Application Control Engine Module Command Reference (Software Version A1(2))
Interface Configuration Mode Commands

Table Of Contents

Interface Configuration Mode Commands

(config-if) access-group

(config-if) alias

(config-if) arp

(config-if) bridge-group

(config-if) description

(config-if) fragment chain

(config-if) fragment min-mtu

(config-if) fragment timeout

(config-if) icmp-guard

(config-if) ip address

(config-if) ip df

(config-if) ip dhcp relay enable

(config-if) ip dhcp relay server

(config-if) ip options

(config-if) ip ttl minimum

(config-if) ip verify reverse-path

(config-if) mac-sticky enable

(config-if) mtu

(config-if) nat-pool

(config-if) normalization

(config-if) peer ip address

(config-if) service-policy input

(config-if) shutdown


Interface Configuration Mode Commands

Interface configuration mode commands allow you to configure a VLAN interface or a bridge-group virtual interface (BVI). To assign a VLAN interface to a context and access interface configuration mode, use the interface vlan command in configuration mode. To create a BVI for a bridge group in the context, use the interface bvi command. The CLI prompt changes to (config-if). For information about the commands in interface configuration mode, see the following commands.

Use the no form of the interface command to delete a BVI or VLAN interface from the context.

interface {bvi group_number | vlan number}

no interface {bvi group_number | vlan number}

Syntax Description

bvi group_number

Creates a BVI for a bridge group and accesses interface configuration mode commands for the BVI. The group_number argument is the bridge-group number configured on a VLAN interface.

vlan number

Assigns the VLAN to the context and accesses interface configuration mode commands for the VLAN. The number argument is the number for a VLAN assigned to the ACE from the supervisor.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

All commands in this mode require the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

To enable the bridge group VLANs, you must configure a bridge-group virtual interface (BVI) that represents a corresponding bridge group. An IP address in the same subnet should be configured on the BVI. This address is used for management traffic and as a source IP address for traffic from the ACE, like ARP requests.

The ACE supports a maximum of 4,093 VLAN interfaces with a maximum of 1,024 shared VLANs.

The ACE supports a maximum of 4,094 BVI interfaces.

The ACE supports a maximum of 8,192 interfaces per system that include VLANs, shared VLANs, and BVI interfaces.

The ACE requires a route back to the client before it can forward a request to a server. If the route back is not present, the ACE cannot establish a flow and drops the client request. Make sure that you configure the appropriate routing to the client network on the ACE VLAN where the client traffic enters the ACE module.

Examples

To assign VLAN interface 200 to the Admin context and access interface configuration mode, enter:

host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# 

To remove a VLAN, enter:

host1/Admin(config)# no interface vlan 200

To create a BVI for bridge group 15, enter:

host1/Admin(config)# interface bvi 15
host1/Admin(config-if)# 

To delete a BVI for bridge group 15, enter:

host1/Admin(config)# no interface bvi 15

Related Commands

show arp
show interface
show ip
show running-config
show vlans

(config-if) access-group

To apply an ACL to the inbound or outbound direction of a VLAN interface and make the ACL active, use the access-group command. Use the no form of this command to remove an ACL from an interface.

access-group {input | output} acl_name

no access-group {input | output} acl_name

Syntax Description

input

Specifies the inbound direction of the interface to which you want to apply the ACL

output

Specifies the outbound direction of the interface to which you want to apply the ACL

acl_name

Identifier of an existing ACL that you want to apply to an interface


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

You must apply ACLs to a VLAN interface to allow the passing of traffic on an interface. You can apply one ACL of each type (extended and EtherType) to both directions of the interface. For connectionless protocols, you need to apply the ACL to the source and destination interfaces if you want traffic to pass in both directions. For example, you can allow BGP in an ACL in transparent mode, and you need to apply the ACL to both interfaces.

A bridge group VLAN supports extended ACLs for IP traffic, and EtherType ACLs for non-IP traffic. For non-IP traffic, configure an EtherType ACL. EtherType ACLs support Ethernet V2 frames. You can configure the ACE to pass one or any of the following non-IP EtherTypes: Multi-Protocol Label Switching (MPLS), Internet Protocol version 6 (ipv6), and bridge protocol data units (BPDUs).

The output option is not allowed for EtherType ACLs.

To apply an ACL globally to all interfaces in a context, use the (config) access-group command.
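The placement rules in the usage guidelines above (one ACL of each type per direction per interface, no output direction for EtherType ACLs, and no traffic in a direction that has no ACL) can be checked before a configuration is pushed. The following validator is an added example and not Cisco's code; the binding tuples and interface names are constructed sample input, and the "no ACL means no traffic passes" check reflects the default-deny statement on this page.

```python
"""Checker for ACE access-group bindings, modelled on the rules described above.

Each binding is (interface, direction, acl_name, acl_type). Added example, not
Cisco's code; the sample bindings are constructed for illustration.
"""
from collections import defaultdict

ACL_TYPES = {"extended", "ethertype"}


def validate_access_groups(bindings):
    """Return a list of error strings; an empty list means the bindings are valid."""
    errors = []
    seen = defaultdict(list)   # (interface, direction, acl_type) -> [acl_name, ...]
    for iface, direction, acl_name, acl_type in bindings:
        if direction not in ("input", "output"):
            errors.append(f"{iface}: direction must be input or output, got {direction!r}")
            continue
        if acl_type not in ACL_TYPES:
            errors.append(f"{iface}: unknown ACL type {acl_type!r} for {acl_name}")
            continue
        if acl_type == "ethertype" and direction == "output":
            # the page states the output option is not allowed for EtherType ACLs
            errors.append(f"{iface}: EtherType ACL {acl_name} cannot be applied in the output direction")
            continue
        seen[(iface, direction, acl_type)].append(acl_name)
    for (iface, direction, acl_type), names in seen.items():
        if len(names) > 1:
            # only one ACL of each type may be applied per direction
            errors.append(f"{iface}: more than one {acl_type} ACL in {direction} direction: {names}")
    return errors


def passes_traffic(bindings, iface, direction, acl_type="extended"):
    """True only if an ACL of acl_type is bound in that direction; with no ACL
    applied, the interface passes no traffic of that kind in that direction."""
    return any(b[0] == iface and b[1] == direction and b[3] == acl_type for b in bindings)


# Constructed sample configuration: a valid set of bindings for vlan100.
SAMPLE = [
    ("vlan100", "input", "INBOUND", "extended"),
    ("vlan100", "output", "OUTBOUND", "extended"),
    ("vlan100", "input", "BPDU", "ethertype"),
]
```

Run validate_access_groups over the list of bindings you intend to apply; a non-empty result means at least one access-group command would be rejected or would silently duplicate an existing binding.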

Examples

To apply an ACL named INBOUND to the inbound direction of an interface, enter:

host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input INBOUND

To remove an ACL from an interface, enter:

host1/Admin(config-if)# no access-group input INBOUND

Related Commands

show access-list
(config) access-group
(config) access-list extended

(config-if) alias

To configure an IP address that floats between active and standby modules for a BVI or VLAN interface, use the alias command. Use the no form of this command to delete an alias IP address.

alias ip_address mask

no alias ip_address mask

Syntax Description

ip_address

IP address of the interface. Enter the IP address in dotted-decimal notation (for example, 172.16.27.1).

mask

Subnet mask of the interface. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0).


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

You must configure redundancy (fault tolerance) on the ACE for the alias IP address to work. For more information on redundancy, see the Cisco Application Control Engine Module Administration Guide.

For stealth firewalls, an ACE balances traffic among unique VLAN alias IP address interfaces on another ACE that provides paths through stealth firewalls. You configure a stealth firewall so that all traffic moving in both directions across that VLAN moves through the same firewall.

For details about firewall load balancing (FWLB), see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

Examples

To configure an alias IP address and mask, enter:

host1/Admin(config-if)# alias 12.0.0.81 255.0.0.0

To delete the alias IP address, enter:

host1/Admin(config-if)# no alias 12.0.0.81 255.0.0.0

Related Commands

show interface

(config-if) arp

To add a static ARP entry in the ARP table for a VLAN interface, use the arp command. Use the no form of this command to remove a static ARP entry.

arp ip_address mac_address

no arp ip_address mac_address

Syntax Description

ip_address

IP address for an ARP table entry. Enter the IP address in dotted-decimal notation (for example, 172.16.27.1).

mac_address

MAC address for the ARP table entry. Enter the MAC address in dotted-hexadecimal notation (for example, 00.02.9a.3b.94.d9).


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

Static ARPs for bridged interfaces are configured on the specific interface.

Examples

To allow ARP responses from the router at 10.1.1.1 with the MAC address 00.02.9a.3b.94.d9, enter the following command:

host1/Admin(config-if)# arp 10.1.1.1 00.02.9a.3b.94.d9

To remove a static ARP entry, use the no arp command. For example, enter:

host1/Admin(config-if)# no arp 10.1.1.1 00.02.9a.3b.94.d9

Related Commands

show arp

(config-if) bridge-group

To assign the VLAN to a bridge group, use the bridge-group command. Use the no form of this command to remove the bridge group from the VLAN.

bridge-group number

no bridge-group

Syntax Description

number

The bridge group number. Enter an integer from 1 to 4094.


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

In bridge mode, you can configure two interface VLANs into a group and bridge packets between them. All interfaces are in one broadcast domain and packets from one VLAN are switched to the other VLAN. The ACE bridge mode only supports two L2 VLANs per bridge group. In this mode, VLANs do not have configured IP addresses.

To enable the bridge group VLANs, you must configure a bridge-group virtual interface (BVI) that represents a corresponding bridge group.

Examples

To assign bridge group 15 to the VLAN, enter:

host1/Admin(config-if)# bridge-group 15

To remove the bridge group from the VLAN, enter:

host1/Admin(config-if)# no bridge-group

Related Commands

show interface

(config-if) description

To provide a description for a BVI or VLAN interface, use the description command. Use the no form of this command to delete the description.

description text

no description

Syntax Description

text

Description for the interface. Enter an unquoted text string containing a maximum of 240 characters including spaces.


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To provide the description of POLICY MAP 3 FOR INBOUND AND OUTBOUND TRAFFIC, enter:

host1/admin(config-if)# description POLICY MAP 3 FOR INBOUND AND OUTBOUND TRAFFIC

To remove the description for the interface, enter:

host1/admin(config-if)# no description

Related Commands

show interface

(config-if) fragment chain

To configure the maximum number of fragments belonging to the same packet that the ACE accepts for reassembly for a VLAN interface, use the fragment chain command. Use the no form of this command to reset the default value.

fragment chain number

no fragment chain

Syntax Description

number

The maximum number of fragments belonging to the same packet. Enter an integer from 1 to 256. The default is 24.


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To configure a fragment chain limit of 126, enter:

host1/C1(config-if)# fragment chain 126

To reset the maximum number of fragments in a packet to the default of 24, enter:

host1/C1(config-if)# no fragment chain

Related Commands

show fragment
(config-if) fragment min-mtu
(config-if) fragment timeout

(config-if) fragment min-mtu

To configure the minimum fragment size that the ACE accepts for reassembly for a VLAN interface, use the fragment min-mtu command. Use the no form of this command to reset the default value.

fragment min-mtu number

no fragment min-mtu

Syntax Description

number

The minimum fragment size. Enter an integer from 68 to 9216 bytes. The default is 576 bytes.


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To configure a minimum fragment size of 1024, enter:

host1/C1(config-if)# fragment min-mtu 1024

To reset the minimum fragment size to the default value of 576 bytes, enter:

host1/C1(config-if)# no fragment min-mtu

Related Commands

show fragment
(config-if) fragment chain
(config-if) fragment timeout

(config-if) fragment timeout

To configure a reassembly timeout for a VLAN interface, use the fragment timeout command. Use the no form of this command to reset the default value.

fragment timeout seconds

no fragment timeout

Syntax Description

seconds

The reassembly timeout in seconds. Enter an integer from 0 to 65535. A value of 0 instructs the ACE to never time out. The default is 10.


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The IP reassembly timeout specifies the period of time after which the ACE abandons the fragment reassembly process if it does not receive any outstanding fragments for the current fragment chain (fragments belonging to the same packet).
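The three fragment commands (fragment chain, fragment min-mtu and fragment timeout) bound the resources an interface will spend on reassembling one packet, which is what keeps a flood of tiny or never-completed fragments from exhausting the reassembly engine. The reassembler below is an added example, not Cisco's code, and models only the documented limits with their defaults (24 fragments, 576 bytes, 10 seconds, 0 meaning never time out). The fragment records are constructed sample input, and the exemption of the final fragment (MF flag clear) from the minimum-size check is an assumption, since the last piece of a packet is legitimately short.

```python
"""Toy IP fragment reassembler enforcing the per-interface limits described in
the fragment chain, fragment min-mtu and fragment timeout sections.

Added example, not Cisco's code. Assumption: the last fragment of a packet
(more=False) is exempt from the min-mtu check.
"""
from dataclasses import dataclass, field


@dataclass
class Fragment:
    packet_id: int   # IP identification field; ties the fragments of one packet together
    offset: int      # byte offset of this fragment's payload within the original packet
    length: int      # payload bytes carried by this fragment
    more: bool       # MF flag: True for every fragment except the last
    arrived: float   # arrival time in seconds (constructed timestamps in the tests)


@dataclass
class Chain:
    fragments: list = field(default_factory=list)
    last_seen: float = 0.0


class Reassembler:
    def __init__(self, max_chain=24, min_mtu=576, timeout=10):
        self.max_chain = max_chain   # fragment chain
        self.min_mtu = min_mtu       # fragment min-mtu
        self.timeout = timeout       # fragment timeout; 0 means chains never expire
        self.chains = {}             # packet_id -> Chain
        self.dropped = []            # (packet_id, reason) audit trail for the tests

    def _expire(self, now):
        """Abandon chains that have received no fragment within the timeout."""
        if self.timeout == 0:
            return
        for pid in [p for p, c in self.chains.items() if now - c.last_seen > self.timeout]:
            del self.chains[pid]
            self.dropped.append((pid, "timeout"))

    def accept(self, frag):
        """Feed one fragment. Returns the reassembled payload length once the
        packet is complete, otherwise None."""
        self._expire(frag.arrived)
        if frag.more and frag.length < self.min_mtu:
            self.dropped.append((frag.packet_id, "fragment below min-mtu"))
            return None
        chain = self.chains.setdefault(frag.packet_id, Chain())
        chain.fragments.append(frag)
        chain.last_seen = frag.arrived
        if len(chain.fragments) > self.max_chain:
            # too many pieces for one packet: discard the whole chain, not just this piece
            del self.chains[frag.packet_id]
            self.dropped.append((frag.packet_id, "fragment chain limit exceeded"))
            return None
        return self._try_complete(frag.packet_id)

    def _try_complete(self, pid):
        """Complete only when the last fragment is present and the ranges are contiguous."""
        frags = sorted(self.chains[pid].fragments, key=lambda f: f.offset)
        if frags[-1].more:
            return None
        expected = 0
        for f in frags:
            if f.offset != expected:
                return None
            expected += f.length
        del self.chains[pid]
        return expected
```

The dropped list is the part a defender cares about: a high rate of "fragment chain limit exceeded" or "timeout" entries on one interface is the symptom the limits exist to contain.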

Examples

To configure IP reassembly timeout of 750 seconds, enter:

host1/C1(config-if)# fragment timeout 750

To reset the fragment timeout to the default value of 10 seconds, enter:

host1/C1(config-if)# no fragment timeout

Related Commands

show fragment
(config-if) fragment chain
(config-if) fragment min-mtu

(config-if) icmp-guard

To enable the ICMP security checks in the ACE, use the icmp-guard command. This feature is enabled by default. Use the no form of this command to disable the ICMP security checks.

icmp-guard

no icmp-guard

Syntax Description

This command has no keywords or arguments.

Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

By default, the ACE provides several ICMP security checks by matching ICMP reply packets with request packets and using mismatched packets to detect attacks. Also, the ACE forwards ICMP error packets only if a connection record exists pertaining to the flow for which the error packet was received.


Caution: Disabling the ACE ICMP security checks may expose your ACE and your data center to potential security risks. After you enter the no icmp-guard command, the ACE no longer performs NAT translations on the ICMP header and payload in error packets, which potentially can reveal real host IP addresses to attackers.

If you want to operate your ACE strictly as a load balancer, use the no icmp-guard command to disable the ACE ICMP security checks. You must also disable TCP normalization using the no normalization command. For details about operating your ACE for load balancing only, refer to the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.
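The two checks the usage guidelines describe (echo replies must match an outstanding request, and ICMP error packets are forwarded only when the flow quoted inside them has a connection record) are what make icmp-guard stateful, and the caution above adds a third behaviour: translating the real server address quoted inside an error packet so that it is not leaked to the client. The guard below is an added example and not Cisco's code; the ACE's real connection table and NAT logic are not public, so the Flow and Icmp records, the address values and the single real-to-virtual translation map are constructed assumptions.

```python
"""Stateful ICMP guard modelled on the icmp-guard usage guidelines above.

Added example, not Cisco's code. Flows, addresses and the NAT map are
constructed for illustration.
"""
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8
ERROR_TYPES = {3, 11, 12}   # destination unreachable, time exceeded, parameter problem


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self):
        return Flow(self.proto, self.dst, self.src, self.dport, self.sport)


@dataclass
class Icmp:
    src: str
    dst: str
    type: int
    ident: int = 0        # echo identifier
    seq: int = 0          # echo sequence number
    inner: Flow = None    # for error types: the flow quoted in the ICMP payload


class IcmpGuard:
    def __init__(self, enabled=True):
        self.enabled = enabled       # False models "no icmp-guard"
        self.connections = set()     # client-side Flow records of established connections
        self.pending_echo = set()    # (src, dst, ident, seq) of echo requests forwarded
        self.nat = {}                # real server address -> virtual address the client knows

    def add_connection(self, flow, real_server=None):
        self.connections.add(flow)
        if real_server:
            self.nat[real_server] = flow.dst

    def inspect(self, pkt):
        """Return (verdict, packet); verdict is 'forward' or 'drop'."""
        if not self.enabled:
            return "forward", pkt      # guard off: nothing is matched or rewritten
        if pkt.type == ECHO_REQUEST:
            self.pending_echo.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "forward", pkt
        if pkt.type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)   # a reply mirrors its request
            if key in self.pending_echo:
                self.pending_echo.discard(key)
                return "forward", pkt
            return "drop", pkt         # unsolicited or replayed reply: the mismatch the page describes
        if pkt.type in ERROR_TYPES:
            if pkt.inner is None:
                return "drop", pkt
            pkt = self._nat_inner(pkt)
            if pkt.inner in self.connections or pkt.inner.reverse() in self.connections:
                return "forward", pkt
            return "drop", pkt         # no connection record for the quoted flow
        return "forward", pkt

    def _nat_inner(self, pkt):
        """Rewrite real server addresses in the outer source and the quoted inner
        header back to the virtual address (the NAT step the caution mentions)."""
        t = lambda a: self.nat.get(a, a)
        inner = Flow(pkt.inner.proto, t(pkt.inner.src), t(pkt.inner.dst),
                     pkt.inner.sport, pkt.inner.dport)
        return Icmp(t(pkt.src), pkt.dst, pkt.type, pkt.ident, pkt.seq, inner)
```

With enabled=False the same error packet is forwarded with the real server address intact, which is exactly the exposure the caution warns about.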

Examples

To enable the ACE ICMP security checks after you have disabled them, enter:

host1/Admin(config)# interface vlan 200

host1/Admin(config-if)# icmp-guard

To disable ACE ICMP security checks, enter:

host1/Admin(config-if)# no icmp-guard

Related Commands

(config-if) normalization

(config-if) ip address

To assign an IP address to a BVI or VLAN interface, use the ip address command. Use the no form of this command to remove an IP address from an interface.

ip address ip_address mask

no ip address

Syntax Description

ip_address

IP address of the interface. Enter an IP address in dotted-decimal notation (for example, 192.168.12.1).

mask

Subnet mask of the interface. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0).


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

When you assign an IP address to an interface, the ACE automatically makes it routed.

Static ARPs for bridged interfaces must be configured on the specific interface.

In a single context, each interface address must be on a unique subnet and cannot overlap. However, the IP subnet can overlap an interface in different contexts.

Across multiple contexts on a shared VLAN, the IP address must be unique. On a non-shared VLAN, the IP address can be the same.

There is no routing across contexts even when shared VLANs are configured.

Examples

To set the IP address of 192.168.1.1 255.255.255.0 for VLAN interface 200, enter:

host1/Admin(config)# interface vlan 200

host1/Admin(config-if)# ip address 192.168.1.1 255.255.255.0

To remove the IP address for the VLAN, enter:

host1/Admin(config-if)# no ip address

Related Commands

show arp
show interface
show ip

(config-if) ip df

To configure how the ACE handles an IP packet that has its Don't Fragment (DF) bit set on a VLAN interface, use the ip df command. Use the no form of this command to instruct the ACE to ignore the DF bit.

ip df {clear | allow}

no ip df

Syntax Description

clear

Clears the DF bit and permits the packet. If the packet is larger than the next-hop MTU, the ACE fragments the packet.

allow

(Default) Permits the packet with the DF bit set. If the packet is larger than the next-hop MTU, the ACE discards the packet and sends an ICMP unreachable message to the source host.


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

Occasionally, an ACE may receive a packet that has its Don't Fragment (DF) bit set in the IP header. This flag tells network routers and the ACE not to fragment the packet and to forward it in its entirety.

Examples

To clear the DF bit and permit the packet, enter:

host1/Admin(config-if)# ip df clear

To instruct the ACE to ignore the DF bit, enter:

host1/Admin(config-if)# no ip df

Related Commands

This command has no related commands.

(config-if) ip dhcp relay enable

To accept DHCP requests on a VLAN interface, use the ip dhcp relay enable command. Use the no form of this command to disable DHCP on the interface.

ip dhcp relay enable

no ip dhcp relay enable

Syntax Description

This command has no keywords or arguments.

Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The DHCP relay starts forwarding packets to the DHCP server address specified in the ip dhcp relay server command for the associated interface or context.

Examples

To enable the DHCP relay on the interface, enter:

host1/Admin(config-if)# ip dhcp relay enable

To disable the DHCP relay on the interface, enter:

host1/Admin(config-if)# no ip dhcp relay enable

Related Commands

(config-if) ip dhcp relay server

(config-if) ip dhcp relay server

To set the IP address of a DHCP server to which the DHCP relay agent forwards client requests on a VLAN interface, use the ip dhcp relay server command. Use the no form of this command to remove the IP address of the DHCP server.

ip dhcp relay server ip_address

no ip dhcp relay server ip_address

Syntax Description

ip_address

The IP address of the DHCP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To specify the IP address for the DHCP relay server, enter:

host1/Admin(config-if)# ip dhcp relay server 192.168.20.1

To remove the IP address of the DHCP server, enter:

host1/Admin(config-if)# no ip dhcp relay server 192.168.20.1

Related Commands

This command has no related commands.

(config-if) ip options

To configure how the ACE handles IP options and to perform specific actions when an IP option is set in a packet for a VLAN interface, use the ip options command. Use the no form of the command to instruct the ACE to ignore the IP option.

ip options {clear | clear-invalid | allow | drop}

no ip options

Syntax Description

allow

Allows the packet with the IP options set.

clear

Clears the specified option from the packet and allows the packet.

clear-invalid

(Default) Clears all IP options from the packet if the ACE encounters one or more invalid or unsupported IP options and allows the packet.

drop

Causes the ACE to discard the packet.
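The four keywords differ in what happens to the options field of a packet that carries one, and the default (clear-invalid) depends on being able to tell a well-formed, supported option from a malformed or unknown one. The parser and handler below are an added example and not Cisco's code: the page does not list which options the ACE itself treats as supported, so the SUPPORTED set (the common RFC 791 and RFC 2113 options) is an assumption, and reading "clear" as removing every option from the header is an assumption about the page's wording. The option byte strings are constructed sample input.

```python
"""Model of the allow / clear / clear-invalid / drop actions applied to a raw
IPv4 options field.

Added example, not Cisco's code. SUPPORTED is an assumed set of option types;
padding of the options field to a 32-bit boundary is not modelled.
"""
EOOL, NOP = 0, 1
# record route, timestamp, security, loose source route, strict source route, router alert
SUPPORTED = {EOOL, NOP, 7, 68, 130, 131, 137, 148}


def parse_options(opts):
    """Return (options, valid). options is a list of (type, payload bytes);
    valid is False if any option is malformed or not in SUPPORTED."""
    out, valid, i = [], True, 0
    while i < len(opts):
        t = opts[i]
        if t == EOOL:
            break                        # end of option list; the rest is padding
        if t == NOP:
            out.append((t, b""))
            i += 1
            continue
        # every other option is TLV: a length byte that covers type and length too
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return out, False            # truncated or bad length byte: malformed
        length = opts[i + 1]
        out.append((t, opts[i + 2:i + length]))
        if t not in SUPPORTED:
            valid = False
        i += length
    return out, valid


def handle_ip_options(opts, mode="clear-invalid"):
    """Apply one ip options keyword to an options field.
    Returns (verdict, options_field); verdict is 'forward' or 'drop'."""
    if not opts:
        return "forward", opts           # no options present: nothing to act on
    if mode == "allow":
        return "forward", opts           # options left in place
    if mode == "drop":
        return "drop", opts              # any packet carrying options is discarded
    if mode == "clear":
        return "forward", b""            # options removed, packet forwarded
    if mode == "clear-invalid":
        _, valid = parse_options(opts)
        return "forward", (opts if valid else b"")
    raise ValueError(f"unknown ip options mode {mode!r}")
```

Note that clear-invalid leaves a well-formed source-route option in place; if source routing is unwanted on the interface, "clear" or "drop" is the setting that actually removes it.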


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To allow packets with IP options set, enter:

host1/Admin(config-if)# ip options allow

To reset the ACE behavior to the default of clearing all IP options if the module encounters one or more invalid or unsupported IP options, enter:

host1/Admin(config-if)# no ip options

Related Commands

This command has no related commands.

(config-if) ip ttl minimum

To set the packet time to live (TTL) hops in the IP header on a VLAN interface, use the ip ttl minimum command. The default behavior of the ACE is to not rewrite the TTL value of a packet. Use the no form of this command to reset the default behavior.

ip ttl minimum number

no ip ttl minimum

Syntax Description

number

The minimum number of hops that a packet can take to reach its destination. Enter an integer from 1 to 255.


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

Each router along the packet's path decrements the TTL by one. If the packet's TTL equals 0 before the packet reaches its destination, the packet is discarded.

If the TTL value of the incoming packet is lower than the configured value, the ACE rewrites the TTL with the configured value. Otherwise, the ACE transmits the packet with its TTL unchanged or discards the packet if the TTL equals zero.

Examples

To set the TTL hops to 15, enter:

host1/Admin(config-if)# ip ttl minimum 15

To instruct the ACE to ignore the TTL value, enter:

host1/Admin(config-if)# no ip ttl minimum

Related Commands

This command has no related commands.

(config-if) ip verify reverse-path

To enable reverse-path forwarding (RPF) based on the source IP address for a VLAN interface, use the ip verify reverse-path command. By default, URPF is disabled on the interface. Use the no form of this command to reset the default behavior.

ip verify reverse-path

no ip verify reverse-path

Syntax Description

This command has no keywords or arguments.

Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

Unicast reverse-path forwarding (URPF) helps to mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by allowing the ACE to discard IP packets that lack a verifiable source IP address. This feature enables the ACE to filter both ingress and egress packets to verify addressing and route integrity. It is called reverse-path forwarding because a normal forwarding lookup is based on the destination address, whereas this check performs the route lookup on the source address instead.

When you enable this feature, the ACE discards packets if there is no route found or if the route does not match the interface on which the packet arrived.

You cannot use this command when reverse-path forwarding (RPF) based on the source MAC address for a VLAN interface is enabled through the (config-if) mac-sticky enable command.

Examples

To enable reverse-path forwarding, enter:

host1/Admin(config-if)# ip verify reverse-path

To disable reverse-path forwarding, enter:

host1/Admin(config-if)# no ip verify reverse-path

Related Commands

(config-if) mac-sticky enable

(config-if) mac-sticky enable

To enable the mac-sticky feature for a VLAN interface, use the mac-sticky command. The mac-sticky feature ensures that the ACE sends return traffic to the same upstream device through which the connection setup from the original client was received. By default, the mac-sticky feature is disabled on the ACE. Use the no form of this command to disable the mac-sticky feature, resetting the default behavior of the ACE performing a route lookup to select the next hop to reach the client.

mac-sticky enable

no mac-sticky enable

Syntax Description

This command has no keywords or arguments.

Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

When you use this command to enable the mac-sticky feature, the ACE uses the source MAC address from the first packet of a new connection to determine the device to send the return traffic. This guarantees that the ACE sends the return traffic for load-balanced connections to the same device originating the connection. By default, the ACE performs a route lookup to select the next hop to reach the client.

This feature is useful when the ACE receives traffic from Layer-2/Layer-3 adjacent stateful devices, like firewalls and transparent caches, guaranteeing that it sends return traffic to the correct stateful device that sourced the connection without any requirement for source NAT. For more information on firewall load balancing, see the Cisco Application Control Engine Module Security Configuration Guide.

You cannot use this command when you configure the (config-if) ip verify reverse-path command.
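The ip verify reverse-path and mac-sticky enable sections describe two different answers to the question of where a connection's path lies: URPF checks on arrival that the route to the source address points back out the arrival interface (dropping spoofed sources), while mac-sticky records the source MAC of a connection's first packet and sends return traffic there instead of doing a route lookup. Because both decide the return path, the page makes them mutually exclusive on an interface. The model below is an added example and not Cisco's code; the routing table, interface names, MAC addresses and flow keys are constructed assumptions.

```python
"""Model of URPF admission and mac-sticky return-path selection, per the
ip verify reverse-path and mac-sticky enable sections above.

Added example, not Cisco's code. Routes, interfaces and MACs are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str             # e.g. "10.0.0.0/8"; converted to a network below
    interface: str
    next_hop_mac: str       # MAC of the next-hop router reachable on that interface

    def __post_init__(self):
        self.prefix = ipaddress.ip_network(self.prefix)


class Interface:
    def __init__(self, name, urpf=False, mac_sticky=False):
        if urpf and mac_sticky:
            # the page states the two commands cannot be configured together
            raise ValueError(f"{name}: ip verify reverse-path and mac-sticky enable are mutually exclusive")
        self.name, self.urpf, self.mac_sticky = name, urpf, mac_sticky


class Forwarder:
    def __init__(self, routes, interfaces):
        # longest prefix first, so the first match is the most specific route
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.interfaces = {i.name: i for i in interfaces}
        self.sticky = {}    # (client_ip, client_port) -> (interface, source MAC of first packet)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((r for r in self.routes if addr in r.prefix), None)

    def admit(self, in_iface, src_ip, src_mac, src_port):
        """Apply URPF on arrival and record the source MAC if mac-sticky is on.
        Returns True if the packet is accepted."""
        iface = self.interfaces[in_iface]
        if iface.urpf:
            route = self.lookup(src_ip)
            # drop when there is no route to the source, or it points out another interface
            if route is None or route.interface != in_iface:
                return False
        if iface.mac_sticky:
            # only the first packet of a connection sets the sticky entry
            self.sticky.setdefault((src_ip, src_port), (in_iface, src_mac))
        return True

    def return_next_hop(self, client_ip, client_port):
        """Where return traffic for a connection goes: the sticky MAC if one was
        recorded, otherwise the interface and next hop from a route lookup."""
        if (client_ip, client_port) in self.sticky:
            return self.sticky[(client_ip, client_port)]
        route = self.lookup(client_ip)
        if route is None:
            return None   # no route back: the page notes the ACE cannot establish the flow
        return route.interface, route.next_hop_mac
```

The mac-sticky case is the one to watch when two stateful firewalls sit in front of the ACE: a route lookup would pick one next hop for every client subnet, while the sticky entry returns each connection to the firewall that actually saw its SYN.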

Examples

To enable the mac-sticky feature, enter:

host1/Admin(config-if)# mac-sticky enable

To disable the mac-sticky feature, enter:

host1/Admin(config-if)# no mac-sticky enable

Related Commands

(config-if) ip verify reverse-path

(config-if) mtu

To specify the MTU for a VLAN interface, use the mtu command. This command allows you to set the data size that is sent on a connection. Use the no form of this command to reset the MTU block size to the default of 1500 for Ethernet interfaces.

mtu bytes

no mtu

Syntax Description

bytes

The number of bytes in the MTU; valid values are from 64 to 9216 bytes. The default is 1500.


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The default MTU for Ethernet interfaces is 1500 bytes. This value is sufficient for most applications, but you can pick a lower number if network conditions require it. The ACE fragments packets that are larger than the MTU value before sending them to the next hop.
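The mtu and ip df sections together define what happens to an oversized packet on egress: it is fragmented to the interface MTU, or, if its DF bit is set and ip df allow is in force, discarded with an ICMP unreachable that tells the sender the MTU it must respect. The model below is an added example covering both sections, not Cisco's code; the Packet record and address values are constructed, and treating "no ip df" (ignore the DF bit) as fragmenting without consulting or altering the bit is an assumption.

```python
"""Egress handling of oversized packets per the ip df and mtu sections above.

Added example, not Cisco's code. df_mode 'ignore' models the no ip df form and
is an assumption; packets and addresses are constructed.
"""
from dataclasses import dataclass

IP_HEADER = 20   # IPv4 header without options


@dataclass
class Packet:
    src: str
    dst: str
    df: bool            # Don't Fragment bit
    payload_len: int    # IP payload bytes (header excluded)
    ident: int = 1      # identification field shared by all fragments of one packet
    offset: int = 0     # fragment offset in bytes
    more: bool = False  # MF flag


def fragment(pkt, mtu):
    """Split pkt into fragments that fit the MTU; offsets are multiples of 8
    bytes as IPv4 requires, so the usable chunk is rounded down to 8."""
    chunk = (mtu - IP_HEADER) // 8 * 8
    if chunk <= 0:
        raise ValueError(f"MTU {mtu} leaves no room for payload")
    frags, pos = [], 0
    while pos < pkt.payload_len:
        size = min(chunk, pkt.payload_len - pos)
        last = pos + size >= pkt.payload_len
        frags.append(Packet(pkt.src, pkt.dst, pkt.df, size, pkt.ident, pos, not last))
        pos += size
    return frags


def egress(pkt, mtu=1500, df_mode="allow"):
    """Return (action, packets). action is 'forward', 'fragment' or 'drop'; for
    'drop' the list holds the ICMP unreachable sent back to the source host."""
    if df_mode not in ("allow", "clear", "ignore"):
        raise ValueError(f"unknown ip df mode {df_mode!r}")
    if IP_HEADER + pkt.payload_len <= mtu:
        return "forward", [pkt]                    # fits: nothing to do
    if pkt.df and df_mode == "allow":
        # honour DF: ICMP type 3 code 4 (fragmentation needed) carries the next-hop MTU
        icmp = {"type": 3, "code": 4, "to": pkt.src, "next_hop_mtu": mtu}
        return "drop", [icmp]
    if pkt.df and df_mode == "clear":
        pkt = Packet(pkt.src, pkt.dst, False, pkt.payload_len, pkt.ident)   # clear DF, then fragment
    return "fragment", fragment(pkt, mtu)        # DF not set, or ignored
```

The "drop" branch is the one path MTU discovery depends on; ip df clear keeps oversized DF packets flowing but hides the MTU limit from the sender, so every large packet on that path is fragmented on every pass.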

Examples

To specify the MTU data size of 1000 for an interface, enter:

host1/admin(config-if)# mtu 1000 

To reset the MTU block size to the default value of 1500 for Ethernet interfaces, enter:

host1/admin(config-if)# no mtu

Related Commands

show interface

(config-if) nat-pool

To create a pool of IP addresses for dynamic NAT for a VLAN interface, use the nat-pool command. Use the no form of this command to remove a NAT pool from the configuration.

nat-pool nat_id ip_address1 [ip_address2] netmask mask [pat]

no nat-pool nat_id ip_address1 [ip_address2] netmask mask [pat]

Syntax Description

nat_id

Identifier of the NAT pool of global IP addresses. Enter an integer from 1 to 2147483647.

ip_address1

Single IP address, or if also using the ip_address2 argument, the first IP address in a range of global addresses used for NAT. Enter an IP address in dotted-decimal notation (for example, 172.27.16.10).

ip_address2

(Optional) Highest IP address in a range of global IP addresses used for NAT. Enter an IP address in dotted-decimal notation (for example, 172.27.16.109).

netmask mask

Subnet mask for the IP address pool. Enter a mask in dotted decimal notation (for example, 255.255.255.0). If you do not specify a network mask for the global IP addresses in the pool, the ACE, by default, uses the network mask of the interface to which the pool is attached.

pat

(Optional) Specifies that the ACE perform port address translation (PAT) in addition to NAT.


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

Dynamic NAT uses a pool of global IP addresses that you specify. You can define either a single global IP address for a group of servers with PAT to differentiate between them, or a range of global IP addresses when using dynamic NAT only. To use a single IP address or a range of addresses, you assign an identifier to the address pool. You then associate the NAT pool with a global interface.

If a packet egresses an interface that you have not configured for NAT, the ACE transmits the packet untranslated.

If the ACE runs out of IP addresses in a NAT pool, it can switch over to a PAT rule, if configured. For example, you can configure the following:

nat-pool 1 10.1.100.10 10.1.100.99 netmask 255.255.255.255
nat-pool 1 10.1.100.100 10.1.100.100 netmask 255.255.255.255 pat
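The two nat-pool lines above share one nat_id: the first hands out 90 global addresses one per flow, and the second is a single address with pat that takes over once the range is used up. The allocator below is an added example and not Cisco's code; it reproduces those two rules, and the allocation order (lowest free address first, original port preserved where possible) and the PAT port range are assumptions. The netmask keyword is not modelled.

```python
"""Dynamic NAT pool with PAT fallback, modelled on the nat-pool usage
guidelines above.

Added example, not Cisco's code. Allocation order and PAT port range are
assumptions; the local addresses in the tests are constructed.
"""
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass
class NatRule:
    first: str
    last: str
    pat: bool = False

    def addresses(self):
        lo = int(ipaddress.ip_address(self.first))
        hi = int(ipaddress.ip_address(self.last))
        return [str(ipaddress.ip_address(a)) for a in range(lo, hi + 1)]


class NatPool:
    PAT_PORTS = range(1024, 65536)   # assumed port range used for PAT

    def __init__(self, nat_id, rules):
        self.nat_id = nat_id
        self.rules = rules
        self.free = [a for r in rules if not r.pat for a in r.addresses()]   # one address per flow
        self.pat_addrs = [a for r in rules if r.pat for a in r.addresses()]  # shared by port
        self.pat_used = {}    # global address -> set of ports in use
        self.xlate = {}       # (local_ip, local_port) -> (global_ip, global_port)

    def translate(self, local_ip, local_port):
        """Return the global (ip, port) for a flow, allocating on first use.
        Returns None when both the address range and the PAT rule are exhausted."""
        key = (local_ip, local_port)
        if key in self.xlate:
            return self.xlate[key]
        if self.free:
            mapping = (self.free.pop(0), local_port)   # plain NAT keeps the source port
        else:
            mapping = self._pat(local_port)             # range exhausted: switch to the PAT rule
            if mapping is None:
                return None
        self.xlate[key] = mapping
        return mapping

    def _pat(self, local_port):
        for addr in self.pat_addrs:
            used = self.pat_used.setdefault(addr, set())
            preferred = [local_port] if local_port in self.PAT_PORTS else []
            for port in itertools.chain(preferred, self.PAT_PORTS):
                if port not in used:
                    used.add(port)
                    return addr, port
        return None

    def release(self, local_ip, local_port):
        """Tear down a translation, returning its address or port to the pool."""
        mapping = self.xlate.pop((local_ip, local_port), None)
        if mapping is None:
            return False
        g_ip, g_port = mapping
        if g_ip in self.pat_used and g_port in self.pat_used[g_ip]:
            self.pat_used[g_ip].discard(g_port)
        else:
            self.free.append(g_ip)
        return True


# The two rules from the usage guidelines above, under one nat_id.
EXAMPLE_POOL = NatPool(1, [NatRule("10.1.100.10", "10.1.100.99"),
                           NatRule("10.1.100.100", "10.1.100.100", pat=True)])
```

Without the pat rule, the 91st concurrent flow through this interface would get no translation at all; with it, that flow and every later one share 10.1.100.100 and differ only by port.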

Examples

To configure a NAT pool consisting of a range of 100 global IP addresses with PAT, enter:

host1/C1(config-if)# nat-pool 1 172.27.16.10 172.27.16.109 netmask 255.255.255.0 pat

Related Commands

This command has no related commands.

(config-if) normalization

To enable TCP normalization, use the normalization command. This feature is enabled by default. Use the no form of this command to disable TCP normalization.

normalization

no normalization

Syntax Description

This command has no keywords or arguments.

Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

By default, TCP normalization is enabled.


Caution: Disabling TCP normalization may expose your ACE and your data center to potential security risks. TCP normalization helps protect the ACE and the data center from attackers by enforcing strict security policies that are designed to examine traffic for malformed or malicious segments.

To operate your ACE for load balancing only, disable TCP normalization by entering the no normalization command. You must also disable the ACE ICMP security checks using the no icmp-guard command. For details about operating your ACE strictly as a load balancer, refer to the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

Examples

To enable TCP normalization after you have disabled it, enter:

host1/Admin(config)# interface vlan 200

host1/Admin(config-if)# normalization

To disable TCP normalization, enter:

host1/Admin(config-if)# no normalization

Related Commands

(config-if) icmp-guard

(config-if) peer ip address

To configure the IP address of a standby module for the BVI or VLAN interface, use the peer ip address command. Use the no form of this command to delete the IP address of the peer module.

peer ip address ip_address mask

no peer ip address

Syntax Description

ip_address

IP address of the peer module. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).

mask

Subnet mask of the peer module. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0).


Command Modes

Interface configuration mode for BVI and VLAN interfaces

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

When you configure redundancy, by default, configuration mode on the standby module is disabled and changes on an active module are automatically synchronized on the standby module. However, interface IP addresses on the active and standby modules must be unique. To ensure that the addresses on the interfaces are unique, the interface IP address on the active module is synchronized on the standby module as the peer IP address. To configure an interface IP address on the standby module, use the peer ip address command. The peer IP address on the active module is synchronized on the standby module, as the interface IP address.

Across multiple contexts on a shared VLAN, the IP address must be unique. On a non-shared VLAN, the IP address can be the same.

Examples

To configure an IP address and mask for the peer module, enter:

host1/Admin(config-if)# peer ip address 11.0.0.81 255.0.0.0

To delete the IP address for the peer module, enter:

host1/Admin(config-if)# no peer ip address

Related Commands

show interface

(config-if) service-policy input

To apply a previously created policy map and attach the traffic policy to the input direction of a VLAN interface, use the service-policy input command. Use the no form of this command to remove a service policy.

service-policy input policy_name

no service-policy input policy_name

Syntax Description

policy_name

The name of a previously defined policy map, configured with a previously created policy-map command. Enter a text string with a maximum of 64 alphanumeric characters.


Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

Policy maps applied globally in a context through the service policy command in configuration mode are applied on all interfaces existing in the context.

A policy activated on an interface overwrites any specified global policies for overlapping classification and actions.

The ACE allows only one policy of a specific feature type to be activated on a given interface.

Examples

To apply the L4SLBPOLICY policy map to an interface, enter:

host1/C1(config-if)# service-policy input L4SLBPOLICY

To remove the L4SLBPOLICY policy map from the interface, enter:

host1/C1(config-if)# no service-policy input L4SLBPOLICY

Related Commands

show service-policy
(config) service-policy

(config-if) shutdown

To disable a BVI or VLAN interface, use the shutdown command. Use the no form of this command to enable the interface.

shutdown

no shutdown

Syntax Description

This command has no keywords or arguments.

Command Modes

Interface configuration mode

Admin and user contexts

Command History

Release          Modification

3.0(0)A1(2)      This command was introduced.


Usage Guidelines

When you create an interface, the interface is in the shutdown state until you enable it. If you disable or reenable the interface within a context, only that context interface is affected.

Examples

To disable an interface, enter:

host1/Admin(config-if)# shutdown

To enable an interface for use, enter:

host1/Admin(config-if)# no shutdown

Related Commands

show interface
show running-config