Table Of Contents
Policy Map Configuration Mode Commands
(config-pmap) class
(config-pmap) description
Policy Map Class Configuration Mode Commands
(config-pmap-c) appl-parameter http advanced-options
(config-pmap-c) connection advanced-options
(config-pmap-c) inspect
(config-pmap-c) loadbalance policy
(config-pmap-c) loadbalance vip icmp-reply
(config-pmap-c) loadbalance vip inservice
(config-pmap-c) nat dynamic
(config-pmap-c) nat static
(config-pmap-c) ssl-proxy
Policy Map FTP Inspection Configuration Mode Commands
(config-pmap-ftp-ins) class
(config-pmap-ftp-ins) description
(config-pmap-ftp-ins) match request-method
Policy Map FTP Inspection Class Configuration Mode Commands
(config-pmap-ftp-ins-c) deny
(config-pmap-ftp-ins-c) mask-reply
Policy Map FTP Inspection Match Configuration Mode Commands
(config-pmap-ftp-ins-m) deny
(config-pmap-ftp-ins-m) mask-reply
Policy Map Inspection HTTP Configuration Mode Commands
(config-pmap-ins-http) class
(config-pmap-ins-http) description
(config-pmap-ins-http) match content
(config-pmap-ins-http) match content length
(config-pmap-ins-http) match content-type-verification
(config-pmap-ins-http) match header
(config-pmap-ins-http) match header length
(config-pmap-ins-http) match header mime-type
(config-pmap-ins-http) match port-misuse
(config-pmap-ins-http) match request-method
(config-pmap-ins-http) match strict-http
(config-pmap-ins-http) match transfer-encoding
(config-pmap-ins-http) match url
(config-pmap-ins-http) match url length
Policy Map Inspection HTTP Class Configuration Mode Commands
(config-pmap-ins-http-c) permit
(config-pmap-ins-http-c) reset
Policy Map Inspection HTTP Match Configuration Mode Commands
(config-pmap-ins-http-m) permit
(config-pmap-ins-http-m) reset
Policy Map Load Balancing Configuration Mode Commands
(config-pmap-lb) class
(config-pmap-lb) description
(config-pmap-lb) match http cookie
(config-pmap-lb) match http header
(config-pmap-lb) match http url
(config-pmap-lb) match source-address
Policy Map Load Balancing Class Configuration Mode Commands
(config-pmap-lb-c) compress
(config-pmap-lb-c) drop
(config-pmap-lb-c) forward
(config-pmap-lb-c) insert-http
(config-pmap-lb-c) serverfarm
(config-pmap-lb-c) set ip tos
(config-pmap-lb-c) ssl-proxy client
(config-pmap-lb-c) sticky-serverfarm
Policy Map Load Balancing Match Configuration Mode Commands
(config-pmap-lb-m) drop
(config-pmap-lb-m) forward
(config-pmap-lb-m) insert-http
(config-pmap-lb-m) serverfarm
(config-pmap-lb-m) set ip tos
(config-pmap-lb-m) ssl-proxy client
(config-pmap-lb-m) sticky-serverfarm
Policy Map Management Configuration Mode Commands
(config-pmap-mgmt) class
(config-pmap-mgmt) description
Policy Map Management Class Configuration Mode Commands
(config-pmap-mgmt-c) deny
(config-pmap-mgmt-c) permit
Policy Map Optimization Configuration Mode Commands
(config-pmap-optmz) class
(config-pmap-optmz) description
(config-pmap-optmz) match http cookie
(config-pmap-optmz) match http header
(config-pmap-optmz) match http url
Policy Map Optimization Class Configuration Mode Commands
(config-pmap-optmz-c) action
Policy Map Optimization Match Configuration Mode Commands
(config-pmap-optmz-m) action
Policy Map Configuration Mode Commands
Policy map configuration mode commands allow you to configure a Layer 3 and Layer 4 policy map that defines the different actions applied to traffic that passes through the ACE. The ACE attempts to match multiple classes within the Layer 3 and Layer 4 policy map to allow a multifeature Layer 3 and Layer 4 policy map. The ACE executes the action for only one matching class within each of the class sets. The definition of which classes are in the same class set depends on the actions applied to the classes; the ACE associates each policy map action with a specific set of classes.
To create a Layer 3 and Layer 4 policy map and access policy map configuration mode, use the policy-map multi-match command in configuration mode. When you access the policy map configuration mode, the prompt changes to (config-pmap). Use the no form of the command to remove a Layer 3 and Layer 4 policy map from the ACE.
For a Layer 3 and Layer 4 traffic classification, you create Layer 3 and Layer 4 policy maps with actions that configure the following:
• Server load balancing based on Layer 3 and Layer 4 connection information (virtual IP address)
• Application acceleration and optimization
• Secure Sockets Layer (SSL) security services between a web browser (the client) and the HTTP connection (the server)
• Static or dynamic Network Address Translation (NAT)
• Application protocol inspection (also known as protocol fixup)
• TCP termination, normalization, and reuse
• IP normalization and fragment reassembly
Use the no form of the policy-map multi-match command to remove a policy map from the ACE.
policy-map multi-match map_name
no policy-map multi-match map_name
Syntax Description
map_name | Name assigned to the Layer 3 and Layer 4 policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
The commands in this mode require the loadbalance, inspect, connection, NAT, or SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
To perform HTTP load balancing, HTTP deep packet inspection, or FTP command inspection functions, you associate a previously created Layer 7 policy map within a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can be associated only within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface. For example, to associate a Layer 7 HTTP load-balancing policy map, you nest the Layer 7 load-balancing policy map by using the Layer 3 and Layer 4 (config-pmap-c) loadbalance policy command.
The ACE supports a system-wide maximum of 4096 policy maps.
Examples
To create a Layer 3 and Layer 4 server load balancing (SLB) policy map named L4_SLB_POLICY, enter:
host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)#
To create a Layer 3 and Layer 4 application protocol inspection policy map named L4_HTTP_APP_INSPECTION_POLICY, enter:
host1/Admin(config)# policy-map multi-match L4_HTTP_APP_INSPECTION_POLICY
host1/Admin(config-pmap)#
Related Commands
show startup-config
(config) class-map
(config-pmap) class
To associate a Layer 3 and Layer 4 class map with a Layer 3 and Layer 4 policy map, use the class command. The prompt changes from (config-pmap) to (config-pmap-c). For information on commands in this mode, see the "Policy Map Class Configuration Mode Commands" section. Use the no form of this command to remove an associated class map from a policy map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2]}
Syntax Description
name1 | Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
insert-before name2 | (Optional) Places the current named class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy-map configuration. The ACE does not save the sequence reordering as part of the configuration. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
class-default | Associates the reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it that enables it to match all traffic.
Command Modes
Policy map configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To associate a Layer 3 and Layer 4 class map with a Layer 3 and Layer 4 policy map, enter:
host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)# class L4_SLB_CLASS
host1/Admin(config-pmap-c)#
Related Commands
(config-pmap) description
(config-pmap) description
To provide a brief summary about the Layer 3 and Layer 4 policy map, use the description command. Use the no form of the command to remove the description from the class map.
description text
no description
Syntax Description
text | Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes
Policy map configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To add a description that the class map is to perform Layer 3 and Layer 4 server load balancing, enter:
host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)# description Policy map for L3/L4 SLB
Related Commands
(config-pmap) class
Policy Map Class Configuration Mode Commands
Policy map class configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 3 and Layer 4 class map. To access policy map class configuration mode, use the class command in policy map configuration mode (see the (config-pmap) class command for details). The prompt changes from (config-pmap) to (config-pmap-c).
The features required in your user role to execute a specific command in policy map class configuration mode are described in the "Usage Guidelines" section of the command. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
(config-pmap-c) appl-parameter http advanced-options
To associate an HTTP parameter map with a Layer 3 and Layer 4 policy map, use the appl-parameter http advanced-options command. A parameter map is a means to combine related actions for use in a Layer 3 and Layer 4 HTTP policy map. Use the no form of this command to disassociate the HTTP parameter map as an action from the policy map.
appl-parameter http advanced-options name
no appl-parameter http advanced-options name
Syntax Description
name | Name of an existing HTTP parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Policy map class configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the loadbalance and inspect features in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To specify the appl-parameter http advanced-options command as an action for the policy map, enter:
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# appl-parameter http advanced-options http_param_map1
Related Commands
This command has no related commands.
(config-pmap-c) connection advanced-options
To associate a connection parameter map with a Layer 3 and Layer 4 policy map, use the connection advanced-options command. Use the no form of this command to disassociate the parameter map from a policy map.
connection advanced-options name
no connection advanced-options name
Syntax Description
name | Name of an existing connection parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Policy map class configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
For details about configuring a connection parameter map, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
Examples
To associate the connection parameter map IP_MAP with a Layer 3 and Layer 4 TCP/IP policy map:
host1/Admin(config)# policy-map multi-match TCPIP_POLICY
host1/Admin(config-pmap)# class TCP_CLASS
host1/Admin(config-pmap-c)# connection advanced-options IP_MAP
Related Commands
This command has no related commands.
(config-pmap-c) inspect
To define the Layer 3 and Layer 4 HTTP deep packet inspection, File Transfer Protocol (FTP) command inspection, or application protocol inspection policy actions, use the inspect command. Application inspection involves the examination of protocols such as Domain Name System (DNS), FTP, HTTP, Internet Control Message Protocol (ICMP), and Real Time Streaming Protocol (RTSP) to verify the protocol behavior and identify unwanted or malicious traffic that passes through the ACE. Use the no form of this command to remove an associated class map from a policy map.
inspect {dns [maximum-length bytes]} | {ftp [strict policy policy_map1]} | {http [policy policy_map2 | url-logging]} | {icmp [error]} | rtsp
no inspect {dns [maximum-length bytes]} | {ftp [strict policy policy_map1]} | {http [policy policy_map2 | url-logging]} | {icmp [error]} | rtsp
Syntax Description
dns | Enables DNS query inspection. DNS requires application inspection so that DNS queries will not be subject to the generic UDP handling based on activity timeouts. Instead, the UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received. The ACE performs the reassembly of DNS packets to verify that the packet length is less than the configured maximum length.
maximum-length bytes | (Optional) Sets the maximum length of a DNS reply. Valid entries are from 64 to 65536 bytes. The default is 512 bytes.
ftp | Enables FTP inspection. The ACE inspects FTP packets, translates the address and the port that are embedded in the payload, and opens up a secondary channel for data.
strict | (Optional) Checks for protocol RFC compliance and prevents web browsers from sending embedded commands in FTP requests. The strict keyword prevents an FTP client from determining valid usernames that are supported on an FTP server. When an FTP server replies to the USER command, the ACE intercepts the 530 reply code from the FTP server and replaces it with the 331 reply code. Specifying an FTP inspection policy allows selective command filtering and also prevents the display of the FTP server system type to the FTP client. The ACE intercepts the FTP server 215 reply code and message to the SYST command, and then replaces the text following the reply code with Xs.
policy policy_map1 | Specifies the name assigned to a previously created Layer 7 FTP command inspection policy map to implement the inspection of Layer 7 FTP commands by the ACE. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. Use the inspect ftp command in policy map class configuration mode to define the FTP command request inspection policy.
Note If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 FTP fixup actions.
http | Enables enhanced Hypertext Transfer Protocol (HTTP) inspection on the HTTP traffic. The inspection checks are based on configured parameters in an existing Layer 7 policy map and internal RFC compliance checks performed by the ACE. By default, the ACE allows all request methods.
policy policy_map2 | (Optional) Specifies the name assigned to a previously created Layer 7 HTTP application inspection policy map to implement the deep packet inspection of Layer 7 HTTP application traffic by the ACE. The inspection checks are based on configured parameters in an existing Layer 7 policy map and internal RFC compliance checks performed by the ACE. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Note If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC compliance checks.
url-logging | (Optional) Enables the monitoring of Layer 3 and Layer 4 traffic. This function logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed.
icmp | Enables ICMP payload inspection. ICMP inspection allows ICMP traffic to have a "session" so it can be inspected similarly to TCP and UDP traffic.
error | (Optional) Performs a Network Address Translation (NAT) of ICMP error messages. The ACE creates translation sessions for intermediate or endpoint nodes that send ICMP error messages based on the NAT configuration. The ACE overwrites the packet with the translated IP addresses.
rtsp | Enables RTSP packet inspection. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. The ACE monitors Setup and Response (200 OK) messages in the control channel established using TCP port 554 (no UDP support).
Command Modes
Policy map class configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
To perform the deep packet inspection of Layer 7 HTTP application traffic by the ACE, you should create a Layer 7 HTTP deep packet inspection policy using the policy-map type inspect http command (see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide). Nest the Layer 7 deep packet inspection policy using the Layer 3 and Layer 4 inspect http command. If you do not specify a Layer 7 HTTP policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC compliance checks.
To perform checks for protocol RFC compliance and to prevent web browsers from sending embedded commands in FTP requests, you should create a Layer 7 FTP policy using the policy-map type inspect ftp command (see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide). Nest the Layer 7 FTP inspection traffic policy using the Layer 3 and Layer 4 inspect ftp command. If you do not specify a Layer 7 FTP policy map, the ACE performs a general set of Layer 3 and Layer 4 FTP fixup actions.
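The two reply rewrites that inspect ftp strict performs (530 after USER becomes 331; the text of the 215 reply to SYST becomes Xs), modelled in Python as an added example. This is not ACE code; the sample session is constructed, and the text placed on the substituted 331 reply is an assumption, since the page only specifies the reply-code substitution.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# FTP reply line: three-digit code, then a space (final line) or a
# hyphen (continuation line of a multi-line reply), then the text.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class StrictFtpRewriter:
    """Remembers the most recent client command so that a server reply
    can be interpreted in context, then applies the two rewrites the
    ACE performs under `inspect ftp strict`."""
    last_command: str = ""

    def client_to_server(self, line: str) -> str:
        # Commands pass through unchanged; only the verb is remembered.
        verb = line.strip().split(" ", 1)[0].upper()
        if verb:
            self.last_command = verb
        return line

    def server_to_client(self, line: str) -> str:
        m = REPLY_RE.match(line.rstrip("\r\n"))
        if not m:
            return line
        code, sep, text = m.groups()
        if self.last_command == "USER" and code == "530":
            # A 530 at the USER stage tells the client the name is unknown;
            # the ACE answers 331 instead so valid and invalid names look
            # alike. The reply text here is an assumption (see lead-in).
            return f"331{sep}Password required\r\n"
        if self.last_command == "SYST" and code == "215":
            # The server's system-type banner is replaced with Xs.
            return f"215{sep}{'X' * len(text)}\r\n"
        return line


def inspect_session(exchange: List[Tuple[str, str]]) -> List[str]:
    """Run a control-channel exchange of ("C", command) / ("S", reply)
    tuples through the rewriter; return the replies the client sees."""
    rewriter = StrictFtpRewriter()
    seen_by_client: List[str] = []
    for direction, line in exchange:
        if direction == "C":
            rewriter.client_to_server(line)
        else:
            seen_by_client.append(rewriter.server_to_client(line))
    return seen_by_client


# Constructed sample session (not a capture): an unknown username is
# tried first, then a valid login, then a SYST request.
SAMPLE_EXCHANGE = [
    ("S", "220 ftp.example.test ready\r\n"),
    ("C", "USER nosuchuser\r\n"),
    ("S", "530 Login incorrect\r\n"),
    ("C", "USER alice\r\n"),
    ("S", "331 Password required for alice\r\n"),
    ("C", "PASS s3cret\r\n"),
    ("S", "230 Login successful\r\n"),
    ("C", "SYST\r\n"),
    ("S", "215 UNIX Type: L8\r\n"),
    ("C", "PWD\r\n"),
    ("S", "257 \"/\" is the current directory\r\n"),
]

if __name__ == "__main__":
    for reply in inspect_session(SAMPLE_EXCHANGE):
        print(reply, end="")
```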
Examples
To specify the inspect http command as an action for an HTTP application protocol inspection policy map, enter:
host1/Admin(config)# policy-map multi-match HTTP_INSPECT_L4POLICY
host1/Admin(config-pmap)# class HTTP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# inspect http policy HTTP_DEEPINSPECT_L7POLICY
Related Commands
This command has no related commands.
(config-pmap-c) loadbalance policy
To associate a Layer 7 server load balancing (SLB) policy map with a Layer 3 and Layer 4 SLB policy map, use the loadbalance policy command. Use the no form of this command to disassociate the Layer 7 SLB policy from the Layer 3 and Layer 4 SLB policy map.
loadbalance policy name
no loadbalance policy name
Syntax Description
name | Name of an existing Layer 7 SLB policy map. Enter the name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Policy map class configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The ACE treats all Layer 7 policy maps as child policies, so you must always associate a Layer 7 SLB policy map with a Layer 3 and Layer 4 SLB policy map.
Examples
To reference the Layer 7 L7SLBPOLICY policy map within the Layer 3 and Layer 4 L4SLBPOLICY policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap)# class L7SLBCLASS
host1/Admin(config-pmap-c)# serverfarm FARM2
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class L4SLBCLASS
host1/Admin(config-pmap-c)# loadbalance policy L7SLBPOLICY
Related Commands
This command has no related commands.
(config-pmap-c) loadbalance vip icmp-reply
To enable a VIP to reply to ICMP requests, use the loadbalance vip icmp-reply command. For example, if a user sends an ICMP ECHO request to a VIP, this command instructs the VIP to send an ICMP ECHO-REPLY. Use the no form of this command to disable a VIP reply to ICMP requests as an action from the policy map.
loadbalance vip icmp-reply [active]
no loadbalance vip icmp-reply [active]
Syntax Description
active | (Optional) Instructs the ACE to reply to an ICMP request only if the configured VIP is active. If the VIP is not active and the active option is specified, the ACE discards the ICMP request and the request times out.
Command Modes
Policy map class configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
To complete the configuration when you configure the active option of this command, be sure to configure a Telnet probe and associate it with the server farm. The probe monitors the health of all the real servers in the server farm and ensures that the VIP responds with an ICMP ECHO REPLY only if the server port is active. If the server port is down or unreachable, the probe fails and the VIP stops responding to the ECHO request. For details about configuring probes, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
Examples
To enable a VIP to reply to ICMP requests, enter:
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# loadbalance vip icmp-reply active
Related Commands
This command has no related commands.
(config-pmap-c) loadbalance vip inservice
To enable a VIP for server load-balancing operations, use the loadbalance vip inservice command. Use the no form of this command to disable a VIP.
loadbalance vip inservice
no loadbalance vip inservice
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map class configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To specify the loadbalance vip inservice command as an action for a server load-balancing policy map, enter:
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# loadbalance vip oos-arpreply enable
host1/Admin(config-pmap-c)# loadbalance vip inservice
Related Commands
This command has no related commands.
(config-pmap-c) nat dynamic
To configure dynamic Network Address Translation (NAT) and Port Address Translation (PAT) as an action in a policy map, use the nat dynamic command. The ACE applies the dynamic NAT from the interface attached to the traffic policy (through the service-policy interface configuration command) to the interface specified in the nat dynamic command. Use the no form of this command to remove a dynamic NAT action from a policy map.
nat dynamic nat_id vlan number
no nat dynamic nat_id vlan number
Syntax Description
nat dynamic nat_id | Refers to a global pool of IP addresses that exists under the VLAN number. Dynamic NAT translates a group of local source IP addresses to a pool of global IP addresses that are routable on the destination network. All packets going from the interface attached to the traffic policy have their source address translated to one of the available addresses in the global pool. Enter an integer from 1 to 2147483647.
vlan number | Specifies the VLAN number of an existing interface for which you are configuring NAT. Enter an integer from 2 to 4094.
Command Modes
Policy map class configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the NAT feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
If a packet egresses an interface that you have not configured for NAT, the ACE transmits the packet untranslated.
Examples
To specify the nat dynamic command as an action for a dynamic NAT policy map, enter:
host1/Admin(config)# policy-map multi-match NAT_POLICY
host1/Admin(config-pmap)# class NAT_CLASS
host1/Admin(config-pmap-c)# nat dynamic 1 vlan 200
Related Commands
This command has no related commands.
(config-pmap-c) nat static
To configure static Network Address Translation (NAT) and static port redirection in a policy map, use the nat static command. Static NAT allows you to identify local traffic for address translation by specifying the source and destination addresses in an extended access control list (ACL) that is referenced as part of the class map traffic classification. The ACE applies static NAT from the interface attached to the traffic policy (through the service-policy interface configuration command) to the interface specified in the nat static command. Use the no form of this command to remove a NAT action from a policy map.
nat static ip_address netmask mask {port1 | tcp eq port2 | udp eq port3} vlan number
no nat static ip_address netmask mask {port1 | tcp eq port2 | udp eq port3} vlan number
Syntax Description
ip_address | IP address for a single static translation. This argument establishes the globally unique IP address of a host as it appears to the outside world. The policy map performs the global IP address translation for the source IP address specified in the ACL (as part of the class map traffic classification).
netmask mask | Specifies the subnet mask for the IP address. Enter a subnet mask in dotted-decimal notation (for example, 255.255.255.0).
port1 | Global TCP or UDP port for static port redirection. Enter an integer from 0 to 65535.
tcp eq port2 | Specifies a TCP port name or number. Enter an integer from 0 to 65535. A value of 0 instructs the ACE to match any port. Alternatively, you can enter a protocol keyword that corresponds to a TCP port number. See the "Usage Guidelines" section for a list of supported well-known TCP port names and numbers.
udp eq port3 | Specifies a UDP port name or number. Enter an integer from 0 to 65535. A value of 0 instructs the ACE to match any port. Alternatively, you can enter a protocol keyword that corresponds to a UDP port number. See the "Usage Guidelines" section for a list of supported well-known UDP port names and numbers.
vlan number | Specifies the interface for the global IP address.
Command Modes
Policy map class configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the NAT feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Table 2-8 provides a list of supported well-known TCP and UDP port names and numbers.
Table 2-8 Supported TCP and UDP Ports
Well-Known TCP Port Numbers and Keywords
Keyword | Port Number | Description
ftp | 21 | File Transfer Protocol
http | 80 | Hyper Text Transfer Protocol
https | 443 | HTTP over TLS/SSL
irc | 194 | Internet Relay Chat
matip-a | 350 | Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
nntp | 119 | Network News Transport Protocol
pop2 | 109 | Post Office Protocol v2
pop3 | 110 | Post Office Protocol v3
rtsp | 554 | Real Time Streaming Protocol
smtp | 25 | Simple Mail Transfer Protocol
telnet | 23 | Telnet
Well-Known UDP Port Numbers and Keywords
dns | 53 | Domain Name System
wsp | 9200 | Connectionless Wireless Session Protocol (WSP)
wsp-wtls | 9202 | Secure Connectionless WSP
wsp-wtp | 9201 | Connection-based WSP
wsp-wtp-wtls | 9203 | Secure Connection-based WSP
Examples
To specify the nat command as an action for a static NAT and port redirection policy map, enter:
host1/Admin(config)# policy-map multi-match NAT_POLICY
host1/Admin(config-pmap)# class NAT_CLASS
host1/Admin(config-pmap-c)# nat static 192.168.12.15 255.255.255.0 8080 vlan 200
Related Commands
This command has no related commands.
(config-pmap-c) ssl-proxy
To associate the Secure Sockets Layer (SSL) client or server proxy service with the policy map, use the ssl-proxy command. To remove the SSL proxy service from the policy map, use the no form of this command.
ssl-proxy {client | server} ssl_service_name
no ssl-proxy {client | server} ssl_service_name
Syntax Description
client | Associates an SSL client proxy service with the policy map. This keyword is available only when building a Layer 7 policy map, where the ACE acts as an SSL client device.
server | Associates an SSL server proxy service with the policy map. This keyword is available only when building a Layer 2 or Layer 3 policy map, where the ACE acts as an SSL server device.
ssl_service_name | Name of an existing SSL proxy service. Enter the name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Policy map configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To associate the SSL proxy service with the policy map, enter:
host1/C1(config-pmap-c)# ssl-proxy server SSL_SERVER_PROXY_SERVICE
Related Commands
This command has no related commands.
Policy Map FTP Inspection Configuration Mode Commands
Policy map FTP inspection configuration mode commands allow you to configure a Layer 7 policy map that defines the inspection of the File Transfer Protocol (FTP) commands by the ACE. The ACE executes the action for the first matching classification.
To create an FTP command request inspection policy map and access policy map FTP inspection configuration mode, use the policy-map type inspect ftp first-match command in configuration mode. When you access the policy map FTP inspection configuration mode, the prompt changes to (config-pmap-ftp-ins). Use the no form of this command to remove an FTP command request inspection policy map from the ACE.
policy-map type inspect ftp first-match map_name
no policy-map type inspect ftp first-match map_name
Syntax Description
map_name | Name assigned to the Layer 7 FTP command request inspection policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
You associate the Layer 7 FTP command request inspection policy map within a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can be associated only within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface.
To associate the Layer 7 FTP inspection policy map, you nest it by using the Layer 3 and Layer 4 inspect ftp strict command (see the (config-pmap-c) inspect command).
Examples
To create a Layer 7 FTP command inspection policy map, enter:
host/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host/Admin(config-pmap-ftp-ins)#
Related Commands
show startup-config
(config) class-map
(config-pmap-ftp-ins) class
To associate a Layer 7 File Transfer Protocol (FTP) inspection class map with a Layer 7 FTP inspection policy map, use the class command. The prompt changes from (config-pmap-ftp-ins) to (config-pmap-ftp-ins-c). For information on commands in this mode, see the "Policy Map FTP Inspection Class Configuration Mode Commands" section. Use the no form of this command to remove an associated class map from a policy map.
class name
no class name
Syntax Description
name | Name of a previously defined Layer 7 FTP command inspection class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Policy map FTP inspection configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To associate a Layer 7 FTP inspection class map with a Layer 7 FTP inspection policy map, enter:
host/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)#
Related Commands
(config-pmap-ftp-ins) description
(config-pmap-ftp-ins) description
To provide a brief summary about the Layer 7 File Transfer Protocol (FTP) command inspection policy map, use the description command. Use the no form of the command to remove the description from the policy map.
description text
no description text
Syntax Description
text | Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes
Policy map FTP inspection configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To add a description that the policy map is to perform FTP command inspection, enter:
host1/Admin(config-pmap-ftp-ins)# description FTP command inspection of incoming traffic
To remove a description from the FTP policy map, enter:
host1/Admin(config-pmap-ftp-ins)# no description FTP command inspection of incoming traffic
Related Commands
(config-pmap-ftp-ins) class
(config-pmap-ftp-ins) match request-method
To configure the Layer 7 FTP inspection policy map to define FTP command inspection decisions performed by the ACE, use the match request-method command. The prompt changes from (config-pmap-ftp-ins) to (config-pmap-ftp-ins-m). For information on commands in this mode, see the "Policy Map FTP Inspection Match Configuration Mode Commands" section. Use the no form of the command to clear the FTP inspection request method from the policy map.
match name request-method ftp_command
no match name
Syntax Description
name | Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
ftp_command | FTP command in the class map to be subjected to FTP inspection by the ACE. The FTP commands are as follows:
• appe—Appends to a file.
• cd—Changes to the specified directory.
• cdup—Changes to the parent of the current directory.
• dele—Deletes a file at the server side.
• get—Retrieves a file.
• help—Retrieves Help information from the server.
• mkd—Creates a directory.
• put—Stores a file.
• rmd—Removes a directory.
• rnfr—Renames from.
• rnto—Renames to.
• site—Specifies the server-specific command.
• stou—Stores a file with a unique name.
• syst—Gets system information.
Command Modes
Policy map FTP inspection configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
The match command identifies the FTP command that you want filtered by the ACE.
You can specify multiple match request-method commands within a class map.
Examples
To add an inline match command to a Layer 7 FTP command policy map, enter:
host/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method mkdir
host/Admin(config-pmap-ftp-ins-m)#
Related Commands
This command has no related commands.
Policy Map FTP Inspection Class Configuration Mode Commands
Use the policy map File Transfer Protocol (FTP) inspection class configuration mode to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 7 FTP inspection class map. To access policy map FTP inspection class configuration mode, use the class command in the policy map FTP inspection configuration mode (see the (config-pmap-ftp-ins) class command for details). The prompt changes from (config-pmap-ftp-ins) to (config-pmap-ftp-ins-c).
The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
(config-pmap-ftp-ins-c) deny
To deny the FTP request commands specified in the class map by resetting the FTP session, use the deny command. Use the no form of the command to return to the default state and permit all FTP request commands to pass.
deny
no deny
Command Modes
Policy map FTP inspection class configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To instruct the ACE to deny the FTP request commands specified in the Layer 7 FTP inspection class map by resetting the FTP session, enter:
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)# deny
Related Commands
This command has no related commands.
(config-pmap-ftp-ins-c) mask-reply
To instruct the ACE to mask the reply to the FTP SYST command by filtering sensitive information from the command output, use the mask-reply command. Use the no form of the command to disable the masking of the system reply to the FTP SYST command.
mask-reply
no mask-reply
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map FTP inspection class configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
The mask-reply command is applicable only to the FTP SYST command and its associated reply. The SYST command is used to find out the FTP server's operating system type.
Examples
To instruct the ACE to mask the reply to the FTP SYST command, enter:
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)# mask-reply
Related Commands
This command has no related commands.
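The following is an added example, not ACE code or Cisco's: a small Python model of how a first-match FTP inspection policy map such as the one above treats a control session, with the class deny (session reset) and mask-reply (scrubbed SYST reply) actions. The request-method keyword to FTP wire-command mapping, the match-any semantics within a class, and the masked reply format are assumptions; the session and policy are constructed.

```python
"""Model of an ACE Layer 7 FTP inspection policy map (first-match).

Constructed example, not ACE code: walks a sample FTP control session
through class-based deny and mask-reply actions with first-match
evaluation and a default of permit.
"""
from dataclasses import dataclass, field

# Assumption: how the request-method keywords map to the FTP commands
# actually seen on the control connection (the page lists only keywords).
METHOD_TO_WIRE = {
    "appe": "APPE", "cd": "CWD", "cdup": "CDUP", "dele": "DELE",
    "get": "RETR", "help": "HELP", "mkd": "MKD", "put": "STOR",
    "rmd": "RMD", "rnfr": "RNFR", "rnto": "RNTO", "site": "SITE",
    "stou": "STOU", "syst": "SYST",
}
WIRE_TO_METHOD = {v: k for k, v in METHOD_TO_WIRE.items()}


@dataclass
class FtpClass:
    """One class entry: the request methods it matches and its actions."""
    name: str
    methods: frozenset          # match-any over request-method keywords (assumed)
    deny: bool = False          # deny: reset the FTP session
    mask_reply: bool = False    # mask-reply: scrub the SYST reply


@dataclass
class FtpPolicy:
    name: str
    classes: list = field(default_factory=list)   # order is significant


def classify(policy, wire_cmd):
    """Return the first class whose methods cover this command, else None.

    First-match: once a class matches, later classes are never consulted,
    so a permissive class placed ahead of a deny class hides the deny.
    """
    method = WIRE_TO_METHOD.get(wire_cmd.upper())
    for cls in policy.classes:
        if method in cls.methods:
            return cls
    return None


def mask_syst_reply(reply):
    """Blank the OS text of a 215 reply (constructed format; the exact
    masked reply the ACE emits is not given on this page)."""
    code, _, text = reply.partition(" ")
    if code != "215":
        return reply
    return code + " " + "*" * len(text)


def inspect_session(policy, exchange):
    """Run a (command, server_reply) sequence through the policy.

    Returns a list of (command, verdict, reply_as_seen_by_client).
    A deny resets the session, so nothing after it is delivered.
    """
    log = []
    for cmd, reply in exchange:
        cls = classify(policy, cmd.split()[0])
        if cls is not None and cls.deny:
            log.append((cmd, f"reset by {cls.name}", None))
            break
        if cls is not None and cls.mask_reply and cmd.upper().startswith("SYST"):
            reply = mask_syst_reply(reply)
        verdict = "permit" if cls is None else f"permit by {cls.name}"
        log.append((cmd, verdict, reply))
    return log


# Constructed policy: deny writes, scrub SYST, everything else passes by default.
POLICY = FtpPolicy("FTP_INSPECT_L7POLICY", [
    FtpClass("FTP_WRITES",
             frozenset({"put", "appe", "stou", "dele", "rmd", "mkd"}), deny=True),
    FtpClass("FTP_SYST", frozenset({"syst"}), mask_reply=True),
])

# Constructed control-channel exchange.
SESSION = [
    ("SYST", "215 UNIX Type: L8"),
    ("CWD /pub", "250 Directory changed"),
    ("RETR readme.txt", "150 Opening data connection"),
    ("STOR dropped.bin", "150 Opening data connection"),
    ("DELE readme.txt", "250 Deleted"),
]

if __name__ == "__main__":
    for entry in inspect_session(POLICY, SESSION):
        print(entry)
```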
Policy Map FTP Inspection Match Configuration Mode Commands
Policy map FTP inspection match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map FTP inspection match configuration mode, use the match request-method command in policy map FTP inspection configuration mode (see the (config-pmap-ftp-ins) match request-method command for details). The prompt changes from (config-pmap-ftp-ins) to (config-pmap-ftp-ins-m).
The inline Layer 7 policy map match commands allow you to include a single inline match criterion in the policy map without specifying a traffic class. The match commands function the same as the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the Layer 7 policy map.
The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
(config-pmap-ftp-ins-m) deny
To deny the FTP request commands specified in the inline match command by resetting the FTP session, use the deny command. By default, the ACE allows all FTP commands to pass. Use the no form of the command to return to the default state and permit all FTP request commands to pass.
deny
no deny
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map FTP inspection match configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To instruct the ACE to deny the FTP request commands specified in the Layer 7 FTP inspection class map by resetting the FTP session, enter:
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method mkdir
host/Admin(config-pmap-ftp-ins-m)# deny
Related Commands
This command has no related commands.
(config-pmap-ftp-ins-m) mask-reply
To instruct the ACE to mask the system's reply to the FTP SYST command by filtering sensitive information from the command output, use the mask-reply command. Use the no form of the command to disable the masking of the system reply to the FTP SYST command.
mask-reply
no mask-reply
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map FTP inspection match configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
The mask-reply command is applicable only to the FTP SYST command and its associated reply. The SYST command is used to find out the FTP server's operating system type.
Examples
To instruct the ACE to mask the system's reply to the FTP SYST command, enter:
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method syst
host/Admin(config-pmap-ftp-ins-m)# mask-reply
Related Commands
This command has no related commands.
Policy Map Inspection HTTP Configuration Mode Commands
Policy map inspection HTTP configuration mode commands allow you to define a policy map that initiates the deep packet inspection of the HTTP protocol by the ACE. The ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request.
To create an HTTP deep packet inspection policy map and access policy map inspection HTTP configuration mode, use the policy-map type inspect http all-match command in configuration mode. When you access the policy map inspection HTTP configuration mode, the prompt changes to (config-pmap-ins-http). Use the no form of the command to remove an HTTP deep packet inspection policy map from the ACE.
policy-map type inspect http all-match map_name
no policy-map type inspect http all-match map_name
Syntax Description
map_name | Name assigned to the Layer 7 HTTP deep packet inspection policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
You associate the Layer 7 HTTP deep packet inspection policy map within a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can only be associated within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface.
To associate the Layer 7 HTTP inspection policy map, you nest it by using the Layer 3 and Layer 4 inspect http command (see the (config-pmap-c) inspect command).
Examples
To create a Layer 7 HTTP deep packet inspection policy map, enter:
host/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host/Admin(config-pmap-ins-http)#
Related Commands
show startup-config
(config) class-map
(config-pmap-ins-http) class
To associate a Layer 7 HTTP inspection class map with a Layer 7 HTTP inspection policy map, use the class command. The prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-c). For information on commands in this mode, see the "Policy Map Inspection HTTP Class Configuration Mode Commands" section. Use the no form of this command to remove an associated class map from a policy map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2] | class-default}
Syntax Description
name1 | Name of a previously defined Layer 7 HTTP inspection class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
insert-before name2 | (Optional) Places the current class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration.
class-default | Associates a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it that enables it to match all traffic.
Note By default, all matches are applied to both HTTP request and response messages, but the class class-default command is applied only to HTTP requests.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To associate a Layer 7 HTTP inspection class map with a Layer 7 HTTP inspection policy map, enter:
host/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# class HTTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-http-c)#
Related Commands
(config-pmap-ins-http) description
(config-pmap-ins-http) description
To provide a brief summary about the Layer 7 HTTP inspection policy map, use the description command. Use the no form of the command to remove the description from the policy map.
description text
no description
Syntax Description
text | Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To add a description that the policy map is to perform HTTP deep packet inspection, enter:
host1/Admin(config-pmap-ins-http)# description HTTP protocol deep inspection of incoming traffic
Related Commands
(config-pmap-ins-http) class
(config-pmap-ins-http) match content
To configure the Layer 7 HTTP inspection policy map to define HTTP application inspection decisions based on content expressions contained within the HTTP entity body, use the match content command. Use the no form of the command to clear content expression-checking match criteria from the policy map.
match name content expression [offset number] [insert-before map_name]
no match name
Syntax Description
name | Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
expression | Content expression contained within the HTTP entity body. The range is from 1 to 255 alphanumeric characters. See the "Usage Guidelines" section for a list of the supported characters that you can use in regular expressions.
offset number | (Optional) Provides an absolute offset where the content expression search string starts. The offset starts at the first byte of the message body, after the empty line (CR, LF, CR, LF) between the headers and the body of the message. The offset value is from 1 to 4000 bytes.
insert-before map_name | (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
When you use the match content command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information on commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
The ACE supports regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces, if the spaces are escaped or quoted. Table 2-9 lists the supported characters that you can use in regular expressions.
Table 2-9 Characters Supported in Regular Expressions
Convention | Description
.* | Zero or more characters.
. | Exactly one character.
\. | Escaped character.
\xhh | Any ASCII character as specified in a two-digit hex notation.
() | Expression grouping.
Bracketed range [for example, 0-9] | Matches any single character from the range.
A leading ^ in a range [^charset] | Does not match any character in the range; all other characters represent themselves.
(expr1 | expr2) | OR of expressions.
(expr)* | 0 or more of expressions.
(expr)+ | 1 or more of expressions.
(expr){m,n} | Matches the previous item between m and n times; valid entries are from 1 to 255.
(expr){m} | Matches the previous item exactly m times; valid entries are from 1 to 255.
(expr){m,} | Matches the previous item m or more times; valid entries are from 1 to 255.
\a | Alert (ASCII 7).
\b | Backspace (ASCII 8).
\f | Form-feed (ASCII 12).
\n | New line (ASCII 10).
\r | Carriage return (ASCII 13).
\t | Tab (ASCII 9).
\v | Vertical tab (ASCII 11).
\0 | Null (ASCII 0).
\\ | Backslash.
Examples
To specify a content expression contained within the entity body sent with an HTTP request, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH1 content .*newp2psig
host1/Admin(config-pmap-ins-http-m)#
Related Commands
This command has no related commands.
(config-pmap-ins-http) match content length
To configure the Layer 7 HTTP inspection policy map to define application inspection decisions in the HTTP content up to the configured maximum content parse length, use the match content length command. Use the no form of the command to clear the HTTP content length match criteria from the policy map.
match name content length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2} [insert-before map_name]
no match name
Syntax Description
name | Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
eq bytes | Specifies a value for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length equal to the specified value. Valid entries are from 1 to 65535 bytes.
gt bytes | Specifies a minimum value for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length greater than the specified value. Valid entries are from 1 to 65535 bytes.
lt bytes | Specifies a maximum value for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length less than the specified value. Valid entries are from 1 to 65535 bytes.
range bytes1 bytes2 | Specifies a size range for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length within this range. The range is from 1 to 65535 bytes.
insert-before map_name | (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
Messages that meet the specified criteria will be either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action.
When you use the match content length command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information on commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
Examples
To define application inspection decisions in the HTTP content up to the configured maximum content parse length, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH2 content length eq 3495
host1/Admin(config-pmap-ins-http-m)#
Related Commands
This command has no related commands.
(config-pmap-ins-http) match content-type-verification
To verify that the MIME type of the message content matches the MIME type declared in the HTTP header, use the match content-type-verification command. Use the no form of the command to clear the MIME-type match criteria from the policy map.
match name content-type-verification [insert-before map_name]
no match name
Syntax Description
name | Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
insert-before map_name | (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
A1(7) | This command was introduced.
Usage Guidelines
When you use the match content-type-verification command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information on commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
This inline match condition limits the MIME types in HTTP messages allowed through the ACE. It verifies that the header MIME-type value is in the internal list of supported MIME types and that the header MIME type matches the actual content in the data or entity body portion of the message. If they do not match, the ACE performs either the permit or reset policy map action.
The MIME-type HTTP inspection process searches the entity body of the HTTP message, which may degrade performance of the ACE.
Examples
To verify that the MIME type of the message content matches the MIME type declared in the HTTP header, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH3 content-type-verification
host1/Admin(config-pmap-ins-http-m)#
Related Commands
This command has no related commands.
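The following is an added example, not ACE code or Cisco's: a Python model of an all-match HTTP inspection policy map that combines the match content-type-verification and match content length conditions described above, and applies the all-match rule from the start of this section (every match is evaluated, actions run in order, and a reset ends evaluation). The magic-byte table standing in for the ACE's internal MIME list, the text-type heuristic, and the sample requests are constructed assumptions.

```python
"""Model of an ACE all-match HTTP inspection policy map.

Constructed example (not ACE code): shows how match
content-type-verification and match content length combine under
all-match evaluation, where each matching entry's action runs until a
reset is encountered.
"""

# Assumption: the ACE's internal list of supported MIME types is not on
# this page, so leading "magic" bytes stand in for it here.
MAGIC_BYTES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "application/pdf": (b"%PDF-",),
    "application/zip": (b"PK\x03\x04",),
}
TEXT_TYPES = {"text/html", "text/plain", "application/json"}


def split_message(raw):
    """Split a raw HTTP message into (header dict, entity body).

    Header names are lower-cased. The body starts right after the empty
    CRLF CRLF line, which is also where the match content offset begins.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def content_type_verified(headers, body):
    """True when the declared Content-Type is supported and fits the body."""
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    if declared in MAGIC_BYTES:
        return any(body.startswith(m) for m in MAGIC_BYTES[declared])
    if declared in TEXT_TYPES:
        return b"\x00" not in body            # binary data posing as text
    return False                               # not in the supported list


def content_length_matches(body, op, n1, n2=None):
    """Emulate match content length {eq | gt | lt | range}."""
    n = len(body)
    return {"eq": n == n1, "gt": n > n1, "lt": n < n1,
            "range": n2 is not None and n1 <= n <= n2}[op]


# Each inline match: (name, predicate(headers, body), action). The actions
# are the two offered in the match configuration mode: permit or reset.
# MATCH_TYPE fires when verification fails, as the page describes.
POLICY = [
    ("MATCH_TYPE", lambda h, b: not content_type_verified(h, b), "reset"),
    ("MATCH_BIG", lambda h, b: content_length_matches(b, "gt", 4096), "reset"),
    ("MATCH_SMALL", lambda h, b: content_length_matches(b, "range", 1, 4096), "permit"),
]


def inspect_http(raw, policy=POLICY):
    """Apply the policy with all-match semantics.

    Returns (verdict, names_of_matches_whose_action_ran).
    """
    headers, body = split_message(raw)
    matched, verdict = [], "permit"
    for name, pred, action in policy:
        if pred(headers, body):
            matched.append(name)
            if action == "reset":
                verdict = "reset"
                break                          # a deny ends evaluation
    return verdict, matched


# Constructed sample requests.
PNG_UPLOAD = (b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n"
              b"Content-Type: image/png\r\n\r\n"
              + b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
FAKE_PNG = (b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n"
            b"Content-Type: image/png\r\n\r\n"
            + b"<html><script>document.title=1</script></html>")
HUGE_TEXT = (b"POST /notes HTTP/1.1\r\nHost: files.example.test\r\n"
             b"Content-Type: text/plain\r\n\r\n" + b"A" * 5000)

if __name__ == "__main__":
    for label, msg in [("png", PNG_UPLOAD), ("fake png", FAKE_PNG),
                       ("huge text", HUGE_TEXT)]:
        print(label, inspect_http(msg))
```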
(config-pmap-ins-http) match header
To define HTTP deep packet inspection decisions based on the name and value in an HTTP header, use the match header command. The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP header expression. Use the no form of the command to clear an HTTP header match criteria from the policy map.
match name header {header_name | header_field} header-value expression [insert-before map_name]
no match name header
Syntax Description
name
|
Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
|
header_name
|
Name of the HTTP header to match (for example, www.example1.com). The range is from 1 to 64 alphanumeric characters.
Note The header_name argument cannot include the colon in the name of the HTTP header; the ACE rejects the colon as an invalid token.
|
header_field
|
Standard HTTP/1.1 header field. Valid selections include request-header fields, general-header fields, and entity-header fields. Selections also include two lower-level header-matching commands: "length" and "mime-type." The supported selections are as follows:
• Accept—Semicolon-separated list of representation schemes (content type metainformation values) that will be accepted in the response to the request.
• Accept-Charset—Character sets that are acceptable for the response. This field allows clients capable of understanding more comprehensive or special-purpose character sets to signal that capability to a server that can represent documents in those character sets.
|
| |
• Accept-Encoding—Restricts the content encoding that a user will accept from the server.
• Accept-Language—ISO code for the language in which the document is written. The language code is an ISO 3316 language code with an optional ISO639 country code to specify a national variant.
• Authorization—Specifies that the user agent wants to authenticate itself with a server, usually after receiving a 401 response.
• Cache-Control—Directives that must be obeyed by all caching mechanisms along the request/response chain. The directives specify behavior intended to prevent caches from adversely interfering with the request or response.
• Connection—Allows the sender to specify connection options.
• Content-MD5—MD5 digest of the entity body that provides an end-to-end integrity check. Only a client or an origin server can generate this header field.
• Expect—Used by a client to inform the server about the behaviors that the client requires.
• From—Contains the e-mail address of the person that controls the requesting user agent.
• Host—Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource. The Host field value must represent the naming authority of the origin server or gateway given by the original URL.
• If-Match—Used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that one of those entities is current by including a list of their associated entity tags in the If-Match header field. This feature allows efficient updates of cached information with a minimum amount of transaction overhead. It is also used on updating requests to prevent inadvertent modification of the wrong version of a resource. As a special case, the value "*" matches any current entity of the resource.
• length —See the (config-pmap-ins-http) match header length command for details.
• mime-type—See the (config-pmap-ins-http) match header mime-type command for details.
• Pragma—Pragma directives that are understood by servers to whom the directives are relevant. The syntax is the same as for other multiple-value fields in HTTP. For example, the accept field is a comma-separated list of entries for which the optional parameters are separated by semicolons.
|
| |
• Referer—Address (URI) of the resource from which the URI in the request was obtained.
• Transfer-Encoding—Indicates what (if any) type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient.
• User-Agent—Information about the user agent (for example, a software program that originates the request). This information is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents.
• Via—Used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests and between the origin server and the client on responses.
header-value expression
Specifies the header value expression string to compare against the value in the specified field in the HTTP header. The range is from 1 to 255 alphanumeric characters. For a list of supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
insert-before map_name
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
When you use the match header command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information on commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. For a list of supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
Examples
To filter on the content and allow HTTP headers that contain the expression html, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH4 header accept header-value html
host1/Admin(config-pmap-ins-http-m)#
Related Commands
This command has no related commands.
(config-pmap-ins-http) match header length
By default, the maximum header length for HTTP deep packet inspection is 2048 bytes. To limit the HTTP traffic allowed through the ACE based on the length of the entity body in the HTTP message, use the match header length command. Messages will be either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action. Use the no form of the command to clear an HTTP header length match criteria from the policy map.
match name header length {request | response} {eq bytes | gt bytes | lt bytes | range bytes1 bytes2} [insert-before map_name]
no match name
Syntax Description
name
Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
request
Specifies the size of the HTTP header request message that can be received by the ACE.
response
Specifies the size of the HTTP header response message sent by the ACE.
eq bytes
Specifies a value for the entity body in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with an entity body size equal to the specified value. Valid entries are from 1 to 65535 bytes.
gt bytes
Specifies a minimum value for the entity body in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with an entity body size greater than the specified value. Valid entries are from 1 to 65535 bytes.
lt bytes
Specifies a maximum value for the entity body in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with an entity body size less than the specified value. Valid entries are from 1 to 65535 bytes.
range bytes1 bytes2
Specifies a size range for the entity body in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with an entity body size within this range. The range is from 1 to 65535 bytes.
insert-before map_name
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
When you use the match header length command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information on commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
Examples
To specify that the policy map match on HTTP traffic received with a length less than or equal to 3600 bytes in the entity body of the HTTP message, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH4 header length request eq 3600
host1/Admin(config-pmap-ins-http-m)
Related Commands
This command has no related commands.
(config-pmap-ins-http) match header mime-type
To specify a subset of the MIME-type messages that the ACE permits or denies based on the actions in the policy map, use the match header mime-type command. Use the no form of the command to deselect the specified Multipurpose Internet Mail Extension (MIME) message match criteria from the policy map.
match name header mime-type mime_type [insert-before map_name]
no match name
Syntax Description
name
Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
mime_type
MIME type. The ACE includes a predefined list of MIME types, such as image\jpeg, text\html, application\msword, or audio\mpeg. Choose whether only the MIME types included in this list are permitted through the ACE firewall or whether all MIME types are acceptable. The default behavior is to allow all MIME types.
The supported MIME types are as follows:
• application\msexcel
• application\mspowerpoint
• application\msword
• application\octet-stream
• application\pdf
• application\postscript
• application\x-gzip
• application\x-java-archive
• application\x-java-vm
• application\x-messenger
• application\zip
• audio\*
• audio\basic
• audio\midi
• audio\mpeg
• audio\x-adpcm
• audio\x-aiff
• audio\x-ogg
• audio\x-wav
• image\*
• image\gif
• image\jpeg
• image\png
• image\tiff
• image\x-3ds
• image\x-bitmap
• image\x-niff
• image\x-portable-bitmap
• image\x-portable-greymap
• image\x-xpm
• text\*
• text\css
• text\html
• text\plain
• text\richtext
• text\sgml
• text\xmcd
• text\xml
• video\*
• video\flc
• video\mpeg
• video\quicktime
• video\sgi
• video\x-fli
insert-before map_name
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
When you use the match header mime-type command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information on commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
MIME extends the format of Internet mail to allow non-US-ASCII textual messages, nontextual messages, multipart message bodies, and non-US-ASCII information in message headers; MIME-type matching lets the ACE permit or deny messages by that declared type.
Examples
To specify that the policy map permits MIME-type audio/midi messages through the ACE, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH5 header mime-type audio\midi
host1/Admin(config-pmap-ins-http-m)#
Related Commands
This command has no related commands.
(config-pmap-ins-http) match port-misuse
To define HTTP deep packet inspection compliance decisions that restrict certain HTTP traffic from passing through the ACE, use the match port-misuse command. Use the no form of the command to clear the HTTP restricted application category match criteria from the policy map.
match name port-misuse {im | p2p | tunneling} [insert-before map_name]
no match name
Syntax Description
name
Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
im
Defines the instant messaging application category. The ACE checks for the Yahoo Messenger instant messaging application.
p2p
Defines the peer-to-peer application category. The applications checked include Kazaa and Gnutella.
tunneling
Defines the tunneling application category. The applications checked include HTTPort/HTTHost, GNU httptunnel, and FireThru.
insert-before map_name
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
The policy map detects the misuse of port 80 (or any other port running HTTP) for tunneling protocols such as peer-to-peer (p2p) applications, tunneling applications, and instant messaging.
When you use the match port-misuse command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information on commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
The port misuse application inspection process searches the entity body of the HTTP message, which may degrade performance of the ACE.
The ACE disables the match port-misuse command by default. If you do not configure a restricted HTTP application category, the default action by the ACE is to allow the applications without generating a log.
Examples
To specify that the policy map identifies peer-to-peer applications as restricted HTTP traffic, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH6 port-misuse p2p
host1/Admin(config-pmap-ins-http-m)#
Related Commands
This command has no related commands.
(config-pmap-ins-http) match request-method
By default, the ACE allows all request and extension methods. To define HTTP deep packet inspection compliance decisions based on the request methods defined in RFC 2616 and by HTTP extension methods, use the match request-method command. If the HTTP request method or extension method compliance check fails, the ACE denies or resets the specified HTTP traffic based on the policy map action. Use the no form of the command to clear the HTTP request method match criteria from the policy map.
match name request-method {ext method | rfc method} [insert-before map_name]
no match name
Syntax Description
name
Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
ext method
Specifies an HTTP extension method. If the HTTP request message does not contain one of the RFC 2616 HTTP request methods, the ACE checks whether it is an extension method. The ACE supports the inspection of the following HTTP request extension methods: copy, edit, getattr, getattrname, getprops, index, lock, mkdir, move, revadd, revlabel, revlog, revnum, save, setattr, startrev, stoprev, unedit, and unlock.
rfc method
Specifies an RFC 2616 HTTP request method on which you want to perform an RFC compliance check. The ACE supports the inspection of the following RFC 2616 HTTP request methods: connect, delete, get, head, options, post, put, and trace.
insert-before map_name
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
When you use the match request-method command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information on commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
For unsupported HTTP request methods, include the inspect http strict command as an action in the Layer 3 and Layer 4 policy map (see (config-pmap-c) inspect command).
The ACE disables the match request-method command by default. If you do not configure a request method, the default action by the ACE is to allow the RFC 2616 HTTP request method without generating a log.
Examples
To specify that the policy map identifies the index HTTP extension method for application inspection, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH7 request-method ext index
host1/Admin(config-pmap-ins-http-m)#
Related Commands
This command has no related commands.
(config-pmap-ins-http) match strict-http
To ensure that the internal compliance checks verify message compliance with the HTTP RFC standard, RFC 2616, use the match strict-http command. If the HTTP message is not compliant, the ACE denies or resets the specified HTTP traffic based on the policy map action. Use the no form of the command to clear the HTTP RFC standard, RFC 2616, match criteria from the policy map.
match name strict-http [insert-before map_name]
no match name
Syntax Description
name
Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
insert-before map_name
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
When you use the match strict-http command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information on commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
Examples
To configure the policy map to ensure that the internal compliance checks verify message compliance with the HTTP RFC standard, RFC 2616, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH8 strict-http
host1/Admin(config-pmap-ins-http-m)#
Related Commands
This command has no related commands.
(config-pmap-ins-http) match transfer-encoding
To define HTTP deep packet inspection decisions that limit the HTTP transfer-encoding types that can pass through the ACE, use the match transfer-encoding command. Use the no form of the command to clear the HTTP transfer-encoding type match criteria from the policy map.
match name transfer-encoding coding_types [insert-before map_name]
no match name
Syntax Description
name
Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
transfer-encoding coding_types
Specifies the HTTP transfer-encoding type for the class map. The possible values for coding_types are as follows:
• chunked—Message body transferred as a series of chunks.
• compress—Encoding format produced by the common UNIX file compression program "compress." This format is an adaptive Lempel-Ziv-Welch coding (LZW).
• deflate—The zlib format defined in RFC 1950, using the deflate compression mechanism described in RFC 1951.
• gzip—Encoding format produced by the file compression program gzip (GNU zip) as described in RFC 1952. This format is a Lempel-Ziv coding (LZ77) with a 32-bit CRC.
• identity—Default (identity) encoding, which does not require the use of transformation.
insert-before map_name
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
When you use the match transfer-encoding command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information on commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient. When an HTTP request message contains the configured transfer-encoding type, the ACE performs the configured action in the policy map.
Each match transfer-encoding command configures a single transfer-encoding type.
The ACE disables the match transfer-encoding command by default.
Examples
To configure the policy map to specify a chunked HTTP transfer encoding type to limit the HTTP traffic that flows through the ACE, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH9 transfer-encoding chunked
host1/Admin(config-pmap-ins-http-m)#
Related Commands
This command has no related commands.
(config-pmap-ins-http) match url
To define HTTP deep packet inspection decisions based on the URL name and, optionally, the HTTP method, use the match url command. The ACE performs regular expression matching of the URL expression against the received packet data from a particular connection. Use the no form of the command to remove the URL name match criteria from the policy map.
match name url expression [insert-before map_name]
no match name
Syntax Description
name
Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
expression
URL, or portion of a URL, to match. The URL string range is from 1 to 256 characters. Include only the portion of the URL that follows www.hostname.domain in the match statement.
insert-before map_name
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
When you use the match url command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information on commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
Include only the portion of the URL that follows www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE supports the use of regular expressions for matching. For a list of the supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
The period (.) does not have a literal meaning in regular expressions. Use either brackets ([]) or the backslash (\) character to match this symbol. For example, specify www[.]xyz[.]com instead of www.xyz.com.
Examples
To configure the policy map to define application inspection decisions based on a URL, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH_URL url whatsnew/latest.*
host1/Admin(config-pmap-ins-http-m)#
Related Commands
This command has no related commands.
(config-pmap-ins-http) match url length
To limit the HTTP traffic allowed through the ACE by specifying the maximum length of a URL in a request message that can be received by the ACE, use the match url length command. Messages will be either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action. Use the no form of the command to clear a URL length match criteria from the policy map.
match name url length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2} [insert-before map_name]
no match name
Syntax Description
name
Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
eq bytes
Specifies a value for the HTTP URL length received by the ACE. Based on the policy map action, the ACE allows or denies messages with an HTTP URL length equal to the specified value. Valid entries are from 1 to 65535 bytes.
gt bytes
Specifies a minimum value for the HTTP URL length received by the ACE. Based on the policy map action, the ACE allows or denies messages with an HTTP URL length greater than the specified value. Valid entries are from 1 to 65535 bytes.
lt bytes
Specifies a maximum value for the HTTP URL length received by the ACE. Based on the policy map action, the ACE allows or denies messages with an HTTP URL length less than the specified value. Valid entries are from 1 to 65535 bytes.
range bytes1 bytes2
Specifies a size range for the HTTP URL length received by the ACE. Based on the policy map action, the ACE allows or denies messages with an HTTP URL length within this range. The range is from 1 to 65535 bytes.
insert-before map_name
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map inspection HTTP configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
When you use the match url length command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the ACE should take when network traffic matches the specified inline match command. For information on commands in this mode, see the "Policy Map Inspection HTTP Match Configuration Mode Commands" section.
Examples
To specify that the policy map is to match on a URL with a length less than or equal to 10,000 bytes in the request message, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH10 url length eq 10000
host1/Admin(config-pmap-ins-http-m)#
Related Commands
This command has no related commands.
Policy Map Inspection HTTP Class Configuration Mode Commands
Policy map inspection HTTP class configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 7 HTTP deep packet inspection class map. To access policy map inspection HTTP class configuration mode, use the class command in policy map inspection HTTP configuration mode (see the (config-pmap-ins-http) class command for details). The prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-c).
The default of the ACE is to permit HTTP traffic. For example, if a policy map explicitly permits the HTTP GET method, other methods such as PUT will also be permitted. Only an explicit deny through the reset command is capable of dropping traffic.
The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
(config-pmap-ins-http-c) permit
To allow the specified HTTP traffic to be received by the ACE if it passes the HTTP deep packet inspection match criteria specified in the class map, use the permit command. Use the no form of the command to disallow the specified HTTP traffic to be received by the ACE.
permit
no permit
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map inspection HTTP class configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
By default, HTTP inspection allows traffic that does not match any of the configured Layer 7 HTTP deep packet inspection matches. You can modify this behavior by including the class class-default command with the reset action to deny the specified Layer 7 HTTP traffic. In this case, if none of the class matches configured in the Layer 7 HTTP deep packet inspection policy map are hit, the class-default action will be taken by the ACE. For example, you can include a class map to allow the HTTP GET method and use the class class-default command to block all of the other requests.
Note
By default, all matches are applied to both HTTP request and response messages, but the class class-default command is applied only to HTTP requests.
Examples
To allow the specified HTTP traffic to be received by the ACE if the class map match criteria in class map L7HTTP_CHECK are met, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# class L7HTTP_CHECK
host1/Admin(config-pmap-ins-http-c)# permit
Related Commands
This command has no related commands.
(config-pmap-ins-http-c) reset
To deny the specified HTTP traffic by sending a TCP reset message to the client or server to close the connection, use the reset command. Use the no form of the command to allow the specified HTTP traffic to be received by the ACE.
reset
no reset
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map inspection HTTP class configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To deny the specified HTTP traffic from being received by the ACE if the class map match criteria in class map L7HTTP_CHECK are met, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# class L7HTTP_CHECK
host1/Admin(config-pmap-ins-http-c)# reset
Related Commands
This command has no related commands.
Policy Map Inspection HTTP Match Configuration Mode Commands
Policy map inspection HTTP match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map inspection HTTP match configuration mode, use one of the match commands in policy map inspection HTTP configuration mode (see the "Policy Map Inspection HTTP Configuration Mode Commands" section for command details). The prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m).
The inline Layer 7 policy map match commands allow you to include a single inline match criteria in the policy map without specifying a traffic class. The match commands function the same as with the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the Layer 7 policy map.
The default of the ACE is to permit HTTP traffic. For example, if a policy map explicitly permits the HTTP GET method, other methods such as PUT will also be permitted. Only an explicit deny through the reset command is capable of dropping traffic.
The commands in this mode require the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
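The inline match commands described above and the permit and reset actions of this mode can be traced end to end with a small evaluator. The following Python model is an added example written for this page, not Cisco ACE code: it reuses the page's example match names, handles request messages only, and assumes (the page does not say) that when a permit match and a reset match both hit, the reset wins.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Method and coding names the page lists for match request-method and match transfer-encoding.
RFC_METHODS = {"connect", "delete", "get", "head", "options", "post", "put", "trace"}
EXT_METHODS = {"copy", "edit", "getattr", "getattrname", "getprops", "index", "lock", "mkdir",
               "move", "revadd", "revlabel", "revlog", "revnum", "save", "setattr", "startrev",
               "stoprev", "unedit", "unlock"}
CODING_TYPES = {"chunked", "compress", "deflate", "gzip", "identity"}

@dataclass
class HttpRequest:
    method: str
    url: str
    headers: dict  # header names lowercased

def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser: request line plus headers, body ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, url, headers)

def length_test(value: int, op: str, *bounds: int) -> bool:
    """The eq / gt / lt / range operators of the match ... length commands."""
    return {"eq": value == bounds[0], "gt": value > bounds[0],
            "lt": value < bounds[0], "range": bounds[0] <= value <= bounds[-1]}[op]

@dataclass
class InlineMatch:
    name: str    # inline match name, for example MATCH4
    kind: str    # header | url | url-length | request-method | transfer-encoding
    args: tuple  # the command's arguments
    action: str  # "permit" or "reset", the (config-pmap-ins-http-m) action

def match_hits(m: InlineMatch, req: HttpRequest) -> bool:
    """True when the request satisfies one inline match criterion."""
    if m.kind == "header":             # match header <field> header-value <expr>
        value = req.headers.get(m.args[0].lower())
        return value is not None and re.search(m.args[1], value) is not None
    if m.kind == "url":                # match url <expr>: regex over the request URL
        return re.search(m.args[0], req.url) is not None
    if m.kind == "url-length":         # match url length {eq|gt|lt|range} ...
        return length_test(len(req.url.encode("iso-8859-1")), *m.args)
    if m.kind == "request-method":     # match request-method {rfc|ext} <method>
        family, method = m.args
        if method not in (RFC_METHODS if family == "rfc" else EXT_METHODS):
            raise ValueError(f"{method!r} is not a supported {family} method")
        return req.method.lower() == method
    if m.kind == "transfer-encoding":  # match transfer-encoding <coding_type>
        if m.args[0] not in CODING_TYPES:
            raise ValueError(f"unsupported coding type {m.args[0]!r}")
        codings = req.headers.get("transfer-encoding", "").lower().split(",")
        return m.args[0] in {c.strip() for c in codings}
    raise ValueError(f"unknown match kind {m.kind!r}")

def evaluate(matches: list, raw: bytes, class_default: Optional[str] = None) -> str:
    """Decide 'permit' or 'reset' for one request under an all-match inspection policy."""
    req = parse_request(raw)
    actions = [m.action for m in matches if match_hits(m, req)]
    if actions:
        # Assumption of this model: when several inline matches hit, an explicit
        # reset outranks a permit (the page says only reset can drop traffic).
        return "reset" if "reset" in actions else "permit"
    # Nothing hit: class class-default decides (requests only), else the ACE
    # default, which is to permit.
    return class_default or "permit"

# A policy built from the page's own example match names; the actions are assumed.
POLICY = [
    InlineMatch("MATCH4", "header", ("accept", "html"), "permit"),
    InlineMatch("MATCH_URL", "url", (r"/latest/whatsnew.*",), "permit"),
    InlineMatch("MATCH9", "transfer-encoding", ("chunked",), "reset"),
    InlineMatch("MATCH7", "request-method", ("ext", "index"), "reset"),
    InlineMatch("MATCH10", "url-length", ("gt", 256), "reset"),
]

# Constructed sample requests, not captured traffic.
HOST = b"\r\nHost: www.example.test\r\n"
SAMPLES = {
    "browser": b"GET /latest/whatsnew.html HTTP/1.1" + HOST + b"Accept: text/html\r\n\r\n",
    "chunked": b"POST /upload HTTP/1.1" + HOST + b"Accept: text/html\r\nTransfer-Encoding: chunked\r\n\r\n",
    "index": b"INDEX /docs HTTP/1.1" + HOST + b"\r\n",
    "long_url": b"GET /" + b"a" * 300 + b" HTTP/1.1" + HOST + b"\r\n",
    "no_hit": b"DELETE /item/42 HTTP/1.1" + HOST + b"\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:9s} default={evaluate(POLICY, raw):6s} "
              f"class-default reset={evaluate(POLICY, raw, 'reset')}")
```

The last two columns of the output show the difference the class class-default reset makes: a request that hits no inline match is permitted by default and reset only when class-default is configured.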
(config-pmap-ins-http-m) permit
To allow the specified HTTP traffic to be received by the ACE if it passes inspection of the match criteria in an inline match condition, use the permit command. Use the no form of the command to disallow the specified HTTP traffic to be received by the ACE.
permit
no permit
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map inspection HTTP match configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
The default of the ACE is to permit HTTP traffic. For example, if a policy map explicitly permits the HTTP GET method, other methods such as PUT will also be permitted. Only an explicit deny through the reset command is capable of dropping traffic.
Examples
To allow the specified HTTP traffic to be received by the ACE if the match criteria are met, enter:
host1/Admin(config)# policy-map inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH5 transfer-encoding chunked
host1/Admin(config-pmap-ins-http-m)# permit
Related Commands
This command has no related commands.
(config-pmap-ins-http-m) reset
To deny the specified HTTP traffic by sending a TCP reset message to the client or server to close the connection, use the reset command. Use the no form of the command to allow the specified HTTP traffic to be received by the ACE.
reset
no reset
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map inspection HTTP match configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To deny the specified HTTP traffic from being received by the ACE if the match criteria are met, enter:
host1/Admin(config)# policy-map inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# match MATCH5 transfer-encoding chunked
host1/Admin(config-pmap-ins-http-m)# reset
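The permit and reset examples above each attach one action to one inline match. Because the ACE permits HTTP traffic by default (see the usage guidelines for the permit command), an inspection policy blocks only what it explicitly resets. The following configuration, an added example that is not part of the original page, puts that together: a class map groups the methods to reject under a single reset, inline matches reset chunked transfer encoding and requests that violate strict HTTP parsing, and the inspection policy is nested in a Layer 3 and Layer 4 policy as described for the (config-pmap-c) inspect command. Class map, policy map and match names, the VIP address 10.1.1.100 and the VLAN number are assumptions; lines beginning with "!" are annotations for the reader, not configuration.

```cisco
! Added example, not from the original page. Names, the VIP address and the
! VLAN number are assumptions.

! Several criteria in one class map (match-any): any one of them triggers the
! action configured under the class in the policy map.
class-map type http inspect match-any DENY_METHODS
  match request-method rfc put
  match request-method rfc delete
  match request-method rfc trace
  match request-method rfc connect

policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
  ! Class map reference: one reset covers every method listed above.
  class DENY_METHODS
    reset
  ! Inline matches: one criterion each, each with its own action.
  match NO_CHUNKED transfer-encoding chunked
    reset
  match RFC_ONLY strict-http
    reset
  ! Documentation only: GET is permitted by default whether or not it is listed.
  match ALLOW_GET request-method rfc get
    permit

! Nest the Layer 7 inspection policy in a Layer 3/4 policy and apply it to a VLAN.
class-map match-all HTTP_VIP
  match virtual-address 10.1.1.100 tcp eq www

policy-map multi-match L4_HTTP_POLICY
  class HTTP_VIP
    loadbalance vip inservice
    inspect http policy HTTP_DEEPINSPECT_L7POLICY

interface vlan 100
  service-policy input L4_HTTP_POLICY
  no shutdown
```

When auditing such a policy, review the reset entries rather than the permit entries: the ALLOW_GET match changes nothing, and any method, encoding or header that no reset covers reaches the servers.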
Related Commands
This command has no related commands.
Policy Map Load Balancing Configuration Mode Commands
Policy map load balancing configuration mode commands allow you to specify a Layer 7 policy map that defines Layer 7 HTTP server load-balancing decisions. The ACE executes only the action specified against the first matching load-balancing classification.
To create a Layer 7 server load balancing (SLB) policy map and access policy map load balancing configuration mode, use the policy-map type loadbalance first-match command. When you access the policy map load balancing configuration mode, the prompt changes to (config-pmap-lb). Use the no form of the command to remove a Layer 7 SLB policy map from the ACE.
policy-map type loadbalance first-match map_name
no policy-map type loadbalance first-match map_name
Syntax Description
map_name
    Name assigned to the Layer 7 SLB policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
You associate the Layer 7 load balancing policy map within a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can be associated only within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface. A Layer 7 policy map cannot be directly applied on a VLAN (or any) interface.
To associate the Layer 7 load-balancing policy map, you nest it by using the Layer 3 and Layer 4 (config-pmap-c) loadbalance policy command.
Examples
To create a Layer 7 SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)#
Related Commands
show startup-config
(config) class-map
(config-pmap-lb) class
To associate a Layer 7 server load balancing (SLB) class map with a Layer 7 SLB policy map, use the class command. The prompt changes from (config-pmap-lb) to (config-pmap-lb-c). For information on commands in this mode, see the "Policy Map Load Balancing Class Configuration Mode Commands" section. Use the no form of this command to remove an associated class map from a policy map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2] | class-default}
Syntax Description
name1
    Name of a previously defined Layer 7 SLB class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
insert-before name2
    (Optional) Places the current named class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration.
class-default
    Reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it that enables it to match all traffic.
Command Modes
Policy map load balancing configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To associate a Layer 7 SLB class map with a Layer 7 SLB policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7LOADBALNCE_CLASS
Related Commands
(config-pmap-lb) description
(config-pmap-lb) description
To provide a brief summary about the Layer 7 server load balancing (SLB) policy map, use the description command. Use the no form of the command to remove the description from the policy map.
description text
no description
Syntax Description
text
    Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes
Policy map load balancing configuration mode
Admin role in any user context
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To add a description that the policy map is to perform server load balancing, enter:
host1/Admin(config-pmap-lb)# description HTTP LOAD BALANCE PROTOCOL 1
Related Commands
(config-pmap-lb) class
(config-pmap-lb) match http cookie
To make server load balancing (SLB) decisions based on the name and string of a cookie, use the match http cookie command. Use the no form of the command to remove an HTTP cookie match statement from the policy map.
match name1 http cookie {name2 | secondary name3} cookie-value expression [insert-before map_name]
no match name1 http cookie {name2 | secondary name3} cookie-value expression
Syntax Description
name1
    Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
name2
    Unique cookie name. Enter an unquoted text string with no spaces and a maximum of 63 alphanumeric characters.
secondary name3
    Specifies a cookie in a URL string. You can specify the delimiters for cookies in a URL string using a command in an HTTP parameter map.
cookie-value expression
    Specifies a unique cookie value expression. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. For a list of supported characters that you can use for matching string expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
insert-before map_name
    (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map load balancing configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
When you use the match http cookie command, you access the policy map load balancing match configuration mode and the prompt changes from (config-pmap-lb) to (config-pmap-lb-m). For information on commands in this mode, see the "Policy Map Load Balancing Match Configuration Mode Commands" section.
The ACE performs regular expression matching against the received packet data from a particular connection based on the cookie expression. You can configure a maximum of five cookie names per VIP.
The ACE supports regular expressions for matching string expressions. For a list of supported characters that you can use for matching string expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
For details on defining a list of ASCII-character delimiter strings that you can use to separate the cookies in a URL string, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
Examples
To specify that the Layer 7 SLB policy map load balances on a cookie with the name of testcookie1, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH2 http cookie testcookie1 cookie-value 123456
Related Commands
(config-parammap-http) set content-maxparse-length
(config-parammap-http) set secondary-cookie-delimiters
(config-pmap-lb) match http header
To make server load balancing (SLB) decisions based on the name and value of an HTTP header, use the match http header command. The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP header expression. Use the no form of the command to clear an HTTP header match criterion from the policy map.
match name http header {header_name | header_field} header-value expression [insert-before map_name]
no match name http header {header_name | header_field} header-value expression
Syntax Description
name
    Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
header_name
    Name of the HTTP header to match (for example, Host, or a custom header such as X-Forwarded-For). The range is from 1 to 64 alphanumeric characters.
    Note The header_name argument cannot include the colon in the name of the HTTP header; the ACE rejects the colon as an invalid token.
header_field
    A standard HTTP/1.1 header field. Valid selections include request-header fields, general-header fields, and the entity-header field. The supported selections are the following:
    • Accept—Comma-separated list of representation schemes (content type metainformation values) that will be accepted in the response to the request.
    • Accept-Charset—Character sets that are acceptable for the response. This field allows clients capable of understanding more comprehensive or special-purpose character sets to signal that capability to a server that can represent documents in those character sets.
    • Accept-Encoding—Restricts the content encoding that a user will accept from the server.
    • Accept-Language—ISO code for the language in which the document is written. The language code is an ISO 639 language code with an optional ISO 3166 country code to specify a national variant.
    • Authorization—Specifies that the user agent wants to authenticate itself with a server, usually after receiving a 401 response.
    • Cache-Control—Directives that must be obeyed by all caching mechanisms along the request/response chain. The directives specify behavior intended to prevent caches from adversely interfering with the request or response.
    • Connection—Allows the sender to specify connection options.
    • Content-MD5—MD5 digest of the entity body that provides an end-to-end integrity check. Only a client or an origin server can generate this header field.
    • Expect—Used by a client to inform the server about the behaviors that the client requires.
    • From—Contains the e-mail address of the person that controls the requesting user agent.
    • Host—Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource. The Host field value must represent the naming authority of the origin server or gateway given by the original URL.
    • If-Match—Used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that one of those entities is current by including a list of their associated entity tags in the If-Match header field. This feature allows efficient updates of cached information with a minimum amount of transaction overhead. It is also used on updating requests to prevent inadvertent modification of the wrong version of a resource. As a special case, the value "*" matches any current entity of the resource.
    • Pragma—Pragma directives that are understood by servers to whom the directives are relevant. The syntax is the same as for other multiple-value fields in HTTP. For example, the Accept field is a comma-separated list of entries for which the optional parameters are separated by semicolons.
    • Referer—Address (URI) of the resource from which the URI in the request was obtained.
    • Transfer-Encoding—Indicates what (if any) type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient.
    • User-Agent—Information about the user agent (for example, a software program that originates the request). This information is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents.
    • Via—Used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests and between the origin server and the client on responses.
header-value expression
    Specifies the header value expression string to compare against the value in the specified field in the HTTP header. The range is from 1 to 255 alphanumeric characters. For a list of supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
insert-before map_name
    (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map load balancing configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
When you use the match http header command, you access the policy map load balancing match configuration mode and the prompt changes from (config-pmap-lb) to (config-pmap-lb-m). For information on commands in this mode, see the "Policy Map Load Balancing Match Configuration Mode Commands" section.
The ACE supports regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces if the spaces are escaped or quoted. For a list of supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
Examples
To specify that the Layer 7 SLB policy map load balances on an HTTP header named Host, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 http header Host header-value .*cisco.com
Related Commands
(config-parammap-http) set header-maxparse-length
(config-pmap-lb) match http url
To make server load balancing (SLB) decisions based on the URL name and, optionally, the HTTP method, use the match http url command. The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string. Use the no form of the command to remove a URL match statement from the policy map.
match name http url expression [method name] [insert-before map_name]
no match name http url expression [method name]
Syntax Description
name
    Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
expression
    URL, or portion of a URL, to match. Enter a URL string from 1 to 255 alphanumeric characters. Include only the portion of the URL that follows www.hostname.domain in the match statement. For a list of supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
method name
    (Optional) Specifies the HTTP method to match. Enter a method name as an unquoted text string with no spaces and a maximum of 15 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, PROTOPLASM).
insert-before map_name
    (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map load balancing configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
When you use the match http url command, you access the policy map load balancing match configuration mode and the prompt changes from (config-pmap-lb) to (config-pmap-lb-m). For information on commands in this mode, see the "Policy Map Load Balancing Match Configuration Mode Commands" section.
Include only the portion of the URL that follows www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. For a list of supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
The period (.) is a metacharacter that matches any single character; it has no literal meaning in regular expressions. Use either brackets ([]) or the backslash (\) character to match a literal period. For example, specify www[.]xyz[.]com instead of www.xyz.com, which would also match a string such as wwwXxyzXcom.
Examples
To specify that the Layer 7 SLB policy map load balances on a specific URL, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 http url whatsnew/latest.*
To use regular expressions to emulate a wildcard search to match on any .gif file, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 http url .*.gif
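The URL and Host examples above use unescaped periods, which the usage guidelines warn against, and a first-match policy stops at the first rule that hits, so rule order decides which server farm a request reaches. The following Layer 7 SLB policy, an added example that is not part of the original page, shows the tightened expressions, a specific rule placed before the general one, and a class map used where two criteria must both hold (an inline match carries a single criterion). Class, policy, match and server-farm names, the hostname, the paths and the 10.0.0.0/8 source range are assumptions; lines beginning with "!" are annotations for the reader, not configuration.

```cisco
! Added example, not from the original page. Names, hostname, paths and the
! 10.0.0.0/8 range are assumptions.

! Combining criteria (AND) needs a class map; an inline match carries one criterion.
class-map type http loadbalance match-all ADMIN_FROM_INSIDE
  match http url /admin/.*
  match source-address 10.0.0.0 255.0.0.0

policy-map type loadbalance first-match L7SLBPOLICY
  ! Most specific rule first: first-match stops at the first hit.
  class ADMIN_FROM_INSIDE
    serverfarm ADMIN_FARM
  ! Same path from any other source: drop instead of falling through to WEB_FARM.
  match ADMIN_OTHER http url /admin/.*
    drop
  ! "." is a metacharacter: .*.gif also matches /gif, /xgif or /logo-gif.
  ! Escape it so only a ".gif" suffix matches.
  match GIF_FILES http url .*\.gif
    serverfarm IMAGE_FARM
  ! Host check: .*cisco.com also accepts evilcisco.com or ciscoXcom;
  ! bracket the dots to match the literal hostname.
  match HOST_WWW http header Host header-value www[.]cisco[.]com
    serverfarm WEB_FARM
  ! Nothing matched (for example, an unexpected Host value): drop.
  class class-default
    drop
```

Whether the ACE anchors an expression at both ends of the value is not stated on this page; if it does not, www[.]cisco[.]com would also match www.cisco.com.evil.example, so test an expression against such inputs before relying on it. Enter the specific rules before the general ones: insert-before can repair the order in the running configuration, but the ACE does not save the reordering (see the (config-pmap-lb) class command).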
Related Commands
(config-parammap-http) set content-maxparse-length
(config-pmap-lb) match source-address
To specify a client source host IP address and subnet mask as the matching criterion, use the match source-address command. The policy map then applies its load-balancing action only to requests that arrive from the specified source network or host. Use the no form of the command to clear the source IP address and subnet mask match criterion from the policy map.
match name source-address ip_address mask [insert-before map_name]
no match name source-address ip_address mask
Syntax Description
name
    Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
ip_address
    Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
mask
    Subnet mask of the client entry in dotted-decimal notation (for example, 255.255.255.0).
insert-before map_name
    (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map load balancing configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
When you use the match source-address command, you access the policy map load balancing match configuration mode and the prompt changes from (config-pmap-lb) to (config-pmap-lb-m). For information on commands in this mode, see the "Policy Map Load Balancing Match Configuration Mode Commands" section.
Examples
To specify that the Layer 7 SLB policy map matches on source IP address 192.168.10.1 255.255.0.0, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match match3 source-address 192.168.10.1 255.255.0.0
Related Commands
This command has no related commands.
Policy Map Load Balancing Class Configuration Mode Commands
Policy map load balancing class configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 7 server load balancing (SLB) class map. To access policy map load balancing class configuration mode, use the class command in policy map load balancing configuration mode (see the (config-pmap-lb) class command for details). The prompt changes from (config-pmap-lb) to (config-pmap-lb-c).
The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
(config-pmap-lb-c) compress
To instruct the ACE to compress and encode packets that match a Layer 7 SLB policy map, use the compress command. Use the no form of this command to disable HTTP compression.
compress default-method {deflate | gzip}
no compress default-method {deflate | gzip}
Syntax Description
deflate
    Specifies the deflate compression method as the method to use when the client browser supports both deflate and gzip compression methods.
gzip
    Specifies the gzip compression method as the method to use when the client browser supports both deflate and gzip compression methods.
Command Modes
Policy map load balancing class configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
The compress command option displays only when you associate an HTTP-type class map with a policy map.
When a client request specifies deflate or gzip encoding in the Accept-Encoding field, the ACE uses either deflate or gzip to compress and encode the response content to the client. If both encoding formats are specified in the Accept-Encoding field, the response from the ACE will be encoded according to the compress default-method command in the Layer 7 SLB policy map.
HTTP compression is intended primarily for text-based content types. For example, the following are text-based content types:
• text/html
• text/plain
• text/xml
• text/css
• application/x-javascript
By default, the ACE supports HTTP compression at rates of 100 megabits per second (Mbps). Installing an optional HTTP compression license allows you to increase this value to a maximum of 1 Gbps. See the Cisco 4700 Series Application Control Engine Appliance Administration Guide for information on ACE licensing options.
When you enable HTTP compression, the ACE compresses the packets using the following default compression parameter values:
• Multipurpose Internet Mail Extension (MIME) type—All text formats (text/.*)
• Minimum content length size—512 bytes
• User agent exclusion—No user agent is excluded
You can create an HTTP parameter map to modify the compression parameters that the ACE uses (see the (config-parammap-http) compress command).
Examples
To enable compression and specify gzip as the HTTP compression method when both formats are included in the Accept-Encoding client request, enter:
host1/Admin(config-pmap-lb-c)# compress default-method gzip
Related Commands
(config-parammap-http) compress
(config-pmap-lb-c) drop
To instruct the ACE to discard packets that match a particular load-balancing criterion in the class map, use the drop command. Use the no form of this command to reset the ACE to its default of accepting packets from the policy map.
drop
no drop
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map load balancing class configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To instruct the ACE to discard packets that match a particular load-balancing criterion in the class map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# drop
Related Commands
This command has no related commands.
(config-pmap-lb-c) forward
To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, use the forward command. Use the no form of this command to reset the ACE to its default of load balancing packets from the policy map.
forward
no forward
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map load balancing class configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# forward
Related Commands
This command has no related commands.
(config-pmap-lb-c) insert-http
To specify the name and value of a generic header field that you want the ACE to insert in the HTTP header, use the insert-http command. Use the no form of this command to delete the HTTP header name and value from the policy map.
insert-http name header-value expression
no insert-http name header-value expression
Syntax Description
name
    Name of the generic header field that you want the ACE to insert in the HTTP header. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
header-value expression
    Specifies the header-value expression string to insert in the specified field in the HTTP header. Enter a text string with a maximum of 512 alphanumeric characters. See the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide for details.
Command Modes
Policy map load balancing class configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
To identify a client whose source IP address has been mapped to another IP address using NAT, you can instruct the ACE to insert a generic header and string value in the client HTTP request. (For information about NAT, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.)
For the name argument, you can specify any custom header name that you want, subject to the maximum character length. You can also enter any of the predefined header names described for the (config-pmap-lb) match http header command, regardless of whether that header name already exists in the client request header. The ACE does not overwrite any existing header information in the client request.
You can enter a maximum of 512 bytes of data for the header expression. If you enter more than 512 bytes, the ACE does not insert the header name and expression in the client request.
You can also insert connection information by using the following special parameter values as the header-value expression:
• %is—Inserts the source IP address in the HTTP header.
• %id—Inserts the destination IP address in the HTTP header.
• %ps—Inserts the source port in the HTTP header.
• %pd—Inserts the destination port in the HTTP header.
For Microsoft Outlook Web Access (OWA), specify the field name as HTTP_FRONT_END_HTTPS with a value of ON.
If either TCP server reuse or persistence rebalance is enabled, the ACE inserts a header in every client request.
Examples
For example, to specify the insert-http command as an action in the Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# insert-http Host header-value www.cisco.com
Related Commands
(config-parammap-http) server-conn reuse
(config-parammap-http) persistence-rebalance
(config-pmap-lb-c) serverfarm
To load balance a client request for content to a server farm, use the serverfarm command. Server farms are groups of networked real servers that contain the same content and reside in the same physical location. Use the no form of this command to remove the server-farm action from the Layer 7 load-balancing policy map.
serverfarm name1 [backup name2 [sticky | aggregate-state]]
no serverfarm name1 [backup name2 [sticky | aggregate-state]]
Syntax Description
name1
    Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
backup name2
    (Optional) Designates an existing server farm as a backup server farm if the original server farm becomes unavailable. Enter the name of an existing server farm that you want to designate as a backup server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
sticky
    (Optional) Specifies that the sticky group associated with the policy and applied to the primary server farm configured in that policy is also applied to the backup server farm. See the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide for details.
aggregate-state
    (Optional) Specifies that the state of the specified server farm is tied to the state of all the real servers in that server farm and in the backup server farm if configured. The ACE declares the primary server farm down if all real servers in the primary server farm and all real servers in the backup server farm are down.
Command Modes
Policy map load balancing class configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset (RST) to a client in response to a content request.
When you specify the sticky option, the ACE sends requests from the same client to the same configured real server in the primary server farm. If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm. If the primary server farm is sticky and you configured the sticky option, the backup server farm also becomes sticky. When the real server in the primary server farm becomes available again, the backup server farm continues to service existing connections. The ACE sends new connections from the same client to the backup server farm if it is sticky; otherwise, the ACE sends new connections to the primary server farm.
Examples
To specify the serverfarm command as an action in the load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# serverfarm FARM2 backup FARM3 sticky
Related Commands
This command has no related commands.
(config-pmap-lb-c) set ip tos
To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB) policy map, use the set ip tos command. This command marks a packet by writing the DSCP value into the six high-order bits of the IP Type of Service (ToS) byte. Once the DSCP bits are set, other Quality of Service (QoS) devices along the path can act on them. Use the no form of this command to reset the IP DSCP value to the default of 0.
set ip tos value
no set ip tos value
Syntax Description
value
|
IP DSCP value. Enter an integer from 0 to 63. The default is 0.
|
Command Modes
Policy map load balancing class configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.
Examples
The following example specifies the set ip tos command as a QoS action in the Layer 7 load-balancing policy map. All packets that satisfy the match criteria of L7SLBCLASS are marked with the IP DSCP value of 8. How packets marked with the IP DSCP value of 8 are treated is determined by the network configuration.
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# set ip tos 8
Related Commands
This command has no related commands.
(config-pmap-lb-c) ssl-proxy client
To specify a Secure Sockets Layer (SSL) proxy service in a Layer 7 load-balancing policy map, use the ssl-proxy client command. The ACE uses an SSL proxy service in a Layer 7 policy map to load balance outbound SSL initiation requests to SSL servers. In this case, the ACE acts as an SSL client that sends an encrypted request to an SSL server. Use the no form of this command to remove the SSL proxy service from the policy map.
ssl-proxy client name
no ssl-proxy client name
Syntax Description
name
|
Name of an existing SSL proxy service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
Command Modes
Policy map load-balancing class configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
For more information about configuring SSL, see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide.
Examples
To associate an SSL proxy service with a Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# ssl-proxy client SSL_SERVER_PROXY_SERVICE
Related Commands
This command has no related commands.
(config-pmap-lb-c) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
name
|
Name of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
Command Modes
Policy map load balancing class configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
For information about sticky groups, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
Examples
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# sticky-serverfarm STICKY_GROUP1
Related Commands
This command has no related commands.
Policy Map Load Balancing Match Configuration Mode Commands
Policy map load balancing match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the specified inline match command. To access policy map load balancing match configuration mode, use one of the match commands in policy map load balancing configuration mode (see the "Policy Map Load Balancing Configuration Mode Commands" section for details). The prompt changes from (config-pmap-lb) to (config-pmap-lb-m).
The inline Layer 7 policy map match commands allow you to include a single inline match criteria in the policy map without specifying a traffic class. The match commands function the same as with the Layer 7 server load balancing (SLB) class map match commands. However, when you use an inline match command, you can specify an action for only a single match command in the Layer 7 SLB policy map.
The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
(config-pmap-lb-m) drop
To instruct the ACE to discard packets that match a particular load-balancing criteria in an inline match command, use the drop command. Use the no form of this command to reset the ACE to its default of accepting packets from the policy map.
drop
no drop
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map load balancing match configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To instruct the ACE to discard packets that match a particular load-balancing criteria in the class map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-m)# drop
Related Commands
This command has no related commands.
(config-pmap-lb-m) forward
To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, use the forward command. Use the no form of this command to reset the ACE to its default of load balancing packets from the policy map.
forward
no forward
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map load balancing match configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-m)# forward
Related Commands
This command has no related commands.
(config-pmap-lb-m) insert-http
To specify the name and value of an HTTP header for Layer 7 load balancing, use the insert-http command. Use the no form of this command to delete the HTTP header name and value from the policy map.
insert-http name header-value expression
no insert-http name header-value expression
Syntax Description
name
|
Name of the generic header field that you want the ACE to insert in the HTTP header. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
header-value expression
|
Specifies the header-value expression string to insert in the specified field in the HTTP header. Enter a text string with a maximum of 255 alphanumeric characters. See the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide for details.
|
Command Modes
Policy map load balancing match configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
To identify a client whose source IP address has been mapped to another IP address using NAT, you can instruct the ACE to insert a generic header and string value in the client HTTP request. (For information about NAT, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.)
For the name argument, you can specify any custom header name that you want, subject to the maximum character length. You can also enter any of the predefined header names described for the (config-pmap-lb) match http header command, regardless of whether that header name already exists in the client request header. The ACE does not overwrite any existing header information in the client request.
You can also specify the following special header-value expressions using the following special parameter values:
•
%is—Inserts the source IP address in the HTTP header.
•
%id—Inserts the destination IP address in the HTTP header.
•
%ps—Inserts the source port in the HTTP header.
•
%pd—Inserts the destination port in the HTTP header.
For Microsoft Outlook Web Access (OWA), specify the field name as HTTP_FRONT_END_HTTPS with a value of ON.
With either TCP server reuse or persistence rebalance enabled, the ACE inserts a header in every client request.
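The NAT scenario in the usage guidelines, as a complete configuration. This is an added example, not from the original reference page or from Cisco: the VLAN numbers, addresses, NAT pool number, the server farm FARM2 (assumed to already exist) and the header names X-Forwarded-For and X-Forwarded-Port are assumptions for illustration; lines starting with "!" are annotations, not commands.

```cisco
! Added example, not from the original reference page or from Cisco.
! VLANs, addresses, pool number and the header names are assumptions.

! Server-side VLAN with a source NAT pool: every client reaches the
! servers from 192.168.20.200, so the servers cannot see the real client.
interface vlan 20
  ip address 192.168.20.1 255.255.255.0
  nat-pool 1 192.168.20.200 192.168.20.200 netmask 255.255.255.255 pat
  no shutdown

! Without persistence-rebalance (or server-conn reuse), only the first
! request on a persistent client connection gets the inserted header.
parameter-map type http HTTP_PARAM
  persistence-rebalance

! Layer 7 policy: carry the original client address and port to the server.
! %is expands to the client source IP, %ps to the client source port.
policy-map type loadbalance first-match L7SLBPOLICY
  class class-default
    insert-http X-Forwarded-For header-value "%is"
    insert-http X-Forwarded-Port header-value "%ps"
    serverfarm FARM2

! Layer 3/4 plumbing: VIP class, multi-match policy with NAT and the
! HTTP parameter map, applied to the client-facing VLAN.
class-map match-all VIP_HTTP
  match virtual-address 10.1.1.100 tcp eq 80

policy-map multi-match L4POLICY
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy L7SLBPOLICY
    appl-parameter http advanced-options HTTP_PARAM
    nat dynamic 1 vlan 20

interface vlan 100
  ip address 10.1.1.1 255.255.255.0
  service-policy input L4POLICY
  no shutdown
```

Because the ACE does not overwrite a header that the client already sent, a client that supplies its own X-Forwarded-For arrives at the server with both the client's and the ACE's values. The server must therefore treat the header as untrusted input: accept it only on connections whose TCP peer is the NAT address 192.168.20.200, and never use it for authorization decisions.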
Examples
For example, to specify the insert-http command as an action in the Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Host header-value .*test.com
host1/Admin(config-pmap-lb-m)# insert-http Host header-value .*cisco.com
The header name and value will appear in the HTTP header as:
Related Commands
(config-parammap-http) server-conn reuse
(config-parammap-http) persistence-rebalance
(config-pmap-lb-m) serverfarm
To load-balance a client request for content to a server farm, use the serverfarm command. Server farms are groups of networked real servers that contain the same content and reside in the same physical location. Use the no form of this command to remove the server-farm action from the Layer 7 load balancing policy map.
serverfarm name1 [backup name2 [sticky | aggregate-state]]
no serverfarm name1 [backup name2 [sticky | aggregate-state]]
Syntax Description
name1
|
Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
backup name2
|
(Optional) Designates an existing server farm as a backup server farm if the original server farm becomes unavailable. Enter the name of an existing server farm that you want to designate as a backup server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
sticky
|
(Optional) Specifies that the sticky group associated with the policy and applied to the primary server farm configured in that policy is also applied to the backup server farm. See the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide for details.
|
aggregate-state
|
(Optional) Specifies that the state of the specified server farm is tied to the state of all the real servers in that server farm and in the backup server farm if configured. The ACE declares the primary server farm down if all real servers in the primary server farm and all real servers in the backup server farm are down.
|
Command Modes
Policy map load balancing match configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
If all servers in the server farm fail and you do not configure a backup server farm, the ACE sends a reset (RST) to a client in response to a content request.
When you specify the sticky option, the ACE sends requests from the same client to the same configured real server in the primary server farm. If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm. If the primary server farm is sticky and you configured the sticky option, the backup server farm also becomes sticky. When the real server in the primary server farm becomes available again, the backup server farm continues to service existing connections. The ACE sends new connections from the same client to the backup server farm if it is sticky; otherwise, the ACE sends new connections to the primary server farm.
Examples
To specify the serverfarm command as an action in the load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 source-address 192.168.11.2 255.255.255.0
host1/Admin(config-pmap-lb-m)# serverfarm FARM2 backup FARM3 sticky
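The backup and sticky failover behaviour described in the usage guidelines for this command, for its (config-pmap-lb-c) counterpart, and for the sticky-serverfarm command in both modes, shown as one complete configuration. This is an added example, not from the original reference page or from Cisco: the real server names and addresses, the farms FARM2 and FARM3, the sticky group STICKY_GROUP1, the VIP, the VLAN numbers and the source subnet are assumptions for illustration; lines starting with "!" are annotations, not commands.

```cisco
! Added example, not from the original reference page or from Cisco.
! All names, addresses and VLAN numbers below are assumptions.

! Real servers: two in the primary farm, one "sorry" server in the backup farm.
rserver host WEB1
  ip address 192.168.20.11
  inservice
rserver host WEB2
  ip address 192.168.20.12
  inservice
rserver host SORRY1
  ip address 192.168.20.21
  inservice

serverfarm host FARM2
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice
serverfarm host FARM3
  rserver SORRY1 80
    inservice

! Source-IP sticky group bound to the primary farm; the "sticky" keyword
! makes the backup farm sticky as well once the primary has failed.
sticky ip-netmask 255.255.255.255 address source STICKY_GROUP1
  serverfarm FARM2 backup FARM3 sticky
  timeout 30

! Layer 7 policy: first-match, so the inline match is evaluated before
! class-default. Clients from the assumed 192.168.11.0/24 subnet use the
! sticky group; everyone else uses the farm with its backup directly.
policy-map type loadbalance first-match L7SLBPOLICY
  match MATCH_SLB1 source-address 192.168.11.0 255.255.255.0
    sticky-serverfarm STICKY_GROUP1
  class class-default
    serverfarm FARM2 backup FARM3 sticky

! Layer 3/4 plumbing: VIP class, multi-match policy, applied to the client VLAN.
class-map match-all VIP_HTTP
  match virtual-address 10.1.1.100 tcp eq 80

policy-map multi-match L4POLICY
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy L7SLBPOLICY

interface vlan 100
  ip address 10.1.1.1 255.255.255.0
  service-policy input L4POLICY
  no shutdown
```

With this configuration, while WEB1 or WEB2 is up, requests are balanced across FARM2. If both fail, new connections go to SORRY1 in FARM3 instead of being answered with a TCP reset, which is what happens when no backup farm is configured. When WEB1 comes back, clients already stuck to SORRY1 keep being sent there, because the backup inherited the sticky setting; clients without a sticky entry return to FARM2. Drop the sticky keyword if you want every client back on the primary farm as soon as it recovers.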
Related Commands
This command has no related commands.
(config-pmap-lb-m) set ip tos
To specify the IP differentiated services code point (DSCP) of packets in a server load balancing (SLB) policy map, use the set ip tos command. This command marks a packet by writing the DSCP value into the six high-order bits of the IP Type of Service (ToS) byte. Once the DSCP bits are set, other Quality of Service (QoS) devices along the path can act on them. Use the no form of this command to reset the IP DSCP value to the default of 0.
set ip tos value
no set ip tos value
Syntax Description
value
|
IP DSCP value. Enter an integer from 0 to 63. The default is 0.
|
Command Modes
Policy map load balancing match configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
For details about the ToS byte, see RFC 791, RFC 1122, RFC 1349, and RFC 3168.
Examples
To specify the set ip tos command as a QoS action in the Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Via header-value 192.*
host1/Admin(config-pmap-lb-m)# set ip tos 8
Related Commands
This command has no related commands.
(config-pmap-lb-m) ssl-proxy client
To specify a Secure Sockets Layer (SSL) proxy service in a Layer 7 load-balancing policy map, use the ssl-proxy client command. The ACE uses an SSL proxy service in a Layer 7 policy map to load balance outbound SSL initiation requests to SSL servers. In this case, the ACE acts as an SSL client that sends an encrypted request to an SSL server. Use the no form of this command to remove the SSL proxy service from the policy map.
ssl-proxy client name
no ssl-proxy client name
Syntax Description
name
|
Name of an existing SSL proxy service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
Command Modes
Policy map load balancing match configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
For more information about configuring SSL, see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide.
Examples
To associate an SSL proxy service with a Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 http header Host header-value .*cisco.com
host1/Admin(config-pmap-lb-m)# ssl-proxy client SSL_SERVER_PROXY_SERVICE
Related Commands
This command has no related commands.
(config-pmap-lb-m) sticky-serverfarm
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, use the sticky-serverfarm command. Use the no form of this command to remove a sticky group from the policy map.
sticky-serverfarm name
no sticky-serverfarm name
Syntax Description
name
|
Name of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
Command Modes
Policy map load balancing match configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
For information about sticky groups, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
Examples
To specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# match MATCH_SLB1 source-address 192.168.11.2 255.255.255.0
host1/Admin(config-pmap-lb-m)# sticky-serverfarm STICKY_GROUP1
Related Commands
This command has no related commands.
Policy Map Management Configuration Mode Commands
Policy map management configuration mode commands allow you to specify a Layer 3 and Layer 4 policy map that identifies the network management protocols that can be received by the ACE. The ACE executes the specified action only for traffic that meets the first matching classification with a policy map. The ACE does not execute any additional actions.
To create a Layer 3 and Layer 4 network management policy map and access the policy map management configuration mode, use the policy-map type management first-match command in configuration mode. You can classify network traffic based on the following management protocols: HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet. When you access this mode, the prompt changes to (config-pmap-mgmt). Use the no form of the command to remove a Layer 3 and Layer 4 network management policy map from the ACE.
policy-map type management first-match map_name
no policy-map type management first-match map_name
Syntax Description
map_name
|
Name assigned to the Layer 3 and Layer 4 network management policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
The commands in this mode require the context Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To create a Layer 3 and Layer 4 network traffic management policy map, enter:
host1/Admin(config)# policy-map type management first-match L4_REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)#
Related Commands
(config) class-map
(config-pmap-mgmt) class
To associate a Layer 3 and Layer 4 management protocol class map with a Layer 3 and Layer 4 traffic management policy map, use the class command. The prompt changes from (config-pmap-mgmt) to (config-pmap-mgmt-c). For information on commands in this mode, see the "Policy Map Management Class Configuration Mode Commands" section. Use the no form of this command to remove an associated class map from a policy map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2] | class-default}
Syntax Description
name1
|
Name of a previously defined Layer 3 and Layer 4 management protocol class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
insert-before name2
|
(Optional) Places the current class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
class-default
|
Reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it enabling it to match all traffic.
|
Command Modes
Policy map management configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To permit remote Secure Shell (SSH) access, enter:
host1/Admin(config)# policy-map type management first-match L4_REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
Related Commands
(config) class-map
(config-pmap-mgmt) description
(config-pmap-mgmt) description
To provide a brief summary about the Layer 3 and Layer 4 management protocol policy map, use the description command. Use the no form of the command to remove the description from the policy map.
description text
no description
Syntax Description
text
|
Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
|
Command Modes
Policy map management configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To add a description that the policy map is to allow remote Telnet access, enter:
host1/Admin(config-pmap-mgmt)# description Allow Telnet access to the ACE
Related Commands
(config-pmap-mgmt) class
Policy Map Management Class Configuration Mode Commands
Policy map management class configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches one or more match statements in the associated Layer 3 and Layer 4 network management protocol class map. To access policy map management class configuration mode, use the class command in policy map management configuration mode (see the (config-pmap-mgmt) class command for details). The prompt changes from (config-pmap-mgmt) to (config-pmap-mgmt-c).
The commands in this mode require the context Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
(config-pmap-mgmt-c) deny
To deny the specified IP network management protocol, use the deny command. Use the no form of the command to allow the specified IP network management protocol to be received by the ACE.
deny
no deny
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map management class configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To deny the specified IP network management protocol by the ACE, enter:
host1/Admin(config-pmap-mgmt)# class SSH_CLASS
host1/Admin(config-pmap-mgmt-c)# deny
Related Commands
This command has no related commands.
(config-pmap-mgmt-c) permit
To allow the IP network management protocols listed in the associated Layer 3 and Layer 4 management class map to be received by the ACE, use the permit command. Use the no form of the command to disallow the specified IP network management protocols to be received by the ACE.
permit
no permit
Syntax Description
This command has no keywords or arguments.
Command Modes
Policy map management class configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To permit the specified IP network management protocol by the ACE, enter:
host1/Admin(config-pmap-mgmt)# class SSH_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
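The policy-map type management, class, description, deny and permit commands of this mode combined into one complete management-access policy. This is an added example, not from the original reference page or from Cisco: the class map names, the management subnet 10.10.0.0/24, the SNMP manager 10.10.0.5 and the VLAN number are assumptions for illustration; lines starting with "!" are annotations, not commands.

```cisco
! Added example, not from the original reference page or from Cisco.
! Subnets, hosts, class names and the VLAN number are assumptions.

! Plaintext management protocols are refused explicitly, from any source.
class-map type management match-any MGMT_PLAINTEXT
  match protocol telnet any
  match protocol http any

! Encrypted management and monitoring, only from the management subnet
! and, for SNMP, only from the single network management host.
class-map type management match-any MGMT_ALLOW
  match protocol ssh source-address 10.10.0.0 255.255.255.0
  match protocol https source-address 10.10.0.0 255.255.255.0
  match protocol snmp source-address 10.10.0.5 255.255.255.255
  match protocol icmp source-address 10.10.0.0 255.255.255.0

! first-match: the deny class is listed first so it wins over any later
! class that would also match the same traffic.
policy-map type management first-match L4_REMOTE_MGMT_ALLOW_POLICY
  description Management access from the NOC subnet only
  class MGMT_PLAINTEXT
    deny
  class MGMT_ALLOW
    permit

! Apply the policy to the interface that carries management traffic.
interface vlan 10
  ip address 10.10.0.1 255.255.255.0
  service-policy input L4_REMOTE_MGMT_ALLOW_POLICY
  no shutdown
```

Because the ACE executes only the action of the first matching class, ordering is the policy. If a class has to be added ahead of MGMT_ALLOW later, use class NAME insert-before MGMT_ALLOW, and remember that the ACE does not save that reordering as part of the configuration, so re-check the order after a reload. Configuring this policy requires the context Admin user role.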
Related Commands
This command has no related commands.
Policy Map Optimization Configuration Mode Commands
Policy map optimization configuration mode commands allow you to associate an HTTP optimization action list and, optionally, a parameter map to perform the specified application acceleration optimization actions. The ACE executes the specified action only for traffic that meets the first matching classification with a policy map. The ACE does not execute any additional actions.
To create a Layer 7 optimization policy map and access the policy map optimization configuration mode, use the policy-map type optimization http first-match command in configuration mode. When you access this mode, the prompt changes to (config-pmap-optmz). Use the no form of the command to remove a Layer 7 optimization HTTP policy map from the ACE.
policy-map type optimization http first-match map_name
no policy-map type optimization http first-match map_name
Syntax Description
map_name
|
Name assigned to the Layer 7 optimization HTTP policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Examples
To create a Layer 7 optimization HTTP policy map named L7OPTIMIZATION_POLICY, enter:
host1/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)#
Related Commands
(config) class-map
(config-pmap-optmz) class
To associate a Layer 7 SLB class map with a Layer 7 optimization HTTP policy map, use the class command. The prompt changes from (config-pmap-optmz) to (config-pmap-optmz-c). For information on commands in this mode, see the "Policy Map Optimization Class Configuration Mode Commands" section. Use the no form of this command to remove an associated class map from a policy map.
class {name1 [insert-before name2] | class-default}
no class {name1 [insert-before name2] | class-default}
Syntax Description
name1
|
Name of a previously defined Layer 7 SLB class map configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
insert-before name2
|
(Optional) Places the current class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
class-default
|
Reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it that enables it to match all traffic.
|
Command Modes
Policy map optimization configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To specify an existing Layer 7 SLB class map, enter:
host1/Admin(config-pmap-optmz)# class L7SLBCLASS
host1/Admin(config-pmap-optmz-c)#
Related Commands
(config) class-map
(config-pmap-optmz) description
(config-pmap-optmz) description
To provide a brief summary about the Layer 7 optimization HTTP policy map, use the description command. Use the no form of the command to remove the description from the policy map.
description text
no description
Syntax Description
text
|
Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
|
Command Modes
Policy map optimization configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To add a description that the policy map is to perform delta optimization, enter:
host1/Admin(config-pmap-optmz)# description This policy map performs delta optimization
To remove the description from the policy map, enter:
host1/Admin(config-pmap-optmz)# no description
Related Commands
(config-pmap-optmz) class
(config-pmap-optmz) match http cookie
To make server load balancing (SLB) decisions based on the name and string of a cookie, use the match http cookie command. Use the no form of the command to remove an HTTP cookie match statement from the policy map.
match name1 http cookie {name2 | secondary name3} cookie-value expression [insert-before map_name]
no match name1 http cookie {name2 | secondary name3} cookie-value expression
Syntax Description
name1
|
Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
|
name2
|
A unique cookie name. Enter an unquoted text string with no spaces and a maximum of 63 alphanumeric characters.
|
secondary name3
|
Specifies a cookie in a URL string. You can specify the delimiters for cookies in a URL string using a command in an HTTP parameter map.
|
cookie-value expression
|
Specifies a unique cookie value expression. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. For a list of supported characters that you can use for matching string expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
|
insert-before map_name
|
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
|
Command Modes
Policy map optimization configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A1(7)
|
This command was introduced.
|
Usage Guidelines
When you use the match http cookie command, you access the policy map optimization match configuration mode and the prompt changes from (config-pmap-optmz) to (config-pmap-optmz-m). For information on the load-balancing commands in this mode, see the "Policy Map Load Balancing Match Configuration Mode Commands" section.
The ACE performs regular expression matching against the received packet data from a particular connection based on the cookie expression. You can configure a maximum of five cookie names per VIP.
The ACE supports regular expressions for matching string expressions. For a list of supported characters that you can use for matching string expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
For details on defining a list of ASCII-character delimiter strings that you can use to separate the cookies in a URL string, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
Examples
To specify that the Layer 7 optimization policy map load balances on a cookie with the name of testcookie1, enter:
host1/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)# match MATCH2 http cookie testcookie1 cookie-value 123456
Related Commands
(config-parammap-http) set content-maxparse-length
(config-parammap-http) set secondary-cookie-delimiters
(config-pmap-optmz) match http header
To define application inspection decisions based on the name and value in an HTTP header, use the match http header command. Use the no form of the command to clear an HTTP header match criteria from the policy map.
match name http header {header_name | header_field} header-value expression [insert-before
map_name]
no match name http header {header_name | header_field} header-value expression
Syntax Description
name
    Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
header_name
    Name of the HTTP header to match (for example, Host). The range is from 1 to 64 alphanumeric characters.
    Note The header_name argument cannot include the colon that follows the header name on the wire; the ACE rejects the colon as an invalid token.
header_field
    A standard HTTP/1.1 header field. Valid selections include request-header fields, general-header fields, and the entity-header field. The supported selections are the following:
    • Accept—Specifies a semicolon-separated list of representation schemes (content type metainformation values) that will be accepted in the response to the request.
    • Accept-Charset—Specifies the character sets that are acceptable for the response. This field allows clients capable of understanding more comprehensive or special-purpose character sets to signal that capability to a server that can represent documents in those character sets.
    • Accept-Encoding—Restricts the content encoding that a user will accept from the server.
    • Accept-Language—Specifies the language in which the document is written. The language tag is an ISO 639 language code with an optional ISO 3166 country code to specify a national variant.
    • Authorization—Specifies that the user agent wants to authenticate itself with a server, usually after receiving a 401 response.
    • Cache-Control—Specifies the directives that must be obeyed by all caching mechanisms in the request/response chain. The directives specify behavior intended to prevent caches from adversely interfering with the request or response.
    • Connection—Allows the sender to specify connection options.
    • Content-MD5—Specifies the MD5 digest of the entity body that provides an end-to-end integrity check. Only a client or an origin server can generate this header field. As RFC 2616 notes, this check detects accidental modification in transit; it is not proof against malicious modification, so do not treat it as a security control.
    • Expect—Used by a client to inform the server about the behaviors that the client requires.
    • From—Contains the e-mail address of the person who controls the requesting user agent.
    • Host—Specifies the internet host and port number of the resource that is requested, as obtained from the original URI given by the user or referring resource. The Host field value must represent the naming authority of the origin server or gateway given by the original URL.
    • If-Match—Used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that one of those entities is current by including a list of their associated entity tags in the If-Match header field. This feature allows efficient updates of cached information with a minimum amount of transaction overhead. It is also used on updating requests to prevent inadvertent modification of the wrong version of a resource. As a special case, the value "*" matches any current entity of the resource.
    • Pragma—Specifies the pragma directives that are understood by servers to whom the directives are relevant. The syntax is the same as for other multiple-value fields in HTTP. For example, the Accept field is a comma-separated list of entries for which the optional parameters are separated by semicolons.
    • Referer—Specifies the address (URI) of the resource from which the URI in the request was obtained.
    • Transfer-Encoding—Indicates what (if any) type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient.
    • User-Agent—Specifies the information about the user agent (for example, a software program that originates the request). This information is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents.
    • Via—Used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests and between the origin server and the client on responses.
header-value expression
    Specifies the header value expression string to compare against the value in the specified field in the HTTP header. The range is from 1 to 255 alphanumeric characters. For a list of supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
insert-before map_name
    (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map optimization configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP header expression.
When you use the match http header command, you access the policy map optimization match configuration mode and the prompt changes from (config-pmap-optmz) to (config-pmap-optmz-m). For information on the action command available in this mode, see the "Policy Map Optimization Match Configuration Mode Commands" section.
The ACE supports regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces, if the spaces are escaped or quoted. For a list of supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
Remember that an unescaped period (.) in an expression matches any single character, not a literal period. An expression such as .*cisco.com therefore also selects a Host value such as www.cisco-com. When the header value is used to decide which traffic receives optimization, write the literal period as [.] or \. (for example, .*cisco[.]com) so that the policy selects only the hosts you intend.
Examples
To specify that the Layer 7 optimization policy map load balances on an HTTP header named Host, enter:
host/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)# match match3 http header Host header-value .*cisco.com
Related Commands
(config-parammap-http) set header-maxparse-length
(config-pmap-optmz) match http url
To make server load balancing (SLB) decisions based on the URL name and, optionally, the HTTP method, use the match http url command. Use the no form of the command to remove a URL match statement from the policy map.
match name http url expression [method name] [insert-before map_name]
no match name http url expression [method name]
Syntax Description
name
    Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
expression
    URL, or portion of a URL, to match. Enter a URL string from 1 to 255 alphanumeric characters. Include only the portion of the URL that follows www.hostname.domain in the match statement. For a list of supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
method name
    (Optional) Specifies the HTTP method to match. Enter a method name as an unquoted text string with no spaces and a maximum of 15 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, PROTOPLASM).
insert-before map_name
    (Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Command Modes
Policy map optimization configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string.
When you use the match http url command, you access the policy map optimization match configuration mode and the prompt changes from (config-pmap-optmz) to (config-pmap-optmz-m). For information on the action command available in this mode, see the "Policy Map Optimization Match Configuration Mode Commands" section.
Include only the portion of the URL that follows www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. For a list of supported characters that you can use in regular expressions, see the "Usage Guidelines" section for the (config-pmap-ins-http) match content command.
The period (.) does not have a literal meaning in regular expressions. Use either brackets ([]) or the backslash (\) character to match this symbol. For example, specify www[.]xyz[.]com instead of www.xyz.com.
Examples
To specify that the Layer 7 optimization policy map load balances on a specific URL, enter:
host/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)# match match3 http url whatsnew/latest.*
To use regular expressions to emulate a wildcard search that matches any .gif file, enter the period in its bracketed form so that it matches only a literal period (the expression .*.gif would also match a URL such as /logo-gif):
host/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)# match match3 http url .*[.]gif
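The following script is an added illustration of the period caveat that applies to both the match http header example (.*cisco.com) and the match http url example (.*.gif) above. It is not part of the ACE software or of Cisco's documentation. It uses Python's re module as a stand-in for the ACE matcher and makes two labelled assumptions: that the ACE requires the expression to cover the whole header value or URL (which is why the page's examples lead with .*), so re.fullmatch is used, and that the small subset of syntax exercised here (., .*, [.]) behaves the same in both engines. The sample Host values and URLs are constructed for the illustration.

```python
"""Added illustration of the unescaped-period caveat from the match http
header and match http url usage guidelines.

Example code written for this page; not part of the ACE software or Cisco's
documentation. Python's re module stands in for the ACE regular-expression
matcher. Assumptions (not stated by the page):
  * the ACE requires the expression to cover the entire header value or URL,
    so re.fullmatch is used;
  * the subset of syntax used here ('.', '.*', '[.]') behaves the same in
    both engines. Anything beyond that subset is outside this illustration.
"""
import re

# Constructed Host header values; not captured from a real device.
HOST_VALUES = [
    "www.cisco.com",
    "cisco.com",
    "www.cisco-com",   # '-' satisfies an unescaped '.'
    "ciscoXcom",       # so does any other single character
]

# Constructed request URLs; not captured from a real device.
URL_VALUES = [
    "/images/logo.gif",
    "/images/logo-gif",   # not a GIF, but '.*.gif' accepts it
    "/index.html",
]


def escape_dots(literal: str) -> str:
    """Turn a literal string into an expression that matches it exactly,
    using the bracket form the page recommends (www.xyz.com -> www[.]xyz[.]com)."""
    return literal.replace(".", "[.]")


def matches(expression: str, value: str) -> bool:
    """True when the expression covers the entire value (assumed whole-string match)."""
    return re.fullmatch(expression, value) is not None


def select(expression: str, values: list[str]) -> list[str]:
    """Return the values a given expression would select, in input order."""
    return [v for v in values if matches(expression, v)]


if __name__ == "__main__":
    # Each loose expression is shown beside its tightened form.
    for expression, values in (
        (".*cisco.com", HOST_VALUES),                   # page's header example as written
        (".*" + escape_dots("cisco.com"), HOST_VALUES),  # literal periods only
        (".*.gif", URL_VALUES),                         # loose .gif match
        (".*" + escape_dots(".gif"), URL_VALUES),        # literal period only
    ):
        print(f"{expression:<18} -> {select(expression, values)}")
```

Run it once before committing a header- or URL-based expression to a policy map: the loose forms select the lookalike values, the bracketed forms do not. The same habit applies to any expression whose period is meant literally, such as a domain in a Host match or a file extension in a URL match.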
Related Commands
(config-parammap-http) set content-maxparse-length
Policy Map Optimization Class Configuration Mode Commands
Policy map optimization class configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches the Layer 7 optimization HTTP action statement. To access policy map optimization class configuration mode, use the class command in policy map optimization configuration mode (see the (config-pmap-optmz) class command for details). The prompt changes from (config-pmap-optmz) to (config-pmap-optmz-c).
The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
(config-pmap-optmz-c) action
To perform a specific set of application acceleration actions, use the action command. The Layer 7 optimization HTTP policy map activates the use of an optimization HTTP action list to configure the specified application acceleration and optimization actions. See Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for details on creating an optimization HTTP action list. Use the no form of the command to remove the action list from the policy map.
action list_name [parameter map_name]
no action list_name [parameter map_name]
Syntax Description
list_name
    Unique name of an existing action list as an unquoted text string with a maximum of 64 alphanumeric characters. The action command groups the application acceleration functions associated with the specified action list that apply to a specific type of operation.
parameter map_name
    (Optional) Specifies optimization-related commands that pertain to application acceleration performed by the ACE. A parameter map groups the application acceleration functions that adjust or control the actions specified in an associated action list. The map_name argument specifies a unique name of an existing parameter map as an unquoted text string with a maximum of 64 alphanumeric characters.
Command Modes
Policy map optimization class configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
Optionally, you can specify an optimization HTTP parameter list in an optimization HTTP policy map to identify the association between the action list and the parameter map. The optimization HTTP action list defines what to do while the optimization HTTP parameter map defines the specific details about how to accomplish the application acceleration action. Refer to Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for details on creating an optimization HTTP parameter map.
Examples
To associate an existing action list with an existing parameter map to control the actions in the Layer 7 HTTP optimization policy map, enter:
host/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)# class L7SLBCLASS
host1/Admin(config-pmap-optmz-c)# action ACT_LIST1 parameter OPTIMIZE_PARAM_MAP
To remove the action list from the Layer 7 HTTP optimization policy map, enter:
host1/Admin(config-pmap-optmz-c)# no action ACT_LIST1 parameter OPTIMIZE_PARAM_MAP
Related Commands
(config) action-list type
(config) parameter-map type
Policy Map Optimization Match Configuration Mode Commands
Policy map optimization match configuration mode commands allow you to specify the actions that the ACE should take when network traffic matches an inline Layer 7 optimization HTTP match statement. To access policy map optimization match configuration mode, use a match command (match http cookie, match http header, or match http url) in policy map optimization configuration mode (see the "Policy Map Optimization Configuration Mode Commands" section). The prompt changes from (config-pmap-optmz) to (config-pmap-optmz-m).
The commands in this mode require the loadbalance feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
(config-pmap-optmz-m) action
To perform a specific set of application acceleration actions, use the action command. The Layer 7 optimization HTTP policy map activates the use of an optimization HTTP action list to configure the specified application acceleration optimization actions. Refer to the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for details on creating an optimization HTTP action list. Use the no form of the command to remove the action list from the policy map.
action list_name [parameter map_name]
no action list_name [parameter map_name]
Syntax Description
list_name
    Unique name of an existing action list as an unquoted text string with a maximum of 64 alphanumeric characters. The action command groups the application acceleration functions associated with the specified action list that apply to a specific type of operation.
parameter map_name
    (Optional) Specifies optimization-related commands that pertain to application acceleration performed by the ACE. A parameter map groups the application acceleration functions that adjust or control the actions specified in an associated action list. The map_name argument specifies a unique name of an existing parameter map as an unquoted text string with a maximum of 64 alphanumeric characters.
Command Modes
Policy map optimization match configuration mode
Admin and user contexts
Command History
Release    Modification
A1(7)      This command was introduced.
Usage Guidelines
Optionally, you can specify an optimization HTTP parameter list in an optimization HTTP policy map to identify the association between the action list and the parameter map. In this case, the optimization HTTP action list defines what to do while the optimization HTTP parameter map defines the specific details about how to accomplish the application acceleration action. Refer to the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for details on creating an optimization HTTP parameter map.
Examples
To associate an existing action list with an existing parameter map to control the match command action in the Layer 7 HTTP optimization policy map, enter:
host/Admin(config)# policy-map type optimization http first-match L7OPTIMIZATION_POLICY
host1/Admin(config-pmap-optmz)# match match3 http url .*[.]gif
host1/Admin(config-pmap-optmz-m)# action ACT_LIST1 parameter OPTIMIZE_PARAM_MAP
To remove the action list from the Layer 7 HTTP optimization policy map, enter:
host1/Admin(config-pmap-optmz-m)# no action ACT_LIST1 parameter OPTIMIZE_PARAM_MAP
Related Commands
(config) action-list type
(config) parameter-map type