Application Control Engine Module Command Reference (Software Version A1(2))
Configuration Mode Commands

Table Of Contents

Configuration Mode Commands

(config) aaa accounting default

(config) aaa authentication login

(config) aaa group server

(config) access-group

(config) access-list ethertype

(config) access-list extended

(config) access-list remark

(config) access-list resequence

(config) arp

(config) banner

(config) boot system

(config) class-map

(config) clock timezone

(config) clock summer-time

(config) config-register

(config) context

(config) crypto chaingroup

(config) crypto csr-params

(config) domain

(config) end

(config) exit

(config) ft auto-sync

(config) ft group

(config) ft interface vlan

(config) ft peer

(config) ft track host

(config) ft track hsrp

(config) ft track interface

(config) hostname

(config) interface

(config) ip dhcp relay

(config) ip route

(config) ldap-server host

(config) ldap-server port

(config) ldap-server timeout

(config) line console

(config) line vty

(config) login timeout

(config) logging buffered

(config) logging console

(config) logging device-id

(config) logging enable

(config) logging facility

(config) logging fastpath

(config) logging history

(config) logging host

(config) logging message

(config) logging monitor

(config) logging persistent

(config) logging queue

(config) logging rate-limit

(config) logging reject-newconn

(config) logging standby

(config) logging supervisor

(config) logging timestamp

(config) logging trap

(config) parameter-map type

(config) policy-map

(config) probe

(config) radius-server attribute nas-ipaddr

(config) radius-server deadtime

(config) radius-server host

(config) radius-server key

(config) radius-server retransmit

(config) radius-server timeout

(config) resource-class

(config) role

(config) rserver

(config) script file

(config) serverfarm

(config) service-policy

(config) shared-vlan-hostid

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server enable traps

(config) snmp-server host

(config) snmp-server location

(config) snmp-server trap link ietf

(config) snmp-server trap-source vlan

(config) snmp-server user

(config) ssh key

(config) ssh maxsessions

(config) ssl-proxy service

(config) sticky http-cookie

(config) sticky http-header

(config) sticky ip-netmask

(config) tacacs-server deadtime

(config) tacacs-server host

(config) tacacs-server key

(config) tacacs-server timeout

(config) telnet maxsessions

(config) timeout xlate

(config) username


Configuration Mode Commands

Configuration mode commands allow you to configure global ACE parameters that affect:

All contexts, when configured in the Admin context

A single user context, when configured in that context

Configuration mode also allows you to access all the ACE subordinate configuration modes. These modes provide parameters to configure the major features of the ACE, including access control lists (ACLs), application protocol inspection, fragmentation and reassembly, interfaces, network address translation (NAT), persistence (stickiness), protocols, redundancy, routing, scripts, secure sockets layer (SSL), server load balancing (SLB), TCP/IP normalization, users, and virtualization.

To access configuration mode, use the config command. The CLI prompt changes to (config).

See the individual command descriptions of all the configuration mode commands on the following pages.

Command Modes

Exec mode

Admin and user contexts

Command History

Release       Modification
3.0(0)A1(2)   This command was introduced.


Usage Guidelines

This command requires one or more features assigned to your user role that allow configuration, such as AAA, interface, or fault-tolerant. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Examples

To access configuration mode, enter:

host1/Admin# config 
host1/Admin(config)#

Related Commands

show running-config
show startup-config

(config) aaa accounting default

To configure the default accounting method, use the aaa accounting default command. You specify either a previously created AAA server group that identifies separate groups of TACACS+ or RADIUS servers or the local database on the ACE. Use the no form of this command to remove the accounting method.

aaa accounting default {group group_name} {local} {none}

no aaa accounting default {group group_name} {local} {none}

Syntax Description

group group_name

Associates the accounting method with a TACACS+ or RADIUS server defined previously through the aaa group server command. The server group name is a maximum of 64 characters.

local

Specifies to use the local database on the ACE as the accounting method.

none

Specifies that the ACE does not perform password verification. If you configure this option, users can log in without providing a valid password.

Note Only users with an Admin role can configure the none keyword.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release       Modification
3.0(0)A1(2)   This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Examples

To enable user accounting to be performed using remote TACACS+ servers, followed by local login as the fallback method, enter:

host1/Admin(config)# aaa accounting default group TacServer local

Related Commands

show aaa

show accounting log

(config) aaa authentication login

(config) aaa group server

(config) aaa authentication login

To configure the authentication method used for login to the ACE CLI, use the aaa authentication login command. Use the no form of this command to disable the authentication method.

aaa authentication login {{console | default} {{group group_name} {local} {none}}} | error-enable

no aaa authentication login {{console | default} {{group group_name} {local} {none}}} | error-enable

Syntax Description

console

Specifies the console port login authentication method, identified by the specified server group.

default

Specifies the default login authentication method (Telnet or SSH login), identified by the specified server group.

group group_name

Associates the login authentication process with a TACACS+, RADIUS, or LDAP server defined through the aaa group server command. The server group name is a maximum of 64 characters.

local

Specifies to use the local database on the ACE as the login authentication method. If the server does not respond, then the local database is used as the fallback authentication method.

none

Specifies that the ACE does not perform password verification. If you configure this option, users can log in to the ACE without providing a valid password.

Note Only users with an Admin role can configure the none keyword.

error-enable

Enables the display of the login error message in instances where the remote AAA servers fail to respond.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release       Modification
3.0(0)A1(2)   This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Use the error-enable option cautiously. If you specify none, any user will be able to access the ACE at any time.

To view the current display status, use the show aaa authentication login error-enable command. When a user attempts to log in and the remote AAA servers do not respond to the authentication request, the ACE processes the login sequence by switching to the local user database.

Examples

To enable console authentication using the TACSERVER server group, followed by local login as the fallback method, enter:

host1/Admin(config)# aaa authentication login console group TACSERVER local

Password verification remains enabled for login authentication.

To turn off password validation, enter:

host1/Admin(config)# aaa authentication login console group TACSERVER local none
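The following is an added example, not ACE code, that models the login method list this command configures: a server group is tried first, a group whose servers do not respond falls through to local, and a trailing none accepts any login. It also flags configured method lists that contain none. The TACSERVER verifier functions and the local user database are constructed for the example; the assumptions that a reject from the servers is final and that local falls through only for an unknown user are the author's.

```python
"""Added model of the ACE login method list: group -> local -> none fallback.
Example code written for this page, not the ACE implementation itself."""
from typing import Callable, Dict, List, Optional, Tuple

# A server group is modelled as a function returning True (accept), False (reject)
# or None (the remote AAA servers did not respond).
Verifier = Callable[[str, str], Optional[bool]]


def parse_login_line(line: str) -> Tuple[str, List[str]]:
    """Parse 'aaa authentication login {console|default} <methods>'.
    Methods are returned in order as 'group:<name>', 'local' or 'none'."""
    tok = line.split()
    if tok[:3] != ["aaa", "authentication", "login"] or tok[3] not in ("console", "default"):
        raise ValueError(f"not a login method list: {line!r}")
    methods, rest = [], tok[4:]
    while rest:
        if rest[0] == "group":
            methods.append("group:" + rest[1])
            rest = rest[2:]
        elif rest[0] in ("local", "none"):
            methods.append(rest[0])
            rest = rest[1:]
        else:
            raise ValueError(f"unknown method {rest[0]!r}")
    return tok[3], methods


def authenticate(methods: List[str], user: str, password: str,
                 groups: Dict[str, Verifier], local_db: Dict[str, str]) -> Tuple[bool, str]:
    """Walk the method list in order and return (accepted, deciding method).
    Assumptions: a server group falls through only when it does not respond
    (a reject is final); 'local' falls through only for a user it does not know."""
    for m in methods:
        if m == "none":
            return True, m                      # no password verification at all
        if m == "local":
            if user in local_db:
                return local_db[user] == password, m
            continue
        verdict = groups[m.split(":", 1)[1]](user, password)
        if verdict is not None:
            return verdict, m
    return False, "no-method-responded"


def audit_none(config_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Flag login method lists that contain 'none': with it, a login succeeds
    without a valid password once the earlier methods fall through."""
    findings = []
    for line in config_lines:
        tok = line.split()
        # skip 'aaa authentication login error-enable', which is not a method list
        if tok[:3] == ["aaa", "authentication", "login"] and tok[3:4] != ["error-enable"]:
            port, methods = parse_login_line(line)
            if "none" in methods:
                findings.append((port, methods))
    return findings
```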

Related Commands

show aaa

(config) aaa accounting default

(config) aaa group server

(config) aaa group server

To configure independent server groups of TACACS+, RADIUS, or LDAP servers, use the aaa group server command. Use the no form of this command to remove a server group.

aaa group server {ldap | radius | tacacs+} group_name

no aaa group server {ldap | radius | tacacs+} group_name

Syntax Description

ldap

Specifies that this is an LDAP directory server group. For information about the commands in the LDAP server configuration mode, see the "LDAP Configuration Mode Commands" section.

radius

Specifies that this is a RADIUS server group. For information about the commands in the RADIUS server configuration mode, see the "RADIUS Configuration Mode Commands" section.

tacacs+

Specifies that this is a TACACS+ server group. For information about the commands in the TACACS+ server configuration mode, see the "TACACS+ Configuration Mode Commands" section.

group_name

Name for the LDAP, RADIUS, or TACACS+ server group. The server group name is a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release       Modification
3.0(0)A1(2)   This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

A server group is a list of server hosts of a particular type. The ACE allows you to configure multiple TACACS+, RADIUS, and LDAP servers as a named server group. You group the different AAA server hosts into distinct lists. The ACE searches for the server hosts in the order in which you specify them within a group. You can configure a maximum of 100 server groups for each context in the ACE.

You can configure server groups at any time, but they take effect only when you apply them to the AAA service using the aaa authentication login or the aaa accounting default commands.

To create a AAA server group and access one of the three AAA server group configuration modes, enter the aaa group server ldap, aaa group server radius, or aaa group server tacacs+ command in configuration mode. The CLI prompt changes to (config-ldap), (config-radius), or (config-tacacs+). In this mode, you specify the IP address of one or more previously configured servers that you want added to or removed from the server group.

Examples

To create a RADIUS server group and add previously configured RADIUS servers, enter:

host1/Admin(config)# aaa group server radius RAD_Server_Group1
host1/Admin(config-radius)# server 192.168.252.1
host1/Admin(config-radius)# server 192.168.252.2
host1/Admin(config-radius)# server 192.168.252.3

Related Commands

show aaa

show running-config

(config) aaa accounting default

(config) aaa authentication login

(config) access-group

To apply an ACL to the inbound direction on all VLAN interfaces in a context and make the ACL active, use the access-group command. Use the no form of this command to remove an ACL from all interfaces in a context.

access-group input acl_name

no access-group input acl_name

Syntax Description

input

Specifies the inbound direction of all interfaces in a context on which you want to apply the ACL.

acl_name

Identifier of an existing ACL that you want to apply to an interface.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release       Modification
3.0(0)A1(2)   This command was introduced.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

You must apply an ACL to an interface to allow the passing of traffic on that interface. This command enables you to apply an ACL to all interfaces in a context in the inbound direction only and to allow traffic on all interfaces simultaneously. The following considerations apply:

You can use the access-group command in configuration mode only if there are no interfaces in the context to which you have applied an ACL previously using the (config-if) access-group command in interface configuration mode.

Similarly, if you have applied an ACL globally to all interfaces in a context, you cannot apply an ACL to an individual interface using the (config-if) access-group command in interface configuration mode.

You can apply one Layer 2 ACL and one Layer 3 ACL globally to all interfaces in a context.

To all Layer 2 bridge-group virtual interfaces (BVIs) in a context, you can apply both a Layer 3 and a Layer 2 ACL.

To all Layer 3 virtual LANs (VLANs) in a context, you can apply only a Layer 3 ACL.

For complete details on ACLs, see the Cisco Application Control Engine Module Security Configuration Guide.

Examples

To apply an ACL named INBOUND to the inbound direction of all interfaces in the Admin context, enter:

host1/Admin(config)# access-group input INBOUND

To remove an ACL from all interfaces in the Admin context, enter:

host1/Admin(config)# no access-group input INBOUND

Related Commands

(config-if) access-group

show access-list

(config) access-list ethertype

To configure an EtherType ACL, use the access-list ethertype command. Use the no form of the command to remove the ACL from the configuration.

access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}

no access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 characters.

ethertype

Specifies a sub-protocol of type: any, bpdu, ipv6, or mpls.

deny

Blocks connections on the assigned interface.

permit

Allows connections on the assigned interface.

any

Specifies any Ethertype.

bpdu

Specifies bridge protocol data units.

ipv6

Specifies Internet Protocol version 6.

mpls

Specifies Multi-Protocol Label Switching.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release       Modification
3.0(0)A1(2)   This command was introduced.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

You can configure an ACL that controls traffic based on its EtherType. An EtherType is a sub-protocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because they use a length field as opposed to a type field. The only exception is bridge protocol data units (BPDUs), which are SNAP-encapsulated, and the ACE is designed to specifically handle BPDUs.

You can configure an EtherType ACL only on a Layer 2 interface in the inbound direction.

When you specify the mpls keyword in an Ethertype ACL, the ACE denies or permits both MPLS-unicast and MPLS-multicast traffic.

Examples

To configure an EtherType ACL named INBOUND, enter:

host1/Admin(config)# access-list INBOUND ethertype permit 0800

Related Commands

clear access-list

show access-list

(config) access-list extended

To create an extended ACL, use the access-list extended command. There are three major types of extended ACLs:

IP

TCP or UDP

ICMP

Use the no form of the command to delete the ACL.

For an IP extended ACL:

access-list name [line number] extended {deny | permit} protocol {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address}

no access-list name [line number] extended {deny | permit} protocol {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address}

For a TCP or a UDP extended ACL:

access-list name [line number] extended {deny | permit} {{tcp | udp} {src_ip_address netmask | any | host src_ip_address}} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]

no access-list name [line number] extended {deny | permit} {{tcp | udp} {src_ip_address netmask | any | host src_ip_address}} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]

For an ICMP extended ACL:

access-list name [line number] extended {deny | permit} icmp {src_ip_address netmask | any | host src_ip_address} {any | host dest_ip_address | dest_ip_address netmask} [icmp_type] [code operator code]

no access-list name [line number] extended {deny | permit} icmp {src_ip_address netmask | any | host src_ip_address} {any | host dest_ip_address | dest_ip_address netmask} [icmp_type] [code operator code]

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 characters.

line number

(Optional) Specifies the line number position where you want the entry you are configuring to appear in the ACL. The position of an entry affects the lookup order of the entries in an ACL. If you do not configure the line number of an entry, the ACE applies a default increment and a line number to the entry and appends it at the end of the ACL.

extended

Specifies an extended ACL. Extended ACLs allow you to specify the destination IP address and subnet mask and other parameters not available with a standard ACL.

deny

Blocks connections on the assigned interface.

permit

Allows connections on the assigned interface.

protocol

Name or number of an IP protocol. Enter a protocol name or an integer from 0 to 255 that represents an IP protocol number from the following:

ah—(51) Authentication Header

eigrp—(88) Enhanced IGRP

esp—(50) Encapsulated Security Payload

gre—(47) Generic Routing Encapsulation

icmp—(1) Internet Control Message Protocol (See Table 2-1 for optional ICMP messaging types)

igmp—(2) Internet Group Management Protocol

ip—(0) Internet Protocol

ip-in-ip—(4) IP-in-IP Layer 3 Tunneling protocol

ospf—(89) Open Shortest Path First

pim—(103) Protocol Independent Multicast

tcp—(6) Transmission Control Protocol

udp—(17) User Datagram Protocol

src_ip_address netmask

Traffic from a source defined by the IP address and the network mask. Use these arguments to specify network traffic from a range of source IP addresses.

host src_ip_address

Specifies the IP address of the host from which network traffic originates. Use this keyword and argument to specify network traffic from a single IP address.

any

Specifies network traffic from any source.

operator

(Optional) Operand used to compare source and destination port numbers for TCP and UDP protocols. The operators are:

lt—Less than.

gt—Greater than.

eq—Equal to.

neq—Not equal to.

range—An inclusive range of port values. If you entered the range operator, enter a second port number value to define the upper limit of the range.

port1 [port2]

TCP or UDP source port name or number from which you permit or deny services access. To enter an inclusive range of ports, enter two port numbers. Port2 must be greater than or equal to port1. See Table 2-2 for a list of well-known port names and numbers.

any

Specifies network traffic going to any destination.

dest_ip_address netmask

Specifies the IP address of the network or host to which the packet is being sent and the network mask bits to be applied to the destination IP address. Use these arguments to specify a range of destination IP addresses.

host dest_ip_address

Specifies the IP address of the destination host of the packets in a flow. Use this keyword and argument to specify network traffic destined to a single IP address.

port3 [port4]

TCP or UDP destination port name or number to which you permit or deny services access. To enter an optional inclusive range of ports, enter two port numbers. Port4 must be greater than or equal to port3. See Table 2-2 for a list of well-known ports.

icmp_type

(Optional) Type of ICMP messaging. Enter either an integer corresponding to the ICMP code number or one of the ICMP types as described in Table 2-1.

code

(Optional) Specifies that a numeric operator and ICMP code follows. This keyword is available only if you select icmp as the protocol type.

icmp_operator

An operator that the ACE applies to the ICMP code number that follows. Enter one of the following operators:

lt—Less than.

gt—Greater than.

eq—Equal to.

neq—Not equal to.

range—An inclusive range of ICMP code values. When you use this operator, specify two code numbers to define the range.

code1, code2

ICMP code number that corresponds to an ICMP type. See Table 2-1. If you entered the range operator, enter a second ICMP code value to define the upper limit of the range.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release       Modification
3.0(0)A1(2)   This command was introduced.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the ports and destination addresses as "any" in an extended ACL.

For TCP and UDP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the ACE allows all returning traffic for established connections.

You can apply only one ACL of each type (extended and EtherType) to each direction of an interface. You can also apply the same ACLs on multiple interfaces.

If you selected icmp as the IP protocol type, you can optionally specify the type of ICMP messaging. Enter either an integer corresponding to the ICMP code number or one of the ICMP messaging types as described in Table 2-1.

Table 2-1 ICMP Types

ICMP Code Number   ICMP Type
0                  echo-reply
3                  unreachable
4                  source-quench
5                  redirect
6                  alternate-address
8                  echo
9                  router-advertisement
10                 router-solicitation
11                 time-exceeded
12                 parameter-problem
13                 timestamp-request
14                 timestamp-reply
15                 information-request
16                 information-reply
17                 mask-request
18                 mask-reply
30                 traceroute
31                 conversion-error
32                 mobile-redirect


Table 2-2 Well-Known Port Numbers and Key Words

Key Word          Port Number   Description
aol               5190          America-Online
bgp               179           Border Gateway Protocol
chargen           19            Character Generator
citrix-ica        1494          Citrix Independent Computing Architecture protocol
cmd               514           Same as exec, with automatic authentication
ctiqbe            2748          Computer Telephony Interface Quick Buffer Encoding
daytime           13            Daytime
discard           9             Discard
domain            53            Domain Name System
echo              7             Echo
exec              512           Exec (RSH)
finger            79            Finger
ftp               21            File Transfer Protocol
ftp-data          20            FTP data connections
gopher            70            Gopher
h323              1720          H.323 call signalling
hostname          101           NIC hostname server
http              80            Hyper Text Transfer Protocol
https             443           HTTP over TLS/SSL
ident             113           Ident Protocol
imap4             143           Internet Message Access Protocol, version 4
irc               194           Internet Relay Chat
kerberos          88            Kerberos
klogin            543           Kerberos Login
kshell            544           Kerberos Shell
ldap              389           Lightweight Directory Access Protocol
ldaps             636           LDAP over TLS/SSL
login             513           Login (rlogin)
lotusnotes        1352          IBM Lotus Notes
lpd               515           Printer Service
matip-a           350           Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
netbios-ssn       139           NetBios Session Service
nntp              119           Network News Transport Protocol
pcanywhere-data   5631          PC Anywhere data
pim-auto-rp       496           PIM Auto-RP
pop2              109           Post Office Protocol v2
pop3              110           Post Office Protocol v3
pptp              1723          Point-to-Point Tunneling Protocol, RFC 2637
rpc               71            Remote Procedure Call
rtsp              554           Real Time Stream control Protocol
sip               5060          Session Initiation Protocol
smtp              25            Simple Mail Transfer Protocol
sqlnet            1521          Structured Query Language Network
ssh               22            Secure SHell
sunrpc            111           Sun Remote Procedure Call
tacacs            49            Terminal Access Controller Access Control System
talk              517           Talk
telnet            23            Telnet
time              37            Time
uucp              540           Unix-to-Unix Copy Program
whois             43            Nicname
www               80            World Wide Web (HTTP)


Examples

To configure a TCP extended ACL, enter:

host1/Admin(config)# access-list INBOUND line 10 extended permit tcp 192.168.12.0 255.255.255.0 gt 1024 172.27.16.0 255.255.255.0 lt 4000

To remove an entry from an extended ACL, enter:

host1/Admin(config)# no access-list INBOUND line 10

To allow an external host with IP address 192.168.12.5 to be able to ping a host behind the ACE with an IP address of 10.0.0.5, enter:

host1/Admin(config)# access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5

To remove an entry from an ICMP ACL, enter:

host1/Admin(config)# no access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5

Related Commands

clear access-list

show access-list

(config) access-list remark

You can add comments about an ACL to clarify the function of the ACL. To add a comment to an ACL, use the access-list remark command. You can enter only one comment per ACL, and the comment appears at the top of the ACL. Use the no form of the command to remove an ACL remark.

access-list name remark text

no access-list name remark text

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 characters.

remark text

Specifies any comments you want to include about the nature of the ACL. Comments appear at the top of the ACL. Enter an unquoted text string with a maximum of 100 alphanumeric characters. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release       Modification
3.0(0)A1(2)   This command was introduced.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

If you delete an ACL using the no access-list name command, then the remarks are also removed.

Examples

To add a remark to an ACL named INBOUND, enter:

host1/Admin(config)# access-list INBOUND remark This is a remark

To remove entry comments from an ACL, enter:

host1/Admin(config)# no access-list INBOUND line 200 remark

Related Commands

clear access-list

show access-list

(config) access-list resequence

To resequence the ACL entries in an ACL with a specific starting number and interval, use the access-list resequence command. Use the no form of the command to reset the number assigned to an ACL entry to the default of 10.

access-list name resequence number1 number2

no access-list name resequence number1 number2

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 characters.

resequence

Keyword that specifies the renumbering of the entries in an ACL.

number1

Number assigned to the first entry in the ACL. Enter any integer. The default is 10.

number2

Number added to each entry in the ACL after the first entry. Enter any integer. The default is 10.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release       Modification
3.0(0)A1(2)   This command was introduced.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Examples

To renumber the entries in the ACL named INBOUND starting at 5 with an interval of 15, enter:

host1/Admin(config)# access-list INBOUND resequence 5 15
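The following is an added example, not ACE code, that models the extended ACL behaviour described under access-list extended and access-list resequence: entries take the given line number or the next default increment, lookup is first match in line order with an implicit deny, TCP/UDP port operators (including the inclusive range check that port2 must not be below port1) and the optional ICMP type are honoured, and resequence renumbers from number1 in steps of number2. The ACL entries and packets below are constructed, and treating an ip entry as matching every IP protocol is the author's assumption.

```python
# Added example for this page (not ACE code): extended ACL line numbering, resequence, lookup.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subsets of this page's Table 2-2 (port key words) and Table 2-1 (ICMP types).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "http": 80, "www": 80, "ldap": 389, "https": 443, "ldaps": 636}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "redirect": 5, "echo": 8,
              "time-exceeded": 11}
PortSpec = Optional[Tuple[str, int, int]]  # (operator, port1, port2)

@dataclass
class Entry:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: PortSpec
    dst: ipaddress.IPv4Network
    dst_port: PortSpec
    icmp_type: Optional[int]

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(tok):
    """Consume one address spec: any | host A | A NETMASK."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    return ipaddress.IPv4Network((tok[0], tok[1]), strict=False), tok[2:]

def _parse_ports(tok):
    """Consume an optional [operator port1 [port2]] clause (range is inclusive)."""
    if not tok or tok[0] not in ("lt", "gt", "eq", "neq", "range"):
        return None, tok
    p1 = _port(tok[1])
    p2 = _port(tok[2]) if tok[0] == "range" else p1
    if p2 < p1:
        raise ValueError("port2 must be greater than or equal to port1")
    return (tok[0], p1, p2), tok[3:] if tok[0] == "range" else tok[2:]

def _port_ok(spec: PortSpec, port: Optional[int]) -> bool:
    if spec is None:
        return True
    op, p1, p2 = spec
    return {"lt": port < p1, "gt": port > p1, "eq": port == p1,
            "neq": port != p1, "range": p1 <= port <= p2}[op]

class ExtendedAcl:
    def __init__(self, name: str, increment: int = 10):
        self.name, self.increment, self.entries = name, increment, []

    def add(self, command: str) -> int:
        """Parse 'access-list NAME [line N] extended ...'; return the line number used."""
        tok, line = command.split()[2:], None  # skip 'access-list NAME'
        if tok[0] == "line":
            line, tok = int(tok[1]), tok[2:]
        if tok[0] != "extended":
            raise ValueError("only extended entries are modelled")
        action, proto, tok = tok[1], tok[2], tok[3:]
        has_ports = proto in ("tcp", "udp")
        src, tok = _parse_addr(tok)
        sport, tok = _parse_ports(tok) if has_ports else (None, tok)
        dst, tok = _parse_addr(tok)
        dport, tok = _parse_ports(tok) if has_ports else (None, tok)
        itype = None
        if proto == "icmp" and tok:  # optional icmp_type, by key word or number
            itype = int(tok[0]) if tok[0].isdigit() else ICMP_TYPES[tok[0]]
        if line is None:  # no line given: append using the default increment
            line = (self.entries[-1].line if self.entries else 0) + self.increment
        self.entries.append(Entry(line, action, proto, src, sport, dst, dport, itype))
        self.entries.sort(key=lambda e: e.line)  # position decides lookup order
        return line

    def remove(self, line: int) -> None:
        self.entries = [e for e in self.entries if e.line != line]

    def resequence(self, number1: int, number2: int) -> List[int]:
        """First entry gets number1; every following entry adds number2."""
        for i, e in enumerate(self.entries):
            e.line = number1 + i * number2
        return [e.line for e in self.entries]

    def lookup(self, proto, src_ip, dst_ip, sport=None, dport=None, icmp_type=None):
        """First match wins; no match is an implicit deny. Assumption: 'ip' matches all."""
        s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        for e in self.entries:
            if e.proto not in ("ip", proto) or s not in e.src or d not in e.dst:
                continue
            if e.proto in ("tcp", "udp") and not (
                    _port_ok(e.src_port, sport) and _port_ok(e.dst_port, dport)):
                continue
            if e.icmp_type is not None and e.icmp_type != icmp_type:
                continue
            return e.action, e.line
        return "deny", None
```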

Related Commands

clear access-list

show access-list

(config) arp

To configure the Address Resolution Protocol (ARP) on the ACE to manage and learn the mapping of IP to Media Access Control (MAC) information to forward and transmit packets, use the arp command. Use the no form of the command to remove the ARP entry or reset a default value.

arp {ip_address mac_address | interval seconds | inspection enable [flood | no-flood] | learned-interval seconds | learned-mode enable | rate seconds | retries number}

no arp {ip_address mac_address | interval | inspection enable | learned-interval | learned-mode enable | rate | retries}

Syntax Description

ip_address mac_address

Static ARP entry in the ARP table, allowing ARP responses from an IP address to a MAC address. Enter the IP address in dotted-decimal notation (for example, 172.16.56.76). Enter the MAC address in dotted-hexadecimal notation (for example, 00.60.97.d5.26.ab).

interval seconds

Specifies the interval in seconds that the ACE sends ARP requests to the configured hosts. Enter a number from 15 to 31526000. The default is 300.

inspection enable

Enables ARP inspection, preventing malicious users from impersonating other hosts or routers, known as ARP spoofing. The default is disabled.

flood

(Optional) Enables ARP forwarding of non-matching ARP packets. The ACE forwards all ARP packets to all interfaces in the bridge group. This is the default setting.

no-flood

(Optional) Disables ARP forwarding for the interface and drops non-matching ARP packets.

learned-mode enable

Enables the ACE to learn MAC addresses on all traffic. The default is enabled.

learned-interval seconds

Sets the interval in seconds when the ACE sends ARP requests for learned hosts. Enter a number from 60 to 31536000. The default is 14400.

rate seconds

Specifies the time interval in seconds between ARP retry attempts to hosts. Enter a number from 1 to 60. The default is 10.

retries number

Specifies the number of ARP attempts before the ACE flags the host as down. Enter a number from 2 to 15. The default is 3.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release       Modification
3.0(0)A1(2)   This command was introduced.


Usage Guidelines

This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

When you enable ARP inspection, the ACE compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:

If the IP address, MAC address, and source interface match an ARP entry, the ACE allows the packet to pass.

If a mismatch occurs between the MAC address, the IP address, or the interface, then the ACE drops the packet.

If the ARP packet does not match any entries in the static ARP table, then you can set the ACE to either forward the packet out all interfaces (flood), or to drop the packet.

Examples

To allow ARP responses from the router at 10.1.1.1 with the MAC address 00.02.9a.3b.94.d9, enter:

host1/contexta(config)# arp 10.1.1.1 00.02.9a.3b.94.d9

To remove a static ARP entry, enter:

host1/contexta(config)# no arp 10.1.1.1 00.02.9a.3b.94.d9

To enable ARP inspection, and to drop all non-matching ARP packets, enter:

host1/contexta(config)# arp inspection enable no-flood

To configure the retry attempt interval of 15 seconds, enter:

host1/contexta(config)# arp rate 15

To reset the retry attempt interval to the default of 10 seconds, enter:

host1/contexta(config)# no arp rate

Related Commands

clear arp

show arp

(config) banner

Use the banner motd command to specify a message to display as the message-of-the-day banner when a user connects to the ACE CLI. Use the no form of the command to delete or replace a banner or a line in a multi-line banner.

banner motd text

no banner motd text

Syntax Description

motd

Configures the system to display the text as the message-of-the-day banner when a user connects to the ACE.

text

Line of message text to be displayed as the message-of-the-day banner. The text string consists of all characters following the first space until the end of the line (carriage return or line feed). The # character functions as the delimiting character for each line. For the banner text, spaces are allowed but tabs cannot be entered at the CLI. Multiple lines in a message-of-the-day banner are handled by entering a new banner command for each line that you wish to add.

The banner message is a maximum of 80 characters per line, up to a maximum of 3000 characters (3000 bytes) total for a message-of-the-day banner. This maximum value includes all line feeds and the last delimiting character in the message.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

To replace a banner or a line in a multi-line banner, use the no banner motd command before adding the new lines.

To add multiple lines in a message-of-the-day banner, precede each line by the banner motd command. The ACE appends each line to the end of the existing banner. If the text is empty, the ACE adds a carriage return (CR) to the banner.

You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable. For example:

$(hostname)—Displays the host name for the ACE during run time.

$(line)—Displays the tty (teletypewriter) line or name (for example, "/dev/console", "/dev/pts/0", or "1").

To use $(hostname) in single-line banner motd input, include double quotes (") around the $(hostname) token so that the $ is interpreted as the special character that begins a variable in the single line. For example:

switch/Admin(config)# banner motd #Welcome to "$(hostname)"...#

Do not use the double quote character (") or the percent sign character (%) as a delimiting character in a single-line message string. Do not use the delimiting character within the message string.

For multi-line input, double quotes (") are not required around the token because the input mode is different from single-line mode. The ACE treats the double quote character (") as is when you operate in multi-line mode.

Examples

To add a message-of-the-day banner, enter:

host1/Admin(config)# banner motd #Welcome to the "$(hostname)".
host1/Admin(config)# banner motd Contact me at admin@admin.com for any
host1/Admin(config)# banner motd issues.#
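The delimiter, length and token rules from the usage guidelines, applied to the three-line banner in the example above, as an added Python model (this is not ACE code). The hostname and tty values passed to render() are constructed; the single-line quoting requirement for $(hostname) is a CLI parsing detail that the model does not reproduce.

```python
"""Model of how 'banner motd' lines accumulate and are displayed.
Rules applied: the first '#' opens the banner and the next '#' closes it,
a line holds at most 80 characters, the stored banner (line feeds and the
closing delimiter included) holds at most 3000 bytes, tabs are rejected,
and $(hostname) / $(line) are substituted at display time.
Added illustration, not ACE code."""
import re
from typing import List

MAX_LINE_CHARS = 80
MAX_TOTAL_BYTES = 3000
DELIM = "#"
TOKEN_RE = re.compile(r"\$\((hostname|line)\)")


class BannerMotd:
    def __init__(self) -> None:
        self.lines: List[str] = []   # stored lines with the delimiters stripped
        self.complete = False        # True once the closing delimiter has been seen

    def stored_size(self) -> int:
        """Bytes stored: each line plus its line feed, plus the closing delimiter."""
        return sum(len(line) + 1 for line in self.lines) + len(DELIM)

    def add(self, text: str) -> None:
        """Model one 'banner motd <text>' command in multi-line input mode."""
        if self.complete:
            raise ValueError("banner already closed; use 'no banner motd' before replacing it")
        if "\t" in text:
            raise ValueError("tabs cannot be entered at the CLI")
        if not self.lines:
            if not text.startswith(DELIM):
                raise ValueError("the first line must begin with the # delimiter")
            text = text[len(DELIM):]
        closes = text.endswith(DELIM)
        if closes:
            text = text[:-len(DELIM)]
        if DELIM in text:
            raise ValueError("the delimiting character may not appear inside the message")
        if len(text) > MAX_LINE_CHARS:
            raise ValueError(f"line exceeds {MAX_LINE_CHARS} characters")
        self.lines.append(text)            # empty text stores an empty line (a bare CR)
        if self.stored_size() > MAX_TOTAL_BYTES:
            self.lines.pop()               # reject the line that overflowed the banner
            raise ValueError(f"banner exceeds {MAX_TOTAL_BYTES} bytes")
        self.complete = closes

    def clear(self) -> None:
        """Model 'no banner motd'."""
        self.lines.clear()
        self.complete = False

    def render(self, hostname: str, line: str) -> str:
        """Text shown at login, with $(hostname) and $(line) replaced by runtime values."""
        values = {"hostname": hostname, "line": line}
        return "\n".join(TOKEN_RE.sub(lambda m: values[m.group(1)], ln) for ln in self.lines)


if __name__ == "__main__":
    banner = BannerMotd()
    banner.add('#Welcome to the "$(hostname)".')
    banner.add("Contact me at admin@admin.com for any")
    banner.add("issues.#")
    print(banner.render("host1", "/dev/pts/0"))   # constructed runtime values
```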

Related Commands

show banner motd

(config) boot system

To set the BOOT environment variable, use the boot system image: command. Use the no form of the command to remove the name of the system image file.

boot system image:filename

no boot system image:filename

Syntax Description

filename

Name of the system image file


Command Modes

Configuration mode

Admin context only

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

You can add several images to the BOOT environment variable to provide a fail-safe boot configuration. If the first file fails to boot the ACE, subsequent images that are specified in the BOOT environment variable are tried until the ACE boots or there are no additional images to attempt to boot. If there is no valid image to boot, the ACE enters ROM-monitor mode where you can manually specify an image to boot.

The ACE stores and executes images in the order in which you added them to the BOOT environment variable. If you want to change the order in which images are tried at startup, you can either prepend and clear images from the BOOT environment variable to attain the desired order or you can clear the entire BOOT environment variable and then redefine the list in the desired order.

If the file does not exist (for example, if you entered the wrong filename), then the filename is appended to the boot string, and this message displays:

Warning: File not found but still added in the bootstring.

If the file does exist, but is not a valid image, the file is not added to the bootstring, and this message displays:

Warning: file found but it is not a valid boot image.

Examples

To set the BOOT environment variable, enter:

host1/Admin(config)# boot system image:sb-ace.REL_1_0_0

Related Commands

show bootvar

(config) config-register

(config) class-map

To create a Layer 3 and Layer 4 or a Layer 7 class map, use the class-map command. Use the no form of the class-map command to remove a class map from the ACE.

class-map [type {ftp inspect | http {inspect | loadbalance} | management}] [match-all | match-any] map_name

no class-map [type {ftp inspect | http {inspect | loadbalance} | management}] [match-all | match-any] map_name

Syntax Description

type

(Optional) Specifies the class map type that is to be defined. When you specify a class type, you enter its corresponding class map configuration mode (for example, HTTP inspection).

ftp inspect

Specifies a Layer 7 class map for the inspection of FTP request commands. For information about commands in FTP inspection configuration mode, see the "Class Map FTP Inspection Configuration Mode Commands" section.

http inspect | loadbalance

Specifies a Layer 7 class map for HTTP server load balancing (loadbalance keyword), or a Layer 7 class map for HTTP deep packet application protocol inspection (inspect keyword) of traffic through the ACE.

For information about commands in class map HTTP inspection configuration mode, see the "Class Map HTTP Inspection Configuration Mode Commands" section.

For information about commands in class map HTTP server load balancing configuration mode, see the "Class Map HTTP Load Balancing Configuration Mode Commands" section.

management

Specifies a Layer 3 and Layer 4 class map to classify the IP network management protocols received by the ACE. For information about commands in class map management configuration mode, see the "Class Map Management Configuration Mode Commands" section.

match-all | match-any

(Optional) Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:

match-all—All of the match criteria listed in the class map are satisfied to match the network traffic class in the class map, typically match commands of different types.

match-any—Only one of the match criteria listed in the class map is satisfied to match the network traffic class in the class map, typically match commands of the same type.

The default setting is to meet all of the match criteria (match-all) in a class map.

map_name

The name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For a Layer 3 and Layer 4 class map, you enter the class map configuration mode and the prompt changes to (config-cmap).


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the inspect, loadbalance, NAT, connection, SSL, or vip feature in your user role, depending on the type of class map you want to configure. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Use the class map configuration mode commands to create class maps that classify inbound network traffic destined to, or passing through, the ACE based on a series of flow match criteria specified in the class map. The CLI prompt changes correspondingly to the selected class map configuration mode: (config-cmap), (config-cmap-ftp-insp), (config-cmap-http-insp), (config-cmap-http-lb), or (config-cmap-mgmt).

A Layer 3 and Layer 4 class map contains match criteria that classify:

Network traffic that can pass through the ACE based on source or destination IP address, source or destination port, IP protocol and port

Network management traffic that can be received by the ACE based on management protocol: HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet

A Layer 7 class map contains match criteria that classify specific Layer 7 protocol information. The match criteria enable the ACE to:

Perform server load balancing based on HTTP cookie, HTTP header, HTTP URL, protocol header fields, or source IP addresses

Perform deep packet inspection of the HTTP protocol

Perform FTP request command filtering

The ACE supports a system-wide maximum of 8192 class maps.

For details about creating a class map, see the Cisco Application Control Engine Module Administration Guide.

When multiple match criteria exist in the traffic class, you can identify evaluation instructions using the match-any or match-all keywords. If you specify match-any as the evaluation instruction, the traffic being evaluated must match one of the specified criteria, typically match commands of the same type. If you specify match-all as the evaluation instruction, the traffic being evaluated must match all of the specified criteria, typically match commands of different types.

Examples

To create a Layer 3 and Layer 4 class map named L4VIP_CLASS that specifies the network traffic that can pass through the ACE for server load-balancing, enter:

host1/Admin(config)# class-map match-all L4VIP_CLASS
host1/Admin(config-cmap)#

To create a Layer 3 and Layer 4 class map named MGMT-ACCESS_CLASS that classifies the network management protocols that can be received by the ACE, enter:

host1/Admin(config)# class-map type management match-any MGMT-ACCESS_CLASS
host1/Admin(config-cmap-mgmt)# 

To create a Layer 7 class map named L7SLB_CLASS that performs server load-balancing, enter:

host1/Admin(config)# class-map type http loadbalance match-any L7SLB_CLASS
host1/Admin(config-cmap-http-lb)# 

To create a Layer 7 class map named HTTP_INSPECT_L7CLASS that performs HTTP deep packet inspection, enter:

host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# 

To create a Layer 7 class map named FTP_INSPECT_L7CLASS that performs FTP command inspection, enter:

host1/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
host1/Admin(config-cmap-ftp-insp)# 

Related Commands

show startup-config

(config) policy-map

(config) service-policy

(config) clock timezone

To set the time zone, use the clock timezone command. The ACE keeps time internally as a Coordinated Universal Time (UTC) offset, so this command is used only for display purposes and when the time is set manually. Use the no form of this command to remove the clock timezone setting.

clock timezone {zone_name {+ | -} hours minutes} | {standard time_zone}

no clock timezone

Syntax Description

zone_name

The 8-character name of the time zone (for example, PDT) to be displayed when time zone is in effect. See the table in the Usage Guidelines section for a list of the common time zone acronyms used for this argument.

hours

Hours offset from Coordinated Universal Time (UTC).

minutes

Minutes offset from UTC. Range is from 0 to 59 minutes.

standard time_zone

Sets the time to a standard time zone that includes an applicable UTC hours offset. Enter one of the following well-known time zones:

AKST—Alaska Standard Time, as UTC -9 hours

AST—Atlantic Standard Time, as UTC -4 hours

BST—British Summer Time, as UTC + 1 hour

CEST—Central Europe Summer Time, as UTC + 2 hours

CET—Central Europe Time, as UTC + 1 hour

CST—Central Standard Time, as UTC -6 hours

CST—Central Standard Time (Australia), as UTC + 9.5 hours

EEST—Eastern Europe Summer Time, as UTC + 3 hours

EET—Eastern Europe Time, as UTC + 2 hours

EST—Eastern Standard Time, as UTC -5 hours

GMT—Greenwich Mean Time, as UTC

HST—Hawaiian Standard Time, as UTC -10 hours

IST—Irish Summer Time, as UTC + 1 hour

MSD—Moscow Summer Time, as UTC + 4 hours

MSK—Moscow Time, as UTC + 3 hours

MST—Mountain Standard Time, as UTC -7 hours

PST—Pacific Standard Time, as UTC -8 hours

WEST—Western Europe Summer Time, as UTC + 1 hour

WST—Western Standard Time, as UTC + 8 hours


Command Modes

Configuration mode

Admin context only

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The following table lists common time zone acronyms used for the zone_name argument.

Acronym   Time Zone Name and UTC Offset

Europe

BST       British Summer Time, as UTC + 1 hour
CET       Central Europe Time, as UTC + 1 hour
CEST      Central Europe Summer Time, as UTC + 2 hours
EET       Eastern Europe Time, as UTC + 2 hours
EEST      Eastern Europe Summer Time, as UTC + 3 hours
GMT       Greenwich Mean Time, as UTC
IST       Irish Summer Time, as UTC + 1 hour
MSK       Moscow Time, as UTC + 3 hours
MSD       Moscow Summer Time, as UTC + 4 hours
WET       Western Europe Time, as UTC
WEST      Western Europe Summer Time, as UTC + 1 hour

United States and Canada

AST       Atlantic Standard Time, as UTC -4 hours
ADT       Atlantic Daylight Time, as UTC -3 hours
CT        Central Time, either as CST or CDT, depending on place and time of year
CST       Central Standard Time, as UTC -6 hours
CDT       Central Daylight Saving Time, as UTC -5 hours
ET        Eastern Time, either as EST or EDT, depending on place and time of year
EST       Eastern Standard Time, as UTC -5 hours
EDT       Eastern Daylight Saving Time, as UTC -4 hours
MT        Mountain Time, either as MST or MDT, depending on place and time of year
MDT       Mountain Daylight Saving Time, as UTC -6 hours
MST       Mountain Standard Time, as UTC -7 hours
PT        Pacific Time, either as PST or PDT, depending on place and time of year
PDT       Pacific Daylight Saving Time, as UTC -7 hours
PST       Pacific Standard Time, as UTC -8 hours
AKST      Alaska Standard Time, as UTC -9 hours
AKDT      Alaska Standard Daylight Saving Time, as UTC -8 hours
HST       Hawaiian Standard Time, as UTC -10 hours

Australia

CST       Central Standard Time, as UTC + 9.5 hours
EST       Eastern Standard/Summer Time, as UTC + 10 hours (+11 hours during summer time)
WST       Western Standard Time, as UTC + 8 hours


Examples

To set the time zone to PST with a UTC offset of -8 hours, enter:

host1/Admin(config)# clock timezone PST -8 0

To remove the clock timezone setting, enter:

host1/Admin(config)# no clock timezone PST -8 0

Related Commands

show clock

(config) clock summer-time

(config) clock summer-time

To configure the ACE to change the time automatically to summer time (daylight saving time), use the clock summer-time command. Use the no form of the command to remove the clock summer-time setting.

clock summer-time {daylight_timezone_name start_week start_day start_month start_time end_week end_day end_month end_time daylight_offset | standard time_zone}

no clock summer-time

Syntax Description

daylight_timezone_name

The 8-character name of the time zone (for example, PDT) to be displayed when summer time is in effect. For a list of the common time zone acronyms used for this argument, see the Usage Guidelines section for the (config) clock timezone command.

start_week end_week

The start and end week, ranging from 1 through 5.

start_day end_day

The start and end day, ranging from Sunday through Saturday.

start_month end_month

The start and end month, ranging from January through December.

start_time end_time

Time (military format) in hours and minutes.

daylight_offset

Number of minutes to add during summer time. Valid entries are 1 to 1440. The default is 60.

standard time_zone

Sets the daylight time to a standard time zone that includes an applicable daylight time start and end range along with a daylight offset. Enter one of the following well-known time zones:

ADT—Atlantic Daylight Time: 2 am 1st Sunday April - 2 am last Sunday Oct, +60 min

AKDT—Alaska Standard Daylight Time: 2 am 1st Sunday April - 2 am last Sunday Oct, +60 min

CDT—Central Daylight Time: 2 am 1st Sunday April - 2 am last Sunday Oct, +60 min

EDT—Eastern Daylight Time: 2 am 1st Sunday April - 2 am last Sunday Oct, +60 min

MDT—Mountain Daylight Time: 2 am 1st Sunday April - 2 am last Sunday Oct, +60 min

PDT—Pacific Daylight Time: 2 am 1st Sunday April - 2 am last Sunday Oct, +60 min


Command Modes

Configuration mode

Admin context only

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The first part of the command specifies when summer time begins, and the second part of the command specifies when summer time ends. All times are relative to the local time zone; the start time is relative to standard time and the end time is relative to summer time. If the starting month is after the ending month, the ACE assumes that you are located in the Southern Hemisphere.

Examples

To specify that summer time begins on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00, with a daylight offset of 60 minutes, enter:

host1/Admin(config)# clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60

To remove the clock summer-time setting, enter:

host1/Admin(config)# no clock summer-time
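The start and end rule from the usage guidelines, including the Southern Hemisphere case, as an added Python model (this is not ACE code) that parses the command form used in the example above. It assumes that week 5 means the last such weekday even in a month that has only four of them, and that the clock value fed to it is local standard time; the reversed-month command string in the __main__ block is constructed.

```python
"""Model of the clock summer-time rule: the start time is read as
standard time, the end time as summer time, and a start month later
than the end month means the Southern Hemisphere (the interval wraps
around the new year). Added illustration, not ACE code."""
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Tuple

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
MONTHS = {name.lower(): i for i, name in enumerate(calendar.month_abbr) if name}


def _weekday(s: str) -> int:        # "Sun" or "Sunday" -> 6
    return WEEKDAYS[s[:3].lower()]


def _month(s: str) -> int:          # "Apr" or "April" -> 4
    return MONTHS[s[:3].lower()]


def _hhmm(s: str) -> time:          # "02:00" -> time(2, 0)
    h, m = s.split(":")
    return time(int(h), int(m))


def nth_weekday(year: int, month: int, weekday: int, week: int) -> date:
    """Date of the week-th <weekday> in <month>; week 5 falls back to the last one (assumption)."""
    first_wd = date(year, month, 1).weekday()
    day = 1 + (weekday - first_wd) % 7 + 7 * (week - 1)
    last = calendar.monthrange(year, month)[1]
    while day > last:
        day -= 7
    return date(year, month, day)


@dataclass(frozen=True)
class SummerTime:
    name: str
    start_week: int
    start_day: int
    start_month: int
    start_time: time
    end_week: int
    end_day: int
    end_month: int
    end_time: time
    offset_min: int

    @classmethod
    def parse(cls, cmd: str) -> "SummerTime":
        """Parse 'clock summer-time name sw sd sm st ew ed em et daylight_offset'."""
        t = cmd.split()
        if t[:2] != ["clock", "summer-time"] or len(t) != 12:
            raise ValueError("expected 10 arguments after 'clock summer-time'")
        weeks = (int(t[3]), int(t[7]))
        if any(not 1 <= w <= 5 for w in weeks):
            raise ValueError("week must be 1 through 5")
        offset = int(t[11])
        if not 1 <= offset <= 1440:
            raise ValueError("daylight_offset must be 1 through 1440 minutes")
        return cls(t[2], weeks[0], _weekday(t[4]), _month(t[5]), _hhmm(t[6]),
                   weeks[1], _weekday(t[8]), _month(t[9]), _hhmm(t[10]), offset)

    def boundaries(self, year: int) -> Tuple[datetime, datetime]:
        """(start, end) of summer time in <year>, both expressed in local standard time."""
        start = datetime.combine(
            nth_weekday(year, self.start_month, self.start_day, self.start_week), self.start_time)
        end_summer = datetime.combine(
            nth_weekday(year, self.end_month, self.end_day, self.end_week), self.end_time)
        # The end time is given in summer time, so shift it back by the offset.
        return start, end_summer - timedelta(minutes=self.offset_min)

    def in_effect(self, t_std: datetime) -> bool:
        """True when summer time applies at local standard time t_std."""
        start, end = self.boundaries(t_std.year)
        if start <= end:                          # Northern Hemisphere: one interval in the year
            return start <= t_std < end
        return t_std >= start or t_std < end      # Southern Hemisphere: wraps the new year

    def display(self, t_std: datetime, standard_name: str) -> Tuple[datetime, str]:
        """Clock value and zone name shown for a standard-time instant."""
        if self.in_effect(t_std):
            return t_std + timedelta(minutes=self.offset_min), self.name
        return t_std, standard_name


if __name__ == "__main__":
    st = SummerTime.parse("clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60")
    print(st.boundaries(2006))                       # (2006-04-02 02:00, 2006-10-29 01:00)
    print(st.display(datetime(2006, 7, 4, 12, 0), "PST"))
    south = SummerTime.parse("clock summer-time Summer 1 Sun Oct 02:00 1 Sun Apr 03:00 60")  # constructed
    print(south.in_effect(datetime(2006, 1, 15, 12, 0)))
```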

Related Commands

show clock

(config) clock timezone

(config) config-register

To change the configuration register settings, use the config-register configuration command. Use the no form of this command to reset the config-register to its default setting of 0.

config-register value

no config-register value

Syntax Description

value

The configuration register value that you want to use the next time you restart the ACE. The supported value entries include:

0—Upon reboot, the ACE boots to ROM monitor. The ACE remains in ROM monitor mode at startup.

1—Upon reboot, the ACE boots the system image identified in the BOOT environment variable (see the (config) boot system command). The BOOT environment variable specifies a list of image files on various devices from which the ACE can boot at startup. If the ACE encounters an error or if the image is not valid, it will try the second image (if one is specified). If the second image also fails to boot, the ACE returns to ROM monitor.


Command Modes

Configuration mode

Admin context only

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

You can modify the boot method that the ACE uses at the next startup by setting the boot field in the software configuration register. The configuration register identifies how the ACE should boot and where the system image is stored. You can modify the boot field to force the ACE to boot a particular system image at startup instead of using the default system image.

The config-register command affects only the configuration register bits that control the boot field and leaves the remaining bits unaltered.

Examples

To set the boot field in the configuration register to boot the system image identified in the BOOT environment variable upon reboot, enter:

host1/Admin(config)# config-register 1

Related Commands

(config) boot system

(config) context

To create a context, use the context command. The CLI prompt changes to (config-context). A context provides a user view into the ACE and determines the resources available to a user. Use the no form of the command to remove a context.

context name

no context name

Syntax Description

name

The name that designates a context. Enter an unquoted text string with no spaces and a maximum of 64 characters.


Command Modes

Configuration mode

Admin context only

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

By default, the ACE allows you to create and use five user-configured contexts plus the default Admin context. To use a maximum of 251 contexts (Admin context plus 250 user contexts), you must purchase an additional license from Cisco Systems.

Examples

To create a context called C1, enter:

host1/Admin(config)# context C1
host1/Admin(config-context)#

To remove the context from the configuration, enter:

host1/Admin(config)# no context C1

Related Commands

changeto

show context

show user-account

show users

(config) crypto chaingroup

To create a certificate chain group, use the crypto chaingroup command. Once you create a chain group, the CLI enters into the chaingroup configuration mode, where you add the required certificate files to the group. Use the no form of the command to delete an existing chain group.

crypto chaingroup group_name

no crypto chaingroup group_name

Syntax Description

group_name

Name you assign the chain group. Enter the chain group name as an alphanumeric string from 1 to 64 characters in length.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

A chain group specifies which certificate chains the ACE sends to its peer during the handshake process. A certificate chain is a hierarchical list of certificates that includes the subject's certificate, the root CA certificate, and any intermediate CA certificates. Each context on the ACE can contain up to eight chain groups.

You include a chain group in the handshake process by configuring the SSL proxy-service with the chain group (see the (config) ssl-proxy service command).

Examples

To create the chain group MYCHAINGROUP, enter:

host1/Admin(config)# crypto chaingroup MYCHAINGROUP

Related Commands

(config) ssl-proxy service

(config) crypto csr-params

To create a CSR (Certificate Signing Request) parameter set to define a set of distinguished name attributes, use the crypto csr-params command. When you create a CSR parameter set, the CLI enters into the csr-params configuration mode, where you define each of the distinguished name attributes. Use the no form of this command to remove an existing CSR parameter set.

crypto csr-params csr_param_name

no crypto csr-params csr_param_name

Syntax Description

csr_param_name

Name that designates a CSR parameter set. Enter the CSR parameter set name as an alphanumeric string from 1 to 64 characters in length.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

A CSR parameter set defines the distinguished name attributes the ACE applies to the CSR during the CSR-generating process. The distinguished name attributes provide the CA with the information it needs to authenticate your site. Creating a CSR parameter set allows you to generate multiple CSRs with the same distinguished name attributes. You can create up to eight CSR parameter sets per context.

When you use the crypto csr-params command to specify a CSR parameter set, the prompt changes to the csr-params configuration mode (for more information on this mode and commands, see the "CSR Parameters Configuration Mode Commands" section), where you define each of the distinguished name attributes. The ACE requires that you define the following attributes:

Country name

State or province

Common name

Serial number

If you do not configure the required attributes, the ACE displays an error message when you attempt to generate a CSR using the incomplete CSR parameter set.

Examples

To create the CSR parameter set CSR_PARAMS_1, enter:

host1/Admin(config)# crypto csr-params CSR_PARAMS_1

host1/Admin(config-csr-params)#

Related Commands

crypto generate csr

show crypto

(config) domain

To create a domain, use the domain command. The CLI prompt changes to (config-domain). See the "Domain Configuration Mode Commands" section for details. Use the no form of this command to remove a domain from the configuration.

domain name

no domain name

Syntax Description

name

The name for the domain. Enter an unquoted text string with no spaces and a maximum of 64 characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

A domain does not restrict the context configuration that you can display using the show running-config command. You can still display the running configuration for the entire context. However, a domain can restrict your access to the configurable objects within a context by adding to the domain only a limited subset of all the objects available to a context. To limit a user's ability to manipulate the objects in a domain, you can assign a role to that user. For more information about domains and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Examples

To create a domain named D1, enter:

host1/Admin(config)# domain D1
host1/Admin(config-domain)# 

Related Commands

(config) context

show user-account

show users

(config) end

To exit from configuration mode and return to Exec mode, use the end command.

end

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

You can also press Ctrl-Z or enter the exit command to exit configuration mode.

Examples

To exit from configuration mode and return to Exec mode, enter:

host1/Admin(config)# end
host1/Admin#

Related Commands

This command has no related commands.

(config) exit

To exit from the current configuration mode and return to the previous mode, use the exit command.

exit

Syntax Description

This command has no keywords or arguments.

Command Modes

All configuration modes

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

In configuration mode, the exit command transitions to the Exec mode.

In all other configuration modes, the exit command transitions to the previous configuration mode.

You can also press Ctrl-Z, enter the (config) end command, or enter the exit command to exit configuration mode.

Examples

To exit from configuration mode and return to Exec mode, enter:

host1/Admin(config)# exit
host1/Admin# 

To exit from interface configuration mode and return to configuration mode, enter:

host1/Admin(config-if)# exit
host1/Admin(config)# 

Related Commands

This command has no related commands.

(config) ft auto-sync

To enable automatic synchronization of the running-configuration and the startup-configuration files in a redundancy configuration, use the ft auto-sync command. Use the no form of this command to disable the automatic synchronization of the running-configuration or the startup-configuration file.

ft auto-sync {running-config | startup-config}

no ft auto-sync {running-config | startup-config}

Syntax Description

running-config

Enables autosynchronization of the running-configuration file. The default is enabled.

startup-config

Enables autosynchronization of the startup-configuration file. The default is disabled.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

By default, the ACE automatically updates the running configuration on the standby context of an FT group with any changes that occur to the running configuration of the active context. If you disable the ft auto-sync command, you need to update the configuration of the standby context manually. For more information about configuration synchronization and configuring redundancy, see the Cisco Application Control Engine Module Administration Guide.


Caution Toggling ft auto-sync running-config in the Admin context may have undesirable side effects if the same command is also disabled in an active user context. If ft auto-sync running-config is disabled in the active Admin context and in an active user context, and you subsequently enable ft auto-sync running-config in the active Admin context first, the entire configuration of the standby user context will be lost. Always enable ft auto-sync running-config in the active user context first, then enable the command in the active Admin context.

Examples

To enable autosynchronization of the running-configuration file in the C1 context, enter:

host1/C1(config)# ft auto-sync running-config

Related Commands

(config) ft group

(config) ft peer

(config) ft interface vlan

(config) ft track host

(config) ft track hsrp

(config) ft track interface

(config) ft group

To create a fault tolerant (FT) group for redundancy, use the ft group command. After you execute this command, the system enters the FT group configuration mode. Use the no form of this command to remove an FT group from the configuration.

ft group group_id

no ft group group_id

Syntax Description

group_id

A unique identifier of the FT group. Enter an integer from 1 to 255.


Command Modes

Configuration mode

Admin context only

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

You must configure the same group ID on both peer modules.

On each ACE, you can create multiple FT groups, up to a maximum of 256 groups. Each group consists of a maximum of two members (contexts): one active context on one module and one standby context on the peer module.

For information about commands in FT group configuration mode, see the "FT Group Configuration Mode Commands" section.

Examples

To configure a fault tolerant group, enter:

host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)#

To remove the group from the configuration, enter:

host1/Admin(config)# no ft group 1

Related Commands

(config) ft auto-sync

(config) ft peer

(config) ft interface vlan

(config) ft track host

(config) ft track hsrp

(config) ft track interface

(config) ft interface vlan

To create a dedicated fault tolerance (FT) VLAN over which two redundant peers communicate, use the ft interface vlan command. After you execute this command, the system enters the FT interface configuration mode. Use the no form of this command to remove an FT VLAN from the configuration.

ft interface vlan vlan_id

no ft interface vlan vlan_id

Syntax Description

vlan_id

A unique identifier for the FT VLAN. Enter an integer from 2 to 4094.


Command Modes

Configuration mode

Admin context only

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Peer ACEs communicate with each other over a dedicated FT VLAN. These redundant peers use the FT VLAN to transmit and receive heartbeat packets and state and configuration replication packets. You must configure the same VLAN on each peer module. You cannot use this VLAN for normal network traffic.

To remove an FT VLAN, first remove it from the FT peer using the no ft-interface vlan command in FT peer configuration mode. See the (config-ft-peer) ft-interface vlan command for more information.

Examples

To configure a fault tolerant VLAN, enter:

host1/Admin(config)# ft interface vlan 200
host1/Admin(config-ft-intf)#

To remove the FT VLAN from the redundancy configuration, enter:

host1/Admin(config)# no ft interface vlan 200

Related Commands

(config) ft group

(config) ft peer

(config) ft auto-sync

(config) ft track host

(config) ft track hsrp

(config) ft track interface

(config) ft peer

To create an FT peer definition, use the ft peer command. You must configure the FT peer on both redundant ACEs. After you execute this command, the system enters the FT peer configuration mode. You can configure a maximum of two ACEs as redundancy peers. Use the no form of this command to remove the FT peer from the configuration.

ft peer peer_id

no ft peer peer_id

Syntax Description

peer_id

Unique identifier of the FT peer. Enter 1.


Command Modes

Configuration mode

Admin context only

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Each ACE module can have one FT peer. FT peers are redundant ACE modules that communicate with each other over a dedicated FT VLAN.

Before you can remove an FT peer from the configuration, remove the peer from the FT group using the no peer command in FT group configuration mode.

For information about commands in FT peer configuration mode, see the "FT Peer Configuration Mode Commands" section.

Examples

To configure an FT peer, enter:

host1/Admin(config)# ft peer 1
host1/Admin(config-ft-peer)#

Related Commands

(config) ft group

(config) ft auto-sync

(config) ft interface vlan

(config) ft track host

(config) ft track hsrp

(config) ft track interface

(config) ft track host

To create a tracking and failure detection process for a gateway or host, use the ft track host command. After you execute this command, the system enters FT track host configuration mode. Use the no form of the command to remove the gateway-tracking process.

ft track host name

no ft track host name

Syntax Description

name

Unique identifier of the tracking process for a gateway or host. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

For information about commands in FT track host configuration mode, see the "FT Track Host Configuration Mode Commands" section.

For details about configuring redundant ACE modules, see Cisco Application Control Engine Module Administration Guide.

Examples

To create a tracking process for a gateway, enter:

host1/Admin(config)# ft track host TRACK_GATEWAY1
host1/Admin(config-ft-track-host)#

To remove the gateway-tracking process, enter:

host1/Admin(config)# no ft track host TRACK_GATEWAY1

Related Commands

(config) ft track hsrp

(config) ft track interface

(config) ft track hsrp

To configure failure detection and tracking for a Hot Standby Router Protocol (HSRP) group, use the ft track hsrp command. After you execute this command, the system enters FT track hsrp configuration mode. Use the no form of this command to stop tracking for an HSRP group.

ft track hsrp name

no ft track hsrp name

Syntax Description

name

Unique identifier of the tracking process for an HSRP group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

You must configure the HSRP group on the Catalyst 6500 Supervisor before you configure HSRP tracking on the ACE. Failure to do so may result in erroneous state information for the HSRP group being displayed in the show ft track detail command output in Exec mode. For information about commands in FT track hsrp configuration mode, see the "FT Track HSRP Configuration Mode Commands" section.

For details about configuring redundant ACE modules, see Cisco Application Control Engine Module Administration Guide.

Examples

To configure fault-tolerance tracking for an HSRP group, enter:

host1/Admin(config)# ft track hsrp TRACK_HSRP_GRP1
host1/Admin(config-ft-track-hsrp)#

To remove the HSRP group-tracking process, enter:

host1/Admin(config)# no ft track hsrp TRACK_HSRP_GRP1

Related Commands

(config) ft group

(config) ft peer

(config) ft interface vlan

(config) ft track host

(config) ft auto-sync

(config) ft track interface

(config) ft track interface

To create a tracking and failure detection process for a critical interface, use the ft track interface command. After you execute this command, the system enters FT track interface configuration mode. Use the no form of this command to stop tracking for an interface.

ft track interface name

no ft track interface name

Syntax Description

name

Unique identifier of the tracking process for a critical interface. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

You cannot delete an interface if the ACE is using the interface for tracking. Also, you cannot configure the FT VLAN for tracking.

For information about commands in FT track interface configuration mode, see the "FT Track Interface Configuration Mode Commands" section.

For details about configuring redundant ACE modules, see Cisco Application Control Engine Module Administration Guide.

Examples

To configure a tracking and failure detection process for an interface, enter:

host1/Admin(config)# ft track interface TRACK_VLAN100

To remove the interface-tracking process, enter:

host1/Admin(config)# no ft track interface TRACK_VLAN100

Related Commands

(config) ft group

(config) ft peer

(config) ft interface vlan

(config) ft track host

(config) ft track hsrp

(config) ft auto-sync
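The ft commands above are each documented in isolation. The following running-config fragment, added here as an editor's example and not taken from the Cisco documentation, shows how they fit together on a pair of redundant modules. The FT submode commands it uses (ip address, peer ip address, no shutdown, heartbeat interval, heartbeat count, track-interface, peer track-interface, priority, peer priority, associate-context, inservice) belong to the FT submodes that this page only references; the VLAN numbers, addresses, host names and tracking name are assumptions. Lines starting with "!" are annotations, not configuration.

```text
! Active module (host1).
! FT VLAN: dedicated to heartbeats and state/config replication; it
! cannot carry data traffic and cannot itself be tracked.
ft interface vlan 200
  ip address 192.168.250.1 255.255.255.0
  peer ip address 192.168.250.2 255.255.255.0
  no shutdown
! Peer definition: only peer 1 exists. Heartbeat every 300 ms; the peer
! is declared down after 10 missed heartbeats.
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 200
! Tracking: if data VLAN 100 goes down, subtract 100 from this group's
! priority so that the peer (priority 100) wins the next election.
ft track interface TRACK_VLAN100
  track-interface vlan 100
  peer track-interface vlan 100
  priority 100
  peer priority 100
! FT group 1 protects the Admin context; same group ID on both modules.
ft group 1
  peer 1
  priority 150
  peer priority 100
  associate-context Admin
  inservice

! Standby module (host2): identical, except that the FT VLAN addresses
! and the priority / peer priority values are mirrored.
ft interface vlan 200
  ip address 192.168.250.2 255.255.255.0
  peer ip address 192.168.250.1 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 200
ft track interface TRACK_VLAN100
  track-interface vlan 100
  peer track-interface vlan 100
  priority 100
  peer priority 100
ft group 1
  peer 1
  priority 100
  peer priority 150
  associate-context Admin
  inservice
```

Check the result with show ft track detail (referenced on this page) and, assuming it is available, show ft group detail. Two ordering rules from the sections above matter when you tear this down: remove the peer from the group (no peer in FT group mode) before no ft peer, and remove the VLAN from the peer (no ft-interface vlan in FT peer mode) before no ft interface vlan. Because the FT VLAN carries configuration replication, treat it as a management network on the switch side: keep it on the trunk between the two modules only and do not extend it to host-facing ports.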

(config) hostname

To specify a host name for the ACE, use the hostname command. The host name is used for the command line prompts and default configuration filenames. If you establish sessions to multiple devices, the host name helps you keep track of where you enter commands. Use the no form of this command to reset the hostname to the default of switch.

hostname name

no hostname name

Syntax Description

name

A new host name for the ACE. Enter a case-sensitive text string that contains from 1 to 32 alphanumeric characters.


Command Modes

Configuration mode

Admin context only

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

By default, the host name for the ACE is switch.

Examples

To change the host name of the ACE from switch to ACE_1, enter:

switch/Admin(config)# hostname ACE_1
ACE_1/Admin(config)# 

Related Commands

This command has no related commands.

(config) interface

To create a bridge-group virtual interface (BVI) or VLAN interface, use the interface command. The CLI prompt changes to (config-if). Use the no form of this command to remove the interface.

interface {bvi group_number | vlan number}

no interface {bvi group_number | vlan number}

Syntax Description

bvi group_number

Creates a BVI for a bridge group and accesses interface configuration mode commands for the BVI. The group_number argument is the bridge-group number configured on a VLAN interface.

vlan number

Assigns the VLAN to the context and accesses interface configuration mode commands for the VLAN. The number argument is the number for a VLAN assigned to the ACE.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

For information about commands in interface configuration mode, see the "Interface Configuration Mode Commands" section.

Examples

To assign VLAN interface 100 to the Admin context and access interface configuration mode, enter:

host1/Admin(config)# interface vlan 100
host1/Admin(config-if)#

Related Commands

clear interface

show interface

(config) ip dhcp relay

To configure a DHCP relay agent on the ACE, use the ip dhcp relay command. When you configure the ACE as a DHCP relay agent, it is responsible for forwarding the requests and responses negotiated between the DHCP clients and the server. You must configure a DHCP server in conjunction with enabling the DHCP relay. Use the no form of this command to disable a DHCP relay agent setting.

ip dhcp relay {enable | information policy {keep | replace} | server ip_address}

no ip dhcp relay {enable | information policy {keep | replace} | server ip_address}

Syntax Description

enable

Accepts DHCP requests from clients on the associated context or interface and enables the DHCP relay agent. The DHCP relay starts forwarding packets to the DHCP server address specified in the ip dhcp relay server command for the associated interface or context.

information policy

Configures the relay agent information policy, which determines what the DHCP relay agent does when a forwarded client message already contains relay agent information inserted by another relay.

keep

Indicates that existing information is left unchanged on the DHCP relay agent. This is the default setting.

replace

Indicates that existing information is overwritten on the DHCP relay agent.

server

Specifies the IP address of a DHCP server to which the DHCP relay agent forwards client requests.

ip_address

The IP address of the DHCP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the DHCP feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The DHCP relay agent can be configured at both the context and interface level of the ACE. Note the following configuration considerations:

If you configure the DHCP relay agent at the context level, the configuration is applicable to all interfaces associated with the context.

If you configure the DHCP relay agent at the interface level, the configuration is applicable to that particular interface only; the remaining interfaces fall back to the context-level configuration.

Examples

To set the IP address of a DHCP server at the context level, enter:

host1/Admin# changeto C1
host1/C1# config
Enter configuration commands, one per line. End with CNTL/Z
host1/C1(config)# ip dhcp relay enable
host1/C1(config)# ip dhcp relay server 192.168.20.1

To specify the DHCP relay at the interface level, enter:

host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip dhcp relay enable
host1/Admin(config-if)# ip dhcp relay server 192.168.20.1

To remove the IP address of the DHCP server, enter:

host1/Admin(config-if)# no ip dhcp relay server 192.168.20.1

Related Commands

clear ip

show ip

(config) ip route

To configure a default or static IP route, use the ip route command. Use the no form of this command to remove a default or static IP route from the configuration.

ip route dest_ip_prefix netmask gateway_ip_address

no ip route dest_ip_prefix netmask gateway_ip_address

Syntax Description

dest_ip_prefix

The IP address for the route. The address you specify for the static route is the address that is in the packet before entering the ACE and performing network address translation.

netmask

The subnet mask for the route.

gateway_ip_address

The IP address of the gateway router (the next-hop address for this route). The gateway address must be in the same network as specified in the ip address command for a VLAN interface.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the routing feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The default route identifies the router IP address to which the ACE sends all IP packets for which it does not have a route.

Admin and user contexts do not support dynamic routing, thus you must use static routes for any networks to which the ACE is not directly connected; for example, when there is a router between a network and the ACE.

The ACE supports up to eight equal cost routes on the same interface for load balancing.

Routes that identify a specific destination address take precedence over the default route.

See the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for more information about configuring default or static routes.

Examples

To configure a default route, set both the IP address and the subnet mask for the route to 0.0.0.0. For example, to have the ACE send traffic for which it has no more specific route out to the router at 192.168.4.8, enter:

host1/Admin(config)# ip route 0.0.0.0 0.0.0.0 192.168.4.8

Related Commands

(config-if) ip address

(config) ldap-server host

Use the ldap-server host command to specify the LDAP server IP address, destination port, and other options. You can define multiple ldap-server host commands to configure multiple LDAP servers. Use the no form of this command to revert to a default LDAP server authentication setting.

ldap-server host ip_address [port port_number] [timeout seconds] [rootDN "DN_string" [password bind_password]]

no ldap-server host ip_address [port port_number] [timeout seconds] [rootDN "DN_string" [password bind_password]]

Syntax Description

ip_address

The IP address for the LDAP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).

port port_number

(Optional) Specifies the TCP destination port for communicating authentication requests to the LDAP directory server. The port_number argument specifies the LDAP port number. Enter an integer from 1 to 65535.

timeout seconds

(Optional) Specifies the time in seconds to wait for a response from the LDAP server before the ACE can declare a timeout failure with the LDAP server. Use this option to change the time interval that the ACE waits for the LDAP server to reply to an authentication request. Enter an integer from 1 to 60. The default is 5 seconds.

rootDN "DN_string"

(Optional) Defines the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters to perform operations on the LDAP server directory. The rootDN user can be thought of as the root user for the LDAP server database. Enter a quoted string to a maximum of 63 characters. The default is an empty string.

password bind_password

(Optional) Defines the bind password (rootpw) applied to the rootDN of the LDAP server directory. Enter an unquoted string to a maximum of 63 characters. The default is an empty string.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Guidelines for the port keyword: By default, the LDAP server port is 389. If your LDAP server uses a port other than 389, use the port keyword to configure the ACE for the appropriate port prior to starting the LDAP service. For the specified server, this command overrides the global setting assigned using the ldap-server port command.

Guidelines for the timeout option: By default, the ACE waits five seconds for the LDAP server to reply to an authentication request before the ACE declares a timeout failure and attempts to contact the next server in the group. For the specified server, this command overrides the global setting assigned using the ldap-server timeout command.

Examples

To configure LDAP server authentication parameters, enter:

host1/Admin(config)# ldap-server host 192.168.2.3 port 2003
host1/Admin(config)# ldap-server host 192.168.2.3 timeout 60
host1/Admin(config)# ldap-server host 192.168.2.3 rootDN "cn=manager,dc=cisco,dc=com" password lab

To remove the LDAP server authentication setting, enter:

host1/Admin(config)# no ldap-server host 192.168.2.3 timeout 60

Related Commands

show aaa

(config) aaa group server

(config) ldap-server port

(config) ldap-server timeout

(config) ldap-server port

If your LDAP server listens on a port other than 389 (the default), use the ldap-server port command to globally configure the ACE for that port before you start the LDAP service. This global port setting applies to those LDAP servers for which a TCP port is not individually configured with the ldap-server host command. Use the no form of this command to revert to the default of TCP port 389.

ldap-server port port_number

no ldap-server port port_number

Syntax Description

port_number

The destination port to the LDAP server. Enter an integer from 1 to 65535. The default is TCP port 389.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

To override the global TCP port setting (specified by the ldap-server port command) for a specific server, use the ldap-server host port command.

Examples

To globally configure the TCP port, enter:

host1/Admin(config)# ldap-server port 2003 

To revert to the default of TCP port 389, enter:

host1/Admin(config)# no ldap-server port 2003

Related Commands

show aaa

(config) aaa group server

(config) ldap-server host

(config) ldap-server timeout

(config) ldap-server timeout

To globally change the time interval that the ACE waits for the LDAP server to reply to an authentication request before it declares a timeout failure, use the ldap-server timeout command. By default, the ACE waits five seconds for a response from an LDAP server before it declares a timeout failure and attempts to contact the next server in the group. The ACE applies this global timeout value to those LDAP servers for which a timeout value is not individually configured by the ldap-server host command. Use the no form of the command to revert to the default of five seconds.

ldap-server timeout seconds

no ldap-server timeout seconds

Syntax Description

seconds

The timeout value in seconds. Enter an integer from 1 to 60. The default is 5 seconds.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

To override the global timeout setting (specified by the ldap-server timeout command) for a specific server, use the ldap-server host timeout command.

Examples

To globally configure the timeout value to 30 seconds, enter:

host1/Admin(config)# ldap-server timeout 30 

To revert to the default of five seconds, enter:

host1/Admin(config)# no ldap-server timeout 30

Related Commands

show aaa

(config) aaa group server

(config) ldap-server host

(config) ldap-server port
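The three ldap-server sections above describe the global defaults and the per-server overrides separately. The following configuration fragment, added here as an editor's example and not taken from the Cisco documentation, puts them together and then makes the servers the login method. The aaa group server and aaa authentication login commands are listed in this reference but not defined on this page, so their exact syntax is an assumption, as are the addresses, ports, distinguished names and the bind password placeholder. Lines starting with "!" are annotations.

```text
! Global defaults: any server without its own port or timeout uses
! TCP port 389 and waits 10 seconds for a reply.
ldap-server port 389
ldap-server timeout 10
! Per-server overrides take precedence over the global values.
! 192.168.2.3 listens on a non-standard port and is slow to answer;
! it also requires an authenticated (rootDN) bind before searches.
ldap-server host 192.168.2.3 port 2003
ldap-server host 192.168.2.3 timeout 30
ldap-server host 192.168.2.3 rootDN "cn=ace-bind,ou=service,dc=example,dc=com" password bindpw-placeholder
! 192.168.2.4 inherits the global port (389) and timeout (10 seconds).
ldap-server host 192.168.2.4
! Group the servers; after a timeout the ACE moves to the next server
! in the group in the order listed here.
aaa group server ldap LDAP_SRV
  server 192.168.2.3
  server 192.168.2.4
! Use the group for logins, falling back to the local user database
! only if no server in the group answers.
aaa authentication login default group LDAP_SRV local
```

Two practitioner cautions follow from the syntax above. First, the rootDN is described on this page as a user unrestricted by the directory's access controls; where your directory permits it, bind with a dedicated service account that can only read the user entries the ACE needs, and note that the bind password appears in the configuration exactly as entered, so limit who can view the running-config through the role-based access controls this guide references. Second, the ldap-server host syntax documented here carries no transport-security option, so the bind password and user credentials travel in the clear between the ACE and the directory; keep that path on an isolated management network. Verify the result with show aaa, which is listed as a related command.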

(config) line console

To configure the console interface settings, use the line console configuration mode command. When you execute this command, the prompt changes to (config-console) and you enter console configuration mode. Use the no form of this command to reset the console configuration mode parameters to their default settings.

line console

no line console

Syntax Description

There are no keywords or arguments for this command.

Command Modes

Configuration mode

Admin context only

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The console port is an asynchronous serial port on the Catalyst 6500 series that enables the ACE to be set up for initial configuration through a standard RS-232 port with an RJ-45 connector. Any device connected to this port must be capable of asynchronous transmission. Connection to a terminal requires a terminal emulator to be configured as 9600 baud, 8 data bits, 1 stop bit, no parity.

For information about commands in console configuration mode, see the "Console Configuration Mode Commands" section.

Examples

To enter console configuration mode, enter:

host1/Admin(config)# line console
host1/Admin(config-console)# 

Related Commands

clear line

show line

(config) line vty

To configure the virtual terminal line settings, use the line vty configuration mode command. When you execute this command, the prompt changes to (config-line) and you enter line configuration mode. Use the no form of this command to reset the line configuration mode parameter to its default setting.

line vty

no line vty

Syntax Description

There are no keywords or arguments for this command.

Command Modes

Configuration mode

Admin context only

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

For information about commands in line configuration mode, see the "Line Configuration Mode Commands" section.

Examples

To enter the line configuration mode, enter:

host1/Admin(config)# line vty
host1/Admin(config-line)# 

Related Commands

clear line

show line

(config) login timeout

To modify the length of time that a user can be idle before the ACE terminates the console, Telnet, or SSH session, use the login timeout command. By default, the inactivity timeout value is 5 minutes. Use the no form of this command to restore the default timeout value of 5 minutes.

login timeout minutes

no login timeout

Syntax Description

minutes

The length of time in minutes. Enter a value from 0 to 60 minutes. A value of 0 disables the idle timeout, so an idle console, Telnet, or SSH session is never terminated by the ACE. The default is 5 minutes.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Examples

To specify a timeout period of 10 minutes, enter:

host1/Admin(config)# login timeout 10

To restore the default timeout value of 5 minutes, enter:

host1/Admin(config)# no login timeout

Related Commands

telnet

(config-cmap-mgmt) match protocol

(config) logging buffered

To enable system logging to a local buffer and to limit the messages sent to the buffer based on severity, use the logging buffered command. By default, logging to the local buffer on the ACE is disabled. New messages append to the end of the buffer. The first message displayed is the oldest message in the buffer. When the log buffer fills, the ACE deletes the oldest message to make space for new messages. Use the no form of this command to disable message logging.

logging buffered severity_level

no logging buffered

Syntax Description

severity_level

The maximum level for system log messages sent to the buffer. The ACE sends syslog messages at the severity level that you specify and at all more severe levels (those with a lower number).

Allowable entries include:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Examples

To set the logging buffer level to 3 for logging error messages, enter:

host1/Admin(config)# logging buffered 3

To disable message logging, enter:

host1/Admin(config)# no logging buffered

Related Commands

(config) logging enable

(config) logging console

To enable the logging of syslog messages during console sessions and to limit the display of messages based on severity, use the logging console command. By default, the ACE does not display syslog messages during console sessions. Use the no form of this command to disable logging to the console.

logging console severity_level

no logging console

Syntax Description

severity_level

The maximum level for system log messages sent to the console. The ACE displays syslog messages at the severity level that you specify and at all more severe levels (those with a lower number).

Allowable entries include:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Logging to the console can degrade system performance. Use the logging console command only when you are testing and debugging problems, or when there is minimal load on the network, and choose the most restrictive severity level (the lowest number) that still shows the messages you need, because logging to the console at a high rate reduces ACE performance.

Examples

To enable system logging to the console for messages with severity levels of 2, 1, and 0, enter:

host1/Admin(config)# logging console 2

Related Commands

(config) logging enable

(config) logging device-id

To specify that the device ID of the ACE is included in the syslog message, use the logging device-id command. If enabled, the ACE displays the device ID in all non-EMBLEM-formatted syslog messages. The device ID specification does not affect the syslog message text that is in EMBLEM format. Use the no form of the command to disable device ID logging for the ACE in the syslog message.

logging device-id {context-name | hostname | ipaddress interface_name | string text}

no logging device-id

Syntax Description

context-name

Specifies the name of the current context as the device ID to uniquely identify the syslog messages sent from the ACE

hostname

Specifies the host name of the ACE as the device ID to uniquely identify the syslog messages sent from the ACE

ipaddress interface_name

Specifies the IP address of the interface as the device ID to uniquely identify the syslog messages sent from the ACE. If you use the ipaddress keyword, syslog messages sent to an external server contain the IP address of the interface specified, regardless of which interface the ACE uses to send the log data to the external server. The maximum interface_name length is 64 characters.

string text

Specifies a text string to uniquely identify the syslog messages sent from the ACE. The maximum string length is 64 characters without spaces. You cannot use the following characters: & (ampersand), ' (single quote), " (double quote), < (less than), > (greater than), or ? (question mark).


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The device ID part of the syslog message is viewed through the syslog server only and not directly on the ACE. The device ID does not appear in EMBLEM-formatted messages, SNMP traps, or on the ACE console, management session, or buffer.

Examples

To instruct the ACE to use the host name of the ACE to uniquely identify the syslog messages, enter:

host1/Admin(config)# logging device-id hostname

To disable the use of the host name of the ACE, enter:

host1/Admin(config)# no logging device-id

Related Commands

(config) logging enable

(config) logging enable

To enable message logging, use the logging enable command. Message logging is disabled by default. You must enable logging if you wish to send messages to one or more output locations. Use the no form of this command to stop message logging to all output locations.

logging enable

no logging enable

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Message logging is disabled by default. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. You must set a logging output location to view any logs.

Examples

To enable message logging to all output locations, enter:

host1/Admin(config)# logging enable

To stop message logging to all output locations, enter:

host1/Admin(config)# no logging enable

Related Commands

This command has no related commands.

(config) logging facility

To change the logging facility to a value other than the default of 20 (LOCAL4), use the logging facility command. Most UNIX systems expect the messages to use facility 20. The ACE allows you to change the syslog facility type to identify the behavior of the syslog daemon (syslogd) on the host. Use the no form of this command to set the syslog facility to its default of 20.

logging facility number

no logging facility number

Syntax Description

number

The syslog facility. Enter an integer from 16 (LOCAL0) to 23 (LOCAL7). The default is 20 (LOCAL4).


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The syslog daemon uses the specified syslog facility to determine how to process messages. Each logging facility configures how the syslog daemon on the host handles a message. Syslog servers file messages based on the facility number in the message. For more information on the syslog daemon and facility levels, see your syslog daemon documentation.

Examples

To set the syslog facility as 16 (LOCAL0) in syslog messages, enter:

host1/Admin(config)# logging facility 16

To change the syslog facility back to the default of LOCAL4, enter:

host1/Admin(config)# no logging facility 16

Related Commands

(config) logging enable

(config) logging fastpath

To enable the logging of connection setup and teardown messages, use the logging fastpath command. By default, the ACE does not log connection setup and teardown syslog messages. Use the no form of this command to disable the logging of connection setup and teardown syslog messages.

logging fastpath

no logging fastpath

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Examples

To configure the ACE to log connection setup and teardown syslog messages, enter:

host1/Admin(config)# logging fastpath

To disable the ACE from logging connection setup and teardown syslog messages, enter:

host1/Admin(config)# no logging fastpath

Related Commands

(config) logging enable

(config) logging history

To set the SNMP message severity level when sending log messages to an NMS, use the logging history command. Use the no form of this command to disable logging of informational system messages to an NMS.

logging history severity_level

no logging history

Syntax Description

severity_level

The maximum severity level of system log messages sent as traps to the NMS. The severity level that you specify indicates that you want to log messages at that level and below.

Allowable entries include:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

To enable or disable all SNMP syslog message logging, use the logging history command without the severity_level argument.

We recommend that you use the debugging (7) level during initial setup and during testing. After setup, set the level from debugging (7) to a lower value for use in your network.

Examples

To send informational system message logs to an SNMP NMS, enter:

host1/Admin(config)# logging history 6

To disable logging to an SNMP NMS, enter:

host1/Admin(config)# no logging history

Related Commands

(config) logging enable

(config) logging host

To specify a host (the syslog server) that receives the syslog messages sent by the ACE, use the logging host command. You can use multiple logging host commands to specify additional servers to receive the syslog messages. Use the no form of this command to disable logging to a syslog server. By default, logging to a syslog server on a host is disabled on the ACE.

logging host ip_address [tcp | udp [/port#] | [default-udp] | [format emblem]]

no logging host ip_address

Syntax Description

ip_address

The IP address of the host to be used as the syslog server.

tcp

(Optional) Specifies to use TCP to send messages to the syslog server. A server can only be specified to receive either UDP or TCP, not both.

udp

(Optional) Specifies to use UDP to send messages to the syslog server. A server can be specified to receive either UDP or TCP, not both.

/port#

(Optional) The port that the syslog server listens to for syslog messages. Enter an integer from 1025 to 65535. The default protocol and port are UDP/514. The default TCP port, if specified, is 1470.

default-udp

(Optional) Instructs the ACE to default to UDP if the TCP transport fails to communicate with the syslog server.

format emblem

(Optional) Enables EMBLEM-format logging for each syslog server. The Cisco Resource Management Environment (RME) is a network management application that collects syslogs. RME can process syslog messages only if they are in EMBLEM format.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

If you choose to send log messages to a host, the ACE sends those messages using either UDP or TCP. The host must run a program (known as a server) called syslogd, a daemon that accepts messages from other applications and the network and writes them out to system-wide log files. UNIX provides the syslog server as part of its operating system. For Microsoft Windows, you must obtain a syslog server for the Windows operating system.

If you use TCP as the logging transport protocol, the ACE denies new network access sessions as a security measure if the ACE is unable to reach the syslog server, if the syslog server is misconfigured, if the TCP queue is full, or if the disk is full.

The format emblem keywords allow you to enable EMBLEM-format logging for each syslog server. EMBLEM-format logging is available for either TCP or UDP syslog messages. If you enable EMBLEM-format logging for a particular syslog host, the messages are sent to that host in EMBLEM format. If you also enable the logging timestamp command, the messages are sent to the syslog server with a time stamp.

For example, the EMBLEM format for a message with timestamp appears as follows:

ipaddress or dns name [Dummy Value/Counter]: [mmm dd hh:mm:ss TimeZone]: 
%FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: [vtl-ctx: context id] Message-text 
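The EMBLEM layout above can be parsed mechanically on the receiving syslog server. The following Python is an added example, not code from the Cisco reference: it splits constructed EMBLEM-formatted lines into their fields, applies the "level and below" threshold that the logging trap and logging history commands describe (a threshold of N keeps messages whose severity is numerically less than or equal to N), and computes the RFC 3164 PRI value (facility * 8 + severity) that a receiver sees for the facility range the logging facility command allows. The sample lines, counter values, timestamps and message texts are constructed; the facility name ACE and the message ID 615004 are taken from this page, and the treatment of the vtl-ctx block as optional is an assumption.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Regex for the EMBLEM layout described for the logging host command:
#   ipaddress-or-dns-name [counter]: [mmm dd hh:mm:ss TimeZone]:
#   %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: [vtl-ctx: context id] Message-text
# The timestamp appears only when logging timestamp is enabled; the vtl-ctx
# block is assumed optional as well, so both groups are optional here.
EMBLEM_RE = re.compile(
    r"^(?P<device>\S+) \[(?P<counter>\d+)\]: "
    r"(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \S+): )?"
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?:(?P<subfacility>[A-Z][A-Z0-9_]*)-)?"
    r"(?P<severity>[0-7])-(?P<mnemonic>\w+): "
    r"(?:\[vtl-ctx: (?P<ctx>\d+)\] )?"
    r"(?P<text>.*)$"
)


class EmblemMessage(NamedTuple):
    device: str
    counter: int
    timestamp: Optional[str]
    facility: str
    subfacility: Optional[str]
    severity: int
    mnemonic: str
    context_id: Optional[int]
    text: str


def parse_emblem(line: str) -> Optional[EmblemMessage]:
    """Parse one EMBLEM-formatted line; return None when it does not match the layout."""
    m = EMBLEM_RE.match(line.strip())
    if not m:
        return None
    return EmblemMessage(
        device=m["device"],
        counter=int(m["counter"]),
        timestamp=m["ts"],
        facility=m["facility"],
        subfacility=m["subfacility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        context_id=int(m["ctx"]) if m["ctx"] else None,
        text=m["text"],
    )


def passes_threshold(msg: EmblemMessage, max_level: int) -> bool:
    """'logging trap N' semantics: keep messages at level N and below (0 is most severe)."""
    return msg.severity <= max_level


def syslog_pri(facility_number: int, severity: int) -> int:
    """RFC 3164 PRI value a syslog receiver decodes: facility * 8 + severity.
    The ACE accepts facilities 16 (LOCAL0) to 23 (LOCAL7); the default is 20 (LOCAL4)."""
    if not 16 <= facility_number <= 23:
        raise ValueError("ACE facility must be 16 (LOCAL0) to 23 (LOCAL7)")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0 to 7")
    return facility_number * 8 + severity


# Constructed sample lines in the documented layout (not captured from a real ACE).
SAMPLE_LINES = [
    "192.168.10.1 [17]: Jan 05 12:00:01 UTC: %ACE-6-615004: [vtl-ctx: 1] VLAN available for configuring an interface",
    "192.168.10.1 [18]: Jan 05 12:00:02 UTC: %ACE-4-411001: [vtl-ctx: 1] Constructed warning text",
    "ace-lab.example.net [19]: %ACE-3-CONSTRUCTED: Constructed error text without timestamp or context",
    "not an emblem line",
]


def forwarded(lines: List[str], max_level: int) -> List[Tuple[str, int, str]]:
    """Return (device, severity, mnemonic) for every parseable line that passes the threshold."""
    out = []
    for line in lines:
        msg = parse_emblem(line)
        if msg is not None and passes_threshold(msg, max_level):
            out.append((msg.device, msg.severity, msg.mnemonic))
    return out


if __name__ == "__main__":
    # Equivalent of 'logging trap 4': only warnings and more severe messages survive.
    for entry in forwarded(SAMPLE_LINES, 4):
        print(entry)
    print("PRI for default facility 20, severity 6:", syslog_pri(20, 6))
```

Lines that do not match the layout return None rather than raising, so a collector can count unparsed input separately instead of silently dropping it.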

Examples

To send log messages to a syslog server, enter:

host1/Admin(config)# logging host 192.168.10.1 tcp/1025 format emblem default-udp

To disable logging to a syslog server, enter:

host1/Admin(config)# no logging host 192.168.10.1

Related Commands

(config) logging enable

(config) logging timestamp

(config) logging message

To control the display of a specific system logging message or to change the severity level associated with the specified system logging message, use the logging message command. Use the no form of this command to disable logging of the specified syslog message.

logging message syslog_id [level severity_level]

no logging message syslog_id

Syntax Description

syslog_id

The ID of the specific message that you want to disable or enable.

level severity_level

(Optional) Changes the severity level associated with a specific system log message. For example, the %<ACE>-4-411001 message listed in the syslog has the default assigned severity level of 4 (warning message). You can change the assigned default severity level to a different level.

Allowable entries include:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

You can use the show logging command to determine the level currently assigned to a message and whether the message is enabled.

For information on syslog messages and their IDs, see the Cisco Application Control Engine Module System Message Guide.

Examples

To disable the %<ACE>-6-615004 syslog message (VLAN available for configuring an interface), enter:

host1/Admin(config)# no logging message 615004 

To resume logging of the disabled syslog message, enter:

host1/Admin(config)# logging message 615004 level 6

To change the severity level of the 615004 syslog message from the default of 6 (informational) to a severity level of 5 (notification), enter:

host1/Admin(config)# logging message 615004 level 5

To return the severity level of the 615004 syslog message to the default of 6, enter:

host1/Admin(config)# no logging message 615004

Related Commands

(config) logging enable

(config) logging monitor

To display syslog messages as they occur when accessing the ACE through an SSH or a Telnet session, use the logging monitor command. You can limit the display of messages based on severity. By default, logging to a remote connection using the Secure Shell (SSH) or Telnet is disabled on the ACE. Use the no form of this command to disable system message logging to the current Telnet or SSH session.

logging monitor severity_level

no logging monitor

Syntax Description

severity_level

The maximum level for system log messages displayed during the current SSH or Telnet session. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries include:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Before using this command, enable remote access on the ACE and establish a remote connection using the Secure Shell (SSH) or Telnet protocols from a PC.

To display logs during the SSH or Telnet session, use the terminal monitor Exec mode command. The logging monitor command sets the logging preferences for all SSH and Telnet sessions in the current context, while the terminal monitor command controls, for each individual session, whether syslog messages appear on the terminal during that session.

Examples

To send informational system message logs to the current Telnet or SSH session, enter:

host1/Admin# terminal monitor
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# logging monitor 6

To disable system message logging to the current Telnet or SSH session, enter:

host1/Admin(config)# no logging monitor

Related Commands

(config) logging enable

(config) logging persistent

To send specific log messages to compact flash on the ACE, use the logging persistent command. By default, logging to compact flash is disabled on the ACE. The ACE allows you to specify the system message logs that you want to keep after a system reboot by saving them to compact flash. Use the no form of this command to disable logging to compact flash.

logging persistent severity_level

no logging persistent

Syntax Description

severity_level

The maximum level for system log messages sent to compact flash. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries include:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

We recommend that you use a lower severity level, such as 3, since logging at a high rate to Flash memory on the ACE may impact performance.

Examples

To send informational system message logs to Flash memory on the ACE, enter:

host1/Admin(config)# logging persistent 6

To disable logging to Flash memory on the ACE, enter:

host1/Admin(config)# no logging persistent

Related Commands

(config) logging enable

(config) logging queue

To change the number of syslog messages that can appear in the message queue, use the logging queue command. By default, the ACE can hold 100 syslog messages in the message queue while awaiting processing. Use the no form of this command to reset the logging queue size to the default of 100 messages.

logging queue queue_size

no logging queue queue_size

Syntax Description

queue_size

The size of the queue for storing syslog messages. Enter an integer from 1 to 8192. The default is 100 messages.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Set the queue size before the ACE processes syslog messages. When traffic is heavy, messages may be discarded.

Examples

To set the size of the syslog message queue to 1000, enter:

host1/Admin(config)# logging queue 1000

To reset the logging queue size to the default of 100 messages, enter:

host1/Admin(config)# no logging queue 0

Related Commands

(config) logging enable

(config) logging rate-limit

To limit the rate at which the ACE generates messages in the syslog, use the logging rate-limit command. You can limit the number of syslog messages generated by the ACE for specific messages. Use the no form of this command to disable rate-limiting for message logging in the syslog.

logging rate-limit {num {interval | level severity_level | message syslog_id} | unlimited {level severity_level | message syslog_id}}

no logging rate-limit {num {interval | level severity_level | message syslog_id} | unlimited {level severity_level | message syslog_id}}

Syntax Description

num

Number of messages at which the ACE begins to rate limit the syslog within the specified interval.

interval

Time interval in seconds over which the system message logs should be limited. The default time interval is one second.

level severity_level

Specifies the syslog level that you want to rate limit. Allowable entries are as follows:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)

message syslog_id

Specifies the ID of the specific message whose reporting you want to suppress.

unlimited

Disables rate limiting for messages in the syslog.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The severity level you enter indicates that you want all syslog messages at the specified level to be rate-limited. For example, if you specify a severity level of 7, the ACE applies a rate limit only to level 7 (debugging messages). If you want to apply a logging rate limit on a different severity level, you must configure the logging rate-limit level command for that level as well.

If you configure rate limiting for syslogs 302028 through 302031 (connection setup and teardown syslogs that are formatted in the data plane), the ACE always rate-limits these syslogs at level 6. Even if you change the logging level to a different value using the logging message command and the new logging level appears on the syslog server or other destination, the ACE will continue to rate-limit these syslogs at level 6.
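The two guidelines above (a limit applies only to the level it names, and syslogs 302028 through 302031 are always rate limited as level 6 regardless of a reassigned level) can be modelled as a sliding-window limiter. The following Python is an added example, not Cisco code and not a description of the ACE implementation: it models logging rate-limit num interval with the level, message and unlimited forms. The precedence message > level > plain num interval, and the treatment of a plain num interval as applying to all messages, are assumptions of this model; the message IDs 302028 to 302031 and 615004 come from this page, and the event timings are constructed.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

# Connection setup/teardown syslogs named on the page; the ACE always
# rate-limits these at level 6, whatever level 'logging message' assigned them.
FASTPATH_IDS = frozenset(range(302028, 302032))

LimitKey = Tuple[str, int]


class SyslogRateLimiter:
    """Sliding-window model of 'logging rate-limit'.

    Each configured limit allows at most `num` messages per `interval` seconds.
    Limits are keyed as ('message', syslog_id), ('level', n) or ('all', 0) for a
    plain 'logging rate-limit num interval'.  The precedence message > level > all
    is an assumption of this model, not documented ACE behaviour.
    """

    def __init__(self) -> None:
        self.limits: Dict[LimitKey, Tuple[int, int]] = {}
        self.windows: Dict[LimitKey, Deque[float]] = {}
        self.suppressed = 0  # messages dropped because a limit was reached

    @staticmethod
    def _key(level: Optional[int], message: Optional[int]) -> LimitKey:
        if message is not None:
            return ("message", message)
        if level is not None:
            return ("level", level)
        return ("all", 0)

    def set_limit(self, num: int, interval: int = 1, level: Optional[int] = None,
                  message: Optional[int] = None) -> None:
        """logging rate-limit num {interval | level N | message ID}; default interval is 1 s."""
        if num < 1 or interval < 1:
            raise ValueError("num and interval must be positive")
        key = self._key(level, message)
        self.limits[key] = (num, interval)
        self.windows[key] = deque()

    def set_unlimited(self, level: Optional[int] = None,
                      message: Optional[int] = None) -> None:
        """logging rate-limit unlimited {level N | message ID}"""
        key = self._key(level, message)
        self.limits.pop(key, None)
        self.windows.pop(key, None)

    def _applicable(self, syslog_id: int, level: int) -> Optional[LimitKey]:
        # Fastpath syslogs are always treated as level 6 for rate limiting,
        # even when 'logging message' has changed the level shown on the server.
        effective_level = 6 if syslog_id in FASTPATH_IDS else level
        for key in (("message", syslog_id), ("level", effective_level), ("all", 0)):
            if key in self.limits:
                return key
        return None

    def allow(self, syslog_id: int, level: int, now: float) -> bool:
        """Return True if a message with this ID and (displayed) level may be generated at `now` seconds."""
        key = self._applicable(syslog_id, level)
        if key is None:
            return True
        num, interval = self.limits[key]
        window = self.windows[key]
        while window and now - window[0] >= interval:
            window.popleft()  # drop timestamps that have left the interval
        if len(window) >= num:
            self.suppressed += 1
            return False
        window.append(now)
        return True


def demo() -> List[bool]:
    """'logging rate-limit 2 10 level 6' applied to a constructed burst of message 615004."""
    rl = SyslogRateLimiter()
    rl.set_limit(2, 10, level=6)
    events = [(615004, 6, 0.0), (615004, 6, 1.0), (615004, 6, 2.0), (615004, 6, 11.0)]
    return [rl.allow(sid, lvl, t) for sid, lvl, t in events]


if __name__ == "__main__":
    print(demo())  # the third message in the burst is suppressed, the fourth is allowed
```

In this model, the moment allow() starts returning False is the condition that logging reject-newconn rate-limit-reached acts on; tracking suppressed alongside the forwarded count tells a collector how much of the picture it is missing.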

For information on syslog messages and their IDs, see the Cisco Application Control Engine Module System Message Guide.

Examples

To limit the syslog rate for a 60 second time interval, enter:

host1/Admin(config)# logging rate-limit 42 60

To disable rate limiting, enter:

host1/Admin(config)# no logging rate-limit 42 60

Related Commands

(config) logging enable

(config) logging reject-newconn

To specify whether the ACE prohibits new connections from passing through the device when a specified condition has been met, use the logging reject-newconn command. Use the no form of this command to prevent the ACE from rejecting new connections.

logging reject-newconn {cp-buffer-full | rate-limit-reached | tcp-queue-full}

no logging reject-newconn {cp-buffer-full | rate-limit-reached | tcp-queue-full}

Syntax Description

cp-buffer-full

Specifies that the ACE reject new connections when the syslog daemon internal buffer is full. Disabled by default.

rate-limit-reached

Specifies that the ACE reject new connections if the syslog message rate specified through the logging rate-limit command has been reached. See the (config) logging rate-limit command. Disabled by default.

tcp-queue-full

Specifies that the ACE reject new connections when syslogs can no longer reach the TCP syslog server. Enabled by default.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Examples

To configure the ACE to reject new connections if the specified syslog message rate has been reached, enter:

host1/Admin(config)# logging reject-newconn rate-limit-reached

To disable the ACE from rejecting new connections, enter:

host1/Admin(config)# no logging reject-newconn rate-limit-reached

Related Commands

(config) logging enable

(config) logging rate-limit

(config) logging standby

To enable logging on the failover standby ACE, use the logging standby command. When enabled, the standby ACE syslog messages remain synchronized should failover occur. When enabled, this command causes twice the message traffic on the syslog server. Use the no form of this command to disable logging on the standby ACE.

logging standby

no logging standby

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

This command is disabled by default.

Examples

To enable logging on the failover standby ACE:

host1/Admin(config)# logging standby

To disable logging on the standby ACE, enter:

host1/Admin(config)# no logging standby

Related Commands

(config) logging enable

(config) logging supervisor

To set the severity level at which syslog messages are sent to the supervisor module, use the logging supervisor command. The ACE can forward syslog messages to the supervisor module on the Catalyst chassis. Use the no form of the command to disable system message logging to the supervisor module.

logging supervisor severity_level

no logging supervisor

Syntax Description

severity_level

The maximum level for system log messages. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries include:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Examples

To send informational system message logs to the Supervisor module in the Catalyst 6500 series, enter:

host1/Admin(config)# logging supervisor 6

To disable system message logging to the supervisor module, enter:

host1/Admin(config)# no logging supervisor 3

Related Commands

(config) logging enable

(config) logging timestamp

To specify that syslog messages should include the date and time that the message was generated, use the logging timestamp command. By default, the ACE does not include the date and time in syslog messages. Use the no form of this command to specify that the ACE not include the date and time when logging syslog messages.

logging timestamp

no logging timestamp

Syntax Description

This command has no keywords or arguments.

Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

This command is disabled by default.

Examples

To enable the timestamp display on system logging messages, enter:

host1/Admin(config)# logging timestamp

To disable the timestamp display from syslog messages, enter:

host1/Admin(config)# no logging timestamp

Related Commands

(config) logging enable

(config) logging trap

To identify which messages are sent to a syslog server, use the logging trap command. This command limits the logging messages sent to a syslog server based on severity. Use the no form of the command to return the trap level to the default (informational messages).

logging trap severity_level

no logging trap

Syntax Description

severity_level

The maximum level for system log messages. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries include:

0—emergencies (system unusable messages)

1—alerts (take immediate action)

2—critical (critical condition)

3—errors (error message)

4—warnings (warning message)

5—notifications (normal but significant condition)

6—informational (information message)

7—debugging (debug messages)


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

To send logging messages to a syslog server, use the logging host command to specify the name or IP address of the host to be used as the syslog server.

Examples

To send informational system message logs to the syslog server, enter:

host1/Admin(config)# logging trap 6

To disable sending message logs to the syslog server, enter:

host1/Admin(config)# no logging trap 6

Related Commands

(config) logging enable

(config) logging host

(config) parameter-map type

To create a connection, HTTP, or SSL type parameter map, use the parameter-map type command. Use the no form of this command to remove a parameter map from the ACE.

parameter-map type {connection | http | ssl} name

no parameter-map type {connection | http | ssl} name

Syntax Description

connection

Specifies a connection type parameter map. After you create the connection type parameter map, you configure TCP, IP, and other settings for the map in the parameter map connection configuration mode. For information about the commands in parameter map connection configuration mode, see the "Parameter Map Connection Configuration Mode Commands" section.

http

Specifies an HTTP type parameter map. After you create the HTTP type parameter map, you configure HTTP settings for the map in the parameter map HTTP configuration mode. For information about the commands in parameter map HTTP configuration mode, see the "Parameter Map HTTP Configuration Mode Commands" section.

ssl

Specifies an SSL type parameter map. After you create the SSL type parameter map, you configure SSL settings for the map in the parameter map SSL configuration mode. For information about the commands in parameter map SSL configuration mode, see the "Parameter Map SSL Configuration Mode Commands" section.

name

The name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The parameter-map type command allows you to configure a series of Layer 3 and Layer 4 statements that instruct the ACE how to handle TCP termination, normalization, and reuse, SSL termination, and advanced HTTP behavior for SLB connections. After you execute this command, the system enters the corresponding parameter map configuration mode.

To access one of the three parameter-map configuration modes (connection, http, or ssl), enter the parameter-map type connection, parameter-map type http, or parameter-map type ssl command in configuration mode. The CLI prompt changes to the corresponding mode: (config-parammap-conn), (config-parammap-http), or (config-parammap-ssl).

After you configure the parameter map, you associate it with a specific action statement in a policy map.

Examples

To create a connection type parameter map called TCP_MAP, enter:

host1/Admin(config)# parameter-map type connection TCP_MAP
host1/Admin(config-parammap-conn)#

To create an HTTP type parameter map called HTTP_MAP, enter:

host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)#

To create an SSL type parameter map called SSL_MAP, enter:

host1/Admin(config)# parameter-map type ssl SSL_MAP
host1/Admin(config-parammap-ssl)#

Related Commands

show running-config

(config) policy-map

(config) policy-map

Use the policy-map command to create a Layer 3 and Layer 4 or Layer 7 policy map. You access one of the policy map configuration modes by entering the policy-map command. Use the no form of the policy-map command to remove a policy map from the ACE.

policy-map {multi-match | type {inspect ftp first-match | inspect http all-match | loadbalance first-match | management first-match}} map_name

no policy-map {multi-match | type {inspect ftp first-match | inspect http all-match | loadbalance first-match | management first-match}} map_name

Syntax Description

multi-match

Configures a Layer 3 and Layer 4 policy map that defines the different actions applied to traffic passing through the ACE. The ACE attempts to match multiple classes within the Layer 3 and Layer 4 policy-map to allow a multi-feature Layer 3 and Layer 4 policy map. The ACE executes the action for only one matching class within each of the class sets. The definition of which classes are in the same class set depends on the actions applied to the classes; the ACE associates each policy map action with a specific set of classes.

For information about the commands in policy map configuration mode, see the "Policy Map Configuration Mode Commands" section.

type

Specifies the type of policy map to be defined. When you specify a policy map type, you enter its corresponding policy map configuration mode (for example, load balancing).

inspect ftp first-match

Specifies a Layer 7 policy map that defines the inspection of FTP commands by the ACE. The ACE executes the action for the first matching classification. For a list of classes in a policy-map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map FTP inspection configuration mode, see the "Policy Map FTP Inspection Configuration Mode Commands" section.

inspect http all-match

Specifies a Layer 7 policy map that defines the deep packet inspection of the HTTP protocol by the ACE. The ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request. For information about the commands in policy map inspection HTTP configuration mode, see the "Policy Map Inspection HTTP Configuration Mode Commands" section.

loadbalance first-match

Specifies a Layer 7 policy map that defines Layer 7 HTTP server load-balancing decisions. The ACE executes the action for the first matching classification. For a list of classes in a policy-map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map load balance configuration mode, see the "Policy Map Load Balancing Configuration Mode Commands" section.

management first-match

Specifies a Layer 3 and Layer 4 policy map that defines the IP management protocols that can be received by the ACE. The ACE executes the specified action only for traffic that meets the first matching classification with a policy map. For information about the commands in policy map management configuration mode, see the "Policy Map Management Configuration Mode Commands" section.

map_name

The name assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the inspect, loadbalance, NAT, connection, or SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Use the policy map configuration mode commands to configure a series of Layer 3 and Layer 4 or Layer 7 policies. Each policy map defines a series of actions (functions) that you want applied to a set of classified inbound traffic. The CLI prompt changes correspondingly to the selected policy map configuration mode: config-pmap, config-pmap-c, config-pmap-insp-http, config-pmap-insp-http-c, config-pmap-insp-http-m, config-pmap-lb, config-pmap-lb-c, config-pmap-lb-m, config-pmap-mgmt, and config-pmap-mgmt-c.

For a Layer 3 and Layer 4 traffic classification, you create Layer 3 and Layer 4 policy maps with actions that configure:

Network management traffic received by the ACE (HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet)

Server load balancing based on Layer 3 and Layer 4 connection information (virtual IP address)

Secure Socket Layer (SSL) security services between a Web browser (the client) and the HTTP connection (the server)

Static or dynamic Network Address Translation (NAT)

Application protocol inspection (also known as protocol fixup)

TCP termination, normalization, and re-use

IP normalization and fragment reassembly

For a Layer 7 traffic classification, you create policy maps with actions that configure:

Server load balancing based on Layer 7 HTTP-related information (such as HTTP headers, cookies, and URLs), or client IP address

Deep packet inspection of the HTTP protocol

FTP command inspection

The ACE supports a system-wide maximum of 4096 policy maps.

For details about creating a policy map, see the Cisco Application Control Engine Module Administration Guide.
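The three matching strategies named in the syntax description (first-match, all-match, and the multi-match class sets of a Layer 3 and Layer 4 policy map) decide which class actions the ACE executes for a given packet. The following Python model is an added illustration, not ACE code or Cisco's implementation: it evaluates a constructed list of classes against a constructed classification under each strategy and returns the actions that would run. The class names, actions, the `feature` grouping used to form class sets, and the sample packet are all assumptions made for the demonstration.

```python
"""Added model (not ACE code) of first-match, all-match and multi-match
policy-map evaluation.  Class names, actions, the feature grouping and the
sample packet below are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Packet = Dict[str, str]


@dataclass
class PolicyClass:
    name: str
    match: Callable[[Packet], bool]
    feature: str   # action family that defines the class set: inspect, loadbalance, nat, ...
    action: str    # action executed when the class matches


def first_match(classes: List[PolicyClass], pkt: Packet) -> List[str]:
    """first-match (loadbalance, inspect ftp, management): only the actions of
    the first class that matches the packet are executed."""
    for c in classes:
        if c.match(pkt):
            return [f"{c.name}:{c.action}"]
    return []


def all_match(classes: List[PolicyClass], pkt: Packet) -> List[str]:
    """all-match (inspect http): the actions of every matching class are
    executed in order until a matching class carries a deny."""
    executed: List[str] = []
    for c in classes:
        if c.match(pkt):
            executed.append(f"{c.name}:{c.action}")
            if c.action == "deny":
                break
    return executed


def multi_match(classes: List[PolicyClass], pkt: Packet) -> List[str]:
    """multi-match (Layer 3 and Layer 4): classes whose actions belong to the
    same feature form one class set; within each set only the first matching
    class is executed, so one packet can be load balanced and NATted by the
    same policy map."""
    executed: List[str] = []
    features_done = set()
    for c in classes:
        if c.feature in features_done or not c.match(pkt):
            continue
        features_done.add(c.feature)
        executed.append(f"{c.name}:{c.action}")
    return executed


# Constructed classification: an HTTP GET for /admin/login arriving on port 80.
SAMPLE_PACKET: Packet = {"dst_port": "80", "url": "/admin/login", "method": "GET"}

# Constructed Layer 7 HTTP inspection classes (evaluated with all-match).
HTTP_INSPECT_CLASSES = [
    PolicyClass("GET_ONLY", lambda p: p["method"] == "GET", "inspect", "permit"),
    PolicyClass("BLOCK_ADMIN", lambda p: p["url"].startswith("/admin"), "inspect", "deny"),
    PolicyClass("LOG_ALL", lambda p: True, "inspect", "log"),
]

# Constructed Layer 3 and Layer 4 classes forming two class sets (loadbalance, nat).
L4_CLASSES = [
    PolicyClass("VIP_HTTP", lambda p: p["dst_port"] == "80", "loadbalance", "serverfarm SF_WEB"),
    PolicyClass("VIP_ANY", lambda p: True, "loadbalance", "serverfarm SF_DEFAULT"),
    PolicyClass("NAT_OUT", lambda p: True, "nat", "nat dynamic 1"),
]
```

Running `all_match(HTTP_INSPECT_CLASSES, SAMPLE_PACKET)` executes the permit and then stops at the deny, so `LOG_ALL` never runs; `first_match` on the same classes returns only the permit; `multi_match(L4_CLASSES, SAMPLE_PACKET)` returns one load-balancing action and one NAT action, which is the multi-feature behaviour the text describes.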

Examples

To create a Layer 3 and Layer 4 server load balancing policy map named L4_SLB_POLICY, enter:

host1/Admin(config)# policy-map multi-match L4_SLB_POLICY
host1/Admin(config-pmap)# 

To create a Layer 3 and Layer 4 management protocol policy map named L4_MGMT-ACCESS_POLICY, enter:

host1/Admin(config)# policy-map type management first-match L4_MGMT-ACCESS_POLICY
host1/Admin(config-pmap-mgmt)# 

To create a Layer 7 HTTP server load balancing policy map named L7_SLB_POLICY, enter:

host1/Admin(config)# policy-map type loadbalance first-match L7_SLB_POLICY
host1/Admin(config-pmap-lb)# 

To create a Layer 7 HTTP deep packet inspection policy map named L7_HTTP_INSPECT_POLICY, enter:

host1/Admin(config)# policy-map type inspect http all-match L7_HTTP_INSPECT_POLICY
host1/Admin(config-pmap-insp-http)# 

To create a Layer 7 FTP command inspection policy map named L7_FTP_INSPECT_POLICY, enter:

host1/Admin(config)# policy-map type inspect ftp first-match L7_FTP_INSPECT_POLICY
host1/Admin(config-pmap-ftp-ins)# 

Related Commands

show startup-config

(config) class-map

(config) parameter-map type

(config) service-policy

(config) probe

To define a probe and access its configuration mode, use the probe command. The CLI prompt changes to (config-probe_type). Use the no form of this command to delete the probe.

probe probe_type probe_name

no probe probe_type probe_name

Syntax Description

probe_type

The type of probe to create. The type determines the probe configuration mode that you enter. Enter one of the following keywords:

dns—Sends a request to a DNS server giving it a configured domain. To determine if the server is up, the ACE must receive the configured IP address for that domain.

echo {tcp | udp}—Sends a string to the server and compares the response with the original string. If the response string matches the original string, the server is marked as passed. Otherwise, the ACE retries a configured number of times at a configured time interval before the server is marked as failed.

finger—Sends a Finger request to the server to verify that a configured username string is a user name on that server.

ftp—Initiates an FTP session. By default, this probe is for an anonymous login with the option of configuring a user ID and password. The ACE performs an FTP GET or LS to determine the outcome of the probe. This probe supports only active connections.

http—Sets up a TCP connection and issues an HTTP request. The default request is an HTTP 1.1 GET request with the URL "/". Any valid HTTP response causes the probe to mark the real server as passed. You can also configure an expected HTTP response value.

https—Similar to the HTTP probe, but this probe uses SSL so that the exchange is encrypted.

icmp—Sends an ICMP request and listens for a response. If the server returns a response, the ACE marks the real server as passed. If there is no response and the probe times out, or an ICMP standard error occurs such as DESTINATION_UNREACHABLE, the ACE marks the real server as failed.

imap—Identical to the POP/POP3 probe, but uses IMAP.

pop—Initiates a POP session, using a configured user ID and password. Then, the probe attempts to retrieve e-mail from the server and validates the result of the probe based on the return codes received from the server.

radius—Connects to a RADIUS server and logs into it to determine if the server is up.

scripted—Executes probes from a configured script to perform health probing. In this way, you can author specific scripts with features not present in standard health probes.

smtp—Initiates an SMTP session by logging into the server.

tcp—Initiates a TCP handshake and expects a response. By default, a successful response causes the probe to mark the server as passed. Then the probe sends a FIN to end the session. If the response is not valid or if there is no response, the probe marks the real server as failed.

telnet—Establishes a connection to the real server and verifies that a greeting from the application was received.

udp—Sends a UDP packet to a real server. The probe marks the server as failed only if an ICMP Port Unreachable message is returned. Optionally, you can configure this probe to send specific data and expect a specific response to mark the real server as passed.

probe_name

The identifier for the probe; this is the name you use to associate the probe with a real server. Enter an unquoted text string with no spaces and a maximum of 64 characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

For information about commands in probe configuration mode, see the "Probe Configuration Mode Commands" section.
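The tcp and http entries in the syntax description define pass and fail in terms of a completed handshake, a valid HTTP status line, an optional expected status, and a retry count with an interval. The following Python program is an added illustration of those decisions, not ACE code and not Cisco's probe implementation. It probes a constructed local listener (started by `start_fake_http_server`, an assumption made so the example runs offline) and a constructed closed port; the function names, default retry count and interval are likewise assumptions, and the real ACE sends its probes from the module itself with the values set in probe configuration mode.

```python
"""Added illustration (not ACE code) of the pass/fail logic described for the
tcp and http probe types: a TCP probe passes when the handshake completes and
then closes the session (FIN); an HTTP probe passes on any valid HTTP
response, or only on a configured status; a server is marked failed only
after the configured retries, spaced by an interval.  Listener and closed
port are constructed locally so the example runs offline."""
import socket
import threading
import time
from typing import Callable, Optional


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """One TCP probe attempt: complete the handshake, then close cleanly."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass  # leaving the block closes the socket, i.e. sends the FIN
        return True
    except OSError:  # refused, unreachable or timed out: no valid response
        return False


def http_probe(host: str, port: int, timeout: float = 2.0,
               expect_status: Optional[int] = None, path: str = "/") -> bool:
    """One HTTP probe attempt: HTTP/1.1 GET of path, then check the status line."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request.encode())
            s.settimeout(timeout)
            data = s.recv(4096)
    except OSError:
        return False
    status_line = data.split(b"\r\n", 1)[0].split(b" ")
    if len(status_line) < 2 or not status_line[0].startswith(b"HTTP/"):
        return False  # not a valid HTTP response
    try:
        status = int(status_line[1])
    except ValueError:
        return False
    return expect_status is None or status == expect_status


def probe_server(probe: Callable[..., bool], retries: int = 3,
                 interval: float = 0.1, **kw) -> str:
    """Run `probe` until it passes or `retries` attempts fail, `interval`
    seconds apart; return the resulting real-server state."""
    for attempt in range(retries):
        if probe(**kw):
            return "passed"
        if attempt < retries - 1:
            time.sleep(interval)
    return "failed"


def start_fake_http_server(status_line: bytes = b"HTTP/1.1 200 OK") -> int:
    """Constructed local listener: answers every request with `status_line`
    and closes.  Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(5)  # the thread exits after 5 s without a new probe

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                srv.close()
                return
            with conn:
                try:
                    conn.settimeout(2)
                    conn.recv(1024)
                    conn.sendall(status_line + b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
                except OSError:
                    pass  # client already closed (the tcp probe does this)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """Constructed 'down' server: a local port nothing is listening on."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_fake_http_server()
    print("tcp  ", probe_server(tcp_probe, host="127.0.0.1", port=port))
    print("http ", probe_server(http_probe, host="127.0.0.1", port=port, expect_status=200))
    print("down ", probe_server(tcp_probe, retries=2, interval=0.2, host="127.0.0.1", port=closed_port()))
```

The point worth noticing is the asymmetry the text describes: a single good answer marks the server passed immediately, while a failed mark only follows the full retry sequence, which is what keeps a momentary packet loss from taking a real server out of rotation.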

Examples

To define a TCP probe named PROBE1 and access its mode, enter:

host1/Admin(config)# probe tcp PROBE1
host1/Admin(config-probe-tcp)#

To delete a TCP probe named PROBE1, enter:

host1/Admin(config)# no probe tcp PROBE1

Related Commands

clear probe

show probe

(config) radius-server attribute nas-ipaddr

To specify a RADIUS NAS-IP-Address attribute, use the radius-server attribute nas-ipaddr command. Use the no form of this command to delete the RADIUS NAS-IP-Address and return to the default configuration.

radius-server attribute nas-ipaddr nas_ip_address

no radius-server attribute nas-ipaddr nas_ip_address

Syntax Description

nas_ip_address

An IP address to be used as the RADIUS NAS-IP-Address, attribute 4. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

By default, the NAS-IP-Address is not configured. The ACE performs a route lookup on the RADIUS server IP address and uses the result.

The RADIUS NAS-IP-Address attribute allows you to configure an arbitrary IP address to be used as RADIUS attribute 4, NAS-IP-Address for each context.

The radius-server attribute nas-ipaddr command allows the ACE to behave as a single RADIUS client from the perspective of the RADIUS server. The configured NAS-IP-Address will be encapsulated in all outgoing RADIUS authentication request and accounting packets.

Examples

To specify a RADIUS NAS-IP-Address, enter:

host1/Admin(config)# radius-server attribute nas-ipaddr 192.168.1.1

To delete the RADIUS NAS-IP-Address and return to the default configuration, enter:

host1/Admin(config)# no radius-server attribute nas-ipaddr 192.168.1.1 

Related Commands

show aaa

(config) aaa group server

(config) radius-server host

(config) radius-server deadtime

To globally set the time interval in which the ACE verifies whether a nonresponsive server is operational, use the radius-server deadtime command. Use the no form of this command to reset the RADIUS server dead-time request to the default of 0.

radius-server deadtime minutes

no radius-server deadtime minutes

Syntax Description

minutes

The length of time, in minutes, that the ACE skips a nonresponsive RADIUS server for transaction requests. Enter an integer from 0 to 1440 (24 hours). The default is 0.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Use of this command causes the ACE to mark as "dead" any RADIUS server that fails to respond to authentication requests. This action avoids waiting for the request to time out before trying the next configured server. Additional requests skip a RADIUS server that is marked as "dead" for the duration specified by minutes.

The dead-time interval starts when the server does not respond to the number of authentication request transmissions configured through the radius-server retransmit command. When the server responds to a probe access-request packet, the ACE again transmits authentication requests to that server.

Examples

To globally configure a fifteen-minute dead-time for RADIUS servers that fail to respond to authentication requests, enter:

host1/Admin(config)# radius-server deadtime 15

To set the RADIUS server dead-time request to 0, enter:

host1/Admin(config)# no radius-server deadtime 15

Related Commands

show aaa

(config) aaa group server

(config) radius-server host

(config) radius-server host

To designate and configure a host for radius-server functions, use the radius-server host command. You can define multiple radius-server host commands to configure multiple RADIUS servers. Use the no form of this command to remove the radius server from the configuration.

radius-server host ip_address [key shared_secret [0 shared_secret | 7 shared_secret]] [auth-port port_number] [acct-port port_number] [authentication] [accounting] [timeout seconds] [retransmit count]

no radius-server host ip_address [key shared_secret [0 shared_secret | 7 shared_secret]] [auth-port port_number] [acct-port port_number] [authentication] [accounting] [timeout seconds] [retransmit count]

Syntax Description

ip_address

The IP address for the RADIUS server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).

key

(Optional) Enables an authentication key for communication between the ACE and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.

shared_secret

The key used to authenticate communication between the RADIUS client and server. The shared secret must match the one configured on the RADIUS server. Enter the shared secret as a case-sensitive string with no spaces and a maximum of 63 characters.

0

(Optional) Configures a key specified in clear text (indicated by 0) to authenticate communication between the RADIUS client and server.

7

(Optional) Configures a key specified in encrypted text (indicated by 7) to authenticate communication between the RADIUS client and server.

auth-port port_number

(Optional) Specifies the UDP destination port for communicating authentication requests to the RADIUS server. By default, the RADIUS authentication port is 1812 (as defined in RFC 2138 and RFC 2139). The port_number argument specifies the RADIUS port number. Valid values are from 1 to 65535.

acct-port port_number

(Optional) Specifies the UDP destination port for communicating accounting requests to the RADIUS server. By default, the RADIUS accounting port is 1813 (as defined in RFC 2138 and RFC 2139). The port_number argument specifies the RADIUS port number. Valid values are from 1 to 65535.

authentication

(Optional) Specifies that the RADIUS server is used only for authentication purposes.

If neither the authentication nor the accounting options are specified, the RADIUS server is used for both accounting and authentication purposes.

accounting

(Optional) Specifies that the RADIUS server is used only for accounting purposes.

If neither the authentication nor the accounting options are specified, the RADIUS server is used for both accounting and authentication purposes.

timeout seconds

(Optional) Specifies the time interval that the ACE waits for the RADIUS server to reply to an authentication request before retransmitting a request. Valid entries are 1 to 60 seconds. The default is 1 second.

retransmit count

(Optional) Specifies the number of times the ACE retransmits an authentication request to a timed-out RADIUS server before declaring the server to be unresponsive and contacting the next server in the group. Valid entries are 1 to 5 attempts. The default is 1 attempt.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The key option overrides the global setting of the radius-server key command. If you do not specify a key, the global value is used. RADIUS keys are always stored in encrypted form in persistent storage. The running configuration also displays keys in encrypted form.

If neither the authentication nor the accounting options are specified, the RADIUS server is used for both accounting and authentication purposes.

If your RADIUS server uses a port other than 1813, use the acct-port keyword to configure the ACE for the appropriate port prior to starting the RADIUS service.

If your RADIUS server uses a port other than 1812, use the auth-port keyword to configure the ACE for the appropriate port prior to starting the RADIUS service.

For the specified server, the retransmit and timeout options override the global settings assigned using the radius-server retransmit and radius-server timeout commands, respectively.

Examples

To configure RADIUS server authentication parameters, enter:

host1/Admin(config)# radius-server host 192.168.2.3 key HostKey 
host1/Admin(config)# radius-server host 192.168.2.3 key 7 secret_1256
host1/Admin(config)# radius-server host 192.168.2.3 auth-port 1645 
host1/Admin(config)# radius-server host 192.168.2.3 acct-port 1646
host1/Admin(config)# radius-server host 192.168.2.3 authentication
host1/Admin(config)# radius-server host 192.168.2.3 accounting
host1/Admin(config)# radius-server host 192.168.2.3 timeout 25
host1/Admin(config)# radius-server host 192.168.2.3 retransmit 3

To revert to a default RADIUS server authentication setting, enter:

host1/Admin(config)# no radius-server host 192.168.2.3 acct-port 1646

Related Commands

show aaa

(config) aaa group server

(config) radius-server attribute nas-ipaddr

(config) radius-server key

To globally configure an authentication key for communication between the ACE and the RADIUS daemon running on each RADIUS server, use the radius-server key command. Use the no form of this command to remove the global radius server key setting from the configuration.

radius-server key {shared_secret | 0 shared_secret | 7 shared_secret}

no radius-server key {shared_secret | 0 shared_secret | 7 shared_secret}

Syntax Description

shared_secret

The key used to authenticate communication between the RADIUS client and server. The shared secret must match the one configured on the RADIUS server. Enter the shared secret as a case-sensitive string with no spaces and a maximum of 63 characters.

0

Configures a key specified in clear text (indicated by 0) to authenticate communication between the RADIUS client and server.

7

Configures a key specified in encrypted text (indicated by 7) to authenticate communication between the RADIUS client and server.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The key is a text string that must match the encryption key used on the RADIUS server. RADIUS keys are always stored in encrypted form in persistent storage on the ACE. This global key will be applied to those RADIUS servers in a named server group for which a shared secret is not individually configured by the (config) radius-server host command.
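The shared secret configured here (or per server with radius-server host ... key) and the NAS-IP-Address configured with radius-server attribute nas-ipaddr both end up in the Access-Request the ACE sends, but in very different ways: the secret never travels on the wire and is only used to hide the User-Password and to compute the Message-Authenticator, while the NAS-IP-Address is sent in clear as attribute 4. The following Python program is an added illustration of that packet format, not ACE code and not Cisco's RADIUS client; it follows RFC 2865 section 5.2 for User-Password and RFC 2869 section 5.14 for Message-Authenticator. The secret, user, password and addresses are constructed values, and the function names are assumptions made for the demonstration.

```python
"""Added illustration (not ACE code) of a RADIUS Access-Request: the shared
secret feeds the User-Password hiding (RFC 2865 5.2) and the
Message-Authenticator HMAC-MD5 (RFC 2869 5.14) but is never sent; the
NAS-IP-Address is attribute type 4 carrying the 4-byte IPv4 address.
Secret, user, password and addresses below are constructed."""
import hashlib
import hmac
import os
import socket
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator.  Reversible only by a holder of the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length byte counts the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, user: str, password: str,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Return a complete Access-Request with the Message-Authenticator filled in."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = (
        encode_attr(ATTR_USER_NAME, user.encode())
        + encode_attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, auth))
        + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder
    )
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs
    # HMAC-MD5 over the packet with the Message-Authenticator zeroed, then
    # written into that (last) attribute.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def parse_attrs(pkt: bytes) -> List[Tuple[int, bytes, int]]:
    """Return (type, value, offset) for each attribute after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", pkt[pos:pos + 2])
        if l < 2 or pos + l > len(pkt):
            raise ValueError("malformed attribute length")
        attrs.append((t, pkt[pos + 2:pos + l], pos))
        pos += l
    return attrs


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server-side check: a request built with a different secret fails here."""
    for t, value, off in parse_attrs(pkt):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def nas_ip_of(pkt: bytes) -> str:
    """Dotted-decimal value of attribute 4, as the server would log it."""
    for t, value, _ in parse_attrs(pkt):
        if t == ATTR_NAS_IP_ADDRESS:
            return socket.inet_ntoa(value)
    raise KeyError("no NAS-IP-Address attribute")


def recover_password(pkt: bytes, secret: bytes) -> bytes:
    """Server-side reversal of hide_password (trailing NUL padding stripped)."""
    auth = pkt[4:20]
    for t, value, _ in parse_attrs(pkt):
        if t == ATTR_USER_PASSWORD:
            out, prev = b"", auth
            for i in range(0, len(value), 16):
                keystream = hashlib.md5(secret + prev).digest()
                out += bytes(a ^ b for a, b in zip(value[i:i + 16], keystream))
                prev = value[i:i + 16]
            return out.rstrip(b"\x00")
    raise KeyError("no User-Password attribute")
```

Two points for the operator follow from the code: the User-Password protection is only as strong as the secret (an MD5 keystream derived from it), so the 63-character limit should be used generously and the secret kept out of cleartext configuration exports; and because the NAS-IP-Address is a plain attribute, the value configured with radius-server attribute nas-ipaddr is what the RADIUS server sees as the client identity regardless of which ACE interface the datagram actually left from.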

Examples

To globally configure an authentication key to be sent in encrypted text (indicated by 7) to the RADIUS server, enter:

host1/Admin(config)# radius-server key 7 abe4DFeeweo00o 

To delete the key, enter:

host1/Admin(config)# no radius-server key 7 abe4DFeeweo00o

Related Commands

show aaa

(config) aaa group server

(config) radius-server host

(config) radius-server retransmit

To globally change the number of times the ACE sends an authentication request to a RADIUS server, use the radius-server retransmit command. Use the no form of this command to revert to the default of one transmission attempt.

radius-server retransmit count

no radius-server retransmit count

Syntax Description

count

The number of times the ACE attempts to contact a RADIUS server before trying to contact the next available server. Enter an integer from 1 to 5. The default is 1.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The ACE applies this global retransmission value to those RADIUS servers for which a value is not individually configured by the (config) radius-server host command.

If all servers in the group are unavailable for authentication and accounting, the ACE tries the local database if configured as a local fallback method in the aaa authentication login or the aaa accounting default commands. If you do not have a fallback method, the ACE continues to contact one of the AAA servers listed in the server group.

Examples

To globally configure the number of retransmissions to 3, enter:

host1/Admin(config)# radius-server retransmit 3

To revert to the default of one transmission attempt, enter:

host1/Admin(config)# no radius-server retransmit 3

Related Commands

show aaa

(config) aaa group server

(config) radius-server host

(config) radius-server timeout

To globally change the time interval that the ACE waits for the RADIUS server to reply before retransmitting an authentication request to the RADIUS server, use the radius-server timeout command. Use the no form of this command to revert to the default of one second between transmission attempts.

radius-server timeout seconds

no radius-server timeout seconds

Syntax Description

seconds

The time in seconds between retransmissions to the RADIUS server. Enter an integer from 1 to 60 seconds. The default is 1 second.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The ACE applies this global timeout value to those RADIUS servers for which a timeout value is not individually configured by the (config) radius-server host command.
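The radius-server timeout, radius-server retransmit and radius-server deadtime commands above, together with the per-server timeout and retransmit overrides of radius-server host and the local fallback described under radius-server retransmit, jointly determine where an authentication request goes and how long a failed server can hold it up. The following Python model is an added illustration of that interplay, not ACE code and not Cisco's RADIUS client: the network is replaced by a constructed `send` callback that reports whether a server answered, and the clock is injectable, so the decisions can be checked offline. Class and method names, and the assumption that the retransmit count is the total number of requests sent to one server, are assumptions made for the demonstration.

```python
"""Added model (not ACE code) of RADIUS server selection under the global
timeout / retransmit / deadtime settings and the per-host overrides of
radius-server host.  `send` and `clock` are injected so the example runs
offline; a real client would send UDP to the configured auth-port."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class GlobalRadius:
    timeout: float = 1.0   # radius-server timeout: 1..60 s, default 1
    retransmit: int = 1    # radius-server retransmit: 1..5 attempts, default 1
    deadtime: int = 0      # radius-server deadtime: 0..1440 min, default 0


@dataclass
class RadiusHost:
    ip: str
    timeout: Optional[float] = None   # radius-server host ... timeout override
    retransmit: Optional[int] = None  # radius-server host ... retransmit override
    dead_until: float = 0.0           # clock value until which the server is skipped


@dataclass
class Attempt:
    server: str
    tries: int      # requests sent to this server
    waited: float   # seconds spent waiting on it before success or give-up


class RadiusClient:
    def __init__(self, cfg: GlobalRadius, hosts: List[RadiusHost],
                 send: Callable[[str, float], bool], clock: Callable[[], float],
                 local_fallback: bool = False) -> None:
        self.cfg, self.hosts, self.send, self.clock = cfg, hosts, send, clock
        self.local_fallback = local_fallback  # "local" fallback method configured

    def authenticate(self) -> Tuple[str, List[Attempt]]:
        """Walk the server group in order.  Returns ("accept:<ip>" | "local" |
        "unreachable", per-server attempt log)."""
        now = self.clock()
        log: List[Attempt] = []
        for h in self.hosts:
            if h.dead_until > now:
                continue  # marked dead: skipped without waiting for a timeout
            timeout = h.timeout if h.timeout is not None else self.cfg.timeout
            tries = h.retransmit if h.retransmit is not None else self.cfg.retransmit
            waited = 0.0
            for n in range(1, tries + 1):
                if self.send(h.ip, timeout):
                    log.append(Attempt(h.ip, n, waited))
                    return f"accept:{h.ip}", log
                waited += timeout  # each unanswered request costs one timeout
            log.append(Attempt(h.ip, tries, waited))
            if self.cfg.deadtime:
                h.dead_until = now + self.cfg.deadtime * 60
        return ("local" if self.local_fallback else "unreachable"), log
```

With deadtime left at its default of 0, a dead first server costs timeout x retransmit seconds on every login until it recovers; with a deadtime set, only the first login after the failure pays that price and later ones go straight to the next server. The model does not re-probe a dead server with the probe access-request that the deadtime text mentions; it simply waits for the interval to lapse.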

Examples

To globally configure the timeout value to 30 seconds, enter:

host1/Admin(config)# radius-server timeout 30 

To revert to the default of one second between transmission attempts, enter:

host1/Admin(config)# no radius-server timeout 30

Related Commands

show aaa

(config) aaa group server

(config) radius-server host

(config) resource-class

To create a resource class and enter resource configuration mode, use the resource-class command. The CLI prompt changes to (config-resource). Configure a resource class to limit the use of system resources by one or more contexts. Use the no form of this command to remove the resource-class setting.

resource-class name

no resource-class name

Syntax Description

name

The name assigned to the resource class. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. You can also use the resource class called default.


Command Modes

Configuration mode

Admin context only

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Use a resource class to allocate and limit system resources among contexts in your ACE. The default resource class allocates 100% of all configurable system resources to each context. By creating a resource class, you can prevent oversubscription by limiting the percentage of resources available to each context. After you create and configure a resource class, use the (config-context) member command in context configuration mode to assign a context to the class.

To use the stickiness feature, you must allocate a minimum percentage of resources to the feature. Otherwise, stickiness will not work. For more details, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

For information about the commands in the resource configuration mode, see the "Resource Configuration Mode Commands" section.

Examples

To create a resource class called RC1, enter:

host1/C1(config)# resource-class RC1
host1/C1(config-resource)#

To remove the resource class from the configuration, enter:

host1/C1(config)# no resource-class RC1

Related Commands

show resource allocation

show resource usage

show user-account

show users

(config-context) member

(config) role

To assign a user role to a user and enter role configuration mode, use the role command. The CLI prompt changes to (config-role). User roles determine the privileges a user has, the commands a user can enter, and the actions that a user can perform in a particular context. You can apply the roles you create only in the context in which you create them. See the "Role Configuration Mode Commands" section for details. Use the no form of this command to remove the user role assignment.

role name

no role name

Syntax Description

name

The identifier associated with a user role. Enter an unquoted text string with no spaces and a maximum of 64 characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

If you do not assign a user role to a new user, the default user role is Network-Monitor. For users that you create in the Admin context, the default scope of access is the entire device. For users that you create in other contexts, the default scope of access is the entire context. If you need to restrict a user's access, you must assign a role-domain pair using the (config) username command.

For information about the commands in the role configuration mode, see the "Role Configuration Mode Commands" section.

For information about configuring roles and assigning them to users, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Examples

To assign a role, enter:

host1/C1(config)# role TECHNICIAN
host1/C1(config-role)#

To remove the role from the configuration, enter:

host1/C1(config)# no role TECHNICIAN

Related Commands

show role

show user-account

show users

(config) username

(config) rserver

To create a real server for server load balancing (SLB) and enter real server configuration mode, use the rserver command. The CLI prompt changes to (config-host-rserver) or (config-redirect-rserver), depending on the type of real server you create. You can create a maximum of 16,384 real servers. Use the no form of this command to remove the real server from the configuration.

rserver [host | redirect] name

no rserver [host | redirect] name

Syntax Description

host

(Optional) Specifies a typical real server that provides content and services to clients. This is the default setting. For details on the commands in real server host configuration mode, see the "Real Server Host Configuration Mode Commands" section.

redirect

(Optional) Specifies a real server used to redirect traffic to a new location as specified in the relocn-string argument of the webhost-redirection command. For details on the commands in real server redirect configuration mode, see the "Real Server Redirect Configuration Mode Commands" section.

name

An identifier for the real server. Enter an unquoted text string with no spaces and maximum of 64 characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the rserver feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

All servers in a server farm must be of the same type: host or redirect. You can create a maximum of 4096 real servers in each ACE.

Examples

To create a real server of type host, enter:

host1/Admin(config)# rserver server1

To remove the real server of type host from the configuration, enter:

host1/Admin(config)# no rserver server1

Related Commands

(config-rserver-redir) webhost-redirection

clear rserver

show rserver

(config) script file

To load a script into memory on the ACE and enable it for use, use the script file command. Use the no form of this command to remove a script from memory and the running configuration.

script file index script_name

no script file index

Syntax Description

index

An index number for the script file. The number must be unique across the context. Enter a number from 1 to 255.

script_name

The name of the script on the disk0: filesystem. The script name must be unique across the context. You will use the filename when you configure the probe.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

To run a script or create a health probe using a script, you must use the script name, not the script file from which the script was loaded.

Examples

To load a script into memory, enter:

host1/Admin(config)# script file 22 ftp1.tcl

To remove the script with index 22, enter:

host1/Admin(config)# no script file 22

Related Commands

show script

(config) serverfarm

To create a new server farm or modify an existing server farm and enter the serverfarm configuration mode, use the serverfarm command. You can configure a maximum of 4096 server farms on each ACE. Use the no form of this command to remove the server farm from the configuration.

serverfarm [host | redirect] name

no serverfarm [host | redirect] name

Syntax Description

host

(Optional) Specifies a typical server farm that consists of real servers that provide content and services to clients. This is the default. For details on the commands in the serverfarm host configuration mode, see the "Serverfarm Host Configuration Mode Commands" section.

redirect

(Optional) Specifies that the server farm consists only of real servers that redirect client requests to alternate locations specified by the relocation string or port number in the real server configuration. For details on the commands in the serverfarm redirect configuration mode, see the "Serverfarm Redirect Configuration Mode Commands" section.

name

Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release
Modification

3.0(0)A1(2)

This command was introduced.


Usage Guidelines

This command requires the server-farm feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Once you have created a server farm, you configure the other server farm attributes and add real servers to the farm. You can configure a maximum of 4096 server farms in each ACE.

Examples

To create a server farm of type host called SFARM1, enter:

host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)#

To remove a server farm called SFARM1, enter:

host1/Admin(config)# no serverfarm SFARM1
host1/Admin(config)#

Related Commands

(config-rserver-redir) webhost-redirection

clear serverfarm

show serverfarm

(config) service-policy

To apply a previously created policy map and attach the traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context, use the service-policy command. Use the no form of this command to remove a service policy.

service-policy input policy_name

no service-policy input policy_name

Syntax Description

input

Specifies that the traffic policy is to be attached to the input direction of an interface. The traffic policy evaluates all traffic received by that interface.

policy_name

The name of a previously defined policy map, configured with a previously created policy-map command. The name can be a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release	Modification

3.0(0)A1(2)	This command was introduced.


Usage Guidelines

This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Note the following when creating a service policy:

Policy maps, applied globally in a context, are internally applied on all interfaces existing in the context.

You can apply the policy in an input direction only.

A policy activated on an interface overwrites any specified global policies for overlapping classification and actions.

The ACE allows only one policy of a specific feature type to be activated on a given interface.

Examples

To specify an interface VLAN and apply the Layer 3 and Layer 4 SLB policy map to the VLAN:

host1/C1(config)# interface vlan50
host1/C1(config-if)# mtu 1500
host1/C1(config-if)# ip address 172.20.1.100 255.255.0.0
host1/C1(config-if)# service-policy input L4SLBPOLICY

To globally apply the Layer 3 and Layer 4 SLB policy map to the entire context:

host1/C1(config)# service-policy input L4SLBPOLICY

To globally detach a traffic policy from a context, enter:

host1/C1(config)# no service-policy input L4SLBPOLICY

Related Commands

clear service-policy

(config-if) service-policy input

(config) shared-vlan-hostid

To configure a specific bank of MAC addresses for an ACE, use the shared-vlan-hostid command. Use the no form of this command to remove a configured bank of MAC addresses.

shared-vlan-hostid number

no shared-vlan-hostid

Syntax Description

number

The bank of MAC addresses that the ACE uses. Enter a number from 1 to 16.


Command Modes

Configuration mode

Admin context only

Command History

Release	Modification

3.0(0)A1(2)	Command introduced.


Usage Guidelines

This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

When contexts share a VLAN, the ACE assigns a different MAC address to the VLAN on each context. The MAC addresses reserved for shared VLANs are 0x001243dc6b00 to 0x001243dcaaff, inclusive. All ACE modules derive these addresses from a global pool of 16k MAC addresses. This pool is divided into 16 banks, each containing 1,024 addresses. An ACE supports only 1,024 shared VLANs, so it uses only one bank of MAC addresses out of the pool.

By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE modules in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank and thus, use the same MAC addresses. To avoid this conflict, you need to configure the bank that the ACEs will use.

Examples

To configure bank 2 of MAC addresses, enter:

host1/Admin(config)# shared-vlan-hostid 2

To remove the configured bank of MAC addresses, use the no shared-vlan-hostid command. For example, enter:

host1/Admin(config)# no shared-vlan-hostid

Related Commands

(config) arp

(config) snmp-server community

To create or modify SNMP community names and access privileges, use the snmp-server community command. Each SNMP device or member is part of a community, and an SNMP community determines the access rights for each SNMP device. SNMP uses communities to establish trust between managers and agents. Use the no form of this command to remove an SNMP community.

snmp-server community community_name [group group_name | ro]

no snmp-server community community_name [group group_name | ro]

Syntax Description

community_name

The SNMP community name for this system. Enter an unquoted text string with no spaces and a maximum of 32 characters.

group group_name

(Optional) Identifies the role group to which the user belongs. Enter an unquoted text string with no spaces and a maximum of 32 characters.

Note Only network monitoring operations are supported through the ACE implementation of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

ro

(Optional) Allows read-only access for this community.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release	Modification

3.0(0)A1(2)	Command introduced.


Usage Guidelines