAC) and
user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
Examples To configure the URL of the VM controller, enter:
host1/Admin(config-vm)# url https://192.168.12.15/sdk
To remove the URL of the VM controller from the ACE configuration, enter the following command:
host1/Admin(config-vm)# no url https://192.168.12.15/sdk
Related Commands show vm-controller
(config-vm) credentials
CLI Command Summary By Mode
Action List Modify Configuration Mode Commands 2-457
(config-actlist-modify) description 2-458
(config-actlist-modify) header delete 2-459
(config-actlist-modify) header insert 2-461
(config-actlist-modify) header rewrite 2-462
(config-actlist-modify) ssl header-insert 2-464
(config-actlist-modify) ssl url rewrite location 2-473
Action List Optimization Configuration Mode Commands
(config-actlist-optm) appscope 2-475
(config-actlist-optm) cache 2-476
(config-actlist-optm) delta 2-478
(config-actlist-optm) description 2-479
(config-actlist-optm) dynamic etag 2-480
(config-actlist-optm) flashforward 2-481
(config-actlist-optm) flashforward-object 2-481
Authentication Group Configuration Mode Commands 2-483
(config-authgroup) cert 2-484
Chaingroup Configuration Mode Commands 2-485
(config-chaingroup) cert 2-486
Class Map Configuration Mode Commands 2-488
(config-cmap) description 2-490
(config-cmap) match access-list 2-491
(config-cmap) match any 2-493
(config-cmap) match anyv6 2-494
(config-cmap) match destination-address 2-495
(config-cmap) match port 2-497, 2-500
(config-cmap) match source-address 2-502
(config-cmap) match virtual-address 2-504
Class Map FTP Inspection Configuration Mode Commands 2-507
(config-cmap-ftp-insp) description 2-508
(config-cmap-ftp-insp) match request-method 2-509
Class Map Generic Configuration Mode Commands 2-510
(config-cmap-generic) description 2-511
(config-cmap-generic) match class-map 2-513
(config-cmap-generic) match layer4-payload 2-514
(config-cmap-generic) match source-address 2-516
Class Map HTTP Inspection Configuration Mode Commands 2-517
(config-cmap-http-insp) description 2-519
(config-cmap-http-insp) match content 2-520
(config-cmap-http-insp) match content length 2-522
(config-cmap-http-insp) match cookie secondary 2-523, 2-936
(config-cmap-http-insp) match header 2-524
(config-cmap-http-insp) match header length 2-528
(config-cmap-http-insp) match header mime-type 2-530
(config-cmap-http-insp) match port-misuse 2-533
(config-cmap-http-insp) match request-method 2-534
(config-cmap-http-insp) match transfer-encoding 2-535
(config-cmap-http-insp) match url 2-537
(config-cmap-http-insp) match url length 2-538
Class Map HTTP Load Balancing Configuration Mode Commands 2-539
(config-cmap-http-lb) description 2-541
(config-cmap-http-lb) match cipher 2-544
(config-cmap-http-lb) match class-map 2-542
(config-cmap-http-lb) match http content 2-545
(config-cmap-http-lb) match http cookie 2-546
(config-cmap-http-lb) match http header 2-547
(config-cmap-http-lb) match http url 2-550
(config-cmap-http-lb) match source-address 2-552
Class Map Management Configuration Mode Commands 2-553
(config-cmap-mgmt) description 2-554
(config-cmap-mgmt) match protocol 2-556
Class Map RADIUS Load Balancing Configuration Mode Commands 2-558
(config-cmap-radius-lb) description 2-560
(config-cmap-radius-lb) match radius attribute 2-561
Class Map RTSP Load Balancing Configuration Mode Commands 2-562
(config-cmap-rtsp-lb) description 2-564
(config-cmap-rtsp-lb) match class-map 2-565
(config-cmap-rtsp-lb) match rtsp header 2-566
(config-cmap-rtsp-lb) match rtsp url 2-567
(config-cmap-rtsp-lb) match source-address 2-570
Class Map SIP Inspection Configuration Mode Commands 2-571
(config-cmap-sip-insp) description 2-572
(config-cmap-sip-insp) match called-party 2-573
(config-cmap-sip-insp) match calling-party 2-575
(config-cmap-sip-insp) match content 2-577
(config-cmap-sip-insp) match im-subscriber 2-578
(config-cmap-sip-insp) match message-path 2-579
(config-cmap-sip-insp) match request-method 2-582
(config-cmap-sip-insp) match third-party registration 2-583
(config-cmap-sip-insp) match uri 2-585
Class Map SIP Load Balancing Configuration Mode Commands 2-586
(config-cmap-sip-lb) description 2-588
(config-cmap-sip-lb) match class-map 2-589
(config-cmap-sip-lb) match sip header 2-590
(config-cmap-sip-lb) match source-address 2-593
Clear Exec Mode Commands
clear access-list 2-9
clear accounting log 2-10
clear acl-merge statistics 2-10
clear arp 2-11
clear buffer stats 2-12
clear capture 2-13
clear cde 2-14
clear cfgmgr internal history 2-14
clear conn 2-16
clear cores 2-17
clear crypto session-cache 2-19
clear dc 2-20
clear debug-logfile 2-20
clear fifo stats 2-21
clear ft 2-23
clear icmp statistics 2-24
clear interface 2-25
clear ip 2-26, 2-27
clear line 2-27
clear logging 2-29
clear netio stats 2-29
clear np 2-31
clear ntp 2-32
clear probe 2-32
clear processes log 2-34
clear rserver 2-34
clear rtcache 2-35
clear screen 2-37
clear serverfarm 2-37
clear service-policy 2-38
clear ssh 2-40
clear startup-config 2-41
clear stats 2-42
clear sticky database 2-44
clear syn-cookie 2-46
clear tcp statistics 2-46
clear telnet 2-47
clear udp statistics 2-48
clear user 2-48
clear vnet stats 2-49
clear xlate 2-51
clock set 2-53
Configuration Mode Commands 2-262
(config) aaa accounting default 2-263
(config) aaa authentication login 2-265
(config) aaa group server 2-266
(config) access-group 2-267
(config) access-list ethertype 2-270
(config) access-list extended 2-272
(config) access-list remark 2-281
(config) access-list resequence 2-282
(config) action-list type modify http 2-283
(config) arp 2-287
(config) banner 2-289
(config) boot system image 2-290
(config) buffer threshold 2-292
(config) class-map 2-294
(config) clock summer-time 2-300
(config) clock timezone 2-297
(config) config-register 2-301
(config) context 2-303
(config) crypto chaingroup 2-304, 2-305
(config) crypto csr-params 2-309
(config) crypto ocspserver 2-310
(config) crypto rehandshake enabled 2-312
(config) dci-device 2-377
(config) domain 2-313
(config) end 2-314
(config) exit 2-314
(config) ft auto-sync 2-315
(config) ft connection-sync disable 2-317
(config) ft group 2-318
(config) ft interface vlan 2-320
(config) ft peer 2-321
(config) ft track host 2-322
(config) ft track hsrp 2-323
(config) ft track interface 2-324
(config) hostname 2-314, 2-325, 2-326, 2-385
(config) hw-module 2-326
(config) interface 2-327
(config) ip dhcp relay 2-330
(config) ip domain-list 2-332
(config) ip domain-lookup 2-333
(config) ip domain-name 2-335
(config) ip name-server 2-337
(config) ip route 2-338
(config) ipv6 nd learned-interval 2-341
(config) ipv6 nd retries 2-342
(config) ipv6 nd sync disable 2-343
(config) ipv6 nd sync-interval 2-344
(config) kalap udp 2-345
(config) ldap-server host 2-346
(config) ldap-server port 2-347
(config) ldap-server timeout 2-348
(config) line console 2-349
(config) line vty 2-350
(config) logging buffered 2-353
(config) logging console 2-355
(config) logging device-id 2-357
(config) logging enable 2-359
(config) logging facility 2-360
(config) logging fastpath 2-361
(config) logging history 2-362
(config) logging host 2-364
(config) logging message 2-366
(config) logging monitor 2-368
(config) logging persistent 2-369
(config) logging queue 2-370
(config) logging standby 2-373
(config) logging supervisor 2-374
(config) logging timestamp 2-375
(config) logging trap 2-376
(config) login timeout 2-352
(config) ntp 2-379
(config) object-group 2-380
(config) optimize 2-382
(config) parameter-map type 2-285, 2-382
(config) peer hostname 2-385
(config) peer shared-vlan-hostid 2-386
(config) policy-map 2-388
(config) probe 2-392
(config) radius-server attribute nas-ipaddr 2-395
(config) radius-server deadtime 2-396
(config) radius-server host 2-397
(config) radius-server key 2-400
(config) radius-server retransmit 2-401
(config) radius-server timeout 2-402
(config) rate-limit 2-371
(config) regex compilation-timeout 2-403
(config) resource-class 2-404
(config) role 2-405
(config) rserver 2-406
(config) script file 2-407
(config) serverfarm 2-408
(config) service-policy 2-409
(config) shared-vlan-hostid 2-411
(config) snmp-server community 2-412
(config) snmp-server contact 2-414
(config) snmp-server enable traps 2-415
(config) snmp-server engineid 2-418
(config) snmp-server host 2-420
(config) snmp-server location 2-421
(config) snmp-server trap link ietf 2-422
(config) snmp-server trap-source vlan 2-423
(config) snmp-server unmask-community 2-424
(config) snmp-server user 2-425
(config) ssh key 2-428
(config) ssh maxsessions 2-429
(config) ssl-proxy service 2-430
(config) static 2-431
(config) sticky http-content 2-433
(config) sticky http-cookie 2-434
(config) sticky http-header 2-436
(config) sticky ip-netmask 2-438
(config) sticky layer4-payload 2-439
(config) sticky radius framed-ip 2-440
(config) sticky rtsp-header 2-441
(config) sticky sip-header 2-442
(config) switch-mode 2-443
(config) tacacs-server deadtime 2-445
(config) tacacs-server host 2-446
(config) tacacs-server key 2-448
(config) tacacs-server timeout 2-449
(config) telnet maxsessions 2-451
(config) timeout xlate 2-452, 2-453
(config) username 2-454
(config) vm-controller 2-456
Console Configuration Mode Commands 2-595
(config-console) databits 2-596
(config-console) parity 2-597
(config-console) speed 2-598
(config-console) stopbits 2-599
Context Configuration Mode Commands 2-600
(config-context) allocate-interface 2-601
(config-context) description 2-603
(config-context) member 2-604
CSR Parameters Configuration Mode Commands 2-605
(config-csr-params) common-name 2-606
(config-csr-params) country 2-607
(config-csr-params) email 2-608
(config-csr-params) locality 2-609
(config-csr-params) organization-name 2-611
(config-csr-params) organization-unit 2-612
(config-csr-params) serial-number 2-613
(config-csr-params) state 2-614
DCI Configuration Mode Commands 2-615
(config-dci) credentials 2-616
(config-dci) ip-address 2-617
Domain Configuration Mode Commands 2-618
(config-domain) add-object 2-620
Exec Mode Commands 2-2
backup 2-3
capture 2-5
changeto 2-6
checkpoint 2-8
clear (See Clear Exec Mode Commands)
compare 2-54
configure 2-55
copy capture 2-56
copy checkpoint 2-57
copy core 2-59
copy disk0 2-60
copy ftp 2-62
copy image 2-63
copy licenses 2-65
copy probe 2-66
copy running-config 2-68
copy sftp 2-70
copy startup-config 2-69
copy tftp 2-72
crypto crlparams 2-73
crypto delete 2-74
crypto export 2-75
crypto generate csr 2-76
crypto generate key 2-77
crypto import 2-78
crypto verify 2-82
debug 2-83
delete 2-86
dir 2-87
dm 2-89
exit 2-90
format flash 2-91
ft switchover 2-93
gunzip 2-94
invoke context 2-95
license 2-96
mkdir disk0 2-97
move disk0 2-98
np session 2-99
ping 2-101
reload 2-103
reprogram bootflash 2-104
restore 2-105
rmdir disk0 2-107
set dc 2-110
set sticky-ixp 2-111
setup 2-108
show (See Show Exec Mode Commands) 2-112
ssh 2-246
system internal 2-248
system watchdog 2-249
tac-pac 2-251
telnet 2-253
terminal 2-254
traceroute 2-255
undebug all 2-256
untar disk0 2-258
write 2-259
xml-show 2-260
FT Group Configuration Mode Commands 2-622
(config-ft-group) associate-context 2-623
(config-ft-group) inservice 2-624
(config-ft-group) peer 2-625
(config-ft-group) peer priority 2-626
(config-ft-group) preempt 2-627
(config-ft-group) priority 2-628
FT Interface Configuration Mode Commands 2-629
(config-ft-intf) ip 2-630
(config-ft-intf) peer ip 2-632
(config-ft-intf) shutdown 2-633
FT Peer Configuration Mode Commands 2-634
(config-ft-peer) ft-interface vlan 2-635
(config-ft-peer) heartbeat 2-636
(config-ft-peer) query-interface 2-637
FT Track Host Configuration Mode Commands 2-638
(config-ft-track-host) peer priority 2-640
(config-ft-track-host) peer probe 2-641
(config-ft-track-host) peer track-host 2-643
(config-ft-track-host) priority 2-645
(config-ft-track-host) probe 2-646
(config-ft-track-host) track-host 2-647
FT Track HSRP Configuration Mode Commands 2-648
(config-ft-track-hsrp) peer priority 2-649
(config-ft-track-hsrp) peer track-hsrp 2-650
(config-ft-track-hsrp) priority 2-651
(config-ft-track-hsrp) track-hsrp 2-652
FT Track Interface Configuration Mode Commands 2-653
(config-ft-track-interface) peer priority 2-654
(config-ft-track-interface) peer track-interface vlan 2-655
(config-ft-track-interface) priority 2-656
(config-ft-track-interface) track-interface vlan 2-657
ICMP types 2-277, 2-765
Interface Configuration Mode Commands 2-658
(config) ipv6 nd interval 2-340
(config-if) access-group 2-660
(config-if) alias 2-661
(config-if) arp 2-663, 2-664
(config-if) bridge-group 2-666
(config-if) carrier-delay 2-667
(config-if) channel-group 2-668
(config-if) description 2-669
(config-if) duplex 2-670, 2-732
(config-if) fragment chain 2-671
(config-if) fragment min-mtu 2-672
(config-if) fragment timeout 2-673
(config-if) ft-port 2-674
(config-if) icmp-guard 2-675
(config-if) ip address 2-677
(config-if) ip df 2-680
(config-if) ip dhcp relay enable 2-681
(config-if) ip dhcp relay server 2-682
(config-if) ip options 2-683
(config-if) ip route inject vlan 2-684
(config-if) ip ttl minimum 2-685
(config-if) ipv6 dhcp relay enable 2-687
(config-if) ipv6 dhcp relay fwd-interface 2-688
(config-if) ipv6 dhcp relay server 2-689
(config-if) ipv6 enable 2-691
(config-if) ipv6 extension-header 2-692
(config-if) ipv6 fragment chain 2-693
(config-if) ipv6 fragment min-mtu 2-694
(config-if) ipv6 fragment timeout 2-695
(config-if) ipv6 mtu 2-698
(config-if) ipv6 nd dad-attempts 2-699
(config-if) ipv6 nd icmp-guard 2-696
(config-if) ipv6 nd managed-config-flag 2-700
(config-if) ipv6 nd ns-interval 2-701
(config-if) ipv6 nd other config flag 2-702
(config-if) ipv6 nd prefix 2-703
(config-if) ipv6 nd ra hop-limit 2-705
(config-if) ipv6 nd ra interval 2-706
(config-if) ipv6 nd ra lifetime 2-707
(config-if) ipv6 nd ra suppress 2-708
(config-if) ipv6 nd reachable-time 2-709
(config-if) ipv6 nd retransmission-time 2-710
(config-if) ipv6 neighbor 2-711
(config-if) ipv6 normalization 2-712
(config-if) ipv6 route inject vlan 2-714
(config-if) ipv6 verify reverse-path 2-715
(config-if) ip verify reverse-path 2-686
(config-if) mac address autogenerate 2-716
(config-if) mac-sticky enable 2-717
(config-if) mtu 2-719
(config-if) nat-pool 2-720
(config-if) normalization 2-721
(config-if) normalization send-reset 2-723
(config-if) peer ip address 2-723
(config-if) port-channel load-balance 2-726
(config-if) qos trust cos 2-727
(config-if) remove-eth-pad 2-728
(config-if) service-policy input 2-729
(config-if) shutdown 2-730
(config-if) switchport access vlan 2-734
(config-if) switchport trunk allowed vlan 2-736
(config-if) switchport trunk native vlan 2-738
(config-if) syn-cookie 2-739
(config-if) udp 2-741
KAL-AP UDP Configuration Mode Commands 2-743
(config-kalap-upd) ip address 2-744
LDAP Configuration Mode Commands 2-745
(config-ldap) attribute user-profile 2-746
(config-ldap) baseDN 2-748
(config-ldap) filter search-user 2-749
(config-ldap) server 2-750
Line Configuration Mode Commands 2-751
(config-line) session-limit 2-752
Object Group Configuration Mode Commands 2-753
(config-objgrp-netw) description 2-754
(config-objgrp-netw) host 2-755
(config-objgrp-netw) ip_address 2-757
(config-objgrp-serv) description 2-759, 2-760
Optimize Configuration Mode Commands 2-474, 2-767
(config-optimize) appscope-log 2-768
(config-optimize) concurrent-connections 2-769
(config-optimize) debug-level 2-770
Parameter Map Connection Configuration Mode Commands 2-772
(config-parammap-conn) description 2-774
(config-parammap-conn) exceed-mss 2-775
(config-parammap-conn) nagle 2-776
(config-parammap-conn) random-sequence-number 2-777
(config-parammap-conn) rate-limit 2-778
(config-parammap-conn) reserved-bits 2-779
(config-parammap-conn) set ip tos 2-780
(config-parammap-conn) set tcp ack-delay 2-781
(config-parammap-conn) set tcp buffer-share 2-782
(config-parammap-conn) set tcp mss min 2-784
(config-parammap-conn) set tcp reassembly-timeout 2-786
(config-parammap-conn) set tcp syn-retry 2-786
(config-parammap-conn) set tcp timeout 2-787
(config-parammap-conn) set tcp wan-optimization 2-788
(config-parammap-conn) set tcp window-scale 2-790
(config-parammap-conn) set timeout inactivity 2-791
(config-parammap-conn) slowstart 2-792
(config-parammap-conn) syn-data 2-793
(config-parammap-conn) tcp-options 2-794
(config-parammap-conn) urgent-flag 2-798
(config-parammap-dns) description 2-800
(config-parammap-generi) description 2-804
(config-parammap-http) cookie-error-ignore 2-809
(config-parammap-http) description 2-810
(config-parammap-optmz) description 2-838
(config-parammap-rtsp) description 2-855
(config-parammap-sip) description 2-865
(config-parammap-skinny) description 2-859
(config-parammap-ssl) description 2-880
Parameter Map DNS Configuration Mode Commands 2-799
(config-parammap-dns) timeout query 2-801
Parameter Map Generic Configuration Mode Commands 2-801
(config-parammap-generi) case-insensitive 2-803
(config-parammap-generi) set max-parse-length 2-805
Parameter Map HTTP Configuration Mode Commands 2-806
(config-parammap-http) case-insensitive 2-808
(config-parammap-http) compress 2-811
(config-parammap-http) header modify per-request 2-813
(config-parammap-http) length 2-815
(config-parammap-http) parsing non-strict 2-816
(config-parammap-http) persistence-rebalance 2-817
(config-parammap-http) server-conn reuse 2-819
(config-parammap-http) set content-maxparse-length 2-820
(config-parammap-http) set header-maxparse-length 2-822
(config-parammap-http) set secondary-cookie-delimiters 2-823
(config-parammap-http) set secondary-cookie-start 2-824
Parameter Map Optimization HTTP Configuration Mode Commands 2-825
(config-parammap-optmz) appscope optimize-rate-percent 2-826
(config-parammap-optmz) basefile anonymous-level 2-827
(config-parammap-optmz) cache key-modifier 2-828
(config-parammap-optmz) cache parameter 2-831
(config-parammap-optmz) cache-policy request 2-834
(config-parammap-optmz) cache-policy response 2-835
(config-parammap-optmz) cache ttl 2-833
(config-parammap-optmz) canonical-url 2-836
(config-parammap-optmz) clientscript-default 2-837
(config-parammap-optmz) delta 2-839
(config-parammap-optmz) expires-setting 2-841
(config-parammap-optmz) extract meta 2-842
(config-parammap-optmz) flashforward refresh-policy 2-843
(config-parammap-optmz) ignore-server-content 2-844
(config-parammap-optmz) parameter-summary parameter-value-limit 2-845
(config-parammap-optmz) post-content-buffer-limit 2-846
(config-parammap-optmz) rebase 2-847
(config-parammap-optmz) request-grouping-string 2-848
(config-parammap-optmz) server-header 2-849
(config-parammap-optmz) server-load 2-850
(config-parammap-optmz) utf8 threshold 2-852
Parameter Map RTSP Configuration
Mode Commands 2-852
(config-parammap-rtsp) case-insensitive 2-854
(config-parammap-rtsp) set header-maxparse-length 2-856
Parameter Map SCCP Configuration
Mode Commands 2-857
(config-parammap-skinny) enforce-registration 2-860
(config-parammap-skinny) message-id max 2-861
(config-parammap-skinny) sccp-prefix-len 2-862
Parameter Map SIP Configuration
Mode Commands 2-863
(config-parammap-sip) im 2-865
(config-parammap-sip) max-forward-validation 2-866
(config-parammap-sip) software-version 2-867
(config-parammap-sip) strict-header-validation 2-868
(config-parammap-sip) timeout 2-870
(config-parammap-sip) uri-non-sip 2-871
Parameter Map SSL Configuration
Mode Commands 2-872
(config-parammap-ssl) authentication-failure 2-873
(config-parammap-ssl) cdp-errors ignore 2-876
(config-parammap-ssl) cipher 2-877
(config-parammap-ssl) close-protocol 2-879
(config-parammap-ssl) expired-crl reject 2-881
(config-parammap-ssl) purpose-check disabled 2-882
(config-parammap-ssl) queue-delay timeout 2-883
(config-parammap-ssl) session-cache timeout 2-885
(config-parammap-ssl) version 2-887
Policy Map Class Configuration Mode
Commands 2-892
(config-pmap-c) appl-parameter generic advanced-options 2-893, 2-894
(config-pmap-c) appl-parameter http advanced-options 2-895
(config-pmap-c) appl-parameter rtsp advanced-options 2-896
(config-pmap-c) appl-parameter sip advanced-options 2-897
(config-pmap-c) appl-parameter skinny advanced-options 2-898
(config-pmap-c) connection 2-899
(config-pmap-c) inspect 2-900
(config-pmap-c) kal-ap primary-oos 2-904
(config-pmap-c) kal-ap-tag 2-906
(config-pmap-c) loadbalance policy 2-907
(config-pmap-c) loadbalance vip advertise 2-908
(config-pmap-c) loadbalance vip icmp-reply 2-909
(config-pmap-c) loadbalance vip inservice 2-910
(config-pmap-c) loadbalance vip udp-fast-age 2-911
(config-pmap-c) nat dynamic 2-912
(config-pmap-c) nat static 2-913
(config-pmap-c) ssl-proxy 2-916
Policy Map Configuration Mode
Commands 2-888
(config-pmap) class 2-890
(config-pmap) description 2-891
Policy Map FTP Inspection Class
Configuration Mode Commands 2-922
(config-pmap-ftp-ins-c) deny 2-923
(config-pmap-ftp-ins-c) mask-reply 2-924
Policy Map FTP Inspection
Configuration Mode Commands 2-917
(config-pmap-ftp-ins) class 2-919
(config-pmap-ftp-ins) description 2-920
(config-pmap-ftp-ins) match request-method 2-921
Policy Map FTP Inspection Match
Configuration Mode Commands 2-924
(config-pmap-ftp-ins-m) deny 2-926
(config-pmap-ftp-ins-m) mask-reply 2-927
Policy Map Inspection HTTP Class
Configuration Mode Commands 2-956
(config-pmap-ins-http-c) passthrough log 2-957
(config-pmap-ins-http-c) permit 2-958
(config-pmap-ins-http-c) reset 2-959
(config-pmap-ins-http-m) passthrough log 2-961
Policy Map Inspection HTTP
Configuration Mode Commands 2-927
(config-pmap-ins-http) class 2-929
(config-pmap-ins-http) description 2-931
(config-pmap-ins-http) match content 2-932
(config-pmap-ins-http) match content length 2-934
(config-pmap-ins-http) match content-type-verification 2-935
(config-pmap-ins-http) match header 2-939
(config-pmap-ins-http) match header length 2-942
(config-pmap-ins-http) match header mime-type 2-944
(config-pmap-ins-http) match port-misuse 2-947
(config-pmap-ins-http) match request-method 2-948
(config-pmap-ins-http) match strict-http 2-950
(config-pmap-ins-http) match transfer-encoding 2-952
(config-pmap-ins-http) match url 2-953
(config-pmap-ins-http) match url length 2-955
Policy Map Inspection HTTP Match
Configuration Mode Commands 2-959
(config-pmap-ins-http-m) permit 2-962
(config-pmap-ins-http-m) reset 2-963
Policy Map Inspection SIP Class
Configuration Mode Commands 2-979
(config-pmap-ins-sip-c) log 2-980
(config-pmap-ins-sip-c) reset 2-982
(config-pmap-sip-ins-c) drop 2-980
(config-pmap-sip-ins-c) permit 2-981
Policy Map Inspection SIP
Configuration Mode Commands 2-964
(config-pmap-ins-sip) class 2-966
(config-pmap-ins-sip) description 2-967
(config-pmap-ins-sip) match called-party 2-968
(config-pmap-ins-sip) match calling-party 2-969
(config-pmap-ins-sip) match content length 2-970
(config-pmap-ins-sip) match im-subscriber 2-972
(config-pmap-ins-sip) match message-path 2-973
(config-pmap-ins-sip) match request-method 2-974
(config-pmap-ins-sip) match third-party registration 2-976
(config-pmap-ins-sip) match uri 2-978
Policy Map Inspection SIP Match
Configuration Mode Commands 2-983
(config-pmap-ins-sip-m) drop 2-984
(config-pmap-ins-sip-m) permit 2-985
(config-pmap-ins-sip-m) reset 2-986
Policy Map Inspection Skinny
Configuration Mode Commands 2-986
(config-pmap-ins-skinny) description 2-988
(config-pmap-ins-skinny) match message-id 2-989
Policy Map Inspection Skinny Match
Configuration Mode Commands 2-990
(config-pmap-ins-skinny-m) reset 2-991
Policy Map Load Balancing Class
Configuration Mode Commands
(config-pmap-lb-c) compress 2-1027
Policy Map Load Balancing Generic
Class Configuration Mode
Commands 2-999
(config-pmap-lb-generic-c) drop 2-1000
(config-pmap-lb-generic-c) forward 2-1001
(config-pmap-lb-generic-c) serverfarm 2-1002
(config-pmap-lb-generic-c) set ip tos 2-1003
(config-pmap-lb-generic-c) sticky-serverfarm 2-1004
Policy Map Load Balancing Generic
Configuration Mode Commands 2-992
(config-pmap-lb-generic) class 2-994
(config-pmap-lb-generic) description 2-996
(config-pmap-lb-generic) match layer4-payload 2-997
(config-pmap-lb-generic) match source-address 2-998
Policy Map Load Balancing Generic
Match Configuration Mode
Commands 2-1004
(config-pmap-lb-generic-m) drop 2-1006
(config-pmap-lb-generic-m) forward 2-1006
(config-pmap-lb-generic-m) serverfarm 2-1007
(config-pmap-lb-generic-m) set ip tos 2-1009
(config-pmap-lb-generic-m) sticky-serverfarm 2-1010
Policy Map Load Balancing HTTP Class
Configuration Mode Commands 2-1025
(config-pmap-lb-c) action 2-1026
(config-pmap-lb-c) drop 2-1029
(config-pmap-lb-c) forward 2-1030
(config-pmap-lb-c) insert-http 2-1031
(config-pmap-lb-c) nat dynamic 2-1032
(config-pmap-lb-c) serverfarm 2-1033
(config-pmap-lb-c) set ip tos 2-1035
(config-pmap-lb-c) ssl-proxy client 2-1036
(config-pmap-lb-c) sticky-serverfarm 2-1037
Policy Map Load Balancing HTTP
Configuration Mode Commands 2-1011
(config-pmap-lb) class 2-1012
(config-pmap-lb) description 2-1013
(config-pmap-lb) match cipher 2-1014
(config-pmap-lb) match http content 2-1016
(config-pmap-lb) match http cookie 2-1017
(config-pmap-lb) match http header 2-1019
(config-pmap-lb) match http url 2-1023
(config-pmap-lb) match source-address 2-1024
Policy Map Load Balancing HTTP
Match Configuration Mode
Commands 2-1038
(config-pmap-lb-m) action 2-1038, 2-1040
(config-pmap-lb-m) drop 2-1041
(config-pmap-lb-m) forward 2-1043
(config-pmap-lb-m) insert-http 2-1044
(config-pmap-lb-m) serverfarm 2-1045
(config-pmap-lb-m) set ip tos 2-1046
(config-pmap-lb-m) ssl-proxy client 2-1047
(config-pmap-lb-m) sticky-serverfarm 2-1048
Policy Map Load Balancing RADIUS
Class Configuration Mode
Commands 2-1055
(config-pmap-lb-radius-c) drop 2-1056
(config-pmap-lb-radius-c) forward 2-1057
(config-pmap-lb-radius-c) serverfarm 2-1058
(config-pmap-lb-radius-c) set ip tos 2-1059
(config-pmap-lb-radius-c) sticky-serverfarm 2-1060
Policy Map Load Balancing RADIUS
Configuration Mode Commands 2-1049
(config-pmap-lb-radius) class 2-1051
(config-pmap-lb-radius) description 2-1053
(config-pmap-lb-radius) match radius attribute 2-1054
Policy Map Load Balancing RADIUS
Match Configuration Mode
Commands 2-1060
(config-pmap-lb-radius-m) drop 2-1062
(config-pmap-lb-radius-m) forward 2-1063
(config-pmap-lb-radius-m) serverfarm 2-1064
(config-pmap-lb-radius-m) set ip tos 2-1065
(config-pmap-lb-radius-m) sticky-serverfarm 2-1066
Policy Map Load Balancing RDP Class
Configuration Mode Commands 2-1069
(config-pmap-lb-rdp-c) drop 2-1071
(config-pmap-lb-rdp-c) forward 2-1072
(config-pmap-lb-rdp-c) serverfarm 2-1073
(config-pmap-lb-rdp-c) set ip tos 2-1074
(config-pmap-lb-rdp-c) sticky-serverfarm 2-1075
Policy Map Load Balancing RDP
Configuration Mode Commands 2-1066
(config-pmap-lb-rdp) class 2-1068
(config-pmap-lb-rdp) description 2-1069
Policy Map Load Balancing RTSP Class
Configuration Mode Commands 2-1084
(config-pmap-lb-rtsp-c) drop 2-1085
(config-pmap-lb-rtsp-c) forward 2-1086
(config-pmap-lb-rtsp-c) serverfarm 2-1087
(config-pmap-lb-rtsp-c) set ip tos 2-1088
(config-pmap-lb-rtsp-c) sticky-serverfarm 2-1089
Policy Map Load Balancing RTSP
Configuration Mode Commands 2-1076
(config-pmap-lb-rtsp) class 2-1078
(config-pmap-lb-rtsp) description 2-1079
(config-pmap-lb-rtsp) match rtsp header 2-1080
(config-pmap-lb-rtsp) match rtsp source-address 2-1082
(config-pmap-lb-rtsp) match rtsp url 2-1083
Policy Map Load Balancing RTSP
Match Configuration Mode
Commands 2-1090
(config-pmap-lb-rtsp-m) drop 2-1091
(config-pmap-lb-rtsp-m) forward 2-1092
(config-pmap-lb-rtsp-m) serverfarm 2-1093
(config-pmap-lb-rtsp-m) set ip tos 2-1094
(config-pmap-lb-rtsp-m) sticky-serverfarm 2-1095
Policy Map Load Balancing SIP Class
Configuration Mode Commands 2-1102
(config-pmap-lb-sip-c) drop 2-1103
(config-pmap-lb-sip-c) forward 2-1104
(config-pmap-lb-sip-c) serverfarm 2-1105
(config-pmap-lb-sip-c) set ip tos 2-1106
(config-pmap-lb-sip-c) sticky-serverfarm 2-1107
Policy Map Load Balancing SIP
Configuration Mode Commands 2-1095
(config-pmap-lb-sip) class 2-1097
(config-pmap-lb-sip) description 2-1099
(config-pmap-lb-sip) match sip header 2-1100
(config-pmap-lb-sip) match source-address 2-1101
Policy Map Load Balancing SIP Match
Configuration Mode Commands 2-1108
(config-pmap-lb-sip-m) drop 2-1109
(config-pmap-lb-sip-m) forward 2-1110
(config-pmap-lb-sip-m) serverfarm 2-1111
(config-pmap-lb-sip-m) set ip tos 2-1112
(config-pmap-lb-sip-m) sticky-serverfarm 2-1113
Policy Map Management Class
Configuration Mode Commands 2-1117
(config-pmap-mgmt-c) deny 2-1118
(config-pmap-mgmt-c) permit 2-1119
Policy Map Management
Configuration Mode Commands 2-1113
(config-pmap-mgmt) class 2-1115
(config-pmap-mgmt) description 2-1117
Policy Map Optimization Class
Configuration Mode Commands 2-1128
(config-pmap-optmz-c) action 2-1128
Policy Map Optimization
Configuration Mode Commands 2-1119
(config-pmap-optmz) class 2-1121
(config-pmap-optmz) description 2-1122
(config-pmap-optmz) match http cookie 2-1123
(config-pmap-optmz) match http header 2-1124
(config-pmap-optmz) match http url 2-1127
Policy Map Optimization Match
Configuration Mode Commands 2-1129
(config-pmap-optmz-m) action 2-1130
Probe Configuration Mode
Commands 2-1132
(config-probe-probe_type) append-port-hosttag 2-1135
(config-probe-probe_type) community 2-1137
(config-probe-probe_type) connection term 2-1138
(config-probe-probe_type) credentials 2-1139
(config-probe-probe_type) description 2-1140
(config-probe-probe_type) domain 2-1142
(config-probe-probe_type) expect address 2-1143
(config-probe-probe_type) expect regex 2-1145
(config-probe-probe_type) expect status 2-1147
(config-probe-probe_type) faildetect 2-1148
(config-probe-probe_type) hash 2-1149
(config-probe-probe_type) header 2-1150
(config-probe-probe_type) interval 2-1153
(config-probe-probe_type) ip address 2-1154
(config-probe-probe_type) nas ip address 2-1156
(config-probe-probe_type) oid 2-1157
(config-probe-probe_type) open 2-1159
(config-probe-probe_type) passdetect 2-1160
(config-probe-probe_type) port 2-1162
(config-probe-probe_type) receive 2-1164
(config-probe-probe_type) request command 2-1165
(config-probe-probe_type) request method 2-1166
(config-probe-probe_type) script 2-1167
(config-probe-probe_type) send-data 2-1168
(config-probe-probe_type) ssl cipher 2-1169
(config-probe-probe_type) ssl version 2-1171
(config-probe-probe_type) version 2-1171
(config-probe-sip-udp) rport enable 2-1173
Probe SNMP OID Configuration Mode
Commands 2-1174
(config-probe-snmp-oid) threshold 2-1176
(config-probe-snmp-oid) type absolute max 2-1178
(config-probe-snmp-oid) weight 2-1180
Probe VM Configuration Mode
Commands 2-1181
(config-probe-vm) interval 2-1182
(config-probe-vm) load 2-1183
(config-probe-vm) vm-controller 2-1185
Radius Configuration Mode
Commands 2-1186
(config-radius) deadtime 2-1188
(config-radius) server 2-1189
Real Server Host Configuration Mode
Commands 2-1190
(config-rserver-host) conn-limit 2-1191
(config-rserver-host) description 2-1193
(config-rserver-host) fail-on-all 2-1194
(config-rserver-host) inservice 2-1195
(config-rserver-host) ip address 2-1196
(config-rserver-host) probe 2-1198
(config-rserver-host) rate-limit 2-1199
(config-rserver-host) weight 2-1201
Real Server Redirect Configuration
Mode Commands 2-1202
(config-rserver-redir) conn-limit 2-1204
(config-rserver-redir) description 2-1206
(config-rserver-redir) inservice 2-1207
(config-rserver-redir) probe 2-1208
(config-rserver-redir) rate-limit 2-1209
(config-rserver-redir) webhost-redirection 2-1210
Resource Configuration Mode
Commands 2-1212
(config-resource) limit-resource 2-1213
Role Configuration Mode
Commands 2-1216
(config-role) description 2-1217
(config-role) rule 2-1218
Server Farm Host Configuration Mode
Commands 2-1221
(config-sfarm-host) description 2-1223, 2-1224, 2-1257
(config-sfarm-host) failaction 2-1225
(config-sfarm-host) fail-on-all 2-1228
(config-sfarm-host) inband-health check 2-1230
(config-sfarm-host) partial-threshold 2-1233
(config-sfarm-host) predictor 2-1234
(config-sfarm-host) probe 2-1240
(config-sfarm-host) retcode 2-1242
(config-sfarm-host) rserver 2-1244
(config-sfarm-host) transparent 2-1245
Server Farm Host Predictor
Configuration Mode Commands 2-1246
(config-sfarm-host-predictor) autoadjust 2-1248
(config-sfarm-host-predictor) weight connection 2-1250
Server Farm Host Real Server
Configuration Mode Commands 2-1251
(config-sfarm-host-rs) backup-rserver 2-1253
(config-sfarm-host-rs) conn-limit 2-1254
(config-sfarm-host-rs) cookie-string 2-1255
(config-sfarm-host-rs) fail-on-all 2-1258
(config-sfarm-host-rs) inservice 2-1260
(config-sfarm-host-rs) probe 2-1262
(config-sfarm-host-rs) rate-limit 2-1263
(config-sfarm-host-rs) weight 2-1264
Server Farm Redirect Configuration
Mode Commands 2-1265
(config-sfarm-redirect) description 2-1267
(config-sfarm-redirect) failaction 2-1268
(config-sfarm-redirect) predictor 2-1270
(config-sfarm-redirect) probe 2-1276
(config-sfarm-redirect) rserver 2-1277
Server Farm Redirect Predictor
Configuration Mode Commands 2-1279
(config-sfarm-redirect-predictor) autoadjust 2-1281
(config-sfarm-redirect-predictor) weight connection 2-1283
Server Farm Redirect Real Server
Configuration Mode Commands 2-1284
(config-sfarm-redirect-rs) backup-rserver 2-1286
(config-sfarm-redirect-rs) conn-limit 2-1287
(config-sfarm-redirect-rs) inservice 2-1288
(config-sfarm-redirect-rs) probe 2-1290
(config-sfarm-redirect-rs) rate-limit 2-1291
(config-sfarm-redirect-rs) weight 2-1292
Show Exec Mode Commands 2-112
show aaa 2-113
show access-list 2-114
show accounting log 2-115
show acl-merge 2-117
show action-list 2-118
show arp 2-119
show backup 2-121
show banner motd 2-122
show bootvar 2-123
show buffer 2-125
show capture 2-127
show cde 2-129
show cfgmgr 2-130
show checkpoint 2-132
show clock 2-134
show conn 2-135
show conn sticky 2-228
show context 2-136
show copyright 2-137
show crypto 2-138
show dc 2-141
show debug 2-145
show domain 2-148
show download information 2-149
show eobc 2-150
show fifo 2-152
show file 2-153
show fragment 2-155
show ft 2-156
show hardware 2-158
show hyp 2-159
show icmp statistics 2-159
show interface 2-161
show inventory 2-163
show ip 2-164
show ipcp 2-167
show ipv6 2-168
show kalap udp load 2-170
show lcp event-history 2-172
show ldap-server 2-173
show license 2-174
show line 2-176
show logging 2-177
show login timeout 2-179
show nat-fabric 2-180
show netio 2-181
show nexus-device 2-182
show np 2-184
show ntp 2-188
show optimization-global 2-189
show parameter-map 2-190
show probe 2-191
show processes 2-192
show pvlans 2-193
show radius-server 2-194
show resource allocation 2-195
show resource internal 2-196
show resource usage 2-198
show restore 2-201
show role 2-203
show rserver 2-204
show running-config 2-206
show scp 2-208
show script 2-209
show security internal event-history 2-211
show serverfarm 2-212
show service-policy 2-214
show snmp 2-216
show ssh 2-218
show startup-config 2-220
show stats 2-221
show sticky cookie-insert group 2-223
show sticky database 2-224
show sticky hash 2-227
show syn-cookie 2-229
show system 2-230
show tacacs-server 2-232
show tcp statistics 2-233
show tech-support 2-234
show telnet 2-235
show terminal 2-236
show udp statistics 2-237
show user-account 2-238
show users 2-239
show version 2-240
show vlans 2-242
show vm-controller 2-243
show vnet 2-244
show xlate 2-245
SSL Parameter-Map Configuration
Mode Commands
(config-parammap-ssl) rehandshake enable 2-884
SSL Proxy Configuration Mode
Commands 2-1294
(config-ssl-proxy) authgroup 2-1295
(config-ssl-proxy) cert 2-1297
(config-ssl-proxy) chaingroup 2-1299
(config-ssl-proxy) crl 2-1300
(config-ssl-proxy) key 2-1302
(config-ssl-proxy) ocspserver 2-1304
(config-ssl-proxy) revcheckprio 2-1306
(config-ssl-proxy) ssl advanced-options 2-1308
Sticky Cookie Configuration Mode
Commands 2-1309
(config-sticky-cookie) cookie insert 2-1310
(config-sticky-cookie) cookie offset 2-1311
(config-sticky-cookie) cookie secondary 2-1312
(config-sticky-cookie) replicate sticky 2-1313
(config-sticky-cookie) serverfarm 2-1314
(config-sticky-cookie) static cookie-value 2-1315
(config-sticky-cookie) timeout 2-1316
Sticky HTTP Content Configuration
Mode Commands 2-1317
(config-sticky-content) content 2-1318
(config-sticky-content) replicate sticky 2-1320
(config-sticky-content) serverfarm 2-1321
(config-sticky-content) static content 2-1323
(config-sticky-content) timeout 2-1324
Sticky HTTP Header Configuration
Mode Commands 2-1325
(config-sticky-header) header offset 2-1327
(config-sticky-header) replicate sticky 2-1329
(config-sticky-header) serverfarm 2-1330
(config-sticky-header) static header-value 2-1332
(config-sticky-header) timeout 2-1333
Sticky IP Configuration Mode
Commands 2-1334
(config-sticky-ip) replicate sticky 2-1336
(config-sticky-ip) serverfarm 2-1337
(config-sticky-ip) static client source 2-1338
(config-sticky-ip) timeout 2-1341
Sticky Layer 4 Payload Configuration
Mode Commands 2-1342
(config-sticky-l4payloa) layer4-payload 2-1344
(config-sticky-l4payloa) replicate sticky 2-1346, 2-1347
(config-sticky-l4payloa) serverfarm 2-1348
(config-sticky-l4payloa) static layer4-payload 2-1349
(config-sticky-l4payloa) timeout 2-1350
Sticky RADIUS Configuration Mode
Commands 2-1351
(config-sticky-radius) replicate sticky 2-1353
(config-sticky-radius) serverfarm 2-1354
(config-sticky-radius) timeout 2-1355
Sticky RTSP Header Configuration
Mode Commands 2-1356
(config-sticky-header) replicate sticky 2-1358, 2-1360
(config-sticky-header) serverfarm 2-1361
(config-sticky-header) static header-value 2-1362
(config-sticky-header) timeout 2-1363
Sticky SIP Header Configuration Mode
Commands 2-1364
(config-sticky-header) replicate sticky 2-1366
(config-sticky-header) serverfarm 2-1367
(config-sticky-header) static header-value 2-1368
(config-sticky-header) timeout 2-1369
TACACS+ Configuration Mode
Commands 2-1371
(config-tacacs+) deadtime 2-1372
(config-tacacs+) server 2-1374
VM Configuration Mode
Commands 2-1376
(config-vm) credentials 2-1377
(config-vm) url 2-1378
© 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 73
Reference Guide
Cisco Aironet Antennas and Accessories
Overview
Executive Overview
This antenna reference guide explains issues and concerns about antennas used with a Cisco® Aironet® wireless
LAN system or wireless bridge system. It details deployment and design, limitations and capabilities, and basic
theories of antennas. This document also contains information about the Cisco antennas and accessories, as well
as installation scenarios, regulatory information, and technical specifications and diagrams of the available
antennas.
Overview of Antennas
Each Cisco Aironet radio product is designed to perform in a variety of environments. Implementing the antenna
system can greatly improve coverage and performance.
To optimize the overall performance of a Cisco wireless LAN, it is important to understand how to maximize radio
coverage with the appropriate antenna selection and placement. An antenna system comprises numerous
components, including the antenna, mounting hardware, connectors, antenna cabling, and in some cases, a
lightning arrestor. For a consultation, please contact a Cisco Aironet partner at:
http://tools.cisco.com/WWChannels/LOCATR/jsp/partner_locator.jsp.
Cisco partners can provide onsite engineering assistance for complex requirements.
Radio Technologies
In the mid-1980s, the U.S. Federal Communications Commission (FCC) modified Part 15 of the radio spectrum
regulation, which governs unlicensed devices. The modification authorized wireless network products to operate in
the industrial, scientific, and medical (ISM) bands using spread spectrum modulation. This type of modulation had
formerly been classified and permitted only in military products. The ISM frequencies are in three different bands,
located at 900 MHz, 2.4 GHz, and 5 GHz. This document covers both the 2.4- and 5-GHz bands.
The ISM bands typically allow users to operate wireless products without requiring specific licenses, but this will
vary in some countries. In the United States, there is no requirement for FCC licenses. The products themselves
must meet certain requirements to be certified for sale, such as operation under 1-watt transmitter output power
(in the United States) and maximum antenna gain or effective isotropic radiated power (EIRP) ratings.
The Cisco Aironet product lines utilize both the 2.4- and 5-GHz bands. In the United States, three bands are
defined as unlicensed and known as the ISM bands. The ISM bands are as follows:
• 900 MHz (902-928 MHz)
• 2.4 GHz (2.4-2.4835 GHz) - IEEE 802.11b
• 5 GHz (5.15-5.35 and 5.725-5.825 GHz) - IEEE 802.11a, HIPERLAN/1 and HIPERLAN/2. This band is also
known as the UNII band, and has three subbands: UNII1 (5.150-5.250 GHz), UNII2 (5.250-5.350 GHz), and
UNII3 (5.725-5.825 GHz).
Each set of bands has different characteristics. The lower frequencies exhibit better range, but with limited
bandwidth and hence lower data rates. The higher frequencies have less range and are subject to greater
attenuation from solid objects.
802.11 Modulation Techniques
The IEEE 802.11 standard makes provisions for the use of several different modulation techniques to encode the
transmitted data onto the RF signal. These modulation techniques are used to enhance the probability of the
receiver correctly receiving the data and thus reducing the need for retransmissions. The techniques vary in their
complexities and robustness to RF signal propagation impairments.
Direct-Sequence Spread Spectrum
The direct-sequence spread spectrum (DSSS) approach involves encoding redundant information into the RF
signal. Every data bit is expanded to a string of chips called a chipping sequence or Barker sequence. The
chipping rate, as mandated by the U.S. FCC, is 10 chips at the 1- and 2-Mbps rates and 8 chips at the 11-Mbps
rate. So, at 11 Mbps, 8 bits are transmitted for every one bit of data. The chipping sequence is transmitted in
parallel across the spread spectrum frequency channel.
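The spreading this paragraph describes, worked as an added Python example that is not code from the guide: each data bit is expanded into a chipping sequence, and the receiver correlates every chip group with the same sequence, so a few chips corrupted by interference do not change the decoded bit, while too many do. The chipping sequence used is the 11-chip Barker code, chosen here as an assumption for the example rather than taken from the chip counts the guide quotes; the data bits and the flipped chip positions are constructed.

```python
"""DSSS spreading and despreading over a constructed bit stream (added example)."""
from typing import Dict, List

# 11-chip Barker sequence written as +1/-1 chips.  Using this sequence is an
# assumption for the example, not a statement about any data rate in the guide.
BARKER_11: List[int] = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def spread(bits: List[int], code: List[int] = BARKER_11) -> List[int]:
    """Expand every data bit into a full chipping sequence.

    A 1 bit is sent as the code itself and a 0 bit as the inverted code, so each
    bit becomes len(code) chips: the redundancy the guide describes.
    """
    out: List[int] = []
    for b in bits:
        sign = 1 if b == 1 else -1
        out.extend(sign * c for c in code)
    return out


def despread(chips: List[int], code: List[int] = BARKER_11) -> List[int]:
    """Correlate each chip group with the code and decide the bit by its sign.

    An intact group correlates to +11 (bit 1) or -11 (bit 0).  Every flipped
    chip moves the sum by 2, so up to five flipped chips in a group still give
    the right bit; six or more flip the decision.
    """
    n = len(code)
    if len(chips) % n:
        raise ValueError("chip stream is not a whole number of symbols")
    bits: List[int] = []
    for i in range(0, len(chips), n):
        group = chips[i:i + n]
        corr = sum(g * c for g, c in zip(group, code))
        bits.append(1 if corr > 0 else 0)
    return bits


def flip_chips(chips: List[int], positions: List[int]) -> List[int]:
    """Return a copy with the chips at the given indexes inverted (constructed interference)."""
    damaged = list(chips)
    for p in positions:
        damaged[p] = -damaged[p]
    return damaged


def demo() -> Dict[str, object]:
    """Run spreading, damage and recovery on constructed data; returns the results."""
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    chips = spread(data)
    # Five flipped chips in the first symbol and two in the third: still recoverable.
    damaged = flip_chips(chips, [0, 1, 2, 3, 4, 23, 25])
    recovered = despread(damaged)
    # Six flipped chips in the first symbol: the majority is now wrong.
    too_damaged = flip_chips(chips, [0, 1, 2, 3, 4, 5])
    return {
        "chips_per_bit": len(chips) // len(data),
        "recovered": recovered,
        "recovered_ok": recovered == data,
        "six_flips_break_bit0": despread(too_damaged)[0] != data[0],
    }


if __name__ == "__main__":
    print(demo())
```

The correlation step is why the guide can say the receiver is more likely to decode correctly: interference has to corrupt more than half of a symbol's chips before the decision changes, and a narrow interferer rarely does that to a sequence spread across the whole channel.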
Frequency-Hopping Spread Spectrum
Frequency-hopping spread spectrum (FHSS) uses a radio that moves or hops from one frequency to another at
predetermined times and channels. The regulations require that the maximum time spent on any one channel is
400 milliseconds. For the 1- and 2-Mb FHSS systems, the hopping pattern must include 75 different channels, and
must use every channel before reusing any one. For wide-band frequency hopping (WBFH) systems, which permit
up to 10-Mb data rates, the rules require the use of at least 15 channels, and they cannot overlap. With only 83
MHz of spectrum, WBFH limits the systems to 15 channels, thus causing scalability issues.
In every case, for the same transmitter power and antennas, a DSSS system will have greater range, scalability,
and throughput than an FHSS system. For this reason, Cisco has chosen to support only direct-sequence systems
in the spread spectrum products.
Orthogonal Frequency Division Multiplexing
The orthogonal frequency division multiplexing (OFDM) used in 802.11a and 802.11g data transmissions offers
greater performance than the older direct-sequence systems. In the OFDM system, each tone is orthogonal to the
adjacent tones and therefore does not require the frequency guard band needed for direct sequence. This guard
band lowers the bandwidth efficiency and wastes up to 50 percent of the available bandwidth. Because OFDM is
composed of many narrow-band tones, narrow-band interference degrades only a small portion of the signal, with
little or no effect on the remainder of the frequency components.
Antenna Properties and Ratings
An antenna gives the wireless system three fundamental properties - gain, direction, and polarization. Gain is a
measure of increase in power. Direction is the shape of the transmission pattern. A good analogy for an antenna
is the reflector in a flashlight. The reflector concentrates and intensifies the light beam in a particular direction
similar to what a parabolic dish antenna would do to an RF source in a radio system.
Antenna gain is measured in decibels, which is a ratio between two values. The gain of a specific antenna is
compared to the gain of an isotropic antenna. An isotropic antenna is a theoretical antenna with a uniform three-dimensional radiation pattern (similar to a light bulb with no reflector). dBi is used to compare the power level of a
given antenna to the theoretical isotropic antenna. The U.S. FCC uses dBi in its calculations. An isotropic antenna
is said to have a power rating of 0 dB, meaning that it has zero gain/loss when compared to itself.
Unlike isotropic antennas, dipole antennas are real antennas. Dipole antennas have a different radiation pattern
compared to isotropic antennas. The dipole radiation pattern is 360 degrees in the horizontal plane and 75
degrees in the vertical plane (assuming the dipole antenna is standing vertically) and resembles a donut in shape.
Because the beam is “slightly” concentrated, dipole antennas have a gain over isotropic antennas of 2.14 dB in
the horizontal plane. Dipole antennas are said to have a gain of 2.14 dBi (in comparison to an isotropic antenna).
Some antennas are rated in comparison to dipole antennas. This is denoted by the suffix dBd. Hence, dipole
antennas have a gain of 0 dBd (= 2.14 dBi).
Note that the majority of documentation refers to dipole antennas as having a gain of 2.2 dBi. The actual figure is
2.14 dBi, but is often rounded up.
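The decibel relationships in this section, worked as an added Python example (not code from the guide): dB as a power ratio, the 2.14 dB offset between dBd and dBi, and an EIRP check of the kind the regulatory paragraph earlier alludes to when it mentions transmitter power and EIRP ratings. The EIRP formula used (transmitter power plus antenna gain minus loss in the cable and connectors) and the 36 dBm ceiling in the demo are assumptions for the example; the guide itself gives only the 1-watt transmitter limit and the dipole gain.

```python
"""Decibel, dBi/dBd and EIRP arithmetic for an antenna system (added example)."""
import math
from typing import Dict

# Gain of a dipole over an isotropic radiator, as the guide states (often rounded to 2.2).
DIPOLE_GAIN_DBI = 2.14


def db_to_ratio(db: float) -> float:
    """Power ratio expressed by a decibel figure: dB = 10 * log10(P1 / P2)."""
    return 10 ** (db / 10)


def ratio_to_db(ratio: float) -> float:
    """Inverse of db_to_ratio."""
    return 10 * math.log10(ratio)


def dbd_to_dbi(gain_dbd: float) -> float:
    """A gain quoted against a dipole is 2.14 dB higher when quoted against isotropic."""
    return gain_dbd + DIPOLE_GAIN_DBI


def dbi_to_dbd(gain_dbi: float) -> float:
    """Inverse of dbd_to_dbi."""
    return gain_dbi - DIPOLE_GAIN_DBI


def watts_to_dbm(watts: float) -> float:
    """Transmitter power in dBm (decibels relative to one milliwatt)."""
    return 10 * math.log10(watts * 1000.0)


def dbm_to_watts(dbm: float) -> float:
    """Inverse of watts_to_dbm."""
    return 10 ** (dbm / 10) / 1000.0


def eirp_dbm(tx_power_dbm: float, antenna_gain_dbi: float, feed_loss_db: float = 0.0) -> float:
    """Effective isotropic radiated power.

    Assumed link-budget form: transmitter power plus antenna gain (in dBi, the
    unit the FCC uses) minus the loss in the cable and connectors between them.
    """
    return tx_power_dbm + antenna_gain_dbi - feed_loss_db


def check_antenna_system(tx_power_w: float, antenna_gain: float, gain_unit: str,
                         feed_loss_db: float, max_tx_w: float,
                         max_eirp_dbm: float) -> Dict[str, object]:
    """Compare a transmitter/antenna/cable combination against a power limit and an EIRP limit."""
    if gain_unit == "dBi":
        gain_dbi = antenna_gain
    elif gain_unit == "dBd":
        gain_dbi = dbd_to_dbi(antenna_gain)
    else:
        raise ValueError("gain_unit must be 'dBi' or 'dBd'")
    eirp = eirp_dbm(watts_to_dbm(tx_power_w), gain_dbi, feed_loss_db)
    return {
        "gain_dbi": round(gain_dbi, 2),
        "eirp_dbm": round(eirp, 2),
        "eirp_w": round(dbm_to_watts(eirp), 3),
        "tx_power_ok": tx_power_w <= max_tx_w,
        "eirp_ok": eirp <= max_eirp_dbm,
    }


if __name__ == "__main__":
    # Constructed scenario: the 1 W transmitter limit the guide quotes for the
    # United States and an EIRP ceiling of 36 dBm assumed for the example.
    print(check_antenna_system(1.0, 0.0, "dBd", 0.0, 1.0, 36.0))   # a plain dipole
    print(check_antenna_system(1.0, 13.5, "dBi", 1.5, 1.0, 36.0))  # a high-gain directional antenna
```

Two points the arithmetic makes visible: a dipole's 2.14 dBi is a factor of about 1.64 in power, so the "slightly" concentrated beam is a real but modest gain, and a transmitter that is within its own power limit can still exceed an EIRP limit once a high-gain antenna is attached, which is why a datasheet gain in dBd must be converted to dBi before the comparison.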
Types of Antennas
Cisco offers several different styles of antennas for use with access points and bridges in both 2.4-GHz and 5-GHz
products. Every antenna offered for sale has been FCC-approved. Each type of antenna will offer different
coverage capabilities. As the gain of an antenna increases, there is some tradeoff to its coverage area. Usually
high-gain antennas offer longer coverage distances, but only in a certain direction. The radiation patterns below
will help to show the coverage areas of the styles of antennas that Cisco offers: omnidirectional, Yagi, and patch
antennas.
Omnidirectional Antennas
An omnidirectional antenna (Figure 1) is designed to provide a 360-degree radiation pattern. This type of antenna
is used when coverage in all directions from the antenna is required. The standard 2.14-dBi “Rubber Duck” is one
style of omnidirectional antenna.
Figure 1. Omnidirectional Antenna
Directional Antennas
Directional antennas come in many different styles and shapes. An antenna does not offer any added power to the
signal; it simply redirects the energy it receives from the transmitter. By redirecting this energy, it has the effect of
providing more energy in one direction, and less energy in all other directions. As the gain of a directional antenna
increases, the angle of radiation usually decreases, providing a greater coverage distance, but with a reduced
coverage angle. Directional antennas include patch antennas (Figure 2), Yagi antennas (Figure 3), and parabolic
dishes. Parabolic dishes have a very narrow RF energy path, and the installer must be accurate in aiming these
types of antennas at each other.
Figure 2. Directional Patch Antenna
Figure 3. Yagi Antenna
Diversity Antenna Systems
Diversity antenna systems are used to overcome a phenomenon known as multipath distortion or multipath
interference. A diversity antenna system uses two identical antennas, located a small distance apart, to provide
coverage to the same physical area.
Multipath Distortion
Multipath interference occurs when an RF signal has more than one path between a receiver and a transmitter.
This occurs in sites that have a large amount of metallic or other RF reflective surfaces.
Just as light and sound bounce off of objects, so does RF. This means there can be more than one path that RF
takes when going between a transmit (TX) and a receive (RX) antenna. These multiple signals combine in the RX
antenna and receiver to cause distortion of the signal.
Multipath interference can cause the RF energy of an antenna to be very high, but the data would be
unrecoverable. Changing the type of antenna and location of the antenna can eliminate multipath distortion
(Figure 4).
Figure 4. Multipath Distortion
You can relate multipath distortion to a common occurrence in your car. As you pull up to a stop, you may notice
static on the radio. But as you move forward a few inches or feet, the station starts to come in more clearly. By
rolling forward, you move the antenna slightly, out of the point where the multiple signals converge.
How Diversity Antenna Systems Reduce Multipath Distortion
A diversity antenna system can be compared to a switch that selects one antenna or another, never both at the
same time. The radio in receive mode will continually switch between antennas listening for a valid radio packet.
After the beginning sync of a valid packet is heard, the radio will evaluate the sync signal of the packet on one
antenna, and then switch to the other antenna and evaluate. Then the radio will select the best antenna and use
only that antenna for the remaining portion of that packet.
On transmit, the radio will select the same antenna it used the last time it communicated to that given radio. If a
packet fails, it will switch to the other antenna and retry the packet.
One caution with diversity antenna systems is that they are not designed for using two antennas covering two
different coverage cells. The problem in using it this way is that if antenna number 1 is communicating to device
number 1 while device number 2 (which is in the antenna number 2 cell) tries to communicate, antenna number 2
is not connected (due to the position of the switch), and the communication fails. Diversity antennas should cover
the same area from only a slightly different location.
With the introduction of the latest direct-spread physical layer chips, and the use of diversity antenna systems,
direct-spread systems have equaled or surpassed frequency-hopping systems in handling multipath interference.
While the introduction of WBFH does increase the bandwidth of frequency-hopping systems, it drastically affects
the ability to handle multipath issues, further reducing its range compared to present direct-spread systems in
sites that are highly RF reflective.
Wireless LAN Design
Before the physical environment is examined, it is critical to identify the mobility of the application, the means for
coverage, and system redundancy. An application such as point-to-point, which connects two or more stationary
users, may be best served by a directional antenna, while mobile users will generally require a number of
omnidirectional micro cells. These individual micro cells can be linked together through the wired LAN
infrastructure or by using the wireless repeater functionality built into every Cisco Aironet access point.
The Physical Environment
After mobility issues are resolved, the physical environment must be examined. While the area of coverage is the
most important factor for antenna selection, it is not the sole decision criterion. Building construction, ceiling
height, internal obstructions, available mounting locations, and the customer’s aesthetic desires also must be
considered.
Cement and steel construction have different radio propagation characteristics. Internal obstructions such as
product inventory and racking in warehousing environments are factors. In outdoor environments, many objects
can affect antenna patterns, including trees, vehicles, and buildings, to name a few.
The Network Connections
Cisco Aironet access points use a 10/100/1000-Mb Ethernet connection. Typically the access point is in the same
location as the antenna. While it may seem that the best place to put the access point is in a wiring closet with the
other network components, such as switches, hubs, and routers, this is not the case. The antenna must be placed
in an area that provides the best coverage (determined by a site survey).
Many people new to wireless LANs want to locate the access points in the wiring closet and connect the antenna
using RF coax. Antenna cable introduces losses in the antenna system on both the transmitter and the receiver.
As the length of cable increases, so does the amount of loss introduced. To operate at optimum efficiency, cable
runs should be kept as short as possible. (See the Cabling section in this document for more information.)
Building Construction
The density of the materials used in a building's construction determines the number of walls the RF signal can
pass through and still maintain adequate coverage. Following are a few examples. The actual effect on the RF
must be tested at the site, and therefore a site survey is recommended.
Paper and vinyl walls have very little effect on signal penetration. Solid walls and floors and precast concrete walls
can limit signal penetration to one or two walls without degrading coverage. This may vary widely based on any
steel reinforcing within the concrete. Concrete and concrete block walls may limit signal penetration to three or
four walls. Wood or drywall typically allow for adequate penetration through five or six walls. A thick metal wall
reflects signals, resulting in poor penetration. Steel-reinforced concrete flooring will restrict coverage between
floors to perhaps one or two floors.
Recommendations for some common installation environments are outlined below:
• Warehousing/manufacturing: In most cases, these installations require a large coverage area.
Experience has shown that an omnidirectional antenna mounted at 20 to 25 feet typically provides the best
overall coverage. Of course, this also depends upon the height of the racking, material on the rack, and
ability to locate the antenna at this height. Mounting the antenna higher will sometimes actually reduce
coverage, as the angle of radiation from the antenna is more outward than down. The antenna should
be placed in the center of the desired coverage cell and in an open area for best performance. In cases
where the radio unit will be located against a wall, a directional antenna such as a patch or Yagi can be
used for better penetration of the area. The coverage angle of the antenna will affect the coverage area.
• Small office/small retail store: The standard dipole may provide adequate coverage in these areas
depending on the location of the radio device. However, in a back corner office a patch antenna may
provide better coverage. It can be mounted to the wall above most obstructions for best performance.
Coverage of this type antenna depends on the surrounding environment.
• Enterprise/large retail store: In most cases, these installations require a large coverage area. Experience
has shown that omnidirectional antennas mounted just below the ceiling girders or just below the drop
ceiling typically provide the best coverage (this will vary with stocking, type of material, and building
construction). The antenna should be placed in the center of the desired coverage cell and in an open area
for best performance. In cases where the radio unit will be located in a corner, or at one end of the building,
a directional antenna such as a patch or Yagi can be used for better penetration of the area.
Also, for areas that are long and narrow - such as long rows of racking - a directional antenna at one end
may provide better coverage. The radiation angle of the antennas will also affect the coverage area.
• Point-to-point: When connecting two points together (such as a wireless bridge), the distance,
obstructions, and antenna location must be considered. If the antennas can be mounted indoors and the
distance is very short (several hundred feet), the standard dipole or mast mount 5.2 dBi omnidirectional
may be used. An alternative is to use two patch antennas. For very long distances (1/2 mi. or more),
directional high-gain antennas must be used. These antennas should be installed as high as possible, and
above obstructions such as trees, buildings, and so on; and if directional antennas are used, they must be
aligned so that their main radiated power lobes are directed at each other. With a line-of-sight configuration,
distances of up to 25 miles at 2.4 GHz and 12 miles at 5 GHz can be reached using parabolic dish
antennas, if a clear line of sight is maintained. With the use of directional antennas, fewer interference
possibilities exist and there is less possibility of causing interference to anyone else.
• Point-to-multipoint bridge: In this case (in which a single point is communicating to several remote
points), the use of an omnidirectional antenna at the main communication point must be considered. The
remote sites can use a directional antenna that is directed at the main point antenna.
Cabling
As stated above, cabling introduces losses into the system, negating some of the gain an antenna introduces and
reducing range of the RF coverage.
Interconnect Cable
Attached to all antennas (except the standard dipoles), this cable provides a 50 ohm impedance to the radio and
antenna, with a flexible connection between the two items. It has a high loss factor and should not be used except
for very short connections (usually less than 10 feet). Typical length on all antennas is 36 in. (or 12 in. on some
outdoor antennas).
Low-Loss/Ultra-Low-Loss Cable
Cisco offers two styles of cables for use with the 2.4-GHz and 5-GHz product lines. These cables provide a much
lower loss factor than standard interconnect cable, and they can be used when the antenna must be placed at any
distance from the radio device. While these are low-loss cables, they should still be kept to a minimum length.
There are two types of cable supplied by Cisco for mounting the antenna away from the radio unit. The 100- and
150-foot cables are LMR600 type cable, while the 20- and 50-foot cables are LMR400 type cables. All four lengths
are supplied with one RP-TNC plug and one RP-TNC jack connector attached. This allows for connection to the
radio unit and to the interconnect cable supplied on the antennas.
Connectors
According to the U.S. Federal Code of Regulations, products used in the 2.4- and 5-GHz ISM bands manufactured
after June 1994 must either use connectors that are unique and nonstandard (meaning not readily available on the
market by the average user) or be designed to be professionally installed (“professional” here indicates a person
trained in RF installation and regulations). Since many of the 2.4-GHz products are installed by non-RF trained
personnel, these products must comply with the unique connector ruling. The Cisco outdoor access and bridge
products are designed for installation by a RF professional, and therefore may use a standard N style connector.
Cisco Aironet indoor products use reverse polarity-TNC (RP-TNC) connectors. While they are similar to the normal
TNC connectors, they cannot be mated to the standard connectors.
To ensure compatibility with Cisco Aironet products, use antennas and cabling from Cisco.
Mounting Hardware
Each antenna requires some type of mounting. The standard dipole antenna simply connects to the RP-TNC
connector on the unit. Mast mount antennas are designed to mount to a variety of mast diameters and each
comes with mounting hardware for attachment. The Yagi antennas have an articulating mount option. Patch
antennas are designed to mount flat against a wall or ceiling, and ceiling-mount antennas are equipped with a
drop-ceiling cross-member attachment. The 2.4-GHz 21-dBi parabolic dish mounts to a 1.625- up to a 2.375-in.
mast. In this dish antenna, fine-threaded turn-buckles allow accurate aiming of the antenna.
For most indoor applications, a .75- or 1-in. electrical conduit provides a suitable mounting. For outdoor
applications, use a heavy galvanized or aluminum wall mast that will withstand the wind-loading rating of the
selected antenna.
Lightning Arrestors
When using outdoor antenna installations, it is always possible that an antenna will suffer damage from potential
charges developing on the antenna and cable, or surges induced from nearby lightning strikes. The Cisco Aironet
lightning arrestor is designed to protect 2.4-GHz to 5.8-GHz radio equipment from static electricity and lightning-induced surges that travel on coaxial transmission lines. Both systems need to be properly grounded as identified
in the hardware installation manuals of the products. These protection mechanisms will not prevent damage in the
event of a direct lightning hit.
Theory of Operation
The Cisco Aironet Lightning Arrestor (Figure 5) prevents energy surges from reaching the RF equipment by the
shunting effect of the device. Surges are limited to less than 50 volts, in about .0000001 seconds (100
nanoseconds). A typical lightning surge is about .000002 seconds (2 microseconds).
Figure 5. Cisco Aironet Lightning Arrestor
The accepted IEEE transient (surge) suppression is .000008 seconds (8 microseconds). The Cisco Aironet
Lightning Arrestor is a 50-ohm transmission line with a gas discharge tube positioned between the center
conductor and ground. This gas discharge tube changes from an open circuit to a short circuit almost
instantaneously in the presence of voltage and energy surges, providing a path to ground for the energy surge.
Installation
This arrestor is designed to be installed between your antenna cable and the Cisco Aironet access point.
Installation should be indoors, or inside a protected area. A good ground must be attached to the arrestor. This
can be accomplished by attaching a ground lug to the arrestor and using a heavy wire (number 6 solid copper) to
connect the lug to a good earth ground (see Figure 6).
Understanding RF Power Values
Radio frequency (RF) signals are subject to various losses and gains as they pass from transmitter through cable
to antenna, through air (or solid obstruction), to receiving antenna, cable, and receiving radio. With the exception
of solid obstructions, most of these figures and factors are known and can be used in the design process to
determine whether an RF system such as a WLAN will work.
Decibels
The decibel (dB) scale is a logarithmic scale used to denote the ratio of one power value to another. For example:
X dB = 10 log10 (Power A / Power B)
An increase of 3 dB indicates a doubling (2x) of power. An increase of 6 dB indicates a quadrupling (4x) of power.
Conversely, a decrease of 3 dB reduces power by one half, and a decrease of 6 dB results in a one fourth of the
power. Some examples are shown below in Table 1.
Table 1. Decibel Values and Corresponding Factors
Increase Factor Decrease Factor
0 dB 1 x (same) 0 dB 1 x (same)
1 dB 1.25 x -1 dB 0.8 x
3 dB 2 x -3 dB 0.5 x
6 dB 4 x -6 dB 0.25 x
10 dB 10 x -10 dB 0.10 x
12 dB 16 x -12 dB 0.06 x
20 dB 100 x -20 dB 0.01 x
30 dB 1000 x -30 dB 0.001 x
40 dB 10,000 x -40 dB 0.0001 x
Power Ratings
WLAN equipment is usually specified in decibels compared to known values. Transmit Power and Receive
Sensitivity are specified in “dBm,” where “m” means 1 milliwatt (mW). So, 0 dBm is equal to 1 mW; 3 dBm is equal
to 2 mW; 6 dBm is equal to 4 mW, and so on, as shown in Table 2.
Table 2. Common mW Values to dBm Values
dBm mW dBm mW
0 dBm 1 mW 0 dBm 1 mW
1 dBm 1.25 mW -1 dBm 0.8 mW
3 dBm 2 mW -3 dBm 0.5 mW
6 dBm 4 mW -6 dBm 0.25 mW
7 dBm 5 mW -7 dBm 0.20 mW
10 dBm 10 mW -10 dBm 0.10 mW
12 dBm 16 mW -12 dBm 0.06 mW
13 dBm 20 mW -13 dBm 0.05 mW
15 dBm 32 mW -15 dBm 0.03 mW
17 dBm 50 mW -17 dBm 0.02 mW
20 dBm 100 mW -20 dBm 0.01 mW
30 dBm 1000 mW (1 W) -30 dBm 0.001 mW
40 dBm 10,000 mW (10 W) -40 dBm 0.0001 mW
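The dB relationships in Tables 1 and 2, and the gain/loss chain described under "Understanding RF Power Values", can be worked directly in code. The following Python is an added example, not part of the Cisco guide: the conversion functions implement the formula given above, the link-budget function adds gains and subtracts losses in the dB domain, and range_factor_from_db encodes the "6 dB doubles the distance" rule that the Outdoor Range section states for clear line-of-sight links (it assumes free-space propagation). The 20 dBm radio, 6 dBi antennas, cable losses, 100 dB path loss and -85 dBm sensitivity in the demonstration are constructed values, not figures from the guide.

```python
import math


def db_from_ratio(power_a_mw: float, power_b_mw: float) -> float:
    """Decibel difference between two powers: X dB = 10 * log10(A / B)."""
    if power_a_mw <= 0 or power_b_mw <= 0:
        raise ValueError("power values must be positive")
    return 10.0 * math.log10(power_a_mw / power_b_mw)


def ratio_from_db(db: float) -> float:
    """Linear power factor for a decibel change (+3 dB -> ~2x, -3 dB -> ~0.5x)."""
    return 10.0 ** (db / 10.0)


def mw_to_dbm(mw: float) -> float:
    """Absolute power in dBm: decibels relative to 1 mW, so 1 mW is 0 dBm."""
    return db_from_ratio(mw, 1.0)


def dbm_to_mw(dbm: float) -> float:
    """Inverse of mw_to_dbm: 20 dBm -> 100 mW, -10 dBm -> 0.1 mW."""
    return ratio_from_db(dbm)


def received_power_dbm(tx_dbm, tx_cable_loss_db, tx_gain_dbi,
                       path_loss_db, rx_gain_dbi, rx_cable_loss_db):
    """Link budget: once everything is in dB, gains add and losses subtract.

    Transmitter -> cable -> antenna -> air -> antenna -> cable -> receiver,
    the chain described under "Understanding RF Power Values".
    """
    return (tx_dbm - tx_cable_loss_db + tx_gain_dbi
            - path_loss_db + rx_gain_dbi - rx_cable_loss_db)


def link_margin_db(received_dbm, rx_sensitivity_dbm):
    """How far above the receiver's sensitivity the signal arrives (negative = no link)."""
    return received_dbm - rx_sensitivity_dbm


def range_factor_from_db(delta_db):
    """Relative change in clear line-of-sight range for a change in link budget.

    Free-space path loss rises 20 dB per tenfold increase in distance, so
    range scales as 10^(dB/20): +6 dB doubles it, -6 dB halves it, matching
    the rule of thumb in the Outdoor Range section.
    """
    return 10.0 ** (delta_db / 20.0)


if __name__ == "__main__":
    # Constructed example values (not from the guide): 20 dBm radio, 6 dBi
    # antennas at both ends, 100 dB of path loss, -85 dBm receiver sensitivity.
    short_run = received_power_dbm(20, 1.0, 6, 100, 6, 1.0)   # 1 dB of coax each end
    long_run = received_power_dbm(20, 5.0, 6, 100, 6, 5.0)    # 5 dB of coax each end
    print(f"short coax: {short_run:.1f} dBm, margin {link_margin_db(short_run, -85):.1f} dB")
    print(f"long coax:  {long_run:.1f} dBm, margin {link_margin_db(long_run, -85):.1f} dB")
    # The extra 8 dB of cable loss leaves only about 40% of the achievable range.
    print(f"range factor: {range_factor_from_db(long_run - short_run):.2f}x")
```

The point for a designer is that cable loss is paid at both ends of the link and that, in the dB domain, a loss trades against an antenna gain one for one; the example's 8 dB of extra coax loss shrinks the achievable range to about 40%, which is why the Cabling section says to keep runs as short as possible.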
Outdoor Range
The range of a wireless link is dependent upon the maximum allowable path loss. For outdoor links, this is a
straightforward calculation as long as there is clear line of sight between the two antennas with sufficient
clearance for the Fresnel zone. For line of sight, you should be able to visibly see the remote location's antenna
from the main site. (Longer distances may require the use of binoculars). There should be no obstructions
between the antennas themselves. This includes trees, buildings, hills, and so on.
As the distance extends beyond six miles, the curve of the earth (commonly called earth bulge) affects installation,
requiring antennas to be placed at higher elevations.
Fresnel Zone
Fresnel zone is an elliptical area immediately surrounding the visual path. It varies depending on the length of the
signal path and the frequency of the signal. The Fresnel zone can be calculated, and it must be taken into account
when designing a wireless link (Figure 6).
Figure 6. Fresnel Zone
Based on both line-of-sight and Fresnel zone requirements, Table 3 provides a guideline on height requirements
for 2.4-GHz antennas at various distances. This refers to height above any obstacles located in the middle of the
RF path.
Table 3. Guideline on Height Requirements for 2.4-GHz Antennas
Columns: Wireless Link Distance (miles); Approx. Value “F” (60% Fresnel Zone), Ft. at 2.4 GHz; Approx. Value “C” (Earth Curvature); Value “H” (Mounting Ht.), Ft. with No Obstructions
1 10 3 13
5 30 5 35
10 44 13 57
15 55 28 83
20 65 50 115
25 72 78 150
Cisco.com provides an Outdoor Bridge Range Calculation Utility for both 2.4-GHz and 5-GHz products. This utility
calculates the Fresnel zone and maximum range based upon cable types and lengths, transmitter and receiver
models, and antennas. The utility can be found at:
http://www.cisco.com/en/US/products/hw/wireless/ps458/products_tech_note09186a008009459b.shtml
A 10-dB fade margin is included for 2.4-GHz calculations, while the included 5-dB fade margin for 5-GHz
calculations is sufficient for dependable communications in all weather conditions. The distances given are only
theoretical and should only be used to determine the feasibility of a particular design.
Outdoors, every increase of 6 dB will double the distance. Every decrease of 6 dB will halve the distance. Shorter cable runs and higher-gain antennas can make a significant difference to the range. The following links provide
range calculations for the outdoor mesh products:
• Cisco Aironet 1520 Series:
http://www.cisco.com/en/US/partner/products/ps11451/products_implementation_design_guides_list.htm
• Cisco Aironet 1550 Series:
http://www.cisco.com/en/US/partner/products/ps8368/products_implementation_design_guides_list.html
Regulations
North America
Connectors
In 1985, the FCC enacted standards for the commercial use of spread-spectrum technology in the ISM frequency
bands. Spread spectrum is currently allowed in the 900-, 2400-, and 5200-MHz bands.
In 1989, the FCC drafted an amendment governing spread-spectrum systems in the unlicensed ISM band, and
Congress enacted this amendment into law in 1990. This amendment is commonly referred to as the “new rules”
or “’94 rules” because it impacts all spread-spectrum products manufactured after June 23, 1994. Products
manufactured before June 23, 1994, are not affected by the amendment.
The FCC 1994 rules are intended to discourage use of amplifiers, high-gain antennas, or other means
of significantly increasing RF radiation. The rules are further intended to discourage “home brew” systems that are
installed by inexperienced users and that - either accidentally or intentionally - do not comply with FCC regulations
for use in the ISM band.
Both the original rules and the amendments sought to enable multiple RF networks to “coexist” with minimum
impact on one another by exploiting properties of spread-spectrum technology. Fundamentally, the FCC 1994
rules intend to limit RF communications in the ISM band to a well-defined region, while ensuring multiple systems
can operate with minimum impact on one another. These two needs are addressed by limiting the type and gain of
antennas used with a given system, and by requiring a greater degree of RF energy “spreading.”
Antenna Gain and Power Output
FCC regulations specify maximum power output and antenna gain. For the UNII3 band, the FCC limits the
transmitter power to 1 watt or 30 dBm, and the antenna gain of an omnidirectional antenna to 6 dBi. For directional
antennas operating in a point-to-point system, gains of up to 23 dBi are permitted. For antennas with gain higher
than 23 dBi, the transmitter output power must be reduced 1 dB for every 1 dB above 23 dBi increase in the
antenna gain.
At 2.4 GHz, the maximum transmitter power is also 1 watt. Using this maximum power, the maximum antenna gain
is 6 dBi. However, the regulations also define the maximum values in regards to the following two different system
scenarios.
Point-to-Point and Point-to-Multipoint Systems
In point-to-multipoint systems, the FCC has limited the maximum EIRP to 36 dBm. EIRP = TX power + antenna
gain. For every dB that the transmitter power is reduced, the antenna may be increased by 1 dB. Thus, 29 dBm
TX, +7 dB antenna = 36 dBm EIRP; 28 dBm TX +8 dB antenna = 36 dBm EIRP.
The Cisco Aironet 2.4-GHz bridge transmitter power is 20 dBm, which is 10 dBm lower than maximum. This then
allows the use of antennas up to 10 dB over the initial 6 dBi limit, or 16 dBi.
In point-to-point systems for 2.4-GHz systems using directional antennas, the rules have changed. Because a
high-gain antenna has a narrow beamwidth, the likelihood is great that it will cause interference to other area
users. Under the rule change, for every dB the transmitter is reduced below 30 dBm, the antenna may be
increased from the initial 6 dBi, by 3 dB. Thus, a 29-dB transmitter means 9-dBi antenna; a 28-dB transmitter
means 12-dBi antenna. Because we are operating at 20 dBm, which is 10 dB below the 30 dBm level, we can
increase the antenna gain by 30 dB. Note that Cisco has never tested, and therefore has not certified, any
antenna with gain greater than 21 dBi.
The main issue that comes up here is: What differentiates a point-to-point from a multipoint system?
In Figure 7, point A communicates to a single point (point B), and point B communicates to a single point A;
therefore, it is simple to see that both locations see this as a point-to-point installation.
In Figure 8, point A communicates to more than one (or multiple) points; therefore, point A is operating in a
multipoint configuration, and the largest antenna permitted is 16 dBi. Point B or point C can each communicate to
only one point (point A); therefore, point B and point C actually operate in a single-point or point-to-point operation,
and a larger antenna may be used.
Figure 7. Point-to-Point Wireless Bridge Solution
Figure 8. Point-to-Multipoint Wireless Bridge Solution
Amplifiers
In the FCC rules, Section 15.204-Part C states: “External radio frequency power amplifiers shall not be marketed
as separate products.” Part D states: “Only the antenna with which an intentional radiator (transmitter) is originally
authorized may be used with the intentional radiator." This means that unless the amplifier manufacturer submits
the amplifier for testing with the radio and antenna, it cannot be sold in the United States. If it has been certified, it
must be marketed and sold as a complete system, including transmitter, antenna, and coaxial cable. It also must
be installed exactly this way.
If you are using a system that includes an amplifier, remember that these rules concerning power are still in effect.
If the amplifier is one-half (.5) watt (27 dBm), this means in a multipoint system, the maximum antenna gain is only
9 dBi, and in a point-to-point system it is only 15 dBi.
ETSI
The European Telecommunications Standards Institute (ETSI) has developed standards that have been
adopted by many European countries as well as many others. Under the ETSI regulations, the power output and
EIRP regulations are much different than in the United States.
Antenna Gain and Power Output
The ETSI regulations specify maximum EIRP as 20 dBm. Since this includes antenna gain, this limits
the antennas that can be used with a transmitter. To use a larger antenna, the transmitter power must be reduced
so that the overall gain of the transmitter, plus the antenna gain, less any losses in coax, is equal to or less than
+20 dBm. This drastically reduces the overall distance an outdoor link can operate.
Amplifiers
Since the ETSI regulation has such a low EIRP, the use of amplifiers is typically not permitted in any ETSI system.
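The FCC 2.4 GHz antenna-gain rules above (1 dB of antenna gain per dB of transmitter reduction in point-to-multipoint service, 3 dB per dB in point-to-point service, starting from 6 dBi at 30 dBm), the UNII3 rule, and the ETSI 20 dBm EIRP limit can be turned into a configuration check. This is an added Python example, not a Cisco tool: the function and constant names are my own, the limits are the ones stated in the text, and the rules are applied exactly as written there (no other regulatory domains or later rule changes are modeled).

```python
FCC_MAX_TX_DBM = 30.0              # 1 W, the limit at both 2.4 GHz and UNII3
FCC_BASE_OMNI_GAIN_DBI = 6.0       # antenna gain allowed at the full 30 dBm
FCC_MULTIPOINT_MAX_EIRP_DBM = 36.0 # point-to-multipoint EIRP cap
FCC_UNII3_PTP_GAIN_DBI = 23.0      # above this, drop 1 dB of TX power per dB of gain
ETSI_MAX_EIRP_DBM = 20.0           # ETSI EIRP limit, antenna gain included


def eirp_dbm(tx_power_dbm, antenna_gain_dbi, cable_loss_db=0.0):
    """EIRP = TX power + antenna gain, less any coax loss between the two."""
    return tx_power_dbm - cable_loss_db + antenna_gain_dbi


def fcc_max_antenna_gain_2_4ghz(tx_power_dbm, point_to_point):
    """Largest antenna gain the FCC rules in the text allow at 2.4 GHz.

    Every 1 dB the transmitter sits below 30 dBm buys 1 dB of antenna gain in
    point-to-multipoint use and 3 dB in point-to-point use, on top of 6 dBi.
    """
    if tx_power_dbm > FCC_MAX_TX_DBM:
        raise ValueError("transmitter power exceeds the 30 dBm (1 W) limit")
    headroom_db = FCC_MAX_TX_DBM - tx_power_dbm
    per_db = 3.0 if point_to_point else 1.0
    return FCC_BASE_OMNI_GAIN_DBI + per_db * headroom_db


def fcc_max_tx_power_unii3(antenna_gain_dbi):
    """UNII3 point-to-point: 30 dBm up to 23 dBi, then 1 dB less per dB of extra gain."""
    return FCC_MAX_TX_DBM - max(0.0, antenna_gain_dbi - FCC_UNII3_PTP_GAIN_DBI)


def etsi_max_tx_power(antenna_gain_dbi, cable_loss_db=0.0):
    """ETSI: TX power + antenna gain - coax loss must stay at or under 20 dBm."""
    return ETSI_MAX_EIRP_DBM - antenna_gain_dbi + cable_loss_db


def check_2_4ghz_config(tx_power_dbm, antenna_gain_dbi, point_to_point,
                        regulatory_domain="FCC", cable_loss_db=0.0):
    """Return (compliant, reason) for a 2.4 GHz transmitter/antenna combination."""
    eirp = eirp_dbm(tx_power_dbm, antenna_gain_dbi, cable_loss_db)
    if regulatory_domain == "ETSI":
        if eirp > ETSI_MAX_EIRP_DBM:
            return False, f"EIRP {eirp:.1f} dBm exceeds the ETSI limit of {ETSI_MAX_EIRP_DBM:.0f} dBm"
        return True, f"EIRP {eirp:.1f} dBm is within the ETSI limit"
    if regulatory_domain == "FCC":
        if tx_power_dbm > FCC_MAX_TX_DBM:
            return False, "transmitter power is above 30 dBm"
        max_gain = fcc_max_antenna_gain_2_4ghz(tx_power_dbm, point_to_point)
        if antenna_gain_dbi > max_gain:
            return False, f"{antenna_gain_dbi} dBi exceeds the {max_gain:.0f} dBi allowed at {tx_power_dbm} dBm"
        if not point_to_point and eirp > FCC_MULTIPOINT_MAX_EIRP_DBM:
            return False, f"EIRP {eirp:.1f} dBm exceeds the multipoint cap of 36 dBm"
        return True, f"{antenna_gain_dbi} dBi is allowed (limit {max_gain:.0f} dBi)"
    raise ValueError(f"unknown regulatory domain {regulatory_domain!r}")


if __name__ == "__main__":
    # The worked numbers from the text: a 20 dBm bridge and a 27 dBm (0.5 W) amplifier.
    for tx in (20, 27):
        print(f"{tx} dBm: multipoint up to {fcc_max_antenna_gain_2_4ghz(tx, False):.0f} dBi, "
              f"point-to-point up to {fcc_max_antenna_gain_2_4ghz(tx, True):.0f} dBi")
    print(check_2_4ghz_config(20, 21, False))          # 21 dBi dish on a multipoint hub
    print(check_2_4ghz_config(20, 2.2, False, "ETSI"))  # plain dipole under ETSI
```

check_2_4ghz_config reproduces the worked numbers from the text: a 20 dBm bridge may use up to 16 dBi in multipoint service, a 27 dBm amplifier limits the antenna to 9 dBi (multipoint) or 15 dBi (point-to-point), and under ETSI even a 2.2 dBi dipole on a 20 dBm radio is over the 20 dBm EIRP limit. The point-to-point figure it returns for a 20 dBm radio is 36 dBi, well past the 21 dBi maximum the text says Cisco has certified, so the regulatory maximum is not the same as a supported configuration.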
Frequencies and Channel Sets
IEEE 802.11b/g Direct Sequence Channels
Fourteen channels are defined in the IEEE 802.11b/g direct-sequence channel set. Each direct-sequence channel
as transmitted is 22 MHz wide; however, the channel center separation is only 5 MHz. This leads to channel
overlap such that signals from neighboring channels can interfere with each other. In a 14-channel direct-sequence system (11 usable in the United States), only three nonoverlapping (and hence, noninterfering)
channels, 25 MHz apart, are possible (for example, channels 1, 6, and 11).
This channel spacing governs the use and allocation of channels in a multiple-access-point environment such as
an office or campus. Access points are usually deployed in “cellular” fashion within an enterprise, where adjacent
access points are allocated nonoverlapping channels. Alternatively, access points can be collocated using
channels 1, 6, and 11 to deliver 33 Mbps bandwidth to a single area (but only 11 Mbps to a single client).
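The overlap arithmetic in the two paragraphs above (22 MHz wide channels on 5 MHz centres, three usable channels 25 MHz apart) is small enough to compute rather than memorise. The following Python is an added example, not from the guide: the centre frequencies are the Table 4 values, the two constants follow the text, and the access-point names and adjacency list in the demonstration are constructed.

```python
from itertools import combinations

DSSS_CHANNEL_WIDTH_MHZ = 22        # width of each transmitted 802.11b/g channel
NONOVERLAP_SEPARATION_MHZ = 25     # spacing of the three noninterfering channels


def dsss_center_mhz(channel: int) -> int:
    """Centre frequency of an IEEE 802.11b/g channel (values as in Table 4)."""
    if channel == 14:
        return 2484                  # channel 14 sits 12 MHz above channel 13
    if 1 <= channel <= 13:
        return 2407 + 5 * channel    # 5 MHz centre separation
    raise ValueError(f"no 802.11b/g channel {channel}")


def channels_overlap(a: int, b: int) -> bool:
    """Two 22 MHz wide channels overlap when their centres are less than 22 MHz apart."""
    return abs(dsss_center_mhz(a) - dsss_center_mhz(b)) < DSSS_CHANNEL_WIDTH_MHZ


def max_nonoverlapping_sets(available, min_separation_mhz=NONOVERLAP_SEPARATION_MHZ):
    """All largest channel sets whose centres are pairwise >= min_separation_mhz apart.

    Exhaustive search is fine here: at most 14 channels, so at most 2^14 subsets.
    """
    chans = sorted(set(available))
    for size in range(len(chans), 0, -1):
        found = [
            combo for combo in combinations(chans, size)
            if all(abs(dsss_center_mhz(x) - dsss_center_mhz(y)) >= min_separation_mhz
                   for x, y in combinations(combo, 2))
        ]
        if found:
            return found
    return []


def find_overlapping_neighbours(assignment, neighbours):
    """Audit a channel plan: neighbouring access-point pairs on overlapping channels.

    assignment: {access_point_name: channel}; neighbours: (ap1, ap2) pairs whose cells touch.
    """
    return sorted((a, b) for a, b in neighbours
                  if channels_overlap(assignment[a], assignment[b]))


if __name__ == "__main__":
    print("11-channel domain:", max_nonoverlapping_sets(range(1, 12)))
    print("13-channel domain:", len(max_nonoverlapping_sets(range(1, 14))), "three-channel plans")
    # Constructed sample plan (not from the guide): AP4 on channel 3 next to AP1 on channel 1.
    plan = {"AP1": 1, "AP2": 6, "AP3": 11, "AP4": 3}
    adjacency = [("AP1", "AP2"), ("AP2", "AP3"), ("AP1", "AP4"), ("AP3", "AP4")]
    print("overlapping neighbours:", find_overlapping_neighbours(plan, adjacency))
```

max_nonoverlapping_sets finds every largest mutually noninterfering channel set for a domain's channel list (only 1, 6 and 11 for the eleven US channels; ten different three-channel plans once channels 12 and 13 are available), and find_overlapping_neighbours audits an existing plan for adjacent cells whose channels overlap, which is the interference a site survey is meant to catch.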
The channel allocation scheme is illustrated in Figure 9, and the available channels in the different regulatory
domains are defined in Table 4.
Figure 9. IEEE 802.11b/g DSSS Channel Allocations
Table 4 shows the channels permitted in the corresponding approval areas.
Table 4. DSSS PHY Frequency Channel Plan
Table 4 columns: Channel ID; Frequency (MHz); Regulatory Domains -A, -C, -E, -I, -J, -K, -N, -P, -S, -T for 2400-2484 MHz, each with a Mode B and a Mode G column (Maximum Conducted Average Power Levels in dBm)
Mode B G B G B G B G B G B G B G B G B G B G
1 2412 X X X X X X X X X X X X X X X X X X
2 2417 X X X X X X X X X X X X X X X X X X
3 2422 X X X X X X X X X X X X X X X X X X
4 2427 X X X X X X X X X X X X X X X X X X
5 2432 X X X X X X X X X X X X X 17 X X X X X X
6 2437 X X X X X X X X X X X X X X X X X X X X
7 2442 X X X X X X X X X X X X X X X X X X X X
8 2447 X X X X X X X X X X X X X X X X X X X X
9 2452 X X X X X X X X X X X X X X X X X X X 17
10 2457 X X X X X X X X X X X X X X X X X X X X
11 2462 X X X X X X X X X X X X X X X X X X X X
12 2467 X X X X X X X X X X X X X X
13 2472 X X X X X X X X X X X X X X
14 2484 X X
IEEE 802.11a Channels
The 802.11a specification today specifies four channels for the UNII1 band, four channels for the UNII2 band, and
four channels for the UNII3 band. These channels are spaced at 20 MHz apart and are considered noninterfering;
however, they do have a slight overlap in frequency spectrum. It is possible to use adjacent channels in adjacent
cell coverage, but it is recommended when possible to separate adjacent cell channels by at least 1 channel.
Figure 10 shows the channel scheme for the 802.11 bands, and Table 5 lists the North American frequency
allocations.
Figure 10. 802.11a Channel Allocation
Table 5. 802.11a Frequency Plan
Columns: Regulatory Domain; Frequency Band; Channel Number (Centre Frequency)
USA; UNII lower band, 5.15-5.25 GHz; 36 (5.180 GHz), 40 (5.200 GHz), 44 (5.220 GHz), 48 (5.240 GHz)
USA; UNII middle + extended, 5.25-5.700 GHz; 52 (5.260 GHz), 56 (5.280 GHz), 60 (5.300 GHz), 64 (5.320 GHz), 100 (5.500 GHz), 104 (5.520 GHz), 108 (5.540 GHz), 112 (5.560 GHz), 116 (5.580 GHz), 120* (5.600 GHz), 124* (5.620 GHz), 128* (5.640 GHz), 132 (5.660 GHz), 136 (5.680 GHz), 140 (5.700 GHz)
USA; UNII upper band, 5.725-5.825 GHz; 149 (5.745 GHz), 153 (5.765 GHz), 157 (5.785 GHz), 161 (5.805 GHz)
USA; ISM band, 5.725-5.825 GHz; 149 (5.745 GHz), 153 (5.765 GHz), 157 (5.785 GHz), 161 (5.805 GHz), 165 (5.825 GHz)
* Not supported in US due to weather radars.
Cisco Aironet Antenna Descriptions
Table 6 below defines the various 2.4 GHz antennas that are offered by Cisco for the Cisco Aironet product line,
and Table 7 lists the available antennas for the Cisco Aironet 5 GHz bridge products. Table 8 defines the 2
antennas that are offered for use with the Cisco Aironet 1250 Series Access Points.
Table 6. 2.4 GHz Antennas with RP-TNC connectors
Cisco Part Number Antenna Type Description Gain
AIR-ANT2422DB-R
AIR-ANT4941
Black dipole, 1 port Single black dipole antenna with an RP-TNC connector. The antenna
provides indoor omnidirectional coverage and is designed for use in the 2400-
2500 MHz frequency band. It has a 90-degree articulation radius. It can be
used with all radios that utilize an RP-TNC antenna connector.
2.2 dBi
AIR-ANT2422DW-R
AIR-ANT2422DW-R=
White dipole, 1 port Single white dipole antenna with an RP-TNC connector. The antenna
provides indoor omnidirectional coverage and is designed for use in the 2400-
2500 MHz frequency band. It has a 90-degree articulation radius. It can be
used with all radios that utilize an RP-TNC antenna connector.
2.2 dBi
AIR-ANT2422DG-R
AIR-ANT2422DG-R=
Gray dipole, 1 port Single gray dipole antenna with an RP-TNC connector. The antenna provides
indoor omnidirectional coverage and is designed for use in the 2400-2500
MHz frequency band. It does not articulate as the other dipole antennas. It
can be used with all radios that utilize an RP-TNC antenna connector.
2.2 dBi
AIR-ANT2422SDW-R
AIR-ANT2422SDW-R=
White monopole, 1 port
Single white monopole antenna with RP-TNC connector. The antenna
provides indoor omnidirectional coverage and is designed for use in the 2400-
2500 MHz frequency band. It does not articulate as the other dipole antennas.
It can be used with the 1260 and 3500 access points.
2.2 dBi
AIR-ANT2450S-R Sector, 1 port Wall mount indoor/outdoor antenna with RP-TNC connector for use with any
2.4 GHz radio. Capable of covering large areas. The plenum rated cable is
36” long.
5 dBi
AIR-ANT1728 Omnidirectional Ceiling-mount indoor antenna with RP-TNC connector - This antenna was
designed for WLAN applications with frequencies of 2400-2500 MHz. The
antenna is omnidirectional and has a nominal gain of 5.2 dBi. It comes with a
clip that allows it to be mounted to a drop-ceiling cross member.
5.2 dBi
AIR-ANT2506 Omnidirectional, 1 port
Mast-mount indoor/outdoor antenna with a RP-TNC connector - This antenna
was designed for WLAN applications for frequencies of 2400-2500 MHz. The
antenna is omnidirectional and has a nominal gain of 5.2 dBi. It is designed to
be mounted on a round mast.
5.2 dBi
AIR-ANT2460P-R Patch, 1 port Wall mount, indoor/outdoor directional patch antenna. Designed for use with
any radio that features an RP-TNC antenna connector. For use in the 2400-
2500 MHz frequency band. The pigtail cable is plenum rated, 36” long.
6 dBi
AIR-ANT2485P-R Patch, 1 port Wall mount indoor/outdoor antenna with a RP-TNC connector - Designed for
use with any radio that features a RP-TNC connector. For use in the 2400-
2500 MHz frequency band. The plenum rated pigtail cable is 36” long.
8.5 dBi
AIR-ANT2410Y-R Yagi, 1 port High-gain outdoor directional antenna with a RP-TNC connector - This WLAN
antenna is a completely enclosed yagi. It is designed to be used as a bridge
antenna between two networks or for point-to-point communications. The gain
is 10 dBi and the half-power beamwidth is 55 degrees. This antenna is
normally mounted on a mast and is vertically polarized.
10 dBi
AIR-ANT24120 Omnidirectional, 1 port
Mast mount outdoor high gain antenna with a RP-TNC connector - This
antenna was designed for WLAN applications for frequencies of 2400-2500
MHz. The antenna is omnidirectional and has a nominal gain of 12 dBi. This
design uses an elevated center-feed to produce an elevation pattern with very
little “squint” or beam-tilt. It is designed to be mounted on a round mast.
12 dBi
AIR-ANT1949 Yagi, 1 port High-gain outdoor directional antenna with a RP-TNC connector - This WLAN
antenna is a completely enclosed 16-element yagi. It is designed to be used
as a bridge antenna between two networks or for point-to-point
communications. The gain is 13.5 dBi and the half-power beamwidth is 30
degrees. This antenna is normally mounted on a mast and is vertically
polarized.
13.5 dBi
AIR-ANT2414S-R Sector, 1 port Mast mount outdoor sector antenna with a RP-TNC connector - This antenna
was designed for WLAN applications for frequencies of 2400-2500 MHz. The
antenna is directional and has a nominal gain of 14 dBi. Its flexible mounting
bracket allows for either mast or wall mounting options.
14 dBi
AIR-ANT3338 Dish, 1 port Very high-gain outdoor antenna with a RP-TNC connector - This WLAN
antenna is a parabolic dish designed to be used as a bridge antenna between
two networks or for point-to-point communications. It consists of an aluminum
parabolic reflector and feed antenna. The antenna features a rugged mount. It
also offers 20 degree fine adjustment for both horizontal and vertical planes.
The antenna is provided with hardware for mast mounting.
21 dBi
AIR-ANT24020V-R= Omnidirectional, 2 port Ceiling mount indoor antenna with two RP-TNC connectors. Supports
diversity antennas in a single package for areas where multipath problems
exist. The pigtail cable is plenum rated and 36” long.
2.0 dBi
AIR-ANT2452V-R Omnidirectional, 2 port Pillar-mount diversity, indoor antenna with two RP-TNC connectors. Antenna
is ideal for the retail or hospital environment. Includes 36 in. of white RG-58
cable with a separation of coaxial cables that are joined together to form a 10
in. length. Included are two mounting brackets that will keep the antenna 6 in.
off the wall.
5.2 dBi
AIR-ANT2465P-R Patch, 2 port Wall-mount indoor/outdoor antenna with two RP-TNC connectors - Similar to
AIR-ANT2460P-R, but providing diversity antennas in the same package for
areas where multipath problems exist. The pigtail cable is plenum rated and
36” long.
6.5 dBi
AIR-ANT2430V-R= Omnidirectional, 3 port Ceiling-mount indoor omni-directional antenna with three cables terminating
in RP-TNC connectors. For use with 802.11n access points. For use in the
2400-2500 MHz frequency band. The pigtail cables are plenum rated and 36”
long each.
3 dBi
AIR-ANT2440NV-R= Omnidirectional, 3 port Wall or mast-mount 2.4 GHz indoor/outdoor omni-directional antenna with
three cables terminating in RP-TNC connectors. For use with 802.11n access
points. The pigtail cables are plenum rated and 36” long each.
4 dBi
AIR-ANT2460NP-R= Patch, 3 port Wall or mast-mount 2.4 GHz indoor/outdoor patch antenna with three cables
terminating in RP-TNC connectors. For use with 802.11n access points. The
pigtail cables are plenum rated and 36” long each.
6 dBi
Table 7. 5 GHz Antennas with RP-TNC connectors
Cisco Part Number Antenna Type Description Gain
AIR-ANT5135DB-R / AIR-ANT5135D-R Omnidirectional, 1 port Single black dipole antenna with an RP-TNC connector. The antenna
provides indoor omnidirectional coverage and is designed for use in the 5
GHz frequency band. It has a 90-degree articulation radius. It can be used
with radios that utilize an RP-TNC antenna connector.
3.5 dBi
AIR-ANT5135DW-R / AIR-ANT5135DW-R= Omnidirectional, 1 port Single white dipole antenna with an RP-TNC connector. The antenna
provides indoor omnidirectional coverage and is designed for use in the 5
GHz frequency band. It has a 90-degree articulation radius. It can be used
with radios that utilize an RP-TNC antenna connector.
3.5 dBi
AIR-ANT5135DG-R / AIR-ANT5135DG-R= Omnidirectional, 1 port Indoor-only gray, non-articulating dipole-like omnidirectional antenna for 5
GHz. It can be used with radios that utilize an RP-TNC antenna connector.
3.5 dBi
AIR-ANT5160V-R Omnidirectional, 1 port Indoor or outdoor use omnidirectional 5 GHz antenna for use with the
1200 Series and the 802.11a module (AIR-RM22A). Can be mast or
ceiling mounted.
6 dBi
AIR-ANT5195P-R Patch, 1 port Wall or Mast Mount Patch Antenna - Designed for use indoor or outdoors,
this antenna comes with a wall mount and a plate that adapts to
articulating mounting hardware (AIR-ACC2662), which is sold separately.
It has a plenum rated pigtail cable of 36 in.
9.5 dBi
AIR-ANT5145V-R Omnidirectional, 2 port Indoor-only ceiling mounted diversity omnidirectional 5 GHz antenna
4.5 dBi
AIR-ANT5170P-R Patch, 2 port Wall Mount diversity patch antenna with RP-TNC Connectors - Designed
for use in both indoor and outdoor applications. It comes with wall mount
hardware, and has a gain of 7 dBi. It has a plenum rated pigtail cable of
36”.
7 dBi
AIR-ANT5140V-R= Omnidirectional, 3 port Ceiling mount indoor omni-directional antenna with three cables
terminating in RP-TNC connectors. Designed for use with 802.11n access
points. The plenum rated pigtail cables are 36” long each.
4 dBi
AIR-ANT5140NV-R= Omnidirectional, 3 port Wall or mast mount 5 GHz indoor/outdoor omni-directional antenna with
three cables terminating in RP-TNC connectors. Designed for use with
802.11n access points. The plenum rated pigtail cables are 36” long each.
4 dBi
AIR-ANT5160NP-R= Patch, 3 port Indoor or outdoor wall mounted 5 GHz patch antenna with three cables
terminating in RP-TNC connectors. Designed for use with 802.11n access
points. The plenum rated pigtail cables are 36” long each.
6 dBi
Table 8. Dual Band Antennas for 2.4 and 5 GHz Access Points with RP-TNC Connectors
Cisco Part Number Antenna Type Description Gain
AIR-ANT2451V-R= Omnidirectional 4 port Ceiling Mount Omni-directional Antenna - Designed for use indoor, this
antenna comes with ceiling mount hardware. It has 4 plenum rated
pigtail cables, 18 inches each, with 4 right angle RP-TNC connectors.
2.4 GHz: 2 dBi
5 GHz: 3 dBi
AIR-ANT2451NV-R= Omnidirectional, 6 port Ceiling Mount Omni-directional Antenna - Designed for use indoor, this
antenna comes with ceiling mount hardware. It has 6 plenum rated
pigtail cables, 18 inches each, with 6 RP-TNC connectors.
2.4 GHz: 2 dBi
5 GHz: 3 dBi
AIR-ANT25137NP-R= Patch, 6 port Designed for high density wireless applications such as stadiums and
arenas. Wall mounted patch antenna with 6 plenum rated pigtail cables,
36 inches each and 6 RP-TNC connectors. Only certified for use with
AP3502P access point.
2.4 GHz: 13 dBi
5 GHz: 7 dBi
Table 9. 2.4 GHz and 5 GHz Access Point and Bridge Antennas with N Type Connectors
Cisco Part Number Antenna Type Description Gain
AIR-ANT2420V-N Omnidirectional 2.4 GHz omnidirectional antenna for mesh access points. Suitable for
use on Cisco Aironet 1520 Series Mesh Access Points. It is only 5
inches long, mounts directly to the access point, and has no cable
attachments.
2 dBi
AIR-ANT2450V-N (=) Omnidirectional 2.4 GHz omnidirectional antenna for mesh access points. Suitable for
use on Cisco Aironet 1520 Series Mesh Access Points. It mounts
directly to the access point and has no cable attachments.
5 dBi
AIR-ANT2455V-N= Omnidirectional 2.4 GHz omnidirectional antenna for mesh access points. Suitable for
use on Cisco Aironet 1520 Series Mesh Access Points. It mounts
directly to the access point and has no cable attachments.
5.5 dBi
AIR-ANT2480V-N (=) Omnidirectional 2.4 GHz omnidirectional antenna for mesh access points. Suitable for
use on Cisco Aironet 1520 Series Mesh Access Points. It mounts
directly to the access point and has no cable attachments.
8 dBi
AIR-ANT5140V-N (=) Omnidirectional 5 GHz omnidirectional antenna for mesh access points. Suitable for use
on Cisco Aironet 1520 Series Mesh Access Points. It mounts directly to
the access point and has no cable attachments.
4 dBi
AIR-ANT5175V-N (=) Omnidirectional A 7.5 dBi antenna which supports 4900-5825 MHz. It has a 12” pigtail
cable and a N-type connector.
7.5 dBi
AIR-ANT5180V-N (=) Omnidirectional 5 GHz omnidirectional antenna for mesh access points. Suitable for use
on Cisco Aironet 1520 Series Mesh Access Points. It mounts directly to
the access point and has no cable attachments.
8 dBi
AIR-ANT58G9VOA-N Omnidirectional An omnidirectional antenna, for use with the Cisco Aironet 1400 Series
Wireless Bridge. This non-diversity, vertically polarized antenna
operates in the UNII-3 band (5725 to 5825 MHz). The antenna is
designed to be mast mounted in an outdoor environment. The antenna
is not compatible with other Cisco Aironet radio products operating in the
5 GHz frequency band.
9 dBi
AIR-ANT58G10SSA-N Sector A sector antenna for use with the Cisco Aironet 1400 Series Wireless
Bridge. This non-diversity symmetric antenna operates in the UNII-3
band (5725-5825 MHz). The antenna is designed to be mounted
outdoors on a mast or a suitable vertical surface. The antenna is not
compatible with other Cisco Aironet radio products operating in the 5
GHz frequency band.
9.5 dBi
AIR-ANT5114P-N= Patch 5 GHz, 14 dBi patch antenna for use in the 4950-5850 MHz frequency
band. The antenna has an N-type connector, and will require a separate
low loss cable for mounting to the access point. Articulating mount
included. Fits mast pole sizes 2” diameter maximum.
14 dBi
AIR-ANT5117S-N= Sector 5 GHz, 17 dBi sector antenna for use in the 4950-5850 MHz frequency
band. The antenna has an N-type connector, and will require a separate
low loss cable for mounting to the access point. Fits mast pole sizes 1.5
to 3” diameter maximum.
17 dBi
AIR-ANT58G28SDA-N Dish A parabolic dish antenna for use with the Cisco Aironet 1400 Series
Wireless Bridge. This non-diversity parabolic antenna operates in the
UNII-3 band (5725-5825 MHz). The antenna is designed to be mounted
outdoors on a mast. The antenna is designed to be used at the hub or
client site of a point-to-point installation, or point-to-multipoint client
sites, providing extended range. The antenna is not compatible with
other Cisco Aironet radio products operating in the 5 GHz frequency
band.
28 dBi
Table 10. 2.4 GHz and 5 GHz Dual-band Antennas with N Type Connectors
Cisco Part Number Antenna Type Description Gain
AIR-ANT2547V-N (=) Omnidirectional 2.4 GHz, 4 dBi and 5 GHz 7 dBi dual band omnidirectional antenna
which utilizes an N-type connector. It mounts directly to the access
point and has no cable attachments.
2.4 GHz: 4 dBi
5 GHz: 7 dBi
Table 11. 2.4 GHz and 5 GHz Access Point and Bridge Integrated Antennas
Cisco Part Number Antenna Type Description Gain
Integrated AP1130AG Antenna Omnidirectional Diversity antenna package for both 2.4 GHz and 5 GHz designed for
high performance in both ceiling and wall mount applications.
Antennas provide hemispherical coverage and cannot be removed
from the Access Point. No connectors are offered for additional
external antennas.
2.4 GHz: 3 dBi
5 GHz: 4.5 dBi
Integrated AP 1040 Antenna
2.4 GHz: 2 dBi
5 GHz: 4 dBi
802.11n antenna package for both 2.4 GHz and 5 GHz designed
for high performance in both ceiling and wall mount applications.
Antennas provide hemispherical coverage and cannot be removed
from the Access Point. No connectors are offered for additional
external antennas.
2.4 GHz: 4 dBi
5 GHz: 3 dBi
Integrated AP 1140 Antenna Omnidirectional 802.11n antenna package for both 2.4 GHz and 5 GHz designed
for high performance in both ceiling and wall mount applications.
Antennas provide hemispherical coverage and cannot be removed
from the Access Point. No connectors are offered for additional
external antennas.
2.4 GHz: 4 dBi
5 GHz: 3 dBi
Integrated AP 3500i Antenna Omnidirectional 802.11n antenna package for both 2.4 GHz and 5 GHz designed
for high performance in both ceiling and wall mount applications.
Antennas provide hemispherical coverage and cannot be removed
from the Access Point. No connectors are offered for additional
external antennas.
2.4 GHz: 4 dBi
5 GHz: 3 dBi
Integrated OEAP600 Antenna Omnidirectional 802.11n antenna package for both 2.4 GHz and 5 GHz designed
for high performance in both ceiling and wall and desk mount
applications. Antennas provide hemispherical coverage and cannot be
removed from the Access Point. No connectors are offered for
additional external antennas.
2.4 GHz: 2 dBi
5 GHz: 2 dBi
Integrated BR1310G Patch Antenna Integrated Patch 2402-2497 MHz Patch Array Antenna. When the captured antenna
version is ordered, this antenna is attached to the 1300 AP/Bridge and
provides an integrated solution with exceptional gain. This antenna
cannot be removed for use with other radios.
13 dBi
Integrated BR1410 Patch Antenna Integrated Patch 5.8 GHz UNII-3 Patch antenna. When the captured antenna version is
ordered, this antenna is attached to the BR1410 bridge and provides for
an integrated solution with exceptional gain. The antenna is not
compatible with other Cisco Aironet radio products operating in the 5
GHz frequency band.
22.5 dBi
Integrated AP 1550 Antenna Omnidirectional 802.11n antenna package for both 2.4 GHz and 5 GHz. When the
integrated antenna version is ordered, this antenna is attached to the
Access Point and provides omnidirectional coverage in a low-profile
package. No connectors are offered for additional external antennas.
2.4 GHz: 4 dBi
5 GHz: 3 dBi
Cisco Aironet Cable Descriptions
Table 12 below defines the cables available for interconnecting the antennas and the radio devices for the Cisco
Aironet product line.
Table 12. Cisco Cables
Cisco Part Number Type of Cable Description Loss at 2.4 GHz Loss at 5.8 GHz
AIR-CAB005LL-N Interconnect 5-ft low loss cable, one straight N connector, one
90-degree N connector
0.5 dB 0.8 dB
AIR-CAB005LL-R Interconnect 5-ft low loss cable, one RP-TNC plug, one RP-TNC
jack
0.5 dB 0.8 dB
AIR-CAB010LL-N Interconnect 10-ft low loss cable, one straight N connector, one
90-degree N connector
0.9 dB 1.5 dB
AIR-CAB020LL-R Interconnect 20-ft low loss cable, one RP-TNC plug, one
RP-TNC jack
1.3 dB 2.5 dB
AIR-CAB050LL-R Interconnect 50-ft low loss cable, one RP-TNC plug, one
RP-TNC jack
3.4 dB 5.75 dB
AIR-CAB100ULL-R Interconnect 100-ft ultra low loss cable, one RP-TNC plug, one
RP-TNC jack
4.4 dB 7.25 dB
AIR-CAB150ULL-R Interconnect 150-ft ultra low loss cable, one RP-TNC plug, one
RP-TNC jack
6.6 dB 11 dB
AIR-ACC2537-060 Bulkhead Extender 5-ft (60 inches) RG-58 type cable with one RP-TNC
plug and one RP-TNC jack
2 dB 3 dB
Table 13. Accessories
Cisco Part Number Name Description
AIR-ACC2662 Yagi Articulating Mount This mount permits the Yagi antenna to be mounted to a flat surface or a mast, and then be
adjusted in both horizontal and vertical angles.
AIR-ACC245LA-R Lightning Arrestor Supports both 2.4 GHz and 5 GHz operation. Prevents lightning and related energy surges at
the antenna from reaching the radio circuitry. A ground ring is included.
Cisco Aironet Antenna Specifications
The following section provides detailed descriptions, including physical and electrical specifications for the
antennas offered by Cisco for the Cisco Aironet product line. Full detailed installation guides for each antenna can
be found at the following:
http://www.cisco.com/en/US/products/hw/wireless/ps469/prod_installation_guides_list.html
2.2 dBi Dipole
AIR-AT2422DB-R=/AIR-ANT4941
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2.4-2.484 GHz
VSWR Less than 2:1
Power 5 watts
Gain 2.2 dBi
Polarization Linear
Azimuth 3dB Beamwidth Omnidirectional
Elevation 3dB Beamwidth 65 degrees
Antenna Connector RP-TNC
Cable Length none
Dimensions 5.5 in.
Mounting To RP-TNC Connector
2.2 dBi Dipole
AIR-ANT2422DW-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2.4-2.484 GHz
VSWR Less than 2:1
Power 5 watts
Gain 2.2 dBi
Polarization Linear
Azimuth 3dB Beamwidth Omnidirectional
Elevation 3dB Beamwidth 65 degrees
Antenna Connector RP-TNC
Cable Length None
Dimensions 5.5 in.
Mounting To RP-TNC Connector
2.2 dBi Dipole
AIR-ANT2422DG-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2.4-2.484 GHz
VSWR Less than 2:1
Power 5 watts
Gain 2.2 dBi
Polarization Linear
Azimuth 3dB Beamwidth Omnidirectional
Elevation 3dB Beamwidth 65 degrees
Antenna Connector RP-TNC
Cable Length None
Dimensions 3.9 in.
Mounting To RP-TNC Connector
2.2 dBi Monopole
AIR-ANT2422SDW-R
[Figures: Dimensions and Mounting drawing; Azimuth and Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2400 - 2500 MHz
VSWR Less than 2:1
Gain 2.2 dBi
Polarization Linear
Azimuth 3dB Beamwidth Omnidirectional
Elevation 3dB Beamwidth 50 degrees
Antenna Connector RP-TNC
Cable Length None
Dimensions 1.7 in.
Mounting To RP-TNC Connector
5 dBi Sector
AIR-ANT2450S-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2.4-2.5 GHz
VSWR 1.5 or less
Gain 5.0 dBi
Polarization Linear vertical
Azimuth 3dB Beamwidth 135 degrees
Elevation 3dB Beamwidth 54 degrees
Antenna Connector RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 6 x 3 x 2 in (15.2 x 7.6 x 5 cm)
Mounting Wall Mount
5.2 dBi Ceiling Mount Omnidirectional
AIR-ANT1728
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2.4-2.83 GHz
VSWR Less than 2:1, 1.5:1 Nominal
Gain 5.2 dBi
Polarization Vertical
Azimuth 3dB Beamwidth Omnidirectional 360 degrees
Elevation Plane (3dB Beamwidth) 36 degrees
Antenna Connector RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 11.25 in. x 1 in. (28.57 cm x 2.54 cm)
Mounting Drop ceiling cross member - indoor only
5.2 dBi Mast Mount Omnidirectional
AIR-ANT2506
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2.4-2.83 GHz
VSWR Less than 2:1, 1.5:1 Nominal
Gain 5.2 dBi
Polarization Vertical
Azimuth 3dB Beamwidth Omnidirectional 360 degrees
Elevation Plane (3dB Beamwidth) 36 degrees
Antenna Connector RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 11.5 in. x 1.125 in. (29.21 cm x 2.85 cm)
Mounting Mast mount - indoor/outdoor
6 dBi Wall Mount Directional
AIR-ANT2460P-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2.4-2.5 GHz
VSWR Less than 2:1
Gain 6 dBi
Polarization Vertical
Azimuth 3dB Beamwidth 75 degrees
Elevation Plane (3dB Beamwidth) 73 degrees
Antenna Connector RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 4.1 in. x 3.9 in. x .75 in. (10.41 cm x 9.90 cm x 1.90 cm)
Mounting Wall Mount
8.5 dBi Wall Mount
AIR-ANT2485P-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2.4-2.5 GHz
VSWR 2:1 Max, 1.5:1 Nominal
Gain 8.5 dBi
Polarization Vertical
Azimuth 3dB Beamwidth 66 degrees
Elevation 3dB Beamwidth 56 degrees
Antenna Connector RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 5.3 in. x 5.3 in. x .90 in. (13.5 cm x 13.5 cm x 2.2 cm)
Mounting Wall Mount
10 dBi Wall/Mast Mount YAGI
AIR-ANT2410Y-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2.4-2.483 GHz
VSWR Less than 2:1
Gain 10 dBi
Polarization Vertical
Azimuth 3dB Beamwidth 55 degrees
Elevation Plane 3dB Beamwidth 47 degrees
Antenna Connector RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 3 in. x 7.25 in. (7.62 cm x 18.42 cm)
Mounting Wall/Mast Mount
12 dBi Mast Mount Omnidirectional
AIR-ANT24120
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2400-2500 MHz
VSWR 1.5:1
Gain 12 dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth Omnidirectional 360 degrees
Elevation (3dB Beamwidth) 7 degrees
Antenna Connector RP-TNC
Cable Length 1 ft. (30.48 cm)
Dimensions 42 in. x 1.25 in. (106.68 cm x 3.17 cm)
Wind Rating 125 MPH
Mounting Mast Mount
13.5 dBi Mast/Wall Mount YAGI
AIR-ANT1949
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2.4-2.83 GHz
VSWR Less than 2:1, 1.5:1 Nominal
Gain 13.5 dBi
Front to Back Ratio Greater than 25 dB
Polarization Vertical
Azimuth 3dB Beamwidth 30 degrees
Elevation 3dB Beamwidth 25 degrees
Antenna Connector RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 18 in. x 3 in. (45.72 cm x 7.62 cm)
Wind Rating 110 MPH
Mounting Mast/Wall Mount
14 dBi Mast Mount Sector
AIR-ANT2414S-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2.4-2.5 GHz
VSWR 1.5:1
Gain 14 dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth 90 degrees
Elevation 3dB Beamwidth 8.5 degrees
Antenna Connector RP-TNC
Cable Length 5 ft. (152.4 cm)
Dimensions 36 in. x 6 in. x 4 in. (91.44 cm x 15.24 cm x 10.16 cm)
Mounting Mast Mount
21 dBi Mast Mount Parabolic Dish
AIR-ANT3338
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 2.4-2.83 GHz
VSWR Less than 1.8:1, 15:1 Nominal
Power 5 watts
Gain 21 dBi
Front to Back Ratio Greater than 25 dB
Maximum Side Lobe -17 dB
Polarization Vertical
Azimuth 3dB Beamwidth 12 degrees
Elevation 3dB Beamwidth 12 degrees
Antenna Connector RP-TNC
Cable Length 2 ft. (60.96 cm)
Dimensions 24 in. x 15.5 in. (60.96 cm x 39.37 cm)
Wind Rating 110 MPH
Mounting Mast Mount
2 dBi Omnidirectional, 2 element
AIR-ANT24020V-R=
[Figures: Dimensions and Mounting drawing; Left Antenna Patterns; Right Antenna Patterns]
Specifications
Frequency Range 2.4-2.5 GHz
VSWR 1.5:1
Gain 2.2 dBi
Polarization Vertical
Azimuth 3dB Beamwidth 360 degrees
Elevation Plane (3dB Beamwidth) 97 degrees
Antenna Connector RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 6.9 in. x 3 in. x .90 in. (17.5 cm x 7.6 cm x 2.5 cm)
Mounting Ceiling Mount
5.2 dBi Wall Mount
AIR-ANT2452V-R
[Figures: Dimensions and Mounting drawing; Left Antenna Patterns; Right Antenna Patterns]
Specifications
Frequency Range 2.4-2.5 GHz
VSWR < 2:1
Gain 5 dBi
Polarization Vertical
Azimuth 3dB Beamwidth 360 degrees
Elevation Plane (3dB Beamwidth) 27 degrees
Antenna Connector RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 11 in. x 5 in. x 1 in. (27.2 cm x 12.7 cm x 2.5 cm)
Mounting Wall Mount
6.5 dBi Wall Mount
AIR-ANT2465P-R
[Figures: Dimensions and Mounting drawing; Left Antenna Patterns; Right Antenna Patterns]
Specifications
Frequency Range 2.4-2.5 GHz
VSWR 1.7:1 Nominal
Gain 6.5 dBi
Polarization Vertical
Azimuth 3dB Beamwidth 75 degrees
Elevation Plane (3dB Beamwidth) 57 degrees
Antenna Connector RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 5 in. x 6.7 in. x .90 in. (12.7 cm x 17.0 cm x 2.2 cm)
Mounting Wall Mount
Omnidirectional, 3 element Ceiling Mount
AIR-ANT2430V-R=
[Figures: Antenna A, Antenna B and Antenna C Radiation Patterns]
Frequency Range 2402 - 2485 MHz
VSWR 2:1
Gain 3 dBi
Polarization Linear
Azimuth 3dB Beamwidth Omni
Elevation 3dB Beamwidth 60 degrees
Antenna Connector (3) RP-TNC male
Cable Length 36 in (91.4 cm) plenum rated
Dimensions 12.1 in. x 4.2 in. x 1.6 in. (30.7 cm x 10.6 cm x 4.0 cm)
Mounting Ceiling
Omnidirectional, 3 element Wall Mount
AIR-ANT2440NV-R=
[Figures: Antenna A, Antenna B and Antenna C Radiation Patterns]
Frequency Range 2402 - 2484 MHz
VSWR 2:1
Gain 4 dBi
Polarization Linear
Azimuth 3dB Beamwidth Omni
Elevation 3dB Beamwidth 36 degrees
Antenna Connector (3) RP-TNC male
Cable Length 36 in (91.4 cm) plenum rated
Dimensions 8.6 in x 6.3 in dia. (21.8 cm x 16 cm dia.)
Mounting Wall mount
6 dBi Patch, 3 element Wall Mount
AIR-ANT2460NP-R=
[Figures: Antenna A, Antenna B and Antenna C Radiation Patterns]
Frequency Range 2402 - 2484 MHz
VSWR 2:1
Gain 6 dBi
Polarization Linear
Azimuth 3dB Beamwidth 80 degrees
Elevation 3dB Beamwidth 75 degrees
Antenna Connector (3) RP-TNC male
Cable Length 36 in (91.4 cm) plenum rated
Dimensions 5.8 in x 11.25 in x 1.13 in (14.7 cm x 28.6 cm x 2.9 cm)
Mounting Wall mount
3.5 dBi Dipole
AIR-ANT5135D-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 5.15-5.85 GHz
VSWR 2:1 or better
Gain 3.5 dBi
Polarization Linear
Azimuth 3dB Beamwidth Omnidirectional
Elevation 3dB Beamwidth 40 degrees
Antenna Connector RP-TNC
Cable Length none
Dimensions 5.3 in. (13.46 cm)
Mounting RP-TNC Connector
3.5 dBi Dipole
AIR-ANT5135DW-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 5.15-5.85 GHz
VSWR 2:1 or better
Gain 3.5 dBi
Polarization Linear
Azimuth 3dB Beamwidth Omnidirectional
Elevation 3dB Beamwidth 40 degrees
Antenna Connector RP-TNC
Cable Length none
Dimensions 5.3 in. (13.46 cm)
Mounting RP-TNC Connector
3.5 dBi Dipole
AIR-ANT5135DG-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 5.15-5.85 GHz
VSWR 2:1 or better
Gain 3.5 dBi
Polarization Linear
Azimuth 3dB Beamwidth Omnidirectional
Elevation 3dB Beamwidth 40 degrees
Antenna Connector RP-TNC
Cable Length none
Dimensions 3.6 in. (9.14 cm)
Mounting RP-TNC Connector
2.2 dBi Monopole
AIR-ANT5135SDW-R
[Figures: Dimensions and Mounting drawing; Azimuth and Elevation Plane Radiation Pattern]
Specifications
Frequency Range 5150 - 5850 MHz
VSWR Less than 2:1
Gain 2.2 dBi
Polarization Linear
Azimuth 3dB Beamwidth Omnidirectional
Elevation 3dB Beamwidth 40 degrees
Antenna Connector RP-TNC
Cable Length None
Dimensions 1.7 in.
Mounting To RP-TNC Connector
6 dBi Omnidirectional
AIR-ANT5160V-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 5.15-5.85 GHz
VSWR 2:1 or better
Gain 6 dBi
Polarization Vertical
Azimuth 3dB Beamwidth Omnidirectional 360 degrees
Elevation 3dB Beamwidth 17 degrees
Antenna Connector RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 12 in. x 1 in. (30.48 cm x 2.54 cm)
9.5 dBi Patch Wall or Articulating Mast Mount
AIR-ANT5195P-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 5.1-5.8 GHz
VSWR 2:1 or better
Gain 9.5 dBi
Polarization Linear and vertical
Azimuth Plane 50 degrees
Elevation Plane 43 degrees
Connectors RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 5.1 in. x 5.1 in. x 1.0 in. (12.9 cm x 12.9 cm x 2.5 cm)
Mounting Wall mount or articulating mast mount
4.5 dBi Diversity Omnidirectional
AIR-ANT5145V-R
[Figures: Dimensions and Mounting drawing; Azimuth Plane Radiation Pattern; Elevation Plane Radiation Pattern]
Specifications
Frequency Range 5.15-5.85 GHz
VSWR 2:1 or better
Gain 4.5 dBi
Polarization Linear
Azimuth 3dB Beamwidth Diversity Omnidirectional
Elevation 3dB Beamwidth 50 degrees
Antenna Connector RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 6.75 in. x 4.1 in. x 1 in. (17.15 cm x 10.41 cm x 2.54 cm)
Mounting Drop ceiling cross member mount
7 dBi Diversity Patch Wall Mount
AIR-ANT5170P-R
[Figures: Dimensions and Mounting drawing; Left Antenna Radiation Pattern; Right Antenna Radiation Pattern]
Specifications
Frequency Range 5.1-5.8 GHz
VSWR 2:1 or better
Gain 7 dBi
Polarization Linear and vertical
Azimuth Plane 70 degrees
Elevation Plane 50 degrees
Connectors RP-TNC
Cable Length 3 ft. (91 cm)
Dimensions 5.7 in x 4.3 in. x 0.7 in. (14.5 cm x 10.9 cm x 1.8 cm)
Mounting Wall mount
Omnidirectional, 3 element Ceiling Mount
AIR-ANT5140V-R=
[Figures: Antenna A, Antenna B and Antenna C Radiation Patterns]
Frequency Range 4900 - 5850 MHz
VSWR 1.5:1
Gain 4 dBi
Polarization Linear
Azimuth 3dB Beamwidth Omni
Elevation 3dB Beamwidth 45 degrees
Antenna Connector (3) RP-TNC male
Cable Length 36 in (91.4 cm) plenum rated
Dimensions 6.9 in. x 3 in. x 1 in. (17.5 cm x 7.6 cm x 2.5 cm)
Mounting Ceiling
Omnidirectional, 3 element Wall Mount
AIR-ANT5140NV-R=
[Figures: Antenna A, Antenna B and Antenna C Radiation Patterns]
Frequency Range 5150 - 5850 MHz
VSWR 2:1
Gain 4 dBi
Polarization Linear
Azimuth 3dB Beamwidth Omni
Elevation 3dB Beamwidth 36 degrees
Antenna Connector (3) RP-TNC male
Cable Length 36 in (91.4 cm) plenum rated
Dimensions 8.6 in x 6.3 in dia. (21.8 cm x 16 cm dia.)
Mounting Wall mount
6 dBi Patch, 3 element Wall Mount
AIR-ANT5160NP-R=
Antenna A Radiation Pattern Antenna B Radiation Pattern Antenna C Radiation Pattern
Frequency Range 5150 - 5850 MHz
VSWR 2:1
Gain 6 dBi
Polarization Linear
Azimuth 3dB Beamwidth 65 degrees
Elevations 3dB Beamwidth 65 degrees
Antenna Connector (3) RP-TNC male
Cable Length 36 in (91.4 cm) plenum rated
Dimensions 4 in x 7 in x 1 in (10.2 cm x 17.8 cm x 2.5 cm)
Mounting Wall mount
Dual Band Ceiling Mount Omnidirectional, 2 element
AIR-ANT2451V-R=
Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Dimensions and Mounting Specifications Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 2.4-2.5 GHz; 5.1-5.8GHz
VSWR 2:1
Gain 2 dBi in 2.4 GHz; 3 dBi in 5 GHz
Polarization Linear
Azimuth 3dB Beamwidth Omni
Elevations 3dB Beamwidth 80 degrees in 2.4 GHz; 50 degrees in 5 GHz
Antenna Connector (4) Right angle RP-TNC male
Cable Length 18in (45.7 cm) plenum rated
Dimensions 8.5 in. x 6 in. x .93 in (21.5 cm x 15.2 cm x 2.4cm)
Mounting Ceiling
Dual Band Ceiling Mount Omnidirectional, 3 element
AIR-ANT2451NV-R=
2.4 GHz Radiation Pattern 2.4 GHz Radiation Pattern 2.4 GHz Radiation Pattern
5 GHz Radiation Pattern 5 GHz Radiation Pattern 5 GHz Radiation Pattern
Frequency Range 2.400 - 2.500 GHz; 5.150 - 5.850 GHz
VSWR 2:1
Gain 2.5 dBi in 2.4 GHz; 3.5 dBi in 5 GHz
Polarization Linear
Azimuth 3dB Beamwidth Omni
Elevations 3dB Beamwidth 63 degrees in 2.4 GHz; 55 degrees in 5 GHz
Antenna Connector (6) Right angle RP-TNC male
Cable Length 36 in (91.4 cm) plenum rated
Dimensions 8.6 in dia. x 1.8 in (21.8 cm x 4.6cm)
Mounting Ceiling
Dual Band Patch Antenna
AIR-ANT25137NP-R=
2.4 GHz, 4 dBi Azimuth Plane
Radiation Pattern
5 GHz, 3 dBi Azimuth Plane
Radiation Pattern
2.4 GHz, 4 dBi Elevation Plane
Radiation Pattern
5 GHz, 3 dBi Elevation Plane
Radiation Pattern
Frequency Range 2.4-2.5 GHz; 5.15-5.85 GHz
Gain 2.4 GHz: 13 dBi; 5 GHz: 7 dBi
Polarization Cable A = Horizontal, Cables B and C = Vertical
Azimuth 3dB Beamwidth 2.4 GHz = 36 degrees 5 GHz = 55 degrees
Elevations 3dB Beamwidth 2.4 GHz = 36 degrees 5 GHz = 48 degrees
Antenna Connector RP-TNC
Mounting Integrated
Dimensions (w/out mount) 18 in x 13 in x 2 in (45.7 cm x 33 cm x 5.1 cm)
Antenna Type MIMO Patch Array
2 dBi Direct Mount Omnidirectional
AIR-ANT2420V-N
Dimensions and Mounting Specifications
Frequency Range 2.4-2.5 GHz
VSWR <2:1
Gain 2 dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth Omni
Elevations 3dB Beamwidth TBD degrees
Antenna Connector N-male
Cable Length none
Dimensions 5 in. x 1 in. (12.7 cm x 2.54 cm)
Mounting Direct Mount
Wind Rating (Operational) 125 mph
Wind Rating (Survival) 165 mph
5 dBi Direct Mount Omnidirectional
AIR-ANT2450V-N
Dimensions and Mounting Specifications Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 2.4-2.5 GHz
VSWR 1.7:1
Gain 5dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth Omni
Elevations 3dB Beamwidth 30 degrees
Antenna Connector N-male
Cable Length none
Dimensions 11 in. x 1 in. (27.93 cm x 2.54 cm)
Mounting Direct Mount
Wind Rating (Operational) 125 mph
Wind Rating (Survival) 165 mph
5.5 dBi Omnidirectional
AIR-ANT2455V-N
Dimensions and Mounting Specifications Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 2.4-2.83 GHz
VSWR 2:1 or better
Gain 5.5 dBi
Polarization Linear
Azimuth Plane Omnidirectional
Elevation Plane 25 degrees
Connectors N
Cable Length none
Dimensions 12.5 in. x 1 in. (31.75 cm x 2.54 cm)
Mounting Direct mount
8 dBi Omnidirectional
AIR-ANT2480V-N
Dimensions and Mounting Specifications Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 2.4-2.5 GHz
VSWR 1.6:1
Gain 8 dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth 10 degrees
Elevations Plane (3dB Beamwidth) Omnidirectional
Antenna Connector N-male
Cable Length none
Dimensions 19.5 in. x 7/8 in. (49.52 cm x 2.22 cm)
Mounting Direct Mount
Wind Rating (operational) 100 mph
Wind Rating (survival) 165 mph
4 dBi Direct Mount Omnidirectional
AIR-ANT5140V-N
Dimensions and Mounting Specifications
Frequency Range 5.25 - 5.875 GHz
VSWR <2:1
Gain 4 dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth Omni
Elevations 3dB Beamwidth TBD degrees
Antenna Connector N-male
Cable Length none
Dimensions 5 in. x 1 in. (12.7 cm x 2.54 cm)
Mounting Direct Mount
Wind Rating (Operational) 125 mph
Wind Rating (Survival) 165 mph
7.5 dBi Omnidirectional
AIR-ANT5175V-N
Dimensions and Mounting Specifications Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 4.9-5.8 GHz
VSWR 2:1 or better
Gain 7.5 dBi for 5GHz bands. 6 dBi for 4.9GHz bands.
Polarization Linear
Azimuth Plane Omnidirectional
Elevation Plane 16 degrees
Connectors N
Cable Length 1 ft. (0.30 m)
Dimensions 11.65 in. x 1 in. (29.5 cm x 2.54 cm)
Mounting Direct mount
8 dBi Direct Mount Omnidirectional
AIR-ANT5180V-N
Dimensions and Mounting Specifications Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 4.9-5.85 GHz
VSWR 1.7:1
Gain 8 dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth Omnidirectional
Elevations Plane (3dB Beamwidth) 16 degrees
Antenna Connector N-male
Cable Length none
Dimensions 11 in. x 1 in. (27.93 cm x 2.54 cm)
Mounting Direct Mount
Wind Rating (operational) 125 mph
Wind Rating (survival) 165 mph
9 dBi MAST Mount Omnidirectional
AIR-ANT58G9VOA-N
Dimensions and Mounting Specifications Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 5.725-5.825 GHz
Antenna Connector N-Male
VSWR 1.5:1 Nominal
Maximum Power 4 watts
Gain 9 dBi
Polarization Vertical
Dimensions 20.25 in x .64 in.
Cable Length 4.9 ft. (1.5 m)
Mounting 1.5-2.5 in. Mast mount
Azimuth 3dB Beamwidth Omnidirectional
Wind Speed (operational) 100 MPH
Elevations Plane (3dB Beamwidth) 6 degrees
Wind Speed (survival) 125 MPH
Beamtilt
9.5 dBi Mast Mount Sector
AIR-ANT58G10SSA-N
Dimensions and Mounting Specifications Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 5.725-5.825 GHz
VSWR 1.5:1 Nominal
Gain 9.5 dBi
Polarization H or V
Azimuth 3dB Beamwidth 60 degrees
Elevations Plane (3dB Beamwidth) 60 degrees
Antenna Connector N-Male
Dimensions 4.9 ft. (1.5 m)
Maximum Power 4 watts
Temperature (Operating) -20°F Min, +60°C Max
Mounting 1.5-2.5 in. Mast mount
Wind Speed (Operational) 100 MPH
Wind Speed (Survival) 125 MPH
14 dBi Patch
AIR-ANT5114P-N
Dimensions and Mounting Specifications Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 4.9-5.85 GHz
VSWR 2:1
Gain 4.9-5.4 GHz: 13 dBi; 5.4-5.85 GHz: 14 dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth 25 degrees
Elevations Plane (3dB Beamwidth) 29 degrees
Antenna Connector N-female
Cable Length 1 ft. (0.30 m)
Dimensions 4 1/8 in. x 4 1/8 in. (1.27 cm x 1.27 cm)
Mounting Wall or mast
17 dBi Sector
AIR-ANT5117S-N
Dimensions and Mounting Specifications Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 4.9-5.85 GHz
VSWR 2:1
Gain 17 dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth 90 degrees
Elevations Plane (3dB Beamwidth) 8 degrees
Antenna Connector N-female
Cable Length None
Dimensions 24 1/2 in. x 2 1/2 in. (30.48 cm x 2.54 cm)
Mounting Mast mount
Wind Rating (Operational) 125 mph
Wind Rating (Survival) 165 mph
28 dBi Mast Mount Dish - 5.8 GHz
AIR-ANT58G28SDA-N
Dimensions and Mounting Specifications Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 5.725-5.825 GHz
Wind Speed (survival) 125 MPH
VSWR 1.5:1 Nominal
Antenna Connector N-Male
Dimensions 4.9 ft (1.5 m)
Gain 28 dBi
Maximum Power 4 watts
Polarization V or H
Azimuth 3dB Beamwidth 4.75 degrees
Mounting 1.5-2.5 in. Mast mount
Elevations Plane (3dB Beamwidth) 4.75 degrees
Wind Speed (operational) 100 MPH
Dimensions 29 in. Diameter
Dual Band Omnidirectional
AIR-ANT2547V-N=
2.4 GHz Azimuth Plane Radiation Pattern 2.4 GHz Elevation Plane Radiation Pattern
5 GHz Azimuth Plane Radiation Pattern 5 GHz Elevation Plane Radiation Pattern
Frequency Range 2400-2483 MHz; 5150-5875 MHz
VSWR 2:1
Gain 4 dBi in 2.4 GHz; 7 dBi in 5 GHz
Polarization Linear, vertical
Azimuth 3dB Beamwidth Omni
Elevations 3dB Beamwidth 30 degrees in 2.4 GHz; 14 degrees in 5 GHz
Antenna Connector N-type male
Cable Length none
Dimensions 11.1 in. x 1.25 in.dia. (28.2 cm x 3.2 cm dia)
Mounting Direct mount
Wind Rating (operational) 100 mph (161 km/h)
Wind Rating (survival) 165 mph (265 km/h)
Cisco Aironet 1130 Series Integrated Antenna
2.4 GHz, 3 dBi Azimuth Plane
Radiation Pattern
5 GHz, 4.5 dBi Azimuth Plane
Radiation Pattern
2.4 GHz, 3 dBi Elevation Plane
Radiation Pattern
5 GHz, 4.5 dBi Elevation Plane
Radiation Pattern
Frequency Range 2.4-2.5 GHz; 5.15-5.8 GHz
Gain 2.4 GHz: 3 dBi; 5 GHz: 4.5 dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth Omnidirectional
Elevations 3dB Beamwidth 50 degrees
Antenna Connector Integrated
Mounting Integrated
Antenna Type Omnidirectional
Cisco Aironet 1040, 1140, 3500i Series Integrated Antennas *
2.4 GHz, 4 dBi Azimuth Plane
Radiation Pattern
5 GHz, 3 dBi Azimuth Plane
Radiation Pattern
2.4 GHz, 4 dBi Elevation Plane
Radiation Pattern
5 GHz, 3 dBi Elevation Plane
Radiation Pattern
Frequency Range 2.4-2.5 GHz; 5.15-5.85 GHz
Gain 2.4 GHz: 4 dBi; 5 GHz: 3 dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth Omnidirectional
Elevations 3dB Beamwidth 2.4 GHz = 120 degrees, 5 GHz = 120 degrees
Antenna Connector Integrated
Mounting Integrated
Antenna Type Omnidirectional
* Note: The same integrated antennas are used on these devices, but the AP-1040 has only two elements per band.
Cisco Aironet OEAP600 Series Integrated Antenna
2.4 GHz, 4 dBi Azimuth Plane
Radiation Pattern
5 GHz, 3 dBi Azimuth Plane
Radiation Pattern
2.4 GHz, 4 dBi Elevation Plane
Radiation Pattern
5 GHz, 3 dBi Elevation Plane
Radiation Pattern
Frequency Range 2.4-2.5 GHz; 5.15-5.85 GHz
Gain 2.4 GHz: 2 dBi; 5 GHz: 2 dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth Omnidirectional
Elevations 3dB Beamwidth 2.4 GHz = 120 degrees, 5 GHz = 120 degrees
Antenna Connector Integrated
Mounting Integrated
Antenna Type Omnidirectional
Cisco Aironet 1300 Series Integrated Antenna
Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 2.4-2.83 GHz
Antenna Type 2 x 2 Patch Array
Gain 13 dBi
Polarization Linear Vertical
VSWR 1.5:1 Nominal
E-Plane 3 dB Beamwidth 36 degrees
H-Plane 3 dB Beamwidth 38 degrees
Cisco Aironet 1400 Series Integrated Antenna
Azimuth Plane Radiation Pattern Elevation Plane Radiation Pattern
Frequency Range 5.725 to 5.825 GHz
Antenna Type Patch Array
Gain 22.5 dBi
Polarization Linear Vertical
VSWR 1.5:1 Nominal
E-Plane 3 dB Beamwidth 10 degrees
H-Plane 3 dB Beamwidth 12 degrees
Cisco Aironet 1550 Series Integrated Antenna
2.4 GHz, 4 dBi Azimuth Plane
Radiation Pattern
5 GHz, 3 dBi Azimuth Plane
Radiation Pattern
2.4 GHz, 4 dBi Elevation Plane
Radiation Pattern
5 GHz, 3 dBi Elevation Plane
Radiation Pattern
Frequency Range 2.4-2.5 GHz; 5.15-5.85 GHz
Gain 2.4 GHz: 4 dBi; 5 GHz: 3 dBi
Polarization Linear, Vertical
Azimuth 3dB Beamwidth Omnidirectional
Elevations 3dB Beamwidth 2.4 GHz = 120 degrees, 5 GHz = 120 degrees
Antenna Connector Integrated
Mounting Integrated
Antenna Type Omnidirectional
Printed in USA C07-60002-16 06/11
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco SAFE Reference Guide
Cisco Validated Design
Revised: July 8, 2010, OL-19523-01
Text Part Number: OL-19523-01
Cisco Validated Design
The CVD program consists of systems and solutions designed, tested, and documented to facilitate
faster, more reliable, and more predictable customer deployments. For more information visit
www.cisco.com/go/designzone.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS
(COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND
ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM
A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS
BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR
THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER
PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN
TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON
FACTORS NOT TESTED BY CISCO.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and Welcome to the Human Network
are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To
You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco
Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare,
GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime
Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert,
StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates
in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0809R)
© 2009 Cisco Systems, Inc. All rights reserved.
Contents
Preface i-i
Chapter 1 SAFE Overview 1-1
Executive Summary 1-1
SAFE Introduction 1-2
Cisco Security Control Framework (SCF) 1-2
Architecture Lifecycle 1-3
SAFE Architecture 1-5
Architecture Principles 1-5
SAFE Axioms 1-6
SAFE Design Blueprint 1-10
Enterprise Core 1-12
Intranet Data Center 1-12
Enterprise Campus 1-13
Enterprise Internet Edge 1-13
Enterprise WAN Edge 1-14
Enterprise Branch 1-14
Management 1-14
Chapter 2 Network Foundation Protection 2-1
Key Threats in the Infrastructure 2-1
Infrastructure Device Access Best Practices 2-2
Protect Local Passwords 2-2
Implement Notification Banners 2-3
Enforce Authentication, Authorization and Accounting (AAA) 2-4
Secure Administrative Access 2-6
Routing Infrastructure Best Practices 2-8
Restrict Routing Protocol Membership 2-8
Control Route Propagation 2-10
Logging of Status Changes 2-11
Device Resiliency and Survivability Best Practices 2-12
Disable Unnecessary Services 2-12
Infrastructure Protection ACLs (iACLs) 2-14
Control Plane Policing (CoPP) 2-14
Port Security 2-15
Redundancy 2-16
Network Telemetry Best Practices 2-16
Time Synchronization (NTP) 2-17
NTP Design for Remote Offices 2-17
NTP Design at the Headquarters 2-18
Local Device Traffic Statistics 2-20
Per-Interface Statistics 2-20
Per-Interface IP Feature Information 2-20
Global IP Traffic Statistics 2-21
System Status Information 2-21
Memory, CPU and Processes 2-21
Memory and CPU Threshold Notifications 2-22
System Logging (Syslog) 2-22
SNMP 2-23
Network Policy Enforcement Best Practices 2-24
Access Edge Filtering 2-24
IP Spoofing Protection 2-24
Switching Infrastructure Best Practices 2-25
Restrict Broadcast Domains 2-26
Spanning Tree Protocol Security 2-26
Port Security 2-27
VLAN Best Common Practices 2-27
Threats Mitigated in the Infrastructure 2-28
Chapter 3 Enterprise Core 3-1
Key Threats in the Core 3-1
Enterprise Core Design 3-1
Design Guidelines for the Core 3-2
Threats Mitigated in the Core 3-3
Chapter 4 Intranet Data Center 4-1
Key Threats in the Intranet Data Center 4-3
Data Center Design 4-3
Data Center Core 4-4
IP Routing Design and Recommendations 4-5
Data Center Aggregation Layer 4-6
IP Routing Design and Recommendations 4-7
Aggregation Layer and Firewalls 4-9
Leveraging Device Virtualization to Integrate Security 4-9
Virtual Context Details 4-10
Deployment Recommendations 4-12
Caveats 4-13
Services Layer 4-13
Server Load Balancing 4-14
Application Control Engine 4-14
Web Application Security 4-15
Web Application Firewall 4-15
Cisco ACE and Web Application Firewall Deployment 4-16
IPS Deployment 4-18
Caveats 4-20
Cisco ACE, Cisco ACE Web Application Firewall, Cisco IPS Traffic Flows 4-21
Access Layer 4-23
Recommendations 4-23
Virtual Access Layer 4-24
Server Virtualization and Network Security 4-24
Policy Enforcement 4-26
Visibility 4-27
Isolation 4-30
Endpoint Security 4-33
Infrastructure Security Recommendations 4-33
Attack Prevention and Event Correlation Examples 4-34
Virtual Context on ASA for ORACLE DB Protection 4-34
Web Application Firewall Preventing Application Attacks 4-35
Using Cisco ACE and Cisco ACE WAF to Maintain Real Client IP Address as Source in Server Logs 4-37
Using IDS for VM-to-VM Traffic Visibility 4-40
Using IDS and Cisco Security MARS for VM Traffic Visibility 4-41
Alternative Design 4-42
Threats Mitigated in the Intranet Data Center 4-44
Chapter 5 Enterprise Campus 5-1
Key Threats in the Campus 5-2
Enterprise Campus Design 5-2
Multi-Tier 5-4
Virtual Switch System (VSS) 5-6
Routed Access 5-7
Campus Access Layer 5-8
Campus Access Layer Design Guidelines 5-9
Endpoint Protection 5-9
Access Security Best Practices 5-10
Campus Distribution Layer 5-16
Campus Distribution Layer Design Guidelines 5-18
Campus IPS Design 5-18
Campus Distribution Layer Infrastructure Security 5-19
Campus Services Block 5-21
Network Access Control in the Campus 5-22
Cisco Identity-Based Networking Services 5-23
Deployment Considerations 5-23
Deployment Best Practices 5-28
NAC Appliance 5-33
Deployment Considerations 5-34
Deployment Best Practices 5-36
NAC Operation and Traffic Flow 5-42
NAC Profiler 5-45
Deployment Best Practices 5-46
Threat Mitigated in the Enterprise Campus 5-50
Chapter 6 Enterprise Internet Edge 6-1
Key Threats in Internet Edge 6-3
Design Guidelines for the Enterprise Internet Edge 6-3
Edge Distribution Layer 6-5
Design Guidelines and Best Practices 6-5
Infrastructure Protection Best Practices 6-6
Internet Edge Cisco IPS Design Best Practices 6-6
Corporate Access/DMZ Block 6-8
Design Guidelines for Corporate Access/DMZ Block 6-9
E-mail and Web Security 6-15
IronPort SensorBase 6-16
Web Security Appliance Best Practices 6-17
The E-mail Security Appliance 6-21
E-mail Data Flow 6-22
Redundancy and Load Balancing of an E-mail Security Appliance 6-23
Best Practices and Configuration Guidelines for ESA Implementation 6-24
Service Provider Block 6-27
Design Guidelines and Best Practices for the SP Edge Block 6-28
Security Features for BGP 6-29
Infrastructure ACL Implementation 6-33
Remote Access Block 6-34
Design Guidelines for the Remote Access Block 6-35
Threats Mitigated in the Internet Edge 6-38
Chapter 7 Enterprise WAN Edge 7-1
Key Threats in the Enterprise WAN Edge 7-3
WAN Edge Aggregation 7-4
Design Guidelines for the WAN Edge Aggregation 7-5
Secure WAN Connectivity in the WAN Edge 7-5
Technology Options 7-6
Routing Security in the WAN Edge Aggregation 7-7
Design Considerations 7-9
Service Resiliency in the WAN Edge Aggregation 7-10
IKE Call Admission Control 7-11
QoS in the WAN Edge 7-11
Network Policy Enforcement in the WAN Edge Aggregation 7-13
Design Considerations 7-13
WAN Edge ACLs 7-14
Firewall Integration in the WAN Edge 7-15
uRPF on the WAN Edge 7-15
Secure Device Access in the WAN Edge Aggregation 7-15
Telemetry in the WAN Edge Aggregation 7-16
Design Considerations 7-17
NetFlow on the WAN Edge 7-17
WAN Edge Distribution 7-18
Design Guidelines for the WAN Edge Distribution 7-19
IPS Integration in the WAN Edge Distribution 7-19
Design Considerations 7-22
Implementation Options 7-23
Routing Security in the WAN Edge Distribution 7-23
Service Resiliency in the WAN Edge Distribution 7-24
Switching Security in the WAN Edge Distribution 7-25
Secure Device Access in the WAN Edge Distribution 7-25
Telemetry in the WAN Edge Distribution 7-26
Design Considerations 7-26
Threats Mitigated in the Enterprise WAN Edge 7-27
Chapter 8 Enterprise Branch 8-1
Key Threats in the Enterprise Branch 8-3
Design Guidelines for the Branch 8-4
Secure WAN Connectivity in the Branch 8-4
Routing Security in the Branch 8-5
Design Considerations 8-7
Service Resiliency in the Branch 8-8
QoS in the Branch 8-9
Design Considerations 8-11
Network Policy Enforcement in the Branch 8-11
Additional Security Technologies 8-12
Design Considerations 8-12
WAN Edge ACLs 8-12
Access Edge iACLs 8-13
Design Considerations 8-14
Firewall Integration in the Branch 8-14
IOS Zone-based Firewall (ZBFW) Integration in a Branch 8-14
Design Considerations 8-16
ASA Integration in a Branch 8-17
IPS Integration in the Branch 8-18
Design Considerations 8-19
Implementation Option 8-20
IPS Module Integration in a Cisco ISR 8-20
IPS Module Integration in a Cisco ASA 8-21
Switching Security in the Branch 8-23
Design Considerations 8-26
DHCP Protection 8-26
ARP Spoofing Protection 8-26
Endpoint Security in the Branch 8-27
Design Considerations 8-27
Complementary Technology 8-28
Secure Device Access in the Branch 8-28
Design Considerations 8-29
Telemetry in the Branch 8-29
Design Considerations 8-30
Threats Mitigated in the Enterprise Branch 8-30
Chapter 9 Management 9-1
Key Threats in the Management Module 9-2
Management Module Deployment Best Practices 9-3
OOB Management Best Practices 9-5
IB Management Best Practices 9-6
Remote Access to the Management Network 9-9
Network Time Synchronization Design Best Practices 9-10
Management Module Infrastructure Security Best Practices 9-11
Terminal Server Hardening Considerations 9-12
Firewall Hardening Best Practices 9-13
Threats Mitigated in the Management 9-14
Chapter 10 Monitoring, Analysis, and Correlation 10-1
Key Concepts 10-2
Access and Reporting IP address 10-3
Access Protocols 10-3
Reporting Protocols 10-4
Events, Sessions and Incidents 10-4
CS-MARS Monitoring and Mitigation Device Capabilities 10-5
Cisco IPS 10-5
Event Data Collected from Cisco IPS 10-5
Verify that CS-MARS Pulls Events from a Cisco IPS Device 10-5
IPS Signature Dynamic Update Settings 10-6
Cisco ASA Security Appliance 10-7
Event Data Collected from Cisco ASA 10-8
Verify that CS-MARS Pulls Events from a Cisco ASA Security Appliance 10-9
Cisco IOS 10-9
Event Data Collected from a Cisco IOS Router or Switch 10-9
Verify that CS-MARS Pulls Events from a Cisco IOS Device 10-10
Cisco Security Agent (CSA) 10-10
Verify that CS-MARS Receives Events from CSA 10-13
Cisco Secure ACS 10-14
Verify that CS-MARS Receives Events from CS-ACS 10-16
CS-MARS Design Considerations 10-17
Global/Local Architecture 10-17
CS-MARS Location 10-18
CS-MARS Sizing 10-18
Deployment Best Practices 10-19
Network Foundation Protection (NTP) 10-19
Monitoring and Mitigation Device Selection 10-19
Cisco IPS 10-19
Cisco ASA 10-20
Cisco IOS Devices 10-22
Deployment Table 10-23
Analysis and Correlation 10-24
Network Discovery 10-24
Data Reduction 10-26
Attack Path and Topological Awareness 10-28
NetFlow 10-30
Chapter 11 Threat Control and Containment 11-1
Endpoint Threat Control 11-1
Network-Based Threat Control 11-2
Network-Based Cisco IPS 11-2
Deployment Mode 11-3
Scalability and Availability 11-3
Maximum Threat Coverage 11-3
Cisco IPS Blocking and Rate Limiting 11-4
Cisco IPS Collaboration 11-4
Network-Based Firewalls 11-5
Cisco IOS Embedded Event Manager 11-5
Global Threat Mitigation 11-5
Cisco IPS Enhanced Endpoint Visibility 11-7
CSA and Cisco IPS Collaborative Architecture 11-8
Deployment Considerations 11-9
Inline Protection (IPS) and Promiscuous (IDS) Modes 11-9
One CSA-MC to Multiple Cisco IPS Sensors 11-10
One Sensor to Two CSA-MCs 11-10
Virtualization 11-10
IP Addressing 11-10
Deployment Best Practices 11-10
Cisco Security Agent MC Administrative Account 11-11
Cisco Security Agent Host History Collection 11-11
Adding CSA-MC System as a Trusted Host 11-12
Configuring Cisco IPS External Product Interface 11-13
Leveraging Endpoint Posture Information 11-14
Cisco Security Agent Watch Lists 11-16
Cisco IPS Event Action Override 11-17
Validating Cisco Secure Agent and Cisco IPS Integration 11-18
Unified Management and Control 11-20
CSM and CS-MARS Cross-Communication Deployment Considerations 11-22
Registering CSM with CS-MARS 11-23
Registering CS-MARS in CSM 11-24
CSM and CS-MARS Linkage Objectives 11-26
Firewall Cross Linkages 11-27
Cisco IPS Cross Linkages 11-29
Cisco IPS Event Action Filter 11-31
CSM Automatic Cisco IPS Updates 11-32
Cisco IPS Threat Identification and Mitigation 11-33
Chapter 12 Cisco Security Services 12-1
Strategy and Assessments 12-2
Deployment and Migration 12-2
Remote Management 12-2
Security Intelligence 12-2
Security Optimization 12-2
Appendix A Reference Documents A-1
Preface
Document Purpose
This guide discusses the Cisco SAFE best practices, designs and configurations, and provides network
and security engineers with the necessary information to help them succeed in designing, implementing
and operating secure network infrastructures based on Cisco products and technologies.
Document Audience
While the target audience is technical in nature, business decision makers, senior IT leaders, and systems
architects can benefit from understanding the design driving principles and fundamental security
concepts.
Document Organization
The following table lists and briefly describes the chapters and appendices of this guide:
Chapter Description
Chapter 1, “SAFE Overview.” Provides high-level overview of the Cisco SAFE design.
Chapter 2, “Network Foundation
Protection.”
Describes the best practices for securing the enterprise network infrastructure.
This includes setting a security baseline for protecting the control and
management planes as well as setting a strong foundation on which more
advanced methods and techniques can subsequently be built on.
Chapter 3, “Enterprise Core.” Describes the core component of the Cisco SAFE design. It describes types of
threats that targets the core and the best practices for implementing security
within the core network.
Chapter 4, “Intranet Data Center.” Describes the intranet data center component of the Cisco SAFE design. It
provide guidelines for integrating security services into Cisco recommended
data center architectures.
Chapter 5, “Enterprise Campus.” Describes the enterprise campus component of the Cisco SAFE design. It covers
the threat types that affect the enterprise campus and the best practices for
implementing security within the campus network.ii
Cisco SAFE Reference Guide
OL-19523-01
Preface
Chapter 6, “Enterprise Internet Edge.” Describes the enterprise Internet edge component of the Cisco SAFE design. It
covers the threat types that affect the Internet edge and the best practices for
implementing security within the enterprise Internet edge network.
Chapter 7, “Enterprise WAN Edge.” Describes the enterprise WAN edge component of the Cisco SAFE design. It
covers the threat types that affect the enterprise WAN edge and the best practices
for implementing security within the WAN edge network.
Chapter 8, “Enterprise Branch.” Describes enterprise branch component of the Cisco SAFE design. It covers the
threat types that affect the enterprise branch and the best practices for
implementing security within the branch network.
Chapter 9, “Management.” Describes the management component of the Cisco SAFE design. It covers the
threat types that affects the management module and the best practices for
mitigation those threats.
Chapter 10, “Monitoring, Analysis, and
Correlation.”
Describes the security tools used for monitoring, analysis, and correlations of
the network SAFE design network resources.
Chapter 11, “Threat Control and
Containment.”
Describes the threat control and containment attributes of the Cisco SAFE
design.
Chapter 12, “Cisco Security Services.” Describes the security services designed to support the continuous solution
lifecycle.
Chapter A, “Reference Documents.” Provides a list of reference documents where users can obtain additional
information.
Glossary Lists and defines key terms and acronyms used in this guide.
About the Authors
This section provides information about the authors who developed the content of this guide.
Justin Chung, Manager, CMO Enterprise Solutions Engineering (ESE), Cisco Systems
Justin is a Technical Marketing Manager with over twelve years of experience in the networking
industry. During his eleven years at Cisco, he managed various security solutions such as Dynamic
Multipoint VPN (DMVPN), Group Encrypted Transport VPN (GET VPN), VRF-Aware IPSec,
Network Admission Control (NAC), and others. He is a recipient of the Pioneer Award for the
GET VPN solution. He is currently managing the Enterprise WAN Edge, Branch, and Security
solutions.
Martin Pueblas, CCIE#2133, CISSP#40844—Technical Leader, CMO Enterprise Solutions
Engineering (ESE), Cisco Systems
Martin is the lead system architect of the Cisco SAFE Security Reference Architecture.
He is a network security expert with over 17 years of experience in the networking industry. He
obtained his CCIE certification in 1996 and CISSP in 2004. Martin joined Cisco in 1998 and has
held a variety of technical positions. He started as a Customer Support Engineer in Cisco’s Technical
Assistance Center (TAC) in Brussels, Belgium. In 1999 he moved to the United States, where he soon
became technical leader for the Security Team. Martin’s primary job responsibilities included
acting as a primary escalation resource for the team and delivering training for the support
organization. At the end of 2000, he joined the Advanced Engineering Services team as a Network
Design Consultant, where he provided design and security consulting services to large
corporations and Service Providers. During this period, Martin wrote a variety of technical
documents including design guides and white papers that define Cisco’s best practices for security
and VPNs. Martin joined Cisco’s Central Marketing Organization in late 2001, where as a
Technical Marketing Engineer, he focused on security and VPN technologies. In late 2004, he
moved to his current position as a security technical leader. As part of his current
responsibilities, Martin is leading the development of security solutions for enterprises.
Alex Nadimi, Technical Marketing Engineer, CMO Enterprise Solutions Engineering (ESE),
Cisco Systems
Alex has been at Cisco for 14 years. His expertise includes security, VPN technologies, MPLS, and
Multicast. Alex has authored several design guides and technical notes.
Alex has over 15 years of experience in the computer, communications, and networking fields. He is
a graduate of the University of London and Louisiana State University.
Dan Hamilton, CCIE #4080 —Technical Leader, CMO Enterprise Solutions Engineering
(ESE), Cisco Systems
Dan has over 15 years of experience in the networking industry. He has been with Cisco for 9 years.
He joined Cisco in 2000 as a Systems Engineer supporting a large Service Provider customer. In
2004, he became a Technical Marketing Engineer in the Security Technology Group (STG)
supporting IOS security features such as infrastructure security, access control and Flexible Packet
Matching (FPM) on the Integrated Security Routers (ISRs), mid-range routers and the Catalyst
6500 switches. He moved to a Product Manager role in STG in 2006, driving the development of
new IOS security features before joining the ESE Team in 2008.
Prior to joining Cisco, Dan was a network architect for a large Service Provider, responsible for
designing and developing their network managed service offerings.
Dan has a Bachelor of Science degree in Electrical Engineering from the University of Florida.
Sherelle Farrington, Technical Leader, CMO Enterprise Solutions Engineering (ESE), Cisco
Systems
Sherelle is a technical leader at Cisco Systems with over fifteen years of experience in the networking
industry, encompassing service provider and enterprise environments in the US and Europe.
During her more than ten years at Cisco, she has worked on a variety of service provider and
enterprise solutions, and started her current focus on network security integration over four years
ago. She has presented and published on a number of topics, most recently as co-author of the
Wireless and Network Security Integration Solution design guide, and the Network Security
Baseline paper.
David Anderson, CCIE #7660, CISSP#57547—Senior Technical Marketing Engineer, CMO
Enterprise Solutions Engineering (ESE), Cisco Systems
David is a Senior Technical Marketing Engineer in CMO - Enterprise Solutions Engineering
(ESE), Cisco Systems. In this role, David focuses on security and virtualization in data center
solutions. David also works cross-functionally to develop data center solutions with Cisco
business units and partners.
David joined Cisco in 1999 as a solution engineer for service provider dial-access architectures.
His roles at Cisco include Systems Engineer, Technical Marketing Engineer, and Senior Product
Manager. In 2001 David was part of the initial team that began focusing on data center related
solutions for Cisco. After several years, he moved to the role of Senior Technical Marketing
Engineer and Product Manager to help establish and grow the Cisco Network Admission Control
product line.
David is a frequent speaker at Cisco Live (Networkers) and other industry events and forums. Prior
to joining Cisco, David was a Senior Network Engineer for the Department of Emergency
Communications and E-911 Center in San Francisco. David holds CCIE and CISSP certifications
and has a Bachelor of Science degree in Management Information Systems from Florida State
University.
Srinivas Tenneti, CCIE#10483—Technical Marketing Engineer, CMO Enterprise Solutions
Engineering (ESE), Cisco Systems
Srinivas is a Technical Marketing Engineer for WAN and branch architectures in Cisco's ESE
team. Prior to joining the ESE team, Srinivas worked two years in Commercial System
Engineering team where he worked on producing design guides, and SE presentations for channel
partners and SEs. Before that, he worked for 5 years with other Cisco engineering teams. Srinivas
has been at Cisco for 8 years.
Chapter 1 SAFE Overview
Executive Summary
The ever-evolving security landscape presents a continuous challenge to organizations. The fast
proliferation of botnets, the increasing sophistication of network attacks, the alarming growth of
Internet-based organized crime and espionage, identity and data theft, more innovative insider attacks,
and emerging new forms of threats on mobile systems are examples of the diverse and complex real
threats that shape today's security landscape.
As a key enabler of the business activity, networks must be designed and implemented with security in
mind to ensure the confidentiality, integrity, and availability of data and system resources supporting the
key business functions. The Cisco SAFE provides the design and implementation guidelines for building
secure and reliable network infrastructures that are resilient to both well-known and new forms of
attacks.
Achieving the appropriate level of security is no longer a matter of deploying point products confined to
the network perimeters. Today, the complexity and sophistication of threats mandate system-wide
intelligence and collaboration. To that end, the Cisco SAFE takes a defense-in-depth approach, where
multiple layers of protection are strategically located throughout the network, but under a unified
strategy. Event and posture information is shared for greater visibility and response actions are
coordinated under a common control strategy.
The Cisco SAFE uses modular designs that accelerate deployment and that facilitate the implementation
of new solutions and technologies as business needs evolve. This modularity extends the useful life of
existing equipment, protecting capital investments. At the same time, the designs incorporate a set of
tools to facilitate day-to-day operations, reducing overall operational expenditures.
This guide discusses the Cisco SAFE best practices, designs and configurations, and aims to provide
network and security engineers with the necessary information to help them succeed in designing,
implementing and operating secure network infrastructures based on Cisco products and technologies.
While the target audience is technical in nature, business decision makers, senior IT leaders and systems
architects can benefit from understanding the driving design principles and fundamental security
concepts.
SAFE Introduction
The Cisco SAFE uses the Cisco Security Control Framework (SCF), a common framework that drives
the selection of products and features that maximize visibility and control, the two most fundamental
aspects driving security. Also used by Cisco's Continuous Improvement Lifecycle, the framework
facilitates the integration of Cisco's rich portfolio of security services designed to support the entire
solution lifecycle.
Cisco Security Control Framework (SCF)
The Cisco SCF is a security framework aimed at ensuring network and service availability and business
continuity. Security threats are an ever-moving target and the SCF is designed to address current threat
vectors, as well as track new and evolving threats, through the use of best common practices and
comprehensive solutions. Cisco SAFE uses SCF to create network designs that ensure network and
service availability and business continuity. Cisco SCF drives the selection of the security products and
capabilities, and guides their deployment throughout the network where they best enhance visibility and
control.
SCF assumes the existence of security policies developed as a result of threat and risk assessments, and
in alignment with business goals and objectives. The security policies and guidelines are expected to define
the acceptable and secure use of each service, device, and system in the environment. The security
policies should also determine the processes and procedures needed to achieve the business goals and
objectives. The collection of processes and procedures defines security operations. It is crucial to business
success that security policies, guidelines, and operations do not prevent but rather empower the
organization to achieve its goals and objectives.
The success of the security policies ultimately depends on the degree they enhance visibility and control.
Simply put, security can be defined as a function of visibility and control. Without any visibility, there
is no control, and without any control there is no security. Therefore, SCF’s main focus is on enhancing
visibility and control. In the context of SAFE, SCF drives the selection and deployment of platforms and
capabilities to achieve a desirable degree of visibility and control.
SCF defines six security actions that help enforce the security policies and improve visibility and
control. Visibility is enhanced through the actions of identify, monitor, and correlate. Control is
improved through the actions of harden, isolate, and enforce. See Figure 1-1.
Figure 1-1 Security Actions
In an enterprise, there are various places in the network (PINs) such as data center, campus, and branch.
The SAFE designs are derived from the application of SCF to each PIN. The result is the identification
of technologies and best common practices that best satisfy each of the six key actions for visibility and
control. In this way, SAFE designs incorporate a variety of technologies and capabilities throughout the
network to gain visibility into network activity, enforce network policy, and address anomalous traffic.
As a result, network infrastructure elements such as routers and switches are used as pervasive, proactive
policy-monitoring and enforcement agents.
Architecture Lifecycle
Since business and security needs are always evolving, the Cisco SAFE advocates the on-going
review and adjustment of the implementation in accordance with the changing requirements. To that end,
the Cisco SAFE uses the architecture lifecycle illustrated in Figure 1-2.
[Figure 1-1, Cisco Security Control Framework Model, is an image in the original; its text content is reproduced here.]
Total Visibility: identify, monitor, collect, detect and classify users, traffic, applications and protocols.
Identify: identify, classify and assign trust levels to subscribers, services and traffic.
Monitor: monitor performance, behaviours, events and compliance with policies; identify anomalous traffic.
Correlate: collect, correlate and analyze system-wide events; identify, notify and report on significant related events.
Complete Control: harden, strengthen resiliency, limit access, and isolate devices, users, traffic, applications and protocols.
Harden: harden devices, transport, services and applications; strengthen infrastructure resiliency, redundancy and fault tolerance.
Isolate: isolate subscribers, systems and services; contain and protect.
Enforce: enforce security policies; mitigate security events; dynamically respond to anomalous events.
Figure 1-2 SAFE Architecture Lifecycle
1. The cycle starts with planning, which must include a threat and risk assessment aimed at identifying
assets and the current security posture. Planning should also include a gap analysis to unveil the
strengths and weaknesses of the current architecture.
2. After the initial planning, the cycle continues with the design and selection of the platforms,
capabilities, and best practices needed to close the gap and satisfy future requirements. This results
in a detailed design to address the business and technical requirements.
3. The implementation follows the design. This includes the deployment and provisioning of platforms
and capabilities. Deployment is typically executed in separate phases, which requires a sequencing
plan.
4. Once the new implementation is in place, it needs to be maintained and operated. This includes the
management and monitoring of the infrastructure as well as security intelligence for threat
mitigation.
5. Finally, as business and security requirements are continuously changing, regular assessments need
to be conducted to identify and address possible gaps. The information obtained from day-to-day
operations and from ad hoc assessments can be used for these purposes.
As Figure 1-2 illustrates, the process is iterative and each iteration results in an implementation better
suited to meet the evolving business and security policy needs.
More information on Cisco SCF can be found at the following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/CiscoSCF.html
[Figure 1-2 is an image in the original; it shows the lifecycle as a repeating cycle of Plan, Design, Implement, Operate, and Optimize.]
SAFE Architecture
The Cisco SAFE consists of design blueprints based on the Cisco Validated Designs (CVDs) and proven
security best practices that provide the design guidelines for building secure and reliable network
infrastructures. The Cisco SAFE design blueprints implement defense-in-depth by strategically
positioning Cisco products and capabilities across the network and by leveraging cross platform network
intelligence and collaboration. To that end, multiple layers of security controls are implemented
throughout the network, but under a common strategy and administration. At the same time, the design
blueprints address the unique requirements of the various PINs present in an enterprise; products and
capabilities are deployed where they deliver the most value while at the same time best facilitating
collaboration and operational efficiency. The Cisco SAFE design blueprints also serve as the foundation
for vertical and horizontal security solutions developed to address the requirements of specific industries
such as retail, financial, healthcare, and manufacturing. In addition, Cisco security services are
embedded as an intrinsic part of Cisco SAFE. The Cisco security services support the entire solution
lifecycle and the diverse security products included in the designs.
Architecture Principles
The Cisco SAFE design blueprints follow the principles described below.
Defense-in-Depth
In the Cisco SAFE, security is embedded throughout the network by following a defense-in-depth
approach, to ensure the confidentiality, integrity, and availability of data, applications, endpoints,
and the network itself. For enhanced visibility and control, a rich set of security technologies and
capabilities are deployed in multiple layers, but under a common strategy. The selection of technologies
and capabilities is driven by the application of the Cisco SCF.
Modularity and Flexibility
The Cisco SAFE design blueprints follow a modular design where all components are described by
functional roles rather than point platforms. The overall network infrastructure is divided into functional
modules, each one representing a distinctive PIN such as the campus and the data center. Functional
modules are then subdivided into more manageable and granular functional layers and blocks (for
example, access layer, edge distribution block), each serving a specific role in the network.
The modular designs result in added flexibility when it comes to deployment, allowing a phased
implementation of modules as it best fits the organization's business needs. The fact that components are
described by functional roles rather than point platforms facilitates the selection of the best platforms for
given roles and their eventual replacement as technology and business needs evolve. Finally, the
modularity of the designs also accelerates the adoption of new services and roles, extending the useful
life of existing equipment and protecting previous capital investment.
Service Availability and Resiliency
The Cisco SAFE design blueprints incorporate several layers of redundancy to eliminate single points
of failure and to maximize the availability of the network infrastructure. This includes the use of
redundant interfaces, backup modules, standby devices, and topologically redundant paths. In addition,
the designs also use a wide set of features destined to make the network more resilient to attacks and
network failures.
Regulatory Compliance
The Cisco SAFE implements a security baseline built in as an intrinsic part of the network infrastructure.
The security baseline incorporates a rich set of security practices and functions commonly required by
regulations and standards, facilitating the achievement of regulatory compliance.
Strive for Operational Efficiency
The Cisco SAFE is designed to facilitate management and operations throughout the entire solution
lifecycle. Products, capabilities, and topologies were carefully selected to maximize the visibility and
control of the individual safeguards, while providing a unified view of the overall status of the network.
Designs were conceived with simplicity to accelerate provisioning and to help troubleshoot and isolate
problems quickly, effectively reducing operational expenditures. Central points of control and
management are provided with the tools and procedures necessary to verify the operation and
effectiveness of the safeguards in place.
Auditable Implementations
The Cisco SAFE designs accommodate a set of tools to measure and verify the operation and the
enforcement of safeguards across the network, providing a current view of the security posture of the
network, and helping assess compliance with security policies, standards, and regulations.
Global Information Sharing and Collaboration
The Cisco SAFE uses the information sharing and collaborative capabilities available on Cisco's
products and platforms. Logging and event information generated from the devices in the network is
centrally collected, trended, and correlated for maximum visibility. Response and mitigation actions are
centrally coordinated for enhanced control.
SAFE Axioms
Network environments are built out of a variety of devices, services, and information whose
confidentiality, integrity, and availability may be compromised. Properly securing the network and its
services requires an understanding of these network assets and their potential threats. The purpose of
this section is to raise awareness of the different elements in the network that may be at risk.
Infrastructure Devices Are Targets
Network infrastructures are not only built up with routers and switches, but also with a large variety of
in-line devices including, but not limited to, firewalls, intrusion prevention systems, load balancers, and
application acceleration appliances. All these infrastructure devices may be subject to attacks designed
to target them directly or that indirectly may affect network availability. Possible attacks include
unauthorized access, privilege escalation, distributed denial-of-service (DDoS), buffer overflows, traffic
flood attacks, and much more.
Generally, network infrastructure devices provide multiple access mechanisms, including console and
remote access based on protocols such as Telnet, rlogin, HTTP, HTTPS, and SSH. The hardening of
these devices is critical to avoid unauthorized access and compromise. Best practices include the use of
secure protocols, disabling unused services, limiting access to necessary ports and protocols, and the
enforcement of authentication, authorization and accounting (AAA).
However, infrastructure devices are not all the same. It is fundamental to understand their unique
characteristics and nature in order to properly secure them. The primary purpose of routers and switches
is to provide connectivity; therefore, default configurations typically allow traffic without restrictions.
In addition, the devices may have some services enabled by default which may not be required for
a given environment. This presents an opportunity for exploitation, and proper steps should be taken to
disable the unnecessary services.
In particular, routers’ responsibilities are to learn and propagate route information, and ultimately to
forward packets through the most appropriate paths. Successful attacks against routers are those able to
affect or disrupt one or more of those primary functions by compromising the router itself, its peering
sessions, and/or the routing information. Because of their Layer-3 nature, routers can be targeted from
remote networks. Best practices to secure routers include device hardening, packet filtering, restricting
routing-protocol membership, and controlling the propagation and learning of routing information.
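The following Cisco IOS fragment is an added example and is not configuration from the Cisco SAFE guide or a Cisco reference design. It shows the router practices listed above in one place: secure management protocols, unused services disabled, management access limited to necessary hosts, AAA for authentication, authorization and accounting, and routing-protocol membership and route learning restricted. The hostname, interface names, addresses, TACACS+ server and every key string in angle brackets are constructed placeholders; the "before" fragment is shown only for contrast with the hardened one.

```ios
! Added example, not from the Cisco SAFE guide. Management-plane hardening and
! routing protection for a Cisco IOS router. Names, addresses and key strings
! in angle brackets are constructed placeholders.
!
! ---- Before: a default-style configuration (weak, shown only for contrast) ----
! Telnet carries credentials in cleartext, a shared line password gives no
! per-user accountability, and the HTTP server and finger are left enabled.
line vty 0 4
 password cisco
 login
 transport input telnet
ip http server
service finger
!
! ---- After: hardened management plane ----
hostname edge-rtr
ip domain-name example.com
! An RSA host key is required before the SSH server can start
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
no ip http secure-server
no service finger
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
! Disable CDP where neighbour discovery is not needed on this device
no cdp run
service password-encryption
enable secret <STRONG-ENABLE-SECRET>
!
! AAA: authenticate and authorize against TACACS+, fall back to the local user
! only when no server is reachable, and account for every privileged command
aaa new-model
tacacs server mgmt-tacacs
 address ipv4 192.0.2.10
 key <TACACS-SHARED-KEY>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret <LOCAL-FALLBACK-SECRET>
!
! Remote management is SSH only, from the management subnet only, with idle
! sessions closed and denied connection attempts logged
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 login authentication default
!
! Routing protection: OSPF speaks only on the real peering link, peers must
! present an MD5 digest, and only expected prefixes are accepted from them
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 area 0 authentication message-digest
 distribute-list prefix FROM-CORE in
ip prefix-list FROM-CORE seq 5 permit 10.0.0.0/8 le 24
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 <OSPF-KEY>
```

Two caveats on the routing part: `passive-interface default` stops OSPF hellos on every interface that is not explicitly un-passived, which is what prevents a host on a user-facing segment from forming an adjacency; and an inbound `distribute-list` under OSPF filters which learned routes are installed in the routing table, not which LSAs are flooded, so it limits what this router will forward on but does not stop propagation of the LSA itself.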
In contrast to routers, switches’ mission is to provide LAN connectivity; therefore, they are more
vulnerable to Layer 2-based attacks, which are most commonly sourced inside the organization.
Common attacks on switched environments include broadcast storms, MAC flooding, and attacks
designed to exploit limitations in supporting protocols such as Address Resolution Protocol (ARP),
Dynamic Host Configuration Protocol (DHCP), and Spanning Tree Protocol (STP). Best practices for
securing switches include device hardening, restricting broadcast domains, STP security, ARP
inspection, anti-spoofing, disabling unused ports, and following VLAN best practices.
Firewalls, load balancers, and in-line devices in general are also subject to unauthorized access and
compromise; consequently, their hardening is critical. Like any other infrastructure devices, in-line
devices have limited resources and capabilities and as a result they are potentially vulnerable to resource
exhaustion attacks as well. Such attacks are designed to deplete the processing power or memory
of the device. This may be achieved by overwhelming the device capacity in terms of connections per
second, maximum number of connections, or number of packets per second. Attacks may also target
protocol and packet parsing with malformed packets or protocol manipulation. Security best practices
vary depending on the nature of the in-line device.
Services Are Targets
Network communications depend on a series of services including, but not limited to, Domain Name
System (DNS), Network Time Protocol (NTP), and DHCP. The disruption of such services may result
in partial or total loss of connectivity, and their manipulation may serve as a platform for data theft,
denial-of-service (DoS), service abuse, and other malicious activity. As a result, a growing number and
a variety of attacks are constantly targeting infrastructure services.
DNS provides for resolution between user-friendly domain names and logical IP addresses. As most
services on the Internet and intranets are accessed by their domain names and not their IP addresses, a
disruption of DNS most likely results in loss of connectivity. DNS attacks may target the name servers
as well as the clients, also known as resolvers. Some common attacks include DNS amplification attacks,
DNS cache poisoning and domain name hijacking. DNS amplification attacks typically consist of
flooding name servers with unsolicited replies, often in response to recursive queries. DNS cache
poisoning consists of maliciously changing or injecting DNS entries in the server caches, often used for
phishing and man-in-the-middle attacks. Domain name hijacking refers to the illegal act of
stealing control of a domain name from its legal owner.
Best practices for mitigation include patch management and the hardening of the DNS servers, using
firewalls to control DNS queries and zone traffic, implementing IPS to identify and block DNS-based
attacks, etc.
NTP, which is used to synchronize the time across computer systems over an IP network, supports a
range of time-based applications such as user authentication, event logging, and process scheduling.
The NTP service may be subjected to a variety of attacks ranging from rogue NTP servers and the insertion
of invalid NTP information to DoS on the NTP servers. Best practices for securing NTP include the use
of NTP peer authentication, the use of access control lists, and device hardening.
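The NTP practices named above (peer authentication, access control lists, device hardening) look like this on a Cisco IOS device. This is an added example, not configuration from the Cisco SAFE guide; the server addresses, the internal 10.0.0.0/8 client range, the loopback interface and the key string are constructed placeholders.

```ios
! Added example, not from the Cisco SAFE guide. Authenticated and
! access-controlled NTP on a Cisco IOS device. Addresses, the internal client
! range and the key string are constructed placeholders.
!
! ---- Before: any reachable host can be accepted as a time source or query
! this device, and a rogue server on the path can push invalid time ----
ntp server 192.0.2.20
!
! ---- After ----
! Only packets signed with trusted key 1 are accepted from the configured
! servers, so an unauthenticated rogue server is ignored
ntp authenticate
ntp authentication-key 1 md5 <NTP-SHARED-KEY>
ntp trusted-key 1
ntp server 192.0.2.20 key 1
ntp server 192.0.2.21 key 1
!
! Access groups: only the two internal servers may act as time sources,
! internal hosts may only request time, and all other NTP packets are dropped
ip access-list standard NTP-SERVERS
 permit host 192.0.2.20
 permit host 192.0.2.21
ip access-list standard NTP-CLIENTS
 permit 10.0.0.0 0.255.255.255
ntp access-group peer NTP-SERVERS
ntp access-group serve-only NTP-CLIENTS
!
! Source NTP from the loopback so the servers' own ACLs can pin one address,
! and stamp log messages with synchronized time so events from different
! devices can be correlated
ntp source Loopback0
service timestamps log datetime msec localtime show-timezone
```

The `serve-only` group is deliberately narrower than `serve`: it answers time requests but refuses control queries, which removes a source of information leakage and amplification from the device while still letting internal hosts synchronize.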
DHCP is the most widely deployed protocol for the dynamic configuration of systems over an IP
network. Two of the most common DHCP attacks are the insertion of rogue DHCP servers and DHCP
starvation. Rogue DHCP servers are used to provide valid users with incorrect configuration information
to prevent them from accessing the network. Also, rogue DHCP servers are used for man-in-the-middle
(MITM) attacks, where valid clients are provided with the IP address of a compromised system as a
default gateway. DHCP starvation is another common type of attack. It consists of exhausting the pool
of IP addresses available to the DHCP server for a period of time, and it is achieved by the broadcasting
of spoofed DHCP requests by one or more compromised systems in the LAN. Best practices for securing
DHCP include server hardening and the use of DHCP security features available on switches such as DHCP
snooping and port security.
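The switch-side protections named in the switches paragraph of "Infrastructure Devices Are Targets" (STP security, ARP inspection, anti-spoofing, disabling unused ports) and in the DHCP paragraph above (DHCP snooping, port security) can be applied together on one Cisco IOS access switch. The fragment below is an added example, not configuration from the Cisco SAFE guide; VLAN numbers and the port layout (user ports 1 to 39, unused ports 40 to 47, uplink 48) are constructed.

```ios
! Added example, not from the Cisco SAFE guide. Layer-2 protections on a Cisco
! IOS access switch: DHCP snooping, Dynamic ARP Inspection, IP Source Guard,
! port security, STP guards, and unused-port lockdown. VLANs and port numbering
! are constructed: user ports 1-39, unused ports 40-47, uplink port 48.
!
! DHCP snooping: the uplink toward the real DHCP server is the only trusted
! port, so OFFER/ACK messages from a rogue server on a user port are dropped;
! user ports are rate-limited so a starvation flood errdisables the port
! instead of draining the address pool
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
interface GigabitEthernet1/0/48
 description uplink-to-distribution
 ip dhcp snooping trust
 ip arp inspection trust
interface range GigabitEthernet1/0/1 - 39
 ip dhcp snooping limit rate 10
!
! Dynamic ARP Inspection: ARP packets on user ports must match the snooping
! binding table, which blocks ARP-spoofing man-in-the-middle
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! User ports: access mode, no DTP negotiation, IP Source Guard (source
! addresses must match the binding table), and port security capped at two
! MAC addresses so a MAC flood cannot overflow the CAM table
interface range GigabitEthernet1/0/1 - 39
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ip verify source
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 5
!
! STP: user ports go straight to forwarding and are errdisabled if they ever
! send a BPDU, so an unauthorized switch cannot become root or reshape the tree
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Recover errdisabled ports automatically once the flood or rogue device stops
errdisable recovery cause bpduguard
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Unused ports: shut down and parked in an unused VLAN, never left in VLAN 1
interface range GigabitEthernet1/0/40 - 47
 switchport mode access
 switchport access vlan 999
 shutdown
```

Order matters when rolling this out: DHCP snooping must be enabled and the binding table populated (clients renew their leases) before Dynamic ARP Inspection and IP Source Guard are turned on, because both drop traffic that has no matching binding; hosts with static addresses need an explicit binding or they lose connectivity.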
Endpoints Are Targets
A network endpoint is any system that connects to the network and that communicates with other entities
over the infrastructure. Servers, desktop computers, laptops, network storage systems, IP phones,
network-enabled mobile devices, and IP-enabled video systems are all examples of endpoints. Due to
the immense diversity of hardware platforms, operating systems, and applications, endpoints present
some of the most difficult challenges from a security perspective. Updates, patches, and fixes of the
various endpoint components typically are available from different sources and at different times,
making it more difficult to keep systems up to date. In addition to the platform and software
diversity, portable systems like laptops and mobile devices are often used at Wi-Fi hotspots, hotels,
employees' homes and other environments outside of the corporate controls. In part because of the
security challenges mentioned above, endpoints are the most vulnerable and the most successfully
compromised devices.
The list of endpoint threats is as extensive and diverse as the immense variety of platforms and software
available. Examples of common threats to endpoints include malware, worms, botnets, and E-mail spam.
Malware is malicious software designed to grant unauthorized access and/or steal data from the victim.
Malware is typically acquired via E-mail messages containing a Trojan or by browsing a compromised
Web site. Key-loggers and spyware are examples of malware, both designed to record the user behavior
and steal private information such as credit card and social security numbers. Worms are another form
of malicious software that has the ability to automatically propagate over the network. Botnets are one
of the fastest growing forms of malicious software, capable of compromising very large
numbers of systems for E-mail spam, DoS on web servers and other malicious activity. Botnets are
usually economically motivated and driven by organized cyber crime. E-mail spam consists of
unsolicited E-mail that often contains malware or forms part of a phishing scam.
Securing the endpoints requires paying careful attention to each of the components within the systems,
and equally important, ensuring end-user awareness. Best practices include keeping the endpoints
up-to-date with the latest updates, patches and fixes; hardening of the operating system and applications;
implementing endpoint security software; securing web and E-mail traffic; and continuously educating
end-users about current threats and security measures.
Networks Are Targets
Entire network segments may also be the target of attacks such as theft of service, service abuse, DoS,
MITM, and data loss to name a few. Theft of service refers to the unauthorized access and use of network
resources; a good example is the use of open wireless access points by unauthorized users. Network
service abuse costs organizations millions of dollars a year and consists of the use of network resources
for other than the intended purposes; for example, employee personal use of corporate resources.
Networks may also be subject to DoS attacks designed to disrupt network service and MITM attacks
used to steal private data.
Network attacks are among the most difficult to deal with because they typically take advantage of an
intrinsic characteristic in the way the network operates. Network attacks may operate at Layer 2 or Layer
3. Layer-2 attacks often take advantage of the trustful nature of certain Layer-2 protocols such as STP,
ARP, and CDP. Some other Layer-2 attacks may target certain characteristics of the transport media,
such as wireless access. Some Layer-2 attacks may be mitigated through best practices on switches,
routers, and wireless access points.
Layer 3-based attacks make use of the IP transport and may involve the manipulation of routing
protocols. Examples of this type of attack are distributed DoS (DDoS), black-holing, and traffic diversion.
DDoS works by causing tens or hundreds of machines to simultaneously send spurious data to a target
IP address. The goal of such an attack is not necessarily to shut down a particular host, but to make
an entire network unresponsive. Other frequent Layer-3 attacks consist of the injection of invalid route
information into the routing process to intentionally divert traffic bound for a target network. Traffic
may be diverted to a black-hole, making the target network unreachable, or to a system configured to act
as a MITM. Security best practices against Layer 3-based network attacks include device hardening,
anti-spoofing filtering, routing protocol security, network telemetry, firewalls, and intrusion
prevention systems.
Applications Are Targets
Applications are coded by people and therefore are subject to numerous errors. Care needs to be taken
to ensure that commercial and public domain applications are up-to-date with the latest security fixes.
Public domain applications, as well as custom developed applications, also require code review to ensure
that the applications are not introducing any security risks caused by poor programming. This may
include scenarios such as how user input is sanitized, how an application makes calls to other
applications or the operating system itself, the privilege level at which the application runs, the degree
of trust that the application has for the surrounding systems, and the method the application uses to
transport data across the network.
Poor programming may lead to buffer overflow, privilege escalation, session credential guessing, SQL
injection, and cross-site scripting attacks, to name a few. Buffer overflow attacks are designed to trigger an
exception condition in the application that overwrites certain parts of memory, causing a DoS or
allowing the execution of an unauthorized command. Privilege escalation typically results from the lack
of enforced authorization controls. The use of predictable user credentials or session identifiers
facilitates session hijacking and user impersonation attacks. SQL injection is a common attack in web
environments that use a backend SQL database and where user input is not properly sanitized. Simply put,
the attack consists of manipulating the entry of data to trigger the execution of a crafted SQL statement.
Cross-site scripting is another common form of attack that consists of the injection of malicious code into
web pages, where it is executed once other users browse those pages. Cross-site scripting is possible on web
sites that let users post content and that fail to properly validate user input.
Application environments can be secured with the use of endpoint security software and the hardening
of the operating system hosting the application. Firewalls, intrusion prevention systems, and XML
gateways may also be used to mitigate application-based attacks.
SAFE Design Blueprint
The Cisco SAFE designs were created following the architecture principles and in compliance with the
SAFE axioms. With increasingly sophisticated attacks, point security solutions are no longer effective.
Today's environments require higher degrees of visibility that is only attainable with infrastructure-wide
security intelligence and collaboration. To that end, the Cisco SAFE design blueprints use the various
forms of network telemetry present on Cisco networking equipment, security appliances, and endpoints
to obtain a consistent and accurate view of the network activity. As part of the event monitoring,
analysis, and correlation, logging and event information generated by routers, switches, firewalls,
intrusion prevention systems, and endpoint protection software are collected, trended, and correlated.
The architecture also uses the collaborative nature between security platforms such as intrusion
prevention systems, firewalls, and endpoint protection software.
SCF defines six security actions that help enforce the security policies and improve visibility and
control. Visibility is enhanced through the actions of identify, monitor, and correlate. By delivering
infrastructure-wide security intelligence and collaboration, the Cisco SAFE design blueprints can
effectively offer the following:
• Enhanced visibility—Infrastructure-wide intelligence provides an accurate vision of network
topologies, attack paths, and the extent of the damage.
• Identify threats—Collecting, trending, correlating, and logging event information help identify the
presence of security threats, compromises, and data leak.
• Confirm compromises—By being able to track an attack as it transits the network, and by having
visibility on the endpoints, the architecture can confirm the success or failure of an attack.
• Reduce false positives—Endpoint and system visibility help identify whether a target is in fact
vulnerable to a given attack.
• Reduce volume of event information—Event correlation dramatically reduces the number of events,
saving security operators' precious time and allowing them to focus on what is most important.
• Determine the severity of an incident—Enhanced endpoint and network visibility allows the
architecture to dynamically increase or reduce the severity level of an incident based on the degree
of vulnerability of the target and the context of the attack.
• Reduce response times—Having visibility over the entire network makes it possible to determine
attack paths and identify the best places to enforce mitigation actions.
The Cisco SAFE uses the infrastructure-wide intelligence and collaboration capabilities provided by
Cisco products to control and mitigate well-known and zero-day attacks. Under the Cisco SAFE design
blueprints, intrusion protection systems, firewalls, network admission control, endpoint protection
software, and monitoring and analysis systems work together to identify and dynamically respond to
attacks. As part of threat control and containment, the designs have the ability to identify the source of
a threat, visualize its attack path, and to suggest, and even dynamically enforce, response actions.
Possible response actions include the isolation of compromised systems, rate limiting, packet filtering,
and more.
Control is improved through the actions of harden, isolate, and enforce. Following are some of the
objectives of the Cisco SAFE design blueprints:
• Adaptive response to real-time threats—Source threats are dynamically identified and may be
blocked in real-time.
• Consistent policy enforcement coverage—Mitigation and containment actions may be enforced at
different places in the network for defense in-depth.
• Minimize effects of attack—Response actions may be dynamically triggered as soon as an attack is
detected, minimizing damage.
• Common policy and security management—A common policy and security management platform
simplifies control and administration, and reduces operational expense.
Enterprise networks are built with routers, switches, and other network devices that keep the
applications and services running. Therefore, properly securing these network devices is critical for
continued business operation. The network infrastructure is not only often used as a platform for attacks
but is also increasingly the direct target of malicious activity. For this reason, the necessary measures
must be taken to ensure the security, reliability, and availability of the network infrastructure. The Cisco
SAFE provides recommended designs for enhanced security and best practices to protect the control and
management planes of the infrastructure. The architecture sets a strong foundation on which more
advanced methods and techniques can subsequently be built.
Best practices and design recommendations are provided for the following areas:
• Infrastructure device access
• Device resiliency and survivability
• Routing infrastructure
• Switching infrastructure
• Network policy enforcement
• Network telemetry
• Network management
The design blueprint follows a modular design where the overall network infrastructure is divided into
functional modules, each one representing a distinctive PIN. Functional modules are then subdivided
into more manageable and granular functional layers and blocks, each serving a specific role in the
network.
Figure 1-3 illustrates the Cisco SAFE design blueprint.
Figure 1-3 Cisco SAFE Design Blueprint
Each module is carefully designed to provide service availability and resiliency, to facilitate regulatory
compliance, to provide flexibility in accommodating new services and adapt with the time, and to
facilitate administration.
The following is a brief description of the design modules. Each module is discussed in detail later in
this guide.
Enterprise Core
The core is the piece of the infrastructure that glues together all the other modules. The core is a high-speed
infrastructure whose objective is to provide a reliable and scalable Layer-2/Layer-3 transport. The core
is typically implemented with redundant switches that aggregate the connections to the campuses, data
centers, WAN edge, and Internet edge. For details about the enterprise core, refer to Chapter 3,
“Enterprise Core.”
Intranet Data Center
Cisco SAFE includes an Intranet data center design capable of hosting a large number of systems for
serving applications and storing significant volumes of data. The data center design also hosts the
network infrastructure that supports the applications, including routers, switches, load balancers,
application acceleration devices, to name some. The intranet data center is designed to serve internal
users and applications, and is not directly accessible from the Internet to the general public.
[Figure 1-3 graphic: module labels shown are Partner Extranet, WAN, Internet, Internet Edge, E-Commerce, Campus, Data Center, Management, Teleworker, Branch, Core, and WAN Edge]
The following are some of the key security attributes of Cisco SAFE intranet data center design:
• Service availability and resiliency
• Prevent DoS, network abuse, intrusions, data leak, and fraud
• Ensure data confidentiality, integrity, and availability
• Content control and application level inspection
• Server and application protection and segmentation
For details about the intranet data center, refer to Chapter 4, “Intranet Data Center.”
Enterprise Campus
The enterprise campus provides network access to end users and devices located at the same
geographical location. It may span over several floors in a single building, or over multiple buildings
covering a larger geographical area. The campus may also host local data, voice, and video services.
Cisco SAFE includes a campus design that allows campus users to securely access any corporate or
Internet resources from the campus infrastructure.
From a security perspective, the following are the key attributes of the Cisco SAFE campus design:
• Service availability and resiliency
• Prevent unauthorized access, network abuse, intrusions, data leak, and fraud
• Ensure data confidentiality, integrity, and availability
• Ensure user segmentation
• Enforce access control
• Protect the endpoints
For details about the enterprise campus, refer to Chapter 5, “Enterprise Campus.”
Enterprise Internet Edge
The Internet edge is the network infrastructure that provides connectivity to the Internet, and that acts
as the gateway for the enterprise to the rest of cyberspace. The Internet edge services include a public
services DMZ, corporate Internet access, and remote access VPN. The Cisco SAFE design blueprint
incorporates an Internet edge design that allows users at the campuses to safely access E-mail, instant
messaging, web-browsing, and other common services over the Internet. The Cisco SAFE Internet edge
design also accommodates Internet access from the branches over a centralized Internet connection at
the headquarters, if the organization's policies mandate it.
The following are some of the key security attributes of the Cisco SAFE Internet edge design:
• Service availability and resiliency
• Prevent intrusions, DoS, data leak, and fraud
• Ensure user confidentiality, data integrity, and availability
• Server and application protection
• Server and application segmentation
• Ensure user segmentation
• Content control and inspection
For details about the enterprise Internet edge, refer to Chapter 6, “Enterprise Internet Edge.”
Enterprise WAN Edge
The WAN edge is the portion of the network infrastructure that aggregates the WAN links that connect
geographically distant branch offices to a central site or regional hub site. The WAN can be either owned
by the same enterprise or provided by a service provider, the latter being the most common option. The
objective of the WAN is to provide users at the branches the same network services as campus users at
the central site. The Cisco SAFE includes a WAN edge design that allows branches and remote offices
to securely communicate over a private WAN. The design accommodates the implementation of
multiple WAN clouds for redundancy or load balancing purposes. In addition, an Internet connection
may also be used as a secondary backup option.
From a security perspective, the following are the key attributes of the Cisco SAFE WAN edge design:
• Service availability and resiliency
• Prevent DoS, network abuse, intrusions, data leak, and fraud
• Provide confidentiality, integrity, and availability of data transiting the WAN
• Deliver secure Internet WAN backup
• Ensure data confidentiality, integrity, and availability
• Ensure user segmentation
For details about the enterprise WAN edge, refer to Chapter 7, “Enterprise WAN Edge.”
Enterprise Branch
Branches provide connectivity to users and devices at remote locations. They typically implement one
or more LANs, and connect to the central sites via a private WAN or an Internet connection. Branches
may also host local data, voice, and video services. The Cisco SAFE includes several branch designs
that allow users and devices to securely access the branch resources. The Cisco SAFE branch designs
accommodate one or two WAN clouds, as well as a backup Internet connection. Depending on the
enterprise access policies, direct Internet access may be allowed, while in other cases Internet access may
be permitted only through a central Internet connection at the headquarters or regional office. In the latter
case, the Internet link at the branch would likely be used solely for WAN backup purposes.
The following are the key security attributes of the Cisco SAFE branch designs:
• Service availability and resiliency
• Prevent unauthorized access, network abuse, intrusions, data leak, and fraud
• Provide confidentiality, integrity, and availability of data transiting the WAN
• Ensure data confidentiality, integrity, and availability
• Ensure user segmentation
• Protect the endpoints
For details about the enterprise branch, refer to Chapter 8, “Enterprise Branch.”
Management
The architecture design includes a management network dedicated to carrying control and management
plane traffic such as NTP, SSH, SNMP, syslog, etc. The management network combines out-of-band
(OOB) management and in-band (IB) management, spanning all the building blocks. At the
headquarters, an OOB management network may be implemented as a collection of dedicated switches
or based on VLAN isolation.
For details about management, refer to Chapter 9, “Management.”
Chapter 2 Network Foundation Protection
This chapter describes the best practices for securing the network infrastructure itself. This includes
setting a security baseline for protecting the control and management planes as well as setting a strong
foundation on which more advanced methods and techniques can subsequently be built. Later in this
chapter, each design module is presented with the additional security design elements required to
enhance visibility and control and to secure the data plane.
The following are the key areas of baseline security:
• Infrastructure device access
• Routing infrastructure
• Device resiliency and survivability
• Network telemetry
• Network policy enforcement
• Switching infrastructure
For more detailed information on deployment steps and configurations, refer to the Network Security
Baseline document at the following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook.html
Key Threats in the Infrastructure
The following are some of the expected threats to the network infrastructure:
• Denial-of-service (DoS)
• Distributed DoS (DDoS)
• Unauthorized access
• Session hijacking
• Man-in-the-middle (MITM) attack
• Privilege escalation
• Intrusions
• Botnets
• Routing protocol attacks
• Spanning tree attacks
• Layer 2 attacks
Infrastructure Device Access Best Practices
Securing the network infrastructure requires securing the management access to these infrastructure
devices. If the infrastructure device access is compromised, the security and management of the entire
network can be compromised. Consequently, it is critical to establish the appropriate controls in order
to prevent unauthorized access to infrastructure devices.
Network infrastructure devices often provide a range of different access mechanisms, including console
and asynchronous connections, as well as remote access based on protocols such as Telnet, rlogin, HTTP,
and SSH. Some mechanisms are typically enabled by default with minimal security associated with
them; for example, Cisco IOS software-based platforms are shipped with console and modem access
enabled by default. For this reason, each infrastructure device should be carefully reviewed and
configured to ensure only supported access mechanisms are enabled and that they are properly secured.
The key measures to securing both interactive and management access to an infrastructure device are as
follows:
• Restrict device accessibility—Limit the accessible ports and restrict the permitted communicators
and the permitted methods of access.
• Present legal notification—Display legal notice developed in conjunction with company legal
counsel for interactive sessions.
• Authenticate access—Ensure access is only granted to authenticated users, groups, and services.
• Authorize actions—Restrict the actions and views permitted by any particular user, group, or
service.
• Ensure the confidentiality of data—Protect locally stored sensitive data from viewing and copying.
Consider the vulnerability of data in transit over a communication channel to sniffing, session
hijacking, and man-in-the-middle (MITM) attacks.
• Log and account for all access—Record who accessed the device, what occurred, and when for
auditing purposes.
Protect Local Passwords
Passwords should generally be maintained and controlled by a centralized AAA server. However, Cisco
IOS devices and other infrastructure devices generally store some sensitive information locally. Some
local passwords and secrets may still be required, for example for local fallback when AAA servers are
not available, special-use usernames, secret keys, and other password information.
Global password encryption, local user-password encryption, and enable secret are features available in
the Cisco IOS to help secure locally stored sensitive information:
• Enable automatic password encryption with the service password-encryption global command.
Once configured, all passwords are encrypted automatically, including passwords of locally defined
users.
• Define a local enable password using the enable secret global command. Enable access should be
handled with an AAA protocol such as TACACS+. The locally configured enable password will be
used as a fallback mechanism after AAA is configured.
• Define a line password with the password line command for each line you plan to use to administer
the system. Note that line passwords are used for initial configuration and are not in effect once
AAA is configured. Also note that some devices may have more than 5 VTYs.
Note that the encryption algorithm used by the service password-encryption command is a Vigenere
cipher (Type 7) that can be easily reversed. Consequently, this command is primarily useful for keeping
unauthorized individuals from viewing passwords in the configuration file simply by looking over the
shoulder of an authorized user.
Cisco IOS offers support for a stronger encryption algorithm (Type 5) for some locally stored passwords
and this should be leveraged whenever available. For example, define local users using the secret
keyword instead of the password keyword, and use enable secret instead of enable password.
The following configuration fragment illustrates the use of the recommended commands:
service password-encryption
enable secret
line vty 0 4
password
Implement Notification Banners
It is recommended that a legal notification banner is presented on all interactive sessions to ensure that
users are notified of the security policy being enforced and to which they are subject. In some
jurisdictions, civil and/or criminal prosecution of an attacker who breaks into a system is easier, or even
required, if a legal notification banner is presented, informing unauthorized users that their use is in fact
unauthorized. In some jurisdictions, it may also be forbidden to monitor the activity of an unauthorized
user unless they have been notified of the intent to do so.
Legal notification requirements are complex and vary in each jurisdiction and situation. Even within
jurisdictions, legal opinions vary, and this issue should be discussed with your own legal counsel to
ensure that it meets company, local, and international legal requirements. This is often critical to
securing appropriate action in the event of a security breach.
In cooperation with the company legal counsel, statements that may be included in a legal notification
banner include the following:
• Notification that system access and use is permitted only by specifically authorized personnel, and
perhaps information about who may authorize use.
• Notification that unauthorized access and use of the system is unlawful, and may be subject to civil
and/or criminal penalties.
• Notification that access and use of the system may be logged or monitored without further notice,
and the resulting logs may be used as evidence in court.
• Additional specific notices required by specific local laws.
From a security standpoint, rather than a legal one, a legal notification banner should not contain any specific
information about the device, such as its name, model, software, location, operator, or owner, because
this kind of information may be useful to an attacker.
The following example displays the banner after the user logs in:
banner login #
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or
criminal penalties.
All activities performed on this device are logged and monitored.
#
Note In Cisco IOS, a number of banner options are available, including banner motd, banner login, banner
incoming, and banner exec. For more information on these commands, refer to the Cisco IOS Command
Reference on cisco.com.
Enforce Authentication, Authorization and Accounting (AAA)
AAA is an architectural framework for configuring the following set of independent security functions
in a consistent, modular manner:
• Authentication—Enables users to be identified and verified prior to them being granted access to the
network and network services.
• Authorization—Defines the access privileges and restrictions to be enforced for an authenticated
user.
• Accounting—Provides the ability to track user access, including user identities, start and stop times,
executed commands (such as command-line interface (CLI) commands), number of packets, and
number of bytes.
AAA is the primary and recommended method for access control. All management access (SSH, Telnet,
HTTP, and HTTPS) should be controlled with AAA.
Because RADIUS does not support command authorization, the protocol is not as useful as
TACACS+ when it comes to device administration. TACACS+ supports command authorization,
allowing control of which commands can be executed on a device and which cannot. For this reason,
this guide focuses on TACACS+ and not on RADIUS. For information on how to configure RADIUS for
device management, refer to the Network Security Baseline or the Cisco IOS user documentation on
cisco.com.
The following are the best practices for enabling TACACS+ on Cisco IOS:
• Enable AAA with the aaa new-model global command. Configure the aaa session-id common
command to ensure the session ID is maintained across all AAA packets in a session.
• Define server groups of all AAA servers. If possible, use a separate key per server. Set the source IP
address for TACACS+ communications, preferably the IP address of a loopback or the
out-of-band (OOB) management interface.
• Define a login authentication method list and apply it to the console, VTY, and all used access lines.
Use TACACS+ as the primary method and local authentication as fallback. Do not forget to define
a local user for local fallback.
• Authenticate enable access with TACACS+, and use local enable as the fallback method. Configure a
TACACS+ enable password per user.
• Configure exec authorization to ensure access only to users whose profiles are configured with
administrative access. TACACS+ profiles are configured with the Shell (exec) attribute. Define a
fallback method: use local if local usernames are configured with a privilege level, or if-authenticated
otherwise. To grant automatic enable access to a TACACS+ user, configure the user or group profile with
the “privilege level” attribute set to 15.
• Enforce console authorization: By default, authorization on the console port is not enforced. It is a
good practice to enable console authorization with the aaa authorization console command to
ensure access is granted only to users with an administrative access privilege.
• Enable command authorization for privilege level 15: By default, administrative access to IOS has
privilege level 15. Enable command authorization for privilege level 15 and for any other privilege
levels that are defined.
• Activate the exec accounting command to monitor shell connections. Enable the accounting
command for the privilege levels to be used. Activate system accounting for system-level events.
Note Enable access can be automatically granted as a result of exec authorization. To that end,
TACACS+ user or group profiles need to be configured to set the privilege level to 15. Console
access may still require the use of an enable password. If using Cisco Secure Access Control
Server (ACS), each user can be configured with a unique enable password. User profiles may
also be configured to use the authentication password as enable.
The following configuration fragment illustrates the use of TACACS+:
! Enable AAA
aaa new-model
!
! Ensure common session ID
aaa session-id common
!
! Define server attributes
tacacs-server host single-connection key
tacacs-server host single-connection key
!
! Define server group
aaa group server tacacs+
server
server
!
! Define the source interface to be used to communicate with the TACACS+ servers
ip tacacs source-interface
!
! Set method list to enable login authentication
aaa authentication login group local-case
!
! Authenticate enable access
aaa authentication enable default group enable
!
! Define method list to enforce exec authorization
aaa authorization exec group if-authenticated
!
! Enforce console authorization
aaa authorization console
!
! Define method list to authorize the execution of administrative level commands
aaa authorization commands 15 group none
!
! Enable accounting
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group
aaa accounting commands 15 default start-stop group
aaa accounting system default start-stop group
!
! Enforce method lists to console and vty access lines
line con 0
login authentication
!
line vty 0 4
authorization exec
login authentication
authorization commands 15
!
Secure Administrative Access
Follow these best practices for securing administrative access:
• Enable SSH access when available rather than unsecure Telnet. Use at a minimum a 768-bit modulus
size.
• Avoid HTTP access. If possible, use HTTPS instead of clear-text HTTP.
• Disable unnecessary access lines. Disable those ports that are not going to be used with the no exec
command.
• Per used line, explicitly define the protocols allowed for incoming and outgoing sessions.
Restricting outgoing sessions prevents the system from being used as a staging host for other attacks.
It should be noted, however, that outgoing Telnet may be required to manage integrated modules
such as the Cisco IPS Network Module for Cisco ISR routers.
• Use access-class ACLs to control the sources from which sessions are going to be permitted. The
source is typically the subnet where administrators reside. Use extended ACLs when available and
indicate the allowed protocols.
• Reserve the last VTY available for last resort access. Configure an access-class to ensure this VTY
is only accessed by known and trusted systems.
• Set idle and session timeouts—Set idle and session timeouts in every used line. Enable TCP
keepalives to detect and close hung sessions.
Note HTTP access uses default login authentication and default exec authorization. In addition, privilege level
for the user must be set to level 15.
Note CS-MARS SSH device discovery does not support 512-byte keys. For compatibility, use SSH modulus
size equal to or larger than 768 bits.
The following configuration fragments illustrate the best practices for enabling SSH access:
! Prevent hung sessions in case of a loss of connection
service tcp-keepalives-in
!
! Define access class ACL to be used to restrict the sources of SSH sessions.
access-list remark ACL for SSH
access-list permit tcp any eq 22
access-list permit tcp any eq 22
access-list deny ip any any log-input
!
! ACL for last resort access
access-list permit tcp host any eq 22
access-list deny ip any any log-input
! Configure a hostname and domain name
hostname
ip domain-name
!
! Generate an RSA key pair, automatically enabling SSH.
crypto key generate rsa
!
! SSH negotiation timeout of 30 seconds
ip ssh timeout 30
!
! SSH authentication attempts of 2 before an interface reset
ip ssh authentication-retries 2
!
! Enforce line access class ACL, access methods and timeouts for VTYs 0 to 3.
line vty 0 3
access-class in
!
! Incoming access via SSH only
transport input ssh
!
! No outgoing connections permitted
transport output none
!
! Incoming access not permitted if the request does not specify the transport protocol
transport preferred none
!
! Idle timeout of 3 minutes
session-timeout 3
!
! EXEC timeout of 3 minutes
exec-timeout 3 0
!
! Enforce last resort access on VTY 4.
line vty 4
access-class in
transport input ssh
transport output none
transport preferred none
session-timeout 3
exec-timeout 3 0
!
The following configuration fragments illustrate the best practices for enabling HTTPS access.
! Enforce default login authentication and exec authorization
aaa authentication login default group <AAA-server-group> local-case
aaa authorization exec default group <AAA-server-group> local
!
! Define ACL to control the sources for HTTPS sessions
access-list <ACL#> permit <source> <wildcard>
access-list <ACL#> deny any log
!
! Disable HTTP and enable HTTPS
no ip http server
ip http secure-server
!
! Enforce HTTPS ACL and enable AAA
ip http access-class <ACL#>
ip http authentication aaa
!
! Restrict access to telnet. HTTPS access mode uses the telnet keyword.
line vty 0 4
transport input telnet
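As an added illustration (not part of the guide), the following Python script parses an IOS-style running configuration and reports VTY and HTTP settings that deviate from the SSH and HTTPS practices shown in the fragments above. The sample configuration, the rule list and the finding texts are constructed here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config (not taken from the guide): VTY 0-3 are
# hardened, VTY 4 lacks its access-class, SSH retries are too permissive and
# HTTPS is enabled without AAA authentication.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
hostname edge-rtr
ip domain-name example.test
ip ssh timeout 30
ip ssh authentication-retries 5
no ip http server
ip http secure-server
ip http access-class 20
line vty 0 3
 access-class 10 in
 transport input ssh
 transport output none
 transport preferred none
 session-timeout 3
 exec-timeout 3 0
line vty 4
 transport input ssh
 transport output none
 exec-timeout 3 0
"""

# Commands every VTY line should carry (label, regex).
VTY_REQUIRED = [
    ("access-class ... in", r"^access-class \S+ in$"),
    ("transport input ssh", r"^transport input ssh$"),
    ("transport output none", r"^transport output none$"),
    ("transport preferred none", r"^transport preferred none$"),
    ("exec-timeout", r"^exec-timeout \d+( \d+)?$"),
]

# Global commands the SSH/HTTPS fragments rely on.
GLOBAL_REQUIRED = [
    ("service tcp-keepalives-in", r"^service tcp-keepalives-in$"),
    ("no ip http server", r"^no ip http server$"),
    ("ip http access-class ...", r"^ip http access-class \S+$"),
]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into top-level commands and the indented
    sub-commands that follow each top-level line (keyed by that line)."""
    top_level: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top_level.append(current)
            blocks.setdefault(current, [])
    return top_level, blocks


def audit_access(text: str) -> List[str]:
    """Return human-readable findings; an empty list means compliant."""
    top_level, blocks = parse_config(text)
    findings: List[str] = []

    for label, pattern in GLOBAL_REQUIRED:
        if not any(re.match(pattern, cmd) for cmd in top_level):
            findings.append(f"global: missing '{label}'")

    # Without 'ip http authentication aaa' the web server falls back to the
    # default (enable password) authentication method.
    if "ip http secure-server" in top_level and "ip http authentication aaa" not in top_level:
        findings.append("global: 'ip http secure-server' without 'ip http authentication aaa'")

    for cmd in top_level:
        m = re.match(r"^ip ssh authentication-retries (\d+)$", cmd)
        if m and int(m.group(1)) > 2:
            findings.append(f"global: ssh authentication-retries {m.group(1)} exceeds 2")

    for header, sub in blocks.items():
        if not header.startswith("line vty"):
            continue
        for label, pattern in VTY_REQUIRED:
            if not any(re.match(pattern, cmd) for cmd in sub):
                findings.append(f"{header}: missing '{label}'")
        if "exec-timeout 0 0" in sub:  # 0 0 means "never time out"
            findings.append(f"{header}: 'exec-timeout 0 0' disables the idle timeout")
    return findings


if __name__ == "__main__":
    for finding in audit_access(SAMPLE_CONFIG):
        print(finding)
```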
For configuration guidance for Telnet and HTTP, refer to the Network Security Baseline document at the
following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook.html
Routing Infrastructure Best Practices
Routing is one of the most important parts of the infrastructure that keeps a network running, and as
such, it is absolutely critical to take the necessary measures to secure it. There are different ways routing
can be compromised, from the injection of illegitimate updates to DoS specially designed to disrupt
routing. Attacks may target the router devices, the peering sessions, and/or the routing information.
The Cisco SAFE design blueprints make use of the following measures to effectively secure the routing
plane:
• Restrict routing protocol membership—Limit routing sessions to trusted peers, and validate the origin
and integrity of routing updates.
• Control route propagation—Enforce route filters to ensure only valid routing information is
propagated. Control routing information exchange between routing peers and between redistributing
processes.
• Log status changes—Log the status changes of adjacency or neighbor sessions.
Restrict Routing Protocol Membership
Many dynamic routing protocols, particularly interior gateway protocols, implement automatic peer
discovery mechanisms that facilitate the deployment and setup of routers. By default, these mechanisms
operate under the assumption that all peers are to be trusted, making it possible to establish peering
sessions from bogus routers and to inject false routing data. Fortunately, the Cisco IOS provides a series
of recommended features designed to restrict routing sessions to trusted peers and that help validate the
origin and integrity of routing updates:
• Enable neighbor authentication to ensure the authenticity of routing neighbors and the integrity of
their routing updates. Available for BGP, IS-IS, OSPF, RIPv2 and EIGRP. Use Message Digest
Algorithm Version 5 (MD5) authentication rather than insecure plain text authentication. To
function properly, neighbor authentication must be enabled on both ends of the routing session.
• Use the passive-interface default command when enabling routing on network ranges matching a
large number of interfaces. The passive-interface default command changes the configuration logic
to a default passive, preventing the propagation of routing updates on an interface unless the
interface is expressly configured with the no passive-interface command. This allows you to
selectively enable the propagation of routing updates over the interfaces that are expected to be part
of the routing process.
• When using BGP, enable TTL security check, also known as Generalized TTL Security Mechanism
(GTSM, RFC 3682). TTL security check prevents routing-based DoS attacks, unauthorized peering
and session reset attacks launched from systems not directly connected to the same subnet as the
victim routers. To work properly, TTL security check must be configured on both ends of the BGP
session.
Note The effects of the passive-interface command vary depending on the routing protocol. In RIP
and IGRP, the passive-interface command stops the router from sending updates on the selected
interface, but the router continues listening and processing updates received from neighbors on
that interface. In EIGRP and OSPF, the passive-interface command prevents neighbor sessions
from being established on the selected interface. This stops not only routing updates from being
advertised, but it also suppresses incoming routing updates.
Note TTL security check needs to be enabled at both ends of the peering session, otherwise BGP
sessions will not be established.
The following configuration fragment shows how to enable OSPF MD5 neighbor authentication on an
IOS router.
! OSPF MD5 authentication
interface <interface>
ip ospf message-digest-key <key-id> md5 <key>
!
router ospf <process-id>
network <address> <wildcard> area <area-id>
area <area-id> authentication message-digest
The following configuration template shows the configuration of EIGRP MD5 neighbor authentication
on an IOS router. Note that EIGRP MD5 authentication is enabled on an interface or subinterface, and
once configured the router stops processing routing messages received from that interface or
subinterface until the peers are also configured for message authentication. This does interrupt routing
communications on your network.
key chain <chain-name>
key 1
key-string <key>
!
interface <interface>
ip authentication mode eigrp <as-number> md5
ip authentication key-chain eigrp <as-number> <chain-name>
!
router eigrp <as-number>
network <address>
!
The following example shows the configuration of BGP MD5 neighbor authentication on an IOS router.
Note that once BGP MD5 authentication is enabled for a peer, no peering session will be established
until the peer is also configured for message authentication. This interrupts routing communications on
your network.
router bgp <as-number>
no synchronization
bgp log-neighbor-changes
network <address>
neighbor <ip-address> remote-as <peer-as-number>
neighbor <ip-address> password <password>
!
In the following example, all interfaces running EIGRP are configured as passive, while the Serial 0
interface is enabled:
router eigrp 10
passive-interface default
no passive-interface Serial0
network 10.0.0.0
In Cisco IOS software, the TTL security check can be enabled per peer with the neighbor ttl-security
command:
router bgp as-number
neighbor ip-address ttl-security hops hop-count
Control Route Propagation
Route filtering is another important tool to secure the routing infrastructure. Most routing protocols
allow the configuration of route filters that prevent specific routes from being propagated throughout
the network. In terms of security, these filters are useful because they help ensure that only legitimate
networks are advertised; and networks that are not supposed to be propagated are never advertised (i.e.,
networks falling within the private address space (RFC 1918) should not be advertised out to the
Internet).
Route filtering can be divided into two forms: filtering of routing information exchanged between routing
peers, and filtering of the routing information exchanged between routing processes in the same router
as a result of redistribution. Both forms of route filtering are covered in this chapter.
• Implement peer prefix filtering at the edges—Implement inbound filters at the edges to ensure only
the expected routes are introduced into the network. Balance between higher control and the associated
operational burden. Deploy filters at the edges where invalid routing information is most likely to be
introduced, for example at the WAN edge. Controlling incoming routing updates at the WAN
edge not only mitigates the introduction of bogus routes at the branches, but it also prevents a dual
access branch from becoming a transit network.
• If route redistribution is required, enforce redistribution filters to strictly control which routes are
advertised. Implementing route redistribution filters helps contain the effects of the potential
injection of invalid routes, prevents loops, and helps maintain network stability.
• Enforce route filters at stub routers—At branches and remote locations with stub networks, enforce
route filters to prevent the propagation of invalid routing information.
• Neighbor logging—Enable the logging of status changes of neighbor sessions on all routers.
The following example illustrates the use of inbound filters at the WAN edge:
! Incoming route filter applied at the WAN edge that only allows the branch subnet.
!
router eigrp <as-number>
network <address>
distribute-list 39 in
!
access-list 39 permit <branch-subnet> <wildcard>
If using EIGRP, use the eigrp stub connected command to ensure propagation of directly connected
networks only:
router eigrp <as-number>
network <address>
eigrp stub connected
If using other protocols, use outbound filters:
! Outbound route filter applied at the branch router.
!
router ospf <process-id>
distribute-list 33 out
!
access-list 33 permit <branch-subnet> <wildcard>
The following example illustrates the use of a route-map with the redistribute command. In this
example, routes are being redistributed between EIGRP and RIP. Route map rip-to-eigrp prevents the
import of network 10.0.0.0/8 into EIGRP. Likewise, route map eigrp-to-rip prevents the import of
network 20.0.0.0/8 into RIP.
route-map rip-to-eigrp deny 10
match ip address 1
route-map rip-to-eigrp permit 20
!
route-map eigrp-to-rip deny 10
match ip address 2
route-map eigrp-to-rip permit 20
!
router eigrp 100
network 10.0.0.0
redistribute rip route-map rip-to-eigrp
!
router rip
network 20.0.0.0
redistribute eigrp 100 route-map eigrp-to-rip
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 20.0.0.0 0.255.255.255
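To make the route-map and ACL semantics above concrete, here is an added Python model (not Cisco's code) of IOS wildcard-mask matching, standard-ACL evaluation with its implicit deny, and route-map sequence walking, applied to the rip-to-eigrp and eigrp-to-rip maps and to an inbound distribute-list such as ACL 39. The branch subnet used for ACL 39 and the test prefixes are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Standard ACL entry: (action, address, wildcard); IOS wildcard bit 1 = don't care.
AclEntry = Tuple[str, str, str]
# Route-map sequence: (sequence number, action, ACL named by 'match ip address' or None).
RouteMapEntry = Tuple[int, str, Optional[List[AclEntry]]]


def _entry_matches(entry: AclEntry, prefix: str) -> bool:
    """IOS wildcard semantics: compare only the bits where the wildcard is 0."""
    _, address, wildcard = entry
    net = int(ipaddress.ip_network(prefix, strict=False).network_address)
    addr = int(ipaddress.IPv4Address(address))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (net & care) == (addr & care)


def acl_permits(acl: List[AclEntry], prefix: str) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for entry in acl:
        if _entry_matches(entry, prefix):
            return entry[0] == "permit"
    return False


def route_map_permits(route_map: List[RouteMapEntry], prefix: str) -> bool:
    """Walk sequences in order. A sequence with no match clause matches every
    route; a route that matches no sequence is dropped (implicit deny)."""
    for _seq, action, match_acl in sorted(route_map, key=lambda e: e[0]):
        if match_acl is None or acl_permits(match_acl, prefix):
            return action == "permit"
    return False


def filtered(route_map: List[RouteMapEntry], prefixes: List[str]) -> List[str]:
    """Prefixes that survive redistribution through route_map."""
    return [p for p in prefixes if route_map_permits(route_map, p)]


# The guide's redistribution example, expressed as data.
ACL_1 = [("permit", "10.0.0.0", "0.255.255.255")]
ACL_2 = [("permit", "20.0.0.0", "0.255.255.255")]
RIP_TO_EIGRP = [(10, "deny", ACL_1), (20, "permit", None)]
EIGRP_TO_RIP = [(10, "deny", ACL_2), (20, "permit", None)]

# WAN-edge 'distribute-list 39 in' with a constructed branch subnet.
ACL_39 = [("permit", "192.168.10.0", "0.0.0.255")]

if __name__ == "__main__":
    rip_routes = ["10.1.0.0/16", "10.200.0.0/16", "172.16.0.0/16"]
    eigrp_routes = ["20.5.0.0/16", "10.1.0.0/16", "192.168.1.0/24"]
    print("RIP -> EIGRP:", filtered(RIP_TO_EIGRP, rip_routes))
    print("EIGRP -> RIP:", filtered(EIGRP_TO_RIP, eigrp_routes))
    candidates = ["192.168.10.0/24", "0.0.0.0/0", "192.168.11.0/24"]
    print("WAN edge inbound:", [p for p in candidates if acl_permits(ACL_39, p)])
```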
Logging of Status Changes
Frequent neighbor status changes (up or down) and resets are common symptoms of network
connectivity and network stability problems that should be investigated. These symptoms may also
indicate ongoing attacks against the routing infrastructure. Logging the status changes of neighbor
sessions is a good practice that helps identify such problems and that facilitates troubleshooting. In most
routing protocols, status change message logging is enabled by default. When enabled, every time a
router session goes down, up, or experiences a reset, the router generates a log message. If syslog is
enabled, the message is forwarded to the syslog server; otherwise it is kept in the router’s internal buffer.
Status change message logging is disabled by default in BGP; to enable it, use the bgp
log-neighbor-changes router command. By default, EIGRP and OSPF log status changes. If disabled,
it can be re-enabled with the eigrp log-neighbor-changes router command for EIGRP and the
log-adjacency-changes router command for OSPF.
The following example logs neighbor changes for BGP in router configuration mode:
router bgp 10
bgp log-neighbor-changes
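As an added detection example (not from the guide), the following Python code parses the neighbor status messages that bgp log-neighbor-changes, eigrp log-neighbor-changes and log-adjacency-changes produce, and flags neighbors that went down repeatedly within a short window, which is the symptom the section above says to investigate. The syslog lines, the window and the threshold are constructed; the message layouts are assumed to follow the usual %BGP-5-ADJCHANGE, %OSPF-5-ADJCHG and %DUAL-5-NBRCHANGE formats.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed syslog lines (not captured from a real device) in the shape of the
# adjacency-change messages IOS emits when status-change logging is enabled.
SAMPLE_LOG = [
    "Jan 12 10:00:01 edge-rtr 101: %BGP-5-ADJCHANGE: neighbor 10.1.1.2 Down Peer closed the session",
    "Jan 12 10:00:45 edge-rtr 102: %BGP-5-ADJCHANGE: neighbor 10.1.1.2 Up",
    "Jan 12 10:01:30 edge-rtr 103: %BGP-5-ADJCHANGE: neighbor 10.1.1.2 Down BGP Notification sent",
    "Jan 12 10:02:10 edge-rtr 104: %BGP-5-ADJCHANGE: neighbor 10.1.1.2 Up",
    "Jan 12 10:03:00 edge-rtr 105: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.2 on GigabitEthernet0/1 "
    "from FULL to DOWN, Neighbor Down: Dead timer expired",
    "Jan 12 10:05:00 edge-rtr 106: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.3.3.3 "
    "(GigabitEthernet0/2) is down: holding time expired",
    "Jan 12 10:05:20 edge-rtr 107: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.3.3.3 "
    "(GigabitEthernet0/2) is up: new adjacency",
]

TIMESTAMP = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})")
PATTERNS = [
    ("BGP", re.compile(r"%BGP-5-ADJCHANGE: neighbor (\S+) (Up|Down)")),
    ("OSPF", re.compile(r"%OSPF-5-ADJCHG: .*Nbr (\S+) on \S+ from [A-Z0-9]+ to ([A-Z0-9]+)")),
    ("EIGRP", re.compile(r"%DUAL-5-NBRCHANGE: .*Neighbor (\S+) \(\S+\) is (up|down)")),
]

Event = Tuple[datetime, str, str, str]  # (time, protocol, neighbor, "up" | "down")


def parse_event(line: str) -> Optional[Event]:
    """Extract (time, protocol, neighbor, state), or None for unrelated lines."""
    ts = TIMESTAMP.match(line)
    if not ts:
        return None
    when = datetime.strptime(ts.group(1), "%b %d %H:%M:%S")  # year-less syslog stamp
    for proto, pattern in PATTERNS:
        hit = pattern.search(line)
        if hit:
            state = "down" if hit.group(2).lower() == "down" else "up"
            return when, proto, hit.group(1), state
    return None


def find_flapping(lines: List[str], window: timedelta = timedelta(minutes=10),
                  threshold: int = 2) -> Dict[Tuple[str, str], int]:
    """Map (protocol, neighbor) -> largest number of Down transitions observed
    inside any `window`, for the neighbors that reach `threshold`."""
    downs: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if event and event[3] == "down":
            downs[(event[1], event[2])].append(event[0])
    flapping: Dict[Tuple[str, str], int] = {}
    for key, times in downs.items():
        times.sort()
        for start in times:
            # Count the downs that fall inside [start, start + window].
            count = sum(1 for t in times if start <= t <= start + window)
            if count >= threshold:
                flapping[key] = max(flapping.get(key, 0), count)
    return flapping


if __name__ == "__main__":
    for (proto, nbr), n in find_flapping(SAMPLE_LOG).items():
        print(f"{proto} neighbor {nbr} went down {n} times within 10 minutes")
```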
Device Resiliency and Survivability Best Practices
Routers and switches may be subject to attacks designed to affect, or that indirectly affect, network
availability. Possible attacks include DoS based on unauthorized and authorized protocols, Distributed
DoS, flood attacks, reconnaissance, unauthorized access, and more. This section presents the following
collection of best practices intended to preserve the resiliency and survivability of routers and switches,
helping the network maintain availability even during the execution of an attack:
• Disable unnecessary services
• Infrastructure protection ACLs
• Control plane policing (CoPP)
• Port security
• Redundancy
Disable Unnecessary Services
To facilitate deployment, Cisco routers and switches come out of the box with a list of services turned
on that are considered appropriate for most network environments. However, since not all networks have
the same requirements, some of these services may not be needed and therefore can be disabled.
Disabling these unnecessary services has two benefits: it helps preserve system resources and eliminates
the potential of security exploits on the disabled services.
Note As an alternative, the Cisco IOS software provides the AutoSecure CLI command that helps
disable these unnecessary services, while enabling other security services.
Note Before disabling a service, ensure the service is not needed.
The following are some general best practices:
• Identify open ports—Use the show control-plane host open-ports command to see what UDP/TCP
ports the router is listening to and determine which services need to be disabled.
• Global services disabled by default—Unless explicitly needed, ensure finger, identification
(identd), and TCP and UDP small servers remain disabled on all routers and switches.
• Global services enabled by default—Unless explicitly needed, BOOTP, IP source routing, and PAD
services should be disabled globally on all routers.
• IP directed broadcast—Ensure directed broadcasts remain disabled on all interfaces.
• When to disable CDP—Disable CDP on interfaces where the service may represent a risk; for
example, on external interfaces such as those at the Internet edge, and data-only ports at the campus
and branch access.
• Access and externally facing ports—Unless required, disable MOP, IP redirects, and Proxy ARP on
all access and externally-facing interfaces. This typically includes access lines at campuses and
branches, and externally-facing ports such as those at the Internet edge.
The following is an example of the show control-plane host open-ports command:
cr18-7200-3#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:63771 172.26.150.206:49 IOS host service ESTABLIS
udp *:49 172.26.150.206:0 TACACS service LISTEN
udp *:67 *:0 DHCPD Receive LISTEN
cr18-7200-3#
Note The show control-plane host open-ports command was introduced in the Cisco IOS Release 12.3(4)T.
For earlier versions, use the show ip sockets command to identify open UDP ports, and the show tcp
brief all and show tcp tcb commands to see open TCP ports. For more information, refer to Chapter 5,
“Network Telemetry,” of the Network Security Baseline document at the following URL:
https://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap5.html#wp1057909
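As an added example (not from the guide), this Python snippet parses the show control-plane host open-ports output quoted above and reports listeners that are not on an expected list. The expected-listener set is a constructed policy (SSH, TACACS+ and DHCP), so the Telnet listener on tcp/23 is what gets flagged, matching the SSH-only access practice earlier in this chapter.

```python
import re
from typing import Dict, List, Set, Tuple

# The command output quoted in the guide, embedded here as sample input.
SAMPLE_OUTPUT = """\
cr18-7200-3#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:63771 172.26.150.206:49 IOS host service ESTABLIS
udp *:49 172.26.150.206:0 TACACS service LISTEN
udp *:67 *:0 DHCPD Receive LISTEN
cr18-7200-3#
"""

# proto, local, foreign, service (may contain spaces), state
ROW = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\S+)$")


def parse_open_ports(text: str) -> List[Dict[str, object]]:
    """Turn the table rows into dicts; prompt and header lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, local, foreign, service, state = m.groups()
        rows.append({
            "proto": proto,
            "local": local,
            "port": int(local.rsplit(":", 1)[1]),
            "foreign": foreign,
            "service": service,
            "state": state,
        })
    return rows


# Constructed policy: the only services this router is expected to listen on.
EXPECTED_LISTENERS: Set[Tuple[str, int]] = {("tcp", 22), ("udp", 49), ("udp", 67)}


def unexpected_listeners(text: str,
                         expected: Set[Tuple[str, int]] = EXPECTED_LISTENERS) -> List[Dict[str, object]]:
    """Listening sockets that are not covered by the expected set."""
    return [row for row in parse_open_ports(text)
            if row["state"] == "LISTEN" and (row["proto"], row["port"]) not in expected]


if __name__ == "__main__":
    for row in unexpected_listeners(SAMPLE_OUTPUT):
        print(f"unexpected listener: {row['proto']}/{row['port']} ({row['service']})")
```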
! Global Services disabled by default
no ip finger
no ip identd
no service tcp-small-servers
no service udp-small-servers
!
! Disable BOOTP, IP Source Routing and PAD global services
no ip source-route
no ip bootp server
no service pad
! Disable IP directed broadcasts on all interfaces
interface <interface>
no ip directed-broadcast
To ensure CDP is disabled on an interface, either use the show cdp interface command or check if the
interface configuration contains the no cdp enable command.
In the following example, CDP has been left enabled on interface FastEthernet 2/1, and it was explicitly
disabled on FastEthernet 2/0:
Router#show cdp interface FastEthernet 2/1
FastEthernet2/1 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
Router#show cdp interface FastEthernet 2/0
Router#
Router#sh run int fastEthernet 2/0
Building configuration...
Current configuration : 163 bytes
!
interface FastEthernet2/0
ip address 198.133.219.5 255.255.255.0
no cdp enable
end
! Disable MOP, IP Redirects, and Proxy ARP on access and externally-facing interfaces
interface <interface>
no mop enabled
no ip redirects
no ip proxy-arp
Infrastructure Protection ACLs (iACLs)
Infrastructure protection access control lists (iACLs) are an access control technique that shields the
network infrastructure from internal and external attacks. iACLs are based on extended ACLs and were
developed initially by Internet service providers (ISPs) to protect their network infrastructures, but they
use concepts that can be leveraged by enterprises as well.
In a nutshell, iACLs are extended ACLs designed to explicitly permit authorized control and
management traffic bound to the infrastructure equipment such as routers and switches, while denying
any other traffic directed to the infrastructure address space. For example, an iACL deployed at an ISP
peering edge is configured to explicitly permit BGP sessions from known peers, while denying any other
traffic destined to the ISP’s peering router as well as to the rest of the infrastructure address space.
iACLs are most useful when deployed at the network edges, where the infrastructure becomes accessible
to internal or external users; and at administrative borders, where equipment or links under different
administration meet. In an enterprise, iACLs may be deployed at the many network edges:
• WAN edge—Protecting the core infrastructure from possible threats coming from remote branch
offices and partner locations.
• Campus/Branch access—Protecting the infrastructure from possible attacks originated from the
LANs.
• Internet edge— Edge filters may be designed to function as an iACL to shield the infrastructure from
external threats.
While there is a common structure for building iACLs, the actual ACL entries will vary dramatically
depending on the environment. An iACL built without the proper understanding of the protocols and the
devices involved may end up being ineffective and may even result in a self-inflicted DoS condition.
For this reason, the best approach to building an iACL is to start with a discovery ACL to identify the
traffic patterns and not to control access. The iACL should only be enforced once the protocols and ports
legitimately used by the infrastructure are well understood. It is also recommended to start with a relaxed
iACL first, and then adjust the entries to make it more granular as the effects of the iACL are monitored.
Chapter 4 of the Network Security Baseline describes the iACL structure and recommended
methodology. Chapter 8 of this document provides a practical example of building an iACL from a
discovery ACL.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook.html
Control Plane Policing (CoPP)
Control Plane Policing (CoPP) is a security infrastructure feature that protects the control plane of
routers and switches by enforcing QoS policies that regulate the traffic processed by the main system
CPU (route or switch processor). With CoPP, these QoS policies are configured to permit, block, or
rate-limit the packets handled by the main CPU. This helps protect the control plane of routers and
switches from a range of attacks, including reconnaissance and direct DoS.
CoPP uses the modular QoS command-line interface (MQC) for its policy configuration. MQC allows
the separation of traffic into classes, and allows the user to define and apply distinct QoS policies to each
class. The QoS policies can be configured to permit all packets, drop all packets, or drop only those
packets exceeding a specific rate-limit.
CoPP is available on a wide range of Cisco platforms, which all deliver the same basic functionality.
However, CoPP has been enhanced on some platforms to use the benefits of the particular hardware
architectures. As a result, some platforms provide advanced forms of CoPP. Non-distributed platforms
implement a centralized software-based CoPP model, while some distributed platforms provide
enhanced versions of CoPP: distributed and hardware-based. In addition, as a result of the hardware
differences, CoPP protocol support may vary depending on the platform.
Similarly to iACLs, while there is a common structure for configuring CoPP classes, the actual traffic
classes and policers will vary dramatically depending on the environment. Implementing CoPP without the
proper understanding of the protocols and the devices involved may end up being ineffective and may
even result in a self-inflicted DoS condition. For this reason, the best approach to CoPP is to start with
a discovery ACL to identify the traffic classes. CoPP policies should only be enforced once the protocols
and ports legitimately used by the infrastructure are well understood. It is also recommended to start by
not enforcing any rate limits to each one of the traffic classes, and to configure them gradually as the
effects of CoPP are monitored.
Chapter 4 of the Network Security Baseline describes the CoPP structure and recommended
methodology.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook.html
Port Security
An attacker can mount a DoS attack against infrastructure devices by using MAC flooding to cause MAC
address table exhaustion, as well as other Layer-2 Content Addressable Memory (CAM) overflow
attacks. This type of attack can be addressed with a Cisco feature called Port Security. Port Security helps
mitigate MAC flooding and other Layer-2 CAM overflow attacks by restricting the MAC addresses that
are allowed to send traffic on a particular port. Once Port Security is enabled on a port, only packets with
a permitted source MAC address are allowed to pass through the port. A permitted MAC address is
referred to as a secure MAC address.
Port Security builds a list of secure MAC addresses in one of two ways, configurable on a per-interface
basis:
• Dynamic learning of MAC addresses—Defines a maximum number of MAC addresses that will be
learnt and permitted on a port. Useful for dynamic environments, such as at the access edge.
• Static configuration of MAC addresses—Defines the static MAC addresses permitted on a port.
Useful for static environments, such as a serverfarm, a lobby, or a Demilitarized Network (DMZ).
Typical deployment scenarios consist of the following:
• A dynamic environment, such as an access edge, where a port may have Port Security-enabled with
the maximum number of MAC addresses set to one, enabling only one MAC address to be
dynamically learnt at any one time, and a protect response action.
• A static, controlled environment, such as a serverfarm or a lobby, where a port may have Port
Security enabled with the server or lobby client MAC address statically defined and the more severe
response action of shutdown.
• A Voice-over-IP (VoIP) deployment, where a port may have Port Security enabled with the
maximum number of MAC addresses defined as three. One MAC address is required for the
workstation, and depending on the switch hardware and software one or two MAC addresses may
be required for the phone. In addition, it is generally recommended that the security violation action
be set to restrict so that the port is not entirely taken down when a violation occurs.
In Cisco IOS, Port Security can be enabled on an interface using the switchport port-security
command. The example below shows dynamic Port Security, restricted to two MAC addresses, being
applied to an interface with a security violation mode of restrict, such as may be deployed on a
VoIP-enabled port.
interface gigabitethernet0/1
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
The following example illustrates how a port can be restricted for use by only one specific host, with the
defined MAC address, such as may be employed in a lobby environment.
interface gigabitethernet0/2
switchport port-security maximum 1
switchport port-security mac-address 1000.2000.3000
switchport port-security violation restrict
switchport port-security
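As an added model (not Cisco's code), the following Python class simulates how a port-security interface admits source MAC addresses against its configured maximum and what each violation mode (protect, restrict, shutdown) does to the offending frame and to the port, using the two interface examples above: a three-address VoIP port in restrict mode and a one-address lobby port with a static MAC. The MAC addresses of the offending hosts are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class PortSecurityPort:
    """Model of 'switchport port-security' on one interface."""
    maximum: int = 1                                 # switchport port-security maximum
    violation: str = "shutdown"                      # protect | restrict | shutdown
    static: Set[str] = field(default_factory=set)    # switchport port-security mac-address
    learned: Set[str] = field(default_factory=set)   # dynamically learned secure MACs
    err_disabled: bool = False
    violations: int = 0
    log: List[str] = field(default_factory=list)

    def secure_macs(self) -> Set[str]:
        # Static and learned entries both count against the maximum.
        return self.static | self.learned

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded."""
        if self.err_disabled:
            return False                             # port is down until recovered
        if src_mac in self.secure_macs():
            return True
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)                # room left: learn it as secure
            return True
        # Table full and MAC unknown: this is a security violation.
        self.violations += 1
        if self.violation == "protect":
            return False                             # dropped silently, nothing logged
        if self.violation == "restrict":
            self.log.append(f"violation from {src_mac}, port stays up")
            return False
        self.log.append(f"violation from {src_mac}, port err-disabled")
        self.err_disabled = True                     # shutdown: the whole port goes down
        return False


def voip_port() -> PortSecurityPort:
    # interface gigabitethernet0/1: maximum 3, violation restrict
    return PortSecurityPort(maximum=3, violation="restrict")


def lobby_port() -> PortSecurityPort:
    # interface gigabitethernet0/2: maximum 1, static 1000.2000.3000, violation restrict
    return PortSecurityPort(maximum=1, violation="restrict", static={"1000.2000.3000"})


def scenario(port: PortSecurityPort, frames: List[str]) -> List[bool]:
    """Feed source MACs in order and return the forward/drop decision per frame."""
    return [port.receive(mac) for mac in frames]


if __name__ == "__main__":
    p = voip_port()
    print(scenario(p, ["0011.2233.4455", "0011.2233.4456", "0011.2233.4457", "dead.beef.0001"]))
    print(p.log, "err-disabled:", p.err_disabled)
```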
Redundancy
Networks are built out of numerous hardware and software components that may fail or that may be
subject to attacks. Implementing redundant designs helps eliminate single points-of-failure, improving
the availability of the network and making it more resistant to attacks. There are different ways one can
implement redundancy, from deploying simple backup interfaces up to building complete redundant
topologies. Certainly, making every single component redundant is costly; therefore, design redundancy
where most needed and according to the unique requirements of your network.
Cisco SAFE design blueprints are built with a wide range of options for redundancy:
• Backup and redundant interfaces
• Element redundancy—Use of redundant processors and modules.
• Standby devices—Active-standby and active-active failover, and first-hop redundancy protocols such as
HSRP, VRRP, and GLBP.
• Topological redundancy—Designs built with redundant paths at both network and data-link layers.
Network Telemetry Best Practices
In order to operate and ensure availability of a network, it is critical to have visibility and awareness into
what is occurring on the network at any given time. Network telemetry offers extensive and useful
detection capabilities that can be coupled with dedicated analysis systems to collect, trend, and correlate
observed activity.
Baseline network telemetry is both inexpensive and relatively simple to implement. This section
highlights the baseline forms of telemetry recommended for network infrastructure devices, including
the following:
• Time synchronization
• Local device traffic statistics
• System status information
• CDP best common practices
• Syslog
• SNMP
• ACL logging
• Accounting
• Archive configuration change logger
• Packet capture
More information on network telemetry and the critical role it plays in security can be found in the
whitepaper How to Build a Cisco Security Operations Center. This whitepaper provides an overview of
the principles behind security operations, along with guidance on how to build a security operations
center. The whitepaper is available at the following URL:
http://www.cisco.com/en/US/solutions/collateral/ns341/ns524/ns546/ns310/net_implementation_white_paper0900aecd80598c16.html
Time Synchronization (NTP)
Time synchronization is critical for event analysis and correlation, thus enabling NTP on all
infrastructure components is a fundamental requirement.
When implementing NTP, consider the following best common practices:
• Prefer a hierarchical NTP design versus a flat design. Hierarchical designs are preferred because
they are highly stable, scalable, and provide the most consistency. A good way to design a hierarchical
NTP network is by following the same structure as the routing architecture in place.
• Use a common, single time zone across the entire infrastructure to facilitate the analysis and
correlation of events.
• Control which clients and peers can talk to an NTP server, and enable NTP authentication.
NTP Design for Remote Offices
Branch offices are typically aggregated at one or more WAN edge routers that can be leveraged in the
NTP design. At the headquarters, there are likely internal time servers on a secured segment. Unless
there is an in-house atomic or GPS-based clock, these internal time servers will be synchronized with
external time sources. Following the routing design, the WAN edge routers may be configured as time
servers with a client/server relationship with the internal time servers, and the branch routers may be
configured as clients (non-time servers) with a client/server relationship with the WAN edge routers.
This design is depicted in Figure 2-1.
Figure 2-1 NTP Design for the WAN Edge and Remote Offices
NTP Design at the Headquarters
At the headquarters or main office, an existing OOB management network can be used. Transporting
NTP over the OOB network flattens and simplifies the design. In this scenario, all routers and switches
may be configured as clients (non-time servers) with a client/server relationship with the internal time
servers located at a secured segment. These internal time servers are synchronized with external time
sources. This design is illustrated in Figure 2-2.
Figure 2-2 NTP Design Leveraging an OOB Management Network
The following configuration fragments illustrate the configuration of NTP client:
! Enables timestamp information for debug messages
service timestamps debug datetime localtime show-timezone msec
!
! Enables timestamp information for log messages
service timestamps log datetime localtime show-timezone msec
!
! Sets the network-wide zone to GMT
clock timezone GMT 0
!
! To periodically update the hardware clock, if present
ntp update-calendar
!
! Sets source IP address
ntp source <interface>
!
! Defines servers
ntp server <ntp-server-1> key 10
ntp server <ntp-server-2> key 10
!
! Enables authentication
ntp authentication-key 10 md5 <key>
ntp trusted-key 10
ntp authenticate
The following configuration fragments illustrate the configuration of NTP server:
! Enables timestamp information for debug messages
service timestamps debug datetime localtime show-timezone msec
!
! Enables timestamp information for log messages
service timestamps log datetime localtime show-timezone msec
!
! Sets the network-wide zone to GMT
clock timezone GMT 0
!
! To periodically update the hardware clock, if present
ntp update-calendar
!
! Sets source IP address
ntp source <interface>
!
! Restrict the IP addresses of the servers and peers this server will communicate with.
access-list <ACL#1> remark ACL for NTP Servers and Peers
access-list <ACL#1> permit <server-or-peer-address>
!
ntp access-group peer <ACL#1>
!
! Restrict the IP addresses of the clients that can communicate with this server.
access-list <ACL#2> remark ACL for NTP Clients
access-list <ACL#2> permit <client-subnet> <wildcard>
access-list <ACL#2> deny any log
!
ntp access-group serve-only <ACL#2>
!
! Enables authentication
ntp authentication-key 10 md5 <key>
ntp trusted-key 10
ntp authenticate
!
! Defines server and peer
ntp server <upstream-server-address> key 10
ntp peer <peer-address> key 10
For more information on NTP design best practices, refer to Network Time Protocol: Best Practices
White Paper
http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml
Local Device Traffic Statistics
Local device statistics are the most basic and ubiquitous form of telemetry available. They provide
baseline information such as per-interface throughput and bandwidth statistics, enabled features and
global per-protocol traffic statistics.
In Cisco IOS, this information is accessed from the CLI. The format of a command output, as well as the
command itself and its options, vary by platform. It is important to review and understand these
differences. The most commonly used commands can be aliased to enable greater operational ease of
use.
Per-Interface Statistics
In Cisco IOS, per-interface statistics are available, which include throughput (pps) and bandwidth (bps)
information. Per-interface statistics can be accessed with the show interface command.
Cisco IOS routers are set by default to use a 5-minute decaying average for interface statistics. Setting
the decaying average to one-minute provides more granular statistics. The length of time for which data
is used to compute load statistics can be changed by using the load-interval interface configuration
command.
interface <interface>
load-interval 60
The Cisco IOS pipe command and its parsing options may also be used to target specific information in
the interface output. For example, to quickly view the one-minute input and output rates on an interface:
Router#show interface | include 1 minute
1 minute input rate 54307000 bits/sec, 17637 packets/sec
1 minute output rate 119223000 bits/sec, 23936 packets/sec
Note: High input or output rates over a period of a minute or so can be very helpful in detecting anomalous
behavior.
Clearing the interface counters is often necessary to see what is occurring in a particular instance.
However, ensure useful information is not being discarded prior to doing so. To clear interface counters:
Router#clear counters
Per-Interface IP Feature Information
In Cisco IOS, per-interface feature information provides information about the IP features configured on
an interface. In particular, this command is useful to identify the number or name of the ACL being
enforced, in order to check the ACL counter hits. Per-interface feature information can be accessed with
the show ip interface command:
Router#show ip interface
The show ip interface command also provides per-interface uRPF dropped packet statistics. The Cisco
IOS pipe command and its parsing options can be used to quickly access this information, as shown
below.
Router#show ip interface | include 1 verification
Router#show ip interface FastEthernet 2/0| include verification
IP verify source reachable-via ANY
794407 verification drops
1874428129 suppressed verification drops
Global IP Traffic Statistics
In Cisco IOS, global IP statistics provide a lot of useful information, including per-protocol counts for
ICMP, TCP, UDP, and multicast traffic. Global IP traffic statistics can be accessed with the show ip
traffic command. This command is very useful for general troubleshooting, as well as for detecting
anomalies.
Router#show ip traffic
The show ip traffic command also provides global uRPF dropped packet statistics. The Cisco IOS pipe
command and its parsing options may be used to quickly access this information, as shown below.
Router#show ip traffic | include RPF
0 no route, 124780722 unicast RPF, 0 forced drop
System Status Information
Memory, CPU and Processes
A basic indication of a potential issue on a network infrastructure device is high CPU. In Cisco IOS,
information about CPU utilization over a 5-second, 1-minute, and 5-minute window is available with the
command show processes cpu.
The Cisco IOS pipe command and its parsing options may be used to exclude information which is not
consuming any CPU.
Router#show processes cpu | exclude 0.00%__0.00%__0.00%
CPU utilization for five seconds: 38%/26%; one minute: 40%; five minutes: 43%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
5 192962596 13452649 14343 0.00% 0.52% 0.44% 0 Check heaps
15 4227662201540855414 274 0.65% 0.50% 0.49% 0 ARP Input
26 2629012683680473726 71 0.24% 0.29% 0.36% 0 Net Background
50 9564564 11374799 840 0.08% 0.07% 0.08% 0 Compute load avg
51 15291660 947844 16133 0.00% 0.03% 0.00% 0 Per-minute Jobs
58 15336356 92241638 166 0.08% 0.02% 0.00% 0 esw_vlan_stat_pr
67 10760516 506893631 21 0.00% 0.01% 0.00% 0 Spanning Tree
68 31804659682556402094 1244 7.02% 7.04% 7.75% 0 IP Input
69 25488912 65260648 390 0.00% 0.03% 0.00% 0 CDP Protocol
73 16425564 11367610 1444 0.08% 0.02% 0.00% 0 QOS Stats Export
81 12460616 1020497 12210 0.00% 0.02% 0.00% 0 Adj Manager
82 442430400 87286325 5068 0.65% 0.73% 0.74% 0 CEF process
83 68812944 11509863 5978 0.00% 0.09% 0.11% 0 IPC LC Message H
95 54354632 98373054 552 0.16% 0.12% 0.13% 0 DHCPD Receive
96 61891604 58317134 1061 1.47% 0.00% 4.43% 0 Feature Manager
A high CPU utilization value for the IP Input process is a good indicator that traffic ingressing or
egressing the device is contributing meaningfully to the CPU load. The proportion of process-driven
versus interrupt-driven traffic is also important.
Understanding the network devices deployed in your network and their normal status is key to
establishing a baseline, from which anomalies may be detected.
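The baseline check described above, written out as an added example that is not part of the guide: it parses show processes cpu output, separates interrupt-level from process-level CPU in the "38%/26%" summary, and reports processes whose 5-minute average exceeds a site baseline. The sample output is constructed from the lines shown in the guide and the 1.0% threshold is an assumed baseline.

```python
"""Parse 'show processes cpu' output and flag processes above a baseline.

Added example, not from the Cisco SAFE guide. The sample output below is
constructed from the lines shown in the guide; the threshold value is an
assumption that would normally come from a per-device baseline.
"""
import re

SAMPLE = """\
CPU utilization for five seconds: 38%/26%; one minute: 40%; five minutes: 43%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
5 192962596 13452649 14343 0.00% 0.52% 0.44% 0 Check heaps
15 4227662201540855414 274 0.65% 0.50% 0.49% 0 ARP Input
68 31804659682556402094 1244 7.02% 7.04% 7.75% 0 IP Input
82 442430400 87286325 5068 0.65% 0.73% 0.74% 0 CEF process
96 61891604 58317134 1061 1.47% 0.00% 4.43% 0 Feature Manager
"""

# "38%/26%" is total CPU / time spent at interrupt level (hardware- or
# CEF-switched traffic); the difference is process-level CPU, which is where
# punted traffic such as the IP Input process shows up.
UTIL_RE = re.compile(
    r"five seconds:\s*(\d+)%/(\d+)%;\s*one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%"
)
# Anchor on the three percentage columns; the Runtime/Invoked columns in the
# guide's listing are sometimes fused together, so they are not relied on.
PROC_RE = re.compile(
    r"^\s*(\d+)\s+.*?\s(\d+\.\d+)%\s+(\d+\.\d+)%\s+(\d+\.\d+)%\s+(\d+)\s+(.+?)\s*$"
)


def parse_utilization(output):
    """Return the summary line as a dict, including the derived process-level share."""
    m = UTIL_RE.search(output)
    if not m:
        raise ValueError("no CPU utilization summary found")
    total, interrupt, one_min, five_min = (int(x) for x in m.groups())
    return {
        "total_5s": total,
        "interrupt_5s": interrupt,
        "process_5s": total - interrupt,
        "one_min": one_min,
        "five_min": five_min,
    }


def parse_processes(output):
    """Return one dict per process row (PID, name, 5s/1min/5min percentages)."""
    rows = []
    for line in output.splitlines():
        m = PROC_RE.match(line)
        if m:
            rows.append({
                "pid": int(m.group(1)),
                "five_sec": float(m.group(2)),
                "one_min": float(m.group(3)),
                "five_min": float(m.group(4)),
                "name": m.group(6),
            })
    return rows


def processes_over(output, column="five_min", threshold=1.0):
    """Names of processes whose chosen column exceeds the baseline, highest first."""
    hot = [r for r in parse_processes(output) if r[column] > threshold]
    hot.sort(key=lambda r: r[column], reverse=True)
    return [r["name"] for r in hot]


if __name__ == "__main__":
    util = parse_utilization(SAMPLE)
    print(f"total {util['total_5s']}%, interrupt {util['interrupt_5s']}%, "
          f"process-level {util['process_5s']}%")
    print("above baseline (5 min):", processes_over(SAMPLE))
```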
Memory and CPU Threshold Notifications
Cisco IOS offers the ability to send a notification upon CPU and memory thresholds being exceeded:
• Memory threshold—Enable memory threshold syslog notification to alert when available free
memory falls below recommended levels. A good practice is to set the free memory threshold to
10 percent of the total memory. Use the show memory command to see the total memory and
available free memory.
• Enable critical system logging protection—When a router is overloaded by processes, the amount
of available memory might fall to levels insufficient for it to issue critical notifications. Reserve a
region of 1000 Kilobytes of memory to be used by the router for the issuing of critical notifications.
• Enable CPU threshold SNMP trap notification—Increases in CPU load on routers and switches
often indicate an event is taking place, therefore enabling the notification of high CPU conditions is
always recommended. However, keep in mind that high CPU is not always an indicator of malicious
activity, and other sources of information should be considered.
The following configuration fragment illustrates the above concepts:
Router#show memory
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 6572AD00 915231348 27009876 888221472 374721396 361583220
I/O C000000 67108864 5856500 61252364 61233808 61232028
…
Router#
The total system processor memory is 915,231,348 bytes, so the processor threshold is set to 91,523
Kilobytes. The total system I/O memory is 67,108,864 bytes, therefore the threshold is set to 6,710
Kilobytes:
memory free low-watermark processor 91523
memory free low-watermark io 6710
memory reserve critical 1000
snmp-server enable traps cpu threshold
snmp-server host traps cpu
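The watermark arithmetic above, reproduced as an added example that is not part of the guide: it parses the pool lines of show memory, derives the 10 percent low-watermark values in kilobytes, and also checks whether a pool's recorded lowest free memory has already dipped under the proposed watermark (a threshold that would alert under normal load). The sample is constructed from the guide's show memory listing.

```python
"""Derive 'memory free low-watermark' values from 'show memory' output.

Added example, not from the Cisco SAFE guide. It reproduces the guide's
arithmetic: each watermark is 10 percent of the pool's total memory, expressed
in kilobytes of 1000 bytes (the convention the guide's figures imply). The
sample output is constructed from the guide's show memory listing.
"""
import re

SHOW_MEMORY = """\
Router#show memory
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 6572AD00 915231348 27009876 888221472 374721396 361583220
I/O C000000 67108864 5856500 61252364 61233808 61232028
"""

# pool name, head address (hex), then Total/Used/Free/Lowest/Largest in bytes
POOL_RE = re.compile(
    r"^(Processor|I/O)\s+[0-9A-Fa-f]+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
)


def parse_pools(output):
    """Return {pool: {'total', 'used', 'free', 'lowest'}} in bytes for each pool."""
    pools = {}
    for line in output.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            total, used, free, lowest = (int(x) for x in m.groups()[1:5])
            pools[m.group(1)] = {"total": total, "used": used,
                                 "free": free, "lowest": lowest}
    return pools


def low_watermark_kb(total_bytes, percent=10):
    """Watermark in KB: 'percent' of the total, truncated, with 1 KB = 1000 bytes."""
    return total_bytes * percent // 100 // 1000


def threshold_config(output, reserve_kb=1000):
    """Build the IOS configuration lines the guide derives from show memory."""
    pools = parse_pools(output)
    return [
        f"memory free low-watermark processor {low_watermark_kb(pools['Processor']['total'])}",
        f"memory free low-watermark io {low_watermark_kb(pools['I/O']['total'])}",
        f"memory reserve critical {reserve_kb}",
    ]


def pools_below_watermark(output, percent=10):
    """Pools whose recorded lowest free memory is already under the watermark.

    Such a pool would trigger the notification during normal operation, so the
    watermark (or the device's workload) needs a second look before deploying.
    """
    return [
        name for name, p in parse_pools(output).items()
        if p["lowest"] < low_watermark_kb(p["total"], percent) * 1000
    ]


if __name__ == "__main__":
    print("\n".join(threshold_config(SHOW_MEMORY)))
    print("pools already below watermark:", pools_below_watermark(SHOW_MEMORY))
```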
System Logging (Syslog)
Syslog provides invaluable operational information, including system status, traffic statistics, and device
access information. For this reason, syslog is recommended on all network devices.
Follow these practices when enabling syslog:
Step 1 Enable timestamps for debugging and logging messages. Adding timestamps to messages facilitates
analysis and correlation.
Step 2 Enable system message logging to a local buffer. This allows accessing the logging information directly
from the router or switch in case of communication failure with the syslog server. It is important to note
that local buffers are circular in nature so that newer messages overwrite older messages after the buffer
is filled.
Step 3 Set the severity level of messages to be logged. Messages at or numerically lower than the specified level
are logged. With respect to the severity level, the more information is logged the better; therefore,
logging messages of all severity levels would be ideal. However, this may result in an overwhelming
volume of messages. A good practice is to enable more detailed logging on critical systems or systems
that may be more accessible to external or remote users, such as equipment on the Internet and WAN edges,
and only log critical alerts for the rest of the infrastructure.
Step 4 Set the source IP address of syslog messages to the address of an administrative loopback interface or
OOB interface.
Step 5 Disable the logging of messages to the console. This helps keep the console free of messages.
! Enable timestamps for debugging and logging messages.
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!
! Enable system message logging to a local buffer.
logging buffered
!
! Logging for critical equipment.
logging trap informational
logging rate-limit 1 except 3
!
! Logging for non-critical equipment.
logging trap critical
!
! Define the syslog servers to be used.
logging facility
!
! Set the source IP address of syslog messages.
! logging source-interface
SNMP
SNMP provides a standardized framework and a common language used for the monitoring and
management of devices in a network. It provides valuable system and event information, therefore it
should be enabled throughout the network infrastructure.
In case SNMP access is not required, make sure it is disabled. The no snmp-server command disables
all running versions of SNMP (SNMPv1, SNMPv2C, and SNMPv3) on the device.
When SNMP is required, follow these best practices:
Step 1 Restrict what systems can access the SNMP agent running on the router or switch. Be as specific as
possible, for instance, only permitting access from the SNMP management stations.
Step 2 If using SNMPv3 (recommended), enforce an SNMP view that restricts the download of full IP routing
and ARP tables.
Step 3 If SNMPv3 is supported, enable only SNMPv3, with the maximum security level supported by the
SNMP managers, using encrypted communication (priv) where feasible. The engine ID of an SNMPv3
SNMP manager is required in order to enable SNMPv3.
Step 4 Set the source IP address for SNMP traps to the address used on the administrative loopback interface
or OOB interface.
The following configuration example is for SNMPv1 restricting access to read-only and from a single
SNMP host. For SNMPv3 configuration, refer to the Network Security Baseline.
access-list remark ACL for SNMP access to device
access-list permit
access-list deny any log
snmp-server community RO
Network Policy Enforcement Best Practices
Baseline network policy enforcement is primarily concerned with ensuring that traffic entering a
network conforms to the network policy, including the IP address range and traffic types. Anomalous
packets should be discarded as close to the edge of the network as possible, thereby minimizing the risk
of exposure.
This section highlights the key steps to implementing baseline network policy enforcement, including
the following:
• Access edge filtering
• IP spoofing protection
Access Edge Filtering
Network Security Baseline is focused on securing the network infrastructure itself, the control and
management planes. Access edge filtering in this context is implemented to enforce policy on what
traffic is permitted to be directed towards the network infrastructure devices themselves.
In Cisco IOS, access edge filtering for the control and data planes is achieved using ACLs developed to
protect the infrastructure. These are referred to as infrastructure protection ACLs (iACLs). For details
about iACLs, refer to the “Infrastructure Protection ACLs (iACLs)” section on page 2-14.
IP Spoofing Protection
Spoofing protection involves discarding traffic that has an invalid source address. Network security
baseline includes source IP spoofing protection based on BCP38/RFC 2827 ingress traffic filtering.
Packets with spoofed source IP addresses represent a security risk as they are often used to conduct an
attack, in order to evade traceability and bypass access controls. They may also be used to direct an
attack at a spoofed source, something known as a reflection attack.
Spoofed traffic with an invalid source IP address may include traffic from either of the following:
• RFC1918, DSUA or non-allocated IP address range
• Valid IP network address range, but not originating from the associated legitimate network
Implementing BCP38/RFC 2827 ingress traffic filtering to address source IP address spoofing renders
the use of invalid source IP addresses ineffective, forcing attacks to be initiated from valid, reachable IP
addresses. This is beneficial since it enables greater success in tracing the originator of an attack.
Cisco offers the following techniques for BCP38 ingress traffic filtering:
• Access Control Lists (ACLs)
ACLs are the traditional technique for filtering forged source IP addresses. However, ACLs are not
dynamic in nature, requiring manual configuration changes, and may have an impact on the
performance of a device. It is thus recommended that ACLs are used only in a limited manner, as a
complement to uRPF, for strict, static policies, such as filtering RFC 1918, DSUA and non-allocated
IP addresses. They may also be used to complement uRPF loose mode for source IP address
spoofing protection when uRPF strict mode is not possible. Chapter 6, “Enterprise Internet Edge”
and Chapter 7, “Enterprise WAN Edge” provide the guidelines for edge ACLs designed for IP
spoofing protection.
• uRPF
uRPF offers a dynamic technique for enabling BCP38/RFC 2827 ingress traffic filtering, discarding
packets with invalid source IP addresses based on a reverse-path look-up. Its dynamic nature
provides the key advantages of offering minimal operational overhead and a scalable, timely
enforcement technique. In addition, uRPF generally introduces minimal performance impact to a
device on which it is enabled. uRPF is typically deployed as an edge technology in order to be most
effective, minimizing the valid IP address space range and enforcing the discard of anomalous
packets as close to their origin as possible.
• IP Source Guard
This feature is used in switched environments to prohibit the use of forged MAC and source IP
addresses. This feature is deployed on Layer-2 switching devices and is primarily designed for
DHCP segments. Hosts with static address may also be supported, though additional operational
complexity is introduced by doing so.
• DHCP Secured IP Address Assignment and DHCP Authorized ARP
These Cisco IOS features are available on routers supported on the T-train and offer similar
functionality in a routing environment as IP Source Guard in a switching environment. They are used
in routed environments where the local router is also the local DHCP server to prohibit the use of
forged MAC and source IP addresses
Deploying uRPF at the Internet edge as shown in the following example:
! Configure uRPF strict mode on the internal interfaces
interface
ip verify unicast source reachable-via rx
!
! Configure uRPF loose mode on Internet facing interfaces
interface
ip verify unicast source reachable-via any
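A model of the two uRPF modes deployed above, as an added example that is not part of the guide: strict mode (reachable-via rx) drops a packet unless the best route back to its source points out the ingress interface, while loose mode (reachable-via any) drops it only when no route to the source exists at all. The forwarding table, interface names and packet sources are constructed; the default route is ignored for verification, as IOS does without the allow-default keyword. The last constructed packet shows why the guide pairs loose mode on the Internet edge with ACLs: an internal source address arriving from the Internet still has a route and is forwarded.

```python
"""Model of Cisco IOS uRPF strict ('rx') and loose ('any') mode decisions.

Added example, not from the Cisco SAFE guide. The forwarding table,
interface names and packet sources are constructed for illustration. As in
IOS without the allow-default keyword, the default route is not used for
reverse-path verification.
"""
import ipaddress

# Constructed forwarding table: prefix -> egress interface.
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "GigabitEthernet0/1",      # internal site A
    ipaddress.ip_network("10.2.0.0/16"): "GigabitEthernet0/2",      # internal site B
    ipaddress.ip_network("198.51.100.0/24"): "GigabitEthernet0/0",  # external block via Internet
    ipaddress.ip_network("0.0.0.0/0"): "GigabitEthernet0/0",        # default route to the Internet
}

# ip verify unicast source reachable-via rx|any, per interface, as the guide deploys it.
URPF_MODE = {
    "GigabitEthernet0/1": "rx",   # strict on internal interfaces
    "GigabitEthernet0/2": "rx",
    "GigabitEthernet0/0": "any",  # loose on the Internet-facing interface
}


def reverse_path(src):
    """Longest-prefix match on the source address, ignoring the default route."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES.items():
        if prefix.prefixlen == 0 or addr not in prefix:
            continue
        if best is None or prefix.prefixlen > best[0].prefixlen:
            best = (prefix, iface)
    return None if best is None else best[1]


def urpf_check(src, ingress):
    """Return 'forward' or 'drop' for a packet with source src arriving on ingress."""
    mode = URPF_MODE.get(ingress)
    if mode is None:
        return "forward"          # uRPF not configured on this interface
    egress = reverse_path(src)
    if egress is None:
        return "drop"             # no route back to the source: both modes drop
    if mode == "rx" and egress != ingress:
        return "drop"             # strict: best path to the source is another interface
    return "forward"              # loose: any route suffices; strict: route matches ingress


def demo():
    """Constructed packets, returned as (source, ingress, decision) tuples."""
    packets = [
        ("10.1.5.5", "GigabitEthernet0/1"),      # legitimate site A host
        ("10.2.0.7", "GigabitEthernet0/1"),      # site B address on the site A link: spoofed
        ("203.0.113.9", "GigabitEthernet0/1"),   # no specific route: spoofed
        ("198.51.100.4", "GigabitEthernet0/0"),  # routed external source
        ("192.0.2.1", "GigabitEthernet0/0"),     # unrouted source from the Internet
        ("10.1.5.5", "GigabitEthernet0/0"),      # internal address from the Internet: loose mode
                                                 # forwards it, hence the complementary edge ACL
    ]
    return [(s, i, urpf_check(s, i)) for s, i in packets]


if __name__ == "__main__":
    for src, iface, decision in demo():
        print(f"{src:>14} on {iface} ({URPF_MODE[iface]}): {decision}")
```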
Switching Infrastructure Best Practices
Baseline switching security is concerned with ensuring the availability of the Layer-2 switching
network. This section highlights the key steps to securing and preserving the switching infrastructure,
including the following:
• Restrict broadcast domains
• Spanning Tree Protocol (STP) security
• Port Security
• VLAN best common practices
Restrict Broadcast Domains
By definition, LAN switches are responsible for forwarding unknown frames, multicast frames and
broadcast frames throughout the LAN segment, forming a broadcast domain. While broadcast domains
facilitate Layer-2 connectivity between systems on a LAN segment, designing networks with
unnecessarily large broadcast domains has potential drawbacks.
First, in large networks, the flooding of unknown, multicast and broadcast frames may degrade
performance, even to the point of breaking connectivity. In addition, a broadcast domain defines a failure
domain, whereby typically all systems and switches on the same LAN segment suffer during a failure.
Therefore, the larger the broadcast domain, the bigger the impact of a failure. Finally, larger broadcast
domains increase the chances of security incidents.
To avoid the challenges described above, it is a good practice to segment broadcast domains into multiple
IP subnets or VLANs using a hierarchical design. The use of hierarchical design principles provides the
foundation for implementing scalable and reliable LANs. A hierarchical design like the one proposed in
the campus design helps restrict the size of broadcast domains, improving convergence, easing
deployments, and reducing the scope of failure domains. This is done by isolating a VLAN to a single
wiring closet or single switch.
Spanning Tree Protocol Security
STP is a link management protocol, defined in the IEEE 802.1D, for bridged networks. STP provides
path redundancy while preventing undesirable loops in networks consisting of multiple active paths.
STP is a useful protocol but, unfortunately, the existing versions of the protocol were conceived with no
security in mind and, as a result, are vulnerable to several types of attacks. STP does not implement
any authentication or encryption to protect the exchange of BPDUs. Because of the lack of
authentication, anyone can speak to an STP-enabled device. An attacker could very easily inject bogus
BPDUs, triggering a topology recalculation. A forced change to the STP topology could lead to a denial
of service condition, or leave the attacker as a man-in-the-middle. In addition, because BPDUs are not
encrypted, it is fairly simple to intercept BPDUs in transit, revealing important topology information.
STP introduces some security risks but, in topologies where a loop-free design is not possible, STP
should be used along with the Cisco features developed to address its risks. Not using STP would result
in a loop becoming another attack vector.
Cisco IOS offers a number of features that help protect bridged networks using STP against the common
attacks. The following are the recommended best practices:
• Disable dynamic trunk negotiation (DTP) on user ports
• Use Per-VLAN Spanning Tree (PVST)
• Configure BPDU Guard
• Configure STP Root Guard
• Disable unused ports and put them into an unused VLAN
• Implement Port Security
• Enable traffic storm control
! Disable dynamic trunking on all switching access lines
interface type slot/port
switchport mode access
!
! Enable BPDU guard on end user ports and other ports not expected to participate in
! Spanning Tree
interface type slot/port
spanning-tree portfast
spanning-tree bpduguard enable
!
! In some switching platforms interfaces are enabled by default. It is a good practice to
! disable all unused ports and place them into an unused VLAN
interface type slot/port
shutdown
switchport access vlan
Port Security
Port Security helps mitigate MAC flooding and other Layer-2 CAM overflow attacks by restricting the
MAC addresses that are allowed to send traffic on a particular port. Port Security is covered in more
detail in the “Device Resiliency and Survivability Best Practices” section on page 2-12.
VLAN Best Common Practices
VLAN hopping is an attack vector which provides a client with unauthorized access to other VLANs on
a switch. This type of attack can be easily mitigated by applying the following best common practices:
• Always use a dedicated VLAN ID for all trunk ports
• Disable all unused ports and put them in an unused VLAN
• Do not use VLAN 1 for anything
• Configure all user-facing ports as non-trunking (DTP off)
• Explicitly configure trunking on infrastructure ports
• Use all tagged mode for the native VLAN on trunks
• Set the default port status to disable
Threats Mitigated in the Infrastructure
Table 2-1 Infrastructure Threat Mitigation Features
Threat columns: Botnets | DoS on Infrastructure | DDoS on Infrastructure | Unauthorized Access | Intrusions | Routing Protocol Attacks | L2 Attacks | Visibility | Control
AAA: Yes Yes Yes Yes
SNMP Authentication: Yes Yes Yes Yes
SSH: Yes Yes Yes Yes
Strong Password Policy: Yes Yes Yes
Session ACLs: Yes Yes Yes Yes Yes Yes
Router Neighbor Authentication: Yes Yes Yes Yes
Route Filtering: Yes Yes Yes Yes
iACL: Yes Yes Yes Yes Yes Yes Yes Yes
CoPP: Yes Yes Yes Yes Yes Yes Yes Yes
System and Topological Redundancy: Yes Yes Yes Yes Yes Yes
Chapter 3 Enterprise Core
The core is the piece of the network infrastructure that glues all the other modules together. The core is
a high-speed infrastructure whose objective is to provide a reliable and scalable Layer-2/Layer-3
transport. It routes and switches traffic as fast as possible from one network module to another such as
campuses, data center, WAN edge, and Internet edge.
The core network is not expected to provide end customer services by itself. Rather, it is a building block
used to enable other modules within the network to provide these services to the end devices. External
IP traffic is never destined to the core network infrastructure. Generally, the only packets destined to
these devices are internal control and management traffic generated by other network elements or
management stations within the same administrative domain.
Key Threats in the Core
The following are some of the threat vectors affecting the enterprise core:
• Service disruption—DoS and DDoS attacks on the infrastructure.
• Unauthorized access—Intrusions, unauthorized users, escalation of privileges, unauthorized access
to restricted infrastructure, and routing protocol attacks.
• Data disclosure and modification—Packet sniffing, man-in-the-middle (MITM) attacks of data
while in transit.
Enterprise Core Design
The core module in the SAFE architecture is nearly identical to the core module of any other network
architecture. Standard implementation guidelines were followed in accordance with the core,
distribution, and access layer deployments commonly seen in well-designed Cisco-based networks. It is
implemented with redundant switches that aggregate the connections from the various places in the
network (PINs) such as campuses, data centers, WAN edge, and Internet edge as shown in Figure 3-1.
Figure 3-1 Enterprise Core Topology
Design Guidelines for the Core
The primary role of security in the enterprise core module is to protect the core itself, not to apply policy
to mitigate transit threats traversing through the core. Such threats should be filtered at the network edge
or within other network modules to mitigate transit attack traffic from adversely affecting authorized
transit traffic. A well designed network edge security policy will greatly limit the exposure of the
network core to attacks. However, human error, misconfiguration, change management, and exception
cases dictate that core security mechanisms must be defined and deployed in support of the
defense-in-depth principles. These core policies help to mitigate the risk to the core if edge policies are
inadvertently bypassed.
Effective core security demands the implementation of various security measures in a layered approach
and guided under a common strategy. These measures include enabling security at the edge and within
the networks connecting to the core and securing the core switches themselves. The core switches are
secured following the infrastructure baseline security principles explained in Chapter 2, “Network
Foundation Protection.” This includes restricting and controlling administrative device access, securing
the routing infrastructure, and protecting the management and control planes.
For complete details on implementing and monitoring infrastructure baseline security best practices
including configuration examples, refer to Chapter 2, “Network Foundation Protection.” The following
summarizes the baseline security best practices specific to securing the enterprise core infrastructure. It
lists techniques for securing the control and management planes, providing a strong foundation on which
more advanced methods and techniques can subsequently be built.
The following are the key areas of the Network Foundation Protection (NFP) baseline security best
practices applicable to securing the enterprise core:
• Infrastructure device access—Implement dedicated management interfaces to the out-of-band
(OOB) management network [1], limit the accessible ports and restrict the permitted communicators
and the permitted methods of access, present legal notification, authenticate and authorize access
using AAA, log and account for all access, and protect locally stored sensitive data (such as local
passwords) from viewing and copying.
• Routing infrastructure—Authenticate routing neighbors, implement route filtering, use default
passive interfaces, and log neighbor changes.
• Device resiliency and survivability—Disable unnecessary services, filter and rate-limit
control-plane traffic, and implement redundancy.
[Figure 3-1 shows the redundant core switches connecting the Campus, Data Center, WAN Edge, and Internet Edge modules.]
1. For more information on implementing an OOB management network, refer to Chapter 9, “Management.”
• Network telemetry—Implement NTP to synchronize time to the same network clock; maintain
device global and interface traffic statistics; maintain system status information (memory, CPU, and
process); and log and collect system status, traffic statistics, and device access information.
Threats Mitigated in the Core
Table 3-1 summarizes the techniques used by the SAFE architecture design to mitigate threats to the
enterprise core infrastructure.
Table 3-1 Core Threat Mitigation Features
Threat columns: DoS on Infrastructure | DDoS on Infrastructure | Unauthorized Access | Intrusions | Routing Protocol Attacks | Botnets | Visibility | Control
System and Topological Redundancy: Yes Yes Yes Yes Yes
Disabling Unneeded Services: Yes Yes Yes Yes Yes Yes
Strong Password Policy: Yes Yes Yes
AAA: Yes Yes Yes Yes
SSH: Yes Yes Yes
SNMP Authentication: Yes Yes Yes Yes
Session ACLs: Yes Yes Yes Yes Yes Yes
Router Neighbor Authentication: Yes Yes Yes Yes
CoPP: Yes Yes Yes Yes Yes Yes Yes
NetFlow, Syslog: Yes
Chapter 4 Intranet Data Center
The Intranet data center houses most of the critical applications and data for the enterprise. Refining the
Intranet data center is an act of constant planning. The infrastructure design, power and cooling, cabling,
and location must all be carefully thought out.
Security is often seen as an add-on service. In reality, security should be considered as part of the core
infrastructure requirements. Because a key responsibility of security for the data center is to maintain
the availability of services, the ways in which security affects traffic flows, scalability, and failures must
be carefully considered.
The goal of this chapter is to provide guidelines for integrating security services into Cisco
recommended data center architectures.
This chapter will focus on three areas of data center security: isolation; policy enforcement; and
visibility. These are described briefly in the summaries that follow:
• Isolation—Isolation can provide the first layer of security for the data center and server farm.
Depending on the goals of the design it can be achieved through the use of firewalls, access lists,
VLANs, virtualization, and physical separation. A combination of these can provide the appropriate
level of security enforcement to the server farm applications and services.
• Policy Enforcement—There is no shortage of traffic flows, protocols, and ports
required to operate within the data center. Traffic flows can be sourced from a variety of locations,
including client to server requests, server responses to requests, server originated traffic, and
server-to-server traffic. Because of the amount of traffic flows and the variety of sources, policy
enforcement in the data center requires a considerable amount of up-front planning. Couple this with
a virtualized environment, and the challenges of policy enforcement and visibility become greater.
• Visibility—Data centers are becoming very fluid in the way they scale to accommodate new virtual
machines and services. Server virtualization and technologies such as VMotion allow new servers
to be deployed and to move from one physical location to another with little requirement for manual
intervention. When these machines move and traffic patterns change, this can create a challenge for
security administrators to maintain visibility and ensure security policy enforcement.
The security services described in this document have been integrated into the architecture with these
areas in mind. Since security models can differ depending on the business goals of the organization,
compliance requirements, the server farm design, and the use of specific features (such as device
virtualization), there is no magic blueprint that covers all scenarios. However, the basic principles
introduced here for adding security to the data center architecture can hold true for a variety of scenarios.
In addition, virtualization is driving change in the way data centers are being architected. Server
virtualization is becoming a prevalent tool for consolidation, power savings, and cost reduction. It is also
creating new challenges for infrastructure and security teams to be able to provide consistent levels of
isolation, monitoring, and policy enforcement—similar to what is available for physical servers and
systems today.
Device virtualization is providing new design opportunities and options for creating flexible data center
architectures. Features that provide control plane and data plane isolation are offering a multitude of
design options for device placement, Layer-2 and Layer-3 designs, and service integration.
Figure 4-1 illustrates an overview of a typical data center security environment.
Figure 4-1 Data Center Security Overview
Security for virtualization and virtualized security are not one and the same. Both are key for providing
policy enforcement for these new architectures. Both topics are discussed in this chapter with an
emphasis placed on design and deployment.
[Figure 4-1 callouts. Data Center Firewalls: initial filter for DC ingress and egress traffic; virtual contexts used to split policies for server-to-server filtering. Layers shown: DC Core, Data Center Aggregation, Security Services Layer, Infrastructure Security, Data Center Services Layer, Access Layer, Virtual Access Layer (VMs). L2 security features available within the physical server for each VM: ACLs, CISF, Port Security, NetFlow ERSPAN, QoS, CoPP, VN Tag; a second callout lists ACLs, CISF, Port Security, QoS, CoPP, VN Tag. IPS/IDS: traffic analysis and forensics. Network Analysis: traffic monitoring and data analysis. Infrastructure security features protect the device, traffic plane, and control plane; VDC provides internal/external segmentation. XML Gateway: protect and optimize Web-based services. Additional firewall services for server-farm-specific protection. Server load balancing masks servers and applications. Application firewall mitigates XSS, HTTP, SQL, and XML based attacks.]
Key Threats in the Intranet Data Center
Today’s security administrators do not have easy jobs. Threats facing today’s IT security administrators
have grown from the relatively trivial attempts to wreak havoc on networks into sophisticated attacks
aimed at profit and the theft of sensitive corporate data. Implementation of robust data center security
capabilities to safeguard sensitive mission-critical applications and data is a cornerstone in the effort to
secure enterprise networks.
The Intranet data center is primarily inward facing and most clients are on the internal enterprise
network. The Intranet data center is still subject to external threats, but must also be guarded against
threat sources inside of the network perimeter.
Attack vectors have moved higher in the stack to subvert network protection and aim directly at
applications. HTTP-, XML-, and SQL-based attacks are useful efforts for most attackers because these
protocols are usually allowed to flow through the enterprise network and enter the intranet data center.
The following are some of the threat vectors affecting the Intranet data center:
• Unauthorized access
• Interruption of service
• Data loss
• Data modification
Unauthorized access can include unauthorized device access and unauthorized data access. Interruption
of service, data loss, and data modification can be the result of targeted attacks. A single threat can target
one or more of these areas. Specific threats can include the following: privilege escalation; malware;
spyware; botnets; denial-of-service (DoS); traversal attacks (including directory, URL); cross-site
scripting attacks; SQL attacks; malformed packets; viruses; worms; and, man-in-the-middle.
Data Center Design
The architectures discussed in this document are based on the Cisco data center design best-practice
principles. This multi-layered data center architecture is comprised of the following key components:
core, aggregation, services, and access. This architecture allows data center modules to be added as
demand and load increase. The data center core provides a Layer-3 routing module for all traffic in
and out of the data center. The aggregation layer serves as the Layer-3 and Layer-2 boundary for the data
center infrastructure. In this design, the aggregation layer also serves as the connection point for the
primary data center firewalls. Services such as server load balancers, intrusion prevention systems,
application-based firewalls, network analysis modules, and additional firewall services are deployed at
the services layer. The data center access layer serves as the connection point for the server farm. The
virtual-access layer refers to the virtual network that resides in the physical servers when they are
configured for virtualization.
A visual overview of this topology is provided in Figure 4-2.
Figure 4-2 Solution Topology
This chapter provides information on the integration of security services within the data center
infrastructure. The Layer-2 and Layer-3 infrastructure details are highlighted from a security-connection
and traffic-flow standpoint, but are not covered in great depth in this document. Several
Cisco Validated Design (CVD) guides offer a great amount of detail on the underlying data center
infrastructure.
For more information on the integration of services with a Cisco Nexus 7000, refer to Implementing
Nexus 7000 in the Data Center Aggregation Layer with Services at the following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/nx_7000_dc.html
For more information on the integration of dedicated services switches, refer to Data Center Service
Integration: Service Chassis Design Guide at the following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/dc_servchas/service-chassis_design.html
Data Center Core
The data center core module provides Layer-3 connectivity between the data center and the campus
network. The core is a centralized Layer-3 routing module in which one or more data center aggregation
layers connect. This usually serves as the initial entry point from the campus network into the data center
infrastructure.
[Figure 4-2 callouts: Core: a pair of Catalyst 6500s. Aggregation Layer: a pair of Nexus 7000s with ASA 5580 firewalls attached. Services Layer: a pair of Catalyst 6500s with ACE modules, ACE WAF appliances, and IDS/IPS sensors. Access Layer: Catalyst 4900s, Catalyst 6500 VSS, Catalyst 3100 VBS, Catalyst 6500s, and Nexus 5000s.]
IP Routing Design and Recommendations
Routing adjacencies from the core are formed to the campus core and to the data center aggregation
switches. In this design, the data center core runs Enhanced Interior Gateway Routing Protocol (EIGRP)
to communicate with the campus core and Open Shortest Path First (OSPF) to communicate with the
data center aggregation layer. The core routers redistribute between EIGRP and OSPF.
Figure 4-3 illustrates an example data center core routing design.
Figure 4-3 Data Center Core Routing Design
[Figure 4-3 callouts: Campus Core1 and Campus Core2 run EIGRP 1 and peer with Data Center Core1 and Data Center Core2 over 10.242.10.x/31 links (.24/.25 and .26/.27). Data Center Core1 and Core2 (RID 8.8.8.1 and 8.8.8.2) form OSPF Area 0 adjacencies with N7k1-VDC1 and N7k2-VDC1 (RID 3.3.3.1 and 3.3.3.2) over 10.8.0.x/24, 10.8.1.x/24, 10.8.2.x/24, and 10.8.3.x/24 (SVI 3); the VDCs also carry 10.8.162.3/24, 10.8.152.3/24, 10.8.162.2/24, and 10.8.152.2/24 on Po99.]
Routing is critical for the enterprise network and for access to data center services. Routing can be
compromised, either intentionally or unintentionally, in several ways.
Incorrect neighbor peering leads to the injection of incorrect routes; this can also lead to routing loops
and denial of service for the data center. To prevent this problem, several measures should be
incorporated as part of the data center routing design. These measures include the following:
• Route peer authentication
• Route filtering
• Log neighbor changes
Authenticating peers before establishing a routing adjacency helps prevent incorrect neighbor
peering that could lead to routing loops, routing manipulation, and service interruption. It is also important
to filter routes correctly. It might not always be desirable to have all routes populated on all data
center devices. In the example illustrated in Figure 4-3, a Not-So-Stubby Area (NSSA) is
used to limit the number of routes propagated inside the data center. It is also important to properly
filter routes when performing any routing redistribution. This means setting metrics properly and
filtering specific routes from being forwarded during the redistribution between two routing protocols;
this prevents routing loops. If not filtered correctly, routes exchanged between
protocols with different administrative distances and metrics can be repeatedly
redistributed and re-advertised by each protocol. Logging all neighbor changes provides visibility into
peering problems and alerts administrators to possible issues.
The following output provides an example of the authentication configuration for both EIGRP
and OSPF.
Enhanced IGRP Interface Configuration
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 eigrp-chain
logging event link-status
! the key chain named eigrp-chain must exist globally (key chain eigrp-chain / key <id> / key-string <key>);
! neighbor changes are logged under "router eigrp 1" with eigrp log-neighbor-changes
OSPF Global Configuration
router ospf 8
area 0 authentication message-digest
passive-interface default
! passive-interface default suppresses hellos everywhere; re-enable only the peering links with "no passive-interface <interface>"
log-adjacency-changes
Interface X/X
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 3 9125d59c18a9b015
! with message-digest authentication the MD5 key comes from ip ospf message-digest-key;
! "ip ospf authentication-key" only sets a plain-text (type 1) key and is not used in MD5 mode
logging event link-status
For more information on secure routing, refer to the Network Security Baseline document located at the
following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook.html
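The three measures above (peer authentication, filtered redistribution, neighbor-change logging) are easy to lose during a change window, so they are worth checking mechanically. The Python below is an added example, not Cisco's or the SAFE lab's code: a hypothetical checker that parses an IOS-style running-config and reports each stanza that lacks one of them. The configuration it audits is constructed for the example, modelled on the core listing above; the interface names, addresses, and key strings in it are assumptions.

```python
"""Audit an IOS-style routing configuration for the three measures above
(peer authentication, filtered redistribution, neighbor-change logging).
Added example; hypothetical checker, not a Cisco tool."""
import re
from typing import Dict, List

# Constructed sample modelled on the core listing above, not a lab capture.
# It deliberately omits the OSPF MD5 key and the redistribution route-maps.
SAMPLE_CONFIG = """\
key chain eigrp-chain
 key 1
  key-string 7 0822455D0A16
!
interface TenGigabitEthernet1/1
 ip address 10.242.10.25 255.255.255.254
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-chain
 logging event link-status
!
interface TenGigabitEthernet1/2
 ip address 10.8.0.1 255.255.255.0
 ip ospf authentication message-digest
 logging event link-status
!
router eigrp 1
 network 10.242.10.0 0.0.0.255
 redistribute ospf 8 metric 10000 100 255 1 1500
 eigrp log-neighbor-changes
!
router ospf 8
 network 10.8.0.0 0.0.3.255 area 0.0.0.0
 area 0 authentication message-digest
 passive-interface default
 no passive-interface TenGigabitEthernet1/2
 redistribute eigrp 1 subnets
 log-adjacency-changes
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level stanza ('interface X', 'router ospf 8') to its child lines."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if not raw[0].isspace():
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def ospf_area_id(token: str) -> int:
    """Normalise 'area 81' and 'area 0.0.0.81' to the same integer."""
    if "." in token:
        a, b, c, d = (int(x) for x in token.split("."))
        return (a << 24) | (b << 16) | (c << 8) | d
    return int(token)


def unfiltered_redistribution(header: str, lines: List[str]) -> List[str]:
    """Redistribution without a route-map re-advertises everything, loops included."""
    return [f"{header}: '{l}' has no route-map"
            for l in lines if l.startswith("redistribute ") and "route-map" not in l]


def audit_routing(config: str) -> List[str]:
    findings: List[str] = []
    for header, lines in parse_blocks(config).items():
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            md5 = "ip ospf authentication message-digest" in lines
            key = any(l.startswith("ip ospf message-digest-key") for l in lines)
            if md5 and not key:
                findings.append(f"{name}: OSPF message-digest set but no message-digest-key")
            mode = any(l.startswith("ip authentication mode eigrp") for l in lines)
            chain = any(l.startswith("ip authentication key-chain eigrp") for l in lines)
            if mode != chain:
                findings.append(f"{name}: EIGRP needs both authentication mode and key-chain")
        elif header.startswith("router ospf"):
            used = {ospf_area_id(l.split()[-1]) for l in lines if l.startswith("network ")}
            authed = {ospf_area_id(l.split()[1]) for l in lines
                      if re.fullmatch(r"area \S+ authentication message-digest", l)}
            for area in sorted(used - authed):
                findings.append(f"{header}: area {area} lacks message-digest authentication")
            if "passive-interface default" not in lines:
                findings.append(f"{header}: passive-interface default missing")
            if not any(l.startswith("log-adjacency-changes") for l in lines):
                findings.append(f"{header}: log-adjacency-changes missing")
            findings += unfiltered_redistribution(header, lines)
        elif header.startswith("router eigrp"):
            if "eigrp log-neighbor-changes" not in lines:
                findings.append(f"{header}: eigrp log-neighbor-changes missing")
            findings += unfiltered_redistribution(header, lines)
    return findings


if __name__ == "__main__":
    for finding in audit_routing(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample it reports three findings: the OSPF interface with message-digest enabled but no key, and the two redistribute statements with no route-map. Area identifiers are normalised so that "area 81" and "area 0.0.0.81", both of which appear in the Nexus configurations later in this chapter, are treated as the same area.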
Data Center Aggregation Layer
The aggregation switches used in this design are a pair of Cisco Nexus 7000 Series switches. They serve
as a high performance 10-Gigabit aggregation point for data center traffic and services.
The Cisco Nexus 7000 introduces the concept of Virtual Device Context (VDC). The VDC feature allows
for the virtualization of the control plane, data plane, and management plane of the Cisco Nexus 7000.
From a security standpoint this virtualization capability can provide an enhanced security model.
Because the VDCs are logically separate devices, each can have different access, data, and management
policies defined.
Note In-depth details on VDCs and how they fit into the overall data center design can be found in the data
center best-practice guides. For more information on the integration of services with a Cisco Nexus 7000,
refer to Implementing Nexus 7000 in the Data Center Aggregation Layer with Services at
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/nx_7000_dc.html
This chapter focuses on the integration of VDCs and security services.
The design described in this chapter includes a single pair of data center aggregation switches divided
into four separate logical switches. Two VDCs have been created in each Cisco Nexus 7000—VDC1 and
VDC2. This provides an inside and outside isolation point at the data center aggregation layer. The
outside VDC provides Layer-3 connectivity to the data center core. The inside VDC provides Layer-2
connectivity to the data center services and server farm. In order for traffic to flow from the outside VDC
to the inside VDC, the traffic must either be routed or bridged through an external device. In this design,
traffic forwarding between VDC1 and VDC2 is performed by external firewalls.
IP Routing Design and Recommendations
The IP routing design provides isolation. The outside VDC is a member of OSPF Area 0 and is a
neighbor of the data center core routers. This allows routes to propagate in and out of the data center and
to the rest of the enterprise network. The inside VDC is configured as an OSPF NSSA. The inside
VDC receives only a default route from the outside. This prevents the entire routing table from
propagating farther into the data center. Figure 4-4 illustrates an example routing design based on these
principles.
Figure 4-4 Routing Topology
[Figure 4-4 callouts: N7k1-VDC1 and N7k2-VDC1 (RID 3.3.3.1 and 3.3.3.2) sit in OSPF Area 0 toward the core (10.8.0.x/24 through 10.8.3.x/24, SVI 3) and in OSPF NSSA Area 81 toward ASA1/ASA2 on 10.8.162.3/.2 and 10.8.152.3/.2 (Po99, HSRP .1). ASA1 and ASA2 bridge VLAN 161 to 162 and VLAN 151 to 152 toward the services switches SS1/SS2 (Cat6k with ACE1/ACE2). N7k1-VDC2 and N7k2-VDC2 carry VRF1 and VRF2 (RID 4.4.4.1, 5.5.5.1, 4.4.4.2, 5.5.5.2) on VLAN 164 at 10.8.162.5/.6 and 10.8.152.5/.6.]
The following command listing shows the Cisco Nexus 7000 VDC1 OSPF configuration. VLAN 161
is carried to the outside interface of the Cisco ASA firewall.
interface Vlan161
no shutdown
ip address 10.8.162.3/24
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b
ip router ospf 8 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
hsrp 1
authentication text c1sc0
preempt delay minimum 180
priority 20 forwarding-threshold lower 0 upper 0
timers 1 3
ip 10.8.162.1
The following is the routing configuration on Nexus 7000 VDC1:
router ospf 8
router-id 3.3.3.1
area 81 nssa
default-information originate
area 0.0.0.0 range 10.8.0.0/24
area 0.0.0.0 range 10.8.1.0/24
area 0.0.0.0 range 10.8.2.0/24
area 0.0.0.0 range 10.8.3.0/24
area 0.0.0.81 range 10.8.128.0/18
area 0.0.0.0 authentication message-digest
area 0.0.0.81 authentication message-digest
timers throttle spf 10 100 5000
timers throttle lsa router 1000
timers throttle lsa network 1000
auto-cost reference-bandwidth 10000
The following shows the Cisco Nexus 7000 VDC2 OSPF configuration. VLAN 164 resides between
the services switch and VDC2 on the Nexus 7000. Two virtual routing and forwarding (VRF) instances
have been created and serve as default gateways for the server farm subnets.
interface Vlan164
no shutdown
vrf member servers1
ip address 10.8.162.5/24
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 3 b2255cb5a7107f1b
ip router ospf 8 area 0.0.0.81
ip pim sparse-mode
ip igmp version 3
hsrp 2
authentication text c1sc0
preempt delay minimum 180
priority 20 forwarding-threshold lower 0 upper 0
timers 1 3
ip 10.8.162.7
router ospf 8
vrf servers1
router-id 4.4.4.1
area 81 nssa
area 0.0.0.81 authentication message-digest
timers throttle spf 10 100 5000
timers throttle lsa router 1000
timers throttle lsa network 1000
vrf servers2
router-id 5.5.5.1
area 81 nssa
area 0.0.0.81 authentication message-digest
timers throttle spf 10 100 5000
timers throttle lsa router 1000
timers throttle lsa network 1000
The following output from the show ip route command on the Cisco Nexus 7000 VDC2 shows the
default route from VDC1 and routes to several virtual machines advertised from VLANs 3000 and 3001.
dca-n7k1-vdc2# sh ip route
IP Route Table for VRF "default"
'*' denotes best ucast next-hop '**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
0.0.0.0/32, 1 ucast next-hops, 0 mcast next-hops
*via Null0, [220/0], 4w2d, local, discard
10.8.3.0/24, 1 ucast next-hops, 0 mcast next-hops, attached
*via 10.8.3.3, Vlan3000, [0/0], 2w4d, direct
10.8.3.0/32, 1 ucast next-hops, 0 mcast next-hops, attached
*via 10.8.3.0, Null0, [0/0], 2w4d, local
! <...>
Just as with the data center core, protective measures should be incorporated as part of the data center
aggregation layer routing design. These actions include the following:
• Route peer authentication
• Route filtering
• Log neighbor changes
Aggregation Layer and Firewalls
Leveraging Device Virtualization to Integrate Security
The aggregation layer provides an excellent filtering point and first layer of protection for the data center.
This layer provides a building block for deploying firewall services for ingress and egress filtering. The
Layer-2 and Layer-3 recommendations for the aggregation layer also provide symmetric traffic patterns
to support stateful packet filtering.
Because of the performance requirements, this design uses a pair of Cisco ASA 5580 firewalls connected
directly to the aggregation switches. The Cisco ASA 5580s meet the high-performance data center
firewall requirements by providing 10 Gbps of stateful packet filtering.
In this design, the Cisco ASA firewalls are configured in transparent mode. This means the firewalls
operate at Layer 2 and bridge traffic between interfaces. The Cisco ASA firewalls have
been configured for multiple contexts using the virtual context feature. This virtualization feature allows
the firewall to be divided into multiple logical firewalls, each supporting different interfaces and policies.
The firewalls are configured in an active-active design. This design allows load sharing across the
infrastructure based on the active Layer-2 and Layer-3 traffic paths. Each firewall has been configured
for two virtual contexts. Virtual context 1 is active on ASA 1 and virtual context 2 is active on ASA
2. This corresponds to the active Layer-2 spanning tree path and the Layer-3 Hot Standby Router
Protocol (HSRP) configuration.
An example of each firewall connection is shown in Figure 4-5.
Figure 4-5 Cisco ASA Virtual Contexts and Cisco Nexus 7000 Virtual Device Contexts
Virtual Context Details
The contexts on the firewall provide different forwarding paths and policy enforcement depending on
the traffic type and destination. Incoming traffic that is destined for the data center services layer (ACE,
WAF, IPS, and so on) is forwarded from VDC1 on the Cisco Nexus 7000 to virtual context 1 on the Cisco
ASA over VLAN 161. The inside interface of virtual context 1 is configured on VLAN 162. The Cisco
ASA filters the incoming traffic and then in this case bridges the traffic to the inside interface on VLAN
162. VLAN 162 is carried to the services switch where traffic has additional services applied. The same
applies to virtual context 2 on VLANs 151 and 152. This context is active on ASA 2. The output below
shows each context configuration and the current failover state.
The contexts are created under the system management context and the interface pairings are assigned.
context dca-vc1
allocate-interface Management0/0.1
allocate-interface TenGigabitEthernet5/0.161 outside
allocate-interface TenGigabitEthernet5/1.162 inside
config-url disk0:/dca-vc1.cfg
join-failover-group 1
context dca-vc2
allocate-interface Management0/0.2
allocate-interface TenGigabitEthernet7/0.151 outside
allocate-interface TenGigabitEthernet7/1.152 inside
config-url disk0:/t
join-failover-group 2
The configuration can also be seen by logging into the Cisco Adaptive Security Device Manager
(ASDM) management GUI. See Figure 4-6.
[Figure 4-5 callouts: N7k1-VDC1 and N7k2-VDC1 carry SVI-161 (10.8.162.3 and 10.8.162.2) and SVI-151 (10.8.152.3 and 10.8.152.2) with HSRP address .1 over Po99. ASA1 bridges VLAN 161 to VLAN 162 (context 1) and ASA2 bridges VLAN 151 to VLAN 152 (context 2). N7k1-VDC2 and N7k2-VDC2 carry VRF1 (10.8.162.5 and 10.8.162.6) and VRF2 (10.8.152.5 and 10.8.152.6) with HSRP address .7.]
Figure 4-6 Cisco ASDM Screenshot of Virtual Contexts
Note There are three virtual device contexts shown in the Cisco ASDM output. The third context (dca-vc3) is
described in the “Virtual Context on ASA for ORACLE DB Protection” section on page 4-34.
To view the command line configuration, log into the ASA and issue the changeto command to switch to
each context. The following is an overview of the dca-vc1 virtual
context interface configuration:
firewall transparent
hostname dca-vc1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
! 8Ry2YjIyt7RRXU24 and 2KFQnbNIdI.2KYOU are the factory-default ASA hashes (no enable password,
! login password "cisco"); set real credentials before this context goes into service
names
!
interface Management0/0.1
mac-address 00a0.c900.0102
nameif management
security-level 100
ip address 172.26.146.x 255.255.254.0
management-only
!
interface outside
nameif north
security-level 100
!
interface inside
nameif south
security-level 0
!
Issue the changeto command to view another context. The following is an overview of the DCA-VC2
virtual context interface configuration:
firewall transparent
hostname dca-vc2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
! factory-default ASA password hashes (no enable password, login password "cisco"); replace before deployment
names
!
interface Management0/0.2
nameif management
security-level 100
ip address 172.26.146.x 255.255.254.0
management-only
!
interface outside
nameif north
security-level 100
!
interface inside
nameif south
security-level 0
The following show failover command output example illustrates the current failover state for context
1 and context 2.
This host: Primary
Group 1 State: Active
Active time: 1010495 (sec)
Group 2 State: Standby Ready
Active time: 281093 (sec)
Deployment Recommendations
The firewalls enforce access policies for the data center. Most, if not all, of the requests for the enterprise
data center will be sourced from the internal network. The internal firewalls provide a line of defense for
the data center assets. A multi-layered security model that protects the enterprise data
center from both internal and external threats is a best practice.
The firewall policy will differ based on the organizational security policy and the types of applications
deployed. In most cases a minimum of the following protocols will be allowed: Domain Name System
(DNS), Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol over Secure Sockets Layer
(HTTPS), Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP), routing protocols,
unified communications, voice-over-IP (VoIP) protocols, video protocols, multicast, terminal services,
Internet Control Message Protocol (ICMP) to some extent, and a host of others.
Regardless of the number of ports and protocols being allowed either to and from the data center or from
server-to-server, there are some baseline recommendations that will serve as a starting point for most
deployments.
The firewalls should be hardened in a similar fashion to the infrastructure devices. The following
configuration notes apply:
• Use HTTPS for device access. Disable HTTP access.
• Configure Authentication, Authorization, and Accounting (AAA) for role-based access control and
logging. Use a local fallback account in case the AAA server is unreachable.
• Use out-of-band management and limit the types of traffic allowed over the management
interface(s).
• Use Secure Shell (SSH). Disable Telnet.
• Use Network Time Protocol (NTP) servers.
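The notes above can be checked against a context listing before it is pushed. The Python below is an added example with a hypothetical checker, not Cisco code. It looks for the two factory-default ASA password hashes (the same values that appear in the dca-vc1 and dca-vc2 listings above), for telnet lines, for a missing SSH access line, for an aaa authentication line without a LOCAL fallback, and for SSH or ASDM access bound to anything other than the management interface. The context listing it audits is constructed for the example; its addresses are assumptions.

```python
"""Check an ASA context listing against the hardening notes above.
Added example with a hypothetical checker, not Cisco tooling. The password
checks use the two factory-default hashes that appear in the context
listings on this page."""
import re
from typing import List

DEFAULT_ENABLE_HASH = "8Ry2YjIyt7RRXU24"  # hash of an empty enable password
DEFAULT_LOGIN_HASH = "2KFQnbNIdI.2KYOU"   # hash of the factory login password "cisco"

# Constructed context listing modelled on dca-vc1 above, not a lab capture.
SAMPLE_CONTEXT = """\
firewall transparent
hostname dca-vc1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Management0/0.1
 nameif management
 security-level 100
 ip address 172.26.146.10 255.255.254.0
 management-only
telnet 172.26.146.0 255.255.254.0 management
http server enable
http 172.26.146.0 255.255.254.0 management
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"


def audit_asa_context(config: str) -> List[str]:
    """Return one finding per hardening note the context violates."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings: List[str] = []
    if any(l.startswith("enable password ") and DEFAULT_ENABLE_HASH in l for l in lines):
        findings.append("enable password is the factory default (empty)")
    if any(l.startswith("passwd ") and DEFAULT_LOGIN_HASH in l for l in lines):
        findings.append("login password is the factory default (cisco)")
    # "telnet <net> <mask> <if>" opens clear-text management; SSH should replace it
    if any(re.match(rf"telnet {IPV4} ", l) for l in lines):
        findings.append("Telnet is enabled; remove the telnet lines and use SSH")
    if not any(re.match(rf"ssh {IPV4} ", l) for l in lines):
        findings.append("no ssh <host> <mask> <interface> line; SSH access is not permitted")
    aaa = [l for l in lines if l.startswith("aaa authentication ssh console ")]
    if not aaa:
        findings.append("aaa authentication ssh console is not configured")
    elif not aaa[0].endswith(" LOCAL"):
        findings.append("aaa authentication ssh console has no LOCAL fallback")
    # management-plane access should be bound to the out-of-band interface only
    for l in lines:
        m = re.match(rf"(ssh|http) {IPV4} {IPV4} (\S+)$", l)
        if m and m.group(2) != "management":
            findings.append(f"{m.group(1)} access is allowed on {m.group(2)}, "
                            "not the management interface")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_context(SAMPLE_CONTEXT):
        print(finding)
```

On the constructed listing the checker reports five findings: both default passwords, Telnet enabled, no SSH access line, and no AAA authentication for SSH. Note that "http server enable" on an ASA starts the HTTPS/ASDM listener, not a clear-text server, so it is not flagged; what matters is that the http and ssh source lines are bound to the management interface.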
Object groups can be used to group similar items for easier management and to save memory when
creating access lists. The following is an example of using the object-groups command.
object-group service DC_services tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq dns
port-object eq ftp
object-group service DC_services udp
port-object eq dns
object-group icmp-type DC_ICMP
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
icmp-object echo
object-group service DC_ICMP_1
description (Generated by Cisco SM from Object "DC_ICMP")
service-object icmp echo
service-object icmp unreachable
service-object icmp time-exceeded
service-object icmp echo-reply
Note This is a basic example of protocols that might need to be enabled for data center communications.
Access list implementation on the firewalls will be highly dependent on the organizational security
policy and the specific applications in the data center.
Note Depending on traffic types and policies, the goal might not be to send all traffic flows to the services
layer. Some incoming application connections, such as those from a DMZ or client batch jobs (such as
backup), might not need load balancing or additional services. As an alternative, another context on the
firewall could be deployed to support the VLANs that are not forwarded to the services switches.
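Nested object-groups make it hard to read off what an access-list line actually permits, which is where a policy review usually slips. The Python below, an added example rather than Cisco code, flattens ASA object-groups (group-object nesting and icmp-type groups included) into concrete protocol/port pairs and diffs them against an approved baseline. The group listing and the baseline are constructed for the example; DC_WEB, DC_MAIL, DC_TCP and DC_DNS are assumed names. It handles the pre-8.3 service-object form shown on this page and expects the ASA literal "domain" for port 53.

```python
"""Expand ASA object-groups, nested group-object references included, into
the concrete protocol/port pairs an access-list line really permits, and
diff them against an approved baseline. Added example built around a
hypothetical checker; it is not Cisco code."""
import re
from typing import Dict, List, Set, Tuple

# ASA port literals used below; the ASA keyword for 53 is "domain"
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21,
              "ssh": 22, "telnet": 23, "domain": 53}

# Constructed listing in the style of the DC_services example above.
# DC_TCP nests the web and mail groups and adds telnet, which the baseline
# does not allow.
SAMPLE = """\
object-group service DC_WEB tcp
 port-object eq www
 port-object eq https
object-group service DC_MAIL tcp
 description mail relays
 port-object eq smtp
 port-object range 587 587
object-group service DC_TCP tcp
 group-object DC_WEB
 group-object DC_MAIL
 port-object eq telnet
object-group service DC_DNS udp
 port-object eq domain
object-group icmp-type DC_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
"""

BASELINE = {"tcp/80", "tcp/443", "tcp/25", "tcp/587", "udp/53"}

HEADER = re.compile(r"object-group (service|icmp-type) (\S+)(?: (tcp|udp|tcp-udp))?$")


def parse_object_groups(config: str) -> Dict[str, Tuple[str, List[str]]]:
    """Return {name: (kind, member lines)} with kind tcp/udp/tcp-udp/icmp/service."""
    groups: Dict[str, Tuple[str, List[str]]] = {}
    name = None
    for raw in config.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            name = m.group(2)
            kind = m.group(3) or ("icmp" if m.group(1) == "icmp-type" else "service")
            groups[name] = (kind, [])
        elif name and line and not line.startswith("description "):
            groups[name][1].append(line)
    return groups


def port_number(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def ports(op: str, args: List[str]) -> List[int]:
    """Resolve 'eq X' or 'range A B' to a list of port numbers."""
    if op == "eq":
        return [port_number(args[0])]
    if op == "range":
        return list(range(port_number(args[0]), port_number(args[1]) + 1))
    raise ValueError(f"unsupported port operator: {op}")


def expand(name: str, groups: Dict[str, Tuple[str, List[str]]],
           path: Tuple[str, ...] = ()) -> Set[str]:
    """Flatten a group to strings like 'tcp/443' or 'icmp/echo'."""
    if name in path:
        raise ValueError(f"object-group cycle: {' -> '.join(path + (name,))}")
    kind, lines = groups[name]
    protos = ["tcp", "udp"] if kind == "tcp-udp" else [kind]
    result: Set[str] = set()
    for line in lines:
        tok = line.split()
        if tok[0] == "group-object":
            result |= expand(tok[1], groups, path + (name,))
        elif tok[0] == "port-object":
            result.update(f"{p}/{n}" for p in protos for n in ports(tok[1], tok[2:]))
        elif tok[0] == "icmp-object":
            result.add(f"icmp/{tok[1]}")
        elif tok[0] == "service-object":          # pre-8.3 form: service-object tcp eq www
            if tok[1] == "icmp":
                result.add(f"icmp/{tok[2]}")
            elif len(tok) > 2:
                result.update(f"{tok[1]}/{n}" for n in ports(tok[2], tok[3:]))
            else:
                result.add(f"{tok[1]}/any")
        else:
            raise ValueError(f"unhandled member in {name}: {line}")
    return result


def outside_baseline(name: str, groups: Dict[str, Tuple[str, List[str]]],
                     baseline: Set[str]) -> Set[str]:
    """Ports the group permits that the approved baseline does not."""
    return expand(name, groups) - baseline


if __name__ == "__main__":
    g = parse_object_groups(SAMPLE)
    for grp in g:
        print(grp, sorted(expand(grp, g)), "outside baseline:", sorted(outside_baseline(grp, g, BASELINE)))
```

Expanding DC_TCP yields web, mail, and tcp/23; diffing against the baseline isolates the telnet port that the nesting hid. The path argument detects a group that references itself through another group instead of recursing forever.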
Caveats
When using transparent mode on the Cisco ASA firewalls, there must be an IP address configured for
each context. This is required to bridge traffic from one interface to another and to manage each Cisco
ASA context. When managing the Cisco ASA from Cisco Security Manager (CSM) or Cisco Security
MARS (CS-MARS), this address is also used to manage and view each context separately. At this time,
while in transparent mode, you are not able to allocate the same VLAN across multiple interfaces for
management purposes. A separate VLAN will be used to manage each context. The VLANs created for
each context can be bridged back to the primary management VLAN on an upstream switch if desired.
This provides a workaround and does not require new network-wide management VLANs and IP subnets
to be allocated to manage each context.
Services Layer
Data center security services can be deployed in a variety of combinations. The type and the combination
of security deployed depend largely on the business model of the organization. The services deployed in
this design are used in a combination to provide isolation, application protection, and visibility into data
center traffic flows. From a larger viewpoint, it is also important to consider the scalability of security
services in the data center. The goal of these designs is to provide a modular approach to deploying
security by allowing additional capacity to easily be added for each service. Additional web application
firewalls, Intrusion Prevention Systems (IPS), firewalls, and monitoring services can all be scaled
without requiring a re-architecture of the overall data center design. Figure 4-7 illustrates how the
services layer fits into the data center security environment.
Figure 4-7 Data Center Security and the Services Layer
Server Load Balancing
Application Control Engine
This design features use of the Cisco Application Control Engine (ACE) service module for the Cisco
Catalyst 6500. The Cisco ACE is designed as an application and server scaling tool, but it has security
benefits as well. The Cisco ACE can mask the servers' real IP addresses and provide a single IP address for
clients to connect to over one or more protocols such as HTTP, HTTPS, FTP, and so on.
In this design, the Cisco ACE is also used to scale the web application firewall appliances. The web
application firewalls are configured as a server farm and the Cisco ACE distributes connections to the
web application firewall pool.
As an added benefit, the Cisco ACE can store server certificates locally. This allows the Cisco ACE to
proxy Secure Sockets Layer (SSL) connections for client requests and forward the client request in clear
text to the server. The following configuration fragment shows the SSL proxy service configuration on
the Cisco ACE module.
ssl-proxy service SSL_PSERVICE_CRACKME
key my2048RSAkey.PEM
cert crackme-cert.pem
In this design, the Cisco ACE is terminating incoming HTTPS requests and decrypting the traffic prior
to forwarding it to the web application firewall farm. The web application firewall and subsequent Cisco
IPS devices can now view the traffic in clear text for inspection purposes.
[Figure 4-7 callouts: the same ASA1/ASA2, VDC1/VDC2 and VRF1/VRF2 topology as Figure 4-5 (SVI-161 and SVI-151 with HSRP .1 on the outside VDCs, VRF1/VRF2 with HSRP .7 on the inside VDCs, Po99 between them), with a services chain of ACE, WAF and IPS behind each ASA context on VLANs 162 and 164, and VLAN 190 between the ACE and the WAF cluster.]
Note Some compliance standards and security policies dictate that traffic is encrypted from client to server. It
is possible to modify the design so traffic is re-encrypted on the Cisco ACE after inspection prior to
being forwarded to the server.
Web Application Security
Web Application Firewall
The Cisco ACE Web Application Firewall (WAF) provides firewall services for web-based applications.
It secures and protects web applications from common attacks, such as identity theft, data theft,
application disruption, fraud and targeted attacks. These attacks can include cross-site scripting (XSS)
attacks, SQL and command injection, privilege escalation, cross-site request forgeries (CSRF), buffer
overflows, cookie tampering, and denial-of-service (DoS) attacks.
In the data center design, the two web application firewall appliances are configured as a cluster and are
load balanced by the Cisco ACE module. Each of the web application firewall cluster members can be
seen in the Cisco ACE Web Application Firewall Management Dashboard.
The Management Dashboard of the Cisco ACE Web Application Firewall is shown in Figure 4-8.
Figure 4-8 Web Application Firewall Management Dashboard
The two web application firewall cluster members in Figure 4-8 are: 172.26.147.201 and 172.26.147.203
The Cisco ACE WAF acts as a reverse proxy for the web servers it is configured to protect. The Virtual
Web Application is used to create a virtual URL that intercepts incoming client
connections. You can configure one or more virtual web applications based on the protocol and port as well
as the policy you want applied. In the example in Figure 4-9, a Virtual Web Application called Crack Me
is defined. The virtual URL is set to intercept all incoming HTTP traffic on port 81.
Figure 4-9 Web Application Firewall Virtual Web Application (Crack Me)
The destination server IP address in this example is the Cisco ACE. Because the web application firewall
is being load balanced by the Cisco ACE, it is configured as a one-armed connection to the Cisco ACE
to both send and receive traffic. This is the recommended deployment model and will be described in the
next section.
Cisco ACE and Web Application Firewall Deployment
The Cisco ACE WAF is deployed in a one-armed design and is connected to the Cisco ACE over a single
interface.
The connection information for the Cisco ACE and web application firewall cluster is shown in
Figure 4-10.
Figure 4-10 Cisco ACE Module and Web Application Firewall Integration
The following command listing example shows the Cisco ACE interface configuration. VLAN 162 is the
north side of the Cisco ACE facing the Cisco ASA firewall, VLAN 163 is the south side to the IPS, and
VLAN 190 is the VLAN between the Cisco ACE and the web application firewall cluster.
interface vlan 162
description ** North Side facing ASA**
bridge-group 161
no normalization
no icmp-guard
access-group input BPDU
access-group input ALLOW_TRAFFIC
service-policy input aggregate-slb-policy
no shutdown
interface vlan 163
description ** South Side facing Servers **
bridge-group 161
no normalization
no icmp-guard
access-group input BPDU
access-group input ALLOW_TRAFFIC
no shutdown
interface vlan 190
ip address 10.8.190.2 255.255.255.0
alias 10.8.190.1 255.255.255.0
peer ip address 10.8.190.3 255.255.255.0
no normalization
no icmp-guard
access-group input ALLOW_TRAFFIC
service-policy input L4_LB_VIP_HTTP_POLICY
no shutdown
[Figure 4-10 callouts: N7k1-VDC1 (SVI-161 10.8.162.3, SVI-151 10.8.152.3, HSRP .1) connects over VLAN 161 to ASA1, which bridges to VLAN 162 on services switch SS1; the ACE bridges VLAN 162 toward the servers and reaches the WAF cluster over VLAN 190; VLAN 164 carries traffic on to N7k1-VDC2 (VRF1 10.8.162.5, VRF2, HSRP .7). ASA2 provides the second path.]
In this portion of the Cisco ACE configuration, a probe has been created to track the availability of the
web server via an HTTP GET of the URL. This probe is then tied to the web application firewall farm. It is
recommended that this method be used to ensure that connections are not forwarded from the Cisco ACE to the
web application firewall farm if the web servers are not available.
probe http CRACKME
port 81
interval 2
passdetect interval 5
request method get url /Kelev/view/home.php
expect status 200 200
rserver host waf1
ip address 10.8.190.210
inservice
rserver host waf2
ip address 10.8.190.211
inservice
serverfarm host sf_waf
probe CRACKME
rserver waf1 81
inservice
rserver waf2 81
inservice
To ensure session persistence (the same connection stays on the same web application firewall
appliance), the Cisco ACE has been configured to use cookie-sticky as shown in the following
configuration example:
sticky http-cookie wafcookie wafstkygrp
cookie insert
replicate sticky
serverfarm sf_waf
For detailed information on the Cisco ACE configuration, refer to the Service Traffic Patterns document
at the following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/dc_serv_pat.html
IPS Deployment
The Intrusion Prevention System (IPS) provides deep packet and anomaly inspection to protect against
both common and complex embedded attacks.
The IPS devices used in this design are Cisco IPS 4270s with 10-Gigabit Ethernet modules. Because of
the nature of IPS and the intense inspection capabilities, the amount of overall throughput varies
depending on the active policy. The default IPS policies were used for the examples presented in this
document.
In this design, the IPS appliances are configured for VLAN pairing. Each IPS is connected to the services
switch with a single 10-Gigabit Ethernet interface. In this example, VLAN 163 and VLAN 164 are
configured as the VLAN pair. See Figure 4-11.
Figure 4-11 IPS VS0 and VS1 (IDS)
The IPS deployment in the data center leverages EtherChannel load balancing from the service switch.
This method is recommended for the data center because it allows the IPS services to scale to meet the
data center requirements. This is shown in the Figure 4-12.
Figure 4-12 IPS ECLB in the Services Layer
A port channel is configured on the services switch to forward traffic over each 10-Gigabit link to the
receiving IPS. Because the Cisco IPS does not support Link Aggregation Control Protocol (LACP) or Port
Aggregation Protocol (PAgP), the port channel mode is set to “on” so that no negotiation is required for
the channel to become operational, as illustrated in the following show command output.
dca-newSS1# sh run int port2
Building configuration...
Current configuration : 177 bytes
!
interface Port-channel2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 163,164
switchport mode trunk
switchport nonegotiate
mtu 9216
end
It is very important that all traffic for a specific flow goes to the same Cisco IPS; otherwise a sensor sees
only one direction of a conversation and cannot inspect it statefully. To accomplish this, set the
port-channel hash to source and destination IP address, as illustrated in the following example:
dca-newSS1(config)# port-channel load-balance src-dst-ip
dca-newSS1# sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip enhanced
mpls label-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address
MPLS: Label or IP
Each EtherChannel can support up to eight ports per channel. This design can scale up to eight
Cisco IPS 4270s per channel. Figure 4-13 illustrates Cisco IPS EtherChannel load balancing.
Figure 4-13 Cisco IPS EtherChannel Load Balancing
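The following Python model, added here and not part of the Cisco SAFE guide, shows why the src-dst-ip hash is the right choice in front of an inline IPS. The real Catalyst hash function is not published; the model keeps only the documented behaviour (source XOR destination address reduced to one of eight buckets) and assumes a simple bucket-to-member mapping. The flows are constructed from addresses that appear in this design. Because XOR is commutative, both directions of a conversation always select the same member under src-dst-ip, whereas a source-only hash can send the return traffic to a different IPS, which then sees half of every TCP session.

```python
"""Model of EtherChannel member selection under two load-balancing hashes.

Added example, not from the Cisco SAFE guide. The exact Catalyst hash is not
published; this keeps only the documented properties (source XOR destination
address, reduced to one of eight buckets) and assumes a simple bucket-to-member
mapping. The flows use addresses that appear in the design.
"""
import ipaddress

N_BUCKETS = 8   # a Catalyst EtherChannel hashes into 8 buckets, hence 8 ports max


def _ip(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


def member_src_dst_ip(src: str, dst: str, n_members: int) -> int:
    """src-dst-ip hash: XOR is commutative, so (src, dst) and (dst, src)
    always pick the same member."""
    bucket = (_ip(src) ^ _ip(dst)) % N_BUCKETS
    return bucket % n_members           # assumed bucket-to-member mapping


def member_src_ip(src: str, dst: str, n_members: int) -> int:
    """src-ip hash: depends on one end only, so the reverse direction of the
    same conversation can land on a different IPS."""
    return (_ip(src) % N_BUCKETS) % n_members


def flow_symmetric(selector, a: str, b: str, n_members: int) -> bool:
    """True when forward and return packets select the same member."""
    return selector(a, b, n_members) == selector(b, a, n_members)


# Constructed flows using addresses from the design: client to ACE VIP, and
# ACE WAF appliances to a web server VM.
FLOWS = [
    ("10.7.54.34", "10.8.162.200"),
    ("10.7.52.33", "10.8.162.200"),
    ("10.8.190.210", "10.8.180.230"),
    ("10.8.190.211", "10.8.180.230"),
]


def symmetric_flow_count(flows=FLOWS, n_members: int = 8) -> dict:
    """How many flows each hash keeps on a single IPS in both directions."""
    return {
        "src-dst-ip": sum(flow_symmetric(member_src_dst_ip, a, b, n_members) for a, b in flows),
        "src-ip": sum(flow_symmetric(member_src_ip, a, b, n_members) for a, b in flows),
    }


if __name__ == "__main__":
    for a, b in FLOWS:
        print(f"{a:>13} <-> {b:<13} src-dst-ip member "
              f"{member_src_dst_ip(a, b, 8)}/{member_src_dst_ip(b, a, 8)}  "
              f"src-ip member {member_src_ip(a, b, 8)}/{member_src_ip(b, a, 8)}")
    print(symmetric_flow_count())
```

Run as a script it prints the member chosen for each direction of each flow. The eight buckets also explain the eight-port limit quoted above, and why a channel whose member count is not a power of two (three sensors, for instance) gives an uneven share of flows per sensor.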
Caveats
Spanning tree plays an important role in IPS redundancy for this design. Under normal operating
conditions, traffic for a VLAN always follows the same active Layer-2 path. If a failure occurs (a service
switch failure or a service switch link failure), spanning tree converges and the active Layer-2 traffic
path moves to the redundant service switch and its Cisco IPS appliances. Multiple failure scenarios were
tested, with average failover times between 2 and 4 seconds.
Cisco ACE, Cisco ACE Web Application Firewall, Cisco IPS Traffic Flows
The security services in this design reside between the inner and outer VDCs on the Cisco Nexus 7000.
All security services are running in a Layer-2 transparent configuration. As traffic flows from VDC1 to
the outside Cisco ASA context, it is bridged across VLANs and forwarded through each security service
until it reaches the inside VDC2 where it is routed directly to the correct server or application.
Figure 4-14 illustrates the service flow for client-to-server traffic through the security services in the red
traffic path. In this example, the client is making a web request to a virtual IP address (VIP) defined on
the Cisco ACE virtual context.
Figure 4-14 Security Service Traffic Flow (Client to Server)
The following steps describe the associated stages in Figure 4-14.
1. Client traffic is directed by an OSPF route on Cisco Nexus 7000-1 VDC1 to the active Cisco ASA
virtual context, which transparently bridges traffic between VDC1 and VDC2 on the Cisco Nexus 7000.
2. The transparent Cisco ASA virtual context forwards traffic from VLAN 161 to VLAN 162 towards
Cisco Nexus 7000-1 VDC2.
3. VDC2 sees the spanning-tree root for VLAN 162 through its connection to services switch SS1, and SS1
sees the spanning-tree root for VLAN 162 through the Cisco ACE transparent virtual context.
4. The Cisco ACE transparent virtual context applies an input service policy on VLAN 162. This
service policy, named AGGREGATE_SLB, holds the VIP definition. The VIP rules associated
with this policy enforce SSL-termination services and load-balancing services to a web application
firewall serverfarm. The state of the web application firewall serverfarm is determined via HTTP
based probes. The request is forwarded to a specific web application firewall appliance defined in
the Cisco ACE serverfarm. The client IP address is inserted as an HTTP header by the Cisco ACE
to maintain the integrity of server-based logging within the farm. The source IP address of the
request forwarded to the web application firewall is that of the originating client—in this example,
10.7.54.34.
5. In this example, the web application firewall has a virtual web application named Crack Me.
The web application firewall appliance receives the HTTP request on port 81 that was forwarded
from the Cisco ACE. The web application firewall applies all the relevant security policies for this
traffic and proxies the request back to a VIP (10.8.162.200) located on the same virtual Cisco ACE
context on VLAN interface 190.
6. Traffic is forwarded from the web application firewall on VLAN 163. A port channel is configured
to carry VLAN 163 and VLAN 164 on each member trunk interface. The Cisco IPS receives all
traffic on VLAN 163, performs inline inspection, and forwards the traffic back over the port channel
on VLAN 164.
By using this model, security services are integrated into the architecture and provide isolation without
the need to reallocate pools of IP addresses or re-engineer multiple routing schemes.
Access Layer
In this design, the data center access layer provides Layer-2 connectivity for the serverfarm. In most
cases the primary role of the access layer is to provide port density for scaling the serverfarm. See
Figure 4-15.
Figure 4-15 Data Center Access Layer
Recommendations
Security at the access layer is primarily focused on securing Layer-2 flows. Using VLANs to segment
server traffic and associating access control lists (ACLs) to prevent any undesired communication are
best practice recommendations. Additional security mechanisms that can be deployed at the access layer
include private VLANs (PVLANs), the Catalyst Integrated Security Features—which include Dynamic
Address Resolution Protocol (ARP) inspection, Dynamic Host Configuration Protocol (DHCP)
Snooping, and IP Source Guard. Port security can also be used to lock down a critical server to a specific
port.
The access layer and virtual access layer serve the same logical purpose. The virtual access layer is a
new location and a new footprint of the traditional physical data center access layer. The detailed access
layer discussion will focus on the virtual access layer and the available security features. These features
are also applicable to the traditional physical access layer.
Virtual Access Layer
Server Virtualization and Network Security
Virtualization is changing the way data centers are architected. Server virtualization is creating new
challenges for security deployments. Visibility into virtual machine activity and isolation of server
traffic becomes more difficult when virtual machine-sourced traffic can reach other virtual machines
within the same server without being sent outside the physical server.
In the traditional access model, each physical server is connected to an access port. Any communication
to and from a particular server or between servers goes through a physical access switch and any
associated services such as a firewall or a load balancer. But what happens when applications now reside
on virtual machines and multiple virtual machines reside within the same physical server? It might not
be necessary for traffic to leave the physical server and pass through a physical access switch for one
virtual machine to communicate with another. Enforcing network policies in this type of environment
can be a significant challenge. The goal remains to provide many of the same security services and
features used in the traditional access layer in this new virtual access layer.
The virtual access layer resides in and across the physical servers running virtualization software. Virtual
networking occurs within these servers to map virtual machine connectivity to that of the physical server.
A virtual switch is configured within the server to provide virtual machine ports connectivity. The way
in which each virtual machine connects, and to which physical server port it is mapped, is configured on
this virtual switching component. While this new access layer resides within the server, it is really the
same concept as the traditional physical access layer. It is just participating in a virtualized environment.
Figure 4-16 illustrates the deployment of a virtual switching platform in the context of this environment.
Figure 4-16 Cisco Nexus 1000V Data Center Deployment
In the VMware environment, virtual machines are configured and managed on VMware’s Virtual Center.
When a server administrator wants to initialize a new virtual machine and assign the policies (including
virtual port assignment) this is all performed in Virtual Center.
This creates some contention over who is responsible for networking and security policy at this layer.
In a virtual environment, it is possible for the server administrator to provision dozens of virtual
machines and assign VLANs and policies—without requiring the involvement of the network and
security teams. Since the virtual machines all reside in the same physical server that is already connected
to the network, this is a very easy task. In most cases the network and security policies have already been
predefined for the servers. A server administrator uses a pre-assigned VLAN for server connectivity that
also has associated policies. Once again, this VLAN is associated to a virtual port and a virtual machine
within the Virtual Center. There are several ongoing issues with this type of environment.
Miscommunication or a simple mistake can lead to misconfiguration and subsequently the wrong VLAN
and policy being mapped to a virtual machine. Visibility into the virtual machine environment is also
very limited for the network and security teams. In most cases the server teams have no desire to become
network engineers and would rather simply apply a predefined network policy for their servers.
The Cisco Nexus 1000V is a new virtual switching platform supported on VMware ESX version 4 (or
newer release versions). The Cisco Nexus 1000V provides many of the same physical access switch
capabilities at a virtual switching footprint. The Cisco Nexus 1000V is comprised of two components:
the Virtual Supervisor Module (VSM) and the Virtual Ethernet Module (VEM). The VSM acts in a
similar fashion to a traditional Cisco supervisor module. The networking and policy configurations are
performed on the VSM and applied to the ports on each VEM. The VEM is similar to a traditional Cisco
line card and provides the ports for host connectivity. The VEM resides in the physical server as the
virtual switching component. Virtual machine ports—and the definition of how they connect to the
physical server ports—are all mapped within each VEM. One VEM can exist on each VMware server,
but you can manage multiple VEMs from one VSM. The VSM is offered as either a physical appliance
or it can be configured as a virtual machine.
There is a significant management benefit to using the Cisco Nexus 1000V. The VSM communicates
with Virtual Center through the VMware API. When a network policy is defined on the
Cisco Nexus 1000V it is updated in Virtual Center and displayed as a Port Group. The network and
security teams can configure a pre-defined policy and make it available to the server administrators in
the same manner they are used to applying policies today. The Cisco Nexus 1000V policies are defined
through a feature called port profiles.
Policy Enforcement
Port profiles allow you to configure network and security features under a single profile that can be
applied to multiple interfaces. Once you define a port profile, one or more interfaces can inherit that
profile and every setting defined in it. You can define multiple profiles, each assigned to different interfaces.
As part of this design, two configuration examples follow. You can see two port profiles (vm180 and
erspan) have been defined. Port profile vm180 has been assigned to virtual Ethernet ports 9 and 10. And
port profile erspan has been assigned to virtual Ethernet port 8.
Note The ip flow monitor command is in reference to Encapsulated Remote Switched Port Analyzer
(ERSPAN) and will be discussed in the next section.
port-profile vm180
vmware port-group pg180
switchport mode access
switchport access vlan 180
ip flow monitor ESE-flow input
ip flow monitor ESE-flow output
no shutdown
state enabled
interface Vethernet9
inherit port-profile vm180
interface Vethernet10
inherit port-profile vm180
port-profile erspan
capability l3control
vmware port-group
switchport access vlan 3000
no shutdown
system vlan 3000
state enabled
interface Vethernet8
mtu 9216
inherit port-profile erspan
Once the port profile is configured on the Cisco Nexus 1000V, it can be applied to a specific virtual
machine as a port group in the VMware Virtual Center. Figure 4-17 shows that port profiles pg180 and
erspan are available as port groups in the Virtual Center.
Figure 4-17 VMware Virtual Center Port Group
There are multiple security benefits of this feature. First, network security policies are still defined by
the network and security administrators and are applied to the virtual switch in the same way that they
are on the physical access switches today. Second, once the features are defined in a port profile and
assigned to an interface the server administrator need only pick the available port group and assign it to
the virtual machine. This reduces the chance of misconfiguration and of overlapping or non-compliant
security policies being applied.
Visibility
Server virtualization brings new challenges for visibility into what is occurring at the virtual network
level. Traffic flows can now occur within the server between virtual machines without needing to
traverse a physical access switch. If a virtual machine is infected or compromised it might be more
difficult for administrators to spot without the traffic forwarding through security appliances.
Encapsulated Remote Switched Port Analyzer (ERSPAN) is a very useful tool for gaining visibility into
network traffic flows. This feature is supported on the Cisco Nexus 1000V. ERSPAN can be enabled on
the Cisco Nexus 1000V and traffic flows can be exported from the server to external devices. See
Figure 4-18.
Figure 4-18 Cisco Nexus 1000V and ERSPAN IDS and NAM at Services Switch
In this design, ERSPAN forwards copies of the virtual machine traffic to the Cisco IPS appliance and the
Cisco Network Analysis Module (NAM). Both the Cisco IPS and Cisco NAM are located at the service
layer in the service switch. A new virtual sensor (VS1) has been created on the existing Cisco IPS
appliances to provide monitoring only for the ERSPAN session from the server. Up to four virtual
sensors can be configured on a single Cisco IPS, and each can be configured in either intrusion prevention
system (IPS) or intrusion detection system (IDS) mode. In this case the new virtual sensor VS1 has
been set to IDS (monitor) mode. It receives a copy of the virtual machine traffic over the ERSPAN
session from the Cisco Nexus 1000V.
Two ERSPAN sessions have been created on the Cisco Nexus 1000V. Session 1 has a destination of the
Cisco NAM and session 2 has a destination of the Cisco IPS appliance. Each session terminates on the
6500 service switch. The ERSPAN configuration on the Cisco Nexus 1000V is shown in the following
example.
port-profile erspan
capability l3control
vmware port-group
switchport access vlan 3000
no shutdown
system vlan 3000
state enabled
!
monitor session 1 type erspan-source
description - to SS1 NAM via VLAN 3000
source interface Vethernet8 both
destination ip 10.8.33.4
erspan-id 1
ip ttl 64
ip prec 0
ip dscp 0
mtu 1500
no shut
monitor session 2 type erspan-source
description - to SS1 IDS1 via VLAN 3000
source interface Vethernet8 both
destination ip 10.8.33.4
erspan-id 2
ip ttl 64
ip prec 0
ip dscp 0
mtu 1500
no shut
The corresponding ERSPAN configuration on the Cisco Catalyst 6500 services switch is shown in the
following configuration.
monitor session 1 type erspan-source
description N1k ERSPAN - dcesx4n1 session 1
source vlan 3000
destination
erspan-id 1
ip address 10.8.33.4
!
monitor session 3 type erspan-destination
description N1k ERSPAN to NAM
destination analysis-module 9 data-port 2
source
erspan-id 1
ip address 10.8.33.4
monitor session 2 type erspan-source
description N1k ERSPAN - dcesx4n1 session 2
source vlan 3000
destination
erspan-id 2
ip address 10.8.33.4
!
monitor session 4 type erspan-destination
description N1k ERSPAN to IDS1
destination interface Gi3/26
source
erspan-id 2
ip address 10.8.33.4
Using a different ERSPAN ID for each session keeps the sessions isolated from one another. A maximum of
66 source and destination ERSPAN sessions can be configured per switch. ERSPAN can affect overall
system performance depending on the number of ports sending data and the amount of traffic being
generated. It is always a good recommendation to monitor system performance when you enable
ERSPAN to verify its overall effect on the system.
Note You must permit GRE protocol type “0x88BE” for ERSPAN Generic Routing Encapsulation (GRE)
connections. ERSPAN is carried in GRE (IP protocol 47) between the source and destination switches, so
any ACL or firewall on that path must allow GRE with that protocol type.
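As an added example (not code from the Cisco SAFE guide), the following Python decoder parses the ERSPAN Type II encapsulation that the erspan-source sessions above emit: a GRE header with protocol type 0x88BE, then the ERSPAN header carrying the erspan-id and original VLAN, then the mirrored frame. It shows what the note about permitting 0x88BE amounts to on the wire and how a collector uses the erspan-id to keep the NAM and IDS1 sessions apart. The packets are constructed here, not captured from the design; the session-to-collector mapping reuses the design's erspan-id 1 (NAM) and 2 (IDS1).

```python
"""Decoder for ERSPAN Type II, the encapsulation an erspan-source session on
the Cisco Nexus 1000V or Catalyst 6500 emits.

Added example, not code from the Cisco SAFE guide. Layout per the published
ERSPAN draft: GRE header (sequence-number flag set, protocol type 0x88BE),
an 8-byte ERSPAN header with the session ID (erspan-id) and original VLAN,
then the mirrored Ethernet frame. Sample packets are constructed below.
"""
import struct

ERSPAN_PROTO = 0x88BE      # GRE protocol type for ERSPAN
GRE_FLAG_SEQ = 0x1000      # "sequence number present" bit in the GRE flags
SESSION_TARGETS = {1: "NAM", 2: "IDS1"}   # erspan-id -> collector, as in the design


def build_erspan_type2(session_id: int, vlan: int, frame: bytes, seq: int = 1) -> bytes:
    """Wrap a mirrored frame in GRE + ERSPAN Type II headers."""
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, ERSPAN_PROTO, seq)
    # Ver(4) | VLAN(12) | COS(3) | En(2) | T(1) | Session ID(10)
    word1 = (1 << 28) | ((vlan & 0xFFF) << 16) | (session_id & 0x3FF)
    word2 = 0                                   # Reserved(12) | Index(20)
    return gre + struct.pack("!II", word1, word2) + frame


def parse_erspan_type2(gre_payload: bytes) -> dict:
    """Parse the payload of an IP protocol-47 (GRE) packet as ERSPAN Type II.
    Raises ValueError for anything else, so a collector never treats an
    unrelated GRE tunnel as mirrored traffic."""
    if len(gre_payload) < 16:
        raise ValueError("truncated GRE/ERSPAN header")
    flags, proto, seq = struct.unpack("!HHI", gre_payload[:8])
    if proto != ERSPAN_PROTO:
        raise ValueError(f"GRE protocol type 0x{proto:04x} is not ERSPAN")
    if not flags & GRE_FLAG_SEQ:
        raise ValueError("ERSPAN Type II needs the GRE sequence number")
    word1, word2 = struct.unpack("!II", gre_payload[8:16])
    if word1 >> 28 != 1:
        raise ValueError(f"unsupported ERSPAN version {word1 >> 28}")
    return {
        "seq": seq,
        "vlan": (word1 >> 16) & 0xFFF,
        "cos": (word1 >> 13) & 0x7,
        "session_id": word1 & 0x3FF,
        "index": word2 & 0xFFFFF,
        "frame": gre_payload[16:],
    }


def is_erspan(gre_payload: bytes) -> bool:
    try:
        parse_erspan_type2(gre_payload)
        return True
    except ValueError:
        return False


def demux(gre_payloads) -> dict:
    """Split mirrored frames per collector by erspan-id; frames for unknown
    session IDs or non-ERSPAN GRE are dropped rather than guessed at."""
    out = {target: [] for target in SESSION_TARGETS.values()}
    for payload in gre_payloads:
        if not is_erspan(payload):
            continue
        rec = parse_erspan_type2(payload)
        target = SESSION_TARGETS.get(rec["session_id"])
        if target is not None:
            out[target].append(rec["frame"])
    return out


# Constructed sample: a minimal Ethernet frame (dst, src, EtherType, payload)
# mirrored from VLAN 3000, plus a stray non-ERSPAN GRE packet.
SAMPLE_FRAME = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + b"vm-to-vm"
SAMPLE_PACKETS = [
    build_erspan_type2(1, 3000, SAMPLE_FRAME, seq=10),
    build_erspan_type2(2, 3000, SAMPLE_FRAME, seq=11),
    build_erspan_type2(3, 3000, SAMPLE_FRAME, seq=12),        # no collector configured
    struct.pack("!HHI", GRE_FLAG_SEQ, 0x0800, 1) + b"\x00" * 8,  # plain GRE-over-IP
]

if __name__ == "__main__":
    for name, frames in demux(SAMPLE_PACKETS).items():
        print(name, len(frames), "frame(s)")
```

Anything arriving over GRE that does not carry protocol type 0x88BE, or that carries an erspan-id no session was configured for, is dropped rather than handed to a sensor; that is the isolation the distinct ERSPAN IDs provide.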
Isolation
Server-to-server filtering can be performed using ACLs on the Cisco Nexus 1000V. In the configuration
example that follows, we use an IP ACL to block communication between two virtual machines. In this
example, there are two virtual machines (10.8.180.230 and 10.8.180.234) on the same physical server.
In order to block communication from VM 10.8.180.230 to VM 10.8.180.234, an ACL is used on the
Cisco Nexus 1000V. Because the server-to-server traffic never leaves the physical server, the ACL
provides an excellent method for segmenting this traffic.
Prior to defining and applying the ACL, the 10.8.180.230 virtual machine can communicate directly
with the 10.8.180.234 virtual machine through a variety of methods. By default, ping, Telnet, and
FTP traffic types are all allowed. Figure 4-19 shows the general traffic flow between the virtual
machines, while the command output listing that follows illustrates the traffic activity.
Figure 4-19 VM-to-VM Traffic
C:\Documents and Settings\Administrator> ping 10.8.180.234
Pinging 10.8.180.234 with 32 bytes of data:
Reply from 10.8.180.234: bytes=32 time<1ms TTL=128
Reply from 10.8.180.234: bytes=32 time<1ms TTL=128
Reply from 10.8.180.234: bytes=32 time<1ms TTL=128
Reply from 10.8.180.234: bytes=32 time<1ms TTL=128
Ping statistics for 10.8.180.234:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Administrator> ftp 10.8.180.234
Connected to 10.8.180.234.
220 Microsoft FTP Service
User (10.8.180.234:(none)):
C:\Documents and Settings\Administrator> telnet 10.8.180.234 80
GET HTTP://10.8.180.234
Under Construction
|
Under Construction
The site you are trying to view does not currently have a default page. It may be in the
process of being upgraded and configured.
Please try this site again later. If you still experience the problem, try contacting the
Web site administrator.
If you are the Web site administrator and feel you have received this message in error,
please see "Enabling and Disabling Dynamic Content" in IIS Help.
…
Note The preceding Telnet example opens a Telnet connection to port 80—the web server port on
10.8.180.234. A simple GET command provides a brief amount of reconnaissance information.
There are two options for adding an access list to the virtual Ethernet interfaces to block communication.
The ACL can be defined and the access group can be applied to a port profile. All interfaces configured
for the port profile will inherit the access-group setting. If you have specific ACLs you wish to configure
on an interface you can apply the access group directly to the virtual Ethernet interface in addition to the
port profile. The port profile will still apply but the access group will only be applied to the specific
interface instead of all interfaces that have inherited the particular port profile.
In this example, an ACL is created and applied to virtual Ethernet 13. The 10.8.180.230 virtual machine
resides on virtual Ethernet 8 and the 10.8.180.234 virtual machine resides on virtual Ethernet 13. Access
groups on the Cisco Nexus 1000V must be applied inbound. To block traffic from .230 to .234 we will
create an ACL and apply it inbound on virtual Ethernet 13. See Figure 4-20 and the configuration listing
that follows.
Figure 4-20 VM-to-VM Traffic Blocked by Port ACL on Cisco Nexus 1000V
dcvsm(config)# ip access-list s-to-s
dcvsm(config-acl)# deny ip host 10.8.180.230 host 10.8.180.234
dcvsm(config-acl)# permit ip any any
dcvsm(config)# int vethernet 13
dcvsm(config-if)# ip port access-group s-to-s in
dcvsm(config-if)# exit
interface Vethernet8
ip port access-group s-to-s in
inherit port-profile vm180
We can now retest to verify that traffic is blocked from 10.8.180.230 to 10.8.180.234.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator> ping 10.8.180.234
Pinging 10.8.180.234 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.8.180.234:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Documents and Settings\Administrator> telnet 10.8.180.234 80
Connecting To 10.8.180.234...Could not open connection to the host, on port 80:
Connect failed
C:\Documents and Settings\Administrator> ftp 10.8.180.234
> ftp: connect :Connection timed out
ftp>
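The following Python model, added here and not from the Cisco SAFE guide, reproduces the first-match behaviour of the s-to-s port ACL so that both directions of the VM-to-VM traffic can be checked before the ACL goes live. It assumes NX-OS semantics as documented for the Nexus 1000V: entries are evaluated in order, anything unmatched hits the implicit deny, a port ACL is inbound only, and inbound on a vEthernet port means traffic entering the switch from the attached VM. The VMs, their ports and the ACL text are those of the example above.

```python
"""Model of a first-match port ACL on Nexus 1000V vEthernet ports.

Added example, not from the Cisco SAFE guide. Implements only the entry forms
the page uses ('deny ip host A host B', 'permit ip any any', plus prefix
notation) under assumed NX-OS semantics: ordered evaluation, implicit deny,
port ACLs inbound only, and 'inbound' on a vEthernet port meaning traffic
entering the switch from the attached VM.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(tokens):
    """Parse 'host A', 'any' or 'A/len'; return (network, tokens consumed)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    return ipaddress.ip_network(tokens[0], strict=False), 1


def parse_acl(lines):
    acl = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, used = _net(t[2:])
        dst, _ = _net(t[2 + used:])
        acl.append(Ace(t[0], src, dst))
    return acl


def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; nothing matched means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


@dataclass
class VethPort:
    name: str
    vm_ip: str
    acl_in: Optional[list] = None    # inbound = packets the VM sends into the switch

    def admits(self, src_ip: str, dst_ip: str) -> bool:
        return self.acl_in is None or evaluate(self.acl_in, src_ip, dst_ip) == "permit"


def vm_to_vm(src_port: VethPort, dst_port: VethPort) -> bool:
    """Can a packet from src_port's VM reach dst_port's VM? Only the sending
    port's inbound ACL sees it; the receiving port's inbound ACL never does."""
    return src_port.admits(src_port.vm_ip, dst_port.vm_ip)


S_TO_S = parse_acl([
    "deny ip host 10.8.180.230 host 10.8.180.234",
    "permit ip any any",
])


def scenario(acl_on: str) -> dict:
    """Apply s-to-s inbound on the named port and test both directions."""
    veth8 = VethPort("Vethernet8", "10.8.180.230", S_TO_S if acl_on == "Vethernet8" else None)
    veth13 = VethPort("Vethernet13", "10.8.180.234", S_TO_S if acl_on == "Vethernet13" else None)
    return {
        ".230 -> .234": vm_to_vm(veth8, veth13),
        ".234 -> .230": vm_to_vm(veth13, veth8),
    }


if __name__ == "__main__":
    for port in ("Vethernet8", "Vethernet13"):
        print(port, scenario(port))
```

Two things the model makes visible. First, placement: under these semantics a deny with source .230 only ever sees a packet on the port where .230 sends traffic into the switch, which is Vethernet8 in the listing; applied inbound on Vethernet13 it matches nothing, because every inbound packet there has source .234. Second, the ACL is stateless and one-directional: .234 can still send to .230, so a second entry in the reverse direction is needed if the isolation is meant to hold both ways.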
The Nexus 1000V virtual switch brings traditional security features to the virtual server
environment. Additional security features available on the Cisco Nexus 1000V include the following:
• Private VLANs
• Port security
• Cisco Catalyst integrated security features for anti-spoofing
Endpoint Security
The great variety in server hardware types, operating systems, and applications represents a clear
challenge to security. The operating systems and applications must be protected regardless of whether
they reside on a physical server or on a virtual machine.
Properly securing the endpoints requires the adoption of the appropriate technical controls. The Cisco
Security Agent, or CSA, is used as a baseline for providing endpoint security. CSA takes a proactive and
preventative approach, using behavior-based security to focus on preventing malicious activity on the
host. Malicious activity is detected and blocked, independent of the type of malware, spyware, adware,
or virus affecting the host.
Once deployed on an endpoint, when an application attempts an operation, the agent checks the
operation against the application's security policy, making a real-time allow or deny decision on the
continuation of that operation, and determining whether logging of the operation request is appropriate.
CSA provides defense-in-depth protection against spyware and adware by combining security policies
that implement distributed firewall, operating system lockdown and integrity assurance, malicious
mobile code protection, and audit event collection capabilities in default policies for servers and
desktops.
CSA security policies are created and managed on the CSA Management Center (CSA-MC). MC also
provides centralized reporting and global correlation.
CSA deployment and the integration capabilities between CSA and Cisco Network IPS are discussed in
Chapter 11, “Threat Control and Containment.”
For complete details about deploying CSA in a network, refer to the Rapid Deployment Guide for Cisco
Security Agent 6.0 for Desktops at the following URL:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5057/deployment_guide_c07-501928.html
Infrastructure Security Recommendations
The following section highlights some of the baseline security recommendations and examples used for
the data center infrastructure.
• Infrastructure device access ( TACACS+, SSH, AAA, and login banner)
• Disable specific services
• Secure OOB management
• NetFlow
• Syslog
• NTP
Detailed infrastructure security recommendations can be found in Chapter 2, “Network Foundation
Protection.”
Attack Prevention and Event Correlation Examples
Virtual Context on ASA for ORACLE DB Protection
The example described in this section leverages the virtualization capability on the Cisco ASA firewall.
An additional virtual context is created on the Cisco ASA and designated to reside between the servers
and an Oracle database. The goal is not to prevent any server from communicating with the database,
but rather to control which servers can access the database. For example, in most cases it is not necessary
for a presentation (web) server to communicate directly with the database. This would usually be
performed from an application server. If a web server in the environment were compromised, this would
prevent the attacker from gaining direct access to the critical information stored in the database. Another
firewall could be provisioned for this task, but if there is available capacity on the existing firewall pair
this allows for the firewalls to be fully utilized with very minimal design changes.
This topology is shown in Figure 4-21.
Figure 4-21 Cisco ASA Virtual Context 3 to Protect Oracle DB
The database has an IP address that is on VLAN 141 and the default gateway resides on VRF1. Because
the firewall is operating in transparent mode it can integrate into this environment with minimal changes
to the network. A new context (VC3) is created on the firewall, the outside interface is assigned to VLAN
141, and the inside interface is assigned to VLAN 142. In transparent mode, the Cisco ASA is simply
bridging these two VLANs. Because the Cisco ASA is in transparent mode, there is no need to
reconfigure any IP addresses on either the VLAN 141 gateway or on the Oracle database. Traffic to and
from the Oracle database is simply bridged between VLAN 141 and VLAN 142. This is an inline
transparent service to both VRF1 and the database. As traffic enters the Cisco ASA, stateful packet
filtering is performed and traffic is inspected before being forwarded to the database.
Any server traffic not sourced on VLAN 141 passes through the Cisco ASA for inspection. See
Figure 4-22.
Figure 4-22 Example of Server to Database Access Through Virtual Firewall Context
Web Application Firewall Preventing Application Attacks
The Cisco ACE WAF can protect servers from a number of highly damaging application-layer
attacks, including command injection, directory traversal, and cross-site scripting (XSS) attacks.
In this design, the Cisco ACE WAF devices are being load balanced by the Cisco ACE to increase
scalability. The Cisco ACE also provides another security benefit, it is servicing inbound HTTPS
requests. This means the incoming client HTTPS session is terminated on the Cisco ACE and forwarded
to the Cisco ACE WAF in clear text. The Cisco ACE WAF is now able to inspect all connections as
HTTP before they are forwarded to the web servers.
In the example that follows (see Figure 4-23), the Cisco ACE WAF detects a URL traversal attack
between a client and a virtual machine. The client has an IP address of 10.7.52.33 and the web
server is a virtual machine with an IP address of 10.8.180.230.
Figure 4-23 Cisco ACE WAF Attack Prevention
The client uses a URL traversal (appending specific characters to the end of the URL) in an attempt to
gain additional information about the web server. This event is identified and triggered on the Cisco
ACE WAF as a traversal attack. See Figure 4-24.
Figure 4-24 Cisco ACE WAF Incidents Showing Attack
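The following Python detector is an added example of the kind of rule behind a WAF traversal incident; it is not the Cisco ACE WAF's own logic, which this page does not publish. A traversal rule has to normalise the request path the way the web server will before matching: percent-decoding repeated until stable (so double encoding such as %252e does not slip through), backslash folding for Windows targets, NUL stripping, then resolution of the dot segments. The request paths are constructed; the benign one is the design's Crack Me home page.

```python
"""Path-traversal detector of the kind a WAF applies to each request path.

Added example, not the Cisco ACE WAF's rule logic. Normalises the path the
way the web server will (repeated percent-decoding, backslash folding, NUL
stripping) and then resolves dot segments. Sample requests are constructed.
"""
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3   # enough to peel double and triple encoding


def normalise_path(raw_path: str) -> str:
    """Decode repeatedly until stable, then fold the separators IIS accepts."""
    path = raw_path.split("?", 1)[0]          # query string is not part of the path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").replace("\x00", "")


def root_escapes(path: str) -> int:
    """Resolve '.' and '..' segments; count how many '..' would climb above
    the application root (0 means the request stays inside it)."""
    depth = escapes = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if depth == 0:
                escapes += 1
            else:
                depth -= 1
        else:
            depth += 1
    return escapes


def classify_request(raw_path: str) -> dict:
    """Flag any request that still contains a '..' segment after normalisation.
    Even a '..' that nets out inside the root is probing behaviour, which is
    why a WAF reports it as a traversal incident rather than leaving it to 404."""
    path = normalise_path(raw_path)
    escapes = root_escapes(path)
    dotdot = ".." in path.split("/")
    return {"normalised_path": path, "escapes_root": escapes, "attack": dotdot}


# Constructed sample requests against the Crack Me application.
SAMPLE_REQUESTS = [
    "/Kelev/view/home.php",
    "/Kelev/view/../../../../etc/passwd",
    "/Kelev/view/%2e%2e/%2e%2e/%2e%2e/windows/win.ini",
    "/Kelev/%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "/Kelev/view/..\\..\\boot.ini",
    "/Kelev/view/home.php?page=..%2f..%2fconfig",   # traversal in the query, not the path
]


def flagged(requests=SAMPLE_REQUESTS) -> list:
    return [r for r in requests if classify_request(r)["attack"]]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(classify_request(r), r)
```

The last sample is deliberately not flagged: the traversal sits in a query parameter and this function only normalises the path, so a production rule must apply the same normalisation to every parameter value, header and cookie the application reads before matching.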
The event details show the attack specifics and the attacker information. See Figure 4-25.
Figure 4-25 Cisco ACE WAF Event Viewer Attack Details
The Cisco ACE WAF can be set to monitor or enforce specific rules. In either case, visibility into what
is occurring at the application layer is greatly enhanced.
Using Cisco ACE and Cisco ACE WAF to Maintain Real Client IP Address as Source in Server Logs
For server administrators and security teams, it can be very important to have the incoming client’s IP
address available in the server logs for any necessary forensic analysis.
The Cisco ACE by itself can be configured to retain the real client’s IP address and pass it to the server.
If the Cisco ACE WAF is deployed between the Cisco ACE and the web servers, the server log by default
shows the IP address of the Cisco ACE WAF as the client. Because the Cisco ACE WAF is acting
as a proxy for the servers, this is the expected behavior, but the Cisco ACE WAF can
preserve the client’s source IP address in the transaction as it is forwarded to the server.
A new profile can be created to preserve the client’s IP address for transactions traversing the Cisco ACE
WAF. For the purposes of this design example, a new profile named My Client Insert has been created.
See Figure 4-26.
Figure 4-26 Cisco ACE WAF with My Client Insert Profile Defined
Edit the profile and modify the HTTP header processing settings. Select the Insert
“X-Forwarded-For” header with client’s IP address check box and choose the option to append to the
existing value. See Figure 4-27.
Figure 4-27 My Client Insert Profile Definition
The My Client Insert profile has been assigned to the Crack Me virtual web application. See Figure 4-28.
Figure 4-28 Virtual Web Application Crack Me Details
Figure 4-29 shows a screen capture of a trace taken on the web server 10.8.180.230. The client used in
this test had a source IP of 10.7.54.34. The client IP address is correctly reflected in the trace on the web
server.
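With the append option, a client that sends its own X-Forwarded-For header keeps that value and the WAF adds the real address after it, so the server must read the header from the right. The following Python is an added example, not code from the guide or from Cisco; it assumes the WAF devices have the addresses labelled in Figure 4-35 (10.8.190.210 and 10.8.190.211) and that these are the only trusted proxies, and the header values are constructed.

```python
"""Pick the client address out of an X-Forwarded-For chain that a trusted
proxy (the Cisco ACE WAF in this design) appends to.

Added example, not code from the Cisco SAFE guide or any Cisco product.
The WAF addresses are the ones labelled in Figure 4-35 and are assumed
here to be the only trusted proxies; the sample header values are
constructed.
"""
import ipaddress
from typing import Iterable, List, Optional

# Assumption: the two ACE WAF devices are the only proxies the server trusts.
TRUSTED_PROXIES = ["10.8.190.210", "10.8.190.211"]


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For value into its hop list, left to right."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def naive_first_entry(peer_ip: str, header: Optional[str]) -> str:
    """The common but unsafe approach: trust the leftmost entry.

    With 'append to existing value', a client that sends its own
    X-Forwarded-For header controls this leftmost value.
    """
    hops = parse_xff(header)
    return hops[0] if hops else peer_ip


def client_ip_from_xff(peer_ip: str, header: Optional[str],
                       trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the address the server should log as the client.

    Walk the chain from the right (the entry appended last) and discard
    every hop that is a trusted proxy. The first remaining entry is the
    client address as observed by the innermost trusted proxy. Anything
    further left was supplied by an untrusted party and is ignored.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            return any(ipaddress.ip_address(addr) in net for net in trusted)
        except ValueError:
            return False

    # A header on a connection that did not come from a trusted proxy
    # cannot be trusted at all: log the TCP peer address.
    if not is_trusted(peer_ip):
        return peer_ip
    for hop in reversed(parse_xff(header)):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break          # malformed entry: fall back to the peer address
        return hop
    return peer_ip


def access_log_line(peer_ip: str, header: Optional[str], request: str) -> str:
    """Build a log line that records the trusted client address first."""
    return f"{client_ip_from_xff(peer_ip, header)} {peer_ip} {request}"
```

The same walk also works when the Cisco ACE itself inserts a hop, since any trusted proxy address is skipped regardless of where it appears.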
Figure 4-29 Cisco ACE and WAF HTTP Header Insertion of Source IP Address Captured from Server
Using IDS for VM-to-VM Traffic Visibility
In the design example illustrated in this section, ERSPAN on the Cisco Nexus 1000V is leveraged to
forward a copy of virtual machine-to-virtual machine traffic to the IDS at the services layer. The attacker
is using the web server (10.8.180.230) to send malformed URL requests to the virtual server
(10.8.180.234). Both virtual machines reside on the same physical server. See Figure 4-30.
Figure 4-30 Using ERSPAN to IDS for VM-to-VM Traffic
The attempt triggers a signature on the IDS and is logged for investigation. See Figure 4-31.
Figure 4-31 IDS Event Log of VM to VM Attack
Using IDS and Cisco Security MARS for VM Traffic Visibility
As previously discussed, server virtualization introduces some new challenges to the network and
security teams. When virtual machines can communicate directly with other virtual machines without
the traffic ever leaving the server, it can prove difficult to maintain any visibility into traffic flows. This
example illustrates using ERSPAN on the Cisco Nexus 1000V to forward traffic to the IDS virtual sensor
1 (VS1) discussed in the “Virtual Access Layer” section on page 4-24. Cisco Security MARS is
monitoring the Cisco IPS devices including IDS VS1 to provide event correlation and anomaly detection.
In this example, a vulnerability scan from another machine on the network is performed against a web
server running on a virtual machine. The attacker’s IP address is 10.7.52.33 and the IP address of the
web server is 10.8.180.230. The web server is connected to a virtual Ethernet port on the Cisco Nexus
1000V virtual switch.
When the scan is initiated and reaches the Cisco Nexus 1000V, a copy of the traffic to the web server is
forwarded over the ERSPAN session to the IDS. See Figure 4-32.
Figure 4-32 Using IDS and Cisco Security MARS to View Attack Information Against VM
The scan from the client to the server triggers several IDS signatures and the corresponding event logs.
See Figure 4-33.
Figure 4-33 IDS Events for Scan Against VM
Cisco Security MARS detects the events through the configured rules and logs the sweeps as an event
or incident. See Figure 4-34.
Figure 4-34 Cisco Security MARS Incident for IDS Events of Attack Against VM
An otherwise undetected scan against a web server has been detected by the IDS and logged as an
incident on Cisco Security MARS.
Alternative Design
In some cases, it might not be desirable to use an inline Cisco IPS in the data center environment. The
topology can be easily modified to accommodate IDS devices in promiscuous mode.
The IDS will only receive a copy of the traffic through either Switched Port Analyzer (SPAN) or VLAN
Access Control List (VACL) capture instead of residing in the active traffic flow. Because the IDS is
not in the active traffic path, there is also no need for bridging VLAN 163 and VLAN 164. VLAN 164
can be removed. VLAN 163 now goes from the Cisco ACE module directly to the Cisco Nexus 7000
internal VDC2. See Figure 4-35 for an illustration of this environment.
Figure 4-35 Data Center Security Services with IDS in Promiscuous Mode
Threats Mitigated in the Intranet Data Center
Table 4-1 summarizes the threats mitigated with the data center security design described in this chapter.
Table 4-1 Threats Mitigated with Data Center Security Design
Columns: Botnets | DoS | Unauthorized Access | Spyware, Malware | Network Abuse | Data Leakage | Visibility | Control
Routing Security: Yes Yes Yes Yes Yes
Service Resiliency: Yes Yes Yes
Network Policy Enforcement: Yes Yes Yes Yes Yes
Application Control Engine (ACE): Yes Yes Yes Yes
Web Application Firewall (WAF): Yes Yes Yes Yes Yes
IPS Integration: Yes Yes Yes Yes Yes
Switching Security: Yes Yes Yes Yes
Endpoint Security: Yes Yes Yes Yes Yes Yes Yes Yes
Secure Device Access: Yes Yes Yes Yes Yes
Telemetry: Yes Yes Yes Yes Yes
Chapter 5 Enterprise Campus
The enterprise campus is the portion of the infrastructure that provides network access to end users and
devices located at the same geographical location. It may span over several floors in a single building,
or over multiple buildings covering a larger geographical area. The campus typically connects to a
network core that provides access to the other parts of the network such as data centers, WAN edge, other
campuses, and the Internet edge modules.
This chapter covers the best practices for implementing security within a campus network. It does not
provide design guidance or recommendations on the type of distribution-access design that should be
deployed within a campus network such as multi-tier, virtual switching system (VSS), or routed access
designs. This chapter discusses the security best practices applicable to these designs.
For information on the various campus distribution-access designs, see the Enterprise Campus 3.0
Architecture: Overview and Framework Document at the following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html
From a security perspective, the following are the key requirements to be satisfied by the campus design:
• Service availability and resiliency
• Prevent unauthorized access, network abuse, intrusions, data leak, and fraud
• Ensure data confidentiality, integrity, and availability
• Ensure user segmentation
• Enforce access control
• Protect the endpoints
• Protect the infrastructure
Key Threats in the Campus
The following are some of the key threats that affect the campus:
• Service disruption—Botnets, malware, adware, spyware, viruses, DoS attacks (buffer overflows and
endpoint exploitation), Layer-2 attacks, and DDoS on services and infrastructure.
• Unauthorized access—Intrusions, unauthorized users, escalation of privileges, IP Spoofing, and
unauthorized access to restricted resources.
• Data disclosure and modification—Sniffing, man-in-the-middle (MITM) attacks of data while in
transit.
• Network abuse—Peer-to-peer and instant messaging abuse, out-of-policy browsing, and access to
forbidden content.
• Data leak—From servers and user endpoints, data in transit and at rest.
• Identity theft and fraud—On servers and end users, phishing, and E-mail spam.
Enterprise Campus Design
The campus design follows a modular hierarchical design comprising core, distribution, and access
layers. An optional services block, using a set of switches providing distribution/access services, may be
implemented to host certain services for the local campus users. The modular hierarchical design
segregates the functions of the network into separate building blocks to provide availability,
flexibility, scalability, and fault isolation. Redundancy is achieved by implementing switches in pairs,
deploying redundant links, and implementing dynamic routing protocols. This results in full
topological redundancy as illustrated in Figure 5-1.
Figure 5-1 Campus Design
In the typical hierarchical model, the individual network modules such as the data center, WAN edge,
Internet edge, and other campuses are interconnected using the core layer switches. As discussed in
Chapter 3, “Enterprise Core,” the core serves as the backbone for the network. The core needs to be fast
and extremely resilient because every building block depends on it for connectivity. A minimal
configuration in the core reduces configuration complexity limiting the possibility for operational error.
The distribution layer acts as a services and control boundary between the access and core layers. It
aggregates switches from the access layer and protects the core from high-density peering requirements
from the access layer. Additionally, the distribution block provides for policy enforcement, access
control, route aggregation, and acts as an isolation demarcation between the access layer and the rest of
the network. Typically deployed as a pair (or multiple pairs) of Layer 3 switches for redundancy, the
distribution layer uses Layer-3 switching for its connectivity to the core layer and Layer 2 trunks or
Layer 3 point-to-point routed interfaces for its connectivity to the access layer.
The access layer is the first point of entry into the network for edge devices, end stations, and IP phones.
The switches in the access layer are connected to two separate distribution-layer switches for
redundancy. The access switches in the access layer can connect to the distribution layer switches using
Layer 2 trunks or Layer-3 point-to-point routed interfaces.
Within the enterprise campus, an optional campus services block may be deployed to provide application
services to end users and devices within the campus network such as centralized LWAPP wireless
controllers and IPv6 ISATAP tunnel termination. Additionally, for small campuses that only require a
few servers, this block could also be used to host a small number of localized foundational servers such
as local DHCP, DNS, FTP, and NAC Profiler servers. For larger campuses requiring many servers, a
data center design should be deployed to host these servers using the security best practices described
in Chapter 4, “Intranet Data Center.”
There are three basic choices for deploying the distribution-access design within a campus network.
They include:
• Multi-Tier, page 5-4
• Virtual Switch System (VSS), page 5-6
• Routed Access, page 5-7
While all three of these designs use the same basic physical topology and cable plant, there are
differences in where the Layer-2 and Layer-3 boundaries exist, how the network topology redundancy is
implemented, and how load-balancing works-along with a number of other key differences between each
of the design options. The following sections provide a short description of each design option. A
complete description for each of these design models can be found within the Enterprise Campus 3.0
Architecture: Overview and Framework document at the following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html
Multi-Tier
In a multi-tier distribution-access design, all the access switches are configured to run in Layer-2
forwarding mode and the distribution switches are configured to run both Layer-2 and Layer-3
forwarding. VLAN-based trunks are used to extend the subnets from the distribution switches down to
the access layer. A default gateway protocol such as Hot Standby Router Protocol (HSRP) or Gateway
Load Balancing Protocol (GLBP) is run on the distribution layer switches along with a routing protocol
to provide upstream routing to the core of the campus. One version of spanning tree and the use of the
spanning tree hardening features (such as Loopguard, Rootguard, and BPDUGuard) are configured on
the access ports and switch-to-switch links as appropriate.
Note It is a good practice to implement Per VLAN Spanning Tree (PVST). PVST defines a separate instance
of spanning tree for each VLAN configured in the network, making the network more resilient from
attacks against spanning tree. Cisco switches support several versions of PVST, including PVST+ and
Rapid-PVST+. Rapid-PVST+ provides faster convergence of the spanning tree by using Rapid Spanning
Tree Protocol (RSTP).
The multi-tier design has two basic variations that differ primarily in the manner in which VLANs
are defined. In the looped design, one or more VLANs are configured to span multiple access switches.
As a result, each of these spanned VLANs has a spanning tree or Layer-2 looped topology. The other
alternative, the loop-free design, follows the current best practice guidance for the multi-tier design and
defines unique VLANs for each access switch, as shown in Figure 5-2.
Figure 5-2 Multi-Tier Design
The detailed design guidance for the multi-tier distribution block design can be found in the campus
section of the Cisco Design Zone website at http://www.cisco.com/go/designzone
Virtual Switch System (VSS)
In the VSS design, the distribution switch pair acts as a single logical switch. By converting the
redundant physical distribution switches into a single logical switch, a significant change is made to the
topology of the network. Rather than an access switch configured with two uplinks to two distribution
switches and needing a control protocol to determine which of the uplinks to use, now the access switch
has a single multi-chassis Etherchannel (MEC) upstream link connected to a single distribution switch.
This design is illustrated in Figure 5-3.
Figure 5-3 VSS Design
For details on the design of the virtual switching distribution design, see the upcoming virtual switch
distribution block design guide at http://www.cisco.com/go/designzone
Routed Access
In a routed access design, each access switch acts as a full Layer-3 routing node, providing both Layer-2
and Layer-3 switching, and serves as the Layer 2/3 demarcation point in the campus network design.
Layer-3 point-to-point routed interfaces are used to connect to the distribution switches. Each access
switch is configured with unique voice, data, and any other required VLANs. In addition, in a routed
access design, the default gateway and root bridge for these VLANs exist on the access switch.
Figure 5-4 illustrates the Layer-3 routed access design.
Figure 5-4 Routed Access Design
The detailed design guidance for the routed access distribution block design can be found in the campus
section of the Cisco Design Zone site at http://www.cisco.com/go/designzone
Campus Access Layer
The campus access layer is the first tier or edge of the campus where end devices such as end-user
workstations, printers, and cameras attach to the wired portion of the network. Additionally, this is also
where devices such as IP phones and wireless access points (APs) are attached to extend the network out
from the access switches. Each access switch is deployed with redundant links to the distribution layer
switches. See Figure 5-5.
Figure 5-5 Campus Access Module Design
Campus Access Layer Design Guidelines
The campus access layer provides the demarcation point between the network infrastructure and the end
devices that use it. It is the first line of defense in the network against threats
generated by the devices connecting to it. This section discusses the various security measures used for
securing the campus access layer, including the following:
• Securing the endpoints using endpoint security software
• Securing the access infrastructure and protecting network services such as DHCP and ARP, protecting
against IP spoofing, and protecting against inadvertent loops using Network Foundation Protection
(NFP) best practices and Catalyst Integrated Security Features (CISF).
Endpoint Protection
Network endpoints are defined as any systems that connect to the network and communicate with other
entities over the network infrastructure such as servers, desktop computers, laptops, printers, and IP
phones. These endpoints can vary greatly in hardware types, operating systems, and applications making
it very difficult to keep them updated with latest patches to vulnerabilities and virus signature files. In
addition, portable devices such as laptops can be used at hotels, employee’s homes, and other places
outside the corporate controls making it difficult to protect these devices. The list of threats to these
endpoints include malware, adware, spyware, viruses, worms, botnets, and E-mail spam.
The vulnerability of any particular endpoint can impact the security and availability of an entire
enterprise. Thus, endpoint security is a critical element of an integrated, defense-in-depth approach to
protecting both clients and servers themselves and the network to which they connect. The first step in
properly securing the endpoints requires end-user awareness and the adoption of the appropriate
technical controls. End-users must be continuously educated on current threats and the security
measures needed for keeping endpoints up-to-date with the latest updates, patches, and fixes. In addition,
this must be complemented by implementing a range of security controls focused on protecting the
endpoints such as endpoint security software, network-based intrusion prevention systems, and web and
E-mail traffic security.
Endpoint security software must harden the endpoint against an initial attack as well as the activities
associated with compromised endpoints. The key elements include the following:
• Protection against known attacks—Signature-based threat detection and mitigation, such as known
worms and viruses.
• Protection against zero-day or unpatched attacks—Behavioral-based threat detection and mitigation,
such as attempts to load an unauthorized kernel driver, capture keystrokes, trigger buffer overflows, modify
system configuration settings, and insert code into other processes.
• Policy enforcement—Visibility and protection against non-compliant behavior such as data loss,
unauthorized access, and network and application abuse.
These elements are addressed by host-based intrusion prevention systems (HIPS) such as the Cisco
Security Agent (CSA). The Cisco SAFE leverages CSA on end-user workstations and servers to provide
endpoint security. CSA takes a proactive and preventative approach, using behavior-based and
signature-based security to focus on preventing malicious activity on the host. Cisco Security Agents are
centrally managed using the Management Center for Cisco Security Agents (CSA-MC), including
behavioral policies, data loss prevention, and antivirus protection. The CSA-MC also provides
centralized reporting and global correlation.
CSA can be deployed in conjunction with IPS to enhance threat visibility within the network. CSA can
provide endpoint posture information to IPS to reduce false-positives and allow dynamic quarantine of
compromised hosts. For more information on CSA and IPS collaboration, refer to Chapter 11, “Threat
Control and Containment.”
Access Security Best Practices
In addition to protecting the endpoints themselves, the infrastructure devices and network services such
as DHCP and ARP also need to be protected. Cisco SAFE leverages the NFP security best practices and
the Catalyst Integrated Security Features (CISF) for hardening the access switches in the campus access
layer. This includes restricting and controlling administrative access, protecting the management and
control planes, securing the dynamic exchange of routing information, and securing the switching
infrastructure.
The following are the key areas of the NFP best practices applicable to securing the access layer
switches. All best practices listed below are applicable to the access switches in all three
distribution-access design models unless otherwise noted:
• Infrastructure device access
– Implement dedicated management interfaces to the out-of-band (OOB) management network;
for more information on implementing an OOB management network, refer to Chapter 9,
“Management.”
– Limit the accessible ports and restrict the permitted communicators and the permitted methods
of access.
– Present legal notification.
– Authenticate and authorize access using AAA.
– Log and account for all access.
– Protect locally stored sensitive data (such as local passwords) from viewing and copying.
• Routing infrastructure
– Authenticate routing neighbors.
– Use default passive interfaces.
– Log neighbor changes.
– Implement EIGRP stub routing.
Note Routing infrastructure protection is only applicable in the access layer of a routed access design
since Layer-3 routing is enabled between the access and distribution switches. In a multi-tier and
VSS design, this is enabled in the distribution layer.
• Device resiliency and survivability
– Disable unnecessary services.
– Filter and rate-limit control-plane traffic.
– Implement redundancy.
• Network telemetry
– Implement NTP to synchronize time to the same network clock.
– Maintain and monitor device global and interface traffic statistics.
– Maintain system status information (memory, CPU, and process).
– Log and collect system status, traffic statistics, and device access information.
• Network policy enforcement
– Implement management and infrastructure ACLs (iACLs).
Note iACLs are only applicable in the access layer of a routed access design where the routed edge
interface is on the access switches. In a multi-tier and VSS design, this is enabled in the
distribution layer.
– Protect against IP spoofing using IP Source Guard on access ports and uRPF on routed edge
interfaces.
Note URPF is only applicable in the access layer of a routed access design where the routed edge
interface is on the access switches. In a multi-tier and VSS design, this is enabled in the
distribution layer.
For more information on many of the NFP security best practices listed above, including design and
configuration guidelines for each of the areas, refer to Chapter 2, “Network Foundation Protection.”
Additional details and requirements for implementing switching security and infrastructure ACLs in the
campus access layer are provided in the following subsections.
Switching Security
The campus access layer switching infrastructure must be resilient to attacks, including direct, indirect,
intentional, and unintentional types of attacks. In addition, it must offer protection to users and
devices within the Layer 2 domain. The key measures for providing switching security on the access
switches include the following:
• Restrict broadcast domains
• Spanning Tree Protocol (STP) Security—Implement Rapid Per-VLAN Spanning Tree (Rapid
PVST+), BPDU Guard, and STP Root Guard to protect against inadvertent loops
• DHCP Protection—Implement DHCP snooping on access VLANs to protect against DHCP
starvation and rogue DHCP server attacks
• IP Spoofing Protection—Implement IP Source Guard on access ports
• ARP Spoofing Protection—Implement dynamic ARP inspection (DAI) on access VLANs
• MAC Flooding Protection—Enable Port Security on access ports
• Broadcast and Multicast Storm Protection—Enable storm control on access ports
• VLAN Best Common Practices
– Restrict VLANs to a single switch
– Configure separate VLANs for voice and data
– Configure all user-facing ports as non-trunking (DTP off)
– Disable VLAN dynamic trunk negotiation trunking on user ports
– Explicitly configure trunking on infrastructure ports rather than autonegotiation
– Use VTP transparent mode
– Disable unused ports and place in unused VLAN
– Do not use VLAN 1 for anything
– Use all tagged mode for native VLAN on trunks
Port Security Considerations
Port security builds a list of secure MAC addresses in one of the following two ways, configurable on a
per-interface basis:
• Dynamic learning of MAC addresses—Defines a maximum number of MAC addresses that will be
learned and permitted on a port. This is useful for dynamic environments, such as at the access edge.
• Static configuration of MAC addresses—Defines the static MAC addresses permitted on a port. This
is useful for static environments, such as a serverfarm, a lobby, or a demilitarized network (DMZ).
Typical port security deployment scenarios consist of the following:
• A dynamic environment, such as an access edge, where a port may have port security enabled with
the maximum number of MAC addresses set to one, enabling only one MAC address to be
dynamically learned at a time, and a security violation action of protect enabled.
• A static, controlled environment, such as a serverfarm or a lobby, where a port may have port
security enabled with the server or lobby client MAC address statically defined and the more severe
security violation response action of shutdown is enabled.
• A VoIP deployment, where a port may have port security enabled with the maximum number of
MAC addresses defined as three. One MAC address is required for the workstation, and depending
on the switch hardware and software, one or two MAC addresses may be required for the phone. In
addition, it is generally recommended that the security violation action be set to restrict so that the
port is not entirely taken down when a violation occurs.
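The three scenarios above differ only in the MAC limit, in whether addresses are static or learned, and in the violation action. The Python model below is an added example (not Cisco code or any Cisco API) that makes those differences observable; port names, MAC addresses and the log message text are constructed.

```python
"""Model of Catalyst port security: a per-port list of secure MAC
addresses (static or dynamically learned up to a maximum) and the three
violation actions, protect, restrict and shutdown, in the deployment
scenarios listed above.

Added example for this page; a behavioural model, not Cisco code or a
Cisco API. Port names, MAC addresses and log text are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # switchport port-security maximum
    violation: str = "shutdown"         # protect | restrict | shutdown
    static_macs: Set[str] = field(default_factory=set)  # statically defined
    learned: Set[str] = field(default_factory=set)      # dynamically learned
    err_disabled: bool = False
    violations: int = 0
    syslog: List[str] = field(default_factory=list)     # constructed log text

    def frame_in(self, src_mac: str) -> str:
        """Process one ingress frame; return 'forward', 'drop' or 'shutdown'."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                      # port is err-disabled
        if mac in self.static_macs or mac in self.learned:
            return "forward"                   # known secure address
        if len(self.static_macs) + len(self.learned) < self.maximum:
            self.learned.add(mac)              # room left: learn it
            return "forward"
        # A new source MAC beyond the maximum is a security violation.
        self.violations += 1
        if self.violation == "protect":
            return "drop"                      # silently discard, no log
        if self.violation == "restrict":
            self.syslog.append(f"port-security violation on {self.name} from {mac}")
            return "drop"                      # discard, count and log
        self.err_disabled = True               # shutdown: err-disable the port
        self.syslog.append(f"port-security: {self.name} err-disabled after {mac}")
        return "shutdown"


def access_edge_port(name: str) -> SecurePort:
    """Dynamic environment: one learned MAC, violation action protect."""
    return SecurePort(name, maximum=1, violation="protect")


def lobby_port(name: str, client_mac: str) -> SecurePort:
    """Static environment: the lobby client MAC is fixed, a violation shuts the port."""
    return SecurePort(name, maximum=1, violation="shutdown",
                      static_macs={client_mac.lower()})


def voip_port(name: str) -> SecurePort:
    """VoIP: workstation plus up to two addresses for the phone, violation restrict."""
    return SecurePort(name, maximum=3, violation="restrict")
```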
For more information on switching security, including design and configuration guidelines for many of the
areas highlighted above, refer to Chapter 2, “Network Foundation Protection.” The specific
requirements and implementation of DHCP protection, ARP spoofing protection, and storm protection in
the campus access layer are covered in detail below.
DHCP Protection
DHCP protection is critical to ensure that a client on an access edge port is not able to spoof or
accidentally bring up a DHCP server, nor exhaust the entire DHCP address space by using a
sophisticated DHCP starvation attack. Both these attacks are addressed with the Cisco IOS DHCP
snooping feature that performs two key functions to address these attacks:
• Rogue DHCP Server Protection—If DHCP server responses (DHCPOFFER, DHCPACK,
and DHCPNAK) are received on an untrusted port (such as an access port), the interface is shut
down.
• DHCP Starvation Protection—Validates that the source MAC address in the DHCP payload on an
untrusted (access) interface matches the source MAC address registered on that interface.
DHCP snooping is enabled on a per-VLAN basis and all interfaces in that VLAN are untrusted by
default. Consequently, an interface hosting a DHCP server must be explicitly defined as trusted.
Note DHCP snooping rate-limiting should be enabled to harden the switch against a resource
exhaustion-based DoS attack.
A sample DHCP snooping configuration on a Catalyst 4500 deployed in a routed access design is shown
below. Similar configuration can be used in a multi-tier or VSS design. An example DHCP snooping
rate-limit value of 15 pps is shown. The recommended rate-limit value depends on whether it is applied
on trusted or untrusted interfaces, access or trunk ports, the size of the access switch, and the amount of
acceptable DHCP traffic.
!
! On each interface in a VLAN where DHCP Snooping is to be enforced (access data and voice VLANs)
! Rate limit DHCP snooping to ensure device resiliency
interface x/x
switchport access vlan 120
switchport mode access
switchport voice vlan 110
ip dhcp snooping limit rate 15
!
! Define the VLANs on which to enforce DHCP Snooping in global configuration mode
ip dhcp snooping vlan 100,110,120
! DHCP Option 82 is not being used, so it is disabled
no ip dhcp snooping information option
! Enable DHCP Snooping
ip dhcp snooping
!
! Enable automatic re-enablement of an interface shutdown due to the DHCP rate limit being exceeded
errdisable recovery interval 120
errdisable recovery cause dhcp-rate-limit
!
For more information on the DHCP snooping feature, refer to the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/dhcp.html
ARP Spoofing Protection
ARP spoofing protection ensures that a client on an access edge port is not able to perform a MITM
attack by sending a gratuitous ARP that presents its MAC address as that associated with a different IP
address, such as that of the default gateway. This attack is addressed with the Cisco IOS Dynamic ARP
Inspection (DAI) feature, which validates that the sender MAC and IP address in an ARP packet received
on an untrusted interface match the MAC-to-IP binding registered for that interface in the DHCP snooping
binding table (DAI therefore requires DHCP snooping to be enabled on the same VLAN).
DAI is enabled on a per-VLAN basis and all interfaces in that VLAN are untrusted by default.
Consequently, for a device that does not use DHCP, such as the default gateway, ARP inspection must be
bypassed either by explicitly defining the interface it is connected to as trusted, or by creating an ARP
inspection ACL that permits the MAC and IP address of that device.
The following is a sample DAI configuration on a Cisco Catalyst 4500 deployed in a routed access
design. Similar configuration can be used in a multi-tier or VSS design. The ARP inspection rate-limit
of 100 pps is given as an example. The recommended value depends on the individual network
environment, including type of access switch and the amount of valid ARP request traffic.
!
! Define the VLANs on which to enforce DAI (e.g. access and voice VLANs)
ip arp inspection vlan 100,110,120
!
! Enable automatic re-enablement of an interface shut down due to the DAI rate limit being exceeded
errdisable recovery cause arp-inspection
errdisable recovery interval 120
!
! On each interface in a VLAN where DAI is enforced, rate limit DAI to ensure device resiliency
interface x/x
switchport access vlan 120
switchport mode access
switchport voice vlan 110
ip arp inspection limit rate 100
!
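The DHCP snooping and DAI fragments above show only the untrusted, client-facing side. The following fragment is an added example, not configuration from the SAFE guide, showing the other half a practitioner needs: the uplink through which DHCP server replies and the default gateway's ARP traffic arrive is marked trusted for both features, a statically addressed host on an untrusted port is handled with an ARP ACL instead of trusting its port, and the show commands used to confirm that bindings are being learned and ARP packets are being inspected. The interface names, VLAN IDs, the 10.240.120.50 / 0011.2233.4455 host and the TFTP server address are assumptions.

```cisco
!
! Uplink toward the distribution layer. In a multi-tier design the DHCP server and
! the default gateway are reached through this port, so it must be trusted for
! both features; otherwise server OFFER/ACK messages and gateway ARP replies are
! dropped. (Interface name is an assumption.)
interface TenGigabitEthernet1/1
 description Uplink to distribution
 ip dhcp snooping trust
 ip arp inspection trust
!
! A statically addressed device on an untrusted port (for example a printer that
! never sends DHCP) has no entry in the DHCP snooping binding table, so DAI would
! drop its ARP packets. Whitelist its IP/MAC pair with an ARP ACL rather than
! trusting the whole port. (Address and MAC are placeholders.)
arp access-list STATIC-HOSTS
 permit ip host 10.240.120.50 mac host 0011.2233.4455
!
! Apply the ARP ACL to the VLAN. Without the "static" keyword, ARP packets not
! permitted by the ACL are still checked against the DHCP snooping binding table.
ip arp inspection filter STATIC-HOSTS vlan 120
!
! Extra DAI checks: the Ethernet source/destination MAC must match the ARP body,
! and sender/target IP addresses must be valid (no 0.0.0.0, 255.255.255.255 or
! multicast sender addresses).
ip arp inspection validate src-mac dst-mac ip
!
! Persist the binding table so that DAI does not drop hosts holding unexpired
! leases after a switch reload. (TFTP server address is an assumption.)
ip dhcp snooping database tftp://10.250.0.50/access-sw01-dhcp.db
!
! Verification (exec mode):
!   show ip dhcp snooping                        - trusted ports, rate limits, enabled VLANs
!   show ip dhcp snooping binding                - learned MAC/IP/VLAN/port bindings
!   show ip arp inspection vlan 120              - DAI state and ARP ACL applied to the VLAN
!   show ip arp inspection statistics vlan 120   - forwarded vs. dropped ARP counts
!   show interfaces status err-disabled          - ports shut down by a rate limit
```

If the binding table is empty after a reload and no database agent is configured, every DHCP client with an unexpired lease is dropped by DAI until it renews, which is the most common cause of an outage immediately after enabling the feature.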
For more information on the DAI feature, refer to the Infrastructure Protection on Cisco Catalyst 6500
and 4500 Series Switches whitepaper at the following URL:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf
Traffic Storm Protection
When a large amount of broadcast (and/or multicast) packets congest a network, the event is referred to
as a broadcast storm. A storm occurs when broadcast or multicast packets flood the subnet, creating
excessive traffic and degrading network performance. Storm control prevents LAN interfaces from
being disrupted by these broadcast and multicast storms. Errors in the protocol-stack implementation,
mistakes in network configurations, or users issuing a denial-of-service (DoS) attack can cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus
and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets
of a specified type received within the 1-second time interval and compares the measurement with a
predefined suppression-level threshold. Once the suppression-level threshold is reached, the port blocks
traffic until the traffic falls below the threshold level.
The following is a sample storm-control configuration on a Cisco Catalyst 4500 deployed in a routed
access design. Similar configuration can be used in a multi-tier or VSS design. The threshold value of 1
percent is given as an example. The recommended value depends on the broadcast and multicast traffic
characteristics of individual networks. Different networks may have varying degrees of acceptable
broadcast or multicast traffic.
! Configure broadcast storm-control and define the upper level suppression threshold on
! the access ports
! Configure a trap to be sent once a storm is detected
interface x/x
switchport access vlan 120
switchport mode access
switchport voice vlan 110
storm-control broadcast level 1.00
storm-control action trap
!
! Enable multicast suppression on ports that already have broadcast suppression enabled.
! This is a global configuration command, not an interface command
storm-control broadcast include multicast
For more information on configuring Storm control, refer to the Infrastructure Protection on Cisco
Catalyst 6500 and 4500 Series Switches whitepaper at the following URL:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf
Infrastructure ACLs
Proper network policy-enforcement at the edge of a network ensures that traffic entering the network
conforms to the general and corporate network policy. Direct access to the infrastructure devices and
management network should be strictly controlled to minimize the risk of exposure. Infrastructure ACLs
(iACLs) are deployed to restrict direct access to the network infrastructure address space and should be
deployed as close to the edge as possible. In addition, management ACLs are deployed to restrict access
to the address space assigned to the management network. In a routed access design, iACLs are applied
on the client gateway interface on the access switches. If the access switches connect to an OOB
management network, management ACLs are applied on the interface connecting to the OOB
management network. If they are being managed in-band, then the management ACLs should be
incorporated into the iACLs.
The following should be considered when implementing iACLs:
• A carefully planned addressing scheme will simplify deployment and management.
• Ping and traceroute traffic can be allowed to facilitate troubleshooting.
• Block client access to addresses assigned to the infrastructure devices.
• Block client access to addresses assigned to the network management subnet.
• Permit client transit traffic.
A sample configuration fragment for an access edge iACL in Cisco IOS is provided below. For detailed
information on defining iACLs, refer to Chapter 2, “Network Foundation Protection.”
! Define Campus Edge infrastructure ACL
ip access-list extended campus_iACL
! permit clients to perform ping and traceroutes needed for troubleshooting
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit icmp any any echo-reply
permit icmp any any echo
! Deny Client Access to Network Infrastructure Address Space
deny ip any
deny ip any
! Permit All Other Client Traffic not destined to Infrastructure addresses (transit traffic)
permit ip any any
! Apply Campus Edge iACL to the client default gateway interface on access switch
interface Vlan100
description VLAN 100 - Client Data VLAN
ip address 10.240.100.1 255.255.255.0
ip access-group campus_iACL in
Note It is not necessary to specify the particular access subnet as the source address in the ACL entries if IP
source address validation is already being enforced; for example, through IP Source Guard on the access
ports. This enables generic and consistent iACLs to be deployed across the enterprise access edge,
thereby minimizing the operational overhead.
Management ACLs are used to restrict traffic to and from the OOB management network. If the access
switches connect directly to an OOB management network using a dedicated management interface,
management ACLs are applied to that interface with inbound and outbound access-groups: inbound, only
traffic from the management network to the IP address assigned to the management interface of the
managed device is permitted; outbound, only traffic sourced from that management interface address to
the management network is permitted. Data traffic should never transit the device over the connection to
the management network. In addition, the management ACL should only permit the protocols needed to
manage the device, such as SSH, NTP, FTP, SNMP and TACACS+.
For further information on the OOB management best practices and sample management ACL
configuration, refer to Chapter 9, “Management.”
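The guide defers the management ACL itself to Chapter 9. The following fragment is an added example, not configuration from the SAFE guide, of what such an ACL pair looks like on an access switch whose dedicated management port connects to the OOB network. The interface name (FastEthernet1, the management port on a Catalyst 4500 supervisor), the 10.250.0.0/24 OOB network, the switch's 10.250.0.11 management address and the NMS, NTP, TACACS+ and FTP server addresses are all assumptions. One caveat a practitioner should know: an outbound IOS ACL is not applied to packets the switch itself generates, so the outbound list's real job is to stop transit traffic, not to constrain the switch's own management sessions.

```cisco
!
! Pin every management protocol to the management interface address so that the
! ACLs below can match a single source/destination host. Passive FTP means the
! switch opens both control and data connections, so only replies need permitting.
ip ftp passive
ip ftp source-interface FastEthernet1
ip tacacs source-interface FastEthernet1
ntp source FastEthernet1
snmp-server trap-source FastEthernet1
logging source-interface FastEthernet1
!
! Inbound from the OOB network: only the management hosts, only to this switch's
! management address, only the protocols needed to manage it.
ip access-list extended MGMT-IN
 remark -- interactive access: SSH only, from anywhere in the OOB network
 permit tcp 10.250.0.0 0.0.0.255 host 10.250.0.11 eq 22
 remark -- SNMP polling from the NMS only
 permit udp host 10.250.0.20 host 10.250.0.11 eq snmp
 remark -- replies to sessions the switch initiates (NTP, TACACS+, FTP)
 permit udp host 10.250.0.21 eq ntp host 10.250.0.11 eq ntp
 permit tcp host 10.250.0.22 eq tacacs host 10.250.0.11 established
 permit tcp host 10.250.0.23 host 10.250.0.11 established
 remark -- reachability tests from the OOB network
 permit icmp 10.250.0.0 0.0.0.255 host 10.250.0.11 echo
 deny ip any any log
!
! Outbound: only packets sourced from the management address may leave through
! the management port. Because switch-generated packets bypass outbound ACLs,
! this list effectively drops anything that tries to transit the switch into the
! OOB network from the data side.
ip access-list extended MGMT-OUT
 permit ip host 10.250.0.11 10.250.0.0 0.0.0.255
 deny ip any any log
!
interface FastEthernet1
 description OOB management (10.250.0.0/24)
 ip address 10.250.0.11 255.255.255.0
 ip access-group MGMT-IN in
 ip access-group MGMT-OUT out
 no cdp enable
!
! Check the hit counters after a management session and after a test that tries
! to reach the OOB network from a client VLAN:
!   show ip access-lists MGMT-IN
!   show ip access-lists MGMT-OUT
```

The "deny ip any any log" entries are deliberate: a hit on either list from an unexpected source is a useful detection signal for the OOB network, which should otherwise see only the protocols listed.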
Operational Considerations
The operational management of the switching infrastructure can be greatly enhanced by using
Smartports macros on a Cisco switch. Smartports macros enable customized port templates to be defined
according to corporate policy and applied to ports on an as-needed basis. Each Smartports macro is a set
of CLI commands that the user defines. Smartports macros do not contain new CLI commands; each
macro is a group of existing CLI commands. When the user applies a Smartports macro on an
interface, the CLI commands contained within the macro are configured on the interface. The existing
interface configuration is not lost; the new commands are added to the interface and are saved in the
running configuration. In addition, Cisco default Smartports macros embedded in the switch software
can be used. The use of Smartports macros ensures consistent policy enforcement, eases operations and
avoids misconfiguration. For more information on Smartports macros, refer to the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/macro.html
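As an added example, not one of Cisco's default macros, the following Smartports macro packages the access-port hardening commands used earlier in this section (DHCP snooping and DAI rate limits, storm control) together with PortFast and BPDU Guard into a single template, so every user port receives the same settings. The interface name and VLAN IDs are assumptions.

```cisco
!
! Hardened access-port template. The $DATA_VLAN and $VOICE_VLAN parameters are
! substituted when the macro is applied; the "# macro keywords" comment documents
! them for "show parser macro". Rate-limit and storm-control values are the
! examples used earlier in this chapter.
macro name SAFE-ACCESS-PORT
 # macro keywords $DATA_VLAN $VOICE_VLAN
 switchport mode access
 switchport access vlan $DATA_VLAN
 switchport voice vlan $VOICE_VLAN
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 100
 storm-control broadcast level 1.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
@
!
! Apply it to a user port (interface name is an assumption). The switch records
! the macro name in the interface's "macro description", so an audit can tell
! which template a port carries.
interface GigabitEthernet2/1
 macro apply SAFE-ACCESS-PORT $DATA_VLAN 120 $VOICE_VLAN 110
!
! Verification (exec mode):
!   show parser macro name SAFE-ACCESS-PORT          - the template as stored
!   show parser macro description                    - which ports had which macro applied
!   show running-config interface GigabitEthernet2/1 - the resulting port configuration
```

Because a macro only adds commands, re-applying a revised template does not remove settings that an earlier version configured; ports that must be cleaned up first need a "default interface" before the new macro is applied.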
Campus Distribution Layer
The campus distribution layer acts as a services and control boundary between the campus access layer
and the enterprise core. It is an aggregation point for all of the access switches providing policy
enforcement, access control, route and link aggregation, and the isolation demarcation point between the
campus access layer and the rest of the network. The distribution switches are implemented in pairs and
deployed with redundant links to the core and access layers. In large campus networks, there may be
several pairs of distribution layer switches. In those cases, each of the security best practices described
in this section should be applied to every distribution layer switch pair.
Figure 5-6 highlights the distribution layer in the overall campus hierarchical design.
Figure 5-6 Campus Distribution Layer
(Diagram showing the campus core, the services block, the distribution layer and the access layer, with IP
phones, LWAPP access points and NAC appliances connected at the access layer.)
Campus Distribution Layer Design Guidelines
The campus distribution layer provides connectivity to the enterprise core for clients in the campus
access layer. It aggregates the links from the access switches and serves as an integration point for
campus security services such as IPS and network policy enforcement. This section discusses the various
security measures used for securing the campus distribution layer including the following:
• Protecting the endpoints using network-based intrusion prevention
• Protecting the infrastructure using NFP best practices
Campus IPS Design
IPS provides filtering of known network worms and viruses, DoS traffic, and directed hacking attacks.
This functionality is highly beneficial in a campus environment by quickly identifying attacks and
providing forensic information so that attacks can be cleaned up before substantial damage is done to
network assets. IPS is designed to monitor and permit all traffic that is not malicious and can be deployed
with a single campus-wide protection policy allowing for a pervasive campus-wide IPS deployment.
To get the most benefit, IPS needs to cover a majority of the network segments in a campus. Since the
distribution switches provide the aggregation point for all of the access switches and provide
connectivity and policy services for traffic flows between the access layer and the rest of the network, it
is recommended that IPS devices be deployed in the distribution layer.
Deploying IPS in a campus network is driven by three key design considerations:
• Deployment Model, page 5-18
• Scalability and Availability, page 5-19
• Traffic Symmetry, page 5-19
Deployment Model
Cisco IPS appliances and modules can be deployed in inline or promiscuous mode, typically referred to
as IPS or IDS modes. When deployed in the inline mode, the Cisco IPS is placed in the traffic path. This
allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus
providing a strong protective service. IPS inline mode enables automatic threat detection and mitigation
capabilities that offer some clear advantages in terms of timely threat mitigation and degree of
protection. In addition, signature tuning enables the automated response actions to be tuned according
to customer policy. Since IPS is in the data path, however, it is critical to ensure that the deployment is
well designed, architected and tuned to ensure that it does not have a negative impact on network latency,
convergence, and service availability. Additionally, when deployed in the inline mode, traffic is bridged
through the sensors by pairing interfaces or VLANs within the sensor. This requires additional VLANs
and modifications to be made to the campus architecture to accommodate the IPS insertion.
Cisco IPS can also be deployed in promiscuous mode. In this mode, the IPS is not in the data path, but
rather performs passive monitoring, with traffic being passed to it through a monitoring port using traffic
mirroring techniques such as Switched Port Analyzer (SPAN), Remote SPAN (RSPAN), or VLAN ACL
(VACL) capture. The Cisco IPS sensor analyzes a copy of the monitored traffic rather than the actual
forwarded packet. Upon detection of anomalous behavior, management systems are informed of an event
and operational staff can subsequently decide what action, if any, to take in response to an incident. The
time between threat detection and mitigation may thus be extended and requires a manual response.
The decision to deploy IPS in inline mode or promiscuous mode varies based on the goals and policies
of an enterprise. Deploying IPS inline has some clear advantages from a security perspective with its
timely threat detection and mitigation, but requires some architecture modifications and careful planning
to ensure network latency, convergence, and availability is not compromised. Deploying IPS in
promiscuous mode avoids architectural changes, but it provides a lesser degree of security.
Scalability and Availability
For scalability, Cisco offers a range of different IPS platforms that can be deployed according to a
particular customer's needs. For networks with a high level of activity and traffic, IPS appliances can be
used. For networks with a lower level of activity and traffic or where integrated security is preferred,
Cisco IPS modules are viable options.
For increased scalability and high availability, multiple IPS sensors can be bundled together using a
load-balancing mechanism. IPS load-balancing can be accomplished using the EtherChannel
load-balancing (ECLB) feature within a switch to perform intelligent load-balancing across the IPS
devices. In addition, multiple IPS sensors may also be deployed by using a load-balancing module or
appliance such as the ACE module.
Traffic Symmetry
For maximum visibility, the IPS sensors must be able to see traffic in both directions. For this reason, it
is important to ensure the symmetry of the traffic as it traverses or reaches the IPS sensor.
Symmetrical traffic flows offer a number of important benefits, including enhanced threat detection,
reduced vulnerability to IPS evasion techniques, and improved operations through reduced
false-positives and false-negatives. Consequently, this is a key design element. For example, if multiple
IPS exist in a single flow for availability and scalability purposes, maintaining symmetric flows requires
some consideration of the IPS integration design. There are a number of options available to ensure
symmetric traffic flows, including:
• Copy traffic across all IPS sensors—Use of SPAN, VLAN ACL (VACL) capture, or taps to duplicate
traffic across all IPS, ensuring any single IPS sees all flows. This can become a challenge once more
than two IPS are involved and results in all IPS being loaded with the active traffic flows.
• Integration of an IPS switch—Topological design to consolidate traffic into a single switch, thereby
leveraging the switch to provide predictable and consistent forward and return paths through the
same IPS. This is a simple design, but introduces a single point-of-failure.
• Routing manipulation—Use of techniques such as path cost metrics or policy-based routing (PBR)
to provide predictable and consistent forward and return paths through the same switch and,
consequently, the same IPS. This is a cost-effective design, but introduces some complexity and
requires an agreement from network operations (NetOps).
• Sticky load-balancing—Insertion of a sticky load-balancing device, such as the ACE module, to
provide predictable and consistent forward and return paths through the same IPS. This is a flexible
design, but introduces additional equipment to deploy and manage.
For more information on Cisco IPS, refer to the following URL: http://www.cisco.com/go/ips
Campus Distribution Layer Infrastructure Security
In addition to deploying IPS within the Campus distribution layer, the distribution layer switches also
need to be protected. These switches should be hardened following the best practices described in
Chapter 2, “Network Foundation Protection.” The following bullets summarize the key NFP areas for
securing the distribution layer infrastructure devices. All best practices listed below are applicable to the
distribution switches in all three distribution-access design models unless otherwise noted.
• Infrastructure device access—Implement dedicated management interfaces to the OOB
management network, limit the accessible ports and restrict the permitted communicators and the
permitted methods of access, present legal notification, authenticate and authorize access using
AAA, log and account for all access, and protect locally stored sensitive data (such as local
passwords) from viewing and copying.
Note For more information on implementing an OOB management network, refer to Chapter 9,
“Management.”
• Routing infrastructure—Authenticate routing neighbors, implement route filtering, implement
EIGRP stub routing, use default passive interfaces, and log neighbor changes.
Note Route filtering and EIGRP stub routing in the distribution layer are only recommended for
a multi-tier or VSS design where the routed edge interface is on the distribution switches. In
a routed access design, these features are used in the access layer.
• Device resiliency and survivability—Disable unnecessary services, filter and rate-limit
control-plane traffic, and implement redundancy.
• Network telemetry—Implement NTP to synchronize time to the same network clock, maintain
device global and interface traffic statistics, maintain system status information (memory, CPU, and
process), log and collect system status, traffic statistics, and device access information, and enable
NetFlow.
• Network policy enforcement
– Implement management ACLs and iACLs to restrict access to infrastructure and management
devices.
Note iACLs are only applicable in the distribution layer of a multi-tier design where the routed
edge interface is on the distribution switches. In a routed access design, this is enabled in
the access layer.
– Apply uRPF to block packets with spoofed IP addresses.
Note uRPF is only applicable in the distribution layer of a multi-tier design where the routed edge
interface is on the distribution switches. In a routed access design, this is enabled in the
access layer.
• Secure switching infrastructure—Restrict broadcast domains, harden spanning tree to prevent
against inadvertent loops, and apply VLAN best practices.
Note VLAN and spanning tree best practices are only applicable in the distribution layer of a
multi-tier design where Layer 2 extends to the distribution layer switches.
Campus Services Block
Within the enterprise campus, the primary role of the services block is to provide application services to
end users and devices within the campus network such as centralized LWAPP wireless controllers and
IPv6 ISATAP tunnel termination. Additionally, for small campuses that only require a few servers, this
block could also optionally be used to host a small number of localized foundational servers such as local
DHCP, DNS, FTP, NAC Profiler servers. For larger campuses requiring many servers, a data center
design should be deployed to host these servers using the security best practices described in
Chapter 4, “Intranet Data Center.”
The campus services block connects to the core switches using a pair of services switches using
redundant Layer-3 links as shown in Figure 5-7.
Figure 5-7 Campus Services Block Design Diagram
(Diagram showing the services block attached to the campus core alongside the distribution and access
layers, with IP phones, LWAPP access points and NAC appliances.)
In Figure 5-7, a pair of switches are shown that are acting as a collapsed distribution-access layer
providing Layer 2 and Layer 3 services for the devices hosted in the services network segment. These
switches also provide for routing separation and policy enforcement for the devices residing in this
network.
Given the level of access that employees have to the services located in the campus services block, it is
critical that they are protected from internally originated attacks. Simply relying on effective passwords
does not provide for a comprehensive attack mitigation strategy. Using host and network-based IPS,
private VLANs, switch security, stateful firewalls for access control, and good system administration
practices (such as keeping systems up to date with the latest patches), provides a much more
comprehensive response to attacks.
The same security best practices to secure servers in the data center should be applied to securing the
campus services block. These best practices can be found in Chapter 4, “Intranet Data Center.”
Network Access Control in the Campus
In today's diverse workplaces, consultants, contractors, and even guests require access to network
resources over the same LAN connections as regular employees. As data networks become increasingly
indispensable in day-to-day business operations, the possibility that unauthorized people will gain
access to controlled or confidential information also increases.
One of the most vulnerable points of the network is the access edge. The access layer is where end users
connect to the network. In the past, corporations have largely relied on physical security to protect this
part of the network. Unauthorized users were not allowed to enter a secure building where they could
plug into the network. Today, contractors and consultants regularly have access to secure areas. Once
inside, there is nothing to prevent a contractor from plugging into a wall jack and gaining access to the
corporate network. There is no need to enter an employee cube to do this. Conference rooms frequently
offer network access through wall jacks or even desktop switches. Once connected to the network,
everyone (employees, contractors, consultants, guests, and malicious users) has access to all the
resources on the network.
To protect against unauthorized access to controlled or confidential information, customers are
demanding that network access-control be embedded within the network infrastructure. This allows for
greater flexibility in expanding the application of network access-control throughout the network.
Campus network designs should provide identity- or role-based access controls for systems connecting
to them. Implementing role-based access controls for users and devices helps reduce the potential loss
of sensitive information by enabling organizations to verify a user's or device's identity, privilege level,
and security policy compliance before granting network access. Security compliance could consist of
requiring antivirus software, OS updates or patches. Unauthorized, or noncompliant devices can be
placed in a quarantine area where remediation can occur prior to gaining access to the network.
Cisco SAFE design uses the following network access control solutions:
• Cisco Identity-Based Networking Services (IBNS)
• Cisco NAC Appliance
Cisco IBNS solution is a set of Cisco IOS software services designed to enable secure user and host
access to enterprise networks powered by Cisco Catalyst switches and wireless LANs. It provides
standards-based network access control at the access layer by using the 802.1X protocol to secure the
physical ports where end users connect. 802.1X is an IEEE standard for media-level (Layer 2) access
control, offering the capability to permit or deny network connectivity based on the identity of the end
user or device enabling enterprise policy enforcement of all users and hosts, whether managed or
unmanaged. In addition to holistic access-control provided by 802.1X, IBNS also offers device-specific
access-control through MAC-Authentication Bypass (MAB) and user-based access-control through
Web-Auth.
The Cisco Network Admission Control (NAC) Appliance uses the network infrastructure to enforce
security policy compliance on all devices seeking to access network computing resources. With NAC
Appliance, network administrators can authenticate, authorize, evaluate, and remediate wired, wireless,
and remote users and their machines prior to network access. It identifies whether networked devices
such as laptops, IP phones, or game consoles are compliant with your network's security policies and
repairs any vulnerability before permitting access to the network. Noncompliant machines are redirected
into a quarantine area, where remediation occurs at the discretion of the administrator.
The choice of which NAC solution to use depends on the security goals and the direction of the network
design. For networks using or moving towards 802.1X-based wired or wireless access and interested in
identity-based access control, Cisco IBNS solution should be considered. For networks requiring
role-based access control using posture assessments to ensure security compliance, Cisco NAC
Appliance should be considered.
The Cisco Identity-Based Networking Services (IBNS) and NAC Appliance access control solutions are
discussed in the following sections.
Cisco Identity-Based Networking Services
Cisco IBNS is an integrated solution comprising several Cisco products that offer authentication and
identity-based access control to secure network connectivity and resources. With Cisco IBNS, you can
facilitate greater security and enable cost-effective management of changes throughout your network. A
secure IBNS framework helps enterprises better manage employee mobility, reduce network access
expenses and boost overall productivity while lowering operating costs.
This section of the document provides high-level design recommendations for deploying Cisco IBNS in
a campus network along with covering important planning and deployment considerations. For complete
details on Cisco IBNS including configuration details, refer to the Cisco IBNS site at the following:
www.cisco.com/go/ibns
Deployment Considerations
Cisco IBNS provides customized access to the network based on a person's (or device's) identity.
Therefore, a well-defined security policy should be created to provide broad guidelines for who can
access which corporate resources and under what conditions. The following sections cover some of the
things that should be considered for implementing an IBNS solution that suits your network.
User and Device Categories
When implementing an IBNS solution, the first and most fundamental question that must be answered
is: Who gets what access? Once answered, categories of users and devices that connect to your network
can be defined. For initial deployments, use broad categories for users and devices (e.g., employee,
managed asset, unknown asset). The simpler the policy, the smoother and more successful your initial
deployment will be. Once basic access control has been successfully deployed, more granular groups
and policies can be deployed to move towards a more highly differentiated model of access control.
Once categories of users and devices on the network are defined, use the guidelines from your security
policy to map each category to a network access level. The example in Table 5-1, while very simple, has
been used as the basis for many successful deployments.
• The Pre-Authentication category refers to the level of access that a user or device will get before
its identity has been determined. Under a very strict security policy, this level could be no access.
Alternatively, it could be limited to a small set of services (such as DHCP, DNS, TFTP) that would
allow devices that depend on immediate network access (e.g. a device that needs to download its
operating system or a device that needs enough connectivity to perform a web-authentication) to
function normally even before its identity has been established.
• The Failed Authentication category refers to the level of access that a user or device will get if it
fails to provide valid credentials. Under a very strict security policy, this could be no access (this is
the default). However, if the policy is no access, a manual process must be provided by which
legitimate users can remediate their credentials (e.g., renew an expired password). An example of a
manual process might be to have employees take their laptops to a physically secure location where
an IT administrator can update the credential. Such a process can be resource-intensive, both in
terms of end-user education and IT support. Therefore, if your security policy permits, you might
want to consider modifying the default Failed Authentication access to permit a small set of
services that would allow a device to automatically update or request credentials.
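The following configuration is an added example, not from the SAFE guide, of how the Pre-Authentication and Failed Authentication levels described above map onto Cisco IOS 802.1X/MAB port configuration: a port ACL combined with authentication open (the so-called low-impact mode) limits an unauthenticated host to connectivity services, and a host that fails authentication simply stays behind that ACL. The interface name, VLAN IDs, RADIUS server address and key are assumptions, as is support for downloadable ACLs from the RADIUS server for the post-authentication levels.

```cisco
!
! Pre-authentication access level: connectivity services only (DHCP, DNS, TFTP).
! Applied as a port ACL, it governs everything a host can do before, and if
! authentication fails after, 802.1X/MAB: "authentication open" lets frames
! through before a session is authorized, but the ACL still filters them.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny ip any any
!
! AAA and RADIUS (server address and key are assumptions).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.250.0.30 auth-port 1812 acct-port 1813 key RadiusKey
dot1x system-auth-control
!
! User port (interface name and VLAN IDs are assumptions).
interface GigabitEthernet2/1
 switchport access vlan 120
 switchport mode access
 switchport voice vlan 110
! Pre-Authentication and Failed Authentication levels: the host can obtain an
! address, resolve names and fetch a boot image, and nothing else.
 ip access-group PRE-AUTH in
 authentication open
! One data device plus one voice device per port; 802.1X first, MAB as the
! fallback for devices that have no supplicant.
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! Successful authentication: the RADIUS server returns a downloadable ACL or a
! VLAN assignment for the session (the Employee / Managed Asset levels), which
! takes the place of the pre-authentication restriction for that host.
!
! Strict variant ("no access" before and after authentication): remove
! "authentication open" and the port ACL; the port then forwards nothing but
! EAPOL until a session is authorized.
!
! Verification (exec mode):
!   show authentication sessions interface GigabitEthernet2/1
!   show ip access-lists PRE-AUTH
```

The trade-off the passage describes is visible in the two variants: the open variant keeps pre-boot and credential-renewal traffic working and needs no manual remediation process, at the cost of exposing DHCP, DNS and TFTP to anyone who can plug in, which is why those three servers must themselves be hardened.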
User and Device Identification Authentication
Authentication is the process by which the network establishes the identity of devices and users that are
attempting to connect. To be able to authenticate users and devices, you must first decide what kind of
credentials are acceptable for valid identification. Ideally, strong forms of identification such as digital
certificates or properly encrypted usernames and passwords should be used. A much weaker form of
identification is the MAC address of the connecting device, since a MAC address is easily observed and spoofed.
Which credentials are acceptable is determined by the method that is used to validate those credentials. The
authentication method determines how a device submits its credentials to the network. 802.1X is an
IEEE standard that defines a process by which a device can submit strong credentials like digital
certificates and passwords using a client (called a supplicant). 802.1X is a strong authentication method
and is preferred in all cases where the device can support the required client. The specific details of
which credentials are accepted and how they are submitted are determined by what is known as the EAP
method. Common EAP methods include PEAP-MSCHAPv2 (for username/password credentials) and
EAP-TLS (for certificate-based credentials).
For devices that do not support the required 802.1X client, a supplementary form of authentication must
be used. MAC-Authentication Bypass (MAB) is a secondary authentication method in which the access
switch detects the device's MAC address and submits it as a form of identification.
Once the type of credential is chosen, it must be validated. A database of allowed devices and their
credentials and (for certificate-based authentication) a certificate chain of trust is required for
authentication. If MAC address-based authentication is used, then a database of valid MAC addresses to
validate against is required as well.
Table 5-1 User and device category access levels for initial deployment

Category                 Network Access Level
Employee                 Full Access (Intranet & Internet)
Managed Asset            Full Access (Intranet & Internet)
Unknown Device           Connectivity services (DHCP, DNS, TFTP) only
Pre-Authentication       Connectivity services only
Failed Authentication    Connectivity services only
Cisco SAFE Reference Guide
OL-19523-01
Chapter 5 Enterprise Campus
Network Access Control in the Campus
In most cases, there is no need to build a credential database from scratch. For example, many
organizations already possess a database of valid users and computers in the form of Microsoft Active
Directory. Some organizations also maintain databases with the MAC addresses of corporate assets.
Very often, these databases can be re-used for 802.1X and MAB. Using these databases will greatly
simplify your 802.1X deployment.
Levels of Authorization
Authorization is the process by which an endpoint is granted a certain level of access to the network. In
an identity-enabled network, network access should correspond to the authenticated identity of the
endpoint. But an endpoint's network access can also depend on where the endpoint is in the
authentication process. When planning a deployment, consider what access the endpoint should have at
each of these stages:
• Pre-authentication
• Successful authentication
• Failed authentication
The authorization options available in each stage are discussed in detail below.
Pre-Authentication
By default, endpoints are not authorized for network access prior to authentication. Before a device has
successfully authenticated via 802.1X or MAB, the port allows no traffic other than that required for
authentication. Access to the port is effectively closed. While very secure, this method of access control
can cause problems for devices that need network access before they authenticate (e.g., PXE devices that
boot an OS from the network) or devices that are sensitive to delays in network access that may result
from the authentication process.
As an alternative, it is possible to configure Cisco switches for two other levels of Pre-Authentication
authorization: Open Access and Selectively Open Access.
Open Access is the opposite of the default Pre-Authentication authorization. With Open Access, all
traffic is allowed through the port before authentication. While Open Access is obviously not an effective
way to enforce network access control, it does have an important role in initial stages of deploying
802.1X. This will be discussed later in the section on the Monitor Mode deployment scenario.
Selectively Open Access represents a middle ground between the default Closed access and Open
Access. With Selectively Open Access, you can use a default port access list (ACL) to permit or deny
specific traffic (e.g., permit TFTP and DHCP traffic to allow PXE devices to boot before they
authenticate).
Table 5-2 summarizes the pre-authentication access levels.
Table 5-2 Pre-authentication access levels

Pre-Authentication Access Level    Implementation
No Access                          Default (Closed)
Open Access                        Open
Selectively Open Access            Open with port ACL to control access
Successful Authentication
After a successful authentication, the port is, by default, opened up completely and all traffic is allowed
in the configured native VLAN of the port. This is a simple, binary decision: anyone who successfully
authenticates by any method is granted full access. To achieve differentiated access based on the identity
of the authenticated user or device, it is necessary to use dynamic access control with VLANs and/or
ACLs.
When post-authentication access is implemented with VLANs, the switch dynamically assigns a VLAN
to a port based on the identity of the device that authenticated. Engineers could be assigned the ENG
VLAN while accountants could be assigned the FINANCE VLAN. While this form of dynamic
authorization is a powerful tool for differentiating access for different user groups, it comes at a cost.
Supporting multiple VLANs on every switch may require changes to the network architecture and
addressing scheme. In addition, VLANs isolate traffic at Layer 2 in the OSI stack so dynamic VLAN
assignment by itself cannot restrict access to specific subnets (at Layer 3) or applications (Layer 4 and
above). However, dynamic VLAN assignment does provide the foundation for virtualizing IT resources
using network virtualization solutions.
When successful authentication authorization is implemented with ACLs, the switch dynamically
assigns an ACL to a port based on the identity of the device that authenticated. Engineers could be
assigned an ACL that permits access to engineering subnets and applications while accountants get a
different ACL. While ACLs do not achieve the same level of logical isolation that VLANs provide,
dynamic ACLs can be deployed without changing the existing network architecture and addressing
schemes. On the other hand, care must be taken to ensure that the dynamic ACLs do not overwhelm the
TCAM capacity of the access switch. Well-summarized networks and good network design are essential
to the creation of short but effective ACLs.
When deciding between dynamic VLANs and dynamic ACLs, another factor to consider is the form of
Pre-Authentication authorization that you have chosen to implement. Dynamic ACLs work well with any
kind of Pre-Authentication authorization. Dynamic VLAN assignment, on the other hand, does not
typically work well with Open or Selectively Open Pre-Authentication authorization. When
Pre-Authentication authorization is Open, devices can receive IP addresses on the switchport VLAN
subnet at link up. If a different VLAN is assigned as the result of an authentication, the old address will
not be valid on the new VLAN. 802.1X-capable devices with modern supplicants can typically detect
the VLAN change and request a new address on the new VLAN, but clientless devices (such as printers)
will not be able to.
The different kinds of authorization available after successful authentication and the deployment
considerations for each method are summarized in Table 5-3.
Table 5-3 Successful Authentication

Post-Authentication Authorization Method: Default "Open"
  Impact to Network Architecture: Minimal
  TCAM impact: None
  Compatible Pre-Authentication Methods: Closed
  Notes: May be sufficient for simple deployments or as a first step for more complex deployments.
Failed Authentication
After a failed authentication, the port is, by default, left in the same state as it was before authentication
was attempted. If the port was in the default Closed state before authentication, it will remain closed after
a failed authentication. If the port was in a Selectively Open state before authentication, it will remain
that way: open in the statically configured VLAN and subject to the default port ACL.
Since failed authentications revert to the pre-authentication authorization, it is necessary to decide
whether the chosen pre-authentication network access is adequate for endpoints that fail authentication.
If not, it may be necessary to modify your pre-authentication network authorization policy or to utilize
some of the mechanisms available for modifying the default Failed Authentication network access levels.
User and Device Physical Connectivity
Hosts connect to the access layer switches in several ways. The simplest connection is a direct
point-to-point connection of one host to one switch port. In IBNS deployments, this is sometimes
referred to as "single host mode." Single host mode is the most secure form of connection and the default
mode on Cisco switches enabled for 802.1X and MAB. A switch running 802.1X in single host mode
will only allow one device at a time on that port. If another device appears on the port, the switch shuts
down the port as a security precaution. Because only one device is allowed to connect to the port, there
is no possibility of another device snooping the traffic from the authenticated device. A port in
single-host mode effectively prevents casual port-piggybacking.
Although it is the most secure mode, single host mode is not always sufficient. One common exception
to the point-to-point connection assumption is IP Telephony. In IP Telephony deployments, two devices
are often connected to the same switch port: the phone itself and a PC behind the phone. In this case,
a new host mode, "multi-domain," is required. With multi-domain host mode, the switch allows two
devices to authenticate and gain access to the network: one voice device in the voice VLAN and one
data device in the data VLAN.
Some deployments include devices that include multiple virtual machines even though there is
physically only one connected device. Cisco switches support a third host mode, "multi-auth," that
allows each virtual machine to access the port after being authenticated. The multi-auth host mode is a
superset of multi-domain host mode, meaning that the multi-auth host mode allows one voice device in
the voice VLAN and any number of data devices in the data VLAN.
Table 5-3 Successful Authentication (continued)

Post-Authentication Authorization Method: Dynamic VLAN
  Impact to Network Architecture: Significant
  TCAM impact: None
  Compatible Pre-Authentication Methods: Closed
  Notes: Required for network virtualization. Provides logical isolation of traffic at L2.

Post-Authentication Authorization Method: Dynamic ACL
  Impact to Network Architecture: Minimal
  TCAM impact: Significant
  Compatible Pre-Authentication Methods: All
  Notes: Does not support network virtualization. Provides access control at Layer 3 and Layer 4.
The most appropriate host mode to configure on the switch is determined by how hosts are connecting
to the network. 802.1X is most effective when it is most restrictive. If IP Telephony is not deployed, don't
configure multi-domain host mode. If there are no virtual machines with unique MAC addresses on the
same physical host, do not configure multi-auth host mode. If possible, use the same host-mode
throughout your network. Using a standardized configuration will minimize operational costs.
Table 5-4 summarizes the available host modes.
Deployment Best Practices
Once it has been determined how users and devices will be authenticated, what network access they will
be granted before and after authentication, and how devices will be allowed to connect to the network,
the next step is to deploy the solution. The SAFE design leverages a phased deployment strategy. The
next couple of sections will look at three generic deployment scenarios that can be rolled out as a
three-phase deployment (or two-phase, depending on your ultimate design goals). IBNS deployments are
most successful when implemented in phases, gradually adding in network access restrictions to
minimize impact to end users.
The three scenarios discussed below are as follows:
• Monitor Mode, page 5-28
• Low Impact Mode, page 5-30
• High Security Mode, page 5-31
Monitor Mode
Monitor mode is the first phase of a three-phase (or two-phase) IBNS deployment. In this phase, access
is not physically prevented, but visibility into who is connecting is obtained. Having this visibility
provides invaluable insight into who is getting access, who has an operational 802.1X client, who is
already known to existing identity stores, who has credentials, etc. As a side benefit, some intruders may
be deterred by the simple knowledge that someone is watching. In addition, it prepares the network for
the access-control phases as described in the next couple of sections.
When deploying IBNS in Monitor Mode, authentication (802.1X and MAB) is enabled without
enforcing any kind of authorization. There is no impact to users or endpoints of any kind: they continue
to get exactly the same kind of network access that they did before you deployed IBNS. The
Pre-Authentication authorization level is the same as the Successful Authentication and Failed
Authentication access levels: completely open. In the background, however, the network is querying each
endpoint as it connects and validates its credentials. By examining the authentication and accounting
records (at the ACS server), it is possible to determine the information in Table 5-5.
Table 5-4 Host Modes

With this Endpoint...                                  ...Use this Host Mode
Point-to-point only (PC, printer, etc.)                Single-host
IP Telephony                                           Multi-domain
Virtual Machines (with or without IP Telephony)        Multi-auth
Combining the information in authentication and accounting records results in very detailed knowledge
of each endpoint that connects to the network including: username, IP address, MAC address, port and
switch where connected, time of connection, etc.
After implementing the Monitor Mode phase, the network will immediately begin authenticating users
and devices and you will have visibility into who and what is connecting to the network. This visibility
information includes which endpoints (PC, printer, camera, etc.) are connecting to your network; where
they connected; whether they are 802.1X capable or not; and whether they have valid credentials.
Additionally, the failed MAB attempts will show you which endpoints do not have known, valid MAC
addresses.
The primary benefit of Monitor Mode is that it enables IT administrators to proactively address any
issues that would impact end users once access control is enabled.
These issues are summarized in Table 5-6.
Table 5-5 Authentication and Accounting Records

Endpoints on the Network                                           How Determined
All endpoints/users with 802.1X clients and valid credentials      Passed 802.1X Authentication Records
All endpoints/users with 802.1X clients and invalid credentials    Failed 802.1X Authentication Records
All endpoints without 802.1X clients and known MAC addresses       Passed MAB Authentication Records
All endpoints without 802.1X clients and unknown MAC addresses     Failed MAB Authentication Records
Ports with multiple connected devices                              Multiple Authentication Records for the same port on the same switch
Table 5-6 Monitor Mode Values

To Do: Analyze 802.1X failures.
  Key Issue: Are these valid devices or users that should be allowed access but are failing 802.1X?
  Remediation: Update credentials for valid devices and users so they will pass 802.1X.

To Do: Analyze MAB success.
  Key Issue: Are there any devices doing MAB that should be capable of 802.1X?
  Remediation: Update those devices with supplicants and credentials so they can authenticate using 802.1X.

To Do: Analyze MAB failures.
  Key Issue: Are there managed assets that should be allowed access to the network but are failing MAB?
  Remediation: Update your asset database with these MAC addresses.

To Do: Analyze ports that have multiple devices on them.
  Key Issue: Are these rogue hubs or valid virtual machines?
  Remediation: Remove rogue devices. Note ports that may legitimately require support for multiple hosts per port.
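As an added example (written for this page, not part of the guide or of any Cisco product), the following Python classifies authentication records into the endpoint categories of Table 5-5, joins them with accounting records to build the per-endpoint view described above (username, IP address, MAC address, switch and port, time of connection), and flags ports that show more than one MAC address. The record layout and the sample records are a constructed simplification of what an AAA server logs, not the ACS log format.

```python
"""Monitor Mode analysis: classify authentication records into the Table 5-5
categories, join them with accounting records into a per-endpoint inventory,
and flag ports with more than one device.
Added example for this page; record layouts and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AuthRecord:            # one authentication attempt as logged by the AAA server
    switch: str
    port: str
    mac: str
    method: str              # "dot1x" or "mab"
    passed: bool
    username: Optional[str] = None


@dataclass
class AcctRecord:            # one accounting-start record (only after a pass)
    mac: str
    ip: str
    start: str


@dataclass
class Endpoint:
    mac: str
    switch: str
    port: str
    category: str
    username: Optional[str]
    ip: Optional[str]
    first_seen: Optional[str]


# Table 5-5: (method, outcome) -> endpoint category
CATEGORIES = {
    ("dot1x", True): "802.1X client, valid credentials",
    ("dot1x", False): "802.1X client, invalid credentials",
    ("mab", True): "no 802.1X client, known MAC address",
    ("mab", False): "no 802.1X client, unknown MAC address",
}


def classify(rec: AuthRecord) -> str:
    return CATEGORIES[(rec.method, rec.passed)]


def summarize(auths: List[AuthRecord]) -> Dict[str, Set[str]]:
    """Category -> MAC addresses seen in that category (input to Table 5-6)."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in auths:
        out[classify(r)].add(r.mac)
    return dict(out)


def multi_device_ports(auths: List[AuthRecord]) -> List[Tuple[str, str]]:
    """Ports with records for more than one MAC (last row of Table 5-5):
    candidate rogue hubs or legitimate multi-host ports to review."""
    macs: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for r in auths:
        macs[(r.switch, r.port)].add(r.mac)
    return sorted(p for p, m in macs.items() if len(m) > 1)


def build_inventory(auths: List[AuthRecord], accts: List[AcctRecord]) -> Dict[str, Endpoint]:
    """Join the latest authentication record per MAC with its accounting record."""
    acct_by_mac = {a.mac: a for a in accts}
    inv: Dict[str, Endpoint] = {}
    for r in auths:              # later records overwrite earlier ones
        a = acct_by_mac.get(r.mac)
        inv[r.mac] = Endpoint(r.mac, r.switch, r.port, classify(r), r.username,
                              a.ip if a else None, a.start if a else None)
    return inv


# Constructed sample records
AUTHS = [
    AuthRecord("sw1", "Gi1/0/1", "00:11:22:33:44:01", "dot1x", True, "alice"),
    AuthRecord("sw1", "Gi1/0/2", "00:11:22:33:44:02", "dot1x", False, "bob"),
    AuthRecord("sw1", "Gi1/0/3", "00:11:22:33:44:03", "mab", True),   # printer
    AuthRecord("sw1", "Gi1/0/4", "00:11:22:33:44:04", "mab", False),  # unknown MAC
    AuthRecord("sw2", "Gi1/0/7", "00:11:22:33:44:05", "mab", True),
    AuthRecord("sw2", "Gi1/0/7", "00:11:22:33:44:06", "dot1x", True, "carol"),
]
ACCTS = [
    AcctRecord("00:11:22:33:44:01", "10.1.10.11", "2010-07-08T08:01:12"),
    AcctRecord("00:11:22:33:44:03", "10.1.10.33", "2010-07-08T08:02:40"),
]
```

Each category maps directly onto a Table 5-6 row: the "invalid credentials" set is the list to fix before enforcement, the "unknown MAC address" set is the list of managed assets missing from the asset database, and the multi-device ports are the ones to inspect (or to plan multi-domain/multi-auth host mode for) before leaving Monitor Mode.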
Once all the issues uncovered by deploying IBNS in Monitor Mode are addressed, the next step is to
deploy identity-based access control. The next two scenarios describe common ways to deploy access
control. Many customers will choose to implement Low Impact Mode only. Others may start with Low
Impact Mode to help assess the impact of access control to end users and then later move on to High
Security Mode. Other customers may move straight from Monitor Mode to High Security Mode.
Low Impact Mode
Low Impact Mode provides an incremental increase in the level of port-based access control without
impacting the existing network infrastructure. Low Impact Mode does not require the addition of any
new VLANs, nor does it impact your existing network addressing scheme. With Low Impact Mode, as
little or as much access control as you require can be enforced.
Low Impact Mode builds on top of Monitor Mode. In Monitor Mode, the Pre-Authentication
authorization level was completely open. In Low Impact Mode, the Pre-Authentication level is
selectively open. The difference is that Low Impact Mode adds an ingress port ACL that specifies exactly
what traffic will be allowed before authentication. This ACL can be as restrictive or permissive as the
corporate network security policy requires.
In Low Impact Mode, a successful authentication causes the switch to download a dynamic ACL (dACL)
that is applied on top of the ingress port ACL. The contents of the dACL will be determined by the
identity of the user or device that authenticated. In a simple deployment, an employee or managed asset
that authenticates successfully could receive a permit ip any any dACL that fully opens up the port.
More complex deployments could assign different ACLs based on different classes of employee. For
example, engineers might be assigned a dACL that permits all engineering related subnets, whereas
accountants could be assigned a different dACL that denies access to engineering subnets but permits
all other access.
With the dACL implementation, the switch will substitute the source address of each access-list element
with the source address of the authenticated host, ensuring that only that host is allowed by the dACL.
Devices that fail authentication (via 802.1X or MAB) will continue to have their access limited by the
ingress port ACL defined by the Pre-Authentication or Failed Authentication access policies.
Because Low Impact Mode can be deployed with little or no change to the existing campus network
design, it is attractive where access control must be deployed without altering the existing VLAN
infrastructure or IP addressing scheme, as the High Security Mode described in the following section
does. Additional VLANs require additional IT overhead, and in some cases customers may not control
the VLAN infrastructure at all (e.g., at a branch office where the Service Provider owns the routers and
has implemented MPLS). In the latter case, ACL-based enforcement is the only choice for port-based
access control. When ACL-based access enforcement is deployed, the following items need to be considered:
• The current implementation of dACLs requires a pre-configured static port ACL on every access
port that may download an ACL. If the switch attempts to apply a dACL to a port without a
pre-existing port ACL, the authorization will fail and users will not be able to gain access (even if
they present valid credentials and pass authentication).
• The static port ACL is a port-based ACL, so it applies to both the data VLAN and, if present, the voice
VLAN. Because the switch performs source address substitution on the dACL, traffic from the phone will
not be permitted by a dACL downloaded by a data device authenticating behind the phone. This
means that both the phone and any devices behind the phone must authenticate individually and
download their own dACL, and the host mode on the port must be multi-domain.
• Cisco switches use Ternary Content Addressable Memory (TCAM) to support wire-rate ACL
enforcement. TCAM is a limited resource which varies by platform. If the TCAM is exhausted,
switching performance can be degraded. It is important to verify that the access switches have
sufficient TCAM to support the number and length of ACLs (static and dynamic) that the IBNS
deployment will require.
• Dynamic (or "downloadable") ACLs extend the standard RADIUS protocol in order to optimize the
downloading process and support ACLs of arbitrary size. Use the Cisco ACS server as the AAA
server to support downloadable ACLs.
• Because the switch performs source substitution on the source address of the dynamic ACL, the
switch does not enforce the dACL until it learns the source address of the authenticated host. IP
address learning is enabled by the IP Device Tracking feature on the switch.
• When designing the ingress port ACL, remember that it will restrict access both before authentication
and after failed authentications, and design it with this in mind. For example, if
you want employees that fail 802.1X because of an expired certificate to be able to download a new
certificate, you should consider allowing access to the CA server in the ingress ACL. Or, if you want
a contractor that fails 802.1X or MAB to be able to access the Internet or VPN to a home network,
you should also allow that traffic in the ingress port ACL.
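The following added example (written for this page; not Cisco code and not from the guide) models the dACL behaviour described above: a static ingress port ACL that permits only connectivity services, a downloaded `permit ip any any` dACL whose source is substituted with the authenticated host's address, no dACL enforcement until the host IP has been learned, and authorization failure when no static port ACL is present. The ACE syntax, the addresses and the assumption that in-effect dACL entries are checked before the port ACL's own entries are simplifications made for the example.

```python
"""Low Impact Mode port access model: a static ingress port ACL with a
downloadable ACL (dACL) layered on top after authentication.
Added example for this page (not Cisco code). Assumes a simplified ACE
syntax and that in-effect dACL entries are checked before the port ACL,
first match wins, implicit deny last. All addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str                     # same forms as src
    dport: Optional[int] = None  # destination port; None matches any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

class AuthorizationError(Exception):
    """The switch cannot apply the authorization the AAA server returned."""

def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)

def substitute_source(dacl: List[Ace], host_ip: str) -> List[Ace]:
    """Source substitution: each ACE source becomes the authenticated host, so
    the dACL never permits traffic from another device on the same port."""
    return [Ace(a.action, a.proto, f"host {host_ip}", a.dst, a.dport) for a in dacl]

def effective_dacl(port_acl: Optional[List[Ace]], dacl: List[Ace],
                   learned_ip: Optional[str]) -> List[Ace]:
    """The dACL as the switch would enforce it after a successful authentication."""
    if port_acl is None:
        # A dACL needs a pre-configured static port ACL; without one the
        # authorization fails even though the credentials were valid.
        raise AuthorizationError("dACL requires a static port ACL on the port")
    if learned_ip is None:
        # Nothing to substitute until IP Device Tracking learns the host
        # address, so only the static port ACL applies in the meantime.
        return []
    return substitute_source(dacl, learned_ip)

def evaluate(port_acl: List[Ace], dacl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation: in-effect dACL entries, then the port ACL."""
    for ace in list(dacl) + list(port_acl):
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"  # implicit deny

# Constructed pre-authentication port ACL: connectivity services only.
PORT_ACL = [
    Ace("permit", "udp", "any", "any", 67),  # DHCP
    Ace("permit", "udp", "any", "any", 53),  # DNS
    Ace("permit", "udp", "any", "any", 69),  # TFTP
    Ace("deny", "ip", "any", "any"),
]
EMPLOYEE_DACL = [Ace("permit", "ip", "any", "any")]  # fully opens the port
PC_IP, PHONE_IP = "10.1.10.20", "10.1.20.5"          # constructed data/voice hosts

def demo() -> dict:
    """The scenarios discussed in the text, as scenario -> action."""
    web = Packet("tcp", PC_IP, "10.2.0.10", 443)
    phone_signalling = Packet("tcp", PHONE_IP, "10.3.0.1", 2000)
    dhcp = Packet("udp", "0.0.0.0", "255.255.255.255", 67)
    not_yet_learned = effective_dacl(PORT_ACL, EMPLOYEE_DACL, None)
    after_auth = effective_dacl(PORT_ACL, EMPLOYEE_DACL, PC_IP)
    return {
        "pc_dhcp_pre_auth": evaluate(PORT_ACL, [], dhcp),
        "pc_web_before_ip_learned": evaluate(PORT_ACL, not_yet_learned, web),
        "pc_web_after_auth": evaluate(PORT_ACL, after_auth, web),
        "phone_behind_pc_dacl": evaluate(PORT_ACL, after_auth, phone_signalling),
    }

def dacl_without_port_acl_fails() -> bool:
    try:
        effective_dacl(None, EMPLOYEE_DACL, PC_IP)
    except AuthorizationError:
        return True
    return False
```

Calling `demo()` shows the four cases from the text: DHCP is permitted by the port ACL before authentication, the authenticated PC's web traffic stays denied until its IP is learned and is permitted afterwards, and the phone's traffic is still denied by the PC's dACL because the substituted source matches only the PC, which is why the phone must authenticate and download its own dACL in multi-domain host mode.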
In many cases, Low Impact Mode will be the final step in the IBNS deployment. If this mode sufficiently
provides the needed access control, then the only "next step" will be monitoring the network and
fine-tuning ACLs as required by the corporate security policy. However, if the network security
requirements evolve and pre-authentication access no longer meets the security requirements, IBNS
deployment can move to the next phase: High Security Mode.
Additionally, if Low Impact Mode does not meet the network and design security requirements in the
first place, Low Impact Mode can be skipped altogether and the deployment can move straight to the
High Security Mode phase from the Monitor Mode phase.
High Security Mode
High Security Mode returns to a more traditional deployment model of 802.1X. In a properly prepared
network, High Security Mode provides total control over network access at Layer 2.
In High Security Mode, the port is kept completely closed until a successful authentication takes place.
There is no concept of Pre-Authentication access. For users and devices that successfully complete
802.1X, this is not typically an issue since 802.1X authentication is usually very quick assuming a single
sign-on (SSO) deployment where credentials are automatically gleaned from the device or user. In
environments that require manual log-on (e.g., with a pop-up window to enter username and password),
there may be some delay.
For devices that cannot perform 802.1X, however, there may be a significant delay in network access.
Since the switch always attempts the strongest secure authentication method first, non-802.1X-capable
devices must wait until the switch times out the 802.1X authentication and falls back to MAB as a
secondary authentication method. To avoid the delays associated with MAB in High Security Mode,
configure the switch to perform MAB first, before 802.1X. This enables non-802.1X devices to get
immediate access after successful MAB.
After a successful authentication, network access will, by default, change from completely closed to
completely open. To add more granular access control, High Security Mode uses dynamic VLAN
assignment to isolate different classes of users into different broadcast domains. Devices that can't
authenticate or fail to authenticate retain the same level of access that they had before authentication. In
the case of the High Security Mode, devices will have no access at all.
By isolating traffic from different classes of users into separate VLANs, High Security Mode provides
the foundation for virtualized network services.
For more information on network virtualization solutions, refer to the following URL:
http://www.cisco.com/en/US/netsol/ns658/networking_solutions_package.html
Deploying High Security Mode with VLAN assignment can have an impact on the network architecture.
The following considerations should be noted when deploying IBNS in the High Security Mode
Scenario:
• Dynamic VLAN assignment requires that every dynamic VLAN be supported on every access
switch to which a user might connect and authenticate. This requirement has several repercussions:
If you have three user groups to which you wish to assign unique VLANs - Engineering, Finance,
HR - then every access switch must have those three VLANs defined by name (the number of the
VLAN does not have to be the same). If the switch attempts to apply a non-existent VLAN to a port,
the authorization will fail and users will not be able to gain access (even if they presented valid
credentials and passed authentication).
• Supporting multiple VLANs per access switch is non-trivial from an IP addressing perspective.
Good campus design principles dictate a single subnet per VLAN with no VLAN spanning more
than one switch. The IP addressing scheme should support multiple subnets per switch in such a
way that does not over-burden the control and data planes of the campus distribution block. The
fewer the VLANs, the more manageable and scalable the solution will be.
• If you choose to change the order of authentication to perform MAB before 802.1X, be aware that
this will mean that every device (even those capable of 802.1X) will be subject to MAB. This could
increase the amount of control plane traffic in the network. If there are devices in the network that
might pass both 802.1X and MAB, be sure to either 1) ensure that no 802.1X-capable devices are in
the MAB database; or 2) configure the switch to prioritize 802.1X over MAB so that the port will
process an 802.1X authentication after a successful MAB authentication.
• If some level of access is needed for devices that fail 802.1X (for example, to allow employees with
expired certificates to download a new certificate), it is possible to configure the solution to grant
limited access based on the type of authentication method that failed. If 802.1X fails, the switch can
be configured to open the port into a special VLAN -- the Auth-Fail VLAN -- for this purpose. The
switch can also be configured to "fail back" to a MAB authentication if 802.1X fails. However,
802.1X with failover to MAB should typically not be deployed if the authentication order has been
changed to do MAB first.
• There may be devices on the network that cannot perform 802.1X and cannot pass MAB (for
example, contractors with no supplicants that need to VPN to their home network). For unknown
MAC addresses that fail MAB, it is possible to configure the Cisco ACS server with an unknown
MAC address policy. Such a policy allows ACS to instruct the switch to allow devices with
unknown MACs into a dynamically assigned VLAN. In essence, an unknown MAC policy enables
a dynamic version of the Auth-Fail VLAN for failed MAB attempts.
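The first consideration above is easy to verify before enforcement is turned on. As an added example (not from the guide or from Cisco), the following Python checks a constructed authorization policy against the VLAN tables of several access switches: every VLAN name the policy can return, plus the Auth-Fail VLAN if one is used, must exist by name on every switch, while the VLAN IDs are allowed to differ. The group names, VLAN names and IDs are placeholders constructed for the example.

```python
"""Pre-deployment check for High Security Mode dynamic VLAN assignment: every
VLAN name the AAA server can return must be defined on every access switch
(by name; the VLAN ID may differ per switch), otherwise authorization fails
even for users who authenticated successfully.
Added example for this page; policy and switch data are constructed."""
from typing import Dict, List, Optional, Set

# user group -> VLAN name returned by the AAA server (constructed policy)
POLICY = {"engineering": "ENG", "finance": "FINANCE", "hr": "HR"}
AUTH_FAIL_VLAN = "AUTHFAIL"  # hypothetical Auth-Fail VLAN name

# switch -> {VLAN name: VLAN ID}, as collected from each access switch (constructed)
SWITCH_VLANS = {
    "access-sw1": {"ENG": 110, "FINANCE": 120, "HR": 130, "AUTHFAIL": 999},
    "access-sw2": {"ENG": 210, "FINANCE": 220, "HR": 230, "AUTHFAIL": 998},
    "access-sw3": {"ENG": 310, "FINANCE": 320},  # HR and AUTHFAIL not defined
}


def required_vlans(policy: Dict[str, str], auth_fail_vlan: Optional[str] = None) -> Set[str]:
    """All VLAN names an authorization (or failed authorization) can return."""
    names = set(policy.values())
    if auth_fail_vlan:
        names.add(auth_fail_vlan)
    return names


def missing_vlans(switch_vlans: Dict[str, Dict[str, int]], required: Set[str]) -> Dict[str, List[str]]:
    """Switch -> required VLAN names that switch lacks; empty dict means deployable."""
    result = {}
    for switch, vlans in switch_vlans.items():
        gap = sorted(required - set(vlans))
        if gap:
            result[switch] = gap
    return result


def blocked_groups(switch: str, policy: Dict[str, str],
                   switch_vlans: Dict[str, Dict[str, int]]) -> List[str]:
    """User groups whose successful authentication would still fail authorization
    on the given switch because their VLAN name is not defined there."""
    present = switch_vlans.get(switch, {})
    return sorted(group for group, vlan in policy.items() if vlan not in present)


def check_deployment() -> Dict[str, List[str]]:
    return missing_vlans(SWITCH_VLANS, required_vlans(POLICY, AUTH_FAIL_VLAN))
```

Run `check_deployment()` against the real VLAN tables before switching ports from Monitor Mode to High Security Mode; any switch it reports will deny access to authenticated users in the listed groups, which is exactly the failure the consideration warns about.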
Deployment Scenarios Summary
Table 5-7 provides a quick summary of the three deployment scenarios discussed in the previous
sections.
By deploying IBNS in Monitor Mode and adding access control in a phased transition, 802.1X can be
deployed with minimal impact to the end users. For more information on Cisco IBNS, including
configuration specifics for the different deployment scenarios outlined in this section, please
see the deployment guide at www.cisco.com/go/ibns.
NAC Appliance
Cisco NAC Appliance is a network access control solution that integrates with the network infrastructure
to enforce security policy compliance at the network level. Access is controlled based on device
compliance status, device behavior, and user credentials. It identifies whether networked devices such
as laptops, IP phones, or printers seeking access to the network are compliant with your network's
security policies, and noncompliant devices are redirected to a quarantine area for remediation.
Cisco NAC provides a scalable access control solution using a central policy decision component and a
distributed security enforcement component at the network level. The Cisco NAC solution consists of
the following components:
• Cisco NAC Manager—Provides a web-based interface for creating security policies and managing
online users. It can also act as an authentication proxy for authentication servers on the backend such
as an ACS. Administrators can use Cisco NAC Manager to establish user roles, compliance checks,
and remediation requirements. Cisco NAC Manager communicates with and manages the Cisco
NAC Server, which is the enforcement component of the Cisco NAC.
Table 5-7 Deployment Scenario Summary Table

Deployment Scenario: Monitor Mode
  Best for: All customers (initial deployment)
  Auth Types: 802.1X & MAB
  Host Mode: multi-auth
  Pre-Auth: Open
  Successful Auth: Open
  Failed Auth: Open

Deployment Scenario: Low Impact Mode
  Best for: Customers seeking simple access control with minimal impact to end users and network infrastructure
  Auth Types: 802.1X & MAB
  Host Mode: single-auth (non-IPT), multi-domain (IPT)
  Pre-Auth: Selectively Open
  Successful Auth: Dynamic ACL
  Failed Auth: Selectively Open

Deployment Scenario: High Security Mode
  Best for: Customers seeking the security of traditional 802.1X with L2 traffic isolation and/or network virtualization
  Auth Types: 802.1X & MAB
  Host Mode: single-auth (non-IPT), multi-domain (IPT)
  Pre-Auth: Closed
  Successful Auth: Dynamic VLAN
  Failed Auth: Closed (or Auth-Fail VLAN)
• Cisco NAC Server—Performs device compliance checks as users attempt to access the network.
This security enforcement device is deployed at the network level. Cisco NAC Server can be
implemented in band or out of band, in Layer 2 or Layer 3, and as a virtual gateway or as a real IP
gateway. It can be deployed locally or centrally.
• Cisco NAC Agent—This lightweight, read-only agent runs on an endpoint device. It performs deep
inspection of a local device's security profile by analyzing registry settings, services, and files on
the endpoint. Through this inspection, it can determine whether a device has a required hotfix, runs
the correct antivirus software version, or runs other security software, such as Cisco Security Agent.
Cisco NAC Agent is available as both a persistent agent and as a Web-based, dissolvable agent that
is installed and removed on the client at the time of authentication.
• Cisco NAC Profiler—Provides device profiling by keeping a real-time, contextual inventory of all
devices in a network, including non-authenticating devices such as IP phones, printers, and
scanners. It facilitates the deployment and management of the Cisco NAC Appliance by discovering,
tracking, and monitoring the location, types, and behavior of all LAN-attached endpoints. It can also
use the information about the device to apply appropriate Cisco NAC policies.
• Cisco NAC Guest Server—The optional Cisco NAC Guest Server simplifies the provisioning,
notification, management, and reporting of guest users on wired and wireless networks, offloading
from IT staff much of the challenges commonly associated with supporting corporate visitors. The
Secure Guest service enhances IT's ability to protect its own organization's assets, employees, and
information from guests and their devices while providing secure and flexible network access to
meet visitors' business needs.
Note The Cisco NAC Guest Server was listed for completeness. However, it was not included in this phase of
the SAFE project and will not be covered in this design guide. It will be covered in a later phase of the
project. For more information on the NAC Guest Server, refer to www.cisco.com/go/nac.
Deployment Considerations
Cisco NAC Appliance provides access control to the network based on users' roles in the network and
security policy compliance. Security policies can include specific antivirus or anti-spyware software,
OS updates, or patches. When deploying the NAC Appliance solution in a campus network, consider the
following:
• In-Band (IB) and Out-of-Band (OOB) Mode, page 5-34
• High Availability, page 5-36
This section covers the above deployment considerations. The NAC profiler deployment integration is
covered in the “NAC Profiler” section on page 5-45.
In-Band (IB) and Out-of-Band (OOB) Mode
The NAC server is the enforcement server and acts as a gateway between the untrusted (managed)
network and the trusted network. The NAC server enforces the policies that have been defined in the
NAC Manager web admin console, including network access privileges, authentication requirements,
bandwidth restrictions, and client system requirements. The NAC Server can be deployed in IB or OOB
mode. In IB mode, the NAC server is always inline with the user traffic (before and after posture
assessment). In OOB mode, the NAC server is only inline during the process of authentication, posture
assessment, and remediation. Once a user's device has successfully logged on, its traffic traverses the
switch port directly without having to go through the NAC Server.
Cisco SAFE Reference Guide
OL-19523-01
Chapter 5 Enterprise Campus
Network Access Control in the Campus
The NAC server can also operate in one of the following IB or OOB modes:
• IB virtual gateway (Layer-2 transparent bridge mode)—Operates as a bridge between the untrusted
network and an existing gateway, while providing posture assessment, filtering and other services
inline.
• IB Real-IP gateway (Layer-3 routing mode)—Operates as the default gateway for the untrusted
network.
• OOB virtual gateway (Layer-2 transparent bridge mode)—Operates as a virtual gateway during
authentication and certification, before the user is switched out-of-band to the access network.
• OOB Real-IP gateway (Layer-3 routing mode)—Operates as a Real-IP Gateway during
authentication and certification, before the user is switched out-of-band and connected directly to
the access network.
In virtual gateway deployments, the NAC server operates as a standard Ethernet bridge. This
configuration is typically used when the untrusted network already has a gateway and you do not wish
to alter the existing configuration. In the Real-IP gateway configuration, the NAC server operates as the
default gateway for untrusted network (managed) clients. The NAC server can be one hop or multiple
hops away.
Consider the following when deciding whether to deploy an IB or OOB NAC solution:
In-band (IB)
• Typically deployed for segments that need continuous user management in the form of
source/destination/protocol bandwidth controls.
• Required for wireless.
• Deployed where one switch port supports multiple end stations.
• Deployed where the network infrastructure is partially or fully non-Cisco.
• Time to production is generally much quicker.
• Deployed in 'Real-IP' mode when users are multiple hops away from the NAC Server.
• Direct traffic to the untrusted interface using 802.1q or policy-based routing for users or VLANs
that need to become certified.
• Remote locations can have their own NAC Server, or users can become certified when they come to the
main site to access shared resources.
Out-of-Band (OOB)
• Deployed in networks where high network throughput is required (e.g., large campuses).
• Ensure that the switch types and IOS/CatOS versions meet the latest compatibility list.
• Allow more time for deployment and preparation.
• SNMP and MAC-notification or link up/down traps become the mechanism for OOB. Ensure that all
community strings match and that traps arrive at the NAC Manager without being blocked by an
ACL or firewall.
• If deploying into a network with VoIP, MAC notification is required on the access switch if PCs will
be plugged into the back of the phone. MAC notification is preferable to link-state notification as a
means of trap reporting because it is quicker.
• Microsoft operating systems below Windows 2000 have a more delayed response to VLAN/DHCP
changes.
• OOB is only supported when the access layer switch is a supported Cisco switch.
Real IP (Layer-3) OOB NAC deployments are the recommended option for routed access campus
designs. The following sections will focus on the deployment best practices for integrating the Real IP
OOB NAC solution within the campus design.
High Availability
It is recommended that the NAC solution be deployed using a high availability design to ensure the
availability of network access control. In a high availability design, each NAC component is
deployed in pairs using active/standby stateful failover configurations.
When the NAC Manager and NAC server pairs are configured in an active/standby failover
configuration, the active unit does all the work and the standby unit monitors the active unit and keeps
its database synchronized via direct failover connection between the servers. A virtual IP address is
configured and always resides on the active server. Both units exchange UDP heartbeat packets every 2
seconds and if the heartbeat timer expires, stateful failover occurs. The virtual IP (service IP) address
should be used for the SSL certificate. Ethernet 2 on the active and standby units should be used for the
failover link connection used to share heartbeat packets and database synchronization information. In
the case of the NAC server pairs, most of the NAC server configuration is stored on the NAC Manager
and when the NAC server failover occurs the NAC Manager pushes the configuration to the standby NAC
server when it becomes active.
In addition to the heartbeat, the NAC server can also failover due to Eth0 or Eth1 link failure. This is
accomplished by configuring two IP addresses external to the NAC server, one on the trusted network
and the other on the untrusted network. The active and standby NAC server will send ICMP ping packets
via Eth0 to the IP address on the trusted network and ICMP ping packets via Eth1 to the IP address on
the untrusted network. The status of these ping packets is communicated between the NAC servers via
the heartbeat signal. If both the active and standby NAC servers can ping both external IPs, no failover
occurs. If neither the active nor the standby NAC server can ping an external IP, no failover occurs. If the
active NAC server cannot ping one of the external IPs but the standby NAC server can, failover occurs.
Deployment Best Practices
When deploying the NAC Appliance solution into a campus network, consider the following to ensure
pervasive coverage and seamless integration with the campus architecture:
• NAC Server and Manager Placement, page 5-36
• Access Switch VLAN Requirements, page 5-39
• Client Redirection to the NAC Server, page 5-39
• NAC Agent Considerations, page 5-40
• Client Authentication, page 5-41
This section of the document will provide deployment best practice recommendations for integrating a
Layer-3 OOB NAC deployment into a routed access campus design. For information on integrating an
IB NAC deployment or integration of NAC into a multi-tier access design, refer to the following URL:
www.cisco.com/go/nac
NAC Server and Manager Placement
Placement of the NAC components within the campus design is important to provide pervasive coverage
and ensure that the individual components can communicate with each other as needed. This section
outlines the recommended placement of the NAC components in a Layer-3 routed access campus
design.
Some of the communication requirements between the NAC components are as follows:
• The users and devices that need to be certified need to communicate with the NAC Server for
authentication and posture assessment.
• The NAC Manager needs to communicate with the NAC servers in order to manage the security
policies, online users, and provide proxy authentication to external authentication servers.
• The NAC Manager must communicate with the access switches that the clients are connecting to in
order to enforce proper network policy.
• The collectors running on the NAC servers must be able to communicate with the NAC profiler in
order to send the endpoint profile information they have gathered.
• The NAC collectors need to communicate with the access switches to obtain endpoint profile and
mapping information.
• The NAC profiler must communicate with the NAC Manager to create NAC policies based on endpoint
profile data.
• The NAC Manager needs to communicate with external authentication servers if they are used to
authenticate users.
Placement of the NAC solution components into a Layer-3 routed campus access design is shown in
Figure 5-8.
Figure 5-8 Campus NAC Server and Manager Integration
The NAC Manager is placed in the NOC management segment. The NOC management segment needs
to provide the connectivity the NAC Manager needs to communicate with the access switches via SNMP.
It is recommended that this communication occur over the out-of-band management connectivity that the
NOC segment has to the switches, outside the data path.
The NAC Manager also needs to communicate with the NAC server’s trusted interface. The NAC server
does not have an OOB management interface so the communication occurs over the data path. If a
firewall is used between the NAC Servers and NAC Managers, the appropriate access rules must be
permitted to allow proper communication. If NAT is used on the firewall to hide the NOC management
addresses from the data path, a static NAT translation must exist for the NAC Manager's IP address.
The trusted and untrusted interfaces on the NAC server connect to the distribution switches. The trusted
and untrusted interfaces need to be in separate VLANs (VLAN 300 and 400 in Figure 5-8 above). The
active and standby NAC servers are connected to different switches for redundancy. The users that want
to connect to the network need to access the untrusted interface on the NAC server for authentication
and posture assessment. The distribution switches aggregate all the connections from the access switches
making it easy to redirect all the unauthenticated users to the NAC server.
[Figure 5-8 diagram: Core; NOC with NAC Manager (Active) and NAC Manager (Standby) joined by a failover link; Dist SW 1 and Dist SW 2 carrying SVIs 2, 300 and 400 (VLANs 2, 300, 400 trunked between them); NAC Server (Active) and NAC Server (Standby) each attached by an untrusted (U, VLAN 300) and a trusted (T, VLAN 400) interface; Layer-3 links down to access switches with VLAN 100/200 Access, VLAN 110/210 Voice and VLAN 120/220 Authentication, with IP phones and PCs on the access ports.]
The trusted VLAN (VLAN 400) and the untrusted VLAN (VLAN 300) are trunked across the
distribution switches along with the VLAN for Layer-3 route peering (VLAN 2). HSRP is used between
the trusted SVI (400) and the untrusted SVI (300) for resiliency.
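The distribution-switch side of Figure 5-8, written out as an added Cisco IOS example (this is not configuration from the SAFE guide). It shows the VLAN 2/300/400 trunk between the two distribution switches, HSRP on the trusted and untrusted SVIs, and the access ports for the active NAC Server; all IP addresses, interface names and HSRP group numbers are assumptions, and Dist SW 2 would mirror this with its own addresses and a lower HSRP priority.

```cisco
! Dist SW 1 (example configuration, addresses and interfaces assumed)
vlan 2
 name L3-ROUTE-PEERING
vlan 300
 name NAC-UNTRUSTED
vlan 400
 name NAC-TRUSTED
!
! Trunk to Dist SW 2 carries only the route-peering and NAC VLANs
interface TenGigabitEthernet1/1
 description Dist SW 1 <-> Dist SW 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,300,400
!
! Untrusted SVI (300): gateway the NAC Server untrusted interface uses to
! reach clients in the authentication VLANs; HSRP keeps 10.1.30.1 available
! if Dist SW 1 fails
interface Vlan300
 description NAC untrusted (U) side
 ip address 10.1.30.2 255.255.255.0
 standby 30 ip 10.1.30.1
 standby 30 priority 110
 standby 30 preempt
!
! Trusted SVI (400): path the NAC Manager uses to reach the NAC Server
! trusted interface
interface Vlan400
 description NAC trusted (T) side
 ip address 10.1.40.2 255.255.255.0
 standby 40 ip 10.1.40.1
 standby 40 priority 110
 standby 40 preempt
!
! Active NAC Server attaches here; the standby server attaches to Dist SW 2
! the same way so the pair does not depend on one switch
interface GigabitEthernet2/1
 description NAC Server (Active) untrusted interface eth1
 switchport mode access
 switchport access vlan 300
interface GigabitEthernet2/2
 description NAC Server (Active) trusted interface eth0
 switchport mode access
 switchport access vlan 400
```

The trusted/untrusted split is the security boundary of the design: nothing in VLAN 300 should be able to reach VLAN 400 except through the NAC Server, so keep any inter-VLAN routing between these two SVIs blocked by ACL (not shown) and verify with `show standby brief` that each SVI has exactly one active HSRP router after a failover test.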
Access Switch VLAN Requirements
The access switches should be configured with at least three VLANs as follows:
• Authentication VLAN (120, 220)—Users are placed in this VLAN prior to NAC certification
• Access VLAN (100, 200)—Users are placed in this VLAN after NAC certification
• Voice VLAN (110, 210)—VLAN for IP phones
The default VLAN configuration for all NAC managed ports should be the authentication VLAN. The
NAC Manager will place the interface into the authentication VLAN once a user connects; however, if
there is a communication failure between the NAC Manager and the access switch, preconfiguring all
the managed interfaces in the authentication VLAN prevents a user from accessing the network if there
is a NAC failure. If a user is connected behind an IP phone and there is a data VLAN and voice VLAN
configured on the interface, the NAC Manager only changes the data VLAN and not the voice VLAN.
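An access-switch configuration that meets the three-VLAN requirement above and the OOB trap requirements from the deployment considerations (SNMP, MAC notification preferred over link-state traps, community strings matching), added here as an example and not taken from the SAFE guide. VLAN numbers follow Figure 5-8 (100 Access, 110 Voice, 120 Authentication); the NAC Manager addresses 10.10.10.20/21, the community string and the port range are assumptions, and the exact `mac-notification` keywords vary slightly between Catalyst platforms and IOS releases.

```cisco
! Access switch (example configuration; VLANs from Figure 5-8)
vlan 100
 name ACCESS
vlan 110
 name VOICE
vlan 120
 name AUTHENTICATION
!
! Every NAC-managed port starts in the authentication VLAN. If the NAC Manager
! cannot reach this switch, a new user therefore stays isolated rather than
! landing in the access VLAN. The voice VLAN is separate; the NAC Manager only
! rewrites the data VLAN, so the phone keeps working when the PC behind it moves.
interface range GigabitEthernet1/0/1 - 24
 description NAC-managed user port
 switchport mode access
 switchport access vlan 120
 switchport voice vlan 110
 spanning-tree portfast
 ! MAC-notification traps fire when a new address is learned on the port,
 ! which also catches a PC plugged into the back of an IP phone (no link change)
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
!
! Global MAC-notification and trap settings (interval 0 = send immediately)
mac address-table notification change
mac address-table notification change interval 0
snmp-server enable traps mac-notification change
snmp-server enable traps snmp linkdown linkup
!
! The NAC Manager receives the traps and needs SNMP write access to move a
! port from VLAN 120 to VLAN 100 after certification. Restrict the RW community
! to the manager pair (10.10.10.20/21 assumed) so no other host can use it.
access-list 10 permit host 10.10.10.20
access-list 10 permit host 10.10.10.21
snmp-server community nacRwExample RW 10
snmp-server host 10.10.10.20 version 2c nacRwExample mac-notification snmp
```

Two checks worth running after applying this: `show mac address-table notification change` confirms the switch is generating MAC-notification events, and `show snmp` (trap counters) together with the NAC Manager's switch-management page confirms the traps are arriving rather than being dropped by an ACL or firewall on the management path.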
Client Redirection to the NAC Server
When a user connects to the access switch that has not been certified by the NAC server, the user will be
placed in the authentication VLAN. The user should not have access to any part of the network from the
authentication VLAN except for the NAC server and the remediation servers in the quarantine segment.
Access lists are applied on the authentication SVI to enforce this. The access-lists should only allow the
following:
• UDP port 8906 to the virtual IP of the NAC Server—Used by the NAC agent to communicate with
the server
• TCP port 80 (http)—If NAC agent is not used, NAC authentication is done via web interface
• TCP port 443 (https)—If NAC agent is not used, NAC authentication is done via web interface
(HTTP is redirected to use HTTPS)
• UDP port 67 (bootps)—Needed for DHCP IP requests
• UDP 53 (domain) —Needed for DNS resolution
• Traffic to the remediation servers on the quarantine segment— Depending on how antivirus updates
or OS patches are distributed, you will need to permit this traffic
In addition to configuring access lists on the authentication SVI, you will need to configure policy-based
routing to redirect all web traffic (TCP port 80 and 443) to the NAC server. Using policy-based routing
to redirect all web-based traffic to the NAC server will allow a user to open a browser to any website and
get automatically redirected to the NAC server for authentication. The user will not need to know or
manually type the IP address or host name of the NAC server in their browser. The policy-based routing
policy will need to be applied to all Layer-3 interfaces peering with the access switches to ensure all
traffic will be redirected to the NAC server regardless of what path is taken.
If the NAC Agent is used, the discovery host configured on the client should point to the untrusted
interface of the NAC server. This should be configured on the NAC Agent kit prior to distributing to the
clients.
Once the client is certified by the NAC server, the client is placed in the access VLAN to gain access to
the network and traffic will bypass the NAC server. Network access enforcement now occurs on the
access switches. In NAC Layer-3 OOB deployments, the NAC server only facilitates authentication and
posture assessment.
Note If using the NAC Agent, you will need to add an ACL entry to block UDP port 8906 on the access VLAN
SVI. Otherwise, the NAC Agent login screen will continue to appear even after the user is certified by
NAC.
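The authentication-VLAN access list, the access-VLAN entry from the note above, and the policy-based routing redirect, as one added Cisco IOS example (not configuration from the SAFE guide). It assumes a routed-access design in which the access switch hosts the user SVIs (VLAN 120 and VLAN 100) while the distribution switch hosts the Layer-3 links toward the access switches; the NAC Server virtual untrusted IP 10.1.30.10, the DHCP relay 10.1.50.67, the DNS resolver 10.1.50.53, the quarantine segment 10.1.60.0/24 and the subnets are all assumed values.

```cisco
! ---------- Access switch: authentication and access VLAN SVIs ----------
! Before certification a client may only reach the NAC Server, DHCP, DNS and
! the remediation servers. Web traffic is allowed to any destination because
! the distribution switch policy-routes it to the NAC Server.
ip access-list extended NAC-AUTH-VLAN-IN
 remark NAC Agent discovery and communication (NAC Server virtual IP assumed)
 permit udp any host 10.1.30.10 eq 8906
 remark Web login; PBR on the distribution switch redirects this to the NAC Server
 permit tcp any any eq www
 permit tcp any any eq 443
 remark DHCP (to the relay/broadcast) and DNS to the assumed resolver
 permit udp any any eq bootps
 permit udp any host 10.1.50.53 eq domain
 remark Remediation servers in the quarantine segment (assumed 10.1.60.0/24)
 permit ip any 10.1.60.0 0.0.0.255
 remark Everything else, including lateral traffic from an infected client, is dropped
 deny ip any any log
!
interface Vlan120
 description Authentication VLAN (uncertified users)
 ip address 10.2.120.1 255.255.255.0
 ip helper-address 10.1.50.67
 ip access-group NAC-AUTH-VLAN-IN in
!
! Access VLAN: drop NAC Agent discovery so the agent login screen stops
! reappearing once the user is certified (see the Note above)
ip access-list extended NAC-ACCESS-VLAN-IN
 deny udp any any eq 8906
 permit ip any any
!
interface Vlan100
 description Access VLAN (certified users)
 ip address 10.2.100.1 255.255.255.0
 ip helper-address 10.1.50.67
 ip access-group NAC-ACCESS-VLAN-IN in
!
! ---------- Distribution switch: Layer-3 links peering with access switches ----------
! Policy-route web traffic sourced from the authentication subnet(s) to the
! NAC Server untrusted interface. Matching on the authentication source subnet
! rather than "any" keeps certified users in 10.2.100.0/24 out of the redirect.
ip access-list extended NAC-WEB-REDIRECT
 permit tcp 10.2.120.0 0.0.0.255 any eq www
 permit tcp 10.2.120.0 0.0.0.255 any eq 443
!
route-map NAC-REDIRECT permit 10
 match ip address NAC-WEB-REDIRECT
 set ip next-hop 10.1.30.10
!
! Apply on every Layer-3 interface facing an access switch, on both
! distribution switches, so the redirect holds whichever path the client takes
interface GigabitEthernet1/1
 description L3 link to access switch 1
 ip address 10.0.1.1 255.255.255.252
 ip policy route-map NAC-REDIRECT
```

The `deny ip any any log` entry on the authentication SVI doubles as a detection point: hits against it from an uncertified client (anything other than NAC, DHCP, DNS or remediation traffic) are exactly the scanning or propagation attempts the quarantine is meant to contain, so those log messages are worth forwarding to the NOC. Verify the redirect with `show route-map NAC-REDIRECT` (policy-matched packet counters) after a test client in VLAN 120 opens a browser.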
NAC Agent Considerations
Users who need to be certified by NAC can access the NAC server using the NAC Agent or using web
login. Posture assessments can only be done when the NAC Agent is used. When the NAC Agent is not
used, only authentication can be done.
The NAC Agent is a lightweight, read-only agent that runs on an endpoint device. The Cisco NAC Agent
is available as both a persistent agent and as a web-based, dissolvable agent that is installed and removed
on the client at the time of authentication.
Persistent NAC Agent
The persistent NAC Agent provides local-machine, agent-based vulnerability assessment and
remediation for client machines. Users download and install the NAC Agent (read-only client software),
which can check the host registry, processes, applications, and services. The NAC Agent can be used to
perform Windows updates or antivirus/anti-spyware definition updates, launch qualified remediation
programs, distribute files uploaded to the NAC Manager, and distribute website links to remediation
websites in order for users to download files to fix their systems, or simply distribute
information/instructions.
The following steps outline the login process using the persistent NAC Agent:
Step 1 Users log in using the NAC Agent.
Step 2 The agent gets the requirements configured for the user role/operating system from the NAC Server.
Step 3 The agent checks for the required packages.
Step 4 The agent sends a report back to the NAC Manager (via the NAC Server).
If requirements are met on the client, the user is allowed network access. If requirements are not met,
the agent presents a dialog to the user for each unmet requirement. The dialog (configured in the New
Requirement form) provides the user with instructions and the action to take for the client machine to
meet the requirement.
NAC Web Agent
The Cisco NAC Web Agent provides temporal vulnerability assessment for client machines. Users
launch the Cisco NAC Web Agent executable, which installs the Web Agent files in a temporary
directory on the client machine via ActiveX control or Java applet. When the user terminates the Web
Agent session, the Web Agent logs the user off of the network and their user ID disappears from the
online users list.
The following steps outline the login process using the NAC Web Agent:
Step 1 Users log in using the NAC Web Agent.
Step 2 Web Agent gets the requirements configured for the user role/OS from the NAC Server.
Step 3 Web Agent checks the host registry, processes, applications, and services for required packages.
Step 4 Web Agent sends a report back to the NAC Manager (via the NAC Server).
If requirements are met on the client, the user is allowed network access. If requirements are not met,
the Web Agent presents a dialog to the user for each unmet requirement. The dialog (configured in the
New Requirement form) provides the user with instructions and the action to take for the client machine
to meet the requirement. Alternatively, if the specified requirements are not met, users can choose to
accept restricted network access (if you have enabled that option) while they try to remediate the client
machine so that it meets requirements for the user login role. You can set up a restricted user role to
provide access to only limited applications/network resources in the same way you configure a standard
user login role.
It is recommended that NAC be deployed using the NAC Agent on employee endpoints. Vulnerability
assessments and automated remediation can only be done using the NAC Agent. Additionally, once the
user is certified, they need to obtain a new IP address in the access VLAN. The NAC Agent can refresh
the IP address on the user’s machine without requiring the switch port to be bounced. Without the NAC
Agent, the NAC Manager needs to bounce the switch port to force DHCP refresh or the user will have
to manually force a DHCP refresh. Users connected behind IP phones should always use the NAC Agent
since bouncing the port will cause the IP phone to reboot.
Client Authentication
Part of the NAC certification process requires clients to authenticate prior to being granted network
access. Authentication can be accomplished using a local username and password database configured
on the NAC Manager or using external authentication servers. By connecting the Clean Access Manager
to external authentication sources, you can use existing user data to authenticate users in the untrusted
network.
When working with existing backend authentication servers, Cisco supports the following authentication
protocol types:
• Kerberos
• Remote Authentication Dial-In User Service (RADIUS)
• Windows NT (NTLM Auth Server)
• Lightweight Directory Access Protocol (LDAP)
When using external authentication servers, the NAC Manager is the authentication client that
communicates with the backend auth server. Figure 5-9 illustrates the authentication flow.
Figure 5-9 NAC Authentication Flow Using External Auth Servers
It is recommended that external authentication servers be used for NAC appliance deployments. This
greatly simplifies management of user credentials by providing a central location for maintaining
usernames and passwords. The choice of which option is used depends on a customer's environment
and existing authentication techniques.
[Figure 5-9 diagram: End User, NAC Server, NAC Manager and Auth Server (RADIUS, LDAP, Windows NT, Kerberos). The user provides credentials to the NAC Server via web login or the NAC Agent; the NAC Server provides the credentials to the NAC Manager; the NAC Manager verifies the credentials with the backend auth server.]
For information on configuring backend authentication servers, refer to the configuration guides for
NAC appliance at the following URL:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAM/m_auth.html
NAC Operation and Traffic Flow
Figure 5-10 illustrates the process that occurs during NAC authentication and posture assessment for a
user that is running the NAC Agent.
Figure 5-10 Traffic Flow with NAC Agent
[Figure 5-10 diagram: the Figure 5-8 topology (Core, NOC with CAM Active/Standby and failover link, Dist SW 1 and Dist SW 2 with SVIs 2, 300, 400, NAC Server Active/Standby with untrusted (U) and trusted (T) interfaces, access VLANs 100/200, voice 110/210, authentication 120/220) annotated with step numbers 1 through 13 along the path from the user's switch port, via the NAC Server untrusted interface, to the NAC Manager; the steps are described below.]
The following steps provide details of what occurs in the process shown in Figure 5-10:
Step 1 User connects to switch port.
Step 2 Switch sends SNMP MAC notification trap to the NAC Manager informing it that a new device has
connected to the network.
Step 3 NAC Manager checks its database to see if user is certified.
Step 4 If user is not certified, user is placed in the authentication VLAN
Step 5 The NAC agent starts sending discovery packets destined to NAC Server untrusted port.
Step 6 ACL on untrusted VLAN allows NAC Agent traffic through. The ACL blocks all other traffic not destined
to the NAC Server or remediation servers, so infected machines are unable to propagate.
Step 7 Agent discovers NAC Server and the user is prompted for authentication and goes through posture
assessment.
Step 8 If the user needs remediation, remediation occurs manually or via the NAC agent.
Step 9 Once the user is authenticated, the NAC Server informs the NAC Manager that the user is certified.
Step 10 The NAC Manager moves the user to the trusted access VLAN via SNMP write.
Step 11 The NAC agent forces a DHCP refresh to obtain an IP address in the Access VLAN.
Step 12 User gets access to network and completely bypasses NAC Server.
Step 13 ACL on trusted Access VLAN blocks NAC Agent discovery packets.
Figure 5-11 illustrates the process that occurs during NAC authentication and posture assessment for a
user that is not running the NAC Agent.
Figure 5-11 Traffic Flow without NAC Agent
The following steps provide details of what occurs in the process shown in Figure 5-11:
Step 1 User connects to switch port.
Step 2 Switch sends SNMP MAC notification trap to the NAC Manager informing it that a new device has
connected to the network.
Step 3 NAC Manager checks its database to see if user is certified.
Step 4 If user is not certified, user is placed in the authentication VLAN.
Step 5 The user opens a web browser and points to any website and the browser is redirected to the NAC
Server’s untrusted port via the policy-based routing policy on the distribution switches.
[Figure 5-11 diagram: the same topology as Figure 5-10, annotated with step numbers 1 through 11 along the path from the user's switch port, via the policy-routed redirect to the NAC Server untrusted interface, to the NAC Manager; the steps continue below.]
Step 6 ACL on untrusted VLAN allows this traffic through. ACL blocks all other traffic not destined to the NAC
Server or remediation servers; therefore, infected machines are unable to propagate.
Step 7 Web login ActiveX or Java applet agent is downloaded and the user is prompted for login.
Step 8 Once user is healthy and certified, the NAC Server informs the NAC Manager that the user is certified.
Step 9 The NAC Manager moves user to trusted access VLAN via SNMP write.
Step 10 The NAC Manager bounces the switch port to force a DHCP refresh to obtain an IP address in the access
VLAN.
Step 11 User gets access to network and completely bypasses NAC Server.
NAC Profiler
The Cisco NAC Profiler enables network administrators to efficiently deploy and manage NAC solutions
in enterprise networks of varying scale and complexity by identifying, locating and determining the
capabilities of all attached network endpoints, regardless of device type, in order to ensure and maintain
appropriate network access. The Cisco NAC Profiler is an agentless system that discovers, catalogs, and
profiles all endpoints connected to a network.
Typically, devices such as printers, FAX machines, IP Telephones and Uninterruptible Power Supplies,
are not capable of running a NAC client. This means that in the deployment of NAC solutions, special
purpose devices such as these do not have an agent available, nor do they provide a means by which a
user can manually intervene through a browser. In this case, the ports connecting these endpoints must
either be provisioned to circumvent the NAC system (e.g., placed on a special VLAN) or alternatively,
the NAC system configured to recognize these devices via their unique hardware address in order to
provide them access without direct participation in the admission control protocol. This typically
requires that the NAC system be made aware of these endpoints by MAC address so that they can be
admitted based on that credential alone with no further interaction with the NAC system. In the case of
Cisco NAC Appliance, non-NAC devices such as these are accommodated via the Device Filters list on
the NAC Manager.
In addition, the endpoint profiling information obtained by the NAC Profiler can be leveraged by the
Cisco IBNS solution. The Profiler can be used by ACS as the backend database for MAB authentication.
In the same way the Profiler adds entries to the device filters list on the NAC Manager, the information
can be used for white listing MAC addresses for IBNS MAB authentication.
Cisco NAC Profiler provides endpoint profiling and behavior monitoring functions to allow
administrators to understand the types of devices connecting to the network, their location and their
abilities relative to the state of the port on which they currently reside. Endpoint profiling and behavior
monitoring can be deployed in enterprise networks ranging from hundreds to tens of thousands of users.
Once endpoints are profiled, the profiler can automatically apply NAC policies and update the device
filter list on the NAC Manager.
Endpoint profiling and behavior monitoring requires the following functional components:
• Cisco NAC Profiler Server appliance
• Collector component on the NAC Server (Cisco NAC Appliance)
Deployment Best Practices
The following subsections cover the best practices for deploying the NAC Profiler in a routed-access
campus design. Recommendations for the following deployment areas are provided:
• NAC Profiler Placement, page 5-46
• High Availability, page 5-47
• NAC Collector Modules, page 5-48
NAC Profiler Placement
The NAC Profiler communicates with the NAC Collector modules running on the NAC Servers. It is
recommended that the NAC Profiler server be placed in the NOC alongside the NAC Manager. However,
if the firewall protecting the management network is performing NAT to hide the Management addresses
from the data path of the network, then the NAC Profiler needs to be placed on the inside of your network
where no NAT is being performed between the profiler server and the collectors. The communication
between the NAC Profiler Server and the NAC Collectors does not work if the address of the NAC
Profiler is being NAT'ed. In this case, the NAC Profiler server can be placed in the Campus Services
Block connecting to the Core switches to provide central access to all the collectors deployed within the
Campus. Stateful firewalls and IPS are used to protect the Profiler server and any other devices attached
to the security service switch as depicted in Figure 5-12.
Figure 5-12 Campus NAC Profiler Design Diagram
High Availability
As with the NAC Manager and NAC Server, the Profiler server should be deployed for HA and should
be deployed in an active/standby stateful failover configuration. Similar to the NAC Manager, the active
profiler does all the work and the standby profiler monitors the active profiler and keeps its database
synchronized via direct failover connection between the servers. A virtual IP address is configured and
always resides on the active server. The virtual IP (service IP) address should be used for the SSL
certificate. Ethernet 1 on both units should be used for the failover link connection used to share
heartbeat packets and database synchronization information.
The collector functionality resides on the NAC Servers. If the NAC servers are configured in
active/standby mode, it is recommended that the collectors be configured in this mode as well to provide
redundancy. When configured in active/standby failover mode, only the active collector will collect
endpoint profiling information and send it to the active profiler server. The active collector will coincide
with the active NAC server.
[Figure 5-12 diagram: the Figure 5-8 topology (Core, NOC with CAM Active/Standby and failover link, Dist SW 1 and Dist SW 2 with SVIs 2, 300, 400, NAC Server Active/Standby with untrusted (U) and trusted (T) interfaces, access VLANs 100/200, voice 110/210, authentication 120/220) with the Profiler (Active) and Profiler (Standby) added, and the NAC collectors on the NAC Servers.]
Some of the key things to consider when deploying the collectors in HA mode are as follows:
• The NAC Collector uses the Virtual IP address of the NAC server to communicate with the Profiler.
• The NAC Collector HA pair is added as a single entry in the Profiler and communicates to the virtual
IP address of the CAS. This needs to be configured as a client connection.
• Only one of the collectors is actively collecting endpoint profile information and sending it to the
Profiler server.
• The name of the collector must be the same on both the active and standby collector.
• For the NetTrap Collector Module, SNMP traps for MAC Notification, linkup/linkdown status
should be sent to the virtual IP address of the NAC Server.
• For the NetWatch collector module, both distribution switches must span traffic going to and coming
from the access switches to both the active and standby collectors/servers.
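The switch-side configuration that these HA considerations imply for the NetTrap, NetMap and NetWatch modules, added here as an example (not from the SAFE guide). It assumes MAC-notification traps are already enabled on the switch for the NAC Manager and only adds the collector as a second trap destination; the NAC Server virtual IP 10.1.40.10 and real IPs 10.1.40.11/12 on the trusted VLAN, the community strings, and the interface the collector listens on (GigabitEthernet2/5) are assumptions.

```cisco
! ---------- NetTrap: second trap destination = NAC Server virtual IP ----------
! The virtual IP follows the active NAC Server, so after a failover the traps
! reach whichever collector is active without any switch reconfiguration.
snmp-server host 10.1.40.10 version 2c nacTrapExample mac-notification snmp
!
! ---------- NetMap: read-only polling of system/interface/bridge/dot1x MIBs ----------
! A separate RO community limited to the NAC Server pair (virtual + both
! real addresses), so the polling credential cannot change anything and
! cannot be used from elsewhere in the network.
access-list 20 permit host 10.1.40.10
access-list 20 permit host 10.1.40.11
access-list 20 permit host 10.1.40.12
snmp-server community nacRoExample RO 20
!
! ---------- NetWatch: SPAN on each distribution switch ----------
! Mirror the Layer-3 uplinks toward the access switches to the port where the
! locally attached NAC Server's collector listens. Repeat on Dist SW 2 for the
! standby server so both collectors see the same traffic and the standby can
! take over profiling after a failover.
monitor session 1 source interface GigabitEthernet1/1 - 2 both
monitor session 1 destination interface GigabitEthernet2/5
```

Keep the RO community for NetMap distinct from the RW community the NAC Manager uses for VLAN changes: the profiler only needs read access, and a compromise of the collector should not yield a credential that can move ports between VLANs. `show snmp community` lists which ACL each community is bound to, and `show monitor session 1` confirms the SPAN source and destination.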
NAC Collector Modules
The Cisco NAC Profiler server houses the database that contains all of the endpoint information gathered
from the associated collectors including device type, location, and behavioral attributes. In addition, the
Profiler Server presents the web-based interfaces and communicates with the NAC Manager to keep the
device filters list current and relevant. There are also forwarder modules that serve as middleware and
facilitate secure communications between the Profiler server and the collectors. The Profiler server also
provides a module that can receive and analyze data from other sources such as NetFlow records
exported from NetFlow-enabled infrastructure devices (e.g., routers) or other NetFlow collectors. This
information is combined with the information gathered from the collectors and is used to further profile
the network attached endpoints.
The Cisco NAC Profiler Collectors reside on the same appliance as the Cisco NAC Appliance server
and consist of a number of software modules that discover information about the network attached
endpoints, including a network mapping module (NetMap), an SNMP trap receiver/analyzer (NetTrap),
a passive network analysis module (NetWatch), and an active inquiry module (NetInquiry). The major
functions of the collector are to gather all of the data about the endpoints communicating to/through the
NAC server, and to minimize and aggregate the information that is sent over the network to the Profiler
server.
Table 5-8 summarizes the functions of the collector.
Table 5-8 Collector Modules
Module Name: Purpose and functionality
NetMap: SNMP module that queries network devices for the following types of information:
• System
• Interface
• Bridge
• 802.1x
• Routing and IP
NetTrap: Reports link state changes and new MAC notifications
NetWatch: Passive network traffic analyzer
It is not recommended to enable all the collector modules on the collector. Rather, only enable the ones
that are needed. Otherwise, it might overload the collector. The following summarizes the recommended
mandatory and optional modules that should be enabled.
Mandatory Collector Modules (Recommended)
• NetTrap—This module listens for SNMP traps sent by switches for new-mac notification or Link
Up/Down notifications. This module sends all new MAC addresses to Profiler for profiling. This
feature is defined per switch on the SNMP-Server configuration command line on Cisco IOS.
• NetMap—This module sits on the Collector and is responsible for doing SNMP polling of the access
switches that the users connect to at timed intervals. The Collector SNMP polls the remote switches
for specific MIB information with read access to the switch. This polling provides things like
mac-address to port information, interfaces, link status, dot1x information, system information, and
so forth.
• NetWatch (SPAN)—The NetWatch module can listen on a SPAN destination port of a switch and send
the ingested traffic information back to the Profiler. Each NAC server requires an additional interface
to collect this data. This module is essential because the Profiler relies primarily on DHCP information
passed by devices and on matching of some other application traffic.
Optional Collector Modules
• NetRelay—(Netflow) is configured on each router on a per interface basis and the destination is the
virtual management IP address of the NAC Server. A Netflow agent sits on the NAC Server and
parses the Netflow information based on your traffic rules and networks configured on the Profiler.
• NetInquiry—This is a passive and active mechanism based on things like TCP Open ports. For
example, the NAC Server does a SYN/ACK and then drops the connection in order to poll a
particular subnet range or ranges for open TCP ports. If there is a response, it sends the information
to the Profiler with the IP address and TCP port polled.
For a routed-access campus design, it is recommended that all three mandatory modules and the passive
mechanism of the NetInquiry module be enabled. The passive mechanism of the NetInquiry module
allows you to restrict the information the collector will process to a list of subnet ranges that you enter. In
the case of the campus design, the subnet ranges should include the subnet ranges for the authentication,
access and voice VLANs on the access switches and the subnet range for the DHCP server. It is not
recommended to enable the active mechanism of NetInquiry: if not configured properly, it can overload
the NAC server with extra processing and consume hardware resources such as memory and CPU.
Table 5-8 Collector Modules (continued)
NetInquiry: Active profiling module that can be used with TCP open port and some application rules
NetRelay: Receives and processes NetFlow export packets directly from switches or other NetFlow data sources
The screenshot in Figure 5-13 depicts the configuration of the passive mechanism of the NetInquiry
module.
Figure 5-13 Passive Mechanism of NetInquiry
Note Leave ping sweep and DNS collection disabled; use them only as a last resort. Ping sweep and DNS collection
trigger pings and nslookups on the range of IP subnets added under Network block (see Figure 5-13).
This is not recommended and rarely used.
SPAN or NetFlow can be used, based on the deployment and customer requirements, but only one or the
other is recommended on a NAC server due to the amount of traffic that is sent to the collector modules
and the other NAC functionalities that the NAC server has to perform. With NetFlow, vital informational
pieces can be lost about devices (for example, DHCP vendor information, URL destinations, web client
info, and web server information). In the case of the campus design where the collectors are connected
to the distribution switches, SPANning the ports that are connected to the access switches will show all
information coming from the access layer. In this case SPAN provides more information, and NetFlow
information would not be needed and would only create more overhead with duplicate information.
NetFlow is more suited for situations where SPAN would not provide all the information such as
switches at remote sites.
For detailed instructions for configuring the NAC Profiler server and NAC Collectors in a Layer-3 OOB
NAC design, refer to the NAC Profiler and NAC SERVER Collectors in a Layer 3 Out-of-Band
Configuration Guide at the following URL:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a30ad7.shtml
Threat Mitigated in the Enterprise Campus
Table 5-9 Enterprise Campus Threat Mitigation Features
Threat columns: IP Spoofing, Botnets, DoS/DDoS, Layer 2 Attacks, Unauthorized Access, Spyware/Malware/Adware, Network Abuse, Data Leakage, Visibility, Control
(the number of Yes entries per row is preserved from the source table; their column positions were not recoverable in this copy)
Host-based Intrusion Prevention Systems (CSA): Yes Yes Yes Yes Yes Yes Yes
Edge Filtering: Yes Yes Yes Yes Yes
VLAN Segregation: Yes Yes Yes Yes Yes
IPS: Yes Yes Yes Yes Yes Yes
NAC: Yes Yes Yes Yes Yes Yes
IBNS: Yes Yes Yes Yes
Port Security: Yes Yes Yes Yes
DHCP Snooping: Yes Yes Yes Yes
IP Source Guard: Yes Yes Yes Yes
Dynamic ARP Inspection: Yes Yes Yes Yes
Chapter 6 Enterprise Internet Edge
The Internet edge is the network infrastructure that provides connectivity to the Internet and that acts as
the gateway for the enterprise to the rest of cyberspace. The Internet edge serves other building
blocks—referred to by Cisco as Places-in-the-network (PINs)—that are present in a typical enterprise
network. This modular building-block approach enables flexibility and customization in network design
to meet the needs of customers and business models of differing sizes and requirements.
Figure 6-1 shows the Internet edge infrastructure as part of an enterprise network. The Internet edge
infrastructure serves most areas of the enterprise network, including the data center, campus, and remote
branches. The proper design and implementation of the Internet edge infrastructure is crucial to ensure
the availability of Internet services to all enterprise users. The Internet edge infrastructure includes the
following functional elements:
• Service Provider (SP) Edge
This border part of the Internet edge infrastructure consists of routers that interface directly to the
Internet. Internet-facing border routers peer directly to the Internet SP. Careful consideration must
be made to routing design, redundancy, and security of these border routers.
• Corporate Access and DMZ
One of the major functions of the Internet edge is to allow for safe and secure Internet access by
corporate users while providing services to the general public. The firewalls in this module secure
these functions through enforcement of stateful firewall rules and application-level
inspection. Users at the campuses may access email, instant messaging, web browsing, and other
common services through the Internet edge firewalls. Optionally, the same infrastructure may serve
users at the branches that are mandated to access the Internet over a centralized connection.
Public-facing services, such as File Transfer Protocol (FTP) servers and websites, can be provided
by implementing a de-militarized zone (DMZ) within this network domain. The web application
firewall is another appliance that protects web servers from application-layer attacks (such as XML-based attacks).
The web application firewall also resides in the DMZ infrastructure and provides primary security
for Hypertext Transfer Protocol (HTTP)-based and E-commerce applications.
• Remote Access
The remote access infrastructure that provides corporate access to remote users through protocols
such as Secure Socket Layer (SSL) Virtual Private Networking (VPN) and Easy VPN.
• Edge Distribution
The edge distribution infrastructure provides the interface for the Internet edge network devices to
the rest of the enterprise network. Appliances, such as the Web Security Appliances (WSA), reside
in this part of the network. Within the edge distribution infrastructure, you can also implement an
Intrusion Prevention System (IPS) appliance to guard against worms, viruses, denial-of-service (DoS)
traffic, and directed attacks.
• Branch Backup
Some branches may adopt an Internet connection to provide a backup link to a WAN network. This
backup functionality may be performed by using dedicated appliances, such as a Cisco ASR 1000
Series router. The branch backup functionality is implemented within the Internet WAN edge block
in the Enterprise WAN edge module.
The Internet edge module provides many of the essential Internet-based services used in enterprise
networking environments (see Figure 6-1). Providing these services in a secure manner is essential to
business continuity and availability. The best practices for securing these services in the context of
Internet edge are presented in this chapter.
Figure 6-1 Internet Edge Infrastructure as part of an Enterprise Network
(Figure 6-1 diagram labels: Internet, ISP A, ISP B, Service Provider Edge, Corporate Access/DMZ, Web Security Appliance, Email Security Appliance, Web, DNS, Distribution, Core, Remote Access VPN)
Key Threats in Internet Edge
The Internet edge is a public-facing network infrastructure and is particularly exposed to a large array of
external threats. Some of the expected threats are as follows:
• Denial-of-service (DoS), distributed DoS (DDoS)
• Spyware, malware, and adware
• Network intrusion, takeover, and unauthorized network access
• E-mail spam and viruses
• Web-based phishing, viruses, and spyware
• Application-layer attacks (XML attacks, cross-site scripting, and so on)
• Identity theft, fraud, and data leakage
Design Guidelines for the Enterprise Internet Edge
This section focuses on the overall design of the Internet edge module in the SAFE design. The Internet
edge network can be divided into several functional blocks. Each functional block has its own design
and security considerations:
• Service Provider Edge—This block is composed of the Internet-facing border routers. The primary
function of the border routers is to route traffic between the organization's network and the Internet.
These routers also act as the first line of defense against external attacks. The SAFE design
accommodates a redundant Internet connection. To that end, the two border routers at the edge
connect to the Internet through dual Internet Service Providers (ISP)—ISP-A and ISP-B, as shown
in Figure 6-1. The two border routers provide redundancy and run external Border Gateway Protocol
(eBGP). The eBGP allows efficient policy-based routing and prevents leakage of routes from one
ISP to another. The border routers also run Performance Routing (PfR) to optimize traffic flows and
improve performance. With PfR enabled, load balancing between border routers is possible without
the need for storing the full Internet routing table on the border routers. For outgoing traffic to the
Internet, PfR also enables the routers to make intelligent decisions in choosing an optimized path
based on the traffic characteristics of each ISP. This improves the overall performance of outgoing
Internet traffic. For PfR implementation details, refer to Transport Diversity: Performance Routing
(PfR). The border routers should be secured following the device hardening best practices outlined
in Chapter 2, “Network Foundation Protection.”
• Corporate Access and DMZ—A pair of firewalls provide stateful access control and deep packet
inspection. These firewalls are deployed to protect the organization's internal resources and data
from external threats by preventing incoming access from the Internet; to protect public resources
served by the DMZ by restricting incoming access to the public services and by limiting outbound
access from DMZ resources out to the Internet; and to control users' Internet-bound traffic. To that
end, firewalls are configured to enforce access policies, keep track of connection status, and inspect
packet payloads. The firewalls are configured in active/standby mode for redundancy purposes. The
DMZ hosts services such as the E-mail Security Appliance, HTTP, Domain Name System (DNS),
and FTP. The web application firewall also resides in the DMZ. The web application firewall
provides perimeter security for application-based attacks that the firewall cannot guard against and
can provide safeguards for key applications, such as business-to-business transactions. In most cases
the data center implements its own web application firewall. The web application firewall on the
DMZ can provide the first line of defense for commerce applications and protect any web servers
on the DMZ from application-layer attacks. IronPort Email Security Appliance (ESA) may be
deployed at the DMZ to protect email communications.
• Remote Access VPN—One essential function of the Internet-edge module is to provide secure access
to remote workers. Many different approaches can be taken, depending on particular requirements
and policies within the enterprise. Access for remote clients can be implemented using SSL VPN
with thin clients. Clients in this case are only allowed access to specific HTTP services within the
enterprise. This is in contrast to full client remote access in which clients have full access to all
services within the enterprise and experience the same level of service as internal corporate users.
It is recommended that two separate firewalls are used to provide remote access functionality.
Although a single pair of firewalls could be leveraged for both remote access and corporate access,
it is a good practice to keep them separate. Remote access may be further secured by requiring user
authentication and authorization, and enforcing granular per user or per group access control
policies.
• Edge Distribution—The Enterprise Internet Edge module implements a layer of distribution
switches that aggregate services common to the various blocks present in the module. The
distribution switches reside in the inside network of the firewalls and connect to the core switches,
making them accessible to other parts of the enterprise network. URL filtering, content inspection, and
intrusion prevention are examples of services that may be aggregated at the distribution layer.
IronPort Web Security Appliance (WSA) may be deployed at this layer to enforce acceptable use
policies for Web access, content inspection, and to block malware, spyware and other threats. The
WSA is a web proxy and sits logically in the path between corporate users and the Internet edge
firewalls. Proper placement and configuration of these appliances provides secure web access,
content security and threat mitigation for web services. Cisco Intrusion Prevention Systems (IPS)
may be implemented in this part of the Internet edge infrastructure. Logically, the IPSs are placed
between the firewall and core routers, protecting the enterprise from threats originating from campus
and remote users.
Edge Distribution Layer
The position of the edge distribution layer within the Internet edge network is shown in Figure 6-2.
Figure 6-2 Edge Distribution in Internet Edge
This section addresses the following edge distribution topics:
• Design Guidelines and Best Practices
– Infrastructure Protection Best Practices
– Internet Edge Cisco IPS Design Best Practices
Design Guidelines and Best Practices
The Internet edge distribution layer refers to the part of the network that aggregates common services
used by the various blocks in the Internet Edge module, that resides within the inside network, and that
is adjacent to the core network. Common services include web security with the WSA, and intrusion
protection with Cisco IPS. It is a good practice to deploy the WSA at the distribution layer, as close to the
clients as possible. Conversely, the ESA should be deployed as close to the Internet as possible with a
reasonable level of firewall protection (i.e., within the DMZ). The deployment of the WSA and ESA is
discussed in detail in the “E-mail and Web Security” section on page 6-15. Other functions covered in
this section include connectivity and routing to and from the core and implementation of the Cisco IPS
appliances.
Infrastructure Protection Best Practices
Infrastructure protection plays an important role in the Internet edge distribution block. The following
best practices are recommended:
• All infrastructure protection hardening, such as management access control lists (ACL),
authentication, control plane policing, or Layer-2 hardening, must be implemented on the inner
switches.
• Routing protocols between switches and Cisco ASAs and core routers must be authenticated.
• Use separate interfaces for management of the WSA.
• Disable unnecessary services, such as Telnet, HTTP, and the like on the data interfaces for the WSA
in order to prevent even inside corporate users from taking advantage of open ports.
Internet Edge Cisco IPS Design Best Practices
The Cisco SAFE Internet edge design leverages the Cisco IPS to provide protection against threats
originating from both inside and outside the enterprise. When implemented in inline mode, the Cisco
IPS inspects all transit traffic and automatically blocks all malicious packets. The Cisco IPS can also be
deployed in promiscuous mode, in which the sensor does not reside in the traffic path. In promiscuous
mode, the Cisco IPS is able to identify and generate alarms whenever malicious traffic is seen, but the
sensor cannot block the attack in real-time by itself. To ensure adequate threat visibility and detection,
Cisco IPS sensors must be maintained with the latest signature database. This can be automated by using
CSM.
When deployed in inline mode, the Cisco IPS sensor is configured to bridge traffic between interface or
VLAN pairs. The sensor inspects the traffic as it is bridged between the interfaces or VLANs. Figure 6-3
shows the placement of Cisco IPS in the context of Internet edge infrastructure.
Figure 6-3 Internet Edge with Integrated Cisco IPS
By implementing the Cisco IPS at the distribution layer, the sensors can inspect traffic from all sources,
whether from the Internet, remote-access clients, or corporate users. In addition, traffic destined to the
DMZ or corporate users can be monitored. Figure 6-3 shows how the Cisco IPS can inspect traffic from
corporate users or from users accessing public-facing services at the DMZ.
The deployment framework for the Cisco IPS is as follows:
• The Cisco IPS is logically located between the edge firewalls and the distribution switches.
• Cisco IPS is configured to enable it to send alarms to a CS-MARS appliance. CSM and Cisco
Intrusion Detection System Device Manager (IDM) GUI interfaces can be used to monitor the
Intrusion Detection System (IDS). CSM and CS-MARS are located in the out-of-band management
network.
• Two Cisco IPS devices are used for redundancy.
• Because the Cisco IPS loses visibility into the traffic flows with asymmetrical data paths, it is a good
practice to ensure symmetrical paths by fine tuning spanning tree parameters and by implementing
the firewalls in active/standby mode. With correct tuning of spanning tree and by firewalls
implemented in standby/active mode, a single Cisco IPS is actively inspecting traffic at any point in
time while the other is idle.
Redundancy can be achieved very easily when using Cisco ASAs in active/standby mode. In this case,
only a single Cisco IPS is actively monitoring traffic for both directions at any time. If a link fails, the
other Cisco IPS inspects traffic.
(Figure 6-3 diagram labels: SP1, SP2, Internet, ASA's, Core, Corpnet, Network Applications, DMZ, Branch/WAN, Data Center, Campus)
Corporate Access/DMZ Block
The location of the corporate access/DMZ network infrastructure within the Internet edge network is
shown in Figure 6-4.
Figure 6-4 Corporate Access/DMZ in Internet Edge
Corporate access/DMZ design is an essential aspect of the overall Internet edge design. Most enterprise
customers must provide Internet access for all employees. However, this comes with security challenges.
The challenge is to provide Internet access, but at the same time block malicious traffic from entering
the corporate network. The first step is to deploy a firewall with proper policies configured.
The design considerations for the Cisco Application Control Engine (ACE) Web Application Firewall
appliance are covered in this section. The Cisco ACE Web Application Firewall provides perimeter
security functionality and protection for public-facing, web-based services located within the DMZ.
This section addresses three key topics:
• How to provide corporate access
• How to implement the firewall policy
• How to implement the Cisco ACE Web Application Firewall at the DMZ
Design Guidelines for Corporate Access/DMZ Block
The corporate access policies are enforced by Internet edge firewalls. Two Cisco ASAs are used in order
to provide redundancy. They are used in active/standby mode. This simplifies Cisco IPS deployment and
ensures that no traffic loss occurs in the event of a failover.
The key objectives of firewall requirements are as follows:
• All corporate users must be able to access the Internet.
• All HTTP/HTTPS traffic must pass through the WSA.
• Only web, E-mail, and some Internet Control Message Protocol (ICMP) traffic are allowed into the
network.
• Cisco ASAs should be hardened.
• Cisco ASAs should be configured for redundancy.
• The Cisco ACE Web Application Firewall serves all web servers on the DMZ and all public
addresses of the web servers must point to the Cisco ACE Web Application Firewall.
• Secure device access by limiting accessible ports, requiring authentication for access, specifying policy for
permissible actions for different groups of people, and proper logging of events.
• Disable Telnet and HTTP; allow only secure shell (SSH) and HTTPS.
• Secure firewall routing protocols by implementing Message Digest 5 (MD5) authentication.
• Enable firewall network telemetry functionality by using features such as Network Time Protocol
(NTP), logging, and NetFlow.
Figure 6-5 illustrates traffic flow through a firewall in a corporate access environment.
Figure 6-5 Traffic Flow for Typical Corporate Access
(Figure 6-5 diagram labels: Internet, www, IronPort, Corporate User, Web Server)
As shown in Figure 6-5, all the corporate users should pass through the WSA to reach the Internet. The
Cisco ASA should not allow any web traffic to go out that does not originate from the WSA, with the
exception of the ESA, Cisco Security MARS, and CSM that need to access the Internet for updates. The
different logical interfaces on the Cisco ASA can be used to separate the DMZ, SP-facing interfaces, and
the inside corporate infrastructure. See Figure 6-6.
Figure 6-6 Cisco ASA Physical Interface Layout
The following lists the importance of each particular interface:
• management—This interface is used for management traffic, including AAA, HTTPS, and so on.
• dmz2—This interface is used to host the web servers and web application firewall.
• emailservices—This interface is used to host the IronPort ESA.
• corpnet—This is the gateway interface for all the corporate users.
• Failover Interface—This is the interface used to facilitate communication and status between
standby/active firewalls.
• externalservices—This is the interface connected to the outside world (which in this scenario is
connected to the border routers).
The Cisco ASDM management tool can be used to verify firewall rules, monitor events, and configure
the Cisco ASAs. Figure 6-7 and Figure 6-8 illustrate information available through the Cisco ASDM.
(Figure 6-6 diagram labels: mgmt, failover, externalservices, web proxy services, corpnet, dmz2, IronPort, DMZ, WAF Appliance, NOC/MGMT, Internet, Core, www)
Figure 6-7 Cisco ASDM Screen Capture—Device Information and Status Page
Figure 6-8 Cisco ASDM Screen Capture—Firewall Access Rules Page
As shown in Figure 6-7 and Figure 6-8, the Cisco ASDM can be used to configure firewall rules and
monitor a variety of statistics and system parameters. The following configuration steps illustrate the
process necessary to implement the security best practices for the Internet edge firewalls.
Note The 64.104.0.0/16 and 198.133.219.0/24 address blocks used in the examples provided below are
reserved for the exclusive use of Cisco Systems, Inc.
Step 1 Define the inter-interface and intra-interface security policy. The configuration that follows allows
traffic to flow between the interfaces and within an interface of same security-level. This is required if
two or more interfaces on the firewall are configured with the same security level.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Step 2 Define the object groups. The configuration that follows allows objects—such as IP hosts or networks,
protocols, ports, and ICMP types—to be collected into object groups. This simplifies deployment and
makes it easier to deploy future servers or hosts without modifying the ACLs.
object-group network NETWORK_APPLICATION_HOSTS
network-object 198.133.219.55 255.255.255.255 <-- This is Iron Port E-mail server
network-object 198.133.219.59 255.255.255.255 <-- This is web application firewall
object-group protocol NETWORK_APPLICATION_PROTOCOL
protocol-object tcp
protocol-object udp
object-group service services1 tcp-udp
description DNS Group
port-object eq domain
object-group service services2 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group icmp-type ICMP_TRAFFIC
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
icmp-object echo
object-group service ICMP_TRAFFIC_1
description (Generated by Cisco SM from Object "ICMP_TRAFFIC")
service-object icmp echo
service-object icmp unreachable
service-object icmp time-exceeded
service-object icmp echo-reply
Step 3 Define the key services that are to be visible to the outside world. In the design presented here, the web
application firewall appliance and IronPort E-mail servers are visible to outside. As a result, static NAT
translations for these services must be defined. The following example commands illustrate this
configuration.
static (dmz2,externalservices) tcp 198.133.219.59 www 10.244.20.110 www netmask 255.255.255.255
static (emailservices,externalservices) 198.133.219.55 10.244.30.11 netmask 255.255.255.255
Step 4 Define the Protocol Address Translation (PAT) and NAT pool for corporate access as illustrated in the
following configuration.
global (externalservices) 20 198.133.219.129-198.133.219.254 netmask 255.255.255.128
global (externalservices) 20 198.133.219.128 netmask 255.255.255.255
nat (corpnet) 20 access-list corp-net
nat (VPN-termination) 2 10.246.10.0 255.255.255.0
Step 5 Define the ACL for allowing external access as illustrated in the following configuration.
access-list OUTSIDE_IN extended permit tcp any object-group NETWORK_APPLICATION_HOSTS eq domain
access-list OUTSIDE_IN extended permit tcp any object-group NETWORK_APPLICATION_HOSTS object-group services2
Note Defining object groups greatly simplifies deploying the firewall policy.
Step 6 Define the ACL to prevent the inside users from trying to access the Internet without going to the
IronPort appliance as illustrated in the following configuration.
access-list WEB_ACCESS extended permit tcp host 10.245.255.250 any eq www
access-list WEB_ACCESS extended permit tcp host 10.242.50.99 any eq www
access-list WEB_ACCESS extended permit tcp host 10.242.50.96 any eq www
access-list WEB_ACCESS extended deny tcp any any eq www
access-list WEB_ACCESS extended permit ip any any
Step 7 Apply the ACL WEB_ACCESS to corpnet and apply the ACL OUTSIDE_IN to externalservices as
illustrated in the following configuration.
access-group OUTSIDE_IN in interface externalservices
access-group WEB_ACCESS in interface corpnet
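Added example, not code from the SAFE guide or from Cisco: the following Python script parses the object groups and ACLs from Steps 2, 5 and 6 (wrapped lines joined) and evaluates sample flows against them first-match with the implicit deny, the way the ASA applies the access-groups from Step 7. The WSA and DMZ addresses come from the page; the corporate host 10.242.7.7 and the Internet hosts 203.0.113.x are constructed.

```python
"""Offline evaluator for the ASA access-list policy from Steps 2, 5 and 6.
Added example, not the SAFE guide's or Cisco's code. Parses a small subset of ASA
syntax (network and tcp service object-groups, and extended ACEs of the form
'permit|deny PROTO SRC DST [eq PORT | object-group SVC]') and evaluates flows
first-match with an implicit deny, which is how the ASA applies Step 7's access-groups."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "domain": 53}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed excerpt of the page's Step 2, 5 and 6 configuration (wrapped lines joined).
ASA_CONFIG = """
object-group network NETWORK_APPLICATION_HOSTS
 network-object 198.133.219.55 255.255.255.255
 network-object 198.133.219.59 255.255.255.255
object-group service services2 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list OUTSIDE_IN extended permit tcp any object-group NETWORK_APPLICATION_HOSTS eq domain
access-list OUTSIDE_IN extended permit tcp any object-group NETWORK_APPLICATION_HOSTS object-group services2
access-list WEB_ACCESS extended permit tcp host 10.245.255.250 any eq www
access-list WEB_ACCESS extended permit tcp host 10.242.50.99 any eq www
access-list WEB_ACCESS extended permit tcp host 10.242.50.96 any eq www
access-list WEB_ACCESS extended deny tcp any any eq www
access-list WEB_ACCESS extended permit ip any any
"""

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", ...
    src: list              # ip_network objects the source may fall in
    dst: list              # ip_network objects the destination may fall in
    dports: "set | None"   # destination ports; None means any port

def port_number(token):
    """Map an ASA port keyword (www, smtp, ...) or numeric string to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_addr(tokens, i, net_groups):
    """Consume one address spec at tokens[i]; return (networks, next index)."""
    t = tokens[i]
    if t == "any":
        return [ANY], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if t == "object-group":
        return net_groups[tokens[i + 1]], i + 2
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}")], i + 2  # "addr mask" form

def parse_config(text):
    """Parse the subset described above into {'net': {...}, 'svc': {...}, 'acl': {...}}."""
    policy = {"net": {}, "svc": {}, "acl": {}}
    current = None  # name of the object-group whose members are being read
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue  # blank line; description/protocol-object lines also fall through below
        if tokens[0] == "object-group":
            kind, current = tokens[1], tokens[2]
            policy["net" if kind == "network" else "svc"][current] = []
        elif tokens[0] == "network-object":
            policy["net"][current].append(ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}"))
        elif tokens[0] == "port-object" and tokens[1] == "eq":
            policy["svc"][current].append(port_number(tokens[2]))
        elif tokens[0] == "access-list" and tokens[2] == "extended":
            name, action, proto = tokens[1], tokens[3], tokens[4]
            src, i = parse_addr(tokens, 5, policy["net"])
            dst, i = parse_addr(tokens, i, policy["net"])
            dports = None
            if i < len(tokens) and tokens[i] == "eq":
                dports = {port_number(tokens[i + 1])}
            elif i < len(tokens) and tokens[i] == "object-group":
                dports = set(policy["svc"][tokens[i + 1]])
            policy["acl"].setdefault(name, []).append(Ace(action, proto, src, dst, dports))
    return policy

def evaluate(policy, acl_name, proto, src_ip, dst_ip, dport):
    """Return 'permit' or 'deny': the first matching ACE wins, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in policy["acl"].get(acl_name, []):
        if ace.proto not in ("ip", proto):
            continue
        if not any(src in n for n in ace.src) or not any(dst in n for n in ace.dst):
            continue
        if ace.dports is not None and dport not in ace.dports:
            continue
        return ace.action
    return "deny"

def direct_web_ports(policy, acl_name, inside_host, internet_host, ports=(80, 443)):
    """Ports on which an ordinary inside host reaches the Internet without passing the WSA."""
    return [p for p in ports
            if evaluate(policy, acl_name, "tcp", inside_host, internet_host, p) == "permit"]

POLICY = parse_config(ASA_CONFIG)
```

Evaluating an ordinary corporate host shows that WEB_ACCESS as listed denies only port 80 outside the WSA, so HTTPS falls through to the final permit ip any any line; the stated objective that all HTTP/HTTPS traffic pass through the WSA needs a matching deny for https.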
Web Application Firewall
The web application firewall acts as a reverse proxy for the web servers that it is configured to protect.
The virtual web application is used to create a virtual URL that will be used to intercept incoming client
connections. You can configure one or more virtual web applications based on the protocol and port, as well
as the policy you want to be applied. Covering every aspect of web application firewall configuration
and policy management is beyond the scope of this publication. Only basic implementation steps as they
pertain to the Internet edge architecture are addressed. For more details, refer to the web application
firewall reference guide listed in Appendix A, “Reference Documents.”
Basic configuration of network services is handled through the console port or a keyboard. The policy
configuration and management are done through a GUI via HTTPS. The web application firewall can be
configured with a virtual address that acts as the IP address of a web server. The web application
firewalls can then point to the actual web server and inspect all traffic destined for the web server.
The logical placement and deployment model of web application firewall is shown in Figure 6-9.
Figure 6-9 Cisco Application Control Engine (ACE) Web Application Firewall Logical Placement
The following are some of the best practices that should be used when implementing the web application
firewall:
• Implement the web application firewall in a one-armed design, with its single interface connecting
to the DMZ.
• Configure the web application firewall to retain the client source IP address if the traffic is directed
to appliances in the data center.
• It is recommended that HTTPS traffic directed to the data center not be decrypted at the web
application firewall, as the Cisco ACE module in the data center performs the load balancing and
decryption while also providing higher performance.
• Configure the web application firewall in the Internet edge and the web application firewall in the
data center in the same cluster.
[Figure 6-9 residue: remote and e-commerce clients on the Internet reach the border routers and firewalls; the WAF sits in the DMZ in front of the XML-aware web server applications and the DMZ network services (HTTP services), with XML attacks to the DMZ or web servers stopped by the WAF; the core lies behind.]
For more information on best practices, configuration steps and threat control and monitoring capability
of the web application firewall, refer to the web application firewall reference guide listed in
Appendix A, “Reference Documents.”
Examples of the GUI interface used to view rules and monitor events are shown in Figure 6-10 and
Figure 6-11.
Figure 6-10 Cisco ACE Web Application Firewall—Viewing Rules and Signatures
Figure 6-11 Cisco ACE Web Application Firewall—Viewing Event Log Viewer
E-mail and Web Security
To implement the best practices for the ESA and WSA, a good understanding of the SenderBase
network (referred to below as the SensorBase network) is required. The ESA and WSA use the information
gathered by this network to make decisions about the threat level of websites and of the senders of
received E-mails. The following section summarizes the operation and advantages of the SensorBase network.
IronPort SensorBase
The IronPort ESA and WSA use the SensorBase network to gain a real-time view into security threats
and to stop E-mail spam and E-mail from malicious sites. The SensorBase network is an extensive network
that monitors global E-mail and web traffic for anomalies, viruses, malware and other abnormal
behavior. It samples a significant percentage of all global E-mail and web traffic and uses tens of
parameters to identify spam E-mail sources and malicious or compromised websites.
SensorBase examines more than 90 different parameters about E-mail traffic and 20 different parameters
about web traffic. Parameters tracked include global sending volume, complaint levels, "spamtrap"
accounts, whether a sender's DNS resolves properly and accepts return mail, country of origin, blacklist
information, probability that URLs are appearing as part of a spam or virus attack, open proxy status,
use of hijacked IP space, valid and invalid recipients, and other parameters. From these inputs,
SensorBase computes a reputation score for domains and websites that ranges from -10 to +10.
This score is analogous to a credit score for an individual and is used to determine risk. Every ESA or
WSA deployed in the enterprise can dynamically look up the reputation score of the domain of each E-mail
it receives or of each website to which it connects. The appliance can use preconfigured policies to drop,
monitor, or quarantine E-mail from suspect mail sources, and to drop connections to malicious websites.
Figure 6-12 depicts the operation of the IronPort SensorBase network.
Figure 6-12 IronPort SensorBase Network
[Figure 6-12 residue, the inputs feeding the IronPort SenderBase reputation score:
• IP blacklists and whitelists: SpamCop, SpamHaus (SBL), NJABL, Bonded Sender
• Compromised host lists: SORBS, OPM, DSBL
• Web site composition data: downloaded files, linking URLs, threat heuristics
• Domain blacklists and safelists: spamvertized URLs, phishing URLs, spyware sites
• Other data: Fortune 1000 membership, length of sending history, location, where the domain is hosted, how long it has been registered, how long the site has been up
• Global volume data: over 100,000 organizations, E-mail traffic, web traffic
• Message composition data: message size, attachment volume, attachment types, URLs, host names
• Complaint reports: SpamCop, ISPs, customer contributions
• Spam traps: spam, phishing, virus reports]
Web Security Appliance Best Practices
The function of the WSA is to monitor and mitigate any abnormal web activity between corporate users
and the outside world. The WSA is logically located in the path between corporate web users and the
Internet. In effect, the WSA acts as a web proxy for the corporate users residing inside the network. This
logical placement of the WSA implies proper configuration of the browser. There are three different
ways clients may interact with WSA:
• Explicit mode without use of Proxy Auto Configuration (PAC) files—This requires manual
configuration of the browser to point to the WSA as its proxy. This choice does not support
redundancy, does not work with multiple WSAs, and requires changes to every browser in the
enterprise network. This is the preferred method to test and verify proper operation of the WSA.
• Explicit mode with use of PAC files—In this mode, the proxy information is stored in a file that can
be downloaded automatically or the file’s location can be referenced manually. The advantage of this
mode is that more than one proxy can be referenced in the files and used by the browser. This allows
for load balancing and redundancy of WSAs. You can use Dynamic Host Configuration Protocol
(DHCP) or DNS to download the files automatically to the browser. This eliminates the need to
manually configure each browser separately.
• Transparent mode with Web Cache Communications Protocol (WCCP)—In this mode, the web
traffic is transparently directed to the WSA using WCCP redirection and does not require any
adjustments to the browser. This mode requires the configuration of a WCCP-enabled firewall,
router or Layer-3 switch to direct client traffic to the appliance. Care should be taken when
asymmetrical traffic flows exist in the network. This is a good method for load sharing and
redundancy.
It is recommended that explicit mode be implemented initially. You may use this mode with PAC files for
initial testing and then transition to WCCP for the final implementation. As mentioned in the preceding
description, with PAC files you may achieve load balancing and redundancy between multiple WSAs.
Alternatively, WCCP-based transparent mode may be used if you require weighted load balancing or
source and destination hashing. More sophisticated load balancing is also possible with a Layer-4 load
balancer, such as Cisco Application Control Engine (ACE). Figure 6-13 illustrates the manual proxy
configuration in Microsoft Internet Explorer.
Figure 6-13 Example Browser Configuration Window for Setting up WSA Reference
To implement explicit mode without PAC files, use the proxy server setting shown in Figure 6-13 and
manually enter the IP address of the WSA. The "Use automatic configuration script" setting indicates the
location of the PAC file used by the browser; with WCCP redirection, nothing is configured in the browser.
Similar configuration options are available for other popular browsers.
Other recommendations and best practices for WSA deployment are as follows:
• The edge firewalls should be configured to allow only outgoing HTTP or Hypertext Transfer
Protocol over SSL (HTTPS) connections sourced from the WSA and other devices requiring such
access—such as ESA and Cisco Security Monitoring, Analysis and Response System
(Cisco Security MARS), or Cisco Security Manager (CSM). This would prevent users from
bypassing the WSA in order to directly connect to the Internet.
• Determine the IP address of the WSA to which all browsers will point as a web proxy.
• Configure all browsers in the organization to point to the WSA, either through a PAC file or manual
configuration. Once the location of the PAC file is configured, no other changes to the browser are
necessary. If using WCCP, end-station configuration is not needed.
• If an upstream proxy is present, configure the WSA to point to the upstream proxy.
• Determine policies for handling HTTPS traffic and configure WSA to enforce those policies.
• Configure the WSA policies and actions to be taken for the different ranges in the Web Reputation
Score. Based on the reputation score, the WSA can pass, monitor, or drop web traffic.
• Configure enforcement policies for your organization through the URL filter available on the WSA.
URL filters allow blocking or monitoring of users based on the website categories users visit.
• When creating policies for encrypted traffic, it is recommended that a whitelist of well-known sites be
created and that traffic to those sites be allowed to pass. This saves resources on the WSA. It is also
good practice to monitor traffic to other sites that use encryption.
• If a no-split-tunneling policy is enforced at the branches, then the browsers at all branches should
point to the WSA. This practice ensures that all Internet traffic flows through the corporate network
and is passed through and monitored by the WSA.
• Use a separate interface to connect to the management network.
You can use the WSA reporting tools to monitor web activity and to look for any malicious activity. The
screen shots in Figure 6-14 through Figure 6-16 illustrate the monitoring capabilities available.
Figure 6-14 WSA Reporting Window—Web Site Activity
Figure 6-15 WSA Reporting Window—URL Categories
The Web-Site activity screen allows the administrator to determine what websites were blocked from the
user and the reason for blocking access. A website can be blocked because of a bad reputation score,
because spyware or malware was detected by anti-malware, or due to URL filtering. The URL filtering
window categorizes all the visited websites and shows the amount of traffic and number of blocked
transactions for each category. The client website window in Figure 6-16 shows the website activity for
each client, which can be used for enforcing acceptable-use policies.
Figure 6-16 WSA Reporting Window—Client Web Activity
The E-mail Security Appliance
E-mail is a medium through which spyware and viruses can be propagated. In addition to outside threats,
E-mail spam and malware reduce employee productivity. The ESA is a type of firewall and threat
monitoring appliance for Simple Mail Transfer Protocol (SMTP) traffic (TCP port 25). Logically speaking,
the ESA acts as a Mail Transfer Agent (MTA) within the E-mail delivery chain.
There are multiple deployment approaches for the security appliance depending on the number of
interfaces used. The ESA may be deployed with a single physical interface to transfer E-mail to and from
both the Internet and the internal mail servers. If desired, two physical interfaces may be used, one for
E-mail transfer to and from the Internet, and another for E-mail communications with the internal servers.
In the former approach, the ESA resides on the DMZ, while in the latter, the ESA has one interface
connecting to the DMZ and the other connecting to the inside network. In this case, the DMZ-facing
interface sends and receives E-mail to and from the Internet, and the inside interface delivers E-mail to
the internal mail server.
This guide follows the single-interface model as it is the simplest and most commonly deployed.
Figure 6-17 shows both deployment models.
Figure 6-17 IronPort ESA Deployment Models
E-mail Data Flow
Consider a sender somewhere on the Internet sending an E-mail to a user in the enterprise. The sender's
E-mail server resolves the recipient's domain name (its MX record) to the public IP address of the domain
and delivers the E-mail using SMTP to that address. Upon receiving the connection, the enterprise firewall
translates the public IP address of the ESA to its DMZ IP address and forwards the traffic to the ESA. The
ESA then performs a DNS query on the sender domain, compares the IP address of the sender against the
SensorBase reputation database, and determines the reputation score of the sender. It rejects the E-mail if
the score falls within a preconfigured range. A typical data flow for inbound E-mail traffic is shown in
Figure 6-18.
[Figure 6-17 residue: one-interface deployment, with the ESA on the DMZ between the Internet-facing firewall and the inner switches that reach the Exchange server on the inside; two-interface deployment, with one ESA interface on the DMZ and one on the inside network toward the Exchange server.]
Figure 6-18 Typical Data Flow for Inbound E-mail Traffic
Redundancy and Load Balancing of an E-mail Security Appliance
Redundancy is often a requirement, because the failure of a single ESA can cause a mail service outage.
There are multiple ways to configure redundancy; the simplest is to add a second appliance with an
equal-cost secondary MX record, as shown in Figure 6-19. In this method, traffic is shared across two or
more ESAs. A more advanced design would include a load-balancing platform to balance traffic among
multiple appliances.
Figure 6-19 IronPort E-mail Appliance High Availability Environment
[Figure 6-18 residue, the numbered steps of the inbound flow:
1. The sender sends an E-mail to xyz@domain X.
2. The sender's E-mail server asks DNS for the IP address of domain X.
3. DNS answers that domain X resolves to a.b.c.d, the public IP address of the ESA.
4. The E-mail server sends the mail to a.b.c.d using SMTP.
5. The firewall translates the public address of the ESA to the private address of the ESA and forwards the mail to the ESA.
6. The ESA does a DNS query on the sender domain, checks the received IP address in its reputation database, and drops or quarantines the E-mail based on policy.
7. and 8. The ESA sends the mail to the preconfigured mail server.
9. The mail server stores the E-mail for retrieval by the receiver.
10. The receiver retrieves the mail from the server.]
[Figure 6-19 residue: primary ESA and secondary ESA behind the firewall, each reached through its own switch, both delivering to the mail server.]
Best Practices and Configuration Guidelines for ESA Implementation
The first task when implementing an ESA in the enterprise is to define firewall rules. Important
considerations when defining firewall rules are as follows:
• A static address must be defined on the firewall to translate a publicly accessible IP address for the
E-mail server to a private IP address used by the ESA.
• It is recommended that the ESA be configured to use a DNS server on the outside network rather than
the internal DNS. This means that the firewall must allow the ESA to perform DNS queries and receive
DNS replies.
• The ESA downloads the latest SensorBase information, virus updates, and so on through
HTTP/HTTPS connections. Again firewall rules must allow HTTP/HTTPS traffic from the ESA.
• SMTP routes must be set to point to inside E-mail servers.
• Either the same interface or a separate interface can be used for incoming or outgoing mail. If the
same interface is used, you will need to relay mail on the interface.
• Use a separate interface to connect to the management network.
• Use separate subnets for different organizational domains. This simplifies the configuration of
policies in the WSA for different groups of users.
IronPort has a very intuitive and powerful configuration web interface. The network, interface, and
SMTP routing information can be configured using the wizard. Firewall rules and Network Address
Translation (NAT) are configured on the Cisco Adaptive Security Appliances (ASA). IronPort ESA is a
functionally rich appliance. The following guidelines give the implementation framework and the
actions necessary to implement an ESA on the network. A more detailed discussion of the IronPort ESA
can be found at the following URL: http://www.ironport.com/resources/whitepapers.html
Step 1 Determine IP addresses, domain names, and networks with which the ESA will be configured.
Step 2 Obtain a public address for the ESA.
Step 3 Create SMTP routes to the private E-mail servers.
Step 4 Create firewall rules to allow inbound TCP port 25 (SMTP) to the ESA, and UDP and TCP port 53 (DNS) from the ESA.
Step 5 Create firewall rules to allow HTTP/HTTPS so that the ESA can contact SensorBase and get virus
protection updates.
Step 6 Configure the ESA with DNS and the default route.
Step 7 Configure the management interface.
Step 8 Configure incoming and outgoing E-mail policies and content filters to match the requirements of the
enterprise organization.
From a security perspective, you can use the monitoring functionality available in the ESA’s GUI to
manage and react to threats. The screen shots for some of the monitoring tools are presented in
Figure 6-20 and Figure 6-21.
Figure 6-20 ESA Monitoring Screen—Virus Outbreaks
The virus outbreak screen (Figure 6-20) shows the different viruses detected, action taken, and total
number of outbreaks. The message analysis screen (Figure 6-21) categorizes different types of threats
that were blocked and provides statistical analysis of total threats received.
Figure 6-21 ESA Monitoring Screen—Message Analysis
Service Provider Block
The Service Provider (SP) edge block is a critical part of the Internet edge because it provides the
interface to the public Internet infrastructure. The following topics are covered in this section:
• Design Guidelines and Best Practices for the SP Edge Block, page 6-28
• Security Features for BGP, page 6-29
• Infrastructure ACL Implementation, page 6-33
Figure 6-22 illustrates the SP edge block topology.
Figure 6-22 Service Provider Block Topology
[Figure 6-22 residue: Internet via ISP A and ISP B into the service provider edge; distribution layer; corporate access/DMZ with the web security appliance, E-mail security appliance, and web and DNS servers; remote access VPN; core.]
Figure 6-23 illustrates an example of the interface with the SP environment via Border Gateway Protocol
(BGP).
Figure 6-23 BGP Design
Design Guidelines and Best Practices for the SP Edge Block
Figure 6-24 illustrates the topology used to implement a BGP-based, SP-edge block environment. The
configuration examples presented in the subsequent descriptions depict best practices for this scenario
and are taken from this example topology.
Note The 64.104.0.0/16 and 198.133.219.0/24 address blocks used in the examples provided below
are reserved for the exclusive use of Cisco Systems, Inc.
Figure 6-24 BGP Topology Diagram
The following are the design recommendations for the SP edge:
• Use BGP as the routing protocol for all dynamic routing—both between the border routers and
between the border routers and SP.
• Have an independent autonomous system number. This will give the flexibility of advertising the
Internet prefix to different SPs.
[Figure 6-24 residue: border routers BR1 and BR2 in AS 30000 announcing 198.133.219.0/24, iBGP between them, eBGP from each border router to its service provider (SP1 and SP2; AS 30001, AS 30002 and AS 30003 appear on the diagram); point-to-point links drawn from 64.104.10.104/30, 64.104.10.108/30 and 64.104.10.124/30 with host addresses .113/.114 and .125/.126.]
• Use Cisco Performance Routing (PfR) as the path-optimization mechanism. This ensures that the
optimal path is selected between the SPs, thereby increasing application performance.
Harden the SP edge infrastructure by following the best practices described in Chapter 2, “Network
Foundation Protection.”
Security Features for BGP
The BGP support for the TTL security check feature (the Generalized TTL Security Mechanism, GTSM)
introduces a lightweight mechanism to protect eBGP peering sessions from CPU utilization-based attacks.
These types of attacks are typically brute-force DoS attacks that attempt to disable the network by
flooding it with IP packets that contain forged source and destination IP addresses.
TTL security check allows the configuration of a minimum acceptable TTL value for the packets
exchanged between two eBGP peers. When enabled, both peering routers transmit all BGP packets with
a TTL value of 255. A router establishes or maintains the peering session only if the peer's packets
arrive with a TTL equal to or greater than the expected TTL value for the session. The expected TTL
value is calculated by subtracting the hop count configured for the session from 255. All packets
received with TTL values less than the expected value are silently discarded.
Although it is possible to set an arbitrary TTL in a forged IP packet, every router on the path
decrements it, so a packet originating more hops away than the trusted peer can never arrive with a TTL
high enough to be accepted, unless the network to which the trusted peer belongs has been compromised.
For more information, refer to the following URL:
Note The 64.104.0.0/16 and 198.133.219.0/24 address blocks used in the examples provided below are
reserved for the exclusive use of Cisco Systems, Inc.
The following example illustrates the command required to enable TTL security on the enterprise border
router for its SP1 peer:
neighbor 64.104.10.114 ttl-security hops 2
Note This feature must be enabled on both sides of a connection (enterprise border router and the SP router).
The following show command verifies whether the TTL security feature is properly configured on the
router (the relevant lines are "External BGP neighbor may be up to 2 hops away" and "Mininum incoming
TTL 253, Outgoing TTL 255", the minimum being 255 minus the configured 2 hops):
IE-7200-3# show ip bgp neighbors
BGP neighbor is 64.104.10.114, remote AS 30001, external link
BGP version 4, remote router ID 172.26.191.176
BGP state = Established, up for 1w6d
Last read 00:00:53, last write 00:00:42, hold time is 180, keepalive interval is 60
seconds
Neighbor capabilities:
Route refresh: advertised and received(new)
Address family IPv4 Unicast: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 1 1
Keepalives: 19943 20081
Route Refresh: 0 0
Total: 19945 20083
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
BGP table version 37589, neighbor version 37589/0
Output queue size : 0
Index 2, Offset 0, Mask 0x4
2 update-group member
Outbound path policy configured
Route map for outgoing advertisements is my_routes
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 1 1 (Consumes 416 bytes)
Prefixes Total: 1 1
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 8
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
route-map: 18758 0
Total: 18758 0
Number of NLRIs in the update sent: max 1, min 1
Address tracking is enabled, the RIB does have a route to 64.104.10.114
Connections established 1; dropped 0
Last reset never
External BGP neighbor may be up to 2 hops away.
Transport(tcp) path-mtu-discovery is enabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
Local host: 64.104.10.113, Local port: 179
Foreign host: 64.104.10.114, Foreign port: 36929
Connection tableid (VRF): 0
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x47D127AC):
Timer Starts Wakeups Next
Retrans 19946 1 0x0
TimeWait 0 0 0x0
AckHold 20081 19750 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 0 0 0x0
DeadWait 0 0 0x0
Linger 0 0 0x0
ProcessQ 0 0 0x0
iss: 2105715872 snduna: 2106094887 sndnxt: 2106094887 sndwnd: 15700
irs: 2928015827 rcvnxt: 2928397480 rcvwnd: 15947 delrcvwnd: 437
SRTT: 300 ms, RTTO: 303 ms, RTV: 3 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: passive open, gen tcbs
Option Flags: nagle, path mtu capable, md5
IP Precedence value : 6
Datagrams (max data segment is 1440 bytes):
Rcvd: 39763 (out of order: 0), with data: 20084, total data bytes: 381652
Sent: 39962 (retransmit: 1, fastretransmit: 0, partialack: 0, Second Congestion: 0), with
data: 19946, total data bytes: 379033
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
The routes learned from SP 1 should not be leaked to SP 2 and vice versa. To prevent the routes from
leaking, an as-path access list and the route-map command are used. The following commands are
required to implement this filtering:
• as-path filtering command
ip as-path access-list 20 permit ^$
ip as-path access-list 20 deny .*
• route-map command to match the as-path command
route-map my_routes permit 10
match as-path 20
• route-map command applied to the external peers
neighbor 64.104.10.114 route-map my_routes out
The following show command output presents the number of prefixes that are denied; this information
verifies that leakage is not happening between the border routers (the lines of interest are "Local Policy
Denied Prefixes" and the "route-map:" counter beneath it):
IE-7200-3# show ip bgp neighbors 64.104.10.114
BGP neighbor is 64.104.10.114, remote AS 30001, external link
BGP version 4, remote router ID 172.26.191.176
BGP state = Established, up for 1w6d
Last read 00:00:05, last write 00:00:44, hold time is 180, keepalive interval is 60
seconds
Neighbor capabilities:
Route refresh: advertised and received(new)
Address family IPv4 Unicast: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 1 1
Keepalives: 19968 20107
Route Refresh: 0 0
Total: 19970 20109
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
BGP table version 37623, neighbor version 37623/0
Output queue size : 0
Index 2, Offset 0, Mask 0x4
2 update-group member
Outbound path policy configured
Route map for outgoing advertisements is my_routes
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 1 1 (Consumes 312 bytes)
Prefixes Total: 1 1
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 6
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
route-map: 18773 0
Total: 18773 0
Number of NLRIs in the update sent: max 1, min 1
Address tracking is enabled, the RIB does have a route to 64.104.10.114
Connections established 1; dropped 0
Last reset never
External BGP neighbor may be up to 2 hops away.
Transport(tcp) path-mtu-discovery is enabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
Local host: 64.104.10.113, Local port: 179
Foreign host: 64.104.10.114, Foreign port: 36929
Connection tableid (VRF): 0
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x47E81AEC):
Timer Starts Wakeups Next
Retrans 19971 1 0x0
TimeWait 0 0 0x0
AckHold 20106 19775 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 0 0 0x0
DeadWait 0 0 0x0
Linger 0 0 0x0
ProcessQ 0 0 0x0
iss: 2105715872 snduna: 2106095362 sndnxt: 2106095362 sndwnd: 15225
irs: 2928015827 rcvnxt: 2928397955 rcvwnd: 15472 delrcvwnd: 912
SRTT: 300 ms, RTTO: 303 ms, RTV: 3 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: passive open, gen tcbs
Option Flags: nagle, path mtu capable, md5
IP Precedence value : 6
Datagrams (max data segment is 1440 bytes):
Rcvd: 39812 (out of order: 0), with data: 20109, total data bytes: 382127
Sent: 40011 (retransmit: 1, fastretransmit: 0, partialack: 0, Second Congestion: 0), with
data: 19970, total data bytes: 379489
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
IE-7200-3#
IE-7200-3# show ip as-path-access-list
AS path access list 20
permit ^$
deny .*
IE-7200-3# show route-map my_routes
route-map my_routes, permit, sequence 10
Match clauses:
as-path (as-path filter): 20
Set clauses:
Policy routing matches: 0 packets, 0 bytes
IE-7200-3#
IE-7200-3# show ip bgp route-map my_routes
BGP table version is 37619, local router ID is 198.133.219.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i198.133.219.0 64.104.20.4 0 100 0 i
*> 0.0.0.0 0 32768 i
IE-7200-3#
The BGP sessions between the SPs and the border routers should be authenticated using the TCP MD5
signature option, which the neighbor password command enables (the "md5" entry under "Option Flags" in
the show ip bgp neighbors output above confirms it is active). The following is an example of the
required command:
neighbor 64.104.10.114 password 7 045802150C2E
Note The 7 means the key is stored in IOS type 7 encoding, which is a reversible obfuscation rather than
encryption; the configuration file must be protected accordingly.
The following is the BGP configuration for the border router.
router bgp 30000
bgp log-neighbor-changes
neighbor 64.104.10.114 remote-as 30001 ! <----- This is the connection to SP1
neighbor 64.104.10.114 ttl-security hops 2 ! <---- TTL-security feature
neighbor 64.104.10.114 password 7 045802150C2E ! <---- TCP MD5 session password
neighbor 64.104.20.4 remote-as 30000 ! <---- iBGP connection to the other border router
maximum-paths ibgp 3 ! <--- Maximum number of iBGP paths to be allowed
!
address-family ipv4
neighbor 64.104.10.114 activate
neighbor 64.104.10.114 route-map my_routes out
neighbor 64.104.20.4 activate
neighbor 64.104.20.4 next-hop-self
maximum-paths ibgp 3
no auto-summary
no synchronization
network 198.133.219.0
route-map my_routes permit 10
match as-path 20
!
ip as-path access-list 20 permit ^$ ! <-- Permit only prefixes with an empty AS path, that is, locally originated ones
ip as-path access-list 20 deny .* ! <-- Deny everything else, so prefixes learned from one SP are never advertised to the other
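The three controls in this configuration (TTL security, the MD5 session password and the outbound as-path filter) can be checked mechanically. The following Python script is an added example, not part of the Cisco SAFE guide or of IOS: it models the IOS TTL-security acceptance rule (255 minus the configured hops, so hops 2 gives the "Mininum incoming TTL 253" seen in the show output above), evaluates as-path access-list 20 against sample AS paths using Python regular expressions in place of the IOS matcher, and audits a router bgp block for eBGP neighbors missing any of the three controls. SAMPLE_CONFIG is constructed from the configuration above with the password line removed so that the audit has something to report.

```python
"""Checks for the SP-edge BGP hardening described above. Added example, not
Cisco code. Assumptions: IOS-style 'router bgp' text (lines may carry '!'
comments); the IOS TTL-security rule 'accept only if TTL >= 255 - hops';
AS paths written as IOS prints them, space-separated and empty for locally
originated prefixes. The configuration sample is constructed."""
import re
from collections import defaultdict


def expected_min_ttl(hops):
    """IOS derives the minimum acceptable TTL as 255 minus the configured hop count."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return 255 - hops


def gtsm_accepts(packet_ttl, hops):
    """A packet is accepted only if it arrives with TTL >= the expected minimum.
    A peer sending with TTL 255 from 'hops' routers away arrives at 255 - hops;
    a sender further away is decremented below that and silently discarded."""
    return packet_ttl >= expected_min_ttl(hops)


def as_path_permitted(as_path, rules):
    """Evaluate an 'ip as-path access-list': the first matching regex wins and
    an unmatched path is denied. rules = [("permit", r"^$"), ("deny", r".*")]."""
    for action, pattern in rules:
        if re.search(pattern, as_path):
            return action == "permit"
    return False


def audit_bgp(config):
    """Return {neighbor: [missing controls]} for each eBGP neighbor in the
    'router bgp' block. Controls: ttl-security, password, outbound route-map."""
    local_as, remote_as, seen = None, {}, defaultdict(set)
    for raw in config.splitlines():
        line = raw.split("!")[0].strip()        # drop IOS comments
        m = re.match(r"router bgp (\d+)$", line)
        if m:
            local_as = int(m.group(1))
            continue
        m = re.match(r"neighbor (\S+) (.+)", line)
        if not m:
            continue
        nbr, rest = m.groups()
        if rest.startswith("remote-as "):
            remote_as[nbr] = int(rest.split()[1])
        elif rest.startswith("ttl-security "):
            seen[nbr].add("ttl-security")
        elif rest.startswith("password "):
            seen[nbr].add("password")
        elif re.match(r"route-map \S+ out$", rest):
            seen[nbr].add("route-map out")
    if local_as is None:
        raise ValueError("no 'router bgp' block found")
    required = {"ttl-security", "password", "route-map out"}
    return {nbr: sorted(required - seen[nbr])
            for nbr, asn in remote_as.items() if asn != local_as}   # eBGP only


# as-path access-list 20 from this section: permit only an empty AS path
AS_PATH_LIST_20 = [("permit", r"^$"), ("deny", r".*")]

# Constructed sample: the border-router configuration above, with the SP1
# neighbor's password line deliberately left out so the audit has a finding.
SAMPLE_CONFIG = """
router bgp 30000
 bgp log-neighbor-changes
 neighbor 64.104.10.114 remote-as 30001    ! connection to SP1
 neighbor 64.104.10.114 ttl-security hops 2
 neighbor 64.104.20.4 remote-as 30000      ! iBGP to the other border router
 !
 address-family ipv4
  neighbor 64.104.10.114 activate
  neighbor 64.104.10.114 route-map my_routes out
  neighbor 64.104.20.4 activate
  neighbor 64.104.20.4 next-hop-self
"""

if __name__ == "__main__":
    print(audit_bgp(SAMPLE_CONFIG))                          # {'64.104.10.114': ['password']}
    print(as_path_permitted("", AS_PATH_LIST_20))            # True: locally originated
    print(as_path_permitted("30002 30003", AS_PATH_LIST_20)) # False: learned from another SP
    print(expected_min_ttl(2), gtsm_accepts(253, 2), gtsm_accepts(252, 2))  # 253 True False
```

The iBGP neighbor 64.104.20.4 is skipped on purpose: TTL security is an eBGP feature, and the audit models the controls this section applies to SP-facing sessions only. Extending the password check to iBGP sessions is a reasonable local addition.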
Infrastructure ACL Implementation
The Infrastructure ACL (iACL) forms the first layer of defense for the Internet edge module. The iACL
should be constructed following the best practices outlined in the Network Security Baseline document
(see Appendix A, “Reference Documents”). The ACL example that follows protects the place in the network
(PIN) from several unwanted sources and illustrates how an iACL protects the border routers.
Note The 64.104.0.0/16 and 198.133.219.0/24 address blocks used in the examples provided below are
reserved for the exclusive use of Cisco Systems, Inc.
! The global address for IE pin is 198.133.219.0. The first three lines prevent fragments
! from any source to this address space.
access-list 110 deny tcp any 198.133.219.0 0.0.0.255 fragments
access-list 110 deny udp any 198.133.219.0 0.0.0.255 fragments
access-list 110 deny icmp any 198.133.219.0 0.0.0.255 fragments
access-list 110 deny ip host 0.0.0.0 any ! prevent traffic sourced from 0.0.0.0 (default route)
access-list 110 deny ip 127.0.0.0 0.255.255.255 any ! prevent traffic sourced from the loopback address space
Cisco SAFE Reference Guide
OL-19523-01
Chapter 6 Enterprise Internet Edge
Remote Access Block
access-list 110 deny ip 192.0.2.0 0.0.0.255 any ! prevent traffic sourced from the TEST-NET documentation address space
access-list 110 deny ip 224.0.0.0 31.255.255.255 any ! prevent traffic sourced from the multicast and reserved (224.0.0.0/3) address space
access-list 110 deny ip 10.0.0.0 0.255.255.255 any ! prevent spoofed traffic from the 10.x.x.x address space
access-list 110 deny ip 192.168.0.0 0.0.255.255 any ! prevent spoofed traffic from the 192.168.x.x address space
access-list 110 permit tcp host 64.104.10.114 host 64.104.10.113 eq bgp ! permit BGP traffic only with the known service provider
access-list 110 permit tcp host 64.104.10.114 eq bgp host 64.104.10.113 ! same as above, for the reverse port direction
access-list 110 deny ip 198.133.219.0 0.0.0.255 any ! prevent spoofed traffic, that is, traffic originating from outside using the IE address space
access-list 110 deny ip 10.240.0.0 0.15.255.255 any ! deny spoofed management traffic; 10.240.0.0 is the internal management address space
access-list 110 permit ip any any
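The order of the entries matters, and so does the way IOS treats non-initial fragments, which is why the three deny ... fragments lines sit at the top. The following added Python evaluator (not code from the Cisco guide) applies access-list 110 above to constructed sample packets with IOS semantics and also flags entries that an earlier entry already covers:

```python
"""Added example, not from the Cisco SAFE guide: an evaluator for the iACL
(access-list 110) above with IOS semantics: top-down first match, implicit
deny, wildcard masks (a 1 bit means "ignore this bit") and the 'fragments'
rules. The packets it is run against are constructed samples."""
import ipaddress
from dataclasses import dataclass

ACL_110 = """
access-list 110 deny tcp any 198.133.219.0 0.0.0.255 fragments
access-list 110 deny udp any 198.133.219.0 0.0.0.255 fragments
access-list 110 deny icmp any 198.133.219.0 0.0.0.255 fragments
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit tcp host 64.104.10.114 host 64.104.10.113 eq bgp
access-list 110 permit tcp host 64.104.10.114 eq bgp host 64.104.10.113
access-list 110 deny ip 198.133.219.0 0.0.0.255 any
access-list 110 deny ip 10.240.0.0 0.15.255.255 any
access-list 110 permit ip any any
"""
PORT_NAMES = {"bgp": 179}

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    fragment: bool = False  # non-initial fragment: no L4 header to inspect

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(t), _ip(tokens.pop(0)))

def _take_port(tokens):
    """Consume an optional 'eq PORT'; return the port number or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None

def parse_acl(text):
    """ACE lines -> (action, proto, src, sport, dst, dport, fragments_only)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split("!")[0].split()[2:]   # drop "access-list 110"
        action, proto = tokens.pop(0), tokens.pop(0)
        src, sport = _take_addr(tokens), _take_port(tokens)
        dst, dport = _take_addr(tokens), _take_port(tokens)
        entries.append((action, proto, src, sport, dst, dport, "fragments" in tokens))
    return entries

def _addr_match(spec, addr):
    base, wildcard = spec
    return (_ip(addr) | wildcard) == (base | wildcard)

def _entry_matches(entry, pkt):
    action, proto, src, sport, dst, dport, frag_only = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
        return False
    if frag_only:                 # 'fragments' matches non-initial fragments only
        return pkt.fragment
    has_l4 = sport is not None or dport is not None
    if pkt.fragment:
        # IOS: a permit ACE matches a non-initial fragment on L3 alone; a deny
        # ACE that names ports is skipped for it (hence the explicit denies above).
        return action == "permit" or not has_l4
    return (sport is None or sport == pkt.sport) and (dport is None or dport == pkt.dport)

def evaluate(entries, pkt):
    """'permit' or 'deny' for one packet; unmatched packets hit the implicit deny."""
    for entry in entries:
        if _entry_matches(entry, pkt):
            return entry[0]
    return "deny"

def _covers(outer, inner):
    """True if every address matched by spec inner is also matched by outer."""
    (obase, owc), (ibase, iwc) = outer, inner
    return (iwc & ~owc) == 0 and (ibase | owc) == (obase | owc)

def shadowed_entries(entries):
    """0-based indices of ACEs that can never match because an earlier
    L3-only ACE already catches every packet they describe."""
    hits = []
    for j, (_, pj, sj, _, dj, _, _) in enumerate(entries):
        for _, pi, si, spi, di, dpi, fi in entries[:j]:
            l3_only = spi is None and dpi is None and not fi
            if pi in ("ip", pj) and l3_only and _covers(si, sj) and _covers(di, dj):
                hits.append(j)
                break
    return hits

ENTRIES = parse_acl(ACL_110)
```

Run against constructed packets, a TCP fragment addressed to the IE block is denied by the first entry, a packet sourced from 10.1.2.3 is denied as spoofed, the BGP session from 64.104.10.114 is permitted in both port directions, and ordinary Internet traffic to the IE block falls through to permit ip any any. The shadow check reports index 12: the 10.240.0.0/12 management entry is already covered by the 10.0.0.0/8 deny above it, so it adds documentation value but no filtering.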
Remote Access Block
The position of the remote-access network infrastructure within the Internet edge network is shown in
Figure 6-25.
Figure 6-25 Remote Access Block in Internet Edge Network
[Figure 6-25 diagram: Internet, ISP A, ISP B, service provider edge, distribution, Web Security Appliance, Email Security Appliance, Web and DNS servers in the corporate access/DMZ, core, and the remote access VPN]
In the Internet edge module, remote access provides access primarily to users connecting to network
resources from external locations, such as Internet hot spots, public access, and so on. Remote access
does not refer to access from remote offices or teleworkers. To provide access for remote users, there are
several technologies available, including Easy VPN, SSL VPN, and Virtual Tunnel Interfaces (VTI). The
principal function of remote access is to provide access to internal resources and applications. Common
examples are product information pages, blogs, FTP sites, and so on. Remote access functionality is
provided by using a separate pair of Cisco ASAs. Figure 6-26 shows the placement of the remote-access
firewalls in the context of Internet edge.
Figure 6-26 Placement of Remote Access Firewall
Design Guidelines for the Remote Access Block
This description focuses on an SSL VPN-based implementation. To implement SSL VPN, there are
several factors and best practices that are recommended. These can be summarized as follows:
• In simple deployments, the Cisco ASA can issue its own certificate. In a more complex enterprise
system, you can use a certificate issued and verified by a third-party vendor.
• Use redundant Cisco ASAs for reliability. In this design, an active/standby scenario is featured.
• It is recommended that the Cisco IPS be used to inspect traffic to or from remote users. Cisco IPS
sensors are placed at the distribution block, allowing the inspection of traffic after it is decrypted.
• Use Authentication, Authorization, and Accounting (AAA) for authentication of remote users.
The following configuration steps illustrate some of the practices to implement remote access using SSL
VPN.
[Figure 6-26 diagram: Service Provider 1 and Service Provider 2, core, corpnet ASAs, network applications, DMZ, WAN edge, data center, campus, and the remote access ASAs]
Note The 64.104.0.0/16 and 198.133.219.0/24 address blocks used in the examples provided below are
reserved for the exclusive use of Cisco Systems, Inc.
Step 1 Enable the HTTP server on the Cisco ASA.
http server enable
Step 2 Configure a different port for management purposes. This is required because WebVPN listens by
default on 443. As a result, a separate port is required for management.
http redirect management 445
Step 3 Enable WebVPN on outside interface.
webvpn
enable VPN-termination
Step 4 (Optional) Configure DNS.
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.244.30.10
domain-name cisco.com
Step 5 Define a group policy. The following example illustrates creating a group policy named executive.
group-policy executive internal
group-policy executive attributes
vpn-simultaneous-logins 25
vpn-tunnel-protocol webvpn
default-domain value cisco.com
Step 6 Define a tunnel policy. The following configuration illustrates creating a tunnel-policy named
executive-tunnel.
tunnel-group executive-tunnel type remote-access
tunnel-group executive-tunnel general-attributes
default-group-policy executive
tunnel-group executive-tunnel webvpn-attributes
group-alias executive enable
Step 7 Configure certificates. The SSL gateway uses a certificate as its identity for remote users. The gateway
can issue its own certificate and use it as its identity or use a certificate issued by a third-party vendor.
For a simple deployment, the gateway can use its own certificate. The following configuration example
illustrates configuration of a locally signed certificate:
crypto ca trustpoint LOCAL-TP
revocation-check crl none
enrollment self
fqdn IE-SSL-1.cisco.com
subject-name CN=198.133.219.40
serial-number
ip-address 198.133.219.40
crl configure
You can use the Cisco Adaptive Security Device Manager (ASDM) tool to configure and monitor the
remote-access Cisco ASAs. With Cisco ASDM, you can monitor traffic statistics, look at interface status,
and monitor events. An example of the Cisco ASDM monitoring capabilities is given in Figure 6-27.
Figure 6-27 ASDM Example Management and Monitoring Screen
Threats Mitigated in the Internet Edge
The threats mitigated using the various platforms and features described in this chapter are summarized
in Table 6-1.
Table 6-1 Internet Edge Threat Mitigation Features
Threat columns: DDoS/DoS/Worms | Unauthorized Access | Spyware/Malware/Phishing/Spam | Network Abuse/Intrusion | Application Layer Attack | Visibility | Control
Cisco IPS: Yes Yes Yes Yes Yes Yes
Firewall: Yes Yes Yes Yes Yes
IronPort C-Series (ESA): Yes Yes Yes
IronPort S-Series (WSA): Yes Yes Yes Yes Yes
Cisco Application Control Engine (ACE) Web Application Firewall: Yes Yes Yes
Secure Routing: Yes Yes Yes Yes Yes
Secure Switching: Yes Yes Yes Yes Yes
Chapter 7
Enterprise WAN Edge
The enterprise WAN edge, along with the enterprise branch, provides users at geographically dispersed
remote sites with access to the same rich network services as users at the main site. The availability and
overall security of the WAN edge, and of WAN transit, are thus critical to global business operations.
The challenge, from a security perspective, is enabling the enterprise to confidently embrace and extend
these rich global services and remote collaboration capabilities to all locations. This is achieved through
a defense-in-depth approach to security that extends and integrates consistent end-to-end security policy
enforcement and system-wide intelligence and collaboration across the entire enterprise network.
The aim of this chapter is to illustrate the role of the enterprise WAN edge in this end-to-end security
policy enforcement, including how to apply, integrate, and implement the SAFE guidelines to the WAN
edge. See Figure 7-1.
Figure 7-1 Enterprise WAN Edge
[Figure 7-1 diagram: business applications and collaboration applications at the main enterprise site, the enterprise WAN edge, private WAN and Internet (IP) links, and the empowered branches]
The focus of the enterprise WAN edge is to provide VPN access for remote sites. From a functional
perspective, the enterprise WAN edge can be presented as two key areas:
• WAN edge aggregation
Performs WAN aggregation, site-to-site VPN termination, edge protection.
• WAN edge distribution
Provides connectivity to the core network, as well as the integration point for WAN edge services,
such as application optimization and IPS.
Remote access, teleworker, partner, customer, and Internet access are addressed in Chapter 6,
“Enterprise Internet Edge,” along with their related security guidelines.
A typical enterprise WAN edge architecture is illustrated in Figure 7-2.
Figure 7-2 Enterprise WAN Edge Functional Architecture
For more information on SAFE for the enterprise branch, see Chapter 8, “Enterprise Branch.”
[Figure 7-2 diagram: the enterprise WAN edge with WAN edge aggregation, WAN edge distribution, management, the core, the Internet WAN, and private WAN links from SP 1 and SP 2]
Key Threats in the Enterprise WAN Edge
The threats addressed in the WAN edge of an end-to-end enterprise architecture are focused on three key
areas:
• Malicious activity initiated by branch clients, including malware proliferation, botnet detection,
network and application abuse, and other malicious or non-compliant activity.
• WAN transit vulnerabilities, such as sniffing and man-in-the-middle (MITM) attacks.
• Attacks against the infrastructure itself, such as unauthorized access, privilege escalation, and
denial-of-service (DoS) attacks.
Web and E-mail threats posed to branch clients, such as malicious web sites, compromised legitimate
web sites, spam and phishing, are addressed in this guide by centralized web and E-mail security in the
Internet edge. For more information on this area, see Chapter 6, “Enterprise Internet Edge.”
The particular threat focus of an enterprise WAN edge, and the specific security objectives and
integration elements to mitigate these threats, are presented in Table 7-1.
The design and integration of each of these security elements into the WAN edge is addressed in the
following sections.
Table 7-1 Key Threats in the Enterprise WAN Edge
Threat focus: Malicious branch client activity
  Threats mitigated: Malware proliferation, botnets, worms, viruses, Trojans; application and network abuse
  Security objectives: Detect and mitigate threats
  Security integration: IPS Integration; Telemetry
Threat focus: WAN transit threats
  Threats mitigated: Unauthorized access to network and data, such as through sniffing and man-in-the-middle (MITM) attacks
  Security objectives: Isolate and secure WAN data and access
  Security integration: Secure WAN Connectivity
Threat focus: Attacks against the infrastructure
  Threats mitigated: Unauthorized access to devices, network, and data; reconnaissance; DoS
  Security objectives: Deliver resilient and highly available services
  Security integration: Routing Security; Service Resiliency; Network Policy Enforcement; Switching Security; Secure Device Access; Telemetry
WAN Edge Aggregation
The WAN edge aggregation block serves as the hub for remote sites and performs three key roles:
• WAN aggregation
May be implemented as a private and/or an Internet WAN edge aggregation, depending on the WAN
connectivity
• VPN termination
May include encryption, depending on the WAN connectivity, compliance, and customer
requirements
• Edge protection
Security policy enforcement on the network border
These roles may be consolidated in a single, unified WAN services platform such as the Cisco ASR 1000
Series, or implemented on dedicated devices, as illustrated in Figure 7-3.
Figure 7-3 Enterprise WAN Edge Aggregation
[Figure 7-3 diagram: the WAN edge aggregation block between the WAN edge distribution and the private WAN (SP 1 and SP 2) and Internet WAN, showing the VPN termination, WAN aggregation and security roles either combined on one QFP-based platform or on separate devices, with management attached]
Design Guidelines for the WAN Edge Aggregation
Security integration in the WAN edge aggregation block includes the following elements:
• Secure WAN Connectivity in the WAN Edge, page 7-5
• Routing Security in the WAN Edge Aggregation, page 7-7
• Service Resiliency in the WAN Edge Aggregation, page 7-10
• Network Policy Enforcement in the WAN Edge Aggregation, page 7-13
• Secure Device Access in the WAN Edge Aggregation, page 7-15
• Telemetry in the WAN Edge Aggregation, page 7-16
Secure WAN Connectivity in the WAN Edge
The WAN provides remote sites with access to centralized corporate services and business applications,
as well as, in many cases, Internet services. As such, it is critical to service availability and business
operations. Consequently, the WAN must be properly secured to protect it against compromise,
including unauthorized access, and data loss and manipulation from sniffing or MITM attacks.
The security objective is to provide confidentiality, integrity, and availability of data as it transits the
WAN. The design and implementation of secure WAN connectivity is addressed as an end-to-end
system, incorporating both the WAN edge and the branch. The key design recommendations and
considerations presented below must be developed in conjunction with the branch WAN design and tie
together to provide an end-to-end, secure WAN.
There are three key elements to consider for secure WAN connectivity:
• Isolate WAN traffic
Segment corporate WAN traffic from other traffic on the WAN to enable the confidentiality and
integrity of data. This may be achieved, for example, through a dedicated point-to-point link, a
corporate managed VPN, a client-originated VPN or a service provider-managed MPLS service.
• Authenticate WAN access
Access to the corporate WAN must feature a strong authentication mechanism to prevent
unauthorized access to the network and data, such as a Public Key Infrastructure (PKI).
• Encrypt WAN traffic
If the WAN link is vulnerable to data loss and manipulation, or perhaps for compliance reasons, data
in-transit over the WAN may need to be encrypted.
The actual adoption and implementation of each of these elements will vary depending on a number of
aspects, including the WAN technology in use, customer vulnerability and risk assessment, and any
particular compliance requirements. For example, if the customer is a retail store passing credit card
information over the WAN, then the WAN should be highly secure and must be PCI-compliant.
In addition, service availability is a key aspect. This is addressed through service resiliency, including
device hardening and redundancy. For more information on this area of security, refer to the “Service
Resiliency in the WAN Edge Aggregation” section on page 7-10.
The recommendation for secure WAN connectivity in the WAN edge includes the following:
• VPN for traffic isolation over the WAN
There are a number of VPN options and the choice will vary based on specific customer
requirements. DMVPN, for instance, offers support for VPN over both a private WAN and the
Internet, as well as multicast and dynamic routing. Consequently, DMVPN can be integrated to
enable a common VPN implementation if both these WAN types are deployed at remote sites.
• Public Key Infrastructure (PKI) for strong tunnel authentication
PKI provides secure, scalable, and manageable authentication that is critical to large-scale VPN
deployments. PKI also features the dynamic renewal and revocation of certificates that enables the
dynamic commissioning and decommissioning of branches with ease.
• Advanced Encryption Standard (AES) for strong encryption
Data over the Internet is vulnerable to sniffing; therefore, encryption is critical to data confidentiality
and integrity. Data over a private WAN can also be encrypted for maximum security or for
compliance reasons.
For more information on VPN implementation and design, refer to the WAN Design section of
Appendix A, “Reference Documents.”
Note that the PKI itself must be properly secured by applying the SAFE principles to this infrastructure
and its services, including hardening the devices, securing access, and minimizing its exposure to risk. For
more information on PKI implementation and design, refer to the WAN Design section of Appendix A,
“Reference Documents.”
Technology Options
• The WAN may be delivered using a range of different technologies, depending on the customer
requirements and the local service options. For more information on WAN technology options, refer
to the WAN Design section of Appendix A, “Reference Documents.”
• There are a range of VPN technology options available, including DMVPN, Easy VPN, IPsec and
GETVPN. For more information on VPN options, refer to the WAN Design section of Appendix A,
“Reference Documents.”
• Pre-shared keys (PSK) may be used as an alternative tunnel authentication mechanism for smaller
scale VPN deployments. PSK is simple to deploy but presents manageability challenges and its
security is dependent on the strength of the defined keys. Consequently, a strong password policy
must be enforced, including periodic updates. In addition, since a PSK is tied to a unique IP address,
sites with a dynamically assigned IP address require the use of wild card pre-shared keys. This
presents a security and operational challenge since, if the key is compromised, all spokes must be
provisioned with a new key.
• Some cryptographic features are subject to additional export and contract restrictions. For more
information, see the Export Restrictions section of Appendix A, “Reference Documents.”
• DES and 3DES are alternative encryption algorithms but are vulnerable to attack.
Routing Security in the WAN Edge Aggregation
Routing in the WAN edge aggregation block is critical to service availability, and as such, it must be
properly secured to protect it against compromise, including unauthorized peering sessions and DoS
attacks that may attempt to inject false routes, and remove or modify routes.
The security of the routing is particularly important in the WAN edge, as it features a key network border,
supporting both an external and an internal routing domain. Consequently, it is critical, not only that the
external peering interface is properly secured, but that the routing information is properly filtered to
ensure that only necessary routes are advertised out and that only valid routes are propagated into the
internal routing table.
There are two routing domains to consider:
• External routing domain
Maximum routing security, including strict routing protocol membership and route redistribution
filtering to ensure only the VPN hub IP address is advertised.
• Internal routing domain
Routing security for internal interfaces is typically less stringent though should, at a minimum,
include neighbor authentication. In addition, route updates from the branches should be filtered to
ensure only valid prefixes are distributed.
The areas of focus, objectives and implementation options for routing security in the WAN edge
aggregation block are outlined in Table 7-2.
Table 7-2 Routing Security in the WAN Edge Aggregation
Routing security focus: Restrict Routing Protocol Membership
  Objectives: Restrict routing sessions to trusted peers and validate the origin and integrity of routing updates
  Implementation: Routing peer definition; Neighbor authentication; BGP TTL Security Hack (BTSH); Default passive interface
Routing security focus: Control Route Propagations
  Objectives: Ensure only legitimate networks are advertised and propagated
  Implementation: Route redistribution filtering to only advertise the VPN hub IP address to the external routing domain; Peer prefix filtering to only accept routes into the internal routing domain for branch subnets received over the VPN tunnel; Maximum prefix filtering to restrict excessive route prefixes
Routing security focus: Log Neighbor Changes
  Objectives: Detect neighbor status changes that may indicate network connectivity and stability issues, due to an attack or general operations problems
  Implementation: Neighbor logging on all routing domains
A sample implementation of secure routing in the Internet WAN edge module is shown below and it
integrates the SAFE guidelines to:
• Authenticate all routing peers.
• Only distribute the hub IP address out of the external routing domain. This is a loopback interface
that is common across the hub devices.
• Disable routing on all interfaces by default.
• Explicitly enable the internal routing domain on interfaces to the WAN edge distribution switches
and the VPN tunnels.
• Explicitly enable the external routing domain on interfaces to the private WAN.
• Only permit distribution into the internal routing domain of the branch subnets advertised from the
tunnel interfaces.
• Enable neighbor logging on all routing domains.
! Internal Routing Domain
router eigrp 1
network 10.56.0.0 0.0.255.255
network 10.0.0.0
no auto-summary
! Only accept route updates for the branch subnets over the VPN tunnel interfaces
distribute-list 30 in Tunnel0
! Disable routing on all interfaces by default
passive-interface default
! Internal routing is permitted on interfaces to the WAN edge distribution switches and
! the VPN tunnels
no passive-interface GigabitEthernet0/0/0
no passive-interface GigabitEthernet0/0/2
no passive-interface Tunnel0
! Enable neighbor logging
eigrp log-neighbor-changes
!
! External Routing Domain
router eigrp 100
network 192.168.0.0 0.0.255.255
no auto-summary
! Only distribute the hub IP address out
distribute-list DMVPNHUB out
! Disable routing on all interfaces by default
passive-interface default
! External routing is permitted on interfaces to the Private WAN
no passive-interface GigabitEthernet0/0/3
no passive-interface GigabitEthernet0/0/4
! Enable neighbor logging
eigrp log-neighbor-changes
!
ip access-list standard DMVPNHUB
permit 192.168.34.1
!
! Branch Subnets permitted into the internal routing domain from the VPN tunnels
access-list 30 remark Branch EIGRP Routes
access-list 30 permit 10.200.0.0 0.0.255.255
access-list 30 permit 10.201.0.0 0.0.255.255
!
! Authenticate internal routing peers
key chain eigrp-auth
key 10
key-string
!
! Authenticate external routing peers
key chain eigrp-auth-egp
key 11
key-string
!
interface Tunnel0
description Tunnel0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 eigrp-auth
!
interface Loopback0
ip address 192.168.34.1 255.255.255.255
!
interface GigabitEthernet0/0/0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 eigrp-auth
!
interface GigabitEthernet0/0/2
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 eigrp-auth
!
interface GigabitEthernet0/0/3
description WAN: MPLS
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 eigrp-auth-egp
!
interface GigabitEthernet0/0/4
description WAN: MPLS
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 eigrp-auth-egp
Note that neighbor logging is enabled by default in EIGRP; therefore, the eigrp log-neighbor-changes
command does not appear explicitly in the configuration.
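The bullet list above reads as a checklist, and it can be run as one. The following added Python script (not part of the Cisco guide) audits an EIGRP configuration against those guidelines. SAMPLE_CONFIG is a constructed, abridged copy of the configuration above with placeholder key strings, and the internal and external autonomous-system numbers are passed explicitly because nothing in the configuration itself marks which process faces the WAN:

```python
"""Added example, not from the Cisco SAFE guide: audits an IOS EIGRP
configuration against the guidelines above (routing off by default,
authenticated peers on every active interface, inbound filtering on the
tunnels, only the hub address advertised to the external domain).
SAMPLE_CONFIG is a constructed, abridged copy with placeholder key strings."""
import re

SAMPLE_CONFIG = """
router eigrp 1
 distribute-list 30 in Tunnel0
 passive-interface default
 no passive-interface Tunnel0
!
router eigrp 100
 distribute-list DMVPNHUB out
 passive-interface default
 no passive-interface GigabitEthernet0/0/3
!
ip access-list standard DMVPNHUB
 permit 192.168.34.1
!
access-list 30 permit 10.200.0.0 0.0.255.255
access-list 30 permit 10.201.0.0 0.0.255.255
!
key chain eigrp-auth
 key 10
  key-string PLACEHOLDER-KEY-1
!
key chain eigrp-auth-egp
 key 11
  key-string PLACEHOLDER-KEY-2
!
interface Tunnel0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-auth
!
interface GigabitEthernet0/0/3
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 eigrp-auth-egp
"""

def parse_sections(text):
    """Group an IOS config into {top-level line: [indented subcommands]}."""
    sections, current = {}, None
    for raw in text.strip().splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            sections[current].append(raw.strip())
    return sections

def _acl_lines(cfg, name):
    """Entries of a named or numbered standard ACL, without the prefix."""
    lines = list(cfg.get(f"ip access-list standard {name}", []))
    prefix = f"access-list {name} "
    return lines + [h[len(prefix):] for h in cfg if h.startswith(prefix)]

def _permits_only_hosts(acl_lines):
    """True if every permit in a standard ACL names a single host."""
    permits = [l.split()[1:] for l in acl_lines if l.startswith("permit ")]
    return bool(permits) and all(len(p) == 1 or p[0] == "host" or p[-1] == "0.0.0.0" for p in permits)

def audit_eigrp(text, internal_as, external_as):
    """Findings against the guidelines; an empty list means every check passed."""
    cfg = parse_sections(text)
    findings = []
    interfaces = {h.split()[1]: b for h, b in cfg.items() if h.startswith("interface ")}
    keychains = {h.split()[2] for h in cfg if h.startswith("key chain ")}
    for asn in (internal_as, external_as):
        body = cfg.get(f"router eigrp {asn}")
        if body is None:
            findings.append(f"eigrp {asn}: process not configured")
            continue
        if "passive-interface default" not in body:
            findings.append(f"eigrp {asn}: routing is not disabled by default on all interfaces")
        if "no eigrp log-neighbor-changes" in body:
            findings.append(f"eigrp {asn}: neighbor logging has been turned off")
        for ifname in (l.split()[-1] for l in body if l.startswith("no passive-interface ")):
            ifbody = interfaces.get(ifname, [])
            if f"ip authentication mode eigrp {asn} md5" not in ifbody:
                findings.append(f"{ifname}: eigrp {asn} peers are not authenticated")
            chain = next((l.split()[-1] for l in ifbody
                          if l.startswith(f"ip authentication key-chain eigrp {asn} ")), None)
            if chain is None:
                findings.append(f"{ifname}: no key chain bound for eigrp {asn}")
            elif chain not in keychains:
                findings.append(f"{ifname}: key chain {chain} is not defined")
            if asn == internal_as and ifname.startswith("Tunnel"):
                inbound = [l for l in body if re.fullmatch(rf"distribute-list \S+ in {re.escape(ifname)}", l)]
                if not inbound:
                    findings.append(f"{ifname}: no inbound filter for branch prefixes")
                elif not _acl_lines(cfg, inbound[0].split()[1]):
                    findings.append(f"{ifname}: inbound filter references an undefined ACL")
        if asn == external_as:
            outbound = [l for l in body if re.fullmatch(r"distribute-list \S+ out", l)]
            if not outbound:
                findings.append(f"eigrp {asn}: no outbound filter; internal prefixes can leak to the WAN")
            elif not _permits_only_hosts(_acl_lines(cfg, outbound[0].split()[1])):
                findings.append(f"eigrp {asn}: outbound filter permits more than the hub host address")
    return findings
```

On the sample configuration the audit returns no findings. Removing the authentication mode from GigabitEthernet0/0/3 and the outbound distribute-list from process 100 yields two findings, which is the kind of drift a scheduled run against the running configuration should catch. The neighbor-logging check only fires when logging has been explicitly disabled, since EIGRP enables it by default and the command may not appear in the configuration.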
For more information on routing security, including design and configuration guidelines for the areas
highlighted in Table 7-2, see Chapter 2, “Network Foundation Protection.”
Design Considerations
• Neighbor authentication and BTSH require identical configuration on routing peers in order to
accept routing updates. Consequently, the enterprise should work with their service provider to
enable these security features.
• If neighbor logging is enabled by default for a particular routing protocol, the logging commands
will not appear in the configuration. This is currently the case for EIGRP.
Service Resiliency in the WAN Edge Aggregation
The resiliency of services provided by the WAN edge aggregation block is critical to the operation of all
remote sites. The WAN edge is also a key network border. Consequently, all infrastructure devices and
links must be resilient to targeted, indirect, malicious and unintentional attacks, as well as general failure
scenarios. This is particularly important since the edge devices have external interfaces.
Possible attacks include DoS attacks based on unauthorized and authorized protocols, distributed DoS
(DDoS) attacks, flood attacks, reconnaissance, and unauthorized access. General failure scenarios
include power outages, physical link failures, and device failures.
Service resiliency in the WAN edge aggregation block involves the following key design areas:
• Device resiliency
• Remote site service availability
• High availability
The areas of focus, objectives, and implementation options for service resiliency in the WAN edge
aggregation block are outlined in Table 7-3.
The particular considerations for IKE CAC and QoS in the WAN edge are covered in detail below. For
more information on the other service resiliency techniques, including design and configuration
guidelines, see Chapter 2, “Network Foundation Protection.”
Service resiliency should be complemented by network policy enforcement techniques that filter traffic
at the network edges, permitting only authorized services and originators to directly address the
infrastructure. These techniques restrict accessibility to the infrastructure in order to reduce exposure to
unauthorized access, DoS, and other network attacks. For more information, refer to the “Network Policy
Enforcement in the WAN Edge Aggregation” section on page 7-13.
Table 7-3 Service Resiliency in the WAN Edge Aggregation
Service resiliency focus: Restrict attack surface
  Objectives: Disable unnecessary services; address known vulnerabilities
  Implementation: Disable unnecessary services on all infrastructure devices; Patch infrastructure devices with updated software
Service resiliency focus: Harden the device
  Objectives: Protect device resources from exhaustion attacks by limiting, filtering and rate-limiting traffic destined to the control plane
  Implementation: Memory protection; Limit and rate-limit control plane traffic, including service-specific considerations (for example, IKE CAC); Implement CoPP/CoPPr, if available
Service resiliency focus: Preserve and optimize remote site services
  Objectives: Ensure any limited resources at a remote site, such as a low bandwidth WAN link or a low performance platform, are not overwhelmed, and optimize their utilization
  Implementation: QoS (egress, per-branch QoS on the WAN link to ensure availability of the WAN edge WAN link, the branch WAN link and the branch router); Application optimization
Service resiliency focus: Implement redundancy
  Objectives: Deploy device, link, and geographical diversity to eliminate single points of failure
  Implementation: Redundant devices; Redundant links; Redundant WAN providers; Geographically diverse locations
IKE Call Admission Control
One service commonly used in the WAN edge is Internet Key Exchange (IKE) for IPSec tunnel
establishment. IKE must be hardened to protect the VPN hub from device and resource exhaustion
attacks. These attacks may be malicious or generated by a large number of remote sites re-establishing
tunnels, perhaps as a result of a major network outage. The key objectives are as follows:
• Do not accept new tunnel requests if the system is already under load
• Limit the number of established tunnels, according to the platform and deployment requirements
• Limit the number of tunnels being negotiated, according to the platform and deployment
requirements
The following is a sample configuration for IKE call admission control (CAC), specifically to limit the
resources used by this service on an ASR.
! Enable global CAC to protect the device when it is under load
! Do not accept new IKE SA requests when the system resources in use reach this limit
call admission limit 70000
!
! Limit the number of dynamic tunnels supported
crypto call admission limit ike sa 750
!
! Limit the number of dynamic tunnels in-negotiation supported
crypto call admission limit ike in-negotiation-sa 750
!
For more information on IKE CAC, see the WAN Design section of Appendix A, “Reference
Documents.”
QoS in the WAN Edge
QoS is critical to the optimal performance and availability of business-critical services in a branch, even
under adverse network conditions, such as high data rates and worm outbreaks. In addition, since some
service control and all remote management is in-band, it is critical that QoS is employed to prioritize
control and management traffic.
The fundamental principle is to accurately classify and mark traffic at the access edge, then police
and schedule traffic at key network borders, particularly on links with limited resources that are subject
to congestion.
In the WAN edge, the main objectives of QoS are to preserve and optimize:
• Branch WAN link
Avoid congestion on a limited bandwidth branch link.
• Branch router availability
Avoid overwhelming limited resources on a branch edge router.
• Service availability
Prioritize business critical applications and those with particular traffic profile requirements, as well
as in-band control and remote management traffic.
QoS on the WAN edge is implemented through an egress QoS policy that should be enforced on a
per-branch basis in order to accommodate the particular WAN and platform characteristics of each
remote site. The DSCP markings can be trusted on the WAN edge as it is assumed that an ingress QoS
policy has been enforced on all the access edges to mark or remark QoS settings.
QoS in the WAN edge is just one element of an end-to-end QoS implementation, including egress QoS
on the branch WAN link and ingress classification and marking on all access edges across the enterprise
network.
The following is a sample branch QoS configuration for the WAN edge router. The configuration
provided shows the QoS policy applied to the WAN edge router to control the traffic traversing a
specific branch.
! Define the Egress QoS policy
! Prioritize voice, interactive video, call signaling and control traffic
policy-map child_he4-2800-1
class Voice
priority percent 18
class Interactive-Video
priority percent 15
class Call-Signaling
bandwidth percent 5
class Network-Control
bandwidth percent 5
class Critical-Data
bandwidth percent 27
random-detect dscp-based
class Bulk-Data
bandwidth percent 4
random-detect dscp-based
class Scavenger
bandwidth percent 1
class class-default
bandwidth percent 25
random-detect
!
! Identify traffic to the branch
ip access-list extended he4-2800-1
permit ip any 10.200.1.0 0.0.0.255
permit ip any 10.201.1.0 0.0.0.255
!
! Enforce the QoS policy on this traffic
class-map match-all he4-2800-1
match access-group name he4-2800-1
!
! Enforce the policy on traffic over the VPN tunnel interfaces
interface Tunnel0
qos pre-classify
!
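A per-branch policy like the one above is worth checking before it is attached, because the guarantees must fit the link and the priority queues must not starve the data classes. The following added Python script (not from the Cisco guide) parses the policy-map above, performs those checks, and converts the percentages to kbps for an assumed branch link rate. The 1544 kbps link is an assumption, as is the 33% ceiling on priority traffic, which follows Cisco's general QoS design guidance rather than anything on this page:

```python
"""Added example, not from the Cisco SAFE guide: parses the per-branch egress
policy-map above, checks the allocation before it is attached to a link, and
converts the percentages to kbps for an assumed branch link rate."""
import re

POLICY_MAP = """
policy-map child_he4-2800-1
 class Voice
  priority percent 18
 class Interactive-Video
  priority percent 15
 class Call-Signaling
  bandwidth percent 5
 class Network-Control
  bandwidth percent 5
 class Critical-Data
  bandwidth percent 27
  random-detect dscp-based
 class Bulk-Data
  bandwidth percent 4
  random-detect dscp-based
 class Scavenger
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  random-detect
"""
LINK_KBPS = 1544    # assumed branch link rate (a T1), not from the guide
LLQ_CEILING = 33    # assumed ceiling on total priority traffic (general Cisco QoS guidance)

def parse_policy_map(text):
    """Return [(class, kind, percent, wred)] in configuration order, where kind
    is 'priority' (LLQ), 'bandwidth' (CBWFQ) or None if nothing is guaranteed."""
    classes = []
    for line in text.strip().splitlines()[1:]:   # skip the policy-map line
        m = re.match(r"\s*class (\S+)$", line)
        if m:
            classes.append([m.group(1), None, 0, False])
            continue
        m = re.match(r"\s*(priority|bandwidth) percent (\d+)$", line)
        if m:
            classes[-1][1], classes[-1][2] = m.group(1), int(m.group(2))
        elif line.strip().startswith("random-detect"):
            classes[-1][3] = True
    return [tuple(c) for c in classes]

def check_policy(classes, llq_ceiling=LLQ_CEILING):
    """Findings a reviewer would raise; an empty list means the policy is sound."""
    findings = []
    total = sum(pct for _, _, pct, _ in classes)
    llq = sum(pct for _, kind, pct, _ in classes if kind == "priority")
    if total > 100:
        findings.append(f"guarantees sum to {total}%; IOS will not attach a policy that exceeds the link")
    if llq > llq_ceiling:
        findings.append(f"priority classes take {llq}%, above the {llq_ceiling}% LLQ ceiling")
    for name, kind, pct, wred in classes:
        if kind is None:
            findings.append(f"class {name}: no bandwidth or priority guarantee")
        if kind == "priority" and wred:
            findings.append(f"class {name}: random-detect cannot be combined with priority")
    return findings

def allocation_kbps(classes, link_kbps=LINK_KBPS):
    """Guaranteed rate per class on a link of the given speed."""
    return {name: link_kbps * pct // 100 for name, _, pct, _ in classes}

if __name__ == "__main__":
    classes = parse_policy_map(POLICY_MAP)
    print("findings:", check_policy(classes) or "none")
    for name, kbps in allocation_kbps(classes).items():
        print(f"{name:18s} {kbps:5d} kbps")
```

The policy above allocates exactly 100% with 33% in priority queues, so the check passes; raising class-default to 30% pushes the total to 105% and produces a finding. On the assumed T1, Voice receives 277 kbps and class-default 386 kbps.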
For more information on QoS, see the QoS Design section of Appendix A, “Reference Documents.”
Network Policy Enforcement in the WAN Edge Aggregation
The WAN edge is a key network border and is thus a critical place to enforce a strong network policy.
This includes restricting the incoming traffic that is permitted on the WAN interfaces, blocking
unauthorized access and validating the source IP address of traffic. Anomalous traffic is discarded as
close to the edge of the network as possible, thereby minimizing the risk of exposure.
Possible threats include unauthorized access and IP spoofing that can be used to anonymously launch an
attack, bypass network access and policy enforcement controls, and snoop data through MITM attacks.
The areas of focus, objectives and implementation options for network policy enforcement in the WAN
edge are outlined in Table 7-4.
The particular considerations for these areas in the WAN edge are covered below. For more information
on network policy enforcement techniques, including design and configuration guidelines, see
Chapter 2, “Network Foundation Protection.”
Design Considerations
• Consistent network policy enforcement on all key network borders
A consistent network policy must be enforced on all key network borders, including the WAN edge,
the Internet edge and the access edge. On the access edge, infrastructure ACLs (iACLs) should
restrict accessibility to the infrastructure in order to reduce exposure to unauthorized access, DoS,
and other network attacks. In addition, IP spoofing protection must be enforced to ensure
traceability and effective policy enforcement. For more information on access edge policy
enforcement, see Chapter 5, “Enterprise Campus,” and Chapter 8, “Enterprise Branch.”
• Address space planning
Careful planning of the corporate address space facilitates the definition and maintenance of traffic
filtering that is used in many areas of security policy enforcement, including ACLs, firewalls, route
filtering and uRPF. It is recommended that a rational, summarized or compartmentalized IP address
scheme be employed across the enterprise, enabling a manageable and enforceable security policy,
offering a significant benefit to overall network security.
For more information on address space planning, see Chapter 2, “Network Foundation Protection.”
Table 7-4 Network Policy Enforcement in the WAN Edge Aggregation
Network Policy Enforcement Focus | Network Policy Enforcement Objectives | Implementation
Filter Incoming Traffic | Restrict incoming traffic to authorized sources and for authorized services only | WAN edge ACLs applied inbound on WAN interfaces; Firewall integration
IP Spoofing Protection | Ensure traffic is topologically valid (i.e., sourced from a valid address that is consistent with the interface it is received on) | uRPF loose mode on WAN interfaces
WAN Edge ACLs
The primary objective of WAN edge ACLs is to restrict incoming traffic on the WAN links to only the
minimum required traffic and services, and only from authorized originators. This typically involves
permitting only the necessary routing updates from defined external routing peers, along with VPN
access for the remote sites.
In addition, standard ingress edge filtering is enforced, per BCP 38 and RFC2827, denying traffic with
illegitimate, invalid, or reserved source addresses.
A WAN edge ACL for site-to-site VPN only will thus typically feature the following elements:
• Deny fragments
• Deny the corporate address space originating from external sources
• Deny RFC1918 private address space (10/8, 172.16/12, 192.168/16)
• Deny RFC3330 special use IPv4 addressing (0.0.0.0, 127/8, 192.0.2/24, 224/4)
• Permit routing updates from authorized, external peers
• Permit VPN with branches
• Permit ping and traceroute for troubleshooting
The following is a sample WAN edge ACL configuration:
access-list 120 remark SP WAN Edge ACL - MPLS A
access-list 120 remark deny Fragments
access-list 120 deny tcp any any log fragments
access-list 120 deny udp any any log fragments
access-list 120 deny icmp any any log fragments
access-list 120 remark deny Incoming with Source=Internal
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 remark deny RFC 3330 Special-Use Addresses
access-list 120 deny ip host 0.0.0.0 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 192.0.2.0 0.0.0.255 any
access-list 120 deny ip 224.0.0.0 31.255.255.255 any
access-list 120 remark deny RFC 1918 Reserved Addresses
access-list 120 remark 10.0.0.0/8 and 192.168.0.0/16 omitted because they are being used
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 remark permit Incoming EIGRP from SP Neighbors
access-list 120 permit eigrp host 192.168.160.113 host 224.0.0.10
access-list 120 permit eigrp host 192.168.160.113 host 192.168.160.114
access-list 120 remark permit DMVPN with Branches
access-list 120 permit udp any host 192.168.34.1 eq isakmp
access-list 120 permit esp any host 192.168.34.1
access-list 120 remark permit Ping & Traceroute
access-list 120 permit icmp any host 192.168.160.114 ttl-exceeded
access-list 120 permit icmp any host 192.168.160.114 port-unreachable
access-list 120 permit icmp any host 192.168.160.114 echo-reply
access-list 120 permit icmp any host 192.168.160.114 echo
access-list 120 permit icmp any host 192.168.34.1 ttl-exceeded
access-list 120 permit icmp any host 192.168.34.1 port-unreachable
access-list 120 permit icmp any host 192.168.34.1 echo-reply
access-list 120 permit icmp any host 192.168.34.1 echo
access-list 120 deny ip any any log
!
! Apply the ACL to the particular WAN interface
interface GigabitEthernet0/0/3
description WAN: MPLS
ip address 192.168.160.114 255.255.255.248
ip access-group 120 in
!
For more information on traffic filtering, see the Edge Filtering section of Appendix A, “Reference
Documents.”
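The following is an added example, not part of the guide: a small Python evaluator that parses the access-list 120 entries above (IOS wildcard masks, host/any, the fragments keyword, eq isakmp, and ICMP type names) and applies IOS first-match semantics with the implicit deny to constructed packets. The packet addresses are constructed, and the four ICMP entries for 192.168.34.1 are omitted from the input since they mirror those for 192.168.160.114.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The page's access-list 120 as parser input (the four ICMP entries for
# 192.168.34.1 mirror those for 192.168.160.114 and are omitted here).
ACL_TEXT = """
access-list 120 remark SP WAN Edge ACL - MPLS A
access-list 120 deny tcp any any log fragments
access-list 120 deny udp any any log fragments
access-list 120 deny icmp any any log fragments
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip host 0.0.0.0 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 192.0.2.0 0.0.0.255 any
access-list 120 deny ip 224.0.0.0 31.255.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 permit eigrp host 192.168.160.113 host 224.0.0.10
access-list 120 permit eigrp host 192.168.160.113 host 192.168.160.114
access-list 120 permit udp any host 192.168.34.1 eq isakmp
access-list 120 permit esp any host 192.168.34.1
access-list 120 permit icmp any host 192.168.160.114 ttl-exceeded
access-list 120 permit icmp any host 192.168.160.114 port-unreachable
access-list 120 permit icmp any host 192.168.160.114 echo-reply
access-list 120 permit icmp any host 192.168.160.114 echo
access-list 120 deny ip any any log
"""
PORT_NAMES = {"isakmp": 500}  # IOS port keyword used by the ACL above

@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    fragments: bool = False          # "fragments": matches non-initial fragments only
    dport: Optional[int] = None      # "eq <port>"
    icmp_type: Optional[str] = None  # e.g. echo, ttl-exceeded

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    fragment: bool = False  # True for a non-initial fragment

def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[2] == "remark":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        rule = Rule(action=t[2], proto=t[3], src=src, dst=dst)
        while i < len(t):
            if t[i] == "fragments":
                rule.fragments = True
            elif t[i] == "eq":
                i += 1
                rule.dport = PORT_NAMES[t[i]] if t[i] in PORT_NAMES else int(t[i])
            elif t[i] != "log":  # "log" affects logging only, not matching
                rule.icmp_type = t[i]
            i += 1
        rules.append(rule)
    return rules

def _matches(rule, pkt):
    return (
        rule.proto in ("ip", pkt.proto)
        and ipaddress.ip_address(pkt.src) in rule.src
        and ipaddress.ip_address(pkt.dst) in rule.dst
        and (pkt.fragment or not rule.fragments)
        and (rule.dport is None or pkt.dport == rule.dport)
        and (rule.icmp_type is None or pkt.icmp_type == rule.icmp_type)
    )

def evaluate(rules, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "deny"

ACL = parse_acl(ACL_TEXT)
```

Because the bogon and fragment entries precede every permit, a non-initial fragment or a packet with an internal 10/8 source is dropped before the DMVPN and EIGRP permits are ever consulted.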
Firewall Integration in the WAN Edge
Network policy enforcement on the WAN edge can be extended to include the enforcement of different
security policy domains through the integration of firewall functionality. A firewall provides additional
protection from unauthorized access, as well as stateful, application and protocol inspection.
This functionality can be implemented using an integrated firewall, such as IOS zone-based firewall
(ZBFW) in a unified WAN services platform, such as the Cisco ASR, or as a dedicated appliance, such
as the Cisco Adaptive Security Appliance (ASA).
For more information on firewall integration using the Cisco IOS ZBFW, see Chapter 8, “Enterprise
Branch.”
For more information on firewall integration using the Cisco ASA, see Chapter 6, “Enterprise Internet
Edge.”
uRPF on the WAN Edge
Unicast reverse path forwarding (uRPF) is complementary to WAN edge ACLs, providing dynamic
source IP address validation based on the local packet forwarding information. This enables topological
validation of source IP addresses.
uRPF strict mode offers the maximum degree of source IP address spoofing protection but is not always
possible, such as on a router multi-homed to multiple autonomous systems (AS), as is typical in a WAN
edge. uRPF loose mode is thus used to provide some degree of source IP address spoofing protection.
For instance, it may enable the filtering of undesirable traffic with a source IP address which does not
exist in the FIB, such as RFC 1918 and unallocated addresses, as well as those not advertised by a BGP
peer.
The following is a sample uRPF loose mode configuration:
! Enable uRPF loose mode on multi-homed WAN interfaces
interface GigabitEthernet0/0/3
description WAN: MPLS
ip address 192.168.160.114 255.255.255.248
ip verify unicast source reachable-via any
!
For more information on uRPF, see the IP Spoofing Protection section of Appendix A, “Reference
Documents.”
A key use of uRPF, independent of its deployment mode, is to enable source-based remote triggered
black hole (SRTBH). SRTBH is a highly effective, dynamic and efficient rapid-reaction tool for
mitigating DDoS attacks.
For more information on SRTBH, see the DoS Protection section of Appendix A, “Reference
Documents.”
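An added example, not from the guide, modelling the uRPF loose and strict checks above against a constructed FIB for a multi-homed WAN edge router, including the SRTBH case where a source is routed to Null0. The interface GigabitEthernet0/0/4, the 198.51.100.0/24 and 203.0.113.77/32 entries, and the Vlan11 next hop are assumptions; only the 192.168.160.112/29 link and the 10/8 corporate space come from the page.

```python
import ipaddress

# Constructed FIB (assumptions marked); interface names are IOS style.
FIB = [
    ("10.0.0.0/8", "Vlan11"),                        # corporate space via the distribution
    ("192.168.160.112/29", "GigabitEthernet0/0/3"),  # SP1 WAN link (address block from the page)
    ("192.168.170.112/29", "GigabitEthernet0/0/4"),  # assumed second provider link (SP2)
    ("198.51.100.0/24", "GigabitEthernet0/0/3"),     # assumed remote prefix learned from SP1 only
    ("203.0.113.77/32", "Null0"),                    # SRTBH: attack source black-holed via Null0
]
_FIB = [(ipaddress.ip_network(p), ifname) for p, ifname in FIB]

def fib_lookup(src):
    """Longest-prefix match; returns the egress interface or None. No default route is
    present: IOS ignores a default route for uRPF unless 'allow-default' is configured."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifname in _FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def urpf_loose(src):
    """'ip verify unicast source reachable-via any': any non-null route to the source passes."""
    egress = fib_lookup(src)
    return egress is not None and egress != "Null0"

def urpf_strict(src, ingress):
    """'ip verify unicast source reachable-via rx': the route back to the source must point
    out the interface the packet arrived on. A missing or Null0 route never matches."""
    return fib_lookup(src) == ingress

def verdict(src, ingress, mode):
    """Forwarding decision for a packet with source src received on ingress."""
    ok = urpf_strict(src, ingress) if mode == "strict" else urpf_loose(src)
    return "forward" if ok else "drop"
```

The 10.200.1.5 case is why the guide pairs uRPF loose mode with the WAN edge ACL: a spoofed source inside the corporate 10/8 block does exist in the FIB, so only the ACL's "deny Incoming with Source=Internal" entry stops it, while the null-routed SRTBH source is dropped by loose mode alone.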
Secure Device Access in the WAN Edge Aggregation
Access to all infrastructure devices in the WAN edge aggregation block must be secured. If infrastructure
device access is compromised, the security and management of the entire network can be compromised.
Consequently, it is critical to establish the appropriate controls in order to prevent unauthorized access
to infrastructure devices. There will be some variations in the actual implementation of secure device
access, based on the particular device and software release, but all the fundamental objectives must be
applied:
• Restrict Device Accessibility
Limit the accessible ports and access services, restrict access to authorized services from authorized
originators only, enforce session management and restrict login vulnerability to dictionary and DoS
attacks.
• Present Legal Notification
Display legal notice, developed in conjunction with company legal counsel, for interactive sessions.
• Authenticate Access
Ensure access is only granted to authenticated users, groups, and services.
• Authorize Actions
Restrict the actions and views permitted by any particular user, group, or service.
• Ensure the Confidentiality of Data
Protect locally stored sensitive data from viewing and copying. Consider the vulnerability of data in
transit over a communication channel to sniffing, session hijacking and man-in-the-middle (MITM)
attacks.
• Log and Account for all Access
Record who accessed the device, what occurred, and when for auditing purposes.
For more information on secure device access, including design and configuration guidelines for the
areas outlined above, see Chapter 2, “Network Foundation Protection.”
In addition, the isolation of management access and management traffic is recommended in order to
provide an extra degree of security. This is typically employed using an out-of-band (OOB) network that
is physically independent of the data network and features limited and strictly controlled access.
For more information on implementing a management network, see Chapter 9, “Management.”
Telemetry in the WAN Edge Aggregation
The WAN edge serves as a key hub for remote sites and is vital to the service availability of a branch.
Visibility into its status and any anomalous activity taking place is thus critical to the timely and accurate
cross-network detection and mitigation of anomalies.
Telemetry is thus a fundamental element, enabled across all devices in the WAN edge, and integrated
with a centralized management system for event monitoring, analysis and correlation. The key elements
include the following:
• Synchronize Time
Synchronize all network devices to the same network clock by using Network Time Protocol (NTP)
to enable accurate and effective event correlation.
• Monitor System Status Information
Maintain visibility into overall device health by monitoring CPU, memory and processes.
• Implement CDP Best Common Practices
Enable CDP on all infrastructure interfaces for operational purposes but disable CDP on any
interfaces where CDP may pose a risk, such as external-facing interfaces.
• Enable Remote Monitoring
Leverage syslog, SNMP and additional telemetry techniques, such as Netflow, to a centralized
server, such as CS-MARS, for cross-network data aggregation. This enables detailed and behavioral
analysis of the data which is key to traffic profiling, anomaly-detection and attack forensics, as well
as general network visibility and routine troubleshooting.
For more information on telemetry, including design and configuration guidelines for the areas outlined
above, see Chapter 2, “Network Foundation Protection.”
For more information on remote monitoring, analysis and correlation, including syslog, SNMP, and
NetFlow, see Chapter 10, “Monitoring, Analysis, and Correlation.”
Design Considerations
• CDP is enabled by default in Cisco IOS and should be disabled on all external-facing interfaces. This
can be verified on a per interface basis using the show cdp interface command.
• As with secure device access, the isolation of management access and management traffic is
recommended using an out-of-band (OOB) network in order to provide an extra degree of security.
This is typically employed using an OOB network that is physically independent of the data network
and features limited and strictly controlled access. For more information on the implementation of
a management network, refer to Chapter 9, “Management.”
NetFlow on the WAN Edge
NetFlow is a highly valuable form of network telemetry that scales to large traffic volumes through the
use of flow-based data. This NetFlow data describes traffic conversations, including who is talking to
whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
Enabling sampled NetFlow on the enterprise WAN edge provides highly valuable data for traffic analysis
and behavioral or relational anomaly-detection.
The following example illustrates the NetFlow configuration on the WAN edge routers:
! Defines the source and destination for NetFlow records
ip flow-export source Loopback1
ip flow-export destination 2055
!
! Enables random sampled NetFlow
flow-sampler-map CSMARS-SAMPLE
mode random one-out-of 100
!
! Enables NetFlow collecting for inbound traffic to the Tunnel0 interface
interface Tunnel0
description Tunnel0
ip flow ingress
flow-sampler CSMARS-SAMPLE
!
! Enables NetFlow collecting for inbound traffic to the physical interface
interface GigabitEthernet0/0/3
description WAN: MPLS
ip flow ingress
flow-sampler CSMARS-SAMPLE
!
Note: Normally, if an OOB management network is implemented, NetFlow records would be exported using
the IP address of the management interface. Per design, the Cisco ASR does not support the export of
NetFlow records on the management interface; therefore, the export should be done in-band.
For more information on NetFlow, see the Telemetry section of Appendix A, “Reference Documents.”
WAN Edge Distribution
The WAN edge distribution block (see Figure 7-4) provides connectivity for remote sites from the WAN
edge aggregation block to the core network, and serves as the integration point for WAN edge services
such as application optimization and IPS.
It consists of Layer 3 switches, plus any additional hardware for WAN edge services, such as application
optimization and IPS.
Figure 7-4 Enterprise WAN Edge Distribution
(Figure: the Private WAN and Internet WAN enter the WAN Edge Aggregation block of the Enterprise WAN Edge, which connects through the WAN Edge Distribution block, with its Management attachment, to the Core.)
Design Guidelines for the WAN Edge Distribution
Security integration in the WAN edge distribution includes the following elements:
• IPS Integration in the WAN Edge Distribution, page 7-19
• Routing Security in the WAN Edge Distribution, page 7-23
• Service Resiliency in the WAN Edge Distribution, page 7-24
• Switching Security in the WAN Edge Distribution, page 7-25
• Secure Device Access in the WAN Edge Distribution, page 7-25
• Telemetry in the WAN Edge Distribution, page 7-26
IPS Integration in the WAN Edge Distribution
The WAN edge serves as a hub to remote sites for corporate services and business applications, as well,
in many cases, for Internet services. As such, it provides a unique opportunity to implement centralized
IPS integration for threat detection and mitigation of malicious activity originating from remote sites.
This is particularly true if the WAN topology is hub and spoke and split-tunneling is not employed, so
that there is no direct Internet access local to the remote site.
Cisco IPS provides signature and reputation-based threat detection and mitigation for threats such as
worms, spyware, adware, network viruses, and application abuse. Its integration in a centralized
deployment model enables a scalable, highly available and cost-effective design, that also offers ease of
management advantages.
In addition, Cisco IPS collaboration with other Cisco devices provides enhanced visibility and control
through system-wide intelligence. This includes host-based IPS collaboration with Cisco Security Agent
(CSA), reputation-based filtering and global correlation using SensorBase, automated threat mitigation
with the WLAN controller (WLC), multi-vendor event correlation and attack path identification using
Cisco Security Monitoring, Analysis, and Response System (CS-MARS), and common policy
management using Cisco Security Manager (CSM). For more information on Cisco security
collaboration, see Chapter 10, “Monitoring, Analysis, and Correlation,” and Chapter 11, “Threat Control
and Containment.”
IPS integration involves three key design areas:
• Deployment mode
Inline or promiscuous mode, typically referred to as IPS or IDS.
• Scalability and availability
Ensures the ability to handle high traffic rates, along with the ongoing detection and mitigation of
threats, even under failure scenarios.
• Maximum threat coverage
Traffic symmetry to maintain the important benefits offered by symmetrical traffic flows, even in a
high availability and scalability design featuring multiple IPS.
IPS inline mode enables automatic threat detection and mitigation capabilities that offer some clear
advantages in terms of timely threat mitigation. IPS signature tuning enables the automated response
actions taken by Cisco IPS to be tuned and customized according to the customer environment and
policy.
For scalability, Cisco offers a range of different IPS platforms that can be deployed according to
particular customer needs. For increased scalability and high availability, multiple IPS can be deployed
using an intelligent load-balanced design. This can be achieved using a dedicated load-balancing
appliance, such as the ACE module, the ether channel load-balancing (ECLB) feature of a Cisco switch
or policy-based routing (PBR).
Symmetrical traffic flows offer a number of important benefits, including enhanced threat detection,
reduced vulnerability to IPS evasion techniques and improved operations through reduced false positives
and false negatives. Consequently, leveraging the Cisco IPS Normalizer engine is a key design element.
If multiple IPS exist in a single flow, for instance for availability and scalability purposes, maintaining
symmetric flows requires some consideration of the IPS integration design. There are a number of
options available to ensure symmetric traffic flows, including the following:
• Copy traffic across IPS
Use of SPAN, VACL capture or TAPs to duplicate traffic across all IPS, ensuring any single IPS sees
all flows. This can become a challenge once more than two IPS are involved and results in all IPS
being loaded with the active traffic flows.
• Integration of an IPS switch
Topological design to consolidate traffic into a single switch, thereby leveraging the switch to
provide predictable and consistent forward and return paths through the same IPS. This is a simple
design but introduces a single point of failure.
• Routing manipulation
Use of techniques such as path cost metrics or policy-based routing (PBR) to provide predictable
and consistent forward and return paths through the same switch and, consequently, the same IPS.
This is a cost-effective design but introduces some complexity and requires an agreement from
network operations (NetOps).
• Sticky load-balancing
Insertion of a sticky load-balancing device, such as the Application Control Engine (ACE), to
provide predictable and consistent forward and return paths through the same IPS. This is an elegant
and flexible design but introduces additional equipment to deploy and manage.
A sample IPS integration in a WAN edge distribution block is shown in Figure 7-5. This IPS design
ensures that all traffic through the WAN edge distribution is monitored by the IPS and illustrates the use
of ECLB for high scalability and availability, along with IGP path cost manipulation to provide
symmetrical traffic flows. It also enables ease of future expansion by offering the ability to integrate
additional IPS by simply adding them to the ether-channel bundles on the switches.
Figure 7-5 Sample IPS Integration in the WAN Edge Distribution
This IPS design features the following design elements:
1. A pair of VLANs on each switch for IPS integration. One logically facing the WAN edge (VLAN
12 on switch-1 and VLAN 17 on switch-2), and one logically facing the core (VLAN 13 on switch-1
and VLAN 18 on switch-2).
2. VLAN pairing on each IPS to bridge traffic back to the switch across its VLANs.
3. ECLB on the switch to perform sticky load-balancing of traffic across the IPS devices.
4. Layer 3 links and route manipulation, through EIGRP cost settings, to force traffic to and from each
ASR through a preferred switch for traffic symmetry.
5. Placement of all interfaces between the WAN distribution and the WAN edge, as well as the WAN
edge-facing IPS VLANs (VLANs 12 and 17), in a VRF in order to force all traffic between the WAN
edge and the core through the IPS.
The IPS policies being enforced on one of the IPS integrated in the WAN edge distribution are shown in
Figure 7-6.
(Figure 7-5 depicts the WAN edge ASRs (ASR-1, ASR-2 and ASR-IE, each with a QFP) on the Private WAN SP 1, Private WAN SP 2 and Internet sides, with DMVPN branches behind them; Layer 3 links with IGP path cost manipulation to Switch-1 and Switch-2; a VLAN pair per switch for IPS integration (VLAN 12 + 13 on Switch-1, VLAN 17 + 18 on Switch-2) with ECLB of IPS-1 and IPS-2 from each switch and VLAN pairing on each IPS; the WAN-edge-facing side in VRF: Branches; and uplinks to Core-1 and Core-2. Callouts 1 to 5 correspond to the numbered design elements above.)
Figure 7-6 Sample IPS Integration in the WAN Edge
For detailed information on the IPS products, platforms and features, as well as deployment options and
considerations, see the product pages. For details, see the IPS section of Appendix A, “Reference
Documents.”
Design Considerations
• A centralized IPS deployment is highly effective in a hub-and-spoke topology where all remote site
traffic is forced through the WAN edge. Coverage is, however, limited to traffic passing through the
WAN edge distribution. Intra-branch traffic is not analyzed and branch-to-branch traffic monitoring
requires additional design steps to force traffic through the IPS.
• If all branch traffic must be monitored or, for instance, if remote sites have local, direct Internet
access through the use of split-tunneling, a distributed IPS deployment should be considered. For
more information on a distributed IPS deployment, see Chapter 8, “Enterprise Branch.”
• A combination of centralized and distributed IPS enables the appropriate deployment model to be
chosen according to the needs of a particular branch, whilst maintaining consistent policy
enforcement.
• IPS inline mode requires a well designed, architected and tuned deployment to ensure there is no
negative impact on network and service availability.
• IPS integration should occur inside the WAN edge, after VPN termination and application
optimization, to ensure that the IPS receives clear text, unmodified traffic for monitoring.
• A design using route manipulation to provide traffic symmetry is required to ensure flows through
the same switch, since the selection of a particular IPS is specific to that switch's ECLB index.
• ECLB on a Cisco switch is performed based on the source and destination address of a traffic flow,
not on the bandwidth of a flow. Consequently, if there is a large amount of traffic on a single flow
(i.e., between a certain source and destination address) all that traffic will be passed to a single IPS.
The IPS integration design must, therefore, take this into consideration. For information, see the IPS
section of Appendix A, “Reference Documents.”
• A design using route manipulation to provide traffic symmetry must consider the traffic capacity of
the preferred paths. For instance, in the design above, since each ASR has a preferred route, if one
ASR fails, all traffic will be routed over the preferred path of that ASR, to a single switch.
Consequently, the preferred path must have sufficient bandwidth to accommodate the full traffic
capacity. This can be achieved by deploying high speed interfaces or enabling ECLB on multiple
interfaces on this preferred path to provide this high capacity link between the WAN edge and the
WAN edge distribution.
For additional IPS integration design guidelines, see Chapter 11, “Threat Control and Containment.”
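An added example, not from the guide, modelling the two ECLB considerations above: a flow is pinned to one IPS by a hash of its source and destination address regardless of its bandwidth, and the bucket-to-member mapping is local to each switch, so a return flow that crosses the other switch may land on a different IPS. The hash (XOR of the two addresses, low-order bits selecting a bucket), the per-switch member order and the flows are all constructed assumptions standing in for the platform's real behaviour.

```python
import ipaddress
from collections import defaultdict

# Constructed per-switch EtherChannel bundles toward the two IPS. Each switch orders its
# own members, so a bucket index on switch-1 implies nothing on switch-2 (assumption).
BUNDLES = {
    "switch-1": ["IPS-1", "IPS-2"],
    "switch-2": ["IPS-2", "IPS-1"],
}

# Constructed flows: one heavy branch-to-core flow plus eight small ones (Mbps).
FLOWS = [("10.200.1.10", "10.1.1.10", 900.0)] + [
    (f"10.200.1.{x}", "10.1.1.20", 10.0) for x in range(11, 19)
]

def eclb_bucket(src, dst, buckets=8):
    """Modelled src-dst-ip load-balance hash: XOR the two addresses and keep the
    low-order bits. This is an assumption standing in for the platform's real hash;
    like it, the result depends only on the address pair, never on the flow's
    bandwidth, and because XOR commutes, swapping src and dst gives the same bucket."""
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst))
    return (s ^ d) % buckets

def select_ips(switch, src, dst):
    """Map the bucket onto this switch's bundle members."""
    members = BUNDLES[switch]
    return members[eclb_bucket(src, dst) % len(members)]

def load_per_ips(switch, flows):
    """Total Mbps landing on each IPS when all flows enter via one switch."""
    load = defaultdict(float)
    for src, dst, mbps in flows:
        load[select_ips(switch, src, dst)] += mbps
    return dict(load)

def return_path_consistent(src, dst, fwd_switch, ret_switch):
    """True when the forward flow (src->dst via fwd_switch) and its return flow
    (dst->src via ret_switch) are inspected by the same IPS."""
    return select_ips(fwd_switch, src, dst) == select_ips(ret_switch, dst, src)
```

With these inputs the 900 Mbps flow and half of the small flows all land on IPS-1 via switch-1, and the same flow returning through switch-2 is steered to IPS-2, which is the asymmetry the route manipulation in the design above exists to prevent.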
Implementation Options
• IPS Promiscuous Mode
Cisco IPS can also be deployed in promiscuous mode. In promiscuous mode, the IPS performs
passive monitoring, with traffic being passed to it through a monitoring port. Upon detection of
anomalous behavior, management systems are informed of an event and operational staff can
subsequently decide what action, if any, to take in response to an incident. The time between threat
detection and mitigation may thus be extended.
Routing Security in the WAN Edge Distribution
Routing in the WAN edge distribution block is critical to service availability, and as such, it must be
properly secured to protect it against compromise, including unauthorized peering sessions and DoS
attacks that may attempt to inject false routes, and remove or modify routes.
Devices in the WAN edge distribution do, however, have limited exposure to threats as they only
participate in the internal routing domain, have interfaces only to infrastructure devices, and are not
positioned on a key network border. Consequently, routing security in the WAN edge distribution block
is focused on the following:
• Neighbor authentication
Restrict routing sessions to trusted peers and validate the origin and integrity of routing updates.
• Neighbor logging
Provide visibility into neighbor status changes that may indicate network connectivity and stability
issues, due to an attack or general operations problems.
Neighbor authentication should be enabled on all interfaces participating in the routing domain and must
be enabled on both sides of a link.
The following configuration example shows the configuration of EIGRP MD5 neighbor authentication
on the WAN edge distribution switches:
key chain eigrp-auth
key 10
key-string
!
interface Vlan11
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 eigrp-auth
!
router eigrp 1
network 10.0.0.0
!
For more information on routing security, including design and configuration guidelines for the areas
outlined above, see Chapter 2, “Network Foundation Protection.”
Service Resiliency in the WAN Edge Distribution
The resiliency of services provided by the WAN edge distribution block is critical to the operation of all
remote sites. Consequently, all infrastructure devices and links must be resilient to targeted, indirect,
malicious and unintentional attacks, as well as general failure scenarios.
Possible attacks include DoS attacks based on unauthorized and authorized protocols, distributed DoS
(DDoS) attacks, flood attacks, reconnaissance and unauthorized access. General failure scenarios
include power outages, physical link failures and device failures.
Service resiliency in the WAN edge distribution block involves the following key design areas:
• Device resiliency
• High availability
The areas of focus, objectives and implementation options for service resiliency in the WAN edge
distribution block are outlined in Table 7-5.
Table 7-5 Service Resiliency in the WAN Edge Distribution
Service Resiliency Focus | Service Resiliency Objectives | Implementation
Restrict attack surface | Disable unnecessary services | Disable unnecessary services on all infrastructure devices; Patch infrastructure devices with updated software
Harden the device | Protect device resources from exhaustion attacks by limiting, filtering and rate-limiting traffic destined to the control plane | Memory protection; Limit and rate-limit control plane traffic; Implement CoPP/CoPPr, if available
Implement redundancy | Deploy device, link and geographical diversity to eliminate single points of failure | Redundant devices; Redundant links; Geographically diverse locations
For more information on service resiliency, including design and configuration guidelines for the areas
highlighted in Table 7-5 above, see Chapter 2, “Network Foundation Protection.”
Service resiliency should be complemented by network policy enforcement techniques that filter traffic
at the network edges, permitting only authorized services and originators to directly address the
infrastructure. These techniques restrict accessibility to the infrastructure in order to reduce exposure to
unauthorized access, DoS, and other network attacks. For more information, refer to the “Network Policy
Enforcement in the WAN Edge Aggregation” section on page 7-13.
Switching Security in the WAN Edge Distribution
Switching in the WAN edge distribution block is critical to service availability and, as such, it must be
properly secured to protect it against compromise, including unauthorized access and DoS attacks
through Spanning Tree Protocol (STP) manipulation and Layer-2 flooding.
The threat exposure of a switch in the WAN edge distribution block is, however, limited as all interfaces
are to infrastructure devices and there are no external interfaces. However, it is recommended that all the
key areas of focus be reviewed and applied, as outlined in the “Switching Infrastructure Best Practices”
section on page 2-25.
Secure Device Access in the WAN Edge Distribution
Access to all infrastructure devices in the WAN edge distribution block must be secured. If infrastructure
device access is compromised, the security and management of the entire network can be compromised.
Consequently, it is critical to establish the appropriate controls in order to prevent unauthorized access
to infrastructure devices.
There will be some variations in the actual implementation of secure device access, based on the
particular device and software release, but all the fundamental objectives must be applied:
• Restrict device accessibility
Limit the accessible ports and access services, restrict access to authorized services from authorized
originators only, enforce session management, and restrict login vulnerability to dictionary and DoS
attacks.
• Present legal notification
Display legal notice, developed in conjunction with company legal counsel, for interactive sessions.
• Authenticate access
Ensure access is only granted to authenticated users, groups, and services.
• Authorize actions
Restrict the actions and views permitted by any particular user, group, or service.
• Ensure the confidentiality of data
Protect locally stored sensitive data from viewing and copying. Consider the vulnerability of data in
transit over a communication channel to sniffing, session hijacking and man-in-the-middle (MITM)
attacks.
• Log and account for all access
Record who accessed the device, what occurred, and when for auditing purposes.
For more information on secure device access, including design and configuration guidelines for the
areas outlined above, see Chapter 2, “Network Foundation Protection.”
In addition, the isolation of management access and management traffic is recommended in order to
provide an extra degree of security. This is typically employed using an out-of-band (OOB) network that
is physically independent of the data network and features limited and strictly controlled access. For
more information on implementing a management network, see Chapter 9, “Management.”
Telemetry in the WAN Edge Distribution
The WAN edge serves as a key hub for remote sites and is vital to the service availability of a branch.
Visibility into its status and any anomalous activity taking place is thus critical to the timely and accurate
cross-network detection and mitigation of anomalies.
Telemetry is thus a fundamental element, enabled across all devices in the WAN edge and integrated with
dedicated analysis systems to collect, trend and correlate observed activity. The key elements include the
following:
• Synchronize time
Synchronize all network devices to the same network clock by using Network Time Protocol (NTP)
to enable accurate and effective event correlation.
• Monitor system status information
Maintain visibility into overall device health by monitoring CPU, memory and processes.
• Implement CDP best common practices
Enable CDP on all interfaces in order to facilitate operations. The WAN edge distribution block does
not feature any access or external-facing interfaces, so CDP does not pose a risk in this location.
• Enable remote monitoring
Leverage syslog and SNMP to a centralized server, such as CS-MARS, for cross-network data
aggregation. This enables detailed and behavioral analysis of the data, which is key to traffic
profiling, anomaly detection and attack forensics, as well as general network visibility and routine
troubleshooting.
For more information on telemetry, including design and configuration guidelines for the areas outlined
above, see Chapter 2, “Network Foundation Protection.”
For more information on remote monitoring, analysis and correlation, including syslog, SNMP, and
NetFlow, see Chapter 10, “Monitoring, Analysis, and Correlation.”
Design Considerations
• As with secure device access, the isolation of management access and management traffic is
recommended in order to provide an extra degree of security. This is typically employed using an
out-of-band (OOB) network that is physically independent of the data network and features limited
and strictly controlled access. For more information on the implementation of a management
network, refer to Chapter 9, “Management.”
Threats Mitigated in the Enterprise WAN Edge
Table 7-6 Enterprise WAN Edge Threat Mitigation Features
Columns: Botnets | DoS | Unauthorized Access | Malware, Spyware | Application, Network Abuse | Data Leakage | Visibility | Control
Secure WAN Connectivity: Yes Yes Yes
Routing Security: Yes Yes Yes Yes
Service Resiliency (Device Hardening, QoS, Redundancy): Yes Yes Yes
Network Policy Enforcement (WAN Edge ACLs, Cisco Firewall, uRPF): Yes Yes Yes Yes Yes
Cisco IPS Integration: Yes Yes Yes Yes
Switching Security: Yes Yes Yes Yes
Secure Device Access: Yes Yes Yes Yes
Telemetry: Yes Yes Yes Yes Yes Yes
Chapter 8 Enterprise Branch
The enterprise branch, along with the enterprise WAN edge, provides users at geographically dispersed
remote sites access to the same rich network services as users in the main site. The availability and
overall security of the branch, the WAN edge, and the WAN transit are thus critical to global business
operations.
The challenge, from a security perspective, is enabling the enterprise to confidently embrace and extend
these rich global services and remote collaboration capabilities to all locations. This is achieved through
a defense-in-depth approach to security that extends and integrates consistent end-to-end security policy
enforcement and system-wide intelligence and collaboration across the entire enterprise network.
The aim of this chapter is to illustrate the role of the enterprise branch in this end-to-end security policy
enforcement, including how to apply, integrate, and implement the SAFE guidelines. See Figure 8-1.
Figure 8-1 Enterprise Branch (figure: business and collaboration applications at the main enterprise site, reached through the Enterprise WAN Edge over the Private WAN and the Internet by the empowered branches)
From a functional perspective, an enterprise branch typically includes the following:
• WAN edge device
Terminates the WAN link and may offer additional services, such as site-to-site VPN, local Internet
access, security, application optimization, and voice services. The device may be owned by the
enterprise or it may be owned and managed by a Service Provider (SP). The WAN link may be a
private network, the Internet, wireless, or a combination thereof.
• Switching infrastructure
Provides wired LAN access to clients and LAN distribution for local services.
• Local services infrastructure
Based on particular branch business needs, additional infrastructure may be deployed to support
local services such as voice, video, application servers, and wireless LAN, as well as security
services such as VPN, encryption, IPS, and firewall.
Remote access, teleworker, partner, customer, and Internet access are addressed in Chapter 6,
“Enterprise Internet Edge,” along with their related security guidelines.
Two typical enterprise branch architectures are illustrated in Figure 8-2.
Figure 8-2 Enterprise Branch Architecture (figure: a Medium Performance Branch and a High Performance Branch, showing IP phones, voice gateways and LWAPP access points, connected over the Private WAN and the Internet to the Private WAN Edge and Internet WAN Edge of the Enterprise WAN Edge)
For more information about SAFE for the enterprise WAN edge, see Chapter 7, “Enterprise WAN Edge.”
The following section describes the threats that the branch is exposed to and the security technologies
integrated to address them.
Key Threats in the Enterprise Branch
The threats addressed in the branch of an end-to-end enterprise architecture are focused on the following
key areas:
• Malicious activity by branch clients, including malware proliferation, botnet detection, network and
application abuse, and other malicious or non-compliant activity.
• WAN transit vulnerabilities such as sniffing and man-in-the-middle (MITM) attacks.
• Attacks against the infrastructure itself, such as unauthorized access, privilege escalation, and
denial-of-service (DoS) attacks.
Web and E-mail threats posed to branch clients, such as malicious web sites, compromised legitimate
web sites, spam, and phishing, are addressed as part of a centralized deployment in Chapter 6,
“Enterprise Internet Edge.” This assumes that the branch is not using split-tunneling. If a branch does
use split-tunneling, whereby there is local Internet access directly from the branch, web security must
be implemented locally.
The particular threat focus of an enterprise branch, and the specific security objectives and integration
elements to mitigate these threats, are shown in Table 8-1.
The design and integration of each of these security elements into the branch is addressed in the
following section.
Table 8-1 Key Threats in the Enterprise Branch
Threat Focus | Threats Mitigated | Security Objectives | Security Integration
Malicious branch client activity | Malware proliferation, botnets, worms, viruses, Trojans; application and network abuse | Detect and mitigate threats | IPS Integration; Endpoint Security; Web Security (1); E-mail Security (1)
WAN transit threats | Unauthorized access to network and data such as through sniffing and man-in-the-middle (MITM) attacks | Isolate and secure WAN data and access | Secure WAN Connectivity
Attacks against the infrastructure | Unauthorized access to devices, network and data; reconnaissance; DoS | Deliver resilient and highly available services | Routing Security; Service Resiliency; Network Policy Enforcement; Switching Security; Secure Device Access; Telemetry
1. Addressed as part of a centralized deployment in Chapter 6, “Enterprise Internet Edge,” assuming a non-split-tunneling policy at remote sites.
Design Guidelines for the Branch
Security integration in the branch addresses the key threat areas locally through the following:
• Secure WAN Connectivity in the Branch, page 8-4
• Routing Security in the Branch, page 8-5
• Service Resiliency in the Branch, page 8-8
• Network Policy Enforcement in the Branch, page 8-11
• IPS Integration in the Branch, page 8-18
• Switching Security in the Branch, page 8-23
• Endpoint Security in the Branch, page 8-27
• Secure Device Access in the Branch, page 8-28
• Telemetry in the Branch, page 8-29
As mentioned earlier, web and E-mail security are addressed as part of a centralized deployment in
Chapter 6, “Enterprise Internet Edge.” If localized web security is required, due to the use of
split-tunneling, Cisco offers a number of web and content security options, including the Cisco IronPort
S-Series, Cisco ASA 5500 Series, and Cisco IOS Content Filtering. For more information, see the Web
Security section of Appendix A, “Reference Documents.”
Secure WAN Connectivity in the Branch
The branch is reliant upon its WAN connectivity for access to centralized corporate services and
business applications, as well as, in many cases, Internet services. As such, the WAN is critical to service
availability and business operations. Consequently, the WAN must be properly secured to protect it
against compromise, including unauthorized access, and data loss and manipulation from sniffing or
man-in-the-middle (MITM) attacks.
The security objective is to provide confidentiality, integrity and availability of data as it transits the
WAN.
The design and implementation of secure WAN connectivity is addressed as an end-to-end system,
incorporating both the branch and the WAN edge. The key design recommendations and considerations
are presented in “Secure WAN Connectivity in the WAN Edge” section on page 7-5, but must be
developed in conjunction with the branch WAN design and tie together to provide an end-to-end, secure
WAN.
The recommendation for secure WAN connectivity includes the following:
• VPN for traffic isolation over the WAN
There are a number of VPN options and the choice will vary based on specific customer
requirements. DMVPN, for example, offers support for VPN over both a private WAN and the
Internet, as well as multicast and dynamic routing. Consequently, DMVPN can be integrated to
enable a common VPN implementation if both of these WAN types are deployed at remote sites.
• Public Key Infrastructure (PKI) for strong tunnel authentication
PKI provides secure, scalable, and manageable authentication that is critical to large-scale VPN
deployments. PKI also features the dynamic renewal and revocation of certificates that enables the
dynamic commissioning and decommissioning of branches with ease.
• Advanced Encryption Standard (AES) for strong encryption
Data over the Internet is vulnerable to sniffing; therefore, encryption is critical to data confidentiality
and integrity. Data over a private WAN can also be encrypted for maximum security or for
compliance reasons.
For more information on VPN technologies and PKI, refer to the WAN Design section of Appendix A,
“Reference Documents.”
Routing Security in the Branch
Routing in the branch is critical to service availability, and as such, it must be properly secured to protect
it against compromise, including unauthorized peering sessions and DoS attacks that may attempt to
inject false routes, and remove or modify routes.
The security of the routing is particularly important in the branch as it features a key network border,
supporting both an external and an internal routing domain. Consequently, it is critical, not only that the
external peering interface is properly secured, but that the routing information is properly filtered to
ensure that only necessary routes are advertised out and that only valid routes are propagated into the
internal routing table.
There are two routing domains to consider:
• External routing domain
Maximum routing security, including strict routing protocol membership, routing domain
termination and route redistribution filtering to ensure only the necessary routes are advertised.
• Internal routing domain
Routing security for internal interfaces is typically less stringent, though it should, at a minimum,
include neighbor authentication. In addition, if dynamic routing is not being used within the branch
itself, the routing domain should be terminated on the edge device.
The areas of focus, objectives and implementation options for routing security in the branch are outlined
in Table 8-2.
Table 8-2 Routing Security in the Branch
Routing Security Focus | Routing Security Objectives | Implementation
Restrict Routing Protocol Membership | Restrict routing sessions to trusted peers and validate the origin and integrity of routing updates | Routing peer definition; neighbor authentication; BGP TTL Security Hack (BTSH); default passive interface
Control Route Propagation | Ensure only legitimate networks are advertised and propagated | Terminate the external routing domain on the WAN edge (e.g., using EIGRP stub routing) (1); only advertise required routes to the external routing domain; terminate the internal routing domain if dynamic routing is not required in the branch (e.g., using EIGRP stub routing) (1); advertise branch routes over the VPN to the internal routing domain
Log Neighbor Changes | Detect neighbor status changes that may indicate network connectivity and stability issues, due to an attack or general operations problems | Neighbor logging on all routing domains
1. Stub routing is not supported in OSPF, thus outbound filters should be enforced to restrict route propagation.
A sample implementation of secure routing in the branch module is shown below and it integrates the
SAFE guidelines to:
• Authenticate all routing peers.
• Disable routing on all interfaces by default.
• Explicitly enable the internal routing domain on the VPN tunnels.
• Explicitly enable the external routing domain on interfaces to the private WAN.
• Only permit distribution of the directly-connected and summary branch subnets over the internal
routing domain.
• Limit router participation in the external router domain to learning only, preventing the distribution
of any routes from the branch into that routing domain.
• Enable neighbor logging on all routing domains.
! Internal Routing Domain
router eigrp 1
! By default disables routing on all interfaces
passive-interface default
! Enables internal routing on the VPN tunnels
no passive-interface Tunnel0
no passive-interface Tunnel1
network 10.0.0.0
no auto-summary
! EIGRP stub routing to only advertise directly connected networks and summarized routes
eigrp stub connected summary
! Enables neighbor logging
eigrp log-neighbor-changes
!
! External Routing Domain
router eigrp 100
! By default disables routing on all interfaces
passive-interface default
! EGP is permitted on interfaces to the Private WAN
no passive-interface GigabitEthernet0/1
network 192.168.0.0 0.0.255.255
no auto-summary
! Router only accepts, but does not explicitly advertise, any routes.
eigrp stub receive-only
! Enables neighbor logging
eigrp log-neighbor-changes
!
! Authenticate internal routing peers
key chain eigrp-auth
key 10
key-string
!
! Authenticate external routing peers
key chain eigrp-auth-egp
key 11
key-string
!
interface Tunnel0
description Private WAN Tunnel
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 eigrp-auth
!
interface Tunnel1
description Internet Tunnel
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 eigrp-auth
!
interface GigabitEthernet0/1
description Private WAN
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 eigrp-auth-egp
!
Note that neighbor logging is enabled by default in EIGRP; therefore, the eigrp log-neighbor-changes
command does not appear explicitly in the configuration.
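As an added example (not code from the SAFE guide), the Python audit below parses a branch configuration like the sample above and checks the guidelines it lists: passive-interface default on every EIGRP process, the external process restricted to receive-only stub, and MD5 authentication with a defined key chain on every non-passive interface. The embedded configuration is constructed to mirror the sample; the key-strings are placeholders.

```python
import re

# Constructed configuration mirroring the page's sample; key-strings are
# placeholders because the page elides them.
SAMPLE_CONFIG = """\
router eigrp 1
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
 network 10.0.0.0
 no auto-summary
 eigrp stub connected summary
!
router eigrp 100
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 192.168.0.0 0.0.255.255
 no auto-summary
 eigrp stub receive-only
!
key chain eigrp-auth
 key 10
  key-string PLACEHOLDER-INTERNAL
!
key chain eigrp-auth-egp
 key 11
  key-string PLACEHOLDER-EXTERNAL
!
interface Tunnel0
 description Private WAN Tunnel
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-auth
!
interface Tunnel1
 description Internet Tunnel
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 eigrp-auth
!
interface GigabitEthernet0/1
 description Private WAN
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 eigrp-auth-egp
!
"""


def parse_sections(config):
    """Split IOS config into (header, [child lines]); '!' ends a section."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
        elif not raw.startswith(" "):
            current = (raw.strip(), [])
            sections.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return sections


def audit_eigrp(config, external_asns=()):
    """Return a list of findings; an empty list means the guidelines are met."""
    processes, interfaces, key_chains = {}, {}, set()
    for header, body in parse_sections(config):
        words = header.split()
        if words[:2] == ["router", "eigrp"]:
            proc = {"passive_default": False, "active": [], "stub": None}
            for line in body:
                if line == "passive-interface default":
                    proc["passive_default"] = True
                elif line.startswith("no passive-interface "):
                    proc["active"].append(line.split()[-1])
                elif line.startswith("eigrp stub"):
                    proc["stub"] = line[len("eigrp stub"):].strip()
            processes[words[2]] = proc
        elif words[0] == "interface":
            auth = {}  # asn -> {"mode": ..., "key-chain": ...}
            for line in body:
                m = re.match(r"ip authentication (mode|key-chain) eigrp (\d+) (\S+)", line)
                if m:
                    auth.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
            interfaces[words[1]] = auth
        elif words[:2] == ["key", "chain"]:
            key_chains.add(words[2])

    findings = []
    for asn, proc in processes.items():
        if not proc["passive_default"]:
            findings.append(f"eigrp {asn}: missing 'passive-interface default'")
        if proc["stub"] is None:
            findings.append(f"eigrp {asn}: routing domain not terminated (no 'eigrp stub')")
        elif asn in external_asns and proc["stub"] != "receive-only":
            findings.append(f"eigrp {asn}: external domain must be 'eigrp stub receive-only'")
        # every interface that speaks EIGRP must authenticate with a defined key chain
        for ifname in proc["active"]:
            auth = interfaces.get(ifname, {}).get(asn, {})
            if auth.get("mode") != "md5" or "key-chain" not in auth:
                findings.append(f"{ifname}: eigrp {asn} neighbor authentication not configured")
            elif auth["key-chain"] not in key_chains:
                findings.append(f"{ifname}: key chain {auth['key-chain']} is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit_eigrp(SAMPLE_CONFIG, external_asns=("100",)) or ["compliant"]:
        print(finding)
```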
For more information on routing security, including design and configuration guidelines, see Chapter 2,
“Network Foundation Protection.”
Design Considerations
• Neighbor authentication and BTSH require identical configuration on routing peers in order to
accept routing updates. Consequently, the enterprise should work with their service provider to
enable these security features.
• If neighbor logging is enabled by default for a particular routing protocol, the logging commands
will not appear in the configuration. For example, this is currently the case for EIGRP.
Service Resiliency in the Branch
The resiliency of services provided by the branch infrastructure itself is critical to the operation of the
remote site. The branch edge is also a key network border. Consequently, all infrastructure devices and
links must be resilient to targeted, indirect, malicious and unintentional attacks, as well as general failure
scenarios. This is particularly important since the edge devices have external interfaces.
Possible attacks include DoS attacks based on unauthorized and authorized protocols, distributed DoS
(DDoS) attacks, flood attacks, reconnaissance and unauthorized access. General failure scenarios
include power outages, physical link failures, and device failures.
Service resiliency in the branch involves the following three key design areas:
• Device resiliency
• Central site service availability
• High availability
The areas of focus, objectives, and implementation options for service resiliency in the branch are
outlined in Table 8-3.
The particular considerations for QoS in the branch are covered below. For more information on the other
service resiliency techniques, including design and configuration guidelines, see Chapter 2, “Network
Foundation Protection.”
Table 8-3 Service Resiliency in the Branch
Service Resiliency Focus | Service Resiliency Objectives | Implementation
Restrict attack surface | Disable unnecessary services; address known vulnerabilities | Disable unnecessary services on all infrastructure devices; patch infrastructure devices with updated software
Harden the device | Protect device resources from exhaustion attacks by limiting, filtering and rate-limiting traffic destined to the control plane | Memory protection; port security on access ports; limit and rate-limit control plane traffic, including service-specific considerations (e.g., DHCP snooping and DAI on access switches); implement CoPP/CoPPr, if available
Preserve and optimize remote site services | Ensure any limited resources at a remote site, such as a low bandwidth WAN link or a low performance platform, are not overwhelmed, and optimize their utilization | QoS: ingress and egress QoS on the access switch, egress QoS on the WAN link; application optimization
Implement redundancy (1) | Deploy device, link and geographical diversity to eliminate single points of failure | Redundant devices; redundant links; redundant WAN providers; geographically diverse locations
1. The level of redundancy implemented in a branch is typically dependent on the size, business need, and budget associated with a particular site. In some cases, a decision may be taken to accept the risk associated with a particular failure scenario, in lieu, for example, of cost-saving.
Service resiliency should be complemented by network policy enforcement techniques that filter traffic
at the network edges, permitting only authorized services and originators to directly address the
infrastructure. These techniques restrict accessibility to the infrastructure in order to reduce exposure to
unauthorized access, DoS, and other network attacks. For more information, refer to the “Network Policy
Enforcement in the Branch” section on page 8-11.
QoS in the Branch
QoS is critical to the optimal performance and availability of business-critical services in a branch, even
under adverse network conditions, such as high data rates and worm outbreaks. In addition, since some
service control and all remote management are in-band, it is critical that QoS is employed to accurately
classify and prioritize control and management traffic.
The fundamental principles are to accurately classify and mark traffic at the access edge, then police and
schedule traffic at key network borders, particularly on links with limited resources that are subject to
congestion.
In a branch QoS implementation, the primary elements are as follows:
• Ingress QoS on the access ports
Accurately identify, classify, mark and police ingress traffic.
• Egress QoS on the access ports
Queuing according to the defined service classes of the enterprise QoS policy.
• Egress QoS on the access switch uplink
Queuing according to the defined service classes of the enterprise QoS policy. The DSCP markings
can be trusted as the ingress QoS policy has been enforced to mark or remark QoS settings.
• Egress QoS on the WAN link
Queuing according to the defined service classes of the enterprise QoS policy to optimize usage of
the, typically limited, WAN resources. The DSCP markings can be trusted as the ingress QoS policy
has been enforced to mark or remark QoS settings. See Figure 8-3.
Figure 8-3 QoS in the Branch (figure: ingress and egress QoS on the access ports, egress QoS on the access switch uplink, and egress QoS on the WAN links toward the Private WAN and the Internet)
QoS in the branch is just one element of an end-to-end QoS implementation, including per-branch egress
QoS on the WAN edge and consistent ingress classification and marking across all access edges of the
enterprise network.
The following is a sample branch QoS configuration:
! Define the Egress QoS policy
! Prioritize voice, interactive video, call signaling and control traffic
policy-map WAN-Edge-QoS
class Voice
priority percent 18
class Interactive-Video
priority percent 15
class Call-Signaling
bandwidth percent 5
class Network-Control
bandwidth percent 5
class Critical-Data
bandwidth percent 27
random-detect dscp-based
class Bulk-Data
bandwidth percent 4
random-detect dscp-based
class Scavenger
bandwidth percent 1
class class-default
bandwidth percent 25
random-detect
!
! Classify traffic into these service classes by DSCP marking
class-map match-all Bulk-Data
match ip dscp af11 af12
class-map match-all Interactive-Video
match ip dscp af41 af42
class-map match-any Network-Control
match ip dscp cs6
match ip dscp cs2
class-map match-all Critical-Data
match ip dscp af21 af22
class-map match-any Call-Signaling
match ip dscp cs3
match ip dscp af31
class-map match-all Voice
match ip dscp ef
class-map match-all Scavenger
match ip dscp cs1
!
! Let the egress policy classify tunnel traffic on the inner (pre-encryption) headers
interface Tunnel0
qos pre-classify
!
interface GigabitEthernet0/1
description Private WAN
service-policy output WAN-Edge-QoS
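The following lint, an added example rather than code from the SAFE guide, parses a policy-map and its class-maps as in the sample above and flags the mistakes that quietly defeat such a policy: allocations over 100%, a class with no class-map behind it, and a DSCP value claimed by two class-maps. It also warns when priority (LLQ) classes exceed about a third of the link, which is Cisco's general LLQ guidance and an assumption not stated on this page; the embedded configuration is constructed to mirror the sample.

```python
import re

# Constructed sample mirroring the page's branch QoS configuration.
SAMPLE_QOS = """\
policy-map WAN-Edge-QoS
 class Voice
  priority percent 18
 class Interactive-Video
  priority percent 15
 class Call-Signaling
  bandwidth percent 5
 class Network-Control
  bandwidth percent 5
 class Critical-Data
  bandwidth percent 27
  random-detect dscp-based
 class Bulk-Data
  bandwidth percent 4
  random-detect dscp-based
 class Scavenger
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  random-detect
!
class-map match-all Bulk-Data
 match ip dscp af11 af12
class-map match-all Interactive-Video
 match ip dscp af41 af42
class-map match-any Network-Control
 match ip dscp cs6
 match ip dscp cs2
class-map match-all Critical-Data
 match ip dscp af21 af22
class-map match-any Call-Signaling
 match ip dscp cs3
 match ip dscp af31
class-map match-all Voice
 match ip dscp ef
class-map match-all Scavenger
 match ip dscp cs1
!
"""


def parse_qos(config):
    """Return (policies, class_maps): policy -> class -> {priority|bandwidth: %},
    and class-map name -> set of DSCP values it matches."""
    policies, class_maps = {}, {}
    policy = cls = cmap = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):  # an unindented command starts a new block
            policy = cls = cmap = None
            words = line.split()
            if words[0] == "policy-map":
                policy = words[1]
                policies[policy] = {}
            elif words[0] == "class-map":
                cmap = words[-1]
                class_maps[cmap] = set()
        elif policy is not None:
            if line.startswith("class "):
                cls = line.split()[1]
                policies[policy][cls] = {}
            else:
                m = re.match(r"(priority|bandwidth) percent (\d+)$", line)
                if m and cls is not None:
                    policies[policy][cls][m.group(1)] = int(m.group(2))
        elif cmap is not None and line.startswith("match ip dscp "):
            class_maps[cmap].update(line.split()[3:])
    return policies, class_maps


def lint_qos(config, llq_limit=33):
    """Return findings for a branch QoS config; empty means nothing found."""
    findings = []
    policies, class_maps = parse_qos(config)
    for pname, classes in policies.items():
        total = sum(sum(alloc.values()) for alloc in classes.values())
        if total > 100:
            findings.append(f"{pname}: allocations total {total}% (over 100%)")
        # assumption: Cisco's LLQ guidance of about one third of the link
        llq = sum(alloc.get("priority", 0) for alloc in classes.values())
        if llq > llq_limit:
            findings.append(f"{pname}: priority classes total {llq}% (over {llq_limit}%)")
        for cname in classes:
            if cname != "class-default" and cname not in class_maps:
                findings.append(f"{pname}: class {cname} has no class-map, so it matches nothing")
    owner = {}  # dscp -> first class-map that claims it
    for cname, dscps in class_maps.items():
        for dscp in sorted(dscps):
            if dscp in owner:
                findings.append(f"dscp {dscp} matched by both {owner[dscp]} and {cname}")
            else:
                owner[dscp] = cname
    return findings


if __name__ == "__main__":
    print(lint_qos(SAMPLE_QOS) or "no findings")
```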
Design Considerations
• Do not trust traffic on access ports.
• Perform ingress QoS as close to the source as possible.
• Perform QoS in hardware.
• Implement per-branch egress QoS on the WAN edge.
• Enforce a consistent ingress QoS policy across all access edges of the enterprise network.
• Complement QoS on the WAN with application optimization to maximize application performance
and WAN utilization.
For more information on QoS, see the QoS Design section of Appendix A, “Reference Documents.”
Network Policy Enforcement in the Branch
The branch features two key network borders: a WAN edge and an access edge. Thus, it is critical to
enforce a strong network policy on both these network borders. This includes restricting the incoming
traffic that is permitted, blocking unauthorized access and validating the source IP address of traffic on
both the WAN interfaces and the access edge. Anomalous traffic is discarded as close to the edge of the
network as possible, thereby minimizing the risk of exposure.
Possible threats include unauthorized access and IP spoofing that can be used to anonymously launch an
attack, bypass network access and policy enforcement controls, and snoop data through MITM attacks
that combine IP and ARP spoofing.
The areas of focus, objectives, and implementation options for network policy enforcement in the
enterprise branch are listed in Table 8-4.
The particular considerations for WAN edge ACLs, access edge iACLs and firewall integration in a
branch are covered in detail below. For more information on the other network policy enforcement
techniques, including design and configuration guidelines, see Chapter 2, “Network Foundation
Protection.”
Table 8-4 Network Policy Enforcement in the Branch
Network Policy Enforcement Focus | Network Policy Enforcement Objectives | Implementation
Filter Incoming Traffic | Restrict incoming traffic to authorized sources and for authorized services only | WAN edge ACLs applied inbound on WAN interfaces; access edge iACLs applied inbound on the access edge; firewall integration
IP Spoofing Protection | Ensure traffic is topologically valid (i.e., sourced from a valid address that is consistent with the interface it is received on) | uRPF loose mode on WAN interfaces; IP Source Guard on access ports or uRPF on Layer 3 access edge
Additional Security Technologies
If the enterprise security posture assessment determines that additional access and policy control
technologies are a required element of the corporate security policy, then this must be extended and
integrated to the branch.
Additional technologies may include 802.1X, Identity-Based Networking Services (IBNS) and
Network Admission Control (NAC). For more information, see the Identity-Based Network Services
section of Appendix A, “Reference Documents.”
Design Considerations
• Consistent network policy enforcement on all key network borders
A consistent network policy must be enforced on all key network borders, including the WAN edge,
the Internet edge and the access edge. For more information on edge policy enforcement for WAN
Edge, refer to Chapter 7, “Enterprise WAN Edge.” For more information on edge policy
enforcement for the Internet edge, refer to Chapter 6, “Enterprise Internet Edge.”
• Address space planning
Careful planning of the corporate address space facilitates the definition and maintenance of traffic
filtering that is used in many areas of security policy enforcement, including ACLs, firewalls, route
filtering, and uRPF. It is recommended that a rational, summarized, or compartmentalized IP address
scheme be used across the enterprise network, enabling a manageable and enforceable security
policy and offering a significant benefit to overall network security.
For more information on address space planning, see Chapter 2, “Network Foundation Protection.”
• IP Spoofing Protection
Enforce IP spoofing protection on the access edge to enable generic and consistent access edge
iACLs to be enforced across the enterprise, thereby minimizing operational overhead. IP spoofing
protection removes the need to specify the particular access subnet as the source address in the ACL
entries, since the source IP address has already been validated.
For more information on IP spoofing protection, see Chapter 2, “Network Foundation Protection.”
WAN Edge ACLs
The primary objective of WAN edge ACLs is to restrict incoming traffic on the WAN links only to the
minimum required traffic and services, and only from authorized originators. This typically involves
permitting only the necessary routing updates from defined external routing peers, along with VPN
access to the WAN edge.
In addition, standard ingress edge filtering is enforced, per Best Current Practice (BCP) 38 and
RFC 2827, denying traffic with illegitimate, invalid, or reserved source addresses.
A WAN edge ACL for a branch with site-to-site VPN only thus typically features the following
elements:
• Deny fragments
• Deny the corporate address space originating from external sources
• Deny RFC1918 private address space (10/8, 172.16/12, 192.168/16)
• Deny RFC3330 special use IPv4 addressing (0.0.0.0, 127/8, 192.0.2/24, 224/4)
• Permit routing updates from authorized, external peers
• Permit VPN to WAN edge
• Permit ping and traceroute for troubleshooting
For more information on traffic filtering, see the Edge Filtering section of Appendix A, “Reference
Documents.”
Access Edge iACLs
The primary objective of iACLs on the access edge is to restrict client access to the network
infrastructure, thereby reducing the risk exposure of these devices. Consequently, direct traffic to the
infrastructure address space is blocked across all access edges of the enterprise.
In a branch, access edge iACLs are typically enforced on the branch edge router or, if a dedicated firewall
is deployed on the access edge, they are integrated into the firewall policy. This ensures ease of
operational management.
The following is a sample configuration (guidelines) for creating an iACL:
access-list 125 remark Client Access Edge iACL
! Permit Clients to perform ping and traceroute
access-list 125 remark Permit Client ping and traceroute
access-list 125 permit icmp any any ttl-exceeded
access-list 125 permit icmp any any port-unreachable
access-list 125 permit icmp any any echo-reply
access-list 125 permit icmp any any echo
! Permit VPN to Mgmt FW for local operational staff
access-list 125 remark Permit VPN to Mgmt FW
access-list 125 permit udp any host eq isakmp
access-list 125 permit esp any host
! Deny Client Access to Network Infrastructure Address Space
access-list 125 remark Deny Client to OOB Mgmt Network
access-list 125 deny ip any
access-list 125 remark Deny Client to NoC & Core
access-list 125 deny ip any
access-list 125 remark Deny Client to Internet Edge
access-list 125 deny ip any
access-list 125 remark Deny Client to WAN Edge
access-list 125 deny ip any
access-list 125 remark Deny Client to VPN Tunnels
access-list 125 deny ip any
access-list 125 remark Deny Client to Branch Infra
access-list 125 deny ip any
! Permit All Other Client Traffic
access-list 125 remark Permit Client Non-Infra traffic
access-list 125 permit ip any any
!
! Enforces ACL on Branch access port
interface GigabitEthernet0/0.10
description Wired Clients
ip access-group 125 in
Note that it is not necessary to specify the particular access subnet as the source address in the ACL
entries if IP source address validation is already being enforced; for example, through IP Source Guard
on the access ports. This enables generic and consistent iACLs to be deployed across the enterprise
access edge, thereby minimizing the operational overhead.
For more information on iACLs, see Chapter 2, “Network Foundation Protection.”
Design Considerations
• IP Spoofing Protection
Enforce IP spoofing protection on the access edge to enable generic and consistent access edge
iACLs to be enforced across the Enterprise, thereby minimizing operational overhead. IP spoofing
protection removes the need to specify the particular access subnet as the source address in the ACL
entries, since the source IP address has already been validated.
Firewall Integration in the Branch
Firewall integration in the branch enables the segmentation and enforcement of different security policy
domains. This provides enhanced protection from unauthorized access that may be required if, for
example, the branch features a point-of-sale (PoS) segment for credit card processing that requires PCI
compliance, if split-tunneling is being employed, if there is an unsecured wireless network or if there
are multiple user groups with different security policies to be enforced.
In addition, firewall integration offers more advanced, granular services, such as stateful inspection and
application inspection and control on Layer 2 through Layer 7. These advanced firewall services are
highly effective at detecting and mitigating TCP attacks and application abuse in HTTP, SMTP, IM/P2P,
voice, and other protocols.
The two common design criteria for firewall integration in a branch are cost and administrative domains
(i.e., who manages the infrastructure devices (NetOps, SecOps, SP)). A combination of these two factors
typically dictates the platform selection.
To meet the deployment criteria of each customer, Cisco offers two key firewall integration options:
• IOS Firewall
Cost-effective, integrated firewall that is typically implemented in the branch edge router. Cisco IOS
Firewall is offered as a classic, interface-based firewall or as a zone-based firewall (ZBFW) that
enables the application of policies to defined security zones.
• Adaptive Security Appliance (ASA) Series
Dedicated firewall enabling a highly scalable, high performance, high availability and fully featured
deployment on a range of platforms. It also supports distinct administrative domains, including a
separate NetOps and SecOps model, as well as deployments where the edge router is SP-owned and
managed.
For more information on firewall integration using either a Cisco IOS firewall or a Cisco ASA, see
the Firewall section of Appendix A, “Reference Documents.”
IOS Zone-based Firewall (ZBFW) Integration in a Branch
IOS ZBFW enables the creation of different security zones and the application of particular network
policies to each of these defined zones. The first design step is thus to determine the zones required,
based on the different network policies to be enforced. IOS ZBFW features an implicit deny for traffic
between zones, so zones need only be created where traffic flows are to be permitted between them.
Typical security zones for a branch are as follows:
• VPN
Tunnel interfaces to WAN edge hubs
• Clients
Client VLAN interfaces
• Infrastructure
Management VLAN and integrated modules, such as switch, WLAN infrastructure, and IPS
Since there is an implicit deny, unless a branch is hosting externally-accessible services, the definition
of a WAN zone is not required, because traffic from the WAN is not, by default, permitted to pass through
the ISR to internal interfaces.
A sample baseline IOS ZBFW design for a branch, illustrating some sample zones and the associated
permit policies to be enforced, is shown in Figure 8-4.
Figure 8-4 Sample IOS ZBFW Integration in a Branch
[Figure 8-4 shows three zones on the branch ISR: a VPN zone (Tunnel0 and Tunnel1 towards the Private WAN and Internet), an Infrastructure zone and a Client zone, with an implicit deny for non-permitted flows. Zone-pair policy matrix (source to destination): VPN to Infrastructure permit, VPN to Clients permit; Infrastructure to VPN permit, Infrastructure to Clients permit; Clients to VPN permit, Clients to Infrastructure deny.]
The following sample configuration illustrates the use of ZBFW on the branch:
zone security vpn
 description VPN to Corporate
zone security infra
 description Infrastructure Devices
zone security clients
 description Clients
zone-pair security clients-hq source clients destination vpn
 service-policy type inspect clients-hq-policy
zone-pair security infra-hq source infra destination vpn
 service-policy type inspect infra-hq-policy
zone-pair security hq-clients source vpn destination clients
 service-policy type inspect hq-clients-policy
zone-pair security hq-infra source vpn destination infra
 service-policy type inspect hq-infra-policy
zone-pair security infra-clients source infra destination clients
 service-policy type inspect infra-clients-policy
policy-map type inspect infra-clients-policy
 class type inspect frm-infra-class
  inspect
 class class-default
  drop
policy-map type inspect infra-hq-policy
 class type inspect frm-infra-class
  pass
 class class-default
  drop
policy-map type inspect hq-infra-policy
 class type inspect to-infra-class
  pass
 class class-default
  drop
policy-map type inspect clients-hq-policy
 class type inspect frm-clients-class
  pass
 class class-default
  drop
policy-map type inspect hq-clients-policy
 class type inspect to-clients-class
  pass
 class class-default
  drop
class-map type inspect match-any to-infra-class
 match access-group 104
class-map type inspect match-any to-clients-class
 match access-group 103
class-map type inspect match-any frm-infra-class
 match access-group 102
class-map type inspect match-any frm-clients-class
 match access-group 101
!
access-list 101 remark Client Source
access-list 101 permit ip 10.200.1.0 0.0.0.255 any
access-list 102 remark Infra Source
access-list 102 permit ip 10.201.1.0 0.0.0.255 any
access-list 103 remark Clients Dest
access-list 103 permit ip any 10.200.1.0 0.0.0.255
access-list 104 remark Infra Dest
access-list 104 permit ip any 10.201.1.0 0.0.0.255
Design Considerations
• An implicit deny applies as soon as a single zone is created on the device. Consequently, even if an
interface is not placed in a zone, traffic will, by default, be denied.
• Policies are, by default, only applied to traffic flowing through the device, not to traffic directed to
the device itself. This behavior can be modified by defining policies for what is referred to as the
self zone.
• Once a baseline IOS zone-based firewall (ZBFW) design has been developed, advanced firewall
inspection can easily be integrated by simply modifying the policies being enforced.
For more information on IOS ZBFW, see the Firewall section of Appendix A, “Reference Documents.”
ASA Integration in a Branch
The Adaptive Security Appliance (ASA) is a dedicated, fully featured firewall device enabling a
scalable, high performance and high availability design, depending on the needs of a particular branch.
It also provides support for separate management domains. See Figure 8-5.
The ASA is placed logically inline, between the branch access edge and the branch edge router, as well
as between any additional security domains, to enforce network policy at the branch. The ASA access
policy also typically includes access edge iACLs and, if the branch is hosting externally-accessible
services or the branch edge router is not owned and managed by the enterprise, WAN edge ACLs.
Figure 8-5 Sample ASA Integration in a Branch
The Cisco ASA enforces network access policies based on the security level of an interface, with a
default network access policy of an implicit permit for interfaces of the same security level, and an
implicit permit from a higher to a lower security level interface. It is recommended, however, to enforce
explicit policies as this provides maximum visibility into traffic flows.
For more information on the Cisco ASA, see the Firewall section of Appendix A, “Reference
Documents.”
A typical ASA deployment in a branch, as shown in Figure 8-5, illustrates the following:
• Access interfaces with a lower security level than the infrastructure interfaces. This ensures that, by
default, clients are not permitted access to other interfaces.
• Access interface network access rules can also integrate the access edge iACLs.
• An explicit permit must be defined for client access to non-infrastructure addresses.
• Infrastructure interfaces with a high security level permit traffic flows, by default, to other
interfaces.
• There are no external interfaces on this ASA but, if they exist, they should be assigned the lowest
security level and a strong network policy enforced.
• As with standard ACLs, a final, explicit deny should be enforced to provide maximum visibility into
traffic being denied.
[Figure 8-5 shows the ASA inline between the branch edge router (Tunnel0 and Tunnel1 towards the Private WAN and Internet) and the branch; Client Interfaces have security level 50, Infrastructure Interfaces have security level 100, and an explicit permit is defined for non-infrastructure traffic.]
A sample ASA branch configuration is shown in Figure 8-6, illustrating the network access policy being
enforced on a client access interface, including access edge iACLs.
Figure 8-6 Sample ASA Network Access Policy for a Client Access Interface
Additional policies can be enforced on the ASA, including application layer protocol inspection, IPS,
and QoS. For more information on the ASA, see the Firewall section of Appendix A, “Reference
Documents.”
IPS Integration in the Branch
Cisco IPS provides signature and reputation-based threat detection and mitigation for threats such as
worms, spyware, adware, network viruses, and application abuse. Its integration in a branch enables the
localized detection and mitigation of malicious and anomalous activity. This is highly effective at
enabling threats to be detected and mitigated in a timely manner and as close to the source as possible,
thereby reducing the possible impact on the rest of the corporate network.
In addition, Cisco IPS collaboration with other Cisco devices provides enhanced visibility and control
through system-wide intelligence. This includes host-based IPS collaboration with CSA,
reputation-based filtering and global correlation using SensorBase, automated threat mitigation with the
WLAN controller (WLC), multi-vendor event correlation and attack path identification using Cisco
Security Monitoring, Analysis, and Response System (CS-MARS), and common policy management
using Cisco Security Manager (CSM). For more information on Cisco security collaboration, see
Chapter 10, “Monitoring, Analysis, and Correlation,” and Chapter 11, “Threat Control and
Containment.”
The general IPS design considerations of deployment mode, scalability, availability and maximum threat
coverage apply to a branch but the branch also, typically, introduces cost and management
considerations that must be taken into account.
The Cisco IPS includes a wide range of platform options that enable customers to select a platform that
is appropriate to their deployment criteria, as shown in Figure 8-7.
Figure 8-7 Cisco IPS Deployment Options
This wide range of IPS platforms shares a common set of signatures and can all be remotely managed
by a central management platform, such as Cisco Security Manager (CSM). This enables consistent, rich
signature and policy enforcement across the entire enterprise network, facilitating IPS tuning and
operations, while at the same time accommodating the particular design criteria of diverse locations.
In large branch locations that require high scalability and availability, multiple IPS can be deployed.
Design Considerations
• IOS IPS currently only supports a sub-set of the signatures supported by the IPS devices and
modules. In addition, IOS IPS does not currently support collaboration with other Cisco devices.
• The IPS modules provide a cost-effective IPS solution that maintains a consistent, rich signature set
across all enterprise network IPS.
• IPS modules enable operational staff to easily migrate from promiscuous to inline mode, through a
simple configuration change on the host platform.
• IPS modules offer limited scalability and availability that must be taken into account in a design.
• Symmetrical traffic flows offer a number of important benefits, including enhanced threat detection,
reduced vulnerability to IPS evasion techniques and improved operations through reduced false
positives and false negatives. Consequently, leveraging the Cisco IPS Normalizer engine is a key
design element. If multiple IPS exist in a single flow, for instance, in multiple edge routers,
maintaining symmetric flows requires careful consideration of the IPS integration design.
• It is recommended that IPS monitoring is performed on internal branch interfaces only, in order to
focus threat detection and mitigation on internal threats. This prevents the local IPS and the
centralized monitoring station from being inundated with alerts that do not necessarily indicate a
risk.
[Figure 8-7 contrasts the two IPS platform families. Cisco IOS IPS: cost-effective, software-based IPS with a sub-set of signatures. Cisco IPS Series: highly scalable, high-availability, hardware-based IPS with a rich signature set and cross-network collaboration, enabling a separate administrative domain; dedicated appliances and integrated modules for ISR, ASA and Catalyst 6500 give flexible deployment options and consistent rich signature set and policy enforcement.]
• IPS can, alternately, be integrated in the enterprise WAN edge as a centralized IPS deployment. This
enables a scalable, highly available and cost-effective design, that also offers ease of management
advantages, since it typically features a smaller number of devices. The threat coverage offered by
this type of deployment must, however, be considered, since only traffic passing through the WAN
edge distribution block will be monitored. For more information on a centralized IPS deployment,
see Chapter 7, “Enterprise WAN Edge.”
• A combination of centralized and distributed IPS enables the appropriate deployment model to be
chosen according to the needs of a particular branch, while maintaining consistent policy
enforcement.
• IPS signature tuning enables the automated response actions taken by Cisco IPS to be tuned and
customized according to the customer environment and policy.
For more information on IPS design considerations as well as high scalability and availability IPS
designs, see “IPS Integration in the WAN Edge Distribution” section on page 7-19.
Implementation Option
• IPS Promiscuous Mode
Cisco IPS can also be deployed in promiscuous mode. In promiscuous mode, the IPS performs
passive monitoring, with traffic being passed to it through a monitoring port. Upon detection of
anomalous behavior, management systems are informed of an event and operational staff can
subsequently decide what action, if any, to take in response to an incident. The time between threat
detection and mitigation may thus be extended.
IPS Module Integration in a Cisco ISR
IPS integration in a small, cost-sensitive branch can leverage an IPS module integrated in the branch
edge ISR. Integration of an IPS module enables a consistent, rich signature set across all enterprise
network IPS.
IPS module integration is very simple to implement, with the IPS receiving traffic over the backplane of
the ISR. Once the module is installed, it is simply a case of enforcing IPS monitoring on the desired
interfaces. See Figure 8-8.
Figure 8-8 IPS Module Integration in a Cisco ISR
IPS monitoring is enforced on the ISR on a per-interface basis, as shown in the following example:
!
interface GigabitEthernet0/0.10
 description Wired Clients
 encapsulation dot1Q 10
 ip address 10.200.1.1 255.255.255.128
 ids-service-module monitoring inline
!
The IPS configuration is a standard, consistent IPS policy that is enforced across the enterprise, as shown
in Figure 8-9.
Figure 8-9 IPS Module in ISR Configuration
IPS Module Integration in a Cisco ASA
A branch with a Cisco ASA can integrate an IPS module in this ASA to provide a cost-effective,
integrated solution. Integration of an IPS module enables a consistent, rich signature set across all
enterprise network IPS.
IPS module integration is very simple to implement, with the IPS receiving traffic over the backplane of
the ASA. Once the module is installed, it is simply a case of enforcing IPS monitoring on the desired
interfaces. See Figure 8-10.
Figure 8-10 IPS Module Integration in a Cisco ASA
IPS monitoring is enforced on the ASA by applying a service policy on a per-interface basis, as
illustrated in Figure 8-11.
Figure 8-11 IPS Policy Enforcement on the ASA
The IPS configuration is a standard, consistent IPS policy that is enforced across the enterprise, as shown
in Figure 8-12.
Figure 8-12 IPS Module in ASA Configuration
For more information on ASA integration in a branch, see the “ASA Integration in a Branch” section on
page 8-17.
Switching Security in the Branch
Switching in the branch is critical to network services; therefore, its security and resiliency are vital to
business operations. Consequently, the switching infrastructure and services themselves must be
resilient to attacks against them, and they must offer protection to users and devices against attacks
within their Layer 2 domain.
Possible attacks include DoS attacks through Spanning Tree Protocol (STP) manipulation, MAC
flooding, DHCP starvation and unknown, multicast and broadcast frame flooding, reconnaissance,
unauthorized access and MITM attacks through DHCP server spoofing, ARP spoofing, VLAN hopping,
and STP manipulation. These attacks may be targeted or indirect, malicious or unintentional, conducted
by authorized or unauthorized users, or performed by malware.
Consistent policies should be enforced across all enterprise switches including those in the campus,
branch, data center, Internet edge and WAN edge, though taking into consideration the role of each
switch, for example, if it is an access edge switch, a distribution switch or a core switch. Consequently,
switching security in the branch involves extending and applying these same switching security policies
to the branch switches.
The areas of focus, objectives, and implementation options for switching security in a branch access
edge switch are listed in Table 8-5.
Table 8-5 Switching Security in the Branch Access Edge Switch
Switching Security Focus | Switching Security Objectives | Implementation
Restrict Broadcast Domains | Limit the Layer 2 domain in order to minimize the reach and possible extent of an incident | Restrict each VLAN to an access switch (1)
Spanning Tree Protocol (STP) Security | Restrict STP participation to authorized ports only | Rapid Per-VLAN Spanning Tree (PVST); BPDU Guard; STP Root Guard
DHCP Protection | Prevent rogue DHCP server and DHCP starvation attacks | DHCP Snooping on access VLANs
ARP Spoofing Protection | Prevent ARP spoofing-based MITM attacks | Dynamic ARP Inspection (DAI) on access VLANs (2)
IP Spoofing Protection | Ensure traffic is topologically valid (i.e., sourced from a valid address that is consistent with the interface it is received on) | IP Source Guard on access ports or uRPF on Layer 3 access edge
MAC Flooding Protection | Prevent switch resource exhaustion attacks that can cause flooding of a Layer 2 domain | Port security on access ports
VLAN Best Common Practices | Apply VLAN security guidelines across the infrastructure | Define a port as a trunk, access or voice port rather than enabling negotiation; VTP transparent mode; Disable unused ports and place in an unused VLAN; Use all tagged mode for the native VLAN on trunks; Traffic storm control
1. Keeping VLANs unique to an access switch is an enterprise campus BCP. For more information on enterprise campus design, see the Campus Design section of Appendix A, “Reference Documents.”
2. ARP spoofing attacks are often conducted in combination with IP spoofing, in order to avoid traceability. Consequently, IP spoofing protection should also be enforced on a switch. For more information on IP spoofing protection, see Chapter 2, “Network Foundation Protection.”
The following is a sample secure switching configuration:
Global Configuration
! Spanning Tree Security
spanning-tree mode pvst
spanning-tree portfast bpduguard default
! Enable DHCP Snooping on Access VLANs
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip dhcp snooping
! Enable DAI on Access VLANs with ARP ACLs for Default Gateway
ip arp inspection vlan 10,20
ip arp inspection filter staticIP vlan 10,20
arp access-list staticIP
 permit ip host 10.200.1.1 mac host 0015.622e.8c88
 permit ip host 10.200.1.129 mac host 0015.622e.8c88
! VTP Transparent Mode
vtp mode transparent
vlan 10
 name DATA
!
vlan 20
 name VOICE
!
vlan 201
 name Mgmt
!
vlan 2000
 name Unused
!
! Native VLAN Tagging
vlan dot1q tag native
!
! Access Port
interface FastEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection limit rate 100
 load-interval 60
 priority-queue out
 no snmp trap link-status
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip verify source
 ip dhcp snooping limit rate 15
!
! Trunk Port to ISR
interface GigabitEthernet1/0/1
 description Trunk to ISR
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,201
 switchport mode trunk
 ip arp inspection trust
 load-interval 60
 ip dhcp snooping limit rate 15
 ip dhcp snooping trust
!
! Unused Port
interface GigabitEthernet1/0/4
 switchport access vlan 2000
 shutdown
 no cdp enable
The particular considerations for DHCP protection and ARP spoofing protection in a branch are covered
in detail below. For more information on the other switching security techniques, including design and
configuration guidelines, see Chapter 2, “Network Foundation Protection.”
Design Considerations
• Rate-limiting must be enabled for both DHCP snooping and DAI in order to ensure that these
features do not create a DoS vector.
• If automatic recovery of an interface after a security violation is not enabled, the interface will
remain in an error-disabled state until it is manually recovered with a shutdown and no shutdown.
• DAI is highly effective for ARP spoofing protection in DHCP environments but must be bypassed
for any device that does not use DHCP. This is achieved either by explicitly defining the interface it
is connected to as trusted, or by creating an ARP inspection ACL to permit the source MAC and IP
address of that device.
• The operational management of the switching infrastructure can be greatly enhanced by leveraging
Smartports macros on a Cisco switch. Smartports macros enable customized port templates to be
defined according to corporate policy and applied to ports on an as-needed basis. This ensures
consistent policy enforcement, eases operations and avoids misconfiguration. For more information
on Smartports macros, see the Switching Security section of Appendix A, “Reference Documents.”
DHCP Protection
DHCP protection is critical to ensure that a client on an access edge port is not able to spoof or
accidentally bring up a DHCP server, nor exhaust the entire DHCP address space by using a
sophisticated DHCP starvation attack.
Both these attacks are addressed with the Cisco IOS DHCP snooping feature that performs two key
functions to address these attacks:
• Rogue DHCP Server Protection
If reserved DHCP server responses (DHCPOFFER, DHCPACK, and DHCPNAK) are received on
an untrusted port, the interface is shut down.
• DHCP Starvation Protection
Validates that the source MAC address in the DHCP payload on an untrusted interface matches the
source MAC address registered on that interface.
In addition, DHCP snooping rate-limiting must be enabled to harden the switch against a resource
exhaustion based DoS attack.
For more information on the DHCP Snooping feature, see the Switching Security section of Appendix A,
“Reference Documents.”
ARP Spoofing Protection
ARP spoofing protection ensures that a client on an access edge port is not able to perform a MITM
attack by sending a gratuitous ARP that presents its MAC address as that associated with a different IP
address, such as that of the default gateway.
This attack is addressed with the Cisco IOS Dynamic ARP Inspection (DAI) feature that validates that
the source MAC and IP address in an ARP packet received on an untrusted interface matches the source
MAC and IP address registered on that interface.
DAI is enabled on a per-VLAN basis and all interfaces in that VLAN are untrusted by default.
Consequently, for a device that does not use DHCP, such as the default gateway, ARP inspection must
be bypassed by either explicitly defining the interface it is connected to as trusted, or creating an ARP
inspection ACL to permit the source MAC and IP address of that device.
In addition, DAI rate-limiting must be enabled to harden the switch against a resource exhaustion-based
DoS attack.
For more information on the DAI feature, see the Switching Security section of Appendix A, “Reference
Documents.”
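The DHCP Protection and ARP Spoofing Protection sections above describe the checks that DHCP snooping and DAI perform; the following Python model, added here and not part of the Cisco SAFE guide, re-creates those checks so they can be run against constructed traffic. Port names, the binding-table layout and all client MAC/IP values are made up; the gateway ARP ACL entries (10.200.1.1 and 10.200.1.129 with MAC 0015.622e.8c88) and the rate limits (15 pps for DHCP, 100 pps for ARP) are taken from the guide's sample switch configuration.

```python
"""DHCP snooping and Dynamic ARP Inspection (DAI) modelled in Python.

Added example, not from the Cisco SAFE guide. Port names, the binding-table
layout and all client MAC/IP values are constructed; the gateway ARP ACL
entries and the 15 pps / 100 pps rate limits come from the guide's sample
switch configuration.
"""
from dataclasses import dataclass, field

DHCP_SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False   # ip dhcp snooping trust / ip arp inspection trust
    dhcp_rate: int = 15     # ip dhcp snooping limit rate 15
    arp_rate: int = 100     # ip arp inspection limit rate 100
    errdisabled: bool = False


@dataclass
class Switch:
    snooping_vlans: set
    dai_vlans: set
    arp_acl: dict = field(default_factory=dict)   # ip -> mac, for devices not using DHCP
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> (mac, port name)
    pending: dict = field(default_factory=dict)   # client mac -> port name, awaiting ACK

    def dhcp_snoop(self, port, msg, src_mac, chaddr, yiaddr=None, pps=1):
        """Return the snooping decision for one DHCP message received on port."""
        if port.errdisabled:
            return "drop: port err-disabled"
        if port.vlan not in self.snooping_vlans:
            return "forward"
        if port.trusted:
            # Server side (trunk to the ISR): learn the lease into the binding table.
            if msg == "DHCPACK" and chaddr in self.pending:
                self.bindings[(port.vlan, yiaddr)] = (chaddr, self.pending.pop(chaddr))
            return "forward"
        if pps > port.dhcp_rate:
            port.errdisabled = True
            return "err-disable: DHCP rate limit exceeded"
        if msg in DHCP_SERVER_MSGS:
            # Rogue DHCP server protection: server replies never arrive on access ports.
            port.errdisabled = True
            return "err-disable: DHCP server message on untrusted port"
        if chaddr != src_mac:
            # DHCP starvation protection: payload MAC must match the frame source MAC.
            return "drop: chaddr does not match frame source MAC"
        self.pending[chaddr] = port.name
        return "forward"

    def dai_inspect(self, port, sender_ip, sender_mac, pps=1):
        """Return the DAI decision for one ARP packet received on port."""
        if port.errdisabled:
            return "drop: port err-disabled"
        if port.vlan not in self.dai_vlans or port.trusted:
            return "forward"
        if pps > port.arp_rate:
            port.errdisabled = True
            return "err-disable: ARP rate limit exceeded"
        if sender_ip in self.arp_acl:
            # Static device such as the default gateway: only the ARP ACL can vouch for it.
            if self.arp_acl[sender_ip] == sender_mac:
                return "forward"
            return "drop: ARP ACL mismatch (gateway impersonation attempt)"
        if self.bindings.get((port.vlan, sender_ip)) == (sender_mac, port.name):
            return "forward"
        return "drop: no DHCP snooping binding for this IP/MAC on this port"


def run_demo():
    """Replay constructed traffic through the model; returns (label, decision) pairs."""
    sw = Switch(snooping_vlans={10, 20}, dai_vlans={10, 20},
                arp_acl={"10.200.1.1": "0015.622e.8c88",
                         "10.200.1.129": "0015.622e.8c88"})
    client = Port("Fa1/0/2", vlan=10)
    rogue = Port("Fa1/0/3", vlan=10)
    uplink = Port("Gi1/0/1", vlan=10, trusted=True)  # trunk to ISR; frames here are VLAN 10
    client_mac, lease_ip = "0011.2233.4455", "10.200.1.50"   # constructed client values
    return [
        ("client request", sw.dhcp_snoop(client, "DHCPREQUEST", client_mac, client_mac)),
        ("server ack", sw.dhcp_snoop(uplink, "DHCPACK", "0015.622e.8c88", client_mac, lease_ip)),
        ("rogue offer", sw.dhcp_snoop(rogue, "DHCPOFFER", "0011.2233.6666", "0011.2233.6666")),
        ("starvation", sw.dhcp_snoop(client, "DHCPDISCOVER", client_mac, "0066.7788.99aa")),
        ("arp valid", sw.dai_inspect(client, lease_ip, client_mac)),
        ("arp gw spoof", sw.dai_inspect(client, "10.200.1.1", client_mac)),
        ("arp real gw", sw.dai_inspect(uplink, "10.200.1.1", "0015.622e.8c88")),
        ("arp flood", sw.dai_inspect(client, lease_ip, client_mac, pps=500)),
    ]


if __name__ == "__main__":
    for label, decision in run_demo():
        print(f"{label:15} {decision}")
```

The binding learned from the DHCPACK on the trusted trunk is what lets the client's later ARP pass, while the same client claiming the gateway address is dropped by the ARP ACL rather than the binding table.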
Endpoint Security in the Branch
Enterprise clients and servers are exposed to a range of threats, including malware, botnets, worms,
viruses, trojans, spyware, theft of information, and unauthorized access. Consequently, the vulnerability
of any particular endpoint can impact the security and availability of an entire enterprise network.
Endpoint security is thus a critical element of an integrated, defense-in-depth approach to security,
protecting both the endpoint itself and the corporate network to which it connects. Consistent policies
should be enforced across all enterprise clients and servers, and so endpoint security in the branch
involves extending and applying these same security policies to branch endpoints.
Endpoint security must not only harden the endpoint against the initial attack, compromise and
subsequent activity, but also against general malicious and non-compliant client activity. This is generally
referred to as host-based IPS and the key elements are as follows:
• Protection against known attacks
Signature-based threat detection and mitigation, such as known worms and viruses.
• Protection against zero-day or unpatched attacks
Behavioral-based threat detection and mitigation, such as attempts to load an unauthorized kernel
driver, overflow a buffer, capture keystrokes, create rogue services, modify system configuration
settings and insert code into other processes.
• Policy enforcement
Host-based IPS functionality to support all these key elements is provided by the Cisco Security Agent
(CSA). CSA is deployed on all endpoints and centralized policy management and enforcement is
performed by the CSA Management Center (CSA-MC), enabling a common and consistent policy
enforcement across all enterprise endpoints.
For more information on CSA and endpoint security in the enterprise, see Chapter 5, “Enterprise
Campus.”
Design Considerations
• Endpoint security protects the client even when it is not connected to the corporate network,
such as at a hotel, a hotspot or home.
• CSA on enterprise endpoints is typically managed by a centralized CSA MC. CSA continues to
protect the endpoint, even when the CSA MC is not accessible and so a branch WAN outage is not
an issue.
• CSA policies that are enforced based on location-aware policies must take into consideration the fact
that the CSA MC may not always be reachable by branch endpoints. For instance, a policy that
blocks local network access if the CSA MC is not reachable may not be viable in a branch.
• User behavior is a key factor in endpoint and overall network security. This is becoming even more
critical as attacks evolve to focus on social engineering and targeted attacks. CSA can be leveraged
to reinforce user education and training by, for instance, advising users when they perform an
anomalous action, outlining the risks it presents and the associated corporate policy, before allowing
them to permit the action, along with, perhaps, a justification.
Complementary Technology
Additional endpoint security includes the following:
• Cisco Security Services Client (CSSC)
The CSSC is a software supplicant that enables identity-based access and policy enforcement on a
client, across both wired and wireless networks. This includes the ability to enforce secure network
access controls, such as requiring the use of WPA2 for wireless access and automatically starting a
VPN connection when connected to a non-corporate network.
For more information on CSSC, see the Endpoint Security section of Appendix A, “Reference
Documents.”
• System and application hardening
It is critical that the operating system and applications running on an endpoint are hardened and
secured in order to reduce the attack surface and render the endpoint as resilient to attacks as
possible. This involves implementing a secure initial configuration, the regular review of
vulnerabilities and the timely application of any necessary updates and security patches.
• User education and training
End-users should receive ongoing education and training to make them aware of the role they play
in mitigating existing and emerging threats, including how to be secure online, protecting corporate
data, and minimizing their risk. This should be presented in a simple, collaborative way to reinforce
the defined corporate policies.
Secure Device Access in the Branch
Access to all infrastructure devices in the branch must be secured. If infrastructure device access is
compromised, the security and management of the entire network can be compromised. Consequently,
it is critical to establish the appropriate controls in order to prevent unauthorized access to infrastructure
devices.
There will be some variations in the actual implementation of secure device access, based on the
particular device and software release, but all the fundamental objectives must be applied:
• Restrict device accessibility
Limit the accessible ports and access services, restrict access to authorized services from authorized
originators only, enforce session management and restrict login vulnerability to dictionary and DoS
attacks
• Present legal notification
Display legal notice, developed in conjunction with company legal counsel, for interactive sessions.
• Authenticate access
Ensure access is only granted to authenticated users, groups, and services.
• Authorize actions
Restrict the actions and views permitted by any particular user, group, or service.
• Ensure the confidentiality of data
Protect locally stored sensitive data from viewing and copying. Consider the vulnerability of data in
transit over a communication channel to sniffing, session hijacking, and MITM attacks.
• Log and account for all access
Record who accessed the device, what occurred, and when for auditing purposes.
For more information on secure device access, including design and configuration guidelines for the
areas outlined above, see Chapter 2, “Network Foundation Protection.”
Design Considerations
• Remote Management
Remote management typically occurs in-band for remote sites; therefore, it is critical that
management access and management traffic be properly isolated, secured, and resilient to
challenging network events, such as high data rates and worm outbreaks. This is achieved through
service resiliency measures designed to ensure remote manageability even under adverse
circumstances, including device hardening and QoS. For more information on service resiliency, see
the “Service Resiliency in the Branch” section on page 8-8.
• Integrated IPS Module Access
It is generally recommended that outgoing access is not permitted on a device, unless explicitly
required. One example of such a requirement is access to an IPS module integrated in an ISR.
Console access to the integrated IPS module is only available through a reverse telnet from the host
ISR. Consequently, outgoing telnet must be permitted on the host ISR console and VTY lines.
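As an added example, not configuration taken from the guide, the following IOS fragment applies the secure device access objectives above to a branch ISR: central AAA through ACS with a local fallback, a legal banner, SSH-only VTY access from the management subnet, login-attack throttling, and outgoing telnet left enabled for the reverse-telnet path to an integrated IPS module. <MGMT-SUBNET>/<WILDCARD>, <TACACS+-SVR-1>/<TACACS+-SVR-2>, every key or secret string and the banner text are placeholders.

```cisco
! Secure device access baseline for a branch ISR (added example, not the guide's own configuration;
! <MGMT-SUBNET>/<WILDCARD>, <TACACS+-SVR-1>/<TACACS+-SVR-2>, the key/secret strings and the banner are placeholders)
!
! SSH needs a hostname, a domain name and an RSA key (exec: crypto key generate rsa modulus 2048)
hostname BRANCH-RTR
ip domain-name <CORP-DOMAIN>
!
! Authenticate access and authorize actions centrally (ACS over TACACS+); the local user is only
! consulted when no TACACS+ server answers. Account for every session and every level-15 command.
aaa new-model
tacacs-server host <TACACS+-SVR-1> key <TACACS-KEY>
tacacs-server host <TACACS+-SVR-2> key <TACACS-KEY>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret <LOCAL-FALLBACK-SECRET>
enable secret <ENABLE-SECRET>
! Protect locally stored credentials from viewing and copying of the running configuration
service password-encryption
!
! Legal notification presented before every interactive login
banner login ^C
<LEGAL-NOTICE-TEXT agreed with corporate legal counsel>
^C
!
! Restrict device accessibility: SSHv2 only, reachable only from the management subnet.
! Outgoing telnet stays permitted on the VTY and console lines because reverse telnet is the
! only path to the console of an integrated IPS module.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
access-list 10 permit <MGMT-SUBNET> <WILDCARD>
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
 transport output ssh telnet
 exec-timeout 10 0
line con 0
 transport output ssh telnet
 exec-timeout 10 0
!
! Reduce exposure to dictionary and login-DoS attacks: after 5 failed logins within 60 s, refuse
! further logins for 120 s (the management subnet is exempt), and log every success and failure
login block-for 120 attempts 5 within 60
login quiet-mode access-class 10
login on-failure log
login on-success log
!
! Drop the plaintext HTTP server; HTTPS (used by CSM) is kept but limited to the management subnet
no ip http server
ip http secure-server
ip http access-class 10
!
! Verify: "show login" reports quiet-mode state and failure counters, "show ip ssh" the SSH
! version in use, and "show users" the active sessions and their source addresses.
```

The `access-list 10 deny any log` entry is what turns rejected management connections into syslog events; together with `login on-failure log` it gives the telemetry described in the next section something to correlate.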
Telemetry in the Branch
Telemetry must be extended to the branch in order to provide visibility into its status, as well as activity
on both the local network and its external interfaces. This enables the timely and accurate detection and
mitigation of anomalies. Consequently, telemetry is enabled across all infrastructure devices in the
branch and integrated with a centralized management system for event monitoring, analysis, and
correlation. The key elements include:
• Synchronize time
Synchronize all network devices to the same network clock by using Network Time Protocol (NTP)
to enable accurate and effective event correlation.
• Monitor system status information
Maintain visibility into overall device health by monitoring CPU, memory, and processes.
• Implement CDP best common practices
Enable CDP on all infrastructure interfaces for operational purposes but disable CDP on any
interfaces where CDP may pose a risk, such as external-facing interfaces.
• Enable remote monitoring
Use syslog and SNMP to a centralized server, such as CS-MARS, for cross-network data
aggregation. This enables detailed and behavioral analysis of the data which is key to traffic
profiling, anomaly-detection and attack forensics, as well as general network visibility and routine
troubleshooting.
For more information on telemetry, including design and configuration guidelines for the areas outlined
above, see Chapter 2, “Network Foundation Protection.”
For more information on remote monitoring, analysis and correlation, including syslog, SNMP and
NetFlow, see Chapter 10, “Monitoring, Analysis, and Correlation.”
Design Considerations
• CDP is enabled by default in Cisco IOS and should be disabled on all external-facing interfaces. This
can be verified on a per-interface basis using the command show cdp interface.
• CDP may pose a risk on access ports but it should be noted that some services, such as Cisco UC
phones, require CDP. Thus, care must be taken when disabling CDP.
• As with secure device access, the isolation of management access and management traffic is
recommended using an out-of-band (OOB) network in order to provide an extra degree of security.
This is typically employed using an OOB network that is physically independent of the data network
and features limited and strictly controlled access. For more information on the implementation of
a management network, refer to Chapter 9, “Management.”
• One key element to consider is that, since these are remote sites, telemetry and remote management
are typically in-band. It is thus critical that QoS is employed to accurately classify and prioritize
control and management traffic. This will ensure continuing service availability and remote
management even under adverse network conditions, such as high data rates and worm outbreaks.
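As an added example, not configuration from the guide, the following IOS fragment puts the telemetry elements and the CDP design considerations above onto a branch ISR: time-zoned syslog to the central collector, SNMPv3 with authentication and privacy restricted to the management subnet, a CPU threshold trap, and CDP disabled only on the WAN-facing interface. <MARS-IP>, <MGMT-SUBNET>/<WILDCARD>, the SNMPv3 passphrases and the interface names are placeholders; NTP is configured as described in the Chapter 9 NTP design and is not repeated here.

```cisco
! Telemetry baseline for a branch ISR (added example, not the guide's own configuration;
! <MARS-IP>, <MGMT-SUBNET>/<WILDCARD>, the SNMPv3 passphrases and interface names are placeholders)
!
! Timestamps with milliseconds and the time zone, plus sequence numbers, so events from
! every device line up at the collector and gaps in the log are visible
service timestamps log datetime msec show-timezone
service timestamps debug datetime msec show-timezone
service sequence-numbers
!
! Monitor system status: keep a local buffer for forensics if the collector is unreachable,
! and raise an event when total CPU stays above 80% for 5 s (clearing when it falls below 20%)
logging buffered 65536 informational
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
!
! Remote monitoring: syslog to the central collector (CS-MARS in this design), always
! sourced from the loopback so the collector sees one stable address per device
logging source-interface Loopback0
logging trap informational
logging host <MARS-IP>
!
! SNMPv3 (auth + priv) instead of v1/v2c community strings; read-only, and only answered
! for requests that come from the management subnet (ACL 10)
access-list 10 permit <MGMT-SUBNET> <WILDCARD>
access-list 10 deny any log
snmp-server view MGMT-VIEW iso included
snmp-server group MGMT-RO v3 priv read MGMT-VIEW access 10
snmp-server user mgmt-ro MGMT-RO v3 auth sha <SNMP-AUTH-PASSPHRASE> priv aes 128 <SNMP-PRIV-PASSPHRASE>
snmp-server trap-source Loopback0
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps cpu threshold
snmp-server host <MARS-IP> version 3 priv mgmt-ro
!
! CDP: left enabled on the internal interfaces (Cisco UC phones on access ports depend on it)
! and switched off on the external-facing WAN interface only
interface Serial0/0/0
 description WAN uplink to the headquarters
 no cdp enable
!
! Verify: "show cdp interface" lists only the interfaces still running CDP, "show logging"
! shows the trap level and configured host, and "show snmp user" confirms the v3 user.
```

Sending SNMP authentication-failure traps is deliberate: repeated failures against the v3 user from an unexpected source are an early sign of reconnaissance against the management plane and are cheap to alert on at the collector.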
Threats Mitigated in the Enterprise Branch
Table 8-6 Enterprise Branch Threat Mitigation Features
Threat columns (each row lists one Yes per mitigated column): Botnets; DoS; Unauthorized Access; Phishing, Spam; Malware, Spyware; Application, Network Abuse; Data Leakage; Visibility; Control
Secure WAN Connectivity: Yes Yes Yes
Routing Security: Yes Yes Yes Yes
Service Resiliency (Device Hardening, QoS, Redundancy): Yes Yes Yes
Network Policy Enforcement (WAN Edge ACLs, Access Edge iACLs, Cisco Firewall, IP Source Guard or uRPF): Yes Yes Yes Yes Yes
Cisco IPS Integration: Yes Yes Yes Yes
Switching Security: Yes Yes Yes Yes
Endpoint Security: Yes Yes Yes Yes Yes Yes Yes Yes Yes
Secure Device Access: Yes Yes Yes Yes
Telemetry: Yes Yes Yes Yes Yes
Web and E-mail threats, such as malicious web sites, compromised legitimate web sites, spam, and
phishing, are addressed as part of a centralized deployment in the enterprise Internet edge (see Chapter 6,
“Enterprise Internet Edge.”) If a branch employs split-tunneling, whereby there is local Internet access
direct from the branch, web security must be implemented locally. This can be achieved using the Cisco
IronPort S-Series, Cisco ASA 5500 Series, or Cisco IOS Content Filtering. For more information, see
the Web Security section of Appendix A, “Reference Documents.”
Chapter 9 Management
The primary goal of the management module is to facilitate the secure management of all devices and
hosts within the enterprise network architecture. The management module is key for any network
security management and reporting strategy. It provides the servers, services, and connectivity needed
for the following:
• Device access and configuration
• Event collection for monitoring, analysis, and correlation
• Device and user authentication, authorization, and accounting
• Device time synchronization
• Configuration and image repository
• Network access control manager and profilers
Logging and reporting information flows from the network devices to the management hosts, while
content, configurations, and new software updates flow to the devices from the management hosts.
Key devices that exist in the Management Module relevant for security include the following:
• CS-MARS—Event Monitoring, Analysis, and Correlation (EMAC) system that provides
network-wide security intelligence and collaboration allowing quick identification and rapid
reaction to threats. CS-MARS collects, trends, and correlates logging and event information
generated by routers, switches, firewalls, intrusion prevention systems, Cisco Access Control
Servers (ACS) and the management center for Cisco Security Agents (CSA-MC). CS-MARS
collects network configuration and event information using protocols like syslog, SNMP, Telnet,
SSH, and NetFlow. In addition, CS-MARS integrates with Cisco Security Manager (CSM) to
provide a comprehensive security monitoring and management solution that addresses configuration
management, security monitoring, analysis, and mitigation.
• Cisco Security Manager (CSM)—Management application used to configure firewall, VPN, and
intrusion prevention services on Cisco network and security devices. CSM communicates with
Cisco network and security devices using telnet, SSH, HTTP, or HTTPs.
• Network Access Control (NAC) Manager—Communicates with and manages the Cisco NAC
Server. Provides a web-based interface for creating security policies, managing online users, and
acts as an authentication proxy for authentication servers on the backend such as ACS.
• Access Control Server (ACS)—Provides Authentication, Authorization, and Accounting (AAA)
services for routers, switches, firewalls, VPN services, and NAC clients. In addition, ACS also
interfaces with external backend Active Directory and LDAP authentication services.
• System administration host—Provides configuration, software images, and content changes on
devices from a central server.
• Configuration and software archive host—Provides repository for device configuration and system
image backup files.
• Network Time Protocol (NTP) server—Used for time synchronization.
• Firewall/VPN—Provides granular access control for traffic flows between the management hosts
and the managed devices for in-band management. Firewall also provides secure VPN access to the
management module for administrators located at the campus, branches and other places in the
network.
Note The best practices for enabling secure administrative access with protocols like SSH and SNMP are
provided in Chapter 2, “Network Foundation Protection.” Chapter 10, “Monitoring, Analysis, and
Correlation” describes the best practices for the secure configuration of device access and reporting
access required by CS-MARS.
Note The NAC Profiler server is typically deployed in the management module alongside the NAC Manager.
However, if NAT is being performed on the firewall protecting the management module from the data
network, then the NAC Profiler server needs to be located outside the management module such that
there is no NAT between the NAC server (acting as the collector) and NAC Profiler. For more
information, refer to the “NAC Appliance” section on page 5-33 and “NAC Profiler” section on
page 5-45.
Key Threats in the Management Module
The following are some of the expected threat vectors affecting the management module:
• Unauthorized Access
• Denial-of-Service (DoS)
• Distributed DoS (DDoS)
• Man-in-the-Middle (MITM) Attacks
• Privilege escalation
• Intrusions
• Network reconnaissance
• Password attacks
• IP spoofing
Management Module Deployment Best Practices
The SAFE architecture design includes a management network module dedicated to carrying control and
management plane traffic such as NTP, SSH, SNMP, VPN, TACACS+, syslog, and NetFlow reporting.
The management module provides configuration management for nearly all devices in the network
through the use of two primary technologies: Cisco IOS routers acting as terminal servers and a
dedicated management network segment implemented either on separated hardware or VLANs. The
dedicated management network segment provides the primary method for managing network devices
using secure transport protocols such as SSH and HTTPS. Hardened terminal servers provide backup
console and CLI access to the network devices using the reverse-telnet function.
Because the management network has administrative access to nearly every area of the network, it can
be a very attractive target to hackers. The management module is built with several technologies
designed to mitigate those risks. The first primary threat is a hacker attempting to gain access to the
management network itself. This threat can only be mitigated through the effective deployment of
security features in the other modules in the enterprise to ensure the proper security is in place to prevent
unauthorized access to services within the management module. The remaining threats assume that the
primary line-of-defense has been breached. To mitigate the threat of a compromised device, access
control should be implemented using a firewall, and every device should be hardened and secured using
the baseline security best practices outlined in Chapter 2, “Network Foundation Protection.”
The management network combines out-of-band (OOB) management and in-band (IB) management
access to manage the various devices within the different PIN modules. OOB management is used for
devices at the headquarters and is accomplished by connecting dedicated management ports or spare
Ethernet ports on devices directly to the dedicated OOB management network hosting the management
and monitoring applications and services. The OOB management network can be either implemented as
a collection of dedicated hardware or based on VLAN isolation. IB management is used for remote
devices such as the branch site and access is provided through the data path using a firewalled connection
to the core network module. This connectivity is depicted in Figure 9-1.
Figure 9-1 Out-of-band and In-band Management Design
When deploying a management network some of the key components of the design include the
following:
• Securing the out-of-band Management network
• Securing the in-band Management access
• Providing secure remote access to the management network
• Synchronizing time using NTP
• Securing servers and other endpoints with endpoint protection software and operating system (OS)
hardening best practices
• Hardening the infrastructure using Network Foundation Protection (NFP) best practices
The following section will discuss each of these components.
[Figure 9-1 shows the headquarters WAN edge routers, WAN distribution switches, core switches and firewalls; the branch, campus devices and data center devices are managed in-band, while the management module (console servers with console connectors, NTP server, CS-MARS, CS-ACS, CSM, NAC Manager, admin host and admin VPN) sits on the out-of-band management network.]
OOB Management Best Practices
The OOB network segment hosts console servers, network management stations, AAA servers, analysis
and correlation tools, NTP, FTP, syslog servers, network compliance management, and any other
management and control services. A single OOB management network may serve all the enterprise
network modules located at the headquarters. An OOB management network should be deployed using
the following best practices:
• Provide network isolation
• Enforce access control
• Prevent data traffic from transiting the management network
The OOB management network is implemented at the headquarters using dedicated switches that are
independent and physically disparate from the data network. The OOB management may also be
logically implemented with isolated and segregated VLANs. Routers, switches, firewalls, IPS, and other
network devices connect to the OOB network through dedicated management interfaces. The
management subnet should operate under an address space that is completely separate from the rest of
the production data network. This facilitates the enforcement of controls, such as making sure the
management network is not advertised by any routing protocols. This also enables the production
network devices to block any traffic from the management subnets that appears on the production
network links.
Devices being managed by the OOB management network at the headquarters connect to the
management network using a dedicated management interface or a spare Ethernet interface configured
as a management interface. The interface connecting to the management network should be a routing
protocol passive-interface and the IP address assigned to the interface should not be advertised in the
internal routing protocol used for the data network. Access-lists using inbound and outbound
access-groups are applied to the management interface so that access to the management network is
allowed only from the IP address assigned to the management interface and, conversely, access from
the management network is allowed only to that management interface address. In addition, only the
protocols needed for the management of these devices are permitted; these could include SSH, NTP,
FTP, SNMP, TACACS+, etc. Data traffic should never transit the devices using the connection to the
management network.
A sample configuration demonstrating the best practices for applying access-lists on the management
interface of a Cisco Catalyst switch is shown below. The angle-bracket tokens stand for site-specific
values such as the ACL numbers, the management interface address and the server addresses:
! access-list to be applied inbound on the management interface
! ICMP needed for path troubleshooting (traceroute, ping) from the management subnet only
access-list <ACL-IN> permit icmp <MGMT-SUBNET> <WILDCARD> host <MGMT-IF-IP> ttl-exceeded
access-list <ACL-IN> permit icmp <MGMT-SUBNET> <WILDCARD> host <MGMT-IF-IP> port-unreachable
access-list <ACL-IN> permit icmp <MGMT-SUBNET> <WILDCARD> host <MGMT-IF-IP> echo-reply
access-list <ACL-IN> permit icmp <MGMT-SUBNET> <WILDCARD> host <MGMT-IF-IP> echo
! TACACS+ replies from the AAA servers to sessions this device initiated
access-list <ACL-IN> permit tcp host <TACACS+-SVR-1> eq tacacs host <MGMT-IF-IP> established
access-list <ACL-IN> permit tcp host <TACACS+-SVR-2> eq tacacs host <MGMT-IF-IP> established
access-list <ACL-IN> permit tcp host <TACACS+-SVR-1> host <MGMT-IF-IP> eq tacacs
access-list <ACL-IN> permit tcp host <TACACS+-SVR-2> host <MGMT-IF-IP> eq tacacs
! NTP from the internal time servers only
access-list <ACL-IN> permit udp host <NTP-SVR-1> host <MGMT-IF-IP> eq ntp
access-list <ACL-IN> permit udp host <NTP-SVR-2> host <MGMT-IF-IP> eq ntp
! SSH management sessions from the management subnet
access-list <ACL-IN> permit tcp <MGMT-SUBNET> <WILDCARD> host <MGMT-IF-IP> eq 22
! FTP control and data (active and passive) from the configuration/image repository
access-list <ACL-IN> permit tcp host <FTP-SVR> eq ftp host <MGMT-IF-IP> gt 1023 established
access-list <ACL-IN> permit tcp host <FTP-SVR> eq ftp-data host <MGMT-IF-IP> gt 1023
access-list <ACL-IN> permit tcp host <FTP-SVR> gt 1023 host <MGMT-IF-IP> gt 1023 established
access-list <ACL-IN> permit udp <MGMT-SUBNET> <WILDCARD> gt 1023 host <MGMT-IF-IP> gt 1023
! SNMP polling from the management stations only
access-list <ACL-IN> permit udp host <SNMP-SVR-1> host <MGMT-IF-IP> eq snmp
access-list <ACL-IN> permit udp host <SNMP-SVR-2> host <MGMT-IF-IP> eq snmp
access-list <ACL-IN> permit udp host <SNMP-SVR-3> host <MGMT-IF-IP> eq snmp
access-list <ACL-IN> deny ip any any log
! access-list to be applied outbound on the management interface
access-list <ACL-OUT> permit ip host <MGMT-IF-IP> <MGMT-SUBNET> <WILDCARD>
! Apply inbound and outbound access-lists on management interface
interface GigabitEthernet2/1
 description Connection to the OOB Management network
 no switchport
 ip address <MGMT-IF-IP> <MGMT-IF-MASK>
 ip access-group <ACL-IN> in
 ip access-group <ACL-OUT> out
Note An explicit deny entry with the log keyword is included at the end of the access-list applied on the
inbound direction of the management interface. This triggers syslog events for traffic attempting to
access the device over the management network which is not permitted. This will provide visibility into
attacks and facilitate troubleshooting when needing to tune the access-list (e.g., identifying traffic which
should be allowed).
IB Management Best Practices
IB management provides management of devices over the same physical and logical infrastructure as the
data traffic. IB management is used for devices not located at the headquarters site and devices that do
not have a dedicated management interface or spare interface to be used as a management interface. IB
management network access should be deployed using the following best practices:
• Enforce access control using firewalls
• Classify and prioritize management traffic using QoS at remote sites
• Provide network isolation using NAT
• Enforce the use of encrypted, secure access, and reporting protocols
Firewalls are implemented to secure the OOB management network hosting the management and
monitoring servers from the rest of the network. The firewalls only allow access from the administrative
IP addresses of the devices being managed IB and only for the necessary protocols and ports. The
firewall is configured to allow protocols such as syslog, secure syslog, SSH, SSL, SNMP, NetFlow and
IPSec, and, if NAC Appliance is deployed, the protocols needed for the NAC Server to communicate with
the NAC Manager, into the management segment.
In addition to providing access control for managing devices located at remote sites such as the branch
sites, firewalls are recommended to protect the management network from certain devices located in the
Internet Edge module. In the case of the Internet edge, any devices outside the edge firewalls deployed
in the Internet edge should be protected by a firewall. Despite being deployed at the headquarters, the
outer switches and border routers are located outside the edge firewall; therefore, their management
connections should be placed in a separate and firewalled segment. This practice is key to contain and
mitigate the compromise of any devices facing the Internet. Connecting the outer switches or the border
routers directly to the OOB network and without a firewall is highly discouraged, as it would facilitate
the bypass of the firewall protection. Figure 9-2 illustrates the OOB and IB management connections to
the devices in the Internet edge module.
Figure 9-2 Internet Edge Management Connectivity
When deploying IB management for remote sites, it is critical that QoS is employed to accurately
classify and prioritize control and management traffic to and from these sites. This will ensure
continuing service availability and remote management even under adverse network conditions, such as
high data rates and worm outbreaks. For more information on deploying QoS in the branch, refer to the
“QoS in the Branch” section on page 8-9.
Since the management subnet operates under an address space that is completely separate from the rest
of the production network, all IB management access occurs through a NAT process on the firewall.
Static NAT entries are used on the firewall to translate the non-routable management IP addresses to
prespecified production IP ranges that are routed in the routing protocol on the data network.
[Figure 9-2 shows the Internet edge: outer switches and border routers toward the Internet, the edge firewalls, inner switches and core switches, with out-of-band and in-band management connections back to the management module (console server, NTP server, CS-MARS, CS-ACS, CSM, NAC Manager, admin host).]
The following sample ASA NAT configuration fragment illustrates the best practices for hiding the
management subnet address from the production network:
nat-control
global (outside) 1 interface
nat (inside) 1 <MGMT-SUBNET> 255.255.255.0
! create static NAT entry for MARS
static (inside,outside) 10.242.50.99 <MARS-INSIDE-IP> netmask 255.255.255.255
! create a static NAT entry for ACS
static (inside,outside) 10.242.50.94 <ACS-INSIDE-IP> netmask 255.255.255.255
! create a static NAT entry for CSM
static (inside,outside) 10.242.50.95 <CSM-INSIDE-IP> netmask 255.255.255.255
! create a static NAT entry for Admin host
static (inside,outside) 10.242.50.92 <ADMIN-HOST-INSIDE-IP> netmask 255.255.255.255
! create a static NAT entry for FTP server
static (inside,outside) 10.242.50.96 <FTP-SVR-INSIDE-IP> netmask 255.255.255.255
! create a static NAT entry for NAC Manager
static (inside,outside) 10.242.50.110 <NAC-MGR-INSIDE-IP> netmask 255.255.255.255
Note Static NAT entries are used to translate the addresses assigned to management servers inside the
management subnet range to addresses in the outside address range that are routed in the data
network. In the above case, the management inside addresses are translated to outside addresses
within the 10.242.50.0 subnet range.
The following sample inbound firewall policy fragment from the ASA firewall illustrates the best
practices for allowing only the needed IB access to the management network through the firewall
protecting the OOB management network:
! Permit SDEE, syslog, secured syslog, NetFlow reporting, and SNMP traps to MARS
access-list OBB-inbound extended permit tcp any host 10.242.50.99 eq https
access-list OBB-inbound extended permit udp any host 10.242.50.99 eq snmptrap
access-list OBB-inbound extended permit udp any host 10.242.50.99 eq syslog
access-list OBB-inbound extended permit tcp any host 10.242.50.99 eq 1500
access-list OBB-inbound extended permit udp any host 10.242.50.99 eq 2055
! permit TACACS+ to the ACS server for device authentication
access-list OBB-inbound extended permit tcp any host 10.242.50.94 eq tacacs
! permit IPSec traffic to the firewall for remote VPN termination
access-list OBB-inbound extended permit esp any host 10.242.50.1
access-list OBB-inbound extended permit udp any eq isakmp host 10.242.50.1 eq isakmp
! permit traffic from the NAC Server to the NAC Manager
access-list OBB-inbound extended permit tcp host 10.240.10.36 host 10.242.50.110 eq https
access-list OBB-inbound extended permit tcp host 10.240.10.36 host 10.242.50.110 eq 1099
access-list OBB-inbound extended permit tcp host 10.240.10.36 host 10.242.50.110 eq 8995
access-list OBB-inbound extended permit tcp host 10.240.10.36 host 10.242.50.110 eq 8996
! permit traffic from the NAC Profiler to the NAC Manager
access-list OBB-inbound extended permit tcp host 10.240.50.10 host 10.242.50.110 eq ssh
! Apply the inbound access policy to the outside interface
access-group OBB-inbound in interface outside
Remote Access to the Management Network
Another recommended best practice for IB management is to configure the firewall protecting the OOB
management network for client VPN termination for IB administrative access. This allows
administrators at the campus and remote locations to connect to the OOB management networks to
access the management servers over a secure VPN tunnel.
The following are best practices for enabling VPN termination for remote management network
connectivity:
• Create a VPN address pool within the management segment subnet range
• Create NAT exception ACLs to prevent address translation for traffic going to the VPN pool
addresses from the OOB management addresses
• Enforce remote access authentication
• Configure a VPN idle timeout to ensure VPN tunnels do not stay up indefinitely
The following sample VPN configuration fragment on the ASA firewall illustrates these best practices.
This example uses pre-shared keys and TACACS+ for authentication and 3DES for encryption. PKI and
AES can also be used for stronger authentication and encryption:
! create VPN Pool of addresses from within the management subnet range
ip local pool vpnpool <VPN-POOL-START>-<VPN-POOL-END>
! create NAT exception lists to prevent NAT to/from the VPN pool of addresses from OOB interface addresses
access-list nonat extended permit ip <MGMT-SUBNET> 255.255.255.0 <VPN-POOL-SUBNET> <VPN-POOL-MASK>
! assign the NAT exception ACL to the inside NAT configuration command
nat (inside) 0 access-list nonat
! define crypto maps and assign to outside interface facing inband network
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
! define isakmp policies
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! define group-policy
group-policy clientgroup internal
! define VPN idle timeout
group-policy clientgroup attributes
 vpn-idle-timeout 20
! define tunnel attributes including VPN address pool and authentication type
tunnel-group rtptacvpn type remote-access
tunnel-group rtptacvpn ipsec-attributes
 pre-shared-key *
tunnel-group rtpvpn type remote-access
tunnel-group rtpvpn general-attributes
 address-pool vpnpool
 authentication-server-group tacacs-servers
 authorization-server-group LOCAL
 default-group-policy clientgroup
tunnel-group rtpvpn ipsec-attributes
 pre-shared-key *
Network Time Synchronization Design Best Practices
Time synchronization using Network Time Protocol (NTP) for network and security devices is critical
for network-wide security event analysis and correlation. Enabling NTP on all infrastructure components
is a fundamental requirement. Time servers should be deployed at the headquarters on a secured network
segment such as in the Management network module. Internal time servers will be synchronized with
external time sources unless you have an in-house atomic or GPS-based clock.
The following best common practices should be considered when implementing NTP:
• Deploy a hierarchical NTP design versus a flat design. Hierarchical designs are preferred because
they are highly stable, scalable, and provide the most consistency. A good way to design a hierarchical
NTP network is by following the same structure as the routing architecture in place.
• Use a common, single time zone across the entire infrastructure to facilitate the analysis and
correlation of events.
• Control which clients and peers can talk to an NTP server.
• Enable NTP authentication.
For devices being managed through the OOB management network at the headquarters, transporting
NTP over the OOB network flattens and simplifies the design. In this scenario, all routers and switches
may be configured as clients (non-time servers) with a client/server relationship with the internal time
servers located within the OOB management network. These internal time servers are synchronized with
external time sources. This design is illustrated in Figure 9-3.
Figure 9-3 NTP Design Leveraging an OOB Management Network
Branch offices are typically aggregated at one or more WAN edge routers that can be leveraged in the
NTP design. Following the routing design, the WAN edge routers should be configured as time servers
with a client/server relationship with the internal time servers, and the branch routers may be configured
as clients (non-time servers) with a client/server relationship with the WAN edge routers. This design is
depicted in Figure 9-4.
[Figure 9-3 shows the external time source feeding the NTP server on the OOB network, with IDS/IPS, routers, firewalls and switches as its NTP clients.]
Figure 9-4 NTP Design for the WAN Edge and Remote Offices
[Figure 9-4 shows the external time source feeding the OOB NTP server, the WAN edge routers as NTP servers with redundancy, and the branch routers as NTP clients.]
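As an added example, not configuration from the guide, the following IOS fragments implement the hierarchical design of Figure 9-4 with the four practices listed above: the WAN edge router takes authenticated time from the internal time servers in the OOB management network and serves it only to the branch routers, and the branch router accepts time only from the WAN edge routers. The server and loopback addresses in angle brackets, the branch subnet, the key string and the single UTC time zone are placeholders or assumptions.

```cisco
! ---- WAN edge router: NTP server for the branches, client of the internal OOB time servers ----
! (added example, not the guide's own configuration; addresses in angle brackets and the key are placeholders)
!
! One common time zone across the infrastructure (UTC assumed here); timestamps carry the zone
! so events from every device correlate without conversion
clock timezone UTC 0
service timestamps log datetime msec show-timezone
!
! NTP authentication: time is accepted only from a source that signs with trusted key 1
ntp authentication-key 1 md5 <NTP-KEY-STRING>
ntp authenticate
ntp trusted-key 1
! Source NTP from the loopback so the address is stable and can be matched in the branch ACLs
ntp source Loopback0
! Internal time servers in the OOB management network (they in turn sync to the external source)
ntp server <INTERNAL-NTP-SVR-1> key 1 prefer
ntp server <INTERNAL-NTP-SVR-2> key 1
!
! Control which clients and peers can talk to this router:
!   ACL 10 = the internal time servers, allowed a full peer relationship (this router syncs to them)
!   ACL 20 = the branch router subnets, served time only (they cannot alter this router's clock)
! Once any ntp access-group is configured, NTP from any other address is dropped.
access-list 10 permit host <INTERNAL-NTP-SVR-1>
access-list 10 permit host <INTERNAL-NTP-SVR-2>
access-list 20 permit <BRANCH-SUBNETS> <WILDCARD>
ntp access-group peer 10
ntp access-group serve-only 20
!
! ---- Branch router: client only, takes time from the two WAN edge routers ----
clock timezone UTC 0
service timestamps log datetime msec show-timezone
ntp authentication-key 1 md5 <NTP-KEY-STRING>
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp server <WAN-EDGE-RTR-1-LOOPBACK> key 1 prefer
ntp server <WAN-EDGE-RTR-2-LOOPBACK> key 1
! Accept NTP only from the WAN edge routers' loopbacks; everything else is dropped
access-list 10 permit host <WAN-EDGE-RTR-1-LOOPBACK>
access-list 10 permit host <WAN-EDGE-RTR-2-LOOPBACK>
ntp access-group peer 10
!
! Verification on either router:
!   show ntp associations  - '*' marks the server the clock is synchronized to; a reach of 377
!                            means all of the last eight polls were answered
!   show ntp status        - "Clock is synchronized, stratum N" and the reference address
```

Keeping the WAN edge routers as the only NTP servers the branches are allowed to reach follows the routing design as the guide recommends, and it means an unauthenticated or rogue time source in a branch cannot be selected by either tier.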
Management Module Infrastructure Security Best Practices
In addition to protecting the servers and services in the management module using a firewall, the
Infrastructure devices also need to be protected. All routers, switches, firewalls, and terminal servers
should be hardened following the best practices described in Chapter 2, “Network Foundation
Protection.”
The following are the key areas of the baseline security applicable to securing the access layer switches:
• Infrastructure device access
– Implement dedicated management interfaces to the OOB management network.
– Limit the accessible ports and restrict the permitted communicators and the permitted methods
of access.
– Present legal notification.
– Authenticate and authorize access using AAA.
– Log and account for all access.
– Protect locally stored sensitive data (such as local passwords) from viewing and copying.
• Routing infrastructure
– Authenticate routing neighbors.
– Log neighbor changes.
• Device resiliency and survivability
– Disable unnecessary services.
– Filter and rate-limit control-plane traffic.
– Implement redundancy.
• Network telemetry
– Implement NTP to synchronize time to the same network clock.
– Maintain and monitor device global and interface traffic statistics.
– Maintain system status information (memory, CPU, and process).
– Log and collect system status, traffic statistics, and device access information.
• Network policy enforcement
– Implement management and infrastructure ACLs (iACLs).
Terminal Server Hardening Considerations
In general, the same best practices described in Chapter 2, “Network Foundation Protection,” should be
followed to harden the terminal servers. In addition to adopting these best practices for hardening the
terminal servers, there are a few important considerations that should be noted.
Typically, Telnet access to devices should be denied and a secure protocol such as SSH should be used.
However, in the case of routers acting as terminal servers, console access to network and security
devices may require the use of reverse Telnet. Reverse access is also supported with SSH and is highly
recommended, though this feature may not always be available.
Securing reverse access requires hardening the terminal (TTY) lines used to connect to the console
ports of the managed network and security devices. Inbound ACLs should be applied to the TTY lines
to restrict access to the console ports by permitting or denying access to the reverse SSH/Telnet ports
as warranted. In addition, session timeout values should be configured on the TTY lines to prevent
connections from staying open indefinitely. It is recommended that the timeout values match the
corresponding timeout values configured on the console ports of the managed devices. Where a
managed device does not support console session timeout enforcement, the timeout values on the
TTY lines can be used to enforce the session timeout for that device.
The following terminal server configuration fragment configures an inbound ACL on the TTY lines to
restrict access to the reverse SSH/Telnet ports 2001 through 2006 to hosts in the management subnet only.
It also sets the session timeout to 3 minutes. The management subnet address and wildcard mask are
placeholders to be replaced with the actual values.
! Configure extended ACL to permit access to reverse SSH/telnet ports 2001 thru 2006
! only from the management subnet (<management-subnet> <wildcard-mask> are placeholders)
access-list 113 permit tcp <management-subnet> <wildcard-mask> any range 2001 2006
access-list 113 deny ip any any log
!
line 1 16
! Configure a session timeout of 3 minutes
session-timeout 3
! Apply inbound ACL to restrict access to only ports 2001 through 2006 from the management subnet
access-class 113 in
no exec
! Require users to authenticate to the terminal server using AAA before accessing the
! connected console ports of managed devices
login authentication authen-exec-list
transport preferred none
! Enable SSH (preferred) and telnet for reverse access to connected console ports.
! Both protocols must be listed in one statement: a later transport input line
! replaces an earlier one rather than adding to it
transport input ssh telnet
transport output none
Firewall Hardening Best Practices
The firewalls should be hardened in a similar fashion as the infrastructure routers and switches. The
following measures should be taken to harden the firewalls:
• Use HTTPS and SSH for device access
• Configure AAA for role-based access control and logging. Use a local fallback account in case AAA
server is unreachable.
• Use NTP to synchronize the time
• Authenticate routing neighbors and log neighbor changes
Management access to the firewalls should be restricted to SSH and HTTPS. SSH is needed for CLI
access and HTTPS is needed for the firewall GUI-based management tools such as CSM and ASDM.
Additionally, this access should only be permitted for users authorized to access the firewalls for
management purposes.
The following ASA configuration fragment illustrates the configuration needed to generate a 768-bit RSA
key pair and to enable SSH and HTTPS access for devices located in the management subnet.
Note CS-MARS requires a minimum modulus size of 768 bits or greater.
! Generate RSA key pair with a key modulus of 768 bits
crypto key generate rsa modulus 768
! Save the RSA keys to persistent flash memory
write memory
! enable HTTPS
http server enable
! restrict HTTPS access to the firewall to CSM on the inside interface
! (<csm-address> is a placeholder for the CSM server address)
http <csm-address> 255.255.255.255 inside
! restrict SSH access to the firewall from the Admin management server located in the
! management segment on the inside interface (<admin-server-address> is a placeholder)
ssh <admin-server-address> 255.255.255.255 inside
! Configure a timeout value for SSH access to 5 minutes
ssh timeout 5
Note SSH and HTTPS access would typically be restricted to a dedicated management interface over an OOB
management network. However, since the firewall protecting the management module connects to the
OOB network via its inside interface, a dedicated management interface is not used in this case.
Users accessing the firewalls for management are authenticated, authorized, and access is logged using
AAA. The following ASA configuration fragment illustrates the AAA configurations needed to
authenticate, authorize, and log user access to the firewall:
! TACACS+ server group (<tacacs-server-address> and <shared-secret> are placeholders)
aaa-server tacacs-servers protocol tacacs+
reactivation-mode timed
aaa-server tacacs-servers host <tacacs-server-address>
key <shared-secret>
aaa authentication ssh console tacacs-servers LOCAL
aaa authentication serial console tacacs-servers LOCAL
aaa authentication enable console tacacs-servers LOCAL
aaa authentication http console tacacs-servers LOCAL
aaa authorization command tacacs-servers LOCAL
aaa accounting ssh console tacacs-servers
aaa accounting serial console tacacs-servers
aaa accounting command tacacs-servers
aaa accounting enable console tacacs-servers
aaa authorization exec authentication-server
! define local username and password for local authentication fallback
! (<encrypted-password> is a placeholder for the stored password hash)
username admin password <encrypted-password> encrypted privilege 15
The routing protocol running between the OOB firewall and the core should be secured. The following
ASA configuration fragment illustrates the use of EIGRP MD5 authentication to authenticate the peering
session between the outside firewall interface and the core routers:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.242.50.1 255.255.255.0
! <eigrp-key> is a placeholder for the MD5 key shared with the core routers
authentication key eigrp 1 <eigrp-key> key-id 10
authentication mode eigrp 1 md5
As with the other infrastructure devices in the network, it is important to synchronize the time on the
firewall protecting the management module using NTP. The following configuration fragment illustrates
the NTP configuration needed on an ASA to synchronize with an NTP server located behind the inside
interface:
! NTP authentication key 10 (the key value is masked as * here)
ntp authentication-key 10 md5 *
ntp authenticate
ntp trusted-key 10
! <ntp-server-address> is a placeholder; key 10 ties the server to the trusted key above
ntp server <ntp-server-address> key 10 source inside
Threats Mitigated in the Management
Table 9-1 Management Threat Mitigation Features
Columns (threats and capabilities): Unauthorized Access, DoS/DDoS, MITM Attacks, Privilege Access Intrusions, Password Attacks, IP Spoofing, Visibility, Control.
Rows (the number of the eight columns marked “Yes” for each feature; the column assignment is not recoverable from this copy):
• Firewall: Yes in 6 columns
• AAA: Yes in 6 columns
• OOB Network: Yes in 6 columns
• VPN: Yes in 5 columns
• SSH: Yes in 5 columns
• Strong Password Policy: Yes in 6 columns
• Management ACLs: Yes in 5 columns
• iACLs: Yes in 6 columns
• NetFlow, Syslog: Yes in 1 column
• Router Neighbor Authentication: Yes in 1 column
Chapter 10 Monitoring, Analysis, and Correlation
The Cisco SAFE defense-in-depth approach results in the implementation of multiple layers of security
safeguards throughout the network, and in the use of the network infrastructure itself as a security tool.
Different forms of network telemetry present on each safeguard are leveraged to obtain a consistent and
accurate view of the network activity. Logging and event information generated by routers, switches,
firewalls, intrusion prevention systems, and endpoint protection software are globally collected, trended,
and correlated using CS-MARS. Given the complexity of today’s network environments, without central
correlation and analysis capabilities, troubleshooting and identifying security incidents and threats in the
network would require hours if not days. The Cisco SAFE design blueprints leverage CS-MARS to
quickly identify and react to threats before they affect the rest of the network.
CS-MARS allows for infrastructure-wide security intelligence and collaboration, enabling the designs
to effectively:
• Identify threats—Collecting, trending, and correlating logging, flow, and event information helps
identify the presence of security threats, compromises, and data leaks.
• Confirm compromises—By being able to track an attack as it transits the network, and by having
visibility on the endpoints, the architecture can confirm the success or failure of an attack.
• Reduce false positives—Endpoint and system visibility help identify whether a target is in fact
vulnerable to a given attack.
• Reduce volume of event information—Event correlation dramatically reduces the number of events,
saving security operators’ precious time and allowing them to focus on what is most important.
• Determine the severity of an incident—The enhanced endpoint and network visibility allows the
architecture to dynamically increase or reduce the severity level of an incident according to the
degree of vulnerability of the target and the context of the attack.
• Reduce response times—Having visibility over the entire network makes it possible to determine
attack paths and identify the best places to enforce mitigation actions.
Key Concepts
CS-MARS analysis and correlation is based on the processing of event and log information provided by
the various reporting and mitigation devices. In Cisco SAFE blueprints, reporting and mitigation devices
include Cisco ASA security appliances, Cisco IOS routers and switches, Cisco IPS appliances and
modules, Cisco Security Agent Management Console (CSA-MC), and Cisco Secure Access Control
Server (CS-ACS). This is illustrated in Figure 10-1 below. CS-MARS also has the ability to leverage
non-Cisco products. The list of Cisco and non-Cisco supported products can be found at the following
URL:
http://www.cisco.com/en/US/products/ps6241/products_device_support_tables_list.html
Figure 10-1 Event Monitoring, Analysis and Correlation
One important concept is that event information generated by the reporting devices is collected by
CS-MARS in two different ways: it is either pushed to CS-MARS by the device, or pulled by
CS-MARS from the device. The collection type depends on the characteristics of the reporting device,
such as the access protocols supported and the configuration choices. These and other important
concepts are explained next.
Note CS-MARS implements a custom parser that can be used to add support for unsupported applications or
systems. The parser uses regular expressions to interpret Simple Network Management Protocol
(SNMP) and syslog messages, and to map them into message types known to CS-MARS.
[Figure 10-1: Internet, Internet Edge, Campus Core; reporting paths to CS-MARS via SNMP, syslog, SDEE, SSH, NetFlow; CS-ACS (TACACS); CS-MC]
Access and Reporting IP address
As some reporting and mitigation devices may have multiple interfaces and IP addresses, CS-MARS
allows the configuration of separate IP addresses for the collection of event information that is either
pulled by or pushed to CS-MARS. To that end, when adding a reporting or mitigation device in the web
interface, the user may specify an access IP address and a reporting IP address. For devices with a single
IP address, both the access and reporting IP addresses should be configured as the same.
The access IP address is used by CS-MARS to either connect to the device with a remote administrative
session or connect to a remote server on which a file containing the device's configuration is stored. In
contrast, CS-MARS uses the reporting IP address to associate received messages with the correct device.
The reporting IP is the source IP address of event messages, logs, notifications, or traps that originate
from the device. The fundamental difference between the two types of IP addresses is that the reporting
IP address is treated passively by CS-MARS. CS-MARS does not query the device using this address;
such operations are performed using the access IP address.
If following the best practices discussed in the “Infrastructure Device Access Best Practices” section on
page 2-2, the reporting and mitigation devices should not grant access to CS-MARS unless the appliance
is configured as a trusted system from which administrative access should be allowed. At the same time,
the devices should be configured to treat the CS-MARS appliance as a trusted destination for log, event,
and trap information.
Note Only one reporting IP address is accepted per device. In order for CS-MARS to parse and correlate
events properly, all message types (NetFlow, syslog, etc.) originating from the same device should come
from a common source IP address. If messages do not originate from a common IP address, one of the
message types is seen as coming from an unreported device, affecting correlation. In the case of Cisco
IOS devices, ensure that services such as NetFlow and syslog are bound to the same IP address.
Access Protocols
The access type refers to the administrative protocol that CS-MARS uses to access a reporting device or
mitigation device. For most devices monitored by CS-MARS, you can choose from among the following
four administrative access protocols:
• SNMP—Provides administrative access to the device using a secured connection. It allows for the
discovery of the settings using SNMPwalk, such as routes, connected networks, Address Resolution
Protocol (ARP) tables, and address translations. If granted read-write access, SNMP also allows for
mitigation on any Layer-2 devices that support MIB2.
Note CS-MARS uses SNMP v1 to perform device discovery. If CS-MARS is unable to discover a
device and you are confident that the configuration settings are correct, verify that the device is
not expecting the authentication from CS-MARS to occur over an encrypted channel.
• Telnet—Provides full administrative access to the device using an unsecured connection. It allows
for the discovery of the settings, such as routes, connected networks, ARP tables, and address
translations. It also allows for mitigation on Layer-2 devices.
• Secure Shell (SSH)—Provides full administrative access to the device using a secured connection.
It allows for the discovery of the settings, such as routes, connected networks, ARP tables, and
address translations. It also allows for mitigation on Layer-2 devices. This access method is
recommended for mitigation device support; however, Telnet access can achieve the same results.
Note Device discovery based on an SSH connection does not support 512-byte keys. The OpenSSH
client (OpenSSH_3.1p1) used by CS-MARS does not support a modulus size smaller than 768.
• Trivial File Transfer Protocol (TFTP)—Allows passive discovery of settings by providing
CS-MARS access to a file copy of the configuration running on the router. FTP does not support
mitigation, DTM, or discovery of dynamic settings, such as Network Address Translation (NAT) and
ARP tables. In addition, if the FTP access type is selected for device types such as Cisco ASA and
Firewall Service Module (FWSM), you can only discover settings for the admin context. This access
method is the least preferred and most limited access method. To enable configuration discovery
using FTP access, you must place a copy of the device's configuration file on an FTP server to which
the CS-MARS appliance has access. This FTP server must have user authentication enabled.
Reporting Protocols
CS-MARS leverages a variety of reporting protocols for the reception of event information. Depending
on the platform, the following options may be available:
• Syslog—System logging (syslog) may be used to provide information on session activity (setup,
teardown, and deny), NAT transactions, resource usage, and system status.
• SNMP—SNMP traps may be used to send CS-MARS information indicating session activity (setup,
teardown, and deny), NAT transactions, resource usage, and system status.
• NetFlow—NetFlow data is used to profile the network usage, detect statistically significant
anomalous behavior, and correlate anomalous behavior. NetFlow security event logging (NSEL)
provides information on session activity (setup, teardown, and deny) and NAT transactions.
• Security Device Event Exchange (SDEE)—SDEE is a protocol developed by a consortium led by
Cisco and designed for the secure exchange of network event information. Cisco IPS appliances and
modules, and Cisco IOS IPS use SDEE to communicate security events. At the same time,
CS-MARS leverages SDEE to pull configuration information, logs, and other information from
Cisco IPS appliances and modules.
Events, Sessions and Incidents
To facilitate the analysis of security incidents, CS-MARS interprets each security incident as a collection
of sessions, each one composed of one or more security events:
• Events—An event refers to a single alarm or message pushed to CS-MARS by the monitoring
reporting devices (syslogs, SNMP traps) or pulled by CS-MARS from the monitoring reporting devices
(IPS alerts, Windows logs, etc.).
• Sessions—A set of messages (events) that are correlated by CS-MARS across NAT boundaries.
• Incidents—A set of sessions that match defined inspection rules. Rules are either included in the
CS-MARS system or defined by the administrator. An incident is a chain of correlated events that
describe an attack scenario.
Some examples of incidents are as follows:
– Reconnaissance activity followed by a penetration attempt, and further, followed by malicious
activity on the target host.
– Reconnaissance activity followed by a denial-of-service (DoS) attempt.
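The events-to-sessions-to-incidents model described above, as an added Python example that is not CS-MARS code and not from the Cisco SAFE guide: events from different reporting devices are joined into sessions across a NAT boundary using a constructed translation table, then two inspection rules modelled on the incident examples (reconnaissance, penetration attempt, malicious activity on the host; reconnaissance followed by DoS) are applied. The event-type vocabulary, device names, NAT table, sample events and the time window are all assumptions.

```python
"""Events -> sessions -> incidents, the CS-MARS correlation model in miniature.

Added example; not CS-MARS code and not from the Cisco SAFE guide.
All event types, device names, addresses and timings are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One normalized event, as pushed to or pulled by the correlation engine."""
    t: int        # seconds since the start of the constructed timeline
    device: str   # reporting device (assumed names)
    kind: str     # normalized event type (assumed vocabulary)
    src: str      # source IP as reported by the device
    dst: str      # destination IP as reported by the device


# Constructed static NAT entry on the edge firewall: outside address -> inside host
NAT_TABLE = {"198.51.100.10": "10.240.20.9"}

# Inspection rules: ordered stages that must all occur within WINDOW seconds
RULES = {
    "recon-penetration-malicious": ["recon", "exploit_attempt", "host_malicious"],
    "recon-dos": ["recon", "dos_attempt"],
}
WINDOW = 600


def canonical(ip):
    """Resolve a translated (outside) address to the real inside host."""
    return NAT_TABLE.get(ip, ip)


def build_sessions(events):
    """Group events into sessions keyed by (source, real destination).

    Both ends are canonicalized, so an IPS alert that saw the translated
    address and an endpoint alert that saw the inside address land together.
    """
    sessions = {}
    for ev in sorted(events, key=lambda e: e.t):
        key = (canonical(ev.src), canonical(ev.dst))
        sessions.setdefault(key, []).append(ev)
    return sessions


def match_rule(session, stages, window=WINDOW):
    """Return the events matching the stages in order, or None."""
    matched, idx = [], 0
    for ev in session:
        if ev.kind == stages[idx]:
            matched.append(ev)
            idx += 1
            if idx == len(stages):
                break
    if idx < len(stages) or matched[-1].t - matched[0].t > window:
        return None
    return matched


def find_incidents(events):
    """Apply every rule to every session and return the incidents found."""
    incidents = []
    for (src, target), session in build_sessions(events).items():
        for name, stages in RULES.items():
            matched = match_rule(session, stages)
            if matched:
                incidents.append({
                    "rule": name,
                    "src": src,
                    "target": target,
                    "devices": sorted({e.device for e in matched}),
                    "events": matched,
                })
    return incidents


# Constructed sample events (not real traffic). The CSA-MC event is assumed to
# carry the remote peer as src and the inside host as dst.
CONSTRUCTED_EVENTS = [
    Event(0,   "ips-edge", "recon",           "203.0.113.5",  "198.51.100.10"),
    Event(30,  "ips-edge", "exploit_attempt", "203.0.113.5",  "198.51.100.10"),
    Event(90,  "csa-mc",   "host_malicious",  "203.0.113.5",  "10.240.20.9"),
    Event(200, "ips-edge", "recon",           "203.0.113.9",  "198.51.100.10"),
    Event(300, "asa-edge", "dos_attempt",     "203.0.113.9",  "198.51.100.10"),
    Event(400, "ips-edge", "recon",           "203.0.113.77", "198.51.100.10"),  # recon only
]

if __name__ == "__main__":
    for inc in find_incidents(CONSTRUCTED_EVENTS):
        print(inc["rule"], inc["src"], "->", inc["target"], "reported by", inc["devices"])
```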
CS-MARS Monitoring and Mitigation Device Capabilities
This section explains the access protocols and mitigation capabilities supported by the platforms in the
Cisco SAFE designs.
Cisco IPS
CS-MARS extracts the logs from Cisco IPS 5.x and 6.x devices and modules using SDEE. SDEE
communications are secured with Secure Sockets Layer/Transport Layer Security (SSL/TLS).
Therefore, CS-MARS must have HTTPS access to the Cisco IPS sensor. This requires configuration of
the Cisco IPS sensor as well as CS-MARS.
To allow access, HTTPS access must be enabled on the Cisco IPS sensor, and the IP address of
CS-MARS must be defined as an allowed host, one that can access the sensor to pull events. In addition,
an administrative account to be used by CS-MARS should be configured locally on the Cisco IPS sensor.
As a best practice, this account should be set with a user role of viewer to ensure only the minimum
necessary access privileges are granted. This account should not be used for any other purposes.
Event Data Collected from Cisco IPS
There are three types of event data that CS-MARS may extract from a Cisco IPS sensor:
• Event alerts—Alarm messages generated every time the Cisco IPS sensor identifies a match to a
signature. Information contained in the event alerts includes signature ID, version and description,
severity, time, and source and destination ports and IP addresses of the packets that triggered the event.
• Trigger packet data—Information on the first data packet that triggered a signature. This information
is useful for a deeper analysis and to help diagnose the nature of an attack. The trigger packet data
helps to visualize the data that was transmitted the instant the alarm was triggered. Trigger packet
data is available for those signatures configured with the "produce-verbose-alert" action.
• Packet data (IP logging)—The IP packet log, by default, contains 30 seconds of packet data. This
information is useful for a much deeper analysis. The IP packet log provides a view of the packets
transmitted during and in the instants after the signature was triggered. IP packet logging is available for
signatures configured with the produce-verbose-alert action and the log-pair-packets action. In
addition, the pull IP logs option should be enabled for the Cisco IPS sensor under Admin > System
Setup > Security and Monitor Devices.
Note that, while trigger packet data and IP logging provide valuable information for the analysis of
security incidents, configuring IP logging and verbose alerts on the sensor is system-intensive and does
affect the performance of the sensor. In addition, it affects the performance of the CS-MARS appliance.
Because of these effects, be cautious in configuring signatures to generate IP logs.
Verify that CS-MARS Pulls Events from a Cisco IPS Device
The first step for verifying if CS-MARS can pull events from a Cisco IPS sensor is to confirm both are
able to communicate. To that end, select the test connectivity option under the Cisco IPS device
configuration (Admin > System Setup > Security and Monitor Devices). A “Connectivity Successful”
message indicates both systems are able to communicate.
The second step is to perform an action to knowingly trigger a signature on the Cisco IPS sensor. As an
example, type the following URL in a browser, replacing x.x.x.x with the IP address or hostname of a web
server located on a subnet monitored by the Cisco IPS sensor.
http://x.x.x.x/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
This action should be interpreted as a WWW IIS unicode directory traversal attack, triggering Cisco IPS
signatures numbers 5114 and 5081. The event shown in Figure 10-2 should be seen at the incidents page.
Figure 10-2 Security Incident
IPS Signature Dynamic Update Settings
In Release 6.0 and later, Cisco IPS supports dynamic signature updates. CS-MARS can discover the new
signatures and correctly process and categorize received events that match those signatures. If this
feature is not configured, the events appear as unknown event type in queries and reports, and CS-MARS
does not include these events in inspection rules. These updates provide event normalization and event
group mapping, and they enable CS-MARS appliance to parse day-zero signatures from the IPS devices.
The downloaded update information is an XML file that contains the IPS signatures. However, this file
does not contain detailed information, such as vulnerability information. Detailed signature information
is provided in later CS-MARS signature upgrade packages just as with third-party signatures.
The screenshot in Figure 10-3 shows the configuration of dynamic IPS signature updates.
Figure 10-3 IPS Signature Dynamic Update
Cisco ASA Security Appliance
CS-MARS requires administrative access to be able to discover the Cisco ASA firewall configuration
settings. Administrative access is possible via Telnet (not recommended) or SSH.
The following data is learned by CS-MARS as a result of the discovery operation:
• Route and ARP tables, which aid in network discovery and MAC address mapping.
• NAT and PAT translation tables, which aid in address resolution and attack path analysis, exposing
the real instigator of attacks.
• OS settings, from which CS-MARS determines the correct ACLs to block detected attacks, which it
pastes into a management session with the Cisco firewall device.
In order to access the device, the Telnet/SSH access rules on the Cisco ASA firewall need to be
configured to grant access to the IP address of the CS-MARS appliance. Administrative access also
requires the use of an administrative account. The best practice is to use AAA and use a separate user
account dedicated for this sort of access. It is also recommended to define a local account on the Cisco
ASA for fallback access in case the AAA service is unavailable. Note that CS-MARS device
configuration only allows the definition of a single set of username and password credentials. Therefore,
fallback access will not succeed unless the local account is maintained up-to-date with the same
credentials as the ones configured on CS-MARS.
In the case of SSH access, keys should be generated with a minimum modulus size of 768.
On Cisco ASA appliances configured with multiple contexts, it is important to discover each one of the
contexts. Failing to do so affects the ability of CS-MARS to adequately learn the network topology.
Virtual contexts should be identified by CS-MARS automatically after the initial discovery of the Cisco
ASA appliance. Then, the reporting and access information of each context needs to be provided
individually.
Event Data Collected from Cisco ASA
The following information may be collected by CS-MARS from a Cisco ASA security appliance:
• Resource usage—Using SNMP read-only access, CS-MARS may monitor the device’s CPU and
memory usage, network usage, and device anomaly data. SNMP read-only access is also used to
discover device and network settings. SNMP access requires the definition of an access IP address
for the monitored device.
• Accept/deny logs—Syslog/SNMP trap information indicating session setup, teardown, and deny, as
well as NAT translations. This information is useful for false-positive analysis. CS-MARS supports
SNMPv1.
• NetFlow security event logging (NSEL)—Available in software Version 8.1 for the ASA 5580 and
Version 8.2 for other ASA platforms, NSEL provides the same type of information as syslog but more
efficiently, saving CPU cycles on both the Cisco ASA appliance and CS-MARS. Both connection
information and NAT translation data are combined in the same NSEL records, reducing the overall
number of records exported compared to syslog.
Cisco ASA appliances should take advantage of NSEL for higher efficiency and scalability. NSEL
requires the configuration of CS-MARS as a NetFlow collector on the Cisco ASA appliance.
Some system status and other messages are logged with syslog and not with NSEL. The
Cisco ASA appliance can be configured to disable the logging of the syslog messages that are made
redundant by NSEL. This is done by configuring the logging flow-export-syslogs disable command on the
Cisco ASA appliance.
Table 10-1 lists the disabled syslog messages.
Note To be able to query events triggered with NetFlow, CS-MARS needs to be configured to always store
ASA NetFlow security event logs. Note that this may have an impact on the CS-MARS performance.
Table 10-1 Syslog Messages
Syslog Message      Description                                                           Severity Level
106015              A TCP flow was denied because the first packet was not a SYN packet.  Informational (6)
106023              A flow that is denied by an ingress ACL or an egress ACL that is      Warning (4)
                    attached to an interface through the access-group command.
106100              A flow that is permitted or denied by an ACL.                         Warning (4)
302013 and 302014   A TCP connection and deletion.                                        Informational (6)
302015 and 302016   A UDP connection and deletion.                                        Informational (6)
302017 and 302018   A GRE connection and deletion.                                        Informational (6)
302020 and 302021   An ICMP connection and deletion.                                      Informational (6)
313001              An ICMP packet to the security appliance was denied.                  Error (3)
313008              An ICMPv6 packet to the security appliance was denied.                Error (3)
710003              An attempt to connect to the security appliance was denied.           Error (3)
Note When monitoring a failover pair of Cisco firewall devices (PIX or ASA), designate the primary Cisco
firewall device as the device to be monitored. If failover occurs, the secondary device assumes the IP
address of the primary, which ensures that session correlation is maintained after the failover. The same
focus on the primary is true for performing any bootstrap operations. The secondary device will
synchronize with the configuration settings of the primary.
Verify that CS-MARS Pulls Events from a Cisco ASA Security Appliance
The first step is to ensure CS-MARS is able to communicate with the Cisco ASA Security appliance.
This can be verified by forcing a device discovery. Discovery is triggered under the Cisco ASA device
configuration (Admin > System Setup > Security and Monitor Devices).
An easy way to verify that CS-MARS is receiving events from the Cisco ASA appliance is to generate
packets or connections expected to be blocked by the firewall’s policies. That should trigger a “Denied
TCP/UDP request to Firewall” message as shown in Figure 10-4.
Figure 10-4 Denied TCP/UDP Request
Cisco IOS
CS-MARS requires administrative access to be able to discover routers and switches running Cisco IOS
software. Administrative access is possible via Telnet (not recommended), SNMP or SSH (most
recommended).
In order to access the device, Telnet/SSH access needs to be allowed to the IP address of the CS-MARS
appliance. In the case of SSH access, keys should be generated with a minimum modulus size of 768.
Administrative access also requires the use of an administrative account. The best practice is to use AAA
and use a separate user account dedicated for this sort of access. It is also recommended to define a local
account on the Cisco ASA for fallback access in case the AAA service is unavailable. Note that
CS-MARS device configuration only allows the definition of a single set of username and password
credentials. Therefore fallback access will not succeed unless the local account is maintained up-to-date
with the same credentials as the ones configured on CS-MARS.
Event Data Collected from a Cisco IOS Router or Switch
The following information may be collected by CS-MARS from a Cisco router or switch running Cisco
IOS software:
• Resource usage—Using SNMP read-only access, CS-MARS may monitor the device’s CPU and
memory usage, network usage, and device anomaly data. SNMP read-only access is also used to
discover device and network settings. SNMP access requires the definition of an access IP address
for the monitored device. CS-MARS supports SNMPv1.
• Syslog messages—The syslog messages provide information about activities on the network,
including accepted and rejected sessions. This information is useful for false-positive analysis.
• NetFlow—CS-MARS can leverage NetFlow Versions 1, 5, 7, and 9 data to profile the network
usage, to detect statistically significant anomalous behavior, and to correlate anomalous behavior to
events generated by other reporting systems.
• SDEE—CS-MARS uses SDEE to capture security event, logs, and configuration information from
Cisco IOS devices configured with Cisco IOS IPS.
The collection of NetFlow records allows CS-MARS to leverage the routing and switching infrastructure
for detecting anomalous behavior such as DDoS attacks and worm propagation. NetFlow information is
also leveraged for the computation of the Top N Reports (i.e., top destination ports, top sources, etc).
In order to identify traffic anomalies, CS-MARS computes a baseline of connection rates per flow. The
baseline starts to be computed as soon as NetFlow collection is configured on CS-MARS. After enough
flow information is collected over the course of roughly one week, CS-MARS switches into anomaly
detection mode, where it looks for statistically significant behavior (i.e., the current connection rate
exceeds the mean by two to three times the standard deviation). CS-MARS continues to readjust the
baseline as it learns new traffic. After detecting an anomaly, CS-MARS starts to dynamically store the
full NetFlow records for the anomalous traffic, allowing the identification of useful contextual
information including source and destination IP addresses, and destination ports.
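The baseline and anomaly logic just described, as an added example in Python (not code from the Cisco SAFE guide or from CS-MARS): a learning window is filled with per-flow connection rates, a sample above mean plus K standard deviations is flagged, and the full records behind a flagged sample are retained. The window length, the multiplier K and the sample rates are assumptions constructed for the example.

```python
"""Added example, not from the Cisco SAFE guide: a minimal model of the
NetFlow baseline and anomaly logic described above.  For each flow key the
detector first learns a baseline of connection rates; once the learning
window is full it flags a rate that exceeds the mean by more than K standard
deviations and, like CS-MARS, starts retaining the full records behind the
anomalous traffic.  The window length, the multiplier K and the sample rates
are constructed for the example."""
from statistics import mean, pstdev

BASELINE_SAMPLES = 7 * 24   # one rate sample per hour over roughly a week (assumption)
SIGMA_MULTIPLIER = 3.0      # guide: "two to three times the standard deviation"


class FlowBaseline:
    """Learned state for one flow key (for example a destination port)."""

    def __init__(self):
        self.samples = []    # sliding window of recent connection rates
        self.retained = []   # full NetFlow records kept once an anomaly is seen


class AnomalyDetector:
    def __init__(self, window=BASELINE_SAMPLES, k=SIGMA_MULTIPLIER):
        self.window = window
        self.k = k
        self.flows = {}

    def observe(self, key, rate, records=()):
        """Feed one connection-rate sample for `key`.

        Returns None while the baseline is still being learned, False for a
        normal sample and True for an anomalous one.  `records` are the raw
        flow records behind the sample and are retained only when the sample
        is anomalous."""
        fb = self.flows.setdefault(key, FlowBaseline())
        if len(fb.samples) < self.window:       # still in the learning phase
            fb.samples.append(rate)
            return None
        # A flat baseline (sd == 0) makes any increase anomalous; production
        # systems usually floor the deviation, which is omitted here.
        threshold = mean(fb.samples) + self.k * pstdev(fb.samples)
        if rate > threshold:
            fb.retained.extend(records)
            return True
        # Normal traffic keeps readjusting the baseline (oldest sample drops);
        # anomalous samples are kept out so they cannot inflate the threshold.
        fb.samples.append(rate)
        del fb.samples[0]
        return False

    def retained_records(self, key):
        return list(self.flows[key].retained)


def run_demo():
    """Constructed scenario on a single key: steady HTTP connection rates
    for the learning window, one slightly higher sample, then a surge."""
    det = AnomalyDetector(window=10, k=3.0)
    for rate in [100, 110, 90, 105, 95] * 2:      # mean 100, sd about 7.1
        det.observe("tcp/80", rate)
    surge_records = [("10.1.1.7", "192.0.2.10", 80), ("10.1.1.8", "192.0.2.10", 80)]
    verdicts = [det.observe("tcp/80", 115),                     # below mean + 3 sd
                det.observe("tcp/80", 200, surge_records)]      # well above it
    return verdicts, det.retained_records("tcp/80")


if __name__ == "__main__":
    print(run_demo())
```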
Verify that CS-MARS Pulls Events from a Cisco IOS Device
The first step is to ensure CS-MARS is able to communicate with the Cisco IOS device. This can be
verified by forcing a device discovery. Discovery is triggered under the Cisco IOS device configuration
(Admin > System Setup > Security and Monitor Devices).
For syslog and SNMP traps, an easy way to verify that CS-MARS is receiving events from the Cisco IOS
device is to generate packets or connections expected to be blocked by an existing ACL.
A simple way to verify whether the CS-MARS appliance is receiving NetFlow records is to open an SSH
session to the appliance and run the tcpdump port 2055 command. The tcpdump command shows the
details of NetFlow records exchanged over UDP/2055. The following is an example:
[pnadmin]$ tcpdump port 2055
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
07:42:08.836748 IP sfx13asa5580-1.cisco.com.260 > pnmars.2055: UDP, length 332
07:42:08.887558 IP sfx13asa5580-1.cisco.com.260 > pnmars.2055: UDP, length 176
07:42:21.946359 IP dca-core1.cisco.com.65532 > pnmars.2055: UDP, length 72
07:42:22.825689 IP sfx13asa5580-1.cisco.com.260 > pnmars.2055: UDP, length 176
07:42:22.877774 IP sfx13asa5580-1.cisco.com.260 > pnmars.2055: UDP, length 332
In case CS-MARS is configured to store NetFlow records, they can be viewed by running a query
matching event raw messages. This is done in the web interface under Query/Reports>Query.
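tcpdump only proves that datagrams reach UDP/2055. The following added example (Python, not code from the Cisco SAFE guide or CS-MARS) decodes NetFlow v5 exports, the version the Cisco IOS sampled-NetFlow configuration later in this chapter uses, so an operator can confirm that well-formed flow records are arriving; v1, v7 and v9 have different layouts and are rejected. The sample datagram, addresses and the listen() helper are constructed for the example.

```python
"""Added example, not from the Cisco SAFE guide: decode the NetFlow v5
datagrams that tcpdump shows arriving on UDP/2055, so an operator can
confirm the collector is receiving well-formed flow records rather than
merely traffic on that port.  Only NetFlow v5 is handled; v1/v7/v9 use
different layouts and are rejected.  The sample datagram is constructed."""
import socket
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record


def decode_netflow_v5(datagram):
    """Return (header, records) or raise ValueError for a malformed payload."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, unix_secs, _nsecs, sequence,
     _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field is %d)" % version)
    if count > 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not match payload length" % count)
    header = {"version": version, "count": count, "sequence": sequence,
              "engine_id": engine_id, "export_time": unix_secs,
              # top two bits carry the sampling mode, the rest the interval
              "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                        "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
                        "tcp_flags": f[12], "proto": f[13]})
    return header, records


def build_sample_datagram():
    """Constructed export: two flows from a 1-in-100 sampled exporter."""
    flows = [  # src, dst, sport, dport, proto, packets, bytes, tcp flags
        ("10.10.1.25", "192.0.2.80", 40000, 80, 6, 120, 9000, 0x18),
        ("10.10.1.26", "192.0.2.53", 51000, 53, 17, 2, 160, 0x00),
    ]
    body = b"".join(
        V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0\0\0\0",
                       1, 2, pk, by, 1000, 2000, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, by, fl in flows)
    return V5_HEADER.pack(5, len(flows), 123456, 1262304000, 0, 42, 0, 7, 100) + body


def listen(port=2055):
    """Receive exports like the collector does and print one line per flow.
    Needs a real exporter pointed at this host; not exercised offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, (exporter, _) = sock.recvfrom(65535)
        try:
            header, records = decode_netflow_v5(data)
        except ValueError as exc:
            print("%s: rejected datagram: %s" % (exporter, exc))
            continue
        for r in records:
            print("%s seq=%d %s:%d > %s:%d proto=%d pkts=%d bytes=%d" % (
                exporter, header["sequence"], r["src"], r["sport"],
                r["dst"], r["dport"], r["proto"], r["packets"], r["bytes"]))


if __name__ == "__main__":
    print(decode_netflow_v5(build_sample_datagram()))
```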
Cisco Security Agent (CSA)
To enable CSA as a reporting system in CS-MARS, you must identify the CSA-MC as the reporting
device. The CSA-MC receives alerts from the CSA agents that it monitors, and it forwards those alerts
to CS-MARS as SNMP notifications.
When CS-MARS receives the SNMP notification, the source IP address in the notification is that of the
CSA agent that originally triggered the event, rather than the CSA-MC that forwarded it. Therefore,
CS-MARS requires host definitions for each of the CSA agents that can potentially trigger an event.
These definitions are added as sub-components under the device definition of the CSA-MC.
As of CS-MARS Release 4.1.1, the CS-MARS appliance discovers CSA agents as they generate alerts,
eliminating the need for manual configuration. CS-MARS parses the alert to identify the CSA agent
hostname and to discover the host operating system (OS). CS-MARS uses this information to add any
undefined agents as children of the CSA-MC, as a host with either the generic Windows (all Windows)
or generic (Unix or Linux) OS value. It is still required to configure CSA-MC as a reporting system in
the CS-MARS web interface.
Note The first SNMP notification from an unknown CSA agent appears to originate from the CSA-MC.
CS-MARS parses this notification and defines a child agent of the CSA-MC using the discovered
settings. Once the agent is defined, all subsequent messages appear to originate from the CSA agent.
Configuration of CSA-MC requires the definition of CS-MARS as the SNMP trap destination. This is done
under Events > Alerts: add a new alert configuration and set the SNMP host and community. Note that
currently CS-MARS supports SNMPv1. See Figure 10-5.
Figure 10-5 CSA-MC Configuration
Configuration on CS-MARS requires adding CSA-MC as a reporting device. This is done in the CS-MARS
web interface by clicking Add under Admin > Security and Monitor Devices, and by selecting Add
SW Security apps on a new host as the device type. Configuration also requires selecting the appropriate
CSA version as the reporting application and setting the reporting and access IP addresses.
See Figure 10-6 and Figure 10-7.
Figure 10-6 Adding Reporting Application to CS-MARS
Figure 10-7 Adding Cisco CS-MC
Verify that CS-MARS Receives Events from CSA
The simplest way to verify that CS-MARS receives events from CSA is to check whether clients are being
dynamically added as reporting devices. This can be seen in the CS-MARS web interface, under Admin >
System Setup > Security and Monitor Devices. See Figure 10-8.
Figure 10-8 CSA Agents
Cisco Secure ACS
The Cisco Secure ACS server and the ACS Solutions Engine (SE) can be configured to forward syslog
messages to CS-MARS to report AAA activity such as successful authentication attempts, failed
authentication attempts, TACACS+ accounting, and RADIUS accounting.
To that end, configure CS-ACS to forward the desired syslog events to CS-MARS. This is configured in
the CS-ACS web interface, under System Configuration > Logging. The following are some examples:
• PassedAuth—Cisco ACS passed authentications.
• FailedAuth—Cisco ACS failed attempts.
• RADIUSAcc—Cisco ACS RADIUS accounting.
• TACACSAcc—Cisco ACS TACACS+ accounting.
• TACACSAdmin—Cisco ACS TACACS+ administration.
Use a maximum message length of 500 bytes, which is required for CS-MARS.
The screenshot in Figure 10-9 illustrates CS-ACS configuration.
Figure 10-9 CS-ACS Configuration
On CS-MARS, the Cisco Secure ACS server needs to be added as a reporting device. This requires
adding a new device in the CS-MARS web interface, selecting Add SW Security apps on a new host,
and then choosing the appropriate version of CS-ACS as the reporting application. This is illustrated in
Figure 10-10 and Figure 10-11.
Figure 10-10 Adding CS-ACS
Figure 10-11 Adding CS-ACS as a Reporting Application
Verify that CS-MARS Receives Events from CS-ACS
An easy way to verify that CS-MARS receives events from CS-ACS is to generate an incident by producing
failed access attempts to a device running AAA. Failed AAA authentication events should then appear on
the Incidents page of CS-MARS. See Figure 10-12.
Figure 10-12 Failed AAA Authentication
CS-MARS Design Considerations
Global/Local Architecture
While CS-MARS can be deployed as a standalone appliance, environments with high levels of activity
typically mandate the use of multiple appliances. There are two approaches to implementing multiple
CS-MARS appliances in the network: use them as standalone devices or, preferably, leverage them as
distributed systems managed by a global controller in a hierarchical design.
Using a global controller has the following advantages:
• It provides global visibility to the entire network.
• It enables linear scalability using a multi-layer hierarchy.
• It allows for departmental/regional administration.
• It preserves bandwidth on WAN links.
Figure 10-13 illustrates CS-MARS hierarchical deployment.
Figure 10-13 CS-MARS Hierarchical Deployment
In a hierarchical deployment, multiple local controllers are deployed at different network locations. Each
local controller is responsible for receiving and pulling event data from the reporting devices at its
location. The local controller is also responsible for summarizing the information about the health of the
network.
The local controller performs the following functions:
• Collects all raw events
• Sessionizes events across different devices
• Fires inspection rules for incidents
• Determines false positives
• Delivers consolidated information in diagrams, charts, queries, reports, and notifications
• Detects inactive reporting devices
Figure 10-13 labels: Global Controller, Local Controller (x2), Branch (x3), Headquarters
The global controller appliance is responsible for summarizing the findings of the local controllers, and
centralizing all reporting generated by the local controllers, providing a single aggregated view of the
network health. In addition, the global controller provides a single user interface for managing all local
controllers under its control. This includes centralized management for defining new device types,
inspection rules, and queries.
Global controller capabilities include:
• Aggregation of reports across the local controller (LC) deployment
• Defining rules, reports and user accounts for local controllers
Note Configuration of LC is done locally on the individual LC appliance.
• Remote, distributed upgrade of the LCs
CS-MARS Location
CS-MARS stores sensitive topological and configuration information, and it is one of the key elements for
system-wide intelligence and collaboration. For this reason, CS-MARS needs to be placed in a secured
environment. The Cisco SAFE design places CS-MARS in the NOC/Management segment. The
NOC/Management segment is protected with an IDS and an ASA security appliance, and
access from the network is controlled and restricted to the necessary services and systems.
Environments requiring the implementation of multiple CS-MARS appliances should follow the same
approach, placing them in a secure segment and ensuring the security of their communication channels.
CS-MARS Sizing
When planning a deployment, you must consider the ability of a CS-MARS appliance to process the
traffic expected from reporting devices on your network. Which models to purchase and where to place
them on the network depends on the anticipated, sustained events per second (EPS) and NetFlow flows
per second (FPS) predicted for that network or segment.
The following are the key considerations for deployment:
• Number of sites CS-MARS supports—The available bandwidth at hub and remote office, plus the
number and type of reporting devices provide an idea of the anticipated volume and rate of event
data. It also helps determine if the bandwidth available is sufficient.
• Requirements for high availability—Some CS-MARS models include RAID arrays and redundant
power supplies.
• Expected events per second—CS-MARS appliance models vary in how many events per second they
can handle.
• Online storage capacity needed—Depending on the database size anticipated.
For more information on CS-MARS models, refer to the CS-MARS User documentation.
http://www.cisco.com/en/US/products/ps6241/tsd_products_support_configure.html
Deployment Best Practices
Network Foundation Protection (NTP)
When implementing network telemetry, it is important that dates and times are both accurate and
synchronized across all network infrastructure devices. Without time synchronization, CS-MARS may
not be able to correlate the different sources of telemetry properly. For this reason it is fundamental that
CS-MARS and all its reporting and mitigation devices are synchronized with NTP.
When deploying a single, centralized CS-MARS appliance the best practice is to configure all reporting
and mitigation devices under the same time-zone. When using a hierarchical design, each local controller
may be placed into a different time-zone. The global controller is capable of offsetting the time-zone
differences.
NTP deployment best practices are covered in Chapter 2, “Network Foundation Protection.”
Monitoring and Mitigation Device Selection
As discussed earlier, multiple access and reporting mechanisms may be available for the same device,
and in some cases they may provide the same event information. At the same time, in most places in the
network, the same monitoring or mitigation functions may be implemented on different platforms.
Enabling all access and reporting mechanisms on all network devices is usually unnecessary, and most
likely results in duplicate information, wasting and potentially exhausting precious CS-MARS
resources. For this reason, CS-MARS deployment needs to be carefully planned. Part of this planning
should include the identification of the best devices for monitoring and mitigation purposes. Planning
should also identify the most appropriate access and monitoring mechanisms to be enabled on each of
the selected devices. Factors such as topological location, processing capacity, and supported access
and mitigation methods should be considered.
The following are general recommendations for CS-MARS deployment in Cisco SAFE designs.
Cisco IPS
CS-MARS communicates with Cisco IPS appliances and modules using SDEE. The following are the
recommendations:
• Add all Cisco IPS appliances and modules to CS-MARS.
• If available, the administrative interface of the Cisco IPS sensor or module should connect to the
OOB management network or over a secured segment.
• Limit the addresses of the hosts or networks that are permitted administrative access to the
sensor. Add the IP address of CS-MARS as a trusted host.
• Define a local administrative account to be used for CS-MARS access only. Give the account
viewer access, which is the minimum level required for the device to be discovered.
Cisco ASA
Cisco ASA supports different access and reporting mechanisms. Which ones to use depends on several
factors, such as the model of Cisco ASA.
The following are the recommendations for all Cisco ASA appliances:
• For maximum visibility, all Cisco ASA devices should be added to CS-MARS.
• If available, connect the management interface of the Cisco ASA appliance to the OOB management
network or over a secured segment.
• Configure SSH access to be used by CS-MARS discovery. Limit the addresses of the hosts or networks
that are permitted administrative access to the appliance. Make sure the IP address of
CS-MARS is added to the SSH access list. Remember to use a modulus size of 768 bits at a minimum
when creating the RSA key pair.
• Define an AAA administrative account and a local account to be used for CS-MARS access only.
Give the accounts privilege level 15. The local account is to be used as a fallback in case
AAA is not available. Ensure at all times that the credentials of both accounts are synchronized with the
device configuration in CS-MARS.
• Configure SNMP read-only access for the monitoring of system resources. Enforce an ACL to limit
access to trusted systems. Make sure to add the IP address of CS-MARS as a trusted host. Use a
strong community name.
• Enable system logging (syslog) at the informational severity level. A severity level of
informational is sufficient to capture session setups, teardowns, packet denies, and NAT
transactions. A severity level of debugging is rarely required, for example when HTTP and
FTP logs are needed (see note below). It is also good practice to limit the rate at which system log
messages are generated in high-activity environments. This is done with the logging rate-limit
command. Cisco ASA devices monitored in-band should also be configured with secure logging
(SSL/TLS-based).
Note When enabling trap debugging, the debug messages contain the HTTP URL address information.
Therefore, in CS-MARS you can create keyword-based rules matching against the firewall message
itself. For example, if debug messages are enabled and users were logging in to http://mail.cisco.com,
you could create keyword-based rules that match against mail.cisco.com.
The following are the recommendations for Cisco ASA5580 appliances running software Version 8.1(1)
or later, and for all other Cisco ASA platforms running Version 8.2(1) or later:
• Enable NSEL for the reporting of session activity (setup, teardown, and deny) and NAT transactions.
• Configure the logging flow-export-syslogs disable command to ensure no duplicate messages are
sent to CS-MARS.
The following is an example of configuration for a Cisco ASA5580 running software Version 8.1(1).
Note that x.x.x.x is the IP address of the CS-MARS appliance.
! Enables export of NetFlow security logging
flow-export enable
! Defines the interface, IP address and UDP port to be used for reporting to CS-MARS
flow-export destination management x.x.x.x 2055
flow-export template timeout-rate 1
! Disables redundant system logging messages
logging flow-export-syslogs disable
!
! Configures syslog logging at informational level
logging trap informational
! Enables secure logging
logging host management x.x.x.x TCP/1500 secure
logging enable
no logging console
logging buffered debugging
!
! SNMP Configuration
snmp-server host management x.x.x.x poll community
snmp-server community
NetFlow configuration on Cisco ASA software Version 8.1(2) and later has been enhanced to support
the Modular Policy Framework. The following is a sample NetFlow configuration for Cisco ASAs
running software Version 8.1(2) and later. For syslog and SNMP sample configurations, see the example
provided above for software Version 8.1(1):
! Defines the interface, IP address and UDP port to be used for NetFlow logging to CS-MARS
flow-export destination inside x.x.x.x 2055
flow-export template timeout-rate 1
! Disables redundant system logging messages
logging flow-export-syslogs disable
class-map flow_export_class
match any
policy-map flow_export_policy
class flow_export_class
flow-export event-type all destination x.x.x.x
service-policy flow_export_policy global
Note If you previously configured flow-export actions in Version 8.1(1) using the flow-export enable
command, and you upgrade to a later version, then your configuration will be automatically converted
to the new Modular Policy Framework flow-export event-type command. For more information, see the
8.1(2) release notes.
The following is an example configuration for Cisco ASAs running software Version 8.0 or earlier:
! Configures syslog logging at informational level
logging trap informational
! Enable secure logging
logging host management x.x.x.x TCP/1500 secure
logging enable
no logging console
logging buffered debugging
! SNMP configuration
snmp-server host management x.x.x.x poll community
snmp-server community
Cisco IOS Devices
Cisco IOS routers and switches support different access and reporting mechanisms. The following are
recommendations for all Cisco IOS devices, independent of their location:
• If available, dedicate an interface to control and management. Connect the interface to the OOB
management network or over a secured segment.
• Configure SSH access to be used by CS-MARS discovery. Limit the addresses of the hosts or networks
that are permitted administrative access to the device. Remember to use a modulus size
of 768 bits, at a minimum, when creating the RSA key pair. Configure the ACL applied to the
management interface to allow SSH sessions from the IP address of CS-MARS.
• Define an AAA administrative account and a local account to be used for CS-MARS access only.
Specify the accounts privilege access level 15. The local account is to be used as a fallback in case
AAA is not available. Ensure at all times the credentials of both accounts are synchronized with the
device configuration in CS-MARS.
• Configure SNMP read-only access for the monitoring of system resources. Use a strong community
name. To enable the collection of resource usage data, you must ensure that the CPU and memory
usage-specific events are logged by the reporting devices. Configure the ACL applied to the
management interface to allow SNMP queries from the IP address of CS-MARS.
• If the Cisco IOS router is configured with Cisco IOS IPS, configure SDEE access to allow HTTPS
connections from the CS-MARS appliance.
The following configuration fragment illustrates the commands used to enable CS-MARS to retrieve
events from the Cisco IOS IPS software.
ip http secure-server
! Sets maximum number of concurrent subscriptions
ip sdee subscriptions 2
! Sets the maximum number of SDEE events that can be stored in the event buffer
ip sdee events 500
! Send messages in SDEE format
ip ips notify sdee
! Do not send messages in syslog format
no ip ips notify log
The following configuration fragment illustrates the SNMP configuration. Note x.x.x.x corresponds to
the IP address of CS-MARS.
access-list 55 remark ACL for SNMP access to device
access-list 55 permit x.x.x.x
access-list 55 deny any log
snmp-server community csmars RO 55
snmp-server enable traps cpu threshold
snmp-server host x.x.x.x traps memory cpu
In the context of CS-MARS, NetFlow data is exported for two main uses: to identify any statistically
significant anomalous behavior and to populate the data used for top N reports. While NetFlow data is
valuable, its collection and export may consume resources on both network devices and CS-MARS. For
this reason, choose wisely where to enable NetFlow:
• Preferably, enable NetFlow collection and export on network devices that aggregate traffic, such as
campus distribution switches and data center core routers.
• Use NetFlow random sampling. Random sampled NetFlow provides NetFlow data for a subset of
traffic in a Cisco router by processing only one randomly selected packet out of n sequential packets
(n is a user-configurable parameter). Statistical traffic sampling substantially reduces consumption
of router resources (especially CPU resources) while providing valuable NetFlow data. For the
purpose of CS-MARS, random sampled NetFlow provides the same quality of data needed to
identify traffic anomalies and to be used for top N reports.
The following configuration fragment provides an example of sampled NetFlow collection.
ip flow-export version 5
ip flow-export source GigabitEthernet1/3
ip flow-export destination x.x.x.x 2055
flow-sampler-map csmars-sample
mode random one-out-of 100
interface gig4/1
flow-sampler csmars-sample
ip flow ingress
Syslog provides invaluable operational information, including system status, traffic statistics and device
access information. The following are the deployment recommendations:
• Enable syslog on all routers and switches.
• Do not log to the console.
• Enable syslog rate-limiting where available. The syslog rate-limiting limits the rate of messages
logged per second, helping to ensure that syslog messages do not impact the CPU of either the
sending device or CS-MARS.
• Use trap-level informational for those devices configured with ACLs or any other security features
controlling passing traffic. Use trap-level critical for the rest. For example, configure informational
level on campus switches enforcing ACLs and configure critical level for core routers.
The following configuration template illustrates the syslog configuration.
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging buffered
logging trap informational
logging host x.x.x.x
logging rate-limit all 10
logging source-interface
no logging console
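The SNMP and syslog recommendations for Cisco IOS devices above can be checked mechanically. The following added example (Python, not code from the Cisco SAFE guide) audits a configuration fragment for them: console logging disabled, syslog rate-limiting present, a trap level of informational or critical, timestamped log messages, and an SNMP community that is read-only and bound to an ACL permitting only the CS-MARS address. The weak-community list and both sample configurations are constructed, with 10.0.0.5 standing in for the x.x.x.x CS-MARS address used in the guide.

```python
"""Added example, not from the Cisco SAFE guide: audit a Cisco IOS
configuration fragment against the syslog and SNMP recommendations above.
The weak-community list and both sample configurations are constructed;
10.0.0.5 stands in for the x.x.x.x CS-MARS address used in the guide."""
import re

WEAK_COMMUNITIES = {"public", "private", "cisco"}   # constructed list of names to reject


def audit_ios_config(config_text, csmars_ip):
    """Return a list of findings; an empty list means the fragment follows
    the recommendations."""
    lines = [ln.strip() for ln in config_text.splitlines()
             if ln.strip() and not ln.strip().startswith("!")]
    findings = []
    if "no logging console" not in lines:
        findings.append("console logging is not disabled")
    if not any(ln.startswith("logging rate-limit") for ln in lines):
        findings.append("syslog rate-limiting is not configured")
    trap_levels = [ln.split()[2] for ln in lines
                   if ln.startswith("logging trap ") and len(ln.split()) >= 3]
    if not trap_levels or trap_levels[-1] not in ("informational", "critical"):
        findings.append("logging trap level is not informational or critical")
    if not any(ln.startswith("logging host ") for ln in lines):
        findings.append("no syslog host is configured")
    if not any(ln.startswith("service timestamps log datetime") for ln in lines):
        findings.append("log messages are not timestamped")

    # Collect what each standard ACL permits, so SNMP communities can be checked.
    acl_permits = {}
    for ln in lines:
        m = re.match(r"access-list (\d+) permit (?:host )?(\S+)", ln)
        if m:
            acl_permits.setdefault(m.group(1), set()).add(m.group(2))

    for ln in lines:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\d+))?$", ln)
        if not m:
            continue
        name, mode, acl = m.groups()
        if name.lower() in WEAK_COMMUNITIES:
            findings.append("community %s is a well-known name" % name)
        if mode == "RW":                       # IOS defaults to RO when omitted
            findings.append("community %s allows write access" % name)
        if acl is None:
            findings.append("community %s is not restricted by an ACL" % name)
        else:
            permits = acl_permits.get(acl, set())
            if "any" in permits:
                findings.append("ACL %s permits any host" % acl)
            elif csmars_ip not in permits:
                findings.append("ACL %s does not permit CS-MARS (%s)" % (acl, csmars_ip))
    return findings


# Constructed: the guide's SNMP fragment and syslog template with a concrete address.
GOOD_CONFIG = """\
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging buffered
logging trap informational
logging host 10.0.0.5
logging rate-limit all 10
logging source-interface Loopback0
no logging console
access-list 55 remark ACL for SNMP access to device
access-list 55 permit 10.0.0.5
access-list 55 deny any log
snmp-server community csmars RO 55
snmp-server enable traps cpu threshold
snmp-server host 10.0.0.5 traps memory cpu
"""

# Constructed: a fragment that ignores most of the recommendations.
WEAK_CONFIG = """\
logging trap debugging
logging host 10.0.0.5
snmp-server community public RW
"""

if __name__ == "__main__":
    for finding in audit_ios_config(WEAK_CONFIG, "10.0.0.5"):
        print("finding:", finding)
```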
Deployment Table
Table 10-2 summarizes the access and monitoring protocol selections used in the Cisco SAFE design
blueprint.
Table 10-2 Deployment Model
Place in the Network   Device and Function     Methods
Campus                 Services ASA            SSH, NetFlow, syslog (no-redundant, informational), SNMP RO
Campus                 Services IPS            SDEE
Campus                 Campus IPS              SDEE
Campus                 Distribution Switches   SSH, Sampled NetFlow, syslog (critical), SNMP RO
Campus                 Access Switches         SSH, syslog (informational), SNMP RO
Internet Edge          ASA                     SSH, NetFlow, syslog (no-redundant, informational), SNMP RO
Internet Edge          IPS                     SDEE
Internet Edge          Border Routers          SSH, Sampled NetFlow, syslog (informational), SNMP RO
Internet Edge          Inner Switches          SSH, syslog (critical), SNMP RO
WAN Edge               WAN/VPN Edge Routers    SSH, Sampled NetFlow, syslog (informational), SNMP RO
WAN Edge               Distribution Switches   SSH, syslog (critical), SNMP RO
WAN Edge               IPS                     SDEE
Branch                 Router                  SSH, syslog (informational), SNMP RO
Branch                 ASA                     SSH, syslog (informational), SNMP RO
Branch                 IPS                     SDEE
Branch                 Switch                  SSH, syslog (informational), SNMP RO
Data Center            ASA                     SSH, NetFlow, syslog (no-redundant, informational), SNMP RO
Data Center            IPS                     SDEE
Data Center            DC Core Switches        SSH, Sampled NetFlow, syslog (critical), SNMP RO
Data Center            DC Distribution         SSH, syslog (critical), SNMP RO
Data Center            DC Access               SSH, syslog (informational), SNMP RO
Core                   Core Switches           SSH, syslog (critical), SNMP RO
Analysis and Correlation
In the context of threat control and containment, CS-MARS is responsible for the correlation of event,
alarm, and log information generated throughout the network to identify and mitigate threats in a timely
manner. Such functions require a certain level of network intelligence about the network topology, device
configurations, and traffic patterns. Network topology and device configuration are learned by CS-MARS
as monitoring and mitigation devices are configured, or as a result of automatic network discovery
(periodic SNMP-based discovery). CS-MARS also leverages Cisco NetFlow for network traffic profiling.
CS-MARS uses the network intelligence to distinguish between legitimate threats and false positives,
and to effectively reduce the volume of event data presented to the users.
Network Discovery
CS-MARS gathers information on the network topology and device configuration as reporting devices
are added to the web interface and as a result of automatic network discovery. The automatic network
discovery uses SNMP read-only access to discover and query the devices in the network. The network
discovery can be programmed to run periodically, or can be run on demand. As not all network devices
allow SNMP-based discovery, Telnet (not recommended) and SSH are also leveraged in the
network discovery. Information gathered by CS-MARS as a result of a network discovery includes IP
addresses, IP routes, Layer-2 forwarding tables, NAT rules, access control lists (ACLs), and more.
To be more efficient, CS-MARS can be configured with the list of SNMP community strings and IP
networks to target during the network discovery. This is configured in the CS-MARS web interface, under
Admin > System Setup > Community Strings and Networks. See Figure 10-14.
Figure 10-14 Automatic Discovery
To control what networks are added to the network topology, a list of valid networks can be defined in
the CS-MARS web interface, under Admin > System Setup > Valid Networks (see Figure 10-15).
Optionally, an SNMP target may be indicated for each network or IP range. The SNMP discovery process
starts by querying the SNMP target (if one was defined).
Figure 10-15 Valid Networks
Finally, network discoveries can be scheduled for a particular time and day in the week, month, etc. This
can be configured in CS-MARS web interface, under Admin > System Setup > Topology/Monitored
Device Update Scheduler. See Figure 10-16.
Figure 10-16 Topology Update Schedule
Data Reduction
One of the primary functions of CS-MARS is to analyze and correlate the alarm information gathered
from the reporting devices to distinguish real threats from false-positives and to reduce the amount of
data administrators need to pay attention to. This allows for the rapid identification and response to
threats.
CS-MARS uses its network intelligence to determine the context and the relevance of an incident. By
leveraging the contextual information, CS-MARS can determine if the target of an attack is in fact
vulnerable to the attack. CS-MARS also leverages its topological awareness to identify the path followed
by an attack, and to determine whether the target was reached or the attack was blocked by an
intermediate device such as a firewall or an IPS.
The snapshot in Figure 10-17 illustrates a system-determined false positive. The incident was generated
in response to a WWW IIS Unicode Directory traversal attack attempt. As the icon indicates,
CS-MARS determined the incident to be a false positive because the offending session was denied by
an inline Cisco IPS.
Figure 10-17 System determined false positive
The snapshot in Figure 10-18 confirms that the inline Cisco IPS successfully blocked the attack.
Figure 10-18 Security Incident Details
Figure 10-19 shows the summary page, highlighting data reduction and system-determined false positives.
Figure 10-19 Data Reduction
Attack Path and Topological Awareness
Thanks to its knowledge of the network topology and device configurations, CS-MARS is able to
visualize the path attacks follow in the network. This allows CS-MARS to identify possible mitigation
enforcement devices along the path, and to recommend the configuration command necessary to
effectively mitigate the threat. Possible response actions are discussed in Chapter 11, “Threat Control
and Containment.”
The screenshot in Figure 10-20 illustrates CS-MARS correlation. In this case, the system was able to
correlate several attacks from the same attacker system.
Figure 10-20 Event Correlation
In the example shown in Figure 10-21, anomalous activity included a reconnaissance TCP port sweep,
later followed by two targeted attacks: a WWW IIS Unicode directory traversal attack and a WWW IIS
Internet Printing Overflow.
Figure 10-21 Incident Detail
Finally, CS-MARS network intelligence allowed it to reconstruct the attack path and identify possible
mitigation points. See Figure 10-22.
Figure 10-22 Attack Path
NetFlow
As described earlier in this chapter, CS-MARS is capable of leveraging NetFlow Versions 1, 5, 7, and 9
data to profile network usage, detect statistically significant anomalous behavior, and correlate
anomalous behavior. This allows CS-MARS to leverage the network infrastructure to effectively identify
anomalous behavior such as DDoS attacks and worm propagation.
Figure 10-23 shows a DDoS attack initiated in the lab testing Internet edge topology. The graphs indicate
a sudden traffic surge.
Figure 10-23 Activity Graphs
The screenshot in Figure 10-24 provides more detailed information on the incident, including the
attacker's IP address (198.133.219.128). It can be deduced that the attack consisted of a connection flood
to multiple destinations on port 80 (HTTP).
Figure 10-24 Incident Details
Chapter 11 Threat Control and Containment
Cisco SAFE leverages the threat detection and mitigation capabilities available on Cisco firewalls,
Cisco IPS, Cisco Security Agents (CSA), Cisco Network Admission Control (NAC), and
web/E-mail security appliances. In addition, the alarm and event information generated by these devices
is centrally collected and correlated by the Cisco Security Monitoring, Analysis, and Response System
(CS-MARS) to identify the source of threats, visualize the attack paths, and to suggest and optionally
enforce response actions. Cisco IPS visibility is enhanced with the endpoint posture information
provided by CSA which reduces false-positives and allows for the dynamic quarantine of compromised
hosts. Cisco SAFE also leverages the linkage between Cisco Security Manager (CSM) and CS-MARS
to simplify management and to expedite troubleshooting and threat mitigation.
Following are some of the threat control and containment attributes of the Cisco SAFE design:
• Complete visibility—Infrastructure-wide intelligence provides an accurate vision of network
topologies, attack paths, and extent of the damage.
• Adaptive response to real-time threats—Source threats are dynamically identified and blocked in
real-time.
• Consistent policy enforcement coverage—Mitigation and containment actions may be enforced at
different places in the network for defense-in-depth.
• Minimize effects of attacks—Response actions may be immediately triggered as soon as an attack is
detected, thereby minimizing damage.
• Common policy and security management—A common policy and security management platform
simplifies control and administration, and reduces operational expense.
Endpoint Threat Control
Network endpoints include servers, desktop computers, laptops, printers, IP phones, and any other
systems that connect to the network. The great variety in hardware types, operating systems, and
applications represents a clear challenge to security. In addition, portable devices such as laptops can be
used at hotels and other places outside the corporate controls, further complicating the enforcement of
security policies and controls. Common threats to these endpoints include malware, adware, spyware,
viruses, worms, botnets, and E-Mail spam.
Properly securing the endpoints requires end-user awareness and the adoption of the appropriate
technical controls. Cisco SAFE advocates for the continuous education of end-users on current threats
and security measures. Furthermore, the Cisco SAFE design blueprints implement a range of security
controls designed to protect the endpoints. These include host-based IPS, network-based intrusion
prevention systems, and web and E-Mail traffic security.
As its host-based IPS, Cisco SAFE leverages CSA on end-user workstations and servers. CSA takes a
proactive and preventative approach, using behavior-based security to focus on preventing malicious
activity on the host. Malicious activity is detected and blocked, independent of the type of malware,
spyware, adware, or virus affecting the host.
Once deployed on an endpoint, whenever an application attempts an operation, the agent checks the
operation against the application’s security policy—making a real-time allow or deny decision on the
continuation of that operation and determining whether logging the operation request is appropriate.
Security policies are collections of rules that IT or security administrators assign to protect servers and
desktops, either individually or enterprise-wide. CSA provides defense-in-depth protection against
spyware and adware by combining security policies that implement distributed firewall, operating
system lockdown and integrity assurance, malicious mobile code protection, and audit-event collection
capabilities in default policies for servers and desktops.
CSAs are centrally managed with the CSA Management Center (CSA-MC), which in the Cisco SAFE
design is placed in a secure segment in the data center. The Management Center (MC) also provides
centralized reporting and global correlation.
For complete details about deploying CSA in a network, refer to the Rapid Deployment Guide for Cisco
Security Agent 6.0 for Desktops at the following URL:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5057/deployment_guide_c07-501928.html
Network-Based Threat Control
Cisco SAFE leverages various forms of network-based threat control, including Cisco IPS sensors,
Cisco firewalls, Cisco NAC and web/E-Mail security. Cisco NAC and web/E-Mail security are
addressed in Chapter 5, “Enterprise Campus,” and Chapter 6, “Enterprise Internet Edge,” respectively.
Network-Based Cisco IPS
Cisco IPS modules and appliances are strategically deployed throughout the Cisco SAFE design
blueprints. Cisco IPS provides signature and reputation-based threat detection and mitigation for threats
such as worms, spyware, adware, network viruses, and application abuse.
The deployment mode and the platform selection in the Cisco SAFE design blueprints is driven by three
key design aspects:
• Deployment Mode, page 11-3
• Scalability and Availability, page 11-3
• Maximum Threat Coverage, page 11-3
• Cisco IPS Blocking and Rate Limiting, page 11-4
• Cisco IPS Collaboration, page 11-4
Deployment Mode
Cisco IPS appliances and modules can be deployed in inline or promiscuous mode, typically referred to
as Cisco IPS or IDS modes. When deployed in inline mode, the Cisco IPS is placed in the traffic path.
This allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target,
thus providing a protective service. Cisco IPS inline mode enables automatic threat detection and
mitigation capabilities that offer some clear advantages in terms of timely threat mitigation. In addition,
signature tuning enables the automated response actions to be tuned according to customer policy. Since
the Cisco IPS is in the data path, it is critical to ensure that a deployment be well designed, architected,
and tuned to ensure that it does not have a negative impact on network and service availability.
Cisco IPS can also be deployed in promiscuous mode. In this mode, the Cisco IPS performs passive
monitoring, with traffic being passed to it through a monitoring port. The Cisco IPS sensor analyzes a
copy of the monitored traffic rather than the actual forwarded packet. Upon detection of anomalous
behavior, management systems are informed of an event and operational staff can subsequently decide
what action, if any, to take in response to an incident. The time between threat detection and mitigation
may thus be extended.
Scalability and Availability
For scalability, Cisco offers a range of IPS platforms with various levels of capacity and form factors
that can be deployed according to particular customer needs. The Cisco SAFE designs implement
Cisco IPS appliances on those places in the network (PINs) demanding the highest levels of throughput,
such as the data center, campus, and the WAN edge. Cisco IPS modules are also viable options for
environments where integrated security is preferred. At the branches, Cisco IPS modules are deployed
on routers or firewalls.
For increased scalability and high availability, multiple Cisco IPS sensors can be bundled together using a
load-balancing mechanism. The Cisco SAFE campus design implements multiple appliances by
connecting them to a switch and using the EtherChannel load-balancing (ECLB) feature of the switch to perform
intelligent load balancing across the Cisco IPS devices. Multiple Cisco IPS sensors may also be
deployed by using a load-balancing module or appliance such as the Cisco Application Control Engine (ACE)
module.
Maximum Threat Coverage
For maximum visibility, the Cisco IPS sensors must be able to see traffic in both directions. For this
reason, it is important to ensure the symmetry of the traffic as it traverses or reaches the Cisco IPS sensor.
Symmetrical traffic flows offer a number of important benefits, including enhanced threat detection,
reduced vulnerability to Cisco IPS evasion techniques, and improved operations through reduced false
positives and false negatives. Consequently, this is a key design element. For example, if more than one
Cisco IPS exists in a single flow for availability and scalability purposes, maintaining symmetric flows
requires some consideration of the Cisco IPS integration design. There are a number of options available
to ensure symmetric traffic flows, including the following:
• Copy traffic across Cisco IPS—Use of SPAN, VLAN access control list (VACL) capture, or taps to
duplicate traffic across all Cisco IPS, ensuring any single Cisco IPS sees all flows. This can become
a challenge once more than two Cisco IPS are involved and results in all Cisco IPS being loaded
with the active traffic flows.
• Integration of a Cisco IPS switch—Topological design to consolidate traffic into a single switch,
thereby leveraging the switch to provide predictable and consistent forward and return paths through
the same Cisco IPS. This is a simple design, but it introduces a single point of failure.
• Routing manipulation—Use of specific routing techniques, such as path cost metrics or
policy-based routing (PBR), to provide predictable and consistent forward and return paths through
the same switch and, consequently, the same Cisco IPS. This is a cost-effective design approach,
but it introduces complexity and requires an agreement from network operations (NetOps).
• Sticky load balancing—Insertion of a sticky load-balancing device, such as the Cisco ACE module,
to provide predictable and consistent forward and return paths through the same Cisco IPS. This is a
flexible design, but it introduces additional equipment to deploy and manage.
Cisco IPS Blocking and Rate Limiting
Cisco IPS sensors can be used in conjunction with routers, switches, and firewalls to dynamically
enforce blocking and rate-limiting actions on those devices in response to suspicious events.
Blocking is configured at the signature level and, when triggered, the sensor updates the configuration
of the managed devices to enforce the block action.
There are three types of blocks:
• Host block—Blocks all traffic from a given IP address.
• Connection block—Blocks traffic from a given source IP address to a given destination IP address
and destination port.
• Network block—Blocks all traffic from a given network.
Caution Configuring a sensor to perform blocking at a very high rate, or to manage too many blocking devices
and interfaces, might result in the sensor not being able to apply blocks in a timely manner—or not being
able to apply blocks at all.
Cisco IPS sensors can also be configured to restrict the rate of specified traffic classes on network
devices. Rate-limiting responses are supported for the Host Flood and Net Flood engines, and the TCP
half-open SYN signature.
For more information on Cisco IPS capabilities, refer to the Cisco IPS Configuration Guide at the
following URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guides_list.html
Cisco IPS Collaboration
In collaboration with other Cisco devices, the Cisco IPS provides enhanced visibility and control
through system-wide intelligence. This includes host-based IPS collaboration with the CSA (explained
later in this chapter), reputation-based filtering and global correlation using SensorBase, automated
threat mitigation with the WLAN Controller (WLC), multi-vendor event correlation and attack path
identification using CS-MARS, and common policy management using CSM.
Cisco IPS collaboration with the WLAN Controller is covered in detail in the Secure Wireless Design
Guide at the following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/ch8_2_SPMb.html
Network-Based Firewalls
Cisco SAFE leverages the threat detection and mitigation capabilities available on Cisco firewalls.
Firewall abilities include identifying and dropping packets due to denial by access list, invalid packet
format, connection limits exceeded, protocol violations, and other abnormal conditions. Cisco firewalls
are also equipped with application-layer protocol inspection to allow the identification and automatic
mitigation of attacks based on protocol violation or manipulation. Other control mechanisms include the
enforcement of timeouts and connection limits which helps mitigate flood-based denial of service (DoS)
attacks.
For a detailed description of the deployment options and platforms implemented in each SAFE module,
refer to the applicable module chapter.
Cisco IOS Embedded Event Manager
Cisco IOS Embedded Event Manager (EEM) is a powerful and flexible subsystem in Cisco IOS that
provides real-time network event detection and on-board automation. Using EEM, customers can adapt
the behavior of network devices to align with business needs.
EEM is available on a wide range of Cisco platforms and customers can benefit from the capabilities of
EEM without upgrading to a new Cisco IOS version.
EEM supports more than 20 event detectors that are highly integrated with different Cisco IOS
components to trigger actions in response to network events. Customer business logic can be injected
into operations using EEM policies. These policies are programmed using either a simple CLI-based
interface or using Tool Command Language (Tcl) scripting language. EEM harnesses the significant
intelligence within Cisco devices to enable creative solutions including automated troubleshooting,
automatic fault detection and troubleshooting, and device configuration automation.
For more information about EEM, refer to the Cisco IOS Software Embedded Event Manager, Harnesses
Network Intelligence to Increase Availability at the following URL:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6550/prod_white_paper0900aecd803a4dad_ps6815_Products_White_Paper.html
Global Threat Mitigation
As described in the previous section, CS-MARS develops network intelligence by understanding the
network topology and device configurations and by profiling network traffic. CS-MARS uses this
network intelligence to identify and mitigate threats before they affect other systems or PINs.
Upon identification of a legitimate network attack, CS-MARS can visualize the attack path
and identify possible mitigation enforcement devices along the path. Attack paths can be visualized by
the user at both Layer 2 and Layer 3. CS-MARS also provides the appropriate device commands that the
user can employ to mitigate the threat on the possible mitigation devices.
Possible mitigation enforcement devices are devices that can deny the attack traffic flow and that are in
the attack path. CS-MARS provides mitigation support in two forms:
• For supported Layer-3 devices based on the Open Systems Interconnection (OSI) model, CS-MARS
provides the user with a suggested device and set of commands that can be used to halt an ongoing,
detected attack. This information can be used to manually block the attack.
• For supported Layer-2 devices, CS-MARS recommends a device and a set of commands to halt the
ongoing, detected attack, and provides a method for making the configuration changes on behalf of
the user.
As an example, Figure 11-1 illustrates an attack launched from the main campus.
Figure 11-1 Incident Detail
The attack paths and the recommended action (ACL enforcement) determined by CS-MARS are
illustrated in Figure 11-2 and Figure 11-3.
Figure 11-2 Attack Paths Determined by CS-MARS
Figure 11-3 Suggested Mitigation Commands
Cisco IPS Enhanced Endpoint Visibility
Cisco SAFE leverages the integration between CSA and Cisco IPS as a key component of Cisco SAFE
threat control and containment strategy. Residing on servers and desktops, CSAs have full visibility into
endpoints which allows CSAs to gather information that is not available to any other security component
on the network. The integration between CSA and Cisco IPS allows the sensor to use this valuable
information and thereby increase its visibility into endpoints and global threats.
The collaboration between CSA and Cisco IPS has the following benefits:
• Ability to use CSA endpoint information to influence Cisco IPS actions—By using the endpoint
contextual information, Cisco IPS determines the appropriate severity of a network threat and
instructs the adequate response action.
• Reduction of false positives—CSA provides OS-type and other endpoint posture information that
helps Cisco IPS determine the relevancy of a threat—reducing the chance of a false positive.
• Enhanced attack mitigation—Cisco IPS can use the watch list maintained by CSA. The watch list
helps Cisco IPS monitor the systems identified by CSA as suspicious or malicious, and helps
highlight any events associated with these systems.
• Dynamic host quarantine—The Cisco IPS has the ability to dynamically block hosts that have been
identified by CSA as malicious. This extends the quarantine capabilities from CSA to the Cisco IPS.
CSA and Cisco IPS Collaborative Architecture
The architecture integrating CSA and Cisco IPS relies on the interaction of the following major
components:
• Cisco IPS —Any Cisco IPS platform running at minimum Cisco IPS Sensor Software Version 6.0,
configured either in inline protection mode (IPS) or promiscuous mode (IDS).
• CSAs—Host-based IPS software running on the servers and desktops to be protected and
monitored.
• CSA-MC—A standalone application that provides centralized security policy configuration,
monitoring, and administration for CSAs. In addition, CSA-MC performs global correlation based
on event and posture information generated by the CSAs. CSA-MC 5.0 or later is required to
integrate with the Cisco IPS.
The components of the architecture and their interactions are depicted in Figure 11-4.
Figure 11-4 Cisco Secure Agent/Cisco IPS Collaborative Architecture
The Cisco IPS sensor accesses this information via Secure Device Event Exchange (SDEE), a protocol
developed by a consortium (led by Cisco) that is designed for the secure exchange of network event
information. Communications between CSA-MC and Cisco IPS are protected with Secure Socket Layer
(SSL)/Transport Layer Security (TLS) encryption and Hypertext Transfer Protocol (HTTP)
authentication.
Note CSA-MC authenticates by providing X.509 certificates while the Cisco IPS sensor authenticates using
a username and password.
To start receiving information, a Cisco IPS sensor must open an SDEE subscription with CSA-MC. After
the communication channels are authenticated and established, two types of messages are exchanged
between CSA-MC and Cisco IPS sensors:
• CSA Posture Events—Contain host posture information collected by CSA-MC such as the IP
address and the OS type of the hosts running CSA. To receive posture events a Cisco IPS must open
a subscription. After the subscription is open, the CSA-MC sends an initial state message with the
IP addresses and OS types of all known agents. After the initial state, the CSA-MC keeps the Cisco
IPS informed through updates.
• Quarantine Events—Generated by CSA-MC to communicate the list of hosts that are being
quarantined to Cisco IPS sensors. A host is quarantined either manually by a CSA-MC administrator
or by a rule generated by global correlation. Quarantine events include the reason for the quarantine,
the protocol—such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or
Internet Control Message Protocol (ICMP)—associated with a rule violation, an indicator on
whether a rule-based violation was associated with an established TCP connection or a UDP session,
and the IP address of the host to be quarantined. Cisco IPS sensors must subscribe before they can
start receiving quarantine events. The CSA-MC sends an initial state message containing the list of
all the hosts under quarantine and reports any subsequent quarantine incidents via updates.
Deployment Considerations
In general, the same best practices used to deploy CSA and Cisco IPS as standalone products apply when
the two are implemented together in the same environment; therefore, it is always a good idea to follow
those principles whenever possible. In addition to adopting the design best practices for CSA and Cisco
IPS, there are a few important considerations that should be noted when integrating the two products.
These are briefly summarized in the following sections:
• Inline Protection (IPS) and Promiscuous (IDS) Modes, page 11-9
• One CSA-MC to Multiple Cisco IPS Sensors, page 11-10
• One Sensor to Two CSA-MCs, page 11-10
• Virtualization, page 11-10
• IP Addressing, page 11-10
Inline Protection (IPS) and Promiscuous (IDS) Modes
CSA can be integrated with Cisco IPS sensors that are configured either in inline protection (IPS) mode
or promiscuous detection (IDS) mode. This results in greater flexibility because there are different valid
reasons why a network administrator might opt to deploy Cisco IPS in one mode or the other.
The Cisco SAFE campus design is capable of integrating sensors in both inline protection mode and
promiscuous detection mode. A sensor deployed inline at the distribution layer is capable of dynamically
blocking malicious packets as they move through the system. When deployed in promiscuous mode, the
sensor passively monitors traffic. These designs are illustrated in Figure 11-5.
Figure 11-5 Typical Cisco IPS/IDS Deployment Designs
One CSA-MC to Multiple Cisco IPS Sensors
A single CSA-MC can serve multiple Cisco IPS sensors simultaneously. In cases where Cisco IPS
sensors are managed by different groups of administrators, their access to CSA-MC can be separated by
the use of different subscription credentials.
One Sensor to Two CSA-MCs
A single Cisco IPS sensor can be configured to interface with up to two CSA-MCs simultaneously.
Besides being crucial for redundancy purposes, this feature can be used to simplify the process of
upgrading the version of CSA-MC.
Virtualization
The CSA can be integrated with Cisco IPS systems configured with virtual sensors. When used with
virtualization, all information provided by the CSA-MC is global to the Cisco IPS sensor and, as a result,
can be used by all active virtual sensors.
IP Addressing
Both the CSA-MC and the Cisco IPS sensors identify hosts based on their IP addresses; therefore, both
should have a consistent view of the IP address space. Implementing the CSA-MC and Cisco IPS sensors
in different sides of a Network Address Translation (NAT) can lead to an incompatible view of the
address space. As a result, the Cisco IPS sensors might not be able to properly match the posture
information provided by the CSA-MC; one host might be seen by the CSA-MC and the Cisco IPS
sensors as two different systems—or two separate hosts might be confused as being a single host. In all
cases, an incompatible view of the address space reduces the quality of the integration and can result in
the enforcement of mitigation actions on the wrong hosts.
As a general best practice, avoid implementing NAT between CSA, CSA-MC, and the Cisco IPS sensors
whenever it is possible. When NAT is required, ensure CSA-MC and the Cisco IPS sensors are placed
on the same side of the translation—making sure they have the same IP address space visibility.
Deployment Best Practices
Integrating CSA and Cisco IPS requires the configuration of both CSA-MC and the Cisco IPS sensors.
For most scenarios, configuration consists of the following activities:
• Defining a CSA-MC administrative account to be used by Cisco IPS sensors in their SDEE
subscriptions.
• Enabling CSA host history collection.
• Adding CSA-MC as a trusted host in each Cisco IPS sensor.
• Configuring an external product interface in each Cisco IPS sensor.
The following sections describe the best practices that should be followed.
• Cisco Security Agent MC Administrative Account, page 11-11
• Cisco Security Agent Host History Collection, page 11-11
• Adding CSA-MC System as a Trusted Host, page 11-12
• Configuring Cisco IPS External Product Interface, page 11-13
• Leveraging Endpoint Posture Information, page 11-14
• Cisco Security Agent Watch Lists, page 11-16
• Cisco IPS Event Action Override, page 11-17
• Validating Cisco Secure Agent and Cisco IPS Integration, page 11-18
Cisco Security Agent MC Administrative Account
Communications between the CSA and Cisco IPS are authenticated. The CSA-MC will not accept an
SDEE subscription for posture and quarantine information unless the requesting Cisco IPS sensor is
successfully authenticated. To that end, every Cisco IPS sensor must be preconfigured with the username
and password of a valid CSA-MC account granting a minimum of view privileges. The Cisco IPS sensor
provides the CSA-MC with this information when subscribing, and the CSA-MC accepts or denies the
subscription based on the validity of the credentials.
Even though any of the existing administrative accounts in the CSA-MC with a minimum of view
privileges can be used, it is not recommended. For obvious security reasons, it is always a good practice
to create a new account to be used exclusively for CSA-to-Cisco IPS communications purposes. This
account should be given no more than the minimum required privileges (that is, monitor and view).
Figure 11-6 shows a snapshot taken from CSA-MC 6.0 showing the definition of Cisco IPSusr, an
account defined for the exclusive use of CSA/Cisco IPS communication.
Figure 11-6 Cisco Security Agent MC Administrative Account
Cisco Security Agent Host History Collection
Host history collection is a feature required for the integration between CSA and Cisco IPS. When
enabled, this feature maintains a two-week history of host status changes for every host registered
with the MC. The information includes host registration, test-mode setting changes, learn-mode
setting changes, IP address changes, Cisco Trust Agent (CTA) posture changes, CSA version changes,
and host active/inactive status changes.
Host history collection is configured in CSA-MC via Events > Status Summary. Under the Network
Status section, click No next to host history collection enabled and then click Enable in the popup
window. See Figure 11-7.
Figure 11-7 Host History Collection
Adding CSA-MC System as a Trusted Host
Cisco IPS maintains a list of all the trusted hosts with which it communicates—including blocking
devices, SSL/TLS servers, and external products, such as CSA-MC. This list contains the digital
certificates of the trusted systems used by the Cisco IPS to establish secure connections.
As part of the CSA/Cisco IPS interface configuration, the system running CSA-MC must be added as a
trusted host. In the process of adding the system, the Cisco IPS retrieves the digital certificate of the
CSA-MC and displays its fingerprint—which is then presented to the administrator for approval. After
the administrator approves the associated fingerprint, the CSA-MC system is added as a trusted host.
Figure 11-8 is a snapshot of Cisco IPS Device Manager 6.2 showing host 172.26.146.135 (system
running CSA-MC) listed as a trusted host.
Figure 11-8 Cisco IPS Trusted Host
Configuring Cisco IPS External Product Interface
Cisco IPS sensors are equipped with an external product interface designed to handle communications
with external security and management products such as the CSA-MC. This interface enables the Cisco
IPS sensors to take full advantage of useful host posture and threat context information maintained by
CSA-MC—including the OS type of the systems protected with CSA and a list of IP addresses of
systems suspected of causing malicious activity. This grade of collaboration increases the overall
security effectiveness of the CSA/Cisco IPS combination as an end-to-end security solution.
Note With Cisco IPS Sensor Software 6.1, only two external interfaces can be defined. CSA-MC is the only
external product supported at this time.
The configuration of the Cisco IPS external product interface consists of the definition of
communication parameters, watch lists settings, and host posture settings (see Figure 11-9).
Figure 11-9 Cisco IPS External Product Interface
The following describes all the relevant parameters configured in the external product interface:
• General parameters
– External Product IP Address—IP address of the system hosting CSA-MC.
– Enable Receipt of Information—Enables/disables the external product interface.
• Communication settings—Defines the communication parameters.
– SDEE URL—Specifies the URL used to communicate with CSA-MC. A default SDEE URL is
provided.
– Port—Used for communications. Default port is 443.
– Use TLS—Indicates that secure TLS communication is enabled. Communication is always
protected with TLS; this parameter cannot be changed.
• Login settings—Sets the username and password used in the communication with CSA-MC.
– Username—Username of the administrative account used to communicate with CSA-MC. This
account is defined in the CSA-MC.
– Password/Confirm Password—Password of the administrative account used to communicate
with CSA-MC.
• Watch list settings—This section of the configuration is used to enable or disable the reception of
watch lists. It also defines the values in which risk rating should be increased. Configuration is
described in the next section.
• Host posture settings—Defines how host posture information should be handled. Configuration is
described in the next section.
Leveraging Endpoint Posture Information
One of the key advantages of the CSA/Cisco IPS integration is that it gives the Cisco IPS sensor the
ability to use the OS type information identified by the CSAs. This information extends the endpoint
visibility of the Cisco IPS, helping it make smarter decisions and consequently reducing the chances for
false-positives.
A false-positive is an event where the Cisco IPS triggers an alarm in response to an activity that is
actually not malicious, or where the Cisco IPS triggers a response action that is out of proportion. The
problem of false-positives often occurs when the Cisco IPS fails to interpret the risk level associated
with the network event in question—typically due to the lack of context information. By using the OS
type information provided by CSA, the Cisco IPS can better determine the appropriate relative risk
associated with a particular event, thereby reducing the possibility of a false positive.
Starting with Cisco IPS Sensor Software 5.0, Cisco IPS alerts are evaluated under a sophisticated risk
rating mechanism that takes into consideration attack relevancy. Under this mechanism, each Cisco IPS
alarm is quantified with a numerical value between 0 and 100, called risk rating, which gives the user
an idea of the relative risk associated with the event triggering the alarm. In practice, risk rating is used
to either highlight events that require immediate attention when the sensor is configured in promiscuous
mode (IDS), or trigger response actions when the sensor is configured in inline protection mode (IPS).
Among the variables used to calculate the risk rating is the Attack Relevancy Rating, which
represents whether or not the target is believed to be vulnerable to the attack.
For a detailed description on how risk rating is calculated, refer to the following documents:
• Cisco IPS Configuration Guides
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guides_list.html
• Integrating Cisco Security Agent with Cisco Intrusion Prevention System
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd805c389a_ns441_Networking_Solutions_White_Paper.html
When integrated with CSA, Cisco IPS has the capacity to dynamically adjust the risk rating values based
on the OS type information imported from CSA, thereby helping it to determine the right risk level of
an event. This way, the Cisco IPS is capable of reducing the perceived severity of an attack when the
target OS type is found not to be vulnerable and of increasing it when the target OS is known to be
vulnerable.
To activate this functionality, the reception of endpoint posture information should be configured within
Cisco IPS external product interface. Under the Host Posture Settings section, complete the following:
• Enable Receipt of Host Postures—Enables/disables the reception of host posture information from
CSA-MC.
• Allow Unreachable Hosts’ Postures—Allows/denies the reception of host posture information for
hosts not reachable by CSA-MC. This option is useful in filtering the host postures with IP addresses
that might not be visible to the Cisco IPS or that might be duplicated across the network.
• Posture ACLs—By default all host postures are processed by the Cisco IPS. Posture ACLs provide
a mechanism to filter the network ranges from which host postures will be processed or ignored
(permitted or denied). This option is useful in filtering the host postures with IP addresses that might
not be visible to the Cisco IPS or that might be duplicated across the network.
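The following Python is an added worked example, not code from this guide or from Cisco IPS itself. It models how the Host Posture Settings above (reception of unreachable hosts' postures, posture ACLs) and the OS type imported from CSA-MC decide the Attack Relevancy Rating of an alert, and how that rating moves the 0-100 risk rating. The posture table, posture ACL and signature ratings are constructed; the formula and the +10/0/-10 relevancy values are assumed from Cisco's public IPS 6.x documentation rather than taken from this page.

```python
"""Added example, not code from the Cisco SAFE guide or from Cisco IPS itself.
Models how imported CSA-MC host postures and the Host Posture Settings decide
the Attack Relevancy Rating (ARR) of an alert, and how ARR moves the 0-100 risk
rating. Assumption: the formula RR = ASR*TVR*SFR/10000 + ARR + PD - WLR with
ARR = +10 / 0 / -10 (relevant / unknown / not relevant) comes from Cisco's
public IPS 6.x documentation, not from this page. All data below is constructed."""
import ipaddress

# Constructed posture table as imported from CSA-MC: ip -> (os_type, reachable_by_csa_mc)
POSTURES = {
    "10.240.50.100": ("windows", True),
    "10.240.50.101": ("linux", True),
    "10.240.60.5": ("windows", False),  # CSA-MC could not reach this host
    "10.240.70.7": ("windows", True),   # lies in a range the posture ACL denies
}

# Posture ACL: ordered (action, network) entries, first match wins. A posture
# matching no entry is processed, since by default all postures are processed.
POSTURE_ACL = [("deny", "10.240.70.0/24"), ("permit", "10.240.0.0/16")]

def posture_accepted(ip, allow_unreachable=False):
    """Apply 'Allow Unreachable Hosts' Postures' and the posture ACL to one host."""
    if ip not in POSTURES:
        return False
    _, reachable = POSTURES[ip]
    if not reachable and not allow_unreachable:
        return False
    addr = ipaddress.ip_address(ip)
    for action, net in POSTURE_ACL:
        if addr in ipaddress.ip_network(net):
            return action == "permit"
    return True

def attack_relevancy(target_ip, vulnerable_os, allow_unreachable=False):
    """Return (ARR, relevance label) for a target given the OS types a signature affects."""
    if not posture_accepted(target_ip, allow_unreachable):
        return 0, "unknown"        # no usable posture: neither raise nor lower the rating
    os_type, _ = POSTURES[target_ip]
    if os_type in vulnerable_os:
        return 10, "relevant"      # target OS is vulnerable: raise the rating
    return -10, "not relevant"     # target OS is not vulnerable: lower it

def risk_rating(asr, tvr, sfr, arr, pd=0, wlr=0):
    """Combine the ratings and clamp to the 0..100 range the sensor reports."""
    rr = asr * tvr * sfr / 10000 + arr + pd - wlr
    return max(0, min(100, round(rr)))

# Constructed ratings for a high-severity signature (ASR=100, TVR=100, SFR=85):
# a Windows target scores 95, a Linux target 75, a host with no usable posture 85.
```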
Figure 11-10 is a snapshot of Cisco IPS Device Manager 6.2 that shows all the endpoint posture
information imported from CSA-MC.
Figure 11-10 Cisco IPS OS Identification
The following output is the detailed event information from Cisco IPS Device Manager 6.2,
corresponding to a Microsoft IIS 5.0 WebDav buffer overflow attack against system 10.240.50.100.
Using the endpoint posture information learned from CSA-MC, the Cisco IPS sensor knows the system
is Windows-based and, as a result, determines the attack to be relevant to that target. Key information is
highlighted.
vIdsAlert: eventId=1234240033910687083 vendor=Cisco severity=high
originator:
hostId: sfx12-Cisco IPS4270-1
appName: sensorApp
appInstanceId: 434
time: Mar 10, 2009 22:45:38 UTC offset=0 timeZone=GMT00:00
signature: description=Long WebDAV Request id=5365 version=S258 type=other
created=20041119
subsigId: 0
sigDetails: SEARCH /...\x3c40000+ chars>...
marsCategory: Info/Misc
interfaceGroup: vs0
vlan: 15
participants:
attacker:
addr: 10.240.100.2 locality=OUT
port: 17185
target:
addr: 10.240.50.100 locality=OUT
port: 80
os: idSource=imported type=windows relevance=relevant
actions:
droppedPacket: true
deniedFlow: true
tcpOneWayResetSent: true
context:
fromTarget:
000000 48 54 54 50 2F 31 2E 31 20 34 31 34 20 52 65 71 HTTP/1.1 414 Req