-
Cisco IOS XR Virtual Firewall Command Reference, Release 3.7
-
Preface
-
Virtual Firewall Commands on Cisco IOS XR Software
-
Class Map Commands
-
Access Control List Commands
-
Policy Map Commands
-
Virtual Firewall Interface Commands
-
Virtualization Commands
-
Authentication and Accounting Commands
-
High Availability Commands
-
TCP/IP Normalization and IP Reassembly Parameters Commands
-
Parameter Map Commands
-
Terminal and Session Commands
-
System and File Management Commands
-
SNMP Commands
-
Logging Commands
-
VASI Commands on Cisco IOS XR Software
-
Index
-
Table Of Contents
Parameter Map Commands on the Virtual Firewall
set secondary-cookie-delimiters
Parameter Map Commands on the Virtual Firewall
Parameter map connection configuration mode commands allow you to define a connection type parameter map. After you create the connection parameter map, you can configure TCP, IP, and other settings for the map.
Note
The commands described in this module are SanOS (Linux) commands used on the VFW application. Before you can access any of these commands, you must attach from the route processor to the VFW application using the service firewall attach location command. For more information, see the "Attaching to the VFW Application" section in Cisco IOS XR Virtual Firewall Configuration Guide.
case-sensitive
To enable case-insensitive matching for HTTP matching only, use the case-insensitive command in parameter map HTTP configuration mode. To reenable the default VFW application behavior of case-sensitive HTTP matching, use the no form of this command.
case-insensitive
no case-insensitive
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Parameter map HTTP configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the case-insensitive command to enable case-insensitive matching for HTTP matching only. With case-insensitive matching enabled, uppercase and lowercase letters are considered the same. By default, the VFW application CLI is case sensitive.
When enabled, case insensitivity applies to:
•
•
•
•
Examples
The following example shows how to enable case-insensitive-matching:
firewall/Admin(config)# parameter-map type http HTTP_MAPfirewall/Admin(config-parammap-http)# case-insensitiveRelated Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
exceed-mss
To configure the VFW application behavior for a segment that exceeds the maximum segment size (MSS), use the exceed-mss command in parameter map connection configuration mode. To reset the VFW application behavior to the default of discarding segments that exceed the MSS, use the no form of this command.
exceed-mss {allow | drop}
no exceed-mss
Syntax Description
allow
Permits segments that exceed the maximum segment size.
drop
(Default) Discards segments that exceed the maximum segment size.
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to configure the VFW application to allow segments that exceed the maximum segment size:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# exceed-mss allowThe following example shows how to configure the VFW application to discard segments that exceed the MSS:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# exceed-mss dropRelated Commands
length-exceed
To configure how the VFW application handles URLs or cookies that exceed the maximum parse length, use the length command in parameter map HTTP configuration mode. To reset the VFW application behavior to the default of stopping load balancing and discarding a packet when its URL or cookie exceeds the maximum parse length, use the no form of this command.
length {drop | continue}
no length
Syntax Description
Defaults
No default behavior or values
Command Modes
Parameter map HTTP configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to continue load balancing when the maximum parse length is exceeded:
firewall/Admin(config)# parameter-map type http HTTP_MAPfirewall/Admin(config-parammap-http)# length continueRelated Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
nagle
To enable Nagle's algorithm, use the nagle command in parameter map connection configuration mode. To disable Nagle's algorithm, use the no form of this command.
nagle
no nagle
Syntax Description
This command has no arguments or keywords.
Defaults
By default, this command is disabled.
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the nagle command to enable Nagle's algorithm. By default, this command is disabled. Nagle's algorithm instructs a sender to buffer any data to be sent until all outstanding data has been acknowledged or until there is a full segment of data to send.
Nagle's algorithm automatically concatenates a number of small buffer messages transmitted over the TCP connection. This process increases throughput by decreasing the number of segments that need to be sent over the network. However, the interaction between Nagle's algorithm and the TCP delay acknowledgment may increase latency in your TCP connection. Disable Nagle's algorithm when you observe an unacceptable delay in a TCP connection.
Examples
The following example shows how to enable Nagle's algorithm:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# nagleRelated Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
parameter-map type
To create a connection, HTTP, or SSL type parameter map, use the parameter-map type command in configuration mode. To remove a parameter map from the VFW application, use the no form of this command.
parameter-map type {connection | http} name
no parameter-map type {connection | http} name
Syntax Description
Defaults
No default behavior or values
Command Modes
Configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
The parameter-map type command allows you to configure a series of Layer 3 and Layer 4 statements that instruct the VFW application how to handle TCP termination, normalization, and reuse. After you execute this command, the system enters the corresponding parameter map configuration mode.
After you configure the parameter map, you associate it with a specific action statement in a policy map.
Examples
The following example shows how to create a connection type parameter map called TCP_MAP:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)#The following example shows how to create an HTTP type parameter map called HTTP_MAP:
firewall/Admin(config)# parameter-map type http HTTP_MAPfirewall/Admin(config-parammap-http)#Related Commands
Creates a Layer 3 and Layer 4 policy map and enters policy map configuration mode.
random-sequence-number
To enable TCP sequence number randomization, use the random-sequence-number command in parameter map connection configuration mode. To disable sequence number randomization, use the no form of this command.
random-sequence-number
no random-sequence-number
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the random-sequence-number command to enable TCP sequence number randomization. This feature is enabled by default.
Randomizing TCP sequence numbers adds a measure of security to TCP connections by making it more difficult for a hacker to guess or predict the next sequence number in a TCP connection.
Examples
The following example shows how to enable sequence number randomization:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# random-sequence-numberRelated Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
reserved-bits
To configure how a VFW application handles segments with the reserved bits set in the TCP header, use the reserved-bits command in parameter map connection configuration mode. To reset the default VFW application behavior of clearing reserved bits set in the TCP header of a segment, use the no form of this command.
reserved-bits {allow | clear | drop}
no reserved-bits
Syntax Description
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
The six reserved bits in the TCP header are for future use and usually have a value of 0.
Examples
The following example shows how to configure the VFW application to allow segments with the reserved bits set in the TCP header:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# reserved-bits allowRelated Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
set content-maxparse-length
To set the maximum number of bytes to parse in HTTP content, use the set content-maxparse-length command in parameter map HTTP configuration mode. To reset the maximum parse length to the default of 4096 bytes, use the no form of this command.
set content-maxparse-length bytes
no set content maxparse-length
Syntax Description
bytes
Maximum number of bytes to parse in HTTP content. Enter an integer from 1 to 65535. The default is 4096 bytes.
Defaults
The default maximum parse length is 4096 bytes.
Command Modes
Parameter map HTTP configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to set the maximum parse length to 8192:
firewall/Admin(config)# parameter-map type http HTTP_MAPfirewall/Admin(config-parammap-http)# set content-maxparse-length 8192Related Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
set header-maxparse-length
To set the maximum number of bytes to parse for cookies, HTTP headers, and URLs, use the set header-maxparse-length command in parameter map HTTP configuration mode. To reset the HTTP header maximum parse length to the default of 2048 bytes, use the no form of this command.
set header-maxparse-length bytes
no set-header maxparse-length
Syntax Description
bytes
Maximum number of bytes to parse for the total length of all cookies, HTTP headers, and URLs. Enter an integer from 1 to 65535. The default is 2048 bytes.
Defaults
The default maximum parse length is 2048 bytes.
Command Modes
Parameter map HTTP configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to set the HTTP header maximum parse length to 8192:
firewall/Admin(config)# parameter-map type http HTTP_MAPfirewall/Admin(config-parammap-http)# set header-maxparse-length 8192Related Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
set ip tos
To set the type of service (ToS) for packets in a particular traffic class, use the set ip tos command in parameter map connection configuration mode. To instruct the VFW application not rewrite the IP ToS value, use the no form of this command.
set ip tos number
no set ip tos
Syntax Description
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
The ToS for a packet determines how the network handles the packet and balances its precedence, delay, throughput, and reliability. This information resides in the IP header.
For details about the ToS byte, see RFCs 791, 1122, 1349, and 3168.
Examples
The following example shows how to set a packet's ToS value to 20:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set ip tos 20Related Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
set secondary-cookie-delimiters
To define a list of ASCII-character delimiter strings that you can use to separate the cookies in a URL string, use the set secondary-cookie-delimiters command in parameter map HTTP configuration mode. To reset the delimiter string list to the default of /?&#+, use the no form of this command.
set secondary-cookie-delimiters text
no set secondary-cookie-delimiters
Syntax Description
text
Delimiter string. Enter an unquoted text string with no spaces and a maximum of four characters. The order of the delimiters in the list does not matter. The default list of delimiters is: /&#+.
Defaults
The default delimiter string is /?&#+.
Command Modes
Parameter map HTTP configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Cookies and their delimiters appear in GET request lines. In the following example of a GET request line, the ampersand (&) that appears between name-value pairs is the secondary cookie delimiter. The question mark (?) begins the URL query and is not configurable.
GET /default.cgi?user=me&hello=world&id=2 HTTP/1.1Examples
The following example shows how to define a list of ASCII-character delimiter strings:
firewall/Admin(config)# parameter-map type http HTTP_MAPfirewall/Admin(config-parammap-http)# set secondary-cookie-delimiters !@#$Related Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
set tcp ack-delay
To configure an ACK delay, use the set tcp ack-delay command in parameter map connection configuration mode. To reset the ACK delay timer to the default value of 200 ms, use the no form of this command.
set tcp ack-delay number
no set tcp ack-delay
Syntax Description
number
Delay time for sending an ACK from a client to a server. Enter an integer from 0 to 400 ms. The default is 200 ms.
Defaults
The default ACK delay timer is 200 ms.
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the set tcp ack-delay command to configure an ACK delay. You can configure the VFW application to delay sending the ACK from a client to a server. Some applications require delaying the ACK for best performance.
Delaying the ACK can help reduce congestion by sending one ACK for multiple segments rather than acknowledging each segment individually.
Examples
The following example shows how to delay sending an ACK for 400 ms:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set tcp ack-delay 400Related Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
set tcp mss
To set a range of values for the TCP maximum segment size (MSS), use the set tcp mss command in parameter map connection configuration mode. To reset the minimum MSS to the default value of 536 bytes and the maximum MSS to the default value of 1380, use the no form of this command.
set tcp mss min number1 max number2
no set tcp mss
Syntax Description
Defaults
The default minimum MSS is 536 bytes and the default maximum MSS is 1380.
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
The MSS is the largest amount of TCP data that the VFW application accepts in one segment. To prevent the transmission of many smaller segments or very large segments that may require fragmentation, you can set the minimum and maximum acceptable sizes of the MSS.
Both the host and the server can set the MSS when they first establish a connection. If either maximum exceeds the value you set with the set tcp mss max command, then the VFW application overrides the maximum value and inserts the value you set. If either maximum is less than the value you set with the set tcp mss min command, then the VFW application overrides the maximum and inserts the minimum value you set. (The minimum value is actually the smallest maximum allowed.) For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, then the VFW application alters the packet to request 1200 bytes (the maximum). If another host requests a maximum value of 300 bytes, then the VFW application alters the packet to request 400 bytes (the minimum).
The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. See the following calculation:
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
If the host or server does not request an MSS, the VFW application assumes that the RFC 793 default value of 536 bytes is in effect.
If you set the MSS to be greater than 1380, packets might become fragmented, depending on the MTU size (which is 1500 by default for Ethernet). Large numbers of fragments can impact the performance of the VFW application. Setting the minimum size prevents the TCP server from sending many small TCP data packets to the client and impacting the performance of the server and the network.
Examples
The following example shows how to set the minimum acceptable MSS size to 768 bytes, and the maximum acceptable MSS size to 1500:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set tcp mss min 768 max 1500Related Commands
set tcp syn-retry
To set the maximum number of attempts that the VFW application can take to transmit a TCP segment, use the set tcp syn-retry number command in parameter map connection configuration mode. To reset the maximum number of TCP SYN retries to the default value of 4, use the no form of this command.
set tcp syn-retry number
no set tcp syn-retry
Syntax Description
Defaults
The default maximum number of TCP SYN retries is 4.
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to set the maximum number of attempts that the VFW application takes to transmit a TCP segment to 3:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set tcp syn-retry 3Related Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
set tcp timeout
To configure a timeout for TCP embryonic connections and half-closed connections, use the set tcp timeout command in parameter map connection configuration mode. To reset TCP timeout values to their default settings, use the no form of this command.
set tcp timeout {embryonic seconds | half-closed seconds}
no set tcp timeout {embryonic | half-closed}
Syntax Description
Defaults
The default embryonic timeout is 5; the default half-closed timeout is 3600 (1 hour).
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the set tcp timeout command to configure a timeout for TCP embryonic connections and half-closed connections. TCP embryonic connections are connections that result from an incomplete three-way handshake. Half-closed connections are connections where the client has sent a FIN packet and the server has not responded.
Examples
The following example shows how to set the TCP timeout for embryonic connections to 24 seconds:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set tcp timeout embryonic 24Related Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
set tcp window-scale
To configure a TCP window-scale factor for network paths with high-bandwidth, long-delay characteristics, use the set tcp window-scale command in parameter map connection configuration mode. To reset the window-scale factor to its default setting, use the no form of this command.
set tcp window-scale number
no set tcp window-scale
Syntax Description
Defaults
The default window scale factor is 0.
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
The TCP window scaling feature adds support for the Window Scaling option in RFC 1323. We recommend increasing the window size to improve TCP performance in network paths with large bandwidth, long-delay characteristics. This type of network is called a long fat network (LFN).
The window scaling extension expands the definition of the TCP window to 32 bits and then uses a scale factor to carry this 32-bit value in the 16-bit window field of the TCP header. You can increase the window size to a maximum scale factor of 14. Typical applications use a scale factor of 3 when deployed in LFNs.
Examples
The following example shows how to set the TCP window-scale factor to 3:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set tcp window-scale 3Related Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
set timeout inactivity
To configure the connection inactivity timer, use the set timeout inactivity command in parameter map connection configuration mode. To reset the timeout inactivity values to the default ICMP, TCP, and UDP settings, use the no form of this command.
set timeout inactivity seconds
no set timeout inactivity
Syntax Description
Defaults
Default settings are:
•
•
•
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
The VFW application uses the connection inactivity timer to disconnect established ICMP, TCP, and UDP connections that have remained idle for the duration of the specified timeout period.
The VFW application rounds up the configured timeout value to the nearest 30-second interval.
Examples
The following example shows how to specify that the VFW application disconnect idle established TCP connections after 2400 seconds:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set timeout inactivity 2400Related Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
show login timeout
To display the login session idle timeout value, use the show login timeout command in EXEC mode.
show login timeout
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
To configure the login timeout value, use the login timeout command in configuration mode.
Examples
The following example shows how to display login timeout value:
firewall/Admin# show login timeoutRelated Commands
show parameter-map
To display the detailed configuration information for a specified parameter map, use the show parameter-map command in EXEC mode.
show parameter-map parammap_name
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to display configuration for the parameter map SSL_PARAMMAP:
firewall/Admin# show parameter-map SSL_PARAMMAPRelated Commands
Displays the running configuration information associated with the current context.
slowstart
To enable the slow start algorithm, use the slowstart command in parameter map connection configuration mode. This feature is enabled by default. To disable the slow start algorithm, use the no form of this command.
slowstart
no slowstart
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the slowstart command to enable the slow start algorithm. This feature is enabled by default.
The slow start algorithm is a congestion avoidance method in which TCP increases its window size as ACK handshakes arrive. It operates by observing that the rate at which new segments should be injected into the network is the rate at which the acknowledgments are returned by the host at the other end of the connection. For further details about the TCP slow start algorithm, see RFC 3390.
Examples
The following example shows how to enable the slow start algorithm:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# slowstartRelated Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
syn-data
To set the VFW application behavior for SYN segments with data, use the syn-data command in parameter map connection configuration mode. To reset the VFW application behavior to the default of allowing SYN segments that contain data, use the no form of this command.
syn-data {allow | drop}
no syn-data
Syntax Description
allow
(Default) Permits the SYN segments that contain data and flags them for data processing.
drop
Discards the SYN segments that contain data.
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Occasionally, the VFW application may receive a SYN segment that contains data. You can configure the VFW application to either discard the segment or flag the segment for data processing.
Examples
The following example shows how to instruct the VFW application to discard segments that contain data:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# syn-data dropRelated Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
tcp-options
To specify a range of TCP options not explicitly supported by the VFW application, or to allow or clear explicitly supported TCP options specified in a SYN segment, use the tcp-options command in parameter map connection configuration mode. To remove a TCP option range from the configuration or reset the behavior of the VFW application to the default of clearing the specific TCP options, use the no form of this command.
tcp-options {range number1 number2 {allow | drop} | {selective-ack | timestamp | window-scale} {allow | clear}}
no tcp-options {range number1 number2 {allow | drop} | {selective-ack | timestamp | window-scale} {allow | clear}}
Syntax Description
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Using the tcp-options command, the VFW application permits you to allow or clear the following explicitly supported TCP options specified in a SYN segment:
•
•
•
You can specify this command multiple times to configure different options and actions. If you specify the same option with different actions, the VFW application uses the order of precedence to decide which action to use.
The order of precedence for the actions in this command is:
1.
2.
3.
Table 1 lists the TCP options explicitly supported by the VFW application.
Table 2 lists the TCP options not explicitly supported by the VFW application.
Examples
The following example shows how to allow the segment with the SACK option set:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# tcp-options selective-ack allowThe following example shows how to reset the behavior of the VFW application to the default of clearing the SACK option and allowing the segment:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# no tcp-options selective-ack allowYou can specify a range of options for each action. If you specify overlapping option ranges with different actions, the VFW application uses the order of precedence described earlier in the "Usage Guidelines" section to decide which action to perform for the specified options.
For example:
firewall/Admin(config-parammap-conn)# tcp-options range 6 7 allowfirewall/Admin(config-parammap-conn)# tcp-options range 9 18 clearfirewall/Admin(config-parammap-conn)# tcp-options range 19 26 dropThe following example shows how to remove the TCP option ranges from the configuration:
firewall/Admin(config-parammap-conn)# no tcp-options range 6 7 allowfirewall/Admin(config-parammap-conn)# no tcp-options range 9 18 clearfirewall/Admin(config-parammap-conn)# no tcp-options range 19 26 dropRelated Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
urgent-flag
To set the Urgent Pointer policy, use the urgent-flag command in parameter map connection configuration mode. To return to the default setting of clearing the Urgent flag, use the no form of this command.
urgent-flag {allow | clear}
no urgent-flag
Syntax Description
Defaults
The urgent flag is not set.
Command Modes
Parameter map connection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
If the Urgent control bit (flag) is set in the TCP header, it indicates that the Urgent Pointer is valid. The Urgent Pointer contains an offset that indicates the location of the segment following the urgent data in the payload. Urgent data is data that should be processed as soon as possible, even before normal data is processed. The VFW application permits you to allow or clear the Urgent flag. If you clear the Urgent flag, you invalidate the Urgent Pointer.
The VFW application clears the Urgent flag for any traffic above Layer 4. If you have enabled server connection reuse, the VFW application does not pass the Urgent flag value to the server.
Examples
The following example shows how to clear the Urgent flag:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# urgent-flag clearRelated Commands
Creates a connection, HTTP, or SSL type parameter map.
Displays the detailed configuration information for a specified parameter map.
