Table Of Contents
Interface Configuration Mode Commands
(config-if) access-group
(config-if) alias
(config-if) arp
(config-if) arp inspection
(config-if) bridge-group
(config-if) description
(config-if) fragment chain
(config-if) fragment min-mtu
(config-if) fragment timeout
(config-if) icmp-guard
(config-if) ip address
(config-if) ip df
(config-if) ip dhcp relay enable
(config-if) ip dhcp relay server
(config-if) ip options
(config-if) ip route inject vlan
(config-if) ip ttl minimum
(config-if) ip verify reverse-path
(config-if) mac address autogenerate
(config-if) mac-sticky enable
(config-if) mtu
(config-if) nat-pool
(config-if) normalization
(config-if) peer ip address
(config-if) service-policy input
(config-if) shutdown
(config-if) syn-cookie
(config-if) udp
Interface Configuration Mode Commands
Interface configuration mode commands allow you to configure a VLAN interface or a bridge-group virtual interface (BVI). To assign a VLAN interface to a context and access interface configuration mode, use the interface vlan command in configuration mode. To create a BVI for a bridge group in the context, use the interface bvi command. The CLI prompt changes to (config-if). For information about the commands in interface configuration mode, see the following commands.
Use the no form of the interface command to delete a BVI or VLAN interface from the context.
interface {bvi group_number | vlan number}
no interface {bvi group_number | vlan number}
Syntax Description
bvi group_number | Creates a BVI for a bridge group and accesses interface configuration mode commands for the BVI. The group_number argument is the bridge-group number configured on a VLAN interface.
vlan number | Assigns the VLAN to the context and accesses interface configuration mode commands for the VLAN. The number argument is the number for a VLAN assigned to the ACE from the supervisor engine for the Catalyst 6500 series switch.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
All commands in this mode require the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
To enable the bridge-group VLANs, you must configure a bridge-group virtual interface (BVI) that represents a corresponding bridge group. An IP address in the same subnet should be configured on the BVI. This address is used for management traffic and as a source IP address for traffic from the ACE, similar to ARP requests.
The ACE supports a maximum of 4,093 VLAN interfaces with a maximum of 1,024 shared VLANs.
The ACE supports a maximum of 4,094 BVI interfaces.
The ACE supports a maximum of 8,192 interfaces per system that include VLANs, shared VLANs, and BVI interfaces.
The ACE requires a route back to the client before it can forward a request to a server. If the route back is not present, the ACE cannot establish a flow and drops the client request. Make sure that you configure the appropriate routing to the client network on the ACE VLAN where the client traffic enters the ACE module.
Examples
To assign VLAN interface 200 to the Admin context and access interface configuration mode, enter:
host1/Admin(config)# interface vlan 200
To remove a VLAN, enter:
host1/Admin(config)# no interface vlan 200
To create a BVI for bridge group 15, enter:
host1/Admin(config)# interface bvi 15
To delete a BVI for bridge group 15, enter:
host1/Admin(config)# no interface bvi 15
Related Commands
show arp
show interface
show ip
show running-config
show vlans
(config-if) access-group
To apply an access control list (ACL) to the inbound or outbound direction of a VLAN interface and make the ACL active, use the access-group command. Use the no form of this command to remove an ACL from an interface.
access-group {input | output} acl_name
no access-group {input | output} acl_name
Syntax Description
input | Specifies the inbound direction of the interface to which you want to apply the ACL.
output | Specifies the outbound direction of the interface to which you want to apply the ACL.
acl_name | Identifier of an existing ACL that you want to apply to an interface.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
You must apply ACLs to a VLAN interface to allow traffic to pass on that interface. You can apply one ACL of each type (extended and EtherType) in each direction of the interface. For connectionless protocols, apply the ACL to both the source and destination interfaces if you want traffic to pass in both directions. For example, to allow Border Gateway Protocol (BGP) through an ACL in transparent mode, you must apply the ACL to both interfaces.
A bridge-group VLAN supports extended ACLs for IP traffic and EtherType ACLs for non-IP traffic. EtherType ACLs support Ethernet V2 frames. You can configure the ACE to pass one or any of the following non-IP EtherTypes: Multiprotocol Label Switching (MPLS), IP version 6 (ipv6), and bridge protocol data units (BPDUs).
The output option is not allowed for EtherType ACLs.
To apply an ACL globally to all interfaces in a context, use the (config) access-group command.
Examples
To apply an ACL named INBOUND to the inbound direction of an interface, enter:
host1/Admin(config)# interface vlan100
host1/Admin(config-if)# access-group input INBOUND
To remove an ACL from an interface, enter:
host1/Admin(config-if)# no access-group input INBOUND
Related Commands
show access-list
(config) access-group
(config) access-list extended
(config-if) alias
To configure an IP address that is shared between active and standby modules for a bridge-group virtual interface (BVI) or VLAN interface, use the alias command. Use the no form of this command to delete an alias IP address.
alias ip_address mask [secondary]
no alias ip_address mask [secondary]
Syntax Description
ip_address | IP address of the interface. Enter the IP address in dotted-decimal notation (for example, 172.16.27.1).
mask | Subnet mask of the interface. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0).
secondary | Configures the alias IP address as a secondary alias IP address. You can configure a maximum of four secondary addresses. The ACE has a system limit of 1,024 secondary addresses. The secondary alias address becomes active only when the corresponding secondary IP address is configured. If you remove the secondary IP address, the secondary alias address becomes inactive.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
A2(3.0) | The secondary option was added.
Usage Guidelines
You must configure redundancy (fault tolerance) on the ACE for the alias IP address to work. For more information on redundancy, see the Cisco Application Control Engine Module Administration Guide.
For stealth firewalls, an ACE balances traffic among unique VLAN alias IP address interfaces on another ACE that provides paths through stealth firewalls. You configure a stealth firewall so that all traffic moving in both directions across that VLAN moves through the same firewall.
For details about firewall load balancing (FWLB), see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.
You cannot configure secondary IP addresses on FT VLANs.
Examples
To configure an alias IP address and mask, enter:
host1/Admin(config-if)# alias 12.0.0.81 255.0.0.0
To configure a secondary alias IP address, enter:
host1/Admin(config-if)# alias 193.168.12.15 255.255.255.0 secondary
To remove an alias IP address, enter:
host1/Admin(config-if)# no alias 192.168.12.15 255.255.255.0
To remove a secondary alias IP address, enter:
host1/Admin(config-if)# no alias 193.168.12.15 255.255.255.0 secondary
Related Commands
show interface
(config-if) arp
To add a static ARP entry in the ARP table for a VLAN interface, use the arp command. Use the no form of this command to remove a static ARP entry.
arp ip_address mac_address
no arp ip_address mac_address
Syntax Description
ip_address | IP address for an ARP table entry. Enter the IP address in dotted-decimal notation (for example, 172.16.27.1).
mac_address | MAC address for the ARP table entry. Enter the MAC address in dotted-hexadecimal notation (for example, 00.02.9a.3b.94.d9).
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
Static ARPs for bridged interfaces are configured on the specific interface.
Examples
To allow ARP responses from the router at 10.1.1.1 with the MAC address 00.02.9a.3b.94.d9, enter:
host1/Admin(config-if)# arp 10.1.1.1 00.02.9a.3b.94.d9
To remove a static ARP entry, use the no arp command. For example, enter:
host1/Admin(config-if)# no arp 10.1.1.1 00.02.9a.3b.94.d9
Related Commands
show arp
(config-if) arp inspection
To enable the ACE to dynamically check the source MAC address in an Ethernet header against the sender's MAC address in an ARP payload for every ARP packet received by the ACE, use the arp inspection command. Use the no form of this command to restore the default of not validating source MAC addresses.
arp inspection validate src-mac [flood | no-flood]
no arp inspection validate src-mac
Syntax Description
validate src-mac | Instructs the ACE to check the source MAC address in an Ethernet header against the sender's MAC address in an ARP payload for every ARP packet received by the ACE.
flood | (Optional) Enables ARP forwarding for the interface and forwards ARP packets with nonmatching source MAC addresses to all interfaces in the bridge group. This is the default option when you enable dynamic ARP inspection.
no-flood | (Optional) Disables ARP forwarding for the interface and drops ARP packets with nonmatching source MAC addresses.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(6.3) | This command was introduced.
Usage Guidelines
The ACE does not learn or update the ARP or MAC tables for packets with different MAC addresses. By default, dynamic ARP inspection is disabled. If you enable this feature, the default option is flood.
Use this feature for interoperability with third-party firewalls (for example, CheckPoint).
If ARP inspection fails, then the ACE does not perform source MAC validation. For details about ARP inspection, see the (config) arp command.
Regardless of whether you enter the flood or the no-flood option, if the source MAC address of the ARP packet does not match the MAC address of the Ethernet header, then the source MAC validation fails and the ACE increments the Smac-validation Failed counter of the show arp command.
Examples
To enable the ACE to check the source MAC address in an Ethernet header against the sender's MAC address in an ARP payload for every ARP packet received by the ACE and to forward (flood) the packets, enter:
host1/Admin(config-if)# arp inspection validate src-mac
To restore the behavior of the ACE to the default of not validating source MAC addresses, enter the following command:
host1/Admin(config-if)# no arp inspection validate src-mac
Related Commands
show arp
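The source-MAC validation described above, as an added example that is not part of the original page or Cisco's code: a Python model that parses a constructed Ethernet/ARP frame, compares the Ethernet source MAC with the ARP sender hardware address, applies the flood or no-flood decision, and increments the equivalent of the Smac-validation Failed counter. All MAC and IP values are constructed.

```python
"""Model of the ACE 'arp inspection validate src-mac' check described above.

Added example, not Cisco code. It parses a raw Ethernet/ARP frame, compares
the Ethernet source MAC with the ARP sender hardware address, and applies the
flood / no-flood decision from the page. All frames and MAC/IP values below
are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ETH_HDR_LEN = 14
ARP_IPV4_LEN = 28  # fixed-size ARP body for Ethernet/IPv4


@dataclass
class ArpInspector:
    # 'flood' (the page's default) forwards a mismatching ARP frame to all
    # interfaces in the bridge group; 'no-flood' drops it.
    mode: str = "flood"
    smac_validation_failed: int = 0  # mirrors the 'Smac-validation Failed' counter

    def inspect(self, frame: bytes) -> str:
        """Return 'forward', 'flood' or 'drop' for one Ethernet frame."""
        if len(frame) < ETH_HDR_LEN:
            raise ValueError("frame too short for an Ethernet header")
        eth_src = frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETHERTYPE_ARP:
            return "forward"  # only ARP frames are subject to this check
        arp = frame[ETH_HDR_LEN:]
        if len(arp) < ARP_IPV4_LEN:
            raise ValueError("truncated ARP payload")
        _htype, _ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp[:8])
        if hlen != 6 or plen != 4:
            raise ValueError("only Ethernet/IPv4 ARP is modelled")
        sender_mac = arp[8:14]
        if sender_mac == eth_src:
            return "forward"  # validation passed; ARP and MAC tables may learn
        # Mismatch: the counter increments in both modes, and the ACE does not
        # learn or update its ARP/MAC tables from this frame in either mode.
        self.smac_validation_failed += 1
        return "flood" if self.mode == "flood" else "drop"


def build_arp_request(eth_src: bytes, arp_sender_mac: bytes,
                      sender_ip: bytes, target_ip: bytes) -> bytes:
    """Construct a broadcast ARP request; eth_src and arp_sender_mac may differ."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, request
    arp += arp_sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp


# Constructed sample values (MAC_A is the page's example MAC 00.02.9a.3b.94.d9).
MAC_A = bytes.fromhex("00029a3b94d9")
MAC_B = bytes.fromhex("00029a3b94da")
IP_1 = bytes([10, 1, 1, 1])
IP_2 = bytes([10, 1, 1, 2])


def demo() -> dict:
    """Run a consistent and an inconsistent frame through both modes."""
    good = build_arp_request(MAC_A, MAC_A, IP_1, IP_2)
    bad = build_arp_request(MAC_A, MAC_B, IP_1, IP_2)  # header says A, payload says B
    flood = ArpInspector()             # default mode
    no_flood = ArpInspector("no-flood")
    return {
        "good_flood": flood.inspect(good),
        "bad_flood": flood.inspect(bad),
        "bad_no_flood": no_flood.inspect(bad),
        "failed_flood": flood.smac_validation_failed,
        "failed_no_flood": no_flood.smac_validation_failed,
    }


if __name__ == "__main__":
    print(demo())
```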
(config-if) bridge-group
To assign the VLAN to a bridge group, use the bridge-group command. Use the no form of this command to remove the bridge group from the VLAN.
bridge-group number
no bridge-group
Syntax Description
number | Bridge-group number. Enter an integer from 1 to 4094.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
In bridge mode, you can configure two interface VLANs into a group and bridge packets between them. All interfaces are in one broadcast domain and packets from one VLAN are switched to the other VLAN. The ACE bridge mode supports only two L2 VLANs per bridge group. In this mode, VLANs do not have configured IP addresses.
To enable the bridge-group VLANs, you must configure a bridge-group virtual interface (BVI) that represents a corresponding bridge group.
Examples
To assign bridge group 15 to the VLAN, enter:
host1/Admin(config-if)# bridge-group 15
To remove the bridge group from the VLAN, enter:
host1/Admin(config-if)# no bridge-group
Related Commands
show interface
(config-if) description
To provide a description for a bridge-group virtual interface (BVI) or VLAN interface, use the description command. Use the no form of this command to delete the description.
description text
no description
Syntax Description
text | Description for the interface. Enter an unquoted text string that contains a maximum of 240 characters including spaces.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To provide the description of POLICY MAP 3 FOR INBOUND AND OUTBOUND TRAFFIC, enter:
host1/admin(config-if)# description POLICY MAP3 FOR INBOUND AND OUTBOUND TRAFFIC
To remove the description for the interface, enter:
host1/admin(config-if)# no description
Related Commands
show interface
(config-if) fragment chain
To configure the maximum number of fragments that belong to the same packet that the ACE accepts for reassembly for a VLAN interface, use the fragment chain command. Use the no form of this command to reset the default value.
fragment chain number
no fragment chain
Syntax Description
number | Maximum number of fragments that belong to the same packet. Enter an integer from 1 to 256. The default is 24.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To configure a fragment chain limit of 126, enter:
host1/C1(config-if)# fragment chain 126
To reset the maximum number of fragments in a packet to the default of 24, enter:
host1/C1(config-if)# no fragment chain
Related Commands
show fragment
(config-if) fragment min-mtu
(config-if) fragment timeout
(config-if) fragment min-mtu
To configure the minimum fragment size that the ACE accepts for reassembly for a VLAN interface, use the fragment min-mtu command. Use the no form of this command to reset the default value.
fragment min-mtu number
no fragment min-mtu
Syntax Description
number | Minimum fragment size. Enter an integer from 68 to 9216 bytes. The default is 576 bytes.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To configure a minimum fragment size of 1024, enter:
host1/C1(config-if)# fragment min-mtu 1024
To reset the minimum fragment size to the default value of 576 bytes, enter:
host1/C1(config-if)# no fragment min-mtu
Related Commands
show fragment
(config-if) fragment chain
(config-if) fragment timeout
(config-if) fragment timeout
To configure a reassembly timeout for a VLAN interface, use the fragment timeout command. Use the no form of this command to reset the default value.
fragment timeout seconds
no fragment timeout
Syntax Description
seconds | Reassembly timeout in seconds. Enter an integer from 0 to 65535. A value of 0 instructs the ACE to never time out. The default is 5.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
The IP reassembly timeout specifies the period of time after which the ACE abandons the fragment reassembly process if it does not receive any outstanding fragments for the current fragment chain (fragments that belong to the same packet).
Examples
To configure an IP reassembly timeout of 750 seconds, enter:
host1/C1(config-if)# fragment timeout 750
To reset the fragment timeout to the default value of 5 seconds, enter:
host1/C1(config-if)# no fragment timeout
Related Commands
show fragment
(config-if) fragment chain
(config-if) fragment min-mtu
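The three fragment limits above (fragment chain, fragment min-mtu and fragment timeout), modelled together as an added example that is not ACE code: a small reassembler that enforces the chain, min-mtu and timeout values with the page's defaults and counts what each limit drops. It assumes, as labelled in the code, that min-mtu applies only to non-final fragments; addresses and sizes are constructed.

```python
"""Model of the three per-interface reassembly limits described above:
fragment chain (maximum fragments per packet), fragment min-mtu (minimum
fragment size) and fragment timeout (idle time before a chain is abandoned).

Added example, not ACE code. Assumption, labelled here: the min-mtu check is
applied only to fragments with More Fragments (MF) set, because the final
fragment of a packet is legitimately short. Addresses and sizes are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int           # IP identification field
    offset: int          # byte offset (the header stores offset / 8)
    payload_len: int
    more_fragments: bool


@dataclass
class FragmentLimits:
    chain: int = 24        # page default: 1..256 fragments
    min_mtu: int = 576     # page default: 68..9216 bytes
    timeout: float = 5.0   # page default: seconds; 0 means never time out


@dataclass
class _Chain:
    fragments: Dict[int, Fragment] = field(default_factory=dict)  # keyed by offset
    last_seen: float = 0.0


ChainKey = Tuple[str, str, int]


class Reassembler:
    def __init__(self, limits: FragmentLimits):
        self.limits = limits
        self.chains: Dict[ChainKey, _Chain] = {}
        self.drops = {"min_mtu": 0, "chain": 0, "timeout": 0}

    def expire(self, now: float) -> None:
        """Abandon chains with no new fragment for longer than the timeout."""
        if self.limits.timeout == 0:
            return
        stale = [k for k, c in self.chains.items() if now - c.last_seen > self.limits.timeout]
        for key in stale:
            del self.chains[key]
            self.drops["timeout"] += 1

    def receive(self, frag: Fragment, now: float) -> Optional[int]:
        """Feed one fragment; return the reassembled length when a packet completes."""
        self.expire(now)
        if frag.more_fragments and frag.payload_len < self.limits.min_mtu:
            self.drops["min_mtu"] += 1   # runt non-final fragment refused
            return None
        key: ChainKey = (frag.src, frag.dst, frag.ident)
        chain = self.chains.setdefault(key, _Chain())
        chain.fragments[frag.offset] = frag
        chain.last_seen = now
        if len(chain.fragments) > self.limits.chain:
            del self.chains[key]         # too many pieces: drop the whole chain
            self.drops["chain"] += 1
            return None
        return self._try_complete(key, chain)

    def _try_complete(self, key: ChainKey, chain: _Chain) -> Optional[int]:
        frags = sorted(chain.fragments.values(), key=lambda f: f.offset)
        if frags[-1].more_fragments:
            return None                  # final fragment not seen yet
        expected = 0
        for f in frags:
            if f.offset != expected:
                return None              # hole in the chain: keep waiting
            expected = f.offset + f.payload_len
        del self.chains[key]
        return expected


def demo() -> dict:
    """Exercise each limit with chain=4 so the overflow case stays short."""
    r = Reassembler(FragmentLimits(chain=4, min_mtu=576, timeout=5.0))
    src, dst = "10.1.1.1", "10.2.2.2"
    # 1. A packet split into three well-formed fragments reassembles to 3160 bytes.
    parts = [Fragment(src, dst, 1, 0, 1480, True),
             Fragment(src, dst, 1, 1480, 1480, True),
             Fragment(src, dst, 1, 2960, 200, False)]
    complete = [r.receive(p, now=0.0) for p in parts][-1]
    # 2. A 100-byte non-final fragment is below min-mtu and is refused.
    runt = r.receive(Fragment(src, dst, 2, 0, 100, True), now=0.0)
    # 3. Five non-final fragments of one packet exceed chain=4; the chain is dropped.
    for i in range(5):
        r.receive(Fragment(src, dst, 3, i * 1480, 1480, True), now=1.0)
    # 4. A chain started at t=1 with no follow-up is abandoned when t=10 arrives.
    r.receive(Fragment(src, dst, 4, 0, 1480, True), now=1.0)
    r.receive(Fragment(src, dst, 5, 0, 1480, True), now=10.0)
    return {"complete": complete, "runt": runt, "drops": dict(r.drops),
            "pending_chains": len(r.chains)}


if __name__ == "__main__":
    print(demo())
```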
(config-if) icmp-guard
To enable the ICMP security checks in the ACE, use the icmp-guard command. This feature is enabled by default. Use the no form of this command to disable the ICMP security checks.
icmp-guard
no icmp-guard
Syntax Description
This command has no keywords or arguments.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
By default, the ACE provides several ICMP security checks by matching ICMP reply packets with request packets and using mismatched packets to detect attacks. Also, the ACE forwards ICMP error packets only if a connection record pertaining to the flow for which the error packet was received exists.
Caution
If you disable the ACE ICMP security checks, you may expose your ACE and your data center to potential security risks. After you enter the no icmp-guard command, the ACE no longer performs Network Address Translation (NAT) translations on the ICMP header and payload in error packets, which potentially can reveal real host IP addresses to attackers.
If you want to operate your ACE as a load balancer only, use the no icmp-guard command to disable the ACE ICMP security checks. You must also disable TCP normalization by using the no normalization command. For details about operating your ACE for load balancing only, see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.
Examples
To enable the ACE ICMP security checks after you have disabled them, enter:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# icmp-guard
To disable ACE ICMP security checks, enter:
host1/Admin(config-if)# no icmp-guard
Related Commands
(config-if) normalization
(config-if) ip address
To assign an IP address to a bridge-group virtual interface (BVI) or VLAN interface, use the ip address command. Use the no form of this command to remove an IP address from an interface.
ip address ip_address mask [secondary]
no ip address ip_address mask [secondary]
Syntax Description
ip_address | IP address of the interface. Enter an IP address in dotted-decimal notation (for example, 192.168.12.1).
mask | Subnet mask of the interface. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0).
secondary | (Optional) Configures the address as a secondary IP address allowing multiple subnets under the same interface. You can configure a maximum of four secondary addresses per interface. The ACE has a system limit of 1,024 secondary addresses.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
A2(3.0) | The secondary option was added.
Usage Guidelines
When you assign an IP address to an interface, the ACE automatically makes the interface routed.
You must configure a primary IP address for the interface to allow a VLAN to become active. The primary address must be active before a secondary address can be active.
An interface can have only one primary IP address.
When you configure access to an interface, the ACE applies it to all IP addresses configured on the interface.
The ACE treats the secondary addresses the same as a primary address and handles IP broadcasts and ARP requests for the subnet that is assigned to the secondary address as well as the interface routes in the IP routing table.
The ACE accepts client, server, or remote access traffic on the primary and secondary addresses. When the destination for the control plane (CP)-originated packets is Layer 2 adjacent to either the primary subnet or one of the secondary subnets, the ACE uses the appropriate primary or secondary interface IP address for the destination subnet as the source IP address. For any destination that is not Layer 2 adjacent, the ACE uses the primary address as the source IP address. For packets destined to the secondary IP address, the ACE sends the response with the secondary IP address as the source address.
SSL probes use the primary IP address as the source address for all the destinations.
You cannot configure secondary IP addresses on FT VLANs. When you configure a query interface to assess the health of the active FT group member, it uses the primary IP address.
You must configure static ARP entries for bridged interfaces on the specific interface.
In a single context, you must configure each interface address on a unique subnet; the addresses cannot overlap. However, the IP subnet can overlap an interface in different contexts.
You must configure a unique IP address across multiple contexts on a shared VLAN. On a nonshared VLAN, the IP address can be the same.
No routing occurs across contexts even when shared VLANs are configured.
Examples
To set the IP address of 192.168.1.1 255.255.255.0 for VLAN interface 200, enter:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# ip address 192.168.1.1 255.255.255.0
To assign the secondary IP address and mask 192.168.1.2 255.255.255.0 to VLAN interface 200, enter:
host1/Admin(config-if)# ip address 192.168.1.2 255.255.255.0 secondary
To remove the IP address for the VLAN, enter:
host1/Admin(config-if)# no ip address 192.168.1.1 255.255.255.0
To remove a secondary IP address for the VLAN, enter:
host1/Admin(config-if)# no ip address 192.168.1.2 255.255.255.0 secondary
Related Commands
show arp
show interface
show ip
(config-if) ip df
To configure how the ACE handles an IP packet that has its Don't Fragment (DF) bit set on a VLAN interface, use the ip df command. Use the no form of this command to instruct the ACE to ignore the DF bit.
ip df {clear | allow}
no ip df
Syntax Description
clear | Clears the DF bit and permits the packet. If the packet is larger than the next-hop maximum transmission unit (MTU), the ACE fragments the packet.
allow | Permits the packet with the DF bit set. This is the default. If the packet is larger than the next-hop MTU, the ACE discards the packet and sends an ICMP unreachable message to the source host.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
Occasionally, an ACE may receive a packet that has its DF bit set in the IP header. This flag tells network routers and the ACE not to fragment the packet and to forward it in its entirety.
Examples
To clear the DF bit and permit the packet, enter:
host1/Admin(config-if)# ip df clear
To instruct the ACE to ignore the DF bit, enter:
host1/Admin(config-if)# no ip df
Related Commands
This command has no related commands.
(config-if) ip dhcp relay enable
To accept Dynamic Host Configuration Protocol (DHCP) requests on a VLAN interface, use the ip dhcp relay enable command. Use the no form of this command to disable DHCP on the interface.
ip dhcp relay enable
no ip dhcp relay enable
Syntax Description
This command has no keywords or arguments.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
The DHCP relay starts forwarding packets to the DHCP server address specified in the ip dhcp relay server command for the associated interface or context.
Examples
To enable the DHCP relay on the interface, enter:
host1/Admin(config-if)# ip dhcp relay enable
To disable the DHCP relay on the interface, enter:
host1/Admin(config-if)# no ip dhcp relay enable
Related Commands
(config-if) ip dhcp relay server
(config-if) ip dhcp relay server
To set the IP address of a Dynamic Host Configuration Protocol (DHCP) server to which the DHCP relay agent forwards client requests on a VLAN interface, use the ip dhcp relay server command. Use the no form of this command to remove the IP address of the DHCP server.
ip dhcp relay server ip_address
no ip dhcp relay server ip_address
Syntax Description
ip_address | IP address of the DHCP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To specify the IP address for the DHCP relay server, enter:
host1/Admin(config-if)# ip dhcp relay server 192.168.20.1
To remove the IP address of the DHCP server, enter:
host1/Admin(config-if)# no ip dhcp relay server 192.168.20.1
Related Commands
This command has no related commands.
(config-if) ip options
To configure how the ACE handles IP options and to perform specific actions when an IP option is set in a packet for a VLAN interface, use the ip options command. Use the no form of this command to instruct the ACE to ignore the IP option.
ip options {allow | clear | clear-invalid | drop}
no ip options
Syntax Description
allow | Allows the packet with the IP options set.
clear | Clears the specified option from the packet and allows the packet.
clear-invalid | Clears all IP options from the packet if the ACE encounters one or more invalid or unsupported IP options and allows the packet. This option is the default.
drop | Causes the ACE to discard the packet.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To allow packets with IP options set, enter:
host1/Admin(config-if)# ip options allow
To reset the ACE to its default of clearing all IP options if the module encounters one or more invalid or unsupported IP options, enter:
host1/Admin(config-if)# no ip options
Related Commands
This command has no related commands.
(config-if) ip route inject vlan
To advertise a VLAN for route health injection (RHI) that is different from the VIP interface VLAN, use the ip route inject vlan command. By default, the ACE advertises the VLAN of the VIP interface for RHI. Use the no form of this command to restore the ACE default behavior of advertising the VIP interface VLAN for RHI.
ip route inject vlan vlan_id
no ip route inject vlan vlan_id
Syntax Description
vlan_id | Interface shared between the supervisor and the intervening device. Enter the ID as an integer from 2 to 4090.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
Use this command when there is no directly shared VLAN between the ACE and the Catalyst 6500 series supervisor. This topology can occur when there is an intervening device, for example, a Cisco Firewall Services Module (FWSM), configured between the ACE and the supervisor.
Note
Be sure to configure this command on the VIP interface of the ACE.
Examples
To advertise route 200 for RHI, enter:
host1/Admin(config-if)# ip route inject vlan 200
To restore the ACE default behavior of advertising the VIP interface VLAN for RHI, enter:
host1/Admin(config-if)# no ip route inject vlan 200
Related Commands
This command has no related commands.
(config-if) ip ttl minimum
To set the packet time-to-live (TTL) hops in the IP header on a VLAN interface, use the ip ttl minimum command. By default, the ACE does not rewrite the TTL value of a packet. Use the no form of this command to reset the default behavior.
ip ttl minimum number
no ip ttl minimum
Syntax Description
number | Minimum number of hops that a packet can take to reach its destination. Enter an integer from 1 to 255.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
Each router along the packet's path decrements the TTL by one. If the packet's TTL equals 0 before the packet reaches its destination, the packet is discarded.
If the TTL value of the incoming packet is lower than the configured value, the ACE rewrites the TTL with the configured value. Otherwise, the ACE transmits the packet with its TTL unchanged or discards the packet if the TTL equals zero.
Examples
To set the TTL hops to 15, enter:
host1/Admin(config-if)# ip ttl minimum 15
To instruct the ACE to ignore the TTL value, enter:
host1/Admin(config-if)# no ip ttl minimum
Related Commands
This command has no related commands.
(config-if) ip verify reverse-path
To enable reverse-path forwarding (RPF) based on the source IP address for a VLAN interface, use the ip verify reverse-path command. By default, unicast RPF (URPF) is disabled on the interface. Use the no form of this command to reset the default behavior.
ip verify reverse-path
no ip verify reverse-path
Syntax Description
This command has no keywords or arguments.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
Unicast reverse-path forwarding (URPF) helps to mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by allowing the ACE to discard IP packets that lack a verifiable source IP address. This feature enables the ACE to filter both ingress and egress packets to verify addressing and route integrity. Normally, the route lookup is based on the destination address, not the source address; URPF performs an additional lookup on the source address.
When you enable URPF, the ACE discards packets if no route is found or if the route does not match the interface on which the packet arrived.
You cannot use this command when RPF based on the source MAC address for a VLAN interface is enabled through the (config-if) mac-sticky enable command.
Examples
To enable RPF, enter:
host/Admin(config-if)# ip verify reverse-path
To disable RPF, enter:
host/Admin(config-if)# no ip verify reverse-path
Related Commands
(config-if) mac-sticky enable
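The source-address route check above, together with the rule that ip verify reverse-path and mac-sticky enable cannot both be enabled on one interface, as an added example that is not ACE code: a Python model with a constructed routing table and two constructed VLAN interfaces.

```python
"""Model of 'ip verify reverse-path' (unicast RPF) as described above: a packet
is accepted only if a route to its source address exists and that route points
out the interface the packet arrived on. It also models the page's rule that
URPF and mac-sticky cannot both be enabled on one VLAN interface.

Added example, not ACE code. Routing table, interface names and addresses
below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # VLAN interface the route points out of


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.routes = routes

    def lookup(self, addr: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match on addr; None when no route covers it."""
        best: Optional[Route] = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


@dataclass
class VlanInterface:
    name: str
    urpf: bool = False
    mac_sticky: bool = False

    def enable_urpf(self) -> None:
        """ip verify reverse-path: refused while mac-sticky enable is set."""
        if self.mac_sticky:
            raise ValueError(f"{self.name}: disable mac-sticky before ip verify reverse-path")
        self.urpf = True

    def enable_mac_sticky(self) -> None:
        """mac-sticky enable: refused while ip verify reverse-path is set."""
        if self.urpf:
            raise ValueError(f"{self.name}: disable ip verify reverse-path before mac-sticky")
        self.mac_sticky = True


def urpf_check(table: RoutingTable, iface: VlanInterface, src: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet with source src arriving on iface."""
    if not iface.urpf:
        return "accept", "urpf disabled on interface"
    route = table.lookup(ipaddress.IPv4Address(src))
    if route is None:
        return "drop", "no route to source"
    if route.interface != iface.name:
        return "drop", f"source reachable via {route.interface}, arrived on {iface.name}"
    return "accept", "source route matches ingress interface"


def demo() -> dict:
    """Client side on vlan100 (default route), servers on vlan200 (192.168.1.0/24)."""
    table = RoutingTable([
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "vlan100"),
        Route(ipaddress.IPv4Network("192.168.1.0/24"), "vlan200"),
    ])
    client_side = VlanInterface("vlan100")
    server_side = VlanInterface("vlan200")
    client_side.enable_urpf()
    server_side.enable_urpf()
    # A table without a default route exercises the "no route" branch.
    strict = RoutingTable([Route(ipaddress.IPv4Network("192.168.1.0/24"), "vlan200")])
    try:
        client_side.enable_mac_sticky()
        exclusivity = "allowed"
    except ValueError:
        exclusivity = "refused"
    return {
        "client_ok": urpf_check(table, client_side, "203.0.113.5")[0],
        "spoofed_server_addr": urpf_check(table, client_side, "192.168.1.10")[0],
        "server_ok": urpf_check(table, server_side, "192.168.1.10")[0],
        "no_route": urpf_check(strict, client_side, "198.51.100.7")[0],
        "mac_sticky_with_urpf": exclusivity,
    }


if __name__ == "__main__":
    print(demo())
```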
(config-if) mac address autogenerate
To enable the autogeneration of a MAC address on a VLAN interface, use the mac address autogenerate command. Use the no form of this command to disable MAC address autogeneration.
mac address autogenerate
no mac address autogenerate
Syntax Description
This command has no keywords or arguments.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
By default, the ACE does not allow traffic from one context to another context over a transparent firewall. The ACE assumes that VLANs in different contexts are in different Layer 2 domains unless the VLAN is shared, and therefore allocates the same MAC address to them.
When using a firewall service module (FWSM) to bridge traffic between two contexts on the ACE, two Layer-3 VLANs must be assigned to the same bridge domain. To support this configuration, these VLAN interfaces require different MAC addresses.
When you issue the mac address autogenerate command, the ACE assigns a MAC address from the bank of MAC address for shared VLANs. If you issue the no mac address autogenerate command, the interface retains this address. To revert to a MAC address for an unshared VLAN, you must delete the interface and then readd it.
Examples
To enable MAC address autogeneration on the VLAN, enter:
host1/Admin(config-if)# mac address autogenerate
To disable MAC address autogeneration on the VLAN, enter:
host1/Admin(config-if)# no mac address autogenerate
Related Commands
This command has no related commands.
(config-if) mac-sticky enable
To enable the mac-sticky feature for a VLAN interface, use the mac-sticky enable command. The mac-sticky feature ensures that the ACE sends return traffic to the same upstream device through which the connection setup from the original client was received. By default, the mac-sticky feature is disabled on the ACE. Use the no form of this command to disable the mac-sticky feature, resetting the default behavior of the ACE performing a route lookup to select the next hop to reach the client.
mac-sticky enable
no mac-sticky enable
Syntax Description
This command has no keywords or arguments.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
When you use this command to enable the mac-sticky feature, the ACE uses the source MAC address from the first packet of a new connection to determine the device to which it sends the return traffic. This guarantees that the ACE sends the return traffic for load-balanced connections to the same device that originated the connection. By default, the ACE performs a route lookup to select the next hop to reach the client.
This feature is useful when the ACE receives traffic from Layer-2/Layer-3 adjacent stateful devices, like firewalls and transparent caches, guaranteeing that it sends return traffic to the correct stateful device that sourced the connection without any requirement for source NAT. For more information on firewall load balancing, see the Cisco Application Control Engine Module Security Configuration Guide.
You cannot use this command when RPF based on the source IP address for a VLAN interface is enabled through the (config-if) ip verify reverse-path command.
Examples
To enable the mac-sticky feature, enter:
host/Admin(config-if)# mac-sticky enable
To disable the mac-sticky feature, enter:
host/Admin(config-if)# no mac-sticky enable
Related Commands
(config-if) ip verify reverse-path
(config-if) mtu
To specify the maximum transmission unit (MTU) for a VLAN interface, use the mtu command. This command allows you to set the data size that is sent on a connection. Use the no form of this command to reset the MTU block size to the default of 1500 for Ethernet interfaces.
mtu bytes
no mtu
Syntax Description
bytes | Number of bytes in the MTU; valid values are from 64 to 9216 bytes. The default is 1500.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
The default MTU is a 1500-byte block for Ethernet interfaces. This value is sufficient for most applications, but you can pick a lower number if network conditions require it. The ACE fragments packets that are larger than the MTU value before sending them to the next hop.
Examples
To specify the MTU data size of 1000 for an interface, enter:
host1/admin(config-if)# mtu 1000
To reset the MTU block size to the default value of 1500 for Ethernet interfaces, enter:
host1/admin(config-if)# no mtu
Related Commands
show interface
(config-if) nat-pool
To create a pool of IP addresses for dynamic Network Address Translation (NAT) for a VLAN interface, use the nat-pool command. Use the no form of this command to remove a NAT pool from the configuration.
nat-pool nat_id ip_address1 [ip_address2] netmask mask [pat]
no nat-pool nat_id ip_address1 [ip_address2] netmask mask [pat]
Syntax Description
nat_id | Identifier of the NAT pool of global IP addresses. Enter an integer from 1 to 2147483647.
ip_address1 | Single IP address, or if also using the ip_address2 argument, the first IP address in a range of global addresses used for NAT. Enter an IP address in dotted-decimal notation (for example, 172.27.16.10).
ip_address2 | (Optional) Highest IP address in a range of global IP addresses used for NAT. Enter an IP address in dotted-decimal notation (for example, 172.27.16.109).
netmask mask | Specifies the subnet mask for the IP address pool. Enter a mask in dotted-decimal notation (for example, 255.255.255.0). If you do not specify a network mask for the global IP addresses in the pool, the ACE, by default, uses the network mask of the interface to which the pool is attached.
pat | (Optional) Specifies that the ACE perform Port Address Translation (PAT) in addition to NAT.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
Dynamic NAT uses a pool of global IP addresses that you specify. You can define either a single global IP address for a group of servers with PAT to differentiate between them or a range of global IP addresses when using dynamic NAT only. To use a single IP address or a range of addresses, you assign an identifier to the address pool. You then associate the NAT pool with a global interface that is different from the interface that you use to filter and receive NAT traffic.
If a packet egresses an interface that you have not configured for NAT, the ACE transmits the packet untranslated.
If the ACE runs out of IP addresses in a NAT pool, it can switch over to a PAT rule, if configured. For example, you can configure the following:
nat-pool 1 10.1.100.10 10.1.100.99 netmask 255.255.255.255
nat-pool 1 10.1.100.100 10.1.100.100 netmask 255.255.255.255 pat
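The fallback just described, modelled in Python as an added example (not ACE code): a 90-address dynamic NAT range and a single-address PAT rule share one nat_id, and once the range is used up new hosts are translated to the PAT address with a fresh source port. Inside host addresses, the starting PAT port and the one-address-per-host binding are constructed assumptions.

```python
import ipaddress
from itertools import count

class NatPool:
    """Constructed model of two nat-pool entries sharing one nat_id:
    a range of global addresses for dynamic NAT and an optional
    single global address with pat as the fallback."""

    def __init__(self, first, last, pat_address=None):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        self.free = [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
        self.bindings = {}  # inside address -> global address (one per host here)
        self.pat_address = ipaddress.ip_address(pat_address) if pat_address else None
        self.pat_ports = count(1024)  # next translated source port (constructed)

    def translate(self, inside_ip, inside_port):
        """Return (global_ip, global_port, mode) for a new connection."""
        if inside_ip in self.bindings:          # host already holds a global address
            return self.bindings[inside_ip], inside_port, "nat"
        if self.free:                            # dynamic NAT: one-to-one, port kept
            global_ip = self.free.pop(0)
            self.bindings[inside_ip] = global_ip
            return global_ip, inside_port, "nat"
        if self.pat_address is not None:         # range exhausted: switch to PAT rule
            return self.pat_address, next(self.pat_ports), "pat"
        raise RuntimeError("NAT pool exhausted and no PAT rule configured")

def simulate(pool, n_hosts, port=40000):
    """One new connection from each of n_hosts constructed inside hosts.
    Returns [(global_ip, global_port, mode), ...] in host order."""
    return [pool.translate(f"192.168.0.{i}", port) for i in range(1, n_hosts + 1)]

def pool_exhausted(first, last, n_hosts):
    """True when n_hosts new hosts overrun a range that has no PAT fallback."""
    try:
        simulate(NatPool(first, last), n_hosts)
        return False
    except RuntimeError:
        return True

if __name__ == "__main__":
    pool = NatPool("10.1.100.10", "10.1.100.99", pat_address="10.1.100.100")
    for host, (gip, gport, mode) in enumerate(simulate(pool, 92), start=1):
        print(f"192.168.0.{host} -> {gip}:{gport} ({mode})")
```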
Examples
To configure a NAT pool that consists of a range of 100 global IP addresses with PAT, enter:
host1/C1(config-if)# nat-pool 1 172.27.16.10 172.27.16.109 netmask 255.255.255.0 pat
Related Commands
show nat-fabric
(config-pmap-lb-c) nat dynamic
(config-if) normalization
To enable TCP normalization, use the normalization command. This feature is enabled by default. Use the no form of this command to disable TCP normalization.
normalization
no normalization
Syntax Description
This command has no keywords or arguments.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
By default, TCP normalization is enabled.
Caution 
If you disable TCP normalization, you may expose your ACE and your data center to potential security risks. TCP normalization helps protect the ACE and the data center from attackers by enforcing strict security policies that are designed to examine traffic for malformed or malicious segments.
To operate your ACE for load balancing only, disable TCP normalization by entering the no normalization command. You must also disable the ACE Internet Control Message Protocol (ICMP) security checks by using the no icmp-guard command. For details about operating your ACE as a load balancer only, see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.
Disabling TCP normalization affects only Layer 4 traffic. TCP normalization is always enabled for Layer 7 traffic.
Use the no normalization command when you encounter the following two types of asymmetric flows, which would otherwise be blocked by the normalization checks that the ACE performs:
• ACE sees only the client-to-server traffic. For example, for a TCP connection, the ACE sees the SYN from the client, but not the SYN-ACK from the server. In this case, apply the no normalization command to the client-side VLAN.
• ACE sees only the server-to-client traffic. For example, for a TCP connection, the ACE receives a SYN-ACK from the server without having received the SYN from the client. In this case, apply the no normalization command to the server-side VLAN.
With TCP normalization disabled, the ACE still sets up flows for the asymmetric traffic described above and makes entries in the connection table.
Examples
To enable TCP normalization after you have disabled it, enter:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# normalization
To disable TCP normalization, enter:
host1/Admin(config-if)# no normalization
Related Commands
(config-if) icmp-guard
(config-if) peer ip address
To configure the IP address of a standby module for the bridge-group virtual interface (BVI) or VLAN interface, use the peer command. Use the no form of this command to delete the IP address of the peer module.
peer ip address ip_address mask [secondary]
no peer ip address ip_address mask [secondary]
Syntax Description
ip_address | IP address of the peer module. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
mask | Subnet mask of the peer module. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0).
secondary | (Optional) Configures the address as a secondary peer IP address. You can configure a maximum of four secondary peer addresses. The ACE has a system limit of 1,024 secondary peer addresses.
Command Modes
Interface configuration mode for BVI and VLAN interfaces
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
A2(3.0) | The secondary option was added.
Usage Guidelines
When you configure redundancy, configuration mode on the standby module is disabled by default and changes on an active module are automatically synchronized on the standby module. However, interface IP addresses on the active and standby modules must be unique. To ensure that the addresses on the interfaces are unique, the interface IP address on the active module is synchronized on the standby module as the peer IP address. To configure an interface IP address on the standby module, use the peer ip address command. The peer IP address on the active module is synchronized on the standby module as the interface IP address.
You must configure a unique IP address across multiple contexts on a shared VLAN. On a nonshared VLAN, the IP address can be the same.
When the destination for the control plane (CP)-originated packets is Layer 2 adjacent to either the primary subnet or one of the secondary subnets, the ACE always uses the appropriate primary or secondary interface IP address that belongs to the destination subnet as the source IP address. For any destination that is not Layer 2 adjacent, the ACE uses the primary address as the source IP address.
SSL probes always use the primary IP address as the source address for all destinations.
You cannot configure secondary IP addresses on FT VLANs.
Examples
To configure an IP address and mask for the peer module, enter:
host1/Admin(config-if)# peer ip address 11.0.0.81 255.0.0.0
To configure a secondary IP address and mask for the peer ACE module, enter:
host1/Admin(config-if)# peer ip address 12.0.0.81 255.0.0.0 secondary
To delete the IP address for the peer ACE module, enter:
host1/Admin(config-if)# no peer ip address 11.0.0.81 255.0.0.0
To delete the secondary IP address for the peer ACE module, enter:
host1/Admin(config-if)# no peer ip address 12.0.0.81 255.0.0.0 secondary
Related Commands
show interface
(config-if) service-policy input
To apply a previously created policy map and attach the traffic policy to the input direction of a VLAN interface, use the service-policy input command. Use the no form of this command to remove a service policy.
service-policy input policy_name
no service-policy input policy_name
Syntax Description
policy_name | Name of a previously defined policy map, configured with a previously created policy-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
When you enter the service-policy command in configuration mode, the policy maps that are applied globally in a context are applied on all interfaces that exist in the context.
A policy activated on an interface overwrites any specified global policies for overlapping classifications and actions.
The ACE allows only one policy of a specific feature type to be activated on a given interface.
Examples
To apply the L4SLBPOLICY policy map to an interface, enter:
host1/C1(config-if)# service-policy input L4SLBPOLICY
To remove the L4SLBPOLICY policy map from the interface, enter:
host1/C1(config-if)# no service-policy input L4SLBPOLICY
Related Commands
show service-policy
(config) service-policy
(config-if) shutdown
To disable a bridge-group virtual interface (BVI) or VLAN interface, use the shutdown command. Use the no form of this command to enable the interface.
shutdown
no shutdown
Syntax Description
This command has no keywords or arguments.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
When you create an interface, the interface is in the shutdown state until you enable it. If you disable or reenable the interface within a context, only that context interface is affected.
When you enable the interface, all of its configured primary and secondary addresses are enabled. You must configure a primary IP address to enable an interface. The ACE does not enable an interface with only secondary addresses. When you disable an interface, all of its configured primary and secondary addresses are disabled.
Examples
To disable an interface, enter:
host1/Admin(config-if)# shutdown
To enable an interface for use, enter:
host1/Admin(config-if)# no shutdown
Related Commands
show interface
show running-config
(config-if) syn-cookie
To configure SYN-cookie-based DoS protection, use the syn-cookie command. Use the no form of this command to remove SYN-cookie DoS protection from the interface.
syn-cookie number
no syn-cookie
Syntax Description
number | Embryonic connection threshold above which the ACE applies SYN-cookie DoS protection. Enter an integer from 2 to 65535.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
Keep in mind the following guidelines when you use the SYN cookie feature:
• If the server drops the SYN that is sent by the ACE, the ACE resets the connection using the embryonic timeout. It does not retry the SYN packet.
• A SYN cookie supports only the MSS TCP option. The ACE ignores all other TCP options, even if there are problems with those other options.
• The ACE returns an MSS of 536 to the client, which is the RFC-specified default.
• If you use a parameter map to specify the minimum and maximum MSS values, the ACE ignores those values.
• Disabling normalization and using a SYN cookie concurrently may result in unpredictable behavior.
• The ACE does not generate any syslogs for a SYN cookie, even if the number of embryonic connections exceeds the configured threshold, which may indicate a SYN-flood attack.
• If you are configuring the SYN cookie feature on a bridged VLAN with non-loadbalanced flows, you must configure static routes for non-loadbalanced destinations that do not reside in the same subnet as the bridge-group virtual interface (BVI).
For example, assuming the following configuration:
– BVI IP address is 192.168.1.1
– Gateway1 IP address 192.168.1.2 to reach external network 172.16.1.0
– Gateway2 IP address 192.168.1.3 to reach external network 172.31.1.0
Configure the following static routes:
– ip route 172.16.1.0 255.255.255.0 192.168.1.2
– ip route 172.31.1.0 255.255.255.0 192.168.1.3
Examples
To configure SYN-cookie DoS protection for servers in a data center connected to VLAN 100, enter:
host1/C1(config)# interface vlan 100
host1/C1(config-if)# syn-cookie 4096
To remove SYN-cookie DoS protection from the interface, enter:
host1/C1(config-if)# no syn-cookie
Related Commands
show interface
show running-config
(config-if) udp
To enable the UDP booster feature for applications that require very high UDP connection rates, use the udp command in interface configuration mode. The syntax of this command is as follows:
udp {ip-source-hash | ip-destination-hash}
no udp
Syntax Description
ip-source-hash | Instructs the ACE to hash the source IP address of UDP packets that hit a source-hash VLAN interface prior to performing a connection match. Configure this keyword on a client-side interface.
ip-destination-hash | Instructs the ACE to hash the destination IP address of UDP packets that hit a destination-hash VLAN interface prior to performing a connection match. Configure this keyword on a server-side interface.
Command Modes
Interface configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
For the UDP booster feature to work, you must configure both command keywords on their respective interfaces.
Do not configure this feature with NAT or with any Layer 7 feature, for example, per-packet UDP load balancing (also called UDP fast-age) using the loadbalance vip udp-fast-age command. Otherwise, unexpected results may occur.
For detailed information concerning this feature and its configuration, see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.
Examples
To configure the UDP booster feature on the client VLAN 100, enter:
host1/C1(config)# interface vlan 100
host1/C1(config-if)# udp ip-source-hash
To configure the UDP booster feature on the server VLAN 200, enter:
host1/C1(config)# interface vlan 200
host1/C1(config-if)# udp ip-destination-hash
To remove the UDP booster feature from an interface, enter:
host1/C1(config-if)# no udp
Related Commands
show interface
show running-config