Table Of Contents
Parameter Map Connection Configuration Mode Commands
(config-parammap-conn) exceed-mss
(config-parammap-conn) nagle
(config-parammap-conn) random-sequence-number
(config-parammap-conn) rate-limit
(config-parammap-conn) reserved-bits
(config-parammap-conn) set ip tos
(config-parammap-conn) set tcp ack-delay
(config-parammap-conn) set tcp buffer-share
(config-parammap-conn) set tcp mss
(config-parammap-conn) set tcp syn-retry
(config-parammap-conn) set tcp timeout
(config-parammap-conn) set tcp wan-optimization
(config-parammap-conn) set tcp window-scale
(config-parammap-conn) set timeout inactivity
(config-parammap-conn) slowstart
(config-parammap-conn) syn-data
(config-parammap-conn) tcp-options
(config-parammap-conn) urgent-flag
Parameter Map DNS Configuration Mode Commands
(config-parammap-dns) timeout query
Parameter Map Generic Configuration Mode Commands
(config-parammap-generi) case-insensitive
(config-parammap-generi) set max-parse-length
Parameter Map HTTP Configuration Mode Commands
(config-parammap-http) case-insensitive
(config-parammap-http) header modify per-request
(config-parammap-http) length-exceed
(config-parammap-http) persistence-rebalance
(config-parammap-http) server-conn reuse
(config-parammap-http) set content-maxparse-length
(config-parammap-http) set header-maxparse-length
(config-parammap-http) set secondary-cookie-delimiters
Parameter Map RTSP Configuration Mode Commands
(config-parammap-rtsp) case-insensitive
(config-parammap-rtsp) set header-maxparse-length
Parameter Map SCCP Configuration Mode Commands
(config-parammap-skinny) enforce-registration
(config-parammap-skinny) message-id max
(config-parammap-skinny) sccp-prefix-len
Parameter Map SIP Configuration Mode Commands
(config-parammap-sip) im
(config-parammap-sip) max-forward-validation
(config-parammap-sip) software-version
(config-parammap-sip) strict-header-validation
(config-parammap-sip) timeout
(config-parammap-sip) uri-non-sip
Parameter Map SSL Configuration Mode Commands
(config-parammap-ssl) cipher
(config-parammap-ssl) close-protocol
(config-parammap-ssl) expired-crl reject
(config-parammap-ssl) queue-delay timeout
(config-parammap-ssl) session-cache timeout
(config-parammap-ssl) version
Parameter Map Connection Configuration Mode Commands
Parameter map connection configuration mode commands allow you to define a connection-type parameter map. After you create the connection parameter map, you can configure TCP, IP, and other settings for the map. To create the connection parameter map and access parameter map connection configuration mode, use the parameter-map type connection command in configuration mode. The prompt changes to (config-parammap-conn). Use the no form of this command to remove the parameter map from the configuration.
parameter-map type connection name
no parameter-map type connection name
Syntax Description
name
|
Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
|
Command Modes
Configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
The commands in this mode require the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
After you create and configure a parameter map, you must associate the parameter map with a policy map to activate it. For details, see the (config-pmap-c) connection advanced-options command in the "Policy Map Configuration Mode Commands" section.
Examples
To create a connection parameter map called TCP_MAP, enter:
host1/Admin(config)# parameter-map type connection TCP_MAP
host1/Admin(config-parammap-conn)#
To delete the connection parameter map, enter:
host1/Admin(config)# no parameter-map type connection TCP_MAP
Related Commands
(config) parameter-map type
(config-pmap-c) connection advanced-options
show parameter-map
(config-parammap-conn) exceed-mss
To configure the ACE to allow segments that exceed the maximum segment size (MSS), use the exceed-mss command. Use the no form of this command to reset the ACE to its default of discarding segments that exceed the MSS.
exceed-mss {allow | drop}
no exceed-mss
Syntax Description
allow
|
Permits segments that exceed the maximum segment size.
|
drop
|
Discards segments that exceed the maximum segment size. This is the default.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To configure the ACE to allow segments that exceed the MSS, enter:
host1/Admin(config-parammap-conn)# exceed-mss allow
To configure the ACE to discard segments that exceed the MSS, enter:
host1/Admin(config-parammap-conn)# exceed-mss drop
To reset the ACE behavior to the default of discarding segments that exceed the MSS, enter:
host1/Admin(config-parammap-conn)# no exceed-mss
Related Commands
(config-parammap-conn) set tcp mss
show parameter-map
(config-parammap-conn) nagle
To enable Nagle's algorithm, use the nagle command. By default, this command is disabled. Nagle's algorithm instructs a sender to buffer any data to be sent until all outstanding data has been acknowledged or until there is a full segment of data to send. Use the no form of this command to disable Nagle's algorithm.
nagle
no nagle
Syntax Description
This command has no keywords or arguments.
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
Nagle's algorithm automatically concatenates a number of small buffer messages that are transmitted over the TCP connection. This process increases throughput by decreasing the number of segments that need to be sent over the network. However, the interaction between Nagle's algorithm and the TCP delay acknowledgment may increase latency in your TCP connection. You should disable Nagle's algorithm if you notice delays in your TCP connection.
Examples
To enable Nagle's algorithm, enter:
host1/Admin(config-parammap-conn)# nagle
To disable Nagle's algorithm, enter:
host1/Admin(config-parammap-conn)# no nagle
Related Commands
show parameter-map
(config-parammap-conn) random-sequence-number
To enable TCP sequence number randomization, use the random-sequence-number command. This feature is enabled by default. Use the no form of this command to disable sequence number randomization.
random-sequence-number
no random-sequence-number
Syntax Description
This command has no keywords or arguments.
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
Randomizing the initial sequence number makes it harder for an off-path attacker to predict the sequence numbers in use on a connection and to inject, reset, or hijack it. RFC 6528 describes these attacks and the recommended defense; leave this feature enabled unless you have a specific reason to disable it.
Examples
To enable sequence number randomization, enter:
host1/Admin(config-parammap-conn)# random-sequence-number
To disable sequence number randomization, enter:
host1/Admin(config-parammap-conn)# no random-sequence-number
Related Commands
show parameter-map
(config-parammap-conn) rate-limit
To limit the connection rate or the bandwidth rate of a policy, use the rate-limit command. Use the no form of this command to return the behavior of the ACE to the default of not limiting the connection rate or the bandwidth rate of a policy.
rate-limit {connection number1 | bandwidth number2}
no rate-limit {connection number1 | bandwidth number2}
Syntax Description
connection number1
|
Specifies the connection-rate limit for a policy in connections per second. Enter an integer from 0 to 350000. There is no default value.
|
bandwidth number2
|
Specifies the bandwidth-rate limit for a policy in bytes per second. Enter an integer from 0 to 300000000. There is no default value.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
A2(1.0)
|
This command was introduced.
|
Usage Guidelines
In addition to preserving system resources by limiting the total number of active connections to a real server, the ACE allows you to limit the connection rate and the bandwidth rate of a policy map. The connection rate is the number of connections per second that match the policy. The bandwidth rate is the number of bytes per second that match the policy. The ACE applies these rate limits to each class map that you associate with the policy at the virtual server level.
When the connection-rate limit or the bandwidth-rate limit is reached, the ACE blocks any further traffic that matches that policy until the connection rate or bandwidth rate drops below the configured limit. By default, the ACE does not limit the connection rate or the bandwidth rate of a policy.
You can also limit the connection rate and the bandwidth rate of a real server in a server farm. For details, see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.
Examples
To limit the connection rate of a policy to 100000 connections per second, enter:
host1/Admin(config-parammap-conn)# rate-limit connection 100000
To return the behavior of the ACE to the default of not limiting the policy connection rate, enter:
host1/Admin(config-parammap-conn)# no rate-limit connection 100000
To limit the policy bandwidth rate to 50000000 bytes per second, enter:
host1/Admin(config-parammap-conn)# rate-limit bandwidth 50000000
To return the behavior of the ACE to the default of not limiting the policy bandwidth rate, enter:
host1/Admin(config-parammap-conn)# no rate-limit bandwidth 50000000
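The following Python model is an added illustration of the rate-limit semantics described above; it is example code, not ACE software. The page does not describe how the ACE measures a rate internally, so the model counts admitted connections and bytes over a trailing one-second window (an assumption) and applies the stated rule that traffic matching the policy is blocked while the measured rate is at or above the configured limit. The workload timelines are constructed for the example.

```python
"""Policy-level connection-rate and bandwidth-rate limiting, as an added
illustration of the rate-limit command (not ACE code). Each limit is modelled
as a count over a trailing one-second window; that window is an assumption."""
from collections import deque


class PolicyRateLimiter:
    def __init__(self, connection_limit=None, bandwidth_limit=None, window=1.0):
        # None mirrors the page default of not limiting; 0 blocks everything.
        self.connection_limit = connection_limit   # connections per second
        self.bandwidth_limit = bandwidth_limit     # bytes per second
        self.window = window
        self._conns = deque()                      # timestamps of admitted connections
        self._bytes = deque()                      # (timestamp, nbytes) admitted

    def _expire(self, now):
        while self._conns and now - self._conns[0] >= self.window:
            self._conns.popleft()
        while self._bytes and now - self._bytes[0][0] >= self.window:
            self._bytes.popleft()

    def connection_rate(self, now):
        self._expire(now)
        return len(self._conns) / self.window

    def bandwidth_rate(self, now):
        self._expire(now)
        return sum(n for _, n in self._bytes) / self.window

    def admit_connection(self, now):
        """True if a new connection matching the policy is accepted at time now."""
        if self.connection_limit is not None and self.connection_rate(now) >= self.connection_limit:
            return False
        self._conns.append(now)
        return True

    def admit_bytes(self, now, nbytes):
        """True if nbytes of matching traffic are accepted at time now.
        The check is made before adding nbytes, so one event may carry the
        measured rate slightly past the limit; later events are then blocked."""
        if self.bandwidth_limit is not None and self.bandwidth_rate(now) >= self.bandwidth_limit:
            return False
        self._bytes.append((now, nbytes))
        return True


def replay(limiter, events):
    """events: (time, kind, size) with kind 'conn' or 'data'.
    Returns (accepted, blocked) counts after replaying them in time order."""
    accepted = blocked = 0
    for t, kind, size in sorted(events):
        ok = limiter.admit_connection(t) if kind == "conn" else limiter.admit_bytes(t, size)
        accepted += ok
        blocked += not ok
    return accepted, blocked


# Constructed workload (not measured traffic): 150 connection attempts within
# the first half second, then 50 more starting at t = 1.5 s.  With a limit of
# 100 conn/s the first 100 are admitted, the next 50 are blocked, and the
# later 50 are admitted again once the window has drained.
BURST = ([(i * 0.003, "conn", 0) for i in range(150)]
         + [(1.5 + i * 0.001, "conn", 0) for i in range(50)])
# Five 1500-byte events 100 ms apart against a 5000 byte/s limit: four pass,
# the fifth is blocked because the window already holds 6000 bytes.
DATA = [(0.1 * i, "data", 1500) for i in range(5)]

if __name__ == "__main__":
    print(replay(PolicyRateLimiter(connection_limit=100), BURST))   # (150, 50)
    print(replay(PolicyRateLimiter(bandwidth_limit=5000), DATA))     # (4, 1)
```

The unbounded case (`PolicyRateLimiter()`) admits everything, which matches the page's default of not limiting, and a limit of 0 blocks every event, which is why a practitioner should treat 0 as "deny matching traffic" rather than "unlimited".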
Related Commands
show parameter-map
(config-parammap-conn) reserved-bits
To configure how an ACE handles segments with the reserved bits set in the TCP header, use the reserved-bits command. Use the no form of this command to reset the ACE to its default of clearing reserved bits set in the TCP header of a segment.
reserved-bits {allow | clear | drop}
no reserved-bits
Syntax Description
allow
|
Permits segments with the reserved bits set in the TCP header.
|
clear
|
Clears the reserved bits in the TCP header and allows the segment. This is the default.
|
drop
|
Discards segments with reserved bits set in the TCP header.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
RFC 793 defines six reserved bits in the TCP header; they are for future use and are expected to be 0. Note that RFC 3168 (Explicit Congestion Notification) has since assigned two of those bit positions as the ECE and CWR flags. Clearing them silently disables ECN negotiation for the connection, and dropping segments that set them breaks connections from ECN-capable hosts, so use allow where ECN is expected to work end to end.
Examples
To configure the ACE to allow segments with the reserved bits set in the TCP header, enter:
host1/Admin(config-parammap-conn)# reserved-bits allow
To reset the ACE to its default of clearing reserved bits set in the TCP header of a segment, enter:
host1/Admin(config-parammap-conn)# no reserved-bits
Related Commands
show parameter-map
(config-parammap-conn) set ip tos
To set the type of service (ToS) for packets in a particular traffic class, use the set ip tos command. Use the no form of this command to instruct the ACE to not rewrite the IP ToS value.
set ip tos number
no set ip tos
Syntax Description
number
|
Packet ToS value. Enter an integer from 0 to 255.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
The ToS for a packet determines how the network handles the packet and balances its precedence, delay, throughput, and reliability. This information resides in the IP header.
For details about the ToS byte, see RFCs 791, 1122, 1349, and 3168. RFC 2474 redefines the same byte as a six-bit Differentiated Services Code Point (DSCP) followed by the two ECN bits (RFC 3168). The value that you enter with this command is the whole eight-bit byte, so a DSCP value must be shifted left by two bits (for example, DSCP 46 corresponds to a ToS value of 184).
Examples
To set a packet's ToS value to 20, enter:
host1/Admin(config-parammap-conn)# set ip tos 20
To instruct the ACE to leave the ToS byte of a packet unchanged, enter:
host1/Admin(config-parammap-conn)# no set ip tos
Related Commands
show parameter-map
(config-parammap-conn) set tcp ack-delay
To configure an ACK delay, use the set tcp ack-delay command. You can configure the ACE to delay sending the ACK from a client to a server. Some applications delay the ACK for best performance. To reset the ACK delay timer to the default value of 200 ms, use the no form of this command.
set tcp ack-delay number
no set tcp ack-delay
Syntax Description
number
|
Delay time for sending an ACK from a client to a server. Enter an integer from 0 to 400 ms. The default is 200 ms.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(2)
|
This command was introduced.
|
Usage Guidelines
Delaying the ACK can help reduce congestion by sending one ACK for multiple segments rather than sending an ACK for each segment.
Examples
To delay sending an ACK for 400 ms, enter:
host1/Admin(config-parammap-conn)# set tcp ack-delay 400
To reset the ACK delay timer to the default of 200 ms, enter:
host1/Admin(config-parammap-conn)# no set tcp ack-delay
Related Commands
show parameter-map
(config-parammap-conn) set tcp buffer-share
To set the maximum receive or transmit buffer share size for each TCP connection, use the set tcp buffer-share command. Use the no form of this command to reset the buffer limit to the default of 32768 bytes.
set tcp buffer-share number
no set tcp buffer-share
Syntax Description
number
|
Maximum size of the receive or transmit buffer share in bytes for each TCP connection. Enter an integer from 8192 to 262143. The default is 32768 bytes.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(6.2a)
|
This command was introduced.
|
Usage Guidelines
To improve throughput and overall performance, the ACE checks the number of buffered bytes on a TCP connection against the configured buffer setting before accepting new receive or transmit data. By default, the maximum size of the receive or transmit buffer for each TCP connection is 32768 bytes. For large bandwidth and delay network connections, you may want to increase the default buffer size to improve your network performance.
Examples
To specify a maximum receive buffer share size of 16384 bytes, enter:
host1/Admin(config-parammap-conn)# set tcp buffer-share 16384
To reset the buffer limit to the default of 32768 bytes, enter:
host1/Admin(config-parammap-conn)# no set tcp buffer-share
Related Commands
show parameter-map
(config-parammap-conn) set tcp mss
To set a range of values for the TCP maximum segment size (MSS), use the set tcp mss command. Use the no form of this command to reset the minimum MSS to the default of 536 bytes and the maximum MSS to the default of 1380.
set tcp mss min number1 max number2
no set tcp mss
Syntax Description
min number1
|
Specifies the smallest MSS in bytes that the ACE will accept. Enter an integer from 0 to 65535. The default is 536 bytes. If a host advertises an MSS below this value in its SYN, the ACE rewrites the option to the configured minimum (see the "Usage Guidelines" section).
|
max number2
|
Specifies the largest MSS in bytes that the ACE will accept. Enter an integer from 0 to 65535. The default is 1380 bytes. If a host advertises an MSS above this value in its SYN, the ACE rewrites the option to the configured maximum (see the "Usage Guidelines" section). Data segments that exceed the MSS are handled according to the exceed-mss command, which discards them by default.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
The MSS is the largest amount of TCP data that the ACE accepts in one segment. To prevent the transmission of many smaller segments or very large segments that may require fragmentation, you can set the minimum and maximum acceptable sizes of the MSS.
Both the host and the server can set the MSS when they first establish a connection. If either maximum value exceeds the value that you set with the set tcp mss max command, then the ACE overrides the maximum value and inserts the value that you set. If either maximum value is less than the value that you set with the set tcp mss min command, then the ACE overrides the maximum value and inserts the minimum value (the minimum value is actually the smallest maximum allowed). For example, if you set a maximum value of 1200 bytes and a minimum value of 400 bytes, when a host requests a maximum value of 1300 bytes, then the ACE alters the packet to request 1200 bytes (the maximum). If another host requests a maximum value of 300 bytes, then the ACE alters the packet to request 400 bytes (the minimum).
The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. The calculation assumes that the packet is carried inside an IPsec tunnel, which is why the overhead includes the AH and ESP headers and a second IP header in addition to the TCP and IP headers:
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
If the host or server does not request an MSS, the ACE assumes that the RFC 793 default value of 536 bytes is in effect.
If you set the MSS to be greater than 1380, packets might become fragmented, depending on the MTU size (which is 1500 by default for Ethernet). Large numbers of fragments can impact the performance of the ACE. Setting the minimum size prevents the TCP server from sending many small TCP data packets to the client and impacting the performance of the server and the network.
Examples
To set the minimum acceptable MSS value to 768 bytes and the maximum acceptable MSS value to 1500, enter:
host1/Admin(config-parammap-conn)# set tcp mss min 768 max 1500
To reset the minimum MSS to the default of 536 bytes and the maximum MSS to the default of 1380, enter:
host1/Admin(config-parammap-conn)# no set tcp mss
Related Commands
(config-parammap-conn) exceed-mss
show parameter-map
(config-parammap-conn) set tcp syn-retry
To set the maximum number of times that the ACE retransmits a SYN segment while establishing a TCP connection, use the set tcp syn-retry command. Use the no form of this command to reset the maximum number of TCP SYN retries to the default of 4.
set tcp syn-retry number
no set tcp syn-retry
Syntax Description
number
|
Number of SYN retries. Enter an integer from 1 to 6. The default is 4.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
This command has no usage guidelines.
Examples
To set the maximum number of SYN retries to 3, enter:
host1/Admin(config-parammap-conn)# set tcp syn-retry 3
To reset the maximum number of TCP SYN retries to the default of 4, enter:
host1/Admin(config-parammap-conn)# no set tcp syn-retry
Related Commands
show parameter-map
(config-parammap-conn) set tcp timeout
To configure a timeout for TCP embryonic connections (connections that result from an incomplete three-way handshake) and half-closed connections (connections where the client has sent a FIN and the server has not responded), use the set tcp timeout command. Use the no form of this command to reset TCP timeout values to their default settings.
set tcp timeout {embryonic seconds | half-closed seconds}
no set tcp timeout {embryonic | half-closed}
Syntax Description
embryonic
|
Specifies the timeout for embryonic connections.
|
seconds
|
Time in seconds after which the ACE times out an embryonic connection. Enter an integer from 0 to 4294967295. The default is 5 seconds. A value of 0 specifies that the ACE never times out an embryonic connection, which removes the protection against half-open connections that this timer provides.
|
half-closed
|
Specifies the timeout for half-closed connections.
|
seconds
|
Time in seconds after which the ACE times out a half-closed connection. Enter an integer from 0 to 4294967295. The default is 3600 seconds (1 hour). A value of 0 specifies that the ACE never times out a half-closed TCP connection.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
The set tcp timeout embryonic command affects only Layer 4 flows and not Layer 7 flows.
Examples
To set the TCP timeout for embryonic connections to 24 seconds, enter:
host1/Admin(config-parammap-conn)# set tcp timeout embryonic 24
To reset the TCP half-closed connection timeout to the default of 3600 seconds, enter:
host1/Admin(config-parammap-conn)# no set tcp timeout half-closed
Related Commands
show parameter-map
(config-parammap-conn) set tcp wan-optimization
To control how the ACE applies TCP optimizations to packets on a connection associated with a Layer 7 policy map using a round-trip time (RTT) value, use the set tcp wan-optimization command. Use the no form of this command to restore ACE behavior to the default of not optimizing TCP connections.
set tcp wan-optimization rtt number
no set tcp wan-optimization rtt number
Syntax Description
number
|
RTT value. Enter an integer from 0 to 65535. The default is 65535.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(3)
|
This command was introduced.
|
Usage Guidelines
This command allows you to control how the ACE applies TCP optimizations to packets on a connection associated with a Layer 7 policy map using the following RTT values:
• For a value of 0, the ACE applies TCP optimizations to packets for the life of a connection.
• For a value of 65535 (the default), the ACE performs normal operations (no optimizations) for the life of a connection.
• For values from 1 to 65534, the ACE applies TCP optimizations to packets based on the client RTT to the ACE as follows:
  – If the actual client RTT is less than the configured RTT, the ACE performs normal operations for the life of the connection.
  – If the actual client RTT is greater than or equal to the configured RTT, the ACE performs TCP optimizations on the packets for the life of a connection.
TCP optimizations include the following connection parameter-map configuration mode operations:
• Nagle optimization algorithm
• Slow-start connection behavior
• Acknowledgement (ACK) delay timer
• Window-scale factor
• Retry settings
Examples
To set the RTT to 0 to apply TCP optimizations to packets for the life of a connection, enter:
host1/C1(config-parammap-conn)# set tcp wan-optimization rtt 0
To restore the ACE behavior to the default of not optimizing TCP connections, enter:
host1/C1(config-parammap-conn)# no set tcp wan-optimization rtt
Related Commands
show parameter-map
(config-parammap-conn) set tcp window-scale
To configure a TCP window-scale factor for network paths with high-bandwidth, long-delay characteristics, use the set tcp window-scale command. Use the no form of this command to reset the window-scale factor to its default setting.
set tcp window-scale number
no set tcp window-scale
Syntax Description
number
|
Window-scale factor. Enter an integer from 0 to 14. The default is 0.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(2)
|
This command was introduced.
|
Usage Guidelines
The TCP window scaling feature adds support for the Window Scale option defined in RFC 1323 (since superseded by RFC 7323). We recommend increasing the window size to improve TCP performance in network paths with large bandwidth, long-delay characteristics. This type of network is called a long fat network (LFN).
The window scaling extension expands the definition of the TCP window to 32 bits and then uses a scale factor to carry this 32-bit value in the 16-bit window field of the TCP header. You can increase the window size to a maximum scale factor of 14. Typical applications use a scale factor of 3 when deployed in LFNs.
Examples
To set the TCP window-scale factor to 3, enter:
host1/Admin(config-parammap-conn)# set tcp window-scale 3
To reset the TCP window-scale factor to the default of 0, enter:
host1/Admin(config-parammap-conn)# no set tcp window-scale
Related Commands
show parameter-map
(config-parammap-conn) set timeout inactivity
To configure the connection inactivity timer, use the set timeout inactivity command. Use the no form of this command to reset the timeout inactivity values to the default ICMP, TCP, and UDP settings.
set timeout inactivity seconds
no set timeout inactivity
Syntax Description
inactivity
|
Specifies the timeout for idle ICMP, TCP, and UDP connections.
|
seconds
|
Time period in seconds after which the ACE disconnects idle established connections. Enter an integer from 0 to 3217203. A value of 0 specifies that the ACE never times out an idle connection. Default settings are as follows:
• ICMP—2 seconds
• TCP—3600 seconds (1 hour)
• UDP—120 seconds (2 minutes)
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
The ACE uses the connection inactivity timer to disconnect established ICMP, TCP, and UDP connections that have remained idle for the duration of the specified timeout period.
The ACE rounds up the configured timeout value to the nearest 30-second interval.
Examples
To specify that the ACE disconnect idle established TCP connections after 2400 seconds, enter:
host1/Admin(config-parammap-conn)# set timeout inactivity 2400
To reset the ICMP, TCP, and UDP inactivity timeout to the default values, enter:
host1/Admin(config-parammap-conn)# no set timeout inactivity
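The Python model below is an added illustration of how the three timers on this page interact: the embryonic and half-closed timers of set tcp timeout and the idle timer of set timeout inactivity. It is example code, not ACE software. The connection records and the event timeline are constructed; the rounding of the inactivity value up to a 30-second interval and the meaning of 0 (never) are taken from the page, while the page's note that the embryonic timer applies only to Layer 4 flows is not modelled (the example treats every flow the same, an assumption).

```python
"""Connection-table timers as an added illustration (not ACE code): embryonic
(handshake incomplete), half-closed (one side sent FIN) and idle timeouts."""
import math


class ConnectionTable:
    def __init__(self, embryonic=5, half_closed=3600, inactivity=None):
        self.embryonic = embryonic        # set tcp timeout embryonic (page default 5 s)
        self.half_closed = half_closed    # set tcp timeout half-closed (page default 3600 s)
        self.inactivity = inactivity      # set timeout inactivity; None = per-protocol defaults
        self.conns = {}                   # conn_id -> {"proto", "state", "last_seen"}

    def _idle_timeout(self, proto):
        if self.inactivity is None:       # page defaults: ICMP 2 s, TCP 3600 s, UDP 120 s
            return {"icmp": 2, "tcp": 3600, "udp": 120}[proto]
        return math.ceil(self.inactivity / 30) * 30   # page: rounded up to a 30-s interval

    def event(self, now, conn_id, kind, proto="tcp"):
        """kind: 'syn', 'established', 'fin' or 'data'. Any event refreshes last_seen;
        how the ACE itself detects these transitions is not described (assumption)."""
        c = self.conns.setdefault(conn_id, {"proto": proto, "state": "established", "last_seen": now})
        c["last_seen"] = now
        if kind == "syn":
            c["state"] = "embryonic"
        elif kind == "established":
            c["state"] = "established"
        elif kind == "fin":
            c["state"] = "half-closed"

    def timeout_for(self, c):
        """Seconds of silence after which the record is dropped; 0 means never."""
        if c["state"] == "embryonic":
            return self.embryonic
        if c["state"] == "half-closed":
            return self.half_closed
        return self._idle_timeout(c["proto"])

    def expire(self, now):
        """Remove and return the ids of connections whose timer has run out at now."""
        gone = []
        for cid, c in list(self.conns.items()):
            t = self.timeout_for(c)
            if t and now - c["last_seen"] >= t:
                gone.append(cid)
                del self.conns[cid]
        return gone


def run_timeline(table):
    """Constructed timeline: c1 is a half-open SYN that never completes, c2 is a
    normal flow that goes half-closed at t=10, u1 is a UDP flow that falls idle.
    Returns {time: [expired ids]} for a few probe times."""
    table.event(0, "c1", "syn")
    table.event(0, "c2", "syn")
    table.event(1, "c2", "established")
    table.event(2, "c2", "data")
    table.event(10, "c2", "fin")
    table.event(0, "u1", "data", proto="udp")
    out = {}
    for now in (4, 6, 130, 700, 3610):
        expired = table.expire(now)
        if expired:
            out[now] = expired
    return out


if __name__ == "__main__":
    print(run_timeline(ConnectionTable()))                       # page defaults
    print(run_timeline(ConnectionTable(embryonic=24, half_closed=600, inactivity=100)))
```

With the page defaults the half-open SYN is dropped at 6 seconds, the idle UDP flow at 130 seconds, and the half-closed TCP flow only after an hour; with the tighter values from the page's examples (embryonic 24, half-closed 600) plus an inactivity value of 100, the inactivity timer is rounded to 120 seconds and the half-closed flow is reaped at 700 seconds.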
Related Commands
show parameter-map
(config-parammap-conn) slowstart
To enable the slow start algorithm, use the slowstart command. This feature is disabled by default. Use the no form of this command to disable the slow start algorithm after it has been enabled.
slowstart
no slowstart
Syntax Description
This command has no keywords or arguments.
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
The slow start algorithm is a congestion control method in which TCP increases its congestion window as acknowledgments arrive. It operates by observing that the rate at which new segments should be injected into the network is the rate at which the acknowledgments are returned by the host at the other end of the connection. For further details, see RFC 5681 (slow start and congestion avoidance) and RFC 3390 (the initial window used when slow start begins).
Examples
To enable the slow start algorithm, enter:
host1/Admin(config-parammap-conn)# slowstart
To disable the slow start algorithm, enter:
host1/Admin(config-parammap-conn)# no slowstart
Related Commands
show parameter-map
(config-parammap-conn) syn-data
To set the ACE to discard SYN segments with data, use the syn-data command. Use the no form of this command to reset the ACE to its default of allowing SYN segments that contain data.
syn-data {allow | drop}
no syn-data
Syntax Description
allow
|
Permits the SYN segments that contain data and flags them for data processing. This is the default.
|
drop
|
Discards the SYN segments that contain data.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
Occasionally, the ACE may receive a SYN segment that contains data. You can configure the ACE to either discard the segment or flag the segment for data processing. Note that a SYN carrying data is also the normal first segment of a TCP Fast Open connection (RFC 7413), so a drop policy rejects the initial request of any client that uses it.
Examples
To instruct the ACE to discard segments that contain data, enter:
host1/Admin(config-parammap-conn)# syn-data drop
To reset the ACE to its default of allowing SYN segments that contain data, enter:
host1/Admin(config-parammap-conn)# no syn-data
Related Commands
show parameter-map
(config-parammap-conn) tcp-options
To specify a range of TCP options not explicitly supported by the ACE, or allow or clear explicitly supported TCP options specified in a SYN segment, use the tcp-options command. Use the no form of this command to remove a TCP option range from the configuration or reset the ACE to its default of clearing the specific TCP options.
tcp-options {range number1 number2 {allow | drop}} | {selective-ack | timestamp | window-scale {allow | clear | drop}}
no tcp-options {range number1 number2 {allow | drop}} | {selective-ack | timestamp | window-scale {allow | clear | drop}}
Syntax Description
range number1 number2
|
Specifies the TCP options not explicitly supported by the ACE using a range of option numbers. The arguments are as follows:
• number1—Specifies the lower limit of the TCP option range. Enter either 6 or 7 or an integer from 9 to 255. See the "Usage Guidelines" section for the available TCP options.
• number2—Specifies the upper limit of the TCP option range. Enter 6 or 7 or an integer from 9 to 255. See the "Usage Guidelines" section for the available TCP options.
|
allow
|
Allows any segment with the specified option set.
|
drop
|
Causes the ACE to discard any segment with the specified option set.
|
selective-ack
|
Allows the ACE to inform the sender about all segments that it received. The sender needs to retransmit the lost segments, rather than wait for a cumulative acknowledgement or retransmit segments unnecessarily. Selective ACK (SACK) can reduce the number of retransmitted segments and increase throughput under some circumstances.
|
timestamp
|
Measures the round-trip time (RTT) of a TCP segment between two nodes on a network. Time stamps are always sent and echoed in both directions.
|
window-scale
|
Allows the ACE to use a window-scale factor that increases the size of the TCP send and receive buffers. The sender specifies a window-scale factor in a SYN segment that determines the send and receive window size for the duration of the connection.
|
clear
|
Clears the specified option from any segment that has it set and allows the segment. This is the default action on the explicitly supported options.
|
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release
|
Modification
|
3.0(0)A1(2)
|
This command was introduced.
|
Usage Guidelines
Using the tcp-options command, the ACE permits you to allow or clear the following explicitly supported TCP options specified in a SYN segment:
• Selective Acknowledgement (SACK)
• Time stamp
• Window Scale
You can specify this command multiple times to configure different options and actions. If you specify the same option with different actions, the ACE uses the order of precedence to decide which action to use.
The order of precedence for the actions in this command is as follows:
1. Drop
2. Clear
3. Allow
Table 2-12 lists the TCP options not explicitly supported by the ACE.
Table 2-12 Unsupported TCP Options
Kind | Length | Meaning | Reference
6 | 6 | Echo (obsoleted by option 8) | RFC 1072
7 | 6 | Echo Reply (obsoleted by option 8) | RFC 1072
9 | 2 | Partial Order Connection Permitted | RFC 1693
10 | 3 | Partial Order Service Profile | RFC 1693
11 |  | CC | RFC 1644
12 |  | CC.NEW | RFC 1644
13 |  | CC.ECHO | RFC 1644
14 | 3 | TCP Alternate Checksum Request | RFC 1146
15 | N | TCP Alternate Checksum Data | RFC 1146
16 |  | Skeeter | [Knowles]
17 |  | Bubba | [Knowles]
18 | 3 | Trailer Checksum Option | [Subbu & Monroe]
19 | 18 | MD5 Signature Option | RFC 2385
20 |  | SCPS Capabilities | [Scott]
21 |  | Selective Negative Acknowledgements (SNACK) | [Scott]
22 |  | Record Boundaries | [Scott]
23 |  | Corruption experienced | [Scott]
24 |  | SNAP | [Sukonnik]
25 |  | Unassigned (released 12/18/00) | 
26 |  | TCP Compression Filter | [Bellovin]
Table 2-13 lists the TCP options explicitly supported by the ACE.
Table 2-13 Supported TCP Options
Kind | Length | Meaning | Reference
0 | - | End of Option List | RFC 793
1 | - | No Operation | RFC 793
3 | 3 | WSOPT—Window Scale | RFC 1323
4 | 2 | Selective Acknowledgement (SACK) Permitted | RFC 2018
5 | N | SACK | RFC 2018
8 | 10 | Time Stamp Option (TSOPT) | RFC 1323
Examples
To allow the segment with the SACK option set, enter:
host1/Admin(config-parammap-conn)# tcp-options selective-ack allow
To reset the behavior of the ACE to the default of clearing the SACK option and allowing the segment, enter:
host1/Admin(config-parammap-conn)# no tcp-options selective-ack allow
You can specify a range of options for each action. If you specify overlapping option ranges with different actions, the ACE uses the order of precedence described in the "Usage Guidelines" section to decide which action to perform for the specified options.
For example, to specify a range of options for each action, enter:
host1/Admin(config-parammap-conn)# tcp-options range 6 7 allow
host1/Admin(config-parammap-conn)# tcp-options range 9 18 clear
host1/Admin(config-parammap-conn)# tcp-options range 19 26 drop
To remove the TCP option ranges from the configuration, enter:
host1/Admin(config-parammap-conn)# no tcp-options range 6 7 allow
host1/Admin(config-parammap-conn)# no tcp-options range 9 18 clear
host1/Admin(config-parammap-conn)# no tcp-options range 19 26 drop
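The precedence rule in the Usage Guidelines and the overlapping-range behavior in the examples above are easier to verify against actual option bytes. The following Python is an added example and is not Cisco code: it reads tcp-options statements in the form shown on this page, then applies allow, clear, or drop to the option list of a constructed SYN segment. Its assumptions, beyond what the page states: an explicitly supported option with no matching statement is cleared (the page gives this default for SACK only), an option the page lists in neither table (for example kind 2, MSS) passes through unchanged, and clear is modeled by overwriting the option with NOP bytes so the TCP header length stays valid.

```python
"""Model of the ACE tcp-options policy (allow / clear / drop) applied to the
option bytes of a TCP SYN.  Added example; not Cisco code."""

# Kinds the page lists as explicitly supported, by CLI keyword (Table 2-13).
KIND_BY_KEYWORD = {"window-scale": 3, "selective-ack": 4, "timestamp": 8}

# Action for a supported option that no statement mentions.  The page states
# "clear" as the default for SACK; assumption: the same for the other two.
SUPPORTED_DEFAULT = {3: "clear", 4: "clear", 8: "clear"}

# Lower rank wins when overlapping statements disagree (Usage Guidelines order).
PRECEDENCE = {"drop": 0, "clear": 1, "allow": 2}


def parse_cli(lines):
    """Turn tcp-options statements, as typed on the ACE, into (lo, hi, action)."""
    rules = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0] != "tcp-options":
            raise ValueError(f"not a tcp-options statement: {line!r}")
        if parts[1] == "range":
            lo, hi, action = int(parts[2]), int(parts[3]), parts[4]
        else:
            lo = hi = KIND_BY_KEYWORD[parts[1]]
            action = parts[2]
        if action not in PRECEDENCE or lo > hi:
            raise ValueError(f"bad statement: {line!r}")
        rules.append((lo, hi, action))
    return rules


def parse_options(opts):
    """Split raw TCP option bytes into (kind, raw) tuples; EOL and NOP are 1 byte."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of Option List: rest is padding
            out.append((0, bytes(opts[i:])))
            break
        if kind == 1:                       # No-Operation
            out.append((1, b"\x01"))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        out.append((kind, bytes(opts[i:i + length])))
        i += length
    return out


def action_for(kind, rules):
    """Resolve the action for one option kind; overlapping statements use precedence."""
    matches = [a for lo, hi, a in rules if lo <= kind <= hi]
    if not matches:
        return SUPPORTED_DEFAULT.get(kind, "allow")   # assumption: unlisted kinds pass
    return min(matches, key=PRECEDENCE.__getitem__)


def apply_policy(opts, rules):
    """Return the rewritten option bytes, or None if the SYN would be dropped."""
    out = bytearray()
    for kind, raw in parse_options(opts):
        action = "allow" if kind in (0, 1) else action_for(kind, rules)
        if action == "drop":
            return None
        # "clear" keeps the header the same length by overwriting with NOPs (model).
        out += b"\x01" * len(raw) if action == "clear" else raw
    return bytes(out)


# Constructed SYN options: MSS 1460, SACK-permitted, timestamp, NOP, window scale 7.
SYN_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02"
               + b"\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"
               + b"\x01" + b"\x03\x03\x07")

# The statements from this page's examples.
PAGE_RULES = parse_cli([
    "tcp-options selective-ack allow",
    "tcp-options range 6 7 allow",
    "tcp-options range 9 18 clear",
    "tcp-options range 19 26 drop",
])

if __name__ == "__main__":
    print(apply_policy(SYN_OPTIONS, PAGE_RULES).hex())
```

With the page's four statements, the timestamp and window-scale options are replaced by NOPs while MSS and SACK-permitted survive, and a SYN carrying any option in the 19 to 26 range is dropped even if an overlapping clear or allow statement also covers that kind.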
Related Commands
show parameter-map
(config-parammap-conn) urgent-flag
To set the Urgent Pointer policy, use the urgent-flag command. Use the no form of this command to return to the default setting of allowing the Urgent flag.
urgent-flag {allow | clear}
no urgent-flag
Syntax Description
allow | Leaves the Urgent flag as received. This is the default. If the Urgent flag is set, the offset in the Urgent Pointer that indicates the location of the urgent data is valid. If the Urgent flag is not set, the offset in the Urgent Pointer is invalid.
clear | Sets the Urgent flag to 0, which invalidates the offset in the Urgent Pointer.
Command Modes
Parameter map connection configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
If the Urgent control bit (URG flag) is set in the TCP header, the Urgent Pointer is valid. The Urgent Pointer holds an offset that locates the first byte of data that follows the urgent data in the payload. Urgent data is data that the receiver should process as soon as possible, ahead of normal data. The ACE lets you allow or clear the Urgent flag; clearing the flag invalidates the Urgent Pointer, so the receiver treats the payload as ordinary data.
The ACE clears the Urgent flag for any traffic that it processes above Layer 4. If you have enabled server connection reuse (see the Cisco Application Control Engine Module Security Configuration Guide), the ACE does not pass the Urgent flag value to the server.
Examples
To clear the Urgent flag, enter:
host1/Admin(config-parammap-conn)# urgent-flag clear
To reset the ACE to its default of allowing the Urgent flag, enter:
host1/Admin(config-parammap-conn)# no urgent-flag
Related Commands
show parameter-map
Parameter Map DNS Configuration Mode Commands
Parameter map DNS configuration mode commands allow you to define a DNS-type parameter map. After you create the DNS parameter map, you can configure a query timeout for the map. To create the DNS parameter map and access parameter map DNS configuration mode, use the parameter-map type dns command in configuration mode. The prompt changes to (config-parammap-dns). Use the no form of this command to remove the parameter map from the configuration.
parameter-map type dns name
no parameter-map type dns name
Syntax Description
name | Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
The commands in this mode require the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
After you create and configure a parameter map, you must associate the parameter map with a policy map to activate it. For details, see the (config-pmap-c) appl-parameter dns advanced-options command in the "Policy Map Configuration Mode Commands" section.
Examples
To create a DNS parameter map called DNS_MAP, enter:
host1/Admin(config)# parameter-map type dns DNS_MAP
host1/Admin(config-parammap-dns)#
To delete the DNS parameter map, enter:
host1/Admin(config)# no parameter-map type dns DNS_MAP
Related Commands
(config) parameter-map type
(config-pmap-c) appl-parameter dns advanced-options
show parameter-map
(config-parammap-dns) timeout query
To configure the ACE to time out DNS queries that have no matching server response, use the timeout query command. Use the no form of this command to reset the ACE behavior to the default of timing out DNS queries when the underlying UDP connection times out.
timeout query number
no timeout query number
Syntax Description
number | Length of time in seconds that the ACE keeps query entries that have no answer in the hash table before timing them out. Enter an integer from 2 to 120 seconds. The default is 10 seconds.
Command Modes
Parameter map DNS configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To configure the ACE to time out DNS query entries with no corresponding server responses after 20 seconds, enter:
host1/Admin(config-parammap-dns)# timeout query 20
To reset the ACE behavior to the default of timing out DNS queries without server responses when the underlying UDP connection times out, enter:
host1/Admin(config-parammap-dns)# no timeout query 20
Related Commands
show parameter-map
Parameter Map Generic Configuration Mode Commands
Parameter map generic configuration mode commands allow you to define a generic-type parameter map. After you create the generic parameter map, you can configure related parameters for the map. To create the generic parameter map and access parameter map generic configuration mode, use the parameter-map type generic command in configuration mode. The prompt changes to (config-parammap-generi). Use the no form of this command to remove the parameter map from the configuration.
parameter-map type generic name
no parameter-map type generic name
Syntax Description
name | Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
The commands in this mode require the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
After you create and configure a parameter map, you must associate the parameter map with a policy map to activate it. For details, see the (config-pmap-c) appl-parameter generic advanced-options command in the "Policy Map Configuration Mode Commands" section.
Examples
To create a generic parameter map called GENERIC_MAP, enter:
host1/Admin(config)# parameter-map type generic GENERIC_MAP
host1/Admin(config-parammap-generi)#
To delete the generic parameter map, enter:
host1/Admin(config)# no parameter-map type generic GENERIC_MAP
Related Commands
(config) parameter-map type
(config-pmap-c) appl-parameter generic advanced-options
show parameter-map
(config-parammap-generi) case-insensitive
To enable case-insensitive matching for generic protocol matching only, use the case-insensitive command. With case-insensitive matching enabled, uppercase and lowercase letters are treated as the same character. By default, generic protocol matching is case sensitive. Use the no form of this command to reset the ACE to its default of case-sensitive generic matching.
case-insensitive
no case-insensitive
Syntax Description
This command has no keywords or arguments.
Command Modes
Parameter map generic configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
When enabled, case insensitivity applies to generic protocol regular expression matches.
Examples
To enable case-insensitive-matching, enter:
host1/Admin(config-parammap-generi)# case-insensitive
To reenable case-sensitive matching, enter:
host1/Admin(config-parammap-generi)# no case-insensitive
Related Commands
show parameter-map
(config-parammap-generi) set max-parse-length
To set the maximum number of bytes to parse for generic protocols, use the set max-parse-length command in parameter map generic configuration mode. Use the no form of this command to reset the maximum parse length to the default of 2048 bytes.
set max-parse-length bytes
no set max-parse-length
Syntax Description
bytes | Maximum number of bytes to parse. Enter an integer from 1 to 65535. The default is 2048 bytes.
Command Modes
Parameter map generic configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To set the maximum parse length for generic protocols, enter the following command:
host1/Admin(config-parammap-generi)# set max-parse-length 8192
To reset the maximum parse length for generic protocols to the default value of 2048, enter the following command:
host1/Admin(config-parammap-generi)# no set max-parse-length
Related Commands
show parameter-map
Parameter Map HTTP Configuration Mode Commands
Parameter map HTTP configuration mode commands allow you to specify an HTTP-type parameter map and define its settings. To create an HTTP-type parameter map and access parameter map HTTP configuration mode, use the parameter-map type http command in configuration mode. The prompt changes to (config-parammap-http). Use the no form of this command to remove an HTTP-type parameter map from the configuration.
parameter-map type http name
no parameter-map type http name
Syntax Description
name | Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
The commands in this mode require the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
After you create and configure a parameter map, you must associate the parameter map with a policy map to activate it. For details, see the (config-pmap-c) appl-parameter http advanced-options command in the "Policy Map Configuration Mode Commands" section.
Examples
To create an HTTP-type parameter map called HTTP_MAP, enter:
host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)#
Related Commands
(config) parameter-map type
(config-pmap-c) appl-parameter http advanced-options
show parameter-map
(config-parammap-http) case-insensitive
To enable case-insensitive matching for HTTP matching only, use the case-insensitive command. With case-insensitive matching enabled, uppercase and lowercase letters are treated as the same character. By default, HTTP matching is case sensitive. Use the no form of this command to reset the ACE to its default of case-sensitive HTTP matching.
case-insensitive
no case-insensitive
Syntax Description
This command has no keywords or arguments.
Command Modes
Parameter map HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
When enabled, case insensitivity applies to the following:
• HTTP header names and values
• HTTP cookie names and values
• URL strings
• HTTP deep inspection
Examples
To enable case-insensitive-matching, enter:
host1/Admin(config-parammap-http)# case-insensitive
To reenable case-sensitive matching, enter:
host1/Admin(config-parammap-http)# no case-insensitive
Related Commands
show parameter-map
(config-parammap-http) header modify per-request
To instruct the ACE to modify headers (insert, delete, or rewrite) on every HTTP request or response, without the additional effect of load balancing each new HTTP request that the persistence-rebalance command causes, use the header modify per-request command. Use the no form of this command to reset the ACE to its default of modifying headers only on the first HTTP request or response of a connection.
header modify per-request
no header modify per-request
Syntax Description
This command has no keywords or arguments.
Command Modes
Parameter map HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
This command has an effect only when persistence-rebalance is disabled. The header modify per-request command also causes the ACE to perform URL location header rewrite on every HTTP response if the ssl url rewrite location command is enabled. For more information about SSL URL rewrite, see the Cisco Application Control Engine Module SSL Configuration Guide.
Examples
To instruct the ACE to perform header modification on every HTTP request or response, enter the following command:
host1/Admin(config-parammap-http)# header modify per-request
To return the ACE behavior to the default of modifying headers only on the first HTTP request or response, enter the following command:
host1/Admin(config-parammap-http)# no header modify per-request
Related Commands
show parameter-map
(config) action-list type modify http
(config-actlist-modify) header delete
(config-actlist-modify) header insert
(config-actlist-modify) header rewrite
(config-actlist-modify) ssl url rewrite location
(config-parammap-http) persistence-rebalance
(config-pmap-lb-c) insert-http
(config-pmap-lb-m) insert-http
(config-parammap-http) length-exceed
To configure how the ACE handles URLs or cookies that exceed the maximum parse length, use the length-exceed command. Use the no form of this command to reset the ACE to its default of stopping load balancing and discarding a packet when its URL or cookie exceeds the maximum parse length.
length-exceed {continue | drop}
no length-exceed
Syntax Description
continue | Specifies that the ACE continue load balancing when the maximum parse length is exceeded.
drop | Specifies that the ACE stop load balancing when the maximum parse length is exceeded. This is the default.
Command Modes
Parameter map HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
When you specify the continue keyword, the (config-parammap-http) persistence-rebalance command is disabled if the total length of all cookies, HTTP headers, and URLs exceeds the maximum parse-length value.
Examples
To continue load balancing when the maximum parse length is exceeded, enter:
host1/Admin(config-parammap-http)# length-exceed continue
To reset the ACE to its default of stopping load balancing and discarding a packet when its URL or cookie exceeds the maximum parse length, enter:
host1/Admin(config-parammap-http)# no length-exceed
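What length-exceed changes is the fate of a request whose URL, headers, and cookies together exceed set header-maxparse-length. The following Python is an added example, not Cisco code: it measures that length on a constructed request and applies the drop or continue choice. It assumes, as a model, that only the bytes inside the parse window are available to Layer 7 matching, so with continue a header pushed past the limit by a large filler header is load balanced without ever being compared against the policy. That consequence is an inference from the documented behavior, not a statement on the page; the request bytes and the X-Pad and X-Role header names are constructed for the example.

```python
"""Model of set header-maxparse-length together with length-exceed
{drop | continue}.  Added example, not Cisco code.  Assumption: only the
bytes inside the parse window are available to Layer 7 matching."""

DEFAULT_HEADER_MAXPARSE = 4096   # page default for HTTP parameter maps


def parse_request_head(raw: bytes, maxparse: int = DEFAULT_HEADER_MAXPARSE):
    """Return (headers, exceeded) for one HTTP request.

    headers: {lower-cased name: value} built only from complete header lines
    inside the first maxparse bytes of request line + headers.
    exceeded: True when the request line, headers, and cookies together are
    longer than maxparse.
    """
    end = raw.find(b"\r\n\r\n")
    head = raw if end < 0 else raw[:end + 2]          # request line + headers, CRLF-terminated
    exceeded = len(head) > maxparse
    window = head[:maxparse]
    cut = window.rfind(b"\r\n")                        # discard a line cut off by the window
    complete = window[:cut + 2] if cut >= 0 else b""
    headers = {}
    for line in complete.split(b"\r\n")[1:]:          # element 0 is the request line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, exceeded


def decide(raw: bytes, maxparse: int = DEFAULT_HEADER_MAXPARSE, length_exceed: str = "drop"):
    """Return ("drop", {}) or ("balance", headers visible to the policy)."""
    if length_exceed not in ("drop", "continue"):
        raise ValueError("length-exceed takes drop or continue")
    headers, exceeded = parse_request_head(raw, maxparse)
    if exceeded and length_exceed == "drop":
        return "drop", {}
    return "balance", headers


def build_request(pad_len: int, role: str = "admin") -> bytes:
    """Constructed request: a filler header of pad_len bytes placed ahead of X-Role."""
    return (b"GET /index.html HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"X-Pad: " + b"a" * pad_len + b"\r\n"
            b"X-Role: " + role.encode() + b"\r\n"
            b"Cookie: session=abc123\r\n"
            b"\r\n")


if __name__ == "__main__":
    for pad in (10, 5000):
        for mode in ("drop", "continue"):
            verdict, seen = decide(build_request(pad), length_exceed=mode)
            print(pad, mode, verdict, sorted(seen))
```

With the default 4096-byte limit, the 5000-byte filler makes the request exceed the limit: under drop it is discarded, under continue it is balanced with only the Host header in view. Raising set header-maxparse-length to 8192 brings X-Role back into the parse window.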
Related Commands
show parameter-map
(config-parammap-http) persistence-rebalance
(config-parammap-http) persistence-rebalance
To enable the ACE to check each GET request on a TCP connection and to load balance the request only if it matches a policy that is different from the policy matched by the previous request, use the persistence-rebalance command. By default, the persistence-rebalance command is disabled. Use the no form of this command to reset persistence to the default setting of disabled.
persistence-rebalance
no persistence-rebalance
Syntax Description
This command has no keywords or arguments.
Command Modes
Parameter map HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
3.0(0)A1(6.2a) | This command behavior was modified.
Usage Guidelines
With persistence rebalance enabled, when successive GET requests result in load balancing that chooses the same class in the same policy, the ACE sends the requests to the real server that was used for the last GET request. This behavior prevents the ACE from load balancing every request and recreating the server-side connection on every GET request, producing less overhead and better performance. If a request matches a different policy, then the ACE rebalances the server-side connection.
When persistence rebalance is disabled, the ACE load balances the first GET request on a new connection to a real server. The ACE sends successive requests on that same connection to the same server that serviced the first request because the ACE does not parse the Layer 7 information that is present in the request. In this case, load balancing is not involved after the initial load-balancing decision is made.
Another effect of persistence rebalance is that header insertion and cookie insertion, if enabled, occur for every request instead of only the first request.
If a real server uses the Microsoft NTLM authentication protocol, we recommend that you leave persistence rebalance disabled. NTLM is a challenge-response protocol that authenticates the TCP connection rather than each request: when a real server requires NTLM, every new connection to it must be authenticated, and the client user typically sees a pop-up window prompting for a username and password. Once the connection is authenticated, subsequent requests on the same connection are not challenged. With server load balancing configured for persistence rebalance, however, a subsequent request may be sent to a different real server, which starts a new authentication handshake.
The persistence-rebalance command is not compatible with generic protocol parsing.
Examples
To enable persistence rebalance, enter the following command:
host1/Admin(config-parammap-http)# persistence-rebalance
To reset persistence rebalance to the default setting of disabled, enter the following command:
host1/Admin(config-parammap-http)# no persistence-rebalance
Related Commands
show parameter-map
(config-pmap-lb-c) insert-http
(config-sticky-cookie) cookie insert
(config-parammap-http) server-conn reuse
To configure TCP server reuse, use the server-conn reuse command. TCP server reuse allows the ACE to reduce the number of open connections on a server by allowing connections to persist and be reused by multiple client connections. Use the no form of this command to disable TCP server reuse.
server-conn reuse
no server-conn reuse
Syntax Description
This command has no keywords or arguments.
Command Modes
Parameter map HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
The ACE maintains a pool of TCP connections that can be reused if the client connection and the server connection share the same TCP options. For information about how the ACE handles TCP options, see the Cisco Application Control Engine Module Security Configuration Guide. For proper operation of this feature, follow these TCP server reuse configuration recommendations and restrictions:
• Ensure that the ACE maximum segment size (MSS) is the same as the server MSS.
• Configure Port Address Translation (PAT) on the interface that is connected to the real server. PAT prevents collisions when a client stops using a server connection and that connection is then reused by another client. Without PAT, if the original client tries to reuse its original server connection, the connection is no longer available. For details about configuring PAT, see the Cisco Application Control Engine Module Security Configuration Guide.
• Configure the same TCP options that exist on the TCP server.
• Ensure that all real servers within a server farm have identical configurations.
Another effect of TCP server reuse is that header insertion and cookie insertion, if enabled, occur for every request instead of only the first request.
Examples
To enable TCP server reuse, enter:
host1/Admin(config-parammap-http)# server-conn reuse
To disable TCP server reuse, enter:
host1/Admin(config-parammap-http)# no server-conn reuse
Related Commands
show parameter-map
(config-parammap-http) persistence-rebalance
(config-pmap-lb-c) insert-http
(config-sticky-cookie) cookie insert
(config-parammap-http) set content-maxparse-length
To set the maximum number of bytes to parse in HTTP content, use the set content-maxparse-length command. Use the no form of this command to reset the maximum parse length to the default of 4096 bytes.
set content-maxparse-length bytes
no set content-maxparse-length
Syntax Description
bytes | Maximum number of bytes to parse in HTTP content. Enter an integer from 1 to 65535. The default is 4096 bytes.
Command Modes
Parameter map HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To set the maximum parse length to 8192, enter:
host1/Admin(config-parammap-http)# set content-maxparse-length 8192
To reset the maximum parse length to the default of 4096 bytes, enter:
host1/Admin(config-parammap-http)# no set content-maxparse-length
Related Commands
show parameter-map
(config-parammap-http) set header-maxparse-length
To set the maximum number of bytes to parse for cookies, HTTP headers, and URLs, use the set header-maxparse-length command. Use the no form of this command to reset the HTTP header maximum parse length to the default of 4096 bytes.
set header-maxparse-length bytes
no set header-maxparse-length
Syntax Description
bytes | Maximum number of bytes to parse for the total length of all cookies, HTTP headers, and URLs. Enter an integer from 1 to 65535. The default is 4096 bytes.
Command Modes
Parameter map HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To set the HTTP header maximum parse length to 8192, enter:
host1/Admin(config-parammap-http)# set header-maxparse-length 8192
To reset the HTTP header maximum parse length to the default of 4096 bytes, enter:
host1/Admin(config-parammap-http)# no set header-maxparse-length
Related Commands
show parameter-map
(config-parammap-http) set secondary-cookie-delimiters
To define the set of ASCII delimiter characters that separate secondary cookies (name-value pairs) in the query part of a URL, use the set secondary-cookie-delimiters command. Use the no form of this command to reset the delimiter list to the default of /&#+.
set secondary-cookie-delimiters text
no set secondary-cookie-delimiters
Syntax Description
text | Delimiter characters. Enter an unquoted text string with no spaces and a maximum of four characters; each character in the string is a delimiter. The order of the delimiters in the list does not matter. The default list of delimiters is /&#+.
Command Modes
Parameter map HTTP configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
Secondary cookies and their delimiters appear in the URL of GET request lines. In the following example of a GET request line, the ampersand (&) between name-value pairs is the secondary cookie delimiter. The question mark (?) begins the URL query and is not configurable.
GET /default.cgi?user=me&hello=world&id=2 HTTP/1.1
Examples
To set the delimiter string list to the characters !@#$, enter:
host1/Admin(config-parammap-http)# set secondary-cookie-delimiters !@#$
To reset the delimiter string list to the default of /&#+, enter:
host1/Admin(config-parammap-http)# no set secondary-cookie-delimiters
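The GET line above shows one delimiter; the list you configure is a set of single characters, any of which ends a name-value pair. The following Python is an added example, not Cisco code: it splits the query part of a request line the way the documented default list (/&#+) and the custom list from the example (!@#$) would, so you can see what the ACE would compare when matching on a secondary cookie. The request lines are constructed. The page does not state how a delimiter character inside a value is handled; the truncation shown at the end (a plus sign inside a session value ends the value) is the behavior of this model.

```python
"""Model of set secondary-cookie-delimiters: splitting the URL query of a GET
request line into secondary cookies.  Added example, not Cisco code."""
import re

DEFAULT_DELIMITERS = "/&#+"      # page default


def secondary_cookies(request_line: str, delimiters: str = DEFAULT_DELIMITERS) -> dict:
    """Return {name: value} for the name=value pairs after '?' in the URL.

    delimiters is the configured list (1 to 4 ASCII characters, order
    irrelevant).  '?' always starts the query and is not configurable.
    """
    if not 1 <= len(delimiters) <= 4 or not delimiters.isascii():
        raise ValueError("the ACE accepts 1 to 4 ASCII delimiter characters")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        raise ValueError(f"not a GET request line: {request_line!r}")
    url = parts[1]
    if "?" not in url:
        return {}
    query = url.split("?", 1)[1]
    # Any single configured character ends a pair; everything else is literal.
    splitter = re.compile("[" + re.escape(delimiters) + "]")
    cookies = {}
    for field in splitter.split(query):
        if "=" in field:
            name, value = field.split("=", 1)
            cookies.setdefault(name, value)      # model choice: first occurrence wins
    return cookies


if __name__ == "__main__":
    line = "GET /default.cgi?user=me&hello=world&id=2 HTTP/1.1"   # from the page
    print(secondary_cookies(line))
    print(secondary_cookies(line, "!@#$"))
    print(secondary_cookies("GET /app?sid=Zm9v+YmFy&x=1 HTTP/1.1"))   # constructed
```

The last call illustrates why the delimiter list matters for sticky or match decisions: with the default list, a plus sign inside a session value splits it, so only the part before the plus sign is the cookie value the ACE would use.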
Related Commands
show parameter-map
Parameter Map RTSP Configuration Mode Commands
Parameter map RTSP configuration mode commands allow you to specify a Real-Time Streaming Protocol (RTSP)-type parameter map and define its settings. To create an RTSP-type parameter map and access parameter map RTSP configuration mode, use the parameter-map type rtsp command in configuration mode. The prompt changes to (config-parammap-rtsp). Use the no form of this command to remove an RTSP-type parameter map from the configuration.
parameter-map type rtsp name
no parameter-map type rtsp name
Syntax Description
name | Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
The commands in this mode require the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
After you create and configure a parameter map, you must associate the parameter map with a policy map to activate it. For details, see the (config-pmap-c) appl-parameter rtsp advanced-options command in the "Policy Map Configuration Mode Commands" section.
Examples
To create an RTSP-type parameter map called RTSP_MAP, enter:
host1/Admin(config)# parameter-map type rtsp RTSP_MAP
host1/Admin(config-parammap-rtsp)#
Related Commands
(config) parameter-map type
(config-pmap-c) appl-parameter rtsp advanced-options
show parameter-map
(config-parammap-rtsp) case-insensitive
To enable case-insensitive matching for RTSP, use the case-insensitive command. Use the no form of this command to reset the ACE to its default of case-sensitive RTSP matching.
case-insensitive
no case-insensitive
Syntax Description
This command has no keywords or arguments.
Command Modes
Parameter map RTSP configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
By default, RTSP matching is case sensitive. With case-insensitive matching enabled, uppercase and lowercase letters are treated as the same character.
When case-insensitive matching is enabled, it applies to the following:
• RTSP header names and values
• RTSP URL strings
• RTSP inspection (for details, see the Cisco Application Control Engine Module Security Configuration Guide)
Examples
To enable case-insensitive matching, enter:
host1/Admin(config-parammap-rtsp)# case-insensitive
To reenable case-sensitive matching, enter:
host1/Admin(config-parammap-rtsp)# no case-insensitive
Related Commands
show parameter-map
(config-parammap-rtsp) set header-maxparse-length
To set the maximum number of bytes to parse for RTSP headers, use the set header-maxparse-length command. Use the no form of this command to reset the RTSP header maximum parse length to the default of 2048 bytes.
set header-maxparse-length bytes
no set header-maxparse-length
Syntax Description
bytes | Maximum number of bytes to parse for the total length of all RTSP headers. Enter an integer from 1 to 65535. The default is 2048 bytes.
Command Modes
Parameter map RTSP configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To set the RTSP header maximum parse length to 16,384 bytes, enter:
host1/Admin(config-parammap-rtsp)# set header-maxparse-length 16384
To reset the RTSP header maximum parse length to the default of 2048 bytes, enter:
host1/Admin(config-parammap-rtsp)# no set header-maxparse-length
Related Commands
show parameter-map
Parameter Map SCCP Configuration Mode Commands
Parameter map Skinny Client Control Protocol (SCCP) configuration mode commands allow you to specify an SCCP-type parameter map and configure SCCP packet inspection on the ACE. To configure SCCP packet inspection, use the parameter-map type skinny command in configuration mode. The prompt changes to (config-parammap-skinny). Use the no form of this command to remove the parameter map from the configuration.
parameter-map type skinny name
no parameter-map type skinny name
Syntax Description
name | Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 32 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
Note the following considerations when you configure SCCP inspection on the ACE:
• If the IP address of an internal Cisco CallManager (CCM) is configured for Network Address Translation (NAT) or Port Address Translation (PAT) to a different IP address or port, registrations for external IP phones fail because the ACE does not support NAT or PAT of the file content transferred over TFTP. Although the ACE supports NAT of TFTP messages and opens a secure port (pinhole) for the TFTP file transfer, it cannot translate the CCM IP address and port that are embedded in the IP phone configuration files, which are transferred by TFTP during phone registration.
• If a Skinny phone is in a low security zone and the TFTP server is in a high security zone, the ACE cannot translate the TFTP server IP address. In this case, the ACE opens the TFTP port (69) for Skinny phones.
Examples
To create an SCCP-type parameter map called SCCP_PARAMMAP, enter:
host1/Admin(config)# parameter-map type skinny SCCP_PARAMMAP
host1/Admin(config-parammap-skinny)#
To remove the parameter map from the configuration, enter:
host1/Admin(config)# no parameter-map type skinny SCCP_PARAMMAP
Related Commands
(config) parameter-map type
(config-pmap-c) appl-parameter skinny advanced-options
show parameter-map
(config-parammap-skinny) enforce-registration
To enable registration enforcement, use the enforce-registration command. Use the no form of this command to disable registration enforcement.
enforce-registration
no enforce-registration
Syntax Description
This command has no keywords or arguments.
Command Modes
Parameter map SCCP configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
You can configure the ACE to allow only registered Skinny clients to make calls. To accomplish this task, the ACE maintains the state of each Skinny client. After a client registers with CCM, the ACE opens a secure port (pinhole) to allow that client to make a call. By default, this feature is disabled.
Examples
To enable registration enforcement for Skinny clients, enter:
host1/Admin(config-parammap-skinny)# enforce-registration
To disable registration enforcement, enter:
host1/Admin(config-parammap-skinny)# no enforce-registration
Related Commands
(config-pmap-c) appl-parameter skinny advanced-options
(config-parammap-skinny) message-id max
(config-parammap-skinny) sccp-prefix-len
(config-parammap-skinny) message-id max
To set the maximum SCCP StationMessageID that the ACE allows, use the message-id max command. Use the no form of this command to reset the maximum message ID to the default of 0x181.
message-id max number
no message-id max number
Syntax Description
number | Largest station message ID, in hexadecimal, that the ACE accepts. Enter a hexadecimal value from 0 to 4000 without a 0x prefix (for example, 3000 sets 0x3000). If a packet arrives with a station message ID greater than the configured maximum, or greater than the default when no maximum is configured, the ACE drops the packet and generates a syslog message.
Command Modes
Parameter map SCCP configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To set the maximum SCCP message ID to 0x3000, enter:
host1/Admin(config-parammap-skinny)# message-id max 3000
To reset the maximum message ID to the default of 0x181, enter:
host1/Admin(config-parammap-skinny)# no message-id max 3000
Related Commands
(config-pmap-c) appl-parameter skinny advanced-options
(config-parammap-skinny) enforce-registration
(config-parammap-skinny) sccp-prefix-len
(config-parammap-skinny) sccp-prefix-len
To set the minimum and maximum SCCP prefix length, use the sccp-prefix-len command. Use the no form of this command to reset the minimum prefix length to the default behavior.
sccp-prefix-len {max number | min number}
no sccp-prefix-len {max number | min number}
Syntax Description
max number | Enables the check of the maximum SCCP prefix length. Enter an integer from 4 to 4000 bytes. The default is 4 bytes.
min number | Specifies the minimum SCCP prefix length. Enter an integer from 4 to 4000 bytes.
Command Modes
Parameter map SCCP configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
By default, the ACE drops SCCP messages that have an SCCP prefix length that is less than the message ID. You can configure the ACE to check for a specific minimum prefix length. You can also configure the ACE to check for a maximum prefix length, but this check is disabled by default. The ACE drops any Skinny message packet that fails these checks and generates a syslog message.
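The following Python inspector is an added illustration of the two SCCP checks described here and under message-id max; it is example code written for this page, not ACE software. It assumes the usual SCCP header layout of three little-endian 32-bit fields (data length, which is treated as the prefix length, header version, and StationMessageID), which the page itself does not describe. The sample packets are constructed, and the names build_sccp, inspect_sccp and run_samples are mine.

```python
import struct

# Defaults taken from the page: maximum StationMessageID 0x181,
# minimum prefix length 4 bytes, maximum prefix length check disabled.
DEFAULT_MAX_MESSAGE_ID = 0x181
DEFAULT_MIN_PREFIX_LEN = 4

# Assumed SCCP header layout (not from the page): three little-endian
# 32-bit fields: data length ("prefix length" here), header version,
# station message ID.
SCCP_HEADER = struct.Struct("<III")


def inspect_sccp(packet, max_message_id=DEFAULT_MAX_MESSAGE_ID,
                 min_prefix_len=DEFAULT_MIN_PREFIX_LEN, max_prefix_len=None):
    """Apply the message-id max and sccp-prefix-len checks to one SCCP packet.

    Returns (verdict, detail): verdict is "pass" or "drop", detail is the
    text a syslog line for the drop would carry.
    """
    if len(packet) < SCCP_HEADER.size:
        return "drop", "truncated SCCP header (%d bytes)" % len(packet)
    prefix_len, _version, msg_id = SCCP_HEADER.unpack_from(packet)
    if prefix_len < min_prefix_len:
        return "drop", "prefix length %d below minimum %d" % (prefix_len, min_prefix_len)
    if max_prefix_len is not None and prefix_len > max_prefix_len:
        return "drop", "prefix length %d above maximum %d" % (prefix_len, max_prefix_len)
    if msg_id > max_message_id:
        return "drop", "StationMessageID 0x%x above maximum 0x%x" % (msg_id, max_message_id)
    return "pass", "StationMessageID 0x%x, prefix length %d" % (msg_id, prefix_len)


def build_sccp(msg_id, payload=b"", prefix_len=None):
    """Build a constructed SCCP packet; prefix_len overrides the computed length."""
    if prefix_len is None:
        prefix_len = 4 + len(payload)          # message ID field plus payload
    return SCCP_HEADER.pack(prefix_len, 0, msg_id) + payload


# Constructed sample traffic, not captured from a real phone.
SAMPLES = {
    "keepalive": build_sccp(0x0000),                    # KeepAliveMessage, length 4
    "register": build_sccp(0x0001, b"\x00" * 28),       # RegisterMessage-sized body
    "high_id": build_sccp(0x0200),                      # above the 0x181 default
    "short_prefix": build_sccp(0x0001, prefix_len=2),   # declared length below 4
    "oversized": build_sccp(0x0001, b"\x00" * 100),     # trips an optional max of 64
}


def run_samples(max_prefix_len=None):
    """Verdict per sample with the page defaults plus an optional maximum."""
    return {name: inspect_sccp(pkt, max_prefix_len=max_prefix_len)[0]
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inspect_sccp(pkt, max_prefix_len=64))
```

Running the block prints one verdict per sample with a 64-byte maximum enabled; the oversized packet is only dropped when that optional maximum is set, mirroring the page's note that the maximum check is off by default.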
Examples
To set the minimum SCCP prefix length, enter:
host1/Admin(config-parammap-skinny)# sccp-prefix-len min 4
To reset the minimum SCCP prefix length to the default behavior, enter:
host1/Admin(config-parammap-skinny)# no sccp-prefix-len min 4
Related Commands
(config-pmap-c) appl-parameter skinny advanced-options
(config-parammap-skinny) enforce-registration
(config-parammap-skinny) message-id max
Parameter Map SIP Configuration Mode Commands
Parameter map Session Initiation Protocol (SIP) configuration mode commands allow you to specify a SIP-type parameter map and configure a SIP deep packet inspection policy map. To configure SIP deep packet inspection, use the parameter-map type sip command in configuration mode. The prompt changes to (config-parammap-sip). Use the no form of this command to remove the parameter map from the configuration.
parameter-map type sip name
no parameter-map type sip name
Syntax Description
name | Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 32 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
Note the following considerations when you configure SIP inspection on the ACE:
• If the IP address in the owner field (o=) is different from the IP address in the connection field (c=) of the Session Description Protocol (SDP) portion of a SIP packet, the ACE may not translate the IP address properly. This improper IP address translation is caused by a limitation of the SIP protocol, which does not provide a port value in the owner field (o=).
• If a remote endpoint attempts to register with a SIP proxy server on a network protected by the ACE, the registration fails under the following conditions:
  – PAT is configured on the remote endpoint
  – The SIP registration server is on the outside network
  – The port value is missing in the contact field of the REGISTER message that the endpoint sends to the proxy server.
Examples
To create a SIP-type parameter map called SIP_PARAMMAP, enter:
host1/Admin(config)# parameter-map type sip SIP_PARAMMAP
host1/Admin(config-parammap-sip)#
To remove the parameter map from the configuration, enter:
host1/Admin(config)# no parameter-map type sip SIP_PARAMMAP
Related Commands
(config) parameter-map type
(config-pmap-c) appl-parameter sip advanced-options
show parameter-map
(config-parammap-sip) im
To enable instant messaging (IM) over SIP after it has been disabled, use the im command. Use the no form of this command to disable instant messaging.
im
no im
Syntax Description
This command has no keywords or arguments.
Command Modes
Parameter map SIP configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
Disabling IM results in the ACE dropping all messages belonging to the IM.
Examples
To enable instant messaging over SIP, enter:
host1/Admin(config-parammap-sip)# im
To disable instant messaging, enter:
host1/Admin(config-parammap-sip)# no im
Related Commands
(config-parammap-sip) max-forward-validation
(config-parammap-sip) software-version
(config-parammap-sip) strict-header-validation
(config-parammap-sip) uri-non-sip
(config-parammap-sip) max-forward-validation
To instruct the ACE to validate the value of the Max-Forwards header field, use the max-forward-validation command. Use the no form of this command to disable Max-Forwards field validation.
max-forward-validation {log} | {{drop | reset} [log]}
no max-forward-validation {log} | {{drop | reset} [log]}
Syntax Description
log | Specifies that the ACE log a Max-Forwards validation event.
drop | Specifies that the ACE drop the SIP message.
reset | Specifies that the ACE reset the SIP connection.
Command Modes
Parameter map SIP configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
The Max-Forwards header field limits the number of hops that a SIP request can take on the way to its destination. This header field contains an integer that is decremented by one at each hop. If the Max-Forwards value reaches zero before the request reaches its destination, the request is rejected with a 483 Too Many Hops error response. You can instruct the ACE to validate the Max-Forwards header field value and to take appropriate action if the validation fails.
Examples
To enable Max-Forwards header field validation, enter:
host1/Admin(config-parammap-sip)# max-forward-validation drop log
To disable maximum forward field validation, enter:
host1/Admin(config-parammap-sip)# no max-forward-validation
Related Commands
(config-parammap-sip) im
(config-parammap-sip) software-version
(config-parammap-sip) strict-header-validation
(config-parammap-sip) uri-non-sip
(config-parammap-sip) software-version
To enable user agent (UA) software version options, use the software-version command. Use the no form of this command to reset the software version to the default behavior.
software-version {log} | {mask [log]}
no software-version {log} | {mask [log]}
Syntax Description
log | Specifies that the ACE log the UA software version.
mask | Specifies that the ACE mask the UA software version.
Command Modes
Parameter map SIP configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
If the software version of a user agent (UA) is exposed, the UA may be more vulnerable to attacks from hackers who exploit the security holes present in that particular version of the software. To protect the UA from such attacks, the ACE allows you to log or mask the UA software version.
Examples
To configure the ACE to mask the UA software version, enter:
host1/Admin(config-parammap-sip)# software-version mask
To return the ACE behavior to the default of not masking the UA software version, enter:
host1/Admin(config-parammap-sip)# no software-version mask
Related Commands
(config-parammap-sip) im
(config-parammap-sip) max-forward-validation
(config-parammap-sip) strict-header-validation
(config-parammap-sip) uri-non-sip
(config-parammap-sip) strict-header-validation
To enable strict header validation and the action that you want the ACE to perform if a SIP header does not meet the validation requirements, use the strict-header-validation command. Use the no form of this command to disable strict header validation.
strict-header-validation {log} | {{drop | reset} [log]}
no strict-header-validation {log} | {{drop | reset} [log]}
Syntax Description
drop | Specifies that the ACE drop the SIP message.
reset | Specifies that the ACE reset the connection.
log | Specifies that the ACE log the header validation event.
Command Modes
Parameter map SIP configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
You can ensure the validity of SIP packet headers by configuring the ACE to check for the presence of the following mandatory SIP header fields:
• From
• To
• Call-ID
• CSeq
• Via
• Max-Forwards
If one of these header fields is missing in a SIP packet, the ACE considers that packet invalid. The ACE also checks for forbidden header fields, according to RFC 3261.
Use care if you plan to enable the drop option to ensure the validity of SIP packet headers. The drop option results in dropping requests which do not include the mandatory headers of that request. In some cases, the use of the drop option can lead to problems with some phones which do not utilize the mandatory headers in the request. For example, when a call is made and then cancelled, the phone receives a 487 Request Terminated cancel status request and transmits an ACK. However, for the Cisco IP Phone 7960, the transmitted ACK does not contain the MAX-FORWARDS header, which is a mandatory header for ACK. The ACE will then drop this packet, which can result in operational issues with the phone.
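The Python validator below is an added example of the two SIP checks described on this page (max-forward-validation and strict-header-validation), including the ACK-without-Max-Forwards case just discussed; it is written for this page and is not ACE code. It goes a little beyond the page in two places, both of which I am confident about: it expands the RFC 3261 compact header names (f, t, i, v) before looking for mandatory headers, and it treats a Max-Forwards value as valid only when it is an integer from 0 to 255, the range RFC 3261 section 20.22 defines. The SIP messages are constructed, and the names parse_sip and validate_sip are mine.

```python
# Mandatory header fields listed on the page for strict-header-validation.
MANDATORY_HEADERS = ("From", "To", "Call-ID", "CSeq", "Via", "Max-Forwards")

# RFC 3261 compact header names; expanding them goes beyond what the page states.
COMPACT_FORMS = {"f": "from", "t": "to", "i": "call-id", "v": "via"}


def parse_sip(raw):
    """Split a SIP message into its start line and a header map.

    Header names are lowercased (SIP header names are case-insensitive) and
    compact forms are expanded, so "f:" and "From:" land in the same slot.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue                              # not a header line
        key = name.strip().lower()
        key = COMPACT_FORMS.get(key, key)
        headers.setdefault(key, []).append(value.strip())
    return lines[0], headers


def validate_sip(raw, action="log", log=True):
    """Emulate max-forward-validation and strict-header-validation.

    action is "log", "drop" or "reset" as on the CLI; log=True records the
    event text. Returns a dict with the verdict ("pass", "drop" or "reset"),
    the findings and the log events.
    """
    start_line, headers = parse_sip(raw)
    findings = []
    for name in MANDATORY_HEADERS:
        if name.lower() not in headers:
            findings.append("missing mandatory header %s" % name)
    for value in headers.get("max-forwards", []):
        # RFC 3261 section 20.22: an integer in the range 0-255.
        if not value.isdigit() or int(value) > 255:
            findings.append("invalid Max-Forwards value %r" % value)
    verdict = action if findings and action in ("drop", "reset") else "pass"
    events = ["%s: %s" % (start_line, f) for f in findings] if log else []
    return {"verdict": verdict, "findings": findings, "events": events}


# Constructed messages, not captures; CRLF line endings as SIP requires.
INVITE_OK = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# The ACK pattern described on the page: compact headers, no Max-Forwards.
ACK_NO_MAX_FORWARDS = (
    "ACK sip:bob@example.com SIP/2.0\r\n"
    "v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "f: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "t: Bob <sip:bob@example.com>;tag=a6c85cf\r\n"
    "i: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 ACK\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Same INVITE with a Max-Forwards value outside the RFC range.
INVITE_BAD_MAX_FORWARDS = INVITE_OK.replace("Max-Forwards: 70", "Max-Forwards: 300")


if __name__ == "__main__":
    for label, msg in (("INVITE", INVITE_OK), ("ACK", ACK_NO_MAX_FORWARDS),
                       ("INVITE/300", INVITE_BAD_MAX_FORWARDS)):
        print(label, validate_sip(msg, action="drop"))
```

With action="drop" the ACK is dropped solely for its missing Max-Forwards header, which is the operational problem the paragraph above warns about; with action="log" the same message passes and only an event is recorded, which is the safer setting to start from when phones of unknown behaviour sit behind the ACE.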
Examples
To enable strict header validation, instruct the ACE to drop the connection if the packet header does not meet the header validation requirements, and log the event, enter:
host1/Admin(config-parammap-sip)# strict-header-validation drop log
To disable strict header validation, enter:
host1/Admin(config-parammap-sip)# no strict-header-validation drop log
Related Commands
(config-parammap-sip) im
(config-parammap-sip) max-forward-validation
(config-parammap-sip) software-version
(config-parammap-sip) uri-non-sip
(config-parammap-sip) timeout
To prevent a hacker from exploiting the media port, set a timeout for SIP media by using the timeout command in parameter map SIP configuration mode. Use the no form of this command to return the streaming media port timeout value to the default of 5 seconds.
timeout sip-media number
no timeout sip-media number
Syntax Description
number | The timeout in seconds for the media port. Enter an integer from 1 to 65535 seconds. The default is 5 seconds. Be sure to provide a timeout value that is large enough for streaming media applications to complete.
Command Modes
Parameter map SIP configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To specify a secure streaming media port timeout value of 1 hour, enter:
host1/Admin(config)# parameter-map type sip SIP_PARAMMAP
host1/Admin(config-parammap-sip)# timeout sip-media 3600
To return the streaming media port timeout value to the default of 5 seconds, enter:
host1/Admin(config-parammap-sip)# no timeout sip-media 3600
Related Commands
(config-parammap-sip) im
(config-parammap-sip) max-forward-validation
(config-parammap-sip) software-version
(config-parammap-sip) uri-non-sip
(config-parammap-sip) uri-non-sip
To enable the detection of non-SIP URIs in SIP messages, use the uri-non-sip command. Use the no form of this command to disable the detection of non-SIP URIs.
uri-non-sip {log} | {mask [log]}
no uri-non-sip {log} | {mask [log]}
Syntax Description
log | Specifies that the ACE log the non-SIP URI.
mask | Specifies that the ACE mask the non-SIP URI.
Command Modes
Parameter map SIP configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To enable the detection of non-SIP URIs in SIP messages and log the event, enter:
host1/Admin(config-parammap-sip)# uri-non-sip log
To disable the detection of non-SIP URIs in SIP messages, enter:
host1/Admin(config-parammap-sip)# no uri-non-sip log
Related Commands
(config-parammap-sip) im
(config-parammap-sip) max-forward-validation
(config-parammap-sip) software-version
(config-parammap-sip) strict-header-validation
Parameter Map SSL Configuration Mode Commands
Parameter map Secure Sockets Layer (SSL) configuration mode commands allow you to specify an SSL-type parameter map and configure SSL settings for the map. To create an SSL-type parameter map and access parameter map SSL configuration mode, use the parameter-map type ssl command in configuration mode. The prompt changes to (config-parammap-ssl). Use the no form of this command to remove the parameter map from the configuration.
parameter-map type ssl name
no parameter-map type ssl name
Syntax Description
name | Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
The commands in this mode require the connection or SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
After you create and configure an SSL parameter map, you must associate the parameter map with a policy map to activate it. For details, see the (config-ssl-proxy) ssl advanced-options command in the "SSL Proxy Configuration Mode Commands" section.
Examples
To create an SSL-type parameter map called SSL_MAP, enter:
host1/Admin(config)# parameter-map type ssl SSL_MAP
host1/Admin(config-parammap-ssl)#
Related Commands
(config) parameter-map type
(config-ssl-proxy) ssl advanced-options
show parameter-map
(config-parammap-ssl) cipher
To define each of the cipher suites that you want the ACE to support during a secure session, use the cipher command. Use the no form of this command to delete a cipher suite from the SSL parameter map.
cipher cipher_name [priority cipher_priority]
no cipher cipher_name
Syntax Description
cipher_name | Name of the cipher suite. Enter one of the cipher suites that the ACE supports, listed in Table 2-14 in the "Usage Guidelines" section. The default setting is all.
priority | (Optional) Assigns a priority level to the cipher suite. The priority level represents the preference-for-use ranking of the cipher suite, with 10 being the most preferred and 1 being the least preferred. By default, all configured cipher suites have a priority level of 1.
cipher_priority | Priority level of the cipher suite. Enter a value from 1 to 10. The default priority value is 1.
Command Modes
SSL parameter map configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
Table 2-14 lists the available cipher suites that the ACE supports and indicates which of the supported cipher suites are exportable from the ACE. Table 2-14 also lists the authentication certificate and encryption key required by each cipher suite.
Table 2-14 Supported Cipher Suites
Cipher Suite | Exportable | Authentication Certificate Used | Key Exchange Algorithm Used
RSA_WITH_RC4_128_MD5 | No | RSA certificate | RSA key exchange
RSA_WITH_RC4_128_SHA | No | RSA certificate | RSA key exchange
RSA_WITH_DES_CBC_SHA | No | RSA certificate | RSA key exchange
RSA_WITH_3DES_EDE_CBC_SHA | No | RSA certificate | RSA key exchange
RSA_EXPORT_WITH_RC4_40_MD5 | Yes | RSA certificate | RSA key exchange
RSA_EXPORT_WITH_DES40_CBC_SHA | Yes | RSA certificate | RSA key exchange
RSA_EXPORT1024_WITH_RC4_56_MD5 | Yes | RSA certificate | RSA key exchange
RSA_EXPORT1024_WITH_DES_CBC_SHA | Yes | RSA certificate | RSA key exchange
RSA_EXPORT1024_WITH_RC4_56_SHA | Yes | RSA certificate | RSA key exchange
RSA_WITH_AES_128_CBC_SHA | No | RSA certificate | RSA key exchange
RSA_WITH_AES_256_CBC_SHA | No | RSA certificate | RSA key exchange
Repeat the cipher command for each cipher suite that you want to include in the SSL parameter map.
The ACE chooses a cipher suite with the highest priority level from the client list. For SSL termination applications, the ACE uses the priority level to match cipher suites in the client's ClientHello handshake message. For SSL initiation applications, the priority level represents the order in which the ACE places the cipher suites in its ClientHello handshake message to the server.
The default "all cipher suites" setting works only when you do not configure the SSL parameter map with any specific ciphers. To return to using the "all cipher suites" setting, you must delete each of the specifically defined ciphers from the parameter map using the no form of the command.
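As an added illustration of how the cipher list and its priorities behave (example code written for this page, not ACE software), the Python model below implements the cipher and no cipher commands over the suites of Table 2-14, the "all cipher suites" fallback when none is configured, the termination-side choice of the highest-priority suite the client offered, and the initiation-side ClientHello ordering. Two details are my assumptions because the page does not state them: a priority tie on termination goes to the suite the client listed first, and a tie on initiation keeps configuration order. The class and method names are mine.

```python
# The cipher suites of Table 2-14, in the page's order.
SUPPORTED_CIPHERS = (
    "RSA_WITH_RC4_128_MD5",
    "RSA_WITH_RC4_128_SHA",
    "RSA_WITH_DES_CBC_SHA",
    "RSA_WITH_3DES_EDE_CBC_SHA",
    "RSA_EXPORT_WITH_RC4_40_MD5",
    "RSA_EXPORT_WITH_DES40_CBC_SHA",
    "RSA_EXPORT1024_WITH_RC4_56_MD5",
    "RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "RSA_EXPORT1024_WITH_RC4_56_SHA",
    "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_CBC_SHA",
)


class SslParameterMap:
    """Model of the cipher / no cipher commands and of how priority is applied."""

    def __init__(self):
        self._ciphers = []        # (name, priority) in configuration order

    def cipher(self, name, priority=1):
        """cipher <name> [priority <1..10>]; re-entering a suite updates its priority."""
        if name not in SUPPORTED_CIPHERS:
            raise ValueError("unsupported cipher suite: %s" % name)
        if not 1 <= priority <= 10:
            raise ValueError("priority must be between 1 and 10")
        self.no_cipher(name)
        self._ciphers.append((name, priority))

    def no_cipher(self, name):
        """no cipher <name>; removing every suite returns the map to the 'all' default."""
        self._ciphers = [(n, p) for n, p in self._ciphers if n != name]

    def effective(self):
        """Suites in force: the configured list, or every suite at priority 1 when none is configured."""
        if self._ciphers:
            return list(self._ciphers)
        return [(n, 1) for n in SUPPORTED_CIPHERS]

    def terminate(self, client_hello):
        """SSL termination: the highest-priority configured suite among those the client offered.

        A tie goes to the suite the client listed first (assumption, not from the page).
        """
        priority = dict(self.effective())
        best = None
        for name in client_hello:
            if name in priority and (best is None or priority[name] > best[0]):
                best = (priority[name], name)
        return None if best is None else best[1]

    def initiate(self):
        """SSL initiation: suite order in the ClientHello the ACE sends to the server.

        Highest priority first; ties keep configuration order (assumption).
        """
        ranked = sorted(enumerate(self.effective()),
                        key=lambda item: (-item[1][1], item[0]))
        return [name for _, (name, _) in ranked]


if __name__ == "__main__":
    pm = SslParameterMap()
    pm.cipher("RSA_WITH_AES_128_CBC_SHA", priority=2)
    pm.cipher("RSA_WITH_AES_256_CBC_SHA", priority=10)
    # Constructed client offer: the ACE picks AES-256 even though the client lists it last.
    print(pm.terminate(["RSA_WITH_RC4_128_MD5", "RSA_WITH_AES_128_CBC_SHA",
                        "RSA_WITH_AES_256_CBC_SHA"]))
    print(pm.initiate())
```

One practical point the model makes visible: with no cipher configured, every suite in the table, including the export, RC4 and single-DES ones, is acceptable at equal priority, so a client that lists a weak suite first gets it. Configuring only the AES suites, with the strongest at the highest priority, is the conservative way to use this command.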
Examples
To add the cipher suite RSA_WITH_AES_128_CBC_SHA and assign it a priority level of 2, enter:
host1/Admin(config-parammap-ssl)# cipher RSA_WITH_AES_128_CBC_SHA priority 2
To delete the cipher suite RSA_WITH_AES_128_CBC_SHA from the SSL parameter map, enter:
host1/Admin(config-parammap-ssl)# no cipher RSA_WITH_AES_128_CBC_SHA
Related Commands
(config-parammap-ssl) queue-delay timeout
(config-parammap-ssl) session-cache timeout
(config-parammap-ssl) version
show parameter-map
(config-parammap-ssl) close-protocol
To configure how the ACE handles the sending of close-notify messages, use the close-protocol command. By default, the ACE sends a close-notify alert message to its peer when closing a session but has no expectation of receiving one back from the peer. Use the no form of this command to reset the default behavior.
close-protocol {disabled | none}
no close-protocol
Syntax Description
disabled | Configures the ACE not to send a close-notify alert message to its peer when closing a session, with no expectation of receiving one back from the peer.
none | Configures the ACE to send a close-notify alert message to its peer when closing a session, but the ACE has no expectation of receiving one back from the peer.
Command Modes
SSL parameter map configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To set close-protocol to disabled, enter:
host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# close-protocol disabled
To configure the close-protocol command with the default setting of none, enter:
host1/Admin(config-parammap-ssl)# no close-protocol
Related Commands
show parameter-map
(config-parammap-ssl) expired-crl reject
To configure the ACE to reject a client certificate when the CRL in use has expired, use the expired-crl reject command. Use the no form of this command to reset the default behavior of the ACE accepting a client certificate after the CRL in use has expired.
expired-crl reject
no expired-crl reject
Syntax Description
This command has no keywords or arguments.
Command Modes
SSL parameter map configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
When you configure certificate revocation lists (CRLs) on the ACE for client authentication by using the crl command in SSL proxy configuration mode, the CRLs contain an update field that specifies the date when a new version will be available. By default, the ACE continues to use CRLs whose update field carries an expired date and, thus, does not reject incoming client certificates that it checks against such a CRL.
Examples
To configure the ACE to reject a client certificate when the CRL in use has expired, enter:
host1/Admin(config-parammap-ssl)# expired-crl reject
To reset the default behavior of the ACE accepting a client certificate after the CRL in use has expired, enter:
host1/Admin(config-parammap-ssl)# no expired-crl reject
Related Commands
show parameter-map
(config-ssl-proxy) crl
(config-parammap-ssl) queue-delay timeout
To set the queue delay time, use the queue-delay timeout command. The queue delay time is the amount of time that the ACE waits before emptying the queued data for encryption. Use the no form of this command to reset the queue delay time to its default value of 0, which disables it. By default, the queue delay timer is disabled.
queue-delay timeout milliseconds
no queue-delay
Syntax Description
milliseconds | Delay time in milliseconds before the data is emptied from the queue. Enter an integer from 0 to 10000. A value of 0 disables the delay timer, causing the ACE to encrypt data from the server as it arrives and then send the encrypted data to the client.
Command Modes
SSL parameter map configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
The queue delay applies only to data that the ACE sends to the client.
Examples
To set the queue delay time to 500 milliseconds, enter:
host1/Admin(config-parammap-ssl)# queue-delay timeout 500
To disable the queue delay time to its default value of 0, enter:
host1/Admin(config-parammap-ssl)# no queue-delay
Related Commands
show parameter-map
(config-parammap-ssl) session-cache timeout
To set the session cache timeout, use the session-cache timeout command. Use the no form of this command to disable the timer and ensure that the full SSL handshake occurs for each new connection with the ACE.
session-cache timeout seconds
no session-cache timeout
Syntax Description
seconds | Time in seconds that the ACE reuses the key stored in the cache before removing the session IDs. Enter an integer from 0 to 72000 (20 hours). By default, session ID reuse is disabled. A value of 0 causes the ACE to remove the session IDs from the cache when the cache is full and to implement the least-recently-used (LRU) timeout policy.
Command Modes
SSL parameter map configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
An SSL session ID is created every time the client and the ACE perform a full SSL key exchange and establish a new master secret key. To quicken the SSL negotiation process between the client and the ACE, the SSL session ID reuse feature allows the ACE to reuse the secret key information in the session cache. On subsequent connections with the client, the ACE reuses the key stored in the cache from the last negotiated session.
You can enable session ID reuse by setting a session cache timeout value for the total amount of time that the SSL session ID remains valid before the ACE requires a full SSL handshake to establish a new session.
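The Python model below is an added example of the cache semantics this command describes (written for this page, not ACE code): reuse disabled until a timeout is set, a timeout of 0 meaning no timer with least-recently-used eviction only when the cache is full, and a positive timeout after which the session ID is no longer valid and a full handshake is required. The cache capacity and the simulated clock are my assumptions for demonstration; the page gives no cache size. The class name and method names are mine.

```python
from collections import OrderedDict

# Page facts: the timeout is 0..72000 seconds; reuse is disabled by default;
# 0 means no timer, with LRU removal only when the cache is full.
MAX_TIMEOUT = 72000


class SessionCache:
    """SSL session ID cache keyed by session ID, storing the negotiated master secret."""

    def __init__(self, timeout=None, capacity=3):
        # timeout=None models the "no session-cache timeout" state (reuse disabled).
        if timeout is not None and not 0 <= timeout <= MAX_TIMEOUT:
            raise ValueError("timeout must be 0..%d seconds" % MAX_TIMEOUT)
        self.timeout = timeout
        self.capacity = capacity                 # assumed size; not on the page
        self.now = 0.0                           # simulated clock in seconds
        self._entries = OrderedDict()            # session_id -> (secret, stored_at)

    def store(self, session_id, master_secret):
        """Record the master secret produced by a full handshake."""
        if self.timeout is None:
            return                               # reuse disabled: cache nothing
        if session_id in self._entries:
            del self._entries[session_id]
        elif len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)    # evict the least recently used ID
        self._entries[session_id] = (master_secret, self.now)

    def resume(self, session_id):
        """Return the cached secret, or None when a full handshake is required."""
        entry = self._entries.get(session_id)
        if entry is None:
            return None
        secret, stored_at = entry
        if self.timeout and self.now - stored_at >= self.timeout:
            del self._entries[session_id]        # timer expired: new handshake
            return None
        self._entries.move_to_end(session_id)    # mark as recently used
        return secret


if __name__ == "__main__":
    cache = SessionCache(timeout=600, capacity=2)
    cache.store(b"sid-1", b"constructed-secret-1")
    print(cache.resume(b"sid-1"))                # reused while the timer runs
    cache.now += 601
    print(cache.resume(b"sid-1"))                # None: full handshake again
```

The model separates the two states the page describes that are easy to confuse: "no session-cache timeout" (reuse off, nothing is ever cached) and "session-cache timeout 0" (reuse on, entries live until the cache evicts them as least recently used).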
Examples
To set the session cache timeout to 600 milliseconds, enter:
host1/Admin(config-parammap-ssl)# session-cache timeout 600
To disable the timer and ensure that the full SSL handshake occurs for each new connection with the ACE, enter:
host1/Admin(config-parammap-ssl)# no session-cache timeout
Related Commands
show parameter-map
(config-parammap-ssl) version
To specify the versions of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) that the ACE supports when it uses the SSL proxy parameter map during the handshake process, use the version command. Use the no form of the command to remove a version from the SSL proxy parameter map.
version {all | ssl3 | tls1}
no version
Syntax Description
all | Specifies that the ACE supports both SSL (version SSL3) and TLS (version TLS1). This is the default setting.
ssl3 | Specifies that the ACE supports only SSL version SSL3.
tls1 | Specifies that the ACE supports only TLS version TLS1.
Command Modes
SSL parameter map configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To specify the version SSL3, enter:
host1/Admin(config-parammap-ssl)# version SSL3
To remove the version TLS1 from the SSL proxy parameter map, enter:
host1/Admin(config-parammap-ssl)# no version
Related Commands
(config-parammap-ssl) cipher
(config-parammap-ssl) queue-delay timeout
(config-parammap-ssl) session-cache timeout
show parameter-map