Command Reference vA5(1.0) and earlier, Cisco ACE Application Control Engine
Configuration Mode Commands

Table Of Contents

Configuration Mode Commands

(config) aaa accounting default

(config) aaa authentication login

(config) aaa group server

(config) access-group

(config) access-list ethertype

(config) access-list extended

(config) access-list remark

(config) access-list resequence

(config) action-list type modify http

(config) action-list type optimization http

(config) arp

(config) banner

(config) boot system image:

(config) buffer threshold

(config) class-map

(config) clock timezone

(config) clock summer-time

(config) config-register

(config) context

(config) crypto authgroup

(config) crypto chaingroup

(config) crypto crl

(config) crypto crlparams

(config) crypto csr-params

(config) crypto ocspserver

(config) crypto rehandshake enabled

(config) domain

(config) end

(config) exit

(config) ft auto-sync

(config) ft connection-sync disable

(config) ft group

(config) ft interface vlan

(config) ft peer

(config) ft track host

(config) ft track hsrp

(config) ft track interface

(config) hostname

(config) hw-module

(config) interface

(config) ip dhcp relay

(config) ip domain-list

(config) ip domain-lookup

(config) ip domain-name

(config) ip name-server

(config) ip route

(config) ipv6 nd interval

(config) ipv6 nd learned-interval

(config) ipv6 nd retries

(config) ipv6 nd sync disable

(config) ipv6 nd sync-interval

(config) kalap udp

(config) ldap-server host

(config) ldap-server port

(config) ldap-server timeout

(config) line console

(config) line vty

(config) login timeout

(config) logging buffered

(config) logging console

(config) logging device-id

(config) logging enable

(config) logging facility

(config) logging fastpath

(config) logging history

(config) logging host

(config) logging message

(config) logging monitor

(config) logging persistent

(config) logging queue

(config) logging rate-limit

(config) logging standby

(config) logging supervisor

(config) logging timestamp

(config) logging trap

(config) nexus-device

(config) ntp

(config) object-group

(config) optimize

(config) parameter-map type

(config) peer hostname

(config) peer shared-vlan-hostid

(config) policy-map

(config) probe

(config) radius-server attribute nas-ipaddr

(config) radius-server deadtime

(config) radius-server host

(config) radius-server key

(config) radius-server retransmit

(config) radius-server timeout

(config) regex compilation-timeout

(config) resource-class

(config) role

(config) rserver

(config) script file name

(config) serverfarm

(config) service-policy

(config) shared-vlan-hostid

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server enable traps

(config) snmp-server engineid

(config) snmp-server host

(config) snmp-server location

(config) snmp-server trap link ietf

(config) snmp-server trap-source vlan

(config) snmp-server unmask-community

(config) snmp-server user

(config) ssh key

(config) ssh maxsessions

(config) ssl-proxy service

(config) static

(config) sticky http-content

(config) sticky http-cookie

(config) sticky http-header

(config) sticky ip-netmask

(config) sticky layer4-payload

(config) sticky radius framed-ip

(config) sticky rtsp-header

(config) sticky sip-header

(config) switch-mode

(config) tacacs-server deadtime

(config) tacacs-server host

(config) tacacs-server key

(config) tacacs-server timeout

(config) telnet maxsessions

(config) timeout xlate

(config) udp

(config) username

(config) vm-controller


Configuration Mode Commands

Configuration mode commands allow you to configure global ACE parameters that affect the following contexts:

All contexts, when configured in the Admin context

A single user context, when configured in that context

Configuration mode also allows you to access all the ACE subordinate configuration modes. These modes provide parameters to configure the major features of the ACE, including access control lists (ACLs), application protocol inspection, fragmentation and reassembly, interfaces, Network Address Translation (NAT), persistence (stickiness), protocols, redundancy, routing, scripts, Secure Sockets Layer (SSL), server load balancing (SLB), TCP/IP normalization, users, and virtualization.

To access configuration mode, use the config command. The CLI prompt changes to (config).

See the individual command descriptions of all the configuration mode commands on the following pages.

Command Modes

Exec mode

Admin and user contexts

Command History

ACE Module Release       Modification
3.0(0)A1(2)              This command was introduced.

ACE Appliance Release    Modification
A1(7)                    This command was introduced.


Usage Guidelines

This command requires one or more features assigned to your user role that allow configuration, such as AAA, interface, or fault-tolerant. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To access configuration mode, enter:

host1/Admin# config 
host1/Admin(config)#

Related Commands

show running-config
show startup-config

(config) aaa accounting default

To configure the default accounting method, use the aaa accounting default command. You specify either a previously created AAA server group that identifies separate groups of Terminal Access Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) servers or the local database on the ACE. Use the no form of this command to remove the accounting method.

aaa accounting default {group group_name} {local} {none}

no aaa accounting default {group group_name} {local} {none}

Syntax Description

group group_name

Associates the accounting method with a TACACS+ or RADIUS server defined previously through the aaa group server command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

local

Specifies to use the local database on the ACE as the accounting method.

none

Specifies that the ACE does not perform password verification. If you configure this option, users can log in without providing a valid password.

Note Only users with an Admin role can configure the none keyword.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release       Modification
3.0(0)A1(2)              This command was introduced.

ACE Appliance Release    Modification
A1(7)                    This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To enable user accounting to be performed using remote TACACS+ servers, followed by local login as the fallback method, enter:

host1/Admin(config)# aaa accounting default group TacServer local

Related Commands

show aaa

show accounting log

(config) aaa authentication login

(config) aaa group server

(config) aaa authentication login

To configure the authentication method used for login to the ACE CLI, use the aaa authentication login command. Use the no form of this command to disable the authentication method.

aaa authentication login {{console | default} {{group group_name} {local} {none}}} | error-enable

no aaa authentication login {{console | default} {{group group_name} {local} {none}}} | error-enable

Syntax Description

console

Specifies the console port login authentication method, identified by the specified server group.

default

Specifies the default login authentication method (by console or by Telnet or Secure Shell [SSH] session) that is identified by the specified server group.

group group_name

Associates the login authentication process with a Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) server defined through the aaa group server command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

local

Specifies to use the local database on the ACE as the login authentication method. If the server does not respond, then the local database is used as the fallback authentication method.

none

Specifies that the ACE does not perform password verification. If you configure this option, users can log in to the ACE without providing a valid password.

Note Only users with an Admin role can configure the none keyword.

error-enable

Enables the display of the login error message when the remote AAA servers fail to respond.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release       Modification
3.0(0)A1(2)              This command was introduced.

ACE Appliance Release    Modification
A1(7)                    This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Use the error-enable option cautiously. If you specify none, any user will be able to access the ACE at any time.

To view the current display status, use the show aaa authentication login error-enable command. When a user attempts to log in and the remote AAA servers do not respond to the authentication request, the ACE processes the login sequence by switching to the local user database.

Examples

To enable console authentication using the TACSERVER server group, followed by local login as the fallback method, enter:

host1/Admin(config)# aaa authentication login console group TACSERVER local

Password verification remains enabled for login authentication.

To turn off password validation, enter:

host1/Admin(config)# aaa authentication login console group TACSERVER local none

Related Commands

show aaa

(config) aaa accounting default

(config) aaa group server

(config) aaa group server

To configure independent server groups of Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) servers, use the aaa group server command. Use the no form of this command to remove a server group.

aaa group server {ldap | radius | tacacs+} group_name

no aaa group server {ldap | radius | tacacs+} group_name

Syntax Description

ldap

Specifies an LDAP directory server group. For information about the commands in the LDAP server configuration mode, see the "LDAP Configuration Mode Commands" section.

radius

Specifies a RADIUS server group. For information about the commands in the RADIUS server configuration mode, see the "RADIUS Configuration Mode Commands" section.

tacacs+

Specifies a TACACS+ server group. For information about the commands in the TACACS+ server configuration mode, see the "TACACS+ Configuration Mode Commands" section.

group_name

Name for the LDAP, RADIUS, or TACACS+ server group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release       Modification
3.0(0)A1(2)              This command was introduced.

ACE Appliance Release    Modification
A1(7)                    This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

A server group is a list of server hosts of a particular type. The ACE allows you to configure multiple TACACS+, RADIUS, and LDAP servers as a named server group. You group the different AAA server hosts into distinct lists. The ACE searches for the server hosts in the order in which you specify them within a group. You can configure a maximum of 10 server groups for each context in the ACE.

You can configure server groups at any time, but they take effect only when you apply them to the AAA service using the aaa authentication login or the aaa accounting default commands.

To create a AAA server group and access one of the three AAA server group configuration modes, enter the aaa group server ldap, aaa group server radius, or aaa group server tacacs+ command in configuration mode. The CLI prompt changes to (config-ldap), (config-radius), or (config-tacacs+). In this mode, you specify the IP address of one or more previously configured servers that you want added to or removed from the server group.

Examples

To create a RADIUS server group and add previously configured RADIUS servers to it, enter:

host1/Admin(config)# aaa group server radius RAD_Server_Group1
host1/Admin(config-radius)# server 192.168.252.1
host1/Admin(config-radius)# server 192.168.252.2
host1/Admin(config-radius)# server 192.168.252.3

Related Commands

show aaa

show running-config

(config) aaa accounting default

(config) aaa authentication login

(config) access-group

To apply an IPv4 or IPv6 access control list (ACL) to the inbound direction on all VLAN interfaces in a context and make the ACL active, use the access-group command. Use the no form of this command to remove an ACL from all interfaces in a context.

access-group input acl_name

no access-group input acl_name

Syntax Description

input

Specifies the inbound direction of all interfaces in a context on which you want to apply the ACL

acl_name

Identifier of an existing ACL that you want to apply to an interface


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release       Modification
3.0(0)A1(2)              This command was introduced.
A5(1.0)                  Added IPv6 support.

ACE Appliance Release    Modification
A1(7)                    This command was introduced.
A5(1.0)                  Added IPv6 support.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Use this command to apply an IPv6 or an IPv4 ACL to a single interface or all interfaces in a context. You must apply an ACL to an interface to allow the passing of traffic on that interface. This command enables you to apply an ACL to all interfaces in a context in the inbound direction only and to allow traffic on all interfaces simultaneously. The following considerations apply:

You can use the access-group command in configuration mode only if there are no interfaces in the context to which you have applied an ACL previously using the (config-if) access-group command in interface configuration mode.

If you have applied an ACL globally to all interfaces in a context, you cannot apply an ACL to an individual interface using the (config-if) access-group command in interface configuration mode.

You can apply one Layer 2 ACL and one Layer 3 ACL globally to all interfaces in a context.

You can apply both a Layer 3 and a Layer 2 ACL to all Layer 2 bridge-group virtual interfaces (BVIs) in a context.

On Layer 3 virtual LAN (VLAN) interfaces, you can apply only Layer 3 ACLs. You can apply one IPv6 and one IPv4 ACL in each direction on a Layer 3 VLAN interface.

In a redundant configuration, the ACE does not apply a global ACL to the FT VLAN. For details about redundancy, see the Administration Guide, Cisco ACE Application Control Engine.

For complete details on ACLs, see the Security Guide, Cisco ACE Application Control Engine.

Examples

To apply an ACL named INBOUND to the inbound direction of all interfaces in the Admin context, enter:

host1/Admin(config)# access-group input INBOUND

To remove an ACL from all interfaces in the Admin context, enter:

host1/Admin(config)# no access-group input INBOUND

Related Commands

(config-if) access-group

show access-list

(config) access-list ethertype

To configure an EtherType access control list (ACL), use the access-list ethertype command. Use the no form of this command to remove the ACL from the configuration.

access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}

no access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.

ethertype

Specifies a subprotocol of type: any, bpdu, ipv6, or mpls.

deny

Blocks connections on the assigned interface.

permit

Allows connections on the assigned interface.

any

Specifies any EtherType.

bpdu

Specifies bridge protocol data units.

ipv6

Specifies Internet Protocol version 6.

mpls

Specifies Multiprotocol Label Switching.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release       Modification
3.0(0)A1(2)              This command was introduced.
A2(2.4)                  BPDU packets are not subjected to bandwidth policing in a bridge-mode configuration.

ACE Appliance Release    Modification
A1(7)                    This command was introduced.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You can configure an ACL that controls traffic based on its EtherType. An EtherType is a subprotocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because they use a length field instead of a type field. Bridge protocol data units (BPDUs) are exceptions because they are SNAP-encapsulated, and the ACE is designed to specifically handle BPDUs.

You can permit or deny BPDUs. By default, all BPDUs are denied. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you permit BPDUs. BPDU packets are not subjected to bandwidth policing in a bridge-mode configuration.

You can configure an EtherType ACL only on a Layer 2 interface in the inbound direction.

When you specify the mpls keyword in an EtherType ACL, the ACE denies or permits both MPLS-unicast and MPLS-multicast traffic.

Examples

To configure an ACL that controls traffic based on its EtherType, enter:

host1/Admin(config)# access-list INBOUND ethertype permit mpls

Related Commands

clear access-list

show access-list

(config) access-list extended

To create an extended ACL, use the access-list extended command. The two major types of extended ACLs are as follows:

Non-ICMP ACLs

ICMP ACLs

Use the no form of this command to delete the ACL.

IPv6 Syntax

For a non-ICMP extended ACL, the syntax is as follows:

access-list name [line number] extended {deny | permit}
{protocol {anyv6 | host src_ipv6_address | src_ipv6_address/prefix_length | object-group net_obj_grp_name} [operator port1 [port2]] {anyv6 | host dest_ipv6_address | dest_ipv6_address/prefix_length | object-group net_obj_grp_name} [operator port3 [port4]]}
| {object-group service_obj_grp_name} {anyv6 | host src_ipv6_address | src_ipv6_address/prefix_length | object-group net_obj_grp_name} {anyv6 | host dest_ipv6_address | dest_ipv6_address/prefix_length | object-group net_obj_grp_name}

no access-list name [line number] extended {deny | permit}
{protocol {anyv6 | host src_ipv6_address | src_ipv6_address/prefix_length | object-group net_obj_grp_name} [operator port1 [port2]] {anyv6 | host dest_ipv6_address | dest_ipv6_address/prefix_length | object-group net_obj_grp_name} [operator port3 [port4]]}
| {object-group service_obj_grp_name} {anyv6 | host src_ipv6_address | src_ipv6_address/prefix_length | object-group net_obj_grp_name} {anyv6 | host dest_ipv6_address | dest_ipv6_address/prefix_length | object-group net_obj_grp_name}

For an ICMP-extended ACL, the syntax is as follows:

access-list name [line number] extended {deny | permit}
{icmpv6 {anyv6 | host src_ipv6_address | src_ipv6_address/prefix_length | object-group net_obj_grp_name} {anyv6 | host dest_ipv6_address | dest_ipv6_address/prefix_length | object-group net_obj_grp_name} [icmp_type [code operator code1 [code2]]]}
| {object-group service_obj_grp_name} {anyv6 | host src_ipv6_address | src_ipv6_address/prefix_length | object-group net_obj_grp_name} {anyv6 | host dest_ipv6_address | dest_ipv6_address/prefix_length | object-group net_obj_grp_name}

no access-list name [line number] extended {deny | permit}
{icmpv6 {anyv6 | host src_ipv6_address | src_ipv6_address/prefix_length | object-group net_obj_grp_name} {anyv6 | host dest_ipv6_address | dest_ipv6_address/prefix_length | object-group net_obj_grp_name} [icmp_type [code operator code1 [code2]]]}
| {object-group service_obj_grp_name} {anyv6 | host src_ipv6_address | src_ipv6_address/prefix_length | object-group net_obj_grp_name} {anyv6 | host dest_ipv6_address | dest_ipv6_address/prefix_length | object-group net_obj_grp_name}

IPv4 Syntax

For a non-ICMP extended ACL, the syntax is as follows:

access-list name [line number] extended {deny | permit}
{protocol {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} [operator port1 [port2]] {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} [operator port3 [port4]]}
| {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}

no access-list name [line number] extended {deny | permit}
{protocol {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} [operator port1 [port2]] {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} [operator port3 [port4]]}
| {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}

For an ICMP-extended ACL, the syntax is as follows:

access-list name [line number] extended {deny | permit}
{icmp {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} [icmp_type [code operator code1 [code2]]]}
| {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}

no access-list name [line number] extended {deny | permit}
{icmp {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} [icmp_type [code operator code1 [code2]]]}
| {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.

line number

(Optional) Specifies the line number position where you want the entry that you are configuring to appear in the ACL. The position of an entry affects the lookup order of the entries in an ACL. If you do not configure the line number of an entry, the ACE applies a default increment and a line number to the entry and appends it at the end of the ACL.

extended

Specifies an extended ACL. Extended ACLs allow you to specify the destination IP address and subnet mask and other parameters not available with a standard ACL.

deny

Blocks connections on the assigned interface.

permit

Allows connections on the assigned interface.

protocol

Name or number of an IP protocol. Enter a protocol name or an integer from 0 to 255 that represents an IP protocol number from the following:

ah—(51) Authentication Header

eigrp—(88) Enhanced IGRP

esp—(50) Encapsulated Security Payload

gre—(47) Generic Routing Encapsulation

icmp—(1) Internet Control Message Protocol (See Table 1-1 for optional ICMPv4 messaging types)

icmpv6—(58) Internet Control Message Protocol (See Table 1-2 for optional ICMPv6 messaging types)

igmp—(2) Internet Group Management Protocol

ip—(0) Internet Protocol

ip-in-ip—(4) IP-in-IP Layer 3 tunneling protocol

ospf—(89) Open Shortest Path First

pim—(103) Protocol Independent Multicast

tcp—(6) Transmission Control Protocol

udp—(17) User Datagram Protocol

any

Specifies the network traffic from any IPv4 source.

anyv6

Specifies the network traffic from any IPv6 source.

host src_ipv6_address

Specifies the IPv6 address of the host from which the network traffic originates. Use this keyword and argument to specify the network traffic from a single IPv6 address.

host src_ip_address

Specifies the IP address of the host from which network traffic originates. Use this keyword and argument to specify the network traffic from a single IP address.

src_ipv6_address/prefix_length

Traffic from a source defined by the IPv6 address and the prefix length. Use these arguments to specify network traffic from a range of IPv6 source addresses.

src_ip_address netmask

Traffic from a source defined by the IP address and the network mask. Use these arguments to specify the network traffic from a range of source IP addresses.

object-group net_obj_grp_name

Specifies the identifier of an existing source network object group. To use object groups in an ACL, replace the normal network (source_address, mask, and so on), service (protocol operator port) or ICMP type (icmp_type) arguments with an object-group name.

operator

(Optional) Operand used to compare source and destination port numbers for TCP, TCP-UDP, and UDP protocols. The operators are as follows:

eq—Equal to.

gt—Greater than.

lt—Less than.

neq—Not equal to.

range—An inclusive range of port values. If you entered the range operator, enter a second port number value to define the upper limit of the range.

port1 [port2]

TCP or UDP source port name or number from which you permit or deny access to services. Enter an integer from 0 to 65535. To enter an inclusive range of ports, enter two port numbers. Port2 must be greater than or equal to port1. See Table 1-3 for a list of well-known TCP port names and numbers and Table 1-4 for a list of well-known UDP port names and numbers.

dest_ipv6_address/prefix_length

IPv6 address of the network or host to which the packet is being sent and the prefix length of the IPv6 destination address. Use these arguments to specify a range of IPv6 destination addresses.

dest_ip_address netmask

Specifies the IP address of the network or host to which the packet is being sent and the network mask bits that are to be applied to the destination IP address. Use these arguments to specify a range of destination IP addresses.

anyv6

Specifies the network traffic that goes to any IPv6 destination.

any

Specifies the network traffic going to any destination.

host dest_ipv6_address

Specifies the IPv6 address of the destination of the packets in a flow. Use this keyword and argument to specify the network traffic destined to a single IPv6 address.

host dest_ip_address

Specifies the IP address and subnet mask of the destination of the packets in a flow. Use this keyword and argument to specify the network traffic destined to a single IP address.

operator

(Optional) Operand used to compare source and destination port numbers for TCP, TCP-UDP, and UDP protocols. The operators are as follows:

lt—Less than.

gt—Greater than.

eq—Equal to.

neq—Not equal to.

range—An inclusive range of port values. If you enter this operator, enter a second port number value to define the upper limit of the range.

port3 [port4]

TCP or UDP destination port name or number to which you permit or deny access to services. To enter an optional inclusive range of ports, enter two port numbers. Port4 must be greater than or equal to port3. See Table 1-3 for a list of well-known ports.

icmp_type

(Optional) Type of ICMP messaging. Enter either an integer that corresponds to the ICMP code number or one of the ICMP types as described in Table 1-1.

code

(Optional) Specifies that a numeric operator and ICMP code follows.

operator

An operator that the ACE applies to the ICMP code number that follows. Enter one of the following operators:

lt—Less than.

gt—Greater than.

eq—Equal to.

neq—Not equal to.

range—An inclusive range of ICMP code values. When you use this operator, specify two code numbers to define the range.

code1, code2

ICMP code number that corresponds to an ICMP type. See Table 1-3. If you entered the range operator, enter a second ICMP code value to define the upper limit of the range.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release       Modification
3.0(0)A1(2)              This command was introduced.
A2(1.0)                  This command was revised with the object-group keyword and associated keywords and arguments.
A5(1.0)                  Added IPv6 support.

ACE Appliance Release    Modification
A1(7)                    This command was introduced.
A2(1.0)                  This command was revised with the object-group keyword and associated keywords and arguments.
A5(1.0)                  Added IPv6 support.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the destination addresses as "any" and do not specify ports in an extended ACL.

For the source IP address and destination IP address netmasks, the ACE supports only standard subnet mask entries in an ACL. Wildcard entries and non-standard subnet masks are not supported.

For TCP and UDP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the ACE allows all returning traffic for established connections.

You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the same ACL on multiple interfaces. You can apply EtherType ACLs only in the inbound direction and only on Layer 2 interfaces.

If you create an ICMP extended ACL, you can optionally specify the type of ICMP messaging. Enter either an integer that corresponds to the ICMP code number or one of the ICMP messaging types as described in Table 1-1 (ICMPv4) and Table 1-2 (ICMPv6).

ACLs have no effect on neighbor discovery (ND) packets and they are always permitted to and through the ACE. For more information about ND, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
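As an added example that is not part of this Cisco reference, the following Python models how the IPv4 non-ICMP extended entries described above are ordered and looked up: line-number placement with an append-by-default-increment, standard-subnet-mask-only sources and destinations, the eq/gt/lt/neq/range operators with port2 >= port1, and first-match evaluation. The increment value of 10, the implicit deny at the end of the list, and the packet tuple are assumptions of this example; object groups and ICMP type/code arguments are left out.

```python
"""First-match evaluator for ACE IPv4 'access-list ... extended' entries.
Added illustration for this reference, not Cisco code. Assumed here: the default
line-number increment is 10 (the page only says "a default increment"), entries
are checked in ascending line order, and an ACL ends with an implicit deny."""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Protocol keywords and numbers as listed in the syntax description.
PROTO_NUMBERS = {"ip": 0, "icmp": 1, "igmp": 2, "ip-in-ip": 4, "tcp": 6, "udp": 17, "gre": 47,
                 "esp": 50, "ah": 51, "icmpv6": 58, "eigrp": 88, "ospf": 89, "pim": 103}
PORT_PROTOCOLS = {6, 17}          # operator/port clauses apply to TCP and UDP only
DEFAULT_INCREMENT = 10            # assumption, see module docstring
_HEAD = re.compile(r"^access-list\s+(\S+)\s+(?:line\s+(\d+)\s+)?extended\s+(permit|deny)\s+(.+)$")


class Entry(NamedTuple):
    line: int
    action: str
    proto: int                    # 0 ("ip") matches every IP protocol
    src: ipaddress.IPv4Network
    sport: Optional[Tuple[str, int, int]]   # (operator, port1, port2) or None
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[str, int, int]]


def _proto(tok: str) -> int:
    return PROTO_NUMBERS[tok] if tok in PROTO_NUMBERS else int(tok)


def _prefix_len(mask: str) -> int:
    """Accept only standard (contiguous) subnet masks; wildcard masks are rejected."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-standard or wildcard mask {mask!r} is not supported")
    return ones


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    tok = tokens.pop(0)           # 'any', 'host A.B.C.D' or 'A.B.C.D netmask'
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{_prefix_len(tokens.pop(0))}", strict=False)


def _parse_port(tokens: List[str]) -> Optional[Tuple[str, int, int]]:
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "neq", "range"):
        return None               # the operator clause is optional
    op = tokens.pop(0)
    p1 = int(tokens.pop(0))
    p2 = int(tokens.pop(0)) if op == "range" else p1
    if not (0 <= p1 <= 65535 and 0 <= p2 <= 65535) or p2 < p1:
        raise ValueError("ports must be 0-65535 and port2 must be >= port1")
    return (op, p1, p2)


def _port_matches(spec: Optional[Tuple[str, int, int]], port: Optional[int]) -> bool:
    if spec is None or port is None:
        return spec is None       # no operator: any port matches; operator but no port: no match
    op, p1, p2 = spec
    return {"eq": port == p1, "gt": port > p1, "lt": port < p1,
            "neq": port != p1, "range": p1 <= port <= p2}[op]


class Acl:
    def __init__(self, name: str) -> None:
        self.name, self.entries = name, []    # entries kept sorted by line number

    def add(self, command: str) -> Entry:
        """Parse one 'access-list NAME [line N] extended ...' command and store it."""
        m = _HEAD.match(command.strip())
        if not m or m.group(1) != self.name:
            raise ValueError(f"not an extended entry for ACL {self.name}: {command!r}")
        _, line, action, rest = m.groups()
        tokens = rest.split()
        proto = _proto(tokens.pop(0))
        src = _parse_addr(tokens)
        sport = _parse_port(tokens) if proto in PORT_PROTOCOLS else None
        dst = _parse_addr(tokens)
        dport = _parse_port(tokens) if proto in PORT_PROTOCOLS else None
        if tokens:
            raise ValueError(f"unexpected trailing tokens {tokens}")
        # Without an explicit line number the entry goes after the highest existing line.
        number = int(line) if line else max((e.line for e in self.entries), default=0) + DEFAULT_INCREMENT
        if any(e.line == number for e in self.entries):
            raise ValueError(f"line {number} already exists in ACL {self.name}")
        entry = Entry(number, action, proto, src, sport, dst, dport)
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.line)   # lookup order follows line numbers
        return entry

    def evaluate(self, proto: str, src_ip: str, dst_ip: str, sport: Optional[int] = None,
                 dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """Return (action, matching line); ('deny', None) is the implicit deny at the end."""
        pnum, s, d = _proto(proto), ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for e in self.entries:
            if (e.proto in (0, pnum) and s in e.src and d in e.dst
                    and _port_matches(e.sport, sport) and _port_matches(e.dport, dport)):
                return e.action, e.line
        return "deny", None
```

Feeding the evaluator the running-config lines of an ACL and a handful of representative flows is a quick way to check that a later entry is not shadowed by an earlier, broader one before the ACL is applied with access-group.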

Table 1-1 ICMPv4 Types 

ICMPv4 Code Number    ICMPv4 Type
0                     echo-reply
3                     unreachable
4                     source-quench
5                     redirect
6                     alternate-address
8                     echo
9                     router-advertisement
10                    router-solicitation
11                    time-exceeded
12                    parameter-problem
13                    timestamp-request
14                    timestamp-reply
15                    information-request
16                    information-reply
17                    mask-request
18                    mask-reply
30                    traceroute
31                    conversion-error
32                    mobile-redirect


Table 1-2 ICMPv6 Types 

ICMPv6 Code Number    ICMPv6 Type
1                     unreachable
3                     time-exceeded
4                     parameter-problem
30                    traceroute
128                   echo
129                   echo-reply
137                   redirect
139                   information-request
140                   information-reply


Table 1-3 Well-Known TCP Port Numbers and Key Words 

Keyword            Port Number    Description
aol                5190           America-Online
bgp                179            Border Gateway Protocol
chargen            19             Character Generator
citrix-ica         1494           Citrix Independent Computing Architecture protocol
cmd                514            Same as exec, with automatic authentication
ctiqbe             2748           Computer Telephony Interface Quick Buffer Encoding
daytime            13             Daytime
discard            9              Discard
domain             53             Domain Name System
echo               7              Echo
exec               512            Exec (RSH)
finger             79             Finger
ftp                21             File Transfer Protocol
ftp-data           20             FTP data connections
gopher             70             Gopher
hostname           101            NIC hostname server
http               80             Hyper Text Transfer Protocol
https              443            HTTP over TLS/SSL
ident              113            Ident Protocol
imap4              143            Internet Message Access Protocol, version 4
irc                194            Internet Relay Chat
kerberos           88             Kerberos
klogin             543            Kerberos Login
kshell             544            Kerberos Shell
ldap               389            Lightweight Directory Access Protocol
ldaps              636            LDAP over TLS/SSL
login              513            Login (rlogin)
lotusnotes         1352           IBM Lotus Notes
lpd                515            Printer Service
matip-a            350            Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
netbios-ssn        139            NetBIOS Session Service
nntp               119            Network News Transport Protocol
pcanywhere-data    5631           PC Anywhere data
pim-auto-rp        496            PIM Auto-RP
pop2               109            Post Office Protocol v2
pop3               110            Post Office Protocol v3
pptp               1723           Point-to-Point Tunneling Protocol, RFC 2637
rtsp               554            Real Time Streaming Protocol
sip                5060           Session Initiation Protocol
skinny             2000           Cisco Skinny Client Control Protocol (SCCP)
smtp               25             Simple Mail Transfer Protocol
sqlnet             1521           Structured Query Language Network
ssh                22             Secure Shell
sunrpc             111            Sun Remote Procedure Call
tacacs             49             Terminal Access Controller Access Control System
talk               517            Talk
telnet             23             Telnet
time               37             Time
uucp               540            UNIX-to-UNIX Copy Program
whois              43             Nicname
www                80             World Wide Web (HTTP)


Table 1-4 Well-Known UDP Keywords and Port Numbers

Keyword             Port   Description
biff                512    Mail notification
bootpc              68     Bootstrap Protocol client
bootps              67     Bootstrap Protocol server
discard             9      Discard
dnsix               195    DNSIX Security protocol auditing (dn6-nlm-aud)
domain              53     Domain Name System
echo                7      Echo
isakmp              500    Internet Security Association Key Management Protocol
kerberos            88     Kerberos
mobile-ip           434    Mobile IP registration
nameserver          42     Host Name Server
netbios-dgm         138    NetBIOS datagram service
netbios-ns          137    NetBIOS name service
netbios-ssn         139    NetBIOS Session Service
ntp                 123    Network Time Protocol
pcanywhere-status   5632   PC Anywhere status
radius              1812   Remote Authentication Dial-in User Service
radius-acct         1813   RADIUS Accounting
rip                 520    Routing Information Protocol
snmp                161    Simple Network Management Protocol
snmptrap            162    SNMP Traps
sunrpc              111    Sun Remote Procedure Call
syslog              514    System Logger
tacacs              49     Terminal Access Controller Access Control System
talk                517    Talk
tftp                69     Trivial File Transfer Protocol
time                37     Time
who                 513    Who service (rwho)
wsp                 9200   Connectionless Wireless Session Protocol
wsp-wtls            9202   Secure Connectionless WSP
wsp-wtp             9201   Connection-based WSP
wsp-wtp-wtls        9203   Secure Connection-based WSP
xdmcp               177    X Display Manager Control Protocol

Examples

IPv6 Examples

To configure an IPv6 TCP extended ACL, enter:

host1/Admin(config)# access-list INBOUND line 10 extended permit tcp 2001:DB8:1::1/64 gt 1024 2001:DB8:2::1 lt 4000

To remove an entry from an extended ACL, enter:

host1/Admin(config)# no access-list INBOUND line 10

To control pings from a host to the ACE, specify the echo type (128 for ICMPv6).

To allow an external host with IP address 2001:DB8:1::2 to ping a host behind the ACE with an IP address of FC00:ABCD:1:2::5, enter:

host1/Admin(config)# access-list INBOUND extended permit icmpv6 host 2001:DB8:1::2 host FC00:ABCD:1:2::5 echo code eq 0

To remove an entry from an ICMP ACL, enter the no form with the same entry parameters:

host1/Admin(config)# no access-list INBOUND extended permit icmpv6 host 2001:DB8:1::2 host FC00:ABCD:1:2::5 echo code eq 0


IPv4 Examples

To configure a TCP extended ACL, enter:

host1/Admin(config)# access-list INBOUND line 10 extended permit tcp 192.168.12.0 255.255.255.0 gt 1024 172.27.16.0 255.255.255.0 lt 4000

To remove an entry from an extended ACL, enter:

host1/Admin(config)# no access-list INBOUND line 10
 
   

To allow an external host with IP address 192.168.12.5 to ping a host behind the ACE with an IP address of 10.0.0.5, enter:

host1/Admin(config)# access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5 echo code eq 0

To remove an entry from an ICMP ACL, enter the no form with the same entry parameters:

host1/Admin(config)# no access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5 echo code eq 0


To use object groups for all available parameters, enter:

ISM/Admin(config)# access-list acl_name extended {deny | permit} object-group service_grp_name object-group network_grp_name object-group network_grp_name
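The ACL rules stated in this section (standard subnet masks only, tcp/udp port operators, ICMP type keywords from Tables 1-1 and 1-2 with a separate code match, entries tried in line-number order, implicit deny when nothing matches) modelled in Python. This is an added example, not ACE code or output; the ACL entries and packets are constructed from the IPv4 examples above, and the line number 20 for the ICMP entry, the packet dictionary layout and the function names are assumptions.

```python
"""Model of how the ACE evaluates an extended ACL (added example, not ACE code).

Rules modelled from the text above: only contiguous (standard) subnet masks,
tcp/udp port operators (eq/neq/gt/lt), ICMP type keywords from Tables 1-1 and
1-2 with a separate code match, entries tried in line-number order, and an
implicit deny when no entry matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Subset of the keyword-to-type mappings from Tables 1-1 and 1-2.
ICMPV4_TYPES = {"echo-reply": 0, "unreachable": 3, "redirect": 5, "echo": 8,
                "time-exceeded": 11, "parameter-problem": 12}
ICMPV6_TYPES = {"unreachable": 1, "time-exceeded": 3, "parameter-problem": 4,
                "echo": 128, "echo-reply": 129, "redirect": 137}


def is_standard_mask(mask: str) -> bool:
    """True for a contiguous subnet mask (255.255.255.0); False for a wildcard
    mask (0.0.0.255) or a non-contiguous mask (255.255.0.255), both rejected by ACE."""
    bits = int(ipaddress.IPv4Address(mask))
    low = (~bits) & 0xFFFFFFFF          # complement must have the form 2**n - 1
    return low & (low + 1) == 0


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a source/destination network from address + subnet mask."""
    if not is_standard_mask(mask):
        raise ValueError(f"{mask}: ACE accepts only standard subnet masks")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class Entry:
    line: int
    action: str                                   # "permit" or "deny"
    proto: str                                    # "tcp", "udp", "icmp", "icmpv6", "ip"
    src: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    dst: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    src_port: Optional[Tuple[str, int]] = None    # (operator, port), e.g. ("gt", 1024)
    dst_port: Optional[Tuple[str, int]] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _port_ok(rule: Optional[Tuple[str, int]], port: int) -> bool:
    if rule is None:
        return True
    op, value = rule
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[op]


def matches(e: Entry, pkt: dict) -> bool:
    """Does one ACL entry match a packet (dict with proto/src/dst and
    sport/dport for tcp/udp or type/code for icmp)?"""
    if e.proto != "ip" and e.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in e.src:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in e.dst:
        return False
    if e.proto in ("tcp", "udp"):
        return _port_ok(e.src_port, pkt["sport"]) and _port_ok(e.dst_port, pkt["dport"])
    if e.proto in ("icmp", "icmpv6"):
        if e.icmp_type is not None and pkt["type"] != e.icmp_type:
            return False
        if e.icmp_code is not None and pkt["code"] != e.icmp_code:
            return False
    return True


def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry in line-number order decides; no match is an implicit deny."""
    for e in sorted(acl, key=lambda x: x.line):
        if matches(e, pkt):
            return e.action
    return "deny"


def sample_acl() -> list:
    """The two IPv4 permit entries from the examples above (constructed; line 20
    for the ICMP entry is an assumption)."""
    return [
        Entry(10, "permit", "tcp", net("192.168.12.0", "255.255.255.0"),
              net("172.27.16.0", "255.255.255.0"),
              src_port=("gt", 1024), dst_port=("lt", 4000)),
        Entry(20, "permit", "icmp", net("192.168.12.5", "255.255.255.255"),
              net("10.0.0.5", "255.255.255.255"),
              icmp_type=ICMPV4_TYPES["echo"], icmp_code=0),
    ]
```

A packet that reaches the end of the list without a match is denied, which is why a reply-direction ACL is unnecessary for TCP and UDP only because the ACE tracks established connections, not because the ACL itself permits the reverse flow.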

Related Commands

clear access-list

show access-list

(config) access-list remark

You can add comments about an access control list (ACL) to clarify the function of the ACL. To add a comment to an ACL, use the access-list remark command. A remark occupies a line number in the ACL like any other entry; if you omit the line number, the ACE appends the remark at the end of the ACL. Use the no form of this command to remove an ACL remark.

access-list name [line number] remark text

no access-list name [line number] remark [text]

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

line number

(Optional) Specifies the line number position where you want the comments to appear in the ACL. If you do not specify a line number, the ACE applies a default increment and a line number to the remark and appends it at the end of the ACL.

remark text

Specifies any comments that you want to include about the ACL. Enter an unquoted text string with a maximum of 100 alphanumeric characters. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.

Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

If you delete an ACL using the no access-list name command, then the remarks are also removed.

Examples

To add an entry comment to an ACL, enter:

host1/Admin(config)# access-list INBOUND remark This is a remark
 
   

To remove entry comments from an ACL, enter:

(config)#  no access-list INBOUND line 200 remark

Related Commands

clear access-list

show access-list

(config) access-list resequence

To resequence the entries in an extended access control list (ACL) with a specific starting number and interval, use the access-list resequence command. Use the no form of this command to reset the number assigned to an ACL entry to the default of 10.

access-list name resequence number1 number2

no access-list name resequence number1 number2

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.

resequence

Specifies the renumbering of the entries in an ACL.

number1

Number assigned to the first entry in the ACL. Enter any integer. The default is 10.

number2

Increment added to the line number of the preceding entry to number each subsequent entry. Enter any integer. The default is 10.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.

Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The ability to resequence entries in an ACL is supported only for extended ACLs.

Examples

For example, to assign the number 5 to the first entry in the access list INBOUND and then number each succeeding entry by adding 15 to the preceding entry line number, enter:

host1/Admin(config)# access-list INBOUND resequence 5 15

Related Commands

clear access-list

show access-list

(config) action-list type modify http

Action list modify configuration mode commands allow you to configure ACE action lists. An action list is a named group of actions that you associate with a Layer 7 HTTP class map in a Layer 7 HTTP policy map. You can create an action list to modify an HTTP header or to rewrite an HTTP redirect URL for SSL. For information about the commands in action list modify configuration mode, see the "Action List Modify Configuration Mode Commands" section.

To create an action list, use the action-list type modify http command. The CLI prompt changes to (config-actlist-modify). Use the no form of this command to remove the action list from the configuration.

action-list type modify http name

no action-list type modify http name

Syntax Description

name

Unique name for the action list. Enter an unquoted text string with a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.

Usage Guidelines

This command has no usage guidelines.

Examples

To create an action list, enter:

host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
host1/Admin(config-actlist-modify)# 
 
   

To remove the action list from the configuration, enter:

host1/Admin(config)# no action-list type modify http HTTP_MODIFY_ACTLIST

Related Commands

show running-config

show stats

(config) action-list type optimization http

(ACE appliance only) Action list optimization configuration mode commands allow you to configure ACE action lists. An action list is a named group of actions that you associate with a Layer 7 HTTP optimization policy map. The action-list type command allows you to configure a series of application acceleration and optimization statements. After you enter this command, the system enters the action list optimization configuration mode.

For information about the commands in action list optimization configuration mode, see the "Action List Optimization Configuration Mode Commands" section.

To create an optimization action map for performing application acceleration and optimization, use the action-list type command in global configuration mode. The CLI prompt changes to (config-actlist-optm). Use the no form of this command to remove an action list from the ACE.

action-list type optimization http list_name

no action-list type optimization http list_name

Syntax Description

optimization http

Specifies an optimization HTTP action list. After you create the optimization HTTP type action list, you configure application acceleration and optimization functions in the action list optimization configuration mode. For information about the commands in action list optimization configuration mode, see the "Action List Optimization Configuration Mode Commands" section.

list_name

Name assigned to the action list. Enter a unique name as an unquoted text string with a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Appliance Release   Modification
A1(7)                   This command was introduced.

Usage Guidelines

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

After you configure the action list, you associate it with a specific statement in a Layer 7 HTTP optimization policy map. The Layer 7 optimization HTTP policy map activates an optimization HTTP action list that allows you to configure the specified optimization actions.

For information about the commands in action list optimization configuration mode, see the "Action List Optimization Configuration Mode Commands" section. For details about configuring the commands in the action list optimization configuration mode, see the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide.

Examples

To create an optimization HTTP action list, enter:

host1/Admin(config)# action-list type optimization http ACT_LIST1
host1/Admin(config-actlist-optm)#
 
   

To remove the action list from the configuration, enter:

host1/Admin(config)# no action-list type optimization http ACT_LIST1

Related Commands

show action-list

show running-config

(config) parameter-map type

(config) policy-map

(config) arp

To configure the Address Resolution Protocol (ARP) on the ACE to manage and map IP to Media Access Control (MAC) information to forward and transmit packets, use the arp command. Use the no form of this command to remove the ARP entry or reset a default value.

arp {ip_address mac_address | interval seconds | inspection enable [flood | no-flood] | learned-interval seconds | learned-mode enable | rate seconds | ratelimit pps | retries number | sync disable | sync-interval seconds}

no arp {ip_address mac_address | interval | inspection enable | learned-interval | learned-mode enable | rate | ratelimit | retries | sync disable | sync-interval}

Syntax Description

ip_address mac_address

Static ARP entry in the ARP table that allows ARP responses from an IP address to a MAC address. Enter the IP address in dotted-decimal notation (for example, 172.16.56.76). Enter the MAC address in dotted-hexadecimal notation (for example, 00.60.97.d5.26.ab).

interval seconds

Specifies the interval in seconds at which the ACE sends ARP requests to the configured hosts. Enter a number from 15 to 31536000. The default is 300.

inspection enable

Enables ARP inspection, preventing malicious users from impersonating other hosts or routers, known as ARP spoofing. The default is disabled.

flood

(Optional) Enables ARP forwarding of nonmatching ARP packets. The ACE forwards all ARP packets to all interfaces in the bridge group. This is the default setting.

no-flood

(Optional) Disables ARP forwarding on the interface; the ACE drops nonmatching ARP packets.

learned-interval seconds

Sets the interval in seconds when the ACE sends ARP requests for learned hosts. Enter a number from 60 to 31536000. The default is 14400.

learned-mode enable

Enables the ACE to learn MAC addresses if the command has been disabled. By default, for bridged traffic, the ACE learns MAC addresses from all traffic. For routed traffic, the ACE learns MAC addresses only from ARP response packets or from packets that are destined to the ACE (for example, a ping to a VIP or a ping to a VLAN interface).

rate seconds

Specifies the time interval in seconds between ARP retry attempts to hosts. Enter a number from 1 to 60. The default is 10.

ratelimit pps

Specifies the rate limit in packets per second for gratuitous ARPs sent by the ACE. Enter a number from 100 to 8192. The default is 512. Note that this keyword applies to the entire ACE.

retries number

Specifies the number of ARP attempts before the ACE flags the host as down. Enter a number from 2 to 15. The default is 3.

sync disable

Disables the replication of ARP entries. By default, ARP entry replication is enabled.

sync-interval seconds

Specifies the time interval between ARP sync messages for learned hosts. Enter an integer from 1 to 3600 seconds (1 hour). The default is 5 seconds.


Command Modes

Configuration mode

Admin and user contexts. The ratelimit keyword is available in the Admin context only.

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
3.0(0)A1(3)             This command was revised with the sync disable and sync-interval keywords.
3.0(0)A1(6.2a)          This command was revised with the ratelimit keyword.
A2(3.2)                 The static ARP form of this command (arp ip_address mac_address) now allows the configuration of a multicast MAC address.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.
A3(2.6)                 The static ARP form of this command (arp ip_address mac_address) now allows the configuration of a multicast MAC address.

Usage Guidelines

This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The static form of the arp command (arp ip_address mac_address) also allows you to configure a multicast MAC address for a host. The ACE uses this multicast MAC address when it sends packets to the host, which supports deployments that involve clustering (for example, Check Point clustering). The ACE does not learn multicast MAC addresses for a host; you must configure them statically with the arp command.

ARP inspection operates only on ingress bridged interfaces. By default, ARP inspection is disabled on all interfaces, allowing all ARP packets through the ACE. When you enable ARP inspection, the ACE uses the IP address and interface ID (ifID) of an incoming ARP packet as an index into the ARP table. The ACE then compares the MAC address of the ARP packet with the MAC address in the indexed static ARP entry in the ARP table and takes the following actions:

If the IP address, source ifID, and MAC address match a static ARP entry, the inspection succeeds and the ACE allows the packet to pass.

If the IP address and interface of the incoming ARP packet match a static ARP entry, but the MAC address of the packet does not match the MAC address that you configured in that static ARP entry, ARP inspection fails and the ACE drops the packet.

If the ARP packet does not match any static entries in the ARP table or there are no static entries in the table, then you can set the ACE to either forward the packet out all interfaces (flood) or to drop the packet (no-flood). In this case, the source IP address to MAC address mapping is new to the ACE. If you enter the flood option, the ACE creates a new ARP entry and marks it as LEARNED. If you enter the no-flood option, the ACE drops the ARP packet.

The ARP rate limit applies to all gratuitous ARPs sent for local addresses on new configurations, ACE reboot, and on MAC address changes.

When you change the ARP request interval for learned hosts or configured hosts, the new interval does not take effect until the existing timer expires. If you want the new interval to take effect immediately, enter the clear arp command (see the clear arp command).

For more information, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
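The ARP inspection decision described in the guidelines above, modelled in Python as an added example that is not ACE code. It implements the three outcomes the text gives (static entry matches on IP, ingress ifID and MAC: pass; IP and ifID match a static entry but the MAC differs: drop; no static entry: learn and flood, or drop under no-flood). The table keyed on (IP, ifID), the interface IDs and the attacker MAC addresses are constructed for the example.

```python
"""Model of ACE ARP inspection on a bridged ingress interface (added example,
not ACE code). Only static entries, created with `arp ip_address mac_address`,
are consulted by inspection; learned entries are recorded but never used to
drop a packet, which is why a static entry is required to stop spoofing of a
given host.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple


def norm_mac(mac: str) -> str:
    """Accept ACE dotted-hex (00.02.9a.3b.94.d9) or colon/dash forms; compare case-insensitively."""
    return mac.lower().replace(".", "").replace(":", "").replace("-", "")


@dataclass
class ArpEntry:
    mac: str
    static: bool        # True if configured with `arp ip_address mac_address`


@dataclass
class ArpInspector:
    flood: bool = True                                       # flood (default) or no-flood
    table: Dict[Tuple[str, int], ArpEntry] = field(default_factory=dict)  # (ip, ifID) -> entry

    def add_static(self, ip: str, ifid: int, mac: str) -> None:
        """Equivalent of `arp ip mac` on the context that owns interface ifid."""
        self.table[(ip, ifid)] = ArpEntry(norm_mac(mac), static=True)

    def inspect(self, ip: str, ifid: int, mac: str) -> str:
        """Return 'pass', 'drop' or 'learn' for an ARP packet with sender ip/mac
        received on interface ifid."""
        mac = norm_mac(mac)
        entry = self.table.get((ip, ifid))
        if entry is not None and entry.static:
            # IP and ifID index a static entry, so the MAC decides between the
            # legitimate host and an impersonator (ARP spoofing attempt).
            return "pass" if entry.mac == mac else "drop"
        if self.flood:
            # Unknown mapping under flood: record it as LEARNED and forward.
            self.table[(ip, ifid)] = ArpEntry(mac, static=False)
            return "learn"
        # Unknown mapping under no-flood: drop.
        return "drop"
```

With flood (the default) an attacker can still seed a LEARNED entry for any address that has no static entry; no-flood closes that gap at the cost of having to configure every legitimate host statically.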

Examples

To allow ARP responses from the router at 10.1.1.1 with the MAC address 00.02.9a.3b.94.d9, enter:

host1/contexta(config)# arp 10.1.1.1 00.02.9a.3b.94.d9
 
   

To remove a static ARP entry, enter:

host1/contexta(config)# no arp 10.1.1.1 00.02.9a.3b.94.d9
 
   

To enable ARP inspection and to drop all nonmatching ARP packets, enter:

host1/contexta(config)# arp inspection enable no-flood
 
   

To configure the retry attempt interval of 15 seconds, enter:

host1/contexta(config)# arp rate 15
 
   

To reset the retry attempt interval to the default of 10 seconds, enter:

host1/contexta(config)# no arp rate
 
   

To disable the replication of ARP entries, enter:

host1/contexta(config)# arp sync disable

Related Commands

clear arp

show arp

(config) banner

Use the banner command to specify a message to display as the message-of-the-day banner when a user connects to the ACE CLI. Use the no form of this command to delete or replace a banner or a line in a multiline banner.

banner motd text

no banner motd text

Syntax Description

motd

Configures the system to display as the message-of-the-day banner when a user connects to the ACE.

text

Line of message text to be displayed as the message-of-the-day banner. The text string consists of all characters that follow the first space until the end of the line (carriage return or line feed). The # character functions as the delimiting character for each line. For the banner text, spaces are allowed but tabs cannot be entered at the CLI. Multiple lines in a message-of-the-day banner are handled by entering a new banner command for each line that you wish to add.

The banner message is a maximum of 80 alphanumeric characters per line, up to a maximum of 3000 characters (3000 bytes) total for a message-of-the-day banner. This maximum value includes all line feeds and the last delimiting character in the message.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.

Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To replace a banner or a line in a multiline banner, use the no banner motd command before adding the new lines.

To add multiple lines in a message-of-the-day banner, precede each line by the banner motd command. The ACE appends each line to the end of the existing banner. If the text is empty, the ACE adds a carriage return (CR) to the banner.

You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable, as follows:

$(hostname)—Displays the hostname for the ACE during run time.

$(line)—Displays the tty (teletypewriter) line or name (for example, /dev/console, /dev/pts/0, or 1).

To use the $(hostname) token in single-line banner motd input, enclose the token in double quotation marks (") so that the $ is interpreted as the special character that begins a variable. An example is as follows:

switch/Admin(config)# banner motd #Welcome to "$(hostname)"...#
 
   

Do not use the double quotation mark (") or the percent sign (%) as a delimiting character in a single line message string. Do not use the delimiting character in the message string.

For multiline input, double quotation marks (") are not required around the token because the input mode differs from single-line mode. The ACE treats the double quotation mark (") as a regular character when you operate in multiline mode.

Examples

To add a message-of-the-day banner, enter:

host1/Admin(config)# banner motd #Welcome to the "$(hostname)".
host1/Admin(config)# banner motd Contact me at admin@admin.com for any
host1/Admin(config)# banner motd issues.#

Related Commands

show banner motd

(config) boot system image:

To set the BOOT environment variable, use the boot system image: command. Use the no form of this command to remove the name of the system image file.

boot system image:filename

no boot system image:filename

Syntax Description

filename

Name of the system image file.


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.

Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You can add several images to the BOOT environment variable to provide a fail-safe boot configuration. If the first file fails to boot the ACE, subsequent images that are specified in the BOOT environment variable are tried until the ACE boots or there are no additional images to attempt to boot. If there is no valid image to boot, the ACE enters ROM-monitor mode where you can manually specify an image to boot.

The ACE stores and executes images in the order in which you added them to the BOOT environment variable. If you want to change the order in which images are tried at startup, you can either prepend and clear images from the BOOT environment variable to attain the desired order or you can clear the entire BOOT environment variable and then redefine the list in the desired order.

If the file does not exist (for example, if you entered the wrong filename), then the filename is appended to the boot string, and this message displays:

Warning: File not found but still added in the bootstring.
 
   

If the file does exist, but is not a valid image, the file is not added to the bootstring, and this message displays:

Warning: file found but it is not a valid boot image.

Examples

ACE Module Example

To set the BOOT environment variable, enter:

host1/Admin(config)# boot system image:sb-ace.REL_1_0_0

ACE Appliance Example

To set the BOOT environment variable, enter:

host1/Admin(config)# boot system image:ace-t1k9-mzg.3.1.0.bin

Related Commands

show bootvar

(config) config-register

(config) buffer threshold

To set threshold levels for the network processor (NP) buffers in the active and standby ACEs and cause the active ACE to reboot if the thresholds are reached or exceeded, use the buffer threshold command. Use the no form of this command to remove the thresholds and disable the automatic reload.

buffer threshold active number1 standby number2 action reload

no buffer threshold active number1 standby number2 action reload

Syntax Description

active number1

Specifies the buffer threshold for the active redundant ACE or stand-alone ACE as a percentage. Enter 50, 75, 88, 95, or 100. There is no default value. In a redundant configuration, if the buffer usage of any NP reaches or exceeds the threshold and each of the NP's buffer usage in the standby ACE is below the configured standby threshold, the active ACE reboots and a switchover occurs. For a standalone ACE, if any of the NP's buffer usage exceeds the active value, then the ACE reboots.

standby number2

Specifies the buffer threshold for the standby redundant ACE as a percentage. Enter 10, 20, 30, 40, or 50. There is no default value. In a redundant configuration, if the active ACE buffer usage reaches or exceeds the configured active threshold but the standby ACE buffer usage also reaches or exceeds the standby threshold, the active ACE does not reboot and no switchover occurs. For a reload and a switchover to occur, the standby buffer usage of all NPs must be less than the configured standby threshold value.

action reload

Specifies that the ACE reloads when the buffer utilization exceeds the configured threshold. In a redundant configuration, a switchover occurs upon reload of the active ACE.


Command Modes

Configuration mode

Admin context only

Command History

ACE Release   Modification
A5(1.0)       This command was introduced.

Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The ACE checks the status of NP buffer usage every five seconds to initiate the reload action if the buffer threshold is configured and reached, and to generate syslogs if necessary. If the buffer threshold command is configured and if the NP buffer usage reaches or exceeds the threshold, the ACE reloads. In a redundant configuration, a switchover occurs and the former standby ACE becomes the active ACE. In the absence of this command, the automatic reload feature is disabled. You can also use this command in a stand-alone ACE.
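The reload decision described above, written out in Python as an added example (not ACE code). It applies the rule once per poll: in a redundant pair the active ACE reloads only when some active NP is at or above the active threshold and every standby NP is below the standby threshold; a stand-alone ACE reloads when any NP is at or above the active threshold. "Reaches or exceeds" is taken as the rule for the active side throughout. The per-NP usage lists and the poll series are constructed inputs.

```python
"""Decision rule of `buffer threshold active N1 standby N2 action reload`
(added example, not ACE code). Usage values are per-NP percentages as the ACE
samples them every five seconds.
"""
from typing import Optional, Sequence, Tuple

ACTIVE_VALUES = (50, 75, 88, 95, 100)      # permitted active thresholds
STANDBY_VALUES = (10, 20, 30, 40, 50)      # permitted standby thresholds


def should_reload(active_np: Sequence[int], active_thr: int,
                  standby_np: Optional[Sequence[int]] = None,
                  standby_thr: Optional[int] = None) -> bool:
    """Redundant pair (standby_np given): reload and switch over only if some
    active NP is at or above active_thr AND every standby NP is below
    standby_thr. Stand-alone (standby_np is None): reload when any NP is at or
    above active_thr."""
    if active_thr not in ACTIVE_VALUES:
        raise ValueError(f"active threshold must be one of {ACTIVE_VALUES}")
    if max(active_np) < active_thr:
        return False                      # no NP has reached the active threshold
    if standby_np is None:
        return True                       # stand-alone ACE: reload
    if standby_thr not in STANDBY_VALUES:
        raise ValueError(f"standby threshold must be one of {STANDBY_VALUES}")
    # A standby that is itself under pressure would not be a safe switchover
    # target, so a single standby NP at or above its threshold blocks the reload.
    return all(u < standby_thr for u in standby_np)


def first_reload_poll(samples: Sequence[Tuple[Sequence[int], Sequence[int]]],
                      active_thr: int, standby_thr: int) -> Optional[int]:
    """Walk successive five-second polls of (active_np, standby_np) and return the
    index of the first poll that triggers a reload, or None if none does."""
    for i, (act, stb) in enumerate(samples):
        if should_reload(act, active_thr, stb, standby_thr):
            return i
    return None
```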

Examples

To specify the active NP buffer utilization threshold as 88 percent and the standby NP buffer utilization threshold as 40 percent, enter the following command:

host1/Admin(config)# buffer threshold active 88 standby 40 action reload
 
   

Related Commands

show np

(config) class-map

To create a Layer 3 and Layer 4 or a Layer 7 class map, use the class-map command. Use the no form of the command to remove a class map from the ACE.

class-map [match-all | match-any] map_name

class-map type {ftp inspect match-any | generic {match-all | match-any}} map_name

class-map type {http {inspect | loadbalance} | management | radius loadbalance |
rtsp loadbalance | sip {inspect | loadbalance}} [match-all | match-any] map_name

no class-map [match-all | match-any] map_name

no class-map type {ftp inspect match-any | generic {match-all | match-any}} map_name

no class-map type {http {inspect | loadbalance} | management | radius loadbalance |
rtsp loadbalance | sip {inspect | loadbalance}} [match-all | match-any] map_name

Syntax Description

match-all

Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map. The class map is considered a match if all the match criteria listed in the class map match the network traffic class in the class map (typically, match commands of different types). The default setting is to meet all of the match criteria (match-all) in a class map.

match-any

Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map. The class map is considered a match if only one of the match criteria listed in the class map matches the network traffic class in the class map (typically, match commands of the same type). The default setting is to meet all of the match criteria (match-all) in a class map.

map_name

Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. For a Layer 3 and Layer 4 class map, you enter the class map configuration mode and the prompt changes to (config-cmap).

type

Specifies the class map type that is to be defined. When you specify a class map type, you enter its corresponding class map configuration mode (for example, HTTP inspection configuration mode).

ftp inspect

Specifies a Layer 7 class map for the inspection of File Transfer Protocol (FTP) request commands. For information about commands in FTP inspection configuration mode, see the "Class Map FTP Inspection Configuration Mode Commands" section.

generic

Specifies a Layer 7 class map for generic TCP or UDP data parsing. For information about commands in class map generic configuration mode, see the "Class Map Generic Configuration Mode Commands" section.

http inspect | loadbalance

Specifies a Layer 7 class map for HTTP server load balancing (loadbalance keyword) or a Layer 7 class map for the HTTP deep packet application protocol inspection (inspect keyword) of traffic through the ACE.

For information about commands in class map HTTP inspection configuration mode, see the "Class Map HTTP Inspection Configuration Mode Commands" section. For information about commands in class map HTTP server load-balancing configuration mode, see the "Class Map HTTP Load Balancing Configuration Mode Commands" section.

management

Specifies a Layer 3 and Layer 4 class map to classify the IP network management protocols received by the ACE. For information about commands in class map management configuration mode, see the "Class Map Management Configuration Mode Commands" section.

radius loadbalance

Specifies a Layer 7 class map for RADIUS server load balancing of traffic through the ACE. For information about commands in RADIUS server load-balancing configuration mode, see the "Class Map RADIUS Load Balancing Configuration Mode Commands" section.

rtsp loadbalance

Specifies a Layer 7 class map for RTSP server load balancing of traffic through the ACE. For information about commands in RTSP server load-balancing configuration mode, see the "Class Map RTSP Load Balancing Configuration Mode Commands" section.

sip inspect | loadbalance

Specifies a Layer 7 class map for SIP server load balancing (loadbalance keyword) or a Layer 7 class map for the SIP deep packet application protocol inspection (inspect keyword) of traffic through the ACE.

For information about commands in class map SIP inspection configuration mode, see the "Class Map SIP Inspection Configuration Mode Commands" section. For information about commands in class map SIP server load-balancing configuration mode, see the "Class Map SIP Load Balancing Configuration Mode Commands" section.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

A2(1.0)

This command was revised.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A3(1.0)

This command was revised.


Usage Guidelines

This command requires the inspect, loadbalance, NAT, connection, SSL, or vip feature in your user role, depending on the type of class map that you want to configure. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Use the class map configuration mode commands to create class maps that classify inbound network traffic destined to, or passing through, the ACE based on a series of flow match criteria specified in the class map. The CLI prompt changes correspondingly to the selected class map configuration mode, for example, (config-cmap), (config-cmap-ftp-insp), (config-cmap-http-lb), or (config-cmap-mgmt).

A Layer 3 and Layer 4 class map contains match criteria that classifies the following:

Network traffic that can pass through the ACE based on source or destination IP address, source or destination port, or IP protocol and port

Network management traffic that can be received by the ACE based on the HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet protocols

A Layer 7 class map contains match criteria that classifies specific Layer 7 protocol information. The match criteria enables the ACE to do the following:

Perform server load balancing based on the HTTP cookie, the HTTP header, the HTTP URL, protocol header fields, or source IP addresses

Perform deep packet inspection of the HTTP protocol

Perform FTP request command filtering

The ACE supports a system-wide maximum of 8192 class maps.

For details about creating a class map, see the Administration Guide, Cisco ACE Application Control Engine.

When multiple match criteria exist in the traffic class, you can identify evaluation instructions using the match-any or match-all keywords. If you specify match-any, the traffic that is evaluated must match one of the specified criteria (typically, match commands of the same type). If you specify match-all, the traffic that is evaluated must match all of the specified criteria (typically, match commands of different types).

Examples

To create a Layer 3 and Layer 4 class map named L4VIP_CLASS that specifies the network traffic that can pass through the ACE for server load balancing, enter:

host1/Admin(config)# class-map match-all L4VIP_CLASS
host1/Admin(config-cmap)#

To create a Layer 3 and Layer 4 class map named MGMT-ACCESS_CLASS that classifies the network management protocols that can be received by the ACE, enter:

host1/Admin(config)# class-map type management match-any MGMT-ACCESS_CLASS
host1/Admin(config-cmap-mgmt)#

To create a Layer 7 class map named L7SLB_CLASS that performs HTTP server load balancing, enter:

host1/Admin(config)# class-map type http loadbalance match-any L7SLB_CLASS
host1/Admin(config-cmap-http-lb)#

To create a Layer 7 class map named HTTP_INSPECT_L7CLASS that performs HTTP deep packet inspection, enter:

host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)#

To create a Layer 7 class map named FTP_INSPECT_L7CLASS that performs FTP command inspection, enter:

host1/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
host1/Admin(config-cmap-ftp-insp)# 

Related Commands

show startup-config

(config) policy-map

(config) service-policy

(config) clock timezone

To set the time zone, use the clock timezone command. Use the no form of this command to remove the clock time-zone setting.

clock timezone {zone_name {+ | -} hours minutes} | {standard time_zone}

no clock timezone

Syntax Description

zone_name

8-letter name of the time zone (for example, PDT) to be displayed when the time zone is in effect. See Table 1-5 in the "Usage Guidelines" section for a list of the common time zone acronyms used for this argument.

hours

Hours offset from Coordinated Universal Time (UTC).

minutes

Minutes offset from UTC. Range is from 0 to 59 minutes.

standard time_zone

Sets the time to a standard time zone that includes an applicable UTC hours offset. Enter one of the following well-known time zones:

ACST—Australian Central Standard Time as UTC + 9.5 hours

AKST—Alaska Standard Time as UTC -9 hours

AST—Atlantic Standard Time as UTC -4 hours

BST—British Summer Time as UTC + 1 hour

CEST—Central Europe Summer Time as UTC + 2 hours

CET—Central Europe Time as UTC + 1 hour

CST—Central Standard Time as UTC -6 hours

EEST—Eastern Europe Summer Time as UTC + 3 hours

EET—Eastern Europe Time as UTC + 2 hours

EST—Eastern Standard Time as UTC -5 hours

GMT—Greenwich Mean Time as UTC

HST—Hawaiian Standard Time as UTC -10 hours

IST—Irish Summer Time as UTC + 1 hour

MSD—Moscow Summer Time as UTC + 4 hours

MSK—Moscow Time as UTC + 3 hours

MST—Mountain Standard Time as UTC -7 hours

PST—Pacific Standard Time as UTC -8 hours

WEST—Western Europe Summer Time as UTC + 1 hour

WST—Western Standard Time as UTC + 8 hours


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

A2(1.0)

The ACST keyword was introduced. It replaced the CST keyword, as UTC +9.5 hours.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A3(1.0)

The ACST keyword was introduced. It replaced the CST keyword, as UTC +9.5 hours.


Usage Guidelines

The ACE keeps time internally as a Coordinated Universal Time (UTC) offset, so this command is used only for display purposes and when the time is set manually.

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Table 1-5 lists common time zone acronyms used for the zone_name argument.

Table 1-5 Time Zone Acronyms

Acronym   Time Zone Name and UTC Offset

Europe

BST       British Summer Time as UTC + 1 hour
CET       Central Europe Time as UTC + 1 hour
CEST      Central Europe Summer Time as UTC + 2 hours
EET       Eastern Europe Time as UTC + 2 hours
EEST      Eastern Europe Summer Time as UTC + 3 hours
GMT       Greenwich Mean Time as UTC
IST       Irish Summer Time as UTC + 1 hour
MSK       Moscow Time as UTC + 3 hours
MSD       Moscow Summer Time as UTC + 4 hours
WET       Western Europe Time as UTC
WEST      Western Europe Summer Time as UTC + 1 hour

United States and Canada

AST       Atlantic Standard Time as UTC -4 hours
ADT       Atlantic Daylight Time as UTC -3 hours
CT        Central Time, either as CST or CDT, depending on the place and time of the year
CST       Central Standard Time as UTC -6 hours
CDT       Central Daylight Saving Time as UTC -5 hours
ET        Eastern Time, either as EST or EDT, depending on the place and time of the year
EST       Eastern Standard Time as UTC -5 hours
EDT       Eastern Daylight Saving Time as UTC -4 hours
MT        Mountain Time, either as MST or MDT, depending on the place and time of the year
MDT       Mountain Daylight Saving Time as UTC -6 hours
MST       Mountain Standard Time as UTC -7 hours
PT        Pacific Time, either as PST or PDT, depending on the place and time of the year
PDT       Pacific Daylight Saving Time as UTC -7 hours
PST       Pacific Standard Time as UTC -8 hours
AKST      Alaska Standard Time as UTC -9 hours
AKDT      Alaska Standard Daylight Saving Time as UTC -8 hours
HST       Hawaiian Standard Time as UTC -10 hours

Australia

CST       Central Standard Time as UTC + 9.5 hours
EST       Eastern Standard/Summer Time as UTC + 10 hours (+11 hours during summer time)
WST       Western Standard Time as UTC + 8 hours


Examples

To set the time zone to PST and to set a UTC offset of -8 hours, enter:

host1/Admin(config)# clock timezone PST -8 0

To remove the clock time-zone setting, enter:

host1/Admin(config)# no clock timezone PST -8 0

Related Commands

(ACE appliance only) clock set

show clock

(config) clock summer-time

(config) clock summer-time

To configure the ACE to change the time automatically to summer time (daylight saving time), use the clock summer-time command. Use the no form of this command to remove the clock summer-time setting.

clock summer-time {daylight_timezone_name start_week start_day start_month start_time end_week end_day end_month end_time daylight_offset | standard time_zone}

no clock summer-time

Syntax Description

daylight_timezone_name

8-letter name of the time zone (for example, PDT) to be displayed when summer time is in effect. For a list of the common time zone acronyms used for this argument, see the "Usage Guidelines" section for the (config) clock timezone command.

start_week

Start week for summer time, ranging from 1 through 5.

start_day

Start day for summer time, ranging from Sunday through Saturday.

start_month

Start month for summer time, ranging from January through December.

start_time

Start time (military time) in hours and minutes.

end_week

End week for summer time, ranging from 1 through 5.

end_day

End day for summer time, ranging from Sunday through Saturday.

end_month

End month for summer time, ranging from January through December.

end_time

End time (military format) in hours and minutes.

daylight_offset

Number of minutes to add during summer time. Valid entries are from 1 to 1440. The default is 60.

standard time_zone

Sets the daylight time to a standard time zone that includes an applicable daylight time start and end range along with a daylight offset. Enter one of the following well-known time zones:

ADT—Atlantic Daylight Time: 2 a.m. first Sunday in April—2 a.m. last Sunday in October, + 60 minutes

AKDT—Alaska Standard Daylight Time: 2 a.m. first Sunday in April—2 a.m. last Sunday in October, + 60 minutes

CDT—Central Daylight Time: 2 a.m. first Sunday in April—2 a.m. last Sunday in October, + 60 minutes

EDT—Eastern Daylight Time: 2 a.m. first Sunday in April—2 a.m. last Sunday in October, + 60 minutes

MDT—Mountain Daylight Time: 2 a.m. first Sunday in April—2 a.m. last Sunday in October, + 60 minutes

PDT—Pacific Daylight Time: 2 a.m. first Sunday in April—2 a.m. last Sunday in October, + 60 minutes


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The first part of the command specifies when summer time begins, and the second part of the command specifies when summer time ends. All times are relative to the local time zone; the start time is relative to standard time and the end time is relative to summer time. If the starting month is after the ending month, the ACE assumes that you are located in the southern hemisphere.

Examples

To specify that summer time begins on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00, with a daylight offset of 60 minutes, enter:

host1/Admin(config)# clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60

To remove the clock summer-time setting, enter:

host1/Admin(config)# no clock summer-time
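The week, day and month fields of this command resolve to a different calendar date each year, and the rule in the usage guidelines that the start time is relative to standard time while the end time is relative to summer time matters right at the boundary. The following Python is an added example written for this page, not ACE code: it parses a clock summer-time line in the shape of the example above, resolves the start and end to concrete dates for a given year, and tests whether a local standard-time instant falls inside summer time, including the southern-hemisphere case where the start month is after the end month. It assumes the day and month abbreviations the page's example uses (Sun, Apr, Oct) and reads week 5 as the last such weekday of the month, which is how the example's 5 Sun Oct maps to the last Sunday in October.

```python
import calendar
from datetime import datetime, timedelta

# Day and month keywords as written in the page's example (assumed spelling).
DAYS = {"Sun": 6, "Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5}
MONTHS = {m: i + 1 for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"])}


def nth_weekday(year, month, week, weekday):
    """Day-of-month of the week-th <weekday> in the month.
    Week 5 means 'the last one' (assumption drawn from the page's '5 Sun Oct' example)."""
    days_in_month = calendar.monthrange(year, month)[1]
    matches = [d for d in range(1, days_in_month + 1)
               if calendar.weekday(year, month, d) == weekday]
    if week >= 5 or week > len(matches):
        return matches[-1]
    return matches[week - 1]


def parse_summer_time(cmd):
    """Split a 'clock summer-time' line into its fields, enforcing the ranges the page gives."""
    f = cmd.split()
    if f[:2] != ["clock", "summer-time"] or len(f) != 12:
        raise ValueError("expected: clock summer-time name sw sd sm hh:mm ew ed em hh:mm offset")
    name = f[2]
    start = (int(f[3]), DAYS[f[4]], MONTHS[f[5]], f[6])   # (week, weekday, month, "hh:mm")
    end = (int(f[7]), DAYS[f[8]], MONTHS[f[9]], f[10])
    offset = int(f[11])
    for week in (start[0], end[0]):
        if not 1 <= week <= 5:
            raise ValueError("start_week and end_week must be 1 through 5")
    if not 1 <= offset <= 1440:
        raise ValueError("daylight_offset must be 1 through 1440 minutes")
    return name, start, end, offset


def _resolve(year, spec):
    """Turn a (week, weekday, month, 'hh:mm') spec into a naive local datetime for the year."""
    week, weekday, month, hhmm = spec
    hour, minute = (int(x) for x in hhmm.split(":"))
    return datetime(year, month, nth_weekday(year, month, week, weekday), hour, minute)


def summer_time_window(cmd, year):
    """Concrete start/end instants for one year, as ISO strings.
    Start is in local standard time and end in local summer time, as the usage
    guidelines state; a start month after the end month marks the southern hemisphere."""
    name, start, end, offset = parse_summer_time(cmd)
    return {
        "name": name,
        "start": _resolve(year, start).isoformat(),
        "end": _resolve(year, end).isoformat(),
        "offset_minutes": offset,
        "southern_hemisphere": start[2] > end[2],
    }


def in_summer_time(cmd, local_standard_time):
    """True if the given local standard-time instant (ISO 8601 string) is in summer time."""
    when = datetime.fromisoformat(local_standard_time)
    name, start, end, offset = parse_summer_time(cmd)
    start_dt = _resolve(when.year, start)
    # The end is expressed in summer time; shift it back by the offset so that both
    # boundaries are compared in standard time.
    end_dt = _resolve(when.year, end) - timedelta(minutes=offset)
    if start[2] > end[2]:
        # Southern hemisphere: summer time spans the turn of the year.
        return when >= start_dt or when < end_dt
    return start_dt <= when < end_dt


if __name__ == "__main__":
    CMD = "clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60"
    print(summer_time_window(CMD, 2011))
    print(in_summer_time(CMD, "2011-10-30T00:30"), in_summer_time(CMD, "2011-10-30T01:00"))
```

For the page's example, 2011 resolves to a start of 3 April at 02:00 standard time and an end of 30 October at 02:00 summer time; because the end is shifted back by the 60-minute offset, 00:30 standard time on 30 October is still summer time and 01:00 is not.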

Related Commands

show clock

(config) clock timezone

(config) config-register

To change the configuration register settings, use the config-register configuration command. Use the no form of this command to reset the config-register to its default setting.

config-register value

no config-register value

Syntax Description

value

Configuration register value that you want to use the next time that you restart the ACE.

For the ACE module, the supported value entries are as follows:

0—(default) Upon reboot, the ACE boots to ROM monitor. The ACE remains in ROM monitor mode at startup.

1—Upon reboot, the ACE boots the system image identified in the BOOT environment variable (see the (config) boot system image: command). The BOOT environment variable specifies a list of image files on various devices from which the ACE can boot at startup. If the ACE encounters an error or if the image is not valid, it will try the second image (if one is specified). If the second image also fails to boot, the ACE returns to ROM monitor.

For the ACE appliance, the supported value entries are as follows:

0x0—Upon reboot, the ACE boots to the GNU GRand Unified Bootloader (GRUB). From the GRUB boot loader, you specify the system boot image to use to boot the ACE. Upon startup, the ACE loads the startup-configuration file stored in Flash memory (nonvolatile memory) to the running-configuration file stored in RAM (volatile memory).

0x1—(default) Upon reboot, the ACE boots the system image identified in the BOOT environment variable (see (config) boot system image:). The BOOT environment variable specifies a list of image files on various devices from which the ACE can boot at startup. If the ACE encounters an error or if the image is not valid, it will try the second image (if one is specified). Upon startup, the ACE loads the startup-configuration file stored in Flash memory (nonvolatile memory) to the running-configuration file stored in RAM (volatile memory).


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You can modify the boot method that the ACE uses at the next startup by setting the boot field in the software configuration register. The configuration register identifies how the ACE should boot.

For the ACE module, it also identifies where the system image is stored. You can modify the boot field to force the ACE to boot a particular system image at startup instead of using the default system image.

The config-register command affects only the configuration register bits that control the boot field and leaves the remaining bits unaltered.

Examples

ACE Module Example

To set the boot field in the configuration register to boot the system image identified in the BOOT environment variable upon reboot, enter:

host1/Admin(config)# config-register 1

ACE Appliance Example

To set the boot field in the configuration register to boot the system image identified in the BOOT environment variable upon reboot and to load the startup-configuration file stored in Flash memory, enter:

host1/Admin(config)# config-register 0x1

Related Commands

(config) boot system image:

(config) context

To create a context, use the context command. The CLI prompt changes to (config-context). A context provides a user view into the ACE and determines the resources available to a user. Use the no form of this command to remove a context.

context name

no context name

Syntax Description

name

Name that designates a context. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. Do not configure a context name that contains opening braces, closing braces, white spaces, or any of the following characters: ` $ % & * ( ) \ | ; ' " < > / ?

Do not start the context name with the following characters: - . # ~
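A context name ends up in the CLI prompt and in the configuration file, which is why the forbidden set above is mostly shell and quoting metacharacters. The following Python validator is an added example, not ACE code; it enforces the 64-character limit, the forbidden characters and the forbidden leading characters exactly as listed above and reports every rule a candidate name breaks. It does not additionally restrict names to letters and digits; that reading of "alphanumeric" in the description is an assumption, since the page's explicit character rules are what it enforces.

```python
MAX_LEN = 64
# Characters the page forbids anywhere in a context name (braces, quotes, shell metacharacters).
FORBIDDEN_ANYWHERE = set("{}`$%&*()\\|;'\"<>/?")
# Characters the page forbids as the first character of a context name.
FORBIDDEN_LEADING = set("-.#~")


def context_name_problems(name):
    """Return the list of rules the name violates; an empty list means it passes every check."""
    problems = []
    if not name:
        return ["name is empty"]
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # White space of any kind counts as forbidden, per the syntax description.
    bad = sorted({c for c in name if c in FORBIDDEN_ANYWHERE or c.isspace()})
    if bad:
        problems.append("contains forbidden characters: " + " ".join(repr(c) for c in bad))
    if name[0] in FORBIDDEN_LEADING:
        problems.append(f"starts with forbidden character {name[0]!r}")
    return problems


def is_valid_context_name(name):
    """Convenience wrapper: True when the name violates none of the listed rules."""
    return not context_name_problems(name)


if __name__ == "__main__":
    for candidate in ("C1", "my ctx", "-ctx", "ctx;1", "#" + "a" * 80):
        print(repr(candidate), context_name_problems(candidate) or "ok")
```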


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

A2(2.3)

This command no longer allows you to configure a context name that contains opening braces, closing braces, white spaces, or any of the following symbols: ` $ % & * ( ) \ | ; ' " < > / ?


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A3(2.3)

This command no longer allows you to configure a context name that contains opening braces, closing braces, white spaces, or any of the following symbols: ` $ % & * ( ) \ | ; ' " < > / ?


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

By default, the ACE allows you to create and use five user-configured contexts plus the default Admin context. To use a maximum of 251 contexts (Admin context plus 250 user contexts), you must purchase an additional license from Cisco Systems.

Examples

To create a context called C1, enter:

host1/Admin(config)# context C1
host1/Admin(config-context)#

To remove the context from the configuration, enter:

host1/Admin(config)# no context C1

Related Commands

changeto

show context

show user-account

show users

(config) crypto authgroup

To create a certificate authentication group, use the crypto authgroup command. Once you create an authentication group, the CLI enters into the authentication group configuration mode, where you add the required certificate files to the group. Use the no form of this command to delete an existing authentication group.

crypto authgroup group_name

no crypto authgroup group_name

Syntax Description

group_name

Name that you assign to the authentication group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.

A4(1.0)

The number of certificates in an authentication group was increased from 4 to 10.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A4(1.0)

The number of certificates in an authentication group was increased from 4 to 10.


Usage Guidelines

This command requires the Secure Sockets Layer (SSL) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

By creating an authentication group, you can implement a group of certificates that are trusted as certificate signers on the ACE. After creating the authentication group and assigning its certificates, you can configure client authentication on an SSL-proxy service by assigning the authentication group to the service. You include an authentication group in the handshake process by configuring the SSL proxy-service with the authentication group (see the (config) ssl-proxy service command).

You can configure an authentication group with up to ten certificates.

Examples

To create the authentication group AUTH-CERT1, enter:

host1/Admin(config)# crypto authgroup AUTH-CERT1

Related Commands

(config) ssl-proxy service

(config) crypto chaingroup

To create a certificate chain group, use the crypto chaingroup command. Once you create a chain group, the CLI enters into the chaingroup configuration mode, where you add the required certificate files to the group. Use the no form of this command to delete an existing chain group.

crypto chaingroup group_name

no crypto chaingroup group_name

Syntax Description

group_name

Name that you assign to the chain group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Secure Sockets Layer (SSL) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

A chain group specifies the certificate chains that the ACE sends to its peer during the handshake process. A certificate chain is a hierarchical list of certificates that includes the subject's certificate, the root CA certificate, and any intermediate CA certificates. You include a chain group in the handshake process by configuring the SSL proxy service with the chain group (see the (config) ssl-proxy service command).

Each context on the ACE can contain up to eight chain groups.

Examples

To create the chain group MYCHAINGROUP, enter:

host1/Admin(config)# crypto chaingroup MYCHAINGROUP

Related Commands

(config) ssl-proxy service

(config) crypto crl

To download a certificate revocation list (CRL) to the ACE, use the crypto crl command. Use the no form of this command to remove a CRL.

crypto crl crl_name url

no crypto crl crl_name

Syntax Description

crl_name

Name that you assign to the CRL. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

url

URL where the ACE retrieves the CRL. Enter the URL full path including the CRL filename in an unquoted alphanumeric string with a maximum of 255 characters. Both HTTP and LDAP URLs are supported. Start the URL with the http:// prefix or the ldap:// prefix.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.

A2(2.0)

This command was revised to support LDAP URLs and increased the number of CRLs per context from four to eight.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.

A4(1.0)

This command was revised to support LDAP URLs and increased the number of CRLs per context from four to eight.


Usage Guidelines

This command requires the Secure Sockets Layer (SSL) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You can use a CRL downloaded to the ACE for client or server authentication on an SSL proxy service. After you download the CRL, you can assign it to an SSL proxy service for either client or server authentication (see (config-ssl-proxy) crl for more information).

The ldap:/// prefix is not considered a valid LDAP CRL link in the CDP portion of the server certificate. Valid formats for LDAP URLs are as follows:

ldap://10.10.10.1:389/dc=cisco,dc=com?o=bu?certificateRevocationList

ldap://10.10.10.1/dc=cisco,dc=com?o=bu?certificateRevocationList

ldap://ldapsrv.cisco.com/dc=cisco,dc=com?o=bu?certificateRevocationList

ldap://ldapsrv.cisco.com:389/dc=cisco,dc=com?o=bu?certificateRevocationList

To use a question mark (?) character as part of the URL, press Ctrl-v before entering it. Otherwise the ACE interprets the question mark as a help command.

You can configure up to eight CRLs per context.
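The ACE fetches the CRL from whatever URL is configured here, so it is worth checking candidate URLs against the forms this page accepts before they reach the configuration. The following Python is an added example, not ACE code: it accepts http:// URLs that name a host and a file path and ldap:// URLs in the four forms listed above, rejects the ldap:/// form and any other scheme, enforces the 255-character and no-spaces rules, and returns the host, port and distinguished name. Two points are assumptions rather than page content: port 389 is filled in when an LDAP URL omits the port, and the last ?-separated field is required to be certificateRevocationList, as it is in all four sample URLs.

```python
from urllib.parse import urlsplit

MAX_URL_LEN = 255
CRL_ATTRIBUTE = "certificateRevocationList"   # last '?' field in the page's sample LDAP URLs
DEFAULT_LDAP_PORT = 389                       # assumed when the LDAP URL carries no port


def parse_crl_url(url):
    """Check a crypto crl URL against the rules on this page and return its parts.
    Raises ValueError for anything the page does not list as a valid form."""
    if len(url) > MAX_URL_LEN:
        raise ValueError(f"URL longer than {MAX_URL_LEN} characters")
    if any(c.isspace() for c in url):
        raise ValueError("URL must be a single unquoted string with no spaces")
    parts = urlsplit(url)
    if parts.scheme == "http":
        if not parts.hostname or parts.path in ("", "/"):
            raise ValueError("HTTP URL must include the host and the full path to the CRL file")
        return {"scheme": "http", "host": parts.hostname, "port": parts.port or 80,
                "path": parts.path}
    if parts.scheme == "ldap":
        if not parts.hostname:
            # ldap:///dn... has an empty host part; the page says this form is not valid.
            raise ValueError("ldap:/// without a host is not a valid LDAP CRL URL")
        dn = parts.path.lstrip("/")
        if not dn:
            raise ValueError("LDAP URL must carry the distinguished name of the CRL entry")
        fields = parts.query.split("?") if parts.query else []
        if not fields or fields[-1] != CRL_ATTRIBUTE:
            raise ValueError(f"LDAP URL must end with ?{CRL_ATTRIBUTE}")
        return {"scheme": "ldap", "host": parts.hostname,
                "port": parts.port or DEFAULT_LDAP_PORT, "dn": dn, "fields": fields[:-1]}
    raise ValueError("URL must start with the http:// or ldap:// prefix")


def is_valid_crl_url(url):
    """True when parse_crl_url accepts the URL."""
    try:
        parse_crl_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The four LDAP forms from the page, the HTTP example, and two forms the page rejects.
    samples = [
        "ldap://10.10.10.1:389/dc=cisco,dc=com?o=bu?certificateRevocationList",
        "ldap://10.10.10.1/dc=cisco,dc=com?o=bu?certificateRevocationList",
        "ldap://ldapsrv.cisco.com/dc=cisco,dc=com?o=bu?certificateRevocationList",
        "ldap://ldapsrv.cisco.com:389/dc=cisco,dc=com?o=bu?certificateRevocationList",
        "http://crl.verisign.com/class1.crl",
        "ldap:///dc=cisco,dc=com?o=bu?certificateRevocationList",
        "ftp://crl.example.com/class1.crl",
    ]
    for s in samples:
        print(is_valid_crl_url(s), s)
```

Note that the ? characters that need Ctrl-v at the ACE prompt are ordinary characters in a string here; the validator only sees the URL after it has been typed.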

Examples

To download a CRL that you want to name CRL1 from http://crl.verisign.com/class1.crl, enter:

host1/Admin(config)# crypto crl CRL1 http://crl.verisign.com/class1.crl

To remove the CRL, enter:

host1/Admin(config)# no crypto crl CRL1

Related Commands

(config) ssl-proxy service

(config) crypto crlparams

To configure signature verification on a Certificate Revocation List (CRL) to determine that it is from a trusted certificate authority, or to configure a timeout for CRL downloads that specifies the maximum time the ACE waits to retrieve the CRL data from a server, use the crypto crlparams command. Use the no form of this command to remove the CRL global parameters.

crypto crlparams crl_name {cacert ca_cert_filename | timeout number}

no crypto crlparams crl_name {cacert ca_cert_filename | timeout number}

Syntax Description

crl_name

Name that you assign to the CRL. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

cacert ca_cert_filename

Name of the CA certificate file used for signature verification.

timeout number

Specifies the time in seconds that the ACE waits for the CRL data before closing the connection with the server. For static CRLs, enter an integer from 2 to 300. For best-effort CRLs, the timeout is 60 seconds and not user-configurable. If the ACE does not receive the entire CRL data within the timeout limit, the ACE closes the socket connection with the server. For static CRLs, you can abort the CRL data download by removing the static CRL from the configuration.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.4) and A2(2.1)

This command was introduced.

A4(1.1)

Added the timeout number keyword and argument.


ACE Appliance Release
Modification

A3(2.2)

This command was introduced.

A4(1.1)

Added the timeout number keyword and argument.


Usage Guidelines

This command requires the PKI feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

In the absence of the timeout keyword, if the ACE does not receive the complete certificate revocation list (CRL) in a timely manner from a CRL server or the server does not close the connection, the ACE continues to wait for the data to arrive. While it is waiting for the CRL data, the ACE keeps the socket connection with the server open until the TCP connection with the server is closed because of inactivity. The TCP inactivity timer value could be as large as an hour. There is no way to clear this already established connection with the CRL server even if the static CRL is removed from the configuration.

Examples

To download a CRL that you want to name CRL1 from http://crl.verisign.com/class1.crl, enter:

host1/Admin(config)# crypto crl CRL1 http://crl.verisign.com/class1.crl

To remove the CRL, enter:

host1/Admin(config)# no crypto crl CRL1

To configure a 200-second CRL download timeout for CRL1, enter the following command:

host1/Admin(config)# crypto crlparams CRL1 timeout 200

When the CRL data download timeout expires and the download is aborted, the ACE generates a syslog to log the event as follows:

%ACE-6-253008: CRL crl_name could not be retrieved, reason: crl data dnld timeout error

The crl_name variable indicates the name of an existing CRL whose download was aborted because the CRL download timeout expired.

To return the ACE to its default behavior of waiting until the entire CRL is downloaded before closing the SSL connection, or until the TCP inactivity timeout closes the TCP connection, enter the following command:

host1/Admin(config)# no crypto crlparams CRL1 timeout 200

Related Commands

(config) ssl-proxy service

(config) crypto csr-params

To create a Certificate Signing Request (CSR) parameter set to define a set of distinguished name attributes, use the crypto csr-params command. Use the no form of this command to remove an existing CSR parameter set.

crypto csr-params csr_param_name

no crypto csr-params csr_param_name

Syntax Description

csr_param_name

Name that designates a CSR parameter set. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

A CSR parameter set defines the distinguished name attributes that the ACE applies to the CSR during the CSR-generating process. The distinguished name attributes provide the CA with the information that it needs to authenticate your site. Creating a CSR parameter set allows you to generate multiple CSRs with the same distinguished name attributes. You can create up to eight CSR parameter sets per context.

When you use the crypto csr-params command to specify a CSR parameter set, the prompt changes to the csr-params configuration mode (for more information on this mode and commands, see the "CSR Parameters Configuration Mode Commands" section), where you define each of the distinguished name attributes. The ACE requires that you define the following attributes:

Country name

State or province

Common name

Serial number

If you do not configure the required attributes, the ACE displays an error message when you attempt to generate a CSR using the incomplete CSR parameter set.

Examples

To create the CSR parameter set CSR_PARAMS_1, enter:

host1/Admin(config)# crypto csr-params CSR_PARAMS_1
host1/Admin(config-csr-params)#

Related Commands

crypto generate csr

show crypto

(config) crypto ocspserver

To configure an Online Certificate Status Protocol (OCSP) server that the ACE uses for revocation checks, use the crypto ocspserver command. Use the no form of this command to remove an OCSP server from the configuration.

crypto ocspserver ocsp_server_name url [conninactivitytout timeout] [nonce enable | disable] [reqsigncert signer_cert_filename {reqsignkey signer_key_filename}] [respsigncert response_signer_cert]

no crypto ocspserver ocsp_server_name url [conninactivitytout timeout] [nonce enable | disable] [reqsigncert signer_cert_filename {reqsignkey signer_key_filename}] [respsigncert response_signer_cert]

Syntax Description

ocsp_server_name

Identifier of the OCSP server. You use this name to apply the OCSP server to an SSL proxy service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

url

HTTP URL in the form: http://ocsphost.com:port_id/. The port ID is optional. If you do not specify a port, the default value of 2560 is used. You can specify either an IPv4- or an IPv6-based URL. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters.

conninactivitytout timeout

(Optional) TCP connection inactivity timeout, in seconds. Enter an integer from 2 to 3600. The default is 300 seconds.

nonce enable | disable

(Optional) Enables or disables the use of a nonce. By default, nonce is disabled. A nonce is a unique string that is used to bind OCSP requests and responses. When a nonce is enabled, the ACE includes a unique string in the requests that it sends to the OCSP server. The server must echo the string in its responses so that the ACE can verify that each response answers its own request.

reqsigncert signer_cert_filename

(Optional) Signer's certificate filename to sign outgoing requests to the OCSP server. By default, the request is not signed.

reqsignkey signer_key_filename

(Optional) Signer's private key filename to sign outgoing requests to the OCSP server. By default, the request is not signed. If you enter the reqsigncert option, you must enter the reqsignkey option.

respsigncert response_signer_cert

(Optional) Certificate used to verify the signature on OCSP server responses. By default, the signatures on responses from the OCSP server are not verified.


Command Modes

Configuration mode

All contexts

Command History

ACE Module Release
Modification

A5(1.0)

This command was introduced.


ACE Appliance Release
Modification

A5(1.0)

This command was introduced.


Usage Guidelines

This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

OCSP has the following configuration guidelines and restrictions:

You can configure a maximum of 64 OCSP servers in the ACE.

You can configure a maximum of 10 OCSP servers in an SSL proxy service.

The ACE can handle a maximum of 64 OCSP server connections with both static and best effort OCSP servers combined.

If you configure best-effort OCSP servers and best-effort CRLs in the same proxy list, the ACE extracts a maximum of four AIAs and four CDPs to conserve resources.

Client authentication may be delayed when you configure OCSP servers and CRLs in the same SSL proxy service.

The ACE does not perform authentication and revocation checks on response signer certificates.

Examples

To configure an OCSP server that the ACE uses to check the revocation status of SSL certificates, enter the following command:

host1/Admin(config)# crypto ocspserver OCSP_SSERVER1 http://10.10.10.10/ nonce enable conninactivitytout 60

To remove an OCSP server from the configuration, enter the following command:

host1/Admin(config)# no crypto ocspserver OCSP_SSERVER1
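The following added configuration, which is not part of the original reference, places the default (weak) form of the command beside a hardened one and then attaches the server to an SSL proxy service. The server address, object names and PEM file names are assumed, and the ocspserver keyword in SSL proxy service configuration mode is assumed to be the way the server is bound to the service; check the SSL Guide for that submode.

```text
! Added example; not from the original reference. URL, object and file names
! are assumed. The PEM files must already exist in the context (imported with
! crypto import) before the command is accepted.

! Weak: nonce disabled (a captured "good" response can be replayed) and no
! respsigncert (the response signature is never verified), so any host that
! answers on 10.10.10.10:2560 can vouch for a revoked client certificate.
crypto ocspserver OCSP_WEAK http://10.10.10.10:2560/

! Hardened: bind request and response with a nonce, verify the responder's
! signature against a pinned signer certificate, sign outgoing requests, and
! cap idle connection time at 60 seconds.
crypto ocspserver OCSP_HARDENED http://10.10.10.10:2560/ nonce enable conninactivitytout 60 reqsigncert OCSP_REQ_SIGNER.PEM reqsignkey OCSP_REQ_SIGNER.KEY respsigncert OCSP_RESP_SIGNER.PEM

! Attach the server to the SSL proxy service that performs client
! authentication (assumed submode keyword: ocspserver).
ssl-proxy service SSL_CLIENT_AUTH
  cert SERVER_CERT.PEM
  key SERVER_KEY.PEM
  authgroup CLIENT_CA_GROUP
  ocspserver OCSP_HARDENED
```

Because the ACE performs no authentication or revocation checks on the response signer certificate (see the guidelines above), the respsigncert file is effectively a trust anchor for revocation decisions: control who can import it and replace it when the responder's signing key changes. Use show crypto to confirm what the context actually loaded.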

Related Commands

show crypto

(config) crypto rehandshake enabled

To enable SSL rehandshake for all VIPs in a context, use the crypto rehandshake enabled command in configuration mode. By default, SSL rehandshake is disabled in all ACE contexts. Use the no form of this command to reset the default behavior.

crypto rehandshake enabled

no crypto rehandshake enabled

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

All contexts

Command History

ACE Module Release
Modification

A4(1.0)

This command was introduced.


ACE Appliance Release
Modification

A4(1.0)

This command was introduced.


Usage Guidelines

This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The crypto rehandshake enabled configuration mode command overrides the rehandshake enable parameter map command that you can configure individually in an SSL proxy service.

Examples

To enable SSL rehandshake for all VIPs in a context, enter:

host1/Admin(config)# crypto rehandshake enabled

To return the ACE behavior to the default of rehandshake being disabled, enter:

host1/Admin(config)# no crypto rehandshake enabled

Related Commands

show crypto

(config-parammap-ssl) rehandshake enabled

(config) domain

To create a domain, use the domain command. The CLI prompt changes to (config-domain). See the "Domain Configuration Mode Commands" section for details. Use the no form of this command to remove a domain from the configuration.

domain name

no domain name

Syntax Description

name

Name for the domain. Enter an unquoted text string with no spaces and a maximum of 76 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

A2(2.0)

The length of the name argument changes from 64 to 76 characters.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You can configure a maximum of 63 domains in each context.

A domain does not restrict the context configuration that you can display using the show running-config command. You can still display the running configuration for the entire context. However, you can restrict your access to the configurable objects within a context by adding to the domain only a limited subset of all the objects available to a context. To limit a user's ability to manipulate the objects in a domain, you can assign a role to that user. For more information about domains and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You can configure KAL-AP TAGs as domains. For the domain load calculation, the ACE considers the Layer 3 class map, server farm, and real server objects. All other objects under the domain are ignored during the calculation.

Examples

To create a domain named D1, enter:

host1/Admin(config)# domain D1
host1/Admin(config-domain)# 

Related Commands

(config) context

show user-account

show users

(config) end

To exit from configuration mode and return to Exec mode, use the end command.

end

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You can also press Ctrl-Z or enter the exit command to exit configuration mode.

Examples

To exit from configuration mode and return to Exec mode, enter:

host1/Admin(config)# end
host1/Admin#

Related Commands

This command has no related commands.

(config) exit

To exit from the current configuration mode and return to the previous mode, use the exit command.

exit

Syntax Description

This command has no keywords or arguments.

Command Modes

All configuration modes

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

In configuration mode, the exit command transitions to the Exec mode.

In all other configuration modes, the exit command transitions to the previous configuration mode.

You can also press Ctrl-Z or enter the (config) end command to leave configuration mode and return to Exec mode directly.

Examples

To exit from configuration mode and return to Exec mode, enter:

host1/Admin(config)# exit
host1/Admin# 

To exit from interface configuration mode and return to configuration mode, enter:

host1/Admin(config-if)# exit
host1/Admin(config)# 

Related Commands

This command has no related commands.

(config) ft auto-sync

To enable automatic synchronization of the running-configuration and the startup-configuration files in a redundancy configuration, use the ft auto-sync command. Use the no form of this command to disable the automatic synchronization of the running-configuration or the startup-configuration file.

ft auto-sync {running-config | startup-config}

no ft auto-sync {running-config | startup-config}

Syntax Description

running-config

Enables autosynchronization of the running-configuration file. The default is enabled.

startup-config

Enables autosynchronization of the startup-configuration file. The default is enabled.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

By default, the ACE automatically updates the running configuration on the standby context of an FT group with any changes that occur to the running configuration of the active context. If you disable the ft auto-sync command, you need to update the configuration of the standby context manually. For more information about configuration synchronization and configuring redundancy, see the Administration Guide, Cisco ACE Application Control Engine.


Caution Toggling ft auto-sync running-config in the Admin context may have undesirable side effects if the same command is also disabled in an active user context. If the ft auto-sync running-config command is disabled in the active Admin context and in an active user context, and you subsequently enable the ft auto-sync running-config command in the active Admin context first, the entire configuration of the standby user context will be lost. Always enter the ft auto-sync running-config command in the active user context first, and then enable the command in the active Admin context.

The ACE does not copy or write changes in the running-configuration file to the startup-configuration file unless you enter the copy running-config startup-config command or the write memory command for the current context. To write the contents of the running-configuration file to the startup-configuration file for all contexts, use the write memory all command. At this time, if the ft auto-sync startup-config command is enabled, the ACE syncs the startup-configuration file on the active ACE to the standby ACE.

The ACE does not synchronize the SSL certificates and key pairs that are present in the active context with the standby context of an FT group. If the ACE performs a configuration synchronization and does not find the necessary certs and keys in the standby context, config sync fails and the standby context enters the STANDBY_COLD state.


Caution Do not enter the no inservice command followed by the inservice command on the active context of an FT group when the standby context is in the STANDBY_COLD state. Doing so may cause the standby context running-configuration file to overwrite the active context running-configuration file.

To copy the certs and keys to the standby context, you must export the certs and keys from the active context to an FTP or TFTP server using the crypto export command, and then import the certs and keys to the standby context using the crypto import command. For more information about importing and exporting certs and keys, see the SSL Guide, Cisco ACE Application Control Engine.

To return the standby context to the STANDBY_HOT state in this case, ensure that you have imported the necessary SSL certs and keys to the standby context, and then perform a bulk sync of the active context configuration by entering the following commands in configuration mode in the active context of the FT group:

1. no ft auto-sync running-config

2. ft auto-sync running-config

Examples

To enable autosynchronization of the running-configuration file in the C1 context, enter:

host1/C1(config)# ft auto-sync running-config

Related Commands

(config) ft group

(config) ft interface vlan

(config) ft peer

(config) ft track host

(ACE module only) (config) ft track hsrp

(config) ft track interface

(config) ft connection-sync disable

By default, connection replication is enabled. There may be times when you want to disable it. To disable connection replication, use the ft connection-sync disable command. The syntax of this command is as follows:

ft connection-sync disable

no ft connection-sync disable

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A4(1.1)

This command was introduced.


ACE Appliance Release
Modification

A4(1.1)

This command was introduced.


Usage Guidelines

This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Initially, after you disable connection replication, the active ACE does not synchronize connections to the standby ACE. After a bulk sync:

New connections are not synchronized

Connections are not updated in a periodic scan

Connections that are already synchronized on the standby are not torn down

If you enable connection replication after a bulk sync occurs, the ACE takes the following actions:

New connections are synced immediately

Existing connections are synced in the next periodic cycle (in approximately 3 to 4 minutes)

Sticky replication is disabled by default and you can configure it on a per sticky group basis. The replicate sticky command takes precedence over the ft connection-sync disable command, so new client connections can be load balanced to the same server even when connection replication is disabled.

Note the following caveats with stickiness when connection replication is disabled:

The sticky database is not always in sync on the standby. With connection replication disabled, sticky connections on the active close normally, but on the standby the connections time out according to the idle timeout setting.

When sticky entries are approaching their expiration time, it is possible to have a zero active-conns-count on the standby and still have active connections on the active ACE. This condition can lead to sticky entries that are not present after a switchover.

Examples

To disable connection replication in the C1 context, enter the following command:

host1/C1(config)# ft connection-sync disable

To reenable connection replication after you have disabled it, enter the following command:

host1/Admin(config)# no ft connection-sync disable

Related Commands

(config) ft auto-sync

(config) ft group

To create a fault-tolerant (FT) group for redundancy, use the ft group command. After you enter this command, the system enters the FT group configuration mode. Use the no form of this command to remove an FT group from the configuration.

ft group group_id

no ft group group_id

Syntax Description

group_id

Unique identifier of the FT group.

For the ACE module, enter an integer from 1 to 255.

For the ACE appliance, enter an integer from 1 to 64.


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A3(2.6)

The number of FT groups increased from 21 to 64.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You must configure the same group ID on both peer ACEs.

On each ACE, you can create multiple FT groups:

For the ACE module, up to a maximum of 251 groups (250 user contexts and 1 Admin context)

For the ACE appliance, up to a maximum of 64 groups

Each group consists of a maximum of two members (contexts): one active context on one ACE and one standby context on the peer ACE.

For information about the commands in FT group configuration mode, see the "FT Group Configuration Mode Commands" section.

Examples

To configure an FT group, enter:

host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)#

To remove the group from the configuration, enter:

host1/Admin(config)# no ft group 1

Related Commands

(config) ft auto-sync

(config) ft interface vlan

(config) ft peer

(config) ft track host

(ACE module only) (config) ft track hsrp

(config) ft track interface

(config) ft interface vlan

To create a dedicated fault-tolerant (FT) VLAN over which two redundant peers communicate, use the ft interface vlan command. After you enter this command, the system enters the FT interface configuration mode. Use the no form of this command to remove an FT VLAN from the configuration.

ft interface vlan vlan_id

no ft interface vlan vlan_id

Syntax Description

vlan_id

Unique identifier for the FT VLAN. Enter an integer from 2 to 4094.


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Peer ACEs communicate with each other over a dedicated FT VLAN. These redundant peers use the FT VLAN to transmit and receive heartbeat packets and state and configuration replication packets. You must configure the same VLAN on each peer ACE. You cannot use this VLAN for normal network traffic and the FT VLAN does not support IPv6.

To remove an FT VLAN, first remove it from the FT peer using the no ft interface vlan command in FT peer configuration mode. See the (config-ft-peer) ft-interface vlan command for more information.

(ACE appliance only) To configure one of the Ethernet ports or a port-channel interface on the ACE for fault tolerance using a dedicated FT VLAN for communication between the members of an FT group, use the ft-port vlan command in interface configuration mode. See the (config-if) ft-port vlan command for more information.

(ACE appliance only) On both peer ACE appliances, you must configure the same Ethernet port or port-channel interface as the FT VLAN port. For example:

If you configure ACE appliance 1 to use Ethernet port 4 as the FT VLAN port, then be sure to configure ACE appliance 2 to use Ethernet port 4 as the FT VLAN port.

If you configure ACE appliance 1 to use port-channel interface 255 as the FT VLAN port, then be sure to configure ACE appliance 2 to use port-channel interface 255 as the FT VLAN port.

Examples

To configure an FT VLAN, enter:

host1/Admin(config)# ft interface vlan 200
host1/Admin(config-ft-intf)#

To remove the FT VLAN from the redundancy configuration, enter:

host1/Admin(config)# no ft interface vlan 200

Related Commands

(config) ft auto-sync

(config) ft group

(config) ft peer

(config) ft track host

(ACE module only) (config) ft track hsrp

(config) ft track interface

(ACE appliance only) (config-if) ft-port vlan

(config) ft peer

On both peer ACEs, configure an FT peer definition. To create an FT peer, use the ft peer command. After you enter this command, the system enters the FT peer configuration mode. You can configure a maximum of two ACEs as redundancy peers. Use the no form of this command to remove the FT peer from the configuration.

ft peer peer_id

no ft peer peer_id

Syntax Description

peer_id

Unique identifier of the FT peer. Enter 1.


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Each ACE can have one FT peer. FT peers are redundant ACEs that communicate with each other over a dedicated FT VLAN.

Before you can remove an FT peer from the configuration, remove the peer from the FT group using the no peer command in FT group configuration mode.

For information about the commands in FT peer configuration mode, see the "FT Peer Configuration Mode Commands" section.

Examples

To configure an FT peer, enter:

host1/Admin(config)# ft peer 1
host1/Admin(config-ft-peer)#

Related Commands

(config) ft auto-sync

(config) ft group

(config) ft interface vlan

(config) ft track host

(ACE module only) (config) ft track hsrp

(config) ft track interface
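The ft interface vlan, ft peer and ft group commands above only create objects; the redundancy relationship is built in their submodes. The following added configuration, which is not from the original reference, shows how the three fit together on the active ACE. The VLAN number, addresses, priorities and context name are assumed, and the submode commands (ip address, peer ip address, no shutdown, ft-interface vlan, heartbeat interval and count, peer, priority, peer priority, associate-context, inservice) belong to the FT interface, FT peer and FT group configuration modes described elsewhere in this reference.

```text
! Added example; not from the original reference. Addresses, VLAN ID and
! priorities are assumed.

! 1. Dedicated FT VLAN. It carries heartbeats plus state and configuration
!    replication (see the ft interface vlan guidelines), so it must be an
!    isolated point-to-point link between the two ACEs, never a production VLAN.
ft interface vlan 200
  ip address 192.168.200.1 255.255.255.0
  peer ip address 192.168.200.2 255.255.255.0
  no shutdown

! 2. The single peer (ID 1 on both ACEs), bound to that VLAN.
ft peer 1
  ft-interface vlan 200
  heartbeat interval 300
  heartbeat count 10

! 3. One FT group per context. The same group ID must exist on both ACEs;
!    inservice goes last, once the group is fully defined.
ft group 1
  peer 1
  priority 150
  peer priority 50
  associate-context Admin
  inservice

! On the peer ACE the configuration is a mirror image: ft interface vlan 200
! with ip address and peer ip address swapped, ft peer 1 bound to the same
! VLAN, and ft group 1 associated with the same context (with the priorities
! reversed so that this unit is the preferred active).
```

Remove the objects in the reverse order of creation: the page's guidelines require no peer in FT group mode before no ft peer, and no ft-interface vlan in FT peer mode before no ft interface vlan. After both sides are configured, the show ft group and show ft peer commands show whether the standby reached the STANDBY_HOT state or is stuck in STANDBY_COLD (typically missing SSL certs and keys, as described under ft auto-sync).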

(config) ft track host

To create a tracking and failure detection process for a gateway or host, use the ft track host command. After you enter this command, the system enters FT track host configuration mode. Use the no form of this command to remove the gateway-tracking process.

ft track host name

no ft track host name

Syntax Description

name

Unique identifier of the tracking process for a gateway or host. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the fault-tolerant (FT) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

For information about commands in FT track host configuration mode, see the "FT Track Host Configuration Mode Commands" section.

For details about configuring redundant ACEs, see the Administration Guide, Cisco ACE Application Control Engine.

Examples

To create a tracking process for a gateway, enter:

host1/Admin(config)# ft track host TRACK_GATEWAY1
host1/Admin(config-ft-track-host)#

To remove the gateway-tracking process, enter:

host1/Admin(config)# no ft track host TRACK_GATEWAY1

Related Commands

(ACE module only) (config) ft track hsrp

(config) ft track interface

(config) ft track hsrp

(ACE module only) To configure failure detection and tracking for a Hot Standby Router Protocol (HSRP) group, use the ft track hsrp command. After you enter this command, the system enters FT track hsrp configuration mode. Use the no form of this command to stop tracking for an HSRP group.

ft track hsrp name

no ft track hsrp name

Syntax Description

name

Unique identifier of the tracking process for an HSRP group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the fault-tolerant (FT) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You must configure the HSRP group on the supervisor engine of the Catalyst 6500 series switch before you configure HSRP tracking on the ACE. Failure to do so may result in erroneous state information for the HSRP group being displayed in the show ft track detail command output in Exec mode. For information about commands in FT track hsrp configuration mode, see the "FT Track HSRP Configuration Mode Commands" section.

For details about configuring redundant ACEs, see the Administration Guide, Cisco ACE Application Control Engine.

Examples

To configure FT tracking for an HSRP group, enter:

host1/Admin(config)# ft track hsrp TRACK_HSRP_GRP1
host1/Admin(config-ft-track-hsrp)#

To remove the HSRP group-tracking process, enter:

host1/Admin(config)# no ft track hsrp TRACK_HSRP_GRP1

Related Commands

(config) ft auto-sync

(config) ft group

(config) ft interface vlan

(config) ft peer

(config) ft track host

(config) ft track interface

(config) ft track interface

To create a tracking and failure detection process for a critical interface, use the ft track interface command. After you enter this command, the system enters FT track interface configuration mode. Use the no form of this command to stop tracking for an interface.

ft track interface name

no ft track interface name

Syntax Description

name

Unique identifier of the tracking process for a critical interface. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the fault-tolerant (FT) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You cannot delete an interface if the ACE is using the interface for tracking. Also, you cannot configure the FT VLAN for tracking.

For information about commands in FT track interface configuration mode, see the "FT Track Interface Configuration Mode Commands" section.

For details about configuring redundant ACEs, see the Administration Guide, Cisco ACE Application Control Engine.

Examples

To configure a tracking and failure detection process for an interface, enter:

host1/Admin(config)# ft track interface TRACK_VLAN100

To remove the interface-tracking process, enter:

host1/Admin(config)# no ft track interface TRACK_VLAN100

Related Commands

(config) ft auto-sync

(config) ft group

(config) ft interface vlan

(config) ft peer

(config) ft track host

(ACE module only) (config) ft track hsrp

(config) hostname

To specify a hostname for the ACE, use the hostname command. The hostname is used for the command line prompts and default configuration filenames. If you establish sessions to multiple devices, the hostname helps you track where you enter commands. Use the no form of this command to reset the hostname to the default of switch.

hostname name

no hostname name

Syntax Description

name

New hostname for the ACE. Enter a case-sensitive text string that contains from 1 to 32 alphanumeric characters (with no spaces). The underscore (_) character is not supported in the hostname for the ACE.


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

A4(1.0)

Underscores (_) in the host name for an ACE are not supported.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A4(1.0)

Underscores (_) in the host name for an ACE are not supported.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

By default, the hostname for the ACE is switch.

Examples

To change the hostname of the ACE from switch to ACE1, enter:

switch/Admin(config)# hostname ACE1
ACE1/Admin(config)# 

Related Commands

(config) peer hostname

(config) hw-module

(ACE module only) To configure hardware module parameters in the ACE, use the hw-module command. Use the no form of this command to reset the default behavior.

hw-module {cde-same-port-hash | optimize-lookup}

no hw-module {cde-same-port-hash | optimize-lookup}

Syntax Description

cde-same-port-hash

Configures the classification and distribution engine (CDE) to perform the hash function using the ports when the source and destination ports of a TCP or UDP packet are equal. When this command is configured, the ACE also disables implicit PAT on such packets so that the source port does not change. This command is available only in the Admin context.

optimize-lookup

Disables the egress MAC address lookup that the ACE normally performs. Use this command when you have multiple ACEs installed in a chassis with heavy traffic to improve performance.


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(6.2a)

This command was introduced.

A2(1.0)

This command was revised with the optimize-lookup keyword.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

By default, when the source and destination ports of a TCP or UDP packet are equal, the CDE uses the source IP address and destination IP address to perform the hash function. When they are not equal, the CDE only uses the ports. When the cde-same-port-hash command is configured and the ports are equal, the CDE uses a slightly different hash method from the default method.

If you have multiple ACEs installed in a Catalyst 6500 Series Switch or in a Cisco Catalyst 7600 Router, you may experience lower performance than expected with very high rates of traffic. If you fail to achieve the advertised performance of the ACE, you can disable the egress MAC address lookup using the hw-module optimize-lookup command.

Do not use the hw-module optimize-lookup command if you have intelligent modules with distributed forwarding cards (DFCs) installed in the Catalyst 6500 Series Switch or the Cisco Catalyst 7600 Router. Using this command with such modules will cause the Encoded Address Recognition Logic (EARL) units on these modules and on the Supervisor to become unsynchronized.

Examples

To configure the CDE to perform the hash function using the ports when the source and destination ports of a TCP or UDP packet are equal, enter:

switch/Admin(config)# hw-module cde-same-port-hash

To reset the default behavior, enter:

switch/Admin(config)# no hw-module cde-same-port-hash

Related Commands

show cde

(config) interface

To configure a bridge-group virtual interface (BVI), VLAN interface, and for the ACE appliance, the Ethernet port, or port-channel interface, use the interface command. The CLI prompt changes to (config-if). Use the no form of this command to remove the interface.

interface {bvi group_number | gigabitEthernet slot_number/port_number | port-channel channel_number | vlan number}

no interface {bvi group_number | gigabitEthernet slot_number/port_number | port-channel channel_number | vlan number}

Syntax Description

bvi group_number

Creates a BVI for a bridge group and accesses interface configuration mode commands for the BVI. The group_number argument is the bridge-group number configured on a VLAN interface.

gigabitEthernet slot_number/port_number

(ACE appliance only) Specifies one of the four Ethernet ports on the rear panel of the ACE as follows:

slot_number—The physical slot on the ACE containing the Ethernet ports. This selection is always 1, the location of the daughter card in the ACE. The daughter card includes the four Layer 2 Ethernet ports to perform Layer 2 switching.

port_number—The physical Ethernet port on the ACE. Valid selections are 1 through 4, which specifies one of the four Ethernet ports (1, 2, 3, or 4) associated with the slot 1 (daughter card) selection.

port-channel channel_number

(ACE appliance only) Specifies the channel number assigned to this port-channel interface. Valid values are from 1 to 255.

vlan number

Assigns the VLAN to the context and accesses interface configuration mode commands for the VLAN. The number argument is the VLAN number you want to assign to the interface. VLAN numbers are 2 to 4094 (VLAN 1 is reserved for internal use and cannot be used).

(ACE module only) The VLAN is assigned to the ACE from the supervisor engine for the Catalyst 6500 series switch.


Command Modes

Configuration mode

BVI and VLAN—Admin and user contexts

(ACE appliance only) Ethernet port and port-channel interface—Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

For information about commands in interface configuration mode, see the "Interface Configuration Mode Commands" section. For details about configuring a BVI interface, Ethernet port, port-channel interface, or VLAN interface, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

To enable the bridge-group VLANs, you must configure a bridge-group virtual interface (BVI) that represents a corresponding bridge group. An IP address in the same subnet should be configured on the BVI. This address is used for management traffic and as a source IP address for traffic from the ACE, similar to ARP requests.

The ACE supports a maximum of 4093 VLAN interfaces with a maximum of 1,024 shared VLANs.

The ACE supports a maximum of 4094 BVI interfaces.

The ACE supports a maximum of 8192 interfaces per system that include VLANs, shared VLANs, and BVI interfaces.

The ACE requires a route back to the client before it can forward a request to a server. If the route back is not present, the ACE cannot establish a flow and drops the client request. Make sure that you configure the appropriate routing to the client network on the ACE VLAN where the client traffic enters the ACE.

You can configure one or more VLAN interfaces in any user context before you assign those VLAN interfaces to the associated user contexts through the (config-context) allocate-interface command in the Admin context.

ACE Appliance Guidelines

In addition, the Ethernet port and port-channel interface command functions require the Admin user role.

The four Ethernet ports provide physical Ethernet ports to connect servers, PCs, routers, and other devices to the ACE. You can configure the four Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiation or fixed full-duplex or half-duplex operation on an Ethernet LAN, and can carry traffic within a designated VLAN.

You can group physical ports together on the ACE to form a logical Layer 2 interface called the EtherChannel (or port-channel). All the ports belonging to the same port-channel must be configured with the same values; for example, port parameters, VLAN membership, and trunk configuration. Only one port-channel in a channel group is allowed, and a physical port can belong only to a single port-channel interface.

Examples

To assign VLAN interface 200 to the Admin context and access interface configuration mode, enter:

host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# 
 
   

To remove a VLAN, enter:

host1/Admin(config)# no interface vlan 200
 
   

To create a BVI for bridge group 15, enter:

host1/Admin(config)# interface bvi 15
host1/Admin(config-if)# 
 
   

To delete a BVI for bridge group 15, enter:

host1/Admin(config)# no interface bvi 15
 
   

ACE Appliance Example

To configure Ethernet port 3 and access interface configuration mode, enter:

host1/Admin(config)# interface gigabitEthernet 1/3
host1/Admin(config-if)#
 
   

To create a port-channel interface with a channel number of 255, enter:

host1/Admin(config)# interface port-channel 255
host1/Admin(config-if)#
 
   

Related Commands

clear interface

show interface

(config) ip dhcp relay

To configure a Dynamic Host Configuration Protocol (DHCP) relay agent on the ACE, use the ip dhcp relay command. When you configure the ACE as a DHCP relay agent, it is responsible for forwarding the requests and responses negotiated between the DHCP clients and the server. You must configure a DHCP server when you enable the DHCP relay. Use the no form of this command to disable a DHCP relay agent setting.

ip dhcp relay {enable | information policy {keep | replace} | server ip_address}

no ip dhcp relay {enable | information policy {keep | replace} | server ip_address}

Syntax Description

enable

Accepts DHCP requests from clients on the associated context or interface and enables the DHCP relay agent. The DHCP relay starts forwarding packets to the DHCP server address specified in the ip dhcp relay server command for the associated interface or context.

information policy

Configures the relay agent information reforwarding policy, which tells the ACE what to do when a client message that it is about to forward already carries relay agent information (DHCP option 82) inserted by another relay.

keep

Forwards the message with the existing relay agent information unchanged. This is the default setting.

replace

Overwrites the existing relay agent information with the ACE's own information before forwarding the message.

server

Specifies the IP address of a DHCP server to which the DHCP relay agent forwards client requests.

ip_address

IP address of the DHCP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the DHCP feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The DHCP relay agent can be configured at both the context and interface level of the ACE. Note the following configuration considerations:

If you configure the DHCP relay agent at the context level, the configuration is applicable to all interfaces associated with the context.

If you configure the DHCP relay agent at the interface level, the configuration applies to that particular interface only; the remaining interfaces fall back to the context-level configuration.
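The context-versus-interface precedence just described is easy to lose track of in a context with many VLANs, and a relay that is enabled without a server accepts client requests that it has nowhere to forward. The following Python script is an added example, not part of the Cisco reference and not ACE code: it reads a constructed running-config fragment, resolves the relay setting that each VLAN interface actually inherits, and lists the VLANs on which relay is on but no server is configured at either level. It assumes that the interface level overrides the context level attribute by attribute (enable and server list independently) and that the no form simply removes a setting at its own level; the configuration text and addresses are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of a user-context running-config (not captured from a
# real ACE). The context-level lines apply to every VLAN unless an interface
# overrides them: VLAN 50 points at a different server, VLAN 60 inherits.
SAMPLE_CONFIG = """\
ip dhcp relay enable
ip dhcp relay server 192.168.20.1
interface vlan 50
  ip address 10.50.0.1 255.255.255.0
  ip dhcp relay server 192.168.21.1
  no shutdown
interface vlan 60
  ip address 10.60.0.1 255.255.255.0
  no shutdown
"""

# Constructed: relay switched on at context level, but no server anywhere.
BROKEN_CONFIG = """\
ip dhcp relay enable
interface vlan 80
  ip address 10.80.0.1 255.255.255.0
  no shutdown
"""


@dataclass
class RelaySetting:
    enabled: Optional[bool] = None           # None: not configured at this level
    servers: List[str] = field(default_factory=list)


_RELAY = re.compile(r"^(no\s+)?ip dhcp relay (enable|server (\S+))$")


def _apply(setting: RelaySetting, line: str) -> bool:
    """Apply one 'ip dhcp relay' line to a setting; return False for other lines.
    Assumption: the 'no' form removes the setting at that level rather than
    forcing it off, so an interface then falls back to the context value."""
    m = _RELAY.match(line)
    if not m:
        return False
    negated, keyword, server = m.group(1), m.group(2), m.group(3)
    if keyword == "enable":
        setting.enabled = None if negated else True
    elif negated:
        setting.servers = [s for s in setting.servers if s != server]
    elif server not in setting.servers:
        setting.servers.append(server)
    return True


def parse_config(text: str) -> Tuple[RelaySetting, Dict[int, RelaySetting]]:
    """Split a running-config into the context-level setting and per-VLAN settings.
    Indented lines belong to the most recent 'interface vlan N' block."""
    context = RelaySetting()
    vlans: Dict[int, RelaySetting] = {}
    current: Optional[RelaySetting] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface vlan (\d+)$", line)
        if m:
            current = vlans.setdefault(int(m.group(1)), RelaySetting())
            continue
        if not raw.startswith(" "):
            current = None                   # back at context level
        _apply(current if current is not None else context, line)
    return context, vlans


def effective_relay(text: str) -> Dict[int, Tuple[bool, List[str]]]:
    """Return {vlan: (relay_enabled, servers)}; interface values take precedence
    over context values, attribute by attribute (assumption)."""
    context, vlans = parse_config(text)
    result: Dict[int, Tuple[bool, List[str]]] = {}
    for vlan, local in vlans.items():
        enabled = local.enabled if local.enabled is not None else bool(context.enabled)
        servers = local.servers if local.servers else context.servers
        result[vlan] = (enabled, list(servers))
    return result


def misconfigured(text: str) -> List[int]:
    """VLANs on which relay is enabled but no server is configured at either
    level: the ACE would accept client requests with nowhere to forward them."""
    return sorted(v for v, (on, servers) in effective_relay(text).items()
                  if on and not servers)
```

Run `misconfigured()` over the output of `show running-config` for each context before enabling relay on a new VLAN; the check is cheap and catches the enable-without-server case the reference warns about.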

Examples

To set the IP address of a DHCP server at the context level, enter:

host1/Admin# changeto C1
host1/C1# config
Enter configuration commands, one per line. End with CNTL/Z
host1/C1(config)# ip dhcp relay enable
host1/C1(config)# ip dhcp relay server 192.168.20.1
 
   

To specify the DHCP relay at the interface level, enter:

host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip dhcp relay enable
host1/Admin(config-if)# ip dhcp relay server 192.168.20.1
 
   

To remove the IP address of the DHCP server, enter:

host1/Admin(config-if)# no ip dhcp relay server 192.168.20.1

Related Commands

clear ip

show ip

(config) ip domain-list

To configure a domain name search list, use the ip domain-list command. The domain name list can contain a maximum of three domain names. Use the no form of this command to remove a domain name from the list.

ip domain-list name

no ip domain-list name

Syntax Description

name

Domain name. Enter an unquoted text string with no spaces and a maximum of 85 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the domain name feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You can configure a Domain Name System (DNS) client on the ACE to communicate with a DNS server to provide hostname-to-IP-address translation for hostnames in CRLs for the client authentication feature. For unqualified hostnames (hostnames that do not contain a domain name), you can configure a default domain name or a list of domain names that the ACE can use to:

Complete the hostname

Attempt a hostname-to-IP-address resolution with a DNS server

If you configure both a domain name list and a default domain name, the ACE uses only the domain name list and not the single default name. After you have enabled domain name lookups and configured a domain name list, the ACE uses each domain name in turn until it can resolve a single domain name into an IP address.

Examples

For example, to configure a domain name list, enter:

host1/Admin(config)# ip domain-list cisco.com
host1/Admin(config)# ip domain-list foo.com
host1/Admin(config)# ip domain-list xyz.com
 
   

To remove a domain name from the list, enter:

host1/Admin(config)# no ip domain-list xyz.com
 
   

Related Commands

show running-config

(config) ip domain-lookup

(config) ip domain-name

(config) ip domain-lookup

To enable the ACE to perform a domain lookup (host-to-address translation) with a DNS server, use the ip domain-lookup command. By default, this command is disabled. Use the no form of this command to return the state of domain lookups to the default value of disabled.

ip domain-lookup

no ip domain-lookup

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Domain Name feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You can configure a Domain Name System (DNS) client on the ACE to communicate with a DNS server to provide hostname-to-IP-address translation for hostnames in CRLs for the client authentication feature.

Before you configure a DNS client on the ACE, ensure that one or more DNS name servers are properly configured and are reachable. Otherwise, translation requests (domain lookups) from the DNS client will be discarded. You can configure a maximum of three name servers. The ACE attempts to resolve the hostnames with the configured name servers in order until the translation succeeds. If the translation fails, the ACE reports an error.

For unqualified hostnames (hostnames that do not contain a domain name), you can configure a default domain name or a list of domain names that the ACE can use to do the following:

Complete the hostname

Attempt a hostname-to-IP-address resolution with a DNS server

Examples

For example, to enable domain lookups, enter:

host1/Admin(config)# ip domain-lookup
 
   

To return the state of domain lookups to the default value of disabled, enter:

host1/Admin(config)# no ip domain-lookup
 
   

Related Commands

show running-config

(config) ip domain-list

(config) ip domain-name

(config) ip name-server

(config) ip domain-name

To configure a default domain name that the ACE appends to unqualified hostnames, use the ip domain-name command. Use the no form of this command to remove the default domain name.

ip domain-name name

no ip domain-name name

Syntax Description

name

Default domain name. Enter an unquoted text string with no spaces and a maximum of 85 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the domain name feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The DNS client feature allows you to configure a default domain name that the ACE uses to complete unqualified hostnames. An unqualified hostname does not contain a domain name (any name without a dot). When domain lookups are enabled and a default domain name is configured, the ACE appends a dot (.) and the configured default domain name to the unqualified host name and attempts a domain lookup.

Examples

For example, to specify a default domain name of cisco.com, enter:

host1/Admin(config)# ip domain-name cisco.com
 
   

In the above example, the ACE appends cisco.com to any unqualified host name in a CRL before the ACE attempts to resolve the host name to an IP address using a DNS name server.

To remove the default domain from the configuration, enter:

host1/Admin(config)# no ip domain-name cisco.com
 
   

Related Commands

show running-config
(config) ip domain-list
(config) ip domain-lookup

(config) ip name-server

To configure a DNS name server on the ACE, use the ip name-server command. You can configure a maximum of three DNS name servers. Use the no form of this command to remove a name server from the list.

ip name-server ip_address

no ip name-server ip_address

Syntax Description

ip_address

IP address of a name server. Enter the address in dotted decimal notation (for example, 192.168.12.15). You can enter up to three name server IP addresses in one command line.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the domain name feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To translate a hostname to an IP address, you must configure one or more (maximum of three) existing DNS name servers on the ACE. Ping the IP address of each name server before you configure it to ensure that the server is reachable.
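The ip domain-list, ip domain-lookup, ip domain-name, and ip name-server sections above describe one lookup procedure: lookups are off by default, a list takes precedence over the single default domain, unqualified names get each suffix in turn, and the configured name servers (at most three) are tried in order. The following Python model is an added example, not Cisco code and not a description of the ACE implementation: it encodes those rules and runs them against a constructed in-memory resolver so the trial order is visible. Assumptions: for each candidate name every server is tried before the next suffix is attempted (the reference does not state the nesting order), an unanswered server behaves like any other failure, and FAKE_ZONES and DOWN_SERVERS are invented data.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed name-server contents: {server_ip: {fqdn: ip}}. Not real DNS data.
FAKE_ZONES: Dict[str, Dict[str, str]] = {
    "192.168.12.15": {},                                      # answers nothing
    "192.168.12.16": {"crl.foo.com": "10.1.1.20"},
    "192.168.12.17": {"crl.xyz.com": "10.1.1.30", "ocsp.cisco.com": "10.1.1.40"},
}
DOWN_SERVERS = {"192.168.12.15"}   # pretend this server never replies


class DnsClientConfig:
    """The subset of 'ip domain-*' / 'ip name-server' state that affects a lookup."""
    MAX_NAME_SERVERS = 3
    MAX_DOMAIN_LIST = 3

    def __init__(self) -> None:
        self.lookup_enabled = False              # 'ip domain-lookup' is off by default
        self.domain_name: Optional[str] = None   # 'ip domain-name'
        self.domain_list: List[str] = []         # 'ip domain-list', in entry order
        self.name_servers: List[str] = []        # 'ip name-server', in entry order

    def add_name_server(self, *ips: str) -> None:
        for ip in ips:
            if ip not in self.name_servers:
                if len(self.name_servers) >= self.MAX_NAME_SERVERS:
                    raise ValueError("maximum of three name servers")
                self.name_servers.append(ip)

    def add_domain_list(self, name: str) -> None:
        if name not in self.domain_list:
            if len(self.domain_list) >= self.MAX_DOMAIN_LIST:
                raise ValueError("maximum of three domain names in the list")
            self.domain_list.append(name)

    def candidates(self, hostname: str) -> List[str]:
        """FQDNs the client tries, in order. A name containing a dot is used as is;
        an unqualified name gets each domain-list entry in turn, or the single
        default domain only when no list is configured."""
        if "." in hostname:
            return [hostname]
        if self.domain_list:                     # list wins over default domain
            return [f"{hostname}.{d}" for d in self.domain_list]
        if self.domain_name:
            return [f"{hostname}.{self.domain_name}"]
        return [hostname]


Query = Callable[[str, str], Optional[str]]      # (server_ip, fqdn) -> ip or None


def fake_query(server_ip: str, fqdn: str) -> Optional[str]:
    """Stand-in for a UDP/53 query; a down server looks like a timeout (None)."""
    if server_ip in DOWN_SERVERS:
        return None
    return FAKE_ZONES.get(server_ip, {}).get(fqdn)


def resolve(cfg: DnsClientConfig, hostname: str,
            query: Query = fake_query) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Return (resolved_ip or None, trace of (server, fqdn) attempts in order)."""
    trace: List[Tuple[str, str]] = []
    if not cfg.lookup_enabled or not cfg.name_servers:
        return None, trace                       # request discarded, as the guide warns
    for fqdn in cfg.candidates(hostname):
        for server in cfg.name_servers:          # servers tried in configured order
            trace.append((server, fqdn))
            ip = query(server, fqdn)
            if ip:
                return ip, trace
    return None, trace
```

The trace shows why an unreachable first name server is expensive: every candidate name pays one failed query to it before the next server is consulted, so a CRL host that only resolves under the third suffix waits through several timeouts.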

Examples

For example, to configure three name servers for the DNS client feature, enter:

host1/Admin(config)# ip name-server 192.168.12.15 192.168.12.16 192.168.12.17
 
   

To remove a name server from the list, enter:

host1/Admin(config)# no ip name-server 192.168.12.15
 
   

Related Commands

show running-config
(config) ip domain-lookup

(config) ip route

To configure a default or static IP route, use the ip route command. Use the no form of this command to remove a default or static IP route from the configuration.

ip route ipv6_dest_address/prefix_length {global_nexthop_address | {bvi number | vlan number} link_local_address}

ip route ipv4_dest_address netmask gateway_ip_address

no ip route ipv6_dest_address/prefix_length {global_nexthop_address | {bvi number | vlan number} link_local_address}

no ip route ipv4_dest_address netmask gateway_ip_address

Syntax Description

ipv6_dest_address

IPv6 destination address for the route. The address that you specify for the static route is the destination address as it appears in the packet before the ACE applies any network address translation.

/prefix_length

Specifies how many of the most significant bits (MSBs) of the IPv6 address are used for the network identifier. Enter a forward slash character (/) followed by an integer from 1 to 128. The default is /128.

global_nexthop_address

IP address of the gateway router (the next-hop address for this route). The gateway address must be in the same network as specified in the ip address command for a VLAN interface. For information on configuring the address, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

bvi number

Specifies the bridge-group virtual interface (BVI) through which the ACE reaches the next hop when the next hop is given as a link-local address.

link_local_address

Link-local address of the next-hop router. A link-local address is meaningful only on one link, so it must be paired with the bvi or vlan interface that shares that link.

vlan number

Specifies the VLAN interface through which the ACE reaches the next hop when the next hop is given as a link-local address.

ipv4_dest_address

IPv4 destination address for the route. The address that you specify for the static route is the destination address as it appears in the packet before the ACE applies any network address translation.

netmask

Subnet mask for the route.

gateway_ip_address

IP address of the gateway router (the next-hop address for this route). The gateway address must be in the same network as specified in the ip address command for a VLAN interface.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

A5(1.0)

Added IPv6 support.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A5(1.0)

Added IPv6 support.


Usage Guidelines

This command requires the routing feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The default route identifies the router IP address to which the ACE sends all IP packets for which it does not have a route.

Admin and user contexts do not support dynamic routing. You must use static routes for any networks to which the ACE is not directly connected; for example, use a static route when there is a router between a network and the ACE.

The ACE supports up to eight equal cost routes on the same interface for load balancing.

Routes that identify a specific destination address take precedence over the default route.

See the Routing and Bridging Guide, Cisco ACE Application Control Engine for more information about configuring default or static routes.
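The guidelines above give the three rules that decide where a packet leaves the ACE: the most specific matching static route wins, the default route is used only when nothing else matches, and a prefix may carry up to eight equal-cost next hops. The following Python model is an added example, not Cisco code and not the ACE forwarding implementation: it parses constructed ip route lines in both the IPv4 and the IPv6 form, performs a longest-prefix lookup, enforces the equal-cost limit, and exposes the "route back to the client" check from the interface command's guidelines, which is the question to ask when a VIP accepts connections but never answers. Assumptions: the equal-cost limit is applied per prefix here rather than per interface, and SAMPLE_ROUTES is invented.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
MAX_ECMP = 8   # reference: up to eight equal-cost routes for load balancing

# Constructed 'ip route' lines (not from a real ACE): IPv4 default route,
# an ECMP pair for 10.20.0.0/16, a more specific /24, and two IPv6 routes.
SAMPLE_ROUTES = """\
ip route 0.0.0.0 0.0.0.0 192.168.4.8
ip route 10.20.0.0 255.255.0.0 192.168.4.9
ip route 10.20.0.0 255.255.0.0 192.168.4.10
ip route 10.20.30.0 255.255.255.0 192.168.4.11
ip route ::/0 2001:DB8:1::10
ip route 2001:DB8:1::/64 2001:DB8:1::10
"""


class StaticRoutes:
    def __init__(self) -> None:
        # prefix -> list of next hops (equal cost)
        self.table: Dict[Network, List[str]] = defaultdict(list)

    def add(self, line: str) -> None:
        """Parse one 'ip route' line in either the IPv4 (address mask gateway)
        or the IPv6 (prefix/len next-hop) form and install it."""
        line = line.strip()
        m4 = re.match(r"^ip route (\S+) (\S+) (\S+)$", line)
        m6 = re.match(r"^ip route (\S+/\d+) (\S+)$", line)
        if m4:
            net = ipaddress.ip_network(f"{m4.group(1)}/{m4.group(2)}", strict=False)
            hop = m4.group(3)
        elif m6:
            net = ipaddress.ip_network(m6.group(1), strict=False)
            hop = m6.group(2)
        else:
            raise ValueError(f"not an ip route line: {line!r}")
        hops = self.table[net]
        if hop not in hops:
            if len(hops) >= MAX_ECMP:
                raise ValueError(f"{net}: more than {MAX_ECMP} equal-cost next hops")
            hops.append(hop)

    def lookup(self, dest: str) -> Optional[Tuple[Network, List[str]]]:
        """Longest-prefix match; 0.0.0.0/0 or ::/0 has length 0 and so matches last."""
        addr = ipaddress.ip_address(dest)
        best: Optional[Tuple[Network, List[str]]] = None
        for net, hops in self.table.items():
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, hops)
        return best

    def has_return_path(self, client: str) -> bool:
        """The check behind 'the ACE requires a route back to the client':
        with no matching route (and no default), the ACE drops the request."""
        return self.lookup(client) is not None

    def load(self, text: str) -> "StaticRoutes":
        for line in text.splitlines():
            if line.strip():
                self.add(line)
        return self
```

Feeding the ip route lines of each context through `has_return_path()` for a sample of real client addresses is a quick way to find the missing-return-route case, which otherwise shows up only as silently dropped connections.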

Examples

IPv6 Examples

To configure a static route to send all traffic destined to 2001:DB8:1::1/64 to the next-hop router at 2001:DB8:1::10, enter the following command:

host1/Admin(config)# ip route 2001:DB8:1::1/64 2001:DB8:1::10
 
   

To configure a default route, set the IPv6 address for the route to ::/0, the IPv6 equivalent of "any." For example, if the ACE receives traffic that does not have a route and you want the ACE to send the traffic out the interface to the router at 2001:DB8:1::10/64, enter:

host1/Admin(config)# ip route ::/0 2001:DB8:1::10
 
   

To remove a default or static route, use the no form of the command as follows:

host1/Admin(config)# no ip route 2001:DB8:1::1/64 2001:DB8:1::10
 
   

IPv4 Examples

To configure a default route, set the IP address and the subnet mask for the route to 0.0.0.0. For example, if the ACE receives traffic for which it does not have a route, it sends the traffic out the interface to the router at 192.168.4.8. Enter:

host1/Admin(config)# ip route 0.0.0.0 0.0.0.0 192.168.4.8

Related Commands

(config-if) ip address

(config) ipv6 nd interval

To configure the refresh interval for existing neighbor discovery (ND) entries of configured hosts, use the ipv6 nd interval command in configuration mode. Use the no form of this command to reset the ND refresh interval to the default value of 300 seconds.

ipv6 nd interval number

no ipv6 nd interval number

Syntax Description

interval

Indicates the frequency of the neighbor solicitation (NS) messages that are sent by the ACE.

number

Specifies the time interval in seconds between NS messages for configured hosts. Enter an integer from 15 to 31536000. The default is 300 seconds (5 minutes).


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module/Appliance Release
Modification

A5(1.0)

This command was introduced.


Usage Guidelines

You configure this command for each context.

Examples

To configure an NS message interval of 600 seconds (10 minutes), enter the following command:

host1/Admin(config)# ipv6 nd interval 600
 
   

To reset the NS message interval to the default of 300 seconds, enter the following command:

host1/Admin(config)# no ipv6 nd interval 600
 
   

Related Commands

(config-if) ipv6 nd ns-interval

(config) ipv6 nd learned-interval

To configure the refresh interval for ND entries of learned hosts, use the ipv6 nd learned-interval command. Use the no form of this command to reset the ND refresh interval of learned hosts to the default value of 300 seconds.

ipv6 nd learned-interval number

no ipv6 nd learned-interval number

Syntax Description

learned-interval

Indicates the refresh interval for ND entries of learned hosts.

number

Specifies the time interval in seconds between NS messages for learned neighbor entries. Enter an integer from 60 to 31536000. The default is 300 seconds (5 minutes).


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module/Appliance Release
Modification

A5(1.0)

This command was introduced.


Usage Guidelines

You configure this command for each context.

Examples

To configure a learned neighbor interval of 600 seconds (10 minutes), enter the following command:

host1/Admin(config)# ipv6 nd learned-interval 600
 
   

To reset the learned neighbor interval to the default of 300 seconds, enter the following command:

host1/Admin(config)# no ipv6 nd learned-interval 600
 
   

Related Commands

(config-if) ipv6 nd ns-interval

(config) ipv6 nd retries

To configure the number of NS attempts before the ACE considers a host as down, use the ipv6 nd retries command. Use the no form of this command to reset the number of retries to the default value of 3.

ipv6 nd retries number

no ipv6 nd retries number

Syntax Description

number

Specifies the number of times that the ACE resends the NS messages before considering a host as down. Enter an integer from 1 to 15. The default is 3.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module/Appliance Release
Modification

A5(1.0)

This command was introduced.


Usage Guidelines

You configure this command for each context.

Examples

To configure the ACE to resend NS messages five times before marking the host as down, enter the following command:

host1/Admin(config)# ipv6 nd retries 5
 
   

To reset the number of retries to the default value of 3, enter the following command:

host1/Admin(config)# no ipv6 nd retries 5
 
   

Related Commands

(config-if) ipv6 nd ns-interval
(config) ipv6 nd interval

(config) ipv6 nd sync disable

To disable the replication of ND entries from the active to the standby in a redundant configuration, use the ipv6 nd sync disable command. Use the no form of this command to reset the ACE behavior to the default of replicating ND entries to the standby in a redundant configuration.

ipv6 nd sync disable

no ipv6 nd sync disable

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module/Appliance Release
Modification

A5(1.0)

This command was introduced.


Usage Guidelines

You configure this command for each context.

Examples

To disable ND entry replication for the current context, enter the following command:

host1/Admin(config)# ipv6 nd sync disable
 
   

To reenable the replication of ND entries, enter the following command:

host1/Admin(config)# no ipv6 nd sync disable
 
   

Related Commands

(config-if) ipv6 nd ns-interval

(config) ipv6 nd sync-interval

To configure the time interval between neighbor discovery (ND) synchronization messages for learned hosts, use the ipv6 nd sync-interval command. Use the no form of this command to reset the interval to the default value of 5 seconds.

ipv6 nd sync-interval number

no ipv6 nd sync-interval number

Syntax Description

number

Specifies the time interval between ND synchronization messages. Enter an integer from 1 to 3600 seconds (1 hour). The default is 5 seconds.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module/Appliance Release
Modification

A5(1.0)

This command was introduced.


Usage Guidelines

You configure this command for each context.

Examples

To set the interval between ND synchronization messages for learned hosts to 100 seconds, enter:

host1/Admin(config)# ipv6 nd sync-interval 100
 
   

To restore the default value of 5 seconds, enter the following command:

host1/Admin(config)# no ipv6 nd sync-interval
 
   

Related Commands

(config-if) ipv6 nd ns-interval

(config) kalap udp

To configure secure KAL-AP on the ACE, use the kalap udp command to access KAL-AP UDP configuration mode. The CLI prompt changes to (config-kalap-udp). Use the no form of this command to return to configuration mode (or use the exit command).

kalap udp

no kalap udp

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The ACE supports secure KAL-AP, which uses MD5 hashing keyed with a shared secret to authenticate the KAL-AP exchange between the ACE and the Global Site Selector (GSS). Because MD5 is a hash function, this protects the integrity and origin of the load reports rather than hiding their contents, and both ends must hold the same secret: you must configure the shared secret on the GSS and on the ACE context. For information about the commands in KAL-AP UDP configuration mode, see the "KAL-AP UDP Configuration Mode Commands" section.

Examples

To enter KAL-AP UDP configuration mode, enter:

host1/Admin(config)# kalap udp
host1/Admin(config-kalap-udp)#

Related Commands

show kalap udp load

show running-config
(config-kalap-udp) ip address

(config) ldap-server host

To specify the Lightweight Directory Access Protocol (LDAP) server IP address, the destination port, and other options, use the ldap-server host command. You can enter multiple ldap-server host commands to configure multiple LDAP servers. Use the no form of this command to revert to a default LDAP server authentication setting.

ldap-server host ip_address [port port_number] [timeout seconds] [rootDN "DN_string" [password bind_password]]

no ldap-server host ip_address [port port_number] [timeout seconds] [rootDN "DN_string" [password bind_password]]

Syntax Description

ip_address

IP address for the LDAP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).

port port_number

(Optional) Specifies the TCP destination port for communicating authentication requests to the LDAP directory server. The port_number argument is the TCP port number. Enter an integer from 1 to 65535. The default is 389.

timeout seconds

(Optional) Specifies the time in seconds to wait for a response from the LDAP server before the ACE can declare a timeout failure with the LDAP server. Use this option to change the time interval that the ACE waits for the LDAP server to reply to an authentication request. Enter an integer from 1 to 60. The default is 5 seconds.

rootDN "DN_string"

(Optional) Defines the distinguished name (DN) for a user who is unrestricted by access controls or administrative limit parameters to perform operations on the LDAP server directory. The rootDN user can be thought of as the root user for the LDAP server database. Enter a quoted string with a maximum of 63 alphanumeric characters. The default is an empty string.

password bind_password

(Optional) Defines the bind password (rootpw) applied to the rootDN of the LDAP server directory. Enter an unquoted string with a maximum of 63 alphanumeric characters. The default is an empty string.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

By default, the LDAP server port is 389. If your LDAP server uses a port other than 389, use the port keyword to configure an appropriate port before starting the LDAP service. The ldap-server port command overrides the global setting for the specified server.

By default, the ACE waits 5 seconds for the LDAP server to reply to an authentication request before the ACE declares a timeout failure and attempts to contact the next server in the group. The ldap-server timeout command overrides the global setting for the specified server. Because the servers in a group are tried one after another, the longest an authentication attempt can take is the sum of the effective timeouts of every server in the group; a 60-second timeout on each of three unreachable servers leaves an administrator waiting three minutes for a failed login.

The rootDN credentials are the account with which the ACE binds to the directory, and they are kept in the context configuration. Where the directory permits it, bind with an account limited to reading the user entries that the ACE needs rather than with the directory's administrator account.

Examples

To configure LDAP server authentication parameters, enter:

host1/Admin(config)# ldap-server host 192.168.2.3 port 2003
host1/Admin(config)# ldap-server host 192.168.2.3 timeout 60
host1/Admin(config)# ldap-server host 192.168.2.3 rootDN "cn=manager,dc=cisco,dc=com" password lab
 
   

To remove the LDAP server authentication setting, enter:

host1/Admin(config)# no ldap-server host 192.168.2.3 timeout 60

Related Commands

show aaa

(config) aaa group server

(config) ldap-server port

(config) ldap-server timeout

(config) ldap-server port

To globally configure a TCP port (if your LDAP server uses a port other than the default port 389) before you start the LDAP service, use the ldap-server port command. This global port setting will be applied to those LDAP servers for which a TCP port value is not individually configured by the ldap-server host command. Use the no form of this command to revert to the default of TCP port 389.

ldap-server port port_number

no ldap-server port port_number

Syntax Description

port_number

Destination port to the LDAP server. Enter an integer from 1 to 65535. The default is TCP port 389.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To override the global TCP port setting (specified by the ldap-server port command) for a specific server, use the ldap-server host port command.

Examples

To globally configure the TCP port, enter:

host1/Admin(config)# ldap-server port 2003 
 
   

To revert to the default of TCP port 389, enter:

host1/Admin(config)# no ldap-server port 2003

Related Commands

show aaa

(config) aaa group server

(config) ldap-server host

(config) ldap-server timeout

(config) ldap-server timeout

To globally change the time interval that the ACE waits for the LDAP server to reply to an authentication request before it declares a timeout failure, use the ldap-server timeout command. By default, the ACE waits 5 seconds to receive a response from an LDAP server before it declares a timeout failure and attempts to contact the next server in the group. The ACE applies this global timeout value to those LDAP servers for which a timeout value is not individually configured by the ldap-server host command. Use the no form of this command to revert to the default of 5 seconds between transmission attempts.

ldap-server timeout seconds

no ldap-server timeout seconds

Syntax Description

seconds

Timeout value in seconds. Enter an integer from 1 to 60. The default is 5 seconds.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To override the global timeout setting (specified by the ldap-server timeout command) for a specific server, use the ldap-server host timeout command.
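The ldap-server host, ldap-server port, and ldap-server timeout sections together define a three-level override: a value given on the ldap-server host line, otherwise the global ldap-server port or ldap-server timeout value, otherwise the built-in defaults of 389 and 5 seconds. The following Python script is an added example, not Cisco code: it parses constructed ldap-server lines, reports the port and timeout that each server will actually get, enforces the documented ranges, and sums the timeouts to give the worst-case time an authentication request can hang while the ACE fails over through a group. It assumes that options for one host may be split across several ldap-server host lines, as in the reference's own example, and that the group tries its servers in the listed order; SAMPLE is invented.

```python
import re
from typing import Dict, List, Optional, Tuple

DEFAULT_PORT, DEFAULT_TIMEOUT = 389, 5      # built-in defaults from the reference

# Constructed configuration lines (not from a real ACE). Global values are set;
# .3 overrides both, .4 overrides only the timeout, .5 overrides nothing.
SAMPLE = """\
ldap-server port 2003
ldap-server timeout 30
ldap-server host 192.168.2.3 port 4003
ldap-server host 192.168.2.3 timeout 60
ldap-server host 192.168.2.4 timeout 10
ldap-server host 192.168.2.5
"""


def _check(name: str, value: int, lo: int, hi: int) -> int:
    """Reject values outside the documented range (port 1..65535, timeout 1..60)."""
    if not lo <= value <= hi:
        raise ValueError(f"{name} {value} outside {lo}..{hi}")
    return value


class LdapServers:
    def __init__(self) -> None:
        self.global_port: Optional[int] = None       # 'ldap-server port'
        self.global_timeout: Optional[int] = None    # 'ldap-server timeout'
        self.hosts: Dict[str, Dict[str, int]] = {}   # ip -> per-host overrides

    def parse(self, text: str) -> "LdapServers":
        for raw in text.splitlines():
            line = raw.strip()
            m = re.match(r"^ldap-server port (\d+)$", line)
            if m:
                self.global_port = _check("port", int(m.group(1)), 1, 65535)
                continue
            m = re.match(r"^ldap-server timeout (\d+)$", line)
            if m:
                self.global_timeout = _check("timeout", int(m.group(1)), 1, 60)
                continue
            m = re.match(r"^ldap-server host (\S+)(.*)$", line)
            if m:
                opts = self.hosts.setdefault(m.group(1), {})
                p = re.search(r"\bport (\d+)", m.group(2))
                if p:
                    opts["port"] = _check("port", int(p.group(1)), 1, 65535)
                t = re.search(r"\btimeout (\d+)", m.group(2))
                if t:
                    opts["timeout"] = _check("timeout", int(t.group(1)), 1, 60)
        return self

    def effective(self, ip: str) -> Tuple[int, int]:
        """(port, timeout) the ACE uses for this server: per-host value,
        else the global value, else the built-in default."""
        opts = self.hosts[ip]
        port = opts.get("port",
                        self.global_port if self.global_port is not None else DEFAULT_PORT)
        timeout = opts.get("timeout",
                           self.global_timeout if self.global_timeout is not None else DEFAULT_TIMEOUT)
        return port, timeout

    def worst_case_seconds(self, group: List[str]) -> int:
        """Longest an authentication request can hang before the ACE has timed
        out on every server in the group, tried in the listed order."""
        return sum(self.effective(ip)[1] for ip in group)
```

Keep the result of `worst_case_seconds()` for each aaa group server in mind when raising per-server timeouts: the number is the delay an administrator sees when the directory is down, and it grows with every server added to the group.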

Examples

To globally configure the timeout value to 30 seconds, enter:

host1/Admin(config)# ldap-server timeout 30 
 
   

To revert to the default of 5 seconds between transmission attempts, enter:

host1/Admin(config)# no ldap-server timeout 30

Related Commands

show aaa

(config) aaa group server

(config) ldap-server host

(config) ldap-server port

(config) line console

(ACE module only) To configure the console interface settings, use the line console configuration mode command. When you enter this command, the prompt changes to (config-console) and you enter console configuration mode. Use the no form of this command to reset the console configuration mode parameters to their default settings.

line console

no line console

Syntax Description

There are no keywords or arguments for this command.

Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The console port is an asynchronous serial port on the Catalyst 6500 series switch that enables the ACE to be set up for initial configuration through a standard RS-232 port with an RJ-45 connector. Any device connected to this port must be capable of asynchronous transmission. Connection to a terminal requires a terminal emulator to be configured as 9600 baud, 8 data bits, 1 stop bit, no parity.

For information about the commands in console configuration mode, see the "Console Configuration Mode Commands" section.

Examples

To enter console configuration mode, enter:

host1/Admin(config)# line console
host1/Admin(config-console)#

Related Commands

clear line

show line

(config) line vty

To configure the virtual terminal line settings, use the line vty configuration mode command. When you enter this command, the prompt changes to (config-line) and you enter line configuration mode. Use the no form of this command to reset the line configuration mode parameter to its default setting.

line vty

no line vty

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

For information about the commands in line configuration mode, see the "Line Configuration Mode Commands" section.

Examples

To enter the line configuration mode, enter:

host1/Admin(config)# line vty
host1/Admin(config-line)# 

Related Commands

clear line

show line

(config) login timeout

To modify the length of time that a user can be idle before the ACE terminates the console, Telnet, or Secure Shell (SSH) session, use the login timeout command. By default, the inactivity timeout value is 5 minutes. Use the no form of this command to restore the default timeout value of 5 minutes.

login timeout minutes

no login timeout

Syntax Description

minutes

Length of time in minutes. Enter a value from 0 to 60 minutes. A value of 0 instructs the ACE never to time out. The default is 5 minutes.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To specify a timeout period of 10 minutes, enter:

host1/Admin(config)# login timeout 10

To restore the default timeout value of 5 minutes, enter:

host1/Admin(config)# no login timeout

Related Commands

telnet

(config-cmap-mgmt) match protocol

(config) logging buffered

To enable system logging to a local buffer and to limit the messages sent to the buffer based on severity, use the logging buffered command. By default, logging to the local buffer on the ACE is disabled. New messages are appended to the end of the buffer. The first message displayed is the oldest message in the buffer. When the log buffer fills, the ACE deletes the oldest message to make space for new messages. Use the no form of this command to disable message logging.

logging buffered severity_level

no logging buffered

Syntax Description

severity_level

Maximum level for system log messages sent to the buffer. The severity level that you specify indicates that you want syslog messages at that level and below.

Allowable entries are as follows:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To set the logging buffer level to 3 for logging error messages, enter:

host1/Admin(config)# logging buffered 3

To disable message logging, enter:

host1/Admin(config)# no logging buffered

Related Commands

(config) logging enable

(config) logging console

To enable the logging of syslog messages during console sessions and to limit the display of messages based on severity, use the logging console command. By default, the ACE does not display syslog messages during console sessions. Use the no form of this command to disable logging to the console.

logging console severity_level

no logging console

Syntax Description

severity_level

Maximum level for system log messages sent to the console. The severity level that you specify indicates that you want to log messages at that level and below.

Allowable entries are as follows:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Logging to the console can degrade system performance. Use the logging console command only when you are testing and debugging problems, or when there is minimal load on the network. We recommend that you use the lowest severity level possible because logging at a high rate may affect ACE performance. Do not use this command when the network is busy.

Examples

To enable system logging to the console for messages with severity levels of 2, 1, and 0, enter:

host1/Admin(config)# logging console 2

Related Commands

(config) logging enable

(config) logging device-id

To specify that the device ID of the ACE is included in the syslog message, use the logging device-id command. If enabled, the ACE displays the device ID in all non-EMBLEM-formatted syslog messages. The device ID specification does not affect the syslog message text that is in the EMBLEM format. Use the no form of this command to disable device ID logging for the ACE in the syslog message.

logging device-id {context-name | hostname | ipaddress interface_name | string text}

no logging device-id

Syntax Description

context-name

Specifies the name of the current context as the device ID to uniquely identify the syslog messages sent from the ACE.

hostname

Specifies the hostname of the ACE as the device ID to uniquely identify the syslog messages sent from the ACE.

ipaddress interface_name

Specifies the IP address of the interface as the device ID to uniquely identify the syslog messages sent from the ACE. You can specify the IP address of a VLAN interface or BVI as the device ID. If you use the ipaddress keyword, syslog messages sent to an external server contain the IP address of the interface specified, regardless of which interface the ACE uses to send the log data to the external server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

string text

Specifies a text string to uniquely identify the syslog messages sent from the ACE. The maximum length is 64 alphanumeric characters without spaces. You cannot use the following characters: & (ampersand), ` (single quotation mark), " (double quotation marks), < (less than), > (greater than), or ? (question mark).


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The device ID part of the syslog message is viewed through the syslog server only and not directly on the ACE. The device ID does not appear in EMBLEM-formatted messages, Simple Network Management Protocol (SNMP) traps, or on the ACE console, management session, or buffer.

Examples

To instruct the ACE to use the hostname of the ACE to uniquely identify the syslog messages, enter:

host1/Admin(config)# logging device-id hostname

To disable the use of the hostname of the ACE, enter:

host1/Admin(config)# no logging device-id

Related Commands

(config) logging enable

(config) logging enable

To enable message logging, use the logging enable command. Message logging is disabled by default. You must enable logging if you want to send messages to one or more output locations. Use the no form of this command to stop message logging to all output locations.

logging enable

no logging enable

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Message logging is disabled by default. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. You must set a logging output location to view any logs.

Examples

To enable message logging to all output locations, enter:

host1/Admin(config)# logging enable

To stop message logging to all output locations, enter:

host1/Admin(config)# no logging enable

Related Commands

This command has no related commands.

(config) logging facility

To change the logging facility to a value other than the default of 20 (LOCAL4), use the logging facility command. Most UNIX systems expect the messages to use facility 20. The ACE allows you to change the syslog facility type to identify the behavior of the syslog daemon (syslogd) on the host. Use the no form of this command to set the syslog facility to its default of 20.

logging facility number

no logging facility number

Syntax Description

number

Syslog facility. Enter an integer from 16 (LOCAL0) to 23 (LOCAL7). The default is 20 (LOCAL4).


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The syslog daemon uses the specified syslog facility to determine how to process messages. Each logging facility configures how the syslog daemon on the host handles a message. Syslog servers file messages based on the facility number in the message. For more information on the syslog daemon and facility levels, see your syslog daemon documentation.

Examples

To set the syslog facility as 16 (LOCAL0) in syslog messages, enter:

host1/Admin(config)# logging facility 16

To change the syslog facility back to the default of LOCAL4, enter:

host1/Admin(config)# no logging facility 16

Related Commands

(config) logging enable

(config) logging fastpath

To enable the logging of connection setup and teardown messages through the fastpath, use the logging fastpath command. By default, the ACE logs connection setup and teardown syslog messages through the control plane. Use the no form of this command to disable the logging of connection setup and teardown syslog messages.

logging fastpath

no logging fastpath

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Because of the large number of syslog messages that are generated by connection setup and teardown, you can instruct the ACE to send these syslogs through the fast path instead of the control plane. The fast path supports a much higher rate of syslogs than the control plane does. When you instruct the ACE to send these syslogs through the fast path, the message formatting changes (different message spacing) and the syslog IDs change from 106023, 302022, 302023, 302024, and 302025 to 106028, 302028, 302029, 302030, and 302031, respectively.

Examples

To configure the ACE to log connection setup and teardown syslog messages, enter:

host1/Admin(config)# logging fastpath

To disable the ACE from logging connection setup and teardown syslog messages, enter:

host1/Admin(config)# no logging fastpath

Related Commands

(config) logging enable

(config) logging history

To set the Simple Network Management Protocol (SNMP) message severity level when sending log messages to a network management system (NMS), use the logging history command. Use the no form of this command to disable logging of informational system messages to an NMS.

logging history severity_level

no logging history

Syntax Description

severity_level

Maximum level system log messages sent as traps to the NMS. The severity level that you specify indicates that you want to log messages at that level and below.

Allowable entries are as follows:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To enable or disable all SNMP syslog message logging, use the logging history command without the severity_level argument.

We recommend that you use the debugging (7) level during initial setup and during testing. After setup, set the level from debugging (7) to a lower value for use in your network.

Examples

To send informational system message logs to an SNMP NMS, enter:

host1/Admin(config)# logging history 6

To disable logging to an SNMP NMS, enter:

host1/Admin(config)# no logging history

Related Commands

(config) logging enable

(config) logging host

To specify a host (the syslog server) that receives the syslog messages sent by the ACE, use the logging host command. You can use multiple logging host commands to specify additional servers to receive the syslog messages. Use the no form of this command to disable logging to a syslog server. By default, logging to a syslog server on a host is disabled on the ACE.

logging host ip_address [tcp | udp [/port#] | [default-udp] | [format emblem]]

no logging host ip_address

Syntax Description

ip_address

IP address of the host to be used as the syslog server.

tcp

(Optional) Specifies to use TCP to send messages to the syslog server. A server can only be specified to receive either UDP or TCP, not both.

udp

(Optional) Specifies to use UDP to send messages to the syslog server. A server can only be specified to receive either UDP or TCP, not both.

/port#

(Optional) Port that the syslog server listens to for syslog messages. Enter an integer from 1025 to 65535. The default protocol and port are UDP/514. The default TCP port, if specified, is 1470.

default-udp

(Optional) Instructs the ACE to default to UDP if the TCP transport fails to communicate with the syslog server.

format emblem

(Optional) Enables EMBLEM-format logging for each syslog server. The Cisco Resource Management Environment (RME) is a network management application that collects syslogs. RME can process syslog messages only if they are in EMBLEM format.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

If you choose to send log messages to a host, the ACE sends those messages using either UDP or TCP. The host must run a program (known as a server) called syslogd, a daemon that accepts messages from other applications and the network and writes them out to system-wide log files. UNIX provides the syslog server as part of its operating system. If you are running Microsoft Windows, you must obtain a syslog server for the Windows operating system.

If you use TCP as the logging transport protocol, the ACE denies new network access sessions if the ACE is unable to reach the syslog server, if the syslog server is misconfigured, if the TCP queue is full, or if the disk is full.

The format emblem keywords allow you to enable EMBLEM-format logging for each syslog server. EMBLEM-format logging is available for either TCP or UDP syslog messages. If you enable EMBLEM-format logging for a particular syslog host, the messages sent to that host use the EMBLEM format. If you also enable the logging timestamp command, the messages are sent to the syslog server with a time stamp.

For example, the EMBLEM format for a message with a time stamp appears as follows:

ipaddress or dns name [Dummy Value/Counter]: [mmm dd hh:mm:ss TimeZone]: 
%FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: [vtl-ctx: context id] Message-text 
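The EMBLEM layout above, together with the severity semantics used throughout these logging commands (a destination set to level N receives messages at N and below), the logging facility numbers (16 to 23 mapping to LOCAL0 to LOCAL7) and the syslog ID change made by logging fastpath, as an added Python example that is not part of Cisco's documentation or software. The sample lines and their message text are constructed, the bare %ACE- prefix is assumed where the reference writes %<ACE>- as a placeholder, and treating the device-id and time-stamp fields as optional is an assumption.

```python
"""Parse ACE EMBLEM-format syslog lines and apply the severity, facility and
fastpath-ID conventions from this command reference (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity names exactly as the reference lists them; 0 is the most severe.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# logging fastpath changes the IDs of connection setup/teardown syslogs;
# map them back so correlation rules keyed on the control-plane IDs still match.
FASTPATH_TO_CONTROL_PLANE = {
    106028: 106023, 302028: 302022, 302029: 302023,
    302030: 302024, 302031: 302025,
}

# EMBLEM layout from the reference:
#   <device id> [<counter>]: [<mmm dd hh:mm:ss TZ>]: %FAC-[SUB-]SEV-MNEMONIC: [vtl-ctx: <id>] text
# Assumption: the device-id prefix and the time stamp are absent when
# logging device-id / logging timestamp are not configured, so both are optional.
EMBLEM_RE = re.compile(
    r"^(?:(?P<device>[^\s\[]+)\s*\[(?P<counter>[^\]]*)\]:\s*)?"
    r"(?:\[(?P<timestamp>[^\]]*)\]:\s*)?"
    r"%(?P<facility>[A-Z0-9]+)-(?:(?P<subfacility>[A-Z0-9]+)-)?"
    r"(?P<severity>[0-7])-(?P<mnemonic>\d+):\s*"
    r"(?:\[vtl-ctx:\s*(?P<ctx>\d+)\]\s*)?"
    r"(?P<text>.*)$"
)

# Constructed sample input (message texts are invented, not real ACE output).
SAMPLE_LINES = [
    "host1 [1]: [Jan 14 10:02:31 UTC]: %ACE-6-615004: [vtl-ctx: 1] VLAN 100 available for configuring an interface",
    "host1 [2]: [Jan 14 10:02:32 UTC]: %ACE-6-302028: [vtl-ctx: 1] fastpath-formatted TCP connection built",
    "host1 [3]: [Jan 14 10:02:33 UTC]: %ACE-4-411001: [vtl-ctx: 1] constructed warning text",
    "this line is not a syslog message",
]


@dataclass
class AceSyslog:
    device: Optional[str]
    timestamp: Optional[str]
    facility: str
    severity: int
    syslog_id: int
    context: Optional[int]
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def control_plane_id(self) -> int:
        """ID the same event carries when logged through the control plane."""
        return FASTPATH_TO_CONTROL_PLANE.get(self.syslog_id, self.syslog_id)


def parse_emblem(line: str) -> Optional[AceSyslog]:
    """Return the parsed message, or None for a line that is not EMBLEM-formatted."""
    m = EMBLEM_RE.match(line.strip())
    if not m:
        return None
    return AceSyslog(
        device=m.group("device"), timestamp=m.group("timestamp"),
        facility=m.group("facility"), severity=int(m.group("severity")),
        syslog_id=int(m.group("mnemonic")),
        context=int(m.group("ctx")) if m.group("ctx") else None,
        text=m.group("text"),
    )


def passes_level(msg_severity: int, configured_level: int) -> bool:
    """'logging <destination> N' forwards messages at level N and below,
    i.e. numerically <= N (at least as severe as N)."""
    if not 0 <= configured_level <= 7:
        raise ValueError("severity level must be 0-7")
    return msg_severity <= configured_level


def facility_name(number: int) -> str:
    """Map the 'logging facility' number (16-23) to its LOCALn name; 20 -> LOCAL4."""
    if not 16 <= number <= 23:
        raise ValueError("logging facility accepts 16 (LOCAL0) to 23 (LOCAL7)")
    return f"LOCAL{number - 16}"


def syslog_priority(facility_number: int, severity: int) -> int:
    """PRI value a syslog collector computes from the message: facility * 8 + severity."""
    facility_name(facility_number)  # range check
    return facility_number * 8 + severity


def filter_lines(lines: List[str], configured_level: int) -> List[AceSyslog]:
    """Parse every line and keep the events a destination configured at
    configured_level would receive; lines that do not parse are skipped."""
    kept = []
    for line in lines:
        msg = parse_emblem(line)
        if msg is not None and passes_level(msg.severity, configured_level):
            kept.append(msg)
    return kept
```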

Examples

To send log messages to a syslog server, enter:

host1/Admin(config)# logging host 192.168.10.1 tcp/1025 format emblem default-udp

To disable logging to a syslog server, enter:

host1/Admin(config)# no logging host 192.168.10.1

Related Commands

(config) logging enable

(config) logging timestamp

(config) logging message

To control the display of a specific system logging message or to change the severity level associated with the specified system logging message, use the logging message command. Use the no form of this command to disable logging of the specified syslog message.

logging message syslog_id [level severity_level]

no logging message syslog_id

Syntax Description

syslog_id

Specific message that you want to disable or to enable.

level severity_level

(Optional) Changes the severity level associated with a specific system log message. For example, the %<ACE>-4-411001 message listed in the syslog has the default assigned severity level of 4 (warning message). You can change the assigned default severity level to a different level.

Allowable entries are as follows:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You can use the show logging command to determine the level currently assigned to a message and whether the message is enabled.

For information on syslog messages and their IDs, see the System Message Guide, Cisco ACE Application Control Engine.

Examples

To disable the %<ACE>-6-615004 syslog message (VLAN available for configuring an interface), enter:

host1/Admin(config)# no logging message 615004

To resume logging of the disabled syslog message, enter:

host1/Admin(config)# logging message 615004 level 6

To change the severity level of the 615004 syslog message from the default of 6 (informational) to a severity level of 5 (notification), enter:

host1/Admin(config)# logging message 615004 level 5

To return the severity level of the 615004 syslog message to the default of 6, enter:

host1/Admin(config)# no logging message 615004

Related Commands

(config) logging enable

(config) logging monitor

To display syslog messages as they occur when accessing the ACE through a Secure Shell (SSH) or a Telnet session, use the logging monitor command. You can limit the display of messages based on severity. By default, logging to a remote connection using SSH or Telnet is disabled on the ACE. Use the no form of this command to disable system message logging to the current Telnet or SSH session.

logging monitor severity_level

no logging monitor

Syntax Description

severity_level

Maximum level for system log messages displayed during the current SSH or Telnet session. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.


Note Before you can use this command, you must enable remote access on the ACE and establish a remote connection using the SSH or Telnet protocols from a PC.


To display logs during the SSH or Telnet session, use the terminal monitor Exec mode command. The logging monitor command sets the logging preferences (the severity level) for all SSH and Telnet sessions in the current context, while the terminal monitor command controls, for each individual session, whether syslog messages appear on that terminal during the session.

Examples

To send informational system message logs to the current Telnet or SSH session, enter:

host1/Admin# terminal monitor
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# logging monitor 6

To disable system message logging to the current Telnet or SSH session, enter:

host1/Admin(config)# no logging monitor

Related Commands

(config) logging enable

(config) logging persistent

To send specific log messages to compact flash on the ACE, use the logging persistent command. By default, logging to compact flash is disabled on the ACE. The ACE allows you to specify the system message logs that you want to keep after a system reboot by saving them to compact flash. Use the no form of this command to disable logging to compact flash.

logging persistent severity_level

no logging persistent

Syntax Description

severity_level

Maximum level for system log messages sent to compact flash. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

We recommend that you use a lower severity level, such as severity level 3, because logging at a high rate to flash memory on the ACE might affect performance.

Examples

To send informational system message logs to flash memory on the ACE, enter:

host1/Admin(config)# logging persistent 6

To disable logging to flash memory on the ACE, enter:

host1/Admin(config)# no logging persistent

Related Commands

(config) logging enable

(config) logging queue

To change the number of syslog messages that can appear in the message queue, use the logging queue command. By default, the ACE can hold 80 syslog messages in the message queue while awaiting processing. Use the no form of this command to reset the logging queue size to the default of 100 messages.

logging queue queue_size

no logging queue queue_size

Syntax Description

queue_size

Queue size for storing syslog messages. Enter an integer from 1 to 8192. The default is 80 messages.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Set the queue size before the ACE begins processing syslog messages. When traffic is heavy and the queue fills, messages might be discarded.

Examples

To set the size of the syslog message queue to 1000, enter:

host1/Admin(config)# logging queue 1000

To reset the logging queue size to the default of 80 messages, enter:

host1/Admin(config)# no logging queue 0

Related Commands

(config) logging enable

(config) logging rate-limit

To limit the rate at which the ACE generates messages in the syslog, use the logging rate-limit command. You can limit the number of syslog messages generated by the ACE for specific messages. Use the no form of this command to disable rate limiting for message logging in the syslog.

logging rate-limit {num {interval | level severity_level | message syslog_id} | unlimited {level severity_level | message syslog_id}}

no logging rate-limit {num {interval | level severity_level | message syslog_id} | unlimited {level severity_level | message syslog_id}}

Syntax Description

num

Number at which the syslog is to be rate limited.

interval

Time interval in seconds over which the system message logs should be limited. The default time interval is 1 second.

level severity_level

Specifies the syslog level that you want to rate limit. Allowable entries are as follows:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)

message syslog_id

Identifies the ID of the specific message you want to suppress reporting.

unlimited

Disables rate limiting for messages in the syslog.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Rate limiting is disabled by default. Because it is the default setting, the logging rate-limit unlimited command is not displayed in the ACE running-configuration file.

The severity level you enter indicates that you want all syslog messages at the specified level to be rate-limited. For example, if you specify a severity level of 7, the ACE applies a rate limit only to level 7 (debugging messages). If you want to apply a logging rate limit on a different severity level, you must configure the logging rate-limit level command for that level as well.

If you configure rate limiting for syslogs 302028 through 302031 (connection setup and teardown syslogs that are formatted in the data plane), the ACE always rate-limits these syslogs at level 6. Even if you change the logging level to a different value using the logging message command and the new logging level appears on the syslog server or other destination, the ACE will continue to rate-limit these syslogs at level 6.

For information on syslog messages and their IDs, see the System Message Guide, Cisco ACE Application Control Engine.
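A model of the rate-limiting behaviour described above (num messages per interval seconds, applied per severity level or per message ID, with the 302028 through 302031 syslogs always counted at level 6 regardless of a reassigned severity), as an added Python example rather than Cisco code. The sliding-window accounting, the class and method names, and the traffic fed to demo() are assumptions and constructed input, and the example generalises beyond the page's single CLI example by also modelling the message and unlimited forms.

```python
"""Model of the 'logging rate-limit' behaviour described in this reference:
num messages per interval seconds, applied per severity level or per syslog ID
(added example, not Cisco code; sliding-window accounting is an assumption)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple

# Connection setup/teardown syslogs formatted in the data plane: the reference
# states the ACE always rate-limits these at level 6, even after
# 'logging message <id> level <n>' has reassigned their severity.
FASTPATH_CONN_IDS = frozenset({302028, 302029, 302030, 302031})

RuleKey = Tuple[str, int]  # ("level", severity) or ("message", syslog_id)


@dataclass
class RateLimitRule:
    num: int               # messages allowed ...
    interval: float = 1.0  # ... per this many seconds (default interval is 1 second)


@dataclass
class SyslogRateLimiter:
    rules: Dict[RuleKey, RateLimitRule] = field(default_factory=dict)
    # send times of recently allowed messages, per rule key
    _sent: Dict[RuleKey, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    # logging rate-limit num [interval] level severity_level
    def limit_level(self, num: int, severity: int, interval: float = 1.0) -> None:
        self.rules[("level", severity)] = RateLimitRule(num, interval)

    # logging rate-limit num [interval] message syslog_id
    def limit_message(self, num: int, syslog_id: int, interval: float = 1.0) -> None:
        self.rules[("message", syslog_id)] = RateLimitRule(num, interval)

    # logging rate-limit unlimited level ... / message ...
    def unlimited(self, key: RuleKey) -> None:
        self.rules.pop(key, None)
        self._sent.pop(key, None)

    @staticmethod
    def rate_limit_level(severity: int, syslog_id: int) -> int:
        """Level at which a message is counted for level-based rules."""
        return 6 if syslog_id in FASTPATH_CONN_IDS else severity

    def allow(self, severity: int, syslog_id: int, now: float) -> bool:
        """True if the message may be emitted at time `now` (seconds)."""
        candidates = (("level", self.rate_limit_level(severity, syslog_id)),
                      ("message", syslog_id))
        applicable = [k for k in candidates if k in self.rules]
        # Check every applicable rule before recording the send, so a message
        # rejected by one rule is not charged against another.
        for key in applicable:
            window = self._sent[key]
            limit = self.rules[key]
            while window and now - window[0] >= limit.interval:
                window.popleft()  # drop sends that fell out of the interval
            if len(window) >= limit.num:
                return False
        for key in applicable:
            self._sent[key].append(now)
        return True


def demo() -> Tuple[int, bool, bool]:
    """Constructed traffic under the page's 'logging rate-limit 42 60 level 6'."""
    rl = SyslogRateLimiter()
    rl.limit_level(42, 6, interval=60)
    allowed = sum(rl.allow(6, 615004, float(t)) for t in range(50))  # 42 of 50 pass
    other_level = rl.allow(5, 615004, 50.0)   # level 5 is not covered by the rule
    fastpath = rl.allow(5, 302028, 50.5)      # counted at level 6 despite severity 5
    return allowed, other_level, fastpath
```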

Examples

To limit the syslog rate to a 60-second time interval for informational messages (level 6), enter:

host1/Admin(config)# logging rate-limit 42 60 level 6

To suppress reporting of system message 302022, enter:

host1/Admin(config)# logging rate-limit 42 60 302022

To disable rate limiting, enter:

host1/Admin(config)# no logging rate-limit 42 60 level 6

Related Commands

(config) logging enable

(config) logging standby

To enable logging on the standby ACE in a redundant configuration, use the logging standby command. When enabled, the standby ACE also sends its syslog messages, so the syslog messages remain synchronized should a failover occur; this doubles the message traffic on the syslog server. Use the no form of this command to disable logging on the standby ACE.

logging standby

no logging standby

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

This command is disabled by default.

Examples

To enable logging on the failover standby ACE, enter:

host1/Admin(config)# logging standby

To disable logging on the standby ACE, enter:

host1/Admin(config)# no logging standby

Related Commands

(config) logging enable

(config) logging supervisor

(ACE module only) To set the severity level at which syslog messages are sent to the supervisor engine, use the logging supervisor command. The ACE can forward syslog messages to the supervisor engine on the Catalyst 6500 series switch. Use the no form of this command to disable system message logging to the supervisor engine.

logging supervisor severity_level

no logging supervisor

Syntax Description

severity_level

Maximum level for system log messages. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To send informational system message logs to the supervisor engine on the Catalyst 6500 series switch, enter:

host1/Admin(config)# logging supervisor 6

To disable system message logging to the supervisor engine, enter:

host1/Admin(config)# no logging supervisor 3

Related Commands

(config) logging enable

(config) logging timestamp

To specify that syslog messages should include the date and time that the message was generated, use the logging timestamp command. By default, the ACE does not include the date and time in syslog messages. Use the no form of this command to specify that the ACE not include the date and time when logging syslog messages.

logging timestamp

no logging timestamp

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

This command is disabled by default.

Examples

To enable the time stamp on system logging messages, enter:

host1/Admin(config)# logging timestamp

To disable the time stamp from syslog messages, enter:

host1/Admin(config)# no logging timestamp

Related Commands

(config) logging enable

(config) logging trap

To identify which messages are sent to a syslog server, use the logging trap command. This command limits the logging messages sent to a syslog server based on severity. Use the no form of this command to return the trap level to the default (informational messages, level 6).

logging trap severity_level

no logging trap

Syntax Description

severity_level

Maximum level for system log messages. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To send logging messages to a syslog server, use the logging host command to specify the name or IP address of the host to be used as the syslog server.
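The severity table above is shared by logging trap and logging supervisor, and the inclusive "that level and below" rule is easy to misread because lower numbers are more severe. The following Python model is an added illustration, not Cisco code: it parses constructed syslog lines (the %ACE-severity-id: layout and all message ids are assumptions) and shows which lines a given trap level forwards.

```python
"""Model of the severity threshold that logging trap and logging supervisor apply.

Added illustration, not Cisco code. The 0-7 level names and the "that level and
below" rule come from the command reference; the %ACE-<severity>-<id>: message
layout and the sample lines are assumptions for this example.
"""
import re
from dataclasses import dataclass

LEVEL_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Assumed layout: %ACE-<severity>-<message id>: <text>
_LINE_RE = re.compile(r"^%ACE-(?P<sev>[0-7])-(?P<msgid>\d+):\s*(?P<text>.*)$")


@dataclass(frozen=True)
class SyslogMessage:
    severity: int
    msg_id: str
    text: str


def parse_line(line):
    """Parse one ACE-style syslog line; raise ValueError on anything else."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an ACE-style syslog line: {line!r}")
    return SyslogMessage(int(m.group("sev")), m.group("msgid"), m.group("text"))


def forwarded(messages, trap_level):
    """Return the messages a 'logging trap <trap_level>' setting forwards.

    Lower numbers are MORE severe, so 'at that level and below' means
    severity <= trap_level. The page's default trap level is 6 (informational).
    """
    if not 0 <= trap_level <= 7:
        raise ValueError("severity level must be 0-7")
    return [m for m in messages if m.severity <= trap_level]


def volume_by_level(messages):
    """Count messages per level name; handy for sizing the syslog server before
    raising the threshold or enabling logging standby (which doubles traffic)."""
    counts = {}
    for m in messages:
        name = LEVEL_NAMES[m.severity]
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample lines (message ids and text are invented for the example).
SAMPLE_LINES = [
    "%ACE-2-999001: constructed critical event",
    "%ACE-3-999002: constructed error event",
    "%ACE-4-999003: constructed warning event",
    "%ACE-6-999004: constructed informational event",
    "%ACE-6-999005: constructed informational event",
    "%ACE-7-999006: constructed debug event",
]
SAMPLE_MESSAGES = [parse_line(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for level in (3, 6, 7):
        sent = forwarded(SAMPLE_MESSAGES, level)
        print(f"logging trap {level}: {len(sent)} of {len(SAMPLE_MESSAGES)} forwarded")
    print(volume_by_level(SAMPLE_MESSAGES))
```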

Examples

To send informational system message logs to the syslog server, enter:

host1/Admin(config)# logging trap 6

To disable sending message logs to the syslog server, enter:

host1/Admin(config)# no logging trap 6

Related Commands

(config) logging enable

(config) logging host

(config) nexus-device

To create the DCI device (Nexus 7000 series switch) for the dynamic workload scaling (DWS) feature, use the nexus-device command. The CLI prompt changes to (config-dci). See the "DCI Configuration Mode Commands" section for details. Use the no form of this command to remove the DCI device from the configuration.

nexus-device name

no nexus-device name

Syntax Description

name

Name of the DCI device that the ACE queries for the locality information of the VMs. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin context only

Command History

ACE Module/Appliance Release
Modification

A4(2.0)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The DCI device provides the locality information (local or remote) of the virtual machines (VMs) only. You can configure one DCI device per ACE.

Examples

To create a DCI device named DCI_DEVICE1, enter:

host1/Admin(config)# nexus-device DCI_DEVICE1
host1/Admin(config-dci)#

To remove the DCI device from the configuration, enter:

host1/Admin(config)# no nexus-device DCI_DEVICE1

Related Commands

show nexus-device

(config) ntp

(ACE appliance only) To configure the ACE system clock to synchronize a peer (or to be synchronized by a peer) or to be synchronized by a time server, use the ntp command. Use the no form of the command to remove an NTP peer or server from the configuration.

ntp {peer ip_address1 [prefer] | server ip_address2 [prefer]}

no ntp {peer ip_address1 [prefer] | server ip_address2 [prefer]}

Syntax Description

peer

Configures the ACE system clock to synchronize a peer or to be synchronized by a peer. You can specify multiple associations.

ip_address1

IP address of the peer providing or being provided by the clock synchronization.

prefer

(Optional) Makes this peer the preferred peer that provides synchronization. Using the prefer keyword reduces switching back and forth between peers.

server

Configures the ACE system clock to be synchronized by a time server. You can specify multiple associations.

ip_address2

IP address of the time server that provides the clock synchronization.

prefer

(Optional) Makes this server the preferred server that provides synchronization. Use the prefer keyword to set this NTP server as the preferred server if multiple servers have similar accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers have similar accuracy, then the prefer keyword specifies which of those servers to use.


Command Modes

Configuration mode

Admin context only

Command History

ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

An NTP association can be a peer association, which means that the ACE is willing to synchronize to the other system or to allow the other system to synchronize to the ACE. An NTP association can also be a server association, which means that only this system will synchronize to the other system, not the other way around. You can identify multiple servers; the ACE uses the most accurate server.

Examples

To specify multiple NTP server IP addresses and identify a preferred server, enter:

host1/Admin(config)# ntp server 192.168.10.10 prefer
host1/Admin(config)# ntp server 192.168.4.143
host1/Admin(config)# ntp server 192.168.5.10

To form a peer association with a preferred peer, enter:

host1/Admin(config)# ntp peer 192.168.10.0 prefer

To remove an NTP peer or server from the configuration, enter:

host1/Admin(config)# no ntp peer 192.168.10.0

Related Commands

clear np

show clock

(config) object-group

To create an object group, use the object-group command. Object groups allow you to streamline the creation of multiple ACL entries in an ACL. Use the no form of this command to remove the object group from the configuration.

object-group [network | service] name

no object-group [network | service] name

Syntax Description

network

Specifies a group of hosts or subnet IP addresses.

service

Specifies a group of TCP or UDP port specifications.

name

Unique identifier for the object group. Enter the object group name as an unquoted, alphanumeric string from 1 to 64 characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

You can create either network or service object groups. After you create these groups, you can use a single ACL entry to allow trusted hosts to make specific service requests to a group of public servers.

If you add new members to an existing object group that is already in use by an entry in a large ACL, recommitting the ACL can take a long time, depending on the size of the ACL and the object group. In some cases, making this change can cause the ACE to devote over an hour to committing the ACL, during which time you cannot access the terminal. We recommend that you first remove the ACL entry that refers to the object group, make your change, and then add the ACL entry back into the ACL.

Examples

To create a network object group, enter:

host1/Admin(config)# object-group network NET_OBJ_GROUP1

Related Commands

(config-objgrp-netw) ip_address

(config-objgrp-netw) host

(config) optimize

(ACE appliance only) To configure the global optimization settings on the ACE, enter the optimize command. The CLI prompt changes to (config-optimize). To remove an optimize mode selection, use the no form of the command.

optimize

no optimize

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

For information about commands in optimize configuration mode, see the "Optimize Configuration Mode Commands" section. For details about configuring the commands in the optimize configuration mode, see the Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine Appliance.

Examples

To access the optimize configuration mode, enter:

host1/Admin(config)# optimize

host1/Admin(config-optimize)# 

Related Commands

show optimization-global

(config) parameter-map type

To create a connection-, HTTP- or SSL-type parameter map, use the parameter-map type command. For the ACE appliance only, you can also create an optimization HTTP-type parameter map. Use the no form of this command to remove a parameter map from the ACE.

parameter-map type {connection | dns | generic | http | optimization http | rtsp | sip | skinny | ssl} name

no parameter-map type {connection | dns | generic | http | optimization http | rtsp | sip | skinny | ssl} name

Syntax Description

connection

Specifies a connection-type parameter map. After you create the connection-type parameter map, you configure TCP, IP, and other settings for the map in the parameter map connection configuration mode. For information about the commands in parameter map connection configuration mode, see the "Parameter Map Connection Configuration Mode Commands" section.

dns

Specifies a DNS parameter map. After you create a DNS parameter map, you configure settings for the map in the parameter map DNS configuration mode. For information about the commands in parameter map DNS configuration mode, see the "Parameter Map DNS Configuration Mode Commands" section.

generic

Specifies a generic Layer 7 parameter map. After you create the generic Layer 7 parameter map, you configure settings for the map in the parameter map generic configuration mode. For information about the commands in parameter map generic configuration mode, see the "Parameter Map HTTP Configuration Mode Commands" section.

http

Specifies an HTTP-type parameter map. After you create the HTTP-type parameter map, you configure HTTP settings for the map in the parameter map HTTP configuration mode. For information about the commands in parameter map HTTP configuration mode, see the "Parameter Map HTTP Configuration Mode Commands" section.

optimization http

(ACE appliance only) Specifies an optimization HTTP-type parameter map and defines its application acceleration and optimization settings. After you create the optimization HTTP-type parameter map, you configure settings for the map in the parameter map optimization HTTP configuration mode. For information about the commands in parameter map optimization HTTP configuration mode, see the "Parameter Map Optimization Configuration Mode Commands" section.

rtsp

Specifies an RTSP-type parameter map. After you create the RTSP-type parameter map, you configure RTSP settings for the map in the parameter map RTSP configuration mode. For information about the commands in parameter map RTSP configuration mode, see the "Parameter Map RTSP Configuration Mode Commands" section.

sip

Specifies a SIP-type parameter map. After you create the SIP-type parameter map, you configure SIP settings for the map in the parameter map SIP configuration mode. For information about the commands in parameter map SIP configuration mode, see the "Parameter Map SIP Configuration Mode Commands" section.

skinny

Specifies a Skinny Client Control Protocol (SCCP) type parameter map. After you create the SCCP-type parameter map, you configure SCCP settings for the map in the parameter map SCCP configuration mode. For information about the commands in parameter map SCCP configuration mode, see the "Parameter Map SCCP Configuration Mode Commands" section.

ssl

Specifies an SSL-type parameter map. After you create the SSL-type parameter map, you configure SSL settings for the map in the parameter map SSL configuration mode. For information about the commands in parameter map SSL configuration mode, see the "Parameter Map SSL Configuration Mode Commands" section.

name

Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

A2(1.0)

This command was revised.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A3(1.0)

This command was revised.


Usage Guidelines

The connection and http commands require the connection feature in your user role. The ssl commands in this mode require the connection or SSL feature.

(ACE appliance only) The optimization http commands in this mode require the loadbalance feature in your user role.

For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The parameter-map type command allows you to configure a series of Layer 3 and Layer 4 statements that instruct the ACE how to handle TCP termination, normalization and reuse, SSL termination, and advanced HTTP behavior for server load-balancing connections. After you enter this command, the system enters the corresponding parameter map configuration mode.

To access one of the parameter-map configuration modes, enter the appropriate parameter-map type command. For example, enter parameter-map type connection, parameter-map type http, or parameter-map type ssl. The CLI prompt changes to the corresponding mode, for example, (config-parammap-conn), (config-parammap-http), or (config-parammap-ssl).

After you configure the parameter map, you associate it with a specific action statement in a policy map.

Examples

To create a connection-type parameter map called TCP_MAP, enter:

host1/Admin(config)# parameter-map type connection TCP_MAP
host1/Admin(config-parammap-conn)#

To create an HTTP-type parameter map called HTTP_MAP, enter:

host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)#

To create an SSL-type parameter map called SSL_MAP, enter:

host1/Admin(config)# parameter-map type ssl SSL_MAP
host1/Admin(config-parammap-ssl)#

ACE Appliance Example

To create an optimization HTTP parameter map called OPTIMIZE_MAP, enter:

host1/Admin(config)# parameter-map type optimization http OPTIMIZE_MAP
host1/Admin(config-parammap-optmz)#

Related Commands

show running-config

(config) policy-map

(config) peer hostname

To specify a hostname for the peer ACE in a redundant configuration, use the peer hostname command. The hostname is used for the command line prompts and default configuration filenames. If you establish sessions to multiple devices, the hostname helps you track where you enter commands. Use the no form of this command to reset the hostname of the peer to the default of switch.

peer hostname name

no peer hostname name

Syntax Description

name

New hostname for the peer ACE. Enter a case-sensitive text string that contains from 1 to 32 alphanumeric characters.


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

By default, the hostname for the ACE is switch.

Examples

To change the hostname of the peer ACE from switch to ACE_1, enter:

switch/Admin(config)# peer hostname ACE_1
ACE_1/Admin(config)# 

Related Commands

(config) hostname

(config) peer shared-vlan-hostid

To configure a specific bank of MAC addresses for a peer ACE in a redundant configuration, use the peer shared-vlan-hostid command. Use the no form of this command to remove the configured bank of MAC addresses.

peer shared-vlan-hostid number

no peer shared-vlan-hostid

Syntax Description

number

Bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs.


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(6.2a)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To configure bank 3 for a peer ACE, enter:

host1/Admin(config)# peer shared-vlan-hostid 3

To remove the configured bank of MAC addresses, enter:

host1/Admin(config)# no peer shared-vlan-hostid 

Related Commands

(config) arp

(config) shared-vlan-hostid

(config) policy-map

Use the policy-map command to create a Layer 3 and Layer 4 or Layer 7 policy map. To access one of the policy map configuration modes, use the policy-map command. Use the no form of this command to remove a policy map from the ACE.

policy-map multi-match map_name

policy-map type inspect {ftp first-match | http all-match | sip all-match | skinny} map_name

policy-map type loadbalance {first-match | generic first-match | http first-match | radius first-match | rdp first-match | rtsp first-match | sip first-match} map_name

policy-map type management first-match map_name

policy-map type optimization http first-match map_name

no policy-map multi-match map_name

no policy-map type inspect {ftp first-match | http all-match | sip all-match | skinny} map_name

no policy-map type loadbalance {first-match | generic first-match | http first-match | radius first-match | rdp first-match | rtsp first-match | sip first-match} map_name

no policy-map type management first-match map_name

no policy-map type optimization http first-match map_name

Syntax Description

multi-match

Configures a Layer 3 and Layer 4 policy map that defines the different actions applied to traffic passing through the ACE. The ACE attempts to match multiple classes within the Layer 3 and Layer 4 policy map to allow a multifeature Layer 3 and Layer 4 policy map. The ACE executes the action for only one matching class within each of the class sets. The definition of which classes are in the same class set depends on the actions applied to the classes; the ACE associates each policy map action with a specific set of classes.

For information about the commands in policy map configuration mode, see the "Policy Map Configuration Mode Commands" section.

map_name

Name assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

type

Specifies the type of policy map to be defined. When you specify a policy map type, you enter its corresponding policy map configuration mode (for example, RADIUS load balancing).

inspect ftp first-match

Specifies a Layer 7 policy map that defines the inspection of File Transfer Protocol (FTP) commands by the ACE. The ACE executes the action for the first matching classification. For a list of classes in a policy map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map FTP inspection configuration mode, see the "Policy Map FTP Inspection Configuration Mode Commands" section.

inspect http all-match

Specifies a Layer 7 policy map that defines the deep packet inspection of the HTTP protocol by the ACE. The ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request. For information about the commands in policy map inspection HTTP configuration mode, see the "Policy Map Inspection HTTP Configuration Mode Commands" section.

inspect sip all-match

Specifies a Layer 7 policy map that defines the inspection of SIP protocol packets by the ACE. The ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request. For information about the commands in policy map inspection SIP configuration mode, see the "Policy Map Inspection SIP Configuration Mode Commands" section.

inspect skinny

Specifies a Layer 7 policy map that defines the inspection of SCCP or skinny protocol packets by the ACE. The ACE uses the SCCP inspection policy to filter traffic based on message ID and to perform user-configurable actions on that traffic. For information about the commands in policy map inspection Skinny configuration mode, see the "Policy Map Inspection Skinny Configuration Mode Commands" section.

loadbalance first-match

Specifies a Layer 7 policy map that defines Layer 7 first-match server load-balancing decisions. The ACE executes the action for the first matching classification. For a list of classes in a policy-map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map load balance configuration mode, see the "Policy Map Load Balancing HTTP Configuration Mode Commands" section.

loadbalance generic first-match

Specifies a Layer 7 policy map that defines Layer 7 generic server load-balancing decisions. The ACE executes the action for the first matching classification. For a list of classes in a policy-map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map load balance configuration mode, see the "Policy Map Load Balancing Generic Configuration Mode Commands" section.

loadbalance http first-match

Specifies a Layer 7 policy map that defines Layer 7 HTTP server load-balancing decisions. The ACE executes the action for the first matching classification. For a list of classes in a policy-map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map load balance configuration mode, see the "Policy Map Load Balancing HTTP Configuration Mode Commands" section.

loadbalance radius first-match

Specifies a Layer 7 policy map that defines Layer 7 RADIUS server load-balancing decisions. The ACE executes the action for the first matching classification. For a list of classes in a policy-map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map load balance configuration mode, see the "Policy Map Load Balancing RADIUS Configuration Mode Commands" section.

loadbalance rdp first-match

Specifies a Layer 7 policy map that defines Layer 7 RDP server load-balancing decisions. The ACE executes the action for the first matching classification. For a list of classes in a policy-map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map load balance configuration mode, see the "Policy Map Load Balancing RDP Configuration Mode Commands" section.

loadbalance rtsp first-match

Specifies a Layer 7 policy map that defines Layer 7 RTSP server load-balancing decisions. The ACE executes the action for the first matching classification. For a list of classes in a policy-map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map load balance configuration mode, see the "Policy Map Load Balancing RTSP Configuration Mode Commands" section.

loadbalance sip first-match

Specifies a Layer 7 policy map that defines Layer 7 SIP server load-balancing decisions. The ACE executes the action for the first matching classification. For a list of classes in a policy-map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map load balance configuration mode, see the "Policy Map Load Balancing SIP Configuration Mode Commands" section.

management first-match

Specifies a Layer 3 and Layer 4 policy map that defines the IP management protocols that can be received by the ACE. The ACE executes the specified action only for traffic that meets the first matching classification within the policy map. For information about the commands in policy map management configuration mode, see the "Policy Map Management Configuration Mode Commands" section.

optimization http first-match

(ACE appliance only) Specifies a Layer 7 policy map that defines Layer 7 HTTP optimization operations. The Layer 7 optimization HTTP policy map associates an HTTP optimization action list and parameter map to configure the specified optimization actions. The ACE executes the action for the first matching classification. For a list of classes in a policy-map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map optimization configuration mode, see the "Policy Map Optimization Configuration Mode Commands" section.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

A2(1.0)

This command was revised.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A3(1.0)

This command was revised.


Usage Guidelines

This command requires the inspect, loadbalance, NAT, connection, or SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Use the policy map configuration mode commands to configure a series of Layer 3 and Layer 4 or Layer 7 policies. Each policy map defines a series of actions (functions) that you apply to a set of classified inbound traffic. The CLI prompt changes correspondingly to the selected policy map configuration mode: config-pmap, config-pmap-c, config-pmap-insp-http, config-pmap-insp-http-c, config-pmap-insp-http-m, config-pmap-lb, config-pmap-lb-c, config-pmap-lb-m, config-pmap-mgmt, and config-pmap-mgmt-c.

(ACE appliance only) In addition, the prompts include config-pmap-optmz and config-pmap-optmz-c.

For a Layer 3 and Layer 4 traffic classification, you create Layer 3 and Layer 4 policy maps with actions that configure the following:

Network management traffic received by the ACE (HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet)

Server load balancing based on Layer 3 and Layer 4 connection information (virtual IP address)

Secure Sockets Layer (SSL) security services between a web browser (the client) and the HTTP connection (the server)

Static or dynamic Network Address Translation (NAT)

Application protocol inspection (also known as protocol fixup)

TCP termination, normalization, and reuse

IP normalization and fragment reassembly

For a Layer 7 traffic classification, you create policy maps with actions that configure the following:

Server load balancing based on the Layer 7 HTTP-related information (such as HTTP headers, cookies, and URLs), or the client IP address

(ACE appliance only) Application acceleration and optimization functions

Deep packet inspection of the HTTP protocol

FTP command inspection

The ACE supports a system-wide maximum of 4096 policy maps.

For details about creating a policy map, see the Administration Guide, Cisco ACE Application Control Engine.
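The Syntax Description above defines three ways a policy map selects classes: first-match executes only the first matching class, all-match executes every matching class until it encounters a deny, and multi-match executes one class per class set. The following Python model is an added illustration of those three rules, not ACE code; the request fields, class names, actions and the class_set labels used to group multi-match classes are assumptions for the example.

```python
"""Model of the three class-matching strategies the policy-map command defines.

Added illustration of the page's descriptions, not ACE code. The request
fields, class names, actions and the class_set labels used for multi-match
grouping are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class PolicyClass:
    name: str
    matches: Callable[[dict], bool]   # the class map's classification test
    action: str                       # action applied when the class matches
    class_set: str = "default"        # multi-match: action family of the class


def first_match(classes: List[PolicyClass], request: dict) -> List[str]:
    """first-match: only the first matching class's action is executed."""
    for c in classes:
        if c.matches(request):
            return [c.action]
    return []


def all_match(classes: List[PolicyClass], request: dict) -> List[str]:
    """all-match: execute every matching class in order, stop after a deny."""
    executed = []
    for c in classes:
        if c.matches(request):
            executed.append(c.action)
            if c.action == "deny":
                break
    return executed


def multi_match(classes: List[PolicyClass], request: dict) -> Dict[str, str]:
    """multi-match: one action per class set; within a set the first match wins."""
    chosen: Dict[str, str] = {}
    for c in classes:
        if c.class_set not in chosen and c.matches(request):
            chosen[c.class_set] = c.action
    return chosen


# Constructed classes, loosely following the Layer 7 and Layer 3/4 uses on the page.
L7_HTTP_INSPECT = [   # inspect http all-match (actions are constructed labels)
    PolicyClass("LOG_POST", lambda r: r["method"] == "POST", "log"),
    PolicyClass("BLOCK_ADMIN", lambda r: r["url"].startswith("/admin"), "deny"),
    PolicyClass("ANY_HTTP", lambda r: True, "permit"),
]
L7_SLB = [            # loadbalance http first-match
    PolicyClass("IMAGES", lambda r: r["url"].startswith("/img/"), "serverfarm IMG"),
    PolicyClass("DEFAULT", lambda r: True, "serverfarm WEB"),
]
L4_MULTI = [          # multi-match: one class from each action family
    PolicyClass("VIP_HTTP", lambda r: r["dport"] == 80, "loadbalance L7_SLB", "loadbalance"),
    PolicyClass("VIP_HTTPS", lambda r: r["dport"] == 443, "loadbalance L7_SLB ssl", "loadbalance"),
    PolicyClass("INSPECT_HTTP", lambda r: r["dport"] == 80, "inspect http L7_HTTP_INSPECT", "inspect"),
    PolicyClass("NAT_ALL", lambda r: True, "nat dynamic 1", "nat"),
]

# Constructed request: a POST to an admin URL arriving on port 80.
REQUEST = {"url": "/admin/login", "method": "POST", "dport": 80}

if __name__ == "__main__":
    print("first-match :", first_match(L7_SLB, REQUEST))
    print("all-match   :", all_match(L7_HTTP_INSPECT, REQUEST))
    print("multi-match :", multi_match(L4_MULTI, REQUEST))
```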

Examples

To create a Layer 3 and Layer 4 server load-balancing policy map named L4_SLB_POLICY, enter:

host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)# 

To create a Layer 3 and Layer 4 management protocol policy map named L4_MGMT-ACCESS_POLICY, enter:

host1/Admin(config)# policy-map type management first-match L4_MGMT-ACCESS_POLICY
host1/Admin(config-pmap-mgmt)#

(ACE appliance only) To create a Layer 7 optimization HTTP policy map named L7OPTIMIZATION_POLICY, enter:

host/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host/Admin(config-pmap-optmz)#

To create a Layer 7 HTTP server load-balancing policy map named L7_SLB_POLICY, enter:

host1/Admin(config)# policy-map type loadbalance first-match L7_SLB_POLICY
host1/Admin(config-pmap-lb)# 

To create a Layer 7 HTTP deep packet inspection policy map named L7_HTTP_INSPECT_POLICY, enter:

host1/Admin(config)# policy-map type inspect http all-match L7_HTTP_INSPECT_POLICY
host1/Admin(config-pmap-insp-http)#

To create a Layer 7 FTP command inspection policy map named L7_FTP_INSPECT_POLICY, enter:

host1/Admin(config)# policy-map type inspect ftp first-match L7_FTP_INSPECT_POLICY
host1/Admin(config-pmap-ftp-ins)# 

Related Commands

show startup-config

(config) class-map

(config) parameter-map type

(config) service-policy

(config) probe

To define a probe and access its configuration mode, use the probe command. The CLI prompt changes to (config-probe_type). Use the no form of this command to delete the probe.

probe probe_type probe_name

no probe probe_type probe_name

Syntax Description

probe_type

Probe types. The probe type determines what the probe sends to the real server. Enter one of the following keywords:


dns—Sends a request to a DNS server giving it a configured domain. To determine if the server is up, the ACE must receive the configured IP address for that domain.

 

echo {tcp | udp}—Sends a string to the server and compares the response to the original string. If the response string matches the original string, the server is marked as passed. Otherwise, the ACE retries the configured number of times at the configured interval before marking the server as failed.

 

finger—Sends a Finger probe to a server to verify that a defined username is a username on the server. Use the Finger protocol to configure the username string.

 

ftp—Initiates an FTP session. By default, this probe is for an anonymous login with the option of configuring a user ID and password. The ACE performs an FTP GET or LS to determine the outcome of the probe. This probe supports only active connections.

 

http—Sets up a TCP connection and issues an HTTP request. The default request is an HTTP 1.1 GET request with the URL /. Any valid HTTP response causes the probe to mark the real server as passed. You can also configure an HTTP response value.

 

https—Similar to the HTTP probe, but this probe uses SSL to generate encrypted data.

 

icmp—Sends an ICMP request and listens for a response. If the server returns a response, the ACE marks the real server as passed. If no response arrives before the probe times out, or an ICMP standard error such as DESTINATION_UNREACHABLE occurs, the ACE marks the real server as failed.

 

imap—Identical to POP/POP3 probe, but uses IMAP.

 

pop—Initiates a POP session, using a configured user ID and password. Then, the probe attempts to retrieve e-mail from the server and validates the result of the probe based on the return codes received from the server.

 

radius—Connects to a RADIUS server and logs in to it to determine whether the server is up.

 

rtsp—Establishes a TCP connection and sends a request packet to the RTSP server to determine whether the server is up.

 

scripted—Executes probes from a configured script to perform health probing. You can author specific scripts with features not present in standard health probes.

 

sip {tcp | udp}—Establishes a TCP or UDP connection and sends an OPTIONS request packet to the user agent on the SIP server to determine whether the server is up.

 

smtp—Initiates an SMTP session by logging in to the server.

 

snmp—Establishes a UDP connection and sends a maximum of eight SNMP OID queries to probe the server.

 

tcp—Initiates a TCP handshake and expects a response. By default, a successful response causes the probe to mark the server as passed, and then the probe sends a FIN to end the session. If the response is not valid or if there is no response, the probe marks the real server as failed.

 

telnet—Establishes a connection to the real server and verifies that a greeting from the application was received.

 

udp—Sends a UDP packet to a real server. The probe marks the server as failed only if an ICMP Port Unreachable message is returned. Optionally, you can configure this probe to send specific data and expect a specific response to mark the real server as passed.

vm—Polls the local VM load information from the VM controller (vCenter) for the dynamic workload scaling (DWS) feature. The ACE calculates the average aggregate load information as a percentage of CPU usage or memory usage to determine when to burst traffic to the remote data center. If the server farm consists of both physical servers and VMs, the ACE considers load information only from the VMs. After you configure the VM probe and its attributes, you associate it with a VM controller and a server farm.

probe_name

Identifier for the probe. The probe name associates the probe to the real server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

A2(1.0)

This command was revised.

A4(2.0)

Added the VM probe type.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A3(1.0)

This command was revised.

A4(2.0)

Added the VM probe type.


Usage Guidelines

This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

For information about commands in probe configuration mode, see the "Probe Configuration Mode Commands" section.

Examples

To define a TCP probe named PROBE1 and access its mode, enter:

host1/Admin(config)# probe tcp PROBE1
host1/Admin(config-probe-tcp)#

To delete a TCP probe named PROBE1, enter:

host1/Admin(config)# no probe tcp PROBE1

Related Commands

clear probe

show probe

(config) radius-server attribute nas-ipaddr

To specify a RADIUS NAS-IP-Address attribute, use the radius-server attribute nas-ipaddr command. Use the no form of this command to delete the RADIUS NAS-IP-Address and return to the default configuration.

radius-server attribute nas-ipaddr nas_ip_address

no radius-server attribute nas-ipaddr nas_ip_address

Syntax Description

nas_ip_address

IP address that is used as the RADIUS NAS-IP-Address, attribute 4. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

By default, the NAS-IP-Address is not configured. The ACE performs a route lookup on the Remote Authentication Dial-In User Service (RADIUS) server IP address and uses the result.

The RADIUS NAS-IP-Address attribute allows you to configure an arbitrary IP address to be used as RADIUS attribute 4, NAS-IP-Address for each context.

The radius-server attribute nas-ipaddr command allows the ACE to behave as a single RADIUS client from the perspective of the RADIUS server. The configured NAS-IP-Address will be encapsulated in all outgoing RADIUS authentication request and accounting packets.
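As an added illustration of what the NAS-IP-Address setting changes on the wire (constructed example code, not ACE software): a minimal RADIUS Access-Request builder that places the configured address in attribute 4 and hides the User-Password with the shared secret as RFC 2865 describes, together with the attribute parser a RADIUS server would use to read the client identity back. The address, shared secret, username and password are constructed placeholders.

```python
import hashlib
import os
import socket
import struct
from typing import Dict, Optional

# Constructed placeholders for this example; they stand in for the values set
# with `radius-server attribute nas-ipaddr` and `radius-server key`.
NAS_IP_ADDRESS = "192.168.1.1"
SHARED_SECRET = b"example-shared-secret"

ACCESS_REQUEST = 1          # RADIUS packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4     # the "attribute 4" the text refers to


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; only a peer holding the same shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type (1 byte), length including header (1 byte), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, nas_ip: str, secret: bytes,
                         identifier: int = 0, authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request carrying User-Name, the hidden User-Password and NAS-IP-Address."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    # Header: code, identifier, total length, then the 16-byte Request Authenticator.
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute TLVs, rejecting length fields that disagree with the packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def nas_ip_in_packet(packet: bytes) -> Optional[str]:
    """The address a RADIUS server sees as the client identity: attribute 4, if present."""
    value = parse_attributes(packet).get(ATTR_NAS_IP_ADDRESS)
    return socket.inet_ntoa(value) if value is not None else None
```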

Examples

To specify a RADIUS NAS-IP-Address, enter:

host1/Admin(config)# radius-server attribute nas-ipaddr 192.168.1.1

To delete the RADIUS NAS-IP-Address and return to the default configuration, enter:

host1/Admin(config)# no radius-server attribute nas-ipaddr 192.168.1.1 

Related Commands

show aaa

(config) aaa group server

(config) radius-server host

(config) radius-server deadtime

To globally set the time interval in which the ACE verifies whether a nonresponsive server is operational, use the radius-server deadtime command. Use the no form of this command to reset the Remote Authentication Dial-In User Service (RADIUS) server dead-time request to the default of 0.

radius-server deadtime minutes

no radius-server deadtime minutes

Syntax Description

minutes

Length of time that the ACE skips a nonresponsive RADIUS server for transaction requests. Enter an integer from 0 to 1440 (24 hours). The default is 0.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Use of this command causes the ACE to mark as "dead" any RADIUS servers that fail to respond to authentication requests. This action avoids the wait for the request to time out before trying the next configured server. The ACE skips a RADIUS server that is marked as dead, sending it no additional requests, for the duration of minutes.

The dead-time interval starts when the server does not respond to the number of authentication request transmissions configured through the radius-server retransmit command. When the server responds to a probe access-request packet, the ACE transmits the authentication request to the server.

Examples

To globally configure a 15-minute dead-time for RADIUS servers that fail to respond to authentication requests, enter:

host1/Admin(config)# radius-server deadtime 15

To set the RADIUS server dead-time request to 0, enter:

host1/Admin(config)# no radius-server deadtime 15

Related Commands

show aaa

(config) aaa group server

(config) radius-server host

(config) radius-server host

To designate and configure a host for RADIUS server functions, use the radius-server host command. You can define multiple radius-server host commands to configure multiple Remote Authentication Dial-In User Service (RADIUS) servers. Use the no form of this command to remove the RADIUS server from the configuration.

radius-server host ip_address [key shared_secret [0 shared_secret | 7 shared_secret]] [auth-port port_number] [acct-port port_number] [authentication] [accounting] [timeout seconds] [retransmit count]

no radius-server host ip_address [key shared_secret [0 shared_secret | 7 shared_secret]] [auth-port port_number] [acct-port port_number] [authentication] [accounting] [timeout seconds] [retransmit count]

Syntax Description

ip_address

IP address for the RADIUS server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).

key

(Optional) Enables an authentication key for communication between the ACE and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.

shared_secret

Key that is used to authenticate communication between the RADIUS client and server. The shared secret must match the one configured on the RADIUS server. Enter the shared secret as a case-sensitive string with no spaces with a maximum of 63 alphanumeric characters.

0

(Optional) Configures a key specified in clear text (indicated by 0) to authenticate communication between the RADIUS client and server.

7

(Optional) Configures a key specified in encrypted text (indicated by 7) to authenticate communication between the RADIUS client and server.

auth-port port_number

(Optional) Specifies the UDP destination port for communicating authentication requests to the RADIUS server. By default, the RADIUS authentication port is 1812 (as defined in RFC 2138 and RFC 2139). The port_number argument specifies the RADIUS port number. Valid values are from 1 to 65535.

acct-port port_number

(Optional) Specifies the UDP destination port for communicating accounting requests to the RADIUS server. By default, the RADIUS accounting port is 1813 (as defined in RFC 2138 and RFC 2139). The port_number argument specifies the RADIUS port number. Valid values are from 1 to 65535.

authentication

(Optional) Specifies that the RADIUS server is used only for authentication purposes.

If neither the authentication nor the accounting options are specified, the RADIUS server is used for both accounting and authentication purposes.

accounting

(Optional) Specifies that the RADIUS server is used only for accounting purposes.

If neither the authentication nor the accounting options are specified, the RADIUS server is used for both accounting and authentication purposes.

timeout seconds

(Optional) Specifies the time interval that the ACE waits for the RADIUS server to reply to an authentication request before retransmitting a request. Valid entries are from 1 to 60 seconds. The default is 1 second.

retransmit count

(Optional) Specifies the number of times that the ACE retransmits an authentication request to a timed-out RADIUS server before declaring the server to be unresponsive and contacting the next server in the group. Valid entries are from 1 to 5 attempts. The default is one attempt.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The key option overrides the global setting of the radius-server key command. If you do not specify a key, the global value is used. RADIUS keys are always stored in encrypted form in persistent storage. The running configuration also displays keys in encrypted form.

If neither the authentication nor the accounting options are specified, the RADIUS server is used for both accounting and authentication.

If your RADIUS server uses a port other than 1813, use the acct-port keyword to configure the ACE for the appropriate port before starting the RADIUS service.

If your RADIUS server uses a port other than 1812, use the auth-port keyword to configure the ACE for the appropriate port before starting the RADIUS service.

The retransmit and timeout options override the global settings assigned for the specified server when you enter the radius-server retransmit and radius-server timeout commands.

Examples

To configure RADIUS server authentication parameters, enter:

host1/Admin(config)# radius-server host 192.168.2.3 key HostKey 
host1/Admin(config)# radius-server host 192.168.2.3 key 7 secret_1256
host1/Admin(config)# radius-server host 192.168.2.3 auth-port 1645 
host1/Admin(config)# radius-server host 192.168.2.3 acct-port 1646
host1/Admin(config)# radius-server host 192.168.2.3 authentication
host1/Admin(config)# radius-server host 192.168.2.3 accounting
host1/Admin(config)# radius-server host 192.168.2.3 timeout 25
host1/Admin(config)# radius-server host 192.168.2.3 retransmit 3

To revert to a default RADIUS server authentication setting, enter:

host1/Admin(config)# no radius-server host 192.168.2.3 acct-port 1646

Related Commands

show aaa

(config) aaa group server

(config) radius-server attribute nas-ipaddr

(config) radius-server key

To globally configure an authentication key for communication between the ACE and the Remote Authentication Dial-In User Service (RADIUS) daemon running on each RADIUS server, use the radius-server key command. Use the no form of this command to remove the global RADIUS server key setting from the configuration.

radius-server key {shared_secret | 0 shared_secret | 7 shared_secret}

no radius-server key {shared_secret | 0 shared_secret | 7 shared_secret}

Syntax Description

shared_secret

Key used to authenticate communication between the RADIUS client and the server. The shared secret must match the one configured on the RADIUS server. Enter the shared secret as a case-sensitive string with no spaces and a maximum of 63 alphanumeric characters.

0

Configures a key specified in clear text (indicated by 0) to authenticate communication between the RADIUS client and server.

7

Configures a key specified in encrypted text (indicated by 7) to authenticate communication between the RADIUS client and server.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The key is a text string that must match the encryption key used on the RADIUS server. RADIUS keys are always stored in encrypted form in persistent storage on the ACE. This global key will be applied to those RADIUS servers in a named server group for which a shared secret is not individually configured by the (config) radius-server host command.

Examples

To globally configure an authentication key to be sent in encrypted text (indicated by 7) to the RADIUS server, enter:

host1/Admin(config)# radius-server key 7 abe4DFeeweo00o

To delete the key, enter:

host1/Admin(config)# no radius-server key 7 abe4DFeeweo00o

Related Commands

show aaa

(config) aaa group server

(config) radius-server host

(config) radius-server retransmit

To globally change the number of times that the ACE sends an authentication request to a Remote Authentication Dial-In User Service (RADIUS) server, use the radius-server retransmit command. Use the no form of this command to revert to the default of one transmission attempt.

radius-server retransmit count

no radius-server retransmit count

Syntax Description

count

Number of times that the ACE attempts to connect to a RADIUS server before trying to contact the next available server. Enter an integer from 1 to 5. The default is 1.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The ACE applies this global retransmission value to those RADIUS servers for which a value is not individually configured by the (config) radius-server host command.

If all servers in the group are unavailable for authentication and accounting, the ACE tries the local database if you configure a local fallback method by entering the aaa authentication login or the aaa accounting default commands. If you do not have a fallback method, the ACE continues to contact one of the AAA servers listed in the server group.

Examples

To globally configure the number of retransmissions to 3, enter:

host1/Admin(config)# radius-server retransmit 3

To revert to the default of one transmission attempt, enter:

host1/Admin(config)# no radius-server retransmit 3

Related Commands

show aaa

(config) aaa group server

(config) radius-server host

(config) radius-server timeout

To globally change the time interval that the ACE waits for the Remote Authentication Dial-In User Service (RADIUS) server to reply before retransmitting an authentication request to the RADIUS server, use the radius-server timeout command. Use the no form of this command to revert to the default of one second between transmission attempts.

radius-server timeout seconds

no radius-server timeout seconds

Syntax Description

seconds

Time in seconds between retransmissions to the RADIUS server. Enter an integer from 1 to 60 seconds. The default is 1 second.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The ACE applies this global timeout value to those RADIUS servers for which a timeout value is not individually configured by the (config) radius-server host command.
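The global and per-host timeout, retransmit and deadtime settings described in the radius-server deadtime, radius-server host, radius-server retransmit and radius-server timeout sections interact. The following constructed Python model (added here, not ACE code) shows which value applies to each server, how many transmissions a non-responding server receives before the ACE moves on, when a server marked dead is retried, and when the local fallback is used. The server addresses, the send callback and the minute-based clock are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class GlobalRadiusSettings:
    # Defaults as documented: timeout 1 s, retransmit 1, deadtime 0 (disabled).
    timeout: int = 1      # radius-server timeout
    retransmit: int = 1   # radius-server retransmit
    deadtime: int = 0     # radius-server deadtime, in minutes


@dataclass
class RadiusHost:
    ip: str
    timeout: Optional[int] = None      # radius-server host ... timeout (overrides global)
    retransmit: Optional[int] = None   # radius-server host ... retransmit (overrides global)
    dead_until: int = 0                # simulated minute at which the host is tried again

    def effective_timeout(self, g: GlobalRadiusSettings) -> int:
        return g.timeout if self.timeout is None else self.timeout

    def effective_retransmit(self, g: GlobalRadiusSettings) -> int:
        return g.retransmit if self.retransmit is None else self.retransmit


@dataclass
class Outcome:
    source: str                      # "server", "local" or "none"
    server: Optional[str]            # address of the server that answered, if any
    attempts: List[Tuple[str, int]]  # (server ip, timeout used) for every transmission


class RadiusClientModel:
    def __init__(self, settings: GlobalRadiusSettings, hosts: List[RadiusHost],
                 local_fallback: bool = False):
        self.settings = settings
        self.hosts = hosts
        self.local_fallback = local_fallback   # aaa authentication login ... local

    def authenticate(self, now_minutes: int,
                     send: Callable[[str, int], bool]) -> Outcome:
        """send(ip, timeout) returns True if the server replied within the timeout.
        Servers are tried in configured order; a dead server is skipped without
        sending; exhausting the retransmit count marks the server dead."""
        attempts: List[Tuple[str, int]] = []
        for host in self.hosts:
            if self.settings.deadtime and host.dead_until > now_minutes:
                continue
            timeout = host.effective_timeout(self.settings)
            for _ in range(host.effective_retransmit(self.settings)):
                attempts.append((host.ip, timeout))
                if send(host.ip, timeout):
                    return Outcome("server", host.ip, attempts)
            if self.settings.deadtime:
                host.dead_until = now_minutes + self.settings.deadtime
        if self.local_fallback:
            return Outcome("local", None, attempts)
        # No fallback configured: the caller has to keep contacting the group.
        return Outcome("none", None, attempts)

    def worst_case_wait_seconds(self) -> int:
        """Longest wait before the group is exhausted when no server is marked dead."""
        return sum(h.effective_timeout(self.settings) * h.effective_retransmit(self.settings)
                   for h in self.hosts)
```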

Examples

To globally configure the timeout value to 30 seconds, enter:

host1/Admin(config)# radius-server timeout 30

To revert to the default of one second between transmission attempts, enter:

host1/Admin(config)# no radius-server timeout 30

Related Commands

show aaa

(config) aaa group server

(config) radius-server host

(config) regex compilation-timeout

(ACE appliance only) To configure the timeout for regex compilation, use the regex compilation-timeout command. When you configure a regex and its compilation is longer than the configured timeout, the ACE stops the regex compilation. Use the no form of this command to revert to the default of 60 minutes.

regex compilation-timeout minutes

no regex compilation-timeout

Syntax Description

minutes

Timeout value in minutes. Enter an integer from 1 to 500. The default timeout is 60 minutes.


Command Modes

Configuration mode

Admin context

Command History

ACE Appliance Release
Modification

A3(2.7). Not applicable for A4(1.0) and A4(2.0).

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

This command is applicable across all contexts.

Examples

To configure a compilation timeout of 80 minutes, enter the following command:

host/Admin(config)# regex compilation-timeout 80

To reset the regex compilation timeout to the default value of 60 minutes, enter the following command:

host/Admin(config)# no regex compilation-timeout

Related Commands

This command has no related commands.

(config) resource-class


Caution The no resource-class command will remove all resources from any context to which the specified resource class is assigned. Be sure that you want to do this before you enter the command.

To create a resource class and enter resource configuration mode, use the resource-class command. The CLI prompt changes to (config-resource). Configure a resource class to limit the use of system resources by one or more contexts. Use the no form of this command to remove the resource-class setting.

resource-class name

no resource-class name

Syntax Description

name

Name assigned to the resource class. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. You can also use the resource class called default.


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Use a resource class to allocate and limit system resources among contexts in your ACE. The default resource class allocates 100 percent of all configurable system resources to each context. By creating a resource class, you can prevent oversubscription by limiting the percentage of resources available to each context. After you create and configure a resource class, use the (config-context) member command in context configuration mode to assign a context to the class.

To use the stickiness feature, you must allocate a minimum percentage of resources to the feature. Otherwise, stickiness will not work. For more details, see the Virtualization Guide, Cisco ACE Application Control Engine.

For information about the commands in the resource configuration mode, see the "Resource Configuration Mode Commands" section.

Examples

To create a resource class called RC1, enter:

host1/C1(config)# resource-class RC1
host1/C1(config-resource)#

To remove the resource class from the configuration, enter:

host1/C1(config)# no resource-class RC1

Related Commands

show resource allocation

show resource usage

show user-account

show users

(config-context) member

(config) role

To assign a user role to a user and enter role configuration mode, use the role command. The CLI prompt changes to (config-role). User roles determine the privileges that a user has, the commands that a user can enter, and the actions that a user can perform in a particular context. You can apply the roles that you create only in the context in which you create them. See the "Role Configuration Mode Commands" section for details. Use the no form of this command to remove the user role assignment.

role name

no role name

Syntax Description

name

Identifier associated with a user role. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

If you do not assign a user role to a new user, the default user role is Network-Monitor. For users that you create in the Admin context, the default scope of access is the entire device. For users that you create in other contexts, the default scope of access is the entire context. If you need to restrict a user's access, you must assign a role-domain pair using the (config) username command.

For information about the commands in the role configuration mode, see the "Role Configuration Mode Commands" section.

For information about configuring roles and assigning them to users, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To assign a role, enter:

host1/C1(config)# role TECHNICIAN
host1/C1(config-role)#

To remove the role from the configuration, enter:

host1/C1(config)# no role TECHNICIAN

Related Commands

show role

show user-account

show users

(config) username

(config) rserver

To create a real server for server load balancing (SLB) and enter real server configuration mode, use the rserver command. The CLI prompt changes to (config-host-rserver) or (config-redirect-rserver), depending on the type of real server that you create. You can create a maximum of 16,384 real servers. Use the no form of this command to remove the real server from the configuration.

rserver [host | redirect] name

no rserver [host | redirect] name

Syntax Description

host

(Optional) Specifies a typical real server that provides content and services to clients. This is the default setting. For details on the commands in real server host configuration mode, see the "Real Server Host Configuration Mode Commands" section.

redirect

(Optional) Specifies a real server used to redirect traffic to a new location as specified in the relocn-string argument of the webhost-redirection command. For details on the commands in real server redirect configuration mode, see the "Real Server Redirect Configuration Mode Commands" section.

name

Identifier for the real server. Enter an unquoted text string with no spaces and maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the rserver feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

All servers in a server farm must be of the same type: host or redirect. You can create a maximum of 4096 real servers in each ACE.

Examples

To create a real server of type host, enter:

host1/Admin(config)# rserver server1

To remove the real server of type host from the configuration, enter:

host1/Admin(config)# no rserver server1

Related Commands

(config-rserver-redir) webhost-redirection

clear rserver

show rserver

(config) script file name

To load a script into memory on the ACE and enable it for use, use the script file name command. Use the no form of this command to remove a script from memory and the running configuration.

script file name script_name

no script file name script_name

Syntax Description

script_name

Name of the script on the disk0: filesystem. The script name must be unique across the context. You will use the filename when you configure the probe.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To run a script or create a health probe using a script, you must specify the script name, not the script file from which the script was loaded.

Examples

To load a script into memory, enter:

host1/Admin(config)# script file name ftp1.tcl

To remove the script, enter:

host1/Admin(config)# no script file name ftp1.tcl

Related Commands

show script

(config) serverfarm

To create a new server farm or modify an existing server farm and enter the serverfarm configuration mode, use the serverfarm command. You can configure a maximum of 4096 server farms on each ACE. Use the no form of this command to remove the server farm from the configuration.

serverfarm [host | redirect] name

no serverfarm [host | redirect] name

Syntax Description

host

(Optional) Specifies a typical server farm that consists of real servers that provide content and services to clients. This is the default. For details on the commands in the serverfarm host configuration mode, see the "Server Farm Host Configuration Mode Commands" section.

redirect

(Optional) Specifies that the server farm consist only of real servers that redirect client requests to alternate locations specified by the relocation string or port number in the real server configuration. For details on the commands in the serverfarm redirect host configuration mode, see the "Server Farm Redirect Configuration Mode Commands" section.

name

Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the server-farm feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

After you create a server farm, you configure the other server farm attributes and add real servers to the farm. You can configure a maximum of 4096 server farms in each ACE.

Examples

To create a server farm of type host called SFARM1, enter:

host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)#

To remove a server farm called SFARM1, enter:

host1/Admin(config)# no serverfarm SFARM1

Related Commands

(config-rserver-redir) webhost-redirection

clear serverfarm

show serverfarm

(config) service-policy

To apply a previously created policy map and attach the traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context, use the service-policy command. Use the no form of this command to remove a service policy.

service-policy input policy_name

no service-policy input policy_name

Syntax Description

input

Specifies that the traffic policy is to be attached to the input direction of an interface. The traffic policy evaluates all traffic received by that interface.

policy_name

Name of a previously defined policy map, configured with a previously created policy-map command. The name can be a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Note the following when creating a service policy:

Policy maps, applied globally in a context, are internally applied on all interfaces existing in the context.

You can apply the policy in an input direction only.

A policy activated on an interface takes precedence over any global policy for overlapping classification and actions.

The ACE allows only one policy of a specific feature type to be activated on a given interface.

Examples

To specify an interface VLAN and apply the Layer 3 and Layer 4 SLB policy map to the VLAN, enter:

host1/C1(config)# interface vlan50
host1/C1(config-if)# mtu 1500
host1/C1(config-if)# ip address 172.20.1.100 255.255.0.0
host1/C1(config-if)# service-policy input L4SLBPOLICY

To globally apply the Layer 3 and Layer 4 SLB policy map to the entire context:

host1/C1(config)# service-policy input L4SLBPOLICY
 
   

To globally detach a traffic policy from a context, enter:

host1/C1(config)# no service-policy input L4SLBPOLICY

Related Commands

clear service-policy

show service-policy

(config-if) service-policy input

(config) shared-vlan-hostid

To configure a specific bank of MAC addresses for an ACE, use the shared-vlan-hostid command. Use the no form of this command to remove a configured bank of MAC addresses.

shared-vlan-hostid number

no shared-vlan-hostid

Syntax Description

number

Bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs.


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

When contexts share a VLAN, the ACE assigns a different MAC address to the VLAN on each context. The MAC addresses reserved for shared VLANs are 0x001243dc6b00 to 0x001243dcaaff, inclusive. All ACEs derive these addresses from a global pool of 16K (16,384) MAC addresses. This pool is divided into 16 banks, each containing 1,024 addresses. An ACE supports at most 1,024 shared VLANs, so it uses only one bank of MAC addresses out of the pool.

By default, the ACE randomly selects the bank of MAC addresses that it uses at boot time. However, if two ACEs in the same Layer 2 network both use shared VLANs, they may select the same bank and therefore use the same MAC addresses. To avoid this conflict, configure a different bank on each ACE.
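The bank arithmetic above is easy to get wrong when you are chasing a duplicate-MAC report on a shared Layer 2 segment. The following helpers are an added example, not part of the Cisco ACE documentation or software; they use only the figures stated here (pool 0x001243dc6b00 to 0x001243dcaaff, 16 banks of 1,024 addresses) to list the addresses a given shared-vlan-hostid bank hands out, to identify which bank produced a MAC seen on the wire, and to spot two ACEs configured with the same bank. The DEPLOYED mapping is a constructed sample.

```python
"""shared-vlan-hostid bank helpers for the Cisco ACE shared-VLAN MAC pool.

Added example, not from the Cisco ACE documentation. Pool boundaries and
bank size come from the command reference; DEPLOYED is a constructed sample.
"""
POOL_FIRST = 0x001243DC6B00
POOL_LAST = 0x001243DCAAFF
BANK_SIZE = 1024
BANK_COUNT = (POOL_LAST - POOL_FIRST + 1) // BANK_SIZE   # 16 banks


def mac_to_int(mac):
    """Accept 00:12:43:dc:6b:00, 0012.43dc.6b00, 00-12-43-dc-6b-00 or 0x001243dc6b00."""
    digits = mac.lower().replace("0x", "")
    for sep in (":", ".", "-"):
        digits = digits.replace(sep, "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value):
    """Render a 48-bit integer as colon-separated lowercase hex."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def bank_range(bank):
    """First and last MAC address handed out by shared-vlan-hostid bank 1..16."""
    if not 1 <= bank <= BANK_COUNT:
        raise ValueError(f"bank must be between 1 and {BANK_COUNT}")
    first = POOL_FIRST + (bank - 1) * BANK_SIZE
    return int_to_mac(first), int_to_mac(first + BANK_SIZE - 1)


def bank_of(mac):
    """Bank number that owns this MAC, or None if it is outside the shared pool."""
    value = mac_to_int(mac)
    if not POOL_FIRST <= value <= POOL_LAST:
        return None
    return (value - POOL_FIRST) // BANK_SIZE + 1


def bank_conflicts(assignments):
    """Given {ace_name: bank}, return {bank: [ace, ...]} for banks claimed twice."""
    owners = {}
    for ace, bank in assignments.items():
        owners.setdefault(bank, []).append(ace)
    return {bank: aces for bank, aces in owners.items() if len(aces) > 1}


# Constructed sample: two ACEs on the same segment were both left on bank 2.
DEPLOYED = {"ace-a": 2, "ace-b": 2, "ace-c": 7}

if __name__ == "__main__":
    for bank in (1, 2, 16):
        print(f"bank {bank:2d}: {bank_range(bank)[0]} .. {bank_range(bank)[1]}")
    print("bank of 0012.43dc.6f00:", bank_of("0012.43dc.6f00"))
    print("conflicts:", bank_conflicts(DEPLOYED))
```

When an upstream switch logs a MAC flapping between two ports, bank_of tells you which shared-vlan-hostid bank it came from; if bank_conflicts reports the same bank on two ACEs, reconfigure one of them with a free bank.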

Examples

To configure bank 2 of MAC addresses, enter:

host1/Admin(config)# shared-vlan-hostid 2
 
   

To remove the configured bank of MAC addresses, enter:

host1/Admin(config)# no shared-vlan-hostid 

Related Commands

(config) arp

(config) peer shared-vlan-hostid

(config) snmp-server community

To create or modify Simple Network Management Protocol (SNMP) community names and access privileges, use the snmp-server community command. Each SNMP device or member is part of a community. An SNMP community determines the access rights for each SNMP device. SNMP uses communities to establish trust between managers and agents. Use the no form of this command to remove an SNMP community.

snmp-server community community_name [group group_name | ro]

no snmp-server community community_name [group group_name | ro]

Syntax Description

community_name

SNMP community name for this system. Enter an unquoted text string with no space and a maximum of 32 alphanumeric characters.

group group_name

(Optional) Identifies the role group to which the user belongs. Enter Network-Monitor, the default group name and the only role that is supported.

Note Only network monitoring operations are supported through the ACE implementation of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, see the Virtualization Guide, Cisco ACE Application Control Engine.

ro

(Optional) Allows read-only access for this community.


Command Modes

Configuration mode

Admin and user contexts


Caution If you change the SNMP engine ID for an Admin or user context, all configured SNMP communities are deleted and all configured SNMP users become invalid. You must recreate the communities by using the snmp-server community command and the users by using the snmp-server user command in configuration mode.

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

After you create or modify a community, all SNMP devices assigned to that community as members have the same access rights (as described in RFC 2576). The ACE allows read-only access to the MIB tree for devices included in this community. The read-only community string allows a user to read data values but prevents that user from modifying the data.

SNMP communities are applicable only for SNMPv1 and SNMPv2c. SNMPv3 requires user configuration information such as specifying the role group that the user belongs to, authentication parameters for the user, authentication password, and message encryption parameters.

Examples

To specify an SNMP community called SNMP_Community1, which is a member of the Network-Monitor group, with read-only access privileges for the community, enter:

host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitor 
 
   

To remove an SNMP community, enter:

host1/Admin(config)# no snmp-server community SNMP_Community1 group Network-Monitor 

Related Commands

(config) snmp-server host

(config) snmp-server contact

To specify the contact information for the Simple Network Management Protocol (SNMP) system, use the snmp-server contact command. You can specify information for only one contact name. Use the no form of this command to remove an SNMP contact.

snmp-server contact contact_information

no snmp-server contact

Syntax Description

contact_information

SNMP contact information for this system. Enter a text string with a maximum of 240 alphanumeric characters, including spaces. If the string contains more than one word, enclose the string in quotation marks (" "). You can include information on how to contact the person; for example, you can include a phone number or an e-mail address.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You can specify only one contact name per SNMP system.

Examples

To specify SNMP system contact information, enter:

host1/Admin(config)# snmp-server contact "User1 user1@cisco.com"
 
   

To remove the specified SNMP contact information, enter:

host1/Admin(config)# no snmp-server contact

Related Commands

(config) snmp-server host

(config) snmp-server enable traps

To enable the ACE to send Simple Network Management Protocol (SNMP) traps and informs to the network management system (NMS), use the snmp-server enable traps command. This command enables both traps and inform requests for the specified notification types. Use the no form of this command to disable the sending of SNMP traps and inform requests.

snmp-server enable traps [notification_type [notification_option]]

no snmp-server enable traps [notification_type [notification_option]]

Syntax Description

notification_type

(Optional) Type of notification to enable. If no type is specified, the ACE sends all notifications. Specify one of the following keywords:

license—Sends SNMP license manager notifications. This keyword appears only in the Admin context.

slb—Sends server load-balancing notifications. When you specify the slb keyword, you can specify a notification_option value.

snmp—Sends SNMP notifications. When you specify the snmp keyword, you can specify a notification_option value.

syslog—Sends error message notifications (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history command.

virtual-context—Sends virtual context change notifications. This keyword appears only in the Admin context.

notification_option

(Optional) One of the following SNMP notifications to enable:

When you specify the snmp keyword, specify the authentication, coldstart, linkdown, or linkup keyword to enable SNMP notifications. These generate a notification when the community string in an SNMP request is incorrect (authentication), when the ACE reinitializes (coldstart), or when a VLAN interface goes down or comes up (linkdown, linkup). The coldstart keyword appears only in the Admin context.

When you specify the slb keyword, specify the real, serverfarm, or vserver keyword to enable server load-balancing notifications. This selection generates a notification if one of the following occurs:

The real server changes state (up or down) due to such occurrences as user intervention, ARP failures, and probe failures.

The virtual server changes state (up or down). The virtual server represents the servers behind the content switch in the ACE to the outside world and consists of the following attributes: destination address (can be a range of IP addresses), protocol, destination port, incoming VLAN.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A3(2.4)

The serverfarm option was added to this command.


Usage Guidelines

This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The notification types used in the snmp-server enable traps command all have an associated MIB object that globally enables or disables them. However, not all of the notification types available in the snmp-server host command have notificationEnable MIB objects, so some of the notification types cannot be controlled using the snmp-server enable traps command.

To configure the ACE to send the SNMP notifications, specify at least one snmp-server enable traps command. To enable multiple types of notifications, you must enter a separate snmp-server enable traps command for each notification type and notification option. If you enter the command without any keywords, the ACE enables all notification types and traps.

The snmp-server enable traps command is used with the snmp-server host command. The snmp-server host command specifies which host receives the SNMP notifications. To send notifications, you must configure at least one SNMP server host.

(ACE appliance only) The supported SNMP notifications (traps) in the CISCO-ENHANCED-SLB-MIB for the serverfarm option are as follows:

cesRealServerStateUpRev1 State of a real server configured in a server farm is up due to user intervention. The notification is sent with the following varbinds:

cesRealServerName

cesServerFarmRserverBackupPort

cesServerFarmName

cesServerFarmRserverAdminStatus

cesServerFarmRserverOperStatus

cesRserverIpAddressType

cesRserverIpAddress

cesServerFarmRserverDescr

cesRealServerStateDownRev1 State of a real server configured in a server farm is down due to user intervention. The notification is sent with the following varbinds:

cesRealServerName

cesServerFarmRserverBackupPort

cesServerFarmName

cesServerFarmRserverAdminStatus

cesServerFarmRserverOperStatus

cesServerFarmRserverStateDescr

cesRserverIpAddressType

cesRserverIpAddress

cesServerFarmRserverDescr

cesRealServerStateChangeRev1 State of a real server configured in a server farm changed to a new state as a result of something other than a user intervention. This notification is sent for situations such as ARP failures, probe failures, and so on. The notification is sent with the following varbinds:

cesRealServerName

cesServerFarmRserverBackupPort

cesServerFarmName

cesServerFarmRserverAdminStatus

cesServerFarmRserverOperStatus

cesServerFarmRserverStateDescr

cesRserverIpAddressType

cesRserverIpAddress

cesProbeName

cesServerFarmRserverDescr

Examples

To enable the ACE to send server load-balancing traps to the host myhost.cisco.com using the community string SNMP_Community1, enter:

host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitor
host1/Admin(config)# snmp-server host myhost.cisco.com traps version 2c SNMP_Community1
host1/Admin(config)# snmp-server enable traps slb real
 
   

To disable SNMP server notifications, enter:

host1/Admin(config)# no snmp-server enable traps slb real

Related Commands

(config) snmp-server host

(config) snmp-server engineid

To configure the SNMP engine ID for an ACE context, use the snmp-server engineid command. Use the no form of this command to reset the default engine ID for the context.

snmp-server engineid number

no snmp-server engineid number

Syntax Description

number

SNMPv3 engine ID that you want to configure. Enter 10 to 64 hexadecimal digits.


Command Modes

Configuration mode

Admin and user contexts


Caution If you change the SNMP engine ID for an Admin or user context, all configured SNMP users become invalid and all SNMP communities are deleted. You must recreate all SNMP users by using the snmp-server user command in configuration mode. You must recreate all SNMP communities by using the snmp-server community command in configuration mode.

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(2.3)

This command was introduced.


Usage Guidelines

The ACE allows you to configure an SNMP engine ID for the Admin or user context. By default, the ACE automatically creates an SNMP engine ID for the Admin context and each user context. The SNMP engine represents a logically separate SNMP agent. The IP address for an ACE context provides access to only one SNMP engine ID.

For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To configure an engine ID 88439573498573888843957349857388 for the Admin context, enter:

host1/Admin(config)# snmp-server engineID 88439573498573888843957349857388
 
   

To reset the default engine ID for the Admin context, enter:

host1/Admin(config)# no snmp-server engineID
 
   

To display the engine ID for a context, use the show snmp engineID command in Exec mode for the context. For example, to display the engine ID for the Admin context, enter:

host1/Admin# show snmp engineID

Related Commands

(config) snmp-server host
(config) snmp-server community
(config) snmp-server user

(config) snmp-server host

To specify which host receives Simple Network Management Protocol (SNMP) notifications, use the snmp-server host command. To send notifications, you must configure at least one SNMP host using the snmp-server host command. Use the no form of this command to remove the specified host.

snmp-server host host_address [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string_username [udp-port number]

no snmp-server host host_address [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string_username [udp-port number]

Syntax Description

host_address

IP address of the host (the targeted recipient). Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).

informs

(Optional) Sends SNMP inform requests to the identified host, which allows for manager-to-manager communication. Inform requests can be useful when you need more than one NMS in the network.

traps

(Optional) Sends SNMP traps to the identified host. An agent uses a trap to tell the NMS that a problem has occurred. The trap originates from the agent and is sent to the trap destination, as configured within the agent itself. The trap destination is typically the IP address of the NMS.

version

(Optional) Specifies the version of SNMP used to send the traps. SNMPv3 is the most secure model because it allows packet encryption with the priv keyword.

1

Specifies SNMPv1.

2c

Specifies SNMPv2C.

3

Specifies SNMPv3.

auth

Enables packet authentication with Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) but no encryption (the authNoPriv security level).

noauth

Specifies the noAuthNoPriv security level.

priv

Enables packet authentication together with Data Encryption Standard (DES) packet encryption (privacy), the authPriv security level.

community-string_username

SNMP community string or username with the notification operation to send. Enter an unquoted text string with no space and a maximum of 32 alphanumeric characters.

udp-port number

(Optional) Specifies the UDP port on the host to send notifications to. The default is 162. Enter a number from 0 to 65535.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The ACE supports a maximum of 10 SNMP hosts per context.

Examples

To specify the recipient of an SNMP notification, enter:

host1/Admin(config)# snmp-server host 192.168.1.1 traps version 2c abcddsfsf udp-port 500
 
   

To remove the specified host, enter:

host1/Admin(config)# no snmp-server host 192.168.1.1 traps version 2c abcddsfsf udp-port 500

Related Commands

(config) snmp-server enable traps

(config) snmp-server location

To specify the Simple Network Management Protocol (SNMP) system location, use the snmp-server location command. You can specify only one location. Use the no form of this command to remove the SNMP system location.

snmp-server location location

no snmp-server location

Syntax Description

location

Physical location of the system. Enter a text string with a maximum of 240 alphanumeric characters, including spaces. If the string contains more than one word, enclose the string in quotation marks (" ").


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You can specify only one location per SNMP system.

Examples

To specify SNMP system location information, enter:

host1/Admin(config)# snmp-server location "Boxborough MA"
 
   

To remove the specified SNMP system location information, enter:

host1/Admin(config)# no snmp-server location

Related Commands

(config) snmp-server community

(config) snmp-server trap link ietf

To instruct the ACE to send the linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863) variable bindings that consist of ifIndex, ifAdminStatus, and ifOperStatus, use the snmp-server trap link ietf command. Use the no form of this command to revert to the Cisco implementation of linkUp and linkDown traps.

snmp-server trap link ietf

no snmp-server trap link ietf

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

By default, the ACE sends the Cisco implementation of linkUp and linkDown traps to the NMS. The ACE sends the Cisco Systems IF-MIB variable bindings that consist of ifIndex, ifAdminStatus, ifOperStatus, ifName, ifType, clogOriginID, and clogOriginIDType. You can configure the ACE to send the IETF standards-based implementation for linkUp and linkDown traps (as outlined in RFC 2863).

The Cisco var-binds are sent by default. To receive RFC 2863-compliant traps, you must specify the snmp-server trap link ietf command.

Examples

To configure the linkUp and linkDown traps to be compliant with RFC 2863, enter:

host1/Admin(config)# snmp-server trap link ietf 
 
   

To revert to the Cisco implementation of linkUp and linkDown traps, enter:

host1/Admin(config)# no snmp-server trap link ietf 

Related Commands

(config) snmp-server enable traps

(config) snmp-server trap-source vlan

To specify the use of the IP address configured on a VLAN as the trap-source address in the SNMPv1 trap PDU, use the snmp-server trap-source vlan command. If the VLAN interface does not contain a valid IP address, the sending of notifications fails for SNMPv1 traps. Use the no form of this command to remove the specified VLAN as the source address in the SNMPv1 trap PDU and reset the default behavior.

snmp-server trap-source vlan number

no snmp-server trap-source vlan number

Syntax Description

number

VLAN number of the configured interface. Enter a value from 2 to 4094 for an existing VLAN.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A3(2.1)

You can no longer select the VLAN number of the FT VLAN interface that has been specified between redundant ACE appliances as the trap source address contained in the SNMP v1 trap PDU.


Usage Guidelines

By default, the ACE selects the trap source IP address from its internal routing table, based on the destination host address to which the ACE sends the notification.

For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(ACE appliance only) The ACE restricts you from selecting the VLAN number of the FT VLAN interface that has been specified between redundant ACE appliances as the trap source address contained in the SNMP v1 trap PDU.

Examples

To specify VLAN 50 in the VLAN interface as the source address in the SNMPv1 trap PDUs, enter:

host1/Admin(config)# snmp-server trap-source vlan 50
 
   

To remove the specified VLAN as the source address in the SNMPv1 trap PDU and reset the default behavior, enter:

host1/Admin(config)# no snmp-server trap-source

Related Commands

(config) snmp-server enable traps

(config) snmp-server unmask-community

To unmask the snmpCommunityName and snmpCommunitySecurityName OIDs of the SNMP-COMMUNITY-MIB, use the snmp-server unmask-community command. By default, these OIDs are masked. Use the no form of this command to mask these OIDs.

snmp-server unmask-community

no snmp-server unmask-community

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.5)

This command was introduced.


ACE Appliance Release
Modification

A3(2.3)

This command was introduced.


Usage Guidelines

This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Leave these OIDs masked unless a management application needs to read the community table. Once unmasked, any manager that can poll the SNMP-COMMUNITY-MIB can read the configured community names, and those names are also the credentials for SNMPv1 and SNMPv2c access to the context.

Examples

To unmask the snmpCommunityName and snmpCommunitySecurityName OIDs, enter:

host1/Admin(config)# snmp-server unmask-community
 
   

To mask these OIDs again (the default), enter:

host1/Admin(config)# no snmp-server unmask-community

Related Commands

This command has no related commands.

(config) snmp-server user

To configure Simple Network Management Protocol (SNMP) user information, use the snmp-server user command. Use the no form of this command to disable the SNMP user configuration or to remove an SNMP user.

snmp-server user user_name [group_name] [auth {md5 | sha} password1 [priv [aes-128] password2] [localizedkey]]

no snmp-server user user_name [group_name] [auth {md5 | sha} password1 [priv [aes-128] password2] [localizedkey]]

Syntax Description

user_name

Username. Enter an unquoted text string with no spaces and a maximum of 24 alphanumeric characters.

group_name

(Optional) User role group to which the user belongs. Enter Network-Monitor, the default group name and the only role that is supported.

Note Only network monitoring operations are supported through the ACE implementation of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, see the Virtualization Guide, Cisco ACE Application Control Engine.

auth

(Optional) Sets authentication parameters for the user. Authentication determines that the message is from a valid source.

md5

Specifies the HMAC-MD5 (Message Digest 5) authentication algorithm for user authentication.

sha

Specifies the HMAC-SHA (Secure Hash Algorithm) authentication algorithm for user authentication.

password1

User authentication password. Enter an unquoted text string with no space and a maximum of 130 alphanumeric characters. The ACE automatically synchronizes the SNMP authentication password as the password for the CLI user. The ACE supports the following special characters in a password:

, . / = + - ^ @ ! % ~ # $ * ( )

Note that the ACE encrypts clear text passwords in the running-config.

priv

(Optional) Specifies encryption parameters for the user. The priv option and the aes-128 option indicate that this privacy password is for generating a 128-bit AES key.

aes-128

(Optional) Specifies the 128-bit Advanced Encryption Standard (AES) algorithm for privacy. AES is a symmetric cipher and is one of the privacy protocols for SNMP message encryption. It conforms with RFC 3826.

password2

Encryption password for the user. The AES priv password can have a minimum of eight alphanumeric characters. If the passphrases are specified in clear text, you can specify a maximum of 64 alphanumeric characters. If you use the localized key, you can specify a maximum of 130 alphanumeric characters. Spaces are not allowed. The ACE supports the following special characters in a password:

, . / = + - ^ @ ! % ~ # $ * ( )

Note that the ACE encrypts clear text passwords in the running-config.

localizedkey

(Optional) Specifies that the password is in a localized key format for security encryption.


Command Modes

Configuration mode

Admin and user contexts


Note If you change the SNMP engine ID for an Admin or user context, all configured SNMP users become invalid. You must recreate all SNMP users by using the snmp-server user command in configuration mode.


Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To assign multiple roles to a user, enter multiple snmp-server user commands.

You can create a maximum of 28 SNMP users for each context.

User configuration through the snmp-server user command is applicable only for SNMPv3; SNMPv1 and SNMPv2c use a community string match for user authentication.

The ACE synchronizes the interactions between a user created with the username command and the same user specified using the snmp-server user command; updates made to a user configuration in the ACE CLI are automatically reflected in the SNMP server. For example, when you delete a user, the user is automatically deleted from both the SNMP server and the CLI. In addition, user-role mapping changes are synchronized in SNMP and CLI.

Only network monitoring operations are supported through the ACE implementation of SNMP where all SNMP users are automatically assigned to the system-defined default group of Network-Monitor.

Examples

To set the user information, enter:

host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# snmp-server user joe Network-Monitor auth sha abcd1234
host1/Admin(config)# snmp-server user sam Network-Monitor auth md5 abcdefgh
host1/Admin(config)# snmp-server user Bill Network-Monitor auth sha abcd1234 priv abcdefgh
 
   

To disable the SNMP user configuration or to remove an SNMP user, enter:

host1/Admin(config)# no snmp-server user Bill Network-Monitor auth sha abcd1234 priv 
abcdefgh

Related Commands

(config) snmp-server community
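The snmp-server community, host, user, engineid and unmask-community commands above together decide how much an SNMP peer can learn from a context and how well each exchange is protected. The following script is an added example, not part of the Cisco ACE documentation or software: it parses the snmp-server lines of a context configuration using the syntax documented in this reference and reports the settings a security reviewer would question (SNMPv1/v2c communities, trap hosts that send the community in the clear or use the SNMPv3 noauth level, SNMPv3 users without a priv password or using MD5, malformed engine IDs, and an unmasked SNMP-COMMUNITY-MIB). CONFIG is a constructed sample modelled on the examples on this page; the rule names, the WEAK_COMMUNITIES list and the assumption that priv without aes-128 means DES are the script's own.

```python
"""Audit the snmp-server lines of a Cisco ACE context configuration.

Added example, not part of the Cisco ACE documentation or software. CONFIG is
a constructed sample modelled on the examples in this command reference. The
parser follows the snmp-server syntax documented there; the rule names, the
WEAK_COMMUNITIES list and the DES assumption are this script's own.
"""
import re
import shlex

# Well-known default community strings (assumption: not ACE defaults, but
# common operator choices and the first thing any scanner tries).
WEAK_COMMUNITIES = {"public", "private"}
ENGINE_ID_RE = re.compile(r"^[0-9A-Fa-f]{10,64}$")   # 10 to 64 hex digits

CONFIG = """\
snmp-server contact "User1 user1@cisco.com"
snmp-server community public group Network-Monitor
snmp-server community SNMP_Community1 group Network-Monitor
snmp-server user joe Network-Monitor auth sha abcd1234
snmp-server user sam Network-Monitor auth md5 abcdefgh
snmp-server user Bill Network-Monitor auth sha abcd1234 priv abcdefgh
snmp-server user ops Network-Monitor auth sha abcd1234 priv aes-128 abcdefgh
snmp-server host 192.168.1.1 traps version 2c abcddsfsf udp-port 500
snmp-server host 192.168.1.2 traps version 3 noauth joe
snmp-server host 192.168.1.3 informs version 3 priv ops
snmp-server engineID 88439573498573888843957349857388
snmp-server unmask-community
"""


def parse_host(tok):
    """Return (address, version, level, name) from a tokenized host line.

    Grammar: snmp-server host ADDR [informs | traps]
             [version {1 | 2c | 3 {auth | noauth | priv}}] NAME [udp-port N]
    version and level are None when the keyword is omitted.
    """
    i = 2
    addr = tok[i]
    i += 1
    if i < len(tok) and tok[i] in ("informs", "traps"):
        i += 1
    version = level = None
    if i < len(tok) and tok[i] == "version":
        version = tok[i + 1]
        i += 2
        if version == "3":
            level = tok[i]
            i += 1
    name = tok[i] if i < len(tok) else None
    return addr, version, level, name


def parse_user(tok):
    """Return (name, auth_algo, priv_algo) from a tokenized user line."""
    auth = priv = None
    if "auth" in tok:
        auth = tok[tok.index("auth") + 1]
    if "priv" in tok:
        # Assumption: without the aes-128 keyword the privacy protocol is DES,
        # the only other SNMPv3 cipher this reference mentions.
        priv = "aes-128" if tok[tok.index("priv") + 1] == "aes-128" else "des"
    return tok[2], auth, priv


def audit_snmp(config_text):
    """Return a list of (line_number, rule, detail) findings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = shlex.split(raw.strip())           # handles quoted contact/location
        if len(tok) < 2 or tok[0] != "snmp-server":
            continue
        sub = tok[1].lower()
        if sub == "unmask-community":
            findings.append((lineno, "community-mib-unmasked", "community names readable via SNMP"))
            continue
        if len(tok) < 3:
            continue
        if sub == "community":
            rule = "default-community" if tok[2].lower() in WEAK_COMMUNITIES else "v1v2c-community"
            findings.append((lineno, rule, tok[2]))
        elif sub == "host":
            addr, version, level, _ = parse_host(tok)
            if version != "3":                    # v1/v2c: community travels in the clear
                findings.append((lineno, "host-cleartext", f"{addr} version {version or 'unset'}"))
            elif level != "priv":                 # v3 without encryption
                findings.append((lineno, "host-unencrypted", f"{addr} {level}"))
        elif sub == "user":
            name, auth, priv = parse_user(tok)
            if auth is None:
                findings.append((lineno, "user-noauth", name))
                continue
            if auth == "md5":
                findings.append((lineno, "user-md5", name))
            if priv is None:
                findings.append((lineno, "user-nopriv", name))
            elif priv == "des":
                findings.append((lineno, "user-des", name))
        elif sub == "engineid" and not ENGINE_ID_RE.match(tok[2]):
            findings.append((lineno, "engineid-malformed", tok[2]))
    return findings


if __name__ == "__main__":
    for lineno, rule, detail in audit_snmp(CONFIG):
        print(f"line {lineno}: {rule} {detail}")
```

Feed it a saved copy of the context's running configuration. Every SNMPv1/v2c community is reported, not only the well-known ones, because the community string is the whole credential and is sent unencrypted; the only clean lines in the sample are the user with auth sha and priv aes-128, the host that uses that user at the priv level, and the well-formed engine ID. Remember that the ACE synchronizes the SNMPv3 auth password with the CLI password of the same username, so a weak SNMP password is also a weak login password.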

(config) ssh key

To generate the Secure Shell (SSH) private key and the corresponding public key for use by the SSH server, use the ssh key command. Use the no form of this command to remove an SSH key pair.

ssh key {dsa | rsa | rsa1} [bits [force]]

no ssh key {dsa | rsa | rsa1}

Syntax Description

dsa

Generates the DSA key pair for the SSH version 2 protocol.

rsa

Generates the RSA key pair for the SSH version 2 protocol.

rsa1

Generates the RSA1 key pair for the SSH version 1 protocol.

bits

(Optional) Number of bits for the key pair. For DSA, enter an integer from 768 to 2048. For RSA and RSA1, enter an integer from 768 to 4096. The greater the number of bits that you specify, the longer it takes to generate the key. The default is 1024.

force

(Optional) Forces the generation of a DSA or RSA key even when previous keys exist. If the SSH key pair option is already generated for the required version, use the force option to overwrite the previously generated key pair.


Command Modes

Configuration mode

Admin context only

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Before you generate the key, set the hostname. This setting is used in the generation of the key.

The global administrator generates the keys in the Admin context, and all contexts on the ACE share them. The ACE keeps only a single host key pair of each type (rsa1, rsa, and dsa).

If you are the administrator or another user authorized in the Admin context, use the changeto command in exec mode to move to the Admin context. An administrator can perform all allowable functions within the Admin context.

Ensure that you have an SSH host key pair of the appropriate type before you enable the SSH service. The SSH service accepts three types of key pair (rsa1 for SSH version 1; rsa and dsa for SSH version 2); generate the type that your SSH clients use. Generate an rsa1 key only if you must support SSH version 1 clients: SSH version 1 has known protocol weaknesses, and offering an rsa1 key allows clients to connect with the weaker protocol. The 1024-bit default is small by current standards; for rsa, specify 2048 bits or more.

Examples

To generate an RSA1 key pair in the Admin context, enter:

host1/Admin(config)# ssh key rsa1 768
generating rsa1 key(768 bits).....
.
generated rsa1 key
 
   

To remove the SSH host key pair, enter:

host1/Admin(config)# no ssh key rsa1
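After you generate the host key, verify from a client what the ACE actually presents: ssh-keyscan -t rsa <ace-address> prints one known_hosts-style line per key type. The following script, added here as an illustration and not part of the ACE software or of this reference, parses such a line in the SSH public-key wire format (a length-prefixed type string followed by mpints) and reports the modulus size, flagging anything below an assumed 2048-bit minimum. The host names ace-1024, ace-3072 and ace-dsa, the sample lines and the key numbers are constructed for the example and are not real keys.

```python
"""Check the size of the host key an SSH server presents, from a known_hosts
or ssh-keyscan line.  Added illustration, not ACE code; the sample keys are
constructed with build_key_line() and are not real keys."""
import base64
import struct

MIN_BITS = 2048  # assumed policy threshold for this example


def _string(value: bytes) -> bytes:
    """SSH 'string' wire type: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(value)) + value


def _mpint(value: int) -> bytes:
    """SSH 'mpint': big-endian two's complement; a 0x00 pad when the top bit is set."""
    return _string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, off: int):
    """Read one SSH 'string' at offset off; return (bytes, next offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + length], off + length


def build_key_line(host: str, ktype: str, *numbers: int) -> str:
    """Build a known_hosts-style line from integers (constructed test data)."""
    blob = _string(ktype.encode()) + b"".join(_mpint(n) for n in numbers)
    return f"{host} {ktype} {base64.b64encode(blob).decode()}"


def host_key_bits(line: str):
    """Return (host, key type, size in bits of the RSA modulus or DSA prime p)."""
    host, ktype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    name, off = _read_string(blob, 0)
    if name.decode() != ktype:
        raise ValueError("key type field does not match the blob")
    if ktype == "ssh-rsa":          # string "ssh-rsa", mpint e, mpint n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return host, ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":          # string "ssh-dss", mpint p, q, g, y
        p, _ = _read_string(blob, off)
        return host, ktype, int.from_bytes(p, "big").bit_length()
    raise ValueError(f"unsupported key type {ktype}")


def audit(lines, minimum=MIN_BITS):
    """Return (host, type, bits, meets_minimum) for every key line."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):   # skip blank and comment lines
            continue
        host, ktype, bits = host_key_bits(line)
        findings.append((host, ktype, bits, bits >= minimum))
    return findings


# Constructed sample input: the numbers below are stand-ins for real key material.
SAMPLE = [
    "# constructed comment line, as a scan tool might emit",
    build_key_line("ace-1024", "ssh-rsa", 65537, (1 << 1023) | 0x10001),
    build_key_line("ace-3072", "ssh-rsa", 65537, (1 << 3071) | 0x10001),
    build_key_line("ace-dsa", "ssh-dss", (1 << 1023) | 1, 1, 2, 3),
]

if __name__ == "__main__":
    for host, ktype, bits, ok in audit(SAMPLE):
        print(f"{host:10} {ktype:8} {bits:5} bits  {'ok' if ok else 'BELOW MINIMUM'}")
```

Feed the script real lines from ssh-keyscan to confirm that the size configured with ssh key rsa is what clients see; an ACE still offering a 768- or 1024-bit key shows up as BELOW MINIMUM.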

Related Commands

(config) ssh maxsessions

(config-cmap-mgmt) match protocol

(config) ssh maxsessions

To control the maximum number of Secure Shell (SSH) sessions allowed for each context, use the ssh maxsessions command. By default, the ACE supports four concurrent SSH management sessions for each user context and 16 concurrent SSH management sessions for the Admin context. Use the no form of this command to revert to the default number of SSH sessions.

ssh maxsessions max_sessions

no ssh maxsessions

Syntax Description

max_sessions

Maximum number of concurrent SSH sessions allowed for the associated context. The range is from 1 to 4 SSH sessions per user context and from 1 to 16 SSH sessions for the Admin context. The defaults are 4 (user context) and 16 (Admin context).


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The ACE supports a total maximum of 256 concurrent SSH sessions.

Examples

To set the maximum number of concurrent SSH sessions in the Admin context to 3, enter:

host1/Admin(config)# ssh maxsessions 3
 
   

To revert to the default of 16 SSH sessions for the Admin context, enter:

host1/Admin(config)# no ssh maxsessions

Related Commands

(config) ssh key

(config-cmap-mgmt) match protocol

(config) ssl-proxy service

To create a Secure Sockets Layer (SSL) proxy service, use the ssl-proxy service command. For SSL termination, you configure the ACE with an SSL proxy server service because the ACE acts as an SSL server. Once you create an SSL proxy service, the CLI enters into the ssl-proxy configuration mode, where you define each of the proxy service attributes that the ACE uses during the SSL handshake. Use the no form of this command to delete an existing SSL proxy service.

ssl-proxy service pservice_name

no ssl-proxy service pservice_name

Syntax Description

pservice_name

Name of the SSL proxy service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

When you create an SSL proxy service, the CLI prompt changes to the ssl-proxy configuration mode, where you define the following SSL proxy service attributes:

Authentication group

Certificate

Key pair

Chain group

Parameter map

For information about the commands in SSL proxy configuration mode, see the "SSL Proxy Configuration Mode Commands" section.

Examples

To create the SSL proxy service PSERVICE_SERVER, enter:

host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)#
 
   

To delete an existing SSL proxy service, enter:

host1/Admin(config)# no ssl-proxy service PSERVICE_SERVER

Related Commands

(config-ssl-proxy) cert

(config-ssl-proxy) authgroup

(config-ssl-proxy) chaingroup

(config-ssl-proxy) key

(config-ssl-proxy) ssl advanced-options

(config) static

(ACE module only) To configure the static NAT overwrite feature, use the static command. By default, the ACE allows a maximum of 8 K static NAT configurations; this feature raises the maximum to 400 K. Use the no form of this command to restore the default behavior.

static vlan mapped_vlan_id vlan real_vlan_id mapped_ip_address {real_ip_address [netmask mask]}

no static vlan mapped_vlan_id vlan real_vlan_id mapped_ip_address {real_ip_address [netmask mask]}

Syntax Description

mapped_vlan_id

The VLAN ID of the interface connected to the mapped IP address network. In a context, the mapped interface must be the same in each static NAT configuration.

real_vlan_id

The VLAN ID of the interface connected to the real IP address network.

mapped_ip_address

The translated IP address for the real address. Enter an IP address in dotted-decimal notation (for example, 172.27.16.10). In a context, the mapped IP address must be different in each static NAT configuration.

real_ip_address

The real server IP address for translation. Enter an IP address in dotted-decimal notation (for example, 172.27.16.10). In a context, you must configure a different address for configurations that have the same real server interface.

netmask mask

(Optional) Specifies the subnet mask for the real server address. Enter a subnet mask in dotted-decimal notation (for example, 255.255.255.0).


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.
A5(1.0)                 This command was deprecated.


Usage Guidelines

This command requires the NAT feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The ACE creates the static connections that carry these NATs as soon as the configuration is applied. Because the connections exist before any packet arrives, no ACL entry is required to permit the translated flows. Review each static mapping as carefully as you would an explicit permit entry, because it admits traffic to the real address through the mapped address without an ACL having to allow it.

When using the static command, consider the following restrictions:

The ACE supports this configuration only in routed mode.

The ACE allows only one mapped interface in a context. However, each static NAT configuration must have a different mapped IP address.

The ACE does not support bidirectional NAT, source address and destination address translation for the same flow.

You must limit the number of real server IP addresses on the same subnet as the real interface to less than 1 K. Also, limit the number of mapped IP addresses on the same subnet as the mapped interface to less than 1 K.

You must not configure more than one next-hop at any point on the mapped interface.

We recommend that you do not configure MPC-based NAT in the same context in which you configure the static command.

Examples

To create a static NAT configuration with mapped interface VLAN 176, real server interface VLAN 171, and the real server IP address 10.81.0.2 (netmask 255.255.255.255) translated to the mapped address 5.6.7.4, enter:

host1/C1(config)# static vlan 176 vlan 171 5.6.7.4 10.81.0.2 netmask 255.255.255.255
 
   

To remove this configuration, enter:

host1/C1(config)# no static vlan 176 vlan 171 5.6.7.4 10.81.0.2 netmask 255.255.255.255
 
   

Related Commands

show nat-fabric
show running-config

(config) sticky http-content

To create a sticky group for HTTP content stickiness, use the sticky http-content command. The prompt changes to the sticky HTTP content configuration mode (config-sticky-content). Use the no form of this command to remove the sticky group from the configuration.

sticky http-content name

no sticky http-content name

Syntax Description

name

Unique identifier of the sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

This command requires the sticky feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness. Otherwise, the feature will not work. For more information about allocating resources, see the Virtualization Guide, Cisco ACE Application Control Engine.

For information about the commands in sticky HTTP content configuration mode, see the "Sticky HTTP Content Configuration Mode Commands" section.

Examples

To create a sticky group for HTTP packet content stickiness, enter:

host1/Admin(config)# sticky http-content HTTP_CONTENT_GROUP
host1/Admin(config-sticky-content)#
 
   

To remove the sticky group from the configuration, enter:

host1/Admin(config)# no sticky http-content HTTP_CONTENT_GROUP

Related Commands

show running-config
show sticky database

(config) sticky http-cookie

To configure the ACE to use HTTP cookies for stickiness and enter sticky cookie configuration mode, use the sticky http-cookie command. The CLI prompt changes to (config-sticky-cookie). The ACE uses the learned cookie to provide stickiness between a client and a server for the duration of a transaction. Use the no form of this command to remove the sticky group from the configuration.

sticky http-cookie name1 name2

no sticky http-cookie name1 name2

Syntax Description

name1

Name of the cookie whose value the ACE learns from the Cookie header of the client request or from the Set-Cookie header of the server response. Enter a unique identifier for the cookie as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

name2

Unique identifier of the sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

This command requires the sticky feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness. Otherwise, the feature will not work. For more information about allocating resources, see the Virtualization Guide, Cisco ACE Application Control Engine.

For information about the commands in sticky cookie configuration mode, see the "Sticky HTTP Cookie Configuration Mode Commands" section.

Examples

To create a sticky group for cookie stickiness, enter:

host1/Admin(config)# sticky http-cookie cisco.com GROUP3
 
   

To remove the sticky group from the configuration, enter:

host1/Admin(config)# no sticky http-cookie cisco.com GROUP3

Related Commands

show running-config
show sticky database

(config) sticky http-header

To create an HTTP header sticky group to enable the ACE to stick client connections to the same real server based on HTTP headers, use the sticky http-header command. The prompt changes to the sticky-header configuration mode (config-sticky-header). Use the no form of this command to remove the sticky group from the configuration.

sticky http-header name1 name2

no sticky http-header name1 name2

Syntax Description

name1

HTTP header name. Enter the HTTP header name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. Alternatively, you can select one of the following standard headers:

Accept

Accept-Charset

Accept-Encoding

Accept-Language

Authorization

Cache-Control

Connection

Content-MD5

Expect

From

Host

If-Match

Pragma

Referer

Transfer-Encoding

User-Agent

Via

See the Server Load-Balancing Guide, Cisco ACE Application Control Engine for a definition of each standard header.

name2

Unique identifier of the sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

This command requires the sticky feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness. Otherwise, the feature will not work. For more information about allocating resources, see the Virtualization Guide, Cisco ACE Application Control Engine.

For information about the commands in HTTP sticky header configuration mode, see the "Sticky HTTP Header Configuration Mode Commands" section.

Examples

To create a group for HTTP header stickiness, enter:

host1/Admin(config)# sticky http-header Host GROUP4
host1/Admin(config-sticky-header)#
 
   

To remove the sticky group from the configuration, enter:

host1/Admin(config)# no sticky http-header Host GROUP4

Related Commands

show running-config
show sticky database

(config) sticky ip-netmask

To create a sticky group for IP address stickiness, use the sticky ip-netmask command. The prompt changes to the sticky-IP configuration mode (config-sticky-ip). You can create a maximum of 4096 sticky groups on an ACE. Use the no form of this command to remove the sticky group from the configuration.

sticky ip-netmask netmask address {both | destination | source} name

no sticky ip-netmask netmask address {both | destination | source} name

Syntax Description

netmask

Network mask that the ACE applies to the IP address. Enter a network mask in dotted-decimal notation (for example, 255.255.255.0).

address {both | destination | source}

Specifies the IP address used for stickiness. Enter one of the following options after the address keyword:

both—Specifies that the ACE use both the source IP address and the destination IP address to stick the client to a server.

destination—Specifies that the ACE use the destination address specified in the client request to stick the client to a server. You typically use this keyword in caching environments.

source—Specifies that the ACE use the client source IP address to stick the client to a server. You typically use this keyword in web application environments.

name

Unique identifier of the sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

This command requires the sticky feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness. Otherwise, the feature will not work. For more information about allocating resources, see the Virtualization Guide, Cisco ACE Application Control Engine.

For information about the commands in sticky IP configuration mode, see the "Sticky IP Configuration Mode Commands" section.

Examples

To create a sticky group that uses IP address stickiness based on both the source IP address and the destination IP address, enter:

host1/Admin(config)# sticky ip-netmask 255.255.255.0 address both GROUP1
host1/Admin(config-sticky-ip)#
 
   

To remove the sticky group from the configuration, enter:

host1/Admin(config)# no sticky ip-netmask 255.255.255.0 address both GROUP1
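The sticky http-cookie, sticky http-header and sticky ip-netmask commands above differ only in what the ACE derives the sticky key from. The Python model below is an added illustration, not ACE code: ip_key applies the netmask before the lookup, cookie_key learns the named cookie from a client Cookie header or a server Set-Cookie header, header_key reads a named header, and a small StickyTable pins each newly learned key to the next real server in round-robin order. The group names, the server names rs1 and rs2, the addresses and the HTTP headers are constructed for the example. Note what the /24 mask in the GROUP1 case does: two different clients in 192.0.2.0/24 share one entry, so every client behind a single NAT address or within one subnet sticks to the same real server.

```python
"""Model of how ACE sticky groups derive their key for ip-netmask, http-cookie
and http-header stickiness.  Added illustration, not ACE code; StickyTable and
the sample traffic in demo() are constructed for it."""
import ipaddress
from http.cookies import SimpleCookie


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def ip_key(src, dst, netmask, address="source"):
    """Key for 'sticky ip-netmask <netmask> address {source|destination|both}'.
    The mask is applied before the lookup, so all clients inside one masked
    prefix share a single sticky entry."""
    mask = int(ipaddress.IPv4Address(netmask))

    def masked(ip):
        return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & mask))

    if address == "source":
        return masked(src)
    if address == "destination":
        return masked(dst)
    if address == "both":
        return masked(src) + ">" + masked(dst)
    raise ValueError("address must be source, destination or both")


def cookie_key(headers, cookie_name):
    """Key for 'sticky http-cookie <name1> <name2>': the named cookie's value,
    learned from a client Cookie header or a server Set-Cookie header."""
    for hname in ("Cookie", "Set-Cookie"):
        raw = _header(headers, hname)
        if raw is None:
            continue
        jar = SimpleCookie()
        jar.load(raw)
        if cookie_name in jar:
            return jar[cookie_name].value
    return None


def header_key(headers, header_name):
    """Key for 'sticky http-header <name1> <name2>': the named header's value."""
    return _header(headers, header_name)


class StickyTable:
    """Round-robin over real servers, pinned once a sticky key has been learned."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.entries = {}        # (group name, key) -> real server
        self._next = 0

    def _round_robin(self):
        server = self.servers[self._next % len(self.servers)]
        self._next += 1
        return server

    def choose(self, group, key):
        if key is None:          # nothing to stick on: plain load balancing
            return self._round_robin()
        if (group, key) not in self.entries:
            self.entries[(group, key)] = self._round_robin()
        return self.entries[(group, key)]


def demo():
    """Constructed traffic showing how each group type pins clients."""
    table = StickyTable(["rs1", "rs2"])
    out = {}
    # GROUP1, /24 source mask: two different clients in 192.0.2.0/24 land on
    # the same real server, as every client behind one NAT address would.
    out["ip_a"] = table.choose("GROUP1", ip_key("192.0.2.10", "203.0.113.5", "255.255.255.0"))
    out["ip_b"] = table.choose("GROUP1", ip_key("192.0.2.20", "203.0.113.5", "255.255.255.0"))
    # GROUP2, host mask: the same two clients are kept apart.
    out["ip_c"] = table.choose("GROUP2", ip_key("192.0.2.10", "203.0.113.5", "255.255.255.255"))
    out["ip_d"] = table.choose("GROUP2", ip_key("192.0.2.20", "203.0.113.5", "255.255.255.255"))
    # GROUP3: cookie value learned from the server's Set-Cookie, then matched
    # on the client's Cookie header (any header-name case) on the next request.
    response = {"Set-Cookie": "cisco.com=7f3a; Path=/; HttpOnly"}
    out["cookie_first"] = table.choose("GROUP3", cookie_key(response, "cisco.com"))
    request = {"cookie": "lang=en; cisco.com=7f3a"}
    out["cookie_next"] = table.choose("GROUP3", cookie_key(request, "cisco.com"))
    # GROUP4: Host header.
    out["host_a"] = table.choose("GROUP4", header_key({"Host": "shop.example"}, "Host"))
    out["host_b"] = table.choose("GROUP4", header_key({"host": "shop.example"}, "Host"))
    return out


if __name__ == "__main__":
    for name, server in demo().items():
        print(f"{name:13} -> {server}")
```

When choosing a netmask for sticky ip-netmask, remember that the masked prefix is the key: a wide mask reduces sticky table size but funnels whole subnets, including everything behind a shared NAT address, onto one real server.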

Related Commands

show running-config
show sticky database

(config) sticky layer4-payload

To create a sticky group for Layer 4 payload stickiness, use the sticky layer4-payload command. The prompt changes to the sticky Layer 4 payload configuration mode (config-sticky-l4payloa). Use the no form of this command to remove the sticky group from the configuration.

sticky layer4-payload name

no sticky layer4-payload name

Syntax Description

name

Unique identifier of the sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines