Table Of Contents
Configuration Mode Commands
(config) aaa accounting default
(config) aaa authentication login
(config) aaa group server
(config) access-group
(config) access-list ethertype
(config) access-list extended
(config) access-list remark
(config) access-list resequence
(config) action-list type modify http
(config) arp
(config) banner
(config) boot system image:
(config) class-map
(config) clock timezone
(config) clock summer-time
(config) config-register
(config) context
(config) crypto authgroup
(config) crypto chaingroup
(config) crypto crl
(config) crypto csr-params
(config) domain
(config) end
(config) exit
(config) ft auto-sync
(config) ft group
(config) ft interface vlan
(config) ft peer
(config) ft track host
(config) ft track hsrp
(config) ft track interface
(config) hostname
(config) hw-module
(config) interface
(config) ip dhcp relay
(config) ip domain-list
(config) ip domain-lookup
(config) ip domain-name
(config) ip name-server
(config) ip route
(config) kalap udp
(config) ldap-server host
(config) ldap-server port
(config) ldap-server timeout
(config) line console
(config) line vty
(config) login timeout
(config) logging buffered
(config) logging console
(config) logging device-id
(config) logging enable
(config) logging facility
(config) logging fastpath
(config) logging history
(config) logging host
(config) logging message
(config) logging monitor
(config) logging persistent
(config) logging queue
(config) logging rate-limit
(config) logging reject-newconn
(config) logging standby
(config) logging supervisor
(config) logging timestamp
(config) logging trap
(config) object-group
(config) parameter-map type
(config) peer hostname
(config) peer shared-vlan-hostid
(config) policy-map
(config) probe
(config) radius-server attribute nas-ipaddr
(config) radius-server deadtime
(config) radius-server host
(config) radius-server key
(config) radius-server retransmit
(config) radius-server timeout
(config) resource-class
(config) role
(config) rserver
(config) script file
(config) serverfarm
(config) service-policy
(config) shared-vlan-hostid
(config) snmp-server community
(config) snmp-server contact
(config) snmp-server enable traps
(config) snmp-server engineid
(config) snmp-server host
(config) snmp-server location
(config) snmp-server trap link ietf
(config) snmp-server trap-source vlan
(config) snmp-server user
(config) ssh key
(config) ssh maxsessions
(config) ssl-proxy service
(config) static
(config) sticky http-content
(config) sticky http-cookie
(config) sticky http-header
(config) sticky ip-netmask
(config) sticky layer4-payload
(config) sticky radius framed-ip
(config) sticky rtsp-header
(config) sticky sip-header
(config) tacacs-server deadtime
(config) tacacs-server host
(config) tacacs-server key
(config) tacacs-server timeout
(config) telnet maxsessions
(config) timeout xlate
(config) udp
(config) username
Configuration Mode Commands
Configuration mode commands allow you to configure global ACE parameters that affect the following contexts:
• All contexts, when configured in the Admin context
• A single user context, when configured in that context
Configuration mode also allows you to access all the ACE subordinate configuration modes. These modes provide parameters to configure the major features of the ACE, including access control lists (ACLs), application protocol inspection, fragmentation and reassembly, interfaces, Network Address Translation (NAT), persistence (stickiness), protocols, redundancy, routing, scripts, Secure Sockets Layer (SSL), server load balancing (SLB), TCP/IP normalization, users, and virtualization.
To access configuration mode, use the config command. The CLI prompt changes to (config).
See the individual command descriptions of all the configuration mode commands on the following pages.
Command Modes
Exec mode
Admin and user contexts
Command History
Release          Modification
3.0(0)A1(2)      This command was introduced.
Usage Guidelines
This command requires one or more features assigned to your user role that allow configuration, such as AAA, interface, or fault-tolerant. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Examples
To access configuration mode, enter the config command in Exec mode; the prompt changes to show the new mode:
host1/Admin# config
host1/Admin(config)#
Related Commands
show running-config
show startup-config
(config) aaa accounting default
To configure the default accounting method, use the aaa accounting default command. You specify either a previously created AAA server group that identifies separate groups of Terminal Access Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) servers or the local database on the ACE. Use the no form of this command to remove the accounting method.
aaa accounting default {group group_name} {local} {none}
no aaa accounting default {group group_name} {local} {none}
Syntax Description
group group_name
    Associates the accounting method with a TACACS+ or RADIUS server group defined previously through the aaa group server command. The server group name is a maximum of 64 alphanumeric characters.
local
    Specifies to use the local database on the ACE as the accounting method.
none
    Specifies that the ACE performs no accounting; login and command activity in the context is not recorded.
    Note: Only users with an Admin role can configure the none keyword.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release          Modification
3.0(0)A1(2)      This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Examples
To enable user accounting to be performed using remote TACACS+ servers, followed by local login as the fallback method, enter:
host1/Admin(config)# aaa accounting default group TacServer local
Related Commands
show aaa
show accounting log
(config) aaa authentication login
(config) aaa group server
(config) aaa authentication login
To configure the authentication method used for login to the ACE CLI, use the aaa authentication login command. Use the no form of this command to disable the authentication method.
aaa authentication login {{console | default} {{group group_name} {local} {none}}} | error-enable
no aaa authentication login {{console | default} {{group group_name} {local} {none}}} | error-enable
Syntax Description
console
    Specifies the console port login authentication method, identified by the specified server group.
default
    Specifies the default login authentication method (by console or by Telnet or Secure Shell [SSH] login) that is identified by the specified server group.
group group_name
    Associates the login authentication process with a Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) server group defined through the aaa group server command. The server group name is a maximum of 64 alphanumeric characters.
local
    Specifies to use the local database on the ACE as the login authentication method. If the server group does not respond, the local database is used as the fallback authentication method.
none
    Specifies that the ACE does not perform password verification. If you configure this option, users can log in to the ACE without providing a valid password.
    Note: Only users with an Admin role can configure the none keyword.
error-enable
    Enables the display of the login error message when the remote AAA servers fail to respond.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release          Modification
3.0(0)A1(2)      This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Use the none option cautiously. If you specify none, any user will be able to access the ACE at any time without a valid password.
To view whether the login error message is currently displayed, use the show aaa authentication login error-enable command. When a user attempts to log in and the remote AAA servers do not respond to the authentication request, the ACE continues the login sequence with the next configured method, for example by switching to the local user database.
Examples
To enable console authentication using the TACSERVER server group, followed by local login as the fallback method, enter:
host1/Admin(config)# aaa authentication login console group TACSERVER local
Password verification remains enabled for login authentication.
To turn off password validation, enter:
host1/Admin(config)# aaa authentication login console group TACSERVER local none
Related Commands
show aaa
(config) aaa accounting default
(config) aaa group server
(config) aaa group server
To configure independent server groups of Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) servers, use the aaa group server command. Use the no form of this command to remove a server group.
aaa group server {ldap | radius | tacacs+} group_name
no aaa group server {ldap | radius | tacacs+} group_name
Syntax Description
ldap
    Specifies an LDAP directory server group. For information about the commands in the LDAP server configuration mode, see the "LDAP Configuration Mode Commands" section.
radius
    Specifies a RADIUS server group. For information about the commands in the RADIUS server configuration mode, see the "RADIUS Configuration Mode Commands" section.
tacacs+
    Specifies a TACACS+ server group. For information about the commands in the TACACS+ server configuration mode, see the "TACACS+ Configuration Mode Commands" section.
group_name
    Name for the LDAP, RADIUS, or TACACS+ server group. The server group name is a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release          Modification
3.0(0)A1(2)      This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
A server group is a list of server hosts of a particular type. The ACE allows you to configure multiple TACACS+, RADIUS, and LDAP servers as a named server group. You group the different AAA server hosts into distinct lists. The ACE searches for the server hosts in the order in which you specify them within a group. You can configure a maximum of 10 server groups for each context in the ACE.
You can configure server groups at any time, but they take effect only when you apply them to the AAA service using the aaa authentication login or the aaa accounting default commands.
To create a AAA server group and access one of the three AAA server group configuration modes, enter the aaa group server ldap, aaa group server radius, or aaa group server tacacs+ command in configuration mode. The CLI prompt changes to (config-ldap), (config-radius), or (config-tacacs+). In this mode, you specify the IP address of one or more previously configured servers that you want added to or removed from the server group.
Examples
To create a RADIUS server group and add a previously configured RADIUS server, enter:
host1/Admin(config)# aaa group server radius RAD_Server_Group1
host1/Admin(config-radius)# server 192.168.252.1
host1/Admin(config-radius)# server 192.168.252.2
host1/Admin(config-radius)# server 192.168.252.3
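The aaa authentication login and aaa group server commands above define a method list that the ACE walks at login time. The following Python model is an added example, not code from the Cisco command reference: it shows how a list such as group TACSERVER local none is evaluated using the semantics this page states (servers in a group are tried in configured order, a server group that does not respond falls back to the next method, and none performs no password verification), and why appending none turns an outage into open access. The server addresses, the server behaviour, the local user database, and the treatment of a user who is absent from the local database (no answer, so the list continues) are assumptions constructed for this example.

```python
"""Model of an ACE-style AAA login method list, for example
'aaa authentication login default group TACSERVER local none'.
Added example; server behaviour and the user database are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"


@dataclass
class ServerGroup:
    """One 'aaa group server' entry: servers are tried in the configured order."""
    name: str
    servers: List[str]
    # (server_ip, user, password) -> ACCEPT | REJECT | NO_RESPONSE; stands in for
    # the real TACACS+/RADIUS exchange and is constructed for this example
    responder: Callable[[str, str, str], str]

    def authenticate(self, user: str, password: str) -> str:
        for ip in self.servers:
            verdict = self.responder(ip, user, password)
            if verdict != NO_RESPONSE:
                return verdict        # the first server that answers is authoritative
        return NO_RESPONSE            # whole group silent: fall back to the next method


@dataclass
class LoginPolicy:
    groups: Dict[str, ServerGroup]
    local_users: Dict[str, str]       # username -> password, constructed
    methods: List[str]                # e.g. ["group TACSERVER", "local", "none"]

    def login(self, user: str, password: str) -> Tuple[str, str]:
        """Walk the method list; the first method that gives a final answer decides."""
        for method in self.methods:
            if method.startswith("group "):
                verdict = self.groups[method.split()[1]].authenticate(user, password)
            elif method == "local":
                # Assumption of the model: a user missing from the local database is
                # 'no answer' (the list continues); a wrong password is a final reject.
                if user not in self.local_users:
                    verdict = NO_RESPONSE
                else:
                    verdict = ACCEPT if self.local_users[user] == password else REJECT
            elif method == "none":
                verdict = ACCEPT      # no password verification at all
            else:
                raise ValueError(f"unknown method {method!r}")
            if verdict != NO_RESPONSE:
                return verdict, method
        return REJECT, "no method answered"


def tacacs_partly_up(ip: str, user: str, password: str) -> str:
    """Constructed: 10.1.1.1 is down, 10.1.1.2 answers and knows only 'netops'."""
    if ip == "10.1.1.1":
        return NO_RESPONSE
    return ACCEPT if (user, password) == ("netops", "s3cret") else REJECT


def tacacs_down(ip: str, user: str, password: str) -> str:
    """Constructed: no server in the group responds."""
    return NO_RESPONSE


def build(methods: List[str], responder) -> LoginPolicy:
    return LoginPolicy(
        groups={"TACSERVER": ServerGroup("TACSERVER", ["10.1.1.1", "10.1.1.2"], responder)},
        local_users={"admin": "localpw"},
        methods=methods,
    )


if __name__ == "__main__":
    safe = ["group TACSERVER", "local"]
    risky = ["group TACSERVER", "local", "none"]
    print(build(safe, tacacs_partly_up).login("netops", "s3cret"))  # second server accepts
    print(build(safe, tacacs_partly_up).login("admin", "localpw"))  # server reject is final
    print(build(safe, tacacs_down).login("admin", "localpw"))       # group silent: local accepts
    print(build(safe, tacacs_down).login("stranger", "x"))          # nobody vouches: denied
    print(build(risky, tacacs_down).login("stranger", "x"))         # 'none' lets anyone in
```

The last two calls are the point: with group TACSERVER local, a TACACS+ outage still leaves only the local accounts usable, whereas group TACSERVER local none admits any username with any password during the same outage, which is what the Usage Guidelines for aaa authentication login warn about.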
Related Commands
show aaa
show running-config
(config) aaa accounting default
(config) aaa authentication login
(config) access-group
To apply an access control list (ACL) to the inbound direction on all VLAN interfaces in a context and make the ACL active, use the access-group command. Use the no form of this command to remove an ACL from all interfaces in a context.
access-group input acl_name
no access-group input acl_name
Syntax Description
input
    Specifies the inbound direction of all interfaces in a context on which you want to apply the ACL.
acl_name
    Identifier of an existing ACL that you want to apply to the interfaces.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release          Modification
3.0(0)A1(2)      This command was introduced.
Usage Guidelines
This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You must apply an ACL to an interface to allow the passing of traffic on that interface. This command enables you to apply an ACL to all interfaces in a context in the inbound direction only and to allow traffic on all interfaces simultaneously. The following considerations apply:
• You can use the access-group command in configuration mode only if there are no interfaces in the context to which you have applied an ACL previously using the (config-if) access-group command in interface configuration mode.
• If you have applied an ACL globally to all interfaces in a context, you cannot apply an ACL to an individual interface using the (config-if) access-group command in interface configuration mode.
• You can apply one Layer 2 ACL and one Layer 3 ACL globally to all interfaces in a context.
• You can apply both a Layer 3 and a Layer 2 ACL to all Layer 2 bridge-group virtual interfaces (BVIs) in a context.
• You can apply only a Layer 3 ACL to all Layer 3 virtual LANs (VLANs) in a context.
For complete details on ACLs, see the Cisco Application Control Engine Module Security Configuration Guide.
Examples
To apply an ACL named INBOUND to the inbound direction of all interfaces in the Admin context, enter:
host1/Admin(config)# access-group input INBOUND
To remove an ACL from all interfaces in the Admin context, enter:
host1/Admin(config)# no access-group input INBOUND
Related Commands
(config-if) access-group
show access-list
(config) access-list ethertype
To configure an EtherType access control list (ACL), use the access-list ethertype command. Use the no form of this command to remove the ACL from the configuration.
access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}
no access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}
Syntax Description
name
    Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
ethertype
    Specifies a subprotocol of type: any, bpdu, ipv6, or mpls.
deny
    Blocks connections on the assigned interface.
permit
    Allows connections on the assigned interface.
any
    Specifies any EtherType.
bpdu
    Specifies bridge protocol data units.
ipv6
    Specifies Internet Protocol version 6.
mpls
    Specifies Multiprotocol Label Switching.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release          Modification
3.0(0)A1(2)      This command was introduced.
Usage Guidelines
This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You can configure an ACL that controls traffic based on its EtherType. An EtherType is a subprotocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because they use a length field instead of a type field. Bridge protocol data units (BPDUs) are exceptions because they are SNAP-encapsulated, and the ACE is designed to specifically handle BPDUs.
You can configure an EtherType ACL only on a Layer 2 interface in the inbound direction.
When you specify the mpls keyword in an EtherType ACL, the ACE denies or permits both MPLS-unicast and MPLS-multicast traffic.
Examples
To configure an ACL that controls traffic based on its EtherType, enter:
host1/Admin(config)# access-list INBOUND ethertype permit mpls
Related Commands
clear access-list
show access-list
(config) access-list extended
To create an extended ACL, use the access-list extended command. The two major types of extended ACLs are as follows:
• Non-ICMP ACLs
• ICMP ACLs
Use the no form of this command to delete the ACL entry.
For a non-ICMP extended ACL, the syntax is as follows:
access-list name [line number] extended {deny | permit}
    {protocol {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} [operator port1 [port2]]
        {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} [operator port3 [port4]]}
    | {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name}
        {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}
no access-list name [line number] extended {deny | permit}
    {protocol {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} [operator port1 [port2]]
        {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} [operator port3 [port4]]}
    | {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name}
        {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}
For an ICMP extended ACL, the syntax is as follows:
access-list name [line number] extended {deny | permit}
    {icmp {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name}
        {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} [icmp_type [code operator code1 [code2]]]}
    | {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name}
        {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}
no access-list name [line number] extended {deny | permit}
    {icmp {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name}
        {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} [icmp_type [code operator code1 [code2]]]}
    | {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name}
        {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}
Syntax Description
name
    Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
line number
    (Optional) Specifies the line number position where you want the entry that you are configuring to appear in the ACL. The position of an entry determines the lookup order of the entries in an ACL. If you do not configure the line number of an entry, the ACE applies a default increment and a line number to the entry and appends it at the end of the ACL.
extended
    Specifies an extended ACL. Extended ACLs allow you to specify the destination IP address and subnet mask and other parameters not available with a standard ACL.
deny
    Blocks connections on the assigned interface.
permit
    Allows connections on the assigned interface.
protocol
    Name or number of an IP protocol. Enter a protocol name or an integer from 0 to 255 that represents an IP protocol number from the following:
    • ah—(51) Authentication Header
    • eigrp—(88) Enhanced IGRP
    • esp—(50) Encapsulated Security Payload
    • gre—(47) Generic Routing Encapsulation
    • icmp—(1) Internet Control Message Protocol (see Table 2-1 for optional ICMP message types)
    • igmp—(2) Internet Group Management Protocol
    • ip—(0) Internet Protocol
    • ip-in-ip—(4) IP-in-IP Layer 3 tunneling protocol
    • ospf—(89) Open Shortest Path First
    • pim—(103) Protocol Independent Multicast
    • tcp—(6) Transmission Control Protocol
    • tcp-udp—(6 and 17) Transmission Control Protocol and User Datagram Protocol
    • udp—(17) User Datagram Protocol
any
    Specifies the network traffic from any source.
host src_ip_address
    Specifies the IP address of the host from which network traffic originates. Use this keyword and argument to specify the network traffic from a single IP address.
src_ip_address netmask
    Traffic from a source defined by the IP address and the network mask. Use these arguments to specify the network traffic from a range of source IP addresses.
object-group net_obj_grp_name
    Specifies the identifier of an existing source network object group. To use object groups in an ACL, replace the normal network (source address, mask, and so on), service (protocol operator port), or ICMP type (icmp_type) arguments with an object-group name.
operator
    (Optional) Operand used to compare source port numbers for the TCP, TCP-UDP, and UDP protocols. The operators are as follows:
    • eq—Equal to.
    • gt—Greater than.
    • lt—Less than.
    • neq—Not equal to.
    • range—An inclusive range of port values. If you enter the range operator, enter a second port number value to define the upper limit of the range.
port1 [port2]
    TCP or UDP source port name or number from which you permit or deny services access. Enter an integer from 0 to 65535. To enter an inclusive range of ports, enter two port numbers. Port2 must be greater than or equal to port1. See Table 2-2 for a list of well-known TCP port names and numbers and Table 2-3 for a list of well-known UDP port names and numbers.
any
    Specifies the network traffic going to any destination.
host dest_ip_address
    Specifies the IP address of a single destination host. Use this keyword and argument to specify the network traffic destined to a single IP address.
dest_ip_address netmask
    Specifies the IP address of the network or host to which the packet is being sent and the network mask bits that are to be applied to the destination IP address. Use these arguments to specify a range of destination IP addresses.
operator
    (Optional) Operand used to compare destination port numbers for the TCP, TCP-UDP, and UDP protocols. The operators are the same as for the source port: eq, gt, lt, neq, and range. If you enter the range operator, enter a second port number value to define the upper limit of the range.
port3 [port4]
    TCP or UDP destination port name or number to which you permit or deny access to services. Enter an integer from 0 to 65535. To enter an optional inclusive range of ports, enter two port numbers. Port4 must be greater than or equal to port3. See Table 2-2 and Table 2-3 for lists of well-known ports.
icmp_type
    (Optional) Type of ICMP messaging. Enter either an integer that corresponds to the ICMP type number or one of the ICMP type names as described in Table 2-1.
code
    (Optional) Specifies that a numeric operator and ICMP code follows.
operator
    An operator that the ACE applies to the ICMP code number that follows. Enter one of the following operators:
    • lt—Less than.
    • gt—Greater than.
    • eq—Equal to.
    • neq—Not equal to.
    • range—An inclusive range of ICMP code values. When you use this operator, specify two code numbers to define the range.
code1, code2
    ICMP code number within the specified ICMP type (see Table 2-1 for the types). If you entered the range operator, enter a second ICMP code value to define the upper limit of the range.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release          Modification
3.0(0)A1(2)      This command was introduced.
A2(1.0)          This command was revised with the object-group keyword and associated keywords and arguments.
Usage Guidelines
This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
The ACE does not explicitly support standard ACLs. To configure the equivalent of a standard ACL, specify the destination address as any and do not specify ports in an extended ACL.
For TCP and UDP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the ACE allows all returning traffic for established connections.
You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the same ACL on multiple interfaces. You can apply EtherType ACLs only in the inbound direction and only on Layer 2 interfaces.
If you create an ICMP extended ACL, you can optionally specify the type of ICMP messaging. Enter either an integer that corresponds to the ICMP type number or one of the ICMP type names as described in Table 2-1.
Table 2-1 ICMP Types
ICMP Type Number    ICMP Type
0                   echo-reply
3                   unreachable
4                   source-quench
5                   redirect
6                   alternate-address
8                   echo
9                   router-advertisement
10                  router-solicitation
11                  time-exceeded
12                  parameter-problem
13                  timestamp-request
14                  timestamp-reply
15                  information-request
16                  information-reply
17                  mask-request
18                  mask-reply
30                  traceroute
31                  conversion-error
32                  mobile-redirect
Table 2-2 Well-Known TCP Port Numbers and Key Words
Keyword            Port Number   Description
aol                5190          America-Online
bgp                179           Border Gateway Protocol
chargen            19            Character Generator
citrix-ica         1494          Citrix Independent Computing Architecture protocol
cmd                514           Same as exec, with automatic authentication
ctiqbe             2748          Computer Telephony Interface Quick Buffer Encoding
daytime            13            Daytime
discard            9             Discard
domain             53            Domain Name System
echo               7             Echo
exec               512           Exec (RSH)
finger             79            Finger
ftp                21            File Transfer Protocol
ftp-data           20            FTP data connections
gopher             70            Gopher
hostname           101           NIC hostname server
http               80            Hyper Text Transfer Protocol
https              443           HTTP over TLS/SSL
ident              113           Ident Protocol
imap4              143           Internet Message Access Protocol, version 4
irc                194           Internet Relay Chat
kerberos           88            Kerberos
klogin             543           Kerberos Login
kshell             544           Kerberos Shell
ldap               389           Lightweight Directory Access Protocol
ldaps              636           LDAP over TLS/SSL
login              513           Login (rlogin)
lotusnotes         1352          IBM Lotus Notes
lpd                515           Printer Service
matip-a            350           Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
netbios-ssn        139           NetBIOS Session Service
nntp               119           Network News Transport Protocol
pcanywhere-data    5631          PC Anywhere data
pim-auto-rp        496           PIM Auto-RP
pop2               109           Post Office Protocol v2
pop3               110           Post Office Protocol v3
pptp               1723          Point-to-Point Tunneling Protocol, RFC 2637
rtsp               554           Real Time Streaming Protocol
sip                5060          Session Initiation Protocol
skinny             2000          Cisco Skinny Client Control Protocol (SCCP)
smtp               25            Simple Mail Transfer Protocol
sqlnet             1521          Structured Query Language Network
ssh                22            Secure Shell
sunrpc             111           Sun Remote Procedure Call
tacacs             49            Terminal Access Controller Access Control System
talk               517           Talk
telnet             23            Telnet
time               37            Time
uucp               540           UNIX-to-UNIX Copy Program
whois              43            Nicname
www                80            World Wide Web (HTTP)
Table 2-3 Well-Known UDP Key Words and Port Numbers
Keyword            Port Number   Description
biff               512           Mail notification
bootpc             68            Bootstrap Protocol client
bootps             67            Bootstrap Protocol server
discard            9             Discard
dnsix              195           DNSIX Security protocol auditing (dn6-nlm-aud)
domain             53            Domain Name System
echo               7             Echo
isakmp             500           Internet Security Association Key Management Protocol
kerberos           88            Kerberos
mobile-ip          434           Mobile IP registration
nameserver         42            Host Name Server
netbios-dgm        138           NetBIOS datagram service
netbios-ns         137           NetBIOS name service
netbios-ssn        139           NetBIOS Session Service
ntp                123           Network Time Protocol
pcanywhere-status  5632          PC Anywhere status
radius             1812          Remote Authentication Dial-in User Service
radius-acct        1813          RADIUS Accounting
rip                520           Routing Information Protocol
snmp               161           Simple Network Management Protocol
snmptrap           162           SNMP Traps
sunrpc             111           Sun Remote Procedure Call
syslog             514           System Logger
tacacs             49            Terminal Access Controller Access Control System
talk               517           Talk
tftp               69            Trivial File Transfer Protocol
time               37            Time
who                513           Who service (rwho)
wsp                9200          Connectionless Wireless Session Protocol
wsp-wtls           9202          Secure Connectionless WSP
wsp-wtp            9201          Connection-based WSP
wsp-wtp-wtls       9203          Secure Connection-based WSP
xdmcp              177           X Display Manager Control Protocol
Examples
To configure a TCP extended ACL, enter:
host1/Admin(config)# access-list INBOUND line 10 extended permit tcp 192.168.12.0 255.255.255.0 gt 1024 172.27.16.0 255.255.255.0 lt 4000
To remove an entry from an extended ACL, enter:
host1/Admin(config)# no access-list INBOUND line 10
To allow an external host with IP address 192.168.12.5 to ping a host behind the ACE with an IP address of 10.0.0.5, enter:
host1/Admin(config)# access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5 echo code eq 0
To remove that entry from the ICMP ACL, enter the same entry with the no form:
host1/Admin(config)# no access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5 echo code eq 0
To use object groups for all available parameters, the entry takes the following form:
host1/Admin(config)# access-list acl_name extended {deny | permit} object-group service_grp_name object-group network_grp_name object-group network_grp_name
Related Commands
clear access-list
show access-list
(config) access-list remark
You can add comments about an access control list (ACL) to clarify the function of the ACL. To add a comment to an ACL, use the access-list remark command. You can enter only one comment per ACL and the comment appears at the top of the ACL. Use the no form of this command to remove an ACL remark.
access-list name remark text
no access-list name remark text
Syntax Description
name
    Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
remark text
    Specifies any comments that you want to include about the ACL. Comments appear at the top of the ACL. Enter an unquoted text string with a maximum of 100 alphanumeric characters. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release          Modification
3.0(0)A1(2)      This command was introduced.
Usage Guidelines
This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
If you delete an ACL using the no access-list name command, then the remarks are also removed.
Examples
To add an entry comment to an ACL, enter:
host1/Admin(config)# access-list INBOUND remark This is a remark
To remove entry comments from an ACL, enter:
host1/Admin(config)# no access-list INBOUND line 200 remark
Related Commands
clear access-list
show access-list
(config) access-list resequence
To resequence the entries in an extended access control list (ACL) with a specific starting number and interval, use the access-list resequence command. Use the no form of this command to reset the number assigned to an ACL entry to the default of 10.
access-list name resequence number1 number2
no access-list name resequence number1 number2
Syntax Description
name
    Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
resequence
    Specifies the renumbering of the entries in an ACL.
number1
    Number assigned to the first entry in the ACL. Enter any integer. The default is 10.
number2
    Number added to each entry in the ACL after the first entry. Enter any integer. The default is 10.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
The ability to resequence entries in an ACL is supported only for extended ACLs.
Examples
For example, to assign the number 5 to the first entry in the access list INBOUND and then number each succeeding entry by adding 15 to the preceding entry line number, enter:
host1/Admin(config)# access-list INBOUND resequence 5 15
Related Commands
clear access-list
show access-list
(config) action-list type modify http
Action list modify configuration mode commands allow you to configure ACE action lists. An action list is a named group of actions that you associate with a Layer 7 HTTP class map in a Layer 7 HTTP policy map. You can create an action list to modify an HTTP header or to rewrite an HTTP redirect URL for SSL. For information about the commands in action list modify configuration mode, see the "Action List Modify Configuration Mode Commands" section.
To create an action list, use the action-list type modify http command. The CLI prompt changes to (config-actlist-modify). Use the no form of this command to remove the action list from the configuration.
action-list type modify http name
no action-list type modify http name
Syntax Description
name
|
Unique name for the action list. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
|
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A2(1.0)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To create an action list, enter:
host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
host1/Admin(config-actlist-modify)#
To remove the action list from the configuration, enter:
host1/Admin(config)# no action-list type modify http HTTP_MODIFY_ACTLIST
Related Commands
show running-config
show stats
(config) arp
To configure the Address Resolution Protocol (ARP) on the ACE, which manages the mapping of IP addresses to Media Access Control (MAC) addresses that the ACE uses to forward and transmit packets, use the arp command. Use the no form of this command to remove an ARP entry or to reset a keyword to its default value.
arp {ip_address mac_address | interval seconds | inspection enable [flood | no-flood] |
learned-interval seconds | learned-mode enable | rate seconds | ratelimit pps | retries number
| sync disable | sync-interval seconds}
no arp {ip_address mac_address | interval | inspection enable | learned-interval | learned-mode
enable | rate | ratelimit | retries | sync disable | sync-interval}
Syntax Description
ip_address mac_address
|
Static ARP entry that maps an IP address to a MAC address; with ARP inspection enabled, the ACE accepts ARP packets for that IP address only from that MAC address. Enter the IP address in dotted-decimal notation (for example, 172.16.56.76). Enter the MAC address in dotted-hexadecimal notation (for example, 00.60.97.d5.26.ab).
|
interval seconds
|
Specifies the interval in seconds at which the ACE sends ARP requests to the configured hosts. Enter a number from 15 to 31536000. The default is 300.
|
inspection enable
|
Enables ARP inspection, preventing malicious users from impersonating other hosts or routers, known as ARP spoofing. The default is disabled.
|
flood
|
(Optional) Enables ARP forwarding of nonmatching ARP packets. The ACE forwards all ARP packets to all interfaces in the bridge group. This is the default setting.
|
no-flood
|
(Optional) Disables ARP forwarding of nonmatching ARP packets on the interface; the ACE drops them instead.
|
learned-interval seconds
|
Sets the interval in seconds when the ACE sends ARP requests for learned hosts. Enter a number from 60 to 31536000. The default is 14400.
|
learned-mode enable
|
Enables the ACE to learn MAC addresses if the command has been disabled. By default, for bridged traffic, the ACE learns MAC addresses from all traffic. For routed traffic, the ACE learns MAC addresses only from ARP response packets or from packets that are destined to the ACE (for example, a ping to a VIP or a ping to a VLAN interface).
|
rate seconds
|
Specifies the time interval in seconds between ARP retry attempts to hosts. Enter a number from 1 to 60. The default is 10.
|
ratelimit pps
|
Specifies the rate limit in packets per second for gratuitous ARPs sent by the ACE. Enter a number from 100 to 8192. The default is 512. Note that this keyword applies to the entire module.
|
retries number
|
Specifies the number of ARP attempts before the ACE flags the host as down. Enter a number from 2 to 15. The default is 3.
|
sync disable
|
Disables the replication of ARP entries. By default, ARP entry replication is enabled.
|
sync-interval seconds
|
Specifies the time interval between ARP sync messages for learned hosts. Enter an integer from 1 to 3600 seconds (1 hour). The default is 5 seconds.
|
Command Modes
Configuration mode
Admin and user contexts. The ratelimit keyword is available in the Admin context only.
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
3.0(0)A1(3)
|
This command was revised with the sync disable and sync-interval keywords.
|
3.0(0)A1(6.2a)
|
This command was revised with the ratelimit keyword.
|
Usage Guidelines
This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
When ARP inspection is enabled, the ACE compares each incoming ARP packet against the static entries in its ARP table and handles the packet as follows:
•
If the IP address, source ifID, and MAC address match a static ARP entry, the inspection succeeds and the ACE allows the packet to pass.
•
If the IP address and interface of the incoming ARP packet match a static ARP entry, but the MAC address of the packet does not match the MAC address that you configured in that static ARP entry, ARP inspection fails and the ACE drops the packet.
•
If the ARP packet does not match any static entries in the ARP table or there are no static entries in the table, then you can set the ACE to either forward the packet out all interfaces (flood) or to drop the packet (no-flood). In this case, the source IP address to MAC address mapping is new to the ACE. If you enter the flood option, the ACE creates a new ARP entry and marks it as LEARNED. If you enter the no-flood option, the ACE drops the ARP packet.
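The three inspection rules above, worked through as an added Python example (this is not ACE code). The static table, the interface identifier strings, the sample packets and the verdict names are constructed for the example; the table is keyed on the IP address and ingress interface to mirror the "IP address and interface" wording of the rules.

```python
"""ARP inspection verdicts, following the three rules listed above.

Added worked example, not ACE code: the static table, the interface ID
values, the packets and the verdict names are constructed here, and the
table is keyed on (IP, interface) to mirror the "IP address and interface"
wording of the rules.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALLOW, DROP, FLOOD = "allow", "drop", "flood"


def norm_mac(mac: str) -> str:
    """Accept ACE dotted form (00.02.9a.3b.94.d9) or colon/hyphen form.

    Returns 12 lowercase hex digits so that two spellings of one MAC compare
    equal; anything else is rejected rather than silently mismatched.
    """
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    ingress_if: str  # the source ifID in the rules above


@dataclass
class ArpInspector:
    flood: bool = True  # 'flood' is the default; False models 'no-flood'
    static: Dict[Tuple[str, str], str] = field(default_factory=dict)
    learned: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def add_static(self, ip: str, mac: str, ifid: str) -> None:
        """Equivalent of 'arp <ip> <mac>' for a host reachable via ifid."""
        self.static[(ip, ifid)] = norm_mac(mac)

    def inspect(self, pkt: ArpPacket) -> str:
        key = (pkt.sender_ip, pkt.ingress_if)
        mac = norm_mac(pkt.sender_mac)
        if key in self.static:
            # Rules 1 and 2: IP and interface match a static entry, so the
            # packet passes only if the MAC matches too; a different MAC is
            # a spoofing attempt and is dropped.
            return ALLOW if self.static[key] == mac else DROP
        # Rule 3: no static entry covers this sender, so the mapping is new.
        if self.flood:
            self.learned[key] = mac  # the ACE creates an entry marked LEARNED
            return FLOOD
        return DROP


def demo(flood: bool) -> List[str]:
    """Verdicts for a genuine router, a spoofed router MAC and an unknown host."""
    insp = ArpInspector(flood=flood)
    insp.add_static("10.1.1.1", "00.02.9a.3b.94.d9", "vlan100")
    packets = [
        ArpPacket("10.1.1.1", "00:02:9A:3B:94:D9", "vlan100"),  # genuine router
        ArpPacket("10.1.1.1", "00.02.9a.3b.94.aa", "vlan100"),  # spoofed router MAC
        ArpPacket("10.1.1.2", "00.02.9a.3b.94.aa", "vlan100"),  # host with no static entry
    ]
    return [insp.inspect(p) for p in packets]


if __name__ == "__main__":
    print("flood:   ", demo(True))
    print("no-flood:", demo(False))
```

With flood (the default) the unknown host is learned and its packet forwarded; with no-flood it is dropped, which is the setting to use on a segment where every legitimate host has a static entry and anything else is by definition suspect.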
The ARP rate limit applies to all gratuitous ARPs sent for local addresses on new configurations, module reboot, and on MAC address changes.
For more information, see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide
Examples
To allow ARP responses from the router at 10.1.1.1 with the MAC address 00.02.9a.3b.94.d9, enter:
host1/contexta(config)# arp 10.1.1.1 00.02.9a.3b.94.d9
To remove a static ARP entry, enter:
host1/contexta(config)# no arp 10.1.1.1 00.02.9a.3b.94.d9
To enable ARP inspection and to drop all nonmatching ARP packets, enter:
host1/contexta(config)# arp inspection enable no-flood
To configure the retry attempt interval of 15 seconds, enter:
host1/contexta(config)# arp rate 15
To reset the retry attempt interval to the default of 10 seconds, enter:
host1/contexta(config)# no arp rate
To disable the replication of ARP entries, enter:
host1/contexta(config)# arp sync disable
Related Commands
clear arp
show arp
(config) banner
Use the banner command to specify a message to display as the message-of-the-day banner when a user connects to the ACE CLI. Use the no form of this command to delete or replace a banner or a line in a multiline banner.
banner motd text
no banner motd text
Syntax Description
motd
|
Configures the system to display as the message-of-the-day banner when a user connects to the ACE.
|
text
|
Line of message text to be displayed as the message-of-the-day banner. The text string consists of all characters that follow the first space until the end of the line (carriage return or line feed). The # character functions as the delimiting character for each line. For the banner text, spaces are allowed but tabs cannot be entered at the CLI. Multiple lines in a message-of-the-day banner are handled by entering a new banner command for each line that you wish to add.
The banner message is a maximum of 80 alphanumeric characters per line, up to a maximum of 3000 characters (3000 bytes) total for a message-of-the-day banner. This maximum value includes all line feeds and the last delimiting character in the message.
|
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
To replace a banner or a line in a multiline banner, use the no banner motd command before adding the new lines.
To add multiple lines in a message-of-the-day banner, precede each line by the banner motd command. The ACE appends each line to the end of the existing banner. If the text is empty, the ACE adds a carriage return (CR) to the banner.
You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable, as follows:
•
$(hostname)—Displays the hostname for the ACE during run time.
•
$(line)—Displays the tty (teletypewriter) line or name (for example, /dev/console, /dev/pts/0, or 1).
To use $(hostname) in single-line banner motd input, enclose the token in double quotation marks (") so that the $ is interpreted as the start of a variable. For example:
switch/Admin(config)# banner motd #Welcome to "$(hostname)"...#
Do not use the double quotation mark (") or the percent sign (%) as the delimiting character in a single-line message string, and do not use the delimiting character inside the message text itself.
For multiline input, double quotation marks (") are not required around the token because the input mode is different from single-line mode. The ACE treats the double quotation mark (") as a regular character when you operate in multiline mode.
Examples
To add a message-of-the-day banner, enter:
host1/Admin(config)# banner motd #Welcome to the "$(hostname)".
host1/Admin(config)# banner motd Contact me at admin@admin.com for any
host1/Admin(config)# banner motd issues.#
Related Commands
show banner motd
(config) boot system image:
To set the BOOT environment variable, use the boot system image: command. Use the no form of this command to remove the name of the system image file.
boot system image:filename
no boot system image:filename
Syntax Description
filename
|
Name of the system image file.
|
Command Modes
Configuration mode
Admin context only
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You can add several images to the BOOT environment variable to provide a fail-safe boot configuration. If the first file fails to boot the ACE, subsequent images that are specified in the BOOT environment variable are tried until the ACE boots or there are no additional images to attempt to boot. If there is no valid image to boot, the ACE enters ROM-monitor mode where you can manually specify an image to boot.
The ACE stores and executes images in the order in which you added them to the BOOT environment variable. If you want to change the order in which images are tried at startup, you can either prepend and clear images from the BOOT environment variable to attain the desired order or you can clear the entire BOOT environment variable and then redefine the list in the desired order.
If the file does not exist (for example, if you entered the wrong filename), then the filename is appended to the boot string, and this message displays:
Warning: File not found but still added in the bootstring.
If the file does exist, but is not a valid image, the file is not added to the bootstring, and this message displays:
Warning: file found but it is not a valid boot image.
Examples
To set the BOOT environment variable, enter:
host1/Admin(config)# boot system image:sb-ace.REL_1_0_0
Related Commands
show bootvar
(config) config-register
(config) class-map
To create a Layer 3 and Layer 4 or a Layer 7 class map, use the class-map command. Use the no form of the command to remove a class map from the ACE.
class-map [match-all | match-any] map_name
class-map type {ftp inspect match-any | generic {match-all | match-any}} map_name
class-map type {http {inspect | loadbalance} | management | radius loadbalance |
rtsp loadbalance | sip {inspect | loadbalance}} [match-all | match-any] map_name
no class-map [match-all | match-any] map_name
no class-map type {ftp inspect match-any | generic {match-all | match-any}} map_name
no class-map type {http {inspect | loadbalance} | management | radius loadbalance |
rtsp loadbalance | sip {inspect | loadbalance}} [match-all | match-any] map_name
Syntax Description
match-all
|
Determines how the ACE evaluates traffic when a class map contains multiple match criteria. With match-all, the class map matches only if all of its match criteria match the traffic (typically, match commands of different types). The default is match-all.
|
match-any
|
Determines how the ACE evaluates traffic when a class map contains multiple match criteria. With match-any, the class map matches if any one of its match criteria matches the traffic (typically, match commands of the same type). The default is match-all.
|
map_name
|
Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. For a Layer 3 and Layer 4 class map, you enter the class map configuration mode and the prompt changes to (config-cmap).
|
type
|
Specifies the class map type that is to be defined. When you specify a class map type, you enter its corresponding class map configuration mode (for example, HTTP inspection configuration mode).
|
ftp inspect
|
Specifies a Layer 7 class map for the inspection of File Transfer Protocol (FTP) request commands. For information about commands in FTP inspection configuration mode, see the "Class Map FTP Inspection Configuration Mode Commands" section.
|
generic
|
Specifies a Layer 7 class map for generic TCP or UDP data parsing. For information about commands in class map generic configuration mode, see the "Class Map HTTP Load Balancing Configuration Mode Commands" section.
|
http inspect | loadbalance
|
Specifies a Layer 7 class map for HTTP server load balancing (loadbalance keyword) or a Layer 7 class map for the HTTP deep packet application protocol inspection (inspect keyword) of traffic through the ACE.
For information about commands in class map HTTP inspection configuration mode, see the "Class Map HTTP Inspection Configuration Mode Commands" section. For information about commands in class map HTTP server load-balancing configuration mode, see the "Class Map HTTP Load Balancing Configuration Mode Commands" section.
|
management
|
Specifies a Layer 3 and Layer 4 class map to classify the IP network management protocols received by the ACE. For information about commands in class map management configuration mode, see the "Class Map Management Configuration Mode Commands" section.
|
radius loadbalance
|
Specifies a Layer 7 class map for RADIUS server load balancing of traffic through the ACE. For information about commands in RADIUS server load-balancing configuration mode, see the "Class Map HTTP Load Balancing Configuration Mode Commands" section.
|
rtsp loadbalance
|
Specifies a Layer 7 class map for RTSP server load balancing of traffic through the ACE. For information about commands in RTSP server load-balancing configuration mode, see the "Class Map HTTP Load Balancing Configuration Mode Commands" section.
|
sip inspect | loadbalance
|
Specifies a Layer 7 class map for SIP server load balancing (loadbalance keyword) or a Layer 7 class map for the SIP deep packet application protocol inspection (inspect keyword) of traffic through the ACE.
For information about commands in class map SIP inspection configuration mode, see the "Class Map HTTP Inspection Configuration Mode Commands" section. For information about commands in class map SIP server load-balancing configuration mode, see the "Class Map HTTP Load Balancing Configuration Mode Commands" section.
|
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
A2(1.0)
|
This command was revised.
|
Usage Guidelines
This command requires the inspect, loadbalance, NAT, connection, SSL, or vip feature in your user role, depending on the type of class map that you want to configure. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Use the class map configuration mode commands to create class maps that classify inbound network traffic destined to, or passing through, the ACE based on a series of flow match criteria specified in the class map. The CLI prompt changes correspondingly to the selected class map configuration mode, for example, (config-cmap), (config-cmap-ftp-insp), (config-cmap-http-lb), or (config-cmap-mgmt).
A Layer 3 and Layer 4 class map contains match criteria that classifies the following:
•
Network traffic that can pass through the ACE based on source or destination IP address, source or destination port, or IP protocol and port
•
Network management traffic that can be received by the ACE based on the HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet protocols
A Layer 7 class map contains match criteria that classifies specific Layer 7 protocol information. The match criteria enables the ACE to do the following:
•
Perform server load balancing based on the HTTP cookie, the HTTP header, the HTTP URL, protocol header fields, or source IP addresses
•
Perform deep packet inspection of the HTTP protocol
•
Perform FTP request command filtering
The ACE supports a system-wide maximum of 8192 class maps.
For details about creating a class map, see the Cisco Application Control Engine Module Administration Guide.
When multiple match criteria exist in the traffic class, you can identify evaluation instructions using the match-any or match-all keywords. If you specify match-any, the traffic that is evaluated must match one of the specified criteria (typically, match commands of the same type). If you specify match-all, the traffic that is evaluated must match all of the specified criteria (typically, match commands of different types).
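The match-all and match-any semantics described above, as an added Python example (not ACE code). Flows, CIDRs, ports and class-map names are constructed; the match helpers stand in for the match commands entered in class map configuration mode, and an empty class map is assumed to match nothing, which the page does not state. The example also shows the pitfall behind the parenthetical remarks: two criteria of the same type under match-all can never both be true for one flow.

```python
"""Layer 3/4 class-map evaluation with match-all and match-any.

Added worked example, not ACE code. Flows, CIDRs, ports and class-map
names are constructed; the 'match' helpers stand in for the match commands
entered in class map configuration mode, and an empty class map is taken
to match nothing (assumption, the page does not say what the ACE does).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


Criterion = Callable[[Flow], bool]


def match_source(cidr: str) -> Criterion:
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda f: ipaddress.ip_address(f.src) in net


def match_destination(cidr: str) -> Criterion:
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda f: ipaddress.ip_address(f.dst) in net


def match_port(proto: str, low: int, high: Optional[int] = None) -> Criterion:
    high = low if high is None else high
    return lambda f: (f.proto == proto and f.dport is not None
                      and low <= f.dport <= high)


@dataclass
class ClassMap:
    name: str
    criteria: List[Criterion] = field(default_factory=list)
    match_all: bool = True      # the ACE default

    def matches(self, flow: Flow) -> bool:
        if not self.criteria:
            return False        # assumption: nothing to match against
        results = [c(flow) for c in self.criteria]
        return all(results) if self.match_all else any(results)


def classify(flow: Flow, class_maps: List[ClassMap]) -> List[str]:
    """Names of every class map the flow satisfies, in configuration order."""
    return [cm.name for cm in class_maps if cm.matches(flow)]


def demo() -> Dict[str, List[str]]:
    # match-all with criteria of different types: destination AND port.
    vip_http = ClassMap("L4VIP_CLASS",
                        [match_destination("192.168.1.10/32"), match_port("tcp", 80)])
    # match-any with criteria of the same type: port 80 OR port 443.
    web_ports = ClassMap("WEB_PORTS_ANY",
                         [match_port("tcp", 80), match_port("tcp", 443)], match_all=False)
    # The same two port criteria under match-all can never both hold for one
    # flow, so this class map is dead configuration: it matches nothing.
    dead = ClassMap("DEAD_MATCH_ALL",
                    [match_port("tcp", 80), match_port("tcp", 443)], match_all=True)
    class_maps = [vip_http, web_ports, dead]
    flows = {
        "http_to_vip": Flow("10.0.0.5", "192.168.1.10", "tcp", 80),
        "https_to_vip": Flow("10.0.0.5", "192.168.1.10", "tcp", 443),
        "http_elsewhere": Flow("10.0.0.5", "192.168.1.11", "tcp", 80),
        "icmp_to_vip": Flow("10.0.0.5", "192.168.1.10", "icmp"),
    }
    return {label: classify(f, class_maps) for label, f in flows.items()}


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:15} -> {names or ['(no class map)']}")
```

When reviewing an ACE configuration, a class map whose criteria are mutually exclusive under match-all (DEAD_MATCH_ALL above) is a sign that the policy it is attached to never applies, and that the traffic it was meant to cover is being handled by whatever class is matched instead.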
Examples
To create a Layer 3 and Layer 4 class map named L4VIP_CLASS that specifies the network traffic that can pass through the ACE for server load balancing, enter:
host1/Admin(config)# class-map match-all L4VIP_CLASS
host1/Admin(config-cmap)#
To create a Layer 3 and Layer 4 class map named MGMT-ACCESS_CLASS that classifies the network management protocols that can be received by the ACE, enter:
host1/Admin(config)# class-map type management match-any MGMT-ACCESS_CLASS
host1/Admin(config-cmap-mgmt)#
To create a Layer 7 class map named L7SLB_CLASS that performs HTTP server load balancing, enter:
host1/Admin(config)# class-map type http loadbalance match-any L7SLB_CLASS
host1/Admin(config-cmap-http-lb)#
To create a Layer 7 class map named HTTP_INSPECT_L7CLASS that performs HTTP deep packet inspection, enter:
host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)#
To create a Layer 7 class map named FTP_INSPECT_L7CLASS that performs FTP command inspection, enter:
host1/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
host1/Admin(config-cmap-ftp-insp)#
Related Commands
show startup-config
(config) policy-map
(config) service-policy
(config) clock timezone
To set the time zone, use the clock timezone command. Use the no form of this command to remove the time zone setting.
clock timezone {zone_name {+ | -} hours minutes} | {standard time_zone}
no clock timezone
Syntax Description
zone_name
|
8-letter name of the time zone (for example, PDT) to be displayed when the time zone is in effect. See Table 2-4 in the "Usage Guidelines" section for a list of the common time zone acronyms used for this argument.
|
hours
|
Hours offset from Coordinated Universal Time (UTC).
|
minutes
|
Minutes offset from UTC. Range is from 0 to 59 minutes.
|
standard time_zone
|
Sets the time to a standard time zone that includes the applicable UTC hours offset. Enter one of the following well-known time zones:
• ACST—Australian Central Standard Time as UTC + 9.5 hours
• AKST—Alaska Standard Time as UTC -9 hours
• AST—Atlantic Standard Time as UTC -4 hours
• BST—British Summer Time as UTC + 1 hour
• CEST—Central Europe Summer Time as UTC + 2 hours
• CET—Central Europe Time as UTC + 1 hour
• CST—Central Standard Time as UTC -6 hours
• EEST—Eastern Europe Summer Time as UTC + 3 hours
• EET—Eastern Europe Time as UTC + 2 hours
• EST—Eastern Standard Time as UTC -5 hours
• GMT—Greenwich Mean Time as UTC
• HST—Hawaiian Standard Time as UTC -10 hours
• IST—Irish Summer Time as UTC + 1 hour
• MSD—Moscow Summer Time as UTC + 4 hours
• MSK—Moscow Time as UTC + 3 hours
• MST—Mountain Standard Time as UTC -7 hours
• PST—Pacific Standard Time as UTC -8 hours
• WEST—Western Europe Summer Time as UTC + 1 hour
• WST—Western Standard Time as UTC + 8 hours
|
Command Modes
Configuration mode
Admin context only
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
A2(1.0)
|
The ACST keyword was introduced for Australian Central Standard Time (UTC +9.5 hours), replacing the CST keyword for that zone.
|
Usage Guidelines
The ACE keeps time internally as a Coordinated Universal Time (UTC) offset, so this command affects only how times are displayed and how a manually set time is interpreted.
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Table 2-4 lists common time zone acronyms used for the zone_name argument.
Table 2-4 Time Zone Acronyms
Acronym | Time Zone Name and UTC Offset
Europe
BST | British Summer Time as UTC + 1 hour
CET | Central Europe Time as UTC + 1 hour
CEST | Central Europe Summer Time as UTC + 2 hours
EET | Eastern Europe Time as UTC + 2 hours
EEST | Eastern Europe Summer Time as UTC + 3 hours
GMT | Greenwich Mean Time as UTC
IST | Irish Summer Time as UTC + 1 hour
MSK | Moscow Time as UTC + 3 hours
MSD | Moscow Summer Time as UTC + 4 hours
WET | Western Europe Time as UTC
WEST | Western Europe Summer Time as UTC + 1 hour
United States and Canada
AST | Atlantic Standard Time as UTC -4 hours
ADT | Atlantic Daylight Time as UTC -3 hours
CT | Central Time, either CST or CDT, depending on the place and time of the year
CST | Central Standard Time as UTC -6 hours
CDT | Central Daylight Saving Time as UTC -5 hours
ET | Eastern Time, either EST or EDT, depending on the place and time of the year
EST | Eastern Standard Time as UTC -5 hours
EDT | Eastern Daylight Saving Time as UTC -4 hours
MT | Mountain Time, either MST or MDT, depending on the place and time of the year
MDT | Mountain Daylight Saving Time as UTC -6 hours
MST | Mountain Standard Time as UTC -7 hours
PT | Pacific Time, either PST or PDT, depending on the place and time of the year
PDT | Pacific Daylight Saving Time as UTC -7 hours
PST | Pacific Standard Time as UTC -8 hours
AKST | Alaska Standard Time as UTC -9 hours
AKDT | Alaska Daylight Saving Time as UTC -8 hours
HST | Hawaiian Standard Time as UTC -10 hours
Australia
CST | Central Standard Time as UTC + 9.5 hours
EST | Eastern Standard/Summer Time as UTC + 10 hours (+11 hours during summer time)
WST | Western Standard Time as UTC + 8 hours
Examples
To set the time zone to PST and to set an UTC offset of -8 hours, enter:
host1/Admin(config)# clock timezone PST -8 0
To remove the clock time-zone setting, enter:
host1/Admin(config)# no clock timezone PST -8 0
Related Commands
show clock
(config) clock summer-time
(config) clock summer-time
To configure the ACE to change the time automatically to summer time (daylight saving time), use the clock summer-time command. Use the no form of this command to remove the clock summer-time setting.
clock summer-time {daylight_timezone_name start_week start_day start_month start_time
end_week end_day end_month end_time daylight_offset | standard time_zone}
no clock summer-time
Syntax Description
daylight_timezone_name
|
8-letter name of the time zone (for example, PDT) to be displayed when summer time is in effect. For a list of the common time zone acronyms used for this argument, see the "Usage Guidelines" section for the (config) clock timezone command.
|
start_week
|
Start week for summer time, ranging from 1 through 5.
|
start_day
|
Start day for summer time, ranging from Sunday through Saturday.
|
start_month
|
Start month for summer time, ranging from January through December.
|
start_time
|
Start time (military time) in hours and minutes.
|
end_week
|
End week for summer time, ranging from 1 through 5.
|
end_day
|
End day for summer time, ranging from Sunday through Saturday.
|
end_month
|
End month for summer time, ranging from January through December.
|
end_time
|
End time (military format) in hours and minutes.
|
daylight_offset
|
Number of minutes to add during summer time. Valid entries are from 1 to 1440. The default is 60.
|
standard time_zone
|
Sets the daylight time to a standard time zone that includes an applicable daylight time start and end range along with a daylight offset. Enter one of the following well-known time zones:
• ADT—Atlantic Daylight Time: 2 a.m. first Sunday in April—2 a.m. last Sunday in October, + 60 minutes
• AKDT—Alaska Daylight Time: 2 a.m. first Sunday in April—2 a.m. last Sunday in October, + 60 minutes
• CDT—Central Daylight Time: 2 a.m. first Sunday in April—2 a.m. last Sunday in October, + 60 minutes
• EDT—Eastern Daylight Time: 2 a.m. first Sunday in April—2 a.m. last Sunday in October, + 60 minutes
• MDT—Mountain Daylight Time: 2 a.m. first Sunday in April— 2 a.m. last Sunday in October, + 60 minutes
• PDT—Pacific Daylight Time: 2 a.m. first Sunday in April—2 a.m. last Sunday in October, + 60 minutes
|
Command Modes
Configuration mode
Admin context only
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
The first part of the command specifies when summer time begins, and the second part of the command specifies when summer time ends. All times are relative to the local time zone; the start time is relative to standard time and the end time is relative to summer time. If the starting month is after the ending month, the ACE assumes that you are located in the southern hemisphere.
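The transition rule described above, resolved to actual dates as an added Python example (not ACE code). The rule strings, years and timestamps are constructed. Two points the page does not state are assumed: week 5 means the last occurrence of the weekday when the month has only four, and a wall-clock time counts as summer time when it is at or after the start (read in standard time) and before the end (read in summer time), so the repeated hour at the end of summer time resolves to summer time. This is the calculation needed when correlating timestamps from an ACE that displays local time with logs kept in UTC.

```python
"""Resolve a 'clock summer-time' rule to concrete transition times.

Added worked example, not ACE code. It parses the argument string of the
command as documented above and computes, for a given year, when summer
time starts and ends and what the UTC equivalent of a device-local
timestamp is. Assumptions not stated on the page: week 5 means the last
occurrence of the weekday when the month has only four; a local wall-clock
time is in summer time when start <= t < end (start read in standard time,
end in summer time, as the guidelines say).
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Tuple

WEEKDAYS = {"sun": 6, "mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5}
MONTHS = {m.lower(): i for i, m in enumerate(calendar.month_abbr) if m}


def nth_weekday(year: int, month: int, weekday: int, week: int) -> datetime:
    """Midnight on the week-th weekday (Mon=0..Sun=6) of the month."""
    first = datetime(year, month, 1)
    day = first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (week - 1))
    while day.month != month:  # week 5 overshot a four-occurrence month
        day -= timedelta(days=7)
    return day


@dataclass(frozen=True)
class Transition:
    week: int
    weekday: int
    month: int
    hour: int
    minute: int

    def at(self, year: int) -> datetime:
        base = nth_weekday(year, self.month, self.weekday, self.week)
        return base.replace(hour=self.hour, minute=self.minute)


@dataclass(frozen=True)
class SummerTimeRule:
    name: str
    start: Transition
    end: Transition
    offset_minutes: int
    std_utc_offset: timedelta  # the 'clock timezone' offset, e.g. PST -8 0

    @classmethod
    def parse(cls, cli_args: str, std_utc_offset: timedelta) -> "SummerTimeRule":
        """Parse 'name start_week start_day start_month start_time
        end_week end_day end_month end_time daylight_offset'."""
        tok = cli_args.split()
        if len(tok) != 10:
            raise ValueError("expected 10 arguments, got %d" % len(tok))
        if len(tok[0]) > 8:
            raise ValueError("time zone name is limited to 8 letters")

        def transition(week, day, month, hhmm) -> Transition:
            week = int(week)
            if not 1 <= week <= 5:
                raise ValueError("week must be 1 through 5")
            hour, minute = (int(x) for x in hhmm.split(":"))
            if not (0 <= hour <= 23 and 0 <= minute <= 59):
                raise ValueError("time must be HH:MM in 24-hour format")
            return Transition(week, WEEKDAYS[day[:3].lower()],
                              MONTHS[month[:3].lower()], hour, minute)

        offset = int(tok[9])
        if not 1 <= offset <= 1440:
            raise ValueError("daylight offset must be 1 through 1440 minutes")
        return cls(tok[0], transition(*tok[1:5]), transition(*tok[5:9]),
                   offset, std_utc_offset)

    def in_summer_time(self, local: datetime) -> bool:
        """True if the device-local wall-clock time falls in summer time."""
        start, end = self.start.at(local.year), self.end.at(local.year)
        if start <= end:                        # northern hemisphere
            return start <= local < end
        return local >= start or local < end    # southern: spans the new year

    def to_utc(self, local: datetime) -> datetime:
        offset = self.std_utc_offset
        if self.in_summer_time(local):
            offset += timedelta(minutes=self.offset_minutes)
        return local - offset


def transitions(cli_args: str, year: int) -> Tuple[str, str]:
    """Start and end of summer time for the year, as 'YYYY-MM-DD HH:MM:SS'."""
    rule = SummerTimeRule.parse(cli_args, timedelta(0))
    return rule.start.at(year).isoformat(" "), rule.end.at(year).isoformat(" ")


def local_to_utc(cli_args: str, std_hours: float, local_iso: str) -> str:
    """UTC for a device-local timestamp under the rule and standard offset."""
    rule = SummerTimeRule.parse(cli_args, timedelta(hours=std_hours))
    return rule.to_utc(datetime.fromisoformat(local_iso)).isoformat(" ")


if __name__ == "__main__":
    rule_args = "Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60"
    print(transitions(rule_args, 2006))
    print(local_to_utc(rule_args, -8, "2006-07-04 12:00"))
```

A rule whose start month is later than its end month is handled as a southern-hemisphere rule, so a January timestamp under "1 Sun Oct ... 1 Sun Apr ..." is treated as summer time, as the guideline above describes.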
Examples
To specify that summer time begins on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00, with a daylight offset of 60 minutes, enter:
host1/Admin(config)# clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60
To remove the clock summer-time setting, enter:
host1/Admin(config)# no clock summer-time
Related Commands
show clock
(config) clock timezone
(config) config-register
To change the configuration register settings, use the config-register configuration command. Use the no form of this command to reset the config-register to its default setting of 0.
config-register value
no config-register value
Syntax Description
value
|
Configuration register value that you want to use the next time that you restart the ACE. The supported value entries are as follows:
• 0—Upon reboot, the ACE boots to ROM monitor. The ACE remains in ROM monitor mode at startup.
• 1—Upon reboot, the ACE boots the system image identified in the BOOT environment variable (see the (config) boot system image: command). The BOOT environment variable specifies a list of image files on various devices from which the ACE can boot at startup. If the ACE encounters an error or if the image is not valid, it will try the second image (if one is specified). If the second image also fails to boot, the ACE returns to ROM monitor.
|
Command Modes
Configuration mode
Admin context only
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You can modify the boot method that the ACE uses at the next startup by setting the boot field in the software configuration register. The configuration register identifies how the ACE should boot and where the system image is stored. You can modify the boot field to force the ACE to boot a particular system image at startup instead of using the default system image.
The config-register command affects only the configuration register bits that control the boot field and leaves the remaining bits unaltered.
Examples
To set the boot field in the configuration register to boot the system image identified in the BOOT environment variable upon reboot, enter:
host1/Admin(config)# config-register 1
Related Commands
(config) boot system image:
(config) context
To create a context, use the context command. The CLI prompt changes to (config-context). A context provides a user view into the ACE and determines the resources available to a user. Use the no form of this command to remove a context.
context name
no context name
Syntax Description
name
|
Name that designates a context. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
Command Modes
Configuration mode
Admin context only
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
By default, the ACE allows you to create and use five user-configured contexts plus the default Admin context. To use a maximum of 251 contexts (Admin context plus 250 user contexts), you must purchase an additional license from Cisco Systems.
Examples
To create a context called C1, enter:
host1/Admin(config)# context C1
host1/Admin(config-context)#
To remove the context from the configuration, enter:
host1/Admin(config)# no context C1
Related Commands
changeto
show context
show user-account
show users
(config) crypto authgroup
To create a certificate authentication group, use the crypto authgroup command. Once you create an authentication group, the CLI enters into the authentication group configuration mode, where you add the required certificate files to the group. Use the no form of this command to delete an existing authentication group.
crypto authgroup group_name
no crypto authgroup group_name
Syntax Description
  group_name    Name that you assign to the authentication group. Enter the authentication group name as an unquoted, alphanumeric string from 1 to 64 characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
  Release       Modification
  A2(1.0)       This command was introduced.
Usage Guidelines
This command requires the Secure Sockets Layer (SSL) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
By creating an authentication group, you can implement a group of certificates that are trusted as certificate signers on the ACE. After creating the authentication group and assigning its certificates, you can configure client authentication on an SSL-proxy service by assigning the authentication group to the service. You include an authentication group in the handshake process by configuring the SSL proxy-service with the authentication group (see the (config) ssl-proxy service command).
Examples
To create the authentication group AUTH-CERT1, enter:
host1/Admin(config)# crypto authgroup AUTH-CERT1
Related Commands
(config) ssl-proxy service
(config) crypto chaingroup
To create a certificate chain group, use the crypto chaingroup command. Once you create a chain group, the CLI enters into the chaingroup configuration mode, where you add the required certificate files to the group. Use the no form of this command to delete an existing chain group.
crypto chaingroup group_name
no crypto chaingroup group_name
Syntax Description
  group_name    Name that you assign to the chain group. Enter the chain group name as an alphanumeric string from 1 to 64 characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the Secure Sockets Layer (SSL) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
A chain group specifies the certificate chain that the ACE sends to its peer during the handshake process. A certificate chain is a hierarchical list of certificates that includes the subject's certificate, any intermediate CA certificates, and the root CA certificate. You include a chain group in the handshake process by configuring the SSL proxy service with the chain group (see the (config) ssl-proxy service command).
Each context on the ACE can contain up to eight chain groups.
Examples
To create the chain group MYCHAINGROUP, enter:
host1/Admin(config)# crypto chaingroup MYCHAINGROUP
Related Commands
(config) ssl-proxy service
(config) crypto crl
To download a certificate revocation list (CRL) to the ACE, use the crypto crl command. Use the no form of this command to remove a CRL.
crypto crl crl_name url
no crypto crl crl_name
Syntax Description
  crl_name      Name that you assign to the CRL. Enter an unquoted alphanumeric string with a maximum of 64 characters.
  url           URL where the ACE retrieves the CRL. Enter the full URL path, including the CRL filename, as an unquoted alphanumeric string with a maximum of 255 characters. Start the URL with the http:// prefix. Only HTTP URLs are supported.
Command Modes
Configuration mode
Admin and user contexts
Command History
  Release       Modification
  A2(1.0)       This command was introduced.
Usage Guidelines
This command requires the Secure Sockets Layer (SSL) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You can use a CRL downloaded to the ACE for client authentication on an SSL proxy service. After you download the CRL, you can assign it to an SSL proxy service for client authentication (see (config-ssl-proxy) crl for more information). Because only plain HTTP is supported for the download, the transport itself provides no integrity protection; a CRL is signed by its issuing CA, and that signature is what protects its contents, so point the URL only at the distribution point published by the CA whose certificates you trust in the authentication group.
Examples
To download a CRL that you want to name CRL1 from http://crl.verisign.com/class1.crl, enter:
host1/Admin(config)# crypto crl CRL1 http://crl.verisign.com/class1.crl
To remove the CRL, enter:
host1/Admin(config)# no crypto crl CRL1
Related Commands
(config) ssl-proxy service
(config) crypto csr-params
To create a Certificate Signing Request (CSR) parameter set to define a set of distinguished name attributes, use the crypto csr-params command. Use the no form of this command to remove an existing CSR parameter set.
crypto csr-params csr_param_name
no crypto csr-params csr_param_name
Syntax Description
  csr_param_name   Name that designates a CSR parameter set. Enter the CSR parameter set name as an alphanumeric string from 1 to 64 characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
A CSR parameter set defines the distinguished name attributes that the ACE applies to the CSR during the CSR-generating process. The distinguished name attributes provide the CA with the information that it needs to authenticate your site. Creating a CSR parameter set allows you to generate multiple CSRs with the same distinguished name attributes. You can create up to eight CSR parameter sets per context.
When you use the crypto csr-params command to specify a CSR parameter set, the prompt changes to the csr-params configuration mode (for more information on this mode and commands, see the "CSR Parameters Configuration Mode Commands" section), where you define each of the distinguished name attributes. The ACE requires that you define the following attributes:
• Country name
• State or province
• Common name
• Serial number
If you do not configure the required attributes, the ACE displays an error message when you attempt to generate a CSR using the incomplete CSR parameter set.
Examples
To create the CSR parameter set CSR_PARAMS_1, enter:
host1/Admin(config)# crypto csr-params CSR_PARAMS_1
host1/Admin(config-csr-params)#
Related Commands
crypto generate csr
show crypto
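The crypto authgroup, crypto chaingroup, crypto crl and crypto csr-params commands above each create one object; the added example below (not from the Cisco reference) shows how those objects combine into one SSL proxy service that authenticates clients. The object and file names, the distinguished-name values, the ssl-proxy service name, and the subcommands typed inside the csr-params, chaingroup, authgroup and ssl-proxy configuration modes are assumptions to be checked against those mode sections of this guide; lines starting with ! are annotations, not commands.

```text
! Added example, not from the Cisco reference. Names and mode subcommands are assumptions.

! 1. Distinguished-name attributes the ACE requires before it will generate a CSR
host1/C1(config)# crypto csr-params CSR_PARAMS_1
host1/C1(config-csr-params)# country US
host1/C1(config-csr-params)# state California
host1/C1(config-csr-params)# common-name www.example.com
host1/C1(config-csr-params)# serial-number 1
host1/C1(config-csr-params)# exit

! 2. Generate a key pair on the ACE, then a CSR from the parameter set.
!    The private key stays on the module; only the CSR goes to the CA.
host1/C1(config)# crypto generate key 2048 server.key
host1/C1(config)# crypto generate csr CSR_PARAMS_1 server.key

! 3. After the CA returns server.pem and you have imported it together with
!    the intermediate CA (inter-ca.pem) and the client CA (client-ca.pem):
!    chain group = what the ACE sends to peers during the handshake
host1/C1(config)# crypto chaingroup MYCHAINGROUP
host1/C1(config-chaingroup)# cert inter-ca.pem
host1/C1(config-chaingroup)# exit

!    authentication group = signers the ACE trusts for client certificates
host1/C1(config)# crypto authgroup AUTH-CERT1
host1/C1(config-authgroup)# cert client-ca.pem
host1/C1(config-authgroup)# exit

!    revocation list published by that client CA (HTTP only)
host1/C1(config)# crypto crl CRL1 http://crl.example.com/client-ca.crl

! 4. Bind everything to one SSL proxy service
host1/C1(config)# ssl-proxy service SSL_TERM
host1/C1(config-ssl-proxy)# key server.key
host1/C1(config-ssl-proxy)# cert server.pem
host1/C1(config-ssl-proxy)# chaingroup MYCHAINGROUP
host1/C1(config-ssl-proxy)# authgroup AUTH-CERT1
host1/C1(config-ssl-proxy)# crl CRL1
host1/C1(config-ssl-proxy)# exit
```

The order matters for the security properties: the authentication group decides which CA may vouch for a client, and the CRL is only consulted for certificates that already chain to a CA in that group, so a CRL without a matching authentication group adds nothing.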
(config) domain
To create a domain, use the domain command. The CLI prompt changes to (config-domain). See the "Domain Configuration Mode Commands" section for details. Use the no form of this command to remove a domain from the configuration.
domain name
no domain name
Syntax Description
  name          Name for the domain. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You can configure a maximum of 63 domains in each context.
A domain does not restrict the context configuration that you can display using the show running-config command. You can still display the running configuration for the entire context. However, you can restrict your access to the configurable objects within a context by adding to the domain only a limited subset of all the objects available to a context. To limit a user's ability to manipulate the objects in a domain, you can assign a role to that user. For more information about domains and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You can configure KAL-AP TAGs as domains. For the domain load calculation, the ACE considers the Layer 3 class map, server farm, and real server objects. All other objects under the domain are ignored during the calculation.
Examples
To create a domain named D1, enter:
host1/Admin(config)# domain D1
host1/Admin(config-domain)#
Related Commands
(config) context
show user-account
show users
(config) end
To exit from configuration mode and return to Exec mode, use the end command.
end
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You can also press Ctrl-Z or enter the exit command to exit configuration mode.
Examples
To exit from configuration mode and return to Exec mode, enter:
host1/Admin(config)# end
host1/Admin#
Related Commands
This command has no related commands.
(config) exit
To exit from the current configuration mode and return to the previous mode, use the exit command.
exit
Syntax Description
This command has no keywords or arguments.
Command Modes
All configuration modes
Admin and user contexts
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
In configuration mode, the exit command transitions to the Exec mode.
In all other configuration modes, the exit command transitions to the previous configuration mode.
You can also press Ctrl-Z or enter the (config) end command to exit configuration mode.
Examples
To exit from configuration mode and return to Exec mode, enter:
host1/Admin(config)# exit
To exit from interface configuration mode and return to configuration mode, enter:
host1/Admin(config-if)# exit
Related Commands
This command has no related commands.
(config) ft auto-sync
To enable automatic synchronization of the running-configuration and the startup-configuration files in a redundancy configuration, use the ft auto-sync command. Use the no form of this command to disable the automatic synchronization of the running-configuration or the startup-configuration file.
ft auto-sync {running-config | startup-config}
no ft auto-sync {running-config | startup-config}
Syntax Description
  running-config   Enables autosynchronization of the running-configuration file. The default is enabled.
  startup-config   Enables autosynchronization of the startup-configuration file. The default is enabled.
Command Modes
Configuration mode
Admin and user contexts
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the fault-tolerant feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
By default, the ACE automatically updates the running configuration on the standby context of an FT group with any changes that occur to the running configuration of the active context. If you disable the ft auto-sync command, you need to update the configuration of the standby context manually. For more information about configuration synchronization and configuring redundancy, see the Cisco Application Control Engine Module Administration Guide.

Caution
Toggling ft auto-sync running-config in the Admin context may have undesirable side effects if the same command is also disabled in an active user context. If the ft auto-sync running-config command is disabled in the active Admin context and in an active user context, and you subsequently enable the ft auto-sync running-config command in the active Admin context first, the entire configuration of the standby user context will be lost. Always enter the ft auto-sync running-config command in the active user context first, and then enable the command in the active Admin context.
The ACE does not copy or write changes in the running-configuration file to the startup-configuration file unless you enter the copy running-config startup-config command or the write memory command for the current context. To write the contents of the running-configuration file to the startup-configuration file for all contexts, use the write memory all command. At this time, if the ft auto-sync startup-config command is enabled, the ACE syncs the startup-configuration file on the active ACE to the standby ACE.
The ACE does not synchronize the SSL certificates and key pairs that are present in the active context with the standby context of an FT group. If the ACE performs a configuration synchronization and does not find the necessary certs and keys in the standby context, config sync fails and the standby context enters the STANDBY_COLD state.
Caution
Do not enter the no inservice command followed by the inservice command on the active context of an FT group when the standby context is in the STANDBY_COLD state. Doing so may cause the standby context running-configuration file to overwrite the active context running-configuration file.
To copy the certs and keys to the standby context, you must export them from the active context to an FTP or TFTP server using the crypto export command, and then import them into the standby context using the crypto import command. Both FTP and TFTP transfer the private keys in cleartext, so perform the transfer only over a trusted management network and delete the exported files from the server afterward. For more information about importing and exporting certs and keys, see the Cisco Application Control Engine Module SSL Configuration Guide.
To return the standby context to the STANDBY_HOT state in this case, ensure that you have imported the necessary SSL certs and keys to the standby context, and then perform a bulk sync of the active context configuration by entering the following commands in configuration mode in the active context of the FT group:
1. no ft auto-sync running-config
2. ft auto-sync running-config
Examples
To enable autosynchronization of the running-configuration file in the C1 context, enter:
host1/C1(config)# ft auto-sync running-config
Related Commands
(config) ft group
(config) ft interface vlan
(config) ft peer
(config) ft track host
(config) ft track hsrp
(config) ft track interface
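The caution about re-enabling auto-sync in the right order and the STANDBY_COLD recovery procedure above are easier to follow as one session; the added example below (not from the Cisco reference) walks through both. The hostnames, the context name, the certificate and key file names, the FTP server details, the argument order of crypto export and crypto import, and the show ft group detail verification command are assumptions to be checked against the SSL Configuration Guide and the Administration Guide; lines starting with ! are annotations, not commands.

```text
! Added example, not from the Cisco reference. Names, addresses and the
! crypto export/import argument order are assumptions.

! 1. Auto-sync was disabled in both the Admin context and user context C1.
!    Re-enable it in the user context FIRST, then in Admin, so the standby
!    copy of C1 is not wiped.
host1/Admin# changeto C1
host1/C1# config
host1/C1(config)# ft auto-sync running-config
host1/C1(config)# end
host1/C1# changeto Admin
host1/Admin# config
host1/Admin(config)# ft auto-sync running-config
host1/Admin(config)# end

! 2. The standby copy of C1 is STANDBY_COLD because server.key and
!    server.pem exist only on the active module: config sync never carries
!    keys or certs, so move them by hand.
!    On the active module:
host1/C1# crypto export server.key ftp 10.0.0.5 admin /keys/server.key
host1/C1# crypto export server.pem ftp 10.0.0.5 admin /keys/server.pem
!    On the standby module, in the context of the same name:
host2/C1# crypto import ftp 10.0.0.5 admin /keys/server.key server.key
host2/C1# crypto import ftp 10.0.0.5 admin /keys/server.pem server.pem
!    FTP carries the private key in cleartext: trusted management network
!    only, and remove /keys/* from the server when the import succeeds.

! 3. Force a bulk sync from the ACTIVE context so the standby returns to
!    STANDBY_HOT. Do not toggle inservice on the active context for this;
!    that path can let the cold standby overwrite the active config.
host1/C1# config
host1/C1(config)# no ft auto-sync running-config
host1/C1(config)# ft auto-sync running-config
host1/C1(config)# end
host1/C1# show ft group detail
```

Step 3 is the only supported way to trigger the resync; the caution about no inservice / inservice applies precisely because that sequence reverses the direction of the copy while the standby is still cold.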
(config) ft group
To create a fault-tolerant (FT) group for redundancy, use the ft group command. After you enter this command, the system enters the FT group configuration mode. Use the no form of this command to remove an FT group from the configuration.
ft group group_id
no ft group group_id
Syntax Description
  group_id      Unique identifier of the FT group. Enter an integer from 1 to 255.
Command Modes
Configuration mode
Admin context only
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You must configure the same group ID on both peer modules.
On each ACE, you can create multiple FT groups, up to a maximum of 256 groups. Each group consists of a maximum of two members (contexts): one active context on one module and one standby context on the peer module.
For information about the commands in FT group configuration mode, see the "FT Group Configuration Mode Commands" section.
Examples
To configure an FT group, enter:
host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)#
To remove the group from the configuration, enter:
host1/Admin(config)# no ft group 1
Related Commands
(config) ft auto-sync
(config) ft interface vlan
(config) ft peer
(config) ft track host
(config) ft track hsrp
(config) ft track interface
(config) ft interface vlan
To create a dedicated fault-tolerant (FT) VLAN over which two redundant peers communicate, use the ft interface vlan command. After you enter this command, the system enters the FT interface configuration mode. Use the no form of this command to remove an FT VLAN from the configuration.
ft interface vlan vlan_id
no ft interface vlan vlan_id
Syntax Description
  vlan_id       Unique identifier for the FT VLAN. Enter an integer from 2 to 4094.
Command Modes
Configuration mode
Admin context only
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Peer ACEs communicate with each other over a dedicated FT VLAN. These redundant peers use the FT VLAN to transmit and receive heartbeat packets and state and configuration replication packets. You must configure the same VLAN on each peer module. You cannot use this VLAN for normal network traffic.
To remove an FT VLAN, first remove it from the FT peer using the no ft-interface vlan command in FT peer configuration mode. See the (config-ft-peer) ft-interface vlan command for more information.
Examples
To configure an FT VLAN, enter:
host1/Admin(config)# ft interface vlan 200
host1/Admin(config-ft-intf)#
To remove the FT VLAN from the redundancy configuration, enter:
host1/Admin(config)# no ft interface vlan 200
Related Commands
(config) ft auto-sync
(config) ft group
(config) ft peer
(config) ft track host
(config) ft track hsrp
(config) ft track interface
(config) ft peer
To create an FT peer, use the ft peer command; configure an FT peer definition on both peer ACEs. After you enter this command, the system enters the FT peer configuration mode. You can configure a maximum of two ACEs as redundancy peers. Use the no form of this command to remove the FT peer from the configuration.
ft peer peer_id
no ft peer peer_id
Syntax Description
  peer_id       Unique identifier of the FT peer. Enter 1.
Command Modes
Configuration mode
Admin context only
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Each ACE module can have one FT peer. FT peers are redundant ACE modules that communicate with each other over a dedicated FT VLAN.
Before you can remove an FT peer from the configuration, remove the peer from the FT group using the no peer command in FT group configuration mode.
For information about the commands in FT peer configuration mode, see the "FT Peer Configuration Mode Commands" section.
Examples
To configure an FT peer, enter:
host1/Admin(config)# ft peer 1
host1/Admin(config-ft-peer)#
Related Commands
(config) ft auto-sync
(config) ft group
(config) ft interface vlan
(config) ft track host
(config) ft track hsrp
(config) ft track interface
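The ft interface vlan, ft peer and ft group commands above are entered together to bring up redundancy; the added example below (not from the Cisco reference) shows a minimal configuration in the Admin context of the active module. The peer module needs the same FT VLAN, peer ID and group ID. The addresses, the context name, the priority and heartbeat values, and the subcommands typed inside the FT interface, FT peer and FT group configuration modes are assumptions to be checked against those mode sections; lines starting with ! are annotations, not commands.

```text
! Added example, not from the Cisco reference. Addresses, values and the
! mode-specific subcommands are assumptions.

! 1. Dedicated FT VLAN: heartbeats plus state and configuration replication
!    travel here, so it must not carry normal network traffic.
host1/Admin(config)# ft interface vlan 200
host1/Admin(config-ft-intf)# ip address 192.168.200.1 255.255.255.0
host1/Admin(config-ft-intf)# peer ip address 192.168.200.2 255.255.255.0
host1/Admin(config-ft-intf)# no shutdown
host1/Admin(config-ft-intf)# exit

! 2. The single peer (peer ID is always 1), bound to that VLAN
host1/Admin(config)# ft peer 1
host1/Admin(config-ft-peer)# ft-interface vlan 200
host1/Admin(config-ft-peer)# heartbeat interval 300
host1/Admin(config-ft-peer)# heartbeat count 10
host1/Admin(config-ft-peer)# exit

! 3. One FT group per protected context; the same group ID goes on both
!    modules. A higher priority makes this module the preferred active.
host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)# peer 1
host1/Admin(config-ft-group)# priority 150
host1/Admin(config-ft-group)# associate-context C1
host1/Admin(config-ft-group)# inservice
host1/Admin(config-ft-group)# exit

! Tear-down runs in the reverse order, because of the dependencies noted
! in the usage guidelines: remove the peer from the group (no peer in FT
! group mode) before no ft peer 1, and remove the VLAN from the peer
! (no ft-interface vlan in FT peer mode) before no ft interface vlan 200.
```

On the peer module the same three blocks are entered with the local and peer addresses swapped and, if you want a deterministic active member, a lower priority.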
(config) ft track host
To create a tracking and failure detection process for a gateway or host, use the ft track host command. After you enter this command, the system enters FT track host configuration mode. Use the no form of this command to remove the gateway-tracking process.
ft track host name
no ft track host name
Syntax Description
  name          Unique identifier of the tracking process for a gateway or host. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the fault-tolerant (FT) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
For information about commands in FT track host configuration mode, see the "FT Track Host Configuration Mode Commands" section.
For details about configuring redundant ACE modules, see the Cisco Application Control Engine Module Administration Guide.
Examples
To create a tracking process for a gateway, enter:
host1/Admin(config)# ft track host TRACK_GATEWAY1
host1/Admin(config-ft-track-host)#
To remove the gateway-tracking process, enter:
host1/Admin(config)# no ft track host TRACK_GATEWAY1
Related Commands
(config) ft track hsrp
(config) ft track interface
(config) ft track hsrp
To configure failure detection and tracking for a Hot Standby Router Protocol (HSRP) group, use the ft track hsrp command. After you enter this command, the system enters FT track hsrp configuration mode. Use the no form of this command to stop tracking for an HSRP group.
ft track hsrp name
no ft track hsrp name
Syntax Description
  name          Unique identifier of the tracking process for an HSRP group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the fault-tolerant (FT) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You must configure the HSRP group on the supervisor engine on the Catalyst 6500 series switch before you configure HSRP tracking on the ACE. Failure to do so may result in erroneous state information for the HSRP group being displayed in the show ft track detail command output in Exec mode. For information about commands in FT track hsrp configuration mode, see the "FT Track HSRP Configuration Mode Commands" section.
For details about configuring redundant ACE modules, see the Cisco Application Control Engine Module Administration Guide.
Examples
To configure FT tracking for an HSRP group, enter:
host1/Admin(config)# ft track hsrp TRACK_HSRP_GRP1
host1/Admin(config-ft-track-hsrp)#
To remove the HSRP group-tracking process, enter:
host1/Admin(config)# no ft track hsrp TRACK_HSRP_GRP1
Related Commands
(config) ft auto-sync
(config) ft group
(config) ft interface vlan
(config) ft peer
(config) ft track host
(config) ft track interface
(config) ft track interface
To create a tracking and failure detection process for a critical interface, use the ft track interface command. After you enter this command, the system enters FT track interface configuration mode. Use the no form of this command to stop tracking for an interface.
ft track interface name
no ft track interface name
Syntax Description
  name          Unique identifier of the tracking process for a critical interface. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the fault-tolerant (FT) feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You cannot delete an interface if the ACE is using the interface for tracking. Also, you cannot configure the FT VLAN for tracking.
For information about commands in FT track interface configuration mode, see the "FT Track Interface Configuration Mode Commands" section.
For details about configuring redundant ACE modules, see the Cisco Application Control Engine Module Administration Guide.
Examples
To configure a tracking and failure detection process for an interface, enter:
host1/Admin(config)# ft track interface TRACK_VLAN100
To remove the interface-tracking process, enter:
host1/Admin(config)# no ft track interface TRACK_VLAN100
Related Commands
(config) ft auto-sync
(config) ft group
(config) ft interface vlan
(config) ft peer
(config) ft track host
(config) ft track hsrp
(config) hostname
To specify a hostname for the ACE, use the hostname command. The hostname is used for the command line prompts and default configuration filenames. If you establish sessions to multiple devices, the hostname helps you track where you enter commands. Use the no form of this command to reset the hostname to the default of switch.
hostname name
no hostname name
Syntax Description
  name          New hostname for the ACE. Enter a case-sensitive text string that contains from 1 to 32 alphanumeric characters.
Command Modes
Configuration mode
Admin context only
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
By default, the hostname for the ACE is switch.
Examples
To change the hostname of the ACE from switch to ACE_1, enter:
switch/Admin(config)# hostname ACE_1
Related Commands
(config) peer hostname
(config) hw-module
To configure hardware module parameters in the ACE, use the hw-module command. Use the no form of this command to reset the default behavior.
hw-module {cde-same-port-hash | optimize-lookup}
no hw-module {cde-same-port-hash | optimize-lookup}
Syntax Description
  cde-same-port-hash   Configures the classification and distribution engine (CDE) to include the ports in the hash function when the TCP or UDP source and destination ports of a packet are equal. When this keyword is configured, the ACE also disables implicit PAT on those packets so that the source port does not change. This keyword is available only in the Admin context.
  optimize-lookup      Disables the egress MAC address lookup that the ACE normally performs. Use this keyword to improve performance when you have multiple ACEs installed in a chassis with heavy traffic.
Command Modes
Configuration mode
Admin context only
Command History
  Release          Modification
  3.0(0)A1(6.2a)   This command was introduced.
  A2(1.0)          This command was revised with the optimize-lookup keyword.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
By default, when the source and destination ports of a TCP or UDP packet are equal, the CDE uses the source IP address and destination IP address to perform the hash function. When they are not equal, the CDE only uses the ports. When the cde-same-port-hash command is configured and the ports are equal, the CDE uses a slightly different hash method from the default method.
If you have multiple ACEs installed in a Catalyst 6500 Series Switch or in a Cisco Catalyst 7600 Router, you may experience lower performance than expected with very high rates of traffic. If you fail to achieve the advertised performance of the ACE, you can disable the egress MAC address lookup using the hw-module optimize-lookup command.
Do not use the hw-module optimize-lookup command if you have intelligent modules with distributed forwarding cards (DFCs) installed in the Catalyst 6500 Series Switch or the Cisco Catalyst 7600 Router. Using this command with such modules will cause the Encoded Address Recognition Logic (EARL) units on these modules and on the Supervisor to become unsynchronized.
Examples
To configure the CDE to include the ports in the hash function when the TCP or UDP source and destination ports are equal, enter:
switch/Admin(config)# hw-module cde-same-port-hash
To reset the default behavior, enter:
switch/Admin(config)# no hw-module cde-same-port-hash
Related Commands
show cde
(config) interface
To create a bridge-group virtual interface (BVI) or VLAN interface, use the interface command. The CLI prompt changes to (config-if). Use the no form of this command to remove the interface.
interface {bvi group_number | vlan number}
no interface {bvi group_number | vlan number}
Syntax Description
  bvi group_number   Creates a BVI for a bridge group and accesses interface configuration mode commands for the BVI. The group_number argument is the bridge-group number configured on a VLAN interface.
  vlan number        Assigns the VLAN to the context and accesses interface configuration mode commands for the VLAN. The number argument is the number of a VLAN assigned to the ACE.
Command Modes
Configuration mode
Admin and user contexts
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
For information about commands in interface configuration mode, see the "Interface Configuration Mode Commands" section.
Examples
To assign VLAN interface 100 to the Admin context and access interface configuration mode, enter:
host1/Admin(config)# interface vlan 100
Related Commands
clear interface
show interface
(config) ip dhcp relay
To configure a Dynamic Host Configuration Protocol (DHCP) relay agent on the ACE, use the ip dhcp relay command. When you configure the ACE as a DHCP relay agent, it is responsible for forwarding the requests and responses negotiated between the DHCP clients and the server. You must configure a DHCP server when you enable the DHCP relay. Use the no form of this command to disable a DHCP relay agent setting.
ip dhcp relay {enable | information policy {keep | replace} | server ip_address}
no ip dhcp relay {enable | information policy {keep | replace} | server ip_address}
Syntax Description
  enable               Accepts DHCP requests from clients on the associated context or interface and enables the DHCP relay agent. The relay agent starts forwarding packets to the DHCP server address specified in the ip dhcp relay server command for the associated interface or context.
  information policy   Configures the relay agent information reforwarding policy, which determines what the ACE relay agent does when a client message that it is about to forward already contains relay agent information.
  keep                 Leaves the existing relay agent information unchanged. This is the default setting.
  replace              Overwrites the existing relay agent information.
  server               Specifies the IP address of a DHCP server to which the DHCP relay agent forwards client requests.
  ip_address           IP address of the DHCP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
Command Modes
Configuration mode
Admin and user contexts
Command History
  Release       Modification
  3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the DHCP feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
The DHCP relay agent can be configured at both the context and interface level of the ACE. Note the following configuration considerations:
• If you configure the DHCP relay agent at the context level, the configuration applies to all interfaces associated with the context.
• If you configure the DHCP relay agent at the interface level, the configuration applies to that interface only; the remaining interfaces fall back to the context-level configuration.
Examples
To set the IP address of a DHCP server at the context level, enter:
host1/C1(config)# ip dhcp relay enable
host1/C1(config)# ip dhcp relay server 192.168.20.1
To specify the DHCP relay at the interface level, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip dhcp relay enable
host1/Admin(config-if)# ip dhcp relay server 192.168.20.1
To remove the IP address of the DHCP server, enter:
host1/Admin(config-if)# no ip dhcp relay server 192.168.20.1
Related Commands
clear ip
show ip
(config) ip domain-list
To configure a domain name search list, use the ip domain-list command. The domain name list can contain a maximum of three domain names. Use the no form of this command to remove a domain name from the list.
ip domain-list name
no ip domain-list name
Syntax Description
name
    Domain name. Enter an unquoted text string with no spaces and a maximum of 85 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
A2(1.0)       This command was introduced.
Usage Guidelines
This command requires the domain name feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You can configure a Domain Name System (DNS) client on the ACE to communicate with a DNS server to provide hostname-to-IP-address translation for hostnames in CRLs for the client authentication feature. For unqualified hostnames (hostnames that do not contain a domain name), you can configure a default domain name or a list of domain names that the ACE can use to:
• Complete the hostname
• Attempt a hostname-to-IP-address resolution with a DNS server
If you configure both a domain name list and a default domain name, the ACE uses only the domain name list and not the single default name. After you have enabled domain name lookups and configured a domain name list, the ACE uses each domain name in turn until it can resolve a single domain name into an IP address.
Examples
For example, to configure a domain name list, enter:
host1/Admin(config)# ip domain-list cisco.com
host1/Admin(config)# ip domain-list foo.com
host1/Admin(config)# ip domain-list xyz.com
To remove a domain name from the list, enter:
host1/Admin(config)# no ip domain-list xyz.com
Related Commands
show running-config
(config) ip domain-lookup
(config) ip domain-name
(config) ip domain-lookup
To enable the ACE to perform a domain lookup (host-to-address translation) with a DNS server, use the ip domain-lookup command. By default, this command is disabled. Use the no form of this command to return the state of domain lookups to the default value of disabled.
ip domain-lookup
no ip domain-lookup
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
A2(1.0)       This command was introduced.
Usage Guidelines
This command requires the Domain Name feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You can configure a Domain Name System (DNS) client on the ACE to communicate with a DNS server to provide hostname-to-IP-address translation for hostnames in CRLs for the client authentication feature.
Before you configure a DNS client on the ACE, ensure that one or more DNS name servers are properly configured and are reachable. Otherwise, translation requests (domain lookups) from the DNS client will be discarded. You can configure a maximum of three name servers. The ACE attempts to resolve the hostnames with the configured name servers in order until the translation succeeds. If the translation fails, the ACE reports an error.
For unqualified hostnames (hostnames that do not contain a domain name), you can configure a default domain name or a list of domain names that the ACE can use to do the following:
• Complete the hostname
• Attempt a hostname-to-IP-address resolution with a DNS server
Examples
For example, to enable domain lookups, enter:
host1/Admin(config)# ip domain-lookup
To return the state of domain lookups to the default value of disabled, enter:
host1/Admin(config)# no ip domain-lookup
Related Commands
show running-config
(config) ip domain-list
(config) ip domain-name
(config) ip name-server
(config) ip domain-name
To configure a default domain name, use the ip domain-name command. Use the no form of this command to remove the default domain name from the configuration.
ip domain-name name
no ip domain-name name
Syntax Description
name
    Default domain name. Enter an unquoted text string with no spaces and a maximum of 85 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
A2(1.0)       This command was introduced.
Usage Guidelines
This command requires the domain name feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
The DNS client feature allows you to configure a default domain name that the ACE uses to complete unqualified hostnames. An unqualified hostname does not contain a domain name (any name without a dot). When domain lookups are enabled and a default domain name is configured, the ACE appends a dot (.) and the configured default domain name to the unqualified host name and attempts a domain lookup.
Examples
For example, to specify a default domain name of cisco.com, enter:
host1/Admin(config)# ip domain-name cisco.com
In the above example, the ACE appends cisco.com to any unqualified host name in a CRL before the ACE attempts to resolve the host name to an IP address using a DNS name server.
To remove the default domain from the configuration, enter:
host1/Admin(config)# no ip domain-name cisco.com
Related Commands
show running-config
(config) ip domain-list
(config) ip domain-lookup
(config) ip name-server
To configure a DNS name server on the ACE, use the ip name-server command. You can configure a maximum of three DNS name servers. Use the no form of this command to remove a name server from the list.
ip name-server ip_address
no ip name-server ip_address
Syntax Description
ip_address
    IP address of a name server. Enter the address in dotted-decimal notation (for example, 192.168.12.15). You can enter up to three name server IP addresses in one command line.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
A2(1.0)       This command was introduced.
Usage Guidelines
This command requires the domain name feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
To translate a hostname to an IP address, you must configure one or more (maximum of three) existing DNS name servers on the ACE. Ping the IP address of each name server before you configure it to ensure that the server is reachable.
Examples
For example, to configure three name servers for the DNS client feature, enter:
host1/Admin(config)# ip name-server 192.168.12.15 192.168.12.16 192.168.12.17
To remove a name server from the list, enter:
host1/Admin(config)# no ip name-server 192.168.12.15
Related Commands
show running-config
(config) ip domain-lookup
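The lookup order that the ip domain-list, ip domain-lookup, ip domain-name and ip name-server sections describe, modelled in Python as an added example (not Cisco code). The name servers and zone contents are constructed stand-ins, and it is an assumption that all servers are tried for one candidate name before the next candidate is attempted.

```python
"""Model of the ACE DNS client lookup order (added example, not Cisco code).

Rules taken from the ip domain-list / ip domain-name / ip domain-lookup /
ip name-server sections:
  - lookups happen only when ip domain-lookup is enabled (default: disabled)
  - a qualified hostname (one containing a dot) is queried as-is
  - for an unqualified hostname a configured domain list is used, each entry
    in turn; the single default domain name is appended only when no list
    is configured
  - at most three domain-list entries and three name servers; servers are
    tried in order until one answers
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_DOMAIN_LIST = 3      # ip domain-list: at most three entries
MAX_NAME_SERVERS = 3     # ip name-server: at most three servers


@dataclass
class DnsClientConfig:
    """Subset of the ACE context configuration that drives hostname lookups."""
    domain_lookup: bool = False                             # ip domain-lookup
    domain_name: Optional[str] = None                       # ip domain-name
    domain_list: List[str] = field(default_factory=list)    # ip domain-list, in order
    name_servers: List[str] = field(default_factory=list)   # ip name-server, in order

    def add_domain_list(self, name: str) -> None:
        if len(self.domain_list) >= MAX_DOMAIN_LIST:
            raise ValueError("domain list holds at most %d names" % MAX_DOMAIN_LIST)
        self.domain_list.append(name)

    def add_name_server(self, ip: str) -> None:
        if len(self.name_servers) >= MAX_NAME_SERVERS:
            raise ValueError("at most %d name servers" % MAX_NAME_SERVERS)
        self.name_servers.append(ip)


def candidate_names(cfg: DnsClientConfig, hostname: str) -> List[str]:
    """Names the client will query for `hostname`, in order."""
    if "." in hostname:
        return [hostname]                       # qualified: use as-is
    if cfg.domain_list:
        return ["%s.%s" % (hostname, d) for d in cfg.domain_list]
    if cfg.domain_name:
        return ["%s.%s" % (hostname, cfg.domain_name)]
    return [hostname]   # assumption: nothing to append, query the bare name


# A query function takes (name_server_ip, fqdn) and returns the answer, or
# None when the server has no record; it raises OSError when unreachable.
QueryFn = Callable[[str, str], Optional[str]]


def resolve(cfg: DnsClientConfig, hostname: str, query: QueryFn) -> Optional[str]:
    """Resolve `hostname` following the lookup order above.

    Returns the IP address, or None when lookups are disabled, no name
    server is configured, or no candidate name resolves (the cases in which
    the ACE reports an error). Assumption: for each candidate name the
    servers are tried in order before moving to the next candidate.
    """
    if not cfg.domain_lookup or not cfg.name_servers:
        return None
    for fqdn in candidate_names(cfg, hostname):
        for server in cfg.name_servers:
            try:
                answer = query(server, fqdn)
            except OSError:
                continue            # unreachable server: try the next one
            if answer is not None:
                return answer
    return None


# Constructed stand-in for real name servers (not part of the original page):
# the first server is unreachable, the other two hold a few records.
FAKE_ZONES: Dict[str, Optional[Dict[str, str]]] = {
    "192.168.12.15": None,
    "192.168.12.16": {"www.foo.com": "10.1.1.5", "crl.xyz.com": "10.1.1.9"},
    "192.168.12.17": {"www.foo.com": "10.1.1.5"},
}


def fake_query(server: str, fqdn: str) -> Optional[str]:
    zone = FAKE_ZONES.get(server)
    if zone is None:
        raise OSError("no route to %s" % server)
    return zone.get(fqdn)


def demo_config() -> DnsClientConfig:
    """The configuration built by the CLI examples in these sections
    (domain list cisco.com, foo.com after xyz.com is removed; default
    domain xyz.com; three name servers)."""
    cfg = DnsClientConfig(domain_lookup=True, domain_name="xyz.com")
    for d in ("cisco.com", "foo.com"):
        cfg.add_domain_list(d)
    for ns in ("192.168.12.15", "192.168.12.16", "192.168.12.17"):
        cfg.add_name_server(ns)
    return cfg


if __name__ == "__main__":
    cfg = demo_config()
    print(candidate_names(cfg, "www"))        # ['www.cisco.com', 'www.foo.com']
    print(resolve(cfg, "www", fake_query))    # 10.1.1.5
    print(resolve(cfg, "crl", fake_query))    # None: the list wins, xyz.com is never tried
```

The third call shows the rule that matters operationally: with a domain list configured, the default domain name is never appended, so a CRL host that only resolves under the default domain fails to resolve.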
(config) ip route
To configure a default or static IP route, use the ip route command. Use the no form of this command to remove a default or static IP route from the configuration.
ip route dest_ip_prefix netmask gateway_ip_address
no ip route dest_ip_prefix netmask gateway_ip_address
Syntax Description
dest_ip_prefix
    IP address for the route. The address that you specify for the static route is the address that is in the packet before entering the ACE and performing network address translation.
netmask
    Subnet mask for the route.
gateway_ip_address
    IP address of the gateway router (the next-hop address for this route). The gateway address must be in the same network as specified in the ip address command for a VLAN interface.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the routing feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
The default route identifies the router IP address to which the ACE sends all IP packets for which it does not have a route.
Admin and user contexts do not support dynamic routing. You must use static routes for any networks to which the ACE is not directly connected; for example, use a static route when there is a router between a network and the ACE.
The ACE supports up to eight equal cost routes on the same interface for load balancing.
Routes that identify a specific destination address take precedence over the default route.
See the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for more information about configuring default or static routes.
Examples
To configure a default route, set the IP address and the subnet mask for the route to 0.0.0.0. For example, if the ACE receives traffic for which it does not have a route, it sends the traffic out the interface to the router at 192.168.4.8. Enter:
host1/Admin(config)# ip route 0.0.0.0 0.0.0.0 192.168.4.8
Related Commands
(config-if) ip address
(config) kalap udp
To configure secure KAL-AP on the ACE, use the kalap udp command to access KAL-AP UDP configuration mode. The CLI prompt changes to (config-kalap-udp). Use the no form of this command to return to configuration mode (or use the exit command).
kalap udp
no kalap udp
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
A2(1.0)       This command was introduced.
Usage Guidelines
This command requires the probe feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
The ACE supports secure KAL-AP for MD5 encryption of data between the ACE and the Global Site Selector (GSS). For encryption, you must configure a shared secret as a key for authentication between the GSS and the ACE context. For information about the commands in KAL-AP UDP configuration mode, see the "KAL-AP UDP Configuration Mode Commands" section.
Examples
To enter KAL-AP UDP configuration mode, enter:
host1/Admin(config)# kalap udp
host1/Admin(config-kalap-udp)#
Related Commands
show kalap udp load
show running-config
(config-kalap-udp) ip address
(config) ldap-server host
To specify the Lightweight Directory Access Protocol (LDAP) server IP address, the destination port, and other options, use the ldap-server host command. You can enter multiple ldap-server host commands to configure multiple LDAP servers. Use the no form of this command to revert to a default LDAP server authentication setting.
ldap-server host ip_address [port port_number] [timeout seconds] [rootDN "DN_string" [password bind_password]]
no ldap-server host ip_address [port port_number] [timeout seconds] [rootDN "DN_string" [password bind_password]]
Syntax Description
ip_address
    IP address for the LDAP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
port port_number
    (Optional) Specifies the TCP destination port for communicating authentication requests to the LDAP directory server. The port_number argument specifies the LDAP port number. Enter an integer from 1 to 65535.
timeout seconds
    (Optional) Specifies the time in seconds to wait for a response from the LDAP server before the ACE can declare a timeout failure with the LDAP server. Use this option to change the time interval that the ACE waits for the LDAP server to reply to an authentication request. Enter an integer from 1 to 60. The default is 5 seconds.
rootDN "DN_string"
    (Optional) Defines the distinguished name (DN) for a user who is unrestricted by access controls or administrative limit parameters to perform operations on the LDAP server directory. The rootDN user can be thought of as the root user for the LDAP server database. Enter a quoted string with a maximum of 63 alphanumeric characters. The default is an empty string.
password bind_password
    (Optional) Defines the bind password (rootpw) applied to the rootDN of the LDAP server directory. Enter an unquoted string with a maximum of 63 alphanumeric characters. The default is an empty string.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
By default, the LDAP server port is 389. If your LDAP server uses a port other than 389, use the port keyword to configure an appropriate port before starting the LDAP service. The ldap-server port command overrides the global setting for the specified server.
By default, the ACE waits 5 seconds for the LDAP server to reply to an authentication request before the ACE declares a timeout failure and attempts to contact the next server in the group. The ldap-server timeout command overrides the global setting for the specified server.
Examples
To configure LDAP server authentication parameters, enter:
host1/Admin(config)# ldap-server host 192.168.2.3 port 2003
host1/Admin(config)# ldap-server host 192.168.2.3 timeout 60
host1/Admin(config)# ldap-server host 192.168.2.3 rootDN "cn=manager,dc=cisco,dc=com" password lab
To remove the LDAP server authentication setting, enter:
host1/Admin(config)# no ldap-server host 192.168.2.3 timeout 60
Related Commands
show aaa
(config) aaa group server
(config) ldap-server port
(config) ldap-server timeout
(config) ldap-server port
To globally configure a TCP port (if your LDAP server uses a port other than the default port 389) before you start the LDAP service, use the ldap-server port command. This global port setting will be applied to those LDAP servers for which a TCP port value is not individually configured by the ldap-server host command. Use the no form of this command to revert to the default of TCP port 389.
ldap-server port port_number
no ldap-server port port_number
Syntax Description
port_number
    Destination port to the LDAP server. Enter an integer from 1 to 65535. The default is TCP port 389.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
To override the global TCP port setting (specified by the ldap-server port command) for a specific server, use the ldap-server host port command.
Examples
To globally configure the TCP port, enter:
host1/Admin(config)# ldap-server port 2003
To revert to the default of TCP port 389, enter:
host1/Admin(config)# no ldap-server port 2003
Related Commands
show aaa
(config) aaa group server
(config) ldap-server host
(config) ldap-server timeout
(config) ldap-server timeout
To globally change the time interval that the ACE waits for the LDAP server to reply to an authentication request before it declares a timeout failure, use the ldap-server timeout command. By default, the ACE waits 5 seconds to receive a response from an LDAP server before it declares a timeout failure and attempts to contact the next server in the group. The ACE applies this global timeout value to those LDAP servers for which a timeout value is not individually configured by the ldap-server host command. Use the no form of this command to revert to the default of 5 seconds between transmission attempts.
ldap-server timeout seconds
no ldap-server timeout seconds
Syntax Description
seconds
    Timeout value in seconds. Enter an integer from 1 to 60. The default is 5 seconds.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
To override the global timeout setting (specified by the ldap-server timeout command) for a specific server, use the ldap-server host timeout command.
Examples
To globally configure the timeout value to 30 seconds, enter:
host1/Admin(config)# ldap-server timeout 30
To change to the default of 5 seconds between transmission attempts, enter:
host1/Admin(config)# no ldap-server timeout 30
Related Commands
show aaa
(config) aaa group server
(config) ldap-server host
(config) ldap-server port
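The precedence between the per-server options of ldap-server host and the global ldap-server port and ldap-server timeout settings, worked through in Python as an added example (not Cisco code). It replays the CLI examples from these three sections; the second server 192.168.2.4 is constructed, and the behaviour of the no form with no option given (removing the server entry) is an assumption.

```python
"""Effective per-server LDAP settings on the ACE (added example, not Cisco code).

Precedence described in the ldap-server host / port / timeout sections:
  1. a value given on ldap-server host applies to that server only;
  2. otherwise the global ldap-server port / ldap-server timeout value;
  3. otherwise the defaults: TCP port 389 and a 5 second timeout.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEFAULT_PORT = 389       # TCP port used unless configured otherwise
DEFAULT_TIMEOUT = 5      # seconds to wait for an LDAP reply


def _check_port(port: int) -> int:
    if not 1 <= port <= 65535:
        raise ValueError("port must be 1 to 65535")
    return port


def _check_timeout(seconds: int) -> int:
    if not 1 <= seconds <= 60:
        raise ValueError("timeout must be 1 to 60 seconds")
    return seconds


@dataclass
class LdapHost:
    ip: str
    port: Optional[int] = None          # ldap-server host ... port
    timeout: Optional[int] = None       # ldap-server host ... timeout
    root_dn: str = ""                   # rootDN "DN_string"; default empty
    bind_password: str = ""             # password bind_password; default empty


@dataclass
class LdapConfig:
    global_port: int = DEFAULT_PORT
    global_timeout: int = DEFAULT_TIMEOUT
    hosts: Dict[str, LdapHost] = field(default_factory=dict)

    def set_global_port(self, port: Optional[int]) -> None:
        """ldap-server port; None models the no form (revert to 389)."""
        self.global_port = DEFAULT_PORT if port is None else _check_port(port)

    def set_global_timeout(self, seconds: Optional[int]) -> None:
        """ldap-server timeout; None models the no form (revert to 5 s)."""
        self.global_timeout = DEFAULT_TIMEOUT if seconds is None else _check_timeout(seconds)

    def ldap_server_host(self, ip: str, port: Optional[int] = None,
                         timeout: Optional[int] = None, root_dn: Optional[str] = None,
                         password: Optional[str] = None) -> None:
        """Repeated commands for the same address accumulate options, as in
        the three-command example of the ldap-server host section."""
        host = self.hosts.setdefault(ip, LdapHost(ip))
        if port is not None:
            host.port = _check_port(port)
        if timeout is not None:
            host.timeout = _check_timeout(timeout)
        if root_dn is not None:
            host.root_dn = root_dn
        if password is not None:
            host.bind_password = password

    def no_ldap_server_host(self, ip: str, *options: str) -> None:
        """no ldap-server host: revert the named option(s) of one server to
        the default. Assumption: with no option the entry is removed."""
        host = self.hosts.get(ip)
        if host is None:
            raise KeyError("no such LDAP server: %s" % ip)
        if not options:
            del self.hosts[ip]
            return
        for opt in options:
            if opt == "port":
                host.port = None
            elif opt == "timeout":
                host.timeout = None
            elif opt == "rootDN":
                host.root_dn, host.bind_password = "", ""
            else:
                raise ValueError("unknown option %r" % opt)

    def effective(self, ip: str) -> Tuple[int, int]:
        """(port, timeout) the ACE will use when contacting this server."""
        host = self.hosts[ip]
        port = host.port if host.port is not None else self.global_port
        timeout = host.timeout if host.timeout is not None else self.global_timeout
        return port, timeout


def example_config() -> LdapConfig:
    """Replays the CLI examples from these sections, plus a constructed
    second server (192.168.2.4) that carries no per-server options."""
    cfg = LdapConfig()
    cfg.ldap_server_host("192.168.2.3", port=2003)
    cfg.ldap_server_host("192.168.2.3", timeout=60)
    cfg.ldap_server_host("192.168.2.3", root_dn="cn=manager,dc=cisco,dc=com", password="lab")
    cfg.ldap_server_host("192.168.2.4")
    cfg.set_global_timeout(30)      # ldap-server timeout 30
    return cfg


if __name__ == "__main__":
    cfg = example_config()
    print(cfg.effective("192.168.2.3"))   # (2003, 60): per-server values win
    print(cfg.effective("192.168.2.4"))   # (389, 30): global timeout, default port
    cfg.no_ldap_server_host("192.168.2.3", "timeout")
    print(cfg.effective("192.168.2.3"))   # (2003, 30): falls back to the global value
```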
(config) line console
To configure the console interface settings, use the line console configuration mode command. When you enter this command, the prompt changes to (config-console) and you enter console configuration mode. Use the no form of this command to reset the console configuration mode parameters to their default settings.
line console
no line console
Syntax Description
There are no keywords or arguments for this command.
Command Modes
Configuration mode
Admin context only
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
The console port is an asynchronous serial port on the Catalyst 6500 series switch that enables the ACE to be set up for initial configuration through a standard RS-232 port with an RJ-45 connector. Any device connected to this port must be capable of asynchronous transmission. Connection to a terminal requires a terminal emulator to be configured as 9600 baud, 8 data bits, 1 stop bit, no parity.
For information about the commands in console configuration mode, see the "Console Configuration Mode Commands" section.
Examples
To enter console configuration mode, enter:
host1/Admin(config)# line console
host1/Admin(config-console)#
Related Commands
clear line
show line
(config) line vty
To configure the virtual terminal line settings, use the line vty configuration mode command. When you enter this command, the prompt changes to (config-line) and you enter line configuration mode. Use the no form of this command to reset the line configuration mode parameter to its default setting.
line vty
no line vty
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin context only
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
For information about the commands in line configuration mode, see the "Line Configuration Mode Commands" section.
Examples
To enter the line configuration mode, enter:
host1/Admin(config)# line vty
host1/Admin(config-line)#
Related Commands
clear line
show line
(config) login timeout
To modify the length of time that a user can be idle before the ACE terminates the console, Telnet, or Secure Shell (SSH) session, use the login timeout command. By default, the inactivity timeout value is 5 minutes. Use the no form of this command to restore the default timeout value of 5 minutes.
login timeout minutes
no login timeout
Syntax Description
minutes
    Length of time in minutes. Enter a value from 0 to 60 minutes. A value of 0 instructs the ACE never to time out. The default is 5 minutes.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Examples
To specify a timeout period of 10 minutes, enter:
host1/Admin(config)# login timeout 10
To restore the default timeout value of 5 minutes, enter:
host1/Admin(config)# no login timeout
Related Commands
telnet
(config-cmap-mgmt) match protocol
(config) logging buffered
To enable system logging to a local buffer and to limit the messages sent to the buffer based on severity, use the logging buffered command. By default, logging to the local buffer on the ACE is disabled. New messages are appended to the end of the buffer. The first message displayed is the oldest message in the buffer. When the log buffer fills, the ACE deletes the oldest message to make space for new messages. Use the no form of this command to disable message logging.
logging buffered severity_level
no logging buffered
Syntax Description
severity_level
    Maximum level for system log messages sent to the buffer. The severity level that you specify indicates that you want syslog messages at that level and below. Allowable entries are as follows:
    • 0—emergencies (system unusable messages)
    • 1—alerts (take immediate action)
    • 2—critical (critical condition)
    • 3—errors (error message)
    • 4—warnings (warning message)
    • 5—notifications (normal but significant condition)
    • 6—informational (information message)
    • 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Examples
To set the logging buffer level to 3 for logging error messages, enter:
host1/Admin(config)# logging buffered 3
To disable message logging, enter:
host1/Admin(config)# no logging buffered
Related Commands
(config) logging enable
(config) logging console
To enable the logging of syslog messages during console sessions and to limit the display of messages based on severity, use the logging console command. By default, the ACE does not display syslog messages during console sessions. Use the no form of this command to disable logging to the console.
logging console severity_level
no logging console
Syntax Description
severity_level
    Maximum level for system log messages sent to the console. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:
    • 0—emergencies (system unusable messages)
    • 1—alerts (take immediate action)
    • 2—critical (critical condition)
    • 3—errors (error message)
    • 4—warnings (warning message)
    • 5—notifications (normal but significant condition)
    • 6—informational (information message)
    • 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Logging to the console can degrade system performance. Use the logging console command only when you are testing and debugging problems, or when there is minimal load on the network. We recommend that you use the lowest severity level possible because logging at a high rate may affect ACE performance. Do not use this command when the network is busy.
Examples
To enable system logging to the console for messages with severity levels of 2, 1, and 0, enter:
host1/Admin(config)# logging console 2
Related Commands
(config) logging enable
(config) logging device-id
To specify that the device ID of the ACE is included in the syslog message, use the logging device-id command. If enabled, the ACE displays the device ID in all non-EMBLEM-formatted syslog messages. The device ID specification does not affect the syslog message text that is in the EMBLEM format. Use the no form of this command to disable device ID logging for the ACE in the syslog message.
logging device-id {context-name | hostname | ipaddress interface_name | string text}
no logging device-id
Syntax Description
context-name
    Specifies the name of the current context as the device ID to uniquely identify the syslog messages sent from the ACE.
hostname
    Specifies the hostname of the ACE as the device ID to uniquely identify the syslog messages sent from the ACE.
ipaddress interface_name
    Specifies the IP address of the interface as the device ID to uniquely identify the syslog messages sent from the ACE. If you use the ipaddress keyword, syslog messages sent to an external server contain the IP address of the interface specified, regardless of which interface the ACE uses to send the log data to the external server. The maximum length is 64 alphanumeric characters.
string text
    Specifies a text string to uniquely identify the syslog messages sent from the ACE. The maximum length is 64 alphanumeric characters without spaces. You cannot use the following characters: & (ampersand), ` (single quotation mark), " (double quotation marks), < (less than), > (greater than), or ? (question mark).
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
The device ID part of the syslog message is viewed through the syslog server only and not directly on the ACE. The device ID does not appear in EMBLEM-formatted messages, Simple Network Management Protocol (SNMP) traps, or on the ACE console, management session, or buffer.
Examples
To instruct the ACE to use the hostname of the ACE to uniquely identify the syslog messages, enter:
host1/Admin(config)# logging device-id hostname
To disable the use of the hostname of the ACE, enter:
host1/Admin(config)# no logging device-id
Related Commands
(config) logging enable
(config) logging enable
To enable message logging, use the logging enable command. Message logging is disabled by default. You must enable logging if you want to send messages to one or more output locations. Use the no form of this command to stop message logging to all output locations.
logging enable
no logging enable
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Message logging is disabled by default. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. You must set a logging output location to view any logs.
Examples
To enable message logging to all output locations, enter:
host1/Admin(config)# logging enable
To stop message logging to all output locations, enter:
host1/Admin(config)# no logging enable
Related Commands
This command has no related commands.
(config) logging facility
To change the logging facility to a value other than the default of 20 (LOCAL4), use the logging facility command. Most UNIX systems expect the messages to use facility 20. The ACE allows you to change the syslog facility type to identify the behavior of the syslog daemon (syslogd) on the host. Use the no form of this command to set the syslog facility to its default of 20.
logging facility number
no logging facility number
Syntax Description
number
    Syslog facility. Enter an integer from 16 (LOCAL0) to 23 (LOCAL7). The default is 20 (LOCAL4).
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
The syslog daemon uses the specified syslog facility to determine how to process messages. Each logging facility configures how the syslog daemon on the host handles a message. Syslog servers file messages based on the facility number in the message. For more information on the syslog daemon and facility levels, see your syslog daemon documentation.
Examples
To set the syslog facility as 16 (LOCAL0) in syslog messages, enter:
host1/Admin(config)# logging facility 16
To change the syslog facility back to the default of LOCAL4, enter:
host1/Admin(config)# no logging facility 16
Related Commands
(config) logging enable
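How the facility number from logging facility and the severity thresholds of logging buffered, logging console and logging history (which all use the same 0 to 7 scale, "that level and below") combine in a syslog message, shown in Python as an added example that is not Cisco code. It encodes and decodes the standard syslog PRI value (facility * 8 + severity) and applies a severity threshold on the collector side; the sample lines are constructed, not real ACE output.

```python
"""Syslog priority arithmetic and severity filtering as the ACE describes
them (added example, not Cisco code): facility 16..23 (LOCAL0..LOCAL7,
default 20 = LOCAL4), severity 0..7, and an output configured at level N
receives messages at that level and below (numerically <= N).
"""
import re
from typing import List, NamedTuple, Optional

SEVERITY_NAMES = ("emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging")
FACILITY_NAMES = {16 + i: "LOCAL%d" % i for i in range(8)}   # 16..23
DEFAULT_FACILITY = 20                                         # LOCAL4


def priority(facility: int, severity: int) -> int:
    """PRI value carried as <PRI> at the front of a syslog line."""
    if facility not in FACILITY_NAMES:
        raise ValueError("facility must be 16 (LOCAL0) to 23 (LOCAL7)")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0 to 7")
    return facility * 8 + severity


def passes_threshold(severity: int, configured_level: int) -> bool:
    """True when an output configured at `configured_level` emits this message."""
    return 0 <= severity <= configured_level


class SyslogMessage(NamedTuple):
    facility: int
    facility_name: str
    severity: int
    severity_name: str
    body: str


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog_line(line: str) -> Optional[SyslogMessage]:
    """Split the <PRI> prefix of a received line back into facility and severity;
    returns None for a line without a valid PRI header."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    return SyslogMessage(facility,
                         FACILITY_NAMES.get(facility, "facility%d" % facility),
                         severity, SEVERITY_NAMES[severity], m.group(2))


def select_for_output(lines: List[str], configured_level: int,
                      expected_facility: int = DEFAULT_FACILITY) -> List[SyslogMessage]:
    """Collector-side check: keep lines from the expected facility that fall
    within the configured severity threshold; drop malformed lines and
    lines filed under a different facility."""
    kept = []
    for line in lines:
        msg = parse_syslog_line(line)
        if msg is None or msg.facility != expected_facility:
            continue
        if passes_threshold(msg.severity, configured_level):
            kept.append(msg)
    return kept


# Constructed sample lines (not real ACE output): LOCAL4 at severities 3, 6
# and 1, one LOCAL0 line, and one line with no PRI header at all.
SAMPLE_LINES = [
    "<163>constructed errors-level message from LOCAL4",
    "<166>constructed informational message from LOCAL4",
    "<161>constructed alerts-level message from LOCAL4",
    "<131>constructed errors-level message from LOCAL0",
    "no priority header on this line",
]


if __name__ == "__main__":
    print(priority(DEFAULT_FACILITY, 3))                     # 163
    for msg in select_for_output(SAMPLE_LINES, 3):           # as with "logging buffered 3"
        print(msg.facility_name, msg.severity_name, msg.body)
```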
(config) logging fastpath
To enable the logging of connection setup and teardown messages through the fastpath, use the logging fastpath command. By default, the ACE logs connection setup and teardown syslog messages through the control plane. Use the no form of this command to disable the logging of connection setup and teardown syslog messages.
logging fastpath
no logging fastpath
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Because of the large number of syslog messages that are generated by connection setup and teardown, you can instruct the ACE to send these syslogs through the fast path instead of the control plane. The fast path supports a much higher rate of syslogs than the control plane does. When you instruct the ACE to send these syslogs through the fast path, the message formatting changes (different message spacing) and the syslog IDs change from 106023, 302022, 302023, 302024, and 302025 to 106028, 302028, 302029, 302030, and 302031, respectively.
Examples
To configure the ACE to log connection setup and teardown syslog messages, enter:
host1/Admin(config)# logging fastpath
To disable the ACE from logging connection setup and teardown syslog messages, enter:
host1/Admin(config)# no logging fastpath
Related Commands
(config) logging enable
(config) logging history
To set the Simple Network Management Protocol (SNMP) message severity level when sending log messages to a network management system (NMS), use the logging history command. Use the no form of this command to disable logging of informational system messages to an NMS.
logging history severity_level
no logging history
Syntax Description
severity_level
    Maximum level system log messages sent as traps to the NMS. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:
    • 0—emergencies (system unusable messages)
    • 1—alerts (take immediate action)
    • 2—critical (critical condition)
    • 3—errors (error message)
    • 4—warnings (warning message)
    • 5—notifications (normal but significant condition)
    • 6—informational (information message)
    • 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release       Modification
3.0(0)A1(2)   This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
To enable or disable all SNMP syslog message logging, use the logging history command without the severity_level argument.
We recommend that you use the debugging (7) level during initial setup and during testing. After setup, set the level from debugging (7) to a lower value for use in your network.
Examples
To send informational system message logs to an SNMP NMS, enter:
host1/Admin(config)# logging history 6
To disable logging to an SNMP NMS, enter:
host1/Admin(config)# no logging history
Related Commands
(config) logging enable
(config) logging host
To specify a host (the syslog server) that receives the syslog messages sent by the ACE, use the logging host command. You can use multiple logging host commands to specify additional servers to receive the syslog messages. Use the no form of this command to disable logging to a syslog server. By default, logging to a syslog server on a host is disabled on the ACE.
logging host ip_address [tcp | udp [/port#] | [default-udp] | [format emblem]]
no logging host ip_address
Syntax Description
ip_address
    IP address of the host to be used as the syslog server.
tcp
    (Optional) Specifies to use TCP to send messages to the syslog server. A server can only be specified to receive either UDP or TCP, not both.
udp
    (Optional) Specifies to use UDP to send messages to the syslog server. A server can only be specified to receive either UDP or TCP, not both.
/port#
    (Optional) Port that the syslog server listens to for syslog messages. Enter an integer from 1025 to 65535. The default protocol and port are UDP/514. The default TCP port, if specified, is 1470.
default-udp
    (Optional) Instructs the ACE to default to UDP if the TCP transport fails to communicate with the syslog server.
format emblem
    (Optional) Enables EMBLEM-format logging for each syslog server. The Cisco Resource Management Environment (RME) is a network management application that collects syslogs. RME can process syslog messages only if they are in EMBLEM format.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: 3.0(0)A1(2)
Modification: This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
If you choose to send log messages to a host, the ACE sends those messages using either UDP or TCP. The host must run a program (known as a server) called syslogd, a daemon that accepts messages from other applications and the network, and writes them out to system wide log files. UNIX provides the syslog server as part of its operating system. If you are running Microsoft Windows, you must obtain a syslog server for the Windows operating system.
If you use TCP as the logging transport protocol, the ACE denies new network access sessions if the ACE is unable to reach the syslog server, if the syslog server is misconfigured, if the TCP queue is full, or if the disk is full.
The format emblem keywords allow you to enable EMBLEM-format logging for each syslog server. EMBLEM-format logging is available for either TCP or UDP syslog messages. If you enable EMBLEM-format logging for a particular syslog host, then the messages are sent to that host. If you also enable the logging timestamp command, the messages are sent to the syslog server with a time stamp.
For example, the EMBLEM format for a message with a time stamp appears as follows:
ipaddress or dns name [Dummy Value/Counter]: [mmm dd hh:mm:ss TimeZone]:
%FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: [vtl-ctx: context id] Message-text
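As an added example (not part of the Cisco reference), the following Python parses EMBLEM-format lines in the layout shown above, maps the fast-path connection syslog IDs described under logging fastpath back to their control-plane equivalents, and applies the "level and below" rule that logging trap, logging history, logging monitor and logging persistent share. The host name, counter values, timestamps and message texts in the sample lines are constructed; the facility is assumed to appear as ACE or <ACE>.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# EMBLEM-format layout documented above. The timestamp block is present only
# when logging timestamp is enabled; the facility is assumed to be ACE or <ACE>.
EMBLEM_RE = re.compile(
    r"^(?P<host>\S+) \[(?P<counter>[^\]]*)\]: "
    r"(?:\[(?P<timestamp>[^\]]*)\]: )?"
    r"%<?(?P<facility>[A-Za-z][A-Za-z0-9_]*)>?-"
    r"(?:(?P<subfacility>[A-Za-z][A-Za-z0-9_]*)-)?"
    r"(?P<severity>[0-7])-(?P<syslog_id>\S+?): "
    r"(?:\[vtl-ctx: (?P<context>[^\]]*)\] )?"
    r"(?P<text>.*)$"
)

# Syslog IDs emitted when logging fastpath is enabled, and the control-plane
# IDs they replace (taken from the logging fastpath description).
FASTPATH_TO_CONTROL_PLANE = {
    "106028": "106023",
    "302028": "302022",
    "302029": "302023",
    "302030": "302024",
    "302031": "302025",
}


@dataclass
class AceSyslog:
    host: str
    counter: str
    timestamp: Optional[str]
    facility: str
    subfacility: Optional[str]
    severity: int
    syslog_id: str
    context: Optional[str]
    text: str

    @property
    def control_plane_id(self) -> str:
        # Normalise fast-path IDs so one detection rule covers both logging modes.
        return FASTPATH_TO_CONTROL_PLANE.get(self.syslog_id, self.syslog_id)

    @property
    def from_fastpath(self) -> bool:
        # True when the ID is one the ACE only emits with logging fastpath enabled.
        return self.syslog_id in FASTPATH_TO_CONTROL_PLANE


def parse_emblem(line: str) -> AceSyslog:
    """Parse one EMBLEM-format ACE syslog line; raise ValueError if it does not match."""
    m = EMBLEM_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an EMBLEM-format ACE syslog line: {line!r}")
    return AceSyslog(
        host=m["host"],
        counter=m["counter"],
        timestamp=m["timestamp"],
        facility=m["facility"],
        subfacility=m["subfacility"],
        severity=int(m["severity"]),
        syslog_id=m["syslog_id"],
        context=m["context"],
        text=m["text"],
    )


def passes_severity_threshold(msg: AceSyslog, severity_level: int) -> bool:
    """'Level and below' rule: a destination configured with severity_level N
    receives messages whose numeric severity is N or lower (more severe)."""
    if not 0 <= severity_level <= 7:
        raise ValueError("severity_level must be 0-7")
    return msg.severity <= severity_level


def filter_for_destination(lines: List[str], severity_level: int) -> List[AceSyslog]:
    """Parse lines and keep only those a destination at severity_level would receive."""
    return [m for m in map(parse_emblem, lines) if passes_severity_threshold(m, severity_level)]


# Constructed sample lines in the documented layout. Host, counters, timestamps
# and message texts are made up; the IDs are ones this reference mentions.
SAMPLE_LINES = [
    "ace1.example.net [1]: [Jan 05 10:22:31 UTC]: %ACE-6-302028: [vtl-ctx: 1] Built TCP connection (constructed)",
    "ace1.example.net [2]: [Jan 05 10:22:32 UTC]: %ACE-6-302030: [vtl-ctx: 1] Teardown TCP connection (constructed)",
    "ace1.example.net [3]: [Jan 05 10:22:40 UTC]: %<ACE>-4-411001: [vtl-ctx: 2] Warning text (constructed)",
    "ace1.example.net [4]: %ACE-6-615004: VLAN available for configuring an interface (constructed)",
]

if __name__ == "__main__":
    # Show what a syslog server configured with logging trap 6 would receive.
    for msg in filter_for_destination(SAMPLE_LINES, 6):
        print(msg.severity, msg.syslog_id, "->", msg.control_plane_id, msg.context, msg.text)
```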
Examples
To send log messages to a syslog server, enter:
host1/Admin(config)# logging host 192.168.10.1 tcp/1025 format emblem default-udp
To disable logging to a syslog server, enter:
host1/Admin(config)# no logging host 192.168.10.1
Related Commands
(config) logging enable
(config) logging timestamp
(config) logging message
To control the display of a specific system logging message or to change the severity level associated with the specified system logging message, use the logging message command. Use the no form of this command to disable logging of the specified syslog message.
logging message syslog_id [level severity_level]
no logging message syslog_id
Syntax Description
syslog_id
    Specific message that you want to disable or to enable.
level severity_level
    (Optional) Changes the severity level associated with a specific system log message. For example, the %<ACE>-4-411001 message listed in the syslog has the default assigned severity level of 4 (warning message). You can change the assigned default severity level to a different level.
    Allowable entries are as follows:
    • 0—emergencies (system unusable messages)
    • 1—alerts (take immediate action)
    • 2—critical (critical condition)
    • 3—errors (error message)
    • 4—warnings (warning message)
    • 5—notifications (normal but significant condition)
    • 6—informational (information message)
    • 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: 3.0(0)A1(2)
Modification: This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
You can use the show logging command to determine the level currently assigned to a message and whether the message is enabled.
For information on syslog messages and their IDs, see the Cisco Application Control Engine Module System Message Guide.
Examples
To disable the %<ACE>-6-615004 syslog message (VLAN available for configuring an interface), enter:
host1/Admin(config)# no logging message 615004
To resume logging of the disabled syslog message, enter:
host1/Admin(config)# logging message 615004 level 6
To change the severity level of the 615004 syslog message from the default of 6 (informational) to a severity level of 5 (notification), enter:
(config)# logging message 615004 level 5
To return the severity level of the 615004 syslog message to the default of 6, enter:
host1/Admin(config)# no logging message 615004
Related Commands
(config) logging enable
(config) logging monitor
To display syslog messages as they occur when accessing the ACE through a Secure Shell (SSH) or a Telnet session, use the logging monitor command. You can limit the display of messages based on severity. By default, logging to a remote connection using the SSH or Telnet is disabled on the ACE. Use the no form of this command to disable system message logging to the current Telnet or SSH session.
logging monitor severity_level
no logging monitor
Syntax Description
severity_level
    Maximum level for system log messages displayed during the current SSH or Telnet session. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:
    • 0—emergencies (system unusable messages)
    • 1—alerts (take immediate action)
    • 2—critical (critical condition)
    • 3—errors (error message)
    • 4—warnings (warning message)
    • 5—notifications (normal but significant condition)
    • 6—informational (information message)
    • 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: 3.0(0)A1(2)
Modification: This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Note
Before you can use this command, you must enable remote access on the ACE and establish a remote connection using the SSH or Telnet protocols from a PC.
To display logs during the SSH or Telnet session, also use the terminal monitor Exec mode command. The logging monitor command sets the logging preferences for all SSH and Telnet sessions in the current context, while the terminal monitor command controls, for each individual session, whether syslog messages appear on the terminal during that session.
Examples
To send informational system message logs to the current Telnet or SSH session, enter:
host1/Admin# terminal monitor
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# logging monitor 6
To disable system message logging to the current Telnet or SSH session, enter:
host1/Admin(config)# no logging monitor
Related Commands
(config) logging enable
(config) logging persistent
To send specific log messages to compact flash on the ACE, use the logging persistent command. By default, logging to compact flash is disabled on the ACE. The ACE allows you to specify the system message logs that you want to keep after a system reboot by saving them to compact flash. Use the no form of this command to disable logging to compact flash.
logging persistent severity_level
no logging persistent
Syntax Description
severity_level
    Maximum level for system log messages sent to compact flash. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:
    • 0—emergencies (system unusable messages)
    • 1—alerts (take immediate action)
    • 2—critical (critical condition)
    • 3—errors (error message)
    • 4—warnings (warning message)
    • 5—notifications (normal but significant condition)
    • 6—informational (information message)
    • 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: 3.0(0)A1(2)
Modification: This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
We recommend that you use a lower severity level, such as severity level 3, because logging at a high rate to flash memory on the ACE might affect performance.
Examples
To send informational system message logs to flash memory on the ACE, enter:
host1/Admin(config)# logging persistent 6
To disable logging to flash memory on the ACE, enter:
host1/Admin(config)# no logging persistent
Related Commands
(config) logging enable
(config) logging queue
To change the number of syslog messages that can appear in the message queue, use the logging queue command. By default, the ACE can hold 80 syslog messages in the message queue while awaiting processing. Use the no form of this command to reset the logging queue size to the default of 80 messages.
logging queue queue_size
no logging queue queue_size
Syntax Description
queue_size
    Queue size for storing syslog messages. Enter an integer from 1 to 8192. The default is 80 messages.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: 3.0(0)A1(2)
Modification: This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Set the queue size before the ACE processes syslog messages. When traffic is heavy, messages might get discarded.
Examples
To set the size of the syslog message queue to 1000, enter:
host1/Admin(config)# logging queue 1000
To reset the logging queue size to the default of 80 messages, enter:
host1/Admin(config)# no logging queue 0
Related Commands
(config) logging enable
(config) logging rate-limit
To limit the rate at which the ACE generates messages in the syslog, use the logging rate-limit command. You can limit the number of syslog messages generated by the ACE for specific messages. Use the no form of this command to disable rate limiting for message logging in the syslog.
logging rate-limit {num {interval | level severity_level | message syslog_id} | unlimited {level severity_level | message syslog_id}}
no logging rate-limit {num {interval | level severity_level | message syslog_id} | unlimited {level severity_level | message syslog_id}}
Syntax Description
num
    Number at which the syslog is to be rate limited.
interval
    Time interval in seconds over which the system message logs should be limited. The default time interval is 1 second.
level severity_level
    Specifies the syslog level that you want to rate limit. Allowable entries are as follows:
    • 0—emergencies (system unusable messages)
    • 1—alerts (take immediate action)
    • 2—critical (critical condition)
    • 3—errors (error message)
    • 4—warnings (warning message)
    • 5—notifications (normal but significant condition)
    • 6—informational (information message)
    • 7—debugging (debug messages)
message syslog_id
    Identifies the ID of the specific message you want to suppress reporting.
unlimited
    Disables rate limiting for messages in the syslog.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: 3.0(0)A1(2)
Modification: This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Disabled rate limiting is the default setting. In this case, the logging rate-limit unlimited command will not be displayed in the ACE running-configuration file.
The severity level you enter indicates that you want all syslog messages at the specified level to be rate-limited. For example, if you specify a severity level of 7, the ACE applies a rate limit only to level 7 (debugging messages). If you want to apply a logging rate limit on a different severity level, you must configure the logging rate-limit command for that level as well.
If you configure rate limiting for syslogs 302028 through 302031 (connection setup and teardown syslogs that are formatted in the data plane), the ACE always rate-limits these syslogs at level 6. Even if you change the logging level to a different value using the logging message command and the new logging level appears on the syslog server or other destination, the ACE will continue to rate-limit these syslogs at level 6.
For information on syslog messages and their IDs, see the Cisco Application Control Engine Module System Message Guide.
Examples
To limit the syslog rate to a 60-second time interval for informational messages (level 6), enter:
host1/Admin(config)# logging rate-limit 42 60 level 6
To suppress reporting of system message 302022, enter:
host1/Admin(config)# logging rate-limit 42 60 message 302022
To disable rate limiting, enter:
host1/Admin(config)# no logging rate-limit 42 60 level 6
Related Commands
(config) logging enable
(config) logging reject-newconn
To define whether the ACE prohibits new connections from passing through the device when a specified condition has been met, use the logging reject-newconn command. Use the no form of this command to prevent the ACE from rejecting new connections.
logging reject-newconn {cp-buffer-full | rate-limit-reached | tcp-queue-full}
no logging reject-newconn {cp-buffer-full | rate-limit-reached | tcp-queue-full}
Syntax Description
cp-buffer-full
    Specifies that the ACE will reject new connections when the syslog daemon internal buffer is full.
rate-limit-reached
    Specifies that the ACE will reject new connections if the syslog message rate specified through the logging rate-limit command has been reached. See the (config) logging rate-limit command. Disabled by default.
tcp-queue-full
    Specifies that the ACE will reject new connections when syslogs can no longer reach the TCP syslog server. Enabled by default.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: 3.0(0)A1(2)
Modification: This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Examples
To configure the ACE to reject new connections if the specified syslog message rate has been reached, enter:
host1/Admin(config)# logging reject-newconn rate-limit-reached
To disable the ACE from rejecting new connections, enter:
host1/Admin(config)# no logging reject-newconn rate-limit-reached
Related Commands
(config) logging enable
(config) logging rate-limit
(config) logging standby
To enable logging on the standby ACE in a redundant configuration, use the logging standby command. When enabled, the syslog messages of the standby ACE remain synchronized should a failover occur; the cost is twice the message traffic on the syslog server. Use the no form of this command to disable logging on the standby ACE.
logging standby
no logging standby
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: 3.0(0)A1(2)
Modification: This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
This command is disabled by default.
Examples
To enable logging on the failover standby ACE:
host1/Admin(config)# logging standby
To disable logging on the standby ACE, enter:
host1/Admin(config)# no logging standby
Related Commands
(config) logging enable
(config) logging supervisor
To set the severity level at which syslog messages are sent to the supervisor engine, use the logging supervisor command. The ACE can forward syslog messages to the supervisor engine on the Catalyst 6500 series switch. Use the no form of this command to disable system message logging to the supervisor engine.
logging supervisor severity_level
no logging supervisor
Syntax Description
severity_level
    Maximum level for system log messages. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:
    • 0—emergencies (system unusable messages)
    • 1—alerts (take immediate action)
    • 2—critical (critical condition)
    • 3—errors (error message)
    • 4—warnings (warning message)
    • 5—notifications (normal but significant condition)
    • 6—informational (information message)
    • 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: 3.0(0)A1(2)
Modification: This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Examples
To send informational system message logs to the supervisor engine on the Catalyst 6500 series switch, enter:
host1/Admin(config)# logging supervisor 6
To disable system message logging to the supervisor engine, enter:
host1/Admin(config)# no logging supervisor 3
Related Commands
(config) logging enable
(config) logging timestamp
To specify that syslog messages should include the date and time that the message was generated, use the logging timestamp command. By default, the ACE does not include the date and time in syslog messages. Use the no form of this command to specify that the ACE not include the date and time when logging syslog messages.
logging timestamp
no logging timestamp
Syntax Description
This command has no keywords or arguments.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: 3.0(0)A1(2)
Modification: This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
This command is disabled by default.
Examples
To enable the time stamp on system logging messages, enter:
host1/Admin(config)# logging timestamp
To disable the time stamp from syslog messages, enter:
host1/Admin(config)# no logging timestamp
Related Commands
(config) logging enable
(config) logging trap
To identify which messages are sent to a syslog server, use the logging trap command. This command limits the logging messages sent to a syslog server based on severity. Use the no form of this command to return the trap level to the default (information messages).
logging trap severity_level
no logging trap
Syntax Description
severity_level
    Maximum level for system log messages. The severity level that you specify indicates that you want to log messages at that level and below. Allowable entries are as follows:
    • 0—emergencies (system unusable messages)
    • 1—alerts (take immediate action)
    • 2—critical (critical condition)
    • 3—errors (error message)
    • 4—warnings (warning message)
    • 5—notifications (normal but significant condition)
    • 6—informational (information message)
    • 7—debugging (debug messages)
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: 3.0(0)A1(2)
Modification: This command was introduced.
Usage Guidelines
This command requires the syslog feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
To send logging messages to a syslog server, use the logging host command to specify the name or IP address of the host to be used as the syslog server.
Examples
To send informational system message logs to the syslog server, enter:
host1/Admin(config)# logging trap 6
To disable sending message logs to the syslog server, enter:
host1/Admin(config)# no logging trap 6
Related Commands
(config) logging enable
(config) logging host
(config) object-group
To create an object group, use the object-group command. Object groups allow you to streamline the creation of multiple ACL entries in an ACL. Use the no form of this command to remove the object group from the configuration.
object-group [network | service] name
no object-group [network | service] name
Syntax Description
network
    Specifies a group of hosts or subnet IP addresses.
service
    Specifies a group of TCP or UDP port specifications.
name
    Unique identifier for the object group. Enter the object group name as an unquoted, alphanumeric string from 1 to 64 characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: A2(1.0)
Modification: This command was introduced.
Usage Guidelines
You can create either network or service object groups. After you create these groups, you can use a single ACL entry to allow trusted hosts to make specific service requests to a group of public servers.
If you add new members to an existing object group that is already in use by an entry in a large ACL, recommitting the ACL can take a long time, depending on the size of the ACL and the object group. In some cases, making this change can cause the ACE to devote over an hour to committing the ACL, during which time you cannot access the terminal. We recommend that you first remove the ACL entry that refers to the object group, make your change, and then add the ACL entry back into the ACL.
Examples
To create a network object group, enter:
host1/Admin(config)# object-group network NET_OBJ_GROUP1
Related Commands
(config-objgrp-netw) ip_address netmask
(config-objgrp-netw) host
(config) parameter-map type
To create a connection-, DNS-, generic-, HTTP-, RTSP-, SIP-, SCCP-, or SSL-type parameter map, use the parameter-map type command. Use the no form of this command to remove a parameter map from the ACE.
parameter-map type {connection | dns | generic | http | rtsp | sip | skinny | ssl} name
no parameter-map type {connection | dns | generic | http | rtsp | sip | skinny | ssl} name
Syntax Description
connection
    Specifies a connection-type parameter map. After you create the connection-type parameter map, you configure TCP, IP, and other settings for the map in the parameter map connection configuration mode. For information about the commands in parameter map connection configuration mode, see the "Parameter Map Connection Configuration Mode Commands" section.
dns
    Specifies a DNS parameter map. After you create a DNS parameter map, you configure settings for the map in the parameter map DNS configuration mode. For information about the commands in parameter map DNS configuration mode, see the "Parameter Map DNS Configuration Mode Commands" section.
generic
    Specifies a generic Layer 7 parameter map. After you create the generic Layer 7 parameter map, you configure settings for the map in the parameter map generic configuration mode. For information about the commands in parameter map generic configuration mode, see the "Parameter Map HTTP Configuration Mode Commands" section.
http
    Specifies an HTTP-type parameter map. After you create the HTTP-type parameter map, you configure HTTP settings for the map in the parameter map HTTP configuration mode. For information about the commands in parameter map HTTP configuration mode, see the "Parameter Map HTTP Configuration Mode Commands" section.
rtsp
    Specifies an RTSP-type parameter map. After you create the RTSP-type parameter map, you configure RTSP settings for the map in the parameter map RTSP configuration mode. For information about the commands in parameter map RTSP configuration mode, see the "Parameter Map RTSP Configuration Mode Commands" section.
sip
    Specifies a SIP-type parameter map. After you create the SIP-type parameter map, you configure SIP settings for the map in the parameter map SIP configuration mode. For information about the commands in parameter map SIP configuration mode, see the "Parameter Map SIP Configuration Mode Commands" section.
skinny
    Specifies a Skinny Client Control Protocol (SCCP) type parameter map. After you create the SCCP-type parameter map, you configure SCCP settings for the map in the parameter map SCCP configuration mode. For information about the commands in parameter map SCCP configuration mode, see the "Parameter Map SCCP Configuration Mode Commands" section.
ssl
    Specifies an SSL-type parameter map. After you create the SSL-type parameter map, you configure SSL settings for the map in the parameter map SSL configuration mode. For information about the commands in parameter map SSL configuration mode, see the "Parameter Map SSL Configuration Mode Commands" section.
name
    Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release: 3.0(0)A1(2)
Modification: This command was introduced.
Release: A2(1.0)
Modification: This command was revised.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
The parameter-map type command allows you to configure a series of Layer 3 and Layer 4 statements that instruct the ACE how to handle TCP termination, normalization and reuse, SSL termination, and advanced HTTP behavior for server load-balancing connections. After you enter this command, the system enters the corresponding parameter map configuration mode.
To access one of the parameter-map configuration modes, enter the appropriate parameter-map type command. For example, enter parameter-map type connection, parameter-map type http, or parameter-map type ssl. The CLI prompt changes to the corresponding mode, for example, (config-parammap-conn), (config-parammap-http), or (config-parammap-ssl).
After you configure the parameter map, you associate it with a specific action statement in a policy map.
Examples
To create a connection-type parameter map called TCP_MAP, enter:
host1/Admin(config)# parameter-map type connection TCP_MAP
host1/Admin(config-parammap-conn)#
To create an HTTP-type parameter map called HTTP_MAP, enter:
host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)#
To create an SSL-type parameter map called SSL_MAP, enter:
host1/Admin(config)# parameter-map type ssl SSL_MAP
host1/Admin(config-parammap-ssl)#
Related Commands
show running-config
(config) policy-map
(config) peer hostname
To specify a hostname for the peer ACE in a redundant configuration, use the peer hostname command. The hostname is used for the command line prompts and default configuration filenames. If you establish sessions to multiple devices, the hostname helps you track where you enter commands. Use the no form of this command to reset the hostname of the peer to the default of switch.
peer hostname name
no peer hostname name
Syntax Description
name
    New hostname for the peer ACE. Enter a case-sensitive text string that contains from 1 to 32 alphanumeric characters.
Command Modes
Configuration mode
Admin context only
Command History
Release: A2(1.0)
Modification: This command was introduced.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
By default, the hostname for the ACE is switch.
Examples
To change the hostname of the peer ACE from switch to ACE_1, enter:
switch/Admin(config)# peer hostname ACE_1
Related Commands
(config) hostname
(config) peer shared-vlan-hostid
To configure a specific bank of MAC addresses for a peer ACE in a redundant configuration, use the peer shared-vlan-hostid command. Use the no form of this command to remove the configured bank of MAC addresses.
peer shared-vlan-hostid number
no peer shared-vlan-hostid
Syntax Description
number
    Bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs.
Command Modes
Configuration mode
Admin context only
Command History
Release: 3.0(0)A1(6.2a)
Modification: This command was introduced.
Usage Guidelines
This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Examples
To configure bank 3 for a peer ACE, enter:
host1/Admin(config)# peer shared-vlan-hostid 3
To remove the configured bank of MAC addresses, enter:
host1/Admin(config)# no peer shared-vlan-hostid
Related Commands
(config) arp
(config) shared-vlan-hostid
(config) policy-map
To create a Layer 3 and Layer 4 or Layer 7 policy map and enter the corresponding policy map configuration mode, use the policy-map command. Use the no form of this command to remove a policy map from the ACE.
policy-map multi-match map_name
policy-map type inspect {ftp first-match | http all-match | sip all-match | skinny} map_name
policy-map type loadbalance {first-match | generic first-match | http first-match | radius first-match | rdp first-match | rtsp first-match | sip first-match} map_name
policy-map type management first-match map_name
no policy-map multi-match map_name
no policy-map type inspect {ftp first-match | http all-match | sip all-match | skinny} map_name
no policy-map type loadbalance {first-match | generic first-match | http first-match | radius first-match | rdp first-match | rtsp first-match | sip first-match} map_name
no policy-map type management first-match map_name
Syntax Description
multi-match
    Configures a Layer 3 and Layer 4 policy map that defines the different actions applied to traffic passing through the ACE. The ACE attempts to match multiple classes within the Layer 3 and Layer 4 policy map to allow a multifeature Layer 3 and Layer 4 policy map. The ACE executes the action for only one matching class within each of the class sets. The definition of which classes are in the same class set depends on the actions applied to the classes; the ACE associates each policy map action with a specific set of classes.
    For information about the commands in policy map configuration mode, see the "Policy Map Configuration Mode Commands" section.
map_name
    Name assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
type
    Specifies the type of policy map to be defined. When you specify a policy map type, you enter its corresponding policy map configuration mode (for example, RADIUS load balancing).
inspect ftp first-match
    Specifies a Layer 7 policy map that defines the inspection of File Transfer Protocol (FTP) commands by the ACE. The ACE executes the action for the first matching classification. For a list of classes in a policy map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map FTP inspection configuration mode, see the "Policy Map FTP Inspection Configuration Mode Commands" section.
inspect http all-match
    Specifies a Layer 7 policy map that defines the deep packet inspection of the HTTP protocol by the ACE. The ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request. For information about the commands in policy map inspection HTTP configuration mode, see the "Policy Map Inspection HTTP Configuration Mode Commands" section.
inspect sip all-match
    Specifies a Layer 7 policy map that defines the inspection of SIP protocol packets by the ACE. The ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request. For information about the commands in policy map inspection SIP configuration mode, see the "Policy Map Inspection SIP Configuration Mode Commands" section.
inspect skinny
    Specifies a Layer 7 policy map that defines the inspection of SCCP or skinny protocol packets by the ACE. The ACE uses the SCCP inspection policy to filter traffic based on message ID and to perform user-configurable actions on that traffic. For information about the commands in policy map inspection Skinny configuration mode, see the "Policy Map Inspection Skinny Configuration Mode Commands" section.
|
loadbalance first-match
|
Specifies a Layer 7 policy map that defines Layer 7 HTTP server load-balancing decisions. The ACE executes the action for the first matching classification. For a list of classes in a policy-map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information about the commands in policy map load balance configuration mode, see the "Policy Map Load Balancing HTTP Configuration Mode Commands" section.
|
loadbalance generic first-match
|
Specifies a Layer 7 policy map that defines Layer 7 HTTP server load-balancing decisions. The ACE executes the action for the first matching classification. For a list of classes in a policy-map, the actions associated with the first class that matches the packet are the actions that the ACE executes on the packet. For information |