Table Of Contents
Configuration Mode Commands
(config) aaa accounting default
(config) aaa authentication login
(config) aaa group server
(config) access-group
(config) access-list ethertype
(config) access-list extended
(config) access-list remark
(config) access-list resequence
(config) action-list type
(config) arp
(config) banner
(config) boot system
(config) class-map
(config) clock timezone
(config) clock summer-time
(config) config-register
(config) context
(config) crypto chaingroup
(config) crypto csr-params
(config) domain
(config) end
(config) exit
(config) ft auto-sync
(config) ft group
(config) ft interface vlan
(config) ft peer
(config) ft track host
(config) ft track interface
(config) hostname
(config) interface
(config) ip dhcp relay
(config) ip route
(config) ldap-server host
(config) ldap-server port
(config) ldap-server timeout
(config) line vty
(config) login timeout
(config) logging buffered
(config) logging console
(config) logging device-id
(config) logging enable
(config) logging facility
(config) logging fastpath
(config) logging history
(config) logging host
(config) logging message
(config) logging monitor
(config) logging persistent
(config) logging queue
(config) logging rate-limit
(config) logging reject-newconn
(config) logging standby
(config) logging timestamp
(config) logging trap
(config) ntp
(config) optimize
(config) parameter-map type
(config) policy-map
(config) probe
(config) radius-server attribute nas-ipaddr
(config) radius-server deadtime
(config) radius-server host
(config) radius-server key
(config) radius-server retransmit
(config) radius-server timeout
(config) resource-class
(config) role
(config) rserver
(config) script file
(config) serverfarm
(config) service-policy
(config) shared-vlan-hostid
(config) snmp-server community
(config) snmp-server contact
(config) snmp-server enable traps
(config) snmp-server host
(config) snmp-server location
(config) snmp-server trap link ietf
(config) snmp-server trap-source vlan
(config) snmp-server user
(config) ssh key
(config) ssh maxsessions
(config) ssl-proxy service
(config) sticky http-cookie
(config) sticky http-header
(config) sticky ip-netmask
(config) tacacs-server deadtime
(config) tacacs-server host
(config) tacacs-server key
(config) tacacs-server timeout
(config) telnet maxsessions
(config) timeout xlate
(config) username
Configuration Mode Commands
Configuration mode commands allow you to configure global ACE parameters that affect the following contexts:
• All contexts, when configured in the Admin context
• A single user context, when configured in that context
Configuration mode also allows you to access all the ACE subordinate configuration modes. These modes provide parameters to configure the major features of the ACE, including access control lists (ACLs), application protocol inspection, fragmentation and reassembly, interfaces, Network Address Translation (NAT), persistence (stickiness), protocols, redundancy, routing, scripts, Secure Sockets Layer (SSL), server load balancing (SLB), TCP/IP normalization, users, and virtualization.
To access configuration mode, use the config command. The CLI prompt changes to (config).
See the individual command descriptions of all the configuration mode commands on the following pages.
Command Modes
Exec mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
This command requires one or more features assigned to your user role that allow configuration, such as AAA, interface, or fault-tolerant. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To access configuration mode, enter:
Related Commands
show running-config
show startup-config
(config) aaa accounting default
To configure the default accounting method, use the aaa accounting default command. You specify either a previously created AAA server group that identifies separate groups of Terminal Access Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) servers or the local database on the ACE. Use the no form of this command to remove the accounting method.
aaa accounting default {group group_name} {local} {none}
no aaa accounting default {group group_name} {local} {none}
Syntax Description
group group_name
    Associates the accounting method with a TACACS+ or RADIUS server group defined previously through the aaa group server command. The server group name is a maximum of 64 alphanumeric characters.
local
    Specifies to use the local database on the ACE as the accounting method.
none
    Specifies that the ACE does not perform accounting.
    Note Only users with an Admin role can configure the none keyword.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To enable user accounting to be performed using remote TACACS+ servers, followed by the local database as the fallback method, enter:
host1/Admin(config)# aaa accounting default group TacServer local
Related Commands
show aaa
show accounting log
(config) aaa authentication login
(config) aaa group server
(config) aaa authentication login
To configure the authentication method used for login to the ACE CLI, use the aaa authentication login command. Use the no form of this command to disable the authentication method.
aaa authentication login {{console | default} {{group group_name} {local} {none}}} | error-enable
no aaa authentication login {{console | default} {{group group_name} {local} {none}}} | error-enable
Syntax Description
console
    Specifies the console port login authentication method, identified by the specified server group.
default
    Specifies the default login authentication method (Telnet or Secure Shell [SSH] login) that is identified by the specified server group.
group group_name
    Associates the login authentication process with a Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) server group defined through the aaa group server command. The server group name is a maximum of 64 alphanumeric characters.
local
    Specifies to use the local database on the ACE as the login authentication method. When local follows a server group in the method list, the ACE uses the local database as the fallback authentication method if the servers do not respond.
none
    Specifies that the ACE does not perform password verification. If you configure this option, users can log in to the ACE without providing a valid password.
    Note Only users with an Admin role can configure the none keyword.
error-enable
    Enables the display of the login error message when the remote AAA servers fail to respond.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Use the none keyword cautiously. If you specify none, any user will be able to access the ACE at any time without a valid password.
To display whether the login error message is enabled, use the show aaa authentication login error-enable command. When a user attempts to log in and the remote AAA servers do not respond to the authentication request, the ACE continues the login sequence with the local user database.
Examples
To enable console authentication using the TACSERVER server group, followed by local login as the fallback method, enter:
host1/Admin(config)# aaa authentication login console group TACSERVER local
Password verification remains enabled for login authentication.
To turn off password validation, enter:
host1/Admin(config)# aaa authentication login console group TACSERVER local none
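The method-list behaviour described above (a server group tried first, the local database as fallback when the servers do not respond, and none disabling password verification), as an added Python example that is not part of this command reference or of the ACE software. The running-config excerpt and the local user table are constructed for the example; the rule that an unknown local user falls through to the next method, and the audit checks at the end, are the example's own assumptions rather than statements from this page.

```python
"""Model ACE login method lists and audit them for weak settings.

Added example; not code from the Cisco ACE command reference. It follows the
behaviour the page describes: methods are tried in the order configured, a
server group that does not respond falls through to the next method, "local"
checks the local user database, and "none" accepts the login without password
verification. The running-config excerpt and local user table are constructed.
"""

# Constructed excerpt written in the syntax documented on this page.
RUNNING_CONFIG = """\
aaa group server tacacs+ TACSERVER
aaa authentication login console group TACSERVER local
aaa authentication login default group TACSERVER local none
aaa authentication login error-enable
aaa accounting default group TACSERVER local
"""

# Constructed local database: username -> password (assumption for the example).
LOCAL_USERS = {"admin": "s3cret"}


def parse_login_methods(config):
    """Return {target: [(method, group_name_or_None), ...]} for console and default."""
    methods = {}
    for line in config.splitlines():
        parts = line.split()
        # 'aaa authentication login error-enable' carries no method list and is skipped
        if parts[:3] != ["aaa", "authentication", "login"] or len(parts) < 5:
            continue
        target, rest, mlist, i = parts[3], parts[4:], [], 0
        while i < len(rest):
            if rest[i] == "group":
                mlist.append(("group", rest[i + 1]))
                i += 2
            else:
                mlist.append((rest[i], None))
                i += 1
        methods[target] = mlist
    return methods


def resolve_login(mlist, user, password, reachable, verdict):
    """Walk a method list; return 'accept', 'reject' or 'no-method'.

    reachable: set of server group names whose servers answer requests.
    verdict: callable(group, user, password) -> bool, the servers' decision.
    A server that answers ends the walk; only a missing response falls through.
    """
    for method, group in mlist:
        if method == "group":
            if group not in reachable:
                continue  # servers silent: fall back to the next method
            return "accept" if verdict(group, user, password) else "reject"
        if method == "local":
            if user not in LOCAL_USERS:
                continue  # assumption: an unknown local user falls through
            return "accept" if LOCAL_USERS[user] == password else "reject"
        if method == "none":
            return "accept"  # no password verification at all
    return "no-method"


def audit_login_methods(methods):
    """Practitioner checks (not from the page) that flag weak method lists."""
    findings = []
    for target, mlist in methods.items():
        kinds = [m for m, _ in mlist]
        if "none" in kinds:
            findings.append(f"{target}: 'none' admits any user without a valid password")
        if "group" in kinds and "local" not in kinds:
            findings.append(f"{target}: no 'local' fallback; unreachable servers lock out the CLI")
    return findings


if __name__ == "__main__":
    m = parse_login_methods(RUNNING_CONFIG)
    down, any_server = set(), lambda g, u, p: False
    print(resolve_login(m["console"], "admin", "s3cret", down, any_server))  # accept (local)
    print(resolve_login(m["default"], "nobody", "", down, any_server))       # accept (none)
    print(audit_login_methods(m))
```

The default list in the excerpt is the dangerous shape shown in the second example above: once the servers are silent and the user is not in the local database, none admits the login. The console list, with local as the last method, rejects the same attempt.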
Related Commands
show aaa
(config) aaa accounting default
(config) aaa group server
(config) aaa group server
To configure independent server groups of Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) servers, use the aaa group server command. Use the no form of this command to remove a server group.
aaa group server {ldap | radius | tacacs+} group_name
no aaa group server {ldap | radius | tacacs+} group_name
Syntax Description
ldap
    Specifies an LDAP directory server group. For information about the commands in the LDAP server configuration mode, see the "LDAP Configuration Mode Commands" section.
radius
    Specifies a RADIUS server group. For information about the commands in the RADIUS server configuration mode, see the "RADIUS Configuration Mode Commands" section.
tacacs+
    Specifies a TACACS+ server group. For information about the commands in the TACACS+ server configuration mode, see the "TACACS+ Configuration Mode Commands" section.
group_name
    Name for the LDAP, RADIUS, or TACACS+ server group. The server group name is a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
A server group is a list of server hosts of a particular type. The ACE allows you to configure multiple TACACS+, RADIUS, and LDAP servers as a named server group. You group the different AAA server hosts into distinct lists. The ACE searches for the server hosts in the order in which you specify them within a group. You can configure a maximum of 100 server groups for each context in the ACE.
You can configure server groups at any time, but they take effect only when you apply them to the AAA service using the aaa authentication login or the aaa accounting default commands.
To create a AAA server group and access one of the three AAA server group configuration modes, enter the aaa group server ldap, aaa group server radius, or aaa group server tacacs+ command in configuration mode. The CLI prompt changes to (config-ldap), (config-radius), or (config-tacacs+). In this mode, you specify the IP address of one or more previously configured servers that you want added to or removed from the server group.
Examples
To create a RADIUS server group and add three previously configured RADIUS servers to it, enter:
host1/Admin(config)# aaa group server radius RAD_Server_Group1
host1/Admin(config-radius)# server 192.168.252.1
host1/Admin(config-radius)# server 192.168.252.2
host1/Admin(config-radius)# server 192.168.252.3
Related Commands
show aaa
show running-config
(config) aaa accounting default
(config) aaa authentication login
(config) access-group
To apply an access control list (ACL) to the inbound direction on all VLAN interfaces in a context and make the ACL active, use the access-group command. Use the no form of this command to remove an ACL from all interfaces in a context.
access-group input acl_name
no access-group input acl_name
Syntax Description
input
    Specifies the inbound direction of all interfaces in a context on which you want to apply the ACL.
acl_name
    Identifier of an existing ACL that you want to apply to all interfaces in the context.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
You must apply an ACL to an interface to allow the passing of traffic on that interface. This command enables you to apply an ACL to all interfaces in a context in the inbound direction only and to allow traffic on all interfaces simultaneously. The following considerations apply:
• You can use the access-group command in configuration mode only if there are no interfaces in the context to which you have applied an ACL previously using the (config-if) access-group command in interface configuration mode.
• If you have applied an ACL globally to all interfaces in a context, you cannot apply an ACL to an individual interface using the (config-if) access-group command in interface configuration mode.
• You can apply one Layer 2 ACL and one Layer 3 ACL globally to all interfaces in a context.
• You can apply both a Layer 3 and a Layer 2 ACL to all Layer 2 bridge-group virtual interfaces (BVIs) in a context.
• You can apply only a Layer 3 ACL to all Layer 3 virtual LANs (VLANs) in a context.
For complete details on ACLs, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
Examples
To apply an ACL named INBOUND to the inbound direction of all interfaces in the Admin context, enter:
host1/Admin(config)# access-group input INBOUND
To remove an ACL from all interfaces in the Admin context, enter:
host1/Admin(config)# no access-group input INBOUND
Related Commands
(config-if) access-group
show access-list
(config) access-list ethertype
To configure an EtherType access control list (ACL), use the access-list ethertype command. Use the no form of the command to remove the ACL from the configuration.
access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}
no access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}
Syntax Description
name
    Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
ethertype
    Specifies a subprotocol of type: any, bpdu, ipv6, or mpls.
deny
    Blocks connections on the assigned interface.
permit
    Allows connections on the assigned interface.
any
    Specifies any EtherType.
bpdu
    Specifies bridge protocol data units.
ipv6
    Specifies Internet Protocol version 6.
mpls
    Specifies Multiprotocol Label Switching.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
You can configure an ACL that controls traffic based on its EtherType. An EtherType is a subprotocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because they use a length field instead of a type field. Bridge protocol data units (BPDUs) are exceptions because they are SNAP-encapsulated, and the ACE is designed to specifically handle BPDUs.
You can configure an EtherType ACL only on a Layer 2 interface in the inbound direction.
When you specify the mpls keyword in an EtherType ACL, the ACE denies or permits both MPLS-unicast and MPLS-multicast traffic.
Examples
To create an EtherType ACL named INBOUND that permits bridge protocol data units, enter:
host1/Admin(config)# access-list INBOUND ethertype permit bpdu
Related Commands
clear access-list
show access-list
(config) access-list extended
To create an extended ACL, use the access-list extended command. The three major types of extended ACLs are as follows:
• IP
• TCP or UDP
• ICMP
Use the no form of the command to delete the ACL.
For an IP-extended ACL, the syntax is as follows:
access-list name [line number] extended {deny | permit} protocol {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address}
no access-list name [line number] extended {deny | permit} protocol {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address}
For a TCP- or a UDP-extended ACL, the syntax is as follows:
access-list name [line number] extended {deny | permit} {{tcp | udp} {src_ip_address netmask | any | host src_ip_address}} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]
no access-list name [line number] extended {deny | permit} {{tcp | udp} {src_ip_address netmask | any | host src_ip_address}} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]
For an ICMP-extended ACL, the syntax is as follows:
access-list name [line number] extended {deny | permit} icmp {src_ip_address netmask | any | host src_ip_address} {any | host dest_ip_address | dest_ip_address netmask} [icmp_type] [code operator_code]
no access-list name [line number] extended {deny | permit} icmp {src_ip_address netmask | any | host src_ip_address} {any | host dest_ip_address | dest_ip_address netmask} [icmp_type] [code operator_code]
Syntax Description
name
    Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
line number
    (Optional) Specifies the line number position where you want the entry that you are configuring to appear in the ACL. The position of an entry affects the lookup order of the entries in an ACL. If you do not configure the line number of an entry, the ACE applies a default increment and a line number to the entry and appends it at the end of the ACL.
extended
    Specifies an extended ACL. Extended ACLs allow you to specify the destination IP address and subnet mask and other parameters not available with a standard ACL.
deny
    Blocks connections on the assigned interface.
permit
    Allows connections on the assigned interface.
protocol
    Name or number of an IP protocol. Enter a protocol name or an integer from 0 to 255 that represents an IP protocol number from the following:
    • ah—(51) Authentication Header
    • eigrp—(88) Enhanced IGRP
    • esp—(50) Encapsulated Security Payload
    • gre—(47) Generic Routing Encapsulation
    • icmp—(1) Internet Control Message Protocol (See Table 2-1 for optional ICMP messaging types)
    • igmp—(2) Internet Group Management Protocol
    • ip—(0) Internet Protocol
    • ip-in-ip—(4) IP-in-IP Layer 3 tunneling protocol
    • object-group—Service object-group name
    • ospf—(89) Open Shortest Path First
    • pim—(103) Protocol Independent Multicast
    • tcp—(6) Transmission Control Protocol
    • udp—(17) User Datagram Protocol
src_ip_address netmask
    Traffic from a source defined by the IP address and the network mask. Use these arguments to specify the network traffic from a range of source IP addresses.
any
    Specifies the network traffic from any source.
host src_ip_address
    Specifies the IP address of the host from which network traffic originates. Use this keyword and argument to specify the network traffic from a single IP address.
operator
    (Optional) Operand used to compare source and destination port numbers for TCP and UDP protocols. The operators are as follows:
    • lt—Less than.
    • gt—Greater than.
    • eq—Equal to.
    • neq—Not equal to.
    • range—An inclusive range of port values. If you entered the range operator, enter a second port number value to define the upper limit of the range.
port1 [port2]
    TCP or UDP source port name or number from which you permit or deny access to services. To enter an inclusive range of ports, enter two port numbers. Port2 must be greater than or equal to port1. See Table 2-2 for a list of well-known port names and numbers.
dest_ip_address netmask
    Specifies the IP address of the network or host to which the packet is being sent and the network mask bits that are to be applied to the destination IP address. Use these arguments to specify a range of destination IP addresses.
any
    Specifies the network traffic going to any destination.
host dest_ip_address
    IP address of the destination host of the packets in a flow. Use this keyword and argument to specify the network traffic destined to a single IP address.
port3 [port4]
    TCP or UDP destination port name or number to which you permit or deny access to services. To enter an optional inclusive range of ports, enter two port numbers. Port4 must be greater than or equal to port3. See Table 2-2 for a list of well-known ports.
icmp_type
    (Optional) Type of ICMP messaging. Enter either an integer that corresponds to the ICMP type number or one of the ICMP type names described in Table 2-1.
code
    (Optional) Specifies that a numeric operator and ICMP code follows. This keyword is available only if you select icmp as the protocol type.
operator_code
    An operator that the ACE applies to the ICMP code number that follows. Enter one of the following operators:
    • lt—Less than.
    • gt—Greater than.
    • eq—Equal to.
    • neq—Not equal to.
    • range—An inclusive range of ICMP code values. When you use this operator, specify two code numbers to define the range.
code1, code2
    ICMP code number within the ICMP type specified by icmp_type. If you entered the range operator, enter a second ICMP code value to define the upper limit of the range.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the ports and destination addresses as "any" in an extended ACL.
For TCP and UDP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the ACE allows all returning traffic for established connections.
You can apply only one ACL of each type (extended and EtherType) to each direction of an interface. You can also apply the same ACLs on multiple interfaces.
If you selected icmp as the IP protocol type, you can optionally specify the type of ICMP messaging. Enter either an integer that corresponds to the ICMP type number or one of the ICMP type names described in Table 2-1.
Table 2-1 ICMP Types
ICMP Type Number   ICMP Type
0                  echo-reply
3                  unreachable
4                  source-quench
5                  redirect
6                  alternate-address
8                  echo
9                  router-advertisement
10                 router-solicitation
11                 time-exceeded
12                 parameter-problem
13                 timestamp-request
14                 timestamp-reply
15                 information-request
16                 information-reply
17                 mask-request
18                 mask-reply
30                 traceroute
31                 conversion-error
32                 mobile-redirect
Table 2-2 Well-Known Port Numbers and Key Words
Keyword           Port Number   Description
aol               5190          America-Online
bgp               179           Border Gateway Protocol
chargen           19            Character Generator
citrix-ica        1494          Citrix Independent Computing Architecture protocol
cmd               514           Same as exec, with automatic authentication
ctiqbe            2748          Computer Telephony Interface Quick Buffer Encoding
daytime           13            Daytime
discard           9             Discard
domain            53            Domain Name System
echo              7             Echo
exec              512           Exec (RSH)
finger            79            Finger
ftp               21            File Transfer Protocol
ftp-data          20            FTP data connections
gopher            70            Gopher
h323              1720          H.323 call signalling
hostname          101           NIC hostname server
http              80            Hyper Text Transfer Protocol
https             443           HTTP over TLS/SSL
ident             113           Ident Protocol
imap4             143           Internet Message Access Protocol, version 4
irc               194           Internet Relay Chat
kerberos          88            Kerberos
klogin            543           Kerberos Login
kshell            544           Kerberos Shell
ldap              389           Lightweight Directory Access Protocol
ldaps             636           LDAP over TLS/SSL
login             513           Login (rlogin)
lotusnotes        1352          IBM Lotus Notes
lpd               515           Printer Service
matip-a           350           Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
netbios-ssn       139           NetBIOS Session Service
nntp              119           Network News Transport Protocol
pcanywhere-data   5631          PC Anywhere data
pim-auto-rp       496           PIM Auto-RP
pop2              109           Post Office Protocol v2
pop3              110           Post Office Protocol v3
pptp              1723          Point-to-Point Tunneling Protocol, RFC 2637
rpc               71            Remote Procedure Call
rtsp              554           Real Time Streaming Protocol
sip               5060          Session Initiation Protocol
smtp              25            Simple Mail Transfer Protocol
sqlnet            1521          Structured Query Language Network
ssh               22            Secure Shell
sunrpc            111           Sun Remote Procedure Call
tacacs            49            Terminal Access Controller Access Control System
talk              517           Talk
telnet            23            Telnet
time              37            Time
uucp              540           UNIX-to-UNIX Copy Program
whois             43            Nicname
www               80            World Wide Web (HTTP)
Examples
To configure a TCP extended ACL, enter:
host1/Admin(config)# access-list INBOUND line 10 extended permit tcp 192.168.12.0 255.255.255.0 gt 1024 172.27.16.0 255.255.255.0 lt 4000
To remove an entry from an extended ACL, enter:
host1/Admin(config)# no access-list INBOUND line 10
To allow an external host with IP address 192.168.12.5 to ping a host behind the ACE with an IP address of 10.0.0.5, enter:
host1/Admin(config)# access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5
To remove that ICMP entry from the ACL, enter:
host1/Admin(config)# no access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5
Related Commands
clear access-list
show access-list
(config) access-list remark
You can add comments about an access control list (ACL) to clarify the function of the ACL. To add a comment to an ACL use the access-list remark command. You can enter only one comment per ACL and the comment appears at the top of the ACL. Use the no form of the command to remove an ACL remark.
access-list name remark text
no access-list name remark text
Syntax Description
name
    Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
remark text
    Specifies any comments that you want to include about the ACL. Comments appear at the top of the ACL. Enter an unquoted text string with a maximum of 100 alphanumeric characters. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
If you delete an ACL using the no access-list name command, then the remarks are also removed.
Examples
To add a remark to the ACL named INBOUND, enter:
host1/Admin(config)# access-list INBOUND remark This is a remark
To remove the remark from the ACL, enter:
host1/Admin(config)# no access-list INBOUND remark This is a remark
Related Commands
clear access-list
show access-list
(config) access-list resequence
To resequence the entries in an access control list (ACL) with a specific starting number and interval, use the access-list resequence command. Use the no form of the command to reset the number assigned to an ACL entry to the default of 10.
access-list name resequence number1 number2
no access-list name resequence number1 number2
Syntax Description
name
    Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
resequence
    Keyword that specifies the renumbering of the entries in an ACL.
number1
    Number assigned to the first entry in the ACL. Enter any integer. The default is 10.
number2
    Number added to each entry in the ACL after the first entry. Enter any integer. The default is 10.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To renumber the entries of the ACL named INBOUND so that the first entry is 5 and each following entry increments by 15, enter:
host1/Admin(config)# access-list INBOUND resequence 5 15
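A worked example of the extended ACL syntax from the access-list extended section and of the line-number ordering that access-list resequence renumbers, as added Python code that is not part of this command reference or of the ACE software. It parses the ip, tcp, udp and icmp entry forms documented above (the optional code operator_code clause and the object-group protocol are not handled), looks a packet up in line-number order, and resequences the entries with a start number and interval. The implicit deny when no entry matches is standard ACL behaviour assumed here; the sample entries reuse the examples on this page and the packets in the usage are constructed.

```python
"""Parse ACE-style extended ACL entries and look up packets against them.

Added example, not code from the Cisco ACE command reference. Implements the
entry syntax on this page (ip/tcp/udp/icmp, optional line number, host/any/
netmask addresses, lt/gt/eq/neq/range port operators, optional ICMP type),
first-match lookup in line order, default numbering in steps of 10, resequencing,
and the implicit deny that ends every ACL (standard ACL behaviour, assumed here).
"""
import ipaddress
from dataclasses import dataclass

# Subsets of Table 2-1 (ICMP types) and Table 2-2 (port keywords) on this page.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}
PORT_NAMES = {"domain": 53, "http": 80, "https": 443, "ssh": 22, "telnet": 23, "www": 80}

def _addr(t, i):
    """Parse {any | host A | A MASK} at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port_op(t, i):
    """Parse optional [operator port1 [port2]]; return (matcher, next index)."""
    if i >= len(t) or t[i] not in ("lt", "gt", "eq", "neq", "range"):
        return (lambda p: True), i
    port = lambda tok: int(tok) if tok.isdigit() else PORT_NAMES[tok]
    op, p1 = t[i], port(t[i + 1])
    if op == "range":  # inclusive range; port2 must be >= port1
        p2 = port(t[i + 2])
        return (lambda p: p1 <= p <= p2), i + 3
    ops = {"lt": lambda p: p < p1, "gt": lambda p: p > p1,
           "eq": lambda p: p == p1, "neq": lambda p: p != p1}
    return ops[op], i + 2

@dataclass
class Entry:
    line: int
    action: str        # permit or deny
    proto: str         # ip, tcp, udp or icmp; ip matches every protocol
    src: object        # IPv4Network
    dst: object        # IPv4Network
    sport: object      # callable(port) -> bool
    dport: object      # callable(port) -> bool
    icmp_type: object  # int, or None to match any type

def parse_entry(text, next_line):
    """Parse one 'access-list NAME [line N] extended ...' command into an Entry."""
    t = text.split()
    i, line = 2, next_line
    if t[i] == "line":
        line, i = int(t[i + 1]), i + 2
    if t[0] != "access-list" or t[i] != "extended":
        raise ValueError("only 'access-list NAME [line N] extended ...' is handled")
    action, proto, i = t[i + 1], t[i + 2], i + 3
    src, i = _addr(t, i)
    sport, i = _port_op(t, i) if proto in ("tcp", "udp") else ((lambda p: True), i)
    dst, i = _addr(t, i)
    dport, icmp_type = (lambda p: True), None
    if proto in ("tcp", "udp"):
        dport, i = _port_op(t, i)
    elif proto == "icmp" and i < len(t):
        icmp_type = ICMP_TYPES[t[i]] if t[i] in ICMP_TYPES else int(t[i])
    return Entry(line, action, proto, src, dst, sport, dport, icmp_type)

class Acl:
    def __init__(self, name):
        self.name, self.entries = name, {}  # line number -> Entry
    def add(self, text):
        """Add an entry; without 'line N' it gets the highest number plus 10."""
        e = parse_entry(text, max(self.entries, default=0) + 10)
        self.entries[e.line] = e
    def resequence(self, number1=10, number2=10):
        """Renumber: the first entry gets number1, each later one adds number2."""
        ordered = sorted(self.entries.values(), key=lambda e: e.line)
        self.entries = {}
        for n, e in enumerate(ordered):
            e.line = number1 + n * number2
            self.entries[e.line] = e
    def lookup(self, proto, src, dst, sport=0, dport=0, icmp_type=None):
        """First matching entry in line order decides; no match is an implicit deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for line in sorted(self.entries):
            e = self.entries[line]
            if (e.proto in ("ip", proto) and s in e.src and d in e.dst
                    and e.sport(sport) and e.dport(dport)
                    and e.icmp_type in (None, icmp_type)):
                return e.action, line
        return "deny", None

def build_sample_acl():
    """Constructed ACL made from the entries shown in the examples on this page."""
    acl = Acl("INBOUND")
    acl.add("access-list INBOUND line 10 extended permit tcp 192.168.12.0 255.255.255.0 "
            "gt 1024 172.27.16.0 255.255.255.0 lt 4000")
    acl.add("access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5 echo")
    acl.add("access-list INBOUND extended deny ip any any")
    return acl
```

Calling build_sample_acl().lookup("tcp", "192.168.12.7", "172.27.16.9", sport=40000, dport=443) returns ("permit", 10); the same flow to destination port 8080 falls through entry 10 and hits the deny at line 30. After resequence(5, 15) the three entries sit at lines 5, 20 and 35, and an entry added afterwards without a line number lands at the highest number plus 10.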
Related Commands
clear access-list
show access-list
(config) action-list type
To create an optimization action map for performing application acceleration and optimization, use the action-list type command in global configuration mode. Use the no form of this command to remove an action list from the ACE.
action-list type {optimization http} list_name
no action-list type {optimization http} list_name
Syntax Description
optimization http
    Specifies an optimization HTTP action list. After you create the optimization HTTP type action list, you configure application acceleration and optimization functions in the action list optimization configuration mode. For information about the commands in action list optimization configuration mode, see the "Action List Optimization Configuration Mode Commands" section.
list_name
    Name assigned to the action list. Enter a unique name as an unquoted text string with a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
This command requires the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The action-list type command allows you to configure a series of application acceleration and optimization statements. An action list groups a series of individual functions that apply to a specific type of operation. After you enter this command, the system enters the action list optimization configuration mode.
After you configure the action list, you associate it with a specific statement in a Layer 7 HTTP optimization policy map. The Layer 7 optimization HTTP policy map activates an optimization HTTP action list that allows you to configure the specified optimization actions.
For information about the commands in action list optimization configuration mode, see the "Action List Optimization Configuration Mode Commands" section. For details about configuring the commands in the action list optimization configuration mode, see the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide.
Examples
To create an optimization HTTP action list, enter:
host1/Admin(config)# action-list type optimization http ACT_LIST1
host1/Admin(config-actlist-optm)#
To remove the action list from the configuration, enter:
host1/Admin(config)# no action-list type optimization http ACT_LIST1
Related Commands
show action-list
show running-config
(config) parameter-map type
(config) policy-map
(config) arp
To configure the Address Resolution Protocol (ARP) on the ACE to manage and map IP to Media Access Control (MAC) information to forward and transmit packets, use the arp command. Use the no form of the command to remove the ARP entry or reset a default value.
arp {ip_address mac_address | interval seconds | inspection enable [flood | no flood] | learned-interval seconds | learned-mode enable | rate seconds | retries number | sync disable | sync-interval number}
no arp {ip_address mac_address | interval | inspection enable | learned-interval | learned-mode enable | rate | retries | sync disable | sync-interval number}
Syntax Description
ip_address mac_address
|
Static ARP entry in the ARP table that maps an IP address to a MAC address and limits ARP responses for that IP address to the configured MAC address. Enter the IP address in dotted-decimal notation (for example, 172.16.56.76). Enter the MAC address in dotted-hexadecimal notation (for example, 00.60.97.d5.26.ab).
|
interval seconds
|
Specifies the interval in seconds at which the ACE sends ARP requests to the configured hosts. Enter a number from 15 to 31536000. The default is 300.
|
inspection enable
|
Enables ARP inspection, preventing malicious users from impersonating other hosts or routers, known as ARP spoofing. The default is disabled.
|
flood
|
(Optional) Enables ARP forwarding of nonmatching ARP packets. The ACE forwards all ARP packets to all interfaces in the bridge group. This is the default setting.
|
no-flood
|
(Optional) Disables ARP forwarding of nonmatching ARP packets; the ACE drops them instead.
|
learned-interval seconds
|
Sets the interval in seconds when the ACE sends ARP requests for learned hosts. Enter a number from 60 to 31536000. The default is 14400.
|
learned-mode enable
|
Enables the ACE to learn MAC addresses on all traffic. The default is for the ACE to learn MAC addresses from host responses only.
|
rate seconds
|
Specifies the time interval in seconds between ARP retry attempts to hosts. Enter a number from 1 to 60. The default is 10.
|
retries number
|
Specifies the number of ARP attempts before the ACE flags the host as down. Enter a number from 2 to 15. The default is 3.
|
sync disable
|
Disables the replication of address resolution protocol (ARP) entries. By default, ARP entry replication is enabled.
|
sync-interval number
|
Specifies the time interval between ARP sync messages for learned hosts. Enter an integer from 1 to 3600 seconds (1 hour). The default is 5 seconds.
|
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
When you enable ARP inspection, the ACE compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:
•
If the IP address, MAC address, and source interface match an ARP entry, the ACE allows the packet to pass.
•
If a mismatch occurs between the MAC address, the IP address, or the interface, then the ACE drops the packet.
•
If the ARP packet does not match any entries in the static ARP table, then you can set the ACE to either forward the packet out all interfaces (flood) or to drop the packet.
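The three decisions above, carried through as an added Python model (not ACE code): a static table indexed by IP address and by MAC address, the flood/no-flood setting, and a constructed set of ARP packets that includes a spoof of the gateway entry used in the Examples below. The interface field on a static entry, the packet layout, and the class and function names are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

PASS, DROP, FLOOD = "pass", "drop", "flood"


def norm_mac(mac: str) -> str:
    """Normalise a MAC address to the ACE's dotted form (00.02.9a.3b.94.d9),
    so that 00:02:9A:3B:94:D9 and 0002.9a3b.94d9 compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ".".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class StaticArpEntry:
    ip: str
    mac: str
    interface: str  # assumption: the interface the static entry is checked against


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    interface: str  # interface the ARP packet arrived on


class ArpInspector:
    """Applies the three rules from the usage guidelines to each ARP packet."""

    def __init__(self, entries: Iterable[StaticArpEntry], flood: bool = True):
        self.by_ip: Dict[str, StaticArpEntry] = {}
        self.by_mac: Dict[str, StaticArpEntry] = {}
        for e in entries:
            e = StaticArpEntry(e.ip, norm_mac(e.mac), e.interface)
            self.by_ip[e.ip] = e
            self.by_mac[e.mac] = e
        self.flood = flood  # True = flood (default), False = no-flood

    def decide(self, pkt: ArpPacket) -> str:
        mac = norm_mac(pkt.sender_mac)
        # Any static entry that shares the packet's IP or MAC is a candidate.
        candidates = {self.by_ip.get(pkt.sender_ip), self.by_mac.get(mac)} - {None}
        if not candidates:
            # Rule 3: no static entry is involved; flood or drop per configuration.
            return FLOOD if self.flood else DROP
        for e in candidates:
            # Rule 1: IP, MAC and interface all agree with the static entry.
            if e.ip == pkt.sender_ip and e.mac == mac and e.interface == pkt.interface:
                return PASS
        # Rule 2: a static entry is involved but something disagrees (spoofing attempt).
        return DROP


def demo() -> Dict[str, Dict[str, str]]:
    """Run constructed packets through both flood settings; returns the decisions."""
    gateway = StaticArpEntry("10.1.1.1", "00.02.9a.3b.94.d9", "vlan100")
    packets = {
        "legit_gateway": ArpPacket("10.1.1.1", "00:02:9A:3B:94:D9", "vlan100"),
        "spoofed_gateway": ArpPacket("10.1.1.1", "00.de.ad.be.ef.01", "vlan100"),
        "gateway_mac_other_ip": ArpPacket("10.1.1.99", "00.02.9a.3b.94.d9", "vlan100"),
        "gateway_wrong_interface": ArpPacket("10.1.1.1", "00.02.9a.3b.94.d9", "vlan200"),
        "unknown_host": ArpPacket("10.1.1.50", "00.aa.bb.cc.dd.ee", "vlan100"),
    }
    results = {}
    for mode, flood in (("flood", True), ("no-flood", False)):
        inspector = ArpInspector([gateway], flood=flood)
        results[mode] = {name: inspector.decide(p) for name, p in packets.items()}
    return results


if __name__ == "__main__":
    for mode, decisions in demo().items():
        for name, verdict in decisions.items():
            print(f"{mode:9} {name:24} {verdict}")
```

The point the model makes visible: a static entry protects only the addresses it names. A host with no static entry is never checked, so under the default flood setting an attacker can still claim any unprotected IP; no-flood closes that gap at the cost of dropping ARP for every host you have not entered statically.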
Examples
To allow ARP responses from the router at 10.1.1.1 with the MAC address 00.02.9a.3b.94.d9, enter:
host1/contexta(config)# arp 10.1.1.1 00.02.9a.3b.94.d9
To remove a static ARP entry, enter:
host1/contexta(config)# no arp 10.1.1.1 00.02.9a.3b.94.d9
To enable ARP inspection and to drop all nonmatching ARP packets, enter:
host1/contexta(config)# arp inspection enable no-flood
To configure the retry attempt interval of 15 seconds, enter:
host1/contexta(config)# arp rate 15
To reset the retry attempt interval to the default of 10 seconds, enter:
host1/contexta(config)# no arp rate
To disable the replication of address resolution protocol (ARP) entries, enter:
host1/contexta(config)# arp sync disable
Related Commands
clear arp
show arp
(config) banner
Use the banner motd command to specify a message to display as the message-of-the-day banner when a user connects to the ACE CLI. Use the no form of the command to delete or replace a banner or a line in a multiline banner.
banner motd text
no banner motd text
Syntax Description
motd
|
Configures the system to display as the message-of-the-day banner when a user connects to the ACE.
|
text
|
Line of message text to be displayed as the message-of-the-day banner. The text string consists of all characters that follow the first space until the end of the line (carriage return or line feed). The # character functions as the delimiting character for each line. For the banner text, spaces are allowed but tabs cannot be entered at the CLI. Multiple lines in a message-of-the-day banner are handled by entering a new banner command for each line that you wish to add.
The banner message is a maximum of 80 alphanumeric characters per line, up to a maximum of 3000 characters (3000 bytes) total for a message-of-the-day banner. This maximum value includes all line feeds and the last delimiting character in the message.
|
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
To replace a banner or a line in a multiline banner, use the no banner motd command before adding the new lines.
To add multiple lines in a message-of-the-day banner, precede each line by the banner motd command. The ACE appends each line to the end of the existing banner. If the text is empty, the ACE adds a carriage return (CR) to the banner.
You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable, as follows:
•
$(hostname)—Displays the hostname for the ACE during run time.
•
$(line)—Displays the tty (teletypewriter) line or name (for example, /dev/console, /dev/pts/0, or 1).
To use the $(hostname) in single line banner motd input, include double quotation marks (") around the $(hostname) so that the $ is interpreted to a special character for the beginning of a variable in the single line. An example is as follows:
switch/Admin(config)# banner motd #Welcome to "$(hostname)"...#
Do not use the double quotation mark (") or the percent sign (%) as a delimiting character in a single line message string. Do not use the delimiting character in the message string.
For multiline input, double quotation marks (") are not required for the token because the input mode is different from the single line mode. The ACE treats the double quotation mark (") as a regular character when you operate in multiline mode.
Examples
To add a message-of-the-day banner, enter:
host1/Admin(config)# banner motd #Welcome to the "$(hostname)".
host1/Admin(config)# banner motd Contact me at admin@admin.com for any
host1/Admin(config)# banner motd issues.#
Related Commands
show banner motd
(config) boot system
To set the BOOT environment variable, use the boot system image: command. Use the no form of the command to remove the name of the system image file.
boot system image:filename
no boot system image:filename
Syntax Description
filename
|
Name of the system image file.
|
Command Modes
Configuration mode
Admin context only
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
You can add several images to the BOOT environment variable to provide a fail-safe boot configuration. If the first file fails to boot the ACE, subsequent images that are specified in the BOOT environment variable are tried until the ACE boots or there are no additional images to attempt to boot. If there is no valid image to boot, the ACE enters ROM-monitor mode where you can manually specify an image to boot.
The ACE stores and executes images in the order in which you added them to the BOOT environment variable. If you want to change the order in which images are tried at startup, you can either prepend and clear images from the BOOT environment variable to attain the desired order or you can clear the entire BOOT environment variable and then redefine the list in the desired order.
If the file does not exist (for example, if you entered the wrong filename), then the filename is appended to the boot string, and this message displays:
Warning: File not found but still added in the bootstring.
If the file does exist, but is not a valid image, the file is not added to the bootstring, and this message displays:
Warning: file found but it is not a valid boot image.
Examples
To set the BOOT environment variable, enter:
host1/Admin(config)# boot system image:ace-t1k9-mzg.1.7.1.bin
Related Commands
show bootvar
(config) config-register
(config) class-map
To create a Layer 3 and Layer 4 or a Layer 7 class map, use the class-map command. Use the no form of the class-map command to remove a class map from the ACE.
class-map [type {ftp inspect | http {inspect | loadbalance} | management}] [match-all | match-any] map_name
no class-map [type {ftp inspect | http {inspect | loadbalance} | management}] [match-all | match-any] map_name
Syntax Description
type
|
(Optional) Specifies the class map type that is to be defined. When you specify a class type, you enter its corresponding class map configuration mode (for example, HTTP inspection).
|
ftp inspect
|
Specifies a Layer 7 class map for the inspection of File Transfer Protocol (FTP) request commands. For information about commands in FTP inspection configuration mode, see the "Class Map FTP Inspection Configuration Mode Commands" section.
|
http inspect | loadbalance
|
Specifies a Layer 7 class map for HTTP deep packet application protocol inspection of traffic through the ACE (inspect keyword), or a Layer 7 class map for HTTP server load balancing (loadbalance keyword).
• For information about commands in class map HTTP inspection configuration mode, see the "Class Map HTTP Inspection Configuration Mode Commands" section.
• For information about commands in class map HTTP server load balancing configuration mode, see the "Class Map HTTP Load Balancing Configuration Mode Commands" section.
|
management
|
Specifies a Layer 3 and Layer 4 class map to classify the IP network management protocols received by the ACE. For information about commands in class map management configuration mode, see the "Class Map Management Configuration Mode Commands" section.
|
match-all | match-any
|
(Optional) Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:
• match-all—All of the match criteria listed in the class map match the network traffic class in the class map (typically, match commands of different types).
• match-any—Only one of the match criteria listed in the class map needs to match the network traffic class in the class map (typically, match commands of the same type).
The default setting is to meet all of the match criteria (match-all) in a class map.
|
map_name
|
The name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For a Layer 3 and Layer 4 class map, you enter the class map configuration mode and the prompt changes to (config-cmap).
|
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command requires the inspect, loadbalance, NAT, connection, SSL, or vip feature in your user role, depending on the type of class map that you want to configure. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Use the class map configuration mode commands to create class maps that classify inbound network traffic destined to, or passing through, the ACE based on a series of flow match criteria specified in the class map. The CLI prompt changes correspondingly to the selected class map configuration mode: (config-cmap), (config-cmap-ftp-insp), (config-cmap-http-insp), (config-cmap-http-lb), or (config-cmap-mgmt).
A Layer 3 and Layer 4 class map contains match criteria that classifies the following:
•
Network traffic that can pass through the ACE based on source or destination IP address, source or destination port, or IP protocol and port
•
Network management traffic that can be received by the ACE based on the HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet protocols
A Layer 7 class map contains match criteria that classifies specific Layer 7 protocol information. The match criteria enables the ACE to do the following:
•
Perform server load balancing based on the HTTP cookie, the HTTP header, the HTTP URL, protocol header fields, or source IP addresses
•
Perform deep packet inspection of the HTTP protocol
•
Perform FTP request command filtering
The ACE supports a system-wide maximum of 8192 class maps.
For details about creating a class map, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
When multiple match criteria exist in the traffic class, you can identify evaluation instructions using the match-any or match-all keywords. If you specify match-any, the traffic that is evaluated must match one of the specified criteria (typically, match commands of the same type). If you specify match-all, the traffic that is evaluated must match all of the specified criteria (typically, match commands of different types).
Examples
To create a Layer 3 and Layer 4 class map named L4VIP_CLASS that specifies the network traffic that can pass through the ACE for server load balancing, enter:
host1/Admin(config)# class-map match-all L4VIP_CLASS
host1/Admin(config-cmap)#
To create a Layer 3 and Layer 4 class map named MGMT-ACCESS_CLASS that classifies the network management protocols that can be received by the ACE, enter:
host1/Admin(config)# class-map type management match-any MGMT-ACCESS_CLASS
host1/Admin(config-cmap-mgmt)#
To create a Layer 7 class map named L7SLB_CLASS that performs server load balancing, enter:
host1/Admin(config)# class-map type http loadbalance match-any L7SLB_CLASS
host1/Admin(config-cmap-http-lb)#
To create a Layer 7 class map named HTTP_INSPECT_L7CLASS that performs HTTP deep packet inspection, enter:
host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)#
To create a Layer 7 class map named FTP_INSPECT_L7CLASS that performs FTP command inspection, enter:
host1/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
host1/Admin(config-cmap-ftp-insp)#
Related Commands
show startup-config
(config) policy-map
(config) service-policy
(config) clock timezone
To set the time zone, use the clock timezone command. Use the no form of this command to remove the time zone setting.
clock timezone {zone_name {+ | -} hours minutes} | {standard time_zone}
no clock timezone
Syntax Description
zone_name
|
8-letter name of the time zone (for example, PDT) to be displayed when the time zone is in effect. See Table 2-3 in the "Usage Guidelines" section for a list of the common time zone acronyms used for this argument.
|
hours
|
Hours offset from Coordinated Universal Time (UTC).
|
minutes
|
Minutes offset from UTC. Range is from 0 to 59 minutes.
|
standard time_zone
|
Sets the time to a standard time zone that includes the applicable UTC hours offset. Enter one of the following well-known time zones:
• ACST—Australian Central Standard Time as UTC + 9.5 hours
• AKST—Alaska Standard Time as UTC -9 hours
• AST—Atlantic Standard Time as UTC -4 hours
• BST—British Summer Time as UTC + 1 hour
• CEST—Central Europe Summer Time as UTC + 2 hours
• CET—Central Europe Time as UTC + 1 hour
• CST—Central Standard Time as UTC -6 hours
• EEST—Eastern Europe Summer Time as UTC + 3 hours
• EET—Eastern Europe Time as UTC + 2 hours
• EST—Eastern Standard Time as UTC -5 hours
• GMT—Greenwich Mean Time as UTC
• HST—Hawaiian Standard Time as UTC -10 hours
• IST—Irish Summer Time as UTC + 1 hour
• MSD—Moscow Summer Time as UTC + 4 hours
• MSK—Moscow Time as UTC + 3 hours
• MST—Mountain Standard Time as UTC -7 hours
• PST—Pacific Standard Time as UTC -8 hours
• WEST—Western Europe Summer Time as UTC + 1 hour
• WST—Western Standard Time as UTC + 8 hours
|
Command Modes
Configuration mode
Admin context only
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
The ACE keeps time internally in Coordinated Universal Time (UTC), so this command is used only for display purposes and when the time is set manually.
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Table 2-3 lists common time zone acronyms used for the zone_name argument.
Table 2-3 Time Zone Acronyms
Acronym | Time Zone Name and UTC Offset
Europe
BST | British Summer Time as UTC + 1 hour
CET | Central Europe Time as UTC + 1 hour
CEST | Central Europe Summer Time as UTC + 2 hours
EET | Eastern Europe Time as UTC + 2 hours
EEST | Eastern Europe Summer Time as UTC + 3 hours
GMT | Greenwich Mean Time as UTC
IST | Irish Summer Time as UTC + 1 hour
MSK | Moscow Time as UTC + 3 hours
MSD | Moscow Summer Time as UTC + 4 hours
WET | Western Europe Time as UTC
WEST | Western Europe Summer Time as UTC + 1 hour
United States and Canada
AST | Atlantic Standard Time as UTC -4 hours
ADT | Atlantic Daylight Time as UTC -3 hours
CT | Central Time, either as CST or CDT, depending on the place and time of the year
CST | Central Standard Time as UTC -6 hours
CDT | Central Daylight Saving Time as UTC -5 hours
ET | Eastern Time, either as EST or EDT, depending on the place and time of the year
EST | Eastern Standard Time as UTC -5 hours
EDT | Eastern Daylight Saving Time as UTC -4 hours
MT | Mountain Time, either as MST or MDT, depending on the place and time of the year
MDT | Mountain Daylight Saving Time as UTC -6 hours
MST | Mountain Standard Time as UTC -7 hours
PT | Pacific Time, either as PST or PDT, depending on the place and time of the year
PDT | Pacific Daylight Saving Time as UTC -7 hours
PST | Pacific Standard Time as UTC -8 hours
AKST | Alaska Standard Time as UTC -9 hours
AKDT | Alaska Daylight Saving Time as UTC -8 hours
HST | Hawaiian Standard Time as UTC -10 hours
Australia
CST | Central Standard Time as UTC + 9.5 hours
EST | Eastern Standard/Summer Time as UTC + 10 hours (+11 hours during summer time)
WST | Western Standard Time as UTC + 8 hours
Examples
To set the time zone to PST and to set an UTC offset of -8 hours, enter:
host1/Admin(config)# clock timezone PST -8 0
To remove the clock time-zone setting, enter:
host1/Admin(config)# no clock timezone PST -8 0
Related Commands
clock set
show clock
(config) clock summer-time
(config) clock summer-time
To configure the ACE to change the time automatically to summer time (daylight saving time), use the clock summer-time command. Use the no form of the command to remove the clock summer-time setting.
clock summer-time {daylight_timezone_name start_week start_day start_month start_time
end_week end_day end_month end_time daylight_offset | standard time_zone}
no clock summer-time
Syntax Description
daylight_timezone_name
|
8-letter name of the time zone (for example, PDT) to be displayed when summer time is in effect. For a list of the common time zone acronyms used for this argument, see the "Usage Guidelines" section for the (config) clock timezone command.
|
start_week
|
Start week for summer time, ranging from 1 through 5.
|
start_day
|
Start day for summer time, ranging from Sunday through Saturday.
|
start_month
|
Start month for summer time, ranging from January through December.
|
start_time
|
Start time (military time) in hours and minutes.
|
end_week
|
End week for summer time, ranging from 1 through 5.
|
end_day
|
End day for summer time, ranging from Sunday through Saturday.
|
end_month
|
End month for summer time, ranging from January through December.
|
end_time
|
End time (military format) in hours and minutes.
|
daylight_offset
|
Number of minutes to add during summer time. Valid entries are from 1 to 1440. The default is 60.
|
standard time_zone
|
Sets the daylight time to a standard time zone that includes an applicable daylight time start and end range along with a daylight offset. Enter one of the following well-known time zones:
• ADT—Atlantic Daylight Time: 2 a.m. first Sunday in April - 2 a.m. last Sunday in October, + 60 minutes
• AKDT—Alaska Standard Daylight Time: 2 a.m. first Sunday in April - 2 a.m. last Sunday in October, + 60 minutes
• CDT—Central Daylight Time: 2 a.m. first Sunday in April - 2 a.m. last Sunday in October, + 60 minutes
• EDT—Eastern Daylight Time: 2 a.m. first Sunday in April - 2 a.m. last Sunday in October, + 60 minutes
• MDT—Mountain Daylight Time: 2 a.m. first Sunday in April - 2 a.m. last Sunday in October, + 60 minutes
• PDT—Pacific Daylight Time: 2 a.m. first Sunday in April - 2 a.m. last Sunday in October, + 60 minutes
|
Command Modes
Configuration mode
Admin context only
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The first part of the command specifies when summer time begins, and the second part of the command specifies when summer time ends. All times are relative to the local time zone; the start time is relative to standard time and the end time is relative to summer time. If the starting month is after the ending month, the ACE assumes that you are located in the southern hemisphere.
The preset ranges listed for the standard time_zone keyword reflect the United States rules in effect when this command was introduced (first Sunday in April to last Sunday in October). Since 2007, United States daylight time has run from the second Sunday in March to the first Sunday in November, so for current dates enter the start and end explicitly rather than relying on the preset; a wrong local offset skews every timestamp the ACE logs.
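The semantics of this command and of the preceding clock timezone command, carried through as an added Python model (not ACE code): the signed offset from UTC, the start time read in standard time, the end time read in summer time and therefore shifted back by the offset, and the southern-hemisphere case when the start month is after the end month. Reading week 5 as "the last occurrence" when a month has only four of that weekday, and all function and class names, are assumptions of the model.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

# datetime.weekday(): Monday=0 ... Sunday=6
_DAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
_MONTHS = {m: i + 1 for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"])}


@dataclass(frozen=True)
class SummerTimeRule:
    name: str
    start_week: int
    start_day: int
    start_month: int
    start_time: str
    end_week: int
    end_day: int
    end_month: int
    end_time: str
    offset_minutes: int


def parse_rule(text: str) -> SummerTimeRule:
    """Parse the argument string of the explicit clock summer-time form,
    for example 'Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60'."""
    f = text.split()
    if len(f) != 10:
        raise ValueError("expected: name week day month HH:MM week day month HH:MM offset")
    weeks = [int(f[1]), int(f[5])]
    offset = int(f[9])
    if any(not 1 <= w <= 5 for w in weeks) or not 1 <= offset <= 1440:
        raise ValueError("week must be 1-5 and offset 1-1440 minutes")
    return SummerTimeRule(
        f[0], weeks[0], _DAYS[f[2][:3].lower()], _MONTHS[f[3][:3].lower()], f[4],
        weeks[1], _DAYS[f[6][:3].lower()], _MONTHS[f[7][:3].lower()], f[8], offset)


def when(iso: str) -> datetime:
    """Convenience: '2006-07-01T12:00' -> naive datetime."""
    return datetime.fromisoformat(iso)


def nth_weekday(year: int, month: int, weekday: int, week: int) -> datetime:
    """Date of the week-th occurrence of weekday in the month. Week 5 is read as
    the last occurrence when the month has only four (assumption about how the
    ACE interprets its 1-5 range; the Examples below use 5 for 'last')."""
    first = datetime(year, month, 1)
    day = 1 + (weekday - first.weekday()) % 7 + 7 * (week - 1)
    if day > calendar.monthrange(year, month)[1]:
        day -= 7
    return datetime(year, month, day)


def _at(date: datetime, hhmm: str) -> datetime:
    hour, minute = (int(x) for x in hhmm.split(":"))
    return date.replace(hour=hour, minute=minute)


def summer_time_bounds(rule: SummerTimeRule, year: int):
    """Start and end of summer time for one year, both in local standard time.
    The configured end time is read in summer time, so it is shifted back by
    the offset before it is compared against a standard-time clock."""
    start = _at(nth_weekday(year, rule.start_month, rule.start_day, rule.start_week),
                rule.start_time)
    end = _at(nth_weekday(year, rule.end_month, rule.end_day, rule.end_week), rule.end_time)
    return start, end - timedelta(minutes=rule.offset_minutes)


def is_summer_time(rule: SummerTimeRule, standard_local: datetime) -> bool:
    start, end = summer_time_bounds(rule, standard_local.year)
    if rule.start_month <= rule.end_month:          # northern hemisphere
        return start <= standard_local < end
    return standard_local >= start or standard_local < end   # southern: spans New Year


def local_time(utc: datetime, sign: str, hours: int, minutes: int,
               rule: SummerTimeRule = None) -> datetime:
    """Apply 'clock timezone {+|-} hours minutes' to the ACE's internal UTC
    clock, then the summer-time rule if one is configured and in effect."""
    offset = timedelta(hours=hours, minutes=minutes)
    standard = utc + offset if sign == "+" else utc - offset
    if rule is not None and is_summer_time(rule, standard):
        return standard + timedelta(minutes=rule.offset_minutes)
    return standard


if __name__ == "__main__":
    pacific = parse_rule("Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60")
    for stamp in ("2006-01-01T12:00", "2006-07-01T12:00"):
        print(stamp, "UTC ->", local_time(when(stamp), "-", 8, 0, pacific), "local")
```

Note the asymmetry the model has to handle: because the end time is entered in summer time, a rule ending at 02:00 actually ends at 01:00 standard time, which is where the 60-minute shift is subtracted in summer_time_bounds.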
Examples
To specify that summer time begins on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00, with a daylight offset of 60 minutes, enter:
host1/Admin(config)# clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60
To remove the clock summer-time setting, enter:
host1/Admin(config)# no clock summer-time
Related Commands
clock set
show clock
(config) clock timezone
(config) config-register
To change the configuration register boot settings, use the config-register configuration command. Use the no form of this command to reset the config-register setting.
config-register value
no config-register value
Syntax Description
value
|
Configuration register value that you want to use the next time that you restart the ACE. The supported value entries are as follows:
• 0x0—Upon reboot, the ACE boots to the GNU GRand Unified Bootloader (GRUB). From the GRUB boot loader, you specify the system boot image to use to boot the ACE. Upon startup, the ACE loads the startup-configuration file stored in Flash memory (nonvolatile memory) to the running-configuration file stored in RAM (volatile memory).
• 0x1—Upon reboot, the ACE boots the system image identified in the BOOT environment variable (see (config) boot system). The BOOT environment variable specifies a list of image files on various devices from which the ACE can boot at startup. If the ACE encounters an error or if the image is not valid, it will try the second image (if one is specified). Upon startup, the ACE loads the startup-configuration file stored in Flash memory (nonvolatile memory) to the running-configuration file stored in RAM (volatile memory).
|
Command Modes
Configuration mode
Admin context only
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
You can modify the boot method that the ACE uses at the next startup by setting the boot field in the software configuration register. The configuration register identifies how the ACE should boot. The config-register command affects only the configuration register bits that control the boot field and leaves the remaining bits unaltered.
Examples
To set the boot field in the configuration register to boot the system image identified in the BOOT environment variable upon reboot and to load the startup-configuration file stored in Flash memory, enter:
host1/Admin(config)# config-register 0x1
Related Commands
(config) boot system
(config) context
To create a context, use the context command. The CLI prompt changes to (config-context). A context provides a user view into the ACE and determines the resources available to a user. Use the no form of the command to remove a context.
context name
no context name
Syntax Description
name
|
Name that designates a context. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
Command Modes
Configuration mode
Admin context only
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
By default, the ACE allows you to create and use five user-configured contexts plus the default Admin context. To use a maximum of 251 contexts (Admin context plus 250 user contexts), you must purchase an additional license from Cisco Systems.
Examples
To create a context called C1, enter:
host1/Admin(config)# context C1
host1/Admin(config-context)#
To remove the context from the configuration, enter:
host1/Admin(config)# no context C1
Related Commands
changeto
show context
show user-account
show users
(config) crypto chaingroup
To create a certificate chain group, use the crypto chaingroup command. Once you create a chain group, the CLI enters into the chaingroup configuration mode, where you add the required certificate files to the group. Use the no form of the command to delete an existing chain group.
crypto chaingroup group_name
no crypto chaingroup group_name
Syntax Description
group_name
|
Name that you assign to the chain group. Enter the chain group name as an alphanumeric string from 1 to 64 characters.
|
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command requires the Secure Sockets Layer (SSL) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
A chain group specifies the certificate chains that the ACE sends to its peer during the handshake process. A certificate chain is a hierarchical list of certificates that includes the subject's certificate, the root CA certificate, and any intermediate CA certificates. You include a chain group in the handshake process by configuring the SSL proxy-service with the chain group (see the (config) ssl-proxy service command).
Each context on the ACE can contain up to eight chain groups.
Examples
To create the chain group MYCHAINGROUP, enter:
host1/Admin(config)# crypto chaingroup MYCHAINGROUP
Related Commands
(config) ssl-proxy service
(config) crypto csr-params
To create a Certificate Signing Request (CSR) parameter set to define a set of distinguished name attributes, use the crypto csr-params command. Use the no form of this command to remove an existing CSR parameter set.
crypto csr-params csr_param_name
no crypto csr-params csr_param_name
Syntax Description
csr_param_name
|
Name that designates a CSR parameter set. Enter the CSR parameter set name as an alphanumeric string from 1 to 64 characters.
|
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
A CSR parameter set defines the distinguished name attributes that the ACE applies to the CSR during the CSR-generating process. The distinguished name attributes provide the CA with the information that it needs to authenticate your site. Creating a CSR parameter set allows you to generate multiple CSRs with the same distinguished name attributes. You can create up to eight CSR parameter sets per context.
When you use the crypto csr-params command to specify a CSR parameter set, the prompt changes to the csr-params configuration mode (for more information on this mode and commands, see the "CSR Parameters Configuration Mode Commands" section), where you define each of the distinguished name attributes. The distinguished name consists of several required and optional attributes. The ACE requires that you define the following attributes:
•
Country name
•
State or province
•
Common name
•
Serial number
If you do not configure the required attributes, the ACE displays an error message when you attempt to generate a CSR using the incomplete CSR parameter set.
Examples
To create the CSR parameter set CSR_PARAMS_1, enter:
host1/Admin(config)# crypto csr-params CSR_PARAMS_1
host1/Admin(config-csr-params)#
Related Commands
crypto generate csr
show crypto
(config) domain
To create a domain, use the domain command. The CLI prompt changes to (config-domain). See the "Domain Configuration Mode Commands" section for details. Use the no form of this command to remove a domain from the configuration.
domain name
no domain name
Syntax Description
name
|
Name for the domain. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
A domain does not restrict the context configuration that you can display using the show running-config command. You can still display the running configuration for the entire context. However, you can restrict your access to the configurable objects within a context by adding to the domain only a limited subset of all the objects available to a context. To limit a user's ability to manipulate the objects in a domain, you can assign a role to that user. For more information about domains and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To create a domain named D1, enter:
host1/Admin(config)# domain D1
host1/Admin(config-domain)#
Related Commands
(config) context
show user-account
show users
(config) end
To exit from configuration mode and return to Exec mode, use the end command.
end
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
You can also press Ctrl-Z or enter the exit command to exit configuration mode.
Examples
To exit from configuration mode and return to Exec mode, enter:
host1/Admin(config)# end
host1/Admin#
Related Commands
This command has no related commands.
(config) exit
To exit from the current configuration mode and return to the previous mode, use the exit command.
exit
Syntax Description
This command has no keywords or arguments.
Command Modes
All configuration modes
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
In configuration mode, the exit command transitions to the Exec mode.
In all other configuration modes, the exit command transitions to the previous configuration mode.
You can also press Ctrl-Z, enter the (config) end command, or enter the exit command to exit configuration mode.
Examples
To exit from configuration mode and return to Exec mode, enter:
host1/Admin(config)# exit
To exit from interface configuration mode and return to configuration mode, enter:
host1/Admin(config-if)# exit
Related Commands
This command has no related commands.
(config) ft auto-sync
To enable automatic synchronization of the running-configuration and the startup-configuration files in a redundancy configuration, use the ft auto-sync command. Use the no form of this command to disable the automatic synchronization of the running-configuration or the startup-configuration file.
ft auto-sync {running-config | startup-config}
no ft auto-sync {running-config | startup-config}
Syntax Description
running-config | Enables autosynchronization of the running-configuration file. The default is enabled.
startup-config | Enables autosynchronization of the startup-configuration file. The default is disabled.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
By default, the ACE automatically updates the running configuration on the standby context of an FT group with any changes that occur to the running configuration of the active context. If you disable the ft auto-sync command, you need to update the configuration of the standby context manually. For more information about configuration synchronization and configuring redundancy, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

Caution
Toggling ft auto-sync running-config in the Admin context may have undesirable side effects if the same command is also disabled in an active user context. If ft auto-sync running-config is disabled in the active Admin context and in an active user context, and you subsequently enable ft auto-sync running-config in the active Admin context first, the entire configuration of the standby user context will be lost. Always enable ft auto-sync running-config in the active user context first, then enable the command in the active Admin context.
Examples
To enable autosynchronization of the running-configuration file in the C1 context, enter:
host1/C1(config)# ft auto-sync running-config
Related Commands
(config) ft group
(config) ft interface vlan
(config) ft peer
(config) ft track host
(config) ft track interface
(config) ft group
To create a fault-tolerant (FT) group for redundancy, use the ft group command. After you enter this command, the system enters the FT group configuration mode. Use the no form of this command to remove an FT group from the configuration.
ft group group_id
no ft group group_id
Syntax Description
group_id | Unique identifier of the FT group. Enter an integer from 1 to 20.
Command Modes
Configuration mode
Admin context only
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
You must configure the same group ID on both peer appliances.
On each ACE, you can create multiple FT groups, up to a maximum of 21 groups. Each group consists of a maximum of two members (contexts): one active context on one appliance and one standby context on the peer appliance.
For information about the commands in FT group configuration mode, see the "FT Group Configuration Mode Commands" section.
Examples
To configure an FT group, enter:
host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)#
To remove the group from the configuration, enter:
host1/Admin(config)# no ft group 1
Related Commands
(config) ft auto-sync
(config) ft interface vlan
(config) ft peer
(config) ft track host
(config) ft track interface
(config) ft interface vlan
To create a dedicated fault-tolerant (FT) VLAN over which two redundant peers communicate, use the ft interface vlan command. After you enter this command, the system enters the FT interface configuration mode. Use the no form of this command to remove an FT VLAN from the configuration.
ft interface vlan vlan_id
no ft interface vlan vlan_id
Syntax Description
vlan_id | Unique identifier for the FT VLAN. Enter an integer from 2 to 4094.
Command Modes
Configuration mode
Admin context only
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Peer ACEs communicate with each other over a dedicated FT VLAN. These redundant peers use the FT VLAN to transmit and receive heartbeat packets and state and configuration replication packets. You must configure the same VLAN on each peer appliance. You cannot use this VLAN for normal network traffic; it must be dedicated for redundancy only.
To configure one of the Ethernet ports or a port-channel interface on the ACE for fault tolerance using a dedicated FT VLAN for communication between the members of an FT group, use the ft-port vlan command in interface configuration mode. See the (config-if) ft-port vlan command for more information.
On both peer ACE appliances, you must configure the same Ethernet port or port-channel interface as the FT VLAN port. For example:
• If you configure ACE appliance 1 to use Ethernet port 4 as the FT VLAN port, then be sure to configure ACE appliance 2 to use Ethernet port 4 as the FT VLAN port.
• If you configure ACE appliance 1 to use port-channel interface 255 as the FT VLAN port, then be sure to configure ACE appliance 2 to use port-channel interface 255 as the FT VLAN port.
To remove an FT VLAN, first remove it from the FT peer using the no ft-interface vlan command in FT peer configuration mode. See the (config-ft-peer) ft-interface vlan command for more information.
Examples
To configure an FT VLAN, enter:
host1/Admin(config)# ft interface vlan 200
host1/Admin(config-ft-intf)#
To remove the FT VLAN from the redundancy configuration, enter:
host1/Admin(config)# no ft interface vlan 200
Related Commands
(config) ft auto-sync
(config) ft group
(config) ft peer
(config) ft track host
(config) ft track interface
(config-if) ft-port vlan
(config) ft peer
On both peer ACEs, configure an FT peer definition. To create an FT peer, use the ft peer command. After you enter this command, the system enters the FT peer configuration mode. You can configure a maximum of two ACEs as redundancy peers. Use the no form of this command to remove the FT peer from the configuration.
ft peer peer_id
no ft peer peer_id
Syntax Description
peer_id | Unique identifier of the FT peer. Enter 1.
Command Modes
Configuration mode
Admin context only
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Each ACE appliance can have one FT peer. FT peers are redundant ACE appliances that communicate with each other over a dedicated FT VLAN.
Before you can remove an FT peer from the configuration, remove the peer from the FT group using the no peer command in FT group configuration mode.
For information about the commands in FT peer configuration mode, see the "FT Peer Configuration Mode Commands" section.
Examples
To configure an FT peer, enter:
host1/Admin(config)# ft peer 1
host1/Admin(config-ft-peer)#
Related Commands
(config) ft auto-sync
(config) ft group
(config) ft interface vlan
(config) ft track host
(config) ft track interface
(config) ft track host
To create a tracking and failure detection process for a gateway or host, use the ft track host command. After you enter this command, the system enters FT track host configuration mode. Use the no form of the command to remove the gateway-tracking process.
ft track host name
no ft track host name
Syntax Description
name | Unique identifier of the tracking process for a gateway or host. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the fault-tolerant (FT) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
For information about commands in FT track host configuration mode, see the "FT Track Host Configuration Mode Commands" section.
For details about configuring redundant ACE appliances, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
Examples
To create a tracking process for a gateway, enter:
host1/Admin(config)# ft track host TRACK_GATEWAY1
host1/Admin(config-ft-track-host)#
To remove the gateway-tracking process, enter:
host1/Admin(config)# no ft track host TRACK_GATEWAY1
Related Commands
(config) ft track interface
(config) ft track interface
To create a tracking and failure detection process for a critical interface, use the ft track interface command. After you enter this command, the system enters FT track interface configuration mode. Use the no form of this command to stop tracking for an interface.
ft track interface name
no ft track interface name
Syntax Description
name | Unique identifier of the tracking process for a critical interface. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the fault-tolerant (FT) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
You cannot delete an interface if the ACE is using the interface for tracking. Also, you cannot configure the FT VLAN for tracking.
For information about commands in FT track interface configuration mode, see the "FT Track Interface Configuration Mode Commands" section.
For details about configuring redundant ACE appliances, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
Examples
To configure a tracking and failure detection process for an interface, enter:
host1/Admin(config)# ft track interface TRACK_VLAN100
To remove the interface-tracking process, enter:
host1/Admin(config)# no ft track interface TRACK_VLAN100
Related Commands
(config) ft auto-sync
(config) ft group
(config) ft interface vlan
(config) ft peer
(config) ft track host
(config) ft track interface
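The ft interface vlan, ft peer and ft group sections above state several constraints that span both appliances: the same FT group ID and the same FT VLAN on both peers, the same Ethernet port or port-channel carrying the FT VLAN (ft-port vlan), a group ID from 1 to 20, a VLAN ID from 2 to 4094 and a peer ID of 1. The following Python script is an added example, not code from the Cisco command reference: it parses the Admin-context configuration of two peers (constructed sample text, not captured from a real appliance) and reports any of those constraints that the pair violates. The sub-mode lines it looks for (ft-port vlan under an interface, peer under ft group, ft-interface vlan under ft peer) are the ones this section names; the exact formatting of those lines in a running-config is assumed.

```python
"""Cross-check the redundancy (FT) configuration of two ACE peers.

Added example, not part of the Cisco command reference. It parses the
Admin-context running configuration of both appliances (constructed sample
text below, not captured from a real device) and reports what this section
says must not happen: different FT group IDs or FT VLANs on the two peers,
a different Ethernet port carrying the FT VLAN, and identifiers outside
their documented ranges.
"""
import re


def parse_config(text):
    """Split a Cisco-style configuration into (command, [indented sub-commands])."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank line or comment
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def ft_summary(text):
    """Extract the FT settings of one appliance from its Admin-context config."""
    s = {"groups": set(), "vlans": set(), "peers": set(), "ft_ports": {}}
    for cmd, subs in parse_config(text):
        if m := re.fullmatch(r"ft group (\d+)", cmd):
            s["groups"].add(int(m.group(1)))
        elif m := re.fullmatch(r"ft interface vlan (\d+)", cmd):
            s["vlans"].add(int(m.group(1)))
        elif m := re.fullmatch(r"ft peer (\d+)", cmd):
            s["peers"].add(int(m.group(1)))
        elif m := re.fullmatch(r"interface (gigabitEthernet \S+|port-channel \d+)", cmd):
            # (config-if) ft-port vlan marks the port that carries the FT VLAN
            for sub in subs:
                if pm := re.fullmatch(r"ft-port vlan (\d+)", sub):
                    s["ft_ports"][int(pm.group(1))] = m.group(1)
    return s


def check_peers(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the peers are consistent."""
    a, b = ft_summary(cfg_a), ft_summary(cfg_b)
    findings = []
    for name, s in (("A", a), ("B", b)):
        # ranges documented for ft group, ft interface vlan and ft peer
        findings += [f"{name}: ft group {g} outside 1-20" for g in sorted(s["groups"]) if not 1 <= g <= 20]
        findings += [f"{name}: ft interface vlan {v} outside 2-4094" for v in sorted(s["vlans"]) if not 2 <= v <= 4094]
        findings += [f"{name}: ft peer {p} must be 1" for p in sorted(s["peers"]) if p != 1]
    if a["groups"] != b["groups"]:
        findings.append(f"FT group IDs differ: A={sorted(a['groups'])} B={sorted(b['groups'])}")
    if a["vlans"] != b["vlans"]:
        findings.append(f"FT VLANs differ: A={sorted(a['vlans'])} B={sorted(b['vlans'])}")
    for vid in sorted(a["vlans"] & b["vlans"]):
        pa, pb = a["ft_ports"].get(vid), b["ft_ports"].get(vid)
        if pa is None or pb is None:
            findings.append(f"FT VLAN {vid}: no ft-port vlan on {'A' if pa is None else 'B'}")
        elif pa != pb:
            findings.append(f"FT VLAN {vid} carried on different ports: A={pa} B={pb}")
    return findings


# Constructed sample configurations (not from a real appliance). PEER_B uses a
# different Ethernet port for the FT VLAN and defines a group its peer lacks.
PEER_A = """\
hostname ACE_1
interface gigabitEthernet 1/4
  ft-port vlan 200
ft interface vlan 200
ft peer 1
  ft-interface vlan 200
ft group 1
  peer 1
"""

PEER_B = """\
hostname ACE_2
interface gigabitEthernet 1/3
  ft-port vlan 200
ft interface vlan 200
ft peer 1
  ft-interface vlan 200
ft group 1
  peer 1
ft group 2
  peer 1
"""

if __name__ == "__main__":
    for finding in check_peers(PEER_A, PEER_B):
        print(finding)
```

Run it against the two sample configurations and it reports the mismatched FT group set and the different ft-port vlan interface; run it against two copies of the same configuration and it reports nothing. Pasting the real `show running-config` output of both peers in place of the samples is the intended use.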
(config) hostname
To specify a hostname for the ACE, use the hostname command. The hostname is used for the command line prompts and default configuration filenames. If you establish sessions to multiple devices, the hostname helps you track where you enter commands. Use the no form of this command to reset the hostname to the default of switch.
hostname name
no hostname name
Syntax Description
name | New hostname for the ACE. Enter a case-sensitive text string that contains from 1 to 32 alphanumeric characters.
Command Modes
Configuration mode
Admin context only
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
By default, the hostname for the ACE is switch.
Examples
To change the hostname of the ACE from switch to ACE_1, enter:
switch/Admin(config)# hostname ACE_1
Related Commands
This command has no related commands.
(config) interface
To configure a bridge-group virtual interface (BVI), Ethernet port, port-channel interface, or VLAN interface, use the interface command. The CLI prompt changes to (config-if). Use the no form of this command to remove the interface.
interface {bvi group_number | gigabitEthernet slot_number/port_number | port-channel channel_number | vlan number}
no interface {bvi group_number | gigabitEthernet slot_number/port_number | port-channel channel_number | vlan number}
Syntax Description
bvi group_number | Creates a BVI for a bridge group and accesses interface configuration mode commands for the BVI. The group_number argument is the bridge-group number configured on a VLAN interface.
gigabitEthernet slot_number/port_number | Specifies one of the four Ethernet ports on the rear panel of the ACE as follows:
• slot_number—The physical slot on the ACE containing the Ethernet ports. This selection is always 1, the location of the daughter card in the ACE. The daughter card includes the four Layer 2 Ethernet ports to perform Layer 2 switching.
• port_number—The physical Ethernet port on the ACE. Valid selections are 1 through 4, which specifies one of the four Ethernet ports (1, 2, 3, or 4) associated with the slot 1 (daughter card) selection.
port-channel channel_number | Specifies the channel number assigned to this port-channel interface. Valid values are from 1 to 255.
vlan number | Assigns the VLAN to the context and accesses interface configuration mode commands for the VLAN. The number argument is the number for a VLAN assigned to the ACE.
Command Modes
Configuration mode
BVI and VLAN—Admin and user contexts
Ethernet port and port-channel interface—Admin context only
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the interface feature in your user role. In addition, the Ethernet port and port-channel interface command functions require the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The four Ethernet ports provide physical Ethernet ports to connect servers, PCs, routers, and other devices to the ACE. You can configure the four Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiate, full-duplex, or half-duplex operation on an Ethernet LAN and can carry traffic within a designated VLAN.
You can group physical ports together on the ACE to form a logical Layer 2 interface called the EtherChannel (or port channel). You must configure all the ports that belong to the same port channel with the same values (such as port parameters, VLAN membership, and trunk configuration). Only one port channel in a channel group is allowed, and a physical port can belong only to a single port-channel interface.
To enable the bridge-group VLANs, you must configure a bridge-group virtual interface (BVI) that represents a corresponding bridge group. You should configure an IP address in the same subnet on the BVI. This address is used for management traffic and as a source IP address for traffic from the ACE, similar to ARP requests.
The ACE supports a maximum of 4000 VLAN interfaces with a maximum of 1024 shared VLANs.
The ACE requires a route back to the client before it can forward a request to a server. If the route back is not present, the ACE cannot establish a flow and drops the client request. Make sure that you configure the appropriate routing to the client network on the ACE VLAN where the client traffic enters the ACE appliance.
For information about commands in interface configuration mode, see the "Interface Configuration Mode Commands" section. For details about configuring a BVI interface, Ethernet port, port-channel interface, or VLAN interface, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.
Examples
To configure Ethernet port 3 and access interface configuration mode, enter:
host1/Admin(config)# interface gigabitEthernet 1/3
To create a port-channel interface with a channel number of 255, enter:
host1/Admin(config)# interface port-channel 255
To assign VLAN interface 200 to the Admin context and access interface configuration mode, enter:
host1/Admin(config)# interface vlan 200
To remove a VLAN, enter:
host1/Admin(config)# no interface vlan 200
To create a BVI for bridge group 15, enter:
host1/Admin(config)# interface bvi 15
To delete a BVI for bridge group 15, enter:
host1/Admin(config)# no interface bvi 15
Related Commands
clear interface
show interface
(config) ip dhcp relay
To configure a Dynamic Host Configuration Protocol (DHCP) relay agent on the ACE, use the ip dhcp relay command. When you configure the ACE as a DHCP relay agent, it is responsible for forwarding the requests and responses negotiated between the DHCP clients and the server. You must configure a DHCP server when you enable the DHCP relay. Use the no form of this command to disable a DHCP relay agent setting.
ip dhcp relay {enable | information policy {keep | replace} | server ip_address}
no ip dhcp relay {enable | information policy {keep | replace} | server ip_address}
Syntax Description
enable | Accepts DHCP requests from clients on the associated context or interface and enables the DHCP relay agent. The DHCP relay starts forwarding packets to the DHCP server address specified in the ip dhcp relay server command for the associated interface or context.
information policy | Configures a relay agent information reforwarding policy on the DHCP server to identify what the DHCP server should do if a forwarded message already contains relay information.
keep | Indicates that existing information is left unchanged on the DHCP relay agent. This is the default setting.
replace | Indicates that existing information is overwritten on the DHCP relay agent.
server | Specifies the IP address of a DHCP server to which the DHCP relay agent forwards client requests.
ip_address | IP address of the DHCP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the DHCP feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The DHCP relay agent can be configured at both the context and interface level of the ACE. Note the following configuration considerations:
• If you configure the DHCP relay agent at the context level, the configuration is applicable to all interfaces associated with the context.
• If you configure the DHCP relay agent at the interface level, the configuration is applicable to that particular interface only; the remaining interfaces fall back to the context-level configuration.
Examples
To set the IP address of a DHCP server at the context level, enter:
Enter configuration commands, one per line. End with CNTL/Z
host1/C1(config)# ip dhcp relay enable
host1/C1(config)# ip dhcp relay server 192.168.20.1
To specify the DHCP relay at the interface level, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip dhcp relay enable
host1/Admin(config-if)# ip dhcp relay server 192.168.20.1
To remove the IP address of the DHCP server, enter:
host1/Admin(config-if)# no ip dhcp relay server 192.168.20.1
Related Commands
clear ip
show ip
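The context-level versus interface-level precedence described in the usage guidelines is easy to get wrong when a context has many VLAN interfaces. The following Python script is an added example, not code from the Cisco guide: it parses a constructed running-config fragment containing ip dhcp relay commands at both levels and computes the settings each interface actually ends up with. It assumes the fallback works per option (an interface that only sets its own server still inherits enable and the information policy from the context); the guide does not spell out that granularity, so treat it as an assumption. It also lists interfaces where relay is enabled without a server, which the command description says must not be the case.

```python
"""Effective DHCP relay settings per interface.

Added example, not from the Cisco guide. It models the precedence described
above: ip dhcp relay commands at the context level apply to every interface,
commands entered under an interface apply to that interface only, and
interfaces without their own setting fall back to the context level. It
assumes the fallback is per option (an interface that only sets its own
server still inherits enable and policy from the context). The sample
running-config is constructed.
"""
import re

DEFAULTS = {"enable": False, "server": None, "policy": "keep"}   # keep is the default policy

RELAY_RE = re.compile(
    r"(no )?ip dhcp relay (?:(enable)|information policy (keep|replace)|server (\S+))"
)


def apply_relay_line(settings, line):
    """Update settings from one ip dhcp relay line; return False if it is not one."""
    m = RELAY_RE.fullmatch(line)
    if not m:
        return False
    negate, enable, policy, server = m.groups()
    if enable:
        settings["enable"] = negate is None
    elif policy:
        settings["policy"] = "keep" if negate else policy
    else:
        settings["server"] = None if negate else server
    return True


def parse_relay_config(text):
    """Return (context_settings, {interface: settings entered under it})."""
    context = dict(DEFAULTS)
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                      # top-level command
            current = None
            m = re.fullmatch(r"interface (vlan \d+|bvi \d+)", line)
            if m:
                current = m.group(1)
                interfaces.setdefault(current, {})
            else:
                apply_relay_line(context, line)
        elif current is not None:                       # interface sub-command
            apply_relay_line(interfaces[current], line)
    return context, interfaces


def effective_relay(text):
    """Per-interface settings with interface-level values overriding the context."""
    context, interfaces = parse_relay_config(text)
    return {name: {**context, **own} for name, own in interfaces.items()}


def relay_without_server(text):
    """Interfaces where relay is enabled but no DHCP server is configured."""
    return [name for name, eff in effective_relay(text).items()
            if eff["enable"] and eff["server"] is None]


# Constructed sample: context-level relay plus three interface-level variations.
SAMPLE = """\
ip dhcp relay enable
ip dhcp relay server 192.168.20.1
interface vlan 50
  ip dhcp relay server 192.168.20.2
interface vlan 60
  no ip dhcp relay enable
interface vlan 70
  no ip dhcp relay server 192.168.20.1
interface vlan 80
"""

if __name__ == "__main__":
    for name, eff in effective_relay(SAMPLE).items():
        print(name, eff)
    print("relay enabled without a server:", relay_without_server(SAMPLE))
```

In the sample, vlan 50 keeps relay enabled but forwards to its own server, vlan 60 opts out of relay entirely, vlan 70 removes the server at the interface level and so inherits an enabled relay with nowhere to forward (the condition the script flags), and vlan 80 inherits everything from the context.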
(config) ip route
To configure a default or static IP route, use the ip route command. Use the no form of this command to remove a default or static IP route from the configuration.
ip route dest_ip_prefix netmask gateway_ip_address
no ip route dest_ip_prefix netmask gateway_ip_address
Syntax Description
dest_ip_prefix | IP address for the route. The address that you specify for the static route is the address that is in the packet before entering the ACE and performing network address translation.
netmask | Subnet mask for the route.
gateway_ip_address | IP address of the gateway router (the next-hop address for this route). The gateway address must be in the same network as specified in the ip address command for a VLAN interface.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the routing feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The default route identifies the router IP address to which the ACE sends all IP packets for which it does not have a route.
Admin and user contexts do not support dynamic routing. You must use static routes for any networks to which the ACE is not directly connected; for example, use a static route when there is a router between a network and the ACE.
The ACE supports up to eight equal cost routes on the same interface for load balancing.
Routes that identify a specific destination address take precedence over the default route.
See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide for more information about configuring default or static routes.
Examples
To configure a default route, set the IP address and the subnet mask for the route to 0.0.0.0. For example, to send traffic for which the ACE has no route out the interface to the router at 192.168.4.8, enter:
host1/Admin(config)# ip route 0.0.0.0 255.255.255.0 192.168.4.8
Related Commands
(config-if) ip address
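The usage guidelines make three claims about route selection: a route to a specific destination takes precedence over the default route, the ACE supports up to eight equal-cost routes for load balancing, and the default route catches everything else. The following Python script is an added example, not code from the Cisco guide: it builds a small table from ip route lines (a constructed sample, with the default route written with a 0.0.0.0 mask as the guidelines describe), resolves destinations by longest-prefix match and refuses a ninth equal-cost next hop.

```python
"""Static route selection as described in the ip route usage guidelines.

Added example, not from the Cisco guide. It builds a table from ip route
lines (constructed sample below), resolves a destination by longest-prefix
match so that a route to a specific destination takes precedence over the
default route, and enforces the limit of eight equal-cost next hops for one
destination. The default route is written with a 0.0.0.0 mask, as the usage
guidelines describe.
"""
import ipaddress
import re

MAX_EQUAL_COST = 8        # the ACE supports up to eight equal cost routes

ROUTE_RE = re.compile(r"ip route (\S+) (\S+) (\S+)")


class RouteTable:
    def __init__(self):
        self.routes = {}  # IPv4Network -> list of next-hop IPv4Address

    def add(self, line):
        """Add one 'ip route dest_ip_prefix netmask gateway_ip_address' line."""
        m = ROUTE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"not an ip route command: {line!r}")
        dest, netmask, gateway = m.groups()
        network = ipaddress.ip_network(f"{dest}/{netmask}", strict=False)
        next_hop = ipaddress.ip_address(gateway)
        hops = self.routes.setdefault(network, [])
        if next_hop in hops:
            return                         # re-entering the same route is a no-op
        if len(hops) >= MAX_EQUAL_COST:
            raise ValueError(f"{network}: more than {MAX_EQUAL_COST} equal-cost next hops")
        hops.append(next_hop)

    def lookup(self, destination):
        """Next hops for destination, preferring the most specific (longest) prefix."""
        dest = ipaddress.ip_address(destination)
        best = None
        for network in self.routes:
            if dest in network and (best is None or network.prefixlen > best.prefixlen):
                best = network
        if best is None:
            return []                      # no route and no default: the ACE drops the flow
        return [str(hop) for hop in self.routes[best]]


def build_sample():
    """Constructed routing table: a default route, a /16 and a two-hop /24."""
    table = RouteTable()
    for line in [
        "ip route 0.0.0.0 0.0.0.0 192.168.4.8",
        "ip route 10.1.0.0 255.255.0.0 192.168.4.9",
        "ip route 10.1.5.0 255.255.255.0 192.168.4.10",
        "ip route 10.1.5.0 255.255.255.0 192.168.4.11",
    ]:
        table.add(line)
    return table


if __name__ == "__main__":
    table = build_sample()
    for dest in ("10.1.5.7", "10.1.9.1", "203.0.113.5"):
        print(dest, "->", table.lookup(dest))
```

A destination inside 10.1.5.0/24 gets both equal-cost next hops, one elsewhere in 10.1.0.0/16 gets the /16 gateway, and anything else falls through to the default route; an empty table returns no next hop at all, matching the guideline that the ACE cannot establish a flow without a route back.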
(config) ldap-server host
To specify the Lightweight Directory Access Protocol (LDAP) server IP address, the destination port, and other options, use the ldap-server host command. You can enter multiple ldap-server host commands to configure multiple LDAP servers. Use the no form of this command to revert to a default LDAP server authentication setting.
ldap-server host ip_address [port port_number] [timeout seconds] [rootDN "DN_string" [password bind_password]]
no ldap-server host ip_address [port port_number] [timeout seconds] [rootDN "DN_string" [password bind_password]]
Syntax Description
ip_address | IP address for the LDAP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
port port_number | (Optional) Specifies the TCP destination port for communicating authentication requests to the LDAP directory server. The port_number argument specifies the LDAP port number. Enter an integer from 1 to 65535.
timeout seconds | (Optional) Specifies the time in seconds to wait for a response from the LDAP server before the ACE can declare a timeout failure with the LDAP server. Use this option to change the time interval that the ACE waits for the LDAP server to reply to an authentication request. Enter an integer from 1 to 60. The default is 5 seconds.
rootDN "DN_string" | (Optional) Defines the distinguished name (DN) for a user who is unrestricted by access controls or administrative limit parameters to perform operations on the LDAP server directory. The rootDN user can be thought of as the root user for the LDAP server database. Enter a quoted string with a maximum of 63 alphanumeric characters. The default is an empty string.
password bind_password | (Optional) Defines the bind password (rootpw) applied to the rootDN of the LDAP server directory. Enter an unquoted string with a maximum of 63 alphanumeric characters. The default is an empty string.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
By default, the LDAP server port is 389. If your LDAP server uses a port other than 389, use the port keyword to configure an appropriate port before starting the LDAP service. The ldap-server port command overrides the global setting for the specified server.
By default, the ACE waits 5 seconds for the LDAP server to reply to an authentication request before the ACE declares a timeout failure and attempts to contact the next server in the group. The ldap-server timeout command overrides the global setting for the specified server.
Examples
To configure LDAP server authentication parameters, enter:
host1/Admin(config)# ldap-server host 192.168.2.3 port 2003
host1/Admin(config)# ldap-server host 192.168.2.3 timeout 60
host1/Admin(config)# ldap-server host 192.168.2.3 rootDN "cn=manager,dc=cisco,dc=com" password lab
To remove the LDAP server authentication setting, enter:
host1/Admin(config)# no ldap-server host 192.168.2.3 timeout 60
Related Commands
show aaa
(config) aaa group server
(config) ldap-server port
(config) ldap-server timeout
(config) ldap-server port
To globally configure a TCP port (if your LDAP server uses a port other than the default port 389) before you start the LDAP service, use the ldap-server port command. This global port setting will be applied to those LDAP servers for which a TCP port value is not individually configured by the ldap-server host command. Use the no form of this command to revert to the default of TCP port 389.
ldap-server port port_number
no ldap-server port port_number
Syntax Description
port_number | Destination port to the LDAP server. Enter an integer from 1 to 65535. The default is TCP port 389.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
To override the global TCP port setting (specified by the ldap-server port command) for a specific server, use the ldap-server host port command.
Examples
To globally configure the TCP port, enter:
host1/Admin(config)# ldap-server port 2003
To revert to the default of TCP port 389, enter:
host1/Admin(config)# no ldap-server port 2003
Related Commands
show aaa
(config) aaa group server
(config) ldap-server host
(config) ldap-server timeout
(config) ldap-server timeout
To globally change the time interval that the ACE waits for the LDAP server to reply to a request before it declares a timeout failure, use the ldap-server timeout command. By default, the ACE waits 5 seconds to receive a response from an LDAP server before it declares a timeout failure and attempts to contact the next server in the group. The ACE applies this global timeout value to those LDAP servers for which a timeout value is not individually configured by the ldap-server host command. Use the no form of the command to revert to the default of 5 seconds between transmission attempts.
ldap-server timeout seconds
no ldap-server timeout seconds
Syntax Description
seconds | Timeout value in seconds. Enter an integer from 1 to 60. The default is 5 seconds.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
To override the global timeout setting (specified by the ldap-server timeout command) for a specific server, use the ldap-server host timeout command.
Examples
To globally configure the timeout value to 30 seconds, enter:
host1/Admin(config)# ldap-server timeout 30
To change to the default of five seconds between transmission attempts, enter:
host1/Admin(config)# no ldap-server timeout 30
Related Commands
show aaa
(config) aaa group server
(config) ldap-server host
(config) ldap-server port
(config) line vty
To configure the virtual terminal line settings, use the line vty configuration mode command. When you enter this command, the prompt changes to (config-line) and you enter line configuration mode. Use the no form of this command to reset the line configuration mode parameter to its default setting.
line vty
no line vty
Syntax Description
There are no keywords or arguments for this command.
Command Modes
Configuration mode
Admin context only
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
For information about the commands in line configuration mode, see the "Line Configuration Mode Commands" section.
Examples
To enter the line configuration mode, enter:
host1/Admin(config)# line vty
host1/Admin(config-line)#
Related Commands
clear line
show line
(config) login timeout
To modify the length of time that a user can be idle before the ACE terminates the console, Telnet, or Secure Shell (SSH) session, use the login timeout command. By default, the inactivity timeout value is 5 minutes. Use the no form of this command to restore the default timeout value of 5 minutes.
login timeout minutes
no login timeout
Syntax Description
minutes | Length of time in minutes. Enter a value from 0 to 60 minutes. A value of 0 instructs the ACE never to time out. The default is 5 minutes.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To specify a timeout period of 10 minutes, enter:
host1/Admin(config)# login timeout 10
To restore the default timeout value of 5 minutes, enter:
host1/Admin(config)# no login timeout
Related Commands
telnet
(config-cmap-mgmt) match protocol
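The ldap-server host, ldap-server port and ldap-server timeout sections above describe a three-level precedence (per-host value, then the global value, then the defaults of TCP port 389 and 5 seconds), and the login timeout section notes that a value of 0 means an idle session never ends. The following Python script is an added example, not code from the Cisco guide, covering both: it parses a constructed configuration fragment, reports the port and timeout each LDAP server is actually using, and flags two settings a reviewer would question: login timeout 0 and a rootDN bind password kept in the configuration (the EXAMPLE_BIND_PW value is a placeholder).

```python
"""Effective LDAP server settings and idle-timeout check for one context.

Added example, not from the Cisco guide; it serves the ldap-server host,
ldap-server port, ldap-server timeout and login timeout commands above. A port
or timeout given on an ldap-server host line overrides the global ldap-server
port and ldap-server timeout values, which in turn override the defaults of
TCP port 389 and 5 seconds. The audit flags login timeout 0 (idle sessions
never end) and a rootDN bind password that is stored in the configuration.
The sample configuration is constructed; EXAMPLE_BIND_PW is a placeholder.
"""
import re

DEFAULT_LDAP_PORT = 389
DEFAULT_LDAP_TIMEOUT = 5       # seconds
DEFAULT_LOGIN_TIMEOUT = 5      # minutes

# ldap-server host ip [port n] [timeout s] [rootDN "dn" [password pw]]
HOST_RE = re.compile(
    r"ldap-server host (\S+)"
    r"(?: port (\d+))?"
    r"(?: timeout (\d+))?"
    r'(?: rootDN "([^"]*)"(?: password (\S+))?)?'
)


def parse_aaa(text):
    """Collect global LDAP settings, per-host options and the login timeout."""
    state = {"port": None, "timeout": None,
             "login_timeout": DEFAULT_LOGIN_TIMEOUT, "hosts": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ldap-server port (\d+)", line):
            state["port"] = int(m.group(1))
        elif m := re.fullmatch(r"ldap-server timeout (\d+)", line):
            state["timeout"] = int(m.group(1))
        elif m := re.fullmatch(r"login timeout (\d+)", line):
            state["login_timeout"] = int(m.group(1))
        elif m := HOST_RE.fullmatch(line):
            # several ldap-server host lines for one address accumulate options
            host = state["hosts"].setdefault(m.group(1), {})
            if m.group(2):
                host["port"] = int(m.group(2))
            if m.group(3):
                host["timeout"] = int(m.group(3))
            if m.group(4) is not None:
                host["rootDN"] = m.group(4)
            if m.group(5):
                host["password"] = m.group(5)
    return state


def effective_ldap(state):
    """Per-server port and timeout: host value > global value > default."""
    g_port = DEFAULT_LDAP_PORT if state["port"] is None else state["port"]
    g_timeout = DEFAULT_LDAP_TIMEOUT if state["timeout"] is None else state["timeout"]
    return {ip: {"port": opts.get("port", g_port), "timeout": opts.get("timeout", g_timeout)}
            for ip, opts in state["hosts"].items()}


def audit(text):
    """Findings a reviewer would raise about these management-plane settings."""
    state = parse_aaa(text)
    findings = []
    if state["login_timeout"] == 0:
        findings.append("login timeout 0: idle console, Telnet and SSH sessions never time out")
    for ip, opts in state["hosts"].items():
        if "password" in opts:
            findings.append(f"ldap-server host {ip}: rootDN bind password is stored in the configuration")
    return findings


# Constructed sample: global overrides, one fully specified server, one bare server.
SAMPLE = """\
login timeout 0
ldap-server port 1389
ldap-server timeout 10
ldap-server host 192.168.2.3 port 2003
ldap-server host 192.168.2.3 timeout 60
ldap-server host 192.168.2.3 rootDN "cn=manager,dc=example,dc=com" password EXAMPLE_BIND_PW
ldap-server host 192.168.2.4
"""

if __name__ == "__main__":
    print(effective_ldap(parse_aaa(SAMPLE)))
    for finding in audit(SAMPLE):
        print(finding)
```

In the sample, 192.168.2.3 uses its own port 2003 and 60-second timeout, while 192.168.2.4 picks up the global 1389 and 10 seconds; with neither global command present a bare host line resolves to 389 and 5 seconds.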
(config) logging buffered
To enable system logging to a local buffer and to limit the messages sent to the buffer based on severity, use the logging buffered command. By default, logging to the local buffer on the ACE is disabled. New messages are appended to the end of the buffer. The first message displayed is the oldest message in the buffer. When the log buffer fills, the ACE deletes the oldest message to make space for new messages. Use the no form of this command to disable message logging.
logging buffered severity_level
no logging buffered
Syntax Description
severity_level | Maximum level for system log messages sent to the buffer. The severity level that you specify indicates that you want syslog messages at that level and below.
Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To set the logging buffer level to 3 for logging error messages, enter:
host1/Admin(config)# logging buffered 3
To disable message logging, enter:
host1/Admin(config)# no logging buffered
Related Commands
(config) logging enable
(config) logging console
To enable the logging of syslog messages during console sessions and to limit the display of messages based on severity, use the logging console command. By default, the ACE does not display syslog messages during console sessions. Use the no form of this command to disable logging to the console.
logging console severity_level
no logging console
Syntax Description
severity_level | Maximum level for system log messages sent to the console. The severity level that you specify indicates that you want to log messages at that level and below.
Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Logging to the console can degrade system performance. Use the logging console command only when you are testing and debugging problems, or when there is minimal load on the network. We recommend that you use the lowest severity level possible because logging at a high rate may affect ACE performance. Do not use this command when the network is busy.
Examples
To enable system logging to the console for messages with severity levels of 2, 1, and 0, enter:
host1/Admin(config)# logging console 2
Related Commands
(config) logging enable
(config) logging device-id
To specify that the device ID of the ACE is included in the syslog message, use the logging device-id command. If enabled, the ACE displays the device ID in all non-EMBLEM-formatted syslog messages. The device ID specification does not affect the syslog message text that is in the EMBLEM format. Use the no form of the command to disable device ID logging for the ACE in the syslog message.
logging device-id {context-name | hostname | ipaddress interface_name | string text}
no logging device-id
Syntax Description
context-name | Specifies the name of the current context as the device ID to uniquely identify the syslog messages sent from the ACE.
hostname | Specifies the hostname of the ACE as the device ID to uniquely identify the syslog messages sent from the ACE.
ipaddress interface_name | Specifies the IP address of the interface as the device ID to uniquely identify the syslog messages sent from the ACE. You can specify the IP address of a VLAN interface or BVI as the device ID. If you use the ipaddress keyword, syslog messages sent to an external server contain the IP address of the interface specified, regardless of which interface the ACE uses to send the log data to the external server. The maximum length is 64 alphanumeric characters.
string text | Specifies a text string to uniquely identify the syslog messages sent from the ACE. The maximum length is 64 alphanumeric characters without spaces. You cannot use the following characters: & (ampersand), ` (single quotation mark), " (double quotation marks), < (less than), > (greater than), or ? (question mark).
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The device ID part of the syslog message is viewed through the syslog server only and not directly on the ACE. The device ID does not appear in EMBLEM-formatted messages, Simple Network Management Protocol (SNMP) traps, or on the ACE console, management session, or buffer.
Examples
To instruct the ACE to use the hostname of the ACE to uniquely identify the syslog messages, enter:
host1/Admin(config)# logging device-id hostname
To disable the use of the hostname of the ACE, enter:
host1/Admin(config)# no logging device-id
Related Commands
(config) logging enable
(config) logging enable
To enable message logging, use the logging enable command. Message logging is disabled by default. You must enable logging if you want to send messages to one or more output locations. Use the no form of this command to stop message logging to all output locations.
logging enable
no logging enable
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Message logging is disabled by default. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. You must set a logging output location to view any logs.
Examples
To enable message logging to all output locations, enter:
host1/Admin(config)# logging enable
To stop message logging to all output locations, enter:
host1/Admin(config)# no logging enable
Related Commands
This command has no related commands.
(config) logging facility
To change the logging facility to a value other than the default of 20 (LOCAL4), use the logging facility command. Most UNIX systems expect the messages to use facility 20. The ACE allows you to change the syslog facility type to identify the behavior of the syslog daemon (syslogd) on the host. Use the no form of this command to set the syslog facility to its default of 20.
logging facility number
no logging facility number
Syntax Description
number | The syslog facility. Enter an integer from 16 (LOCAL0) to 23 (LOCAL7). The default is 20 (LOCAL4).
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The syslog daemon uses the specified syslog facility to determine how to process messages. Each logging facility configures how the syslog daemon on the host handles a message. Syslog servers file messages based on the facility number in the message. For more information on the syslog daemon and facility levels, see your syslog daemon documentation.
Examples
To set the syslog facility as 16 (LOCAL0) in syslog messages, enter:
host1/Admin(config)# logging facility 16
To change the syslog facility back to the default of LOCAL4, enter:
host1/Admin(config)# no logging facility 16
Related Commands
(config) logging enable
(config) logging fastpath
To enable the logging of connection setup and teardown messages, use the logging fastpath command. By default, the ACE does not log connection setup and teardown syslog messages. Use the no form of this command to disable the logging of connection setup and teardown syslog messages.
logging fastpath
no logging fastpath
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To configure the ACE to log connection setup and teardown syslog messages, enter:
host1/Admin(config)# logging fastpath
To disable the ACE from logging connection setup and teardown syslog messages, enter:
host1/Admin(config)# no logging fastpath
Related Commands
(config) logging enable
(config) logging history
To set the Simple Network Management Protocol (SNMP) message severity level when sending log messages to a network management system (NMS), use the logging history command. Use the no form of this command to disable logging of informational system messages to an NMS.
logging history severity_level
no logging history
Syntax Description
severity_level | Maximum level for system log messages sent as traps to the NMS. The severity level that you specify indicates that you want to log messages at that level and below.
Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
To enable or disable all SNMP syslog message logging, use the logging history command without the severity_level argument.
We recommend that you use the debugging (7) level during initial setup and during testing. After setup, set the level from debugging (7) to a lower value for use in your network.
Examples
To send informational system message logs to an SNMP NMS, enter:
host1/Admin(config)# logging history 6
To disable logging to an SNMP NMS, enter:
host1/Admin(config)# no logging history
Related Commands
(config) logging enable
(config) logging host
To specify a host (the syslog server) that receives the syslog messages sent by the ACE, use the logging host command. You can use multiple logging host commands to specify additional servers to receive the syslog messages. Use the no form of this command to disable logging to a syslog server. By default, logging to a syslog server on a host is disabled on the ACE.
logging host ip_address [tcp | udp [/port#] | [default-udp] | [format emblem]]
no logging host ip_address
Syntax Description
ip_address | IP address of the host to be used as the syslog server.
tcp | (Optional) Specifies to use TCP to send messages to the syslog server. A server can only be specified to receive either UDP or TCP, not both.
udp | (Optional) Specifies to use UDP to send messages to the syslog server. A server can only be specified to receive either UDP or TCP, not both.
/port# | (Optional) Port that the syslog server listens to for syslog messages. Enter an integer from 1025 to 65535. The default protocol and port are UDP/514. The default TCP port, if specified, is 1470.
default-udp | (Optional) Instructs the ACE to default to UDP if the TCP transport fails to communicate with the syslog server.
format emblem | (Optional) Enables EMBLEM-format logging for each syslog server. The Cisco Resource Management Environment (RME) is a network management application that collects syslogs. RME can process syslog messages only if they are in EMBLEM format.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
If you choose to send log messages to a host, the ACE sends those messages using either UDP or TCP. The host must run a program (known as a server) called syslogd, a daemon that accepts messages from other applications and the network and writes them out to system-wide log files. UNIX provides the syslog server as part of its operating system. If you are running Microsoft Windows, you must obtain a syslog server for the Windows operating system.
If you use TCP as the logging transport protocol, the ACE denies new network access sessions if the ACE is unable to reach the syslog server, if the syslog server is misconfigured, if the TCP queue is full, or if the disk is full.
The format emblem keyword allows you to enable EMBLEM-format logging for each syslog server. EMBLEM-format logging is available for either TCP or UDP syslog messages. If you enable EMBLEM-format logging for a particular syslog host, then the messages sent to that host use that format. If you also enable the logging timestamp command, the messages are sent to the syslog server with a time stamp.
For example, the EMBLEM format for a message with a time stamp appears as follows:
ipaddress or dns name [Dummy Value/Counter]: [mmm dd hh:mm:ss TimeZone]:
%FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: [vtl-ctx: context id] Message-text
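The EMBLEM layout above, worked through as an added example (Python, not code from the Cisco reference): a parser for ACE EMBLEM-format messages as a syslog collector receives them. It also decodes the standard syslog PRI prefix, which carries the facility set with logging facility, and applies the "at that level and below" rule that logging trap and the other severity options use. The PRI prefix, the sample lines and the message ID 700001 are assumptions; only the IDs 411001 and 615004 come from the reference.

```python
"""Parse Cisco ACE syslog messages in EMBLEM format the way a collector sees them.

Added example, not code from the Cisco ACE reference. It assumes the EMBLEM layout
quoted in the reference:
    ipaddress-or-dnsname [Dummy Value/Counter]: [mmm dd hh:mm:ss TimeZone]:
    %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: [vtl-ctx: context id] Message-text
plus the standard syslog <PRI> prefix (PRI = facility * 8 + severity, RFC 3164) that
is present on the wire but not in the ACE buffer or console. Sample lines are
constructed; only the message IDs 411001 and 615004 come from the reference.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}

_PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
_EMBLEM_RE = re.compile(
    r"^(?P<device>\S+) \[(?P<counter>[^\]]*)\]: "        # device id [counter]:
    r"(?:\[(?P<ts>[^\]]*)\]: )?"                          # [timestamp]: only with 'logging timestamp'
    r"%(?P<fac>[A-Z0-9]+)-(?:(?P<subfac>[A-Z0-9]+)-)?"    # %FACILITY-[SUBFACILITY-]
    r"(?P<sev>[0-7])-(?P<syslog_id>\w+): "                # SEVERITY-MNEMONIC:
    r"(?:\[vtl-ctx: (?P<ctx>[^\]]+)\] )?"                 # [vtl-ctx: id] (virtual context)
    r"(?P<text>.*)$"
)


@dataclass
class AceSyslog:
    device_id: str
    timestamp: Optional[str]
    facility_code: Optional[int]   # from <PRI>; 16..23 as set by 'logging facility'
    severity: int                  # from the %FACILITY-SEVERITY-ID token
    syslog_id: str                 # the ID that 'logging message' / 'logging rate-limit message' take
    context: Optional[str]
    text: str


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a syslog PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def facility_name(code: int) -> str:
    """Map the numeric facility (16..23) to the LOCAL0..LOCAL7 name used by the ACE CLI."""
    if not 16 <= code <= 23:
        raise ValueError(f"ACE facilities are 16 (LOCAL0) to 23 (LOCAL7), got {code}")
    return f"LOCAL{code - 16}"


def parse_emblem(line: str) -> AceSyslog:
    """Parse one EMBLEM-format line; raise ValueError if it does not match the layout."""
    facility_code = None
    pri_match = _PRI_RE.match(line)
    if pri_match:
        facility_code, _pri_severity = decode_pri(int(pri_match.group("pri")))
        line = line[pri_match.end():]
    m = _EMBLEM_RE.match(line)
    if not m:
        raise ValueError(f"not an EMBLEM-format ACE message: {line!r}")
    return AceSyslog(
        device_id=m.group("device"),
        timestamp=m.group("ts"),
        facility_code=facility_code,
        severity=int(m.group("sev")),
        syslog_id=m.group("syslog_id"),
        context=m.group("ctx"),
        text=m.group("text"),
    )


def passes_level(severity: int, threshold: int) -> bool:
    """'At that level and below' in the reference means numerically <= the configured level."""
    return severity <= threshold


def select_forwarded(lines: List[str], trap_level: int) -> List[AceSyslog]:
    """Return the messages a 'logging trap trap_level' setting would send to the syslog host."""
    return [msg for msg in map(parse_emblem, lines) if passes_level(msg.severity, trap_level)]


# Constructed sample input: facility 20 (LOCAL4, the default), so PRI = 160 + severity.
SAMPLE_LINES = [
    "<164>ace1 [0]: [Jan 12 15:30:01 UTC]: %ACE-4-411001: [vtl-ctx: 1] constructed warning text",
    "<166>ace1 [1]: [Jan 12 15:30:02 UTC]: %ACE-6-615004: [vtl-ctx: 1] VLAN 100 available for configuring an interface",
    # No PRI and no timestamp: what the local buffer shows with 'logging timestamp' off.
    "ace1 [2]: %ACE-7-700001: constructed debug text (700001 is a made-up ID)",
]

if __name__ == "__main__":
    for msg in select_forwarded(SAMPLE_LINES, 6):
        print(msg.syslog_id, SEVERITY_NAMES[msg.severity], facility_name(msg.facility_code), msg.text)
```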
Examples
To send log messages to a syslog server, enter:
host1/Admin(config)# logging host 192.168.10.1 tcp/1025 format emblem default-udp
To disable logging to a syslog server, enter:
host1/Admin(config)# no logging host 192.168.10.1
Related Commands
(config) logging enable
(config) logging timestamp
(config) logging message
To control the display of a specific system logging message or to change the severity level associated with the specified system logging message, use the logging message command. Use the no form of this command to disable logging of the specified syslog message.
logging message syslog_id [level severity_level]
no logging message syslog_id
Syntax Description
syslog_id | Specific message that you want to disable or to enable.
level severity_level | (Optional) Changes the severity level associated with a specific system log message. For example, the %<ACE>-4-411001 message listed in the syslog has the default assigned severity level of 4 (warning message). You can change the assigned default severity level to a different level.
Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
You can use the show logging command to determine the level currently assigned to a message and whether the message is enabled.
For information on syslog messages and their IDs, see the Cisco 4700 Series Application Control Engine Appliance Command Reference.
Examples
To disable the %<ACE>-6-615004 syslog message (VLAN available for configuring an interface), enter:
host1/Admin(config)# no logging message 615004
To resume logging of the disabled syslog message, enter:
host1/Admin(config)# logging message 615004 level 6
To change the severity level of the 615004 syslog message from the default of 6 (informational) to a severity level of 5 (notification), enter:
host1/Admin(config)# logging message 615004 level 5
To return the severity level of the 615004 syslog message to the default of 6, enter:
host1/Admin(config)# no logging message 615004
Related Commands
(config) logging enable
(config) logging monitor
To display syslog messages as they occur when accessing the ACE through a Secure Shell (SSH) or a Telnet session, use the logging monitor command. You can limit the display of messages based on severity. By default, logging to a remote connection using SSH or Telnet is disabled on the ACE. Use the no form of this command to disable system message logging to the current Telnet or SSH session.
logging monitor severity_level
no logging monitor
Syntax Description
severity_level | Maximum level for system log messages displayed during the current SSH or Telnet session. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Note
Before you can use this command, you must enable remote access on the ACE and establish a remote connection using the SSH or Telnet protocols from a PC.
To display logs during the SSH or Telnet session, also use the terminal monitor Exec mode command. The logging monitor command sets the logging preferences for all SSH and Telnet sessions in the current context, while the terminal monitor command controls whether syslog messages appear on the terminal during each individual session.
Examples
To send informational system message logs to the current Telnet or SSH session, enter:
host1/Admin# terminal monitor
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# logging monitor 6
To disable system message logging to the current Telnet or SSH session, enter:
host1/Admin(config)# no logging monitor
Related Commands
(config) logging enable
(config) logging persistent
To send specific log messages to compact flash on the ACE, use the logging persistent command. By default, logging to compact flash is disabled on the ACE. The ACE allows you to specify the system message logs that you want to keep after a system reboot by saving them to compact flash. Use the no form of this command to disable logging to compact flash.
logging persistent severity_level
no logging persistent
Syntax Description
severity_level | Maximum level for system log messages sent to compact flash. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
We recommend that you use a lower severity level, such as severity level 3, because logging at a high rate to flash memory on the ACE might affect performance.
Examples
To send informational system message logs to flash memory on the ACE, enter:
host1/Admin(config)# logging persistent 6
To disable logging to flash memory on the ACE, enter:
host1/Admin(config)# no logging persistent
Related Commands
(config) logging enable
(config) logging queue
To change the number of syslog messages that can appear in the message queue, use the logging queue command. By default, the ACE can hold 100 syslog messages in the message queue while awaiting processing. Use the no form of this command to reset the logging queue size to the default of 100 messages.
logging queue queue_size
no logging queue queue_size
Syntax Description
queue_size | Queue size for storing syslog messages. Enter an integer from 1 to 8192. The default is 100 messages.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Set the queue size before the ACE processes syslog messages. When traffic is heavy, messages might get discarded.
Examples
To set the size of the syslog message queue to 1000, enter:
host1/Admin(config)# logging queue 1000
To reset the logging queue size to the default of 100 messages, enter:
host1/Admin(config)# no logging queue 0
Related Commands
(config) logging enable
(config) logging rate-limit
To limit the rate at which the ACE generates messages in the syslog, use the logging rate-limit command. You can limit the number of syslog messages generated by the ACE for specific messages. Use the no form of this command to disable rate limiting for message logging in the syslog.
logging rate-limit {num {interval | level severity_level | message syslog_id} | unlimited {level severity_level | message syslog_id}}
no logging rate-limit {num {interval | level severity_level | message syslog_id} | unlimited {level severity_level | message syslog_id}}
Syntax Description
num | Number at which the syslog is to be rate limited.
interval | Time interval in seconds over which the system message logs should be limited. The default time interval is 1 second.
level severity_level | Specifies the syslog level that you want to rate limit. Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
message syslog_id | Identifies the ID of the specific message you want to suppress reporting.
unlimited | Disables rate limiting for messages in the syslog.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The severity level you enter indicates that you want all syslog messages at the specified level to be rate-limited. For example, if you specify a severity level of 7, the ACE applies a rate limit only to level 7 (debugging messages). If you want to apply a logging rate limit on a different severity level, you must configure the logging rate-limit level command for that level as well.
For information on syslog messages and their IDs, see the Cisco 4700 Series Application Control Engine Appliance Command Reference.
Examples
To limit the syslog rate for a 60-second time interval, enter:
host1/Admin(config)# logging rate-limit 42 60
To disable rate limiting, enter:
host1/Admin(config)# no logging rate-limit 42 60
Related Commands
(config) logging enable
(config) logging reject-newconn
To define whether the ACE prohibits new connections from passing through the device when a specified condition has been met, use the logging reject-newconn command. Use the no form of this command to prevent the ACE from rejecting new connections.
logging reject-newconn {cp-buffer-full | rate-limit-reached | tcp-queue-full}
no logging reject-newconn {cp-buffer-full | rate-limit-reached | tcp-queue-full}
Syntax Description
cp-buffer-full | Specifies that the ACE will reject new connections when the syslog daemon internal buffer is full.
rate-limit-reached | Specifies that the ACE will reject new connections if the syslog message rate specified through the logging rate-limit command has been reached. See the (config) logging rate-limit command. Disabled by default.
tcp-queue-full | Specifies that the ACE will reject new connections when syslogs can no longer reach the TCP syslog server. Enabled by default.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To configure the ACE to reject new connections if the specified syslog message rate has been reached, enter:
host1/Admin(config)# logging reject-newconn rate-limit-reached
To disable the ACE from rejecting new connections, enter:
host1/Admin(config)# no logging reject-newconn rate-limit-reached
Related Commands
(config) logging enable
(config) logging rate-limit
(config) logging standby
To enable logging on the failover standby ACE, use the logging standby command. When enabled, the standby ACE syslog messages remain synchronized should a failover occur. When enabled, this command causes twice the message traffic on the syslog server. Use the no form of this command to disable logging on the standby ACE.
logging standby
no logging standby
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
This command is disabled by default.
Examples
To enable logging on the failover standby ACE:
host1/Admin(config)# logging standby
To disable logging on the standby ACE, enter:
host1/Admin(config)# no logging standby
Related Commands
(config) logging enable
(config) logging timestamp
To specify that syslog messages should include the date and time that the message was generated, use the logging timestamp command. By default, the ACE does not include the date and time in syslog messages. Use the no form of this command to specify that the ACE not include the date and time when logging syslog messages.
logging timestamp
no logging timestamp
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
This command is disabled by default.
Examples
To enable the time stamp on system logging messages, enter:
host1/Admin(config)# logging timestamp
To disable the time stamp from syslog messages, enter:
host1/Admin(config)# no logging timestamp
Related Commands
(config) logging enable
(config) logging trap
To identify which messages are sent to a syslog server, use the logging trap command. This command limits the logging messages sent to a syslog server based on severity. Use the no form of the command to return the trap level to the default (informational messages).
logging trap severity_level
no logging trap
Syntax Description
severity_level | Maximum level for system log messages. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:
• 0—emergencies (system unusable messages)
• 1—alerts (take immediate action)
• 2—critical (critical condition)
• 3—errors (error message)
• 4—warnings (warning message)
• 5—notifications (normal but significant condition)
• 6—informational (information message)
• 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
To send logging messages to a syslog server, use the logging host command to specify the name or IP address of the host to be used as the syslog server.
Examples
To send informational system message logs to the syslog server, enter:
host1/Admin(config)# logging trap 6
To disable sending message logs to the syslog server, enter:
host1/Admin(config)# no logging trap 6
Related Commands
(config) logging enable
(config) logging host
(config) ntp
To configure the ACE system clock to synchronize a peer (or to be synchronized by a peer) or to be synchronized by a time server, use the ntp command. Use the no form of the command to remove an NTP peer or server from the configuration.
ntp {peer ip_address1 [prefer] | server ip_address2 [prefer]}
no ntp {peer ip_address1 [prefer] | server ip_address2 [prefer]}
Syntax Description
peer: Configures the ACE system clock to synchronize a peer or to be synchronized by a peer. You can specify multiple associations.
ip_address1: IP address of the peer providing or being provided by the clock synchronization.
prefer: (Optional) Makes this peer the preferred peer that provides synchronization. Using the prefer keyword reduces switching back and forth between peers.
server: Configures the ACE system clock to be synchronized by a time server. You can specify multiple associations.
ip_address2: IP address of the time server that provides the clock synchronization.
prefer: (Optional) Makes this server the preferred server that provides synchronization. Use the prefer keyword to set this NTP server as the preferred server if multiple servers have similar accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers have similar accuracy, then the prefer keyword specifies which of those servers to use.
Command Modes
Configuration mode
Admin context only
Command History
A1(7): This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
An NTP association can be a peer association, which means that the ACE is willing to synchronize to the other system or to allow the other system to synchronize to the ACE. An NTP association can also be a server association, which means that only this system will synchronize to the other system, not the other way around. You can identify multiple servers; the ACE uses the most accurate server.
Examples
To specify multiple NTP server IP addresses and identify a preferred server, enter:
host1/Admin(config)# ntp server 192.168.10.10 prefer
host1/Admin(config)# ntp server 192.168.4.143
host1/Admin(config)# ntp server 192.168.5.10
To form a peer association with a preferred peer, enter:
host1/Admin(config)# ntp peer 192.168.10.0 prefer
To remove an NTP peer or server from the configuration, enter:
host1/Admin(config)# no ntp peer 192.168.10.0
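The following configuration is added here as an illustration and is not taken from the Cisco guide. It shows how the ntp command works together with the logging commands described earlier on this page: the Admin context synchronizes its clock to two time servers (one preferred) and only then exports timestamped syslog messages, so that the timestamps an analyst later correlates across devices are trustworthy. The addresses, the severity level and the port are placeholders; lines beginning with "!" are annotations, not commands. Note that syslog over UDP is neither authenticated nor encrypted, so the collector belongs on a management VLAN that untrusted traffic cannot reach.

```cisco
! Admin context: synchronize the system clock before relying on log timestamps (Admin context only)
ntp server 192.168.10.10 prefer
ntp server 192.168.10.11

! Enable logging and stamp every message with the synchronized clock and the device name
logging enable
logging timestamp
logging device-id hostname

! Forward severity 6 (informational) and below to the syslog collector on UDP port 514
logging host 192.168.10.20 udp/514
logging trap 6

! Keep a local buffer at the same level so that recent events survive a collector outage
logging buffered 6
```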
Related Commands
clear ntp statistics
show clock
(config) optimize
To configure the global optimization settings on the ACE, enter the optimize command. The CLI prompt changes to (config-optimize). To remove an optimize mode selection, use the no form of the command.
optimize
no optimize
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
A1(7): This command was introduced.
Usage Guidelines
The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
For information about commands in optimize configuration mode, see the "Optimize Configuration Mode Commands" section. For details about configuring the commands in the optimize configuration mode, see the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide.
Examples
To access the optimize configuration mode, enter:
host1/Admin(config)# optimize
host1/Admin(config-optimize)#
Related Commands
show optimization-global
(config) parameter-map type
To create a connection-, HTTP-, optimization HTTP-, or SSL-type parameter map, use the parameter-map type command. Use the no form of this command to remove a parameter map from the ACE.
parameter-map type {connection | http | optimization http | ssl} name
no parameter-map type {connection | http | optimization http | ssl} name
Syntax Description
connection: Specifies a connection-type parameter map. After you create the connection-type parameter map, you configure TCP, IP, and other settings for the map in the parameter map connection configuration mode. For information about the commands in parameter map connection configuration mode, see the "Parameter Map Connection Configuration Mode Commands" section.
http: Specifies an HTTP-type parameter map. After you create the HTTP-type parameter map, you configure HTTP settings for the map in the parameter map HTTP configuration mode. For information about the commands in parameter map HTTP configuration mode, see the "Parameter Map HTTP Configuration Mode Commands" section.
optimization http: Specifies an optimization HTTP-type parameter map and defines its application acceleration and optimization settings. After you create the optimization HTTP-type parameter map, you configure settings for the map in the parameter map optimization HTTP configuration mode. For information about the commands in parameter map optimization HTTP configuration mode, see the "Parameter Map Optimization Configuration Mode Commands" section.
ssl: Specifies an SSL-type parameter map. After you create the SSL-type parameter map, you configure SSL settings for the map in the parameter map SSL configuration mode. For information about the commands in parameter map SSL configuration mode, see the "Parameter Map SSL Configuration Mode Commands" section.
name: Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
A1(7): This command was introduced.
Usage Guidelines
The connection and http commands require the connection feature in your user role. The optimization http commands in this mode require the loadbalance feature in your user role. The ssl commands in this mode require the connection or SSL feature. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The parameter-map type command allows you to configure a series of Layer 3 and Layer 4 statements that instruct the ACE how to handle TCP termination, normalization and reuse, SSL termination, and advanced HTTP behavior for server load-balancing connections. After you enter this command, the system enters the corresponding parameter map configuration mode.
To access one of the four parameter-map configuration modes (connection, http, optimization http, or ssl), enter the parameter-map type connection, parameter-map type http, parameter-map type optimization http, or parameter-map type ssl command in configuration mode. The CLI prompt changes to the corresponding mode: (config-parammap-conn), (config-parammap-http), (config-parammap-optmz), or (config-parammap-ssl).
After you configure the parameter map, you associate it with a specific action statement in a policy map.
Examples
To create a connection-type parameter map called TCP_MAP, enter:
host1/Admin(config)# parameter-map type connection TCP_MAP
host1/Admin(config-parammap-conn)#
To create an HTTP-type parameter map called HTTP_MAP, enter:
host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)#
To create an optimization HTTP parameter map called OPTIMIZE_MAP, enter:
host1/Admin(config)# parameter-map type optimization http OPTIMIZE_MAP
host1/Admin(config-parammap-optmz)#
To create an SSL-type parameter map called SSL_MAP, enter:
host1/Admin(config)# parameter-map type ssl SSL_MAP
host1/Admin(config-parammap-ssl)#
Related Commands
show running-config
(config) policy-map
(config) policy-map
Use the policy-map command to create a Layer 3 and Layer 4 or Layer 7 policy map. You access one of the policy map configuration modes by entering the policy-map command. Use the no form of the policy-map command to remove a policy map from the ACE.
policy-map {multi-match | type {inspect ftp first-match | inspect http all-match | loadbalance first-match | management first-match | optimization http first-match}} map_name
no policy-map {multi-match | type {inspect ftp first-match | inspect http all-match | loadbalance first-match | management first-match | optimization http first-match}} map_name
Syntax Description
multi-match: Configures a Layer 3 and Layer 4 policy map that defines the different actions applied to traffic passing through the ACE. The ACE attempts to match multiple classes within the Layer 3 and Layer 4 policy map to allow a multifeature Layer 3 and Layer 4 policy map. The ACE executes the action for only one matching class within each of the class sets. The definition of which classes are in the same class set depends on the actions applied to the classes; the ACE associates each policy map action with a specific set of classes. For information about the commands in policy map configuration mode, see the "Policy Map Configuration Mode Commands" section.
type: Specifies the type of policy map to be defined. When you specify a policy map type, you enter its corresponding policy map configuration mode (for example, load balancing).
inspect ftp first-match: Specifies a Layer 7 policy map that defines the inspection of File Transfer Protocol (FTP) commands by the ACE. The ACE executes the action for the first matching classification. For a list of classes in a policy map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map FTP inspection configuration mode, see the "Policy Map FTP Inspection Configuration Mode Commands" section.
inspect http all-match: Specifies a Layer 7 policy map that defines the deep packet inspection of the HTTP protocol by the ACE. The ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request. For information about the commands in policy map inspection HTTP configuration mode, see the "Policy Map Inspection HTTP Configuration Mode Commands" section.
loadbalance first-match: Specifies a Layer 7 policy map that defines Layer 7 HTTP server load-balancing decisions. The ACE executes the action for the first matching classification. For a list of classes in a policy map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map load balance configuration mode, see the "Policy Map Load Balancing Configuration Mode Commands" section.
management first-match: Specifies a Layer 3 and Layer 4 policy map that defines the IP management protocols that can be received by the ACE. The ACE executes the specified action only for traffic that meets the first matching classification within a policy map. For information about the commands in policy map management configuration mode, see the "Policy Map Management Configuration Mode Commands" section.
optimization http first-match: Specifies a Layer 7 policy map that defines Layer 7 HTTP optimization operations. The Layer 7 optimization HTTP policy map associates an HTTP optimization action list and parameter map to configure the specified optimization actions. The ACE executes the action for the first matching classification. For a list of classes in a policy map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map optimization configuration mode, see the "Policy Map Optimization Configuration Mode Commands" section.
map_name: Name assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
A1(7): This command was introduced.
Usage Guidelines
This command requires the inspect, loadbalance, NAT, connection, or SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Use the policy map configuration mode commands to configure a series of Layer 3 and Layer 4 or Layer 7 policies. Each policy map defines a series of actions (functions) that you apply to a set of classified inbound traffic. The CLI prompt changes correspondingly to the selected policy map configuration mode: config-pmap, config-pmap-c, config-pmap-insp-http, config-pmap-insp-http-c, config-pmap-insp-http-m, config-pmap-lb, config-pmap-lb-c, config-pmap-lb-m, config-pmap-mgmt, config-pmap-mgmt-c, config-pmap-optmz, or config-pmap-optmz-c.
For a Layer 3 and Layer 4 traffic classification, you create Layer 3 and Layer 4 policy maps with actions that configure the following:
• Network management traffic received by the ACE (HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet)
• Server load balancing based on Layer 3 and Layer 4 connection information (virtual IP address)
• Secure Sockets Layer (SSL) security services between a web browser (the client) and the HTTP connection (the server)
• Static or dynamic Network Address Translation (NAT)
• Application protocol inspection (also known as protocol fixup)
• TCP termination, normalization, and reuse
• IP normalization and fragment reassembly
For a Layer 7 traffic classification, you create policy maps with actions that configure the following:
• Server load balancing based on the Layer 7 HTTP-related information (such as HTTP headers, cookies, and URLs), or the client IP address
• Application acceleration and optimization functions
• Deep packet inspection of the HTTP protocol
• FTP command inspection
The ACE supports a system-wide maximum of 4096 policy maps.
For details about creating a policy map, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
Examples
To create a Layer 3 and Layer 4 server load-balancing policy map named L4_SLB_POLICY, enter:
host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)#
To create a Layer 3 and Layer 4 management protocol policy map named L4_MGMT-ACCESS_POLICY, enter:
host1/Admin(config)# policy-map type management first-match L4_MGMT-ACCESS_POLICY
host1/Admin(config-pmap-mgmt)#
To create a Layer 7 optimization HTTP policy map named L7OPTIMIZATION_POLICY, enter:
host1/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)#
To create a Layer 7 HTTP server load balancing policy map named L7_SLB_POLICY, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7_SLB_POLICY
host1/Admin(config-pmap-lb)#
To create a Layer 7 HTTP deep packet inspection policy map named L7_HTTP_INSPECT_POLICY, enter:
host1/Admin(config)# policy-map type inspect http all-match L7_HTTP_INSPECT_POLICY
host1/Admin(config-pmap-insp-http)#
To create a Layer 7 FTP command inspection policy map named L7_FTP_INSPECT_POLICY, enter:
host1/Admin(config)# policy-map type inspect ftp first-match L7_FTP_INSPECT_POLICY
host1/Admin(config-pmap-ftp-ins)#
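The examples above each create one policy map and stop at its prompt. The configuration below is added here as an illustration and is not taken from the Cisco guide; it shows how the parameter-map type and policy-map commands compose inside one context, in running-config form: a management policy map that limits which protocols, from which source networks, may reach the ACE itself; a Layer 7 load-balancing policy map; and a Layer 3 and Layer 4 multi-match policy map that classifies traffic to a VIP, hands it to the Layer 7 policy map, and attaches a connection parameter map and an HTTP parameter map to it. Every name, address and limit is a placeholder, and lines beginning with "!" are annotations. Two points matter for security: nothing in a policy map takes effect until service-policy applies it to an interface, and the ACE forwards no through traffic on an interface without an access-group, so the ACL deliberately permits only TCP port 80 to the VIP.

```cisco
! Management plane: SSH and SNMP only from the admin subnet, ICMP from anywhere
class-map type management match-any MGMT_ALLOWED
  match protocol ssh source-address 192.168.100.0 255.255.255.0
  match protocol snmp source-address 192.168.100.10 255.255.255.255
  match protocol icmp any
policy-map type management first-match MGMT_POLICY
  class MGMT_ALLOWED
    permit

! Back-end servers and the farm the Layer 7 policy sends traffic to
rserver host WEB1
  ip address 10.1.1.11
  inservice
rserver host WEB2
  ip address 10.1.1.12
  inservice
serverfarm host WEB_FARM
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

! Parameter maps: bound half-open and idle connections, cap the connection rate,
! and drop requests whose headers exceed the parse limit instead of passing them through
parameter-map type connection TCP_MAP
  set tcp timeout embryonic 10
  set timeout inactivity 300
  rate-limit connection 2000
parameter-map type http HTTP_MAP
  set header-maxparse-length 4096
  length-exceed drop
  persistence-rebalance

! Layer 7 policy: first-match, with the default class sending everything to the farm
policy-map type loadbalance first-match L7_SLB_POLICY
  class class-default
    serverfarm WEB_FARM

! Layer 3 and Layer 4 classification of the VIP and the multi-match policy that ties it together
class-map match-all VIP_HTTP
  match virtual-address 192.168.100.100 tcp eq 80
policy-map multi-match L4_SLB_POLICY
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy L7_SLB_POLICY
    loadbalance vip icmp-reply active
    connection advanced-options TCP_MAP
    appl-parameter http advanced-options HTTP_MAP

! Only HTTP to the VIP is allowed through; everything else is dropped by the implicit deny
access-list VIP_IN extended permit tcp any host 192.168.100.100 eq 80

! Apply both policies and the ACL on the client-facing interface; the server VLAN needs no VIP
interface vlan 100
  ip address 192.168.100.5 255.255.255.0
  access-group input VIP_IN
  service-policy input MGMT_POLICY
  service-policy input L4_SLB_POLICY
  no shutdown
interface vlan 200
  ip address 10.1.1.1 255.255.255.0
  no shutdown
```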
Related Commands
show startup-config
(config) class-map
(config) parameter-map type
(config) service-policy
(config) probe
To define a probe and access its configuration mode, use the probe command. The CLI prompt changes to (config-probe-probe_type), for example (config-probe-tcp). Use the no form of this command to delete the probe.
probe probe_type probe_name
no probe probe_type probe_name
Syntax Description
probe_type: Type of probe to define. Enter one of the following keywords:
• dns: Sends a request to a DNS server giving it a configured domain. To determine if the server is up, the ACE must receive the configured IP address for that domain.
• echo {tcp | udp}: Sends a string to the server and compares the response with the original string. If the response string matches the original string, the server is marked as passed. Otherwise, the ACE retries a configured number of times at a configured interval before the server is marked as failed.
• finger: Sends a Finger probe to a server to verify that a defined username is a username on the server. Use the Finger protocol to configure the username string.
• ftp: Initiates an FTP session. By default, this probe is for an anonymous login with the option of configuring a user ID and password. The ACE performs an FTP GET or LS to determine the outcome of the probe. This probe supports only active connections.
• http: Sets up a TCP connection and issues an HTTP request. The default request is an HTTP 1.1 GET request with the URL /. Any valid HTTP response causes the probe to mark the real server as passed. You can also configure an HTTP response value.
• https: Similar to the HTTP probe, but this probe uses SSL to generate encrypted data.
• icmp: Sends an ICMP request and listens for a response. If the server returns a response, the ACE marks the real server as passed. If there is no response before the probe times out, or an ICMP standard error such as DESTINATION_UNREACHABLE occurs, the ACE marks the real server as failed.
• imap: Identical to the POP/POP3 probe, but uses IMAP.
• pop: Initiates a POP session using a configured user ID and password. The probe then attempts to retrieve e-mail from the server and validates the result of the probe based on the return codes received from the server.
• radius: Connects to a RADIUS server and logs into it to determine if the server is up.
• scripted: Executes probes from a configured script to perform health probing. You can author specific scripts with features not present in standard health probes.
• smtp: Initiates an SMTP session by logging into the server.
• tcp: Initiates a TCP handshake and expects a response. By default, a successful response causes the probe to mark the server as passed, and then the probe sends a FIN to end the session. If the response is not valid or if there is no response, the probe marks the real server as failed.
• telnet: Establishes a connection to the real server and verifies that a greeting from the application was received.
• udp: Sends a UDP packet to a real server. The probe marks the server as failed only if an ICMP Port Unreachable message is returned. Optionally, you can configure this probe to send specific data and expect a specific response to mark the real server as passed.
probe_name: Identifier for the probe. The probe name associates the probe with the real server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
A1(7): This command was introduced.
Usage Guidelines
This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
For information about commands in probe configuration mode, see the "Probe Configuration Mode Commands" section.
Examples
To define a TCP probe named PROBE1 and access its mode, enter:
host1/Admin(config)# probe tcp PROBE1
host1/Admin(config-probe-tcp)#
To delete a TCP probe named PROBE1, enter:
host1/Admin(config)# no probe tcp PROBE1
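As the syntax description notes, an HTTP probe by default marks a real server as passed on any valid HTTP response, so a server answering every request with a 500 stays in rotation. The configuration below is added here as an illustration and is not from the Cisco guide: it tightens an HTTP probe to a dedicated health URL and an explicit status range, pairs it with a plain TCP probe, and attaches both to a server farm so that a real server must pass every probe before it receives traffic. Probe names, the URL, addresses and timer values are placeholders; lines beginning with "!" are annotations. The probe configuration mode commands used here are documented in the "Probe Configuration Mode Commands" section.

```cisco
! HTTP probe: GET a health URL every 10 s, require 200, fail after 3 misses,
! and require 2 consecutive passes at a 30 s interval before the server is reinstated
probe http WEB_HEALTH
  interval 10
  faildetect 3
  passdetect interval 30
  passdetect count 2
  request method get url /health
  expect status 200 200
  open 5
  receive 5

! TCP probe: independently confirms that the listener still completes the handshake
probe tcp WEB_TCP
  interval 15
  faildetect 2

! Real servers and the farm; both probes must pass for a server to stay in service
rserver host WEB1
  ip address 10.1.1.11
  inservice
rserver host WEB2
  ip address 10.1.1.12
  inservice
serverfarm host WEB_FARM
  probe WEB_HEALTH
  probe WEB_TCP
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice
```

Use show probe to confirm that each real server reports the expected pass and fail counts after the change; a server that fails WEB_HEALTH while passing WEB_TCP is up at the transport layer but not serving the application correctly.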
Related Commands
clear probe
show probe
(config) radius-server attribute nas-ipaddr
To specify a RADIUS NAS-IP-Address attribute, use the radius-server attribute nas-ipaddr command. Use the no form of this command to delete the RADIUS NAS-IP-Address and return to the default configuration.
radius-server attribute nas-ipaddr nas_ip_address
no radius-server attribute nas-ipaddr nas_ip_address
Syntax Description
nas_ip_address: IP address that is used as the RADIUS NAS-IP-Address, attribute 4. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
Command Modes
Configuration mode
Admin and user contexts
Command History
A1(7): This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
By default, the NAS-IP-Address is not configured. The ACE performs a route lookup on the Remote Authentication Dial-In User Service (RADIUS) server IP address and uses the result.
The RADIUS NAS-IP-Address attribute allows you to configure an arbitrary IP address to be used as RADIUS attribute 4, NAS-IP-Address for each context.
The radius-server attribute nas-ipaddr command allows the ACE to behave as a single RADIUS client from the perspective of the RADIUS server. The configured NAS-IP-Address will be encapsulated in all outgoing RADIUS authentication request and accounting packets.
Examples
To specify a RADIUS NAS-IP-Address, enter:
host1/Admin(config)# radius-server attribute nas-ipaddr 192.168.1.1
To delete the RADIUS NAS-IP-Address and return to the default configuration, enter:
host1/Admin(config)# no radius-server attribute nas-ipaddr 192.168.1.1
Related Commands
show aaa
(config) aaa group server
(config) radius-server host
(config) radius-server deadtime
To globally set the time interval in which the ACE verifies whether a nonresponsive server is operational, use the radius-server deadtime command. Use the no form of this command to reset the Remote Authentication Dial-In User Service (RADIUS) server dead-time request to the default of 0.
radius-server deadtime minutes
no radius-server deadtime minutes
Syntax Description
minutes: Length of time that the ACE skips a nonresponsive RADIUS server for transaction requests. Enter an integer from 0 to 1440 (24 hours). The default is 0.
Command Modes
Configuration mode
Admin and user contexts
Command History
A1(7): This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Use of this command causes the ACE to mark as "dead" any RADIUS server that fails to respond to authentication requests. This action avoids waiting for each request to time out before trying the next configured server. The ACE does not send further requests to a RADIUS server that is marked as dead for the configured number of minutes.
The dead-time interval starts when the server does not respond to the number of authentication request transmissions configured through the radius-server retransmit command. When the server responds to a probe access-request packet, the ACE transmits the authentication request to the server.
Examples
To globally configure a 15-minute dead-time for RADIUS servers that fail to respond to authentication requests, enter:
host1/Admin(config)# radius-server deadtime 15
To set the RADIUS server dead-time request to 0, enter:
host1/Admin(config)# no radius-server deadtime 15
Related Commands
show aaa
(config) aaa group server
(config) radius-server host
(config) radius-server host
To designate and configure a host for RADIUS server functions, use the radius-server host command. You can define multiple radius-server host commands to configure multiple Remote Authentication Dial-In User Service (RADIUS) servers. Use the no form of this command to remove the RADIUS server from the configuration.
radius-server host ip_address [key {shared_secret | 0 shared_secret | 7 shared_secret}] [auth-port port_number] [acct-port port_number] [authentication] [accounting] [timeout seconds] [retransmit count]
no radius-server host ip_address [key {shared_secret | 0 shared_secret | 7 shared_secret}] [auth-port port_number] [acct-port port_number] [authentication] [accounting] [timeout seconds] [retransmit count]
Syntax Description
ip_address: IP address for the RADIUS server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
key: (Optional) Enables an authentication key for communication between the ACE and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.
shared_secret: Key that is used to authenticate communication between the RADIUS client and server. The shared secret must match the one configured on the RADIUS server. Enter the shared secret as a case-sensitive string with no spaces with a maximum of 63 alphanumeric characters.
0: (Optional) Configures a key specified in clear text (indicated by 0) to authenticate communication between the RADIUS client and server.
7: (Optional) Configures a key specified in encrypted text (indicated by 7) to authenticate communication between the RADIUS client and server.
auth-port port_number: (Optional) Specifies the UDP destination port for communicating authentication requests to the RADIUS server. By default, the RADIUS authentication port is 1812 (as defined in RFC 2138 and RFC 2139). The port_number argument specifies the RADIUS port number. Valid values are from 1 to 65535.
acct-port port_number: (Optional) Specifies the UDP destination port for communicating accounting requests to the RADIUS server. By default, the RADIUS accounting port is 1813 (as defined in RFC 2138 and RFC 2139). The port_number argument specifies the RADIUS port number. Valid values are from 1 to 65535.
authentication: (Optional) Specifies that the RADIUS server is used only for authentication purposes. If neither the authentication nor the accounting option is specified, the RADIUS server is used for both accounting and authentication purposes.
accounting: (Optional) Specifies that the RADIUS server is used only for accounting purposes. If neither the authentication nor the accounting option is specified, the RADIUS server is used for both accounting and authentication purposes.
timeout seconds: (Optional) Specifies the time interval that the ACE waits for the RADIUS server to reply to an authentication request before retransmitting a request. Valid entries are from 1 to 60 seconds. The default is 1 second.
retransmit count: (Optional) Specifies the number of times that the ACE retransmits an authentication request to a timed-out RADIUS server before declaring the server to be unresponsive and contacting the next server in the group. Valid entries are from 1 to 5 attempts. The default is one attempt.
Command Modes
Configuration mode
Admin and user contexts
Command History
A1(7): This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The key option overrides the global setting of the radius-server key command. If you do not specify a key, the global value is used. RADIUS keys are always stored in encrypted form in persistent storage. The running configuration also displays keys in encrypted form.
If neither the authentication nor the accounting options are specified, the RADIUS server is used for both accounting and authentication.
If your RADIUS server uses a port other than 1813, use the acct-port keyword to configure the ACE for the appropriate port before starting the RADIUS service.
If your RADIUS server uses a port other than 1812, use the auth-port keyword to configure the ACE for the appropriate port before starting the RADIUS service.
The retransmit and timeout options override the global settings assigned for the specified server when you enter the radius-server retransmit and radius-server timeout commands.
Examples
To configure RADIUS server authentication parameters, enter:
host1/Admin(config)# radius-server host 192.168.2.3 key HostKey
host1/Admin(config)# radius-server host 192.168.2.3 key 7 secret_1256
host1/Admin(config)# radius-server host 192.168.2.3 auth-port 1645
host1/Admin(config)# radius-server host 192.168.2.3 acct-port 1646
host1/Admin(config)# radius-server host 192.168.2.3 authentication
host1/Admin(config)# radius-server host 192.168.2.3 accounting
host1/Admin(config)# radius-server host 192.168.2.3 timeout 25
host1/Admin(config)# radius-server host 192.168.2.3 retransmit 3
To revert to a default RADIUS server authentication setting, enter:
host1/Admin(config)# no radius-server host 192.168.2.3 acct-port 1646
Related Commands
show aaa
(config) aaa group server
(config) radius-server attribute nas-ipaddr
(config) radius-server key
To globally configure an authentication key for communication between the ACE and the Remote Authentication Dial-In User Service (RADIUS) daemon running on each RADIUS server, use the radius-server key command. Use the no form of this command to remove the global RADIUS server key setting from the configuration.
radius-server key {shared_secret | 0 shared_secret | 7 shared_secret}
no radius-server key {shared_secret | 0 shared_secret | 7 shared_secret}
Syntax Description
shared_secret: Key used to authenticate communication between the RADIUS client and the server. The shared secret must match the one configured on the RADIUS server. Enter the shared secret as a case-sensitive string with no spaces and a maximum of 63 characters.
0: Configures a key specified in clear text (indicated by 0) to authenticate communication between the RADIUS client and server.
7: Configures a key specified in encrypted text (indicated by 7) to authenticate communication between the RADIUS client and server.
Command Modes
Configuration mode
Admin and user contexts
Command History
A1(7): This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The key is a text string that must match the encryption key used on the RADIUS server. RADIUS keys are always stored in encrypted form in persistent storage on the ACE. This global key will be applied to those RADIUS servers in a named server group for which a shared secret is not individually configured by the (config) radius-server host command.
Examples
To globally configure an authentication key to be sent in encrypted text (indicated by 7) to the RADIUS server, enter:
host1/Admin(config)# radius-server key 7 abe4DFeeweo00o
To delete the key, enter:
host1/Admin(config)# no radius-server key 7 abe4DFeeweo00o
Related Commands
show aaa
(config) aaa group server
(config) radius-server host
(config) radius-server retransmit
To globally change the number of times that the ACE sends an authentication request to a Remote Authentication Dial-In User Service (RADIUS) server, use the radius-server retransmit command. Use the no form of this command to revert to the default of one transmission attempt.
radius-server retransmit count
no radius-server retransmit count
Syntax Description
count: Number of times that the ACE attempts to contact a RADIUS server before trying the next available server. Enter an integer from 1 to 5. The default is 1.
Command Modes
Configuration mode
Admin and user contexts
Command History
A1(7): This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The ACE applies this global retransmission value to those RADIUS servers for which a value is not individually configured by the (config) radius-server host command.
If all servers in the group are unavailable for authentication and accounting, the ACE tries the local database if you configure a local fallback method by entering the aaa authentication login or the aaa accounting default commands. If you do not have a fallback method, the ACE continues to contact one of the AAA servers listed in the server group.
Examples
To globally configure the number of retransmissions to 3, enter:
host1/Admin(config)# radius-server retransmit 3
To revert to the default of one transmission attempt, enter:
host1/Admin(config)# no radius-server retransmit 3
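The radius-server host, key, deadtime, retransmit and timeout commands on this page only describe individual knobs; the configuration below, added here as an illustration and not taken from the Cisco guide, shows them assembled into a complete RADIUS login setup with the local-database fallback that the usage guidelines above describe. The shared secret, addresses and timer values are placeholders, and lines beginning with "!" are annotations. Two practitioner points: without the trailing local method, an outage of every RADIUS server leaves the ACE retrying the group indefinitely and locks administrators out of the CLI; and the timers bound how long a login blocks before that fallback is reached, roughly the sum over servers of timeout multiplied by retransmit (here on the order of 10 s for the first server plus 3 s for the second), after which deadtime keeps the failed server out of the rotation for 10 minutes.

```cisco
! Global shared secret, entered in clear text (0); the ACE stores and displays it encrypted
radius-server key 0 Xq7vP2mLw9RtB4kH

! Global timers: 5 s per attempt, 2 attempts per server, then skip a dead server for 10 minutes
radius-server timeout 5
radius-server retransmit 2
radius-server deadtime 10

! Present a single NAS-IP-Address (attribute 4) to the servers regardless of egress interface
radius-server attribute nas-ipaddr 192.168.100.5

! Two servers; the second overrides the global timers with tighter per-server values
radius-server host 192.168.2.3
radius-server host 192.168.2.4 timeout 3 retransmit 1

! Group the servers so that the login and accounting methods can reference them together
aaa group server radius RADIUS_ADMINS
  server 192.168.2.3
  server 192.168.2.4

! RADIUS first; fall back to the local user database only when no server in the group answers.
! Console logins stay local so that a network outage cannot lock out physical access.
aaa authentication login default group RADIUS_ADMINS local
aaa authentication login console local
aaa accounting default group RADIUS_ADMINS
```

After applying this, use show aaa to confirm the server group and method lists, and test the fallback deliberately by making the servers unreachable from a second session before closing the one you configured from.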
Related Commands
show aaa
(config) aaa group server
(config) radius-server host
(config) radius-server timeout
To globally change the time interval that the ACE waits for the Remote Authentication Dial-In User Service (RADIUS) server to reply before retransmitting an authentication request to the RADIUS server, use the radius-server timeout command. Use the no form of this command to revert to the default of one second between transmission attempts.
radius-server timeout seconds
no radius-server timeout seconds
Syntax Description
seconds        Time in seconds between retransmissions to the RADIUS server. Enter an integer from 1 to 60 seconds. The default is 1 second.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release        Modification
A1(7)          This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The ACE applies this global timeout value to those RADIUS servers for which a timeout value is not individually configured by the (config) radius-server host command.
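The following is an added example, not code from the Cisco ACE command reference or from Cisco. It models the behaviour that the usage guidelines for radius-server retransmit and radius-server timeout describe: a global value applies only to servers with no individually configured value (set per host by the (config) radius-server host command), each server is tried `retransmit` times with `timeout` seconds between attempts before the next server in the group is contacted, and when every server is unavailable the local database is consulted only if a fallback method was configured with aaa authentication login or aaa accounting default. The server addresses, the group, and the `transport` callable that stands in for sending a RADIUS request are constructed for the example.

```python
"""Model of ACE RADIUS retransmit/timeout handling (added example, not Cisco code)."""

from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

GLOBAL_RETRANSMIT_DEFAULT = 1   # radius-server retransmit default, range 1-5
GLOBAL_TIMEOUT_DEFAULT = 1      # radius-server timeout default, range 1-60 seconds


@dataclass(frozen=True)
class RadiusHost:
    address: str
    retransmit: Optional[int] = None   # None: inherit the global value
    timeout: Optional[int] = None      # None: inherit the global value

    def effective(self, global_retransmit: int, global_timeout: int) -> Tuple[int, int]:
        """Per-host values win when configured; otherwise the global ones apply."""
        r = self.retransmit if self.retransmit is not None else global_retransmit
        t = self.timeout if self.timeout is not None else global_timeout
        if not 1 <= r <= 5 or not 1 <= t <= 60:
            raise ValueError(f"{self.address}: retransmit={r} timeout={t} out of range")
        return r, t


@dataclass(frozen=True)
class AuthResult:
    outcome: str            # "server" (a RADIUS server answered), "local" (fallback), "unavailable"
    server: Optional[str]   # address of the server that answered, if any
    attempts: int           # requests sent in total
    waited: int             # seconds spent waiting on unanswered requests


def authenticate(group: List[RadiusHost], transport: Callable[[str], bool], *,
                 global_retransmit: int = GLOBAL_RETRANSMIT_DEFAULT,
                 global_timeout: int = GLOBAL_TIMEOUT_DEFAULT,
                 local_fallback: bool = False) -> AuthResult:
    """Walk the server group in order; transport(address) returns True when the server replies."""
    attempts = 0
    waited = 0
    for host in group:
        r, t = host.effective(global_retransmit, global_timeout)
        for _ in range(r):
            attempts += 1
            if transport(host.address):
                return AuthResult("server", host.address, attempts, waited)
            waited += t                      # no reply: wait `timeout` seconds, then resend
    if local_fallback:                       # every server unavailable: consult the local database
        return AuthResult("local", None, attempts, waited)
    # Without a fallback method the ACE keeps contacting the group; the model stops here.
    return AuthResult("unavailable", None, attempts, waited)


def worst_case_delay(group: List[RadiusHost], global_retransmit: int, global_timeout: int) -> int:
    """Seconds a login can hang before the local fallback is reached when no server answers."""
    return sum(r * t for r, t in (h.effective(global_retransmit, global_timeout) for h in group))


# Constructed group: 192.0.2.10 inherits the global values, 192.0.2.11 has host-specific ones.
GROUP = [RadiusHost("192.0.2.10"), RadiusHost("192.0.2.11", retransmit=2, timeout=5)]


def silent(address: str) -> bool:
    """A transport for which no server ever replies (simulated RADIUS outage)."""
    return False


if __name__ == "__main__":
    print(worst_case_delay(GROUP, 3, 30))   # the page's example values: 3 * 30 + 2 * 5 = 100
    print(authenticate(GROUP, silent, global_retransmit=3, global_timeout=30, local_fallback=True))
```

`worst_case_delay` is the figure to check when choosing the two global values: during a RADIUS outage a user cannot reach the local fallback before that many seconds have elapsed, and with no fallback method configured the login never completes at all.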
Examples
To globally configure the timeout value to 30 seconds, enter:
host1/Admin(config)# radius-server timeout 30
To revert to the default of one second between transmission attempts, enter:
host1/Admin(config)# no radius-server timeout 30
Related Commands
show aaa
(config) aaa group server
(config) radius-server host
(config) resource-class
To create a resource class and enter resource configuration mode, use the resource-class command. The CLI prompt changes to (config-resource). Configure a resource class to limit the use of system resources by one or more contexts. Use the no form of this command to remove the resource-class setting.
resource-class name
no resource-class name
Syntax Description
name           Name assigned to the resource class. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. You can also use the resource class called default.
Command Modes
Configuration mode
Admin context only
Command History
Release        Modification
A1(7)          This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Use a resource class to allocate and limit system resources among contexts in your ACE. The default resource class allocates 100 percent of all configurable system resources to each context. By creating a resource class, you can prevent oversubscription by limiting the percentage of resources available to each context. After you create and configure a resource class, use the (config-context) member command in context configuration mode to assign a context to the class.
To use the stickiness feature, you must allocate a minimum percentage of resources to the feature. Otherwise, stickiness will not work. For more details, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
For information about the commands in the resource configuration mode, see the "Resource Configuration Mode Commands" section.
Examples
This example shows how to create a resource class called RC1.
host1/C1(config)# resource-class RC1
host1/C1(config-resource)#
To remove the resource class from the configuration, enter:
host1/C1(config)# no resource-class RC1
Related Commands
show resource allocation
show resource usage
show user-account
show users
(config-context) member
(config) role
To assign a user role to a user and enter role configuration mode, use the role command. The CLI prompt changes to (config-role). User roles determine the privileges that a user has, the commands that a user can enter, and the actions that a user can perform in a particular context. You can apply the roles that you create only in the context in which you create them. See the "Role Configuration Mode Commands" section for details. Use the no form of this command to remove the user role assignment.
role name
no role name
Syntax Description
name           Identifier associated with a user role. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release        Modification
A1(7)          This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
If you do not assign a user role to a new user, the default user role is Network-Monitor. For users that you create in the Admin context, the default scope of access is the entire device. For users that you create in other contexts, the default scope of access is the entire context. If you need to restrict a user's access, you must assign a role-domain pair using the (config) username command.
For information about the commands in the role configuration mode, see the "Role Configuration Mode Commands" section.
For information about configuring roles and assigning them to users, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
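The following is an added example, not ACE code and not from Cisco. It is a small authorization model of the rules the usage guidelines above state: a role is valid only in the context in which it was created, a user with no assigned role gets Network-Monitor, the default scope is the entire device for users created in the Admin context and the entire context for users created elsewhere, and a role-domain pair assigned with (config) username narrows access to the objects in that domain. The command names, the object names, and the assumption that Network-Monitor permits only show commands are constructed for the example.

```python
"""Model of ACE role, context and domain checks (added example, not Cisco code)."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    context: Optional[str]          # context the role was created in; None marks a built-in role
    allowed_commands: FrozenSet[str]


# The page names Network-Monitor as the default role; "show only" is an assumption for this example.
NETWORK_MONITOR = Role("Network-Monitor", None, frozenset({"show"}))


@dataclass(frozen=True)
class User:
    name: str
    context: str                               # context the user account was created in
    role: Optional[Role] = None                # None: Network-Monitor by default
    domain: Optional[FrozenSet[str]] = None    # objects of the role-domain pair; None: default scope

    def effective_role(self) -> Role:
        return self.role if self.role is not None else NETWORK_MONITOR


def authorize(user: User, command: str, target_context: str, target_object: str) -> Tuple[bool, str]:
    """Decide whether `user` may run `command` on `target_object` in `target_context`."""
    role = user.effective_role()
    # 1. A role created in one context cannot be applied in another.
    if role.context is not None and role.context != target_context:
        return False, f"role {role.name} was created in {role.context}, not {target_context}"
    # 2. Default scope: Admin-context users reach the whole device, others only their own context.
    if user.context != "Admin" and target_context != user.context:
        return False, f"user {user.name} is confined to context {user.context}"
    # 3. An explicit role-domain pair narrows access to the domain's objects.
    if user.domain is not None and target_object not in user.domain:
        return False, f"{target_object} is not in the domain assigned to {user.name}"
    # 4. The role decides which commands may be entered.
    if command not in role.allowed_commands:
        return False, f"role {role.name} does not permit '{command}'"
    return True, "permitted"


# Constructed sample role (as created with "role TECHNICIAN" in context C1) and users.
TECHNICIAN = Role("TECHNICIAN", "C1", frozenset({"show", "rserver", "serverfarm"}))
USERS: Dict[str, User] = {
    "viewer": User("viewer", "C1"),                                            # no role assigned
    "tech": User("tech", "C1", role=TECHNICIAN),
    "ops": User("ops", "Admin", role=TECHNICIAN, domain=frozenset({"web1"})),  # role-domain pair
}


if __name__ == "__main__":
    for name, user in USERS.items():
        for ctx, obj in (("C1", "web1"), ("C1", "web2"), ("C2", "web1")):
            print(name, ctx, obj, authorize(user, "rserver", ctx, obj))
```

The order of the checks matters for auditing: a denial reports the first rule that failed, so the reason string tells an operator whether the gap is the role's context, the user's scope, the domain, or the role's command set.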
Examples
To assign a role, enter:
host1/C1(config)# role TECHNICIAN
To remove the role from the configuration, enter:
host1/C1(config)# no role TECHNICIAN
Related Commands
show role
show user-account
show users
(config) username
(config) rserver
To create a real server for server load balancing (SLB) and enter real server configuration mode, use the rserver command. The CLI prompt changes to (config-host-rserver) or (config-redirect-rserver), depending on the type of real server that you create. You can create a maximum of 16,384 real servers. Use the no form of this command to remove the real server from the configuration.
rserver [host | redirect] name
no rserver [host | redirect] name
Syntax Description
host           (Optional) Specifies a typical real server that provides content and services to clients. This is the default setting. For details on the commands in real server host configuration mode, see the "Real Server Host Configuration Mode Commands" section.
redirect       (Optional) Specifies a real server used to redirect traffic to a new location as specified in the relocn-string argument of the webhost-redirection command. For details on the commands in real server redirect configuration mode, see the "Real Server Redirect Configuration Mode Commands" section.
name           Identifier for the real server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release        Modification
A1(7)          This command was introduced.
Usage Guidelines
This command requires the rserver feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
All servers in a server farm must be of the same type: host or redirect. You can create a maximum of 4096 real servers in each ACE.
Examples
To create a real server of type host, enter:
host1/Admin(config)# rserver server1
To remove the real server of type host from the configuration, enter:
host1/Admin(config)# no rserver server1
Related Commands
(config-rserver-redir) webhost-redirection
clear rserver
show rserver
(config) script file
To load a script into memory on the ACE and enable it for use, use the script file command. Use the no form of this command to remove a script from memory and the running configuration.
script file index script_name
no script file index
Syntax Description
index          Index number for the script file. The number must be unique across the context. Enter a number from 1 to 255.
script_name    Name of the script on the disk0: filesystem. The script name must be unique across the context. You will use the filename when you configure the probe.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release        Modification
A1(7)          This command was introduced.
Usage Guidelines
This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
To run a script or create a health probe using a script, you must use the script name, not the script file from which the script was loaded.
Examples
To load a script into memory, enter:
host1/Admin(config)# script file 22 ftp1.tcl
To remove the script with index 22, enter:
host1/Admin(config)# no script file 22
Related Commands
show script