-
Cisco IOS XR Virtual Firewall Command Reference, Release 3.8
-
Preface
-
Virtual Firewall Commands on Cisco IOS XR Software
-
Class Map Commands
-
Access Control List Commands
-
Policy Map Commands
-
Virtual Firewall Interface Commands
-
Virtualization Commands
-
High Availability Commands
-
TCP/IP Normalization and IP Reassembly Parameters Commands
-
Parameter Map Commands
-
Terminal and Session Commands
-
Authentication and Accounting Commands
-
System and File Management Commands
-
SNMP Commands
-
Logging Commands
-
VASI Commands on Cisco IOS XR Software
-
Index
-
Feedback
Table Of Contents
Parameter Map Commands on the Virtual Firewall
set secondary-cookie-delimiters
Parameter Map Commands on the Virtual Firewall
Parameter map configuration mode commands allow you to define a type parameter map. After you create the connection parameter map, you can configure TCP, IP, and other settings for the map.
Note
The commands described in this module are SanOS (Linux) commands used on the VFW application. Before you can access any of these commands, you must attach from the route processor to the VFW application using the service firewall attach location command. For more information, see the "Attaching to the VFW Application" section in Cisco IOS XR Virtual Firewall Configuration Guide.
case-insensitive
To enable case-insensitive matching for HTTP, generic or Real Time Streaming Protocol (RTSP) matching only, use the case-insensitive command in the appropriate parameter map configuration mode. To reenable the default VFW application behavior of case-sensitive matching, use the no form of this command.
case-insensitive
no case-insensitive
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Parameter map HTTP configuration
Parameter map generic configuration
Parameter map RTSP configurationCommand History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the case-insensitive command to enable case-insensitive matching for HTTP, generic, or RTSP matching only. With case-insensitive matching enabled, uppercase and lowercase letters are considered the same. By default, the VFW application CLI is case sensitive.
When enabled for HTTP parameter maps, case insensitivity applies to:
•
•
•
•
When enabled for RTSP parameter maps, case insensitivity applies to:
•
•
•
When enabled for generic parameter maps, case insensitivity applies to generic-protocol, regular expression matches.
Examples
The following example shows how to enable case-insensitive-matching:
firewall/Admin(config)# parameter-map type http HTTP_MAPfirewall/Admin(config-parammap-http)# case-insensitiveRelated Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
enforce-registration
To enable registration enforcement, use the enforce-registration command in parameter map skinny configuration mode. To disable enforced registration, use the no form of this command.
enforce-registration
no enforce-registration
Syntax Description
This command has no arguments or keywords.
Defaults
By default, registration is not enforced.
Command Modes
Parameter map skinny configuration
Command History
Release 3.8.0
This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
You can configure the VFW application to allow only registered skinny clients to make calls. To accomplish this task, the VFW application maintains the state of each skinny client. After a client registers with a Cisco CallManager (CCM), the VFW application opens a secure port (pinhole) to allow that client to make a call. By default, this feature is disabled.
Examples
The following example shows how to enable registration enforcement:
firewall/Admin(config)# parameter-map type skinny SCCP_MAPfirewall/Admin(config-parammap-skinny)# enforce-registrationRelated Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
exceed-mss
To configure the VFW application behavior for a segment that exceeds the maximum segment size (MSS), use the exceed-mss command in parameter map connection configuration mode. To reset the VFW application behavior to the default of discarding segments that exceed the MSS, use the no form of this command.
exceed-mss {allow | drop}
no exceed-mss
Syntax Description
allow
Permits segments that exceed the maximum segment size.
drop
(Default) Discards segments that exceed the maximum segment size.
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to configure the VFW application to allow segments that exceed the maximum segment size:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# exceed-mss allowThe following example shows how to configure the VFW application to discard segments that exceed the MSS:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# exceed-mss dropRelated Commands
im
To enable instant messaging (IM) over Session Initiation Protocol (SIP) after it has been disabled, use the im command in parameter map SIP configuration mode. To disable instant messaging, use the no form of this command.
im
no im
Syntax Description
This command has no arguments or keywords.
Defaults
Instant messaging is enabled by default.
Command Modes
Parameter map SIP configuration
Command History
Release 3.8.0
This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Disabling IM results in the VFW application dropping all messages belonging to the IM.
Examples
The following example shows how to disable instant messaging:
firewall/Admin(config-parammap-sip)# no imRelated Commands
length-exceed
To configure how the VFW application handles URLs or cookies that exceed the maximum parse length, use the length command in parameter map HTTP configuration mode. To reset the VFW application behavior to the default of stopping load balancing and discarding a packet when its URL or cookie exceeds the maximum parse length, use the no form of this command.
length {drop | continue}
no length
Syntax Description
Defaults
No default behavior or values
Command Modes
Parameter map HTTP configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to continue load balancing when the maximum parse length is exceeded:
firewall/Admin(config)# parameter-map type http HTTP_MAPfirewall/Admin(config-parammap-http)# length continueRelated Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
max-forward-validation
To instruct the VFW application to validate the value of the Max-Forwards header field, use the max-forward-validation command in parameter map SIP configuration mode. To disable maximum forward field validation, use the no form of this command.
max-forward-validation {log | {drop | reset} [log]}
no max-forward-validation {log | {drop | reset} [log]}
Syntax Description
Command Modes
Parameter map SIP configuration
Command History
Release 3.8.0
This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
The Max-Forwards header field limits the number of hops that a SIP request can take on the way to its destination. This header field contains an integer that is decremented by one at each hop. If the Max-Forwards value reaches zero before the request reaches its destination, the request is rejected with a 483 Too Many Hops error response. You can instruct the VFW application to validate the Max-Forwards header field value and to take appropriate action if the validation fails.
Examples
The following example shows how to enable Max-Forwards header field validation:
firewall/Admin(config-parammap-sip)# max-forward-validation drop log
Related Commands
message-id max
To set the maximum Skinny Client Control Protocol (SCCP) StationMessageID that the VFW application allows, use the message-id max command in parameter map skinny configuration mode. To reset the maximum message ID to the default of 0x181, use the no form of this command.
message-id max number
no message-id max number
Syntax Description
number
Largest value for the station message ID in hexadecimal that the VFW application accepts. Enter a hexadecimal value from 0 to 4000.
Defaults
The default maximum is 0x181.
Command Modes
Parameter map skinny configuration
Command History
Release 3.8.0
This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
If a packet arrives with a station message ID greater than the maximum configured value or greater than the default value, the VFW application drops the packet and generates a syslog message.
Examples
The following example shows how to set the maximum SCCP message ID to 0x3000:
firewall/Admin(config-parammap-skinny)# message-id max 3000The following example shows how to reset the maximum message ID to the default of 0x181:
firewall/Admin(config-parammap-skinny)# no message-id max 3000Related Commands
Associates a parameter map with a Layer 3 and Layer 4 policy map.
Enables registration enforcement.
Sets the minimum and maximum SCCP prefix length.
nagle
To enable Nagle's algorithm, use the nagle command in parameter map connection configuration mode. To disable Nagle's algorithm, use the no form of this command.
nagle
no nagle
Syntax Description
This command has no arguments or keywords.
Defaults
By default, this command is disabled.
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the nagle command to enable Nagle's algorithm. By default, this command is disabled. Nagle's algorithm instructs a sender to buffer any data to be sent until all outstanding data has been acknowledged or until there is a full segment of data to send.
Nagle's algorithm automatically concatenates a number of small buffer messages transmitted over the TCP connection. This process increases throughput by decreasing the number of segments that need to be sent over the network. However, the interaction between Nagle's algorithm and the TCP delay acknowledgment may increase latency in your TCP connection. Disable Nagle's algorithm when you observe an unacceptable delay in a TCP connection.
Examples
The following example shows how to enable Nagle's algorithm:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# nagleRelated Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
parameter-map type
To create a parameter map, use the parameter-map type command in configuration mode. To remove a parameter map from the VFW application, use the no form of this command.
parameter-map type {connection | dns | generic | http | rtsp | sip | skinny} name
no parameter-map type {connection | dns | generic | http | rtsp | sip | skinny} name
Syntax Description
Defaults
No default behavior or values
Command Modes
Configuration mode
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
The parameter-map type command allows you to configure a series of Layer 3 and Layer 4 statements that instruct the VFW application how to handle TCP termination, normalization, and reuse. After you execute this command, the system enters the corresponding parameter map configuration mode.
After you configure the parameter map, you associate it with a specific action statement in a policy map.
Examples
The following example shows how to create a connection type parameter map called TCP_MAP:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)#The following example shows how to create an HTTP type parameter map called HTTP_MAP:
firewall/Admin(config)# parameter-map type http HTTP_MAPfirewall/Admin(config-parammap-http)#Related Commands
Creates a Layer 3 and Layer 4 policy map and enters policy map configuration mode.
random-sequence-number
To enable TCP sequence number randomization, use the random-sequence-number command in parameter map connection configuration mode. To disable sequence number randomization, use the no form of this command.
random-sequence-number
no random-sequence-number
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the random-sequence-number command to enable TCP sequence number randomization. This feature is enabled by default.
Randomizing TCP sequence numbers adds a measure of security to TCP connections by making it more difficult for a hacker to guess or predict the next sequence number in a TCP connection.
Examples
The following example shows how to enable sequence number randomization:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# random-sequence-numberRelated Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
rate-limit
To limit the connection rate or the bandwidth rate of a policy, use the rate-limit command. To return the behavior of the VFW application to the default of not limiting the policy bandwidth rate, use the no form of this command.
rate-limit {bandwidth bandwidth_rate | connection connection_rate}
no rate-limit {bandwidth | connection}
Syntax Description
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Release 3.8.0
This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
In addition to preserving system resources by limiting the total number of active connections to a real server, the VFW application allows you to limit the connection rate and the bandwidth rate of a policy map. The connection rate is the number of connections per second that match the policy. The bandwidth rate is the number of bytes per second that match the policy. The VFW application applies these rate limits to each class map that you associate with the policy at the virtual server level.
When the connection-rate limit or the bandwidth-rate limit is reached, the VFW application blocks any further traffic that matches that policy until the connection rate or bandwidth rate drops below the configured limit. By default, the VFW application does not limit the connection rate or the bandwidth rate of a policy.
Examples
The following example shows how to limit the connection rate of a policy to 100000 connections per second:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# rate-limit connection 100000Related Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
reserved-bits
To configure how a VFW application handles segments with the reserved bits set in the TCP header, use the reserved-bits command in parameter map connection configuration mode. To reset the default VFW application behavior of clearing reserved bits set in the TCP header of a segment, use the no form of this command.
reserved-bits {allow | clear | drop}
no reserved-bits
Syntax Description
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
The six reserved bits in the TCP header are for future use and usually have a value of 0.
Examples
The following example shows how to configure the VFW application to allow segments with the reserved bits set in the TCP header:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# reserved-bits allowRelated Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
sccp-prefix-len
To set the minimum and maximum Skinny Client Control Protocol (SCCP) prefix length, use the sccp-prefix-len command in parameter map skinny configuration mode. To reset the minimum prefix length to the default behavior, use the no form of this command.
sccp-prefix len {max number | min number}
no sccp-prefix len {max number | min number}
Syntax Description
Defaults
The default max value is 4 bytes
Command Modes
Parameter map skinny configuration
Command History
Release 3.8.0
This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
By default, the VFW application drops SCCP messages that have an SCCP prefix length that is less than the message ID. Use the sccp-prefix-len command to check for a specific minimum prefix length. You can also check for a maximum prefix length, but this check is disabled by default. The VFW application drops any skinny message packets that fail these checks and generates a syslog message.
Examples
The following example shows how to set the minimum SCCP prefix length:
firewall/Admin(config-parammap-skinny)# sccp-prefix-len min 4Related Commands
Associates a parameter map with a Layer 3 and Layer 4 policy map.
Enables registration enforcement.
Sets the maximum SCCP StationMessageID that the VFW application allows.
set content-maxparse-length
To set the maximum number of bytes to parse in HTTP content, use the set content-maxparse-length command in parameter map HTTP configuration mode. To reset the maximum parse length to the default of 4096 bytes, use the no form of this command.
set content-maxparse-length bytes
no set content maxparse-length
Syntax Description
bytes
Maximum number of bytes to parse in HTTP content. Enter an integer from 1 to 65535. The default is 4096 bytes.
Defaults
The default maximum parse length is 4096 bytes.
Command Modes
Parameter map HTTP configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to set the maximum parse length to 8192:
firewall/Admin(config)# parameter-map type http HTTP_MAPfirewall/Admin(config-parammap-http)# set content-maxparse-length 8192Related Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
set header-maxparse-length
To set the maximum number of bytes to parse for cookies, HTTP headers, and URLs, use the set header-maxparse-length command in parameter map HTTP configuration mode. To reset the HTTP header maximum parse length to the default of 2048 bytes, use the no form of this command.
set header-maxparse-length bytes
no set-header maxparse-length
Syntax Description
bytes
Maximum number of bytes to parse for the total length of all cookies, HTTP headers, and URLs. Enter an integer from 1 to 65535. The default is 2048 bytes.
Defaults
The default maximum parse length is 2048 bytes.
Command Modes
Parameter map HTTP configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to set the HTTP header maximum parse length to 8192:
firewall/Admin(config)# parameter-map type http HTTP_MAPfirewall/Admin(config-parammap-http)# set header-maxparse-length 8192Related Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
set ip tos
To set the type of service (ToS) for packets in a particular traffic class, use the set ip tos command in parameter map connection configuration mode. To instruct the VFW application not rewrite the IP ToS value, use the no form of this command.
set ip tos number
no set ip tos
Syntax Description
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
The ToS for a packet determines how the network handles the packet and balances its precedence, delay, throughput, and reliability. This information resides in the IP header.
For details about the ToS byte, see RFCs 791, 1122, 1349, and 3168.
Examples
The following example shows how to set a packet's ToS value to 20:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set ip tos 20Related Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
set max-parse-length
To set the maximum number of bytes to parse for generic protocols, use the set max-parse-length command in generic parameter-map configuration mode. To revert to the default value, use the no form of this command.
set max-parse-length bytes
no set max-parse-length bytes
Syntax Description
Defaults
The default is 2048 bytes.
Command Modes
Parameter map generic configuration
Command History
Release 3.8.0
This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to set the maximum parse length for generic protocols:
firewall/Admin(config-parammap-generi)# set max-parse-length 8192Related Commands
Creates a type parameter map.
Displays the detailed configuration information for a specified parameter map.
set secondary-cookie-delimiters
To define a list of ASCII-character delimiter strings that you can use to separate the cookies in a URL string, use the set secondary-cookie-delimiters command in parameter map HTTP configuration mode. To reset the delimiter string list to the default of /?&#+, use the no form of this command.
set secondary-cookie-delimiters text
no set secondary-cookie-delimiters
Syntax Description
text
Delimiter string. Enter an unquoted text string with no spaces and a maximum of four characters. The order of the delimiters in the list does not matter. The default list of delimiters is: /&#+.
Defaults
The default delimiter string is /?&#+.
Command Modes
Parameter map HTTP configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Cookies and their delimiters appear in GET request lines. In the following example of a GET request line, the ampersand (&) that appears between name-value pairs is the secondary cookie delimiter. The question mark (?) begins the URL query and is not configurable.
GET /default.cgi?user=me&hello=world&id=2 HTTP/1.1Examples
The following example shows how to define a list of ASCII-character delimiter strings:
firewall/Admin(config)# parameter-map type http HTTP_MAPfirewall/Admin(config-parammap-http)# set secondary-cookie-delimiters !@#$Related Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
set tcp ack-delay
To configure an ACK delay, use the set tcp ack-delay command in parameter map connection configuration mode. To reset the ACK delay timer to the default value of 200 ms, use the no form of this command.
set tcp ack-delay number
no set tcp ack-delay
Syntax Description
number
Delay time for sending an ACK from a client to a server. Enter an integer from 0 to 400 ms. The default is 200 ms.
Defaults
The default ACK delay timer is 200 ms.
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the set tcp ack-delay command to configure an ACK delay. You can configure the VFW application to delay sending the ACK from a client to a server. Some applications require delaying the ACK for best performance.
Delaying the ACK can help reduce congestion by sending one ACK for multiple segments rather than acknowledging each segment individually.
Examples
The following example shows how to delay sending an ACK for 400 ms:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set tcp ack-delay 400Related Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
set tcp mss
To set a range of values for the TCP maximum segment size (MSS), use the set tcp mss command in parameter map connection configuration mode. To reset the minimum MSS to the default value of 536 bytes and the maximum MSS to the default value of 1380, use the no form of this command.
set tcp mss min number1 max number2
no set tcp mss
Syntax Description
Defaults
The default minimum MSS is 536 bytes and the default maximum MSS is 1380.
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
The MSS is the largest amount of TCP data that the VFW application accepts in one segment. To prevent the transmission of many smaller segments or very large segments that may require fragmentation, you can set the minimum and maximum acceptable sizes of the MSS.
Both the host and the server can set the MSS when they first establish a connection. If either maximum exceeds the value you set with the set tcp mss max command, then the VFW application overrides the maximum value and inserts the value you set. If either maximum is less than the value you set with the set tcp mss min command, then the VFW application overrides the maximum and inserts the minimum value you set. (The minimum value is actually the smallest maximum allowed.) For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, then the VFW application alters the packet to request 1200 bytes (the maximum). If another host requests a maximum value of 300 bytes, then the VFW application alters the packet to request 400 bytes (the minimum).
The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. See the following calculation:
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
If the host or server does not request an MSS, the VFW application assumes that the RFC 793 default value of 536 bytes is in effect.
If you set the MSS to be greater than 1380, packets might become fragmented, depending on the MTU size (which is 1500 by default for Ethernet). Large numbers of fragments can impact the performance of the VFW application. Setting the minimum size prevents the TCP server from sending many small TCP data packets to the client and impacting the performance of the server and the network.
Examples
The following example shows how to set the minimum acceptable MSS size to 768 bytes, and the maximum acceptable MSS size to 1500:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set tcp mss min 768 max 1500Related Commands
set tcp syn-retry
To set the maximum number of attempts that the VFW application can take to transmit a TCP segment, use the set tcp syn-retry number command in parameter map connection configuration mode. To reset the maximum number of TCP SYN retries to the default value of 4, use the no form of this command.
set tcp syn-retry number
no set tcp syn-retry
Syntax Description
Defaults
The default maximum number of TCP SYN retries is 4.
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to set the maximum number of attempts that the VFW application takes to transmit a TCP segment to 3:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set tcp syn-retry 3Related Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
set tcp timeout
To configure a timeout for TCP embryonic connections and half-closed connections, use the set tcp timeout command in parameter map connection configuration mode. To reset TCP timeout values to their default settings, use the no form of this command.
set tcp timeout {embryonic seconds | half-closed seconds}
no set tcp timeout {embryonic | half-closed}
Syntax Description
Defaults
The default embryonic timeout is 5; the default half-closed timeout is 3600 (1 hour).
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the set tcp timeout command to configure a timeout for TCP embryonic connections and half-closed connections. TCP embryonic connections are connections that result from an incomplete three-way handshake. Half-closed connections are connections where the client has sent a FIN packet and the server has not responded.
Examples
The following example shows how to set the TCP timeout for embryonic connections to 24 seconds:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set tcp timeout embryonic 24Related Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
set tcp window-scale
To configure a TCP window-scale factor for network paths with high-bandwidth, long-delay characteristics, use the set tcp window-scale command in parameter map connection configuration mode. To reset the window-scale factor to its default setting, use the no form of this command.
set tcp window-scale number
no set tcp window-scale
Syntax Description
Defaults
The default window scale factor is 0.
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
The TCP window scaling feature adds support for the Window Scaling option in RFC 1323. We recommend increasing the window size to improve TCP performance in network paths with large bandwidth, long-delay characteristics. This type of network is called a long fat network (LFN).
The window scaling extension expands the definition of the TCP window to 32 bits and then uses a scale factor to carry this 32-bit value in the 16-bit window field of the TCP header. You can increase the window size to a maximum scale factor of 14. Typical applications use a scale factor of 3 when deployed in LFNs.
Examples
The following example shows how to set the TCP window-scale factor to 3:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set tcp window-scale 3Related Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
set timeout inactivity
To configure the connection inactivity timer, use the set timeout inactivity command in parameter map connection configuration mode. To reset the timeout inactivity values to the default ICMP, TCP, and UDP settings, use the no form of this command.
set timeout inactivity seconds
no set timeout inactivity
Syntax Description
Defaults
Default settings are:
•
•
•
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
The VFW application uses the connection inactivity timer to disconnect established Internet Control Message Protocol (ICMP), TCP, and User Datagram Protocol (UDP) connections that have remained idle for the duration of the specified timeout period.
The VFW application rounds up the configured timeout value to the nearest 30-second interval.
Examples
The following example shows how to specify that the VFW application disconnect idle established TCP connections after 2400 seconds:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# set timeout inactivity 2400Related Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
show login timeout
To display the login session idle timeout value, use the show login timeout command in EXEC mode.
show login timeout
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
This command requires the Admin user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
To configure the login timeout value, use the login timeout command in configuration mode.
Examples
The following example shows how to display login timeout value:
firewall/Admin#show login timeoutRelated Commands
show parameter-map
To display the detailed configuration information for a specified parameter map, use the show parameter-map command in EXEC mode.
show parameter-map parammap_name
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to display configuration for the parameter map SSL_PARAMMAP:
firewall/Admin# show parameter-map SSL_PARAMMAPRelated Commands
Displays the running configuration information associated with the current context.
slowstart
To enable the slow start algorithm, use the slowstart command in parameter map connection configuration mode. This feature is enabled by default. To disable the slow start algorithm, use the no form of this command.
slowstart
no slowstart
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the slowstart command to enable the slow start algorithm. This feature is enabled by default.
The slow start algorithm is a congestion avoidance method in which TCP increases its window size as ACK handshakes arrive. It operates by observing that the rate at which new segments should be injected into the network is the rate at which the acknowledgments are returned by the host at the other end of the connection. For further details about the TCP slow start algorithm, see RFC 3390.
Examples
The following example shows how to enable the slow start algorithm:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# slowstartRelated Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
software-version
To enable user agent (UA) software version options, use the software-version command in parameter map SIP configuration mode. To reset the software version to the default behavior, use the no form of this command.
software-version {log | mask [log]}
no software-version {log | mask [log]}
Syntax Description
log
Specifies that the VFW application log the UA software version.
mask
Specifies that the VFW application mask the UA software version.
Defaults
By default, the user agent is neither logged or masked.
Command Modes
Parameter map SIP configuration
Command History
Release 3.8.0
This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
If the software version of a user agent (UA) is exposed, the UA may be more vulnerable to attacks from hackers who exploit the security holes present in that particular version of software. To protect the UA from such attacks, the VFW application allows you to log or mask the UA software version.
Examples
The following example shows how to configure the VFW application to mask the UA software version:
firewall/Admin(config-parammap-sip)# software-version maskRelated Commands
strict-header-validation
To enable strict header validation and the action that you want the VFW application to perform if a Session Initiation Protocol (SIP) header does not meet the validation requirements, use the strict-header-validation command in parameter map SIP configuration mode. To disable strict header validation, use the no form of this command.
strict-header-validation {log | {drop | reset} [log]}
no strict-header-validation {log | {drop | reset} [log]}
Syntax Description
drop
Specifies that the VFW application drop the SIP message.
reset
Specifies that the VFW application reset the connection.
log
Specifies that the VFW application log the header validation event.
Defaults
By default, strict header validation is disabled.
Command Modes
Parameter map SIP configuration
Command History
Release 3.8.0
This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
You can ensure the validity of SIP packet headers by configuring the VFW application to check for the presence of the following mandatory SIP header fields:
•
•
•
•
•
•
If one of these header fields is missing in a SIP packet, the VFW application considers that packet invalid. The VFW application also checks for forbidden header fields, according to RFC 3261.
Examples
The following example shows how to enable strict header validation, instruct the VFW application to drop the connection if the packet header does not meet the header validation requirements, and log the event:
firewall/Admin(config-parammap-sip)# strict-header-validation drop-connection logRelated Commands
syn-data
To set the VFW application behavior for SYN segments with data, use the syn-data command in parameter map connection configuration mode. To reset the VFW application behavior to the default of allowing SYN segments that contain data, use the no form of this command.
syn-data {allow | drop}
no syn-data
Syntax Description
allow
(Default) Permits the SYN segments that contain data and flags them for data processing.
drop
Discards the SYN segments that contain data.
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Occasionally, the VFW application may receive a SYN segment that contains data. You can configure the VFW application to either discard the segment or flag the segment for data processing.
Examples
The following example shows how to instruct the VFW application to discard segments that contain data:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# syn-data dropRelated Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
tcp-options
To specify a range of TCP options not explicitly supported by the VFW application, or to allow or clear explicitly supported TCP options specified in a SYN segment, use the tcp-options command in parameter map connection configuration mode. To remove a TCP option range from the configuration or reset the behavior of the VFW application to the default of clearing the specific TCP options, use the no form of this command.
tcp-options {range number1 number2 {allow | drop} | {selective-ack | timestamp | window-scale} {allow | clear}}
no tcp-options {range number1 number2 {allow | drop} | {selective-ack | timestamp | window-scale} {allow | clear}}
Syntax Description
Defaults
No default behavior or values
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Using the tcp-options command, the VFW application permits you to allow or clear the following explicitly supported TCP options specified in a SYN segment:
•
•
•
You can specify this command multiple times to configure different options and actions. If you specify the same option with different actions, the VFW application uses the order of precedence to decide which action to use.
The order of precedence for the actions in this command is:
1.
2.
3.
Table 15 lists the TCP options explicitly supported by the VFW application.
Table 16 lists the TCP options not explicitly supported by the VFW application.
Examples
The following example shows how to allow the segment with the SACK option set:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# tcp-options selective-ack allowThe following example shows how to reset the behavior of the VFW application to the default of clearing the SACK option and allowing the segment:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# no tcp-options selective-ack allowYou can specify a range of options for each action. If you specify overlapping option ranges with different actions, the VFW application uses the order of precedence described earlier in the "Usage Guidelines" section to decide which action to perform for the specified options.
For example:
firewall/Admin(config-parammap-conn)# tcp-options range 6 7 allowfirewall/Admin(config-parammap-conn)# tcp-options range 9 18 clearfirewall/Admin(config-parammap-conn)# tcp-options range 19 26 dropThe following example shows how to remove the TCP option ranges from the configuration:
firewall/Admin(config-parammap-conn)# no tcp-options range 6 7 allowfirewall/Admin(config-parammap-conn)# no tcp-options range 9 18 clearfirewall/Admin(config-parammap-conn)# no tcp-options range 19 26 dropRelated Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
timeout query
To configure the VFW application to time out Domain Name System (DNS) queries that have no matching server response, use the timeout query command in parameter map DNS configuration mode. To reset the behavior to the default of timing out DNS queries when the underlying User Datagram Protocol (UDP) connection times out, use the no form of this command.
timeout query {number}
no timeout query {number}
Syntax Description
number
Length of time in seconds that the VFW application keeps the query entries without answers in the hash table before timing them out. Enter an integer from 2 to 120 seconds.
Defaults
The default timeout query is 10 seconds.
Command Modes
Parameter map DNS configuration
Command History
Release 3.8.0
This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
When you enable DNS inspection using the inspect dns command as a Layer 4 policy-map action, the VFW application stores DNS queries that it receives from clients in a hash table. When it receives a response from the DNS server, the VFW application forwards the server response to the client if it finds a matching query in the table and then deletes the entry in the table. Queries, for which the VFW application does not receive a response, remain in the table until they time out. The VFW application may not receive an answer for a DNS query because the server is down, the query was spoofed, and so on.
If the underlying UDP connection times out, the VFW application removes all DNS query hash entries using that UDP connection in 2 seconds. You can configure the UDP inactivity timeout using a connection parameter map. For details, see the "Configuring TCP/IP Normalization and IP Reassembly Parameters on the Virtual Firewall" module.
If the VFW application continues to receive DNS queries on the same UDP connection, the UDP connection does not time out. In this case, the queries without answers time out in 10 seconds. To change this time-out value, use the timeout query command.
Examples
The following example shows how to configure the VFW application to time out DNS query entries with no corresponding server responses after 20 seconds:
firewall/Admin(config-parammap-dns)# timeout query 20Related Commands
timeout sip-media
To specify the SIP media connection timeout, use the timeout sip-media command in parameter map SIP configuration mode. To reset the behavior to the default of timing, use the no form of this command.
timeout sip-media {number}
no timeout sip-media {number}
Syntax Description
Defaults
The default timeout is 5 seconds.
Command Modes
Parameter map SIP configuration
Command History
Release 3.8.0
This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
The VFW application opens a temporary secure port (pinhole) to stream media to a SIP client. To prevent a hacker from exploiting this port, set a timeout for SIP media by using the timeout command.
Examples
The following example shows how to configure the SIP media connection timeout to 20 seconds:
firewall/Admin(config-parammap-dns)# timeout sip-media 20Related Commands
urgent-flag
To set the Urgent Pointer policy, use the urgent-flag command in parameter map connection configuration mode. To return to the default setting of clearing the Urgent flag, use the no form of this command.
urgent-flag {allow | clear}
no urgent-flag
Syntax Description
Defaults
The urgent flag is not set.
Command Modes
Parameter map connection configuration
Command History
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
If the Urgent control bit (flag) is set in the TCP header, it indicates that the Urgent Pointer is valid. The Urgent Pointer contains an offset that indicates the location of the segment following the urgent data in the payload. Urgent data is data that should be processed as soon as possible, even before normal data is processed. The VFW application permits you to allow or clear the Urgent flag. If you clear the Urgent flag, you invalidate the Urgent Pointer.
The VFW application clears the Urgent flag for any traffic above Layer 4. If you have enabled server connection reuse, the VFW application does not pass the Urgent flag value to the server.
Examples
The following example shows how to clear the Urgent flag:
firewall/Admin(config)# parameter-map type connection TCP_MAPfirewall/Admin(config-parammap-conn)# urgent-flag clearRelated Commands
Creates a parameter map and enters parameter map configuration mode.
Displays the detailed configuration information for a specified parameter map.
uri-non-sip
To enable the detection of non-Session Initiation Protocol (SIP) uniform resource identifiers (URIs) in SIP messages, use the uri-non-sip command in parameter map SIP configuration mode. To disable the detection of non-SIP URIs, use the no form of this command.
uri-non-sip {log | mask [log]}
no uri-non-sip {log | mask [log]}
Syntax Description
log
Specifies that the VFW application log the non-SIP URI.
mask
Specifies that the VFW application mask the non-SIP URI.
Defaults
Detection of non-SIP URIs in SIP messages is disabled.
Command Modes
Parameter map SIP configuration
Command History
Release 3.8.0
This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to enable the detection of non-SIP URIs in SIP messages and log the event:
firewall/Admin(config-parammap-sip)# uri-non-sip logRelated Commands
