-
Cisco Security Appliance Command Reference, Version 7.2
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting command through accounting-server-group Commands
-
acl-netmask-convert through auto-update timeout Commands
-
backup interface through browse networks Commands
-
cache through clear compression Commands
-
clear conn through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
ddns through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
intercept-dhcp through issuer-name Commands
-
java-trustpoint through kill Commands
-
l2tp tunnel hello through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
packet-tracer through pwd Commands
-
queue-limit through router rip Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show ddns through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show xlate Commands
-
shun through sysopt radius ignore-secret Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Table Of Contents
queue-limit through rtp-conformance Commands
remote-access threshold session-threshold-exceeded
queue-limit through rtp-conformance Commands
queue-limit (priority-queue)
To specify the depth of the priority queues, use the queue-limit command in priority-queue mode. To remove this specification, use the no form of this command.
queue-limit number-of-packets
no queue-limit number-of-packets
Syntax Description
Defaults
The default queue limit is 1024 packets.
Command Modes
The following table shows the modes in which you can enter the command:
Priority-queue
•
•
•
•
—
Command History
Usage Guidelines
The security appliance allows two classes of traffic: low-latency queuing (LLQ) for higher priority, latency sensitive traffic (such as voice and video) and best-effort, the default, for all other traffic. The security appliance recognizes priority traffic and enforces appropriate Quality of Service (QoS) policies. You can configure the size and depth of the priority queue to fine-tune the traffic flow.
You must use the priority-queue command to create the priority queue for an interface before priority queuing takes effect. You can apply one priority-queue command to any interface that can be defined by the nameif command.
The priority-queue command enters priority-queue mode, as shown by the prompt. In priority-queue mode, you can configure the maximum number of packets allowed in the transmit queue at any given time (tx-ring-limit command) and the number of packets of either type (priority or best -effort) allowed to be buffered before dropping packets (queue-limit command).
Note
The tx-ring-limit and the queue-limit that you specify affect both the higher priority low-latency queue and the best-effort queue. The tx-ring-limit is the number of either type of packets allowed into the driver before the driver pushes back to the queues sitting in front of the interface to let them buffer packets until the congestion clears. In general, you can adjust these two parameters to optimize the flow of low-latency traffic.
Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped. This is tail drop. To avoid having the queue fill up, you can use the queue-limit command to increase the queue buffer size.
Note
Examples
The following example configures a priority queue for the interface named test, specifying a queue limit of 30,000 packets and a transmit queue limit of 256 packets.
hostname(config)# priority-queue testhostname(priority-queue)# queue-limit 30000hostname(priority-queue)# tx-ring-limit 256hostname(priority-queue)#Related Commands
queue-limit (tcp-map)
To configure the maximum number of out-of-order packets that can be buffered and put in order for a TCP connection, use the queue-limit command in tcp-map configuration mode. To set the value back to the default, use the no form of this command. This command is part of the TCP normalization policy enabled using the set connection advanced-options command.
queue-limit pkt_num [timeout seconds]
no queue-limit
Syntax Description
Defaults
The default setting is 0, which means this command is disabled.
The default timeout is 4 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable TCP normalization, use the Modular Policy Framework:
1.
a.
2.
3.
a.
b.
4.
If you do not enable TCP normalization, or if the queue-limit command is set to the default of 0, which means it is disabled, then the default system queue limit is used depending on the type of traffic:
•
•
If you set the queue-limit command to be 1 or above, then the number of out-of-order packets allowed for all TCP traffic matches this setting. For application inspection, IPS, and TCP check-retransmission traffic, any advertized settings are ignored. For other TCP traffic, out-of-order packets are now buffered and put in order instead of passed through untouched.
Examples
The following example sets the queue limit to 8 packets and the buffer timeout to 6 seconds for all Telnet connections:
hostname(config)# tcp-map tmaphostname(config-tcp-map)# queue-limit 8 timeout 6hostname(config)# class-map cmaphostname(config-cmap)# match port tcp eq telnethostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalhostname(config)#Related Commands
quit
To exit the current configuration mode, or to logout from privileged or user EXEC modes, use the quit command.
quit
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
You can also use the key sequence Ctrl Z to exit global configuration (and higher) modes. This key sequence does not work with privileged or user EXEC modes.
When you enter the quit command in privileged or user EXEC modes, you log out from the security appliance. Use the disable command to return to user EXEC mode from privileged EXEC mode.
Examples
The following example shows how to use the quit command to exit global configuration mode, and then logout from the session:
hostname(config)# quithostname# quitLogoffThe following example shows how to use the quit command to exit global configuration mode, and then use the disable command to exit privileged EXEC mode:
hostname(config)# quithostname# disablehostname>Related Commands
radius-common-pw
To specify a common password to be used for all users who are accessing this RADIUS authorization server through this security appliance, use the radius-common-pw command in AAA-server host mode. To remove this specification, use the no form of this command:
radius-common-pw string
no radius-common-pw
Syntax Description
string
A case-sensitive, alphanumeric keyword of up to 127 characters to be used as a common password for all authorization transactions with this RADIUS server.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server host
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for RADIUS authorization servers.
The RADIUS authorization server requires a password and username for each connecting user. The security appliance provides the username automatically. You enter the password here. The RADIUS server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this security appliance. Be sure to provide this information to your RADIUS server administrator.
If you do not specify a common user password, each user's password is his or her own username. For example, a user with the username "jsmith" would enter "jsmith". If you are using usernames for the common user passwords, as a security precaution do not use this RADIUS server for authorization anywhere else on your network.
13-125
Note
Examples
The following example configures a RADIUS AAA server group named "svrgrp1" on host "1.2.3.4", sets the timeout interval to 9 seconds, sets the retry interval to 7 seconds, and configures the RADIUS commnon password as "allauthpw".
hostname(config)# aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)# timeout 9hostname(config-aaa-server-host)# retry 7hostname(config-aaa-server-host)# radius-common-pw allauthpwhostname(config-aaa-server-host)# exithostname(config)#Related Commands
radius-with-expiry
To have the security appliance use MS-CHAPv2 to negotiate a password update with the user during authentication, use the radius-with-expiry command in tunnel-group ipsec-attributes configuration mode. The security appliance ignores this command if RADIUS authentication has not been configured.
To return to the default value, use the no form of this command.
radius-with-expiry
no radius-with-expiry
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting for this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute only to IPSec remote-access tunnel-group type.
Examples
The following example entered in config-ipsec configuration mode, configures Radius with Expiry for the remote-access tunnel group named remotegrp:
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp ipsec-attributeshostname(config-tunnel-ipsec)# radius-with-expiryhostname(config-tunnel-ipsec)#Related Commands
rate-limit
When using the Modular Policy Framework, limit the rate of messages for packets that match a match command or class map by using the rate-limit command in match or class configuration mode. This rate limit action is available in an inspection policy map (the policy-map type inspect command) for application traffic; however, not all applications allow this action. To disable this action, use the no form of this command.
rate-limit messages_per_second
no rate-limit messages_per_second
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Match and class configuration
•
•
•
•
—
Command History
Usage Guidelines
An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depends on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the rate-limit command to limit the rate of messages.
When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action, for example, enter the inspect dns dns_policy_map command where dns_policy_map is the name of the inspection policy map.
Examples
The following example limits the invite requests to 100 messages per second:
hostname(config-cmap)# policy-map type inspect sip sip-map1hostname(config-pmap-c)# match request-method invitehostname(config-pmap-c)# rate-limit 100Related Commands
reactivation-mode
To specify the method by which failed servers in a group are reactivated, use the reactivation-mode command in aaa-server protocol mode. To remove this specification, use the no form of this command:
reactivation-mode {depletion [deadtime minutes] | timed}
no reactivation-mode [depletion [deadtime minutes] | timed]
Syntax Description
Defaults
The default reactivation mode is depletion, and the default deadtime value is 10.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server protcocol configuration
•
•
•
•
—
Command History
Usage Guidelines
Each server group has an attribute that specifies the reactivation policy for its servers.
In depletion mode, when a server is deactivated, it remains inactive until all other servers in the group are inactive. When and if this occurs, all servers in the group are reactivated. This approach minimizes the occurrence of connection delays due to failed servers. When depletion mode is in use, you can also specify the deadtime parameter. The deadtime parameter specifies the amount of time (in minutes) that will elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. This parameter is meaningful only when the server group is being used in conjunction with the local fallback feature.
In timed mode, failed servers are reactivated after 30 seconds of down time. This is useful when customers use the first server in a server list as the primary server and prefer that it is online whenever possible. This policy breaks down in the case of UDP servers. Since a connection to a UDP server will not fail, even if the server is not present, UDP servers are put back on line blindly. This could lead to slowed connection times or connection failures if a server list contains multiple servers that are not reachable.
Accounting server groups that have simultaneous accounting enabled are forced to use the timed mode. This implies that all servers in a given list are equivalent.
Examples
The following example configures aTACACS+ AAA server named "srvgrp1" to use the depletion reactivation mode, with a deadtime of 15 minutes:
hostname(config)# aaa-server svrgrp1 protocol tacacs+hostname(config-aaa-sersver-group)# reactivation-mode depletion deadtime 15hostname(config-aaa-server)# exithostname(config)#The following example configures aTACACS+ AAA server named "srvgrp1" to use timed reactivation mode:
hostname(config)# aaa-server svrgrp2 protocol tacacs+hostname(config-aaa-server)# reactivation-mode timedhostname(config-aaa-server)#Related Commands
redistribute (OSPF)
To redistribute routes from one routing domain into an OSPF routing process, use the redistribute command in router configuration mode. To remove the redistribution, use the no form of this command.
redistribute {{ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}]} | rip | static | connected} [metric metric_value] [metric-type metric_type] [route-map map_name] [tag tag_value] [subnets]
no redistribute {{ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}]} | rip | static | connected} [metric metric_value] [metric-type metric_type] [route-map map_name] [tag tag_value] [subnets]
Syntax Description
Defaults
The following are the command defaults:
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Preexisting
This command was preexisting.
7.2(1)
This command was modified to include the rip keyword.
Examples
This example shows how to redistribute static routes into the current OSPF process:
hostname(config)# router ospf 1hostname(config-router)# redistribute staticRelated Commands
redistribute (RIP)
To redistribute routes from another routing domain into the RIP routing process, use the redistribute command in router configuration mode. To remove the redistribution, use the no form of this command.
redistribute {{ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}]} | static | connected} [metric {metric_value | transparent}] [route-map map_name]
no redistribute {{ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}]} | static | connected} [metric {metric_value | transparent}] [route-map map_name]
Syntax Description
Defaults
The following are the command defaults:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Examples
This example shows how to redistribute static routes into the current RIP process:
hostname(config)# router riphostname(config-router)# network 10.0.0.0hostname(config-router)# redistribute static metric 2Related Commands
regex
To create a regular expression to match text, use the regex command in global configuration mode. To delete a regular expression, use the no form of this command.
regex name regular_expression
no regex name [regular_expression]
Syntax Description
name
Specifies the regular expression name, up to 40 characters in length.
regular_expression
Specifies the regular expression up to 100 characters in length. See "Usage Guidelines" for a list of metacharacters you can use in the regular expression.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The regex command can be used for various features that require text matching. For example, you can configure special actions for application inspection using Modular Policy Framework using an inspection policy map (see the policy map type inspect command). In the inspection policy map, you can identify the traffic you want to act upon by creating an inspection class map containing one or more match commands or you can use match commands directly in the inspection policy map. Some match commands let you identify text in a packet using a regular expression; for example, you can match URL strings inside HTTP packets. You can group regular expressions in a regular expression class map (see the class-map type regex command).
A regular expression matches text strings either literally as an exact string, or by using metacharacters so you can match multiple variants of a text string. You can use a regular expression to match the content of certain application traffic; for example, you can match body text inside an HTTP packet.
Table 23-1 lists the metacharacters that have special meanings.
