-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
match ehlo-reply-parameter through match question Commands
match flow ip destination-address
match header (policy-map type inspect esmtp)
match header (policy-map type inspect ipv6)
match ehlo-reply-parameter through match question Commands
match ehlo-reply-parameter
To configure a match condition on the ESMTP ehlo reply parameter, use the match ehlo-reply-parameter command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] ehlo-reply-parameter parameter
no match [not] ehlo-reply-parameter parameter
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for an ehlo reply parameter in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)#match ehlo-reply-parameter authRelated Commands
match filename
To configure a match condition for a filename for FTP transfer, use the match filename command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] filename regex [regex_name | class regex_class_name]
no match [not] filename regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.
Examples
The following example shows how to configure a match condition for an FTP transfer filename in an FTP inspection class map:
hostname(config)# class-map type inspect ftp match-all ftp_class1hostname(config-cmap)# description Restrict FTP users ftp1, ftp2, and ftp3 from accessing /roothostname(config-cmap)# match username regex class ftp_regex_userhostname(config-cmap)# match filename regex ftp-fileRelated Commands
match filetype
To configure a match condition for a filetype for FTP transfer, use the match filetype command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.
match [not] filetype regex [regex_name | class regex_class_name]
no match [not] filetype regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.
Examples
The following example shows how to configure a match condition for an FTP transfer filetype in an FTP inspection policy map:
hostname(config-pmap)# match filetype class regex ftp-regex-filetypeRelated Commands
match flow ip destination-address
To specify the flow IP destination address in a class map, use the match flow ip destination-address command in class-map configuration mode. To remove this specification, use the no form of this command.
match flow ip destination-address
no match flow ip destination-address
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
To enable flow-based policy actions on a tunnel group, use the match flow ip destination-address and match tunnel-group commands with the class-map, policy-map, and service-policy commands. The criteria to define flow is the destination IP address. All traffic going to a unique IP destination address is considered a flow. Policy action is applied to each flow instead of the entire class of traffic. QoS action police is applied using the match flow ip destination-address command. Use match tunnel-group to police every tunnel within a tunnel group to a specified rate.
Examples
The following example shows how to enable flow-based policing within a tunnel group and limit each tunnel to a specified rate:
hostname(config)# class-map cmaphostname(config-cmap)# match tunnel-grouphostname(config-cmap)# match flow ip destination-addresshostname(config-cmap)# exithostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# police 56000hostname(config-pmap)# exithostname(config)# service-policy pmap globalhostname(config)#Related Commands
match header (policy-map type inspect esmtp)
To configure a match condition on the ESMTP header, use the match header command in policy-map type inspect esmtp configuration mode. To disable this feature, use the no form of this command.
match [not] header [[length | line length] gt bytes | to-fields count gt to_fields_number]
no match [not] header [[length | line length] gt bytes | to-fields count gt to_fields_number]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy-map type inspect esmtp configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for a header in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)#match header length gt 512Related Commands
match header (policy-map type inspect ipv6)
To configure a match condition on the IPv6 header, use the match header command in policy-map type inspect ipv6 configuration mode. To disable this feature, use the no form of this command.
match [not] header {ah | count gt number | destination-option | esp | fragment | hop-by-hop | routing-address count gt number | routing-type {eq | range} number}
no match [not] header {ah | count gt number | destination-option | esp | fragment | hop-by-hop | routing-address count gt number | routing-type {eq | range} number}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy-map type inspect ipv6 configuration
•
•
•
•
—
Command History
Usage Guidelines
Specifies the headers you want to match. By default, the packet is logged (log); if you want to drop (and optionally also log) the packet, enter the drop and optional log commands in match configuration mode.
Re-enter the match command and optional drop action for each extension you want to match:
Examples
The following example creates an inspection policy map that will drop and log all IPv6 packets with the hop-by-hop, destination-option, routing-address, and routing type 0 headers:
policy-map type inspect ipv6 ipv6-pmparametersmatch header hop-by-hopdrop logmatch header destination-optiondrop logmatch header routing-address count gt 0drop logmatch header routing-type eq 0drop logRelated Commands
match header-flag
To configure a match condition for a DNS header flag, use the match header-flag command in class-map or policy-map configuration mode. To remove a configured header flag, use the no form of this command.
match [not] header-flag [eq] {f_well_known | f_value}
no match [not] header-flag [eq] {f_well_known | f_value}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a DNS class map or policy map. Only one entry can be entered in a DNS class map.
Examples
The following example shows how to configure a match condition for a DNS header flag in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# match header-flag AARelated Commands
match im-subscriber
To configure a match condition for a SIP IM subscriber, use the match im-subscriber command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.
match [not] im-subscriber regex [regex_name | class regex_class_name]
no match [not] im-subscriber regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a SIP class map or policy map. Only one entry can be entered in a SIP class map.
Examples
The following example shows how to configure a match condition for a SIP IM subscriber in a SIP inspection class map:
hostname(config-cmap)# match im-subscriber regex class im_senderRelated Commands
match interface
To distribute any routes that have their next hop out one of the interfaces specified, use the match interface command in route-map configuration mode. To remove the match interface entry, use the no form of this command.
match interface interface-name
no match interface interface-name
Syntax Description
interface-name
Name of the interface (not the physical interface). Multiple interface names can be specified.
Defaults
No match interfaces are defined.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
•
—
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the interface-type interface-number arguments.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can give the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions that are given with the set commands. The no forms of the match commands remove the specified match criteria. If there is more than one interface specified in the match command. then the no match interface interface-name can be used to remove a single interface.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. If you want to modify only some data, you must configure a second route map section and specify an explicit match.
Examples
The following example shows that the routes with their next hop outside is distributed:
hostname(config)# route-map namehostname(config-route-map)# match interface outsideRelated Commands
match invalid-recipients
To configure a match condition on the ESMTP invalid recipient address, use the match invalid-recipients command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] invalid-recipients count gt number
no match [not] invalid-recipients count gt number
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for invalid recipients count in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)#match invalid-recipients count gt 1000Related Commands
match ip address
To redistribute any routes that have a route address or match packet that is passed by one of the access lists specified, use the match ip address command in route-map configuration mode. To restore the default settings, use the no form of this command.
match ip address {acl...} prefix-list
no match ip address {acl...} prefix-list
Syntax Description
acl
Specifies the name of an access list. Multiple access lists can be specified.
prefix-list
Specifies the name of a match prefix list.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
•
—
Command History
Usage Guidelines
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
Examples
The following example shows how to redistribute internal routes:
hostname(config)# route-map namehostname(config-route-map)# match ip address acl_dmz1 acl_dmz2Related Commands
match ipv6 address
To redistribute any routes that have an IPv6 route address or match packet that is passed by one of the access lists specified, use the match ipv6 address command in route-map configuration mode. To restore the default settings, use the no form of this command.
match ipv6 address {acl...} prefix-list
no match ipv6 address {acl...} prefix-list
Syntax Description
acl
Specifies the name of an access list. Multiple access lists can be specified.
prefix-list
Specifies the name of a match prefix list.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
•
—
Command History
Usage Guidelines
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
Examples
The following example shows how to redistribute internal routes: access-list acl_dmz1 extended permit ipv6 any <net> <mask>
hostname(config)# access-list acl_dmz1 extended permit ipv6 any <net> <mask>hostname(config)# route-map namehostname(config-route-map)# match ipv6 address acl_dmz1 acl_dmz2Related Commands
match ip next-hop
To redistribute any routes that have a next-hop router address that is passed by one of the access lists specified, use the match ip next-hop command in route-map configuration mode. To remove the next-hop entry, use the no form of this command.
match ip next-hop {acl...} | prefix-list prefix_list
no match ip next-hop {acl...} | prefix-list prefix_list
Syntax Description
Defaults
Routes are distributed freely, without being required to match a next-hop address.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
•
—
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the acl argument.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
When you are passing routes through a route map, a route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.
Examples
The following example shows how to distribute routes that have a next-hop router address passed by access list acl_dmz1 or acl_dmz2:
hostname(config)# route-map namehostname(config-route-map)# match ip next-hop acl_dmz1 acl_dmz2Related Commands
match ip route-source
To redistribute routes that have been advertised by routers and access servers at the address that is specified by the ACLs, use the match ip route-source command in the route-map configuration mode. To remove the next-hop entry, use the no form of this command.
match ip route-source {acl...} | prefix-list prefix_list
no match ip route-source {acl...}
Syntax Description
Defaults
No filtering on a route source.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
•
—
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the access-list-name argument.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match. The next-hop and source-router address of the route are not the same in some situations.
Examples
The following example shows how to distribute routes that have been advertised by routers and access servers at the addresses specified by ACLs acl_dmz1 and acl_dmz2:
hostname(config)# route-map namehostname(config-route-map)# match ip route-source acl_dmz1 acl_dmz2Related Commands
match login-name
To configure a match condition for a client login name for instant messaging, use the match login-name command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] login-name regex [regex_name | class regex_class_name]
no match [not] login-name regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.
Examples
The following example shows how to configure a match condition for a client login name in an instant messaging class map:
hostname(config)# class-map type inspect im im_classhostname(config-cmap)# match login-name regex loginRelated Commands
match media-type
To configure a match condition on the H.323 media type, use the match media-type command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] media-type [audio | data | video]
no match [not] media-type [audio | data | video]
Syntax Description
audio
Specifies to match audio media type.
data
Specifies to match data media type.
video
Specifies to match video media type.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for audio media type in an H.323 inspection class map:
hostname(config-cmap)# match media-type audioRelated Commands
match message id
To configure a match condition for a GTP message ID, use the match message id command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] message id [message_id | range lower_range upper_range]
no match [not] message id [message_id | range lower_range upper_range]
Syntax Description
message_id
Specifies an alphanumeric identifier between 1 and 255.
range lower_range upper_range
Specifies a lower and upper range of IDs.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.
Examples
The following example shows how to configure a match condition for a message ID in a GTP inspection class map:
hostname(config-cmap)# match message id 33Related Commands
match message length
To configure a match condition for a GTP message ID, use the match message length command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] message length min min_length max max_length
no match [not] message length min min_length max max_length
Syntax Description
min min_length
Specifies a minimum message ID length. Value is between 1 and 65536.
max max_length
Specifies a maximum message ID length. Value is between 1 and 65536.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.
Examples
The following example shows how to configure a match condition for a message length in a GTP inspection class map:
hostname(config-cmap)# match message length min 8 max 200Related Commands
match message-path
To configure a match condition for the path taken by a SIP message as specified in the Via header field, use the match message-path command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.
match [not] message-path regex [regex_name | class regex_class_name]
no match [not] message-path regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a SIP class map or policy map. Only one entry can be entered in a SIP class map.
Examples
The following example shows how to configure a match condition for the path taken by a SIP message in a SIP inspection class map:
hostname(config-cmap)# match message-path regex class sip_messageRelated Commands
match metric
To redistribute routes with the metric specified, use the match metric command in route-map configuration mode. To remove the entry, use the no form of this command.
match metric number
no match metric number
Syntax Description
Defaults
No filtering on a metric value.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
•
—
Command History
Usage Guidelines
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. The match commands can be given in any order, and all match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.
Examples
The following example shows how to redistribute routes with the metric 5:
hostname(config)# route-map namehostname(config-route-map)# match metric 5Related Commands
match mime
To configure a match condition on the ESMTP mime encoding type, mime filename length, or mime file type, use the match mime command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] mime [encoding type | filename length gt bytes | filetype regex]
no match [not] mime [encoding type | filename length gt bytes | filetype regex]
Syntax Description
encoding type
Specifies to match on the encoding type.
filename length gt bytes
Specifies to match on the filename length.
filetype regex
Specifies to match on the file type.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for a mime filename length in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)#match mime filename length gt 255Related Commands
match peer-ip-address
To configure a match condition for the peer IP address for instant messaging, use the match peer-ip-address command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] peer-ip-address ip_address ip_address_mask
no match [not] peer-ip-address ip_address ip_address_mask
Syntax Description
ip_address
Specifies a hostname or IP address of the client or server.
ip_address_mask
Specifies the netmask for the client or server IP address.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.
Examples
The following example shows how to configure a match condition for the peer IP address in an instant messaging class map:
hostname(config)# class-map type inspect im im_classhostname(config-cmap)# match peer-ip-address 10.1.1.0 255.255.255.0Related Commands
match peer-login-name
To configure a match condition for the peer login name for instant messaging, use the match peer-login-name command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] peer-login-name regex [regex_name | class regex_class_name]
no match [not] peer-login-name regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.
Examples
The following example shows how to configure a match condition for the peer login name in an instant messaging class map:
hostname(config)# class-map type inspect im im_classhostname(config-cmap)# match peer-login-name regex peerloginRelated Commands
match port
When using the Modular Policy Framework, match the TCP or UDP ports to which you want to apply actions by using the match port command in class-map configuration mode. To remove the match port command, use the no form of this command.
match port {tcp | udp} {eq port | range beg_port end_port}
no match port {tcp | udp} {eq port | range beg_port end_port}
Syntax Description
eq port
Specifies a single port name or number.
range beg_port end_port
Specifies beginning and ending port range values between 1 and 65535.
tcp
Specifies a TCP port.
udp
Specifies a UDP port.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
Configuring Modular Policy Framework consists of four tasks:
1.
After you enter the class-map command, you can enter the matchport command to identify the traffic. Alternatively, you can enter a different type of match command, such as the match access-list command (the class-map type management command only allows the match port command). You can only include one match port command in the class map, and you cannot combine it with other types of match commands.
2.
3.
4.
Examples
The following example shows how to define a traffic class using a class map and the match port command:
hostname(config)# class-map cmaphostname(config-cmap)# match port tcp eq 8080Related Commands
match precedence
To specify a precedence value in a class map, use the match precedence command in class-map configuration mode. To remove this specification, use the no form of this command.
match precedence value
no match precedence value
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Use the match precedence command to specify the value represented by the TOS byte in the IP header.
Examples
The following example shows how to define a traffic class using a class map and the match precedence command:
hostname(config)# class-map cmaphostname(config-cmap)# match precedence 1hostname(config-cmap)#Related Commands
match protocol
To configure a match condition for a specific instant messaging protocol, such as MSN or Yahoo, use the match protocol command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] protocol {msn-im | yahoo-im}
no match [not] protocol {msn-im | yahoo-im}
Syntax Description
msn-im
Specifies to match the MSN instant messaging protocol.
yahoo-im
Specifies to match the Yahoo instant messaging protocol.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.
Examples
The following example shows how to configure a match condition for the Yahoo instant messaging protocol in an instant messaging class map:
hostname(config)# class-map type inspect im im_classhostname(config-cmap)# match protocol yahoo-imRelated Commands
match question
To configure a match condition for a DNS question or resource record, use the match question command in class-map or policy-map configuration mode. To remove a configured section, use the no form of this command.
match {question | {resource-record answer | authority | additional}}
no match {question | {resource-record answer | authority | additional}}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
By default, this command inspects the DNS header and matches the specified field. It can be used in conjunction with other DNS match commands to define inspection of a particular question or RR type..
This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.
Examples
The following example shows how to configure a match condition for a DNS question in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# match questionRelated Commands