Command Reference vA5(1.0) and earlier, Cisco ACE Application Control Engine
Policy Map Configuration Mode Commands

Table Of Contents

Policy Map Configuration Mode Commands

(config-pmap) class

(config-pmap) description

Policy Map Class Configuration Mode Commands

(config-pmap-c) appl-parameter dns advanced-options

(config-pmap-c) appl-parameter generic advanced-options

(config-pmap-c) appl-parameter http advanced-options

(config-pmap-c) appl-parameter rtsp advanced-options

(config-pmap-c) appl-parameter sip advanced-options

(config-pmap-c) appl-parameter skinny advanced-options

(config-pmap-c) connection advanced-options

(config-pmap-c) inspect

(config-pmap-c) kal-ap primary-oos

(config-pmap-c) kal-ap-tag

(config-pmap-c) loadbalance policy

(config-pmap-c) loadbalance vip advertise

(config-pmap-c) loadbalance vip icmp-reply

(config-pmap-c) loadbalance vip inservice

(config-pmap-c) loadbalance vip udp-fast-age

(config-pmap-c) nat dynamic

(config-pmap-c) nat static

(config-pmap-c) ssl-proxy

Policy Map FTP Inspection Configuration Mode Commands

(config-pmap-ftp-ins) class

(config-pmap-ftp-ins) description

(config-pmap-ftp-ins) match request-method

Policy Map FTP Inspection Class Configuration Mode Commands

(config-pmap-ftp-ins-c) deny

(config-pmap-ftp-ins-c) mask-reply

Policy Map FTP Inspection Match Configuration Mode Commands

(config-pmap-ftp-ins-m) deny

(config-pmap-ftp-ins-m) mask-reply

Policy Map Inspection HTTP Configuration Mode Commands

(config-pmap-ins-http) class

(config-pmap-ins-http) description

(config-pmap-ins-http) match content

(config-pmap-ins-http) match content length

(config-pmap-ins-http) match content-type-verification

(config-pmap-ins-http) match cookie secondary

(config-pmap-ins-http) match header

(config-pmap-ins-http) match header length

(config-pmap-ins-http) match header mime-type

(config-pmap-ins-http) match port-misuse

(config-pmap-ins-http) match request-method

(config-pmap-ins-http) match strict-http

(config-pmap-ins-http) match transfer-encoding

(config-pmap-ins-http) match url

(config-pmap-ins-http) match url length

Policy Map Inspection HTTP Class Configuration Mode Commands

(config-pmap-ins-http-c) passthrough log

(config-pmap-ins-http-c) permit

(config-pmap-ins-http-c) reset

Policy Map Inspection HTTP Match Configuration Mode Commands

(config-pmap-ins-http-m) passthrough log

(config-pmap-ins-http-m) permit

(config-pmap-ins-http-m) reset

Policy Map Inspection SIP Configuration Mode Commands

(config-pmap-ins-sip) class

(config-pmap-ins-sip) description

(config-pmap-ins-sip) match called-party

(config-pmap-ins-sip) match calling-party

(config-pmap-ins-sip) match content

(config-pmap-ins-sip) match im-subscriber

(config-pmap-ins-sip) match message-path

(config-pmap-ins-sip) match request-method

(config-pmap-ins-sip) match third-party registration

(config-pmap-ins-sip) match uri

Policy Map Inspection SIP Class Configuration Mode Commands

(config-pmap-ins-sip-c) drop

(config-pmap-ins-sip-c) log

(config-pmap-ins-sip-c) permit

(config-pmap-ins-sip-c) reset

Policy Map Inspection SIP Match Configuration Mode Commands

(config-pmap-ins-sip-m) drop

(config-pmap-ins-sip-m) permit

(config-pmap-ins-sip-m) reset

Policy Map Inspection Skinny Configuration Mode Commands

(config-pmap-ins-skinny) description

(config-pmap-ins-skinny) match message-id

Policy Map Inspection Skinny Match Configuration Mode Commands

(config-pmap-ins-skinny-m) reset

Policy Map Load Balancing Generic Configuration Mode Commands

(config-pmap-lb-generic) class

(config-pmap-lb-generic) description

(config-pmap-lb-generic) match layer4-payload

(config-pmap-lb-generic) match source-address

Policy Map Load Balancing Generic Class Configuration Mode Commands

(config-pmap-lb-generic-c) drop

(config-pmap-lb-generic-c) forward

(config-pmap-lb-generic-c) serverfarm

(config-pmap-lb-generic-c) set ip tos

(config-pmap-lb-generic-c) sticky-serverfarm

Policy Map Load Balancing Generic Match Configuration Mode Commands

(config-pmap-lb-generic-m) drop

(config-pmap-lb-generic-m) forward

(config-pmap-lb-generic-m) serverfarm

(config-pmap-lb-generic-m) set ip tos

(config-pmap-lb-generic-m) sticky-serverfarm

Policy Map Load Balancing HTTP Configuration Mode Commands

(config-pmap-lb) class

(config-pmap-lb) description

(config-pmap-lb) match cipher

(config-pmap-lb) match http content

(config-pmap-lb) match http cookie

(config-pmap-lb) match http header

(config-pmap-lb) match http url

(config-pmap-lb) match source-address

Policy Map Load Balancing HTTP Class Configuration Mode Commands

(config-pmap-lb-c) action

(config-pmap-lb-c) compress

(config-pmap-lb-c) drop

(config-pmap-lb-c) forward

(config-pmap-lb-c) insert-http

(config-pmap-lb-c) nat dynamic

(config-pmap-lb-c) serverfarm

(config-pmap-lb-c) set ip tos

(config-pmap-lb-c) ssl-proxy client

(config-pmap-lb-c) sticky-serverfarm

Policy Map Load Balancing HTTP Match Configuration Mode Commands

(config-pmap-lb-m) action

(config-pmap-lb-m) compress

(config-pmap-lb-m) drop

(config-pmap-lb-m) forward

(config-pmap-lb-m) insert-http

(config-pmap-lb-m) serverfarm

(config-pmap-lb-m) set ip tos

(config-pmap-lb-m) ssl-proxy client

(config-pmap-lb-m) sticky-serverfarm

Policy Map Load Balancing RADIUS Configuration Mode Commands

(config-pmap-lb-radius) class

(config-pmap-lb-radius) description

(config-pmap-lb-radius) match radius attribute

Policy Map Load Balancing RADIUS Class Configuration Mode Commands

(config-pmap-lb-radius-c) drop

(config-pmap-lb-radius-c) forward

(config-pmap-lb-radius-c) serverfarm

(config-pmap-lb-radius-c) set ip tos

(config-pmap-lb-radius-c) sticky-serverfarm

Policy Map Load Balancing RADIUS Match Configuration Mode Commands

(config-pmap-lb-radius-m) drop

(config-pmap-lb-radius-m) forward

(config-pmap-lb-radius-m) serverfarm

(config-pmap-lb-radius-m) set ip tos

(config-pmap-lb-radius-m) sticky-serverfarm

Policy Map Load Balancing RDP Configuration Mode Commands

(config-pmap-lb-rdp) class

(config-pmap-lb-rdp) description

Policy Map Load Balancing RDP Class Configuration Mode Commands

(config-pmap-lb-rdp-c) drop

(config-pmap-lb-rdp-c) forward

(config-pmap-lb-rdp-c) serverfarm

(config-pmap-lb-rdp-c) set ip tos

(config-pmap-lb-rdp-c) sticky-serverfarm

Policy Map Load Balancing RTSP Configuration Mode Commands

(config-pmap-lb-rtsp) class

(config-pmap-lb-rtsp) description

(config-pmap-lb-rtsp) match rtsp header

(config-pmap-lb-rtsp) match rtsp source-address

(config-pmap-lb-rtsp) match rtsp url

Policy Map Load Balancing RTSP Class Configuration Mode Commands

(config-pmap-lb-rtsp-c) drop

(config-pmap-lb-rtsp-c) forward

(config-pmap-lb-rtsp-c) serverfarm

(config-pmap-lb-rtsp-c) set ip tos

(config-pmap-lb-rtsp-c) sticky-serverfarm

Policy Map Load Balancing RTSP Match Configuration Mode Commands

(config-pmap-lb-rtsp-m) drop

(config-pmap-lb-rtsp-m) forward

(config-pmap-lb-rtsp-m) serverfarm

(config-pmap-lb-rtsp-m) set ip tos

(config-pmap-lb-rtsp-m) sticky-serverfarm

Policy Map Load Balancing SIP Configuration Mode Commands

(config-pmap-lb-sip) class

(config-pmap-lb-sip) description

(config-pmap-lb-sip) match sip header

(config-pmap-lb-sip) match source-address

Policy Map Load Balancing SIP Class Configuration Mode Commands

(config-pmap-lb-sip-c) drop

(config-pmap-lb-sip-c) forward

(config-pmap-lb-sip-c) serverfarm

(config-pmap-lb-sip-c) set ip tos

(config-pmap-lb-sip-c) sticky-serverfarm

Policy Map Load Balancing SIP Match Configuration Mode Commands

(config-pmap-lb-sip-m) drop

(config-pmap-lb-sip-m) forward

(config-pmap-lb-sip-m) serverfarm

(config-pmap-lb-sip-m) set ip tos

(config-pmap-lb-sip-m) sticky-serverfarm

Policy Map Management Configuration Mode Commands

(config-pmap-mgmt) class

(config-pmap-mgmt) description

Policy Map Management Class Configuration Mode Commands

(config-pmap-mgmt-c) deny

(config-pmap-mgmt-c) permit

Policy Map Optimization Configuration Mode Commands

(config-pmap-optmz) class

(config-pmap-optmz) description

(config-pmap-optmz) match http cookie

(config-pmap-optmz) match http header

(config-pmap-optmz) match http url

Policy Map Optimization Class Configuration Mode Commands

(config-pmap-optmz-c) action

Policy Map Optimization Match Configuration Mode Commands

(config-pmap-optmz-m) action


Policy Map Configuration Mode Commands

Policy map configuration mode commands allow you to configure a Layer 3 and Layer 4 policy map that defines the different actions applied to traffic that passes through the ACE. The ACE attempts to match multiple classes within the Layer 3 and Layer 4 policy map to allow a multifeature Layer 3 and Layer 4 policy map. The ACE executes the action for only one matching class within each of the class sets. The definition of which classes are in the same class set depends on the actions applied to the classes; the ACE associates each policy map action with a specific set of classes.

To create a Layer 3 and Layer 4 policy map and access policy map configuration mode, use the policy-map multi-match command in configuration mode. When you access the policy map configuration mode, the prompt changes to (config-pmap). Use the no form of this command to remove a Layer 3 and Layer 4 policy map from the ACE.

For a Layer 3 and Layer 4 traffic classification, you create Layer 3 and Layer 4 policy maps with actions that configure the following:

Server load balancing based on Layer 3 and Layer 4 connection information (virtual IP address)

(ACE appliance only) Application acceleration and optimization

Secure Sockets Layer (SSL) security services between a web browser (the client) and the HTTP server

Static or dynamic Network Address Translation (NAT)

Application protocol inspection (also known as protocol fixup)

TCP termination, normalization, and reuse

IP normalization and fragment reassembly

Use the no form of the policy-map multi-match command to remove a policy map from the ACE.

policy-map multi-match map_name

no policy-map multi-match map_name

Syntax Description

map_name

Name assigned to the Layer 3 and Layer 4 policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

The commands in this mode require the loadbalance, inspect, connection, NAT, or SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To perform HTTP load balancing, HTTP deep packet inspection, or FTP command inspection functions, you associate a previously created Layer 7 policy map within a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can be associated only within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface. For example, to associate a Layer 7 HTTP load-balancing policy map, you nest the Layer 7 load-balancing policy map by using the Layer 3 and Layer 4 (config-pmap-c) loadbalance policy command.

The ACE supports a system-wide maximum of 4096 policy maps.
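The nesting that the usage guidelines describe, shown as an added end-to-end configuration that is not part of the original reference. All names (WEB1, WEB2, WEB_FARM, TCP_PARAM, RISKY_METHODS, HTTP_INSPECT, FTP_DENIED, FTP_INSPECT, LB_POLICY, VIP_HTTP, VIP_FTP, L4_MULTI_POLICY), addresses and the VLAN number are assumed. The rserver, serverfarm, parameter-map, class-map, interface and service-policy commands are configuration mode commands documented outside this chapter; lines beginning with ! are annotations for the reader, not ACE commands. The Layer 7 child policies are created first, nested under the classes of one Layer 3 and Layer 4 multi-match policy, and only that multi-match policy is activated on the VLAN interface.

```text
! Real servers and the server farm that the load-balancing policy selects
rserver host WEB1
  ip address 192.168.10.11
  inservice
rserver host WEB2
  ip address 192.168.10.12
  inservice
serverfarm host WEB_FARM
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

! Connection parameter map, attached below with connection advanced-options
parameter-map type connection TCP_PARAM
  set timeout inactivity 300

! Layer 7 HTTP inspection child policy: reset connections that use TRACE or CONNECT
class-map type http inspect match-any RISKY_METHODS
  2 match request-method rfc trace
  3 match request-method rfc connect
policy-map type inspect http all-match HTTP_INSPECT
  class RISKY_METHODS
    reset

! Layer 7 FTP command inspection child policy: deny SITE and SYST
class-map type ftp inspect match-any FTP_DENIED
  2 match request-method site
  3 match request-method syst
policy-map type inspect ftp first-match FTP_INSPECT
  class FTP_DENIED
    deny

! Layer 7 load-balancing child policy (cannot itself be applied to an interface)
policy-map type loadbalance first-match LB_POLICY
  class class-default
    serverfarm WEB_FARM

! Layer 3 and Layer 4 class maps, one per VIP and port
class-map match-all VIP_HTTP
  2 match virtual-address 10.10.10.100 tcp eq www
class-map match-all VIP_FTP
  2 match virtual-address 10.10.10.100 tcp eq ftp

! Layer 3 and Layer 4 multi-match policy: each class carries its own feature set,
! and the Layer 7 child policies are nested with loadbalance policy and inspect ... policy
policy-map multi-match L4_MULTI_POLICY
  description Multi-feature L3/L4 policy: SLB plus HTTP and FTP inspection
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy LB_POLICY
    loadbalance vip icmp-reply active
    inspect http policy HTTP_INSPECT
    connection advanced-options TCP_PARAM
  class VIP_FTP
    loadbalance vip inservice
    loadbalance policy LB_POLICY
    inspect ftp strict policy FTP_INSPECT

! Only the Layer 3 and Layer 4 policy is activated on the interface
interface vlan 100
  ip address 10.10.10.1 255.255.255.0
  service-policy input L4_MULTI_POLICY
  no shutdown
```

The FTP class uses inspect ftp strict with a child policy so that, in addition to the command filtering in FTP_INSPECT, the ACE enforces RFC compliance, rewrites the 530 reply to USER as 331, and masks the SYST reply, as described under the strict keyword of the (config-pmap-c) inspect command. Traffic that matches VIP_HTTP gets the HTTP class set (load balancing, HTTP inspection, connection parameters); traffic that matches VIP_FTP gets the FTP class set; the ACE applies only one matching class from each set.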

Examples

To create a Layer 3 and Layer 4 server load balancing (SLB) policy map named L4_SLB_POLICY, enter:

host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)# 
 
   

To create a Layer 3 and Layer 4 application protocol inspection policy map named L4_HTTP_APP_INSPECTION_POLICY, enter:

host1/Admin(config)# policy-map multi-match L4_HTTP_APP_INSPECTION_POLICY
host1/Admin(config-pmap)#

Related Commands

show startup-config
(config) class-map

(config-pmap) class

To associate a Layer 3 and Layer 4 class map with a Layer 3 and Layer 4 policy map, use the class command. The prompt changes from (config-pmap) to (config-pmap-c). For information about commands in this mode, see the "Policy Map Class Configuration Mode Commands" section. Use the no form of this command to remove an associated class map from a policy map.

class {name1 [insert-before name2] | class-default-v6 | class-default}

no class {name1 [insert-before name2] | class-default-v6 | class-default}

Syntax Description

name1

Name of a previously defined Layer 3 and Layer 4 traffic class configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

insert-before name2

(Optional) Places the current named class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy-map configuration. The ACE does not save the sequence reordering as part of the configuration. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

class-default-v6

Associates the reserved, well-known IPv6 class map created by the ACE. You cannot delete or modify this class. All IPv6 traffic that fails to meet the matching criteria of the other classes in the policy map belongs to the default traffic class. If none of the specified classifications matches the traffic, the ACE performs the action specified under the class class-default-v6 command. The class-default-v6 class map has an implicit match any statement that enables it to match all IPv6 traffic.

class-default

Associates the reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the matching criteria of the other classes in the policy map belongs to the default traffic class. If none of the specified classifications matches the traffic, the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement that enables it to match all traffic.


Command Modes

Policy map configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

A5(1.0)

Added the class-default-v6 keyword.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A5(1.0)

Added the class-default-v6 keyword.


Usage Guidelines

This command has no usage guidelines.

Examples

To associate a Layer 3 and Layer 4 class map with a Layer 3 and Layer 4 policy map, enter:

host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)# class L4_SLB_CLASS
host1/Admin(config-pmap-c)#

Related Commands

(config-pmap) description

(config-pmap) description

To provide a brief summary about the Layer 3 and Layer 4 policy map, use the description command. Use the no form of this command to remove the description from the policy map.

description text

no description

Syntax Description

text

Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.


Command Modes

Policy map configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To add a description stating that the policy map performs Layer 3 and Layer 4 server load balancing, enter:

host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)# description Policy map for L3/L4 SLB

Related Commands

(config-pmap) class

Policy Map Class Configuration Mode Commands

Policy map class configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 3 and Layer 4 class map. To access policy map class configuration mode, use the class command in policy map configuration mode (see the (config-pmap) class command for details). The prompt changes from (config-pmap) to (config-pmap-c).

The features required in your user role to execute a specific command in policy map class configuration mode are described in the "Usage Guidelines" section of the command. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-c) appl-parameter dns advanced-options

To associate a DNS parameter map with a Layer 3 and Layer 4 policy map, use the appl-parameter dns advanced-options command. Use the no form of this command to disassociate the DNS parameter map as an action from the Layer 3 and Layer 4 DNS application inspection policy map.

appl-parameter dns advanced-options name

no appl-parameter dns advanced-options name

Syntax Description

name

Name of an existing DNS parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To associate a DNS parameter map with a Layer 3 and Layer 4 policy map, enter:

host1/Admin(config)# policy-map multi-match DNS_INSPECT_L4POLICY
host1/Admin(config-pmap)# class DNS_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# appl-parameter dns advanced-options DNS_PARAM_MAP1
 
   

To disassociate the DNS parameter map from the Layer 3 and Layer 4 policy map, enter:

host1/Admin(config-pmap-c)# no appl-parameter dns advanced-options DNS_PARAM_MAP1

Related Commands

show parameter-map
(config) parameter-map type

(config-pmap-c) appl-parameter generic advanced-options

To associate a generic Layer 7 parameter map with a Layer 3 and Layer 4 policy map, use the appl-parameter generic advanced-options command. Use the no form of this command to disassociate the generic Layer 7 parameter map as an action from the Layer 3 and Layer 4 generic application inspection policy map.

appl-parameter generic advanced-options name

no appl-parameter generic advanced-options name

Syntax Description

name

Name of an existing generic Layer 7 parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To associate a generic Layer 7 parameter map with the Layer 3 and Layer 4 policy map, enter:

host1/Admin(config)# policy-map multi-match GEN_L7_INSPECT_L4POLICY
host1/Admin(config-pmap)# class GEN_L7_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# appl-parameter generic advanced-options GEN_L7_PARAM_MAP1
 
   

To disassociate the generic Layer 7 parameter map from the Layer 3 and Layer 4 policy map, enter:

host1/Admin(config-pmap-c)# no appl-parameter generic advanced-options GEN_L7_PARAM_MAP1

Related Commands

show parameter-map
(config) parameter-map type

(config-pmap-c) appl-parameter http advanced-options

To associate an HTTP parameter map with a Layer 3 and Layer 4 policy map, use the appl-parameter http advanced-options command. A parameter map is a means to combine related actions for use in a Layer 3 and Layer 4 HTTP policy map. Use the no form of this command to disassociate the HTTP parameter map as an action from the policy map.

appl-parameter http advanced-options name

no appl-parameter http advanced-options name

Syntax Description

name

Name of an existing HTTP parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the loadbalance and inspect features in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To associate an HTTP parameter map with a Layer 3 and Layer 4 policy map, enter:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# appl-parameter http advanced-options http_param_map1

Related Commands

show parameter-map
(config) parameter-map type

(config-pmap-c) appl-parameter rtsp advanced-options

To associate a Real-Time Streaming Protocol (RTSP) parameter map with a Layer 3 and Layer 4 policy map, use the appl-parameter rtsp advanced-options command. A parameter map is a means to combine related actions for use in a Layer 3 and Layer 4 RTSP policy map. Use the no form of this command to disassociate the RTSP parameter map from the policy map.

appl-parameter rtsp advanced-options name

no appl-parameter rtsp advanced-options name

Syntax Description

name

Name of an existing RTSP parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command requires the loadbalance and inspect features in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To associate an RTSP parameter map with a Layer 3 and Layer 4 policy map, enter:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# appl-parameter rtsp advanced-options rtsp_param_map1

Related Commands

show parameter-map
(config) parameter-map type

(config-pmap-c) appl-parameter sip advanced-options

To associate a Session Initiation Protocol (SIP) application protocol inspection parameter map with a Layer 3 and Layer 4 policy map, use the appl-parameter sip advanced-options command. Use the no form of this command to disassociate the SIP parameter map as an action from the Layer 3 and Layer 4 SIP application inspection policy map.

appl-parameter sip advanced-options name

no appl-parameter sip advanced-options name

Syntax Description

name

Name of an existing SIP parameter map. Parameter maps aggregate SIP traffic-related actions together. Enter the name of an existing SIP parameter map as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To associate a SIP parameter map with a SIP packet inspection policy map, enter:

host1/Admin(config)# policy-map multi-match SIP_INSPECT_L4POLICY
host1/Admin(config-pmap)# class SIP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# appl-parameter sip advanced-options SIP_PARAM_MAP1
 
   

To disassociate the SIP parameter map from the SIP packet inspection policy map, enter:

host1/Admin(config-pmap-c)# no appl-parameter sip advanced-options SIP_PARAM_MAP1

Related Commands

show parameter-map
(config) parameter-map type

(config-pmap-c) appl-parameter skinny advanced-options

To associate a Skinny Client Control Protocol (SCCP) parameter map with a Layer 3 and Layer 4 policy map, use the appl-parameter skinny advanced-options command. Use the no form of this command to disassociate the SCCP parameter map as an action from the Layer 3 and Layer 4 SCCP application inspection policy map.

appl-parameter skinny advanced-options name

no appl-parameter skinny advanced-options name

Syntax Description

name

Name of an existing SCCP parameter map. Parameter maps aggregate SCCP traffic-related actions together. Enter the name of an existing SCCP parameter map as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To associate an SCCP parameter map with the SCCP deep packet inspection policy map, enter:

host1/Admin(config)# policy-map multi-match SCCP_INSPECT_L4POLICY
host1/Admin(config-pmap)# class SCCP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# appl-parameter skinny advanced-options SCCP_PARAM_MAP1
 
   

To disassociate the SCCP parameter map from the SCCP packet inspection policy map, enter:

host1/Admin(config-pmap-c)# no appl-parameter skinny advanced-options SCCP_PARAM_MAP1

Related Commands

show parameter-map
(config) parameter-map type

(config-pmap-c) connection advanced-options

To associate a connection parameter map with a Layer 3 and Layer 4 policy map, use the connection advanced-options command. Use the no form of this command to disassociate the parameter map from a policy map.

connection advanced-options name

no connection advanced-options name

Syntax Description

name

Name of an existing connection parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

For details about configuring a connection parameter map, see the Security Guide, Cisco ACE Application Control Engine.

Examples

To associate the connection parameter map IP_MAP with a Layer 3 and Layer 4 TCP/IP policy map, enter:

host1/Admin(config)# policy-map multi-match TCPIP_POLICY
host1/Admin(config-pmap)# class TCP_CLASS
host1/Admin(config-pmap-c)# connection advanced-options IP_MAP

Related Commands

This command has no related commands.

(config-pmap-c) inspect

To define the Layer 3 and Layer 4 HTTP deep packet inspection, File Transfer Protocol (FTP) command inspection, or application protocol inspection policy actions, use the inspect command. Application inspection involves the examination of protocols such as Domain Name System (DNS), FTP, HTTP, Internet Control Message Protocol (ICMP), and Real Time Streaming Protocol (RTSP) to verify the protocol behavior and identify unwanted or malicious traffic that passes through the ACE. Use the no form of this command to remove the inspection action from the policy map.

inspect {dns [maximum-length bytes]} | {ftp [strict policy name1 | sec-param conn_parammap_name1]} | {http [policy name4 | url-logging]} | {icmp [error]} | ils | {rtsp [sec-param conn_parammap_name3]} | {sip [sec-param conn_parammap_name4] [policy name5]} | {skinny [sec-param conn_parammap_name5] [policy name6]}

no inspect {dns [maximum-length bytes]} | {ftp [strict policy name1 | sec-param conn_parammap_name1]} | {http [policy name4 | url-logging]} | {icmp [error]} | ils | {rtsp [sec-param conn_parammap_name3]} | {sip [sec-param conn_parammap_name4] [policy name5]} | {skinny [sec-param conn_parammap_name5] [policy name6]}

Syntax Description

dns

Enables DNS query inspection. DNS requires application inspection so that DNS queries will not be subject to the generic UDP handling based on activity timeouts. Instead, the UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received. The ACE performs the reassembly of DNS packets to verify that the packet length is less than the configured maximum length.

maximum-length bytes

(Optional) Sets the maximum length of a DNS reply. Valid entries are from 512 to 65535 bytes. The default is 512 bytes.

ftp

Enables FTP inspection. The ACE inspects FTP packets, translates the address and the port that are embedded in the payload, and opens up a secondary channel for data.

strict

(Optional) Checks for protocol RFC compliance and prevents web browsers from sending embedded commands in FTP requests. The strict keyword prevents an FTP client from determining valid usernames that are supported on an FTP server. When an FTP server replies to the USER command, the ACE intercepts the 530 reply code from the FTP server and replaces it with the 331 reply code. Specifying an FTP inspection policy allows selective command filtering and also prevents the display of the FTP server system type to the FTP client. The ACE intercepts the FTP server 215 reply code and message to the SYST command, and then replaces the text following the reply code with asterisks.

policy name1

Specifies the name assigned to a previously created Layer 7 FTP command inspection policy map to implement the inspection of Layer 7 FTP commands by the ACE. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. For the commands that define the Layer 7 FTP command request inspection policy map, see the "Policy Map FTP Inspection Configuration Mode Commands" section.

Note If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 FTP fixup actions.

sec-param conn_parammap_name1

(Optional) Specifies the name of a previously created connection parameter map used to define parameters for FTP inspection.

http

Enables enhanced Hypertext Transfer Protocol (HTTP) inspection on the HTTP traffic. The inspection checks are based on configured parameters in an existing Layer 7 policy map and internal RFC compliance checks performed by the ACE. By default, the ACE allows all request methods.

policy name4

(Optional) Specifies the name assigned to a previously created Layer 7 HTTP application inspection policy map to implement the deep packet inspection of Layer 7 HTTP application traffic by the ACE. The inspection checks are based on configured parameters in an existing Layer 7 policy map and internal RFC compliance checks performed by the ACE. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

Note If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC compliance checks.

url-logging

(Optional) Enables URL logging for the matched Layer 3 and Layer 4 traffic. The ACE logs every URL request sent in the specified class of traffic, including the source and destination IP addresses and the URL that is accessed.

icmp

Enables ICMP payload inspection. ICMP inspection allows ICMP traffic to have a "session" so it can be inspected similarly to TCP and UDP traffic.

error

(Optional) Performs a Network Address Translation (NAT) of ICMP error messages. The ACE creates translation sessions for intermediate or endpoint nodes that send ICMP error messages based on the NAT configuration. The ACE overwrites the packet with the translated IP addresses.

ils

Enables Internet Locator Service (ILS) protocol inspection.

rtsp

Enables RTSP packet inspection. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. The ACE monitors Setup and Response (200 OK) messages in the control channel established using TCP port 554 (no UDP support).

sec-param conn_parammap_name3

(Optional) Specifies the name of a previously created connection parameter map used to define parameters for RTSP inspection.

sip

Enables Session Initiation Protocol (SIP) inspection. SIP is used for call handling sessions and instant messaging. The ACE inspects signaling messages for media connection addresses, media ports, and embryonic connections. The ACE also uses NAT to translate IP addresses that are embedded in the user-data portion of the packet.

sec-param conn_parammap_name4

(Optional) Specifies the name of a previously created connection parameter map used to define parameters for SIP inspection.

policy name5

(Optional) Specifies the name of a previously created Layer 7 SIP application inspection policy map to implement packet inspection of Layer 7 SIP application traffic by the ACE. The inspection checks are based on configured parameters in an existing Layer 7 policy map and internal RFC compliance checks performed by the ACE. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

Note If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC compliance checks.

skinny

Enables Cisco Skinny Client Control Protocol (SCCP) inspection. SCCP is a Cisco proprietary protocol that is used between Cisco CallManager and Cisco VoIP phones. The ACE uses NAT to translate embedded IP addresses and port numbers in SCCP packet data.

sec-param conn_parammap_name5

(Optional) Specifies the name of a previously created connection parameter map used to define parameters for SCCP inspection.

policy name6

(Optional) Specifies the name of a previously created Layer 7 SCCP application inspection policy map to implement the deep packet inspection of Layer 7 SCCP application traffic by the ACE. The inspection checks are based on configured parameters in an existing Layer 7 policy map and internal RFC compliance checks performed by the ACE. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

Note If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC compliance checks.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

A2(1.0)

This command was revised.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A3(1.0)

This command was revised.


Usage Guidelines

This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To perform the deep packet inspection of Layer 7 HTTP application traffic by the ACE, you should create a Layer 7 HTTP deep packet inspection policy using the policy-map type inspect http command (see the Security Guide, Cisco ACE Application Control Engine). Nest the Layer 7 deep packet inspection policy using the Layer 3 and Layer 4 inspect http command. If you do not specify a Layer 7 HTTP policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC compliance checks.

To perform checks for protocol RFC compliance and to prevent web browsers from sending embedded commands in FTP requests, you should create a Layer 7 FTP policy using the policy-map type inspect ftp command (see the Security Guide, Cisco ACE Application Control Engine). Nest the Layer 7 FTP inspection traffic policy using the Layer 3 and Layer 4 inspect ftp command. If you do not specify a Layer 7 FTP policy map, the ACE performs a general set of Layer 3 and Layer 4 FTP fixup actions.

Examples

To specify the inspect http command as an action for an HTTP application protocol inspection policy map, enter:

host1/Admin(config)# policy-map multi-match HTTP_INSPECT_L4POLICY
host1/Admin(config-pmap)# class HTTP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# inspect http policy HTTP_DEEPINSPECT_L7POLICY

Related Commands

This command has no related commands.

(config-pmap-c) kal-ap primary-oos

To enable the ACE to report the maximum load value of 255 to a GSS when the primary server farm is down and the backup server farm is in use, use the kal-ap primary-oos command in policy map class configuration mode. Use the no form of this command to disable the reporting of a load value of 255 when the primary server is down and the backup server is in use.

kal-ap primary-oos

no kal-ap primary-oos

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(3.1)

This command was introduced.


ACE Appliance Release
Modification

A3(2.6)

This command was introduced.


Usage Guidelines

This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

When you configure a server farm as a backup server farm on the ACE and the primary server farm fails, the backup server farm redirects the client requests to another data center. However, the VIP remains in the INSERVICE state.

When you configure the ACE to communicate with a GSS, the ACE reports the availability of the server to the GSS by sending a load number. To inform the GSS that the primary server farm is down and a backup server farm is in use, the ACE needs to send a load value indicating that the server is unavailable.

When you configure the kal-ap primary-oos command, the ACE reports a load value of 255 when the primary server is down and the backup server is in use. When the GSS receives the load value of 255, it recognizes that the primary server farm is down and sends future DNS requests with the IP address of the other data center.

Examples

To enable the reporting of a load value of 255 when the primary server is down and the backup server is in use, enter:

host1/Admin(config-pmap-c)# kal-ap primary-oos

To disable the reporting of a load value of 255 when the primary server is down and the backup server is in use, enter:

host1/Admin(config-pmap-c)# no kal-ap primary-oos

Related Commands

This command has no related commands.

(config-pmap-c) kal-ap-tag

To associate a KAL-AP tag to a VIP address in a Layer 3 and Layer 4 SLB policy map configuration, use the kal-ap-tag command. Use the no form of this command to disassociate the KAL-AP tag from the Layer 3 and Layer 4 SLB policy map.

kal-ap-tag tag_name

no kal-ap-tag

Syntax Description

tag_name

Name of the KAL-AP tag. Enter the name as an unquoted text string with no spaces and a maximum of 76 alphanumeric characters.

Note the following restrictions:

You cannot configure a tag name for a VIP address that is already configured in a different policy map.

You cannot associate the same tag name to a domain and a VIP address.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(2.0)

This command was introduced.


ACE Appliance Release
Modification

A4(1.0)

This command was introduced.


Usage Guidelines

This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To associate a KAL-AP tag with a VIP in a policy map configuration, enter:

host1/Admin(config)# policy-map multi-match l4_policy20
host1/Admin(config-pmap)# class VIP-20
host1/Admin(config-pmap-c)# kal-ap-tag KAL-AP-TAG2

To remove the KAL-AP-TAG2 tag from the class map, enter:

host1/Admin(config-pmap-c)# no kal-ap-tag

Related Commands

show kalap udp load

(config-pmap-c) loadbalance policy

To associate a Layer 7 server load balancing (SLB) policy map with a Layer 3 and Layer 4 SLB policy map, use the loadbalance policy command. Use the no form of this command to disassociate the Layer 7 SLB policy from the Layer 3 and Layer 4 SLB policy map.

loadbalance policy name

no loadbalance policy name

Syntax Description

name

Name of an existing Layer 7 SLB policy map. Enter the name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The ACE treats all Layer 7 policy maps as child policies, so you must always associate a Layer 7 SLB policy map with a Layer 3 and Layer 4 SLB policy map.

Examples

To reference the Layer 7 L7SLBPOLICY policy map within the Layer 3 and Layer 4 L4SLBPOLICY policy map, enter:

host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap)# class L7SLBCLASS
host1/Admin(config-pmap-c)# serverfarm FARM2
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class L4SLBCLASS
host1/Admin(config-pmap-c)# loadbalance policy L7SLBPOLICY

Related Commands

This command has no related commands.

(config-pmap-c) loadbalance vip advertise

(ACE module only) To allow the ACE to advertise the IP address of the virtual server as the host route, use the loadbalance vip advertise command. This function is used with route health injection (RHI) to allow the ACE to advertise the availability of a VIP address throughout the network. Use the no form of this command to stop advertising the host route as an action from the policy map.

loadbalance vip advertise [active] | [metric number]

no loadbalance vip advertise [active] | [metric number]

Syntax Description

active

(Optional) Allows the ACE to advertise the IP address of the virtual server (VIP) as the host route only if there is at least one active real server in the server farm. Without the active option, the ACE always advertises the VIP whether or not there is any active real server associated with this VIP.

metric number

(Optional) Specifies the distance metric for the route. Enter the metric value to be placed in the routing table. Valid values are from 1 through 254. The default is 77.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You must enable the advertising of a VIP using the loadbalance vip advertise command before you can enter a distance metric value for the route. Otherwise, the ACE returns an error message.

If you configured the loadbalance vip advertise metric command and then you enter the no loadbalance vip advertise [active] command, the ACE resets the metric value to the default of 77.

Examples

To advertise the VIP as a host route as an action for the SLB policy map, enter:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# loadbalance vip advertise active

Related Commands

This command has no related commands.

(config-pmap-c) loadbalance vip icmp-reply

To enable a VIP to reply to ICMP requests, use the loadbalance vip icmp-reply command. For example, if a user sends an ICMP ECHO request to a VIP, this command instructs the VIP to send an ICMP ECHO-REPLY. Use the no form of this command to disable a VIP reply to ICMP requests as an action from the policy map.

loadbalance vip icmp-reply [active [primary-inservice]]

no loadbalance vip icmp-reply [active [primary-inservice]]

Syntax Description

active

(Optional) Instructs the ACE to reply to an ICMP request only if the configured VIP is active. If the VIP is not active and the active option is specified, the ACE discards the ICMP request and the request times out.

primary-inservice

(Optional) Instructs the ACE to reply to an ICMP ping only if the primary server farm state is UP, regardless of the state of the backup server farm. If this option is enabled and the primary server farm state is DOWN, the ACE discards the ICMP request and the request times out.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

3.0(0)A1(6.3)

The primary-inservice option was added.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

To complete the configuration when you configure the active option of this command, be sure to configure a Telnet probe and associate it with the server farm. The probe monitors the health of all the real servers in the server farm and ensures that the VIP responds with an ICMP ECHO REPLY only if the server port is active. If the server port is down or unreachable, the probe fails and the VIP stops responding to the ECHO request. For details about configuring probes, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

The loadbalance vip icmp-reply active command alone controls a ping to a VIP on the ACE. This command implicitly downloads an ICMP access control list entry for the VIP. When you configure this command on the ACE, any configured ACLs that deny ICMP traffic have no effect on a client's ability to ping the VIP.

Examples

To enable a VIP to reply to ICMP requests, enter:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# loadbalance vip icmp-reply active

Related Commands

This command has no related commands.

(config-pmap-c) loadbalance vip inservice

To enable a VIP for server load-balancing operations, use the loadbalance vip inservice command. Use the no form of this command to disable a VIP.

loadbalance vip inservice

no loadbalance vip inservice

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To specify the loadbalance vip inservice command as an action for a server load-balancing policy map, enter:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# loadbalance vip oos-arpreply enable
host1/Admin(config-pmap-c)# loadbalance vip inservice

Related Commands

This command has no related commands.

(config-pmap-c) loadbalance vip udp-fast-age

To close the connection immediately after a response is sent back to the client, enabling per-packet load balancing for UDP DNS A-record (IPv4) or AAAA-record (IPv6) traffic, use the loadbalance vip udp-fast-age command. Use the no form of this command to reset the ACE default behavior.

loadbalance vip udp-fast-age

no loadbalance vip udp-fast-age

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.

A5(1.0)

Added IPv6 support.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.

A5(1.0)

Added IPv6 support.


Usage Guidelines

This command requires the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

When you use this command, the ACE load balances all new requests to a new real server in the server farm according to the predictor algorithm. All retransmitted UDP packets from the client go to the same real server.

By default, the ACE load balances UDP packets using the same tuple to the same real server on an existing connection.

Examples

To configure the ACE to perform per-packet load balancing for UDP traffic, enter:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# loadbalance vip udp-fast-age

To reset the default ACE handling of UDP traffic, enter:

host1/Admin(config-pmap-c)# no loadbalance vip udp-fast-age

Related Commands

This command has no related commands.

(config-pmap-c) nat dynamic

To configure dynamic Network Address Translation (NAT) and Port Address Translation (PAT) as an action in a policy map, use the nat dynamic command. The ACE applies the dynamic NAT from the interface attached to the traffic policy (through the service-policy interface configuration command) to the interface specified in the nat dynamic command. Use the no form of this command to remove a dynamic NAT action from a policy map.

nat dynamic nat_id vlan number

no nat dynamic nat_id vlan number

Syntax Description

nat dynamic nat_id

Refers to a global pool of IP addresses that exists under the VLAN number. Dynamic NAT translates a group of local source IP addresses to a pool of global IP addresses that are routable on the destination network. All packets going from the interface attached to the traffic policy have their source address translated to one of the available addresses in the global pool. Enter an integer from 1 to 2147483647.

vlan number

Specifies the VLAN number of an existing interface for which you are configuring NAT. Enter an integer from 2 to 4094.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the NAT feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

If a packet egresses an interface that you have not configured for NAT, the ACE transmits the packet untranslated.

Examples

To specify the nat dynamic command as an action for a dynamic NAT policy map, enter:

host1/Admin(config)# policy-map multi-match NAT_POLICY
host1/Admin(config-pmap)# class NAT_CLASS
host1/Admin(config-pmap-c)# nat dynamic 1 vlan 200

Related Commands

This command has no related commands.

(config-pmap-c) nat static

To configure static Network Address Translation (NAT) and static port redirection in a policy map, use the nat static command. Static NAT allows you to identify local traffic for address translation by specifying the source and destination addresses in an extended access control list (ACL) that is referenced as part of the class map traffic classification. The ACE applies static NAT from the interface attached to the traffic policy (through the service-policy interface configuration command) to the interface specified in the nat static command. Use the no form of this command to remove a NAT action from a policy map.

nat static [ipv6_address/prefix_length | ipv4_address netmask mask] {port1 | tcp eq port2 | udp eq port3} vlan number

no nat static [ipv6_address/prefix_length | ipv4_address netmask mask] {port1 | tcp eq port2 | udp eq port3} vlan number

Syntax Description

ipv6_address

IPv6 address for a single static translation. This argument establishes the globally unique IP address of a host as it appears to the outside world. The policy map performs the global IP address translation for the source IP address specified in the ACL (as part of the class map traffic classification).

/prefix_length

Prefix length of the IPv6 address.

ipv4_address

IPv4 address for a single static translation. This argument establishes the globally unique IP address of a host as it appears to the outside world. The policy map performs the global IP address translation for the source IP address specified in the ACL (as part of the class map traffic classification).

netmask mask

Specifies the subnet mask for the IP address. Enter a subnet mask in dotted-decimal notation (for example, 255.255.255.0).

port1

Global TCP or UDP port for static port redirection. Enter an integer from 0 to 65535.

tcp eq port2

Specifies a TCP port name or number. Enter an integer from 0 to 65535. A value of 0 instructs the ACE to match any port. Alternatively, you can enter a protocol keyword that corresponds to a TCP port number. See the "Usage Guidelines" section for a list of supported well-known TCP port names and numbers.

udp eq port3

Specifies a UDP port name or number. Enter an integer from 0 to 65535. A value of 0 instructs the ACE to match any port. Alternatively, you can enter a protocol keyword that corresponds to a UDP port number. See the "Usage Guidelines" section for a list of supported well-known UDP port names and numbers.

vlan number

Specifies the interface for the global IP address. This interface must be different from the interface that the ACE uses to filter and receive traffic that requires NAT.


Command Modes

Policy map class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the NAT feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The ACE supports static NAT only for IPv6 to IPv6 and IPv4 to IPv4 translations. Mixed mode is not supported.

Table 2-20 provides a list of supported well-known TCP and UDP port names and numbers.

Table 2-20 Supported TCP and UDP Ports

Well-Known TCP Port Numbers and Keywords

Keyword        Port Number  Description
ftp            21           File Transfer Protocol
http           80           Hyper Text Transfer Protocol
https          443          HTTP over TLS/SSL
irc            194          Internet Relay Chat
matip-a        350          Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
nntp           119          Network News Transport Protocol
pop2           109          Post Office Protocol v2
pop3           110          Post Office Protocol v3
rtsp           554          Real Time Streaming Protocol
smtp           25           Simple Mail Transfer Protocol
telnet         23           Telnet

Well-Known UDP Port Numbers and Keywords

Keyword        Port Number  Description
dns            53           Domain Name System
wsp            9200         Connectionless Wireless Session Protocol (WSP)
wsp-wtls       9202         Secure Connectionless WSP
wsp-wtp        9201         Connection-based WSP
wsp-wtp-wtls   9203         Secure Connection-based WSP


Examples

To specify the nat command as an action for a static NAT and port redirection policy map, enter:

host1/Admin(config)# policy-map multi-match NAT_POLICY
host1/Admin(config-pmap)# class NAT_CLASS
host1/Admin(config-pmap-c)# nat static 192.168.12.15 netmask 255.255.255.0 8080 vlan 200
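
To check nat dynamic and nat static actions in an ACE configuration against the syntax, value ranges and Table 2-20 port keywords documented above, here is an added Python example; it is not Cisco code, and the configuration it lints is constructed for the example:

```python
"""Validate ACE `nat dynamic` / `nat static` policy-map actions against the
syntax and ranges documented above.  Added example; not Cisco code."""
import ipaddress

# Well-known port keywords that nat static accepts (Table 2-20).
TCP_PORT_KEYWORDS = {
    "ftp": 21, "http": 80, "https": 443, "irc": 194, "matip-a": 350,
    "nntp": 119, "pop2": 109, "pop3": 110, "rtsp": 554, "smtp": 25,
    "telnet": 23,
}
UDP_PORT_KEYWORDS = {
    "dns": 53, "wsp": 9200, "wsp-wtls": 9202, "wsp-wtp": 9201,
    "wsp-wtp-wtls": 9203,
}


def _int_in_range(token, low, high, what):
    """Parse an integer argument and enforce its documented range."""
    if not token.isdigit():
        raise ValueError(f"{what}: expected an integer, got {token!r}")
    value = int(token)
    if not low <= value <= high:
        raise ValueError(f"{what}: {value} is outside {low}-{high}")
    return value


def _port(token, keywords, what):
    """A port number 0-65535, or a well-known keyword for the given protocol."""
    if token in keywords:
        return keywords[token]
    return _int_in_range(token, 0, 65535, what)


def _parse_static(args):
    """[ipv6/prefix | ipv4 netmask mask] {port1 | tcp eq port2 | udp eq port3} vlan n"""
    if len(args) < 3 or args[-2] != "vlan":
        raise ValueError("nat static must end with 'vlan number'")
    result = {"kind": "static", "vlan": _int_in_range(args[-1], 2, 4094, "vlan")}
    body = args[:-2]
    if ":" in body[0]:
        # IPv6 form: address/prefix_length (ipaddress raises ValueError if malformed).
        iface = ipaddress.IPv6Interface(body[0])
        result.update(family=6, address=str(iface.ip), prefix=iface.network.prefixlen)
        body = body[1:]
    elif "." in body[0]:
        # IPv4 form: the literal keyword 'netmask' must precede the mask.
        if len(body) < 3 or body[1] != "netmask":
            raise ValueError("IPv4 nat static needs 'netmask mask' after the address")
        iface = ipaddress.IPv4Interface(f"{body[0]}/{body[2]}")
        result.update(family=4, address=str(iface.ip), mask=str(iface.netmask))
        body = body[3:]
    if len(body) == 1:  # port1: any protocol
        result.update(proto="any", port=_port(body[0], {}, "port1"))
    elif len(body) == 3 and body[0] in ("tcp", "udp") and body[1] == "eq":
        table = TCP_PORT_KEYWORDS if body[0] == "tcp" else UDP_PORT_KEYWORDS
        result.update(proto=body[0], port=_port(body[2], table, f"{body[0]} eq port"))
    else:
        raise ValueError(f"unrecognised port specification {' '.join(body)!r}")
    return result


def parse_nat_action(line):
    """Parse one `nat ...` action line into a dict, or raise ValueError."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "nat":
        raise ValueError(f"not a nat action: {line!r}")
    if tokens[1] == "dynamic":  # nat dynamic nat_id vlan number
        if len(tokens) != 5 or tokens[3] != "vlan":
            raise ValueError("expected 'nat dynamic nat_id vlan number'")
        return {"kind": "dynamic",
                "nat_id": _int_in_range(tokens[2], 1, 2147483647, "nat_id"),
                "vlan": _int_in_range(tokens[4], 2, 4094, "vlan")}
    if tokens[1] == "static":
        return _parse_static(tokens[2:])
    raise ValueError(f"unknown nat form {tokens[1]!r}")


def lint_nat_actions(config):
    """Return {action line: error} for every nat action that fails to parse."""
    errors = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nat "):
            try:
                parse_nat_action(line)
            except ValueError as exc:
                errors[line] = str(exc)
    return errors


# Constructed sample: two valid actions and two that the documented syntax
# rejects (missing 'netmask' keyword; https is a TCP keyword, not UDP).
SAMPLE_CONFIG = """
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 200
    nat static 192.168.12.15 netmask 255.255.255.0 8080 vlan 200
    nat static 192.168.12.15 255.255.255.0 8080 vlan 200
    nat static 2001:db8::10/64 udp eq https vlan 300
"""
```

Running lint_nat_actions(SAMPLE_CONFIG) reports only the two malformed lines, with the reason each one fails the documented syntax.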

Related Commands

This command has no related commands.

(config-pmap-c) ssl-proxy

To associate the Secure Sockets Layer (SSL) client or server proxy service with the policy map, use the ssl-proxy command. Use the no form of this command to remove the SSL proxy service from the policy map.

ssl-proxy {client | server} ssl_service_name

no ssl-proxy {client | server} ssl_service_name

Syntax Description

client

Associates an SSL client proxy service with the policy map. This keyword is available only when building a Layer 7 policy map, where the ACE acts as an SSL client device.

server

Associates an SSL server proxy service with the policy map. This keyword is available only when building a Layer 2 or Layer 3 policy map, where the ACE acts as an SSL server device.

ssl_service_name

Name of an existing SSL proxy service. Enter the name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To associate the SSL proxy service with the policy map, enter:

host1/C1(config-pmap-c)# ssl-proxy server SSL_SERVER_PROXY_SERVICE
host1/C1(config-pmap-c)#

Related Commands

This command has no related commands.

Policy Map FTP Inspection Configuration Mode Commands

Policy map FTP inspection configuration mode commands allow you to configure a Layer 7 policy map that defines the inspection of the File Transfer Protocol (FTP) commands by the ACE. The ACE executes the action for the first matching classification.

To create an FTP command request inspection policy map and access policy map FTP inspection configuration mode, use the policy-map type inspect ftp first-match command in configuration mode. When you access the policy map FTP inspection configuration mode, the prompt changes to (config-pmap-ftp-ins). Use the no form of this command to remove an FTP command request inspection policy map from the ACE.

policy-map type inspect ftp first-match map_name

no policy-map type inspect ftp first-match map_name

Syntax Description

map_name

Name assigned to the Layer 7 FTP command request inspection policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You associate the Layer 7 FTP command request inspection policy map within a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can be associated only within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface.

To associate the Layer 7 FTP inspection policy map, you nest it by using the Layer 3 and Layer 4 inspect ftp strict command (see the (config-pmap-c) inspect command).

Examples

To create a Layer 7 FTP command inspection policy map, enter:

host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)#

Related Commands

show startup-config
(config) class-map

(config-pmap-ftp-ins) class

To associate a Layer 7 File Transfer Protocol (FTP) inspection class map with a Layer 7 FTP inspection policy map, use the class command. The prompt changes from (config-pmap-ftp-ins) to (config-pmap-ftp-ins-c). For information about commands in this mode, see the "Policy Map FTP Inspection Class Configuration Mode Commands" section. Use the no form of this command to remove an associated class map from a policy map.

class name

no class name

Syntax Description

name

Name of a previously defined Layer 7 FTP command inspection class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map FTP inspection configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To associate a Layer 7 FTP inspection class map with a Layer 7 FTP inspection policy map, enter:

host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)#

Related Commands

(config-pmap-ftp-ins) description

(config-pmap-ftp-ins) description

To provide a brief summary about the Layer 7 File Transfer Protocol (FTP) command inspection policy map, use the description command. Use the no form of this command to remove the description from the policy map.

description text

no description text

Syntax Description

text

Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.


Command Modes

Policy map configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To add a description that the policy map is to perform FTP command inspection, enter:

host1/Admin(config-pmap-ftp-ins)# description FTP command inspection of incoming traffic

To remove a description from the FTP policy map, enter:

host1/Admin(config-pmap-ftp-ins)# no description FTP command inspection of incoming traffic

Related Commands

(config-pmap-ftp-ins) class

(config-pmap-ftp-ins) match request-method

To configure the Layer 7 FTP inspection policy map to define FTP command inspection decisions performed by the ACE, use the match request-method command. The prompt changes from (config-pmap-ftp-ins) to (config-pmap-ftp-ins-m). For information about commands in this mode, see the "Policy Map FTP Inspection Match Configuration Mode Commands" section. Use the no form of this command to clear the FTP inspection request method from the policy map.

match name request-method ftp_command

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

ftp_command

FTP command in the class map to be subjected to FTP inspection by the ACE. The FTP commands are as follows:

appe—Appends to a file.

cd—Changes to the specified directory.

cdup—Changes to the parent of the current directory.

dele—Deletes a file at the server side.

get—Retrieves a file.

help—Retrieves Help information from the server.

mkd—Creates a directory.

put—Stores a file.

rmd—Removes a directory.

rnfr—Renames from.

rnto—Renames to.

site—Specifies the server-specific command.

stou—Stores a file with a unique name.

syst—Gets system information.


Command Modes

Policy map FTP inspection configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

The match command identifies the FTP command that you want filtered by the ACE.

You can specify multiple match request-method commands within a class map.

Examples

To add an inline match command to a Layer 7 FTP command policy map, enter:

host/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method mkdir
host/Admin(config-pmap-ftp-ins-m)# 

Related Commands

This command has no related commands.

Policy Map FTP Inspection Class Configuration Mode Commands

Use the policy map File Transfer Protocol (FTP) inspection class configuration mode to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 7 FTP inspection class map. To access policy map FTP inspection class configuration mode, use the class command in the policy map FTP inspection configuration mode (see the (config-pmap-ftp-ins) class command for details). The prompt changes from (config-pmap-ftp-ins) to (config-pmap-ftp-ins-c).

The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-ftp-ins-c) deny

To deny the FTP request commands specified in the class map by resetting the FTP session, use the deny command. Use the no form of this command to return to the default state and permit all FTP request commands to pass.

deny

no deny

Command Modes

Policy map FTP inspection class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to deny the FTP request commands specified in the Layer 7 FTP inspection class map by resetting the FTP session, enter:

host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)# deny

Related Commands

This command has no related commands.

(config-pmap-ftp-ins-c) mask-reply

To instruct the ACE to mask the reply to the FTP SYST command by filtering sensitive information from the command output, use the mask-reply command. Use the no form of this command to disable the masking of the system reply to the FTP SYST command.

mask-reply

no mask-reply

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map FTP inspection class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

The mask-reply command is applicable only to the FTP SYST command and its associated reply. The SYST command is used to find out the FTP server's operating system type.

Examples

To instruct the ACE to mask the reply to the FTP SYST command, enter:

host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)# mask-reply

Related Commands

This command has no related commands.
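The two class-mode actions documented above, deny (reset the session when a listed request command arrives) and mask-reply (blank the server's reply to SYST), as a small Python model. This is an added illustration of the documented behaviour, not ACE code: the mapping of the keywords get/put/cd to the RFC 959 verbs RETR/STOR/CWD and the placeholder text written into the masked 215 reply are assumptions, since the page states neither.

```python
# Model of the two class-mode actions on this page: `deny` resets the FTP
# session when a client sends one of the request commands named in the
# class map, and `mask-reply` blanks the server's reply to SYST.
# Added illustration of the documented behaviour, not ACE code.

# Request-method keywords the page lists for FTP inspection.
INSPECTABLE = {"appe", "cd", "cdup", "dele", "get", "help", "mkd", "put",
               "rmd", "rnfr", "rnto", "site", "stou", "syst"}

# Assumption: the ACE keywords get/put/cd correspond to the RFC 959 verbs
# RETR/STOR/CWD seen on the control channel; the rest share their spelling.
WIRE_TO_KEYWORD = {"RETR": "get", "STOR": "put", "CWD": "cd"}

def keyword_for(line):
    """Map a control-channel request line such as 'MKD secret' to its keyword."""
    verb = line.strip().split(" ", 1)[0].upper()
    return WIRE_TO_KEYWORD.get(verb, verb.lower())

def inspect_request(line, denied):
    """'reset' when the request matches a denied, inspectable keyword; else 'pass'."""
    kw = keyword_for(line)
    return "reset" if kw in denied and kw in INSPECTABLE else "pass"

def inspect_session(client_lines, denied):
    """Walk a client transcript; after a reset the session is gone, so stop."""
    decisions = []
    for line in client_lines:
        verdict = inspect_request(line, denied)
        decisions.append((line.strip(), verdict))
        if verdict == "reset":
            break
    return decisions

def mask_syst_reply(reply):
    """Replace the OS description in a 215 reply (the SYST response) with a
    fixed placeholder; other replies pass unchanged. The placeholder text is
    an assumption; the page does not say what the ACE substitutes."""
    if reply.startswith("215 "):
        return "215 ***\r\n"
    return reply

# Constructed transcript: the fourth line is never seen by the server
# because the session is reset at the third.
SAMPLE_CLIENT = ["USER bob\r\n", "PASS secret\r\n", "DELE report.txt\r\n",
                 "RETR report.txt\r\n"]

if __name__ == "__main__":
    for req, verdict in inspect_session(SAMPLE_CLIENT, denied={"dele", "mkd"}):
        print(f"{req:<20} {verdict}")
    print(mask_syst_reply("215 UNIX Type: L8 Version: BSD-44\r\n").strip())
```

The `denied` set plays the role of the class map: every keyword in it that also appears in the page's list is reset on sight, while verbs the ACE does not inspect (USER, PASS) always pass.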

Policy Map FTP Inspection Match Configuration Mode Commands

Policy map FTP inspection match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map FTP inspection match configuration mode, use the match request-method command in policy map FTP inspection configuration mode (see the (config-pmap-ftp-ins) match request-method command for details). The prompt changes from (config-pmap-ftp-ins) to (config-pmap-ftp-ins-m).

The inline Layer 7 policy map match commands allow you to include a single inline match criteria in the policy map without specifying a traffic class. The match commands function the same as with the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the Layer 7 policy map.

The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-ftp-ins-m) deny

To deny the FTP request commands specified in the inline match command by resetting the FTP session, use the deny command. By default, the ACE allows all FTP commands to pass. Use the no form of this command to return to the default state and permit all FTP request commands to pass.

deny

no deny

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map FTP inspection match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to deny the FTP request commands specified in the Layer 7 FTP inspection class map by resetting the FTP session, enter:

host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method mkdir
host/Admin(config-pmap-ftp-ins-m)# deny

Related Commands

This command has no related commands.

(config-pmap-ftp-ins-m) mask-reply

To instruct the ACE to mask the system's reply to the FTP SYST command by filtering sensitive information from the command output, use the mask-reply command. Use the no form of this command to disable the masking of the system reply to the FTP SYST command.

mask-reply

no mask-reply

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map FTP inspection match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

The mask-reply command is applicable only to the FTP SYST command and its associated reply. The SYST command is used to find out the FTP server's operating system type.

Examples

To instruct the ACE to mask the system's reply to the FTP SYST command, enter:

host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method syst
host/Admin(config-pmap-ftp-ins-m)# mask-reply

Related Commands

This command has no related commands.

Policy Map Inspection HTTP Configuration Mode Commands

Policy map inspection HTTP configuration mode commands allow you to define a policy map that initiates the deep packet inspection of the HTTP protocol by the ACE. The ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request.

To create an HTTP deep packet inspection policy map and access policy map inspection HTTP configuration mode, use the policy-map type inspect http all-match command in configuration mode. When you access the policy map inspection HTTP configuration mode, the prompt changes to (config-pmap-ins-http). Use the no form of this command to remove an HTTP deep packet inspection policy map from the ACE.

policy-map type inspect http all-match map_name

no policy-map type inspect http all-match map_name

Syntax Description

map_name

Name assigned to the Layer 7 HTTP deep packet inspection policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You associate the Layer 7 HTTP deep packet inspection policy map within a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can only be associated within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface.

To associate the Layer 7 HTTP inspection policy map, you nest it by using the Layer 3 and Layer 4 inspect http command (see the (config-pmap-c) inspect command).

Examples

To create a Layer 7 HTTP deep packet inspection policy map, enter:

host/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host/Admin(config-pmap-ins-http)#

Related Commands

show startup-config
(config) class-map

(config-pmap-ins-http) class

To associate a Layer 7 HTTP inspection class map with a Layer 7 HTTP inspection policy map, use the class command. The prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-c). Use the no form of this command to remove an associated class map from a policy map.

class {name1 [insert-before name2] | class-default}

no class {name1 [insert-before name2] | class-default}

Syntax Description

name1

Name of a previously defined Layer 7 HTTP inspection class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

insert-before name2

(Optional) Places the current class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration.

class-default

Associates a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it that enables it to match all traffic.

Note By default, all matches are applied to both HTTP request and response messages, but the class class-default command is applied only to HTTP requests.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To associate a Layer 7 HTTP inspection class map with a Layer 7 HTTP inspection policy map, enter:

host/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# class HTTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-http-c)# 

Related Commands

(config-pmap-ins-http) description

(config-pmap-ins-http) description

To provide a brief summary about the Layer 7 HTTP inspection policy map, use the description command. Use the no form of this command to remove the description from the policy map.

description text

no description

Syntax Description

text

Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To add a description that the policy map is to perform HTTP deep packet inspection, enter:

host1/Admin(config-pmap-ins-http)# description HTTP protocol deep inspection of incoming traffic

Related Commands

(config-pmap-ins-http) class

(config-pmap-ins-http) match content

To configure the Layer 7 HTTP inspection policy map to define HTTP application inspection decisions based on content expressions contained within the HTTP entity body, use the match content command. Use the no form of this command to clear content expression-checking match criteria from the policy map.

match name content expression [offset number] [insert-before map_name]

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

expression

Content expression contained within the HTTP entity body. The range is from 1 to 255 alphanumeric characters. See the "Usage Guidelines" section for a list of the supported characters that you can use in regular expressions.

offset number

(Optional) Provides an absolute offset where the content expression search string starts. The offset starts at the first byte of the message body, after the empty line (CR, LF, CR, LF) between the headers and the body of the message. The offset value is from 1 to 4000 bytes.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match content command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.

The ACE supports regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces, if the spaces are escaped or quoted. Table 2-21 lists the supported characters that you can use in regular expressions.

Table 2-21 Characters Supported in Regular Expressions

Convention            Description
.*                    Zero or more characters.
.                     Exactly one character.
\.                    Escaped character.
\xhh                  Any ASCII character as specified in two-digit hex notation.
()                    Expression grouping.
[0-9]                 Bracketed range; matches any single character from the range.
[^charset]            A leading ^ in a range does not match any character in the range; all other characters represent themselves.
(expr1 | expr2)       OR of expressions.
(expr)*               0 or more of expressions.
(expr)+               1 or more of expressions.
(expr){m,n}           Matches the previous item between m and n times; valid entries are from 0 to 255.
(expr){m}             Matches the previous item exactly m times; valid entries are from 1 to 255.
(expr){m,}            Matches the previous item m or more times; valid entries are from 1 to 255.
\a                    Alert (ASCII 7).
\b                    Backspace (ASCII 8).
\f                    Form-feed (ASCII 12).
\n                    New line (ASCII 10).
\r                    Carriage return (ASCII 13).
\t                    Tab (ASCII 9).
\v                    Vertical tab (ASCII 11).
\0                    Null (ASCII 0).
\\                    Backslash.


Examples

To specify a content expression contained within the entity body sent with an HTTP request, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH1 content .*newp2psig
host1/Admin(config-pmap-ins-http-m)#

Related Commands

This command has no related commands.

(config-pmap-ins-http) match content length

To configure the Layer 7 HTTP inspection policy map to define application inspection decisions in the HTTP content up to the configured maximum content parse length, use the match content length command. Use the no form of this command to clear the HTTP content length match criteria from the policy map.

match name content length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2} [insert-before map_name]

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

eq bytes

Specifies a value for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length equal to the specified value. Valid entries are from 1 to 65535 bytes.

gt bytes

Specifies a minimum value for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length greater than the specified value. Valid entries are from 1 to 65535 bytes.

lt bytes

Specifies a maximum value for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length less than the specified value. Valid entries are from 1 to 65535 bytes.

range bytes1 bytes2

Specifies a size range for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length within this range. The range is from 1 to 65535 bytes.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

Messages that meet the specified criteria will be either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action.

When you use the match content length command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.

Examples

To define application inspection decisions in the HTTP content up to the configured maximum content parse length, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH2 content length eq 3495
host1/Admin(config-pmap-ins-http-m)#

Related Commands

This command has no related commands.

(config-pmap-ins-http) match content-type-verification

To verify the content MIME-type messages with the header MIME type, use the match content-type-verification command. Use the no form of this command to clear the MIME-type match criteria from the policy map.

match name content-type-verification [insert-before map_name]

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match content-type-verification command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.

This inline match condition limits the MIME types in HTTP messages allowed through the ACE. It verifies that the header MIME-type value is in the internal list of supported MIME types and that the header MIME type matches the actual content in the data or entity body portion of the message. If they do not match, the ACE performs either the permit or reset policy map action.

The MIME-type HTTP inspection process searches the entity body of the HTTP message, which may degrade performance of the ACE.

Examples

To verify the content MIME-type messages with the header MIME type, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH3 content-type-verification
host1/Admin(config-pmap-ins-http-m)#

Related Commands

This command has no related commands.

(config-pmap-ins-http) match cookie secondary

To configure a policy map to define HTTP inspection decisions based on the name or prefix and value of a secondary cookie (URL query string), use the match cookie secondary command. Use the no form of this command to clear secondary cookie match criteria from the class map.

match name cookie secondary [name cookie_name | prefix prefix_name] value expression [insert-before map_name]

no match name cookie secondary [name cookie_name | prefix prefix_name] value expression

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

name cookie_name

Identifier of the secondary cookie to match. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

prefix prefix_name

Prefix of the secondary cookie to match. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

value expression

Regular expression of the secondary cookie to match. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

The following configuration guidelines apply when you configure a secondary cookie inline match statement for HTTP inspection:

Ensure that secondary cookie names do not overlap with other secondary cookie names in the same match-all class map. For example, the following configuration is not allowed because the two match statements have overlapping cookie names:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match cookie secondary prefix id value .*
host1/Admin(config-pmap-ins-http-m)# exit
host1/Admin(config-pmap-ins-http)# match cookie secondary name identity value bob

When you configure a secondary cookie value match across all secondary cookie names in a match-all class map, you cannot configure any other secondary cookie match in the same class map. That is because a secondary cookie match on value alone is equivalent to a wildcard match on name. In the following example, the second match statement is not allowed:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match cookie secondary value bob
host1/Admin(config-pmap-ins-http-m)# exit
host1/Admin(config-pmap-ins-http)# match cookie secondary name identity value jane
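The secondary-cookie match and the two guideline checks above (overlapping cookie-name selectors, and a value-only match acting as a wildcard on name), as an added Python illustration. It is not ACE code: it treats the URL query string as the set of secondary cookies, and it assumes the value expression is searched within the cookie value, which is why the leading `.*` in the page's examples is harmless here.

```python
# Secondary-cookie (URL query string) inline match and the two guideline
# checks on this page: overlapping cookie-name selectors, and a value-only
# match that acts as a wildcard on name.  Added illustration, not ACE code.
import re
from urllib.parse import urlsplit, parse_qsl

def secondary_cookies(url):
    """The query-string pairs; these are the 'secondary cookies' being matched."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def match_cookie_secondary(url, value, name=None, prefix=None):
    """True when a query parameter selected by name or prefix (any parameter
    when neither is given) has a value matching the expression. Assumption:
    the expression is searched within the value, so a leading `.*` is harmless."""
    pattern = re.compile(value)
    for cookie_name, cookie_value in secondary_cookies(url):
        if name is not None and cookie_name != name:
            continue
        if prefix is not None and not cookie_name.startswith(prefix):
            continue
        if pattern.search(cookie_value):
            return True
    return False

# A selector is (name, prefix); (None, None) is the value-only wildcard form.
def selectors_overlap(a, b):
    """True when some cookie name could satisfy both selectors."""
    a_name, a_prefix = a
    b_name, b_prefix = b
    if a == (None, None) or b == (None, None):
        return True                        # value-only matches every name
    if a_name is not None and b_name is not None:
        return a_name == b_name
    if a_name is not None:                 # b selects by prefix
        return a_name.startswith(b_prefix)
    if b_name is not None:                 # a selects by prefix
        return b_name.startswith(a_prefix)
    return a_prefix.startswith(b_prefix) or b_prefix.startswith(a_prefix)

def conflicting_selectors(selectors):
    """Pairs that the guidelines forbid together in one all-match policy map."""
    return [(s, t) for i, s in enumerate(selectors)
            for t in selectors[i + 1:] if selectors_overlap(s, t)]

if __name__ == "__main__":
    # The two configurations the page rejects, as selector lists.
    print(conflicting_selectors([(None, "id"), ("identity", None)]))
    print(conflicting_selectors([(None, None), ("identity", None)]))
    print(match_cookie_secondary("http://app.example/p?matchme=zzabc123",
                                 ".*abc123", name="matchme"))
```

`conflicting_selectors` is the check you would run over a policy map before committing it: any non-empty result corresponds to a configuration the ACE refuses.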

Examples

To match a secondary cookie called "matchme" with a regular expression value of .*abc123, enter the following commands:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match cookie secondary name matchme value .*abc123

Related Commands

(config-cmap-http-insp) match cookie secondary

(config-pmap-ins-http) match header

To define HTTP deep packet inspection decisions based on the name and value in an HTTP header, use the match header command. The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP header expression. Use the no form of this command to clear an HTTP header match criteria from the policy map.

match name header {header_name | header_field} header-value expression [insert-before map_name]

no match name header

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

header_name

Name of the HTTP header to match (for example, www.example1.com). The range is from 1 to 64 alphanumeric characters.

Note The header_name argument cannot include the colon in the name of the HTTP header; the ACE rejects the colon as an invalid token.

header_field

Standard HTTP/1.1 header field. Valid selections include request-header fields, general-header fields, and entity-header fields. Selections also include two lower-level header-matching commands: "length" and "mime-type." The supported selections are as follows:

Accept—Semicolon-separated list of representation schemes (content type metainformation values) that will be accepted in the response to the request.

Accept-Charset—Character sets that are acceptable for the response. This field allows clients capable of understanding more comprehensive or special-purpose character sets to signal that capability to a server that can represent documents in those character sets.

Accept-Encoding—Restricts the content encoding that a user will accept from the server.

Accept-Language—ISO code for the language in which the document is written. The language code is an ISO 3316 language code with an optional ISO639 country code to specify a national variant.

Authorization—Specifies that the user agent wants to authenticate itself with a server, usually after receiving a 401 response.

Cache-Control—Directives that must be obeyed by all caching mechanisms along the request/response chain. The directives specify behavior intended to prevent caches from adversely interfering with the request or response.

Connection—Allows the sender to specify connection options.

Content-MD5—MD5 digest of the entity body that provides an end-to-end integrity check. Only a client or an origin server can generate this header field.

Expect—Used by a client to inform the server about the behaviors that the client requires.

From—Contains the e-mail address of the person that controls the requesting user agent.

Host—Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource. The Host field value must represent the naming authority of the origin server or gateway given by the original URL.

If-Match—Used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that one of those entities is current by including a list of their associated entity tags in the If-Match header field. This feature allows efficient updates of cached information with a minimum amount of transaction overhead. It is also used on updating requests to prevent inadvertent modification of the wrong version of a resource. As a special case, the value "*" matches any current entity of the resource.


length—See the (config-pmap-ins-http) match header length command for details.

mime-type—See the (config-pmap-ins-http) match header mime-type command for details.

Pragma—Pragma directives that are understood by servers to whom the directives are relevant. The syntax is the same as for other multiple-value fields in HTTP. For example, the accept field is a comma-separated list of entries for which the optional parameters are separated by semicolons.

Referer—Address (URI) of the resource from which the URI in the request was obtained.

Transfer-Encoding—Indicates what (if any) type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient.

User-Agent—Information about the user agent (for example, a software program that originates the request). This information is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents.

Via—Used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests and between the origin server and the client on responses.

header-value expression

Specifies the header value expression string to compare against the value in the specified field in the HTTP header. The range is from 1 to 255 alphanumeric characters. For a list of supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match header command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.

The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces, if the spaces are escaped or quoted. For a list of supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.

Examples

To filter on the content and allow HTTP headers that contain the expression html, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH4 header accept header-value html
host1/Admin(config-pmap-ins-http-m)#

Related Commands

This command has no related commands.

(config-pmap-ins-http) match header length

To limit the HTTP traffic allowed through the ACE based on the length of the entity body in the HTTP message, use the match header length command. Messages will be either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action. Use the no form of this command to clear an HTTP header length match criteria from the policy map.

match name header length {request | response} {eq bytes | gt bytes | lt bytes | range bytes1 bytes2} [insert-before map_name]

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

request

Specifies the size of the HTTP header request message that can be received by the ACE.

response

Specifies the size of the HTTP header response message sent by the ACE.

eq bytes

Specifies a value for the entity body in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with an entity body size equal to the specified value. Valid entries are from 1 to 65535 bytes.

gt bytes

Specifies a minimum value for the entity body in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with an entity body size greater than the specified value. Valid entries are from 1 to 65535 bytes.

lt bytes

Specifies a maximum value for the entity body in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with an entity body size less than the specified value. Valid entries are from 1 to 65535 bytes.

range bytes1 bytes2

Specifies a size range for the entity body in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with an entity body size within this range. The range is from 1 to 65535 bytes.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match header length command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command.

By default, the maximum header length for HTTP deep packet inspection is 2048 bytes. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.

Examples

To specify that the policy map match on HTTP traffic received with a length less than or equal to 3600 bytes in the entity body of the HTTP message, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH4 header length request eq 3600
host1/Admin(config-pmap-ins-http-m)#

Related Commands

This command has no related commands.

(config-pmap-ins-http) match header mime-type

To specify a subset of the MIME-type messages that the ACE permits or denies based on the actions in the policy map, use the match header mime-type command. Use the no form of this command to deselect the specified Multipurpose Internet Mail Extension (MIME) message match criteria from the policy map.

match name header mime-type mime_type [insert-before map_name]

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

mime_type

MIME type. The ACE includes a predefined list of MIME types, such as image\jpeg, text\html, application\msword, or audio\mpeg. Choose whether only the MIME types included in this list are permitted through the ACE firewall or whether all MIME types are acceptable. The default behavior is to allow all MIME types.

The supported MIME types are as follows:

application\msexcel

application\mspowerpoint

application\msword

application\octet-stream

application\pdf

application\postscript

application\x-gzip

application\x-java-archive

application\x-java-vm

application\x-messenger

application\zip

audio\*

audio\basic

audio\midi

audio\mpeg

audio\x-adpcm

audio\x-aiff

audio\x-ogg

audio\x-wav

image\*

image\gif

image\jpeg

image\png

image\tiff

image\x-3ds

image\x-bitmap

image\x-niff

image\x-portable-bitmap

image\x-portable-greymap

image\x-xpm

text\*

text\css

text\html

text\plain

text\richtext

text\sgml

text\xmcd

text\xml

video\*

video\flc

video\mpeg

video\quicktime

video\sgi

video\x-fli

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match header mime-type command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.

MIME-type validation extends the format of Internet mail to allow non-US-ASCII textual messages, nontextual messages, multipart message bodies, and non-US-ASCII information in message headers.

Examples

To specify that the policy map permits MIME-type audio/midi messages through the ACE, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH5 header mime-type audio\midi
host1/Admin(config-pmap-ins-http-m)#

Related Commands

This command has no related commands.

(config-pmap-ins-http) match port-misuse

To define HTTP deep packet inspection compliance decisions that restrict certain HTTP traffic from passing through the ACE, use the match port-misuse command. Use the no form of this command to clear the HTTP restricted application category match criteria from the policy map.

match name port-misuse {im | p2p | tunneling} [insert-before map_name]

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

im

Defines the instant messaging application category. The ACE checks for the Yahoo Messenger instant messaging application.

p2p

Defines the peer-to-peer application category. The applications checked include Kazaa and Gnutella.

(ACE appliance only) The applications checked also include GoToMyPC.

tunneling

Defines the tunneling application category. The applications checked include HTTPort/HTTHost, GNU httptunnel, and FireThru.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

The policy map detects the misuse of port 80 (or any other port running HTTP) by applications that tunnel over HTTP, such as peer-to-peer (p2p) applications, tunneling applications, and instant messaging.

When you use the match port-misuse command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.

The port misuse application inspection process searches the entity body of the HTTP message, which may degrade performance of the ACE.

The ACE disables the match port-misuse command by default. If you do not configure a restricted HTTP application category, the default action by the ACE is to allow the applications without generating a log.

Examples

To specify that the policy map identifies peer-to-peer applications as restricted HTTP traffic, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH6 port-misuse p2p
host1/Admin(config-pmap-ins-http-m)#

Related Commands

This command has no related commands.

(config-pmap-ins-http) match request-method

To define HTTP deep packet inspection compliance decisions based on the request methods defined in RFC 2616 and by HTTP extension methods, use the match request-method command. If the HTTP request method or extension method compliance check fails, the ACE denies or resets the specified HTTP traffic based on the policy map action. Use the no form of this command to clear the HTTP request method match criteria from the policy map.

match name request-method {ext method | rfc method} [insert-before map_name]

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

ext method

Specifies an HTTP extension method. If the HTTP request message does not contain one of the RFC 2616 HTTP request methods, the ACE checks whether it is an extension method. The ACE supports the inspection of the following HTTP request extension methods: bcopy, bdelete, bmove, bpropfind, bproppatch, copy, edit, getattr, getattrname, getprops, index, lock, mkcol, mkdir, move, propfind, proppatch, revadd, revlabel, revlog, revnum, save, search, setattr, startrev, stoprev, unedit, and unlock.

(ACE module only) The ACE also supports the inspection of the following HTTP request extension methods: notify, poll, subscribe, unsubscribe, and x-ms-emumatts.

rfc method

Specifies an RFC 2616 HTTP request method on which you want to perform an RFC compliance check. The ACE supports the inspection of the following RFC 2616 HTTP request methods: connect, delete, get, head, options, post, put, and trace.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match request-method command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.

For unsupported HTTP request methods, include the inspect http strict command as an action in the Layer 3 and Layer 4 policy map (see (config-pmap-c) inspect command).

The ACE disables the match request-method command by default. If you do not configure a request method, the default action by the ACE is to allow the RFC 2616 HTTP request method without generating a log. By default, the ACE allows all request and extension methods.

Examples

To specify that the policy map identifies the index HTTP request extension method for application inspection, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH7 request-method ext index
host1/Admin(config-pmap-ins-http-m)#

Related Commands

This command has no related commands.

(config-pmap-ins-http) match strict-http

To ensure that the internal compliance checks verify message compliance with the HTTP RFC standard, RFC 2616, use the match strict-http command. If the HTTP message is not compliant, the ACE denies or resets the specified HTTP traffic based on the policy map action. Use the no form of this command to clear the HTTP RFC standard, RFC 2616, match criteria from the policy map.

match name strict-http [insert-before map_name]

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match strict-http command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.

Examples

To configure the policy map to ensure that the internal compliance checks verify message compliance with the HTTP RFC standard, RFC 2616, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH8 strict-http
host1/Admin(config-pmap-ins-http-m)#

Related Commands

This command has no related commands.

(config-pmap-ins-http) match transfer-encoding

To define HTTP deep packet inspection decisions that limit the HTTP transfer-encoding types that can pass through the ACE, use the match transfer-encoding command. Use the no form of this command to clear the HTTP transfer-encoding type match criteria from the policy map.

match name transfer-encoding coding_types [insert-before map_name]

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

transfer-encoding coding_types

Specifies the HTTP transfer-encoding type for the class map. The possible values for coding_types are as follows:

chunked—Message body transferred as a series of chunks.

compress—Encoding format produced by the common UNIX file compression program "compress." This format is an adaptive Lempel-Ziv-Welch coding (LZW).

deflate—The zlib format defined in RFC 1950 with the deflate compression mechanism described in RFC 1951.

gzip—Encoding format produced by the file compression program gzip (GNU zip) as described in RFC 1952. This format is a Lempel-Ziv coding (LZ77) with a 32-bit CRC.

identity—Default (identity) encoding, which does not require the use of transformation.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match transfer-encoding command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.

The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient. When an HTTP request message contains the configured transfer-encoding type, the ACE performs the configured action in the policy map.

Each match transfer-encoding command configures a single application type.

The ACE disables the match transfer-encoding command by default.

Examples

To configure the policy map to specify a chunked HTTP transfer encoding type to limit the HTTP traffic that flows through the ACE, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH9 transfer-encoding chunked
host1/Admin(config-pmap-ins-http-m)#

Related Commands

This command has no related commands.

(config-pmap-ins-http) match url

To define HTTP deep packet inspection decisions based on the URL name and, optionally, the HTTP method, use the match url command. HTTP performs regular expression matching against the received packet data from a particular connection based on the URL expression. Use the no form of this command to remove the URL name match criteria from the policy map.

match name url expression [insert-before map_name]

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

expression

URL, or portion of a URL, to match. The URL string range is from 1 to 256 characters. Include only the portion of the URL that follows www.hostname.domain in the match statement.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match url command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.

Include only the portion of the URL that follows www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE supports the use of regular expressions for matching. For a list of the supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.

The period (.) does not have a literal meaning in regular expressions. Use either brackets ([]) or the backslash (\) character to match this symbol. For example, specify www[.]xyz[.]com instead of www.xyz.com.

Examples

To configure the policy map to define application inspection decisions based on a URL, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH_URL url whatsnew/latest.*
host1/Admin(config-pmap-ins-http-m)#

Related Commands

This command has no related commands.

(config-pmap-ins-http) match url length

To limit the HTTP traffic allowed through the ACE by specifying the maximum length of a URL in a request message that can be received by the ACE, use the match url length command. Messages will be either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action. Use the no form of this command to clear a URL length match criteria from the policy map.

match name url length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2} [insert-before map_name]

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

eq bytes

Specifies a value for the HTTP URL length received by the ACE. Based on the policy map action, the ACE allows or denies messages with an HTTP URL length equal to the specified value. Valid entries are from 1 to 65535 bytes.

gt bytes

Specifies a minimum value for the HTTP URL length received by the ACE. Based on the policy map action, the ACE allows or denies messages with an HTTP URL length greater than the specified value. Valid entries are from 1 to 65535 bytes.

lt bytes

Specifies a maximum value for the HTTP URL length received by the ACE. Based on the policy map action, the ACE allows or denies messages with an HTTP URL length less than the specified value. Valid entries are from 1 to 65535 bytes.

range bytes1 bytes2

Specifies a size range for the HTTP URL length received by the ACE. Based on the policy map action, the ACE allows or denies messages with an HTTP URL length within this range. The range is from 1 to 65535 bytes.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match url length command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information about commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.

Examples

To specify that the policy map is to match on a URL with a length less than or equal to 10,000 bytes in the request message, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH10 url length eq 10000
host1/Admin(config-pmap-ins-http-m)#
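The inline match conditions of this mode (match header with a header-value expression, match header length, match request-method rfc/ext, match transfer-encoding, match url with a regular expression, and match url length), modelled in Python as an added example that is not part of the Cisco documentation or the ACE software. The sample requests are constructed, the tuple form of each condition is this example's own notation for the CLI keywords, and how the ACE measures header length is an assumption stated in the code.

```python
import re

# RFC 2616 request methods and the extension methods listed in the reference.
RFC_METHODS = {"connect", "delete", "get", "head", "options", "post", "put", "trace"}
EXT_METHODS = {
    "bcopy", "bdelete", "bmove", "bpropfind", "bproppatch", "copy", "edit",
    "getattr", "getattrname", "getprops", "index", "lock", "mkcol", "mkdir",
    "move", "propfind", "proppatch", "revadd", "revlabel", "revlog", "revnum",
    "save", "search", "setattr", "startrev", "stoprev", "unedit", "unlock",
}

# Constructed sample requests (not captured traffic). The first carries an
# extension method, an Accept header containing "html" and chunked encoding.
SAMPLE_REQUEST = (
    b"INDEX /latest/whatsnew.html HTTP/1.1\r\n"
    b"Host: www.anydomain.com\r\n"
    b"Accept: text/html\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)
# Same path with the "." replaced: shows why the reference says to write [.]
LAX_REQUEST = b"GET /latest/whatsnewXhtml HTTP/1.1\r\nHost: www.anydomain.com\r\n\r\n"


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, URL, headers and body.

    header_len is an assumption about what the ACE measures: the request line
    plus all header lines, including the terminating blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": url, "headers": headers,
            "header_len": len(head) + 4, "body": body}


def compare(value: int, op: str, *bounds: int) -> bool:
    """eq / gt / lt / range semantics of the header length and url length commands."""
    if op == "eq":
        return value == bounds[0]
    if op == "gt":
        return value > bounds[0]
    if op == "lt":
        return value < bounds[0]
    if op == "range":
        return bounds[0] <= value <= bounds[1]
    raise ValueError(f"unknown operator {op!r}")


def evaluate(req: dict, cond: tuple) -> bool:
    """Evaluate one inline match condition, written as a tuple that mirrors
    the CLI keywords, against a parsed request."""
    kind = cond[0]
    if kind == "header":            # match NAME header FIELD header-value EXPR
        _, field, expr = cond
        return re.search(expr, req["headers"].get(field.lower(), "")) is not None
    if kind == "header-length":     # match NAME header length request OP BYTES...
        _, _direction, op, *bounds = cond
        return compare(req["header_len"], op, *bounds)
    if kind == "url":               # match NAME url EXPR (regular expression)
        return re.search(cond[1], req["url"]) is not None
    if kind == "url-length":        # match NAME url length OP BYTES...
        _, op, *bounds = cond
        return compare(len(req["url"]), op, *bounds)
    if kind == "request-method":    # match NAME request-method {rfc|ext} METHOD
        _, family, method = cond
        table = RFC_METHODS if family == "rfc" else EXT_METHODS
        if method not in table:
            raise ValueError(f"{method!r} is not a supported {family} method")
        return req["method"].lower() == method
    if kind == "transfer-encoding": # match NAME transfer-encoding CODING
        codings = req["headers"].get("transfer-encoding", "").lower()
        return cond[1] in [c.strip() for c in codings.split(",")]
    raise ValueError(f"unknown match kind {kind!r}")


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    for cond in [("header", "accept", "html"),
                 ("header-length", "request", "lt", 2048),
                 ("url-length", "range", 1, 256),
                 ("request-method", "ext", "index"),
                 ("transfer-encoding", "chunked"),
                 ("url", r"/latest/whatsnew[.]html")]:
        print(cond, "->", evaluate(req, cond))
    lax = parse_request(LAX_REQUEST)
    print("unescaped period matches whatsnewXhtml:", evaluate(lax, ("url", "whatsnew.html")))
    print("bracketed period matches whatsnewXhtml:", evaluate(lax, ("url", "whatsnew[.]html")))
```

The last two lines show the caveat from the match url usage guidelines: an unescaped period matches any character, so whatsnew.html also matches whatsnewXhtml, while whatsnew[.]html does not.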

Related Commands

This command has no related commands.

Policy Map Inspection HTTP Class Configuration Mode Commands

Policy map inspection HTTP class configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 7 HTTP deep packet inspection class map. To access policy map inspection HTTP class configuration mode, use the class command in policy map inspection HTTP configuration mode (see the (config-pmap-ins-http) class command for details). The prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-c).

The default of the ACE is to permit HTTP traffic. For example, if a policy map explicitly permits the HTTP GET method, other methods such as PUT will also be permitted. Only an explicit deny through the reset command is capable of dropping traffic.

The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-ins-http-c) passthrough log

To have the ACE bypass HTTP 1.1 parsing after a CONNECT request is received, which prevents a reset from being sent to the client and the server, use the passthrough command. The ACE uses this pass-through action when there is a match on a port misuse configuration with a pass-through action and a CONNECT request. Use the no form of this command to .

passthrough [log]

no passthrough [log]

Syntax Description

log

(Optional) Generates a log message for traffic that matches the class map.


Command Modes

Policy map inspection HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A4(1.1)

This command was introduced.


ACE Appliance Release
Modification

A4(1.1)

This command was introduced.


Usage Guidelines

By default, with HTTP 1.1, the ACE performs strict header parsing, which may cause a reset (RST) to be sent to the client and the server when the ACE is unable to parse the encrypted packet over a CONNECT request. This issue is not seen with HTTP 1.0 because the ACE skips the header parsing.

Examples

To create a Layer 7 class map for tunneling protocols and set the policy map action to pass through using the passthrough log command, enter:

class-map type http inspect match-any c2

 2 match port-misuse tunneling

policy-map type inspect http all-match SECURITY

 class c2

  passthrough log

Related Commands

This command has no related commands.

(config-pmap-ins-http-c) permit

To allow the specified HTTP traffic to be received by the ACE if it passes the HTTP deep packet inspection match criteria specified in the class map, use the permit command. Use the no form of this command to disallow the specified HTTP traffic to be received by the ACE.

permit [log]

no permit

Syntax Description

log

(Optional) Generates a log message for traffic that matches the class map.


Command Modes

Policy map inspection HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

By default, HTTP inspection allows traffic that does not match any of the configured Layer 7 HTTP deep packet inspection matches. You can modify this behavior by including the class class-default command with the reset action to deny the specified Layer 7 HTTP traffic. In this case, if none of the class matches configured in the Layer 7 HTTP deep packet inspection policy map are hit, the class-default action will be taken by the ACE. For example, you can include a class map to allow the HTTP GET method and use the class class-default command to block all of the other requests.


Note By default, all matches are applied to both HTTP request and response messages, but the class class-default command is applied only to HTTP requests.


Examples

To allow the specified HTTP traffic to be received by the ACE if the class map match criteria in class map L7HTTP_CHECK are met, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# class L7HTTP_CHECK
host1/Admin(config-pmap-ins-http-c)# permit
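The permit and class-default behaviour described in the usage guidelines above, modelled in Python as an added example that is not part of the Cisco documentation or the ACE software. The class name and the policy itself are constructed, and the assumption that classes are checked in configured order with the first hit deciding is this example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Message:
    """One HTTP message seen by the inspection policy (constructed, not captured)."""
    is_request: bool
    method: str = ""
    url: str = ""
    headers: dict = field(default_factory=dict)


@dataclass
class PolicyClass:
    """A class entry in the Layer 7 inspection policy map: the predicate stands in
    for the class map's match rules, the action is permit or reset."""
    name: str
    predicate: Callable[[Message], bool]
    action: str
    log: bool = False


@dataclass
class Decision:
    action: str                  # "permit" or "reset"
    matched: Optional[str]       # class name, "class-default", or None
    logged: bool


def evaluate_policy(classes: List[PolicyClass], default_action: str,
                    msg: Message) -> Decision:
    """Resolve the action for one message.

    Assumption: classes are checked in configured order and the first hit wins.
    class-default is consulted only for requests, per the Note in the reference;
    a response that hits no class falls back to the ACE default of permit."""
    for cls in classes:
        if cls.predicate(msg):
            return Decision(cls.action, cls.name, cls.log)
    if msg.is_request:
        return Decision(default_action, "class-default", False)
    return Decision("permit", None, False)


def build_policy() -> List[PolicyClass]:
    """The policy sketched in the usage guidelines: permit the GET method and
    let class-default decide everything else. The class name is assumed."""
    return [PolicyClass("L7HTTP_GET_ONLY",
                        lambda m: m.is_request and m.method == "GET",
                        "permit", log=True)]


if __name__ == "__main__":
    policy = build_policy()
    get = Message(True, "GET", "/index.html")
    put = Message(True, "PUT", "/upload")
    resp = Message(False, headers={"content-type": "text/html"})
    # Without class-default reset, PUT is permitted even though only GET is listed.
    print("PUT, default permit    :", evaluate_policy(policy, "permit", put))
    # With class-default reset, only the explicitly permitted GET passes.
    print("GET, default reset     :", evaluate_policy(policy, "reset", get))
    print("PUT, default reset     :", evaluate_policy(policy, "reset", put))
    # class-default is applied to requests only, so the response is still permitted.
    print("response, default reset:", evaluate_policy(policy, "reset", resp))
```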

Related Commands

This command has no related commands.

(config-pmap-ins-http-c) reset

To deny the specified HTTP traffic by sending a TCP reset message to the client or server to close the connection, use the reset command. Use the no form of this command to allow the specified HTTP traffic to be received by the ACE.

reset [log]

no reset

Syntax Description

log

(Optional) Generates a log message for traffic that matches the class map.


Command Modes

Policy map inspection HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To deny the specified HTTP traffic from being received by the ACE if the class map match criteria in class map L7HTTP_CHECK are met, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# class L7HTTP_CHECK
host1/Admin(config-pmap-ins-http-c)# reset

Related Commands

This command has no related commands.

Policy Map Inspection HTTP Match Configuration Mode Commands

Policy map inspection HTTP match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map inspection HTTP match configuration mode, use one of the match commands in policy map inspection HTTP configuration mode (see the "Policy Map Inspection HTTP Configuration Mode Commands" section for command details). The prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m).

The inline Layer 7 policy map match commands allow you to include a single inline match criterion in the policy map without specifying a traffic class. The match commands function the same as the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the Layer 7 policy map.

The default of the ACE is to permit HTTP traffic. For example, if a policy map explicitly permits the HTTP GET method, other methods such as PUT will also be permitted. Only an explicit deny through the reset command is capable of dropping traffic.

The commands in this mode requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-ins-http-m) passthrough log

To have the ACE bypass HTTP 1.1 parsing after a CONNECT request is received, so that a reset is not sent to the client and the server, use the passthrough command. The ACE applies this pass-through action when a CONNECT request matches a port misuse configuration whose action is pass-through. Use the no form of this command to .

passthrough log

no passthrough log

Syntax Description

log

(Optional) Generates a log message for traffic that matches the class map.


Command Modes

Policy map inspection HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A4(1.1)

This command was introduced.


ACE Appliance Release
Modification

A4(1.1)

This command was introduced.


Usage Guidelines

By default, with HTTP 1.1, the ACE performs strict header parsing, which may cause a reset (RST) to be sent to the client and the server when the ACE is unable to parse the encrypted packet over a CONNECT request. This issue is not seen with HTTP 1.0 because the ACE skips the header parsing.

Examples

To create a Layer 7 class map for tunneling protocols and set the policy-map action to pass through using the passthrough log command, enter:

class-map type http inspect match-any c2
 2 match port-misuse tunneling
policy-map type inspect http all-match SECURITY
 class c2
  passthrough log

Related Commands

This command has no related commands.

(config-pmap-ins-http-m) permit

To allow the specified HTTP traffic to be received by the ACE if it passes inspection of the match criteria in an inline match condition, use the permit command. Use the no form of this command to disallow the specified HTTP traffic to be received by the ACE.

permit [log]

no permit

Syntax Description

log

(Optional) Generates a log message for traffic that matches the inline match command.


Command Modes

Policy map inspection HTTP match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

The default of the ACE is to permit HTTP traffic. For example, if a policy map explicitly permits the HTTP GET method, other methods such as PUT will also be permitted. Only an explicit deny through the reset command is capable of dropping traffic.

Examples

To allow the specified HTTP traffic to be received by the ACE if the match criteria are met, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH5 transfer-encoding chunked
host1/Admin(config-pmap-ins-http-m)# permit

Related Commands

This command has no related commands.

(config-pmap-ins-http-m) reset

To deny the specified HTTP traffic by sending a TCP reset message to the client or server to close the connection, use the reset command. Use the no form of this command to allow the specified HTTP traffic to be received by the ACE.

reset [log]

no reset

Syntax Description

log

(Optional) Generates a log message for traffic that matches the inline match command.


Command Modes

Policy map inspection HTTP match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To deny the specified HTTP traffic from being received by the ACE if the match criteria are met, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH5 transfer-encoding chunked
host1/Admin(config-pmap-ins-http-m)# reset

Related Commands

This command has no related commands.

Policy Map Inspection SIP Configuration Mode Commands

Policy map inspection SIP configuration mode commands allow you to define a policy map that initiates the inspection of the SIP protocol packets by the ACE. The ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request.

To create a SIP policy map and access policy map inspection SIP configuration mode, use the policy-map type inspect sip all-match command in configuration mode. When you access the policy map inspection SIP configuration mode, the prompt changes to (config-pmap-ins-sip). Use the no form of this command to remove a SIP inspection policy map from the ACE.

policy-map type inspect sip all-match map_name

no policy-map type inspect sip all-match map_name

Syntax Description

sip all-match

Specifies the policy map that initiates the inspection of the SIP protocol packets by the ACE. The ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request.

map_name

Name assigned to the Layer 7 SIP inspection policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

The Layer 7 policy map configures the applicable SIP inspection actions executed on the network traffic that match the classifications defined in a class map. You then associate the completed Layer 7 SIP inspection policy with a Layer 3 and Layer 4 policy map to activate the operation on a VLAN interface.

Examples

To create a Layer 7 SIP inspection policy map, enter:

host1/Admin(config)# policy-map type inspect sip all-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)#

To remove the SIP inspection policy map from the configuration, enter:

host1/Admin(config)# no policy-map type inspect sip all-match SIP_INSPECT_L7POLICY

Related Commands

show startup-config

(config-pmap-ins-sip) class

To associate a Layer 7 SIP inspection class map with a Layer 7 SIP inspection policy map, use the class command. The prompt changes from (config-pmap-ins-sip) to (config-pmap-ins-sip-c). Use the no form of this command to remove an associated class map from a policy map.

class map_name [insert-before map_name]

no class map_name

Syntax Description

map_name

Name of a previously defined Layer 7 SIP inspection class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

insert-before map_name

(Optional) Places the class map ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection SIP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To associate a Layer 7 SIP inspection class map with a Layer 7 SIP inspection policy map, enter:

host/Admin(config-pmap-ins-sip)# class SIP_INSPECT_L7CLASS
host/Admin(config-pmap-ins-sip-c)#

To disassociate the class map from the policy map, enter:

host/Admin(config-pmap-ins-sip)# no class SIP_INSPECT_L7CLASS

Related Commands

(config-pmap-ins-sip) description
(config-pmap-ins-sip-c) drop
(config-pmap-ins-sip-c) log
(config-pmap-ins-sip-c) permit
(config-pmap-ins-sip-c) reset

(config-pmap-ins-sip) description

To provide a brief summary about the Layer 7 SIP inspection policy map, use the description command. Use the no form of this command to remove the description from the policy map.

description text

no description

Syntax Description

text

Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.


Command Modes

Policy map inspection SIP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To add a description for a Layer 7 SIP inspection policy map, enter:

host1/Admin(config-pmap-ins-sip)# description layer 7 sip inspection policy

To remove the description from the policy map, enter:

host1/Admin(config-pmap-ins-sip)# no description 

Related Commands

(config-pmap-ins-sip) class

(config-pmap-ins-sip) match called-party

To filter SIP traffic based on the called party, use the match called-party command. Use the no form of this command to remove the match statement from the policy map.

match name called-party expression [insert-before map_name]

no match name called-party expression

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

expression

Called party in the URI of the SIP To header. Enter a regular expression from 1 to 255 alphanumeric characters.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection SIP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

You can filter SIP traffic based on the called party (callee or destination) as specified in the URI of the SIP To header. The ACE does not include the display name or tag part of the field.

The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. Table 2-21 lists the supported characters that you can use in regular expressions.

Examples

To identify the called party in the SIP To header, enter:

host1/Admin(config-pmap-ins-sip)# match MATCH_CALLED called-party sip:some-user@somenetwork.com

To remove the match statement from the policy map, enter:

host1/Admin(config-pmap-ins-sip)# no match MATCH_CALLED called-party sip:some-user@somenetwork.com

Related Commands

(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match third-party registration
(config-pmap-ins-sip) match uri

(config-pmap-ins-sip) match calling-party

To filter SIP traffic based on the calling party, use the match calling-party command. Use the no form of this command to remove the match statement from the policy map.

match name calling-party expression [insert-before map_name]

no match name calling-party expression

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

expression

Calling party in the URI of the SIP From header. Enter a regular expression from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection SIP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

You can filter SIP traffic based on the calling party (caller or source) as specified in the URI of the SIP From header. The ACE does not include the display name or tag part of the field.

The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. See Table 2-21 for a list of the supported characters that you can use in regular expressions.

Examples

To identify the calling party in the SIP From header, enter:

host1/Admin(config-pmap-ins-sip)# match MATCH_CALLING calling-party sip:this-user@thisnetwork.com;tag=745g8

To remove the match statement from the policy map, enter:

host1/Admin(config-pmap-ins-sip)# no match MATCH_CALLING calling-party sip:this-user@thisnetwork.com;tag=745g8

Related Commands

(config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match third-party registration
(config-pmap-ins-sip) match uri

(config-pmap-ins-sip) match content

To define SIP content checks, use the match content command. Use the no form of this command to remove the match statement from the policy map.

match name content {length gt number} | {type sdp | expression} [insert-before map_name]

no match name content {length gt number} | {type sdp | expression}

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

length

Specifies the SIP message body length.

gt

Specifies the greater than operator.

number

Maximum size of a SIP message body that the ACE allows. Enter an integer from 0 to 65534 bytes. If the message body is greater than the configured value, the ACE performs the action that you configure in the policy map.

type

Specifies a content type check.

sdp

Specifies that the traffic must be of type Session Description Protocol (SDP) to match the policy map.

expression

Regular expression that identifies the content type in the SIP message body that is required to match the policy map. Enter a regular expression from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching. See Table 2-21 for a list of the supported characters that you can use in regular expressions.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection SIP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

You can configure the ACE to perform SIP content checks based on content length or content type. By default, the ACE allows all content types.

Examples

To configure the ACE to drop SIP packets whose content is greater than 4000 bytes in length, enter:

host1/Admin(config)# class-map type sip inspect match-all SIP_INSP_CLASS
host1/Admin(config-cmap-sip-insp)# match MATCH_CONTENT content length gt 200

host1/Admin(config)# policy-map type inspect sip all-match SIP_INSP_POLICY
host1/Admin(config-pmap-ins-sip)# class SIP_INSP_CLASS
host1/Admin(config-pmap-ins-sip-c)# deny

To remove the match statement from the policy map, enter:

host1/Admin(config-cmap-sip-insp)# no match MATCH_CONTENT content length gt 200

Related Commands

(config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match third-party registration
(config-pmap-ins-sip) match uri

(config-pmap-ins-sip) match im-subscriber

To filter SIP traffic based on the IM subscriber, use the match im-subscriber command. Use the no form of this command to remove the match statement from the policy map.

match name im-subscriber expression [insert-before map_name]

no match name im-subscriber expression

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

expression

IM subscriber. Enter a regular expression from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection SIP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. See Table 2-21 for a list of the supported characters that you can use in regular expressions.

Examples

To filter SIP traffic based on the IM subscriber, John Q. Public, enter:

host1/Admin(config-pmap-ins-sip)# match MATCH_IM im-subscriber John_Q_Public

To remove the match statement from the policy map, enter:

host1/Admin(config-pmap-ins-sip)# no match MATCH_IM im-subscriber John_Q_Public

Related Commands

(config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match third-party registration
(config-pmap-ins-sip) match uri

(config-pmap-ins-sip) match message-path

To filter SIP traffic based on the message path, use the match message-path command. Use the no form of this command to remove the match statement from the policy map.

match name message-path expression [insert-before map_name]

no match name message-path expression

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

expression

SIP proxy server. Enter a regular expression from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection SIP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

SIP inspection allows you to filter messages coming from or transiting through certain SIP proxy servers. The ACE maintains a list of unauthorized SIP proxy IP addresses or URIs in the form of regular expressions and checks this list against the Via header field in each SIP packet. The default action is to drop SIP packets whose Via fields match the regex list.

The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. See Table 2-21 for a list of the supported characters that you can use in regular expressions.

Examples

To filter SIP traffic based on the message path 192.168.12.3:5060, enter:

host1/Admin(config-pmap-ins-sip)# match MATCH_PATH message-path 192.168.12.3:5060

To remove the match statement from the policy map, enter:

host1/Admin(config-pmap-ins-sip)# no match MATCH_PATH message-path 192.168.12.3:5060

Related Commands

(config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match third-party registration
(config-pmap-ins-sip) match uri

(config-pmap-ins-sip) match request-method

To filter SIP traffic based on the request method, use the match request-method command. Use the no form of this command to remove the match statement from the policy map.

match name request-method method_name [insert-before map_name]

no match name request-method method_name

Syntax Description

method_name

Supported SIP method using one of the following keywords:

ack

bye

cancel

info

invite

message

notify

options

prack

refer

register

subscribe

unknown

update

Use the unknown keyword to permit or deny unknown or unsupported SIP methods.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection SIP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To filter SIP traffic based on the INVITE request method, enter:

host1/Admin(config-pmap-ins-sip)# match MATCH_REQUEST request-method invite

To remove the match statement from the policy map, enter:

host1/Admin(config-pmap-ins-sip)# no match MATCH_REQUEST request-method invite

Related Commands

(config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match third-party registration
(config-pmap-ins-sip) match uri

(config-pmap-ins-sip) match third-party registration

To filter SIP traffic based on third-party registrations or deregistrations, use the match third-party-registration command. Use the no form of this command to remove the match statement from the policy map.

match name third-party registration expression [insert-before map_name]

no match name third-party registration expression

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

expression

Privileged user that is authorized for third-party registrations. Enter a regular expression from 1 to 255 alphanumeric characters.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection SIP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

SIP allows users to register other users on their behalf by sending REGISTER messages with different values in the From and To header fields. This process may pose a security threat if the REGISTER message is actually a DEREGISTER message: a malicious user could cause a denial of service (DoS) by deregistering all users on their behalf. To prevent this threat, you can specify a list of privileged users who are allowed to register or unregister someone else. The ACE maintains the list as a regex table. If you configure this policy, the ACE drops REGISTER messages that have mismatched From and To headers and a From header value that does not match any of the privileged user IDs.

The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. See Table 2-21 for a list of the supported characters that you can use in regular expressions.

Examples

To filter SIP traffic based on SIP registrations or deregistrations, enter:

host1/Admin(config-pmap-ins-sip)# match MATCH_REG third-party-registration USER1

To remove the match statement from the policy map, enter:

host1/Admin(config-pmap-ins-sip)# no match MATCH_REG third-party-registration USER1

Related Commands

(config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match uri

(config-pmap-ins-sip) match uri

To filter SIP traffic based on URIs, use the match uri command. Use the no form of this command to remove the match statement from the policy map.

match name uri {sip | tel} length gt value [insert-before map_name]

no match name uri {sip | tel} length gt value

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

sip

Specifies that the ACE validates the length of a SIP URI.

tel

Specifies that the ACE validates the length of a Tel URI.

length

Specifies the length of the SIP or Tel URI.

gt

Specifies the greater than operator.

value

Maximum value for the length of the SIP URI or Tel URI in bytes. Enter an integer from 0 to 254 bytes.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection SIP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

You can configure the ACE to validate the length of SIP URIs or Tel URIs. A SIP URI is a user identifier that a calling party (source) uses to contact the called party (destination). A Tel URI is a telephone number that identifies the endpoint of a SIP connection. For more information about SIP URIs and Tel URIs, see RFC 2534 and RFC 3966, respectively.

Examples

To instruct the ACE to filter traffic based on SIP URIs, enter:

host1/Admin(config-pmap-ins-sip)# match MATCH_URI uri sip length gt 100

To remove the match statement from the policy map, enter:

host1/Admin(config-pmap-ins-sip)# no match MATCH_URI uri sip length gt 100

Related Commands

(config-pmap-ins-sip) match called-party
(config-pmap-ins-sip) match calling-party
(config-pmap-ins-sip) match content
(config-pmap-ins-sip) match im-subscriber
(config-pmap-ins-sip) match message-path
(config-pmap-ins-sip) match request-method
(config-pmap-ins-sip) match third-party registration

Policy Map Inspection SIP Class Configuration Mode Commands

Use the policy map SIP inspection class configuration mode to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 7 SIP inspection class map. To access policy map SIP inspection class configuration mode, use the class command in the policy map SIP inspection configuration mode (see the (config-pmap-ins-sip) class command for details). The prompt changes from (config-pmap-ins-sip) to (config-pmap-ins-sip-c).

The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-ins-sip-c) drop

To discard the SIP traffic that matches the traffic specified in the class map, use the drop command. Use the no form of this command to return the ACE behavior to the default of permitting all SIP traffic to pass.

drop [log]

no drop

Syntax Description

log

(Optional) Generates a log message for traffic that matches the class map.


Command Modes

Policy map inspection SIP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To discard the SIP traffic that matches the class map, enter:

host1/Admin(config)# policy-map type inspect sip all-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# class SIP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-sip-c)# drop

Related Commands

This command has no related commands.

(config-pmap-ins-sip-c) log

To log all SIP traffic that matches the class map, use the log command. Use the no form of this command to return the ACE behavior to the default of not logging SIP traffic.

log

no log

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map inspection SIP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To log the SIP traffic that matches the class map, enter:

host1/Admin(config)# policy-map type inspect sip all-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# class SIP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-sip-c)# log

Related Commands

This command has no related commands.

(config-pmap-ins-sip-c) permit

To permit the SIP traffic that matches the class map to pass through the ACE, use the permit command. Use the no form of this command to return the ACE behavior to the default of permitting all SIP traffic to pass.

permit [log]

no permit

Syntax Description

log

(Optional) Generates a log message for traffic that matches the class map.


Command Modes

Policy map inspection SIP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To permit the SIP traffic that matches the class map to pass through the ACE, enter:

host1/Admin(config)# policy-map type inspect sip first-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# class SIP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-sip-c)# permit

Related Commands

This command has no related commands.

(config-pmap-ins-sip-c) reset

To instruct the ACE to deny the SIP traffic that matches the class map and to reset the connection using the TCP RESET message, use the reset command. Use the no form of this command to return the ACE behavior to the default of permitting all SIP traffic to pass.

reset [log]

no reset

Syntax Description

log

(Optional) Generates a log message for traffic that matches the class map.


Command Modes

Policy map inspection SIP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to deny the traffic that matches the class map and to reset the connection, enter:

host1/Admin(config)# policy-map type inspect sip first-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# class SIP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-sip-c)# reset

Related Commands

This command has no related commands.

Policy Map Inspection SIP Match Configuration Mode Commands

Policy map inspection SIP match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map inspection SIP match configuration mode, use the match command in policy map inspection SIP configuration mode. The prompt changes from (config-pmap-ins-sip) to (config-pmap-ins-sip-m).

The inline Layer 7 policy map match commands allow you to include a single inline match criterion in the policy map without specifying a traffic class. The match commands function the same as the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the Layer 7 policy map.

The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-ins-sip-m) drop

To discard the SIP traffic that matches the traffic specified in the single inline match command, use the drop command. Use the no form of this command to return the ACE behavior to the default of permitting all SIP traffic to pass.

drop [log]

no drop

Syntax Description

log

(Optional) Generates a log message for traffic that matches the single inline match command.


Command Modes

Policy map inspection SIP match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To discard the SIP traffic that matches the traffic specified in the single inline match command, enter:

host1/Admin(config)# policy-map type inspect sip all-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# match MATCH_URI uri sip length gt 100
host1/Admin(config-pmap-ins-sip-m)# drop

Related Commands

This command has no related commands.

(config-pmap-ins-sip-m) permit

To permit the SIP traffic that matches the traffic specified in the single inline match command to pass through the ACE, use the permit command. Use the no form of this command to return to the default state and permit all SIP traffic to pass.

permit [log]

no permit

Syntax Description

log

(Optional) Generates a log message for traffic that matches the inline match command.


Command Modes

Policy map inspection SIP match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To permit the SIP traffic specified in the single inline match command to pass through the ACE, enter:

host1/Admin(config)# policy-map type inspect sip all-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# match MATCH_URI uri sip length gt 100
host1/Admin(config-pmap-ins-sip-m)# permit

Related Commands

This command has no related commands.

(config-pmap-ins-sip-m) reset

To instruct the ACE to deny SIP traffic that matches the single inline match command and to reset the connection using the TCP RESET message, use the reset command. Use the no form of this command to return the ACE behavior to the default of permitting all SIP traffic to pass.

reset [log]

no reset

Syntax Description

log

(Optional) Generates a log message for traffic that matches the single inline match command.


Command Modes

Policy map inspection SIP match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to deny the traffic that matches the single inline match command and to reset the connection, enter:

host1/Admin(config)# policy-map type inspect sip all-match SIP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-sip)# match MATCH_URI uri sip length gt 100
host1/Admin(config-pmap-ins-sip-m)# reset

Related Commands

This command has no related commands.

Policy Map Inspection Skinny Configuration Mode Commands

Policy map inspection Skinny configuration mode commands allow you to define a policy map that initiates inspection of the Skinny Client Control Protocol (SCCP) by the ACE. The ACE uses the SCCP inspection policy to filter traffic based on the message ID and to perform user-configurable actions on that traffic.

To create an SCCP inspection policy map and access policy map inspection Skinny configuration mode, use the policy-map type inspect skinny command in configuration mode. When you access the policy map inspection skinny configuration mode, the prompt changes to (config-pmap-ins-skinny). Use the no form of this command to remove an SCCP inspection policy map from the ACE.

policy-map type inspect skinny map_name

no policy-map type inspect skinny map_name

Syntax Description

map_name

Name assigned to the Layer 7 SCCP inspection policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

Examples

To create a Layer 7 SCCP inspection policy map, enter:

host1/Admin(config)# policy-map type inspect skinny SCCP_INSPECT_L7POLICY

host1/Admin(config-pmap-ins-skinny)#

Related Commands

This command has no related commands.

(config-pmap-ins-skinny) description

To provide a brief summary of the Layer 7 SCCP inspection policy map, use the description command. Use the no form of this command to remove the description from the policy map.

description text

no description

Syntax Description

text

Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.


Command Modes

Policy map inspection Skinny configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To add a description about the SCCP policy map, enter:

host1/Admin(config-pmap-ins-skinny)# description this is an SCCP inspection policy map

To remove the inline match statement from the policy map, enter:

host1/Admin(config-pmap-ins-skinny)# no match SCCP_MATCH message-id range 100 500

Related Commands

(config-pmap-ins-skinny-m) reset
(config-pmap-ins-skinny) match message-id

(config-pmap-ins-skinny) match message-id

To include a single inline match criterion in the policy map without specifying a traffic class, use the match message-id command. Use the no form of this command to remove the inline match statement from the policy map.

match name message-id {number1 | range {number2 number3}} [insert-before map_name]

no match name

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

number1

Numerical identifier of the SCCP message. Enter an integer from 0 to 65535.

range {number2 number3}

Specifies a range of SCCP message IDs. Enter an integer from 0 to 65535 for the lower and the upper limits of the range. The upper limit must be greater than or equal to the lower limit.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map inspection Skinny configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

When you use an inline match command, you can specify an action for only a single match statement in the Layer 7 policy map.

Examples

To specify an inline match command for a Layer 7 SCCP inspection policy map, enter:

host1/Admin(config-pmap-ins-skinny)# match SCCP_MATCH message-id range 100 500
host1/Admin(config-pmap-ins-skinny-m)# 

Related Commands

(config-pmap-ins-skinny) description

Policy Map Inspection Skinny Match Configuration Mode Commands

Policy map inspection Skinny match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map inspection Skinny match configuration mode, use the match message-id command in policy map inspection Skinny configuration mode (see the (config-pmap-ins-skinny) match message-id command for details). The prompt changes from (config-pmap-ins-skinny) to (config-pmap-ins-skinny-m).

The inline Layer 7 policy map match commands allow you to include a single inline match criterion in the policy map without specifying a traffic class. The match commands function the same as the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the Layer 7 policy map.

The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-ins-skinny-m) reset

To instruct the ACE to deny SCCP traffic that matches the single inline match command and to reset the connection using the TCP RESET message, use the reset command as the policy map action. By default, the ACE allows all SCCP packets to pass through it. Use the no form of this command to reset the ACE behavior to the default of allowing all SCCP traffic to pass.

reset [log]

no reset

Syntax Description

log

(Optional) Generates a log message for traffic that matches the single inline match command.


Command Modes

Policy map inspection Skinny match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

You apply the specified action against the single inline match command. The reset command causes the ACE to drop the SCCP traffic that matches the inline match command and reset the connection.

Examples

To specify that the ACE drop SCCP traffic that matches the match message-id inline command and reset the connection, enter:

host1/Admin(config)# policy-map type inspect skinny SCCP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-skinny)# match SCCP_MATCH message-id range 100 500
host1/Admin(config-pmap-ins-skinny-m)# reset

Related Commands

(config-pmap-ins-skinny) description
(config-pmap-ins-skinny) match message-id

Policy Map Load Balancing Generic Configuration Mode Commands

Policy map load balancing generic configuration mode commands allow you to specify a generic Layer 7 policy map for server load-balancing decisions. The ACE executes the specified action only against the first matching load-balancing classification.

To create a generic Layer 7 server load balancing (SLB) policy map and access policy map load balancing generic configuration mode, use the policy-map type loadbalance generic first-match command. When you access the policy map load balancing generic configuration mode, the prompt changes to (config-pmap-lb-generic). Use the no form of this command to remove a generic Layer 7 SLB policy map from the ACE.

policy-map type loadbalance generic first-match map_name

no policy-map type loadbalance generic first-match map_name

Syntax Description

map_name

Name assigned to the generic SLB policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You associate the Layer 7 load balancing policy map with a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface.

To associate the Layer 7 load-balancing policy map, you nest it by using the Layer 3 and Layer 4 (config-pmap-c) loadbalance policy command.

Examples

To create a generic SLB policy map, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# 

Related Commands

show running-config
(config) policy-map

(config-pmap-lb-generic) class

To associate a Layer 7 server load balancing (SLB) class map with a Layer 7 SLB policy map, use the class command. The prompt changes from (config-pmap-lb-generic) to (config-pmap-lb-generic-c). For information about commands in this mode, see the "Policy Map Load Balancing Generic Class Configuration Mode Commands" section. Use the no form of this command to remove an associated class map from a policy map.

class {name1 [insert-before name2] | class-default}

no class {name1 [insert-before name2] | class-default}

Syntax Description

name1

Name of a previously defined Layer 7 SLB class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

insert-before name2

(Optional) Places the current named class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration.

class-default

Reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it that enables it to match all traffic.


Command Modes

Policy map load balancing generic configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To associate a Layer 7 SLB class map with a Layer 7 SLB policy map, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# class L7LOADBALANCE_CLASS

Related Commands

(config-pmap-lb-generic) description

(config-pmap-lb-generic) description

To provide a brief description of the generic server load balancing (SLB) policy map, use the description command. Use the no form of this command to remove the description from the policy map.

description text

no description

Syntax Description

text

Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.


Command Modes

Policy map load balancing generic configuration mode

Admin role in any user context

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To add a description that the policy map is to perform server load balancing, enter:

host1/Admin(config-pmap-lb-generic)# description GENERIC_LOAD_BALANCE_PROTOCOL

Related Commands

(config-pmap-lb-generic) class

(config-pmap-lb-generic) match layer4-payload

To make server load balancing (SLB) decisions based on the Layer 4 payload, use the match layer4-payload command. Use the no form of this command to remove the Layer 4 payload match statement from the policy map.

match name layer4-payload [offset bytes] regex expression [insert-before map_name]

no match name layer4-payload [offset bytes] regex expression [insert-before map_name]

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

offset bytes

(Optional) Specifies an absolute offset in the data where the Layer 4 payload expression search string starts. The offset starts at the first byte of the TCP or UDP body. Enter an integer from 0 to 999. The default is 0.

regex expression

Specifies the Layer 4 payload expression that is contained within the TCP or UDP entity body. Enter a string from 1 to 255 alphanumeric characters. For a list of the supported characters that you can use in regular expression strings, see Table 2-21.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map or other match statement specified by the map_name argument. The ACE does not save the sequence reordering as part of the configuration.


Command Modes

Policy map load balancing generic configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

To specify actions for multiple match statements, use a class map as described in the "Class Map Generic Configuration Mode Commands" section.

Generic data parsing begins at Layer 4 with the TCP or UDP payload, which gives you the flexibility to match Layer 5 data (in the case of the Lightweight Directory Access Protocol (LDAP) or the Domain Name System (DNS)) or any Layer 7 header or payload (for example, HTTP).

When matching data strings, the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).

When you use the match layer4-payload command, you access the policy map load balancing generic match configuration mode and the prompt changes to (config-pmap-lb-generic-m). For information about commands in this mode, see the "Policy Map Load Balancing Generic Match Configuration Mode Commands" section.
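The first-match evaluation described for this policy map type (only the first matching classification acts, class-default catches the rest), the insert-before reordering, and the note above about unescaped dots, as an added Python emulation that is not ACE code: Python's re module stands in for the ACE regex engine, the reading of offset as the position where the search begins is an assumption, and all statement names, server farms, addresses and sample requests are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Added example, not ACE code: a small emulation of how a
# "policy-map type loadbalance generic first-match" policy evaluates its
# inline match statements. The first statement whose condition holds
# supplies the action; class-default catches everything else. Python's
# re module stands in for the ACE regex engine, and "offset" is taken as
# the byte position where the search begins (an assumption about ACE).

Predicate = Callable[[bytes, str], bool]   # (TCP/UDP body, client source IP)

@dataclass
class Statement:
    name: str
    predicate: Predicate
    action: str

def layer4_payload(expression: str, offset: int = 0) -> Predicate:
    """match <name> layer4-payload [offset <bytes>] regex <expression>"""
    compiled = re.compile(expression.encode())
    return lambda body, _src: compiled.search(body, offset) is not None

def source_address(ip: str, mask: str) -> Predicate:
    """match <name> source-address <ip> <mask>, mask in dotted-decimal"""
    network = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return lambda _body, src: ipaddress.ip_address(src) in network

@dataclass
class FirstMatchPolicy:
    default_action: str                    # action under "class class-default"
    statements: list = field(default_factory=list)

    def match(self, name: str, predicate: Predicate, action: str,
              insert_before: Optional[str] = None) -> "FirstMatchPolicy":
        """Append a statement, or place it ahead of an existing one
        (the insert-before keyword)."""
        stmt = Statement(name, predicate, action)
        if insert_before is None:
            self.statements.append(stmt)
        else:
            idx = next(i for i, s in enumerate(self.statements)
                       if s.name == insert_before)
            self.statements.insert(idx, stmt)
        return self

    def evaluate(self, body: bytes, src: str) -> Tuple[str, str]:
        """Return (statement name, action) of the first statement that hits."""
        for stmt in self.statements:
            if stmt.predicate(body, src):
                return stmt.name, stmt.action
        return "class-default", self.default_action

# Constructed sample requests: the genuine host header and a look-alike.
REAL = b"GET /index.html HTTP/1.1\r\nHost: www.xyz.com\r\n\r\n"
LOOKALIKE = b"GET /index.html HTTP/1.1\r\nHost: www-xyz-com\r\n\r\n"

def unescaped_dot_demo() -> Dict[str, str]:
    """An unescaped '.' matches any byte, so www.xyz.com also selects the
    look-alike host; www[.]xyz[.]com only selects the genuine one."""
    results = {}
    for label, expr in (("loose", r"Host: www.xyz.com"),
                        ("strict", r"Host: www[.]xyz[.]com")):
        policy = FirstMatchPolicy("drop").match(
            "L4_MATCH", layer4_payload(expr), "serverfarm FARM2")
        results[f"{label}_real"] = policy.evaluate(REAL, "10.0.0.5")[1]
        results[f"{label}_lookalike"] = policy.evaluate(LOOKALIKE, "10.0.0.5")[1]
    return results

def ordering_demo() -> Dict[str, str]:
    """A broad statement appended first shadows a narrower one added later;
    insert-before puts the narrow statement where it is actually reached."""
    internal = source_address("192.168.10.1", "255.255.0.0")   # 192.168.0.0/16
    shadowed = (FirstMatchPolicy("drop")
                .match("ANY_GET", layer4_payload(r"^GET "), "serverfarm FARM2")
                .match("INTERNAL_NET", internal, "serverfarm FARM3"))
    fixed = (FirstMatchPolicy("drop")
             .match("ANY_GET", layer4_payload(r"^GET "), "serverfarm FARM2")
             .match("INTERNAL_NET", internal, "serverfarm FARM3",
                    insert_before="ANY_GET"))
    return {
        "shadowed": shadowed.evaluate(REAL, "192.168.200.7")[0],
        "fixed": fixed.evaluate(REAL, "192.168.200.7")[0],
        "outside_net": fixed.evaluate(REAL, "10.0.0.5")[0],
        "no_hit": fixed.evaluate(b"\x16\x03\x01", "10.0.0.5")[0],
    }

def offset_demo() -> Tuple[bool, bool]:
    """offset 10 regex abc12.* (the reference example): bytes before the
    offset are never examined, so the same string placed earlier is missed."""
    at_offset, before_offset = b"0123456789abc12xyz", b"abc12xyz0123456789"
    check = layer4_payload(r"abc12.*", offset=10)
    return check(at_offset, ""), check(before_offset, "")
```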

Examples

To define Layer 4 payload match criteria for a generic policy map, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match L4_MATCH layer4-payload offset 10 regex abc12.*
host1/Admin(config-pmap-lb-generic-m)# 

Related Commands

(config-cmap-generic) match layer4-payload

(config-pmap-lb-generic) match source-address

To specify a client source host IP address and subnet mask as the network traffic matching criteria, use the match source-address command. You configure the associated policy map to permit or restrict management traffic to the ACE from the specified source network or host. Use the no form of this command to clear the source IP address and subnet mask match criteria from the policy map.

match name source-address ip_address mask [insert-before map_name]

no match name source-address ip_address mask

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

ip_address

Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

mask

Subnet mask of the client entry in dotted-decimal notation (for example, 255.255.255.0).

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map load balancing generic configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

When you use the match source-address command, you access the policy map load balancing generic match configuration mode and the prompt changes from (config-pmap-lb-generic) to (config-pmap-lb-generic-m). For information about commands in this mode, see the "Policy Map Load Balancing Generic Match Configuration Mode Commands" section.

Examples

To specify that the Layer 7 SLB policy map matches on source IP address 192.168.10.1 255.255.0.0, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match match3 source-address 192.168.10.1 255.255.0.0
host1/Admin(config-pmap-lb-generic-m)# 

Related Commands

(config-cmap-generic) match source-address

Policy Map Load Balancing Generic Class Configuration Mode Commands

Policy map load balancing generic class configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 7 server load balancing (SLB) class map. To access policy map load balancing generic class configuration mode, use the class command in policy map load balancing generic configuration mode (see the (config-pmap-lb-generic) class command for details). The prompt changes to (config-pmap-lb-generic-c).

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-lb-generic-c) drop

To instruct the ACE to discard packets that match a particular load-balancing criterion in the class map, use the drop command. Use the no form of this command to reset the ACE to its default of accepting packets from the policy map.

drop

no drop

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing generic class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to discard packets that match the load-balancing criteria in the class map, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# class L7SLBCLASS
host1/Admin(config-pmap-lb-generic-c)# drop

Related Commands

This command has no related commands.

(config-pmap-lb-generic-c) forward

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, use the forward command. Use the no form of this command to reset the ACE to its default of load balancing packets from the policy map.

forward

no forward

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing generic class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# class L7SLBCLASS
host1/Admin(config-pmap-lb-generic-c)# forward

Related Commands

This command has no related commands.

(config-pmap-lb-generic-c) serverfarm

To load balance a client request for content to a server farm, use the serverfarm command. Server farms are groups of networked real servers that contain the same content and reside in the same physical location. Use the no form of this command to remove the server-farm action from the Layer 7 load-balancing policy map.

serverfarm name1 [backup name2] [aggregate-state]

no serverfarm name1 [backup name2] [aggregate-state]

Syntax Description

name1

Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

backup name2

(Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm goes down, the ACE sends all connections to the configured backup server farm. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

aggregate-state

This option has been deprecated and no longer has an effect on the state of the VIP. By default, the ACE takes into account the state of all real servers in the backup server farm before taking the VIP out of service. If all real servers in the primary server farm fail, but there is at least one real server in the backup server farm that is operational, the ACE keeps the VIP in service.


Command Modes

Policy map load balancing generic class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset (RST) to a client in response to a content request.

If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.

Examples

To specify the serverfarm command as an action in the load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# class L7SLBCLASS
host1/Admin(config-pmap-lb-generic-c)# serverfarm FARM2 backup FARM3

Related Commands

This command has no related commands.

(config-pmap-lb-generic-c) set ip tos

To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB) policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the default of 0.

set ip tos value

no set ip tos value

Syntax Description

value

IP DSCP value. Enter an integer from 0 to 255. The default is 0.


Command Modes

Policy map load balancing generic class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.

Examples

The following example specifies the set ip tos command as a QoS action in the Layer 7 load-balancing policy map. All packets that satisfy the match criteria of L7SLBCLASS are marked with the IP DSCP value of 8. How packets marked with the IP DSCP value of 8 are treated is determined by the network configuration.

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# class L7SLBCLASS
host1/Admin(config-pmap-lb-generic-c)# set ip tos 8

Related Commands

This command has no related commands.

(config-pmap-lb-generic-c) sticky-serverfarm

To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from the policy map.

sticky-serverfarm name

no sticky-serverfarm name

Syntax Description

name

Name of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map load balancing generic class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

Examples

To specify that all requests that match a generic Layer 7 policy map are load balanced to a sticky server farm, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# class L7SLBCLASS
host1/Admin(config-pmap-lb-generic-c)# sticky-serverfarm STICKY_GROUP1

Related Commands

This command has no related commands.

Policy Map Load Balancing Generic Match Configuration Mode Commands

Policy map load balancing generic match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map load balancing generic match configuration mode, use one of the match commands in policy map load balancing generic configuration mode (see the "Policy Map Load Balancing Generic Configuration Mode Commands" section for details). The prompt changes to (config-pmap-lb-generic-m).

The inline Layer 7 policy map match commands allow you to include a single inline match criterion in the policy map without specifying a traffic class. The inline match commands function the same way as the Layer 7 server load balancing (SLB) class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the generic SLB policy map.

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-lb-generic-m) drop

To instruct the ACE to discard packets that match a particular load-balancing criterion in an inline match command, use the drop command. Use the no form of this command to reset the ACE to its default of accepting packets from the policy map.

drop

no drop

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing generic match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to discard packets that match the load-balancing criteria in the inline match command, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match MATCH_SLB1 source-address 192.168.10.1 255.255.0.0
host1/Admin(config-pmap-lb-generic-m)# drop

Related Commands

This command has no related commands.

(config-pmap-lb-generic-m) forward

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, use the forward command. Use the no form of this command to reset the ACE to its default of load balancing packets from the policy map.

forward

no forward

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing generic match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match MATCH_SLB1 source-address 192.168.10.1 255.255.0.0
host1/Admin(config-pmap-lb-generic-m)# forward

Related Commands

This command has no related commands.

(config-pmap-lb-generic-m) serverfarm

To load balance a client request for content to a server farm, use the serverfarm command. Server farms are groups of networked real servers that contain the same content and reside in the same physical location. Use the no form of this command to remove the server-farm action from the Layer 7 load balancing policy map.

serverfarm name1 [backup name2] [aggregate-state]

no serverfarm name1 [backup name2] [aggregate-state]

Syntax Description

name1

Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

backup name2

(Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm goes down, the ACE sends all connections to the configured backup server farm. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

aggregate-state

This option has been deprecated and no longer has an effect on the state of the VIP. By default, the ACE takes into account the state of all real servers in the backup server farm before taking the VIP out of service. If all real servers in the primary server farm fail, but there is at least one real server in the backup server farm that is operational, the ACE keeps the VIP in service.


Command Modes

Policy map load balancing generic match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset (RST) to a client in response to a content request.

If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.

Examples

To specify the serverfarm command as an action in the load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match MATCH_SLB1 source-address 192.168.11.2 255.255.255.0
host1/Admin(config-pmap-lb-generic-m)# serverfarm FARM2 backup FARM3

Related Commands

This command has no related commands.

(config-pmap-lb-generic-m) set ip tos

To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB) policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the default of 0.

set ip tos value

no set ip tos value

Syntax Description

value

IP DSCP value. Enter an integer from 0 to 255. The default is 0.


Command Modes

Policy map load balancing generic match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.
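The two set ip tos sections above (the class form and this inline-match form) both write a value of 0 to 255 into the ToS byte and leave its interpretation to the RFCs they cite. The following added example, which is not part of the Cisco reference, decodes a ToS byte into the DSCP and ECN fields defined by RFC 2474 and RFC 3168 and rewrites the ToS byte of an IPv4 header while recomputing the header checksum from RFC 791. It assumes the configured value is written into the whole ToS byte (so the page's example value 8 yields DSCP 2 with ECN 0 under that layout); the header fields and addresses are constructed sample data. A practitioner can use the decode half on a packet capture to confirm that the mark leaving the ACE is the one the policy intended, since downstream QoS devices act on whatever bits arrive.

```python
"""Decode a ToS byte into DSCP/ECN and rewrite it in an IPv4 header.

Added example for the Cisco ACE set ip tos command; not Cisco code.
Assumption: the configured value occupies the full ToS byte, whose upper six
bits are the DSCP (RFC 2474) and lower two bits the ECN field (RFC 3168).
"""
import socket
import struct


def decode_tos(tos: int) -> dict:
    """Split a ToS byte into DSCP, ECN and (if applicable) its class selector."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS byte must be 0..255")
    dscp = tos >> 2            # upper six bits
    ecn = tos & 0x03           # lower two bits
    # Class-selector code points have the form xxx000 (RFC 2474 section 4.2.2.2)
    cs = dscp >> 3 if dscp & 0x07 == 0 else None
    return {"dscp": dscp, "ecn": ecn, "class_selector": cs}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); checksum field must be zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, tos: int = 0, payload_len: int = 0,
                      proto: int = 6, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample, no options)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                                0, 0, ttl, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def set_tos(header: bytes, tos: int) -> bytes:
    """Return a copy of the header with the ToS byte replaced and the checksum fixed."""
    decode_tos(tos)                       # range check
    ihl = (header[0] & 0x0F) * 4          # header length in bytes
    hdr = bytearray(header[:ihl])
    hdr[1] = tos
    hdr[10:12] = b"\x00\x00"              # zero the old checksum before summing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + header[ihl:]


def verify_checksum(header: bytes) -> bool:
    """A valid header sums (with its checksum) to 0xFFFF, so the complement is zero."""
    ihl = (header[0] & 0x0F) * 4
    return ipv4_checksum(header[:ihl]) == 0


if __name__ == "__main__":
    # Constructed addresses; 192.168.10.1 is the client address used on this page.
    original = build_ipv4_header("192.168.10.1", "10.0.0.1", payload_len=20)
    marked = set_tos(original, 8)
    print(decode_tos(marked[1]), verify_checksum(marked))
```

Any device that re-marks the ToS byte has to redo the header checksum; the set_tos function shows why a capture taken after the ACE should still pass verify_checksum while the ToS byte differs from the one the client sent.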

Examples

To specify the set ip tos command as a QoS action in the Layer 7 load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match MATCH_SLB1 source-address 192.168.10.1 255.255.0.0
host1/Admin(config-pmap-lb-generic-m)# set ip tos 8

Related Commands

This command has no related commands.

(config-pmap-lb-generic-m) sticky-serverfarm

To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from the policy map.

sticky-serverfarm name

no sticky-serverfarm name

Syntax Description

name

Name of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map load balancing generic match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

Examples

To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, enter:

host1/Admin(config)# policy-map type loadbalance generic first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-generic)# match MATCH_SLB1 source-address 192.168.11.2 255.255.255.0
host1/Admin(config-pmap-lb-generic-m)# sticky-serverfarm STICKY_GROUP1

Related Commands

This command has no related commands.

Policy Map Load Balancing HTTP Configuration Mode Commands

Policy map load balancing HTTP configuration mode commands allow you to specify an HTTP Layer 7 policy map for server load-balancing decisions. The ACE executes the specified action only against the first matching load-balancing classification.

To create an HTTP Layer 7 server load balancing (SLB) policy map and access policy map load balancing HTTP configuration mode, use the policy-map type loadbalance http first-match command. When you access the policy map load balancing HTTP configuration mode, the prompt changes to (config-pmap-lb). Use the no form of this command to remove an HTTP SLB policy map from the ACE.

policy-map type loadbalance [http] first-match map_name

no policy-map type loadbalance [http] first-match map_name

Syntax Description

http

(Optional) Specifies an HTTP Layer 7 load-balancing policy map. HTTP is the default type of load-balancing policy map. If you enter policy-map type loadbalance first-match map_name, the ACE creates an HTTP load-balancing policy map.

map_name

Name assigned to the HTTP SLB policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You associate the Layer 7 load balancing policy map with a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface.

To associate the Layer 7 load-balancing policy map, you nest it by using the Layer 3 and Layer 4 (config-pmap-c) loadbalance policy command.

Examples

To create an HTTP SLB policy map, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# 

Related Commands

show running-config
(config) policy-map

(config-pmap-lb) class

To associate a Layer 7 server load balancing (SLB) class map with a Layer 7 SLB policy map, use the class command. The prompt changes from (config-pmap-lb) to (config-pmap-lb-c). For information about commands in this mode, see the "Policy Map Load Balancing HTTP Class Configuration Mode Commands" section. Use the no form of this command to remove an associated class map from a policy map.

class {name1 [insert-before name2] | class-default}

no class {name1 [insert-before name2] | class-default}

Syntax Description

name1

Name of a previously defined Layer 7 SLB class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

insert-before name2

(Optional) Places the current named class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration.

class-default

Reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it that enables it to match all traffic.


Command Modes

Policy map load balancing HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To associate a Layer 7 SLB class map with a Layer 7 SLB policy map, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7LOADBALNCE_CLASS

Related Commands

(config-pmap-lb) description

(config-pmap-lb) description

To provide a brief description of the HTTP server load balancing (SLB) policy map, use the description command. Use the no form of this command to remove the description from the policy map.

description text

no description

Syntax Description

text

Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.


Command Modes

Policy map load balancing HTTP configuration mode

Admin role in any user context

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To add a description that the policy map is to perform server load balancing, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# description HTTP LOAD BALANCE PROTOCOL

Related Commands

(config-pmap-lb) class

(config-pmap-lb) match cipher

To make server load-balancing (SLB) decisions based on a specific SSL cipher or cipher strength used to initiate a connection, use the match cipher command. Use the no form of this command to remove an SSL cipher content match statement from the policy map.

match name cipher {equal-to cipher | less-than cipher_strength}

no match name cipher {equal-to cipher | less-than cipher_strength}

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

equal-to cipher

Specifies the SSL cipher. The possible values for cipher are as follows:

RSA_EXPORT1024_WITH_DES_CBC_SHA

RSA_EXPORT1024_WITH_RC4_56_MD5

RSA_EXPORT1024_WITH_RC4_56_SHA

RSA_EXPORT_WITH_DES40_CBC_SHA

RSA_EXPORT_WITH_RC4_40_MD5

RSA_WITH_3DES_EDE_CBC_SHA

RSA_WITH_AES_128_CBC_SHA

RSA_WITH_AES_256_CBC_SHA

RSA_WITH_DES_CBC_SHA

RSA_WITH_RC4_128_MD5

RSA_WITH_RC4_128_SHA

less-than cipher_strength

Specifies a noninclusive minimum SSL cipher bit strength. For example, if you specify a cipher strength value of 128, any SSL cipher weaker than 128 bits would hit the traffic policy. If the SSL cipher was 128-bit or greater, the connection would miss the policy.

The possible values for cipher_strength are as follows:

128

168

256

56


Command Modes

Policy map load balancing HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A4(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

To specify actions for multiple match statements, use a class map as described in the "Class Map HTTP Load Balancing Configuration Mode Commands" section.

When you use the match cipher command, you access the policy map load balancing match configuration mode and the prompt changes to (config-pmap-lb-generic-m). For information about commands in this mode, see the "Policy Map Load Balancing Generic Match Configuration Mode Commands" section.
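The less-than boundary is the part of this command that is easy to get backwards, so here is an added example (not Cisco code) that evaluates equal-to and less-than conditions against the negotiated cipher in first-match order. The bit strengths are read off the cipher names in the Syntax Description (RC4_40 and DES40 are 40-bit, DES and RC4_56 are 56-bit, 3DES_EDE is 168-bit, and so on); that table, the policy entries and the actions are constructed for illustration and do not come from the ACE.

```python
"""First-match evaluation of "match cipher" conditions.

Added example for the Cisco ACE match cipher command; not Cisco code.
Assumption: cipher strength equals the symmetric key size in the cipher name.
"""

# Symmetric key strength in bits for each cipher value the page lists.
CIPHER_STRENGTH = {
    "RSA_EXPORT1024_WITH_DES_CBC_SHA": 56,
    "RSA_EXPORT1024_WITH_RC4_56_MD5": 56,
    "RSA_EXPORT1024_WITH_RC4_56_SHA": 56,
    "RSA_EXPORT_WITH_DES40_CBC_SHA": 40,
    "RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "RSA_WITH_3DES_EDE_CBC_SHA": 168,
    "RSA_WITH_AES_128_CBC_SHA": 128,
    "RSA_WITH_AES_256_CBC_SHA": 256,
    "RSA_WITH_DES_CBC_SHA": 56,
    "RSA_WITH_RC4_128_MD5": 128,
    "RSA_WITH_RC4_128_SHA": 128,
}

LESS_THAN_VALUES = (56, 128, 168, 256)   # the cipher_strength values the page allows


def cipher_hits(cipher: str, operator: str, operand) -> bool:
    """Return True when the negotiated cipher satisfies one match cipher condition."""
    if cipher not in CIPHER_STRENGTH:
        raise ValueError(f"unknown cipher {cipher!r}")
    if operator == "equal-to":
        return cipher == operand
    if operator == "less-than":
        if int(operand) not in LESS_THAN_VALUES:
            raise ValueError(f"unsupported cipher_strength {operand!r}")
        # Noninclusive: a 128-bit cipher does not hit "less-than 128".
        return CIPHER_STRENGTH[cipher] < int(operand)
    raise ValueError(f"unknown operator {operator!r}")


def first_match(policy: list, cipher: str, default_action: str) -> tuple:
    """Walk the inline match conditions in order and return the first hit."""
    for name, operator, operand, action in policy:
        if cipher_hits(cipher, operator, operand):
            return name, action
    return "class-default", default_action


# Constructed policy: discard export-grade connections, steer RC4 clients to a
# legacy farm, and let everything else fall through to class-default.
POLICY = [
    ("weak_ciphers", "less-than", 128, "drop"),
    ("rc4_clients", "equal-to", "RSA_WITH_RC4_128_SHA", "serverfarm FARM_LEGACY"),
]


def classify_all(ciphers=tuple(CIPHER_STRENGTH)) -> dict:
    """Map every known cipher to the (match name, action) the policy selects."""
    return {c: first_match(POLICY, c, "serverfarm FARM_MAIN") for c in ciphers}


if __name__ == "__main__":
    for cipher, decision in classify_all().items():
        print(f"{cipher:32} -> {decision}")
```

Ordering matters: because less-than 128 is listed first, a 56-bit RC4 client never reaches the equal-to entry, and the 128-bit RC4 cipher only reaches it because 128 is not less than 128.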

Examples

To specify that the Layer 7 SLB policy map load balances on a specific SSL cipher, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 cipher equal-to RSA_WITH_RC4_128_SHA
host1/Admin(config-pmap-lb-m)# 

Related Commands

This command has no related commands.

(config-pmap-lb) match http content

To make server load-balancing (SLB) decisions based on the HTTP packet content, use the match http content command. Use the no form of this command to remove an HTTP content match statement from the policy map.

match name http content expression [offset bytes] [insert-before map_name]

no match name http content expression

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

expression

Regular expression content to match. Enter a string from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching data strings. For a list of the supported characters that you can use in regular expressions, see Table 2-21.

offset bytes

(Optional) Specifies the byte at which the ACE begins parsing the packet data. Enter an integer from 1 to 255. The default is 0.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map or other match statement specified by the map_name argument. The ACE does not save the sequence reordering as part of the configuration.


Command Modes

Policy map load balancing HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

To specify actions for multiple match statements, use a class map as described in the "Class Map HTTP Load Balancing Configuration Mode Commands" section.

When matching data strings, the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).

The ACE can perform regular expression matching against the received packet data from a particular connection based on a regular expression string in HTTP packet data (not the header).

When you use the match http content command, you access the policy map load balancing match configuration mode and the prompt changes to (config-pmap-lb-generic-m). For information about commands in this mode, see the "Policy Map Load Balancing Generic Match Configuration Mode Commands" section.

Examples

To specify that the Layer 7 SLB policy map load balances on a specific URL, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 http content abc*123 offset 50
host1/Admin(config-pmap-lb-m)# 

Related Commands

(config-cmap-http-lb) match http content

(config-pmap-lb) match http cookie

To make server load balancing (SLB) decisions based on the name and string of a cookie, use the match http cookie command. Use the no form of this command to remove an HTTP cookie match statement from the policy map.

match name1 http cookie {name2 | secondary name3} cookie-value expression [insert-before map_name]

no match name1 http cookie {name2 | secondary name3} cookie-value expression

Syntax Description

name1

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

name2

Unique cookie name. Enter an unquoted text string with no spaces and a maximum of 63 alphanumeric characters.

secondary name3

Specifies a cookie in a URL string. You can specify the delimiters for cookies in a URL string using a command in an HTTP parameter map.

cookie-value expression

Specifies a unique cookie value expression. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. For a list of supported characters that you can use for matching string expressions, see Table 2-21.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map load balancing HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match http cookie command, you access the policy map load balancing HTTP match configuration mode and the prompt changes from (config-pmap-lb) to (config-pmap-lb-m). For information about commands in this mode, see the "Policy Map Load Balancing HTTP Match Configuration Mode Commands" section.

The ACE performs regular expression matching against the received packet data from a particular connection based on the cookie expression. You can configure a maximum of five cookie names per VIP.

The ACE supports regular expressions for matching string expressions. For a list of supported characters that you can use for matching string expressions, see Table 2-21.

For details on defining a list of ASCII-character delimiter strings that you can use to separate the cookies in a URL string, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

Examples

To specify that the Layer 7 SLB policy map load balances on a cookie with the name of testcookie1, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH2 http cookie testcookie1 cookie-value 123456
host1/Admin(config-pmap-lb-m)# 

Related Commands

(config-parammap-http) set content-maxparse-length
(config-parammap-http) set secondary-cookie-delimiters

(config-pmap-lb) match http header

To make server load balancing (SLB) decisions based on the name and value of an HTTP header, use the match http header command. The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP header expression. Use the no form of this command to clear an HTTP header match criteria from the policy map.

match name http header {header_name | header_field} header-value expression [insert-before map_name]

no match name http header {header_name | header_field} header-value expression

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

header_name

Name of the HTTP header to match (for example, www.example1.com). The range is from 1 to 64 alphanumeric characters.

Note The header_name argument cannot include the colon in the name of the HTTP header; the ACE rejects the colon as an invalid token.

header_field

A standard HTTP/1.1 header field. Valid selections include request-header fields, general-header fields, and the entity-header field. The supported selections are the following:

Accept—Semicolon-separated list of representation schemes (content type metainformation values) that will be accepted in the response to the request.


Accept-Charset—Character sets that are acceptable for the response. This field allows clients capable of understanding more comprehensive or special-purpose character sets to signal that capability to a server that can represent documents in those character sets.

Accept-Encoding—Restricts the content encoding that a user will accept from the server.

Accept-Language—ISO code for the language in which the document is written. The language code is an ISO 3316 language code with an optional ISO639 country code to specify a national variant.

Authorization—Specifies that the user agent wants to authenticate itself with a server, usually after receiving a 401 response.

Cache-Control—Directives that must be obeyed by all caching mechanisms along the request/response chain. The directives specify behavior intended to prevent caches from adversely interfering with the request or response.

Connection—Allows the sender to specify connection options.

Content-MD5—MD5 digest of the entity body that provides an end-to-end integrity check. Only a client or an origin server can generate this header field.

Expect—Used by a client to inform the server about the behaviors that the client requires.

From—Contains the e-mail address of the person that controls the requesting user agent.

Host—Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource. The Host field value must represent the naming authority of the origin server or gateway given by the original URL.

If-Match—Used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that one of those entities is current by including a list of their associated entity tags in the If-Match header field. This feature allows efficient updates of cached information with a minimum amount of transaction overhead. It is also used on updating requests to prevent inadvertent modification of the wrong version of a resource. As a special case, the value "*" matches any current entity of the resource.

Pragma—Pragma directives that are understood by servers to whom the directives are relevant. The syntax is the same as for other multiple-value fields in HTTP. For example, the Accept field is a comma-separated list of entries for which the optional parameters are separated by semicolons.


Referer—Address (URI) of the resource from which the URI in the request was obtained.

Transfer-Encoding—Indicates what (if any) type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient.

User-Agent—Information about the user agent (for example, a software program that originates the request). This information is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents.

Via—Used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests and between the origin server and the client on responses.

header-value expression

Specifies the header value expression string to compare against the value in the specified field in the HTTP header. The range is from 1 to 255 alphanumeric characters. For a list of supported characters that you can use in regular expressions, see Table 2-21.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map load balancing HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match http header command, you access the policy map load balancing HTTP match configuration mode and the prompt changes from (config-pmap-lb) to (config-pmap-lb-m). For information about commands in this mode, see the "Policy Map Load Balancing HTTP Match Configuration Mode Commands" section.

The ACE supports regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. For a list of supported characters that you can use in regular expressions, see Table 2-21.

Examples

To specify that the Layer 7 SLB policy map load balances on an HTTP header named Host, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 http header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-m)# 

Related Commands

(config-parammap-http) set header-maxparse-length

(config-pmap-lb) match http url

To make server load balancing (SLB) decisions based on the URL name and, optionally, the HTTP method, use the match http url command. The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string. Use the no form of this command to remove a URL match statement from the policy map.

match name http url expression [method name] [insert-before map_name]

no match name http url expression [method name]

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

expression

URL, or portion of a URL, to match. Enter a URL string from 1 to 255 alphanumeric characters. Include only the portion of the URL that follows www.hostname.domain in the match statement. For a list of supported characters that you can use in regular expressions, see Table 2-21.

method name

(Optional) Specifies the HTTP method to match. Enter a method name as an unquoted text string with no spaces and a maximum of 15 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, PROTOPLASM).

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map load balancing HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match http url command, you access the policy map load balancing HTTP match configuration mode and the prompt changes from (config-pmap-lb) to (config-pmap-lb-m). For information about commands in this mode, see the "Policy Map Load Balancing HTTP Match Configuration Mode Commands" section.

Include only the portion of the URL that follows www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. For a list of supported characters that you can use in regular expressions, see Table 2-21.

When matching data strings, the period (.) and question mark (?) characters are regular-expression metacharacters, not literals: a period matches any single character. Use brackets ([]) to match these symbols literally (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a period (.) or a question mark (?). An unescaped period widens the match, so a URL expression that selects a drop, forward, or serverfarm action can apply to paths you did not intend; escape every period that is meant literally.

Examples

To specify that the Layer 7 SLB policy map load balances on a specific URL, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 http url whatsnew/latest.*
host1/Admin(config-pmap-lb-m)# 

To use a regular expression to emulate a wildcard search that matches any .gif file, escape the period before the extension so that it matches only a literal period (the unescaped form .*.gif would also match a path such as /images/bigif, because the period matches any character), and enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 http url .*\.gif
host1/Admin(config-pmap-lb-m)# 

Related Commands

(config-parammap-http) set content-maxparse-length

(config-pmap-lb) match source-address

To specify a client source host IP address and subnet mask as the network traffic matching criteria, use the match source-address command. The associated policy map then applies a load-balancing action to traffic from the specified source network or host. Use the no form of this command to clear the source IP address and subnet mask match criteria from the policy map.

match name source-address ip_address mask [insert-before map_name]

no match name source-address ip_address mask

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

ip_address

Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

mask

Subnet mask of the client entry in dotted-decimal notation (for example, 255.255.255.0).

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map load balancing HTTP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

When you use the match source-address command, you access the policy map load balancing HTTP match configuration mode and the prompt changes from (config-pmap-lb) to (config-pmap-lb-m). For information about commands in this mode, see the "Policy Map Load Balancing HTTP Match Configuration Mode Commands" section.

Examples

To specify that the Layer 7 SLB policy map matches on source IP address 192.168.10.1 with mask 255.255.0.0 (which matches any client in 192.168.0.0/16, because the mask ignores the host bits of the address), enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 source-address 192.168.10.1 255.255.0.0
host1/Admin(config-pmap-lb-m)# 

Related Commands

(config-cmap-http-lb) match source-address

Policy Map Load Balancing HTTP Class Configuration Mode Commands

Policy map load balancing HTTP class configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 7 server load balancing (SLB) class map. To access policy map load balancing HTTP class configuration mode, use the class command in policy map load balancing HTTP configuration mode (see the (config-pmap-lb) class command for details). The prompt changes to (config-pmap-lb-c).

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-lb-c) action

To associate an action list with an HTTP load-balancing policy map, use the action command. Use the no form of this command to remove the action list association.

action name

no action

Syntax Description

name

Identifier of an existing action list. Enter an unquoted text string with a maximum of 64 alphanumeric characters.


Command Modes

Policy map load balancing HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

You use action lists to group several ACE actions (for example, HTTP header insert, rewrite, or delete) together in a named list under a Layer 7 policy map. For information about action list commands, see the "Action List Modify Configuration Mode Commands" section.

Examples

To associate an action list for HTTP header rewrite, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class HTTP_CLASS
host1/Admin(config-pmap-lb-c)# action HTTP_MODIFY_ACTLIST

To disassociate the action list from the policy map, enter:

host1/Admin(config-pmap-lb-c)# no action

Related Commands

This command has no related commands.

(config-pmap-lb-c) compress

To instruct the ACE to compress and encode packets that match a Layer 7 SLB policy map, use the compress command. Use the no form of this command to disable HTTP compression.

compress default-method {deflate | gzip}

no compress default-method {deflate | gzip}

Syntax Description

deflate

Specifies the deflate compression method as the method to use when the client browser supports both deflate and gzip compression methods.

gzip

Specifies the gzip compression method as the method to use when the client browser supports both deflate and gzip compression methods.


Command Modes

Policy map load balancing HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A4(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

The compress command option displays only when you associate an HTTP-type class map with a policy map.

When a client request specifies deflate or gzip encoding in the Accept-Encoding field, the ACE uses that method to compress and encode the response content to the client. If both encoding formats are specified in the Accept-Encoding field, the ACE encodes the response according to the compress default-method command in the Layer 7 SLB policy map.

Compression of responses that the ACE also delivers over SSL deserves care. A response that reflects attacker-controlled request data (for example, a search term) alongside a per-user secret (for example, a CSRF token) leaks that secret through the compressed length; this is the BREACH class of side channel. Apply compress only to classes that select static or otherwise secret-free content, and leave dynamic application responses uncompressed.

HTTP compression is intended primarily for text-based content types. For example, the following are text-based content types:

text/html

text/plain

text/xml

text/css

application/x-javascript

(ACE module only) By default, the ACE supports HTTP compression at a rate of 1 Gbps. Installing an optional license bundle allows you to increase this value to a maximum of 6 Gbps. See the Administration Guide, Cisco ACE Application Control Engine for information on ACE licensing options.

(ACE appliance only) By default, the ACE supports HTTP compression at a rate of 100 megabits per second (Mbps). Installing an optional HTTP compression license allows you to increase this value to a maximum of 2 Gbps. See the Administration Guide, Cisco ACE Application Control Engine for information on ACE licensing options.

When you enable HTTP compression, the ACE compresses the packets using the following default compression parameter values:

Multipurpose Internet Mail Extension (MIME) type—All text formats (text/.*)

Minimum content length size—512 bytes

User agent exclusion—No user agent is excluded

You can create an HTTP parameter map to modify the compression parameters that the ACE uses (see the "Parameter Map HTTP Configuration Mode Commands" section).

Examples

To enable compression and specify gzip as the HTTP compression method when both formats are included in the Accept-Encoding field of the client request, enter:

host1/Admin(config-pmap-lb-c)# compress default-method gzip

Related Commands

(config-parammap-http) compress

(config-pmap-lb-c) drop

To instruct the ACE to discard packets that match the load-balancing criteria in the class map, use the drop command. Use the no form of this command to reset the ACE to its default of accepting packets from the policy map.

drop

no drop

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

A first-match policy map applies the action of the first class or inline match that a request satisfies, so a drop takes effect only if its class or inline match precedes every class that would load balance the same request. Verify the order with the show running-config policy-map command, and use the insert-before option of the inline match commands to place a drop ahead of an existing class.

Examples

To instruct the ACE to discard packets that match the load-balancing criteria in the class map, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# drop
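The following configuration is an added example, not one from this reference. It ties the regular-expression escaping rule from the match http url command to the first-match evaluation order that decides whether a drop takes effect, and finishes by attaching the Layer 7 policy to a VIP with the (config-pmap-c) loadbalance commands documented elsewhere on this page. Server, farm, class and policy names and all addresses are constructed; lines beginning with ! are annotations, not ACE commands, and must be stripped before pasting.

```cisco
! Real server and server farms (constructed)
rserver host WEB1
  ip address 10.1.200.11
  inservice
serverfarm host WEB_FARM
  rserver WEB1
    inservice
serverfarm host WEB_FARM_BACKUP
  rserver WEB1
    inservice

! Class map selecting application content
class-map type http loadbalance match-any APP_CONTENT
  match http url /app/.*

! Layer 7 policy map: entries are evaluated top to bottom and the first
! one that matches decides the action
policy-map type loadbalance http first-match L7SLBPOLICY
  ! Discard requests for any path ending in a literal ".bak". The period
  ! is escaped; the unescaped form .*.bak would also match a path such as
  ! /export/tabak, because "." matches any single character.
  match BLOCK_BAK http url .*\.bak
    drop
  ! Discard requests whose path contains a dot-prefixed component such as
  ! /.git/config. Both drops sit above every serverfarm action.
  match BLOCK_DOTFILES http url .*/\..*
    drop
  class APP_CONTENT
    serverfarm WEB_FARM backup WEB_FARM_BACKUP
  class class-default
    serverfarm WEB_FARM

! Attach the Layer 7 policy to a VIP through a Layer 4 multi-match policy
class-map match-all VIP_HTTP
  match virtual-address 10.1.100.10 tcp eq www
policy-map multi-match L4_POLICY
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy L7SLBPOLICY
interface vlan 100
  ip address 10.1.100.1 255.255.255.0
  service-policy input L4_POLICY
  no shutdown
```

If the classes were configured first, an inline match added afterwards lands below them; entering match BLOCK_BAK http url .*\.bak insert-before APP_CONTENT moves it ahead of APP_CONTENT so that a request for /app/secret.bak is dropped rather than load balanced. Confirm the resulting order with show running-config policy-map before putting the VIP in service.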

Related Commands

This command has no related commands.

(config-pmap-lb-c) forward

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, use the forward command. Use the no form of this command to reset the ACE to its default of load balancing packets from the policy map.

forward

no forward

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# forward

Related Commands

This command has no related commands.

(config-pmap-lb-c) insert-http

To specify the name and value of a generic header field that you want the ACE to insert in the HTTP header, use the insert-http command. Use the no form of this command to delete the HTTP header name and value from the policy map.

insert-http name header-value expression

no insert-http name header-value expression

Syntax Description

name

Name of the generic header field that you want the ACE to insert in the HTTP header. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters.

header-value expression

Specifies the header-value expression string to insert in the specified field in the HTTP header. Enter a text string with a maximum of 255 alphanumeric characters. See the Server Load-Balancing Guide, Cisco ACE Application Control Engine for details.


Command Modes

Policy map load balancing HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

To identify a client whose source IP address has been mapped to another IP address using NAT, you can instruct the ACE to insert a generic header and string value in the client HTTP request. (For information about NAT, see the Security Guide, Cisco ACE Application Control Engine.)

For the name argument, you can specify any custom header name that you want, subject to the maximum character length. You can also enter any of the predefined header names described for the (config-pmap-lb) match http header command, regardless of whether that header name already exists in the client request header. The ACE does not overwrite any existing header information in the client request. A client can therefore send a header of the same name with a forged value, and the ACE preserves it; servers must not trust a header of this name merely because the connection arrived through the ACE. Remove client-supplied copies with a header delete in an action list (see the "Action List Modify Configuration Mode Commands" section), and configure the servers to accept the value only from the ACE.

You can enter a maximum of 255 bytes of data for the header expression. If you enter more than 255 bytes, the ACE does not insert the header name and expression in the client request.

You can also insert connection information by using the following special parameter values in the header-value expression:

%is—Inserts the source IP address in the HTTP header.

%id—Inserts the destination IP address in the HTTP header.

%ps—Inserts the source port in the HTTP header.

%pd—Inserts the destination port in the HTTP header.

For IPv6 to IPv4 and IPv4 to IPv6 load balancing, use the X-FORWARDED-FOR header. For details, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

For Microsoft Outlook Web Access (OWA), specify the field name as HTTP_FRONT_END_HTTPS with a value of ON.

If either TCP server reuse or persistence rebalance is enabled, the ACE inserts a header in every client request.

Examples

To specify the insert-http command as an action in the Layer 7 load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# insert-http Host header-value www.cisco.com

Related Commands

(config-parammap-http) server-conn reuse
(config-parammap-http) persistence-rebalance

(config-pmap-lb-c) nat dynamic

To configure server farm-based dynamic NAT as an action in a Layer 7 load-balancing policy map, use the nat dynamic command. Use the no form of this command to remove the dynamic NAT action from the policy map.

The syntax of this command is as follows:

nat dynamic pool_id vlan number serverfarm {primary | backup}

no nat dynamic pool_id vlan number serverfarm {primary | backup}

Syntax Description

pool_id

Identifier of the NAT pool of global IP addresses. Enter an integer from 1 to 2147483647.

vlan number

Specifies the server interface for the global IP address. This interface must be different from the interface that the ACE uses to filter and receive traffic that requires NAT, unless the network design operates in one-arm mode. In that case, the VLAN number is the same.

serverfarm {primary | backup}

Specifies that the dynamic NAT applies to either the primary server farm or the backup server farm.


Command Modes

Policy map load balancing HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

Typically, you use dynamic NAT for SNAT. Dynamic NAT allows you to identify local traffic for address translation by specifying the source and destination addresses in an extended ACL, which is referenced as part of the class map traffic classification. The ACE applies dynamic NAT from the interface to which the traffic policy is attached (through the service-policy interface configuration command) to the interface specified in the nat dynamic command.

Examples

To specify the nat dynamic command as an action in the Layer 7 load-balancing policy map, using NAT pool 1 on VLAN 200 for traffic sent to the primary server farm, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# nat dynamic 1 vlan 200 serverfarm primary
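The following configuration is an added example that is not from this reference. It combines server farm-based dynamic NAT with the insert-http command described earlier on this page, so that real servers, which after source NAT see only the pool address as their TCP peer, still learn the original client address. Interface, pool, farm and class names and all addresses are constructed. The action list that strips a client-supplied header of the same name is an assumption: its syntax is documented in the action list section of this book rather than on this page, and the order in which the ACE applies the delete and the insert within one class should be confirmed with a packet capture. Lines beginning with ! are annotations, not commands.

```cisco
! Server-side VLAN with the NAT pool that supplies the translated source
! address; pat lets one address carry many client connections
interface vlan 200
  ip address 10.1.200.1 255.255.255.0
  nat-pool 1 10.1.200.250 10.1.200.250 netmask 255.255.255.255 pat
  no shutdown

rserver host WEB1
  ip address 10.1.200.11
  inservice
serverfarm host WEB_FARM
  rserver WEB1
    inservice

! Assumption (see lead-in): remove any X-Forwarded-For header the client
! sent, so a forged value cannot accompany the one the ACE inserts
action-list type modify http STRIP_CLIENT_XFF
  header delete request X-Forwarded-For

class-map type http loadbalance match-any ALL_HTTP
  match http url .*

policy-map type loadbalance http first-match L7SLBPOLICY
  class ALL_HTTP
    serverfarm WEB_FARM
    ! Source NAT toward the primary farm using pool 1 on VLAN 200: every
    ! connection now reaches the servers from 10.1.200.250
    nat dynamic 1 vlan 200 serverfarm primary
    ! Restore client visibility at Layer 7: %is expands to the source IP
    ! address of the request before translation. Servers should accept
    ! this header only from the pool address 10.1.200.250, because any
    ! client can send a header with the same name.
    insert-http X-Forwarded-For header-value "%is"
    action STRIP_CLIENT_XFF
```

The server-side check is the part that matters for security: an application that reads X-Forwarded-For should use it only when the TCP peer is 10.1.200.250, and should log the peer address alongside it so that a forged header can be distinguished from one the ACE inserted.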

Related Commands

show parameter-map
(config-if) nat-pool

(config-pmap-lb-c) serverfarm

To load balance a client request for content to a server farm, use the serverfarm command. Server farms are groups of networked real servers that contain the same content and reside in the same physical location. Use the no form of this command to remove the server-farm action from the Layer 7 load-balancing policy map.

serverfarm name1 [backup name2 [aggregate-state]]

no serverfarm name1 [backup name2 [aggregate-state]]

Syntax Description

name1

Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

backup name2

(Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm goes down, the ACE sends all connections to the configured backup server farm. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

aggregate-state

(Optional) This option has been deprecated and no longer has an effect on the state of the VIP. By default, the ACE takes into account the state of all real servers in the backup server farm before taking the VIP out of service. If all real servers in the primary server farm fail, but there is at least one real server in the backup server farm that is operational, the ACE keeps the VIP in service.


Command Modes

Policy map load balancing HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.

3.0(0)A1(5)

The aggregate-state option was deprecated.


ACE Appliance Release
Modification

A1(7)

This command was introduced.

A3(1.0)

The aggregate-state option was deprecated.


Usage Guidelines

If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset (RST) to a client in response to a content request.

By default, the ACE takes into account the state of all the real servers in the backup server farm before taking the VIP out of service. If all the real servers in the primary server farm fail, but there is at least one real server in the backup server farm that is operational, the ACE keeps the VIP in service.

If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.

Examples

To specify the serverfarm command as an action in the load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# serverfarm FARM2 backup FARM3

Related Commands

This command has no related commands.

(config-pmap-lb-c) set ip tos

To set the Type of Service (ToS) byte, which carries the IP differentiated services code point (DSCP), on packets that match a server load balancing (SLB) policy map, use the set ip tos command. This command marks a packet by writing the ToS byte in the IP header. Once the byte is marked, other Quality of Service (QoS) services in the network can act on it. Use the no form of this command to reset the value to the default of 0.

set ip tos value

no set ip tos value

Syntax Description

value

IP DSCP value. Enter an integer from 0 to 255. The default is 0.


Command Modes

Policy map load balancing HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.

Examples

The following example specifies the set ip tos command as a QoS action in the Layer 7 load-balancing policy map. All packets that satisfy the match criteria of L7SLBCLASS are marked with the IP DSCP value of 8. How packets marked with the IP DSCP value of 8 are treated is determined by the network configuration.

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# set ip tos 8

Related Commands

This command has no related commands.

(config-pmap-lb-c) ssl-proxy client

To specify a Secure Sockets Layer (SSL) proxy service in a Layer 7 load-balancing policy map, use the ssl-proxy client command. The ACE uses an SSL proxy service in a Layer 7 policy map to load balance outbound SSL initiation requests to SSL servers. In this case, the ACE acts as an SSL client that sends an encrypted request to an SSL server. Use the no form of this command to remove the SSL proxy service from the policy map.

ssl-proxy client name

no ssl-proxy client name

Syntax Description

name

Name of an existing SSL proxy service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map load balancing HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

For more information about configuring SSL, see the SSL Guide, Cisco ACE Application Control Engine.

Examples

To associate an SSL proxy service with a Layer 7 load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# ssl-proxy client SSL_SERVER_PROXY_SERVICE

Related Commands

This command has no related commands.

(config-pmap-lb-c) sticky-serverfarm

To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from the policy map.

sticky-serverfarm name

no sticky-serverfarm name

Syntax Description

name

Name of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map load balancing HTTP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

Examples

To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# sticky-serverfarm STICKY_GROUP1

Related Commands

This command has no related commands.

Policy Map Load Balancing HTTP Match Configuration Mode Commands

Policy map load balancing HTTP match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map load balancing HTTP match configuration mode, use one of the match commands in policy map load balancing HTTP configuration mode (see the "Policy Map Load Balancing HTTP Configuration Mode Commands" section for details). The prompt changes to (config-pmap-lb-m).

The inline Layer 7 policy map match commands allow you to include a single inline match criteria in the policy map without specifying a traffic class. The inline match commands function the same way as the Layer 7 server load balancing (SLB) class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the HTTP SLB policy map.

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-lb-m) action

To associate an action list with an HTTP load-balancing policy map, use the action command. Use the no form of this command to remove the action list association.

action name

no action

Syntax Description

name

Identifier of an existing action list. Enter an unquoted text string with a maximum of 64 alphanumeric characters.


Command Modes

Policy map load balancing HTTP match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

You use action lists to group several ACE actions (for example, HTTP header insert, rewrite, or delete) together in a named list under a Layer 7 policy map. For information about action list commands, see the "Action List Modify Configuration Mode Commands" section.

Examples

To associate an action list for HTTP header rewrite, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 source-address 192.168.10.1 255.255.0.0
host1/Admin(config-pmap-lb-m)# action HTTP_MODIFY_ACTLIST

To disassociate the action list from the policy map, enter:

host1/Admin(config-pmap-lb-m)# no action

Related Commands

This command has no related commands.

(config-pmap-lb-m) compress

To instruct the ACE to compress and encode packets that match a Layer 7 SLB policy map, use the compress command. Use the no form of this command to disable HTTP compression.

compress default-method {deflate | gzip}

no compress default-method {deflate | gzip}

Syntax Description

deflate

Specifies the deflate compression method as the method to use when the client browser supports both deflate and gzip compression methods.

gzip

Specifies the gzip compression method as the method to use when the client browser supports both deflate and gzip compression methods.


Command Modes

Policy map load balancing HTTP match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A4(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

The compress command option displays only when you associate an HTTP-type class map with a policy map.

When a client request specifies deflate or gzip encoding in the Accept-Encoding field, the ACE uses that method to compress and encode the response content to the client. If both encoding formats are specified in the Accept-Encoding field, the ACE encodes the response according to the compress default-method command in the Layer 7 SLB policy map. Compressing responses that the ACE also delivers over SSL exposes per-user secrets in pages that reflect request data to length-based side channels (BREACH), so scope compression to inline matches that select static or secret-free content.

HTTP compression is intended primarily for text-based content types. For example, the following are text-based content types:

text/html

text/plain

text/xml

text/css

application/x-javascript

(ACE module only) By default, the ACE supports HTTP compression at a rate of 1 Gbps. Installing an optional license bundle allows you to increase this value to a maximum of 6 Gbps.

(ACE appliance only) By default, the ACE supports HTTP compression at a rate of 100 megabits per second (Mbps). Installing an optional HTTP compression license allows you to increase this value to a maximum of 2 Gbps. See the Administration Guide, Cisco ACE Application Control Engine for information on ACE licensing options.

When you enable HTTP compression, the ACE compresses the packets using the following default compression parameter values:

Multipurpose Internet Mail Extension (MIME) type—All text formats (text/.*)

Minimum content length size—512 bytes

User agent exclusion—No user agent is excluded

You can create an HTTP parameter map to modify the compression parameters that the ACE uses (see the "Parameter Map HTTP Configuration Mode Commands" section).

Examples

To enable compression under an inline match and specify gzip as the HTTP compression method when both formats are included in the Accept-Encoding field of the client request, enter:

host1/Admin(config-pmap-lb-m)# compress default-method gzip
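The following configuration is an added example, not one from this reference, and serves both the (config-pmap-lb-c) compress and (config-pmap-lb-m) compress entries. It scopes compression to a class that carries only static assets and leaves the catch-all class deliberately uncompressed; the weak form is a single compress default-method gzip under the catch-all class, which compresses every text/.* response including dynamic pages. Class, farm and server names are constructed; lines beginning with ! are annotations, not ACE commands.

```cisco
! Static assets, selected by escaped extension matches (match-any: either
! URL expression qualifies)
class-map type http loadbalance match-any STATIC_ASSETS
  match http url .*\.css
  match http url .*\.js

rserver host WEB1
  ip address 10.1.200.11
  inservice
rserver host APP1
  ip address 10.1.200.21
  inservice
serverfarm host WEB_FARM
  rserver WEB1
    inservice
serverfarm host APP_FARM
  rserver APP1
    inservice

policy-map type loadbalance http first-match L7SLBPOLICY
  class STATIC_ASSETS
    serverfarm WEB_FARM
    ! Compress only here; gzip is used when the client offers both methods
    compress default-method gzip
  class class-default
    serverfarm APP_FARM
    ! No compress: dynamic pages that echo request data next to per-user
    ! secrets would leak those secrets through response length when this
    ! VIP also terminates SSL (BREACH-style side channel)
```

Under an inline match the same two actions apply at the (config-pmap-lb-m) prompt, for example after match STATIC_CSS http url .*\.css. Because the default MIME-type filter listed above is text/.*, check the HTTP parameter map if responses served as application/x-javascript must also be compressed.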

Related Commands

(config-parammap-http) compress

(config-pmap-lb-m) drop

To instruct the ACE to discard packets that match the load-balancing criteria in an inline match command, use the drop command. Use the no form of this command to reset the ACE to its default of accepting packets from the policy map.

drop

no drop

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing HTTP match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

Because a first-match policy map applies the action of the first inline match or class that a request satisfies, an inline match that drops traffic must precede any class that would load balance the same request; use the insert-before option of the match command to place it ahead of an existing class, and verify the order with show running-config policy-map.

Examples

To instruct the ACE to discard packets that match the load-balancing criteria in the inline match command, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-m)# drop

Related Commands

This command has no related commands.

(config-pmap-lb-m) forward

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, use the forward command. Use the no form of this command to reset the ACE to its default of load balancing packets from the policy map.

forward

no forward

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing HTTP match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-m)# forward

Related Commands

This command has no related commands.

(config-pmap-lb-m) insert-http

To specify the name and value of a generic header field that you want the ACE to insert in the HTTP header, use the insert-http command. Use the no form of this command to delete the HTTP header name and value from the policy map.

insert-http name header-value expression

no insert-http name header-value expression

Syntax Description

name

Name of the generic header field that you want the ACE to insert in the HTTP header. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

header-value expression

Specifies the header-value expression string to insert in the specified field in the HTTP header. Enter a text string with a maximum of 255 alphanumeric characters. See the Server Load-Balancing Guide, Cisco ACE Application Control Engine for details.


Command Modes

Policy map load balancing HTTP match configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

3.0(0)A1(2)

This command was introduced.


ACE Appliance Release
Modification

A1(7)

This command was introduced.


Usage Guidelines

To identify a client whose source IP address has been mapped to another IP address using NAT, you can instruct the ACE to insert a generic header and string value in the client HTTP request. (For information about NAT, see the Security Guide, Cisco ACE Application Control Engine.)

For the name argument, you can specify any custom header name that you want, subject to the maximum character length. You can also enter any of the predefined header names described for the (config-pmap-lb) match http header command, regardless of whether that header name already exists in the client request header. The ACE does not overwrite any existing header information in the client request, so a client-supplied header of the same name survives alongside the inserted one; servers must accept the value only from the ACE, and you can strip client-supplied copies with a header delete in an action list.

You can enter a maximum of 255 bytes of data for the header expression. If you enter more than 255 bytes, the ACE does not insert the header name and expression in the client request.

You can also insert connection information by using the following special parameter values in the header-value expression:

%is—Inserts the source IP address in the HTTP header.

%id—Inserts the destination IP address in the HTTP header.

%ps—Inserts the source port in the HTTP header.

%pd—Inserts the destination port in the HTTP header.

For Microsoft Outlook Web Access (OWA), specify the field name as HTTP_FRONT_END_HTTPS with a value of ON.

If either TCP server reuse or persistence rebalance is enabled, the ACE inserts a header in every client request.

Examples

For example, to specify the insert-http command as an action in the Layer 7 load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Host header-value .*test.com
host1/Admin(config-pmap-lb-m)# insert-http Host header-value .*cisco.com

The header name and value will appear in the HTTP header as follows:

Host: www.cisco.com
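The insertion rules from the usage guidelines above (the 64-character name and 255-byte expression limits, the %is/%id/%ps/%pd parameter values, and the fact that an existing client header is never overwritten), modelled in Python as an added example that is not Cisco code. The request, addresses, ports and header names are constructed; where the ACE places the inserted header is not stated in the reference, so appending it is a modelling assumption.

```python
# Added example (not Cisco code): a small model of the insert-http action and
# the rules stated in the usage guidelines. The request, addresses, ports and
# header names below are constructed for illustration.

MAX_NAME_LEN = 64      # limit on the header field name (syntax description)
MAX_EXPR_LEN = 255     # limit on the header-value expression (usage guidelines)

# Special parameter values the ACE expands from the client connection.
SPECIAL_TOKENS = {
    "%is": "src_ip",     # source IP address
    "%id": "dst_ip",     # destination IP address
    "%ps": "src_port",   # source port
    "%pd": "dst_port",   # destination port
}


def valid_header_name(name):
    """Header name: unquoted, no spaces, at most 64 characters."""
    return bool(name) and " " not in name and len(name) <= MAX_NAME_LEN


def expand_value(expression, conn):
    """Replace %is, %id, %ps and %pd with the values of the connection 4-tuple."""
    value = expression
    for token, field in SPECIAL_TOKENS.items():
        value = value.replace(token, str(conn[field]))
    return value


def insert_http(request_lines, name, expression, conn):
    """Return a copy of the request head with the configured header inserted.

    request_lines: request line followed by header lines (body omitted).
    Modelled rules:
      * an expression longer than 255 bytes is rejected as a whole, so the
        request is returned unchanged (the ACE inserts nothing in that case);
      * an existing header with the same name is never overwritten; the new
        header is added beside it. Appending at the end is a modelling
        assumption, the reference does not state where the ACE places it.
    """
    if not valid_header_name(name):
        raise ValueError("invalid header name: %r" % (name,))
    if len(expression.encode("utf-8")) > MAX_EXPR_LEN:
        return list(request_lines)
    return list(request_lines) + ["%s: %s" % (name, expand_value(expression, conn))]


def header_values(request_lines, name):
    """All values carried by header `name`, case-insensitive, in order of appearance."""
    prefix = name.lower() + ":"
    return [line.split(":", 1)[1].strip()
            for line in request_lines[1:] if line.lower().startswith(prefix)]


# Constructed client request that already carries a client-supplied header with
# the same name the policy inserts, and the post-NAT connection tuple seen by the ACE.
CLIENT_REQUEST = [
    "GET /owa/ HTTP/1.1",
    "Host: mail.example.test",
    "X-Client-IP: 10.1.1.5",
]
CONN = {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.20",
        "src_port": 51234, "dst_port": 443}

if __name__ == "__main__":
    tagged = insert_http(CLIENT_REQUEST, "X-Client-IP", "%is:%ps", CONN)
    # Both values survive: a backend that reads only the first occurrence trusts
    # the client-supplied header rather than the one the load balancer inserted.
    print(header_values(tagged, "X-Client-IP"))
    print(insert_http(CLIENT_REQUEST, "HTTP_FRONT_END_HTTPS", "ON", CONN)[-1])
```

Because the ACE does not overwrite a header the client already sent, a backend that wants the load balancer's value must read all occurrences of the header and decide which one to trust, rather than taking the first.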

Related Commands

(config-parammap-http) server-conn reuse
(config-parammap-http) persistence-rebalance

(config-pmap-lb-m) serverfarm

To load balance a client request for content to a server farm, use the serverfarm command. Server farms are groups of networked real servers that contain the same content and reside in the same physical location. Use the no form of this command to remove the server-farm action from the Layer 7 load balancing policy map.

serverfarm name1 [backup name2 [aggregate-state]]

no serverfarm name1 [backup name2 [aggregate-state]]

Syntax Description

name1

Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

backup name2

(Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm goes down, the ACE sends all connections to the configured backup server farm. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

aggregate-state

This option has been deprecated and no longer has an effect on the state of the VIP. By default, the ACE takes into account the state of all real servers in the backup server farm before taking the VIP out of service. If all real servers in the primary server farm fail, but there is at least one real server in the backup server farm that is operational, the ACE keeps the VIP in service.


Command Modes

Policy map load balancing HTTP match configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
3.0(0)A1(5)             The aggregate-state option was deprecated.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.
A3(1.0)                 The aggregate-state option was deprecated.


Usage Guidelines

If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset (RST) to a client in response to a content request.

If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.

Examples

To specify the serverfarm command as an action in the load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 source-address 192.168.11.2 255.255.255.0
host1/Admin(config-pmap-lb-m)# serverfarm FARM2 backup FARM3

Related Commands

This command has no related commands.

(config-pmap-lb-m) set ip tos

To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB) policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the default of 0.

set ip tos value

no set ip tos value

Syntax Description

value

IP DSCP value. Enter an integer from 0 to 255. The default is 0.


Command Modes

Policy map load balancing HTTP match configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.

Examples

To specify the set ip tos command as a QoS action in the Layer 7 load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Via header-value 192.*
host1/Admin(config-pmap-lb-m)# set ip tos 8

Related Commands

This command has no related commands.

(config-pmap-lb-m) ssl-proxy client

To specify a Secure Sockets Layer (SSL) proxy service in a Layer 7 load-balancing policy map, use the ssl-proxy client command. The ACE uses an SSL proxy service in a Layer 7 policy map to load balance outbound SSL initiation requests to SSL servers. In this case, the ACE acts as an SSL client that sends an encrypted request to an SSL server. Use the no form of this command to remove the SSL proxy service from the policy map.

ssl-proxy client name

no ssl-proxy client name

Syntax Description

name

Name of an existing SSL proxy service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map load balancing HTTP match configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

For more information about configuring SSL, see the SSL Guide, Cisco ACE Application Control Engine.

Examples

To associate an SSL proxy service with a Layer 7 load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-m)# ssl-proxy client SSL_SERVER_PROXY_SERVICE

Related Commands

This command has no related commands.

(config-pmap-lb-m) sticky-serverfarm

To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from the policy map.

sticky-serverfarm name

no sticky-serverfarm name

Syntax Description

name

Name of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map load balancing HTTP match configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

Examples

To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, enter:

host1/Admin(config)# policy-map type loadbalance http first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 source-address 192.168.11.2 255.255.255.0
host1/Admin(config-pmap-lb-m)# sticky-serverfarm STICKY_GROUP1

Related Commands

This command has no related commands.

Policy Map Load Balancing RADIUS Configuration Mode Commands

Policy map load balancing RADIUS configuration mode commands allow you to specify a RADIUS Layer 7 policy map for server load-balancing decisions. The ACE executes the specified action only against the first matching load-balancing classification.

To create a RADIUS Layer 7 server load balancing (SLB) policy map and access policy map load balancing RADIUS configuration mode, use the policy-map type loadbalance radius first-match command. When you access the policy map load balancing RADIUS configuration mode, the prompt changes to (config-pmap-lb-radius). Use the no form of this command to remove a RADIUS Layer 7 SLB policy map from the ACE.

policy-map type loadbalance radius first-match map_name

no policy-map type loadbalance radius first-match map_name

Syntax Description

map_name

Name assigned to the RADIUS SLB policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You associate the Layer 7 load balancing policy map with a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface.

To associate the Layer 7 load-balancing policy map, you nest it by using the Layer 3 and Layer 4 (config-pmap-c) loadbalance policy command.

Examples

To create a RADIUS SLB policy map, enter:

host1/Admin(config)# policy-map type loadbalance radius first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-radius)# 

Related Commands

show running-config
(config) policy-map

(config-pmap-lb-radius) class

To associate a Layer 7 server load balancing (SLB) class map with a Layer 7 SLB policy map, use the class command. The prompt changes from (config-pmap-lb-radius) to (config-pmap-lb-radius-c). For information about commands in this mode, see the "Policy Map Load Balancing RADIUS Class Configuration Mode Commands" section. Use the no form of this command to remove an associated class map from a policy map.

class {name1 [insert-before name2] | class-default}

no class {name1 [insert-before name2] | class-default}

Syntax Description

name1

Name of a previously defined Layer 7 SLB class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

insert-before name2

(Optional) Places the current named class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration.

class-default

Reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it that enables it to match all traffic.


Command Modes

Policy map load balancing RADIUS configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To associate a Layer 7 SLB class map with a Layer 7 SLB policy map, enter:

host1/Admin(config)# policy-map type loadbalance radius first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-radius)# class L7LOADBALNCE_CLASS
host1/Admin(config-pmap-lb-radius-c)#

Related Commands

(config-pmap-lb-radius) description

(config-pmap-lb-radius) description

To provide a brief description of the RADIUS server load balancing (SLB) policy map, use the description command. Use the no form of this command to remove the description from the policy map.

description text

no description

Syntax Description

text

Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.


Command Modes

Policy map load balancing RADIUS configuration mode

Admin role in any user context

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To add a description that the policy map is to perform server load balancing, enter:

host1/Admin(config-pmap-lb-radius)# description RADIUS_LOAD_BALANCE_PROTOCOL

Related Commands

(config-pmap-lb-radius) class

(config-pmap-lb-radius) match radius attribute

To make server load balancing (SLB) decisions based on the calling-station-ID or username RADIUS attribute, use the match radius attribute command. Use the no form of this command to remove the RADIUS attribute match statement from the policy map.

match name radius attribute {calling-station-id | username} expression [insert-before map_name]

no match name radius attribute {calling-station-id | username} expression [insert-before map_name]

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

calling-station-id

Specifies the unique identifier of the calling station.

username

Specifies the name of the RADIUS user who initiated the connection.

expression

Calling station ID or username to match. Enter a string from 1 to 64 alphanumeric characters. The ACE supports the use of regular expressions for matching strings. For a list of the supported characters that you can use in regular expressions, see Table 2-21.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map or other match statement specified by the map_name argument. The ACE does not save the sequence reordering as part of the configuration.


Command Modes

Policy map load balancing RADIUS configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

To specify actions for multiple match statements, use a class map as described in the "Class Map RADIUS Load Balancing Configuration Mode Commands" section.

When matching data strings, the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).

When you use the match radius attribute command, you access the policy map load balancing RADIUS match configuration mode and the prompt changes to (config-pmap-lb-radius-m). For information about commands in this mode, see the "Policy Map Load Balancing RADIUS Match Configuration Mode Commands" section.

Examples

To configure RADIUS match criteria for a RADIUS policy map based on the calling station ID attribute, enter:

host1/Admin(config)# policy-map type loadbalance radius first-match RADIUS_POLICY
host1/Admin(config-pmap-lb-radius)# match CALL_ID radius attribute calling-station-id 122*
host1/Admin(config-pmap-lb-radius-m)#

To remove the RADIUS attribute match statement from the RADIUS policy map, enter:

host1/Admin(config-pmap-lb-radius)# no match CALL_ID radius attribute calling-station-id 122*

Related Commands

(config-cmap-radius-lb) match radius attribute

Policy Map Load Balancing RADIUS Class Configuration Mode Commands

Policy map load balancing RADIUS class configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 7 server load balancing (SLB) class map. To access policy map load balancing RADIUS class configuration mode, use the class command in policy map load balancing RADIUS configuration mode (see the (config-pmap-lb-radius) class command for details). The prompt changes to (config-pmap-lb-radius-c).

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-lb-radius-c) drop

To instruct the ACE to discard packets that match a particular load-balancing criterion in the class map, use the drop command. Use the no form of this command to reset the ACE to its default of accepting packets from the policy map.

drop

no drop

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing RADIUS class configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to discard packets that match the load-balancing criteria in the class map, enter:

host1/Admin(config)# policy-map type loadbalance radius first-match RAD_POLICY
host1/Admin(config-pmap-lb-radius)# class RAD_CLASS
host1/Admin(config-pmap-lb-radius-c)# drop

Related Commands

This command has no related commands.

(config-pmap-lb-radius-c) forward

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, use the forward command. Use the no form of this command to reset the ACE to its default of load balancing packets from the policy map.

forward

no forward

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing RADIUS class configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, enter:

host1/Admin(config)# policy-map type loadbalance radius first-match RAD_POLICY
host1/Admin(config-pmap-lb-radius)# class RAD_CLASS
host1/Admin(config-pmap-lb-radius-c)# forward

Related Commands

This command has no related commands.

(config-pmap-lb-radius-c) serverfarm

To load balance a client request for content to a server farm, use the serverfarm command. Server farms are groups of networked real servers that contain the same content and reside in the same physical location. Use the no form of this command to remove the server-farm action from the Layer 7 load-balancing policy map.

serverfarm name1 [backup name2 [aggregate-state]]

no serverfarm name1 [backup name2 [aggregate-state]]

Syntax Description

name1

Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

backup name2

(Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm goes down, the ACE sends all connections to the configured backup server farm. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

aggregate-state

This option has been deprecated and no longer has an effect on the state of the VIP. By default, the ACE takes into account the state of all real servers in the backup server farm before taking the VIP out of service. If all real servers in the primary server farm fail, but there is at least one real server in the backup server farm that is operational, the ACE keeps the VIP in service.


Command Modes

Policy map load balancing RADIUS class configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset (RST) to a client in response to a content request.

If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.

Examples

To specify the serverfarm command as an action in the load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance radius first-match RAD_POLICY
host1/Admin(config-pmap-lb-radius)# class RAD_CLASS
host1/Admin(config-pmap-lb-radius-c)# serverfarm FARM2 backup FARM3

Related Commands

This command has no related commands.

(config-pmap-lb-radius-c) set ip tos

To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB) policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the default of 0.

set ip tos value

no set ip tos value

Syntax Description

value

IP DSCP value. Enter an integer from 0 to 255. The default is 0.


Command Modes

Policy map load balancing RADIUS class configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.

Examples

The following example specifies the set ip tos command as a QoS action in the Layer 7 load-balancing policy map. All packets that satisfy the match criteria of the class map RAD_CLASS are marked with the IP DSCP value of 8. How packets marked with the IP DSCP value of 8 are treated is determined by the network configuration.

host1/Admin(config)# policy-map type loadbalance radius first-match RAD_POLICY
host1/Admin(config-pmap-lb-radius)# class RAD_CLASS
host1/Admin(config-pmap-lb-radius-c)# set ip tos 8

Related Commands

This command has no related commands.

(config-pmap-lb-radius-c) sticky-serverfarm

To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from the policy map.

sticky-serverfarm name

no sticky-serverfarm name

Syntax Description

name

Name of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map load balancing RADIUS class configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

Examples

To specify that all requests that match a RADIUS Layer 7 policy map are load balanced to a sticky server farm, enter:

host1/Admin(config)# policy-map type loadbalance radius first-match RAD_POLICY
host1/Admin(config-pmap-lb-radius)# class RAD_CLASS
host1/Admin(config-pmap-lb-radius-c)# sticky-serverfarm STICKY_GROUP1

Related Commands

This command has no related commands.

Policy Map Load Balancing RADIUS Match Configuration Mode Commands

Policy map load balancing RADIUS match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map load balancing RADIUS match configuration mode, use one of the match commands in policy map load balancing RADIUS configuration mode (see the "Policy Map Load Balancing RADIUS Configuration Mode Commands" section for details). The prompt changes to (config-pmap-lb-radius-m).

The inline Layer 7 policy map match commands allow you to include a single inline match criterion in the policy map without specifying a traffic class. The inline match commands function the same way as the Layer 7 server load balancing (SLB) class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the RADIUS SLB policy map.

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-lb-radius-m) drop

To instruct the ACE to discard packets that match a particular load-balancing criterion in an inline match command, use the drop command. Use the no form of this command to reset the ACE to its default of accepting packets from the policy map.

drop

no drop

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing RADIUS match configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to discard packets that match the load-balancing criteria in the inline match command, enter:

host1/Admin(config)# policy-map type loadbalance radius first-match RADIUS_POLICY
host1/Admin(config-pmap-lb-radius)# match CALL_ID radius attribute calling-station-id 122*
host1/Admin(config-pmap-lb-radius-m)# drop

Related Commands

This command has no related commands.

(config-pmap-lb-radius-m) forward

To instruct the ACE to forward requests that match a particular load-balancing criterion in an inline match command without performing load balancing on the request, use the forward command. Use the no form of this command to reset the ACE to its default of load balancing packets from the policy map.

forward

no forward

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing RADIUS match configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, enter:

host1/Admin(config)# policy-map type loadbalance radius first-match RADIUS_POLICY
host1/Admin(config-pmap-lb-radius)# match CALL_ID radius attribute calling-station-id 122*
host1/Admin(config-pmap-lb-radius-m)# forward

Related Commands

This command has no related commands.

(config-pmap-lb-radius-m) serverfarm

To load balance a client request for content to a server farm, use the serverfarm command. Server farms are groups of networked real servers that contain the same content and reside in the same physical location. Use the no form of this command to remove the server-farm action from the Layer 7 load balancing policy map.

serverfarm name1 [backup name2 [aggregate-state]]

no serverfarm name1 [backup name2 [aggregate-state]]

Syntax Description

name1

Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

backup name2

(Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm goes down, the ACE sends all connections to the configured backup server farm. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

aggregate-state

This option has been deprecated and no longer has an effect on the state of the VIP. By default, the ACE takes into account the state of all real servers in the backup server farm before taking the VIP out of service. If all real servers in the primary server farm fail, but there is at least one real server in the backup server farm that is operational, the ACE keeps the VIP in service.


Command Modes

Policy map load balancing RADIUS match configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset (RST) to a client in response to a content request.

If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.

Examples

To specify the serverfarm command as an action in the RADIUS load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance radius first-match RADIUS_POLICY
host1/Admin(config-pmap-lb-radius)# match CALL_ID radius attribute calling-station-id 122*
host1/Admin(config-pmap-lb-radius-m)# serverfarm FARM2 backup FARM3 

Related Commands

This command has no related commands.
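The first-match evaluation of a RADIUS policy map, the match expression rule from the (config-pmap-lb-radius) match radius attribute usage guidelines (an unescaped period matches any character, so a literal dot must be written as [.] or \.), and the primary/backup server-farm behaviour from the serverfarm usage guidelines, modelled together in Python as an added example that is not Cisco code. Assumptions: expressions are evaluated as Python regular expressions matched from the start of the attribute value, and the policy, farm names, server states and RADIUS attribute values are all constructed.

```python
# Added example (not Cisco code): a model of first-match evaluation for a RADIUS
# Layer 7 policy map, using the match expression rules from the match radius
# attribute usage guidelines and the backup server-farm behaviour from the
# serverfarm usage guidelines. Assumptions: expressions are Python regular
# expressions matched from the start of the attribute value, and the policy,
# farm names, server states and RADIUS attribute values are all constructed.
import re


def matches(expression, value):
    """Evaluate a match expression against an attribute value (anchored at the
    start, a modelling assumption). As the guidelines note, '.' and '?' are
    metacharacters, so a literal dot must be written [.] or \\. in the expression."""
    return re.match(expression, value) is not None


def select_farm(primary, backup, farm_state):
    """serverfarm action: use the primary farm while any real server in it is
    operational; otherwise fall back to the backup farm if one is configured and
    has an operational server; otherwise None, which the reference says makes
    the ACE answer the client with a TCP reset."""
    if any(farm_state.get(primary, ())):
        return primary
    if backup and any(farm_state.get(backup, ())):
        return backup
    return None


def evaluate(policy, attrs, farm_state):
    """Return (match_name, decision) for the first inline match statement whose
    expression matches; later statements are not evaluated (first-match)."""
    for rule in policy:
        value = attrs.get(rule["attribute"], "")
        if not matches(rule["expression"], value):
            continue
        if rule["action"] in ("drop", "forward"):
            return rule["name"], rule["action"]
        farm = select_farm(rule["farm"], rule.get("backup"), farm_state)
        return rule["name"], ("serverfarm:" + farm) if farm else "reset"
    return None, "no-match"


# Constructed policy in configuration order (first match wins).
POLICY = [
    {"name": "BLOCKED", "attribute": "calling-station-id",
     "expression": "555[.]0100", "action": "drop"},
    {"name": "CALL_ID", "attribute": "calling-station-id",
     "expression": "122*", "action": "serverfarm",
     "farm": "FARM2", "backup": "FARM3"},
    {"name": "ADMINS", "attribute": "username",
     "expression": "admin@corp[.]example", "action": "forward"},
]

# Constructed real-server states per farm: FARM2 is entirely down, FARM3 is partly up.
FARM_STATE = {"FARM2": [False, False], "FARM3": [True, False]}

if __name__ == "__main__":
    print(evaluate(POLICY, {"calling-station-id": "555.0100"}, FARM_STATE))
    print(evaluate(POLICY, {"calling-station-id": "1225550100"}, FARM_STATE))
    print(evaluate(POLICY, {"username": "admin@corp.example"}, FARM_STATE))
    # An unescaped dot matches any character, so the first expression also
    # accepts a value that is not the intended name; the bracketed form does not.
    print(matches("www.xyz.com", "wwwXxyzXcom"), matches("www[.]xyz[.]com", "wwwXxyzXcom"))
```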

(config-pmap-lb-radius-m) set ip tos

To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB) policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the default of 0.

set ip tos value

no set ip tos value

Syntax Description

value

IP DSCP value. Enter an integer from 0 to 255. The default is 0.


Command Modes

Policy map load balancing RADIUS match configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.

Examples

To specify the set ip tos command as a QoS action in the Layer 7 load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance radius first-match RADIUS_POLICY
host1/Admin(config-pmap-lb-radius)# match CALL_ID radius attribute calling-station-id 122*
host1/Admin(config-pmap-lb-radius-m)# set ip tos 8

Related Commands

This command has no related commands.

(config-pmap-lb-radius-m) sticky-serverfarm

To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from the policy map.

sticky-serverfarm name

no sticky-serverfarm name

Syntax Description

name

Name of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map load balancing RADIUS match configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
A2(1.0)                 This command was introduced.

ACE Appliance Release   Modification
A3(1.0)                 This command was introduced.


Usage Guidelines

For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

Examples

To specify that all requests that match a RADIUS policy map are load balanced to a sticky server farm, enter:

host1/Admin(config)# policy-map type loadbalance radius first-match RADIUS_POLICY
host1/Admin(config-pmap-lb-radius)# match CALL_ID radius attribute calling-station-id 122*
host1/Admin(config-pmap-lb-radius-m)# sticky-serverfarm STICKY_GROUP1

Related Commands

This command has no related commands.

Policy Map Load Balancing RDP Configuration Mode Commands

Policy map load balancing Reliable Datagram Protocol (RDP) configuration mode commands allow you to specify an RDP Layer 7 policy map for server load-balancing decisions. The ACE executes the specified action only against the first matching load-balancing classification.

To create an RDP Layer 7 server load balancing (SLB) policy map and access policy map load balancing RDP configuration mode, use the policy-map type loadbalance rdp first-match command. When you access the policy map load balancing RDP configuration mode, the prompt changes to (config-pmap-lb-rdp). Use the no form of this command to remove an RDP Layer 7 SLB policy map from the ACE.

policy-map type loadbalance rdp first-match map_name

no policy-map type loadbalance rdp first-match map_name

Syntax Description

map_name

Name assigned to the RDP SLB policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You associate the Layer 7 load balancing policy map with a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface.

To associate the Layer 7 load-balancing policy map, you nest it by using the Layer 3 and Layer 4 (config-pmap-c) loadbalance policy command.

Examples

To create an RDP SLB policy map, enter:

host1/Admin(config)# policy-map type loadbalance rdp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rdp)# 

Related Commands

show running-config
(config) policy-map

(config-pmap-lb-rdp) class

To associate a Layer 7 server load balancing (SLB) class map with a Layer 7 SLB policy map, use the class command. The prompt changes from (config-pmap-lb-rdp) to (config-pmap-lb-rdp-c). For information about commands in this mode, see the "Policy Map Load Balancing RDP Class Configuration Mode Commands" section. Use the no form of this command to remove the associated class map from a policy map.

class class-default

no class class-default

Syntax Description

class-default

Reserved, well-known class map created by the ACE. You cannot delete or modify this class map. The class-default class map has an implicit match any statement in it that enables it to match all traffic.


Command Modes

Policy map load balancing RDP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

For RDP load-balancing policy maps, you can only assign the class-default class map.

Examples

To associate the Layer 7 class-default class map with the RDP SLB policy map, enter:

host1/Admin(config)# policy-map type loadbalance rdp first-match RDP_POLICY
host1/Admin(config-pmap-lb-rdp)# class class-default
host1/Admin(config-pmap-lb-rdp-c)#

Related Commands

(config-pmap-lb-rdp) description

(config-pmap-lb-rdp) description

To provide a brief description of the RDP server load balancing (SLB) policy map, use the description command. Use the no form of this command to remove the description from the policy map.

description text

no description

Syntax Description

text

Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.


Command Modes

Policy map load balancing RDP configuration mode

Admin role in any user context

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To add a description that the policy map is to perform server load balancing, enter:

host1/Admin(config-pmap-lb-rdp)# description RDP_LOAD_BALANCE_PROTOCOL

Related Commands

(config-pmap-lb-rdp) class

Policy Map Load Balancing RDP Class Configuration Mode Commands

Policy map load balancing RDP class configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 7 server load balancing (SLB) class map. To access policy map load balancing RDP class configuration mode, use the class command in policy map load balancing RDP configuration mode (see the (config-pmap-lb-rdp) class command for details). The prompt changes to (config-pmap-lb-rdp-c).

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

(config-pmap-lb-rdp-c) drop

To instruct the ACE to discard packets that match a particular load-balancing criterion in the class map, use the drop command. Use the no form of this command to reset the ACE to its default of accepting packets from the policy map.

drop

no drop

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing RDP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to discard packets that match the load-balancing criteria in the class map, enter:

host1/Admin(config)# policy-map type loadbalance rdp first-match RDP_POLICY
host1/Admin(config-pmap-lb-rdp)# class class-default
host1/Admin(config-pmap-lb-rdp-c)# drop

Related Commands

This command has no related commands.

(config-pmap-lb-rdp-c) forward

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, use the forward command. Use the no form of this command to reset the ACE to its default of load balancing packets from the policy map.

forward

no forward

Syntax Description

This command has no keywords or arguments.

Command Modes

Policy map load balancing RDP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, enter:

host1/Admin(config)# policy-map type loadbalance rdp first-match RDP_POLICY
host1/Admin(config-pmap-lb-rdp)# class class-default
host1/Admin(config-pmap-lb-rdp-c)# forward

Related Commands

This command has no related commands.

(config-pmap-lb-rdp-c) serverfarm

To load balance a client request for content to a server farm, use the serverfarm command. Server farms are groups of networked real servers that contain the same content and reside in the same physical location. Use the no form of this command to remove the server-farm action from the Layer 7 load-balancing policy map.

serverfarm name1 [backup name2 [aggregate-state]]

no serverfarm name1 [backup name2 [aggregate-state]]

Syntax Description

name1

Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

backup name2

(Optional) Specifies the identifier of an existing server farm that you want the ACE to use as a backup server farm. If the primary server farm goes down, the ACE sends all connections to the configured backup server farm. Enter a name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

aggregate-state

This option has been deprecated and no longer has an effect on the state of the VIP. By default, the ACE takes into account the state of all real servers in the backup server farm before taking the VIP out of service. If all real servers in the primary server farm fail, but there is at least one real server in the backup server farm that is operational, the ACE keeps the VIP in service.


Command Modes

Policy map load balancing RDP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset (RST) to a client in response to a content request.

If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm.
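The failover rule described above, as an added Python model (this is illustration written for this page, not Cisco code; the RealServer, ServerFarm, ServerFarmAction and dispatch names, the round-robin stand-in for the ACE predictor, and the sample topology are all assumptions of the example). It shows the three outcomes the guidelines name: primary farm while it has an operational real, backup farm once the primary is fully down, and a reset when neither farm can serve, plus the VIP-state rule that the deprecated aggregate-state keyword now applies by default.

```python
"""Model of the 'serverfarm name1 [backup name2]' action and its failover rule.

Added example, not Cisco code; all names and the topology are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RealServer:
    name: str
    operational: bool = True


@dataclass
class ServerFarm:
    name: str
    reals: List[RealServer] = field(default_factory=list)

    def operational_reals(self) -> List[RealServer]:
        return [r for r in self.reals if r.operational]


@dataclass
class ServerFarmAction:
    """The policy action: a primary farm and an optional backup farm."""
    primary: ServerFarm
    backup: Optional[ServerFarm] = None

    def select_farm(self) -> Optional[ServerFarm]:
        """Farm that receives the next request.

        Primary while at least one of its reals is operational; otherwise the
        backup if configured and operational; otherwise None, which the page
        describes as the ACE answering the content request with a TCP RST.
        """
        if self.primary.operational_reals():
            return self.primary
        if self.backup is not None and self.backup.operational_reals():
            return self.backup
        return None

    def vip_in_service(self) -> bool:
        """Default (formerly 'aggregate-state') VIP rule: the VIP stays in
        service while any real in the primary OR the backup farm is up."""
        return self.select_farm() is not None


def dispatch(action: ServerFarmAction, rr_counter: Dict[str, int]) -> str:
    """Return the real chosen by a simple round-robin over the selected farm
    (a stand-in for the ACE predictor), or 'RST' when no farm is available."""
    farm = action.select_farm()
    if farm is None:
        return "RST"
    reals = farm.operational_reals()
    idx = rr_counter.get(farm.name, 0)
    rr_counter[farm.name] = idx + 1
    return reals[idx % len(reals)].name


def demo():
    """Walk a constructed topology through primary -> backup -> nothing left."""
    farm2 = ServerFarm("FARM2", [RealServer("rs1"), RealServer("rs2")])  # primary
    farm3 = ServerFarm("FARM3", [RealServer("rs3")])                     # backup
    action = ServerFarmAction(primary=farm2, backup=farm3)
    counter: Dict[str, int] = {}
    trace = [dispatch(action, counter) for _ in range(2)]   # rs1, rs2 from the primary
    farm2.reals[0].operational = False
    farm2.reals[1].operational = False                        # whole primary farm down
    trace.append(dispatch(action, counter))                   # rs3: backup takes over
    vip_with_backup = action.vip_in_service()                 # True: backup keeps the VIP up
    farm3.reals[0].operational = False                        # backup down as well
    trace.append(dispatch(action, counter))                   # RST
    return trace, vip_with_backup, action.vip_in_service()


if __name__ == "__main__":
    print(demo())
```

A farm configured without a backup goes straight from "primary" to "RST" when its last real fails, which is the case the first usage guideline warns about; the VIP-state check is what a monitoring script would poll to alert on that condition before clients see resets.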

Examples

To specify the serverfarm command as an action in the load-balancing policy map, enter:

host1/Admin(config)# policy-map type loadbalance rdp first-match RDP_POLICY
host1/Admin(config-pmap-lb-rdp)# class class-default
host1/Admin(config-pmap-lb-rdp-c)# serverfarm FARM2 backup FARM3 

Related Commands

This command has no related commands.

(config-pmap-lb-rdp-c) set ip tos

To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB) policy map, use the set ip tos command. This command marks a packet by setting the IP DSCP bit in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings. Use the no form of this command to reset the IP DSCP value to the default of 0.

set ip tos value

no set ip tos value

Syntax Description

value

IP DSCP value. Enter an integer from 0 to 255. The default is 0.


Command Modes

Policy map load balancing RDP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.

Examples

The following example specifies the set ip tos command as a QoS action in the Layer 7 load-balancing policy map. All packets that satisfy the match criteria of the class-default class map are marked with the IP DSCP value of 8. How packets marked with the IP DSCP value of 8 are treated is determined by the network configuration.

host1/Admin(config)# policy-map type loadbalance rdp first-match RDP_POLICY
host1/Admin(config-pmap-lb-rdp)# class class-default
host1/Admin(config-pmap-lb-rdp-c)# set ip tos 8
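What the set ip tos action does at the packet level, as an added Python example (written for this page, not Cisco code). It assumes, from the 0 to 255 range in the syntax description, that the value is written as the whole ToS byte, and it decodes that byte into its RFC 2474 DSCP and RFC 3168 ECN fields so a reader can see that, under that assumption, "set ip tos 8" yields DSCP 2 rather than DSCP 8. The header builder, set_ip_tos and checksum helpers, and the sample addresses are this example's own constructions; the point to take away is that any device rewriting the ToS byte must also recompute the IPv4 header checksum, which is what the check at the end verifies.

```python
"""Added example: apply 'set ip tos VALUE' to a constructed IPv4 header.

Not Cisco code. Assumes the value is written as the full ToS byte.
"""
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Caller zeroes the
    checksum field when computing, or passes the full header to verify (result 0)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, tos: int = 0,
                      payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum.
    Identification, flags and TTL are fixed constructed values."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + payload_len,
                      0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def set_ip_tos(packet: bytes, value: int) -> bytes:
    """Overwrite the ToS byte (header byte 1) and recompute the header checksum,
    leaving the rest of the packet untouched."""
    if not 0 <= value <= 255:
        raise ValueError("tos value must be an integer from 0 to 255")
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[1] = value
    header[10:12] = b"\x00\x00"                       # zero before recomputing
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def tos_fields(packet: bytes) -> dict:
    """Split the ToS byte into DSCP (upper 6 bits) and ECN (lower 2 bits)."""
    tos = packet[1]
    return {"tos": tos, "dscp": tos >> 2, "ecn": tos & 0x3}


def checksum_ok(packet: bytes) -> bool:
    """A valid header sums to all ones, so the complemented sum is 0."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


if __name__ == "__main__":
    pkt = build_ipv4_header("192.168.10.1", "10.0.0.1", payload_len=20)  # constructed addresses
    marked = set_ip_tos(pkt, 8)
    print(tos_fields(marked), checksum_ok(marked))
```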

Related Commands

This command has no related commands.

(config-pmap-lb-rdp-c) sticky-serverfarm

To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from the policy map.

sticky-serverfarm name

no sticky-serverfarm name

Syntax Description

name

Name of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Policy map load balancing RDP class configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

For information about sticky groups, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

Examples

To specify that all requests that match an RDP Layer 7 policy map are load balanced to a sticky server farm, enter:

host1/Admin(config)# policy-map type loadbalance rdp first-match RDP_POLICY
host1/Admin(config-pmap-lb-rdp)# class class-default
host1/Admin(config-pmap-lb-rdp-c)# sticky-serverfarm STICKY_GROUP1

Related Commands

This command has no related commands.

Policy Map Load Balancing RTSP Configuration Mode Commands

Policy map load balancing RTSP configuration mode commands allow you to specify a Real-Time Streaming Protocol (RTSP) Layer 7 policy map for server load-balancing decisions. The ACE executes the specified action only against the first matching load-balancing classification.

To create an RTSP Layer 7 server load balancing (SLB) policy map and access policy map load balancing RTSP configuration mode, use the policy-map type loadbalance rtsp first-match command. When you access the policy map load balancing RTSP configuration mode, the prompt changes to (config-pmap-lb-rtsp). Use the no form of this command to remove an RTSP SLB policy map from the ACE.

policy-map type loadbalance rtsp first-match map_name

no policy-map type loadbalance rtsp first-match map_name

Syntax Description

map_name

Name assigned to the RTSP SLB policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

You associate the Layer 7 load balancing policy map with a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface.

To associate the Layer 7 load-balancing policy map, you nest it by using the Layer 3 and Layer 4 (config-pmap-c) loadbalance policy command.

Examples

To create an RTSP SLB policy map, enter:

host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# 

Related Commands

show running-config
(config) policy-map

(config-pmap-lb-rtsp) class

To associate a Layer 7 server load balancing (SLB) class map with a Layer 7 SLB policy map, use the class command. The prompt changes from (config-pmap-lb-rtsp) to (config-pmap-lb-rtsp-c). For information about commands in this mode, see the "Policy Map Load Balancing RTSP Class Configuration Mode Commands" section. Use the no form of this command to remove an associated class map from a policy map.

class {name1 [insert-before name2] | class-default}

no class {name1 [insert-before name2] | class-default}

Syntax Description

name1

Name of a previously defined Layer 7 SLB class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

insert-before name2

(Optional) Places the current named class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration.

class-default

Reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it that enables it to match all traffic.


Command Modes

Policy map load balancing RTSP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To associate a Layer 7 SLB class map with a Layer 7 SLB policy map, enter:

host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# class L7LOADBALANCE_CLASS
host1/Admin(config-pmap-lb-rtsp-c)#

Related Commands

(config-pmap-lb-rtsp) description

(config-pmap-lb-rtsp) description

To provide a brief description of the RTSP server load balancing (SLB) policy map, use the description command. Use the no form of this command to remove the description from the policy map.

description text

no description

Syntax Description

text

Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.


Command Modes

Policy map load balancing RTSP configuration mode

Admin role in any user context

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To add a description that the policy map is to perform server load balancing, enter:

host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# description RTSP_LOAD_BALANCE_PROTOCOL

Related Commands

(config-pmap-lb-rtsp) class

(config-pmap-lb-rtsp) match rtsp header

To make server load balancing (SLB) decisions based on the name and value of an RTSP header, use the match rtsp header command. The ACE performs regular expression matching against the received packet data from a particular connection based on the RTSP header expression. Use the no form of this command to clear an RTSP header match criteria from the policy map.

match name rtsp header header_name header-value expression [insert-before map_name]

no match name rtsp header header_name header-value expression

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

header_name

Name of the field in the RTSP header. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. You can enter a text string with spaces if you enclose the entire string in quotation marks (" "). You can enter any header field name, including a standard RTSP header field name or any user-defined header field name. Because RTSP is similar in syntax and operation to HTTP/1.1, you can use any HTTP header listed in Table 2-10 if the RTSP server supports it. For a complete list of RTSP headers, see RFC 2326.

header-value expression

Specifies the expression string to compare against the value in the specified field in the RTSP header. Enter a text string with a maximum of 255 alphanumeric characters. The ACE supports the use of regular expressions for header matching. Header expressions allow spaces if the entire string that contains spaces is quoted. For a list of the supported characters that you can use in regular expressions, see Table 2-21.

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map load balancing RTSP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

When you use the match rtsp header command, you access the policy map load balancing RTSP match configuration mode and the prompt changes from (config-pmap-lb-rtsp) to (config-pmap-lb-rtsp-m). For information about commands in this mode, see the "Policy Map Load Balancing RTSP Match Configuration Mode Commands" section.

The ACE supports regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. For a list of supported characters that you can use in regular expressions, see Table 2-21.

Examples

To specify that the Layer 7 SLB policy map load balances on an RTSP header named Host, enter:

host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# match match3 rtsp header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-rtsp-m)# 

Related Commands

(config-parammap-rtsp) set header-maxparse-length

(config-pmap-lb-rtsp) match rtsp source-address

To specify a client source host IP address and subnet mask from which the ACE accepts traffic as the network traffic matching criteria, use the match rtsp source-address command. You configure the associated policy map to permit or restrict management traffic to the ACE from the specified source network or host. Use the no form of this command to clear the source IP address and subnet mask match criteria from the policy map.

match name rtsp source-address ip_address mask [insert-before map_name]

no match name rtsp source-address ip_address mask

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

ip_address

Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

mask

Subnet mask of the client entry in dotted-decimal notation (for example, 255.255.255.0).

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map load balancing RTSP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

When you use the match rtsp source-address command, you access the policy map load balancing RTSP match configuration mode and the prompt changes from (config-pmap-lb-rtsp) to (config-pmap-lb-rtsp-m). For information about commands in this mode, see the "Policy Map Load Balancing RTSP Match Configuration Mode Commands" section.

Examples

To specify that the Layer 7 SLB policy map matches on source IP address 192.168.10.1 255.255.0.0, enter:

host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# match match3 rtsp source-address 192.168.10.1 255.255.0.0
host1/Admin(config-pmap-lb-rtsp-m)# 

Related Commands

(config-cmap-rtsp-lb) match source-address

(config-pmap-lb-rtsp) match rtsp url

To make server load balancing (SLB) decisions based on the URL name and, optionally, the RTSP method, use the match rtsp url command. The ACE performs regular expression matching against the received packet data from a particular connection based on the RTSP URL string. Use the no form of this command to remove a URL match statement from the policy map.

match name rtsp url expression [method name] [insert-before map_name]

no match name rtsp url expression [method name]

Syntax Description

name

Name of the inline match condition. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

expression

URL, or portion of a URL, to match. Enter a URL string from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching URL strings. For a list of supported characters that you can use in regular expressions, see Table 2-21.

method name

(Optional) Specifies the RTSP method to match. Enter a method name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The method can either be one of the standard RTSP method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or it can be a text string that must be matched exactly (for example, STINGRAY).

insert-before map_name

(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.


Command Modes

Policy map load balancing RTSP configuration mode

Admin and user contexts

Command History

ACE Module Release
Modification

A2(1.0)

This command was introduced.


ACE Appliance Release
Modification

A3(1.0)

This command was introduced.


Usage Guidelines

When you use the match rtsp url command, you access the policy map load balancing RTSP match configuration mode and the prompt changes from (config-pmap-lb-rtsp) to (config-pmap-lb-rtsp-m). For information about commands in this mode, see the "Policy Map Load Balancing RTSP Match Configuration Mode Commands" section.

When matching data strings, note that the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
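The first-match evaluation that the RTSP policy map performs over its class command ordering (including insert-before and the class-default fallback) and its three inline conditions, match rtsp header, match rtsp source-address and match rtsp url with an optional method, as one added Python model. This is illustration written for this page, not Cisco code: it assumes Python's re module with unanchored search semantics stands in for the ACE regular-expression engine, the RtspRequest, MatchCondition and PolicyMap names and the sample requests are constructed, and the action strings reuse the page's own vocabulary (serverfarm, drop). The 64-character limit on policy-map name plus match name is enforced as the syntax descriptions state it, and dot_caveat reproduces the usage note above: a bare period matches any character, so www.xyz.com also matches wwwXxyzXcom while www[.]xyz[.]com does not.

```python
"""Added example: first-match evaluation of an RTSP Layer 7 policy map.

Not Cisco code. Regex semantics are Python's re.search (an assumption).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RtspRequest:
    method: str
    url: str
    headers: Dict[str, str]   # header names stored lower-case
    source_ip: str


def parse_rtsp_request(raw: str, source_ip: str) -> RtspRequest:
    """Parse the request line and headers; RTSP shares HTTP/1.1's line syntax."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, url, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break                                   # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return RtspRequest(method, url, headers, source_ip)


@dataclass
class MatchCondition:
    name: str
    test: Callable[[RtspRequest], bool]
    action: str


def match_header(name: str, header: str, expression: str, action: str) -> MatchCondition:
    """match <name> rtsp header <header> header-value <expression>"""
    pat, key = re.compile(expression), header.lower()
    return MatchCondition(name, lambda r: key in r.headers and pat.search(r.headers[key]) is not None, action)


def match_url(name: str, expression: str, action: str, method: Optional[str] = None) -> MatchCondition:
    """match <name> rtsp url <expression> [method <name>]"""
    pat = re.compile(expression)
    return MatchCondition(name, lambda r: (method is None or r.method == method) and pat.search(r.url) is not None, action)


def match_source_address(name: str, ip: str, mask: str, action: str) -> MatchCondition:
    """match <name> rtsp source-address <ip> <mask>"""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return MatchCondition(name, lambda r: ipaddress.IPv4Address(r.source_ip) in net, action)


@dataclass
class PolicyMap:
    name: str
    class_default_action: str
    entries: List[MatchCondition] = field(default_factory=list)

    def add(self, cond: MatchCondition, insert_before: Optional[str] = None) -> None:
        """Append, or place ahead of an existing entry (the insert-before keyword)."""
        if len(self.name) + len(cond.name) > 64:
            raise ValueError("policy-map name plus match name exceeds 64 characters")
        if insert_before is None:
            self.entries.append(cond)
            return
        idx = next(i for i, e in enumerate(self.entries) if e.name == insert_before)
        self.entries.insert(idx, cond)

    def first_match(self, req: RtspRequest) -> Tuple[str, str]:
        """Return (entry name, action) of the first condition that matches,
        or class-default's action when none does."""
        for cond in self.entries:
            if cond.test(req):
                return cond.name, cond.action
        return "class-default", self.class_default_action


def build_demo_policy() -> PolicyMap:
    """Constructed policy using the page's own example names where they exist."""
    pm = PolicyMap("L7SLBPOLICY", class_default_action="serverfarm FARM_DEFAULT")
    pm.add(match_header("match3", "Host", r".*cisco.com", "serverfarm FARM_CISCO"))
    pm.add(match_url("match4", r"whatsnew/latest.*", "serverfarm FARM_NEW", method="DESCRIBE"))
    pm.add(match_source_address("match5", "192.168.10.1", "255.255.0.0", "serverfarm FARM_LAN"))
    pm.add(match_url("match1", r"admin/", "drop"), insert_before="match3")  # reorder to the front
    return pm


def evaluate(raw_request: str, source_ip: str) -> Tuple[str, str]:
    return build_demo_policy().first_match(parse_rtsp_request(raw_request, source_ip))


def dot_caveat() -> Tuple[bool, bool]:
    """(loose, strict): unescaped '.' matches any character; '[.]' matches only a period."""
    return (re.search(r"www.xyz.com", "wwwXxyzXcom") is not None,
            re.search(r"www[.]xyz[.]com", "wwwXxyzXcom") is not None)


if __name__ == "__main__":
    # Constructed sample request
    print(evaluate("DESCRIBE rtsp://media.cisco.com/live.sdp RTSP/1.0\r\nCSeq: 2\r\nHost: media.cisco.com\r\n\r\n", "10.1.1.1"))
    print(dot_caveat())
```

Because evaluation stops at the first hit, the order in which conditions are entered (or moved with insert-before) decides the outcome whenever a request satisfies more than one of them; the model makes that visible by returning the name of the winning entry alongside its action, which is the same information to look for when a request lands on an unexpected server farm.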

Examples

To specify that the Layer 7 SLB policy map load balances on a specific URL, enter:

host1/Admin(config)# policy-map type loadbalance rtsp first-match L7SLBPOLICY
host1/Admin(config-pmap-lb-rtsp)# match match3 rtsp url whatsnew/latest.*