Cisco Explorer 4700 Installation guide

Preface
This documentation describes how to use the Device Manager to configure the Cisco ACE 4700 Series
Application Control Engine Appliance.
This section provides the following topics about the documentation:
•
Audience, page i
•
Organization, page i
•
Related Documentation, page iii
•
Conventions, page v
•
Obtaining Documentation, Obtaining Support, and Security Guidelines, page v
•
Open-Source Software Included in Cisco ACE Application Control Engine, page vi
•
Open Source License Acknowledgements, page vi
Audience
This documentation is intended for experienced system and network administrators. Depending on the
configuration required, readers should have specific knowledge in the following areas:
•
Networking and data communications
•
Network security
•
Router configuration
Organization
This documentation contains the following sections:
•
Chapter 1, “Overview” contains an summary of ACE features and the ACE Appliance Device
Manager interface, terms, and getting started configuration information.
•
Chapter 2, “Using Homepage” describes how to use the DM Homepage, a launching point for quick
access to selected areas within the DM.
•
Chapter 3, “Using DM Guided Setup” describes how to use the guided setup pages to simplify
configuration of the DM.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
i
Preface
•
Chapter 4, “Configuring Virtual Contexts” describes how to configure virtual contexts on the ACE
appliance so that you can effectively and efficiently manage and allocate resources, users, and
services.
•
Chapter 5, “Configuring Virtual Servers” contains procedures for configuring virtual servers for
load balancing on the ACE.
•
Chapter 6, “Configuring Real Servers and Server Farms” provides an overview of server load
balancing and procedures for configuring real servers and server farms for load balancing on the
ACE.
•
Chapter 7, “Configuring Stickiness” provides information about sticky behavior and procedures for
configuring stickiness with the ANM.
•
Chapter 8, “Configuring Parameter Maps” describes how to configure parameter maps so that the
ACE can perform actions on incoming traffic based on certain criteria, such as protocol or
connection attributes.
•
Chapter 9, “Configuring SSL” describes the SSL configuration process and details the procedures
for configuring SSL on the ACE appliance.
•
Chapter 10, “Configuring Network Access” includes information about configuring virtual context
VLAN interfaces, port channel interfaces, and Gigabit Ethernet interfaces.
•
Chapter 11, “Configuring High Availability” contains an overview of the redundancy feature and
explains how to configure high available.
•
Chapter 12, “Configuring Traffic Policies” describes how to configure class maps and policy maps
to provide a global level of classification for filtering traffic received by or passing through the ACE
appliance.
•
Chapter 13, “Configuring Application Acceleration and Optimization” describes how to configure
application acceleration and optimization options on the ACE appliance.
•
Chapter 14, “Monitoring Your Network” allows you to monitor key areas of system usage.
•
Chapter 15, “Managing the ACE Appliance” describes the administrative tools that manage the
ACE appliance.
•
Chapter 16, “Using ACE Appliance Device Manager Troubleshooting Tools” describes the
administrator-only diagnostic tools to help troubleshoot ACE appliance management problems.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
ii
OL-26645-01
Preface
Related Documentation
In addition to this documentation, the ACE appliance documentation set includes the following:
Document Title
Description
Administration Guide, Cisco ACE
Application Control Engine
Describes how to perform the following administration tasks on
the ACE:
Application Acceleration and
Optimization Guide, Cisco ACE
4700 Series Application Control
Engine Appliance
•
Setting up the ACE
•
Establishing remote access
•
Managing software licenses
•
Configuring class maps and policy maps
•
Managing the ACE software
•
Configuring SNMP
•
Configuring redundancy
•
Configuring the XML interface
•
Upgrading the ACE software
Describes how to configure the web optimization features of the
ACE appliance. This guide also provides an overview and
description of those features.
Cisco Application Control Engine
Provides examples of common configurations for load
(ACE) Configuration Examples Wiki balancing, security, SSL, routing and bridging, virtualization,
and so on.
Cisco Application Control Engine
(ACE) Troubleshooting Wiki
Describes the procedures and methodology in wiki format to
troubleshoot the most common problems that you may
encounter during the operation of your ACE.
Command Reference, Cisco ACE
Application Control Engine
Provides an alphabetical list and descriptions of all CLI
commands by mode, including syntax, options, and related
commands.
CSS-to-ACE Conversion Tool
Guide, Cisco ACE Application
Control Engine
Describes how to use the CSS-to-ACE conversion tool to
migrate Cisco Content Services Switches (CSS)
running-configuration or startup-configuration files to the ACE.
Hardware Installation Guide, Cisco Provides information for installing the ACE appliance.
ACE 4710 Application Control
Engine Appliance
Quick Start Guide, Cisco ACE 4700 Describes how to use the ACE appliance Device Manager GUI
and CLI to perform the initial setup and VIP load-balancing
Series Application Control Engine
Appliance
configuration tasks.
Regulatory Compliance and Safety
Information, Cisco ACE 4710
Application Control Engine
Appliance
Regulatory compliance and safety information for the ACE
appliance.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
iii
Preface
Document Title
Description
Release Note, Cisco ACE 4700
Series Application Control Engine
Appliance
Provides information about operating considerations, caveats,
and command-line interface (CLI) commands for the ACE
appliance.
Routing and Bridging Guide, Cisco
ACE Application Control Engine
Describes how to perform the following routing and bridging
tasks on the ACE:
Security Guide, Cisco ACE
Application Control Engine
Server Load-Balancing Guide,
Cisco ACE Application Control
Engine
SSL Guide, Cisco ACE Application
Control Engine
System Message Guide, Cisco ACE
Application Control Engine
•
(ACE appliance only) Configuring Ethernet ports
•
Configuring VLAN interfaces
•
Configuring routing
•
Configuring bridging
•
Configuring Dynamic Host Configuration Protocol (DHCP)
Describes how to perform the following ACE security
configuration tasks:
•
Security access control lists (ACLs)
•
User authentication and accounting using a Terminal Access
Controller Access Control System Plus (TACACS+),
Remote Authentication Dial-In User Service (RADIUS), or
Lightweight Directory Access Protocol (LDAP) server
•
Application protocol and HTTP deep packet inspection
•
TCP/IP normalization and termination parameters
•
Network Address Translation (NAT)
Describes how to configure the following server load-balancing
features on the ACE:
•
Real servers and server farms
•
Class maps and policy maps to load balance traffic to real
servers in server farms
•
Server health monitoring (probes)
•
Stickiness
•
Dynamic workload scaling (DWS)
•
Firewall load balancing
•
TCL scripts
Describes how to configure the following Secure Sockets Layer
(SSL) features on the ACE:
•
SSL certificates and keys
•
SSL initiation
•
SSL termination
•
End-to-end SSL
Describes how to configure system message logging on the ACE.
This guide also lists and describes the system log (syslog)
messages generated by the ACE.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
iv
OL-26645-01
Preface
Document Title
Description
User Guide, Cisco Application
Networking Manager
Describes how to use Cisco Application Networking Manager
(ANM), a networking management application for monitoring
and configuring network devices, including the ACE.
Virtualization Guide, Cisco ACE
Application Control Engine
Describes how to operate your ACE in a single context or in
multiple contexts.
Conventions
This documentation uses the following conventions:
Note
Caution
Item
Convention
Commands and keywords
boldface font
Variables for which you supply values
italic font
Displayed session and system information
screen
Information you enter
boldface screen font
Variables you enter
italic screen
Menu items and button names
boldface font
Selecting a menu item in paragraphs
Option > Network Preferences
Selecting a menu item in tables
Option > Network Preferences
font
font
Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.
Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Obtaining Documentation, Obtaining Support, and Security
Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback,
security guidelines, and also recommended aliases and general Cisco documents, see the monthly
What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical
documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
v
Preface
Open-Source Software Included in Cisco ACE Application
Control Engine
•
Cisco ACE Application Control Engine includes the following open-source software, which is
covered by the Apache 2.0 license (http://www.apache.org/): Ant, Apache Axis, Avalon Logkit,
Commons, Ehcache, Globus Toolkit, Jetty, Log4J, Oro, Tomcat.
•
Cisco ACE Application Control Engine includes the following open-source software, which is
covered by The Legion of the Bouncy Castle (http://www.bouncycastle.org/licence.html) license:
BouncyCastle.
•
Cisco ACE Application Control Engine includes the following open-source software, which is
covered by the GNU Lesser General Public License Version 2.1
(http://www.gnu.org/licenses/lgpl.html): c3p0-0.9.0.2.jar, Enterprise DT, Jasperreports 1.2,
Jcommon 1.2, Jfreechart 1.0.1
•
Cisco ACE Application Control Engine includes the following open-source software, which is
covered by the Mozilla Public License Version 1.1 (http://www.mozilla.org/MPL/MPL-1.1.html):
Itext 1.4.
Open Source License Acknowledgements
The following acknowledgements pertain to this software license.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the
original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses
are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.
OpenSSL License:
© 1998-1999 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1.
Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions,
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
vi
OL-26645-01
Preface
3.
All advertising materials mentioning features or use of this software must display the following
acknowledgment: “This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit. (http://www.openssl.org/)”
4.
The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote
products derived from this software without prior written permission. For written permission, please
contact openssl-core@openssl.org.
5.
Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in
their names without prior written permission of the OpenSSL Project.
6.
Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/)”
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS”' AND ANY EXPRESSED
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product
includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:
© 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are
adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is
covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts of
the library used. This can be in the form of a textual message at program startup or in documentation
(online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1.
Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3.
All advertising materials mentioning features or use of this software must display the following
acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
vii
Preface
The word ‘cryptographic’ can be left out if the routines from the library being used are not
cryptography-related.
4.
If you include any Windows specific code (or a derivative thereof) from the apps directory
(application code) you must include an acknowledgement: “This product includes software written
by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be
changed. i.e. this code cannot simply be copied and put under another distribution license [including the
GNU Public License].
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
viii
OL-26645-01
C H A P T E R
1
Overview
This chapter contains the following sections:
•
ACE Appliance Device Manager Overview, page 1-1
•
Information About the ACE No Payload Encryption Software Version, page 1-2
•
Finding Information on CLI Tasks, page 1-3
•
Logging into ACE Appliance Device Manager, page 1-4
•
Changing Your Account Password, page 1-6
•
ACE Appliance Device Manager Interface Overview, page 1-6
•
Configuration Overview, page 1-18
•
Understanding ACE Features, page 1-19
•
IPv6 Considerations, page 1-20
•
Understanding ACE Appliance Device Manager Terminology, page 1-22
For more information on how to get started quickly, see the Quick Start Guide, Cisco ACE 4700 Series
Application Control Engine Appliance.
ACE Appliance Device Manager Overview
The ACE Appliance Device Manager, which resides in flash memory on the ACE appliance, provides a
browser-based interface for configuring and managing the ACE appliance. Its intuitive interface
combines easy navigation with point-and-click provisioning of services, reducing the complexity of
configuring virtual services and multiple feature sets.
ACE Appliance Device Manager menus and options:
•
Supports end-to-end service provisioning of the ACE appliance and any associated virtual contexts,
including network access, port management, application acceleration and optimization,
load-balancing, SSL management, resource management, and fault tolerance.
Note
Device Manager uses SSH and XML over HTTPS to communicate with the ACE appliance
and applying exec mode configuration changes (such as, checkpoint, SSL certificate,
license, copy, and backup and restore configurations) to the appliance. By default, SSH is
enabled on the appliance. However, ensure that the ssh key rsa 1024 force command is
applied on the appliance.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
1-1
Chapter 1
Overview
Information About the ACE No Payload Encryption Software Version
•
Helps you manage ACE appliance licenses and role-based access control (RBAC).
•
Provides a monitoring interface with a flexible choice of statistics and graphs.
•
Enables you report any problem with the ACE appliance using the Lifeline feature, which allows
you to forward critical information about the problem to Cisco Technical Support.
•
Offers task-based context-sensitive help from each screen, providing information about fields on the
screen and related procedures.
For more information on how to get started quickly, see the Getting Started Guide, Cisco ACE 4700
Series Application Control Engine Appliance.
Information About the ACE No Payload Encryption
Software Version
Beginning with ACE software Version A5(2.0), Cisco makes available the following two ACE software
versions:
•
ACE Payload Encryption (PE)—CLI commands related to payload encryption protocols are
enabled. The ACE uses the payload encryption protocols to encrypt through-the-box traffic, such as
IPsec, SSL VPN, and other secure voice protocols. The ACE PE software version contains the same
payload encryption functionality found in previous ACE software versions.
•
ACE No Payload Encryption (NPE)—CLI commands related to payload encryption protocols are
either removed or do not function because the key encryption configuration commands have been
removed. The new ACE NPE software version supports customers located in countries where the
United States has imposed export restrictions on crypto functions. Without the use of payload
encryption protocol commands, you cannot configure the ACE to perform data encryption tasks,
such as configuring it as a virtual Secure Sockets Layer (SSL) server for SSL initiation or
termination.
Modifications made to the ACE NPE software version do not affect management protocols, such as SSH,
which is required to access the Device Manager GUI. For more information, see the “Using the Setup
Script to Enable Connectivity to the Device Manager” section in the Cisco 4700 Series Application
Control Engine Appliance Administration Guide.
When using the ACE NPE software version, Device Manager includes the following modifications:
•
The SSL configuration tab (Config > Virtual Contexts > SSL) is removed to prevent access to the
main SSL configuration windows.
•
In GUI sections that typically contain encryption-related configuration attributes, the attributes are
either removed or you are not permitted to configure them. If you attempt to configure an
encryption-related attribute, Device Manager does not allow you to deploy the configuration.
•
In GUI sections that display monitored attributes that include encryption-related attributes (such as
SSL connection rate), the encryption-related attributes may be listed but do not show any values
associated with them.
This guide and the Device Manager online help contain notes where information about
encryption-related attributes is affected when using the ACE NPE software version.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
1-2
OL-26645-02
Chapter 1
Overview
Finding Information on CLI Tasks
Finding Information on CLI Tasks
ACE Appliance Device Manager does not include a one-to-one mapping of all the possible command
line interface (CLI) tasks for the ACE appliance. Table 1-1 identifies some of the individual tasks to be
performed from the CLI and provides a reference to the applicable configuration guide. For tasks not
found in this table, see the Getting Started Guide, Cisco ACE 4700 Series Application Control Engine
Appliance.
Table 1-1
CLI Documentation References
Task Topic
Related CLI Documentation
ARP, configuring
Routing and Bridging Guide, Cisco ACE Application Control
Engine
Chapter 5, Configuring ARP
Authentication and accounting
(AAA) services
Security Guide, Cisco ACE Application Control Engine
Chapter 2, Configuring Authentication and Accounting Services
Boot configuration (environment Administration Guide, Cisco ACE Application Control Engine
variable)
Chapter 1, Setting Up the ACE
Date and time (time zone,
daylight savings time, clock
settings, and NTP)
Administration Guide, Cisco ACE Application Control Engine
LDAP directory server
Security Guide, Cisco ACE Application Control Engine
Chapter 1, Setting Up the ACE
Chapter 2, Configuring Authentication and Accounting Services
Message-of-the-day banner
Administration Guide, Cisco ACE Application Control Engine
Chapter 1, Setting Up the ACE
Logging in to the ACE
Administration Guide, Cisco ACE Application Control Engine
Chapter 1, Setting Up the ACE
RADIUS server
Security Guide, Cisco ACE Application Control Engine
Chapter 2, Configuring Authentication and Accounting Services
script file
1
Command Reference, Cisco ACE Application Control Engine
SSH management sessions
Administration Guide, Cisco ACE Application Control Engine
Chapter 2, Enabling Remote Access to the ACE
TACACS+ server
Security Guide, Cisco ACE Application Control Engine
Chapter 2, Configuring Authentication and Accounting Services
VLAN interfaces, configuring
Routing and Bridging Guide, Cisco ACE Application Control
Engine
Chapter 2, Configuring VLAN Interfaces
1. ACE Appliance Device Manager supports the domain object type Script for RBAC configuration. It does not configure the
script CLI command. To use the script file command, use the ACE Appliance CLI to load a script into memory on the ACE and
enable it for use.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
1-3
Chapter 1
Overview
Logging into ACE Appliance Device Manager
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
Logging into ACE Appliance Device Manager
You access ACE Appliance Device Manager features and functions through a Web-based interface. The
following sections describe logging in, the interface, and terms used in ACE Appliance Device Manager.
By default, your ACE provides an Admin context and five user contexts, which allow you to use multiple
contexts if you choose to configure them. ACE Appliance Device Manager uses Hypertext Transfer
Protocol Secure (HTTPS) to securely encrypt HTTP requests and responses.
The ACE Appliance Device Manager login screen allows you to do the following:
•
Log into the ACE Appliance Device Manager interface (First Time Login, page 1-4 or Logging In
as a User, page 1-5)
•
Change the password for your account (See Changing Your Account Password, page 1-6.)
•
Obtain online help by clicking Help
We recommend that before you log into the ACE Appliance Device Manager that you log in to the ACE
appliance CLI and initially configure basic settings on the ACE. See the Administration Guide, Cisco
ACE Application Control Engine, Chapter 1, Setting Up the ACE, for details.
Note
The DM does not support duplicate management IP addresses in different contexts.
First Time Login
After you perform the initial setup of the ACE appliance using the CLI, use the following procedure to
log in the first time.
Procedure
Step 1
Use a Web browser and navigate to the ACE Appliance Device Manager login screen by typing the IP
address of the management interface configured during initial setup, such as https://192.168.11.1. A
security alert screen appears.
Note
The DM does not support duplicate management IP addresses in different contexts.
Step 2
We recommend that you view the certificate to confirm it is from Cisco Systems, and then click OK or
Yes to accept the certificate and proceed to the login screen. The keys you select may be different based
on your browser.
Step 3
In the User Name field, type admin.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
1-4
OL-26645-02
Chapter 1
Overview
Logging into ACE Appliance Device Manager
The admin account was created when the system was installed. Once you are logged in using this
account, you can create additional user accounts and manage virtual contexts, roles, and domains. For
information on changing account passwords, see Changing User Passwords, page 15-13.
Step 4
In the Password field, type the password for the admin user account, admin. The password for the admin
user account was configured when the system was installed. Change the default admin login password
as outlined in Changing Your Account Password, page 1-6.
Note
Step 5
All ACE appliances shipped from Cisco Systems are configured with the same administrative
username and password. If you do not change the default Admin password, you will only be able
to log in to the ACE through the console port.
Click Login.
When you log in, the default page that appears is the DM Homepage (see Chapter 2, “Using
Homepage”).
Step 6
We recommend you change your admin password. See Changing Your Account Password, page 1-6.
Logging In as a User
Procedure
Step 1
Use a web browser and navigate to the ACE Appliance Device Manager login screen by typing the IP
address of the management interface of a virtual context you wish to login into, such as
https://192.168.11.1. The login screen appears.
Note
The DM does not support duplicate management IP addresses in different contexts.
Step 2
To login as a user, enter userid in the User Name field (where userid is the login name provided by your
admin).
Step 3
Enter your password and click Login.
Related Topics
•
Changing Your Account Password, page 1-6
•
ACE Appliance Device Manager Interface Overview, page 1-6
•
Managing Users, page 15-7
•
Managing User Roles, page 15-14
•
Managing Domains, page 15-31
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
1-5
Chapter 1
Overview
Changing Your Account Password
Changing Your Account Password
All ACE appliances are shipped from Cisco Systems with the same administrative username and
password. If you do not change the default Admin password, you will only be able to log in to the ACE
through the console port.
Use this procedure to change your account password.
Procedure
Step 1
Using a Web browser, navigate to the ACE Appliance Device Manager login screen by typing the IP
address of the management interface configured during initial setup, such as https://192.168.11.1. The
login screen appears.
Note
The DM does not support duplicate management IP addresses in different contexts.
Step 2
In the User Name field, enter your account user name.
Step 3
Click Change Password. The Change Password configuration screen appears.
Step 4
In the User Name field, enter the user name of the account you want to modify.
For a user name in a context other than the Admin context, you must include the context name after the
user name in the following format: username@context_name
For example, for the test_1 user name in the C1 context, enter test_1@C1.
Step 5
In the Old Password field, enter the current password for this account.
Step 6
In the New Password field, enter the new password for this account.
Password attributes such as minimum and maximum length or accepted characters are defined at the
appliance level. Valid passwords are unquoted text strings with a maximum of 64 characters.
Step 7
In the Confirm New Password field, reenter the new password for this account.
Step 8
Do the following:
•
Click OK to save your entries and to return to the login screen.
•
Click Cancel to exit this procedure without saving your entries and to return to the login screen.
Related Topics
•
Logging into ACE Appliance Device Manager, page 1-4
•
ACE Appliance Device Manager Interface Overview, page 1-6
•
Changing the Admin Password, page 15-13
ACE Appliance Device Manager Interface Overview
When you log into the ACE Appliance Device Manager, the default window that appears is the
Homepage from which you can access the operational and monitoring features of DM. For details about
using Homepage, see Chapter 2, “Using Homepage”).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
1-6
OL-26645-02
Chapter 1
Overview
ACE Appliance Device Manager Interface Overview
Figure 1-1 is the All Virtual Contexts table (Config > Virtual Contexts) as an example of the DM
interface components. Table 1-2 describes the numbered fields. A description of the buttons in the ACE
Appliance Device Manager window are in Table 1-4 on page 1-9.
Features that are not accessible from your user login or context due to permission settings will not
display or may display grayed out. For more details on roles and features, see Managing User Roles,
page 15-14.
Figure 1-1
ACE Appliance Device Manager Interface Components
Table 1-2
ACE Appliance Device Manager Interface Components Descriptions
Field
Description
1
Navigation pane, which contains:
•
The high-level navigation path within the ACE Appliance Device Manager interface,
which includes Config, Monitor, and Admin functions. You can click a tab in the
navigation path to view the next level of menus below the tabs.
•
The Logout button.
•
A Help menu that provides links to context-sensitive help and ACE Appliance Device
Manager version information.
2
A second-level navigation path, which contains another level of navigation. Clicking an
option in this submenu displays its associated menus in the navigation pane.
3
Third-level navigation pane, which contains additional levels of navigation. Clicking on the
menu bar in this pane toggles the task menu display options.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
1-7
Chapter 1
Overview
ACE Appliance Device Manager Interface Overview
Table 1-2
ACE Appliance Device Manager Interface Components Descriptions (continued)
Field
Description
4
Content area, which contains the display and input area of the window. It can include tables,
graphical maps, configuration screens, graphs, buttons, or combinations of these items. For a
description of buttons, see Table 1-4 on page 1-9.
5
Status bar, which displays Device Manager and CLI synchronization information, polling
status for a context, and the current date and time of the ACE appliance.
Note
Time values are displayed using a fixed time zone (GMT). The Device Manager
automatically converts the timezone setting of the ACE appliance to GMT and
displays the GMT string adjacent to the current time.
Related Topics
•
Understanding ACE Appliance Device Manager Screens and Menus, page 1-8
•
Understanding Table Buttons, page 1-11
Understanding ACE Appliance Device Manager Screens and Menus
Figure 1-2 contains many common screen elements as described in Table 1-3.
Figure 1-2
Example ACE Appliance Device Manager Screen
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
1-8
OL-26645-02
Chapter 1
Overview
ACE Appliance Device Manager Interface Overview
Table 1-3
Example ACE Appliance Device Manager Screen Descriptions
Numbe
r
Description
1
The high-level navigation path within the ACE Appliance Device Manager interface, which
includes Config, Monitor, and Admin functions. You can click a tab in the navigation path
to view the next level of menus below the tabs.
2
Content area. Contains the display and input area of the window. It can include tables,
graphical maps, configuration screens, graphs, buttons, or combinations of these items.
3
Content buttons, which are described in Table 1-4.
4
Object selector. Use this field to change virtual contexts.
5
Input fields. Use these fields to make selections and provide information. Fields with 2 or
3 options use radio buttons. Fields with more than 3 options use dropdown lists.
6
Synchronization and configuration section of the status bar. One indicator displays DM GUI
and CLI synchronization and summary count information and the other indicator displays
CLI synchronization information and polling status for a context. See Viewing Virtual
Context Synchronization Status, page 4-80 for CLI Config Status message descriptions or
Error Monitoring, page 14-15 for polling state message descriptions.
Related Topics
•
Understanding ACE Appliance Device Manager Buttons, page 1-9
•
Understanding Table Buttons, page 1-11
•
ACE Appliance Device Manager Screen Conventions, page 1-15
Understanding ACE Appliance Device Manager Buttons
Table 1-4 describes the buttons that appear in some of the Config, Monitor, and Admin screens.
Note
ACE Appliance Device Manager documentation, including online help, uses the names of buttons in all
procedures. For example, “Click Back to return to the previous screen.”
Table 1-4
Button
Button and Element Descriptions
Name
Description
Back
Returns you to the previous screen.
Forward
Takes you to the screen previously visited from the current location.
Refresh
Immediately refreshes the information in the content area with the current
information.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
1-9
Chapter 1
Overview
ACE Appliance Device Manager Interface Overview
Table 1-4
Button
Button and Element Descriptions (continued)
Name
Description
Auto
Refresh
Pauses the automatic refresh feature. You can pause the automatic refresh
for 30, 60, 120, 300, 600, or 3600 seconds. If you disable the automatic
refresh feature, ACE Appliance Device Manager times out after 30
minutes.
Help
Launches context-sensitive help for the current screen.
Add
Another
Saves the current entries and refreshes the screen so you can add another
entry.
Advanced
Editing
Mode
Lets you view or enter advanced arguments for the selected display.
Switch
between
Configure
and
Browse
modes
Displays the subtables for those items that have additional sets of
parameters that can be configured, such as Config > Virtual Contexts >
context > Load Balancing > Server Farms.
Note
This button is not available on single-row tables such as Config >
Virtual Contexts > System > SNMP. To switch between these
modes, navigate to another screen where the button appears (for
example, Config > Virtual Contexts > context > Load
Balancing > Server Farms), click the button to enter the desired
mode, and then return to the screen on which the button was
missing. You will remain in the mode you selected.
Key
Indicates that the associated field is a key field for this table. This field is
mandatory and should be unique. If there are two fields with this key, then
the combination must be unique.
Plus
Displays a table with information related to the field where Plus appears.
For example, when Plus appears next to the field label Role, clicking Plus
displays a list of all Role Names in a separate window. Indicates that the
associated field is a key field for this table. This field is mandatory and
should be unique. If there are two fields with this key, then the
combination must be unique.
In File Browser only: expands or collapses the folder structure and reloads
the specific directory.
Screen
Mode
Toggles from partial to full screen mode. Maximizes the content area and
removes the navigation aids.
Reorder
List
Toggles list by alpha-order.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
1-10
OL-26645-02
Chapter 1
Overview
ACE Appliance Device Manager Interface Overview
Related Topics
•
Understanding ACE Appliance Device Manager Screens and Menus, page 1-8
•
Understanding Table Buttons, page 1-11
•
ACE Appliance Device Manager Screen Conventions, page 1-15
Understanding Table Buttons
When the content area of the ACE Appliance Device Manager screen contains a table, there are several
buttons that appear as described in Table 1-5.
Table 1-5
Button
ACE Appliance Device Manager Table Buttons
Name
Description
Add
Lets you an entry to the displayed table.
View/Edit
Opens the configuration screen of a selected entry in the table.
Delete
Deletes the selected entry in the table.
Filter
Filters the displayed list of items according to the criteria you
specify. (See Filtering Entries, page 1-13.)
Go
Appears when filtering is enabled; updates the table with the
filtering criteria.
Save
Displays the current information in a new window in either raw data
or Excel format so you can save it to a file or print it.
Related Topics
•
Understanding ACE Appliance Device Manager Buttons, page 1-9
•
ACE Appliance Device Manager Screen Conventions, page 1-15
•
ACE Appliance Device Manager Interface Overview, page 1-6
•
Conventions in Tables, page 1-12
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
1-11
Chapter 1
Overview
ACE Appliance Device Manager Interface Overview
Conventions in Tables
Selecting Table Entries
Double-clicking an entry in a table opens its corresponding configuration screen.
You can select multiple entries in a table in two ways:
•
To select all table entries, check the check box at the top of the first column (where available).
•
To select multiple entries individually, select the desired entries.
Parent Rows
If you select multiple entries in a table and then choose an option that can apply to only one entry at a
time, the Parent Row field appears first in the configuration screen (see Figure 1-3).
The Parent Row field lists the selected entries and requires you to select one. Subsequent configuration
choices in this screen are applied only to the entry identified in the Parent Row field.
Parent Row columns appear in subtables when multiple items are selected in the primary table.
Figure 1-3
Parent Rows in Configuration Screens
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
1-12
OL-26645-02
Chapter 1
Overview
ACE Appliance Device Manager Interface Overview
Filtering Entries
Click Filter to view table entries using criteria you select. When filtering is enabled, a filter row appears
above the first table entry that allows you to filter entries in the following ways:
•
In a drop-down list, select one of the ACE Appliance Device Manager-identified categories (see
Figure 1-4). The table refreshes automatically with the entries that match the selected criterion.
•
In fields without drop-down lists, enter the string you want to match, and then click Go above the
first table entry. The table refreshes with the entries that match your input.
Figure 1-4
Example Table with Filtering Enabled
Related Topics
•
ACE Appliance Device Manager Interface Overview, page 1-6
•
Using the Advanced Editing Option, page 1-14
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
1-13
Chapter 1
Overview
ACE Appliance Device Manager Interface Overview
Using the Advanced Editing Option
By default, tables include columns that contain configured attributes, or a subset of columns related to
a key field.
To view all configurable attributes in table format, click Advanced Editing Mode (the highlighted
button in Figure 1-5). When advanced editing mode is enabled, all columns appear for your review (see
Figure 1-5).
Figure 1-5
Advanced Editing Enabled Screen
Related Topics
•
ACE Appliance Device Manager Interface Overview, page 1-6
•
Conventions in Tables, page 1-12
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
1-14
OL-26645-02
Chapter 1
Overview
ACE Appliance Device Manager Interface Overview
ACE Appliance Device Manager Screen Conventions
Table 1-6 describes other conventions used in ACE Appliance Device Manager screens.
Table 1-6
Convention
ACE Appliance Device Manager Screen Conventions
Example
Description
Dimmed field
Dimmed fields signify items that cannot be modified or
that are not accessible from the current screen.
Some buttons are dimmed if more than one item is selected
in the list. For example, if multiple servers are selected in
the Real Servers table, the View/Edit button is dimmed.
Dropdown lists
Fields with 2 or 3 options use radio buttons. Fields with
more than 3 options use dropdown lists.
Light yellow
field with
green font
Warning text that appears below the affected field as green
font against a light yellow background. In the example, a
message stating that the community string must be entered
if virtual context monitoring is used resulted in this display.
Red asterisk
A red asterisk indicates a required field.
Yellow field
with red font
Incorrect, invalid, or incomplete entries appear as red font
against a yellow background. In the example, an IP address
cannot begin with four digits, resulting in this display.
Warning text may also display below the affected field in
green text on a yellow background.
Related Topics
•
Conventions in Tables, page 1-12
•
ACE Appliance Device Manager Interface Overview, page 1-6
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
1-15
Chapter 1
Overview
ACE Appliance Device Manager Interface Overview
Viewing Monitoring Results
Figure 1-6 shows an example graph from the Monitor component.
Figure 1-6
Monitoring Results Screen
Monitor graphs offer many options including graph type, viewing raw data, graph layout, and values to
be included. Table 1-7 identifies these options and their associated buttons. When viewing a graph, click
the button to select the option. ACE Appliance Device Manager displays graph data in GMT.
Note
The maximum number of statistics that can be graphed is five.
Note
On the ACE, statistics are kept for 7 days or 20,000 hourly records, whichever comes first. The duration
it takes to reach 20,000 hourly records is determined by the number of contexts, interfaces and real
servers configured. The “All dates” graph provides all available data in the database, up to the above
mentioned numbers. An ACE reboot will reset the statistics database.
Table 1-7
Button
ACE Appliance Device Manager Monitor Buttons (unsure if all of these are still available)
Name
Description
Line graph
Creates a line graph using the displayed information.
Stacked bar
graph
Creates a stacked bar chart using the displayed information.
Graph Options
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
1-16
OL-26645-02
Chapter 1
Overview
ACE Appliance Device Manager Interface Overview
Table 1-7
Button
ACE Appliance Device Manager Monitor Buttons (unsure if all of these are still available)
Name
Description
Bar graph
Creates a bar graph using the displayed information.
Show raw data
Displays the raw data in table format.
Viewing Options
Output to Excel Displays the raw data in Excel format in a separate browser window.
Layout, Value, and Time Options
Change Legend Displays the location of the legend.
Location
Multigraph
Mode
Displays two line graphs next to each other.
Value delta per Displays data points over time. See Monitoring Resource Usage,
time
page 14-17 for a comparison of regular and value delta per time
graphs. Time values are displayed using a fixed time zone (GMT).
Time range
Displays the selected time range of the data to graph. Includes
previous 1, 2, 8, or 24 hours or all dates.
Related Topics
•
ACE Appliance Device Manager Interface Overview, page 1-6
•
Understanding ACE Appliance Device Manager Terminology, page 1-22
•
Monitoring Resource Usage, page 14-17
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
1-17
Chapter 1
Overview
Configuration Overview
Configuration Overview
Use the flow chart in Figure 1-7 to get started with the ACE Appliance Device Manager. Table 1-8
describes these tasks in more detail.
Figure 1-7
High-Level Configuration Process
Install ACE Appliance
Licenses
Configure Virtual
Contexts
Configure Load-Balancing
Services
Update Resource
Classes
Perform Administrative
Tasks
Table 1-8
181773
Add User
Accounts
Configuration Task Overview
Task
Description
Step 1
Install ACE appliance
licenses.
In this step you install licenses for ACE appliances that let you
increase the number of virtual contexts, appliance bandwidth, and
SSL TPS (transactions per second). See Managing ACE Appliance
Licenses, page 4-29 for details.
Step 2
Configure virtual contexts. In this step you partition the ACE appliance into multiple virtual
devices or contexts. Each context contains its own set of policies,
interfaces, resources, and administrators, allowing you to
efficiently manage resources, users, and the services you provide to
your customers. See Using Virtual Contexts, page 4-2 for details.
Step 3
Configure load-balancing
services.
In this step you configure load balancing to manage client requests
for service. See Load Balancing Overview, page 5-1 for details.
Step 4
Update resource classes.
In this step you configure resource usage models that you can apply
across your network. See Managing Resource Classes, page 4-35
for details.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
1-18
OL-26645-02
Chapter 1
Overview
Understanding ACE Features
Table 1-8
Configuration Task Overview (continued)
Task
Description
Step 5
Add user accounts.
In this step you set up tiered access for users. See Managing the
ACE Appliance, page 15-1 for details.
Step 6
Perform administrative
tasks.
This step includes ongoing maintenance and administrative tasks,
such as follows:
•
Updating ACE appliance software (see Managing ACE
Appliance Licenses, page 4-29).
•
Monitoring virtual context or ACE Appliance Device Manager
statistics (see “Monitoring Your Network” section on
page 14-1).
Understanding ACE Features
The ACE performs high-performance server load balancing (SLB) among groups of servers, server farms,
firewalls, and other network devices, based on Layer 3 as well as Layer 4 through Layer 7 packet
information. The ACE provides the following major features and functionality.
•
Ethernet Interfaces—The ACE provides four physical Ethernet ports that provide an interface for
connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports
autonegotiate, full-duplex, or half-duplex operation on an Ethernet LAN, and can carry traffic
within a designated VLAN interface.
•
Routing and Bridging—You configure the corresponding VLAN interfaces on the ACE as either
routed or bridged. When you configure an IP address on an interface, the ACE automatically
configures it as a routed mode interface. When you configure a bridge group on an interface VLAN,
the ACE automatically configures it as a bridged interface.
•
Traffic Policies—The ACE allows you to perform advanced administration tasks such as using
traffic policies to classify traffic flow and the action to take for the type of traffic. Traffic policies
consist of class maps, policy maps, and service policies.
•
Redundancy—Redundancy provides fault tolerance for the stateful switchover of flow, and offers
increased uptime for a more robust network.
•
Virtualization—Virtualization allow you to manage ACE system resources and users, as well as the
services provided to your customers. Multiple contexts use the concept of virtualization to partition
your ACE into multiple virtual devices or contexts. Each context contains its own set of policies,
interfaces, resources, and administrators.
•
Server Load Balancing— Server load balancing (SLB) on the ACE provides network traffic policies
for SLB, real servers and server farms, health monitoring through probes, and firewall load
balancing.
•
ACE
•
Secure Sockets Layer—The SSL protocol on the ACE provides encryption technology for the
Internet, ensuring secure transactions.
Security Features—The ACE contains several security features including ACLs, NAT, user
authentication and accounting, HTTP deep packet inspection, FTP command request inspection, and
application protocol inspection of DNS, HTTP, ICMP, or RTSP.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
1-19
Chapter 1
Overview
IPv6 Considerations
•
Application Acceleration and Optimization—The ACE includes several optimization technologies
to accelerate Web application performance, optimize network performance, and improve access to
critical business information.
•
Command-Line Interface—The command-line interface (CLI) is a line-oriented user interface that
provides commands for configuring, managing, and monitoring the ACE. For more information, see
the Command Reference, Cisco ACE Application Control Engine.
Related Topics
•
ACE Appliance Device Manager Overview, page 1-1
•
Command Reference, Cisco ACE Application Control Engine
IPv6 Considerations
The DM supports IPv6 configurations with the following considerations:
•
By default, IPv6 is disabled on an interface. You must enable IPv6 on the interface to enable its
configured IPv6 addresses. The interface cannot be in bridged mode. The interface may or may not
have IPv4 addresses configured on it.
•
When you enable IPv6 or configure a global IPv6 address on an interface, the ACE automatically
does the following:
– Configures a link-local address (if it is not already configured)
– Performs duplicate address detection (DAD) on both addresses
You must enable IPv6 on the interface to enable global IPv6 address.
•
IPv6 on interface can be individually enabled or disabled. IPv6 cannot be enable or disable globally.
•
A link-local address is an IPv6 unicast address that has a scope of the local link only and is required
on every interface. Every link-local address has a predefined prefix of FE80::/10. You can configure
a link-local address manually. If you do not configure a link-local address before enabling an IPV6
address on the interface, the ACE automatically generates a link-local address with a prefix of
FE80::/64. Only one IPv6 link-local address can be configured on an interface.
In a redundant configuration, you can configure an IPv6 peer link-local address for the standby
ACE. You can configure only one peer link-local address on an interface.
•
A unique-local address is an optional IPv6 unicast address that is used for local communication
within an organization and it is similar to a private IPv4 address (for example, 10.10.2.1).
unique-local addresses have a global scope, but they are not routable on the internet, and they are
assigned by a central authority. All unique-local addresses have a predefined prefix of FC00::/7. You
can configure only one IPv6 unique-local address on an interface.
In a redundant configuration, you can configure an IPv6 peer unique-local address on the active that
is synchronized to the standby ACE. You can configure only one peer unique-local IPv6 address on
an interface.
•
A global address is an IPv6 unicast address that is used for general IPv6 communication. Each
global address is unique across the entire Internet. Therefore, its scope is global. The low order 64
bits can be assigned in several ways, including autoconfiguration using the EUI-64 format. You can
configure only one globally unique IPv6 address on an interface.
In a redundant configuration, you can configure an IPv6 peer global address that is synchronized to
the standby ACE.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
1-20
OL-26645-02
Chapter 1
Overview
IPv6 Considerations
When you configure redundancy with active and standby ACEs, you can configure a VLAN
interface that has an alias global IPv6 address that is shared between the active and standby ACEs.
The alias IPv6 address serves as a shared gateway for the two ACEs in a redundant configuration.
You can configure only one alias global IPv6 address on an interface.
•
A multicast address is used for communications from one source to many destinations. IPv6
multicast addresses function in a manner that is similar to IPv4 multicast addresses. All multicast
addresses have a predefined prefix of FF00::/8.
•
The ACE supports abbreviated IPv6 addresses. When using double colons (::) for leading zeros in
a contiguous block, they can only be used once in an address. Leading zeros can be omitted. Trailing
zeros cannot be omitted. The DM will abbreviate an IPv6 address after you finish typing it. If you
enter the entire address with a block of contiguous zeros, the DM collapses it into the double colons.
For example: FF01:0000:0000:0000:0000:0000:0000:101 becomes FF01::101.
•
The ACE uses the Neighbor Discovery (ND) protocol to manage and learn the mapping of IPv6 to
Media Access Control (MAC) addresses of nodes attached to the local link. The ACE uses this
information to forward and transmit IPv6 packets. The neighbor discovery protocol enables IPv6
nodes and routers to:
– Determine the link-layer address of a neighbor on the same link
– Find neighboring routers
– Keep track of neighbors
The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses
to determine the link-layer address of a neighbor on the same network (local link), verify the
reachability of a neighbor, and keep track of neighbor routers. The IPv6 neighbor discovery process
uses the following mechanisms for its operation:
– Neighbor Solicitation
– Neighbor Advertisement
– Router Solicitation
– Router Advertisement
– Duplicate Address Detection
•
The ACE supports IPv6-to-IPv6 L4/L7 SLB, including support for IPv6 VIP, predictor, probe,
server farm, sticky, access-list, object-group, interface, source NAT, OCSP, and CRL.
•
The probe must have the same IP address type (IPv6 or IPv4) as the real server. For example, you
cannot configure an IPv6 probe to an IPv4 real server.
•
You can associate both IPv6 and IPv4 probes to a server farm.
•
Only the following Layer 7 protocol will support IPv6:
– Layer 7 HTTP/HTTPS/DNS
– Layer 4 TCP/UDP
•
The ACE supports the following:
– IPv6-to-IPv4 SLB and IPv4-to-IPv6 SLB for L7 HTTP/HTTP/TCP/UDP
– Source NAT support of IPv6
– IPv6 access-list and object group
– DHCPv6 relay
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
1-21
Chapter 1
Overview
Understanding ACE Appliance Device Manager Terminology
•
ICMPv6 traffic is not automatically allowed. You must configure the corresponding management
traffic policy to allow the ping request to ACE. However, the necessary ND (neighbor Discovery)
messages for ARP, duplication address detection are automatically permitted.
•
All the management traffic used by the network management server or DM is required to send over
IPv4 protocol. IPv6 is not supported.
•
Copying files over IPv6 to or from devices are not supported.
•
The ACE supports IPv6 HA:
– All the FT transport (ft vlan) is still on IPv4.
– Track IPv6 host /peer will be supported
Understanding ACE Appliance Device Manager
Terminology
It is useful to understand the following terms when using the ACE Appliance Device Manager:
•
Virtual context
A virtual context is a concept that allows users to partition an ACE appliance into multiple virtual
devices. Each virtual context contains its own set of policies, interfaces, and resources, allowing
administrators to more efficiently manage system resources and services.
•
Virtual server
In a load-balancing environment, a virtual server is a construct that allows multiple physical servers
to appear as one for load-balancing purposes. A virtual server is bound to physical services running
on real servers in a server farm and uses IP address and port information to distribute incoming
client requests to the servers in the server farm according to a specified load-balancing algorithm.
•
Role-Based Access Control
Managing users using role-based access allows administrators to set up users, roles, and domain
access to your virtual contexts. Each user is assigned a role and a domain which defines what virtual
contexts they can view and configure. Roles determine which commands and resources are available
to a user. Domains determine which objects they can use. Only users associated with an admin
virtual context are allowed to see other virtual contexts.
There are two types of virtual contexts:
– Admin context
The Admin context, which contains the basic settings for each virtual device or context, allows
a user to configure and manage all contexts. When a user logs into the Admin context, he or she
has full system administrator access to the entire ACE appliance and all contexts and objects
within it. The Admin context provides access to network-wide resources, for example, a syslog
server or context configuration server. All global commands for ACE appliance settings,
contexts, resource classes, and so on, are available only in the Admin context.
– User context
A user context has access to the resources in which the context was created. For example, a user
context that was created by an administrator while in the Admin context, by default, has access
to all resources in an ACE appliance. Any user created by someone in a user-defined context
only has access to the resources within that context. In addition, roles and domains create access
parameters for each user. For a description of the predefined user roles, see Managing User
Roles, page 15-14.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
1-22
OL-26645-02
Chapter 1
Overview
Understanding ACE Appliance Device Manager Terminology
For more information on RBAC, see Controlling Access to the Cisco ACE Appliance, page 15-3.
•
Resource class
A resource class is a defined set of resources and allocations available for use by a virtual context.
Using resource classes prevents a single context from using all available resources and can be used
to ensure that every context is guaranteed the minimum set of resources necessary.
Related Topics
•
Controlling Access to the Cisco ACE Appliance, page 15-3
•
ACE Appliance Device Manager Interface Overview, page 1-6
•
Conventions in Tables, page 1-12
•
Glossary
Supported Browsers for ACE Appliance Device Manager
The ACE appliance Device Manager is supported on the following browsers listed in Table 9. All
browsers require cookies and DHTML (JavaScript) to be enabled.
Table 9
Supported Browsers
Browser
Version
Client Platform
Microsoft Internet
Explorer
IE 7.0
Windows XP Professional with Service Pack 2 or Windows Vista with Service
Pack 1
IE 8.0
Windows XP Professional with Service Pack 2, Windows Vista with Service
Pack 1, or Windows 7
Firefox
20
•
Windows XP Professional with Service Pack 2, Windows Vista with Service
Pack 1, or Windows 7
•
Red Hat Enterprise Linux 5
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
1-23
Chapter 1
Overview
Understanding ACE Appliance Device Manager Terminology
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
1-24
OL-26645-02
CHAPTER
2
Using Homepage
Homepage is a launching point for quick access to selected areas within Cisco Device Manager (DM).
It allows you to have quick access to the following operations and guided setup tasks in DM:
•
Operational tasks that you can access:
– The Real Servers table to view information for each configured real server, activate or suspend
real servers listed in the table, or modify the server weight.
– The Virtual Servers table to view information for each configured virtual server and to activate
or suspend virtual servers listed in the table.
•
Monitoring—View the system dashboard for health, usage, and performance information related to
the ACE appliance, and system traffic resource usage.
•
Guided setup tasks that you can launch:
– The Cisco Application Control Engine (ACE) Hardware Setup task to configure ACE devices
that are new to the network by establishing network connectivity in either standalone or
high-availability (HA) deployments.
– The Virtual Context Setup task to create and connect an ACE virtual context.
– The Application Setup task to configure end-to-end load-balancing for your application.
•
Configuration—Tasks that allow you to configure system attributes for a virtual context, and control
a user’s access to the ACE.
•
Documentation—Quick links to DM and ACE appliance user documentation on www.cisco.com,
and the local ACE appliance toolpage.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
2-1
Chapter 2
Using Homepage
The DM Homepage (see Figure 2-1) is the first page that appears in DM after you log in.
Figure 2-1
Homepage Window
Table 2-1 identifies the Homepage links, associated pages in DM, and related topics that can be found
in this document.
Table 2-1
Homepage Links
Homepage Link
DM Page
Related Topics
Manage Real Servers
Config > Operations > Real Servers
Managing Real Servers, page 6-9
Manage Virtual Servers
Config > Operations > Virtual Servers
Managing Virtual Servers, page 5-63
Dashboard
Monitor > Virtual Contexts > Dashboard >
System Dashboard
ACE System Dashboard, page 14-3
Resource Usage Summary
Monitor > Virtual Contexts > Resource
Usage >Connections
Monitoring System Traffic Resource Usage,
page 14-19
Configure ACE Hardware
Config > Guided Setup > ACE Hardware
Setup
Using ACE Hardware Setup, page 3-3
Create a Virtual Context
Config > Guided Setup > Virtual Context
Setup
Using Virtual Context Setup, page 3-7
Provision an Application
Config > Guided Setup > Application Setup
Using Application Setup, page 3-9
Configure Virtual Contexts
Config > Virtual Contexts
Configuring Virtual Context Primary
Attributes, page 4-11
DM Role-Based Access
Control
Adman > Role-Based Access Control >
Users
Managing Users, page 15-7
Operational Tasks
Monitoring
Guided Setup
Configuration
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
2-2
OL-26645-01
Chapter 2
Using Homepage
Table 2-1
Homepage Links (continued)
Homepage Link
DM Page
Related Topics
Documentation
Cisco DM Documentation
N/A
(link to documentation set on
www.cisco.com)
N/A
N/A
Cisco ACE Appliance
Documentation
(link to documentation set on
www.cisco.com)
N/A
Cisco ACE Appliance Tools
(link to the local ACE
appliance toolpage)
N/A
N/A
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
2-3
Chapter 2
Using Homepage
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
2-4
OL-26645-01
CHAPTER
3
Using DM Guided Setup
This chapter describes how to use Cisco Device Manager (DM) Guided Setup.
Note
When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using DM with an ACE appliance and you configure a named object at the ACE CLI, keep in
mind that DM does not support all of the special characters that the ACE CLI allows you to use when
configuring a named object. If you use special characters that DM does not support, you may not be able
to import or manage the ACE using DM.
This chapter contains the following sections:
•
Information About Guided Setup, page 3-1
•
Guidelines and Limitations, page 3-3
•
Using ACE Hardware Setup, page 3-3
•
Using Virtual Context Setup, page 3-7
•
Using Application Setup, page 3-9
Information About Guided Setup
DM Guided Setup provides a series of setup sequences that offer GUI window guidance and networking
diagrams to simplify the configuration of DM and the network devices that it manages.
Guided Setup allows you to quickly perform the following tasks:
•
Configure ACE devices that are new to the network by establishing network connectivity in either
standalone or high-availability (HA) deployments.
•
Create and connect to an ACE virtual context.
•
Set up load balancing application from an ACE to a group of back-end servers.
To access Guided Setup, click the Config tab located at the top of the window, and then click Guided
Setup.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
3-1
Chapter 3
Using DM Guided Setup
Information About Guided Setup
Note
The available menu and button options on the Guided Setup tasks are under Role-Based Access Control
(RBAC). Menu and button options will be grayed if proper permission has not been granted to the logged
in user by the administrator. See the “Controlling Access to the Cisco ACE Appliance” section on
page 15-3 for more information about RBAC in DM.
Table 3-1 identifies the individual guided setup tasks and related topics.
Table 3-1
Guided Setup Tasks and Related Topics
Guided Setup Tasks
Purpose
ACE hardware setup
Launch the ACE Hardware Setup task
to help you configure ACE devices
that are new to the network by
establishing network connectivity in
either standalone or high-availability
(HA) deployments.
Virtual context setup
Application setup
Launch the Virtual Context Setup task
to create and connect an ACE virtual
context.
Launch the Application Setup task to
configure load balancing for your
application. This task guides you
through a complete end-to-end
configuration of the ACE for many
common server load-balancing
situations.
Related Topics
•
Using ACE Hardware Setup, page 3-3
•
Managing ACE Appliance Licenses, page 4-29
•
Configuring SNMP for Virtual Contexts,
page 4-19
•
Configuring Port Channel Interfaces, page 10-2
•
Configuring Gigabit Ethernet Interfaces,
page 10-5
•
Configuring Virtual Context VLAN Interfaces,
page 10-10
•
Configuring High Availability Peers, page 11-8
•
Using Virtual Context Setup, page 3-7
•
Managing Resource Classes, page 4-35
•
Creating Virtual Contexts, page 4-2
•
Configuring Virtual Contexts, page 4-7
•
Using Application Setup, page 3-9
•
Configuring Virtual Context VLAN Interfaces,
page 10-10
•
Configuring Virtual Context BVI Interfaces,
page 10-23
•
Configuring VLAN Interface NAT Pools and
Displaying NAT Utilization, page 10-32
•
Configuring Security with ACLs, page 4-58
•
SSL Setup Sequence, page 9-5
•
Configuring Virtual Servers, page 5-2
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
3-2
OL-26645-02
Chapter 3
Using DM Guided Setup
Guidelines and Limitations
Guidelines and Limitations
As you perform a Guided Setup task, use the following operating conventions:
•
To move between steps, click the name of the step in the menu to the left.
•
The steps for each task are listed in an order that is designed to prevent problems during later steps;
however, you can skip steps if you know they are not applicable to your application.
•
Depending on your user privileges, DM may prevent you from making changes on certain steps.
•
You must save and deploy any changes you want to keep before leaving each page.
•
Each task can be run as many times as you like.
Using ACE Hardware Setup
You can use the ACE Hardware Setup task to configure ACE devices that are new to the network by
establishing network connectivity in either standalone or high-availability (HA) deployments.
Assumptions
•
You can extend the functionality of the ACE by installing licenses. If you plan to extend the ACE
functionality, ensure that you have received the proper software license key for the ACE, that ACE
licenses are available on a remote server for importing to the ACE, or you have received the software
license key and have copied the license file to the disk0: file system on the ACE using the copy
path/]filename1 disk0: CLI command.
Note
See the Administration Guide, Cisco ACE Application Control Engine for details on the copy
path/]filename1 disk0: CLI command.
•
You must be in the Admin virtual context on an ACE appliance to configure ACE devices that are
new to the network.
•
When importing an ACE HA pair into DM, you should follow one of the following configuration
requirements so that DM can uniquely identify the ACE HA pair:
– Use a unique combination of FT interface VLAN and FT IP address/peer IP address for every
ACE HA pair imported into DM. For HA, it is critical that the combination of FT interface
VLAN and IP address/peer IP address is always unique across every pair of ACE peer devices.
– Define a peer IP address in the management interface using the management IP address of the
peer ACE (module or appliance). The management IP address and management peer IP address
used for this definition should be the management IP address used to import both ACE devices
into DM.
Note
•
For more information about the use of HA pairs imported into DM, see the “Understanding ACE
Redundancy” section on page 11-2.
When you are configuring the ACE, changes to the physical interfaces (including Gigabit Ethernet
ports or port channels) can result in a loss of connectivity between DM and the ACE. Use caution
when following the ACE Hardware Setup task if you are modifying the interface that management
traffic is traversing.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
3-3
Chapter 3
Using DM Guided Setup
Using ACE Hardware Setup
Procedure
Step 1
Choose Config > Guided Setup > ACE Hardware Setup.
The ACE Hardware Setup window appears with the Configuration Type drop-down list.
Step 2
From the Configuration Type drop-down list, choose whether to set up the ACE as a standalone device
or as a member of a high-availability (HA) ACE pair:
•
Standalone—The ACE is not to be used in an HA configuration.
•
HA Secondary—The ACE is to be the secondary peer in an HA configuration.
•
HA Primary—The ACE is to be the primary peer in an HA configuration.
Note
Step 3
Ensure that you complete the ACE hardware setup task for the secondary device before you set
up the primary device.
Click Start Setup.
The License window appears (Config > Guided Setup > ACE Hardware Setup > Licenses). Cisco
offers licenses for ACE appliances that allows you to increase the number of default contexts,
bandwidth, and SSL TPS (transactions per second). For more information, see the Administration Guide,
Cisco ACE Application Control Engine on cisco.com.
If you need to install licenses at this point, go to Step 4.
If you do not need to install licenses at this point, go to Step 5.
Step 4
Install one or more ACE licenses (see the “Managing ACE Appliance Licenses” section on page 4-29).
Note
Step 5
For an ACE primary and secondary HA pair, because each ACE license is only valid on a single
hardware device, licenses are not synchronized between HA peer devices. You must install an
appropriate version of each license independently on both the primary and secondary ACE
devices.
Click SNMP v2c Read-Only Community String under ACE Hardware Setup (Config > Guided Setup
> ACE Hardware Setup > SNMP v2c Read-Only Community String).
The SNMP v2c Read-Only Community String window appears.
Perform the following actions to configure an SNMP community string (a requirement for an ACE to be
monitored by DM):
a.
Click Add (+) at the top of the SNMP v2c Read-Only Community String table to create an SNMP
community string. The New SNMP v2c Community window appears.
Note
b.
For DM to monitor an ACE, you must configure an SNMPv2c community string in the
Admin virtual context.
In the Read-Only Community field, enter the SNMP read-only community string name. Valid entries
are unquoted text strings with no spaces and a maximum of 32 characters.
Additional SNMP configuration selections are available under Config > Virtual Contexts > context >
System > SNMP. See the “Configuring SNMP for Virtual Contexts” section on page 4-19.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
3-4
OL-26645-02
Chapter 3
Using DM Guided Setup
Using ACE Hardware Setup
Step 6
If you are configuring an ACE appliance, to group physical ports together on the ACE appliance to form
a logical Layer 2 interface called the port-channel (sometimes known as EtherChannels), click Port
Channel Interfaces under ACE Hardware Setup.
The Port Channel Interfaces window appears (Config > Guided Setup > ACE Hardware Setup > Port
Channel Interfaces).
Note
You must configure port channels on both the ACE appliance and the switch that the ACE is
connected to.
Perform the following actions to configure a port channel interface:
a.
At the top of the Port Channel Interfaces table, click Add (+) to add a port channel interface, or
choose an existing port channel interface and click Edit to modify it. The New Port Channel
Interface window appears.
Note
Step 7
Step 8
If you click Edit, not all of the fields can be modified.
b.
Enter the port channel interface attributes as described in the “Configuring Port Channel Interfaces”
section on page 10-2.
c.
Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
d.
To display statistics and status information for a port-channel interface, choose the interface from
the Port Channel Interfaces table and click Details. The show interface port-channel CLI
command output appears. See the “Displaying Port Channel Interface Statistics and Status
Information” section on page 10-5 for details.
If you are configuring an ACE appliance, to configure one or more of the Gigabit Ethernet ports on the
appliance, click GigabitEthernet Interfaces under ACE Hardware Setup. The GigabitEthernet
Interfaces window appears (Config > Guided Setup > ACE Hardware Setup > GigabitEthernet
Interfaces).
a.
Choose an existing Gigabit Ethernet interface and click Edit to modify it.
b.
Enter the Gigabit Ethernet physical interface attributes as described in the “Configuring Gigabit
Ethernet Interfaces” section on page 10-5.
c.
Click Deploy Now when completed to deploy this configuration on the ACE and save your entries
to the running-configuration and startup-configuration files.
d.
Repeat Steps a through c for each Gigabit Ethernet interface that you want to configure.
e.
To display statistics and status information for a particular Gigabit Ethernet interface, choose the
interface from the GigabitEthernet Interfaces table, and then click Details. The show interface
gigabitEthernet CLI command output appears. See the “Displaying Gigabit Ethernet Interface
Statistics and Status Information” section on page 10-9 for details.
If the ACE is a member of an HA ACE pair, click VLAN Interfaces under ACE Hardware Setup.
The VLAN Interfaces window appears (Config > Guided Setup > ACE Hardware Setup > VLAN
Interfaces).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
3-5
Chapter 3
Using DM Guided Setup
Using ACE Hardware Setup
Note
a.
To prevent loss of management connectivity during an HA configuration, you must configure
the IP addresses of the management VLAN interface correctly for your HA setup. During this
procedure, choose the management VLAN interface (and click the Edit button) and make sure
its IP address, alias IP address, and peer IP address are all set correctly. You can repeat this
process for any VLAN interfaces that you want. If the management VLAN is properly
configured before establishing HA, you will be able to return later to reconfigure other VLANs.
Click Add to add a new VLAN interface, or choose an existing VLAN interface and click Edit to
modify it.
Note
Step 9
If you click Edit, not all of the fields can be modified.
b.
Enter the VLAN interface attributes as described in the “Configuring Virtual Context VLAN
Interfaces” section on page 10-10. Click More Settings to access the additional VLAN interface
attributes. By default, DM hides the default VLAN interface attributes and the VLAN interface
attributes which are not commonly used.
c.
Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
d.
To display statistics and status information for a VLAN interface, choose the VLAN interface from
the VLAN Interface table, and then click Details. The show interface vlan, show ipv6 interface
vlan, and show ipv6 neighbors CLI commands appear. Click on the command to display its output.
See the “Displaying VLAN Interface Statistics and Status Information” section on page 10-23 for
details.
If the ACE is the primary peer in a high availability (HA) configuration, click HA Peering under ACE
Hardware Setup (Config > Guided Setup > ACE Hardware Setup > HA Peering).
a.
Click Edit below the HA Management section to configure the primary ACE and the secondary
ACE as described in the “Configuring High Availability Peers” section on page 11-8. There are two
columns, one for the selected ACE and another for a peer ACE.
You can specify the following information:
– Identify the two members of a HA pair.
– Assign IP addresses to the peer ACEs.
– Assign an HA VLAN to HA peers and bind a physical Gigabit Ethernet interface to the FT
VLAN.
– Configure the heartbeat frequency and count on the peer ACEs in a fault-tolerant VLAN.
When completed, click Deploy Now to deploy this configuration on the ACE and save your entries
to the running-configuration and startup-configuration files.
b.
Click Add below the ACE HA group table to add a new high availability group. Enter the
information in the configurable fields as described in the “Configuring High Availability Peers”
section on page 11-8. When completed, click Deploy Now to deploy this configuration on the ACE
and save your entries to the running-configuration and startup-configuration files.
The HA State field displays FT VLAN Compatible once HA setup has been successfully completed.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
3-6
OL-26645-02
Chapter 3
Using DM Guided Setup
Using Virtual Context Setup
Note
Step 10
To display statistics and status information for a particular HA group, choose the group from
the ACE HA Groups table and click Details. The show ft group group_id detail CLI
command output appears. See the “Displaying High Availability Group Statistics and Status
Information” section on page 11-16 for details.
Once the HA State field in the ACE HA Groups table shows a successful state, the ACE is ready for
further configuration as follows:
•
To set up additional virtual contexts, continue to the Virtual Context Setup task to create and connect
an ACE virtual context. See the “Using Virtual Context Setup” section on page 3-7.
•
To set up an application in an existing virtual context, continue to the Application Setup task to set
up load-balancing for an application from an ACE to a group of back-end servers. See the “Using
Application Setup” section on page 3-9.
Related Topics
•
Managing ACE Appliance Licenses, page 4-29
•
Configuring SNMP for Virtual Contexts, page 4-19
•
Configuring Port Channel Interfaces, page 10-2
•
Configuring Gigabit Ethernet Interfaces, page 10-5
•
Configuring Virtual Context VLAN Interfaces, page 10-10
•
Configuring High Availability Peers, page 11-8
Using Virtual Context Setup
You can use the Virtual Context Setup task to create and connect an ACE virtual context. Virtual contexts
use virtualization to partition your ACE appliance into multiple virtual devices, or contexts. Each
context contains its own set of policies, interfaces, resources, and administrators.
Before You Begin
You must be in the Admin context on the ACE to create a new user context.
Procedure
Step 1
Choose Config > Guided Setup > Virtual Context Setup.
The Virtual Context Setup window appears.
Step 2
From the ACE Device drop-down list, choose an ACE.
Step 3
Click Start Setup.
The Resource Classes window appears (Config > Guided Setup > Virtual Context Setup > Resource
Classes).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
3-7
Chapter 3
Using DM Guided Setup
Using Virtual Context Setup
Perform the following tasks to create or modify a resource class:
a.
If you want to create a resource class, click Add (+). The New Resource Class configuration window
appears. Enter the resource information as described in the “Managing Resource Classes” section
on page 4-35.
b.
If you want to modify an existing resource, choose the resource class that you want to modify, and
then click Edit. The Edit Resource Class configuration window appears. Enter the resource
information as described in the “Managing Resource Classes” section on page 4-35.
c.
Click OK to save your entries and to return to the Resource Classes table.
Make note of the resource class that you want to use because you will need it in Step 5.
Step 4
Click Virtual Context Management under Virtual Context Setup.
The Virtual Context window appears (Config > Guided Setup > Virtual Context Setup > Virtual
Context Management).
Perform the following actions to create or modify a virtual context:
Step 5
a.
If you want to create a virtual context, click Add (+). The New Virtual Context window appears.
Configure the virtual context as described in the “Configuring Virtual Contexts” section on
page 4-7.
b.
If you want to modify an existing virtual context, choose the virtual context that you want to modify
and click Edit. The Primary Attributes configuration screen appears. Enter the primary attributes
for this virtual context as described in the “Configuring Virtual Context Primary Attributes” section
on page 4-11.
When completed, click Deploy Now to deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. Follow these guidelines when creating or
modifying the virtual context:
•
To connect the virtual context to the available VLANs, specify one or more VLANs in the Allocated
VLANs field. You can specify multiple VLAN values and ranges (for example, “10, 14, 70-79”).
•
For virtual contexts configured for an ACE, you must set up all VLANs used in this step as trunk or
access VLANs on the port channel or Gigabit Ethernet interfaces. If you did not set up these VLANs
during the ACE Hardware Setup task, you can return to the ACE Hardware Setup window to
configure the required VLANs. See the “Using ACE Hardware Setup” section on page 3-3.
•
When specifying the resource class for the virtual context, choose the resource class that you created
or specified in Step 3.
Note
•
If you are unsure of the resource class to use for this virtual context, choose default. You
can change the resource class setting at a later time.
If HA has been correctly configured for this ACE device, the High Availability check box will be
checked. If the check box is unchecked, check it to instruct DM to automatically configure
synchronization for this virtual context.
Note
The High Availability check box is available only if HA Peering has previously been
completed for the ACE hardware.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
3-8
OL-26645-02
Chapter 3
Using DM Guided Setup
Using Application Setup
•
Step 6
If you want to set up a separate management VLAN interface for the virtual context, under
Management Settings, configure the management interface for this virtual context and create an
admin user. Each context also has its own management VLAN that you can access using the DM
GUI. In this case, you would assign an independent VLAN and IP address for management traffic
to access the virtual context.
To edit the load-balancing configuration for a virtual context, continue to the Application Setup task.
See the “Using Application Setup” section on page 3-9.
Related Topics
•
Using ACE Hardware Setup, page 3-3
•
Using Virtual Contexts, page 4-2
•
Managing Resource Classes, page 4-35
•
Creating Virtual Contexts, page 4-2
•
Configuring Virtual Contexts, page 4-7
•
Using Application Setup, page 3-9
Using Application Setup
This section contains the following topics:
•
ACE Network Topology Overview, page 3-9
•
Using Application Setup, page 3-10
ACE Network Topology Overview
With respect to ACE configuration, the network topology describes where—which VLAN or
subnet—client traffic comes into the ACE and where this traffic is sent to real servers. Network
configuration for ACE load balancing depends on the surrounding topology. By specifying to DM the
topology that is appropriate for your networking application, DM can present more relevant options and
guidance.
The network topology is often determined solely by your existing network; however, the goals for your
ACE deployment can also play a role. For example, when ACE acts as a router between clients and
servers, it provides a level of protection by effectively hiding the servers from the clients. On the other
hand, for a routed topology to work, each of those servers must be configured to route back through the
ACE, which can be a significant change to the network routing.
The ACE is also capable of bridging the client and server VLANs, which does not affect server routing.
However, it does require the network to have VLANs set up appropriately.
If you are not sure what topology to use, or do not want to make topology decisions immediately, use
the “one-armed” topology. The one-armed topology does not typically require any changes to an existing
network and can be set up with minimal knowledge of the network. You can then expand your ACE
network topology to routed mode or bridged mode to better suit your networking requirements.
Figure 3-1 illustrates the one-armed network topology.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
3-9
Chapter 3
Using DM Guided Setup
Using Application Setup
Figure 3-1
Example of a One-Armed Network Topology
Client to ACE Request
Client IP (src):<a.b.c.d>
VIP (dst): 172.16.5.10
Router/
Switch
Client to ACE Request
Nat Pool IP (src): 172.16.5.101
Server IP (dst): 192.168.1.11
Client Network
Server VLAN
e.g. 192.168.1.0/16
247750
ACE VLAN
e.g. 172.16.5.0/16
Real
Servers
ACE Virtual
Context
Figure 3-2 illustrates the routed mode network topology.
Example of a Routed Mode Network Topology
Client Network
Real Server
Default Routes
ACE Virtual
Context
Server VLAN
e.g. 192.168.1.0/16
Client VLAN
e.g. 172.16.5.0/16
Real
Servers
247751
Router/
Switch
Real
Servers
247752
Figure 3-2
Figure 3-3 illustrates the bridged mode network topology.
Figure 3-3
Example of a Bridged Mode Network Topology
Real Server
Default Routes
Router/
Switch
Client Network
ACE Virtual
Context
Client VLAN
Server VLAN
BVI
e.g. 192.168.1.0/16
Using Application Setup
You use the Application Setup task to set up load balancing for an application.
Procedure
Step 1
Choose Config > Guided Setup > Application Setup.
The Application Setup window appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
3-10
OL-26645-02
Chapter 3
Using DM Guided Setup
Using Application Setup
Step 2
From the Select Virtual Context drop-down list, choose an existing ACE virtual context.
Step 3
If your ACE is to use HTTPS when communicating with either the client or with real servers, in the Use
HTTPS (SSL) field, choose Yes to specify that the ACE should be set up for secure (SSL) Hypertext
Transfer Protocol (HTTP).
Note
Step 4
The HTTPS option does not apply to the ACE NPE software version. The radio button is set to
No and cannot be changed. For more information, see the “Information About the ACE No
Payload Encryption Software Version” section on page 1-2.
Choose the network topology that reflects the relationship of the selected ACE virtual context to the real
servers in the network.
Topology choices include one-armed, routed, or bridged. See the “ACE Network Topology Overview”
section on page 3-9 for background details on networking topology.
Step 5
Click Start Setup.
Step 6
If you selected either the one-armed or routed topology, the VLAN Interfaces window appears (Config
> Guided Setup > Application Setup > VLAN Interfaces).
To communicate with the client and real servers, a VLAN interface must be specified for client and
server traffic to be sent and received.
Perform the following actions to configure a VLAN interface:
a.
Click Add to add a new VLAN interface, or choose an existing VLAN interface and click Edit to
modify it.
b.
Enter the VLAN interface attributes as described in the “Configuring Virtual Context VLAN
Interfaces” section on page 10-10. Click More Settings to access the additional VLAN interface
attributes. By default, DM hides the default VLAN interface attributes and the VLAN interface
attributes which are not commonly used.
Note
Step 7
After you define the VLAN, write down the VLAN number. You will need this VLAN
number in the ACL and virtual server steps (Steps 9 and 11) of this procedure.
c.
Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
d.
To display statistics and status information for a VLAN interface, choose the VLAN interface from
the VLAN Interface table, and then click Details. The show interface vlan, show ipv6 interface
vlan, and show ipv6 neighbors CLI commands appear. Click on the command to display its output.
See the “Displaying VLAN Interface Statistics and Status Information” section on page 10-23 for
details.
If you selected the bridged topology, the BVI Interfaces window appears (Config > Guided Setup >
Application Setup > BVI Interfaces).
Perform the following actions to configure a BVI interface:
a.
Click Add to add a new BVI interface, or choose an existing BVI interface, and then click Edit to
modify it.
b.
Enter the BVI interface attributes as described in the “Configuring Virtual Context BVI Interfaces”
section on page 10-23.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
3-11
Chapter 3
Using DM Guided Setup
Using Application Setup
Note
Step 8
After you define the BVI, write down the client-side VLAN number. You will need this BVI
number in the ACL and virtual server steps (Steps 9 and 11) of this procedure.
c.
Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
d.
To display statistics and status information for a BVI interface, choose the BVI interface from the
BVI Interface table, and then click Details. The show interface bvi, show ipv6 interface bvi, and
show ipv6 neighbors CLI commands appear. Click on the command to display its output. See the
“Displaying BVI Interface Statistics and Status Information” section on page 10-31 for details.
If you selected the one-armed topology, click NAT Pools under Application Setup.
The NAT Pools window appears (Config > Guided Setup > Application Setup > NAT Pools). To set
up a one-armed topology, you need a NAT pool to provide the set of IP addresses that ACE can use as
source addresses when sending requests to the real servers.
Note
You must configure the NAT pool on the same VLAN interface that you configured in Step 6.
Perform the following actions to create or modify a NAT pool for a VLAN:
a.
Click Add to add a new NAT pool entry, or choose an existing NAT pool entry and click Edit to
modify it. The NAT Pool configuration window appears.
b.
Configure the NAT pool attributes as described in the “Configuring VLAN Interface NAT Pools and
Displaying NAT Utilization” section on page 10-32.
Note
c.
Step 9
After you define the NAT pool, write down the NAT pool ID. You will specify the NAT pool
ID in the virtual server step (Step 11) of this procedure.
Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
Click ACLs under Application Setup.
The ACLs window appears (Config > Guided Setup > Application Setup > ACLs). An ACL applies
to one or more VLAN interfaces. Each ACL consists of a list of entries, each of which defines a source,
a destination, and whether to permit or deny traffic between those locations.
Perform the following actions to create or modify an ACL:
Step 10
a.
Click Add to add a new ACL entry, or choose an existing ACL entry and click Edit to modify it.
The Access List configuration window appears.
b.
Add or edit the required fields as described in the “Configuring Security with ACLs” section on
page 4-58.
c.
Click Deploy to save this configuration.
d.
To display statistics and status information for an ACL, choose an ACL from the ACLs table, and
then click Details. The show access-list access-list detail CLI command output appears. See the
“Displaying ACL Information and Statistics” section on page 4-69 for details.
Click SSL Proxy under Application Setup.
This selection appears only if you specified in Step 3 that the ACE is to use HTTPS when communicating
with either the client or with real servers.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
3-12
OL-26645-02
Chapter 3
Using DM Guided Setup
Using Application Setup
The SSL Proxy window appears (Config > Guided Setup > Application Setup > SSL Proxy).
Note
To terminate or initiate HTTPS connections with ACE, the virtual context must have at least one
SSL proxy service. An SSL proxy contains the certificate and key information needed to
terminate HTTPS connections from the client or initiate them to the servers.
Perform the following actions to create or modify an SSL proxy service:
a.
To create an SSL proxy service, click SSL Proxy Setup.
Note
Step 11
To edit an existing SSL proxy service, choose it from the SSL Proxy table, and click Edit to
modify the SSL proxy service. The SSL Proxy Service configuration window appears. Edit
the required fields as described in the “Configuring SSL Proxy Service” section on
page 9-28.
b.
Add required fields as described in the “Configuring SSL Proxy Service” section on page 9-28.
c.
Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
Click Virtual Server under Application Setup.
The Virtual Servers window appears (Config > Guided Setup > Application Setup > Virtual Server).
The virtual server defines the load-balancing configuration for an application.
Perform the following actions to create or modify a virtual server:
a.
Click Add to add a new virtual server, or choose an existing virtual server, and click Edit to modify
it. The Virtual Server configuration window appears with a number of configuration subsets. The
subsets that you see depend on whether you use the Basic View or the Advanced View and entries
you make in the Properties subset. Change views by using the View object selector at the top of the
configuration pane.
b.
Add or edit required fields as described in the “Virtual Server Configuration Procedure” section on
page 5-7. Table 5-1 identifies and describes virtual server configuration subsets with links to related
topics for configuration information.
Virtual servers have many configuration options. At a minimum, you need to configure the
following attributes:
– Set the VIP, port number (TCP or UDP), and application protocol for your application.
Note
If the ACE is to terminate the client HTTPS connections, choose HTTPS as the Application
Protocol.
– (One-Armed Topology) For VLAN, choose the VLAN from Step 6.
– (Routed Topology) For VLAN, choose the client-side VLAN from Step 6.
– (Bridged Topology) For VLAN, choose the client-side VLAN from Step 6.
– If the ACE is to terminate client HTTPS connections, then under the SSL Termination header,
specify the SSL proxy defined in Step 10.
– Under the Default L7 Loadbalancing Action, set Primary Action to Loadbalance.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
3-13
Chapter 3
Using DM Guided Setup
Using Application Setup
– Create a server farm that contains one or more real servers for this application (see Table 5-10
in the “Configuring Virtual Server Layer 7 Load Balancing” section for details on setting server
farm attributes).
– If the ACE is to initiate HTTPS connections to the real servers, choose the desired SSL proxy
for initiation to this application from the menu next to SSL Initiation.
– (One-Armed Topology) Under NAT, enter the NAT pool ID from Step 8.
After you set up a base virtual server, you can test it to validate your configuration and isolate any
issues in your networking application. You can then add these more advanced load balancing options
to your networking application:
– Additional real servers to a server farm. See Table 5-10 in the “Configuring Virtual Server
Layer 7 Load Balancing” section for details.
– Health monitoring probes and attributes for the specific probe type. See Table 5-11 in the
“Configuring Virtual Server Layer 7 Load Balancing” section for details.
– Stickiness, where client requests for content are to be handled by a sticky group when match
conditions are met. See Table 5-13 in the “Configuring Virtual Server Layer 7 Load Balancing”
section for details.
– Application protocol inspection, where the ACE allows the virtual server to verify protocol
behavior and identify unwanted or malicious traffic passing through the ACE. See the
“Configuring Virtual Server Protocol Inspection” section for details.
c.
Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
d.
To display statistics and status information for an existing virtual server, choose a virtual server from
the Virtual Servers table, and then click Details. The show service-policy global detail CLI
command output appears. See the Viewing All Virtual Servers, page 5-65 for details.
Related Topics
•
Using ACE Hardware Setup, page 3-3
•
Using Virtual Context Setup, page 3-7
•
Configuring Virtual Context VLAN Interfaces, page 10-10
•
Configuring Virtual Context BVI Interfaces, page 10-23
•
Configuring Virtual Context Static Routes, page 10-34
•
Configuring Security with ACLs, page 4-58
•
SSL Setup Sequence, page 9-5
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
3-14
OL-26645-02
C H A P T E R
4
Configuring Virtual Contexts
Cisco Application Control Engine Appliance Device Manager (ACE Appliance Device Manager)
provides a number of options for creating, configuring, and managing ACE appliances.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
This chapter contains the following sections:
•
Using Virtual Contexts, page 4-2
•
Creating Virtual Contexts, page 4-2
•
Configuring Virtual Contexts, page 4-7
•
Configuring Virtual Context System Attributes, page 4-11
•
Configuring Virtual Context Primary Attributes, page 4-11
•
Configuring Virtual Context Syslog Logging, page 4-12
•
Configuring SNMP for Virtual Contexts, page 4-19
•
Configuring Virtual Context Global Traffic Policies, page 4-28
•
Managing ACE Appliance Licenses, page 4-29
•
Managing Resource Classes, page 4-35
•
Setting Resource Usage Thresholds to Receive SNMP Notifications, page 4-42
•
Using the Configuration Checkpoint and Rollback Service, page 4-46
•
Performing Device Backup and Restore Functions, page 4-49
•
Configuring Security with ACLs, page 4-58
•
Configuring Object Groups, page 4-70
•
Configuring Virtual Context Expert Options, page 4-79
•
Managing Virtual Contexts, page 4-79
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-1
Chapter 4
Configuring Virtual Contexts
Using Virtual Contexts
Using Virtual Contexts
Virtual contexts use the concept of virtualization to partition your ACE appliance into multiple virtual
devices or contexts. Each context contains its own set of policies, interfaces, resources, and
administrators. This feature enables you to more closely and efficiently manage resources, users, and the
services you provide to your customers.
The first time you configure a virtual context, you will see only the Admin context. In addition to the
configurable attributes of other virtual contexts, the Admin context can configure:
•
ACE appliance licenses
•
Resource classes
•
Port channel, management, and Gigabit Ethernet interfaces
•
High Availability (HA or fault tolerance between ACE appliances)
•
Application acceleration and optimization on the ACE appliance
Related Topics
•
Creating Virtual Contexts, page 4-2
•
Configuring Virtual Contexts, page 4-7
•
Deleting Virtual Contexts, page 4-84
Creating Virtual Contexts
Use this procedure to create virtual contexts.
Note
If you do not configure a management VLAN for SNMP access, the ACE Appliance Device Manager
will not be able to poll the context.
Note
If an ACE appliance is configured as a hot standby in a high availability pair, its configuration cannot
be modified and you cannot add or modify virtual contexts. ACE appliances configured as hot standby
members display Standby Hot in the HA State column in the All Virtual Contexts table (Config >
Virtual Contexts). For more information, see the“High Availability Polling” section on page 11-2.
Procedure
Step 1
Choose Config > Virtual Contexts.
The All Virtual Contexts table appears.
Step 2
Click Add.
The New Virtual Context screen appears.
Step 3
Configure the virtual context using the information in Table 4-1.
Tip
Fields with 2 or 3 choices use radio buttons. Fields with more than 3 choices use dropdown lists.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-2
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Creating Virtual Contexts
Table 4-1
Virtual Context Configuration Attributes
Field
Description
Basic Settings
Name
Enter a unique name for the virtual context. Valid entries are unquoted text strings with no
spaces and a maximum of 64 alphanumeric characters.
This field is read-only for existing contexts.
Description
Enter a brief description of the virtual context. Enter a description as an unquoted text string
with a maximum of 240 alphanumeric characters.
Resource Class
Choose the resource class this virtual context is to use. Click View to display the information
for the selected resource class. For more information, see the “Managing Resource Classes”
section on page 4-35).
Allocate VLANs
Enter the number of a VLAN or a range of VLANs so that the context can receive the
associated traffic. You can specify VLANs in any of the following ways:
•
•
For a single VLAN, enter an integer from 2 to 4096.
For multiple, non-sequential VLANs, use comma-separated entries, such as 101, 201,
302.
•
For a range of VLANs, use the format <beginning-VLAN>-<ending-VLAN>, such as
101-150.
Note
Default Gateway for IPv4
VLANs cannot be modified in an Admin context.
Enter the IPv4 address of the default gateway. You can enter a maximum of eight addresses.
Use a comma-separated list to specify multiple IP addresses, for example, such as
192.168.65.1, 192.168.64.2.
Default static routes with a netmask and IP address of 0.0.0.0 previously configured on the
ACE appear in this field.
Default Gateway for IPv6
Enter the IPv6 address of the default gateway or select the forward VLAN interface or BVI,
as follows:
•
IPv6 Address field—Enter the address of the gateway router (the next-hop address for this
route). Then, use the right arrow to move it to the Selected field. You can enter a
maximum of eight addresses including a selected VLAN or BVI through the Outgoing
Interfaces setting.
Default static routes with a prefix and IP address of ::0 previously configured on the ACE
appear in the Selected field.
•
Outgoing Interfaces—Select either VLAN or BVI used for the link-local address only.
And then select the Interface Number for the VLAN or BVI.
Management Settings
VLAN Id
Enter the VLAN number that you want to assign to the management interface. Valid values
are from 2 to 4094. By default, all devices are assigned to VLAN1, known as the default
VLAN.
The ACE Device Manager identifies the management class maps and policy maps associated
with the selected VLAN ID assigned to the management interface.
This field is read-only if configured for existing contexts.
VLAN Description
Enter a description for the management interface. Enter an unquoted text string that contains
a maximum of 240 alphanumeric characters including spaces.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-3
Chapter 4
Configuring Virtual Contexts
Creating Virtual Contexts
Table 4-1
Virtual Context Configuration Attributes (continued)
Field
Description
Interface Mode
Choose the topology that reflects the relationship of the selected ACE virtual context to the
real servers in the network:
•
Routed—The ACE virtual context acts as a router between the client-side network and
the server-side network. In this topology, every real server for the application must be
routed through the ACE virtual context, either by setting the default gateway on each real
server to the virtual context server-side VLAN interface address, or by using a separate
router with appropriate routes configured between the ACE virtual context and the real
servers.
•
Bridged—The virtual ACE bridges two VLANs—a client-side VLAN and a real-server
VLAN—on the same subnet using a bridged virtual interface (BVI). In this case, the real
server routing does not change to accommodate the ACE virtual context. Instead, the
virtual ACE transparently handles traffic to and from the real servers.
This field is read-only if configured for existing contexts.
Management IP
Enter the IPv4 address that is to be used for remote management of the context. This address
must be a unique management IP address that is not used in another context. The DM does not
support duplicate management IP addresses in different contexts.
Note
The Device Manager considers an interface as a management interface if it has a
management policy map associated with the VLAN interface. See the “Configuring
Virtual Context VLAN Interfaces” section on page 10-10.
Management Netmask
Choose the subnet mask to apply to this IP address.
Alias IP Address
Enter the IPv4 address of the alias associated with this interface.
Peer IP Address
Enter the IPv4 address of the remote peer.
Access Permission
Choose the source IP addresses that are allowed on the management interface as follows:
•
Allow All—Allows all configured client source IP addresses on the management interface
as the network traffic matching criteria.
•
Deny All—Denies all configured client source IP addresses on the management interface
as the network traffic matching criteria.
•
Match—Displays the Match Conditions table, where you specify the match criteria that
the ACE is to use for traffic on the management interface.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-4
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Creating Virtual Contexts
Table 4-1
Virtual Context Configuration Attributes (continued)
Field
Description
Match Conditions
When you enter the VLAN ID for the management interface, the Match Conditions table
appears.
To add or modify the protocols allowed on this management VLAN, do the following:
1.
Click Add to choose a protocol for the management interface, or choose an existing
protocol entry listed in the Match Conditions table and click Edit to modify it.
2.
In the Protocol drop-down list, choose a protocol:
– HTTP—Specifies the Hypertext Transfer Protocol (HTTP).
– HTTPS—Specifies the Hypertext Transfer Protocol Secure (HTTPS) for
connectivity with the interface using port 443.
– ICMP—Specifies the Internet Control Message Protocol (ICMP) for Internet
Protocol version 4 (IPv4).
– ICMPv6—Specifies the Internet Control Message Protocol version 6 (ICMPv6) for
Internet Protocol version 6 (IPv6).
– KALAP-UDP—Specifies the Keepalive Appliance Protocol over UDP.
– SNMP—Specifies the Simple Network Management Protocol (SNMP).
Note
If SNMP is not selected, the ACE Appliance Device Manager cannot poll the
context.
– SSH—Specifies a Secure Shell (SSH) connection to the ACE.
– TELNET—Specifies a Telnet connection to the ACE.
– XML-HTTPS—Specifies HTTPS as the transfer protocol for sending and receiving
XML documents between the ACE appliance and a Network Management System
(NMS) using port 10443. This option is available for ACE appliances only.
3.
In the Allowed From field, specify the matching criteria for the client source IP address:
– Any—Specifies any client source address for the management traffic classification.
– Source Address—Specifies a client source host IP address as the network traffic
matching criteria. An ICMPv6 source address only accept an IPv6 address.
– Source Netmask—Select a subnet mask. This field is not applicable for ICMPv6.
– Source Prefix Length—(ICMPv6 only) Enter the prefix length, a value from 1 to
128.
4.
Click OK to accept the protocol selection or click Cancel to exit without accepting your
entries.
Note
Enable SNMP Get
To remove a protocol from the management VLAN, choose the entry in the Match
Conditions table, and click Delete.
Check this check box to add an SNMP Get community string to enable SNMP polling on this
context.
This field is read-only if configured for existing contexts.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-5
Chapter 4
Configuring Virtual Contexts
Creating Virtual Contexts
Table 4-1
Virtual Context Configuration Attributes (continued)
Field
Description
SNMP v2c Read-Only
Community String
When you check the Enable SNMP Get check box, this field appears.
Enter the SNMPv2c read-only community string to be used as the SNMP Get community
string.
This field is read-only if configured for existing contexts.
Note
Add Admin User
If SNMP is not an allowed protocol, the ACE Appliance Device Manager will not be
able to poll the context.
When initially configuring the context, check this check box to configure this context for an
Admin user. When the fields appear, enter the user name and password, and confirm the
password.
More Settings
Switch Mode
Check this check box to change the way that the ACE processes TCP connections that are not
destined to a VIP or that do not have any policies associated with their traffic. For such traffic,
the ACE still creates connection objects but processes the connections as stateless
connections, which means that they do not undergo any TCP normalization checks. With this
option enabled, the ACE also creates stateless connections for non-SYN TCP packets if they
satisfy all other configured requirements. This process ensures that a long-lived persistent
connection passes through the ACE successfully (even if it times out) by being reestablished
by any incoming packet related to the connection.
By default, these stateless connections time out after 2 hours and 15 minutes unless you
configure the inactivity timeout otherwise in a parameter map. When a stateless connection
times out, the ACE does not send a TCP RST packet but silently closes the connection. Even
though these connections are stateless, the TCP RST and FIN-ACK flags are honored and the
connections are closed when the ACE sees these flags in the received packets.
Shared VLAN Host Id
Specific bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to
configure different bank numbers for multiple ACEs. This field is available only in the Admin
context.
Regex Compilation Timeout Enter the timeout for regex compilation in minutes. When you configure a regex and its
(minutes)
compilation is longer than the configured timeout, the ACE stops the regex compilation. A
valid entry is an integer from 1 to 500. The default timeout is 60. This field is available only
in the Admin context.
Step 4
Do one of the following
•
Click Deploy Now to deploy this virtual context. To configure other virtual context attributes, see
the “Configuring Virtual Contexts” section on page 4-7.
•
Click Cancel to exit this procedure without saving your entries and to return to the All Virtual
Contexts table.
Related Topics
•
Using Virtual Contexts, page 4-2
•
Configuring Virtual Contexts, page 4-7
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-6
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Contexts
Configuring Virtual Contexts
After creating a virtual context, you can configure it. Configuring a virtual context involves configuring
a number of attributes, grouped into configuration subsets. Table 4-2 describes ACE Appliance Device
Manager configuration subsets and provides links to related topics.
Note
If an ACE appliance is configured as a hot standby in a high availability pair, its configuration cannot
be modified and you cannot add or modify virtual contexts. ACE appliances configured as hot standby
members display Standby Hot in the HA State column in the All Virtual Contexts table (Config >
Virtual Contexts). For more information, see the “High Availability Polling” section on page 11-2.
Note
To add objects such as real servers or server farms to a customized domain, use the CLI and then use the
synchronize feature in ACE Appliance Device Manager to add this object into its customized domain on
ACE Appliance Device Manager. Adding objects to customized domains directly in ACE Appliance
Device Manager results in the object being added to the default domain.
Synchronization options are available in the All Virtual Contexts table (Config > Virtual Contexts).
Tip
Fields with 2 or 3 choices use radio buttons. Fields with more than 3 choices use dropdown lists.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-7
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Contexts
Table 4-2
ACE Appliance and Virtual Context Configuration Options
Configuration
Subset
Description
System
System configuration options allow you to configure:
Related Topics
•
Configuring Virtual Context Primary
Attributes, page 4-11
•
Syslog attributes including the type and severity
of syslog messages that are to be logged, the
syslog log host, log messages, and log rate limits.
Configuring Virtual Context Syslog Logging,
page 4-12
•
Configuring SNMP for Virtual Contexts,
page 4-19
•
SNMP attributes.
•
•
Global policy map configuration for all VLANs
on a virtual context.
Configuring Virtual Context Global Traffic
Policies, page 4-28
•
Managing ACE Appliance Licenses, page 4-29
•
ACE license use on the ACE appliance.
•
Managing Resource Classes, page 4-35
•
Resource classes for allocation of ACE appliance
resources.
•
Configuring Global Application Acceleration
and Optimization, page 13-9
•
Application acceleration and optimization on the
ACE appliance.
•
Using the Configuration Checkpoint and
Rollback Service, page 4-46
•
Checkpoint (snapshot in time) of a known stable
running configuration.
•
Performing Device Backup and Restore
Functions, page 4-49
•
Back up or restore the configuration and
dependencies of an entire ACE or of a particular
virtual context.
•
•
Primary attributes such as VLANs, SNMP
access, and resource class.
Note
ACE appliance licenses, resource classes, and
acceleration and optimization can be
configured only in an Admin context.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-8
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Contexts
Table 4-2
ACE Appliance and Virtual Context Configuration Options (continued)
Configuration
Subset
Description
Load
Balancing
Related Topics
Load-balancing attributes allow you to:
•
Configure virtual servers, real servers, and server
farms for load balancing.
•
Establish the predictor method and return code
checking.
•
Implement sticky groups for session persistence.
•
Configure parameter maps to combine related
actions for policy maps.
Load-balancing configuration options include:
SSL
Security
•
Virtual servers
•
Real servers
•
Server farms
•
Health monitoring
•
Sticky attributes
•
Parameter maps
•
Secure KAL-AP
•
Dynamic Workload Scaling (admin context only)
SSL configuration options allow you to:
•
Load Balancing Overview, page 5-1
•
Configuring Virtual Servers, page 5-2
•
Configuring Server Farms, page 6-18
•
Configuring Health Monitoring for Real
Servers, page 6-41
•
Configuring Sticky Groups, page 7-11
•
Configuring Parameter Maps, page 8-1
•
Configuring Secure KAL-AP, page 6-70
•
Configuring Dynamic Workload Scaling,
page 6-14
•
Configuring SSL, page 9-1
•
Import and export SSL certificates and keys.
•
Using SSL Certificates, page 9-6
•
Set up SSL parameter maps and chain group
parameters.
•
Using SSL Keys, page 9-11
•
Generating CSRs, page 9-27
•
Generate certificate signing requests for
submission to a certificate authority.
•
Configuring SSL Parameter Maps, page 9-19
•
Authenticate peer certificates.
•
Configuring SSL Chain Group Parameters,
page 9-25
•
Configure certificate revocation lists for use
during client authentication.
•
Configuring SSL Proxy Service, page 9-28
•
Configure an Online Certificate Status Protocol
(OCSP) service to define the host server for
certificate revocation checks using OCSP.
•
Configuring SSL Authentication Groups,
page 9-32
•
Configuring SSL OCSP Service, page 9-30
•
Configuring CRLs for Client Authentication,
page 9-33
•
Configuring Virtual Context Expert Options,
page 4-79
•
Creating ACLs, page 4-59
•
Configuring Object Groups, page 4-70
Security configuration options allow you to create
access control lists, set ACL attributes, resequence
ACLs, delete ACLs, and configure object groups.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-9
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Contexts
Table 4-2
ACE Appliance and Virtual Context Configuration Options (continued)
Configuration
Subset
Description
Network
Network configuration options allow you to
configure:
•
Port channel interfaces
•
Gigabit Ethernet interfaces
•
VLAN interfaces
•
BVI interfaces
•
Network Address Translation (NAT) pools for a
VLAN interface
•
Static routes
•
DHCP relay agents
Note
High
Availability
High Availability (HA) attributes allow you to
configure two ACE appliances for fault-tolerant
redundancy.
Note
HA Tracking
And Failure
Detection
Expert
You can configure port channel and Gigabit
Ethernet interfaces only in an Admin context.
You can set up high availability only in an
Admin virtual context.
HA Tracking And Failure Detection attributes allow
you to configure tracking processes that can help
ensure reliable fault tolerance.
Expert options allow you to:
•
Configure traffic policies for filtering and
handling traffic received by or passing through
the ACE appliance.
•
Configure optimization action lists.
•
Configure HTTP header modify action lists.
Related Topics
•
Configuring Virtual Context BVI Interfaces,
page 10-23
•
Configuring Gigabit Ethernet Interfaces,
page 10-5
•
Configuring Virtual Context VLAN Interfaces,
page 10-10
•
Configuring Virtual Context BVI Interfaces,
page 10-23
•
Configuring VLAN Interface NAT Pools and
Displaying NAT Utilization, page 10-32
•
Configuring Virtual Context Static Routes,
page 10-34
•
Configuring Global IP DHCP, page 10-35
•
Configuring High Availability, page 11-1
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups,
page 11-11
•
High Availability Tracking and Failure
Detection Overview, page 11-17
•
Tracking VLAN Interfaces for High
Availability, page 11-19
•
Tracking Hosts for High Availability,
page 11-20
•
Configuring Traffic Policies, page 12-1
•
Configuring an HTTP Optimization Action
List, page 13-3
•
Configuring an HTTP Header Modify Action
List, page 12-90
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-10
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Context System Attributes
Configuring Virtual Context System Attributes
Table 4-3 identifies the ACE Appliance Device Manager virtual context System configuration options
and related topics for more information.
Table 4-3
Virtual Context System Configuration Options
System Configuration Options
Related Topics
Specify virtual context primary attributes
Configuring Virtual Context Primary Attributes,
page 4-11
Configure syslog options
Configure SNMP attributes
•
Configuring Virtual Context Syslog Logging,
page 4-12
•
Configuring Syslog Log Hosts, page 4-16
•
Configuring Syslog Log Messages, page 4-17
•
Configuring Syslog Log Rate Limits,
page 4-18
•
Configuring SNMP for Virtual Contexts,
page 4-19
•
Configuring SNMP Version 2c Communities,
page 4-20
•
Configuring SNMP Version 3 Users,
page 4-21
•
Configuring SNMP Trap Destination Hosts,
page 4-23
•
Configuring SNMP Notifications, page 4-25
Establish global policy maps for all VLANs on a Configuring Virtual Context Global Traffic
virtual context
Policies, page 4-28
Manage ACE appliance licenses
Managing ACE Appliance Licenses, page 4-29
Manage ACE appliance resources across virtual
contexts
Managing Resource Classes, page 4-35
Establish application acceleration and
optimization for the ACE appliance
Configuring Global Application Acceleration and
Optimization, page 13-9
Back up or restore the configuration and
dependencies of an entire ACE or of a particular
virtual context
Performing Device Backup and Restore
Functions, page 4-49
Configuring Virtual Context Primary Attributes
Primary attributes specify a name and resource class for each virtual context. After providing this
information, you can configure other attributes, such as interfaces, monitoring, or load-balancing. For a
complete list of configuration options, see the “Configuring Virtual Contexts” section on page 4-7.
Use this procedure to configure virtual context primary attributes.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-11
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Context Syslog Logging
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > Primary Attributes.
The Primary Attributes configuration screen appears.
Step 2
Enter the primary attributes for this virtual context as described in Table 4-1.
Step 3
Click Deploy Now to deploy this configuration on the ACE appliance.
To exit this procedure without accepting your entries, select a different configuration option.
Related Topics
•
Using Virtual Contexts, page 4-2
•
Configuring Virtual Context VLAN Interfaces, page 10-10
•
Configuring Virtual Context BVI Interfaces, page 10-23
•
Configuring Virtual Context Syslog Logging, page 4-12
•
Configuring Traffic Policies, page 12-1
Configuring Virtual Context Syslog Logging
The ACE Appliance Device Manager uses syslog logging to send log messages to a process which logs
messages to designated locations asynchronously to the processes that generated the messages.
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > Syslog.
The Syslog configuration screen appears.
Step 2
Enter the syslog logging attributes in the displayed fields (see Table 4-5).
All fields that require you to select syslog severity levels use the values in Table 4-4.
Table 4-4
Syslog Logging Levels
Severity
Description
0-Emergency
Unusable system
1-Critical
Critical condition
2-Warning
Warning condition
3-Alert
Immediate action required
4-Error
Error condition
5-Notification
Normal but significant condition
6-Information
Informational message only
7-Debug
Appears only during debugging
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-12
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Context Syslog Logging
The severity level that you specify indicates that you want syslog messages at that level and the more
severe levels. For example, if you specify Error, syslog displays Error, Critical, Alert, and Emergency
messages.
Note
If you set all syslog levels to Debug, some commands like switchover are not processed
successfully. These commands are issued via the CLI and ACE Appliance Device Manager
cannot parse the returned prompt if Debug level is enabled. Instead, a timeout message is
displayed.
If you set syslog levels to Debug and then issue a command that results in a timeout message,
click Refresh to view the result of the operation.
Note
Table 4-5
Setting all syslog levels to Debug during normal operation can degrade overall performance.
Virtual Context Syslog Configuration Attributes
Field
Description
Action
Enable Syslog
This option indicates whether syslog
logging should be enabled or disabled.
Check the check box to enable syslog logging or clear
the check box to disable syslog logging.
Facility
The syslog daemon uses the specified
syslog facility to determine how to
process the messages it receives. Syslog
servers file or direct messages based on
the facility number in the message.
Enter the facility appropriate for your network.
Valid entries are 16 (LOCAL0) through 23 (LOCAL7).
The default for an ACE appliance is 20 (LOCAL4).
For more information on the syslog
daemon and facility levels, refer to your
syslog daemon documentation.
Buffered Level
Console Level
This option enables system logging to a
local buffer and limits the messages sent
to the buffer based on severity.
Choose the desired level for sending system log
messages to a local buffer.
This option is disabled by default.
This option specifies the maximum level Select the desired level for sending system log
for system log messages sent to the
messages to the console.
console.
This option is disabled by default.
Note
Logging into the console can degrade system
performance. Therefore, we recommend that
you log messages to the console only when you
are testing or debugging problems. Do not use
this option when the network is busy, as it can
reduce ACE appliance performance.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-13
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Context Syslog Logging
Table 4-5
Virtual Context Syslog Configuration Attributes (continued)
Field
History Level
Description
Action
This option specifies the maximum level Choose the desired level for sending system log
for system log messages sent as traps to messages as traps to an SNMP network management
an SNMP network management station. station.
This option is disabled by default.
Note
Monitor Level
This option specifies the maximum level
for system log messages sent to a remote
connection using Secure Shell (SSH) or
Telnet on the ACE appliance.
Select the desired level for sending system log
messages to a remote connection using SSH or Telnet
on the ACE appliance.
This option is disabled by default.
Note
Persistence Level
For more information about configuring
SNMP, see the “Configuring SNMP
Notifications” section on page 4-25.
You must enable remote access on the ACE
appliance and establish a remote connection
using the SSH or Telnet protocol from a PC for
this option to work.
This option specifies the maximum level Select the desired level for sending system log
for system log messages sent to Flash
messages to Flash memory.
memory.
This option is disabled by default.
Note
We recommend that you use a lower severity
level, such as 3, since logging at a high rate to
Flash memory on the ACE appliance might
impact performance.
Trap Level
This option specifies the maximum level Select the desired level for sending system log
for system log messages sent to a syslog messages to a syslog server.
server.
This option is disabled by default.
Queue Size
This option specifies the size of the buffer Enter the desired queue size.
for storing syslog messages received
Valid entries are from 0 to 8192 messages.
from other processes within the ACE
The default is 100 messages.
appliance while they await processing.
When the queue exceeds the specified
value, the excess messages are discarded.
Enable Timestamp
This option indicates whether syslog
messages should include the date and
time that the message was generated.
Check the check box to enable timestamps on syslog
messages or clear the check box to disable timestamps
on syslog messages.
This option is disabled by default.
Enable Standby
This option indicates whether logging is
enabled on the failover standby ACE
appliance. When enabled:
•
This feature causes twice the
message traffic on the syslog server.
•
The standby ACE appliance syslog
messages remain synchronized if
failover occurs.
Check the check box to enable logging on the failover
standby ACE appliance or clear the check box to
disable logging on the failover standby ACE
appliance.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-14
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Context Syslog Logging
Table 4-5
Virtual Context Syslog Configuration Attributes (continued)
Field
Description
Action
Enable Fastpath
Logging
This option indicates whether connection Check the check box to enable the logging of setup and
setup and teardown messages are logged. teardown messages or clear the check box to disable
the logging of setup and teardown messages.
This option is disabled by default.
This option specifies the type of unique Select the type of device identifier to be used:
device identifier to be included in syslog
• Any String—Indicates that a test string is to be
messages sent to the syslog server.
used to uniquely identify syslog messages send
The device identifier does not appear in
from the ACE appliance.
EMBLEM-formatted messages, SNMP
• Context Name—Indicates that the name of the
traps, or on the ACE appliance console,
current virtual context is to be used to uniquely
management session, or buffer.
identify the syslog messages sent from the ACE
appliance.
Device Id Type
•
Host Name—Indicates that the hostname of the
ACE appliance is to be used to uniquely identify
the syslog messages sent from the ACE appliance.
•
Interface—Indicates that the IP address of the
interface is to be used to uniquely identify the
syslog messages sent from the ACE appliance.
•
Undefined—Indicates that no identifier is to be
used.
Device Interface Name
This field appears if the Device Id Type is Enter a text string that uniquely identifies the logging
device interface name whose ID is to be included in
Interface.
system messages. The maximum string length is
This option specifies the logging device
64 characters without spaces. Do not use the following
interface to be used to uniquely identify
characters: & (ampersand), ‘ (single quote), “ (double
syslog messages sent from the ACE
quote), < (less than), > (greater than), or ? (question
appliance.
mark).
Logging Device Id
This field appears if the Device ID Type
is Any String.
Step 3
Enter a text string that uniquely identifies the syslog
messages sent from the ACE appliance. The maximum
string length is 64 characters without spaces. Do not
This option specifies the text string to be
use the following characters: & (ampersand), ‘ (single
used to uniquely identify syslog messages
quote), “ (double quote), < (less than), > (greater than),
sent from the ACE appliance.
or ? (question mark).
Click Deploy Now to deploy this configuration on the ACE appliance.
To configure other Syslog attributes for this virtual context, see the following topics:
•
Configuring Syslog Log Hosts, page 4-16
•
Configuring Syslog Log Messages, page 4-17
•
Configuring Syslog Log Rate Limits, page 4-18
Related Topics
•
Configuring Virtual Contexts, page 4-7
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-15
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Context Syslog Logging
•
Configuring Syslog Log Hosts, page 4-16
•
Configuring Syslog Log Messages, page 4-17
•
Configuring Syslog Log Rate Limits, page 4-18
Configuring Syslog Log Hosts
After configuring basic syslog characteristics (see the “Configuring Virtual Context Syslog Logging”
section on page 4-12), you can configure the log host, log messages, and log rate limits. The tabs for
these attributes appear beneath the Syslog configuration screen.
Guidelines and Restrictions
You can configure the ACE with a maximum of four log hosts per context.
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > Syslog.
The Syslog configuration screen appears.
Step 2
Select the Log Host tab.
The Log Host table appears.
Step 3
Click Add to add a new log host, or select an existing log host, and then click Edit to modify it.
The Log Host configuration screen appears.
Step 4
In the IP Address field, enter the IPv4 address of the host to be used as the syslog server.
Step 5
In the Protocol field, select TCP or UDP as the protocol to be used.
Step 6
In the Protocol Port field, enter the number of the port that the syslog server listens to for syslog
messages.
Valid entries are from 1 to 65535. The default port for TCP is 1470 and for UDP it is 514.
Step 7
If it is present, check the Default UDP check box to specify that the ACE appliance is to default to UDP
if the TCP transport fails to communicate with the syslog server.
The Default UDP check box appears if TCP is selected in the Protocol field (Step 5). Clear this check
box to prevent the ACE appliance from defaulting to UDP if the TCP transport fails.
Step 8
Step 9
In the Format field, indicate whether EMBLEM-format logging is to be used as follows:
•
N/A—Indicates that you do not want to enable EMBLEM-format logging.
•
Emblem—Indicates that EMBLEM-format logging is to be enabled for each syslog server. If you
use Cisco Resource Manager Essentials (RME) software to collect and process syslog messages on
your network, enable EMBLEM-format logging so that RME can handle them. Similarly, UDP
needs to be enabled because the Cisco Resource Manager Essentials (RME) syslog analyzer
supports only UDP syslog messages.
Do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit the procedure without saving your entries and to return to the Log Host table.
•
Click Add Another to configure another syslog host.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-16
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Context Syslog Logging
Related Topics
•
Configuring Virtual Context Syslog Logging, page 4-12
•
Configuring Syslog Log Messages, page 4-17
•
Configuring Syslog Log Rate Limits, page 4-18
Configuring Syslog Log Messages
After configuring basic syslog characteristics (see the “Configuring Virtual Context Syslog Logging”
section on page 4-12), you can configure the log host, log messages, and log rate limits. The tabs for
these attributes appear beneath the Syslog configuration screen.
Use this procedure to configure Syslog log messages.
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > Syslog.
The Syslog configuration screen appears.
Step 2
Click the Log Message tab.
The Log Message table appears.
Step 3
Click Add to add a new entry to this table, or select an existing entry, and then click Edit to modify it.
The Log Message configuration screen appears.
Step 4
In the Message Id field, select the system log message ID of the syslog messages that are to be sent to
the syslog server or that are not to be sent to the syslog server.
Step 5
Check the Enable State check box to indicate that logging is enabled for the specified message ID.
Clear the check box to indicate that logging is not enabled for the specified message ID. If you check
the Enable State check box, the Log Level field appears.
Step 6
In the Log Level field, select the desired level of syslog messages to be sent to the syslog server, using
the levels identified in Table 4-4.
Step 7
Do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit the procedure without saving your entries and to return to the Log Message
table.
•
Click Add Another to save your entries and to configure additional syslog message entries for this
virtual context.
Related Topics
•
Configuring Virtual Context Syslog Logging, page 4-12
•
Configuring Syslog Log Hosts, page 4-16
•
Configuring Syslog Log Rate Limits, page 4-18
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-17
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Context Syslog Logging
Configuring Syslog Log Rate Limits
After configuring basic syslog characteristics (see the “Configuring Virtual Context Syslog Logging”
section on page 4-12), you can configure the log host, log messages, and log rate limits. The tabs for
these attributes appear beneath the Syslog configuration screen.
Use this procedure to limit the rate at which the ACE appliance generates messages in the syslog.
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > Syslog.
The Syslog configuration screen appears.
Step 2
Click the Log Rate Limit tab.
The Log Rate Limit table appears.
Step 3
Click Add to add a new entry to this table, or select an existing entry, and then click Edit to modify it.
The Log Rate Limit configuration screen appears.
Step 4
Step 5
In the Type field, indicate the method by which syslog messages are to be limited as follows:
•
Choose Level to limit syslog messages by syslog level. In the Level field, select the level of syslog
messages to be sent to the syslog server, using the levels identified in Table 4-4.
•
Choose Message to limit syslog messages by message identification number. In the Message Id
field, select the syslog message ID for those messages for which you want to suppress reporting.
Check the Unlimited check box to indicate that limits are not to be applied to system message logging.
Clear the Unlimited check box to indicate that limits are to be applied to system message logging. If you
clear the Unlimited check box, the Rate and Time Interval fields appear.
Step 6
Step 7
If you clear the Unlimited check box, specify the limits to apply to system message logging as follows:
a.
In the Rate field, enter the number at which syslog message creation is to be limited. When this limit is
reached, the ACE appliance limits the creation of new syslog messages to be no greater than the
specified rate. Valid entries are integers from 0 to 2147483647.
b.
In the Time Interval (Seconds) field, enter the length of time (in seconds) over which the system
message logs should be limited. The default time interval is one second. For example, if you enter 42 in
the Rate field and 60 in the Time Interval (Seconds) field, the ACE appliance limits the creation of syslog
messages that are sent to a maximum of 42 messages in that 60-second period. Valid entries are from 0
to 2147483647 seconds.
Do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit the procedure without saving your entries and to return to the Log Rate Limit
table.
•
Click Add Another to save your entries and to add another entry to the Log Rate Limit table.
Related Topics
•
Configuring Virtual Contexts, page 4-7
•
Configuring Virtual Context Syslog Logging, page 4-12
•
Configuring Syslog Log Hosts, page 4-16
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-18
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring SNMP for Virtual Contexts
•
Configuring Syslog Log Messages, page 4-17
Configuring SNMP for Virtual Contexts
This section describes how to configure the SNMP attributes for a virtual context and contains the
following topics:
•
Configuring Basic SNMP Attributes, page 4-19
•
Configuring SNMP Version 2c Communities, page 4-20
•
Configuring SNMP Version 3 Users, page 4-21
•
Configuring SNMP Trap Destination Hosts, page 4-23
•
Configuring SNMP Notifications, page 4-25
Configuring Basic SNMP Attributes
Use this procedure to configure basic SNMP attributes for use with this virtual context.
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > SNMP.
The SNMP configuration screen appears.
Step 2
Enter SNMP attributes (see Table 4-6).
Table 4-6
SNMP Attributes
Field
Description
Contact Information
Enter contact information for the SNMP server within the virtual
context as a text string with a maximum of 240 characters including
spaces. In addition to a name, you might want to include a phone number
or e-mail address. To include spaces, add quotation marks at the
beginning and end of the entry.
Location
Enter the physical location of the system as a text string with a
maximum of 240 characters including spaces. To include spaces, add
quotation marks at the beginning and end of the entry.
Unmask Community
Check the check box to unmask the snmpCommunityName and
snmpCommunitySecurityName OIDs of the
SNMP-COMMUNITY-MIB.
Clear the check box to mask these OIDs. By default, they are masked
(the check box is unchecked).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-19
Chapter 4
Configuring Virtual Contexts
Configuring SNMP for Virtual Contexts
Table 4-6
SNMP Attributes (continued)
Field
Description
Trap Source Interface
Enter a valid VLAN number that identifies the interface from which the
SNMP traps originate.
IETF Trap
Check the check box to indicate that the ACE appliance is to send
linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863)
variable bindings, consisting of ifIndex, ifAdminStatus, and ifOperStatus.
Clear the check box to indicate that the ACE appliance is not to send
linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863)
variable bindings. Instead, the ACE appliance sends Cisco var-binds by
default.
Step 3
Click Deploy Now to deploy this configuration on the ACE appliance.
To configure other SNMP attributes, see the following topics:
•
Configuring SNMP Version 2c Communities, page 4-20
•
Configuring SNMP Version 3 Users, page 4-21
•
Configuring SNMP Trap Destination Hosts, page 4-23
•
Configuring SNMP Notifications, page 4-25
Related Topic
•
Configuring Virtual Contexts, page 4-7
Configuring SNMP Version 2c Communities
After configuring basic SNMP information for a virtual context (see the “Configuring SNMP for Virtual
Contexts” section on page 4-19), you can configure other SNMP attributes such as SNMP version 2c
communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these
attributes appear below the SNMP configuration screen.
Note
All SNMP communities in ACE Appliance Device Manager are read-only communities and all
communities belong to the group network monitors.
Use this procedure to configure SNMP version 2c communities for a virtual context.
Assumption
You have configured at least one SNMP contact (see the “Configuring SNMP for Virtual Contexts”
section on page 4-19).
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > SNMP.
The SNMP configuration screen appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-20
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring SNMP for Virtual Contexts
Step 2
Click the SNMP v2c Configuration tab.
The SNMP v2c Configuration table appears.
Step 3
Click Add to add an SNMP v2c community.
The SNMP v2c Configuration screen appears.
Note
Step 4
You cannot modify an existing SNMP v2c community. Instead, delete the existing SNMP v2c
community, and then add a new one.
In the Read-Only Community field, enter the SNMP v2c community name for this context.
Valid entries are unquoted text strings with no spaces and a maximum of 32 characters.
Step 5
Do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entry and to return to the SNMP v2c
Community table.
•
Click Add Another to save your entry and to configure another SNMP community for this virtual
context. The screen refreshes and you can enter another community name.
Related Topics
•
Configuring Virtual Contexts, page 4-7
•
Configuring SNMP Version 3 Users, page 4-21
•
Configuring SNMP Trap Destination Hosts, page 4-23
•
Configuring SNMP Notifications, page 4-25
Configuring SNMP Version 3 Users
After configuring basic SNMP information for a virtual context (see the “Configuring SNMP for Virtual
Contexts” section on page 4-19), you can configure other SNMP attributes such as SNMP version 2c
communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these
attributes appear below the SNMP configuration screen.
Use this procedure to configure SNMP version 3 users for a virtual context.
Assumption
You have configured at least one SNMP contact (see the “Configuring SNMP for Virtual Contexts”
section on page 4-19).
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > SNMP.
The SNMP configuration screen appears.
Step 2
Click the SNMP v3 Configuration tab.
The SNMP v3 Configuration table appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-21
Chapter 4
Configuring Virtual Contexts
Configuring SNMP for Virtual Contexts
Step 3
Click Add to add users, or select an existing entry, and then Edit to modify it.
The SNMP v3 Configuration screen appears.
Step 4
Enter SNMP v3 user attributes (see Table 4-7).
Table 4-7
SNMP v3 User Configuration Attributes
Field
Description
User Name
Enter the SNMP v3 username. Valid entries are unquoted text strings with no
spaces and a maximum of 24 characters.
Authentication
Algorithm
Select the authentication algorithm to be used for this user.
Authentication
Password
•
N/A—Indicates that no authentication is to be used.
•
Message Digest (MD5)—Indicates that Message Digest 5 is to be used
as the authentication mechanism.
•
Secure Hash Algorithm (SHA)—Indicates that Secure Hash Algorithm
is to be used as the authentication mechanism.
Appears if you select an authentication algorithm. The ACE appliance
automatically updates the password for the CLI user with the SNMP
authentication password.
Enter the authentication password for this user as follows:
Confirm
•
If the passphrases are specified in clear text, enter an unquoted text
string with no space that is from 8 to 64 alphanumeric characters in
length. The password length can be an odd or even value.
•
If use of a localized key is enabled, enter an unquoted text string with
no space that is from 8 to 130 alphanumeric characters in length. The
password length must be an even value.
Appears if you select an authentication algorithm.
Reenter the authentication password.
Localized
Appears if you select an authentication algorithm.
This field will be always selected to True.
•
Privacy
True—Indicates that the password is in localized key format for
encryption.
Appears if you select an authentication algorithm.
Indicate whether encryption attributes are to be configured for this user:
•
N/A—Indicates that no encryption attributes are specified.
•
False—Indicates that encryption parameters are not to be configured for
this user.
•
True—Indicates that encryption parameters are to be configured for this
user.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-22
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring SNMP for Virtual Contexts
Table 4-7
SNMP v3 User Configuration Attributes (continued)
Field
Description
AES 128
Appears if you set Privacy to True.
Indicate whether the 128-byte Advanced Encryption standard (AES)
algorithm is to be used for privacy. AES is a symmetric cipher algorithm and
is one of the privacy protocols for SNMP message encryption.
Privacy Password
•
N/A—Indicates that no standard is specified.
•
False—Indicates that AES 128 is not be used for privacy.
•
True—Indicates that AES 128 is to be used for privacy.
Appears if you set Privacy to True. Enter the user encryption password as
follows:
Confirm
•
If the passphrases are specified in clear text, enter an unquoted text
string with no space that is from 8 to 64 alphanumeric characters in
length. The password length can be an odd or even value.
•
If use of a localized key is enabled, enter an unquoted text string with
no space that is from 8 to 130 alphanumeric characters in length. The
password length must be an even value.
Appears if you set Privacy to True.
Reenter the privacy password.
Step 5
Do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries and to return to the SNMP v3
Configuration table.
•
Click Add Another to save your entries and to add another entry to the SNMP v3 Configuration
table. The screen refreshes and you can enter another SNMP v3 user.
Related Topics
•
Configuring Virtual Contexts, page 4-7
•
Configuring SNMP Version 2c Communities, page 4-20
•
Configuring SNMP Trap Destination Hosts, page 4-23
•
Configuring SNMP Notifications, page 4-25
Configuring SNMP Trap Destination Hosts
To receive SNMP notifications you must configure:
•
At least one SNMP trap destination host. This section describes how to do this.
•
At least one type of notification. See the “Configuring SNMP Notifications” section on page 4-25.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-23
Chapter 4
Configuring Virtual Contexts
Configuring SNMP for Virtual Contexts
After configuring basic SNMP information for a virtual context (see the “Configuring SNMP for Virtual
Contexts” section on page 4-19), you can configure other SNMP attributes such as SNMP version 2c
communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these
attributes appear below the SNMP configuration screen.
Use this procedure to configure SNMP trap destination hosts for a virtual context.
Assumption
You have configured at least one SNMP contact (see the “Configuring SNMP for Virtual Contexts”
section on page 4-19).
Procedure
Choose Config > Virtual Contexts > context > System > SNMP.
Step 1
The SNMP configuration screen appears.
Click the Trap Destination Host tab.
Step 2
The Trap Destination Host table appears.
Click Add to add a host, or select an existing entry in the table, and then Edit to modify it.
Step 3
The Trap Destination Host configuration screen appears.
Configure the SNMP trap destination host using the information in Table 4-8.
Step 4
Table 4-8
SNMP Trap Destination Host Configuration Attributes
Field
Description
IP Address
Enter the IPv4 address of the server that is to receive SNMP notifications.
Port
Enter the port to be used for SNMP notification. The default port is 162.
Version
Select the version of SNMP used to send traps:
•
V1—Indicates that SNMP version 1 is to be used to send traps. This option is not available for use
with SNMP inform requests.
•
V2c—Indicates that SNMP version 2c is to be used to send traps.
•
V3—Indicates that SNMP version 3 is to be used to send traps. This version is the most secure
model because it allows packet encryption.
Community
Enter the SNMP community string or username to be sent with the notification operation. Valid entries
are unquoted text strings with no spaces and a maximum of 32 characters.
Security Level
This field appears if V3 is the selected version.
Select the level of security that is to be implemented:
Step 5
•
Auth—Indicates that Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) are to be used
for packet authentication.
•
Noauth—Indicates that the noAuthNoPriv security level is to be used.
•
Priv—Indicates that Data Encryption Standard (DES) is to be used for packet encryption.
Do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-24
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring SNMP for Virtual Contexts
•
Click Cancel to exit this procedure without saving your entries and to return to the Trap Destination
Host table.
•
Click Add Another to save your entries and to add another entry to the Trap Destination Host table.
The screen refreshes and you can add another trap destination host.
Related Topics
•
Configuring Virtual Contexts, page 4-7
•
Configuring SNMP Version 2c Communities, page 4-20
•
Configuring SNMP Version 3 Users, page 4-21
•
Configuring SNMP Notifications, page 4-25
Configuring SNMP Notifications
After configuring basic SNMP information for a virtual context (see the “Configuring SNMP for Virtual
Contexts” section on page 4-19), you can configure other SNMP attributes such as SNMP version 2c
communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these
attributes appear below the SNMP configuration screen.
To receive SNMP notifications you must configure:
•
At least one SNMP trap destination host. See the “Configuring SNMP Trap Destination Hosts”
section on page 4-23.
•
At least one type of notification as described in this section.
Use this procedure to configure SNMP notification for a virtual context.
Prerequisites
•
At least one SNMP contact has been configured (see the “Configuring SNMP for Virtual Contexts”
section on page 4-19).
•
At least one SNMP server host has been configured (see the “Configuring SNMP Trap Destination
Hosts” section on page 4-23).
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > SNMP.
The SNMP configuration screen appears.
Step 2
Click the SNMP Notification tab.
The SNMP Notification table appears.
Step 3
Click Add to add a new entry.
The SNMP Notification configuration screen appears.
Note
Step 4
You cannot modify an existing entry. Instead, delete the existing notification entry and then add
a new one.
In the Options field, choose the type of notifications to be sent to the SNMP host.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-25
Chapter 4
Configuring Virtual Contexts
Configuring SNMP for Virtual Contexts
For the notification types, see Table 4-9.
Table 4-9
Types of Notification
Notification Type
Description
Bandwidth
Notifications are sent that indicate changes to the bandwidth usage (see the All
“Setting Resource Usage Thresholds to Receive SNMP Notifications”
section on page 4-42).
Concurrent Connections Notifications are sent that indicate changes to the concurrent connections
(see the “Setting Resource Usage Thresholds to Receive SNMP
Notifications” section on page 4-42)
Context
All
Connection Rate
Notifications are sent that indicate changes to the connection rates (see the All
“Setting Resource Usage Thresholds to Receive SNMP Notifications”
section on page 4-42).
License
SNMP license notifications are to be sent.
Admin
Rate Limit
Notifications are sent when the threshold settings for the attributes
associated with the rate limit are breached. For more information, see the
“Setting Resource Usage Thresholds to Receive SNMP Notifications”
section on page 4-42.
All
Real Server
Notifications are sent when the threshold settings for the attributes
associated with the real server are breached.
All
Real Server Bandwidth
Notifications are sent that indicate changes to the aggregated bandwidth
usage at the real server level. For more information, see the “Setting
Resource Usage Thresholds to Receive SNMP Notifications” section on
page 4-42).
All
Real Server Concurrent
Connections
Notifications are sent that indicate changes to the concurrent connections
at the real server level.
All
Real Server Connection Notifications are sent that indicate changes to the connection rates at the
Rate
real server level.
All
SLB
Server load-balancing notifications are to be sent.
All
SLB Real Server
Notifications of real server state changes are to be sent.
All
SLB Server Farm
Notifications of server farm state changes are to be sent.
All
SLB Virtual Server
Notifications of virtual server state changes are to be sent.
All
SNMP
SNMP notifications are to be sent.
All
SNMP Authentication
Notifications of incorrect community strings in SNMP requests are to be
sent.
All
SNMP Cold-Start
SNMP agent restart notifications are to be sent after a cold restart (full
power cycle) of the ACE.
Admin
SNMP Link-Down
Notifications are to be sent when a VLAN interface is down.
All
SNMP Link-Up
Notifications are to be sent when a VLAN interface is up.
All
Syslog
Error message notifications (Cisco Syslog MIB) are to be sent.
All
System
Notifications are sent when the threshold settings for the attributes
associated with the system level are breached.
Admin
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-26
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring SNMP for Virtual Contexts
Table 4-9
Types of Notification (continued)
Notification Type
Description
Context
System Active SSL
Connections
Notifications are sent that indicate changes to the aggregated active SSL
connections. For more information, see the “Setting Resource Usage
Thresholds to Receive SNMP Notifications” section on page 4-42).
Admin
Note
This resource option is not available with the ACE NPE software
version (see the “Information About the ACE No Payload
Encryption Software Version” section on page 1-2).
System Bandwidth
Notifications are sent that indicate changes to the aggregated bandwidth
Admin
usage. For more information, see the “Setting Resource Usage Thresholds
to Receive SNMP Notifications” section on page 4-42).
System Concurrent
Connections
Notifications are sent that indicate changes to the concurrent connections. Admin
System Connection Rate Notifications are sent that indicate changes to the connection rates at the
system level.
Admin
System CPU Utilization Notifications are sent that indicate changes to the CPU utilization at the
system level.
Admin
System Memory
Utilization
Notifications are sent that indicate changes to the memory utilization at the Admin
system level.
VIP
Notifications are sent when the threshold settings for the attributes
associated with VIP are breached.
All
VIP Bandwidth
Notifications are sent that indicate changes to the bandwidth usage at the
VIP level.
All
VIP Concurrent
Connections
Notifications are sent that indicate changes to the concurrent connections
at the VIP level.
All
VIP Connection Rate
Notifications are sent that indicate changes to the connection rate at the VIP All
level.
Virtual Context
Virtual context notifications are to be sent.
Step 5
Admin
Do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your selection and to return to the SNMP
Notification table.
•
Click Add Another to save your entries and to add another entry to the SNMP Notification table.
The screen refreshes and you can select another SNMP notification option.
Related Topics
•
Configuring Virtual Contexts, page 4-7
•
Configuring SNMP Version 2c Communities, page 4-20
•
Configuring SNMP Version 3 Users, page 4-21
•
Setting Resource Usage Thresholds to Receive SNMP Notifications, page 4-42
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-27
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Context Global Traffic Policies
Configuring Virtual Context Global Traffic Policies
With the ACE Appliance Device Manager, you can apply traffic policies to a specific VLAN interface
or to all VLAN interfaces in the same virtual context.
Use this procedure to apply a policy to all VLAN interfaces in the selected context.
To apply a policy to a specific VLAN, see the “Configuring Traffic Policies” section on page 12-1.
Note
You cannot modify an existing policy. Instead, delete the existing global policy, and then create
a new one.
Assumption
A Layer 3/Layer 4 or Management policy map has been configured for this virtual context. For more
information, see the “Configuring Virtual Context Policy Maps” section on page 12-34.
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > Global Policies.
The Global Policies table appears.
Step 2
Click Add to add a new global policy.
The Global Policies configuration screen appears.
Note
Step 3
You cannot modify an existing policy. Instead, delete the existing global policy, and then create
a new one.
In the Policy Maps field, choose the policy map that you want to apply to all VLANs in this context.
Click the Add button to create or edit the policy map.
Step 4
In the Direction field, verify that the policy is being applied to incoming communications.
Step 5
Do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit the procedure without saving your entries and to return to the Global Policies
table.
•
Click Add Another to save your entries and to configure another global policy for this context.
Related Topics
•
Using Virtual Contexts, page 4-2
•
Configuring Virtual Context Primary Attributes, page 4-11
•
Configuring Virtual Context VLAN Interfaces, page 10-10
•
Configuring Virtual Context Syslog Logging, page 4-12
•
Configuring Traffic Policies, page 12-1
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-28
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Managing ACE Appliance Licenses
Managing ACE Appliance Licenses
Note
This functionality is available for only Admin contexts.
Cisco offers licenses for ACE appliances that let you increase performance throughput, the number of
default contexts, SSL TPS (transactions per second), and HTTP compression performance. For more
information on these licenses, refer to the Administration Guide, Cisco ACE Application Control Engine
on cisco.com.
You can view, install, remove, or update ACE appliance licenses using the ACE Appliance Device
Manager.
Installing or updating an ACE appliance license involves two processes:
•
Copying the license from a remote network server to the disk0: file system in Flash memory on the
ACE appliance.
•
Installing or updating the license on the ACE appliance.
You can use the ACE appliance Device Manager to perform both processes from a single dialog box. If
you previously copied the license to disk0: on the ACE by using the copy CLI command, you can use
this dialog box to install the new license or upgrade license on your ACE.
Related Topics
•
Viewing ACE Appliance Licenses, page 4-29
•
Installing ACE Appliance Licenses, page 4-30
•
Updating ACE Appliance Licenses, page 4-32
•
Uninstalling ACE Appliance Licenses, page 4-33
•
Displaying the File Contents of a License, page 4-34
Viewing ACE Appliance Licenses
Note
This functionality is available for only Admin contexts.
Use this procedure to view the licenses that are currently installed on an ACE appliance.
Procedure
Step 1
Choose Config > Virtual Contexts.
The All Virtual Context table appears.
Step 2
Choose the Admin context whose ACE appliance licenses you want to view, and then click System >
Licenses.
The following license tables appear:
•
License Status Table—Provides a summary of the license status for the ACE, including:
– Compression performance in megabits or Gigabits per second
– Application acceleration and optimization in the number of concurrent connections
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-29
Chapter 4
Configuring Virtual Contexts
Managing ACE Appliance Licenses
– SSL transactions per second
Note
The SSL transactions per second license does not apply to the ACE NPE software
version (see the “Information About the ACE No Payload Encryption Software
Version” section on page 1-2).
– Number of supported virtual contexts
– ACE appliance bandwidth in Gigabits per second
•
Installed License Files Table—Lists all installed licenses with their filenames, vendors, and
expiration (expiry) dates.
Related Topics
•
Managing ACE Appliance Licenses, page 4-29
•
Installing ACE Appliance Licenses, page 4-30
•
Updating ACE Appliance Licenses, page 4-32
•
Uninstalling ACE Appliance Licenses, page 4-33
•
Displaying the File Contents of a License, page 4-34
Installing ACE Appliance Licenses
Note
This functionality is available for only Admin contexts.
Use this procedure to copy and install a new or upgrade ACE appliance license from a remote server
onto the ACE appliance.
Assumption
•
You have received the proper software license key for the ACE appliance.
•
ACE appliance licenses are available on a remote server for importing to the ACE appliance, or you
have received the software license key and have copied the license file to the disk0: filesystem on
the ACE appliance using the copy disk0: CLI command.
•
This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the
ssh key rsa 1024 force command is applied on the appliance.
Procedure
Step 1
Choose Config > Virtual Contexts.
The All Virtual Contexts table appears.
Step 2
Choose the Admin context you want to import and install a license for, and then click System >
Licenses.
The License Status Table and Installed License Files Table appear listing all installed licenses.
Step 3
Click Install.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-30
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Managing ACE Appliance Licenses
The Install an ACE License dialog box appears.
Step 4
(Optional) If the license currently exists on the ACE disk0: file system in Flash memory, do the
following:
a.
In the Select an Option to Locate a License File section of the dialog box, click the Select a license
file on the ACE option.
b.
In the Select a License File on the Device (disk0) section of the dialog box, from the drop-down list,
choose the name of the license file.
c.
Go to Step 10.
Step 5
(Optional) If the license must be copied to the disk0: file system in Flash memory, in the Select an Option
to Locate a License File section of the dialog box, click the Import a license file from remote system
option. Go to Step 6.
Step 6
In the Protocol To Connect To Remote System field, choose the protocol to be used to import the license
file from the remote server to the ACE as follows:
Step 7
Step 8
•
If you choose FTP, the User Name and Password fields appear. Go to Step 7.
•
If you choose SFTP, the User Name and Password fields appear. Go to Step 7.
•
If you choose TFTP, go to Step 8.
(Optional) If you chose FTP or SFTP, do the following:
a.
In the User Name field, enter the username of the account on the network server.
b.
In the Password field, enter the password for the user account.
In the Remote System IP Address field, enter the host IPv4 address of the remote server.
For example, your entry might be 192.168.11.2.
Step 9
In the License Path In Remote System field, enter the host path and filename of the license file on the
remote server in the format /path/filename where:
•
path represents the directory path of the license file on the remote server.
•
filename represents the filename of the license file on the remote server.
For example, your entry might resemble /usr/bin/ACE-VIRT-020.lic.
Step 10
Step 11
Do one of the following:
•
Click Install to accept your entries and to install the license file.
•
Click Cancel to exit this procedure without installing the license file and to return to the Licenses
table.
(Optional) After installing an ACE license, we recommend that you manually synchronize the ACE
Admin context with the CLI to ensure that DM accurately displays the monitored resource usage
information (Monitor > Virtual Contexts > Resource Usage).
For information about synchronizing the Admin context, see the “Synchronizing Virtual Context
Configurations” section on page 4-79.
Related Topics
•
Managing ACE Appliance Licenses, page 4-29
•
Viewing ACE Appliance Licenses, page 4-29
•
Updating ACE Appliance Licenses, page 4-32
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-31
Chapter 4
Configuring Virtual Contexts
Managing ACE Appliance Licenses
•
Uninstalling ACE Appliance Licenses, page 4-33
•
Displaying the File Contents of a License, page 4-34
Updating ACE Appliance Licenses
Note
This functionality is available for only Admin contexts.
ACE Appliance Device Manager allows you to convert demonstration licenses to permanent licenses
and to upgrade permanent licenses to increase the number of virtual contexts.
Use this procedure to install ACE appliance update licenses.
Assumption
•
You have received the proper update software license for the ACE appliance.
•
ACE appliance licenses are available on a remote server for importing to the ACE appliance, or you
have received the update software license and have copied the license file to the disk0: filesystem
on the ACE appliance using the copy disk0: CLI command.
•
This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the
ssh key rsa 1024 force command is applied on the appliance.
Procedure
Step 1
Choose Config > Virtual Contexts.
The All Virtual Contexts table appears.
Step 2
Choose the Admin context with the license you want to update, and then click System > Licenses.
The License Status Table and Installed License Files Table appear listing all installed licenses.
Step 3
Select the license to be updated, and then click Update.
The Update License On The ACE dialog box appears.
Step 4
(Optional) If the update license currently exists on the ACE disk0: file system in Flash memory, do the
following:
a.
In the Select an Option to Locate a License File section of the dialog box, click the Select a license
file on the ACE option.
b.
In the Select a License File on the Device (disk0) section of the dialog box, choose the name of the
update license file from the drop-down list.
c.
Go to Step 10.
Step 5
(Optional) If the update license must be copied to the disk0: file system in Flash memory, in the Select
an Option to Locate a License File section of the dialog box, click the Import a license file from remote
system option and go to Step 6.
Step 6
In the Protocol To Connect To Remote System field, choose the protocol to be used to import the update
license file from the remote server to the ACE as follows:
•
If you choose FTP, the User Name and Password fields appear. Go to Step 7.
•
If you choose SFTP, the User Name and Password fields appear. Go to Step 7.
•
If you choose TFTP, go to Step 8.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-32
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Managing ACE Appliance Licenses
Step 7
Step 8
(Optional) If you chose FTP or SFTP, do the following:
a.
In the User Name field, enter the username of the account on the network server.
b.
In the Password field, enter the password for the user account.
In the Remote System IP Address field, enter the host IPv4 address of the remote server.
For example, your entry might be 192.168.11.2.
Step 9
In the Licence Path In Remote System field, enter the host path and filename of the license file on the
remote server in the format /path/filename where:
•
path represents the directory path of the license file on the remote server.
•
filename represents the filename of the license file on the remote server.
For example, your entry might be /usr/bin/ACE-VIRT-020.lic.
Step 10
Step 11
Do one of the following:
•
Click Update to update the license and to return to the License table. The License table displays the
updated information.
•
Click Cancel to exit this procedure without updating the license and to return to the License table.
(Optional) After updating an ACE license, we recommend that you manually synchronize the ACE
Admin context with the CLI to ensure that DM accurately displays the monitored resource usage
information (Monitor > Virtual Contexts > ACE > Resource Usage).
For information about synchronizing the Admin context, see the “Synchronizing Virtual Context
Configurations” section on page 4-79.
Related Topics
•
Managing ACE Appliance Licenses, page 4-29
•
Viewing ACE Appliance Licenses, page 4-29
•
Installing ACE Appliance Licenses, page 4-30
•
Uninstalling ACE Appliance Licenses, page 4-33
•
Displaying the File Contents of a License, page 4-34
Uninstalling ACE Appliance Licenses
Note
Caution
This functionality is available for only Admin contexts.
Removing licenses can affect an ACE appliance’s bandwidth or performance. For detailed information
on the effect of license removal on your ACE appliance, see the Administration Guide, Cisco ACE
Application Control Engine.
Use this procedure to remove ACE appliance licenses.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-33
Chapter 4
Configuring Virtual Contexts
Managing ACE Appliance Licenses
Assumption
This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the ssh
key rsa 1024 force command is applied on the appliance.
Procedure
Step 1
Choose Config > Virtual Contexts.
The All Virtual Contexts table appears.
Step 2
Choose the Admin context with the license you want to remove, and then click System > Licenses.
Step 3
In the Installed License Files table, choose the license to be removed.
Step 4
Click Uninstall.
A dialog box appears, asking you to confirm the license removal process.
Note
Step 5
Removing licenses can affect the number of contexts, ACE appliance bandwidth, or SSL TPS
(transactions per second). Be sure you understand the effect of removing the license on your
environment before continuing.
Click OK to confirm the removal or Cancel to stop the removal process.
If you click OK, a status window appears with the status of license removal. When the license has been
removed, the Licenses table refreshes without the deleted license.
Step 6
(Optional) After uninstalling an ACE license, we recommend that you manually synchronize the ACE
Admin context with the CLI to ensure that DM accurately displays the monitored resource usage
information (Monitor > Virtual Contexts > Resource Usage).
For information about synchronizing the Admin context, see the “Synchronizing Virtual Context
Configurations” section on page 4-79.
Related Topics
•
Managing ACE Appliance Licenses, page 4-29
•
Installing ACE Appliance Licenses, page 4-30
•
Updating ACE Appliance Licenses, page 4-32
•
Viewing ACE Appliance Licenses, page 4-29
•
Displaying the File Contents of a License, page 4-34
Displaying the File Contents of a License
Note
This functionality is available for only Admin contexts.
Use this procedure to display file content information about ACE licenses.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-34
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Managing Resource Classes
Procedure
Step 1
Choose Config > Virtual Contexts.
The All Virtual Contexts table appears.
Step 2
Choose the Admin context with the license information you want to view, and then choose System >
Licenses.
The License Status Table and Installed License Files Table appear listing all installed licenses.
Step 3
Choose the installed license file with the information that you want to display, and click View.
DM displays the output of the show license file C LI command.
For example:
ACE-AP-C-500-LIC.lic:
SERVER this_host ANY
VENDOR cisco
INCREMENT ACE-AP-C-500-LIC cisco 1.0 permanent 1 \
NOTICE="<LicFileID>lic.conf</LicFileID><LicLineID>0</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=222C4BCAD092
Step 4
Click Close when you finish viewing the license file information.
Related Topics
•
Installing ACE Appliance Licenses, page 4-30
•
Updating ACE Appliance Licenses, page 4-32
Managing Resource Classes
Resource classes are the means by which you manage virtual context access to ACE appliance resources,
such as concurrent connections or bandwidth rate. ACE appliances are preconfigured with a default
resource class that is applied to the Admin context and any user context upon creation. The default
resource class is configured to allow a context to operate within a range that can vary from no resource
access (0%) to complete resource access (100%). When you use the default resource class with multiple
contexts, you run the risk of oversubscribing ACE appliance resources. This means that the ACE
appliance permits all contexts to have full access to all resources on a first-come, first-served basis.
When a resource is utilized to its maximum limit, the ACE appliance denies additional requests made
by any context for that resource.
To avoid oversubscribing resources and to help guarantee access to a resource by any context, you can
create customized resource classes that you associate with one or more contexts. A context becomes a
member of the resource class when you make the association. Creating a resource class allows you to set
limits on the minimum and maximum amounts of each ACE appliance resource that a member context
is entitled to use. You define the minimum and maximum values as a percentage of the whole. For
example, you can create a resource class that allows its member contexts access to no less that 25% of
the total number of SSL connections that the ACE appliance supports.
You can limit and manage the allocation of the following ACE appliance resources:
•
ACL memory
•
Application acceleration connections
•
Buffers for syslog messages and TCP out-of-order (OOO) segments
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-35
Chapter 4
Configuring Virtual Contexts
Managing Resource Classes
•
Concurrent connections (through-the-ACE traffic)
•
Management connections (to-the-ACE traffic)
•
HTTP compression percentage
•
Proxy connections
•
Set resource limit as a rate (number per second)
•
Regular expression (regexp) memory
•
SSL connections
Note
Managing the SSL connections resource does not apply to the ACE NPE software version
(see the “Information About the ACE No Payload Encryption Software Version” section on
page 1-2).
•
Sticky entries
•
Static or dynamic network address translations (Xlates)
Table 4-10 identifies and defines the resources that you can establish for resource classes.
Resource Allocation Constraints
Note
This functionality is available for only Admin contexts.
The following resources are critical for maintaining connectivity to the Admin context:
Caution
•
Rate Bandwidth
•
Rate Management Traffic
•
Rate SSL Connections
•
Rate Connections
•
Management Connections
•
Concurrent Connections
If you allocate 100% of these resources to a resource class and then apply the resource class to virtual
contexts, connectivity to the Admin context can be lost.
We recommend that you create a resource class specifically for the Admin context and apply it to the
context so that you can maintain IP connectivity.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-36
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Managing Resource Classes
Table 4-10
Resource Class Attributes
Resource
Definition
All
Limits all resources to the specified value for all contexts assigned to this
resource class, except for management traffic bandwidth. Management
traffic bandwidth remains at the default values until you explicitly configure
a minimum value for management traffic.
Acceleration
Connections
Percentage of application acceleration connections.
ACL Memory
Percentage of memory allocated for ACLs.
Buffer Syslog
Percentage of the syslog buffer.
Concurrent
Connections
Percentage of simultaneous connections.
Note
If you consume all Concurrent Connections by allocating 100% to
virtual contexts, IP connectivity to the Admin context can be lost.
HTTP Compression
Percentage of compression for HTTP data.
Management
Connections
Percentage of management connections.
Note
If you consume all Management Connections by allocating 100% to
virtual contexts, IP connectivity to the Admin context can be lost.
Proxy Connections
Percentage of proxy connections.
Rate Bandwidth
Percentage of context throughput. This attribute limits the total ACE
throughput in bytes per second for one or more contexts.
Note
If you consume all rate bandwidth by allocating 100% to virtual
contexts, IP connectivity to the Admin context can be lost.
The maximum bandwidth rate per context is determined by your bandwidth
license. By default, the ACE supports 1 Gigabit per second (Gbps) appliance
throughput. You can upgrade the ACE with an optional 2-Gbps bandwidth
license. When you configure a minimum bandwidth value for a resource
class in the ACE, the ACE subtracts that configured value from the total
bandwidth maximum value of all contexts in the ACE, regardless of the
resource class with which they are associated. The total bandwidth rate of a
context consists of the following two components:
Rate Connections
•
Throughput—Limits through-the-ACE traffic. This is a derived value
(you cannot configure it directly) and it is equal to the bandwidth rate
minus the mgmt-traffic rate for the 1-Gbps and 2-Gbps licenses.
•
Management Traffic—Limits management (to-the-ACE) traffic in bytes
per second. To guarantee a minimum amount of management traffic
bandwidth, you must explicitly allocate a minimum percentage to
management traffic using the Resource Classes table (Config > Virtual
Contexts > admin context > System > Resource Class). When you
allocate a minimum percentage of bandwidth to management traffic, the
ACE subtracts that value from the maximum available management
traffic bandwidth for all contexts in the ACE.
Percentage of connections of any kind.
Note
If you consume all Rate Connections by allocating 100% to virtual
contexts, IP connectivity to the Admin context can be lost.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-37
Chapter 4
Configuring Virtual Contexts
Managing Resource Classes
Table 4-10
Resource Class Attributes (continued)
Resource
Definition
Rate Inspect
Connection
Percentage of application protocol inspection connections for FTP and
RTSP.
Rate MAC Miss
Percentage of messages destined for the ACE appliance that are sent to the
control plane when the encapsulation is not correct in packets.
Rate Management
Traffic
Percentage of management traffic connections.
Rate SSL Connections
Note
If you consume all Rate Management Traffic by allocating 100% to
virtual contexts, IP connectivity to the Admin context can be lost.
Note
This resource option is not available with the ACE NPE software
version (see the “Information About the ACE No Payload
Encryption Software Version” section on page 1-2).
Percentage of SSL connections.
Note
If you consume all Rate Management Traffic by allocating 100% to
virtual contexts, IP connectivity to the Admin context can be lost.
Rate Syslog
Percentage of syslog messages per second.
Regular Expressions
Percentage of regular expression memory.
Sticky
Percentage of entries in the sticky table.
Xlates
Percentage of network and port address translations entries.
Related Topics
•
Adding Resource Classes, page 4-38
•
Modifying Resource Classes, page 4-40
•
Deleting Resource Classes, page 4-41
•
Viewing Resource Class Use on Virtual Contexts, page 4-41
Adding Resource Classes
Note
This functionality is available for only Admin contexts.
Resource classes are used when provisioning services, establishing virtual contexts, managing devices,
and monitoring virtual context resource consumption.
Defining a resource class does not automatically apply it to a context. New resource classes are applied
only when a resource class is assigned to a virtual context.
Caution
If you allocate 100% of the resources to a resource class and then apply the resource class to virtual
contexts, connectivity to the Admin context can be lost. For more information, see the “Resource
Allocation Constraints” section on page 4-36.
Use this procedure to create a new resource class.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-38
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Managing Resource Classes
Procedure
Step 1
Choose Config > Virtual Contexts > admin context > System > Resource Class.
The Resource Classes table appears.
Step 2
Click Add to create a new resource class.
The New Resource Class configuration screen appears.
Step 3
In the Name field, enter a unique name for this resource class.
Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Step 4
To use the same values for each resource, enter the following information in the All row (See Table 4-10
for a description of the resources):
a.
In the Min. field, enter the minimum percentage of each resource you want to allocate to this
resource class. Valid entries are numbers from 0 to 100 including those with decimals in increments
of .01.
b.
In the Max. field, choose the maximum percentage of each resource you want to allocate to this
resource class:
– Equal To Min.—Indicates that the maximum percentage allocated for each resource is equal to
the minimum specified in the Min. field.
– Unlimited—Indicates that there is no upper limit on the percentage of each resource that can be
allocated for this resource class.
Step 5
Step 6
Step 7
To use different values for the resources, for each resource, choose the method for allocating resources:
•
Select Default to use the values specified in Step 4.
•
Choose Min. to enter a specific minimum value for the resource. In the Min. field, enter the
minimum percentage of this resource you want to allocate to this resource class. For example, for
ACL memory, you would enter 10 in the Min. field to indicate that you want to allocate a minimum
of 10 percent of the available ACL memory to this resource class.
If you chose Min., in the Max. field, choose the maximum percentage of the resource you want to
allocate to this resource class:
•
Equal To Min.—Indicates that the maximum percentage allocated for this resource is equal to the
minimum specified in the Min. field.
•
Unlimited—Indicates that there is no upper limit on the percentage of the resource that can be
allocated for this resource class.
When you finish allocating the resources for this resource class, do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance. The ACE Appliance Device
Manager displays the number of virtual contexts that can be supported using this resource class in
the Maximum VC column. To support more or fewer virtual contexts, choose the resource class,
click Edit, and modify it as described in this procedure.
•
Click Cancel to exit this procedure without saving your entries and to return to the Resource Classes
table.
Related Topics
•
Managing Resource Classes, page 4-35
•
Modifying Resource Classes, page 4-40
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-39
Chapter 4
Configuring Virtual Contexts
Managing Resource Classes
•
Deleting Resource Classes, page 4-41
•
Viewing Resource Class Use on Virtual Contexts, page 4-41
Modifying Resource Classes
Note
This functionality is available for only Admin contexts.
When you modify a resource class, the ACE Appliance Device Manager applies the changes to virtual
contexts that are associated with the resource class going forward. The changes are applied to existing
virtual contexts already associated with the resource class.
Caution
If you allocate 100% of the resources to a resource class and then apply the resource class to virtual
contexts, connectivity to the Admin context can be lost. For more information, see the “Resource
Allocation Constraints” section on page 4-36.
Use this procedure to modify an existing resource class.
Note
You cannot modify the default resource class.
Procedure
Step 1
Choose Config > Virtual Contexts > admin context > System > Resource Class.
The Resource Classes table appears.
Step 2
Choose the resource class you want to modify, and then click Edit.
The Edit Resource Class configuration screen appears.
Step 3
Modify the fields as desired.
For details on setting values, see the “Adding Resource Classes” section on page 4-38. For descriptions
of the resources, see Table 4-10.
Step 4
When you finish allocating the resources for this resource class, do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance. The configuration screen
refreshes and the Max. Provisionable field beneath the Name field indicates the number of virtual
contexts that can be supported using this resource allocation. When you are satisfied with the
resource allocation and have saved your entries, click Cancel to return to the Resource Classes
table.
•
Click Cancel to exit this procedure without saving your entries and to return to the Resource Classes
table.
The ACE Appliance Device Manager applies all changes to the virtual contexts that use this resource
class.
Related Topics
•
Managing Resource Classes, page 4-35
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-40
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Managing Resource Classes
•
Adding Resource Classes, page 4-38
•
Modifying Resource Classes, page 4-40
•
Deleting Resource Classes, page 4-41
•
Viewing Resource Class Use on Virtual Contexts, page 4-41
Deleting Resource Classes
Note
This functionality is available for only Admin contexts.
Use this procedure to remove resource classes from the ACE Appliance Device Manager database.
Note
When you remove a resource class from the ACE Appliance Device Manager, any virtual contexts that
were associated with this resource class automatically become members of the default resource class.
The default resource class allocates a minimum of 0.00% to a maximum of 100.00% of all ACE
appliance resources to each context. You cannot modify the default resource class.
Because of the impact of resource class deletion on virtual contexts, we recommend that you view a
resource class’s current deployment before deleting it. See the “Viewing Resource Class Use on Virtual
Contexts” section on page 4-41.
Procedure
Step 1
Choose Config > Virtual Contexts > admin context > System > Resource Class.
The Resource Classes table appears.
Step 2
Choose the resource class you want to remove, and then click Delete.
A window appears, asking you to confirm the deletion.
Step 3
Click OK to continue deleting the resource class or click Cancel to keep the resource class.
The Resource Classes table refreshes with the updated information.
Related Topics
•
Managing Resource Classes, page 4-35
•
Adding Resource Classes, page 4-38
•
Modifying Resource Classes, page 4-40
•
Viewing Resource Class Use on Virtual Contexts, page 4-41
Viewing Resource Class Use on Virtual Contexts
Note
This functionality is available for only Admin contexts.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-41
Chapter 4
Configuring Virtual Contexts
Setting Resource Usage Thresholds to Receive SNMP Notifications
Use this procedure to view a list of all virtual contexts using a selected resource class.
Procedure
Step 1
Choose Config > Virtual Contexts > admin context > System > Resource Class.
The Resource Classes table lists the number of virtual contexts using each resource class in the second
column.
Step 2
Choose the resource class whose usage you want to view and then click Virtual Contexts.
The Virtual Contexts Using Resource Class table appears, listing the associated contexts.
Step 3
Click Cancel to return to the Resource Classes table.
Related Topics
•
Managing Resource Classes, page 4-35
•
Adding Resource Classes, page 4-38
•
Modifying Resource Classes, page 4-40
•
Deleting Resource Classes, page 4-41
•
Viewing Resource Class Use on Virtual Contexts, page 4-41
Setting Resource Usage Thresholds to Receive SNMP
Notifications
You can configure the ACE to issue SNMP traps and syslog messages when the resource usage by the
ACE or a specific context breaches the specified thresholds (high, low, and watermark) for monitored
resources listed in Table 4-11.
Table 4-11
Monitored Resources with the Virtual Context
Resources
Virtual Context
System bandwidth
Admin
System concurrent connections
Admin
System connection rate
Admin
System active SSL connections
Admin
Note
System CPU utilization
Admin
System memory utilization
Admin
Bandwidth
All
This resource option is not available with
the ACE NPE software version (see the
“Information About the ACE No Payload
Encryption Software Version” section on
page 1-2).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-42
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Setting Resource Usage Thresholds to Receive SNMP Notifications
Table 4-11
Monitored Resources with the Virtual Context
Resources
Virtual Context
Concurrent connections
All
Connection rate
All
For each resource, you can specify the high, low, and watermark thresholds, which operate as follows:
•
High—Indicates the highest value of the threshold defined. This value is configured as a percentage
between 1 to 100 and is represented as the highest percentage of the maximum number of allocated
resources. The ACE sends a notification/trap to the SNMP when the current resource usage exceeds
the highest threshold value.
•
Low—Indicates the lowest value of the threshold defined. This value is configured as a percentage
between 1 to 100 and is represented as the lowest percentage of the minimum number of allocated
resources. The ACE sends a notification/trap to the SNMP when the current resource usage is less
than the specified lowest threshold value.
Note
•
You cannot set a lower limit for active SSL connections, CPU utilization, and memory
utilization because there is no lower limit imposed on these resources.
Watermark—Indicates the defined watermark threshold. A watermark is configured as a percentage
between 1 to 100 and is represented as the percentage of the maximum and minimum allocated resource,
which operates as follows:
– High watermark—The ACE sends a Falling Watermark notification when the current resource
usage level exceeds the high watermark value.
– Low watermark—The ACE sends a Rising Watermark notification when the current resource usage
level is below the low watermark value.
Prerequisites
•
The context is configured for SNMP (see the “Configuring SNMP for Virtual Contexts” section on
page 4-19).
•
A resource class is configured and associated with the context (see the “Managing Resource
Classes” section on page 4-35).
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > Resource Usage Threshold.
The Resource Usage Threshold window appears.
Step 2
From the Resource Usage Threshold window, specify the high, low, and watermark percentages.
Enter the percentage values using the following guide:
1 <= Low < Watermark < High <= 100 (percent)
Decimal values are not allowed.
Step 3
Click Deploy Now.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-43
Chapter 4
Configuring Virtual Contexts
Setting Resource Usage Thresholds to Receive SNMP Notifications
Related Topics
•
Configuring the Resource Usage Threshold for Real Server, page 4-44
•
Configuring the Resource Usage Threshold for VIP, page 4-45
•
Configuring SNMP for Virtual Contexts, page 4-19
•
Managing Resource Classes, page 4-35
Configuring the Resource Usage Threshold for Real Server
You can configure the ACE to issue SNMP traps and syslog messages at the real server level for the
following monitored resources:
•
Bandwidth—Thresholds are applied to the aggregated bandwidth for a particular real server.
•
Concurrent connections—Thresholds are applied to the aggregated concurrent connections for a
particular real server.
•
Connection rate—Thresholds are applied to the aggregated connection rate for a particular real
server.
All the resources configured under the server farm are monitored at a particular real server level. For
each resource, you can specify the high, low, and watermark thresholds.
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > Resource Usage Threshold > Real Server
Threshold.
The Real Server Threshold table appears.
Step 2
Click Add to add a new real server threshold, or select a real server threshold you want to modify, and
then click Edit. The Real Server Threshold screen appears.
Step 3
In the Real Server Name field, enter the name of the real server that is associated with the selected
server farm.
Step 4
In the Server Farm Name field, enter the name of the server farm.
Step 5
For each resource, specify the high, low, and watermark percentages.
Enter the percentage values using the following guide:
1 <= Low < Watermark < High <= 100 (percent)
Decimal values are not allowed.
Step 6
Do one of the following:
•
Click Deploy Now.
•
Click Cancel to exit this procedure without saving your selection and to return to the Real Server
Threshold table.
•
Click Add Another to save your entries and to add another entry to the Real Server Threshold table.
The screen refreshes and you can select another Real Server Threshold option.
Related Topics
•
Configuring the Resource Usage Threshold for VIP, page 4-45
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-44
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Setting Resource Usage Thresholds to Receive SNMP Notifications
•
Configuring SNMP for Virtual Contexts, page 4-19
•
Managing Resource Classes, page 4-35
Configuring the Resource Usage Threshold for VIP
You can configure the ACE to issue SNMP traps and syslog messages for a VIP for the following
monitored resources:
•
Bandwidth—Thresholds are applied to the aggregated bandwidth for a particular VIP.
•
Concurrent connections—Thresholds are applied to the aggregated concurrent connections for a
particular VIP.
•
Connection rate—Thresholds are applied to the aggregated connection rate for a particular VIP.
For each resource, you can specify the high, low, and watermark thresholds.
Procedure
Step 1
Choose Config > Virtual Contexts > context > System > Resource Usage Threshold > VIP
Threshold.
The VIP Threshold table appears.
Step 2
Click Add to add a VIP threshold, or select a VIP threshold you want to modify, and then click Edit.
The VIP Threshold screen appears.
Step 3
In the VIP Address field, enter the virtual IP address.
Step 4
In the Class Map Name field, enter the name of the Layer 3/4 Network Traffic class map.
Step 5
In the Policy Map Name field, enter the name of the Layer 3/4 Network Traffic (Multi-Match) policy map.
Step 6
For each resource, specify the high, low, and watermark percentages.
Enter the percentage values using the following guide:
1 <= Low < Watermark < High <= 100 (percent)
Decimal values are not allowed.
Step 7
Do one of the following:
•
Click Deploy Now.
•
Click Cancel to exit this procedure without saving your selection and to return to the VIP table.
•
Click Add Another to save your entries and to add another entry to the VIP table. The screen
refreshes and you can select another VIP option.
Related Topics
•
Configuring the Resource Usage Threshold for Real Server, page 4-44
•
Configuring SNMP for Virtual Contexts, page 4-19
•
Managing Resource Classes, page 4-35
•
Configuring Virtual Context Policy Maps, page 12-34
•
Configuring Virtual Context Class Maps, page 12-8
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-45
Chapter 4
Configuring Virtual Contexts
Using the Configuration Checkpoint and Rollback Service
Using the Configuration Checkpoint and Rollback Service
At some point, you may want to modify your ACE running configuration. If you run into a problem with
the modified configuration, you may need to reboot your ACE. To prevent having to reboot your ACE
after unsuccessfully modifying a running configuration, you can create a checkpoint (a snapshot in time)
of a known stable running configuration before you begin to modify it. If you encounter a problem with
the modifications to the running configuration, you can roll back the configuration to the previous stable
configuration checkpoint.
Note
Before you upgrade your ACE software, we strongly recommend that you create a checkpoint in your
running configuration. For software release A4(1.0), use the backup function to create a backup of the
running configuration (see the “Performing Device Backup and Restore Functions” section on
page 4-49).
The ACE allows you to make a checkpoint configuration at the context level. The ACE stores the
checkpoint for each context in a hidden directory in Flash memory. If, after you make configuration
changes that modify the current running configuration, when you roll back the checkpoint, the ACE
causes the running configuration to revert to the checkpointed configuration.
This section includes the following topics:
•
Creating a Configuration Checkpoint, page 4-46
•
Deleting a Configuration Checkpoint, page 4-47
•
Rolling Back a Running Configuration, page 4-48
•
Comparing the Checkpoint with the Running Configuration, page 4-48
•
Displaying Checkpoint Information, page 4-49
Creating a Configuration Checkpoint
You can create a configuration checkpoint for a specific context. The ACE supports a maximum of
10 checkpoints for each context.
Assumption
This topic assumes the following:
•
Make sure that the current running configuration is stable and is the configuration that you want to
make as a checkpoint. If you change your mind after creating the checkpoint, you can delete it (see
the “Deleting a Configuration Checkpoint” section on page 4-47).
•
The ACE-Admin, DM-Admin, and Org-Admin predefined roles have access to the configuration
checkpoint function.
•
A custom role with the Device Manager Inventory and Virtual Context role tasks set to create or
modify has the required privileges to create a configuration checkpoint.
•
A checkpoint will not include the SSL keys/certificates, probe scripts, and licenses.
•
This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the
ssh key rsa 1024 force command is applied on the appliance.
•
Adding a checkpoint from an ACE context directly will not trigger an autosynchronization on the
ACE Appliance Device Manager for that context.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-46
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Using the Configuration Checkpoint and Rollback Service
Procedure
Step 1
Choose Config > Virtual Contexts > admin context > System > Checkpoints.
The Checkpoints table appears.
For descriptions of the checkpoints, see Table 4-12.
Table 4-12
Step 2
Checkpoints Table
Field
Description
Name
Unique identifier of the checkpoint.
Size (In Bytes)
Size of the configuration checkpoint, shown in bytes.
Date (Created On)
Date that the configuration checkpoint was created.
In the Checkpoints table, click Create Checkpoint.
The Create Checkpoint dialog box appears.
Step 3
In the Checkpoint Name field of the Create Checkpoint dialog box, specify a unique identifier for the
checkpoint.
Enter a text string with no spaces and a maximum of 25 alphanumeric characters.
If the checkpoint already exists, you are prompted to use a different name.
Step 4
Do one of the following:
•
Click OK to save your configuration checkpoint. You return to the Checkpoints table and the new
checkpoint appears in the table.
•
Click Cancel to exit the procedure without saving the configuration checkpoint and to return to the
Checkpoints table.
Deleting a Configuration Checkpoint
You can delete a checkpoint. Deleting a checkpoint from an ACE context directly will not trigger an
autosynchronization to occur on the ACE Appliance Device Manager for that context.
Prerequisite
Before you perform this procedure, make sure that you want to delete the checkpoint. Once you click
the Trash icon, the ACE removes the checkpoint from Flash memory.
This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the ssh
key rsa 1024 force command is applied on the appliance.
Procedure
Step 1
To choose a virtual context that you want to create a configuration checkpoint, choose Config > Virtual
Contexts > admin context > System > Checkpoints.
The Checkpoints table appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-47
Chapter 4
Configuring Virtual Contexts
Using the Configuration Checkpoint and Rollback Service
Step 2
In the Checkpoints table, choose the radio button to the left of any table entry, and click the Trash icon
to delete the checkpoint.
Rolling Back a Running Configuration
You can roll back the current running configuration of a context to the previously checkpointed running
configuration.
Note
This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the ssh
key rsa 1024 force command is applied on the appliance.
Procedure
Step 1
Choose Config > Virtual Contexts > admin context > System > Checkpoints.
The Checkpoints table appears.
Step 2
Choose the radio button to the left of the checkpoint that you wish to roll back, and click Rollback.
The ACE Appliance Device Manager displays a confirmation popup window to warn you about this
change and to instruct you that the rollback operation may take longer depending on the differences
detected between the two configurations.
Note
The ACE Appliance Device Manager synchronizes the device after performing a rollback. This
synchronization may take some time.
Comparing the Checkpoint with the Running Configuration
You can compare an existing checkpoint with the running configuration.
Procedure
Step 1
Choose Config > Virtual Contexts > admin context > System > Checkpoints.
The Checkpoints table appears.
Step 2
In the Checkpoints table, choose the radio button to the left of the checkpoint that you want to compare,
and click Compare.
The ACE Appliance Device Manager uses the ACE compare checkpoint_name CLI command to
compare the running configuration of the specified checkpoint.
If the checkpoint configuration is the same as the running-config, the output of this command is as
follows:
Checkpoint config is same as running config
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-48
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Performing Device Backup and Restore Functions
If the checkpoint configuration is different from the running-config, the output will be the difference
between the two configurations. The items in red are in the current running configuration and will be
removed. The items in green are not in the current running configuration and will be added.
Step 3
Click Close to exit the dialog box and return to the Checkpoints table.
Displaying Checkpoint Information
You can display checkpoint information.
Procedure
Step 1
Choose Config > Virtual Contexts > admin context > System > Checkpoints.
The Checkpoints table appears.
Step 2
In the Checkpoints table, choose the radio button to the left of the checkpoint that you want to display,
and click Details.
The ACE Appliance Device Manager uses the ACE show checkpoint detail {name} CLI command to
display the running configuration of the specified checkpoint.
Step 3
Click Close to exit the dialog box and return to the Checkpoints table.
Performing Device Backup and Restore Functions
The backup and restore functions allow you to back up or restore the configuration and dependencies of
an entire ACE or of a particular virtual context. Configuration dependencies are those files that are
required to exist on the ACE so that a configuration can be applied to it. Such files include
health-monitoring scripts, SSL certificates, SSL keys, and so on.
Note
This section includes information about backing up and restoring SSL files, which is not applicable with
the ACE NPE software version (see the “Information About the ACE No Payload Encryption Software
Version” section on page 1-2).
This feature allows you to back up and restore the following configuration files and dependencies:
•
Running-configuration files
•
Startup-configuration files
•
Checkpoints
•
SSL files (SSL certificates and keys)
•
Health-monitoring scripts
•
Licenses
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-49
Chapter 4
Configuring Virtual Contexts
Performing Device Backup and Restore Functions
Note
The backup feature does not back up the sample SSL certificate and key pair files.
Typical uses for this feature are as follows:
•
Back up a configuration for later use
•
Recover a configuration that was lost because of a software failure or user error
•
Restore configuration files to a new ACE when a hardware failure resulted in a Return Merchandise
Authorization (RMA) of the old ACE
•
Transfer the configuration files to a different ACE
The backup and restore functions are supported in both the Admin and virtual contexts. If you perform
these functions in the Admin context, you can back up or restore the configuration files for either the
Admin context only or for all contexts in the ACE. If you perform these functions in a virtual context,
you can back up or restore the configuration files only for that context. Both the backup and the restore
functions run asynchronously (in the background).
Archive Naming Conventions
Context archive files have the following naming convention format:
Hostname_ctxname_timestamp.tgz
The filename fields are as follows:
– Hostname—Name of the ACE. If the hostname contains special characters, the ACE uses the
default hostname “switch” in the filename. For example, if the hostname is Active@~!#$%^,
then the ACE assigns the following filename: switch_Admin_2009_08_30_15_45_17.tgz
– ctxname—Name of the context. If the context name contains special characters, the ACE uses
the default context name “context” in the filename. For example, if the context name is
Test!123*, then the ACE assigns the following filename:
switch_context_2009_08_30_15_45_17.tgz
– timestamp—Date and time that the ACE created the file. The time stamp has the following
24 hour format: YYYY_MM_DD_hh_mm_ss
An example is as follows:
ACE-1_ctx1_2009_05_06_15_24_57.tgz
If you back up the entire ACE, the archive filename does not include the ctxname field. So, the format
is as follows:
Hostname_timestamp.tgz
An example is as follows:
ACE-1_2009_05_06_15_24_57.tgz
Archive Directory Structure and Filenames
The ACE uses a flat directory structure for the backup archive. The ACE provides file extensions for the
individual files that it backs up so that you can identify the types of files easily when restoring an
archive. All files are stored in a single directory that is tarred and GZIPed as follows:
ACE-1_Ctx1_2009_05_06_07_24_57.tgz
ACE-1_Ctx1_2009_05_06_07_24_57\
context_name-running
context_name-startup
context_name-chkpt_name.chkpt
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-50
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Performing Device Backup and Restore Functions
context_name-cert_name.cert
context_name-key_name.key
context_name-script_name.tcl
context_name-license_name.lic
Guidelines and Limitations
The backup and restore functions have the following configuration guidelines and limitations:
•
This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the
ssh key rsa 1024 force command is applied on the appliance.
•
Store the backup archive on disk0: in the context of the ACE where you intend to restore the files.
Use the Admin context for a full backup and the corresponding context for user contexts.
•
When you back up the running-configuration file, the ACE uses the output of the show
running-configuration CLI command as the basis for the archive file.
•
The ACE backs up only exportable certificates and keys.
•
License files are backed up only when you back up the Admin context.
•
Use a pass phrase to back up SSL keys in encrypted form. Remember the pass phrase or write it
down and store it in a safe location. When you restore the encrypted keys, the ACE prompts you for
the pass phrase to decrypt the keys. If you do not use a pass phrase when you back up the SSL keys,
the ACE restores the keys with AES-256 encryption using OpenSSL software.
•
Only probe scripts that reside in disk0: need to be backed up. The prepackaged probe scripts in the
probe: directory are always available. When you perform a backup, the ACE automatically
identifies and backs up the scripts in disk0: that are required by the configuration.
•
The ACE does not resolve any other dependencies required by the configuration during a backup
except for scripts that reside in disk0:. For example, if you configured SSL certificates in an SSL
proxy in the running-configuration file, but you later deleted the certificates, the backup proceeds
anyway as if the certificates still existed.
•
To perform a restore operation, you must have the admin RBAC feature in your user role. DM-admin
and ORG-admin have access to this feature by default. Custom roles with the Device Manager
Inventory and Virtual Context role tasks set to create or modify can also access this feature.
•
When you instruct the ACE to restore the archive for the entire ACE, it restores the Admin context
completely first, and then it restores the other contexts. The ACE restores all dependencies before
it restores the running configuration. The order in which the ACE restores dependencies is as
follows:
– License files
– SSL certificates and key files
– Health-monitoring scripts
– Checkpoints
– Startup-configuration file
– Running-configuration file
•
When you restore the ACE, previously installed license files are uninstalled and the license files in
the backup file are installed in their place.
•
In a redundant configuration, if the archive that you want to restore is different from the peer
configurations in the FT group, redundancy may not operate properly after the restore.
•
You can restore a single context from a full backup archive provided that you do the following:
– You execute the restore operation in the context that you want to restore
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-51
Chapter 4
Configuring Virtual Contexts
Performing Device Backup and Restore Functions
– All files dependencies for the context exist in the full backup archive
•
To enable the ACE Device Manager to synchronize the CLI after a successful restore, do not
navigate from the Backup / Restore page until the Latest Restore status changes from In Progress to
Success. If you navigate to another page before the restore process is complete, the CLI will not
synchronize until you return to the Backup / Restore page or until the automatic or manual CLI CLI
synchronization occurs.
Defaults
Table 4-13 lists the default settings for the backup and restore function parameters.
Table 4-13
Default Backup and Restore Parameters
Parameter
Default
Backed up files
By default the ACE backs up the following files in the current context:
SSL key restore encryption
•
Running-configuration file
•
Startup-configuration file
•
Checkpoints
•
SSL certificates
•
SSL keys
•
Health-monitoring scripts
•
Licenses
None
This section includes the following topics:
•
Backing Up Device Configuration and Dependencies, page 4-52
•
Restoring Device Configuration and Dependencies, page 4-55
Backing Up Device Configuration and Dependencies
You can create a backup of an ACE configuration and its dependencies.
Note
When you perform the backup process from the Admin context, you can either back up the Admin
context files only or you can back up the Admin context and all user contexts. When you back up from
a user context, you back up the current context files only and cannot back up the ACE licenses.
Note
If your web browser supports the Remember Passwords option and you enable this option, the web
browser may fill in the Username and Password fields for user authentication. By default, these fields
should be empty. You can change the username and password fields from whatever the web browser
inserts into the two fields.
Procedure
Step 1
Choose Config > Virtual Contexts > System > Backup / Restore.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-52
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Performing Device Backup and Restore Functions
The Backup / Restore table appears and displays the latest backup and restore statistics.
Note
To refresh the table content at any time, click Poll Now.
Note
When you choose the Backup / Restore operation, the Appliance Device Manager must poll a
context if that context has not been accessed previously for this operation. The polling operation,
which is necessary to obtain the latest backup and restore information, can cause a delay in the
display time of the Backup / Restore table.
The Backup / Restore fields are described in Table 4-14.
Table 4-14
Backup / Restore Fields
Field
Description
Latest Backup
Backup Archive
Name of the last *.tgz file created that contains the backup files.
Type
Type of backup: Context or Full (all contexts).
Start-time
Date and time that the last backup began.
Finished-time
Date and time that the last backup ended.
Status
Status of the last context to be backed up: Success, In Progress, or Failed. Click the status link to
view status details.
Current vc
Name of the last context in the backup process.
Completed
Number of context backups completed compared to the total number of context backup requests.
For example:
•
2/2 = Two context backups completed/Two context backups requested
•
0/1 = No context backup completed/One context backup requested
Latest Restore
Backup Archive
Name of the *.tgz file used in during the restore process.
Type
Type of restore: Context or Full (all contexts).
Start-time
Date and time that the last restore began.
Finished-time
Date and time that the last restore ended.
Status
Status of the last restore: Success, In Progress, or Failed. Click the status to view status details.
Current vc
Name of the last context in the restore process.
Completed
Number of context restores completed compared to the total number of context restore requests.
For example:
Step 2
•
2/2 = Two context restores completed/Two context restores requested
•
0/1 = No context restore completed/One context restore requested
Click Backup.
The Backup window appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-53
Chapter 4
Configuring Virtual Contexts
Performing Device Backup and Restore Functions
Step 3
Step 4
Step 5
In the Backup window, click the radio button of the location where the ACE is to save the backup files:
•
Backup config on ACE (disk0:)—This is the default. Go to Step 9.
•
Backup config on ACE (disk0:) and then copy to remote system—The Remote System attributes
step appears. Go to Step 4.
Click the radio button of the transfer protocol to use:
•
FTP—File Transfer Protocol
•
SFTP—Secure File Transfer Protocol
•
TFTP—Trivial File Transfer Protocol
In the Username field, enter the username that the remote server requires for user authentication.
This field appears for FTP and SFTP only.
Step 6
In the Password field, enter the password that the remote server requires for user authentication.
This field appears for FTP and SFTP only.
Step 7
In the IP Address field, enter the IP address of the remote server.
Step 8
In the Backup File Path in Remote System field, enter the full path for the remote server.
Step 9
Check the Backup All Contexts check box if you want the ACE to create a backup that contains the
files of the Admin context and every user context or uncheck the check box to create a backup of the
Admin context files only.
This field appears for the Admin context only.
Step 10
Indicate the components to exclude from the backup process: Checkpoints or SSL Files.
Note
The SSL Files option is not available for the ACE NPE software version (see the “Information
About the ACE No Payload Encryption Software Version” section on page 1-2).
To exclude a component, double-click on it in the Available box to move it to the Selected box. You can
also use the right and left arrows to move selected items between the two boxes.
Caution
Step 11
If you exclude the SSL Files component and then restore the ACE using this archived backup,
these files are removed from the ACE. To save these files prior to performing a restore with
this backup, use the crypto export CLI command to export the keys to a remote server and
use the copy CLI command to copy the license files to disk0: as .tar files.
In the Pass Phrase field, enter the pass phrase that you specify to encrypt the backed up SSL keys.
Note
This field is not available with the ACE NPE software version (see the “Information About the
ACE No Payload Encryption Software Version” section on page 1-2).
Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric
characters. If you enter a pass phrase but exclude the SSL files from the archive, the ACE does not use
the pass phrase.
Step 12
Click OK to begin the backup process.
The following actions occur depending on where the ACE Device Manager saves the files:
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-54
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Performing Device Backup and Restore Functions
Step 13
•
disk0: only—The Device Manager permits continued GUI functionality during the backup process
and polls the ACE for the backup status, which it displays on the Backup / Restore page.
•
disk0: and a remote server—The Device Manager suspends GUI operation and displays a “Please
Wait” message in the Backup dialog box until the process is complete. During this process, the ACE
Device Manager instructs the ACE to create and save the backup file locally to disk0: and then place
a copy of the file on the specified remote server.
In the Backup / Restore page, click Poll Now to ensure that the latest backup statistics are displayed, and
then click on the Status link (Success, In Progress, or Failed) located in the Latest Backup column to
view details of the backup operation.
If the backup status is either Success or In Progress, then the Show Backup Status Detail pop-up window
appears and displays a list of the files successfully backed up. When the backup status is In Progress,
the ACE Device Manager polls the ACE every 2 minutes to retrieve the latest status information and
then it automatically updates the status information displayed. The polling continues until the ACE
Device Manager receives a status of either Success or Failed. If the backup status is Failed, then the
Show Backup Errors popup window appears, displaying the reason for the failed backup attempt.
Related Topics
•
Restoring Device Configuration and Dependencies, page 4-55
Restoring Device Configuration and Dependencies
You can restore an ACE configuration and its dependencies using a backup file.
Caution
The restore operation clears any existing SSL certificate and key-pair files, license files, and checkpoints
in a context before it restores the backup archive file. If your configuration includes SSL files or
checkpoints and you excluded them when you created the backup archive, those files will no longer exist
in the context after you restore the backup archive. To preserve any existing exportable SSL certificate
and key files in the context, before you execute the restore operation, export the certificates and keys
that you want to keep to an FTP, SFTP, or TFTP server by using the CLI and the crypto export
command. After you restore the archive, import the SSL files into the context. For details on exporting
and importing SSL certificate and key pair files using the CLI, see the SSL Guide, Cisco ACE
Application Control Engine.
You can also use the exclude option of the restore command to instruct the ACE not to clear the SSL
files in disk0: and to ignore the SSL files in the backup archive when the ACE restores the backup.
Ignore this Caution if the ACE is using the NPE software version, which does not allow encryption
protocols (see the “Information About the ACE No Payload Encryption Software Version” section on
page 1-2)
Note
If your web browser supports the Remember Passwords option and you enable this option, the web
browser may fill in the Username and Password fields for user authentication. By default, these fields
should be empty. You can change the username and password fields from whatever the web browser
inserts into the two fields.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-55
Chapter 4
Configuring Virtual Contexts
Performing Device Backup and Restore Functions
Prerequisites
If you are going to restore the Admin context files plus all user context files, use a backup file that was
created from the Admin context with the Backup All Contexts check box checked (see the “Backing Up
Device Configuration and Dependencies” section on page 4-52).
Procedure
Step 1
Choose Config > Virtual Contexts > System > Backup / Restore.
The Backup / Restore table appears.
Note
To refresh the table content at any time, click Poll Now.
Note
When you perform the restore process from the Admin context, you can either restore the Admin
context files only or you can restore the Admin context files plus all user context files. When
you perform the restore process from a user context, you can restore the current context files
only.
The Backup / Restore fields are described in Table 4-14.
Step 2
Click Restore.
The Restore window appears.
Note
Step 3
Step 4
Step 5
The display of the Restore window may be delayed because the Device Manager is retrieving
the list of the disk0: archive (*.tgz) files.
In the Restore window, click the desired radio button to specify the location where the backup files are
located saved:
•
Choose a backup file on the ACE (disk0:)—This is the default. Go to Step 9.
•
Choose a backup file from remote system—The Remote System attributes step appears. Go to
Step 4.
Click the radio button of the transfer protocol to use:
•
FTP—File Transfer Protocol
•
SFTP—Secure File Transfer Protocol
•
TFTP—Trivial File Transfer Protocol
In the Username field, enter the username that the remote file system requires for user authentication.
This field appears for FTP and SFTP only.
Step 6
In the Password field, enter the password that the remote file system requires for user authentication.
This field appears for FTP and SFTP only.
Step 7
In the IP Address field, enter the IP address of the remote server.
Step 8
In the Backup File Path in Remote System field, enter the full path of the backup file, including the
backup filename, to be copied from the remote server.
Step 9
Check the Restore All Contexts check box if you want the ACE to restore the files for every context or
uncheck the check box to restore the Admin context files only.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-56
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Performing Device Backup and Restore Functions
This field appears for the Admin context only.
Step 10
Check the Exclude SSL Files check box if you want to preserver the SSL files currently loaded on the
ACE and not use the backup file’s SSL files.
Note
Caution
Step 11
This check box is not available with the ACE NPE software version (see the “Information About
the ACE No Payload Encryption Software Version” section on page 1-2).
The restore function deletes all SSL files currently loaded on the ACE unless you check the
Exclude SSL Files option. If you do not check this option, the restore functions loads the SSL
files included in the backup file. If the backup files does not include SSL files, the ACE will
not have any SSL files loaded on it when the restore process is complete. You will then need
to import copies of the SSL files from a remote server.
In the Pass Phrase field, enter the pass phrase that is used to encrypt the backed up SSL keys in the
archive.
Note
This field is not available with the ACE NPE software version (see the “Information About the
ACE No Payload Encryption Software Version” section on page 1-2).
Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric
characters. The Pass Phrase field does not appear when you check the Exclude SSL Files check box.
Step 12
Click OK to begin the restore process.
The following actions occur depending on where the ACE Device Manager retrieves the backup files:
•
disk0: only—The ACE Device Manager permits continued GUI functionality during the restore
process and polls the ACE for the backup status, which it displays on the Backup / Restore page.
Note
•
Step 13
To enable the Device Manager to synchronize the CLI after a successful restore, do not navigate
from the Backup / Restore window until the Latest Restore status changes from In Progress to
Success. If you navigate to another window before the restore process is complete, the CLI will
not synchronize until you return to the Backup / Restore window or until the automatic or
manual CLI synchronization occurs.
disk0: and a remote server—The ACE Device Manager suspends GUI operation and displays a
“Please Wait” message in the Restore dialog box until the process is complete. During this process,
the ACE Device Manager instructs the ACE to copy the backup file from the specified remote server
to disk0: on the ACE and then apply the backup file to the context.
In the Backup / Restore page, click Poll Now to ensure that the latest restore statistics are displayed, and
then click on the Status link (Success, In Progress, or Failed) located in the Latest Backup column to
view details of the restore operation.
If the restore status is either Success or In Progress, then the Show Restore Status Detail popup window
appears and displays a list of the files successfully restored. When the restore status is In Progress, the
ACE Device Manager polls the ACE every 2 minutes to retrieve the latest status information and then it
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-57
Chapter 4
Configuring Virtual Contexts
Configuring Security with ACLs
automatically updates the status information displayed. The polling continues until the ACE Device
Manager receives a status of either Success or Failed. If the restored status is Failed, then the Show
Restored Errors popup window appears, displaying the reason for the failed restore attempt.
Related Topics
•
Performing Device Backup and Restore Functions, page 4-49
Configuring Security with ACLs
An ACL (access control list) consists of a series of statements called ACL entries that collectively define
the network traffic profile. Each entry permits or denies network traffic (inbound and outbound) to the
parts of your network specified in the entry. Besides an action element (“permit” or “deny”), each entry
also contains a filter element based on criteria such as source address, destination address, protocol, or
protocol-specific parameters. An implicit “deny all” entry exists at the end of every ACL, so you must
configure an ACL on every interface where you want to permit connections. Otherwise, the ACE denies
all traffic on the interface.
ACLs provide basic security for your network by allowing you to control network connection setups
rather than processing each packet. Such ACLs are commonly referred to as security ACLs.
You can configure ACLs as parts of other features; for example, security, network address translation
(NAT), or server load balancing (SLB). The ACE merges these individual ACLs into one large ACL
called a merged ACL. The ACL compiler then parses the merged ACL and generates the ACL lookup
mechanisms. A match on this merged ACL can result in multiple actions. You can add, modify, or delete
entries to an ACL already in the summary table, or add a new ACL to the list.
When you use ACLs, you may want to permit all e-mail traffic on a circuit, but block FTP traffic. You
can also use ACLs to allow one client to access a part of the network and prevent another client from
accessing that same area.
When configuring ACLs, you must apply an ACL to an interface to control traffic on that interface.
Applying an ACL on an interface assigns the ACL and its entries to that interface.
You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can
also apply the same ACL on multiple interfaces.You can apply EtherType ACLs in only the inbound
direction and on only Layer 2 interfaces.
Note
By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly
allowed in an ACL can pass. All other traffic is denied.
This section contains the following topics:
•
Creating ACLs, page 4-59
•
Setting EtherType ACL Attributes, page 4-67
•
Setting Extended ACL Attributes, page 4-61
•
Resequencing Extended ACLs, page 4-66
•
Viewing All ACLs by Context, page 4-68
•
Editing or Deleting ACLs, page 4-69
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-58
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Security with ACLs
Creating ACLs
Note
By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly
allowed in an ACL can pass. All other traffic is denied.
Use this procedure to create, modify, or delete ACLs.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Security > ACLs.
The ACL summary table appears, listing the existing ACLs. ACL summary fields are described in
Table 4-15.
Table 4-15
ACL Summary Table
Field
Description
Name
Enter a unique identifier for the ACL. Valid entries are unquoted text strings
with a maximum of 64 alphanumeric characters.
Type
Specifies the type of ACL:
IP Address Type
•
Extended—This ACL allows you to specify both the source and the
destination IP addresses of traffic as well as the protocol and the action
to be taken. For more information, see the “Setting Extended ACL
Attributes” section on page 4-61.
•
Ethertype—This ACL controls network access for non-IP traffic based
on its EtherType. An EtherType is a sub-protocol identifier. For more
information, see the “Setting EtherType ACL Attributes” section on
page 4-67.
Specifies the type of IP address:
•
IPv4—This ACL controls network access for IPv4 traffic.
•
IPv6—This ACL controls network access for IPv6 traffic.
# (Line Number)
ACL line number for extended type ACL entries.
Action
Action to be taken (permit/deny).
Protocol
Protocol number or service object group to apply to this ACL entry.
Source
Source IPv6 or IPv4 address or source network object group (if configured)
that is being applied to this ACL entry.
Destination
Destination IPv6 or IPv4 address or destination network object group (if
configured) that is applied to this ACL entry.
ICMP
Indicates whether or not this ACL uses ICMP (Internet Control Message
Protocol). For more information, see the “Table 4-18Protocol Names and
Numbers” section on page 4-64.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-59
Chapter 4
Configuring Virtual Contexts
Configuring Security with ACLs
Table 4-15
Step 2
Step 3
ACL Summary Table (continued)
Field
Description
Interface
VLAN interface(s) that is/are associated with this ACL, for example
in4,5:4out where, in denotes the input direction, out denotes the output
direction.
Remark
Enter any comments you want to include for this ACL. Valid entries are
unquoted text strings with a maximum of 100 characters. You can enter
leading spaces at the beginning of the text or special characters. Trailing
spaces are ignored.
From the summary table, do one of the following:
•
To view full details of an ACL inline, click the plus sign to the left of any table entry.
•
To create an ACL, click the Add icon. The New Access List screen appears (go to Step 3).
•
To modify an ACL, select the radio button to the left of any table entry, and then click the Edit icon.
The Edit ACL or Edit ACL entry screen appears based on the selected radio button to the left of any
table entry (go to Step 3).
•
To delete an ACL, select the radio button to the left of any table entry, and then click the Delete icon.
Add or edit required fields as described in Table 4-16.
Table 4-16
ACL Configuration Attributes
Field
Description
ACL Properties
Includes name, type (Extended, Ethertype), IP address type (IPv6 andIPv4),
and remarks. For more information, see the “Table 4-15ACL Summary
Table” task on page 4-59.
ACL Entries
Entry Attributes
Includes line number, action (Permit, Deny), protocol or service object
group, and associated drop down descriptor menu. For more information for
these attributes, see the “Setting Extended ACL Attributes” section on
page 4-61 or “Setting EtherType ACL Attributes” section on page 4-67.
Source
(Extended type ACL only) Source IPv6 address and prefix length, IPv4
address and netmask with port number (if configured), or network object
group (if configured) that is being applied to this ACL entry. For more
information see the “Setting Extended ACL Attributes” section on
page 4-61.
Destination
(Extended type ACL only) Destination IPv6 address and prefix length, IPv4
address and netmask with port number (if configured), or network object
group (if configured) that is being applied to this ACL entry. For more
information see the “Setting Extended ACL Attributes” section on
page 4-61.
Add To Table button
Used to add multiple ACL entries, adding one at a time using this button,
before clicking Deploy. In the past only one entry could be added at a time
in a two-step process hopping between two different locations in the UI.
Remove From Table
button
Used to remove multiple ACL entries, removing one at a time using this
button, before clicking Deploy.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-60
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Security with ACLs
Table 4-16
ACL Configuration Attributes (continued)
Field
Description
Interfaces
Allows you to associate the ACL with one or more interfaces allowing only
one input and one output ACL for each interface. The top left check box
under the Interfaces section allows you to select and apply to all interfaces
Currently Assigned
“access-group input.”
(ACL:Direction)
Input/Output
Direction
•
•
Note
Step 4
To add, modify, or delete Object Groups, see the “Configuring Object Groups” section on
page 4-70.
Do one of the following:
•
Click Deploy to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries and to return to the ACLs table.
Related Topics
•
Configuring Security with ACLs, page 4-58
•
Setting EtherType ACL Attributes, page 4-67
•
Setting Extended ACL Attributes, page 4-61
•
Resequencing Extended ACLs, page 4-66
•
Editing or Deleting ACLs, page 4-69
Setting Extended ACL Attributes
Note
By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly
allowed in an ACL can pass. All other traffic is denied.
An extended ACL allows you to specify both the source and the destination IP addresses of traffic as
well as the protocol and the action to be taken.
For TCP, UDP, and ICMP connections, you do not need to also apply an ACL on the destination interface
to allow returning traffic, because the ACE allows all returning traffic for established connections.
Note
The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the
destination address as any and do not specify the ports in an extended ACL.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Security > ACLs.
The ACLs table appears, listing the existing ACLs.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-61
Chapter 4
Configuring Virtual Contexts
Configuring Security with ACLs
Step 2
Click Add. The New Access List configuration screen appears.
Step 3
Enter the ACL name in the ACL Properties pane and choose the type as Extended.
Choose the IP Address Type as either IPV6 or IPv4.
Step 4
Table 4-17
Configure extended ACL entries using the information in Table 4-17.
Extended ACL Configuration Options
Field
Description
Entry Attributes
Line Number
Enter a number that specifies the position of this entry in the ACL. The position of an entry
affects the lookup order of the entries in an ACL. To change the sequence of existing extended
ACLs, see the “Resequencing Extended ACLs” section on page 4-66.
Action
Action to be taken (permit/deny).
Service Object Group
Select a service object group to apply to this ACL.
Protocol
Select the protocol or protocol number to apply to this ACL entry. Table 4-18 lists common
protocol names and numbers.
ICMP Type
Select the ICMP type or number for this protocol.
Message Code Operator
Message Code
•
Table 4-19 lists common ICMP types and numbers, per RFC 792.
•
Table 4-20 lists the common ICMPv6 types and associated numbers, per RFC 4443.
Choose the operand to use when comparing message codes for this service object:
•
Equal To—The message code must be the same as the number in the Message Code field.
•
Greater Than—The message code must be greater than the number in the Message Code
field.
•
Less Than—The message code must be less than the number in the Message Code field.
•
Not Equal To—The message code must not equal the number in the Message Code field.
•
Range—The message code must be within the range of codes specified by the Min.
Message Code field and the Max. Message Code field.
This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the
Message Code Operator field.
Enter the ICMP message code for this service object.
Min. Message Code
This field appears if you select Range in the Message Code Operator field.
Enter the number that is the beginning value for a range of services for this service object.
Valid entries are integers from 0 to 255. The number in this field must be less than the number
entered in the Max. Message Code field.
Max. Message Code
This field appears if you select Range in the Message Code Operator field.
Enter the number that is the ending value for a range of services for this service object. Valid
entries are integers from 0 to 255. The number in this field must be greater than the number
entered in the Min. Message Code field.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-62
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Security with ACLs
Table 4-17
Extended ACL Configuration Options (continued)
Field
Description
Source
Source Network
Source Port Operator
Defines the network traffic being received from the source network to the ACE:
•
Any—Select the Any radio button to indicate that network traffic from any source is
allowed.
•
IP/Netmask—(IPv4 address type) Use this field to limit access to a specific source IP
address. Enter the source IPv4 address that is allowed for this ACL and select its subnet
mask.
•
IP/Prefix-length—(IPv6 address type) Use this field to limit access to a specific source IP
address. Enter the source IPv6 address that is allowed for this ACL and its prefix length.
•
Network Object Group—Select a source network object group to apply to this ACL.
This field appears if you select TCP or UPD in the Protocol field.
Choose the operand to use to compare source port numbers:
Source Port Number
•
Equal To—The source port must be the same as the number in the Source Port Number
field.
•
Greater Than—The source port must be greater than the number in the Source Port
Number field.
•
Less Than—The source port must be less than the number in the Source Port Number
field.
•
Not Equal To—The source port must not equal the number in the Source Port Number
field.
•
Range—The source port must be within the range of ports specified by the Lower Source
Port Number field and the Upper Source Port Number field.
This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the
Source Port Operator field.
Enter the port name or number from which you want to permit or deny access.
Lower Source Port Number
This field appears if you select Range in the Source Port Operator field.
Enter the number of the lowest port from which you want to permit or deny access. Valid
entries are integers from 0 to 65535. The number in this field must be less than the number
entered in the Upper Source Port Number field.
Upper Source Port Number
This field appears if you select Range in the Source Port Operator field.
Enter the port number of the upper port from which you want to permit or deny access. Valid
entries are integers from 0 to 65535. The number in this field must be greater than the number
entered in the Lower Source Port Number field.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-63
Chapter 4
Configuring Virtual Contexts
Configuring Security with ACLs
Table 4-17
Extended ACL Configuration Options (continued)
Field
Description
Destination
Destination Network
Defines the network traffic being transmitted to the destination network from the ACE:
Destination Port Operator
•
Any—Select the Any radio button to indicate that network traffic to any destination is
allowed.
•
IP/Netmask—(IPv4 address type) Use this field to limit access to a specific destination IP
address. Enter the destination IPv4 address that is allowed for this ACL and select its
subnet mask.
•
IP/Prefix-length—(IPv6 address type) Use this field to limit access to a specific
destination IP address. Enter the destination IPv6 address that is allowed for this ACL and
its prefix length.
•
Network Object Group—Select a destination network object group to apply to this ACL.
This field appears if you select TCP or UPD in the Protocol field.
Select the operand to use to compare destination port numbers:
Destination Port Number
•
Equal To—The destination port must be the same as the number in the Destination Port
Number field.
•
Greater Than—The destination port must be greater than the number in the Destination
Port Number field.
•
Less Than—The destination port must be less than the number in the Destination Port
Number field.
•
Not Equal To—The destination port must not equal the number in the Destination Port
Number field.
•
Range—The destination port must be within the range of ports specified by the Lower
Destination Port Number field and the Upper Destination Port Number field.
This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the
Destination Port Operator field.
Enter the port name or number from which you want to permit or deny access.
Lower Destination Port
Number
This field appears if you select Range in the Destination Port Operator field.
Upper Destination Port
Number
This field appears if you select Range in the Destination Port Operator field.
Enter the number of the lowest port to which you want to permit or deny access. Valid entries
are integers from 0 to 65535. The number in this field must be less than the number entered
in the Upper Destination Port Number field.
Enter the port number of the upper port to which you want to permit or deny access. Valid
entries are integers from 0 to 65535. The number in this field must be greater than the number
entered in the Lower Destination Port Number field.
Table 4-18
Protocol Names and Numbers
Protocol Name1
Protocol Number
Description
AH
51
Authentication Header
EIGRP
88
Enhanced IGRP
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-64
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Security with ACLs
Table 4-18
Protocol Names and Numbers (continued)
Protocol Name1
Protocol Number
Description
ESP
50
Encapsulated Security Payload
GRE
47
Generic Routing Encapsulation
1
Internet Control Message Protocol version 4
58
Internet Control Message Protocol version 6
IGMP
2
Internet Group Management Protocol
IP
0 (Any)
Internet Protocol
IP-In-IP
4
IP-in-IP Layer 3 Tunneling Protocol
OSPF
89
Open Shortest Path First
PIM
103
Protocol Independent Multicast
TCP
6
Transmission Control Protocol
UDP
17
User Datagram Protocol
ICMP
ICMPv6
2
1. For a complete list of all protocols and their numbers, see the Internet Assigned Numbers Authority available at
www.iana.org/numbers/.
2. ICMPv6 is not available for an IPv4 service object group.
Table 4-19
ICMP Type Names and Numbers
ICMP Type Name
Number
Alternate-Address
6
Conversion-Error
31
Echo
8
Echo-Reply
0
Information-Reply
16
Information-Request
15
Mask-Reply
18
Mask-Request
17
Mobile-Redirect
32
Parameter-Problem
12
Redirect
5
Router-Advertisement
9
Router-Solicitation
10
Source-Quench
4
Time-Exceeded
11
Timestamp-Reply
14
Timestamp-Request
13
Traceroute
30
Unreachable
3
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-65
Chapter 4
Configuring Virtual Contexts
Configuring Security with ACLs
Table 4-20
Step 5
ICMPv6 Type Names and Numbers
ICMP Type Name
Number
Echo
128
Echo-Reply
129
Information-Reply
140
Information-Request
139
Parameter-Problem
4
Redirect
137
Time-Exceeded
3
Traceroute
30
Unreachable
1
Click Add To Table if you want to add one or more ACL entries to the table.
See Step 4 for information on configuring the extended ACL entries.
Step 6
Associate any VLAN interface to this ACL if required and do one of the following:
•
Click Deploy to immediately deploy this configuration.
•
Click Cancel to exit without saving your entries and to return to the ACL Summary table.
Related Topics
•
Configuring Security with ACLs, page 4-58
•
Creating ACLs, page 4-59
•
Setting EtherType ACL Attributes, page 4-67
•
Resequencing Extended ACLs, page 4-66
•
Editing or Deleting ACLs, page 4-69
Resequencing Extended ACLs
Use this procedure to change the sequence of entries in an Extended ACL. EtherType ACL entries cannot
be resequenced.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Security > ACLs.
The ACLs table appears, listing the existing ACLs.
Step 2
Choose the Extended ACL you want to renumber and then click the Resequence icon appearing to the
left of the filter field.
The ACL Line Number Resequence window appears.
Step 3
In the Start field, enter the number that is to be assigned to the first entry in the ACL.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-66
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Security with ACLs
Valid entries are 1 to 2147483647.
Step 4
In the Increment field, enter the number that is to be added to each entry in the ACL after the first entry.
You can enter any integer.
Valid entries are 1 to 2147483647.
Step 5
Do one of the following:
•
Click Resequence to save your entries and to return to the ACLs table.
•
Click Cancel to exit this procedure without saving your entries and to return to the ACLs table.
Related Topics
•
Configuring Security with ACLs, page 4-58
•
Creating ACLs, page 4-59
•
Setting EtherType ACL Attributes, page 4-67
•
Setting Extended ACL Attributes, page 4-61
•
Editing or Deleting ACLs, page 4-69
Setting EtherType ACL Attributes
Note
By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly
allowed in an ACL can pass. All other traffic is denied.
You can configure an ACL that controls traffic based on its EtherType. An EtherType is a sub-protocol
identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support
802.3-formatted frames because they use a length field as opposed to a type field. The only exception is
bridge protocol data units (BPDUs), which are SNAP-encapsulated, and the ACE is designed to
specifically handle BPDUs.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Security > ACLs.
The ACLs table appears, listing the existing ACLs.
Step 2
Click Add.
The New Access List configuration screen appears.
Step 3
Enter the ACL name in the ACL Properties pane and choose Ethertype.
Note that the only selectable IP Address Type is IPv4.
Step 4
Step 5
Choose one of the following radio buttons:
•
Deny to indicate that the ACE is to block connections.
•
Permit to indicate that the ACE is to allow connections.
Choose one of the following from the Protocol field drop down menu for this ACL:
•
Any—Specifies any EtherType.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-67
Chapter 4
Configuring Virtual Contexts
Configuring Security with ACLs
•
BPDU—Specifies Bridge Protocol Data Units. The ACE receives trunk port (Cisco proprietary)
BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the
payload, so the ACE modifies the payload with the outgoing VLAN if you allow BPDUs. If you
configure redundancy, you must allow BPDUs on both interfaces with an EtherType ACL to avoid
bridging loops. For for information about configuring redundancy, see the “Configuring High
Availability” section on page 11-1.
•
IPv6—Specifies Internet Protocol version 6.
•
MPLS—Specifies Multi Protocol Label Switching. The MPLS selection applies to both MPLS
unicast and MPLS multicast traffic. If you allow MPLS, ensure that Label Distribution Protocol
(LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the ACE by
configuring both MPLS routers connected to the ACE to use the IP address on the ACE interface as
the router-id for LDP or TDP sessions. LDP and TDP allow MPLS routers to negotiate the labels
(addresses) used to forward packets.
Step 6
Click Add To Table and add one or more ACL entries if required repeating Step 4 and Step 5 as needed.
Step 7
Associate any VLAN interface to this ACL if required and do one of the following:
•
Click Deploy to immediately deploy this configuration.
•
Click Cancel to exit without saving your entries and to return to the ACL Summary table.
Related Topics
•
Configuring Security with ACLs, page 4-58
•
Creating ACLs, page 4-59
•
Setting Extended ACL Attributes, page 4-61
•
Resequencing Extended ACLs, page 4-66
•
Editing or Deleting ACLs, page 4-69
Viewing All ACLs by Context
Use this procedure to view all access control lists that have been configured.
Procedure
Step 1
Choose Config > Virtual Contexts.
The All Virtual Contexts table appears.
Step 2
Choose the virtual context with the ACLs you want to view, and then select Security > ACLs.
The ACLs table appears, listing the existing ACLs with their name, their type (Extended or EtherType),
and any comments.
Related Topics
•
Configuring Virtual Context Expert Options, page 4-79
•
Creating ACLs, page 4-59
•
Setting EtherType ACL Attributes, page 4-67
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-68
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Security with ACLs
•
Setting Extended ACL Attributes, page 4-61
•
Editing or Deleting ACLs, page 4-69
Editing or Deleting ACLs
Use this procedure to delete or edit an ACL or any of its subentries.
Considerations
•
You cannot mix IPv6 and IPv4 access-list entries in the same ACL.
•
Before you change the IP address type for an existing ACL, you must remove the entries that are not
applicable to the new IP address type.
•
If you change the ACL protocol, the ACE removes all of the existing settings for the ACL.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Security > ACLs.
The ACLs table appears, listing the existing ACLs.
Step 2
Click the radio button to the left of the ACL that you want to edit or delete.
Expand entries if necessary by clicking the plus sign to the left of any ACL entry until you see the
subentry ACL for which you are looking, or click the Expand All icon to view all ACLs and subentries.
To hide the subentries under an ACL, click the minus sign to the left of any ACL entry. Click the
Collapse All icon to hide the subentries under all ACLs.
Step 3
Do one of the following:
•
Click Edit if you are editing an ACL or one of its entries. Edit the entry using the summary
information listed in Table 4-16 if needed, and click Deploy when done.
•
Click Delete if you are deleting an ACL or one of its entries. A window appears asking you to
confirm the deletion. If you click OK, the ACLs table refreshes without the deleted ACL.
Related Topics
•
Creating ACLs, page 4-59
•
Setting EtherType ACL Attributes, page 4-67
•
Setting Extended ACL Attributes, page 4-61
•
Resequencing Extended ACLs, page 4-66
Displaying ACL Information and Statistics
You can display information and statistics for a particular ACL by using the Details button.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Security > ACLs.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-69
Chapter 4
Configuring Virtual Contexts
Configuring Object Groups
The ACLs table appears listing the existing ACLs.
Step 2
In the ACLs table, choose an ACL, and click Details.
The show access-list access-list detail CLI command output appears. For details about the displayed
output fields, see the Security Guide, Cisco ACE Application Control Engine, Chapter 1, Configuring
Security Access Control Lists.
Step 3
Click Update Details to refresh the output for the show access-list access-list detail CLI command.
Step 4
Click Close to return to the ACLs table.
Related Topics
•
Configuring Virtual Context Expert Options, page 4-79
•
Creating ACLs, page 4-59
•
Setting Extended ACL Attributes, page 4-61
•
Resequencing Extended ACLs, page 4-66
•
Editing or Deleting ACLs, page 4-69
Configuring Object Groups
An object group is a logical grouping of objects such as hosts (servers and clients), services, and
networks. When you create an object group, you select a type, such as network or service, and then
specify the objects that belong to the groups. In all, there are four types of object groups: Network,
protocol, service, and ICMP-type.
After you configure an object group, you can include it in ACLs, thereby including all objects within
that group and reducing overall configuration size.
Use this procedure to configure object groups that you can associate with ACLs.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Security > Object Groups.
The Object Groups table appears, listing existing object groups.
Step 2
Click Add to create a new object group, or select an existing object group, and then click Edit to modify
it.
The Object Groups configuration screen appears.
Step 3
In the Name field, enter a unique name for this object group.
Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4
In the Description field, enter a brief description for the object group.
Step 5
In the Type field, select the type of object group you are creating:
Step 6
•
Network—The object group is based on a group of hosts or subnet IP addresses.
•
Service—The object group is based on TCP or UDP protocols and ports, or ICMP types, such as
echo or echo-reply.
Do one of the following:
•
Click Deploy Now to immediately deploy this configuration. This option appears for virtual
contexts. The screen refreshes with tables additional configuration options.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-70
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Object Groups
Step 7
•
Click Cancel to exit without saving your entries and to return to the Object Groups table.
•
Click Next to deploy your entries and to add another entry to the Object Groups table.
Configure objects for the object group.
For network-type object groups, options include:
•
Configuring IP Addresses for Object Groups, page 4-71
•
Configuring Subnet Objects for Object Groups, page 4-72
For service-type object groups, options include:
•
Configuring Protocols for Object Groups, page 4-73
•
Configuring TCP/UDP Service Parameters for Object Groups, page 4-73
•
Configuring ICMP Service Parameters for an Object Group, page 4-76
Related Topics
•
Configuring Virtual Context Expert Options, page 4-79
•
Creating ACLs, page 4-59
•
Setting Extended ACL Attributes, page 4-61
•
Resequencing Extended ACLs, page 4-66
Configuring IP Addresses for Object Groups
Use this procedure to specify host IP addresses for network-type object groups.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Security > Object Groups.
The Object Groups table appears, listing existing object groups.
Step 2
Choose the object group you want to configure host IP addresses for and then click the Host Setting For
Object Group tab.
The Host Setting For Object Group table appears.
Step 3
Click Add to add an entry to this table.
Step 4
Choose one of the following:
Step 5
•
IPv4—A host with an IPv4 IP address. In the IPv4 Address field, enter the IP address of a host to
include in this group.
•
IPv6—A host with an IPv6 IP address. In the IPv6 Address field, enter the IP address of a host to
include in this group.
Do one of the following:
•
Click Deploy Now to immediately deploy this configuration. This option appears for virtual
contexts.
•
Click Cancel to exit this procedure without saving your entries.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-71
Chapter 4
Configuring Virtual Contexts
Configuring Object Groups
•
Click Next to deploy your entries and to add another entry to the Host Setting table.
Related Topics
•
Configuring Object Groups, page 4-70
•
Configuring Subnet Objects for Object Groups, page 4-72
•
Configuring Protocols for Object Groups, page 4-73
•
Configuring TCP/UDP Service Parameters for Object Groups, page 4-73
•
Configuring ICMP Service Parameters for an Object Group, page 4-76
Configuring Subnet Objects for Object Groups
Use this procedure to specify subnet objects for a network-type object group.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Security > Object Groups.
The Object Groups table appears, listing existing object groups.
Step 2
Choose the object group you want to configure subnet objects for and then click the Network Setting
For Object Group tab.
The Network Setting For Object Group table appears.
Step 3
Click Add to add an entry to this table.
Step 4
Choose one of the following:
Step 5
•
IPv4—A subnet object with an IPv4 IP address. In the IPv4 Address field, enter the IP address. In
the Netmask field, select the subnet mask for this subnet object.
•
IPv6—A object with an IPv6 IP address. In the IPv6 Address field, enter the IP address. In the
Network Prefix Length field, enter the prefix length for this object.
Do one of the following:
•
Click Deploy Now to immediately deploy this configuration. This option appears for virtual
contexts.
•
Click Cancel to exit this procedure without saving your entries.
•
Click Next to deploy your entries and to add another entry to the Network Setting table.
Related Topics
•
Configuring Object Groups, page 4-70
•
Configuring IP Addresses for Object Groups, page 4-71
•
Configuring Protocols for Object Groups, page 4-73
•
Configuring TCP/UDP Service Parameters for Object Groups, page 4-73
•
Configuring ICMP Service Parameters for an Object Group, page 4-76
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-72
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Object Groups
Configuring Protocols for Object Groups
Use this procedure to specify protocols for a service-type object group.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Security > Object Groups.
The Object Groups table appears, listing existing object groups.
Step 2
Choose an existing service-type object group and then click the Protocol Selection tab.
The Protocol Selection table appears.
Step 3
Click Add to add an entry to this table.
Step 4
In the Protocol Number field, select the protocol or protocol number to add to this object group.
See Table 4-18 for common protocols and their numbers.
Step 5
Do one of the following:
•
Click Deploy Now to immediately deploy this configuration. This option appears for virtual
contexts.
•
Click Cancel to exit this procedure without saving your entries.
•
Click Next to deploy your entries and to add another entry to the Protocol Selection table.
Related Topics
•
Configuring Object Groups, page 4-70
•
Configuring IP Addresses for Object Groups, page 4-71
•
Configuring Subnet Objects for Object Groups, page 4-72
•
Configuring TCP/UDP Service Parameters for Object Groups, page 4-73
•
Configuring ICMP Service Parameters for an Object Group, page 4-76
Configuring TCP/UDP Service Parameters for Object Groups
Use this procedure to add TCP or UDP service objects to a service-type object group.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Security > Object Groups.
The Object Groups table appears, listing existing object groups.
Step 2
Choose an existing service-type object group and then select the TCP/UDP Service Parameters tab.
The TCP/UDP Service Parameters table appears.
Step 3
Click Add to add an entry to this table.
Step 4
Configure TCP or UDP service objects using the information in Table 4-21.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-73
Chapter 4
Configuring Virtual Contexts
Configuring Object Groups
Table 4-21
TCP and UDP Service Parameters
Field
Description
Protocol
Select the protocol for this service object:
Source Port Operator
Source Port
•
TCP—TCP is the protocol for this service object.
•
UDP—UDP is the protocol for this service object.
•
TCP And UDP—Both TCP and UDP are the protocols for this service object.
Select the operand to use when comparing source port numbers for this service object:
•
Equal To—The source port must be the same as the number in the Source Port field.
•
Greater Than—The source port must be greater than the number in the Source Port field.
•
Less Than—The source port must be less than the number in the Source Port field.
•
Not Equal To—The source port must not equal the number in the Source Port field.
•
Range—The source port must be within the range of ports specified by the Lower Source Port
field and the Upper Source Port field.
This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Source
Port Operator field.
Enter the source port name or number for this service object.
Lower Source Port
This field appears if you select Range in the Source Port Operator field.
Enter the number that is the beginning value for a range of services for this service object. Valid
entries are integers from 1 to 65535. The number in this field must be less than the number entered
in the Upper Source Port field.
Upper Source Port
This field appears if you select Range in the Source Port Operator field.
Enter the number that is the ending value for a range of services for this service object. Valid
entries are integers from 2 to 65535. The number in this field must be greater than the number
entered in the Lower Source Port field.
Destination Port
Operator
Destination Port
Choose the operand to use when comparing destination port numbers:
•
Equal To—The destination port must be the same as the number in the Destination Port field.
•
Greater Than—The destination port must be greater than the number in the Destination Port
field.
•
Less Than—The destination port must be less than the number in the Destination Port field.
•
Not Equal To—The destination port must not equal the number in the Destination Port field.
•
Range—The destination port must be within the range of ports specified by the Lower
Destination Port field and the Upper Destination Port field.
This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the
Destination Port Operator field.
Enter the destination port name or number for this service object.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-74
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Object Groups
Table 4-21
TCP and UDP Service Parameters (continued)
Field
Description
Lower Destination Port This field appears if you select Range in the Destination Port Operator field.
Enter the number that is the beginning value for a range of services for this service object. Valid
entries are integers from 0 to 65535. The number in this field must be less than the number entered
in the Upper Destination Port field.
Upper Destination Port
This field appears if you select Range in the Destination Port Operator field.
Enter the number that is the ending value for a range of services for this service object. Valid
entries are integers from 0 to 65535. The number in this field must be greater than the number
entered in the Lower Destination Port field.
Step 5
Do one of the following:
•
Click Deploy Now to immediately deploy this configuration. This option appears for virtual
contexts.
•
Click Cancel to exit this procedure without saving your entries.
•
Click Next to deploy your entries and to add another entry to the TCP/UDP Service Parameters
table.
Related Topics
•
Configuring Object Groups, page 4-70
•
Configuring IP Addresses for Object Groups, page 4-71
•
Configuring Subnet Objects for Object Groups, page 4-72
•
Configuring Protocols for Object Groups, page 4-73
•
Configuring ICMP Service Parameters for an Object Group, page 4-76
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-75
Chapter 4
Configuring Virtual Contexts
Configuring Object Groups
Configuring ICMP Service Parameters for an Object Group
Use this procedure to add ICMP service parameters to a service-type object group.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Security > Object Groups.
The Object Groups table appears, listing existing object groups.
Step 2
Choose an existing service-type object group and then click the ICMP Service Parameters tab.
The ICMP Service Parameters table appears.
Step 3
Click Add to add an entry to this table.
Step 4
Configure ICMP type objects using the information in Table 4-22.
Table 4-22
ICMP Type Service Parameters
Field
Description
ICMP Version
Check either of the following check boxes for the ICMP version:
ICMP Type
•
ICMP—Internet Control Message Protocol (ICMP) for Internet Protocol
version 4 (IPv4).
•
ICMPv6—Internet Control Message Protocol version 6 (ICMPv6) for
Internet Protocol version 6 (IPv6).
Select the ICMP type or number for this service object. Table 4-23 lists
common ICMP types and numbers. Table 4-24 lists the ICMPv6 types and
numbers.
Message Code Operator Select the operand to use when comparing message codes for this service
object:
Message Code
•
Equal To—The message code must be the same as the number in the
Message Code field.
•
Greater Than—The message code must be greater than the number in the
Message Code field.
•
Less Than—The message code must be less than the number in the
Message Code field.
•
Not Equal To—The message code must not equal the number in the
Message Code field.
•
Range—The message code must be within the range of codes specified
by the Min. Message Code field and the Max. Message Code field.
This field appears if you select Equal To, Greater Than, Less Than, or Not
Equal To in the Message Code Operator field.
Enter the ICMP message code for this service object.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-76
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Object Groups
Table 4-22
ICMP Type Service Parameters (continued)
Field
Description
Min. Message Code
This field appears if you select Range in the Message Code Operator field.
Enter the number that is the beginning value for a range of services for this
service object. Valid entries are integers from 0 to 255. The number in this
field must be less than the number entered in the Max. Message Code field.
Max. Message Code
This field appears if you select Range in the Message Code Operator field.
Enter the number that is the ending value for a range of services for this
service object. Valid entries are integers from 0 to 255. The number in this
field must be greater than the number entered in the Min. Message Code
field.
Table 4-23
ICMP Type Numbers and Names
ICMP Type Name
Number
Alternate-Address
6
Conversion-Error
31
Echo
8
Echo-Reply
0
Information-Reply
16
Information-Request
15
Mask-Reply
18
Mask-Request
17
Mobile-Redirect
32
Parameter-Problem
12
Redirect
5
Router-Advertisement
9
Router-Solicitation
10
Source-Quench
4
Time-Exceeded
11
Timestamp-Reply
14
Timestamp-Request
13
Traceroute
30
Unreachable
3
Table 4-24
ICMPv6 Type Names and Numbers
ICMP Type Name
Number
Echo
128
Echo-Reply
129
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-77
Chapter 4
Configuring Virtual Contexts
Configuring Object Groups
Table 4-24
Step 5
ICMPv6 Type Names and Numbers (continued)
ICMP Type Name
Number
Information-Reply
140
Information-Request
139
Parameter-Problem
4
Redirect
137
Time-Exceeded
3
Traceroute
30
Unreachable
1
Do one of the following:
•
Click Deploy Now to immediately deploy this configuration. This option appears for virtual
contexts.
•
Click Cancel to exit this procedure without saving your entries.
•
Click Next to deploy your entries and to add another entry to the ICMP Service Parameters table.
Related Topics
•
Configuring Object Groups, page 4-70
•
Configuring IP Addresses for Object Groups, page 4-71
•
Configuring Subnet Objects for Object Groups, page 4-72
•
Configuring Protocols for Object Groups, page 4-73
•
Configuring TCP/UDP Service Parameters for Object Groups, page 4-73
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-78
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Configuring Virtual Context Expert Options
Configuring Virtual Context Expert Options
Table 4-25 identifies ACE Appliance Device Manager virtual context Expert configuration options and
related topics for more information.
Table 4-25
Virtual Context Expert Configuration Options
Expert Configuration Options
Establish traffic policies by classifying types of
network traffic and then applying rules and
actions for handling the traffic
Related Topics
•
Configuring Traffic Policies, page 12-1
•
Configuring Virtual Context Class Maps,
page 12-8
•
Configuring Virtual Context Policy Maps,
page 12-34
Configure HTTP header modify action lists
Configuring an HTTP Header Modify Action
List, page 12-90
Configure HTTP optimization action lists
Configuring an HTTP Optimization Action List,
page 13-3
Managing Virtual Contexts
You can perform the following administrative actions on virtual contexts:
•
Synchronizing Virtual Context Configurations, page 4-79
•
Editing Virtual Contexts, page 4-84
•
Deleting Virtual Contexts, page 4-84
•
Viewing All Virtual Contexts, page 4-84
Synchronizing Virtual Context Configurations
ACE Appliance Device Manager identifies virtual contexts with different configurations on the ACE
appliance and in ACE Appliance Device Manager. Discrepancies between these configurations occur
when a user configures the ACE appliance directly using the CLI instead of the ACE Appliance Device
Manager.
The ACE Appliance Device Manager automatically polls the CLI once every two minutes. When you
use the CLI to change a virtual context’s configuration on the ACE appliance, and the Device Manager
detects an out-of-band configuration change in a context during this polling period, the configuration
changes are applied by the Device Manager.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-79
Chapter 4
Configuring Virtual Contexts
Managing Virtual Contexts
The status bar at the bottom right of the ACE Appliance Device Manager displays two indicators for you
to monitor CLI and DM GUI synchronization status (Figure 4-1). One indicator displays ACE appliance
Device Manager GUI and CLI synchronization status along with a summary count of the contexts in the
various synchronization states, and the other indicator displays CLI synchronization and polling status
for the active context. The status bar auto-refreshes every 10 seconds.
Figure 4-1
CLI and DM GUI Synchronization Status Bar
For example, as illustrated in Figure 4-1, the message “DM out of sync with CLI (1/17)” indicates that
out of the 17 configured contexts, one context is in the “Out of sync” CLI synchronization status state.
Note
If a user attempt to deploy a configuration from the ACE Appliance Device Manager (clicks the Deploy
Now button) while synchronization is in process for a particular context, an error message appears
indicating that synchronization is in process and the user should try to deploy the configuration at a later
point in time.
ACE Appliance Device Manager provides the following options for identifying and synchronizing
configuration discrepancies:
•
Viewing Virtual Context Synchronization Status, page 4-80
•
High Availability and Virtual Context Configuration Status, page 4-81
•
Manually Synchronizing Individual Virtual Context Configurations, page 4-82
•
Manually Synchronizing All Virtual Context Configurations, page 4-83
Viewing Virtual Context Synchronization Status
ACE Appliance Device Manager identifies virtual contexts with different configurations in the ACE
appliance and in the ACE Appliance Device Manager. Discrepancies between these configurations occur
when a user configures the ACE appliance directly using the CLI instead of ACE Appliance Device
Manager.
In Config screens, CLI and DM GUI configuration status appears in the following locations in the ACE
Appliance Device Manager:
•
In the All Virtual Contexts table (Config > Virtual Contexts), in the CLI Sync Status column.
•
The status bar at the bottom of the ACE Appliance Device Manager browser (see Figure 4-1).
The following reported CLI synchronization states appear in the All Virtual Context table:
•
OK—The configurations for the selected virtual context are synchronized with the CLI.
•
Out Of Sync—The configurations for the selected virtual context are not synchronized with the CLI.
•
Sync In Progress—The CLI to DM GUI synchronization for this context is in process, either started
automatically by the ACE Appliance Device Manager or manually (using either the CLI Sync or
CLI Sync All buttons).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-80
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Managing Virtual Contexts
•
Sync Failed—The last synchronization attempt failed and you must perform a manual
synchronization using either the CLI Sync or CLI Sync All buttons. The failed state could be due to
an unrecognized CLI command on the context, or due to an internal error on the ACE Appliance
Device Manager. Once the problem is resolved, another manual synchronization will be required to
move the context into the OK synchronization state.
The status bar at the bottom of the ACE Appliance Device Manager browser (see Figure 4-1) displays
DM GUI and CLI synchronization status along with a summary count of the contexts in the various
synchronization states. For example, the message “DM out of sync with CLI (1/10), DM sync with CLI
failed (2/10)” indicates that out of the 10 configured contexts, one context is in the “Out Of Sync” state
and two are is the “Sync Failed” state, and the remaining contexts are in the “OK” state. The status bar
auto-refreshes every 10 seconds.
Note
Clicking the summary count in the status bar from any context-specific page accesses the All Virtual
Contexts table. You can view the CLI synchronization status for all contexts.
If a user changes the configuration for a context by using the CLI while you are viewing the All Virtual
Contexts table, the information in the CLI Sync Status column does not automatically update to reflect
an out-of-sync state. Click Refresh or set an automatic refresh rate by clicking Auto Refresh to view
out-of-sync configurations.
For information on synchronizing out-of-sync virtual context configurations, see the following topics:
•
Manually Synchronizing Individual Virtual Context Configurations, page 4-82
•
Manually Synchronizing All Virtual Context Configurations, page 4-83
Related Topics
•
Synchronizing Virtual Context Configurations, page 4-79
•
High Availability and Virtual Context Configuration Status, page 4-81
High Availability and Virtual Context Configuration Status
In a high availability pair, the two configured virtual contexts synchronize with each other as part of their
ongoing communications. However, their copies do not synchronize in ACE Appliance Device Manager
and the configuration on the standby member can become out of sync with the configuration on the ACE
appliance.
After the active member of a high availability pair fails and the standby member becomes active, ACE
Appliance Device Manager on the newly active member detects any out-of-sync virtual context
configurations and reports that status in the All Virtual Contexts table so that you can synchronize the
virtual context configurations.
Note
When a virtual context is in either the Standby Hot or Standby Warm state (see the “High Availability
Polling” section on page 11-2), the virtual context may receive configuration changes from its ACE peer
without updating the Device Manager GUI. As a result, the ACE appliance Device Manager GUI will
be out of synchronization with the CLI configuration. If you need to check configuration on a standby
virtual context using HA Tracking And Failure Detection (see the “Tracking VLAN Interfaces for High
Availability” section on page 11-19), we recommend that you first perform a manual synchronization
using either the CLI Sync or CLI Sync All buttons before checking the configuration values.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-81
Chapter 4
Configuring Virtual Contexts
Managing Virtual Contexts
For information on synchronizing out-of-sync virtual context configurations, see the following topics:
•
Manually Synchronizing Individual Virtual Context Configurations, page 4-82
•
Manually Synchronizing All Virtual Context Configurations, page 4-83
Related Topics
•
Viewing Virtual Context Synchronization Status, page 4-80
•
Configuring ACE High Availability, page 11-8
Manually Synchronizing Individual Virtual Context Configurations
Use this procedure if you want to manually synchronize the configuration for a selected virtual context.
This procedure removes the configuration information for this virtual context from ACE Appliance
Device Manager and replaces it with its CLI configuration from the ACE appliance. You may want to
manually synchronize a virtual context configuration if you do not want to wait for auto synchronization
to occur and you want the CLI context configuration changes immediately applied to the ACE Appliance
Device Manager.
Procedure
Step 1
Choose Config > Virtual Contexts.
The All Virtual Contexts table appears. Contexts with configurations that are not synchronized display
Out of sync in the CLI Sync Status column.
Note
Step 2
If a user changes the configuration for a context by using the CLI while you are viewing the All
Virtual Contexts table, the information in the CLI Sync Status column is not automatically
updated to reflect an out-of-sync state. Click Refresh or set an automatic refresh rate by clicking
Auto Refresh to view out-of-sync configurations.
Choose the virtual context with the configuration that you want to synchronize and then click CLI Sync.
A window appears, asking you to confirm the operation.
Step 3
Click OK to upload the configuration from the ACE appliance or Cancel to exit this procedure without
uploading the configuration.
If you click OK, the screen reports progress and then refreshes with updated configuration status in the
CLI Sync Status column.
Related Topics
•
Synchronizing Virtual Context Configurations, page 4-79
•
Viewing Virtual Context Synchronization Status, page 4-80
•
Manually Synchronizing All Virtual Context Configurations, page 4-83
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-82
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Managing Virtual Contexts
Manually Synchronizing All Virtual Context Configurations
Use this procedure to manually synchronize all virtual context configurations. This procedure removes
all virtual context configurations from ACE Appliance Device Manager and replaces them with their
CLI configurations from the ACE appliance. You may want to manually synchronize all virtual contexts
if you do not want to wait for auto-synchronization to occur and you want the CLI context configuration
changes immediately applied to the ACE Appliance Device Manager.
This operation can take several minutes to finish, depending on the number of virtual contexts.
Note
If you configure a virtual server using the CLI and then use the CLI Sync All option (Config > Virtual
Contexts) to manually synchronize configurations, the configuration that appears in ACE Appliance
Device Manager for the virtual server might not display all configuration options for that virtual server.
The configuration that appears in ACE Appliance Device Manager depends on a number of items, such
as the protocols configured in class maps or the rules defined for policy maps.
For example, if you configure a virtual server on the CLI that includes a class map that can match any
protocol, you will not see the virtual server Application Acceleration and Optimization configuration
subset in ACE Appliance Device Manager.
Note
This procedure is available for only the admin user in an Admin context.
Procedure
Step 1
Choose Config > Virtual Contexts.
The All Virtual Contexts table appears.
Step 2
Click CLI Sync All. A window appears, asking you to confirm the operation.
Step 3
Click OK to continue with this option or click Cancel to exit this procedure.
If you click OK, the screen refreshes with the All Virtual Contexts table listing the contexts that have
been imported so far and displays configuration update progress.
Note
Step 4
Depending on the number of contexts, this process can take several minutes to complete.
Click Refresh to view additional contexts that have been imported.
Related Topics
•
Synchronizing Virtual Context Configurations, page 4-79
•
Manually Synchronizing Individual Virtual Context Configurations, page 4-82
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-83
Chapter 4
Configuring Virtual Contexts
Managing Virtual Contexts
Editing Virtual Contexts
Use this procedure to modify the configuration of an existing virtual context.
Procedure
Step 1
Choose Config > Virtual Contexts.
The All Virtual Contexts table appears.
Step 2
Choose the virtual context and then select the configuration attributes you want to modify.
For information on configuration options, see the “Configuring Virtual Contexts” section on page 4-7.
Step 3
Click Deploy Now to deploy this configuration on the ACE appliance.
To exit a procedure without saving your entries, click Cancel, or select another item in the menu bar or
another attribute to configure. A window appears, confirming that you have not saved your entries.
Related Topic
•
Using Virtual Contexts, page 4-2
Deleting Virtual Contexts
Use this procedure to remove an existing virtual context.
Procedure
Step 1
Choose Config > Virtual Contexts.
The All Virtual Contexts table appears.
Step 2
Chose the virtual context you want to remove and then click Delete.
A window appears, asking you to confirm the deletion.
Step 3
Do one of the following:
•
Click OK to delete the selected context. The device tree refreshes and the deleted context no longer
appears.
•
Click Cancel to exit this procedure and to retain the selected context.
Related Topic
•
Using Virtual Contexts, page 4-2
Viewing All Virtual Contexts
To view all virtual contexts, choose Config > Virtual Contexts. The All Virtual Contexts table appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-84
OL-26645-02
Chapter 4
Configuring Virtual Contexts
Managing Virtual Contexts
Note
Clicking the summary count in the status bar from any context-specific page accesses the All Virtual
Contexts table. You can then review the synchronization configuration details for all of the available
contexts. If you are not the administrator, you will only see the details for your user context.
The All Virtual Contexts table displays the following information for each virtual context
•
Name
•
Resource class
•
Management IP address
•
Virtual context synchronization status; that is, whether the ACE Appliance Device Manager GUI
and CLI configurations for the context are synchronized, not synchronized, being synchronized, or
the synchronization attempt failed. For more information, see the “Viewing Virtual Context
Synchronization Status” section on page 4-80.
•
ACE high availability state; for more information on the available ACE high availability states, see
the “High Availability Polling” section on page 11-2.
Note
For information on the implication of ACE high availability on ACE appliance Device Manager
GUI and CLI configuration synchronization, see the “Synchronizing High Availability
Configurations with ACE Appliance Device Manager” section on page 11-6.
•
State of the ACE high availability peer
•
ACE high availability peer name
•
Whether automatic synchronization for high availability pairs has been configured
Note
If a user changes the configuration for a context by using the CLI while you are viewing the All Virtual
Contexts table, or if the high availability state changes, the information in the table columns does not
automatically update to reflect an out-of-sync state. Click Refresh or set an automatic refresh rate by
clicking Auto Refresh to view out-of-sync configurations.
Note
If a user creates a new virtual context in a different session while you are viewing the All Virtual
Contexts table, the new virtual context does not automatically appear in this table. Click Refresh or set
an automatic refresh rate by clicking Auto Refresh to view newly-created contexts.
Polling status for the selected context appears above the content area in the upper right corner (see
Figure 1-2). Table 14-1 describes the various polling states.
From this screen you can:
•
Add a new virtual context—See the Creating Virtual Contexts, page 4-2.
•
Edit an existing virtual context—See Configuring Virtual Contexts, page 4-7.
•
Delete an existing virtual context—See Deleting Virtual Contexts, page 4-84.
•
Manually synchronize ACE Appliance Device Manager and CLI configurations for one or all virtual
contexts—See Synchronizing Virtual Context Configurations, page 4-79.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
4-85
Chapter 4
Configuring Virtual Contexts
Managing Virtual Contexts
Related Topic
•
Managing Virtual Contexts, page 4-79
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
4-86
OL-26645-02
C H A P T E R
5
Configuring Virtual Servers
This chapter provides an overview of server load balancing and procedures for configuring virtual
servers for load balancing on an ACE appliance.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
This chapter contains the following topics:
•
Load Balancing Overview, page 5-1
•
Configuring Virtual Servers, page 5-2
•
Managing Virtual Servers, page 5-63
Load Balancing Overview
Server load balancing (SLB) is the process of deciding to which server a load-balancing device should
send a client request for service. For example, a client request can consist of an HTTP GET for a Web
page or an FTP GET to download a file. The job of the load balancer is to select the server that can
successfully fulfill the client request and do so in the shortest amount of time without overloading either
the server or the server farm as a whole.
Depending on the load-balancing algorithm or predictor that you configure, the ACE appliance performs
a series of checks and calculations to determine the server that can best service each client request. The
ACE appliance bases server selection on several factors, including the server with the fewest
connections with respect to load, source or destination address, cookies, URLs, or HTTP headers.
The ACE Appliance Device Manager allows you to configure load balancing as described in the
following topics:
•
Virtual servers—See Configuring Virtual Servers, page 5-2.
•
Real servers—See Configuring Real Servers, page 6-5.
•
Server farms—See Configuring Server Farms, page 6-18.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-1
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
•
Sticky groups—See Configuring Sticky Groups, page 7-11.
•
Parameter maps—See Configuring Parameter Maps, page 8-1.
For information about SLB as configured and performed by the ACE appliance, see the following topics:
•
Configuring Virtual Servers, page 5-2
•
Load-Balancing Predictors, page 6-2
•
Real Servers, page 6-3
•
Server Farms, page 6-5
•
Configuring Health Monitoring, page 6-39
•
TCL Scripts, page 6-40
•
Configuring Sticky Groups, page 7-11
Configuring Virtual Servers
In a load-balancing environment, a virtual server is a construct that allows multiple physical servers to
appear as one for load-balancing purposes. A virtual server is bound to physical services running on real
servers in a server farm and uses IP address and port information to distribute incoming client requests
to the servers in the server farm according to a specified load-balancing algorithm.
You use class maps to configure a virtual server address and definition. The load-balancing predictor
algorithms (for example, round-robin, least connections, and so on) determine the servers to which the
ACE sends connection requests.
For more information about virtual servers and the ACE Appliance Device Manager, see the following
topics:
•
Understanding Virtual Server Configuration and ACE Appliance Device Manager, page 5-2
•
Information About Using Device Manager to Configure Virtual Servers, page 5-5
•
Virtual Server Configuration Procedure, page 5-7
Understanding Virtual Server Configuration and ACE Appliance Device
Manager
The ACE Appliance Device Manager Virtual Server configuration interface, an abstraction of the
Modular Policy CLI, simplifies, reorders, and makes more atomic the configuration and deployment of
a functional load-balancing environment. With simplification or abstraction, some constraints or
limitations are necessarily introduced. This section identifies the constraints and framework used by
ACE Appliance Device Manager for virtual server configuration.
In ACE Appliance Device Manager, a viable virtual server has the following attributes:
•
A single Layer 3/Layer 4 match condition
This means that you can specify only a single IP address (or single IP address range if an IPv4
netmask or IPv6 prefix length is used), with only a single port (or port range). Having a single match
condition greatly simplifies and aids virtual server configuration.
•
A default Layer 7 action
•
A Layer 7 policy map
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-2
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
•
A Layer 3/Layer 4 class map
•
A multi-match policy map, a class-map match, and an action
In addition:
•
The virtual server multi-match policy map is associated with an interface or is global.
•
The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map.
Example 5-1 shows the minimum configuration statements required for a virtual server.
Example 5-1
Minimum Configuration Required for a Virtual Server
IPv4
class-map match-all Example_VIP
2 match virtual-address 10.10.10.10 tcp eq www
policy-map type loadbalance first-match Example_VIP-l7slb
class class-default
forward
policy-map multi-match int10
class Example_VIP
loadbalance policy Example_VIP-l7slb
interface vlan 10
ip address 192.168.65.37 255.255.255.0
service-policy input int10
no shutdown
IPv6
class-map match-all Example2_VIP
2 match virtual-address 2001:DB8:10::5 tcp eq www
policy-map type loadbalance first-match Example2_VIP-l7slb
class class-default
forward
policy-map multi-match int11
class Example2_VIP
loadbalance policy Example2_VIP-l7slb
interface vlan 10
ip address 2001:DB8:10::21/64
service-policy input int11
no shutdown
Note the following items regarding the ACE Appliance Device Manager and virtual servers:
•
Additional configuration options
The Virtual Server configuration screen allows you to configure additional items for a functional
VIP. These items include server farms, sticky groups, real servers, probes, parameter maps,
inspection, class maps, and inline match conditions. Because too many items on a screen can be
overwhelming, not all configuration options appear on Virtual Server configuration screen, such as
sticky statics or backup real servers. These options are available elsewhere in the ACE Appliance
Device Manager interface instead of on the Virtual Server configuration screen.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-3
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
•
Configuration options and roles
To support and maintain the separation of roles, some objects cannot be configured using the Virtual
Server configuration screen. These objects include SSL certificates, SSL keys, NAT pools, interface
IP addresses, and ACLs. Providing these options as separate configuration options in the ACE
Appliance Device Manager interface ensures that a user who can view or modify virtual servers or
aspects of virtual servers cannot create or delete virtual servers.
•
RBAC role and domain requirements
If you want to create, modify, or delete a virtual server, we recommend that you use the pre-defined
Admin role (see Table 15-4).Only the Admin pre-defined role supports the ability to successfully
deploy a functional virtual server from the ACE appliance Device Manager.
If a user prefers to be assigned a custom role, and wants the ability to create, modify, or delete a
virtual server, that user requires the proper role permissions to be defined by the administrator to
allow them to perform those virtual server activities.
Note
A user must be assigned with a default domain (default-domain) to be able to configure a virtual
server. A domain is the namespace in which a user operates.
Included below are a list of RBAC permissions which are required for a user to create, modify, or
delete a virtual server:
--------------------------------------------Rule
Type
Permission
Feature
--------------------------------------------1.
Permit
Create
real
2.
Permit
Create
serverfarm
3.
Permit
Create
vip
4.
Permit
Create
probe
5.
Permit
Create
loadbalance
6.
Permit
Create
nat
7.
Permit
Create
interface
8.
Permit
Create
connection
9.
Permit
Create
ssl
10.
Permit
Create
pki
11.
Permit
Create
sticky
12.
Permit
Create
inspect
Note that certain configured virtual servers may only cover a subset of the features and may not
require all the permissions outlined above. In general, the above set of permissions are required for
allowing users to configure all elements of a virtual server.
For background information, see the “Managing User Roles” section in Chapter 15, “Managing the
ACE Appliance”.
Related Topics
•
Configuring Virtual Servers, page 5-2
•
Information About Using Device Manager to Configure Virtual Servers, page 5-5
•
Virtual Server Configuration Procedure, page 5-7
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-4
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Information About Using Device Manager to Configure Virtual Servers
It is important to understand the following when using the ACE Appliance Device Manager to configure
virtual servers:
•
Virtual server configuration screens
The ACE Appliance Device Manager Virtual Server configuration screens are designed to aid you
in configuring virtual servers by presenting configuration options that are relevant to your choices.
For example, the protocols that you select in the Properties configuration subset determine the other
configuration subsets that appear.
•
Use the virtual server configuration method that suits you
The ACE Appliance Device Manager Virtual Server configuration screens simplify the process of
creating, modifying, and deploying virtual servers by displaying those options that you are most
likely to use. In addition, as you specify attributes for a virtual server, such as protocols, the
interface refreshes with related configuration options, such as Protocol Inspection or Application
Acceleration and Optimization, thereby speeding virtual server configuration and deployment.
While Virtual Server configuration screens remove some configuration complexities, they have a
few constraints that the Expert configuration options do not. If you are comfortable using the CLI,
you can use the Expert options (such as Config > Virtual Contexts > context > Expert > Class
Maps or Policy or Config > Virtual Contexts > context > Load Balancing > Parameter Map to
configure more complex attributes of virtual servers, traffic policies, and parameter maps.
•
Synchronizing virtual server configurations
When you use the CLI to change a virtual context’s configuration on the ACE appliance, the ACE
Appliance Device Manager periodically polls the CLI (approximately once every two minutes) for
configuration changes. When it detects an out-of-band configuration change in a context, the
changes are applied to the configuration maintained by ACE Appliance Device Manager. The status
bar at the bottom of the ACE Appliance Device Manager indicates a summary count of the contexts
in the various synchronization states
If you configure a virtual server using the CLI and then use the CLI Sync option (Config > Virtual
Contexts > CLI Sync) to manually synchronize configurations, the configuration that appears in the
ACE Appliance Device Manager for the virtual server might not display all configuration options
for that virtual server. The configuration that appears in the ACE Appliance Device Manager
depends on a number of items, such as the protocols configured in class maps or the rules defined
for policy maps.
For example, if you configure a virtual server on the CLI that includes a class map that can match
any protocol, you will not see the virtual server Application Acceleration and Optimization
configuration subset in the ACE Appliance Device Manager.
•
Modifying shared objects
Modifying an object that is used by multiple virtual servers, such as a server farm, real server, or
parameter map, could impact the other virtual servers. See Shared Objects and Virtual Servers,
page 5-9 for more information about modifying objects used by multiple virtual servers.
Related Topics
•
Configuring Virtual Servers, page 5-2
•
Understanding Virtual Server Configuration and ACE Appliance Device Manager, page 5-2
•
Virtual Server Configuration Procedure, page 5-7
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-5
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Virtual Server Usage Guidelines
The Virtual Server configuration window provides you with numerous configuration options. However,
instead of setting every option in one pass, configure your virtual server in stages. The first stage should
always be to establish basic “pass through” connectivity with simple load balancing and include minimal
additional features. This level of setup should verify that ports, VLANs, interfaces, SSL termination (if
applicable), and real servers have been set up properly, enabling basic connectivity.
After you establish this level of connectivity, additional virtual server features will be easier to configure
and troubleshoot.
Common features to add to a working basic virtual server are as follows:
•
Health monitoring probes
•
Session persistence (sticky)
•
Additional real servers to a server farm
•
Application protocol inspection
•
Application acceleration and optimization
Table 5-1 identifies and describes virtual server configuration subsets with links to related topics for
configuration information.
Related Topics
•
Configuring Virtual Servers, page 5-2
•
Information About Using Device Manager to Configure Virtual Servers, page 5-5
•
Virtual Server Testing and Troubleshooting, page 5-6
•
Virtual Server Configuration Procedure, page 5-7
Virtual Server Testing and Troubleshooting
As outlined in the “Virtual Server Usage Guidelines” section on page 5-6, first set up a basic virtual
server that only enables connectivity and simple load balancing, such as round-robin between two real
servers. Next, use a client, such as a web browser, to send a request from the client network to the virtual
server VIP address. If the request is successful, you can now make changes or add virtual server features.
If the request is not successful, begin virtual server troubleshooting as outlined in the following
sequence:
1.
Wait and retry your request after a minute or two, especially if the existing ACE configuration is
large. It can take seconds or even minutes for configuration changes to affect how traffic is handled
by ACE.
2.
Click the Details button in the lower right of the Virtual Server page. The Details button displays
the output of the show service-policy CLI command.
3.
Verify that the VIP State in the show service-policy CLI command output is INSERVICE. If the
VIP state is not INSERVICE, this may indicate the following:
– The virtual server has been manually disabled in the configuration.
– The real servers are all unreachable from ACE or manually disabled. If all of a virtual server's
real servers are out of service due to one of those reasons, the virtual server itself will be marked
Out Of Service.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-6
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
4.
Verify the Hit Count in the show service-policy CLI command output. Hit Count shows the number
of requests received by ACE. This value should increase for each request attempted by your client.
If the hit count does not increase with each request, this indicates that the request is not reaching
your virtual server configuration.
This could be a problem with one of the following:
– A physical connection.
– VLAN or VLAN interface configuration.
– Missing or incorrect ACL applied to the client interface.
– Incorrect IP address (that is, a VIP that is not valid on the selected VLANs for the virtual server,
or a VIP that is not accessible to your client).
If the Hit Count value increases but no response is received (Server Pkt Count does not increases),
the problem is more likely to be in the connectivity between the ACE and the backend real servers.
This issue is typically caused by one or more of the following problems:
– You are working on a one-armed configuration (that is, do not plan to change routing for your
real servers) and have not selected an appropriate NAT pool for your virtual server to use with
source NAT.
– A different routing problem (for example, server traffic does not know how to get back to the
ACE).
– Addressing problem (for example, you have an incorrect real server address, or the real server
is not accessible to ACE due to network topology).
Note
Hit count can increase by more than one, even if you make only a single request from your web
browser, because retrieving a typical web page makes many requests from the client to the
server.
Related Topics
•
Configuring Virtual Servers, page 5-2
•
Information About Using Device Manager to Configure Virtual Servers, page 5-5
•
Virtual Server Usage Guidelines, page 5-6
•
Virtual Server Configuration Procedure, page 5-7
Virtual Server Configuration Procedure
Use this procedure to add virtual servers to the ACE Appliance Device Manager for load-balancing
purposes.
Assumptions
•
Depending on the protocol to be used for the virtual server, parameter maps need to be defined.
•
For SSL service, SSL certificates, keys, chain groups, and parameter maps must be configured.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Virtual Servers.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-7
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
The Virtual Servers table appears.
Step 2
Click Add to add a new virtual server, or select an existing virtual server, and then click Edit to modify
it.
The Virtual Server configuration screen appears with a number of configuration subsets. The subsets that
you see depend on whether you use the Basic View or the Advanced View and configuration entries you
make in the Properties subset. Change views by using the View object selector at the top of the
configuration pane.
Table 5-1 identifies and describes virtual server configuration subsets with links to related topics for
configuration information.
Table 5-1
Virtual Server Configuration Subsets
Configuration
Subset
Description
Related Topics
Properties
This subset allows you to specify basic virtual server
characteristics, such as the virtual server name, IP
address, protocol, port, and VLANs.
Configuring Virtual
Server Properties,
page 5-10
SSL Termination1
This subset appears when TCP is the selected protocol Configuring Virtual
Server SSL
and Other or HTTPS is the application protocol.
Termination, page 5-18
This subset allows you to configure the virtual server
to act as an SSL proxy server and terminate SSL
sessions between it and its clients.
Protocol Inspection This subset appears in the Advanced View for the
following:
•
TCP with FTP, HTTP, HTTPS, RTSP, or SIP
•
UDP with DNS or SIP
Configuring Virtual
Server Protocol
Inspection, page 5-20
This subset appears in the Basic view for TCP with
FTP.
This subset allows you to configure the virtual server
so that it can verify protocol behavior and identify
unwanted or malicious traffic passing through the ACE
appliance on selected application protocols.
L7 Load-Balancing This subset appears only in the Advanced View for the Configuring Virtual
following:
Server Layer 7 Load
Balancing, page 5-30
• TCP with Generic, HTTP, HTTPS, RTSP, or SIP
•
UDP with Generic, RADIUS, or SIP
This subset allows you to configure Layer 7
load-balancing options, including SSL initiation1.
Default L7
Load-Balancing
Action
This subset allows you to establish the default Layer 7 Configuring Virtual
load-balancing actions for all network traffic that does Server Default Layer 7
not meet previously specified match conditions.
Load Balancing,
page 5-55
1
It also allows you to configure SSL initiation . SSL
initiation appears only in the Advanced View.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-8
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-1
Virtual Server Configuration Subsets (continued)
Configuration
Subset
Description
Related Topics
Application
Acceleration And
Optimization
This subset appears only in the Advanced View and
when HTTP or HTTPS is the selected application
protocol.
Configuring
Application
Acceleration and
Optimization,
page 5-57
This subset allows you to configure application
acceleration and optimization options for HTTP or
HTTPS traffic.
NAT
This subset appears in the Advanced View only.
This subset allows you to set up Name Address
Translation (NAT) for the virtual server.
Configuring Virtual
Server NAT, page 5-61
1. The SSL initiation and termination configuration options do not apply to the ACE NPE software version (see the “Information
About the ACE No Payload Encryption Software Version” section on page 1-2).
Step 3
Step 4
When you finish configuring virtual server properties, do the following:
•
Click Deploy Now to deploy the configuration on the ACE appliance.
•
Click Cancel to exit the procedure without saving your entries and to return to the Virtual Servers
table.
(Optional) To display statistics and status information for an existing virtual server, from the Virtual
Servers table, choose a virtual server and click Details.
A pop-up window appears that displays the detailed virtual server information (see the “Displaying
Virtual Server Statistics and Status Information” section on page 5-62 for details).
Note
This feature requires ACE software Version A3(2.1) or later. An error displays with earlier
software versions.
Related Topics
•
Configuring Virtual Servers, page 5-2
•
Understanding Virtual Server Configuration and ACE Appliance Device Manager, page 5-2
•
Information About Using Device Manager to Configure Virtual Servers, page 5-5
•
Shared Objects and Virtual Servers, page 5-9
•
Role Mapping in ACE Appliance Device Manager, page 15-19
Shared Objects and Virtual Servers
A shared object is one that is used by multiple virtual servers. Examples of shared objects are as follows:
•
Action lists
•
Class maps
•
Parameter maps
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-9
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
•
Real servers
•
Server farms
•
SSL services
•
Sticky groups
Because these objects are shared, modifying an object’s configuration in one virtual server can impact
other virtual servers that use the same object.
Configuring Shared Objects
ACE Appliance Device Manager offers the following options for shared objects in virtual server
configuration screens (Config > Virtual Contexts > context > Load Balancing > Virtual Servers):
•
View—Click View to review the object’s configuration. The screen refreshes with read-only fields
and the following three buttons.
•
Cancel—Click Cancel to close the read-only view and to return to the previous screen.
•
Edit—Click Edit to modify the selected object’s configuration. The screen refreshes with fields that
can be modified, except for the Name field which remains read-only.
Note
•
Before changing a shared object’s configuration, make sure you understand the effect of the
changes on other virtual servers using the same object. As an alternative, consider using the
Duplicate option instead.
Duplicate—Click Duplicate to create a new object with the same configuration as the selected
object. The screen refreshes with configurable fields. In the Name field, enter a unique name for the
new object, and then modify the configuration as desired. This option allows you to create a new
object without impacting other virtual servers using the same object.
Deleting Virtual Servers with Shared Objects
If you create a virtual server and include shared objects in its configuration, deleting the virtual server
does not delete the associated shared objects. This ensures that other virtual servers using the same
shared objects are not impacted.
Related Topics
•
Managing Virtual Servers, page 5-63
•
Configuring Virtual Server Properties, page 5-10
•
Configuring Virtual Server SSL Termination, page 5-18
•
Configuring Virtual Server Protocol Inspection, page 5-20
•
Configuring Virtual Server Layer 7 Load Balancing, page 5-30
•
Configuring Virtual Server Default Layer 7 Load Balancing, page 5-55
•
Configuring Application Acceleration and Optimization, page 5-57
Configuring Virtual Server Properties
Use this procedure to configure virtual server properties.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-10
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual
Servers table appears.
Step 2
Click Add to add a new virtual server, or select an existing virtual server, and then click Edit to modify
it. The Virtual Server configuration screen appears. The Properties configuration subset is open by
default.
The fields that you see in the Properties configuration subset depend on whether you are using Advanced
View or Basic View:
Step 3
•
To configure Advanced View properties, continue with Step 3.
•
To configure Basic View properties, continue with Step 4.
To configure virtual server properties in the Advanced View, enter the information in Table 5-2.
Table 5-2
Virtual Server Properties – Advanced View
Field
Description
Virtual Server Name
Enter the name for the virtual server.
IP Address Type
Select either IPv4 or IPv6 for the address type of the virtual server.
Virtual IP Address
Enter the IP address for the virtual server.
Virtual IP Mask
(IPv4 address type only) Select the subnet mask to apply to the virtual server
IP address.
Virtual IP Prefix Length (IPv6 address type only) Enter the prefix length to apply to the virtual server
IP address. The default length for the prefix is 128.
Transport Protocol
Select the protocol the virtual server supports:
•
Any—Indicates the virtual server is to accept connections using any IP
protocol.
•
TCP—Indicates that the virtual server is to accept connections that use
TCP.
•
UDP—Indicates that the virtual server is to accept connections that use
UDP.
Note
This field is read-only if you are editing an existing virtual server.
The Device Manager does not allow changes between protocols that
require a change to the Layer 7 server load-balancing policy map.
You need to delete the virtual server and create a new one with the
desired protocol.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-11
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-2
Virtual Server Properties – Advanced View (continued)
Field
Description
Application Protocol
This field appears if TCP or UDP is selected. Select the application protocol
to be supported by the virtual server.
Note
This field is read-only if you are editing an existing virtual server.
The Device Manager does not allow changes between protocols that
require a change to the Layer 7 server load-balancing policy map.
You need to delete the virtual server and create a new one with the
desired application protocol.
For TCP, the options are as follows:
•
FTP—File Transfer Protocol
•
Generic—Generic protocol parsing
•
HTTP—Hyper Text Transfer Protocol
•
HTTPS—HTTP over SSL
If you select HTTPS, the SSL Termination configuration subset
appears. See the “Configuring Virtual Server SSL Termination” section
on page 5-18.
•
Other—Any protocol other than those specified
•
RDP—Remote Desktop Protocol
•
RTSP—Real Time Streaming Protocol
•
SIP—Session Initiation Protocol
•
Unterminated HTTPS
Note
This option is not available if the ACE is using the NPE
software version (see the “Information About the ACE No
Payload Encryption Software Version” section on page 1-2).
For UDP, the options are as follows:
•
DNS—Domain Name System
•
Generic—Generic protocol parsing
•
Other—Any protocol other than those specified
•
RADIUS—Remote Authentication Dial-In User Service
•
SIP—Session Initiation Protocol
If you select any specific application protocol, the Protocol Inspection
configuration subset appears. See the “Configuring Virtual Server Protocol
Inspection” section on page 5-20.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-12
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-2
Virtual Server Properties – Advanced View (continued)
Field
Description
Port
By default, this field appears with the default port number for the specified
protocol.
To change the port number, enter the port to be used for the specified
protocol. Valid entries are integers from 0 to 65535 or a range of integers,
such as 10-20. Enter 0 (zero) to indicate all ports.
For a complete list of protocols and ports, see the Internet Assigned
Numbers Authority available at www.iana.org/numbers/.
All VLANs
Check the check box to support incoming traffic from all VLANs. Clear the
check box to support incoming traffic from specific VLANs only.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-13
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-2
Virtual Server Properties – Advanced View (continued)
Field
Description
VLAN
This field appears if the All VLANs check box is cleared.
In the Available list, select the VLANs to use for incoming traffic, and then
click Add to Selection. The items appear in the Selected list.
To remove VLANs, select them in the Selected lists and then click Remove
from Selection. The items appear in the Available list.
Note
HTTP Parameter Map
You cannot change the VLAN for a virtual server once it is
specified. Instead, you need to delete the virtual server and create a
new one with the desired VLAN.
This field appears if HTTP or HTTPS is the selected application protocol.
Select an existing HTTP parameter map or click *New* to create a new one:
Connection Parameter
Map
•
If you select an existing parameter map, you can view, modify, or
duplicate the existing configuration. See the “Shared Objects and
Virtual Servers” section on page 5-9 for more information about
modifying shared objects.
•
If you click *New*, the HTTP Parameter Map configuration pane
appears. Configure the HTTP parameter map as described in Table 8-2.
This field appears if TCP is the selected protocol.
Select an existing connection parameter map or click *New* to create a new
one:
•
If you select an existing parameter map, you can view, modify, or
duplicate the existing configuration. See the “Shared Objects and
Virtual Servers” section on page 5-9 for more information about
modifying shared objects.
•
If you click *New*, the Connection Parameter Map configuration pane
appears. Configure the connection parameter map as described in
Table 8-3.
Note
Click More Settings to access the additional Connection Parameter
Maps configuration attributes. By default, Device Manager hides the
default Connection Parameter Maps configuration attributes and the
attributes which are not commonly used.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-14
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-2
Virtual Server Properties – Advanced View (continued)
Field
Description
KAL-AP-TAG Name
The KAL-AP-TAG feature allows the Cisco Global Site Selector (GSS)
proprietary KAL-AP protocol to extract load and availability information
from the ACE when a firewall is positioned between the GSS and the ACE.
This feature allows you to configure a tag (name) per VIP for a maximum
of 4,096 tags on an ACE. This feature does not replace the tag per domain
feature. For more information about this feature, see the Configuring Health
Monitoring chapter in the Server Load-Balancing Guide, Cisco ACE
Application Control Engine.
In the KAL-AP-TAG Name field, enter the name as an unquoted text string
with no spaces and a maximum of 76 alphanumeric characters.
The following scenarios are not supported and will result in an error:
Kal-AP Primary Out of
Service
•
You cannot configure a tag name for a VIP that already has a tag
configuration as part of a different policy configuration.
•
You cannot associate the same tag name with more than one VIP.
•
You cannot associate the same tag name with a domain and a VIP.
•
You cannot assign two different tags to two different Layer 3 class maps
that have the same VIP, but different port numbers. The KAL-AP
protocol considers these class maps to have the same VIP and calculates
the load for both Layer 3 rules together when the GSS queries the VIP.
Check this box for the ACE to notify the Global Site Selector (GSS) that the
primary server farm is down when the backup server farm is in use.
By default, when you configure a redirect server farm as a backup server
farm on the ACE and the primary server farm fails, the backup server farm
redirects the client requests to another data center. However, the VIP
remains in the INSERVICE state.
When you configure the ACE to communicate with a GSS, it provides
information for server availability. When a backup server is in use after the
primary server farm is down and this feature is enabled, the ACE informs
the GSS that the VIP for the primary server farm is out of service by
returning a load value of 255. The GSS recognizes that the primary server
farm is down and sends future DNS requests with the IP address of the other
data center.
Clear this check box to disable this feature.
DNS Parameter Map
This field appears if DNS is the selected protocol over UDP.
Select an existing DNS parameter map or click *New* to create a new one:
•
If you select an existing parameter map, you can view, modify, or
duplicate the existing configuration. See the “Shared Objects and
Virtual Servers” section on page 5-9 for more information about
modifying shared objects.
•
If you click *New*, the DNS Parameter Map configuration pane
appears. Configure the DNS parameter map as described in Table 8-11.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-15
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-2
Virtual Server Properties – Advanced View (continued)
Field
Description
Generic Parameter Map This field appears if Generic is the selected application protocol over TCP
or UDP.
Select an existing Generic parameter map or click *New* to create a new
one:
RTSP Parameter Map
•
If you select an existing parameter map, you can view, modify, or
duplicate the existing configuration. See the “Shared Objects and
Virtual Servers” section on page 5-9 for more information about
modifying shared objects.
•
If you click *New*, the Generic Parameter Map configuration pane
appears. Configure the Generic parameter map as described in
Table 8-7.
This field appears if RTSP is the selected application protocol over TCP.
Select an existing RTSP parameter map or click *New* to create a new one:
ICMP Reply
Status
Step 4
•
If you select an existing parameter map, you can view, modify, or
duplicate the existing configuration. See the “Shared Objects and
Virtual Servers” section on page 5-9 for more information about
modifying shared objects.
•
If you click *New*, the RTSP Parameter Map configuration pane
appears. Configure the RTSP parameter map as described in Table 8-8.
Indicate how the virtual server is to respond to ICMP ECHO requests:
•
None—Indicates that the virtual server is not to send ICMP
ECHO-REPLY responses to ICMP requests.
•
Active—Indicates that the virtual server is to send ICMP
ECHO-REPLY responses only if the configured VIP is active.
•
Always—Indicates that the virtual server is always to send ICMP
ECHO-REPLY responses to ICMP requests.
•
Primary Inservice—The virtual server is to reply to an ICMP ping only
if the primary server farm state is UP, regardless of the state of the
backup server farm. If this option is selected and the primary server
farm state is DOWN, the ACE discards the ICMP request and the
request times out.
Indicate whether the virtual server is to be in service or out of service:
•
In Service—Enables the virtual server for load-balancing operations.
•
Out Of Service—Disables the virtual server for load-balancing
operations.
To configure virtual server properties in the Basic View, enter the information in Table 5-3.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-16
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-3
Virtual Server Properties – Basic View
Field
Description
Virtual Server Name
Enter the name for the virtual server.
IP Address Type
Select either IPv4 or IPv6 for the address type of the virtual server.
Virtual IP Address
Enter the IP address for the virtual server.
Transport Protocol
Select the protocol that the virtual server supports:
Application Protocol
•
Any—Indicates that the virtual server is to accept connections using
any IP protocol.
•
TCP—Indicates that the virtual server is to accept connections that use
TCP.
•
UDP—Indicates that the virtual server is to accept connections that use
UDP.
Select the application protocol to be supported by the virtual server.
For TCP, the options as follows:
•
FTP—File Transfer Protocol
•
HTTP—Hyper Text Transfer Protocol
•
HTTPS—HTTP over SSL
If you select HTTPS, the SSL Termination configuration subset
appears. See the “Configuring Virtual Server SSL Termination” section
on page 5-18.
Note
This option is not available if the ACE is using the NPE
software version (see the “Information About the ACE No
Payload Encryption Software Version” section on page 1-2).
•
Generic—Generic protocol parsing
•
Other—Any protocol other than those specified.
•
RTSP—Real Time Streaming Protocol
•
RDP—Remote Desktop Protocol
•
SIP—Session Initiation Protocol
For UDP, the options as follows:
•
DNS—Domain Name System
•
Generic—Generic protocol parsing
•
Other—Any protocol other than those specified.
•
RTSP—Real Time Streaming Protocol
•
RADIUS—Remote Authentication Dial-In User Service
•
SIP—Session Initiation Protocol
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-17
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-3
Virtual Server Properties – Basic View (continued)
Field
Description
Port
By default, this field appears with the default port number for the specified
protocol.
To change the port number, enter the port to be used for the specified
protocol. Valid entries are integers from 0 to 65535 or a range of integers,
such as 10-20. Enter 0 (zero) to indicate all ports.
For a complete list of all protocols and ports, see the Internet Assigned
Numbers Authority available at www.iana.org/numbers/.
All VLANs
Check the check box to support incoming traffic from all VLANs. Clear the
check box to support incoming traffic from specific VLANs only.
VLAN
This field appears if the All VLANs check box is cleared.
In the Available list, select the VLANs to use for incoming traffic, and then
click Add to Selection. The items appear in the Selected list.
To remove VLANs, select them in the Selected lists, and then click Remove
from Selection. The items appear in the Available list.
Note
Step 5
You cannot change the VLAN for a virtual server once it is
specified. Instead, you need to delete the virtual server and create a
new one with the desired VLAN.
When you finish configuring virtual server properties, do the following:
•
Click Deploy Now to deploy the configuration on the ACE appliance.
•
Click Cancel to exit the procedure without saving your entries.
Related Topics
•
Configuring Virtual Servers, page 5-2
•
Configuring Virtual Server SSL Termination, page 5-18
Configuring Virtual Server SSL Termination
Note
The information in this section does not apply to the ACE NPE software version (see the “Information
About the ACE No Payload Encryption Software Version” section on page 1-2).
SSL termination service allows the virtual server to act as an SSL proxy server and terminate SSL
sessions between it and its clients and then establishes a TCP connection to an HTTP server. When the
ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as
clear text to an HTTP server.
Use this procedure to configure virtual server SSL termination service.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-18
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Assumption
A virtual server has been configured for HTTPS over TCP or Other over TCP in the Properties
configuration subset. For more information, see the “Configuring Virtual Server Properties” section on
page 5-10.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual
Servers table appears.
Step 2
Select the virtual server you want to configure for SSL termination, and then click Edit. The Virtual
Server configuration screen appears.
Step 3
Click SSL Termination. The Proxy Service Name field appears.
Step 4
In the Proxy Service Name field, select an existing SSL termination service, or select *New* to create
a new SSL proxy service:
Step 5
•
If you select an existing SSL service, the screen refreshes and allows you to view, modify, or
duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on
page 5-9 for more information about modifying shared objects.
•
If you select *New*, the Proxy Service configuration subset appears.
Configure the SSL service using the in Table 5-4.
Table 5-4
Virtual Server SSL Termination Attributes
Field
Description
Name
Enter a name for this SSL proxy service. Valid entries are alphanumeric
strings with a maximum of 64 characters.
Keys
Select the SSL key pair to use during the SSL handshake for data encryption.
Certificates
Select the SSL certificate to use during the SSL handshake.
Chain Groups
Select the chain group to use during the SSL handshake.
Auth Groups
Select the SSL authentication group to associate with this proxy server
service.
CRL Best-Effort
This option appears if you select an authentication group in the Auth Group
Name field.
Check the check box to allow the ACE to search client certificates for the
service to determine if it contains a CRL in the extension and retrieve the
value, if it exists.
Clear the check box to disable this feature.
CRL Name
This option appears if the CRL Best-Effort check box is clear.
Select the Certificate Revocation List if the ACE is to use for this proxy
service.
Parameter Maps
Select the SSL parameter map to associate with this proxy server service.
For more information about SSL, see the “Configuring SSL” section on page 9-1.
Step 6
When you finish configuring virtual server properties, do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-19
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
•
Click Cancel to exit this procedure without saving your entries.
Related Topics
•
Configuring Virtual Servers, page 5-2
•
Configuring Virtual Server Properties, page 5-10
Configuring Virtual Server Protocol Inspection
Configuring protocol inspection allows the virtual server to verify protocol behavior and identify
unwanted or malicious traffic passing through the ACE appliance.
In the Advanced View, protocol inspection configuration is available for the following virtual server
protocol configurations:
•
TCP with FTP, HTTP, HTTPS, RTSP, or SIP
•
UDP with DNS or SIP
In the Basic View, protocol inspection configuration is available for TCP with FTP.
Use this procedure to configure protocol inspection on a virtual server.
Assumption
A virtual server has been configured to use one of the protocols that supports protocol inspection in the
Properties configuration subset. See the “Configuring Virtual Server Properties” section on page 5-10
for information on configuring these protocols.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers
table appears.
Step 2
Select the virtual server that you want to configure for protocol inspection, and then click Edit. The
Virtual Server configuration screen appears.
Step 3
Click Protocol Inspection. The Enable Inspect check box appears.
Step 4
Check the Enable Inspect check box to enable inspection on the specified traffic. Clear this check box
to disable inspection on this traffic. By default, ACE appliances allow all request methods.
Step 5
If you checked the Enable Inspect check box, configure additional inspection options according to
virtual server application protocol configuration:
Note
•
For DNS, in the Length field enter the maximum length of the DNS packet in bytes. Valid entries
are from 512 to 65535 bytes. If you do not enter a value in this field, the DNS packet size is not
checked.
•
For FTP, continue with Step 6.
•
For HTTP and HTTPS, continue with Step 7.
•
For SIP, continue with Step 9.
There are no protocol-specific inspection options for RTSP.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-20
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Step 6
For FTP protocol inspection, do the following:
a.
Check the Use Strict check box to indicate that the virtual server is to perform enhanced inspection
of FTP traffic and enforce compliance with RFC standards. Clear this check box to indicate that the
virtual server is not to perform enhanced FTP inspection.
b.
If you checked the Use Strict check box, in the Blocked FTP Commands field, identify the
commands that are to be denied by the virtual server. See Table 12-13 for more information about
the FTP commands.
– Select the commands that are to be blocked by the virtual server in the Available list, and then
click Add. The commands appear in the Selected list.
– To remove commands that you do not want to be blocked, select them in the Selected list, and
then click Remove. The commands appear in the Available list.
Step 7
For HTTP or HTTPS inspection, do the following:
a.
Check the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic. When
enabled, this feature logs every URL request that is sent in the specified class of traffic, including
the source or destination IP address and the URL that is accessed. Clear this check box to disable
monitoring of Layer 3 and Layer 4 traffic.
b.
In the Policy subset, click Add to add a new match condition and action, or select an existing match
condition and action, and then click Edit to modify it. The Policy configuration pane appears.
c.
In the Matches field, select an existing class map or *New* or *Inline Match* to configure new
match criteria for protocol inspection.
If you select an existing class map, the screen refreshes and allows you to view, modify, or duplicate
the selected class map. See the “Shared Objects and Virtual Servers” section on page 5-9 for more
information about modifying shared objects.
d.
Table 5-5
Configure match criteria and related actions by following the steps in Table 5-5.
Protocol Inspection Match Criteria Configuration
Selection
Action
Existing class map
1.
Click View to review the match condition information for the selected class map.
2.
Do the following:
– Click Cancel to continue without making changes and to return to the previous screen.
– Click Edit to modify the existing configuration.
– Click Duplicate to create a new class map with the same attributes without affecting other
virtual servers using the same class map.
See the “Shared Objects and Virtual Servers” section on page 5-9 for more information about
modifying shared objects.
3.
In the Action field, indicate the action that the virtual server is to perform on the traffic if it
matches the specified match criteria:
– Permit—Indicates that the specified traffic is to be received by the virtual server if it meets
the specified deep inspection match criteria.
– Reset—Indicates that the specified traffic is to be denied by the virtual server, which then
sends a TCP reset message to the client or server to close the connection.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-21
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-5
Protocol Inspection Match Criteria Configuration (continued)
Selection
Action
*New*
1.
In the Name field, specify a unique name for this class map.
2.
In the Match field, select the method to be used to evaluate multiple match statements when
multiple match conditions exist:
– All—Indicates that a match exists only if all match conditions are satisfied.
– Any—Indicates that a match exists if at least one of the match conditions is satisfied.
3.
In the Conditions table, click Add to add a new set of conditions, or select an existing entry, and
then click Edit to modify it. The Type field appears.
4.
In the Type field, select the type of condition that is to be met for protocol inspection and configure
protocol-specific criteria using the information in Table 5-6.
5.
In the Action field, indicate the action that the virtual server is to perform on the traffic if it
matches the specified match criteria:
– Permit—Indicates that the specified traffic is to be received by the virtual server if it meets
the specified deep inspection match criteria.
– Reset—Indicates that the specified traffic is to be denied by the virtual server, which then
sends a TCP reset message to the client or server to close the connection.
*Inline Match*
1.
In the Conditions Type field, select the type of inline match condition that is to be met for protocol
inspection.
Table 5-6 describes the types of conditions and their related configuration options.
2.
Provide condition-specific criteria using the information in Table 5-6.
3.
In the Action field, indicate the action that the virtual server is to perform on the traffic if it
matches the specified match criteria:
– Permit—Indicates that the specified traffic is to be received by the virtual server if it meets
the specified deep inspection match criteria.
– Reset—Indicates that the specified traffic is to be denied by the virtual server, which then
sends a TCP reset message to the client or server to close the connection.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-22
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-6
HTTP and HTTPS Protocol Inspection Conditions and Options
Condition
Description
Content
Specific content contained within the HTTP entity-body is to be used for application inspection
decisions.
Content Length
1.
In the Content Expression field, enter the content that is to be matched. Valid entries are
alphanumeric strings from 1 to 255 characters.
2.
In the Content Offset field, enter the number of bytes to be ignored starting with the first byte
of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body
of the message. Valid entries are from 1 to 255 bytes.
The content parse length is used for application inspection decisions.
1.
In the Content Length Operator field, select the operand to use to compare content length:
– Equal To—The content length must equal the number in the Content Length Value field.
– Greater Than—The content length must be greater than the number in the Content Length
Value field.
– Less Than—The content length must be less than the number in the Content Length Value
field.
– Range—The content length must be within the range specified in the Content Length
Lower Value field and the Content Length Higher Value field.
2.
Enter values to apply for content length comparison:
– If you select Equal To, Greater Than, or Less Than in the Content Length Operator field,
the Content Length Value field appears. In the Content Length Value field, enter the
number of bytes for comparison. Valid entries are integers from 0 to 4294967295.
– If you select Range in the Content Length Operator field, the Content Length Lower Value
and the Content Length Higher Value fields appear:
1. In the Content Length Lower Value field, enter the lowest number of bytes to be used
for this match condition. Valid entries are integers from 0 to 4294967295. The number in
this field must be less than the number entered in the Content Length Higher Value field.
2. In the Content Length Higher Value field, enter the highest number of bytes to be used
for this match condition. Valid entries are integers from 0 to 4294967295. The number in
this field must be greater than the number entered in the Content Length Lower Value
field.
Content Type
Verification
Verification of MIME-type messages with the header MIME-type is to be used for application
inspection decisions. This option verifies that the header MIME-type value is in the internal list
of supported MIME-types and that the header MIME-type matches the content in the data or body
portion of the message.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-23
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-6
HTTP and HTTPS Protocol Inspection Conditions and Options (continued)
Condition
Description
Header
The name and value in an HTTP header are used for application inspection decisions.
Header Length
1.
In the Header field, select one of the predefined HTTP headers to match, or select HTTP
Header to specify a different HTTP header.
2.
If you select HTTP Header, in the Header Name field, enter the name of the HTTP header to
match. Valid entries are unquoted text strings with no spaces and a maximum of 64
alphanumeric characters.
3.
In the Header Value field, enter the header-value expression string to compare against the
value in the specified field in the HTTP header. Valid entries are text strings with a maximum
of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header
expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the
header map must be matched. See Table 12-33 for a list of the supported characters that you
can use in regular expressions.
The length of the header in the HTTP message is used for application inspection decisions.
1.
In the Header Length Type field, specify whether HTTP header request or response messages
are to be used for application inspection decisions:
– Request—HTTP header request messages are to be checked for header length.
– Response—HTTP header response messages are to be checked for header length.
2.
In the Header Length Operator field, select the operand to be used to compare header length:
– Equal To—The header length must equal the number in the Header Length Value field.
– Greater Than—The header length must be greater than the number in the Header Length
Value field.
– Less Than—The header length must be less than the number in the Header Length Value
field.
– Range—The header length must be within the range specified in the Header Length
Lower Value field and the Header Length Higher Value field.
3.
Enter values to apply for header length comparison:
– If you select Equal To, Greater Than, or Less Than in the Header Length Operator field,
the Header Length Value field appears. In the Header Length Value field, enter the number
of bytes for comparison. Valid entries are integers from 0 to 255.
– If you select Range in the Header Length Operator field, the Header Length Lower Value
and the Header Length Higher Value fields appear:
1. In the Header Length Lower Value field, enter the lowest number of bytes to be used
for this match condition. Valid entries are integers from 0 to 255. The number in this field
must be less than the number entered in the Header Length Higher Value field.
2. In the Header Length Higher Value field, enter the highest number of bytes to be used
for this match condition. Valid entries are integers from 1 to 255. The number in this field
must be greater than the number entered in the Header Length Lower Value field.
Header MIME Type
Multipurpose Internet Mail Extension (MIME) message types are used for application inspection
decisions.
In the Header MIME Type field, select the MIME message type to use for this match condition.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-24
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-6
HTTP and HTTPS Protocol Inspection Conditions and Options (continued)
Condition
Description
Port Misuse
The misuse of port 80 (or any other port running HTTP) is to be used for application inspection
decisions.
Indicate the application category to use for this match condition:
Request Method
•
IM—Instant messaging applications are to be checked.
•
P2P—Peer-to-peer applications are to be checked.
•
Tunneling—Tunneling applications are to be checked.
A request method is to be used for protocol inspection decisions. By default, the ACE allows all
request and extension methods. This option allows you to configure protocol inspection decisions
based on compliance to request methods defined in RFC 2616 and by HTTP extension methods.
1.
Select the type of request method to use for this match condition:
– Ext—An HTTP extension method is to be used.
Note
The list of available HTTP extension methods from which to choose varies
depending on the version of software installed in the ACE.
– RFC—The request method defined in RFC 2616 is to be used.
2.
In the Request Method field, select the request method that is to be inspected.
Strict HTTP
Compliance with HTTP RFC 2616 is to be used for application inspection decisions.
Transfer Encoding
An HTTP transfer-encoding type is to be used for application inspection decisions. The
transfer-encoding general-header field indicates the type of transformation, if any, that has been
applied to the HTTP message body to safely transfer it between the sender and the recipient.
In the Transfer Encoding field, select the type of encoding that is to be checked:
•
Chunked—The message body is transferred as a series of chunks.
•
Compress—The encoding format that is produced by the UNIX file compression program
compress.
•
Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE
compression mechanism described in RFC 1951.
•
Gzip—The encoding format that is produced by the file compression program GZIP (GNU
zip) as described in RFC 1952.
•
Identity—The default (identity) encoding which does not require the use of transformation.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-25
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-6
HTTP and HTTPS Protocol Inspection Conditions and Options (continued)
Condition
Description
URL
URL names are to be used for application inspection decisions.
In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from
1 to 255 alphanumeric characters and include only the portion of the URL following
www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html,
include only /latest/whatsnew.html.
URL Length
URL length is to be used for application inspection decisions.
1.
In the URL Length Operator field, select the operand to use to compare URL length:
– Equal To—The URL length must equal the number in the URL Length Value field.
– Greater Than—The URL length must be greater than the number in the URL Length Value
field.
– Less Than—The URL length must be less than the number in the URL Length Value field.
– Range—The URL length must be within the range specified in the URL Length Lower
Value field and the URL Length Higher Value field.
2.
Enter values to apply for URL length comparison:
– If you select Equal To, Greater Than, or Less Than in the URL Length Operator field, the
URL Length Value field appears. In the URL Length Value field, enter the value for
comparison. Valid entries are from 1 to 65535 bytes.
– If you select Range in the URL Length Operator field, the URL Length Lower Value and
the URL Length Higher Value fields appear:
1. In the URL Length Lower Value field, enter the lowest number of bytes to be used for
this match condition. Valid entries are integers from 1 to 65535. The number in this field
must be less than the number entered in the URL Length Higher Value field.
2. In the URL Length Higher Value field, enter the highest number of bytes to be used for
this match condition. Valid entries are integers from 1 to 65535. The number in this field
must be greater than the number entered in the URL Length Lower Value field.
e.
Do the following:
– Click OK to save your entries. The Conditions table refreshes with the new entry.
– Click Cancel to exit the Policy subset without saving your entries.
f.
In the Default Action field, select the default action that the virtual server is to take when specified
match conditions for protocol inspection are not met:
– Permit—Indicates that the specified HTTP traffic is to be received by the virtual server.
– Reset—Indicates that the specified HTTP traffic is to be denied by the virtual server.
– N/A—Indicates that this attribute is not set.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-26
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Step 8
For SIP inspection, do the following:
a.
In the Actions subset, click Add to add a new match condition and action, or select an existing match
condition and action, and then click Edit to modify it. The Actions configuration pane appears.
b.
In the Matches field, select an existing class map or *New* or *Inline Match* to configure new
match criteria for protocol inspection.
If you select an existing class map, the screen refreshes and allows you to view, modify, or duplicate
the selected class map. See the “Shared Objects and Virtual Servers” section on page 5-9 for more
information about modifying shared objects.
c.
Table 5-7
Configure match criteria and related actions using the information in Table 5-7.
SIP Protocol Inspection Conditions and Options
Condition
Description
Called Party
The destination or called party specified in the URI of the SIP To header is used for SIP protocol
inspection decisions.
In the Called Party field, enter a regular expression that identifies the called party in the URI of
the SIP To header for this match condition. Valid entries are unquoted text strings with no spaces
and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching string expressions. Table 12-33 lists the supported characters that you can use for
matching string expressions.
Calling Party
The source or caller specified in the URI of the SIP From header is used for SIP protocol
inspection decisions.
In the Calling Party field, enter a regular expression that identifies the calling party in the URI of
the SIP From header for this match condition. Valid entries are unquoted text strings with no
spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching string expressions. Table 12-33 lists the supported characters that you can use for
matching string expressions.
IM Subscriber
An IM (instant messaging) subscriber is used for application inspection decisions.
In the IP Subscriber field, enter a regular expression that identifies the IM subscriber for this
match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. The ACE supports regular expressions for matching string expressions.
Table 12-33 lists the supported characters that you can use for matching string expressions.
Message Path
SIP inspection allows you to filter messages coming from or transiting through certain SIP proxy
servers. The ACE maintains a list of the unauthorized SIP proxy IP addresses or URIs in the form
of regular expressions and checks this list against the VIA header field in each SIP packet.
In the Message Path field, enter a regular expression that identifies the SIP proxy server for this
match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. The ACE supports regular expressions for matching string expressions.
Table 12-33 lists the supported characters that you can use for matching string expressions.
SIP Content Type
The content type in the SIP message body is used for SIP protocol inspection decisions.
In the Content Type field, enter a regular expression that identifies the content type in the SIP
message body to use for this match condition. Valid entries are unquoted text strings with no
spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching string expressions. Table 12-33 lists the supported characters that you can use for
matching string expressions.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-27
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-7
SIP Protocol Inspection Conditions and Options (continued)
Condition
Description
SIP Content Length
The SIP message body content length is used for SIP protocol inspection decisions.
To specify SIP traffic based on SIP message body length:
SIP Request Method
1.
In the Content Operator field, confirm that Greater Than is selected.
2.
In the Content Length field, enter the maximum size of a SIP message body in bytes that the
ACE is to allow without performing SIP protocol inspection. If a SIP message exceeds the
specified value, the ACE performs SIP protocol inspection as defined in an associated policy
map. Valid entries are integers from 0 to 65534 bytes.
A SIP request method is used for application inspection decisions.
In the Request Method field, select the request method that is to be inspected.
Third Party
SIP allows users to register other users on their behalf by sending REGISTER messages with
different values in the From and To header fields. This process can pose a security threat if the
REGISTER message is actually a DEREGISTER message. A malicious user could cause a DoS
(denial-of-service) attack by deregistering all users on their behalf. To prevent this security threat,
you can specify a list of privileged users who can register or unregister someone else on their
behalf. The ACE maintains the list as a regex table. If you configure this policy, the ACE drops
REGISTER messages with mismatched From and To headers and a From header value that does
not match any of the privileged user IDs.
In the Third Party Registration Entities field, enter a regular expression that identifies a privileged
user who is authorized for third-party registrations. Valid entries are unquoted text strings with no
spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching string expressions. Table 12-33 lists the supported characters that you can use for
matching string expressions.
URI Length
The ACE can validate the length of SIP URIs or Tel URIs. A SIP URI is a user identifier that a
calling party (source) uses to contact the called party (destination). A Tel URI is a telephone
number that identifies the endpoint of a SIP connection. For more information about SIP URIs and
Tel URIs, see RFC 2534 and RFC 3966, respectively.
To filter SIP traffic based on URIs, do the following:
1.
In the URI Type field, indicate the type of URI to be used:
– SIP URI—The calling party URI is to be used for this match condition.
– Tel URI—A telephone number is to be used for this match condition.
2.
In the URI Operator field, confirm that Greater Than is selected.
3.
In the URI Length field, enter the maximum length of the SIP URI or Tel URI in bytes. Valid
entries are integers from 0 to 254 bytes.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-28
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
d.
In the Action field, select the action that the virtual server is to take when the specified match
conditions are met:
– Drop—The specified SIP traffic is to be discarded by the virtual server.
– Permit—The specified SIP traffic is to be received by the virtual server.
– Reset—The specified SIP traffic is to be denied by the virtual server.
e.
Do the following:
– Click OK to save your entries. The Conditions table refreshes with the new entry.
– Click Cancel to exit the Conditions subset without saving your entries and to return to the
Conditions table.
f.
In the SIP Parameter Map field, select an existing parameter map or select *New* to configure a
new one.
If you select an existing parameter map, the screen refreshes and allows you to view, modify, or
delete the selected parameter map. See the “Shared Objects and Virtual Servers” section on page 5-9
for more information about modifying shared objects.
g.
Configure SIP parameter map options using the information in Table 8-9.
h.
In the Secondary Connection Parameter Map field, select an existing parameter map or select
*New* to configure a new one.
If you select an existing parameter map, the screen refreshes and allows you to view, modify, or
delete the selected parameter map. See the “Shared Objects and Virtual Servers” section on page 5-9
for more information about modifying shared objects.
i.
Configure secondary connection parameter map options using the information in Table 8-3.
j.
In the Default Action field, select the default action that the virtual server is to take when specified
match conditions for SIP protocol inspection are not met:
– Drop—The specified SIP traffic is to be discarded by the virtual server.
– Permit—The specified SIP traffic is to be received by the virtual server.
– Reset—The specified SIP traffic is to be denied by the virtual server.
k.
Step 9
Check the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic. When
enabled, this feature logs every URL request that is sent in the specified class of traffic, including
the source or destination IP address and the URL that is accessed. Clear this check box to disable
monitoring of Layer 3 and Layer 4 traffic.
When you finish configuring virtual server properties, do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries.
Related Topics
•
Configuring Virtual Server Properties, page 5-10
•
Configuring Virtual Server SSL Termination, page 5-18
•
Configuring Virtual Server Layer 7 Load Balancing, page 5-30
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-29
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Configuring Virtual Server Layer 7 Load Balancing
Layer 7 load balancing is available for virtual servers configured with one of the following protocol
combinations:
•
TCP with Generic, HTTP, HTTPS, RTSP, or SIP
•
UDP with Generic, RADIUS, or SIP
See the “Configuring Virtual Server Properties” section on page 5-10 for information on configuring
these protocols.
Use this procedure to configure Layer 7 load balancing on a virtual server.
Assumption
A virtual server has been configured with one of the following protocol combinations:
•
TCP with Generic, HTTP, HTTPS, RTSP, or SIP
•
UDP with Generic, RADIUS, or SIP0
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers.
The Virtual Servers table appears.
Step 2
Select the virtual server you want to configure for Layer 7 load balancing, and then click Edit.
The Virtual Server configuration screen appears.
Step 3
Click L7 Load-Balancing. The Layer 7 Load-Balancing Rule Match table appears.
Step 4
In the Rule Match table, click Add to add a new match condition and action, or select an existing match
condition and action, and then click Edit to modify it.
The Rule Match configuration pane appears.
Step 5
Step 6
In the Rule Match field, select an existing class map or *New* or *Inline Match* to configure new
match criteria for Layer 7 load balancing:
•
If you select an existing class map, click View to review, modify, or duplicate the existing
configuration. See the “Shared Objects and Virtual Servers” section on page 5-9 for more
information about modifying shared objects.
•
If you click *New* or *Inline Match*, the Rule Match configuration subset appears.
Configure match criteria by following the steps in Table 5-8.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-30
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-8
Layer 7 Load-Balancing Match Criteria Configuration
Selection
Action
Existing class map
1.
Click View to review the match condition information for the selected class map.
2.
Do the following:
– Click Cancel to continue without making changes and to return to the previous screen.
– Click Edit to modify the existing configuration.
– Click Duplicate to create a new class map with the same attributes without affecting other
virtual servers using the same class map.
See the “Shared Objects and Virtual Servers” section on page 5-9 for more information about
modifying shared objects.
*New*
1.
In the Name field, enter a unique name for this class map.
2.
In the Matches field, select the method to be used to evaluate multiple match statements when
multiple match conditions exist:
– Any—Indicates that a match exists if at least one of the match conditions is satisfied.
– All—Indicates that a match exists only if all match conditions are satisfied.
3.
In the Conditions table, click Add to add a new set of conditions or select an existing entry,
and then click Edit to modify it.
4.
In the Type field, select the match condition and configure any protocol-specific options:
– For Generic protocol options, see Table 12-8.
– For HTTP and HTTPS protocol options, see Table 5-9.
– For RADIUS protocol options, see Table 12-9.
– For RTSP protocol options, see Table 12-10.
– For SIP protocol options, see Table 12-11.
5.
Configure any condition-specific options using the information in Table 5-9.
6.
Do the following:
– Click OK to accept your entries and to return to the Conditions table.
– Click Cancel to exit this procedure without saving your entries and to return to the
Conditions table.
*Inline Match*
In the Conditions Type field, select the type of inline match condition and configure any
protocol-specific options:
•
For Generic protocol options, see Table 12-8
•
For HTTP and HTTPS protocol options, see Table 5-9
•
For RADIUS protocol options, see Table 12-9
•
For RTSP protocol options, see Table 12-10
•
For SIP protocol options, see Table 12-11
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-31
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-9
Layer 7 HTTP/HTTPS Load-Balancing Rule Match Configuration
Match Condition
Description
Class Map
Indicates that this rule is to use an existing class map to establish match conditions.
If you select this method, in the Class Map field, select the class map to be used.
Note
HTTP Content
HTTP Cookie
This option is not available for inline match conditions.
Specific content contained within the HTTP entity-body is used to establish a match condition.
1.
In the Content Expression field, enter the content that is to be matched. Valid entries are
alphanumeric strings from 1 to 255 characters.
2.
In the Content Offset field, enter the number of bytes to be ignored starting with the first byte
of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body
of the message. Valid entries are integers from 1 to 255.
Indicates that HTTP cookies are to be used for this rule.
If you select this method:
HTTP Header
1.
In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings
with no spaces and a maximum of 64 alphanumeric characters.
2.
In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted
text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE
appliance supports regular expressions for matching string expressions. Table 12-33 lists the
supported characters that you can use for matching string expressions.
3.
Check the Secondary Cookie Matching check box to indicate that the ACE appliance is to use
both the cookie name and the cookie value to satisfy this match condition. Clear this check
box to indicate that the ACE appliance is to use either the cookie name or the cookie value to
satisfy this match condition.
Indicates that the HTTP header and a corresponding value are to be used for this rule.
If you select this method:
1.
In the Header Name field, enter the name of the generic field in the HTTP header. Valid entries
are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
2.
In the Header Value field, enter the header-value expression string to compare against the
value in the specified field in the HTTP header. Valid entries are text strings with a maximum
of 255 alphanumeric characters. The ACE appliance supports regular expressions for
matching. Header expressions allow spaces, provided that the spaces are escaped or quoted.
All headers in the header map must be matched. Table 12-33 lists the supported characters that
you can use in regular expressions.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-32
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-9
Layer 7 HTTP/HTTPS Load-Balancing Rule Match Configuration (continued)
Match Condition
Description
HTTP URL
Indicates that this rule is to perform regular expression matching against the received packet data
from a particular connections based on the HTTP URL string.
If you select this method:
1.
In the URL Expression field, enter a URL, or portion of a URL, to match. Valid entries are
URL strings from 1 to 255 alphanumeric characters. Include only the portion of the URL
following www.hostname.domain in the match statement. For example, in the URL
www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the
www.anydomain.com portion, the URL string can take the form of a URL regular expression.
The ACE appliance supports regular expressions for matching URL strings. Table 12-33 lists
the supported characters that you can use in regular expressions.
2.
In the Method Expression field, enter the HTTP method to match. Valid entries are unquoted
text strings with no spaces and a maximum of 64 alphanumeric characters. The method can
either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT,
DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example,
CORVETTE).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-33
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-9
Layer 7 HTTP/HTTPS Load-Balancing Rule Match Configuration (continued)
Match Condition
Description
Source Address
Indicates that this rule is to use a client source IP address to establish match conditions.
If you select this method:
1.
In the Source Address field, enter the source IP address of the client. Enter the IP address in
dotted-decimal notation (for example, 192.168.11.2).
2.
In the Netmask field, select the subnet mask to apply to the source IP address.
SSL
Note
The SSL option does not apply to the ACE NPE software version (see the “Information
About the ACE No Payload Encryption Software Version” section on page 1-2).
Defines load balancing decisions based on the specific SSL cipher or cipher strength. Enables the
ACE to load balance client traffic to different server farms based on the SSL encryption level
negotiated with the ACE during SSL termination.
If you select this method:
1.
In the SSL Cipher Match Type field, select the match type. Options are as follows:
– Equal To—Specifies an SSL cipher for the load balancing decision.
– Less Than—Specifies SSL cipher strength for the load balancing decision.
2.
If you selected Equal To, in the Cipher Name field specify an SSL cipher for the load
balancing decision. The possible values are as follows:
– RSA_EXPORT1024_WITH_DES_CBC_SHA
– RSA_EXPORT1024_WITH_RC4_56_MD5
– RSA_EXPORT1024_WITH_RC4_56_SHA
– RSA_EXPORT_WITH_DES40_CBC_SHA
– RSA_EXPORT_WITH_RC4_40_MD5
– RSA_WITH_3DES_EDE_CBC_SHA
– RSA_WITH_AES_128_CBC_SHA
– RSA_WITH_AES_256_CBC_SHA
– RSA_WITH_DES_CBC_SHA
– RSA_WITH_RC4_128_MD5
– RSA_WITH_RC4_128_SHA
3.
If you selected Less Than, in the Specify Minimum Cipher Strength field specify a
non-inclusive minimum SSL cipher bit strength. For example, if you specify a cipher strength
value of 128, any SSL cipher that was no greater than 128 would hit the traffic policy. If the
SSL cipher was 128-bit or greater, the connection would miss the policy.
The possible values are as follows:
– 128—128-bit strength
– 168—168-bit strength
– 256—256-bit strength
– 56—56-bit strength
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-34
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Step 7
Step 8
In the Primary Action field, indicate the action that the virtual server is to perform on the traffic if it
matches the specified match criteria:
•
Drop—Indicates that client requests for content are to be discarded when match conditions are met.
Continue with Step 10.
•
Forward—Indicates that client requests for content are to be forwarded without performing load
balancing on the requests when match conditions are met. Continue with Step 10.
•
Load Balance—Indicates that client requests for content are to be directed to a server farm when
match conditions are met. Continue with Step 8.
•
Sticky—Client requests for content are handled by a sticky group when match conditions are met.
Continue with Step 8.
If you select Load Balance as the primary action, you can configure load balancing using a server farm,
a server farm/backup server farm pair, an existing sticky group, or a new sticky group.
If you select an existing object in any of these scenarios, you can view, modify, or duplicate the selected
object’s existing configuration. See the “Shared Objects and Virtual Servers” section on page 5-9 for
more information about modifying shared objects in virtual servers.
Note
To display statistics and status information for an existing server farm, choose a server farm
in the list, and click Details. DM accesses the show serverfarm name detail CLI command
to display detailed server farm information. See the “Displaying Server Farm Statistics and
Status Information” section on page 6-39.
Configure load balancing using the information in Table 5-10.
Table 5-10
Virtual Server Load-Balancing Options
To configure...
Do this...
Load balancing using a server farm
In the Server Farm field, select the server farm1 to be used for load
balancing for this virtual server, or select *New* to configure a new
server farm (see Table 5-11).
Load balancing using a server farm/backup server
farm pair
1.
In the Server Farm field, select the primary server farm1 to use for
load balancing, or select *New* to configure a new server farm (see
Table 5-11).
2.
In the Backup Server Farm field, select the server farm1 to act as the
backup server farm for load balancing if the primary server farm is
unavailable, or select *New* to configure a new backup server farm
(see Table 5-11).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-35
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-10
Virtual Server Load-Balancing Options (continued)
To configure...
Do this...
Load balancing using an existing sticky group
1.
In the Server Farm field, select the primary server farm1 to use for
load balancing. This must be the primary server farm specified in
the existing sticky group.
2.
In the Backup Server Farm field, select the backup server farm1 to
use for load balancing. This must be the backup server farm
specified in the existing sticky group.
3.
In the Sticky Group field, select the sticky group to use.
Note
Load balancing using a new sticky group
Sticky groups appear in the Sticky Group field only when their
configured primary and backup server farms are selected,
respectively. If you select a sticky group and then select a
different primary or backup server farm, the sticky group that
you selected in the Sticky Group field no longer appears. To
change an existing sticky group configuration, modify it in the
Stickiness configuration screen (Config > Virtual Contexts >
context > Load Balancing > Stickiness).
1.
In the Server Farm field, select the primary server farm1 to use for
load balancing, or select *New* to configure a new server farm (see
Table 5-11).
2.
In the Backup Server Farm field, select the server farm1 to act as the
backup server farm for load balancing if the primary server farm is
unavailable, or select *New* to configure a new backup server farm
(see Table 5-11).
3.
In the Sticky Group field, select *New*, and then configure a new
sticky group using the information in Table 5-13.
Note
The context in which you configure a sticky group must be
associated with a resource class that allocates a portion of ACE
appliance resources to stickiness. See the “Managing Resource
Classes” section on page 4-35 for more information on resource
classes.
1. When you select an existing server farm, you can do the following using the function buttons that appear:
- Click View to display the server farm configuration, which you can then edit or duplicate using the functions buttons that appear.
- Click Details to display the show serverfarm sf_name detail command output in a pop-up window. This command output provides server farm configuration
information.
- Click Buddy Group to display the show buddy group command output in a pop-up window. This command output shows the list of buddy groups that are
configured in the virtual context (for more information, see the “Buddy Sticky Groups” section on page 7-6).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-36
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-11
New Server Farm Attributes
Field
Description
Name
Enter a unique name for this server farm. Valid entries are unquoted text strings with no spaces and a
maximum of 64 characters.
Type
Select the type of server farm:
•
Host—A typical server farm that consists of real servers that provide content and services to clients.
By default, if you configure a backup server farm and all real servers in the primary server farm go
down, the primary server farm fails over to the backup server farm. Use the following options to specify
thresholds for failover and returning to service.
a. In the Partial-Threshold Percentage field, enter the minimum percentage of real servers in the
primary server farm that must remain active for the server farm to stay up. If the percentage of
active real servers falls below this threshold, the ACE takes the server farm out of service. Valid
entries are integers from 0 to 99.
b. In the Back Inservice field, enter the percentage of real servers in the primary server farm that must
be active again for the ACE to place the server farm back into service. Valid entries are integers
from 0 to 99. The value in this field should be larger than the value in the Partial Threshold
Percentage field.
•
Fail Action
Redirect—A server farm that consists only of real servers that redirect client requests to alternate
locations specified in the real server configuration.
Select the action the ACE appliance is to take with respect to connections if any real server in the server
farm fails:
•
N/A—Indicates that the ACE appliance is to take no action if any server in the server farm fails.
•
Purge—Indicates that the ACE appliance is to remove connections to a real server if that real server in
the server farm fails. The ACE appliance sends a reset command to both the client and the server that
failed.
•
Reassign—Indicates that the ACE reassign the existing server connections to the backup real server (if
configured) if the real server fails after you enter this command. If a backup real server has not been
configured for the failing server, this selection leaves the existing connections untouched in the failing
real server.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-37
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-11
New Server Farm Attributes (continued)
Field
Description
Failaction
Reassign
Across Vlans
This field appears only when the L7 Load-Balancing Action parameters are set as follows:
Primary Action: LoadBalance, ServerFarm: New, Fail Action: Reassign.
Check the check box to specify that the ACE reassigns the existing server connections to the backup real
server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real server fails. If
a backup real server has not been configured for the failing server, this option has no effect and leaves the
existing connections untouched in the failing real server.
Note the following configuration requirements and restrictions when you enable this option:
•
Enable the Transparent option (see the next Field) to instruct the ACE not to use NAT to translate the
ACE VIP address to the server IP address. The Failaction Reassign Across Vlans option is intended for
use in stateful firewall load balancing (FWLB) on your ACE, where the destination IP address for the
connection coming in to the ACE is for the end-point real server, and the ACE reassigns the connection
so that it is transmitted through a different next hop.
•
Enable the MAC Sticky option on all server-side interfaces to ensure that packets that are going to and
coming from the same server in a flow will traverse the same firewalls or stateful devices (see the
“Configuring Virtual Context VLAN Interfaces” section on page 10-10).
•
Configure the Predictor Hash Address option. See Table 5-12 for the supported predictor methods and
configurable attributes for each predictor method.
•
You must configure identical policies on the primary interface and the backup-server interface. The
backup interface must have the same feature configurations as the primary interface.
•
If you configure a policy on the backup-server interface that is different from the policies on the
primary-server interface, that policy will be effective only for new connections. The reassigned
connection will always have only the primary-server interface policies.
•
Interface-specific features (for example, NAT, application protocol inspection, outbound ACLs, or
SYN cookie) are not supported.
•
You cannot reassign connections to the failed real server after it comes back up. This restriction also
applies to same-VLAN backup servers.
•
Real servers must be directly connected to the ACE. This requirement also applies to same-VLAN
backup server.
•
You must disable sequence number randomization on the firewall (see the “Configuring Connection
Parameter Maps” section on page 8-5).
•
Probe configurations should be similar on both ACEs and the interval values should be low. For
example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2, the
reassigned connections may become stuck because of the probe configuration mismatch. ACE-2 with
the low interval value will detect the primary server failure first and will reassign all its incoming
connections to the backup-server interface VLAN. ACE-1 with the high interval value may not detect
the failure before the primary server comes back up and will still point to the primary server.
To minimize packet loss, we recommend the following probe parameter values on both ACEs: Interval: 2,
Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-38
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-11
New Server Farm Attributes (continued)
Field
Description
Transparent
This field appears only for real servers identified as host servers.
Check the check box to specify that network address translation from the VIP address to the server IP is to
occur. Clear the check box to indicates that network address translation from the VIP address to the server
IP address is not to occur (default).
Dynamic
Workload
Scaling
This field appears only for host server farms.
Allows the ACE to burst traffic to remote VMs when the average CPU usage, memory usage, or both of the
local VMs has reached its specified maximum threshold value. The ACE stops bursting traffic to the remote
VMs when the average CPU or memory usage of the local VMs has dropped to its specified minimum
threshold value. This option requires that you have the ACE configured for Dynamic Workload Scaling
using a Nexus 7000, VM Controller, and VM probe (see the “Configuring Dynamic Workload Scaling”
section on page 6-14).
Click one of the following radio button options:
•
N/A—Not applicable (default).
•
Local—The ACE can use the VM Controller local VMs only for load balancing (bursting is not
allowed).
•
Burst—Enables the ACE to burst traffic to a remote VM Controller VMs.
When you choose Burst, the VM Probe Name field appears along with a list of available VM probes.
Choose an available VM probe or click Add to display the Health Monitoring pop-up window and
create a new VM probe or edit an existing one (see the “Configuring Health Monitoring” section on
page 6-39).
Fail-On-All
This field appears only for host server farms.
By default, real servers that you configure in a server farm inherit the probes that you configure directly on
that server farm. When you configure multiple probes on a server farm, the real servers in the server farm
use an OR logic with respect to the probes, which means that if one of the probes configured on the server
farm fails, all the real servers in that server farm fail and enter the PROBE-FAILED state.
With AND logic, if one server farm probe fails, the real servers in the server farm remain in the
OPERATIONAL state. If all the probes associated with the server farm fail, then all the real servers in that
server farm fail and enter the PROBE-FAILED state. You can also configure AND logic for probes that you
configure directly on real servers in a server farm.
Check this check box to configure the real servers in a server farm to use AND logic with respect to multiple
server farm probes.
The Fail On All function is applicable to all probe types.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-39
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-11
New Server Farm Attributes (continued)
Field
Description
Inband-Health
Check
This field appears only for host server farms.
By default, the ACE monitors the health of all real servers in a configuration through the use of ARPs and
health probes. However, there is latency period between when the real server goes down and when the ACE
becomes aware of the state. The inband health monitoring feature allows the ACE to monitor the health of
the real servers in the server farm through the following connection failures:
•
For TCP, resets (RSTs) from the server or SYN timeouts.
•
For UDP, ICMP Host, Network, Port, Protocol, and Source Route unreachable messages.
When you configure the failure-count threshold and the number of these failures exceeds the threshold
within the reset-time interval, the ACE immediately marks the server as failed, takes it out of service, and
removes it from load balancing. The server is not considered for load balancing until the optional
resume-service interval expires.
Choose one of the following:
•
Count—Tracks the total number of TCP or UDP failures, and increments the counters as displayed by
the show serverfarm name inband CLI command.
•
Log—Logs a syslog error message when the number of events reaches the configured connection
failure threshold.
•
Remove—Logs a syslog error message when the number of events reaches the threshold and removes
the server from service.
Note
You can configure this feature and health probes to monitor a server. When you do, both are required
to keep a real server in service within a server farm. If either feature detects a server is out of service,
the ACE does not select the server for load balancing.
This field appears only when the Inband-Health Check is set to Log or Remove.
Connection
Failure
Threshold
Count
Enter the maximum number of connection failures that a real server can exhibit in the reset-time interval
before ACE marks the real server as failed. Valid entries are integers from 1 to 4294967295.
Reset Timeout
(Milliseconds)
This field appears only when the Inband-Health Check is set to Log or Remove.
Enter the number of milliseconds for the reset-time interval. Valid entries are integers from 100 to 300000.
The default interval is 100.
This interval starts when the ACE detects a connection failure. If the connection failure threshold is reached
during this interval, the ACE generates a syslog message. When the Inband-Health Check is set to Remove,
the ACE also removes the real server from service.
Changing the setting of this option affects the behavior of the real server, as follows:
•
When the real server is in the OPERATIONAL state, even if several connection failures have occurred,
the new reset-time interval takes effect the next time that a connection error occurs.
•
When the real server in the INBAND-HM-FAILED state, the new reset-time interval takes effect the
next time that a connection error occurs after the server transitions to the OPERATIONAL state.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-40
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-11
New Server Farm Attributes (continued)
Field
Description
Resume
Service
(Seconds)
This field appears only when the Inband-Health Check is set to Remove.
Predictor
Enter the number of seconds after a server has been marked as failed to reconsider it for sending live
connections. Valid entries are integers from 30 to 3600. The default setting is 0. The setting of this option
affects the behavior of the real server in the inband failed state, as follows:
•
When this field is not configured and has the default setting of 0, the real server remains in the failed
state until you manually suspend and then reactivate it.
•
When this field is not configured and has the default setting of 0 and then you configure this option
with an integer between 30 and 3,600, the failed real server immediately transitions to the Operational
state.
•
When you configure this field and then increase the value, the real server remains in the failed state for
the duration of the previously-configured value. The new value takes effect the next time the real server
transitions to the failed state.
•
When you configure this field and then decrease the value, the failed real server immediately transitions
to the Operational state.
•
When you configure this field with an integer between 30 and 3,600 and then reset it to the default of
0, the real server remains in the failed state for the duration of the previously-configured value. The
default setting takes effect the next time the real server transitions to the failed state. Then the real
server remains in the failed state until you manually suspend and then reactivate it.
•
When you change this field within the reset-time interval and the real server is in the OPERATIONAL
state with several connection failures, the new threshold interval takes effect the next time that a
connection error occurs, even if it occurs within the current reset-time interval.
Specify the method for selecting the next server in the server farm to respond to client requests. Round
Robin is the default predictor method for a server farm.
See Table 5-12 for the supported predictor methods and configurable attributes for each predictor method.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-41
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-11
New Server Farm Attributes (continued)
Field
Description
Probes
Specify the health monitoring probes to use:
•
To include a probe that you want to use for health monitoring, select it in the Available list, and then
click Add. The probe appears in the Selected list.
The redirect real server probe list contains only configured probes of the type Is Routed, which means
that the ACE routes the probe address according to the ACE internal routing table (see the “Configuring
Health Monitoring for Real Servers” section on page 6-41).
Note
You can associate both IPv6 and IPv4 probes to a server farm.
Note
The list of available probes does not include VM health monitoring probes. To choose a VM
probe for monitoring local VM usage, see the Dynamic Workload Scaling field.
•
To remove a probe that you do not want to use for health monitoring, select it in the Selected list, and
then click Remove. The probe appears in the Available list.
•
To specify a sequence for probe use, select probes in the Selected list, and then click Up or Down until
you have the desired sequence.
•
To view the configuration for an existing probe, select a probe in the list on the right, and then click
View.
•
To display statistics and status information for an existing probe, choose a probe in the list on the right,
and click Details. DM accesses the show probe name detail CLI command to display detailed probe
information. See the “Displaying Health Monitoring Statistics and Status Information” section on
page 6-69.
To add a new probe, click Create. See the “Configuring Health Monitoring for Real Servers” section on
page 6-41 for details on adding a new health monitoring probe and defining attributes for the specific probe
type. In addition, set the following probe configuration parameters in the Probes section under Server Farm:
•
Expect Addresses—To configure expect addresses for a DNS probe in Expect Addresses configuration
screen, in the IPv4/IPv6 Address field, enter the IP address that the ACE appliance expects as a server
response to a DNS request. You can enter multiple addresses in this field. However, you cannot mix
IPv4 and IPv6 addresses.
•
Probe Headers—To configure probe headers for either an HTTP or HTTPS probe, in the Probe Headers
field enter the name of the HTTP header and the value to be matched using the format
header_name=header_value where:
– header_name represents the HTTP header name the probe is to use. Valid entries are unquoted text
strings with no spaces and a maximum of 64 alphanumeric characters. You can specify predefined
header or any custom header name provided that it does not exceed the maximum length limit.
– header_value represents the string to assign to the header field. Valid entries are text strings with
a maximum of 255 characters. If the string includes spaces, enclose the string with quotes.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-42
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-11
New Server Farm Attributes (continued)
Field
Description
Probes (Cont.)
•
Probe Expect Status—To configure probe expect status for an FTP, HTTP, HTTPS, RTSP, SIP-TCP,
SIP-UDP, or SMTP probe, in the Probe Expect Status field enter the following information:
– To configure a single expect status code, enter the minimum expect status code for this probe
followed by the same expect status code that you entered as the minimum. Valid entries are integers
from 0 to 999.
– To configure a range of expect status codes, enter the lower limit of the range of status codes
followed by the upper limit of the range of status codes. The maximum expect status code must be
greater than or equal to the value specified for the minimum expect status code. Valid entries are
integers from 0 to 999.
•
SNMP OID Table—To configure the SNMP OID for an SNMP probe, see the “Configuring an OID for
SNMP Probes” section on page 6-68.
After you add a probe, you can modify the attributes for a health probe from the Health Monitoring table
(Config > Virtual Contexts > context > Load Balancing > Health Monitoring) as described in the
“Configuring Health Monitoring for Real Servers” section on page 6-41. You can also delete an existing
health probe from the Health Monitoring table.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-43
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-11
New Server Farm Attributes (continued)
Field
Description
Real Servers
The Real Servers table allows you to add, modify, remove, or change the order of real servers.
1.
Select an existing server, or click Add to add a real server to the server farm:
– If you select an existing server, you can view, modify, or duplicate the server’s existing
configuration. See the “Shared Objects and Virtual Servers” section on page 5-9 for more
information about modifying shared objects.
– If you click Add, the table refreshes and allows you to enter server information.
2.
For the IP Address Type, select either IPv6 or IPv4.
3.
In the IP Address field, enter the IP address.
4.
In the Name field, enter the name of the real server.
5.
In the Port field, enter the port number to be used for server port address translation (PAT). Valid entries
are integers from 1to 65535.
6.
In the Weight field, enter the weight to assign to this server in the server farm. Valid entries are integers
from 1 to 100, and the default is 8.
7.
In the Redirection Code field, select the appropriate redirection code. This field appears only for real
servers identified as redirect servers.
– N/A—Indicates that the webhost redirection code is not defined.
– 301—Indicates that the requested resource has been moved permanently. For future references to
this resource, the client should use one of the returned URIs.
– 302—Indicates that the requested resource has been found, but has been moved temporarily to
another location. For future references to this resource, the client should use the request URI
because the resource may be moved to other locations from time to time.
8.
In the Web Host Redirection field, enter the URL string used to redirect requests to another server. This
field appears only for real servers identified as redirect servers. Enter the URL and port used to redirect
requests to another server. Valid entries are in the form http://host.com:port where host is the name of
the server and port is the port to be used. Valid host entries are unquoted text strings with no spaces and
a maximum of 255 characters. Valid port numbers are from 1 to 65535.
The relocation string supports the following special characters:
– %h—Inserts the hostname from the request Host header
– %p—Inserts the URL path string from the request
9.
In the Rate Bandwidth, field, specify the real server bandwidth limit in bytes per second. Valid entries
are integers from 1 to 300000000.
10. In the Rate Connection field, specify the limit for connections per second. Valid entries are integers
from 1 to 350000.
11. In the State field, select the administrative state of this server:
– In Service—The server is to be placed in use as a destination for server load balancing
– In Service Standby—The server is a backup server and is to remain inactive unless the primary
server fails. If the primary server fails, the backup server becomes active and starts accepting
connections.
– Out Of Service—The server is not to be placed in use by a server load balancer as a destination for
client connections.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-44
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-11
New Server Farm Attributes (continued)
Field
Description
Real Servers
(continued)
12. In the Buddy Real Group field, associate the real server with a buddy group by creating a buddy real
server group or select an existing one (for more information, see the “Buddy Sticky Groups” section on
page 7-6).
13. In the Fail-On-All field, check this check box to configure a real server to remain in the
OPERATIONAL state unless all probes associated with it fail (AND logic). The Fail-On-All function
is applicable to all probe types.
Fail-On-All is applicable only for host real servers.
14. In the Cookie String field, enter a cookie string value of the real server, which is to be used for HTTP
cookie insertion when establishing a sticky connection. Valid entries are text strings with a maximum
of 32 alphanumeric characters. You can include spaces and special characters in a cookie string value.
See Chapter 7, “Configuring Stickiness” for details on HTTP cookie sticky connections.
Cookie String is applicable only for host real servers
15. Do the following:
– Click OK to accept your entries and add this real server to the server farm. The table refreshes with
updated information.
– Click Cancel to exit this procedure without saving your entries and to return to the Real Servers
table.
To display statistics and status information for an existing real server, choose a real server in the list, and
then click Details. DM accesses the show rserver name detail CLI command to display detailed real server
information. See the “Displaying Real Server Statistics and Status Information” section on page 6-8.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-45
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-12
Predictor Methods and Attributes
Predictor Method
Description / Action
Hash Address
The ACE selects the server using a hash value based on the source or destination IP address.
To configure the hash address predictor method:
1.
In the Mask Type field, indicate whether server selection is based on the source IP address or the
destination IP address:
– N/A—Indicates that this option is not defined.
– Destination—Indicates that the server is selected based on the destination IP address.
– Source—Indicates that the server is selected based on the source IP address.
2.
Hash Content
In the IP Netmask field, select the subnet mask to apply to the address. If none is specified, the
default is 255.255.255.255.
The ACE selects the server by using a hash value based on the specified content string of the HTTP
packet body.
1.
In the Begin Pattern field, enter the beginning pattern of the content string and the pattern string
to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the
HTTP body immediate following the offset byte. You cannot configure different beginning and
ending patterns for different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions. Table 12-33
lists the supported characters that you can use for matching string expressions.
2.
In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either
a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field
or the end of the packet, or until it reaches the maximum body parse length. You cannot configure
different beginning and ending patterns for different server farms that are part of the same traffic
classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions. Table 12-33
lists the supported characters that you can use for matching string expressions.
3.
In the Length field, enter the length in bytes of the portion of the content (starting with the byte
after the offset value) that the ACE uses for sticking the client to the server. Valid entries are
integers from 1 to 1000 bytes.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but
shorter than the offset plus the length of the payload, the ACE sticks the connection based on that
portion of the payload starting with the byte after the offset value and ending with the byte
specified by the offset plus the length. The total of the offset and the length cannot exceed 1000.
You cannot specify both the length and the end-pattern options for a Hash Content predictor.
4.
Hash Cookie
In the HTTP Content Offset field, enter the portion of the content that the ACE uses to stick the
client on a particular server by indicating the bytes to ignore starting with the first byte of the
payload. Valid entries are integers from 0 to 999 bytes. The default is 0, which indicates that the
ACE does not exclude any portion of the content.
The ACE selects the server by using a hash value based on the cookie name.
In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces
and a maximum of 64 characters.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-46
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-12
Predictor Methods and Attributes (continued)
Predictor Method
Description / Action
Hash Secondary
Cookie
The ACE selects the server by using the hash value based on the specified cookie name in the URL
query string, not the cookie header.
In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces
and a maximum of 64 characters.
Hash Header
The ACE selects the server by using a hash value based on the header name.
In the Header Name field, select the HTTP header to be used for server selection:
Hash Layer 4
•
To specify an HTTP header that is not one of the standard HTTP headers, select the first radio
button and enter the HTTP header name in the Header Name field. Valid entries are unquoted text
strings with no spaces and a maximum of 64 characters.
•
To specify one of the standard HTTP headers, select the second radio button, and then select one
of the HTTP headers from the list.
The ACE selects the server by using a Layer 4 generic protocol load-balancing method. Use this
predictor to load balance packets from protocols that are not explicitly supported by the ACE.
1.
In the Begin Pattern field, enter the beginning pattern of the Layer 4 payload and the pattern string
to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the
HTTP body immediate following the offset byte. You cannot configure different beginning and
ending patterns for different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions. Table 12-33
lists the supported characters that you can use for matching string expressions.
2.
In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either
a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field
or the end of the packet, or until it reaches the maximum body parse length. You cannot configure
different beginning and ending patterns for different server farms that are part of the same traffic
classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions. Table 12-33
lists the supported characters that you can use for matching string expressions.
3.
In the Length field, enter the length in bytes of the portion of the payload (starting with the byte
after the offset value) that the ACE uses for sticking the client to the server. Valid entries are
integers from 1 to 1000 bytes.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but
shorter than the offset plus the length of the payload, the ACE sticks the connection based on that
portion of the payload starting with the byte after the offset value and ending with the byte
specified by the offset plus the length. The total of the offset and the length cannot exceed 1000.
You cannot specify both the length and end-pattern options for a Hash Layer 4 predictor.
4.
In the HTTP Content Offset field, enter the portion of the content that the ACE uses to stick the
client on a particular server by indicating the bytes to ignore starting with the first byte of the
payload. Valid entries are integers from 0 to 999 bytes. The default is 0, which indicates that the
ACE does not exclude any portion of the content.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-47
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-12
Predictor Methods and Attributes (continued)
Predictor Method
Description / Action
Hash URL
The ACE selects the server by using a hash value based on the URL. Use this method to load balance
firewalls.
Enter values in one or both of the pattern fields:
•
In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string to
parse.
•
In the URL End Pattern field, enter the ending pattern of the URL and the pattern string to parse.
Valid entries for these fields are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters for each pattern you configure.
Least Bandwidth
Least Connections
The ACE selects the server with the least amount of network traffic over a specified sampling period.
1.
In the Assess Time field, enter the number of seconds for which the ACE is to collect traffic
information. Valid entries are integers from 1 to 10 seconds.
2.
In the Least Bandwidth Samples field, enter the number of samples over which you want to weight
and average the results of the probe query to calculate the final load value. Valid entries are 1, 2,
4, 8, and 16 (integers from 1 to 16 that are also a power of 2).
The ACE selects the server with the fewest number of connections.
In the Slowstart Duration field, enter the slow-start value to be applied to this predictor method. Valid
entries are integers from 1 to 65535, where 1 is the slowest ramp-up value.
The slow-start mechanism is used to avoid sending a high rate of new connections to servers that you
have just put into service.
Least Loaded
The ACE selects the server with the lowest load based on information from SNMP probes.
1.
In the SNMP Probe Name field, select the name of the SNMP probe to use.
2.
In the Auto Adjust field, configure the autoadjust feature to instruct the ACE to apply the
maximum load of 16000 to a real server whose load reaches zero or override the default behavior.
By default, the ACE applies the average load of the server farm to a real server whose load is zero.
The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and
other configured options.
Options are as follows:
– Average—Applies the average load of the server farm to a real server whose load is zero. This
setting allows the server to participate in load balancing, while preventing it from being
flooded by new connections. This is the default setting.
– Maxload—Instruct the ACE to apply the maximum load of 16000 to a real server whose load
reaches zero.
– Off—Instruct the ACE to send all new connections to the server that has a load of zero until
the next load update arrives from the SNMP probe for this server. If two servers have the same
lowest load (either zero or nonzero), the ACE load balances the connections between the two
servers in a round-robin manner.
3.
In the Weight Connection field, check the check box to instruct the ACE to use the current
connection count in the final load calculation for a real server. When you configure this option, the
ACE includes the current connection count in the total load calculation for each real server in a
server farm. Clear the check box to reset the behavior of the ACE to the default of excluding the
current connection count from the load calculation.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-48
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-12
Predictor Methods and Attributes (continued)
Predictor Method
Description / Action
Response
The ACE selects the server with the lowest response time for a requested response-time measurement.
1.
In the Response Type field, select the type of measurement to use:
– App-Req-To-Resp—The response time from when the ACE sends an HTTP request to a server
to the time that the ACE receives a response from the server for that request.
– Syn-To-Close—The response time from when the ACE sends a TCP SYN to a server to the
time that the ACE receives a CLOSE from the server.
– Syn-To-Synack—The response time from when the ACE sends a TCP SYN to a server to the
time that the ACE receives a SYN-ACK from the server.
Round Robin
2.
In the Response Samples field, enter the number of samples over which you want to average the
results of the response-time measurement. Valid entries are 1, 2, 4, 8, and 16 (integers from 1 to
16 that are also a power of 2).
3.
In the Weight Connection field, check the check box to instruct the ACE to use the current
connection count in the final load calculation for a real server. When you configure this option, the
ACE includes the current connection count in the total load calculation for each real server in a
server farm. Clear the check box to reset the behavior of the ACE to the default of excluding the
current connection count from the load calculation.
The ACE selects the next server in the list of servers based on server weight. This is the default
predictor method.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-49
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-13
Sticky Group Attributes
Field
Description
Group Name
Enter a unique identifier for the sticky type. You can either accept the automatically incremented
entry given or you can enter your own. Valid entries are unquoted text strings with no spaces and
a maximum of 64 alphanumeric characters.
Type
Select the method to be used when establishing sticky connections:
•
HTTP Content—The virtual server is to stick client connections to the same real server based
on a string in the data portion of the HTTP packet. See Table 7-2 for additional configuration
options.
•
HTTP Cookie—Indicates that the virtual server is either to learn a cookie from the HTTP
header of a client request or to insert a cookie in the Set-Cookie header of the response from
the server to the client, and then use the learned cookie to provide stickiness between the client
and server for the duration of the transaction.
•
HTTP Header—Indicates that the virtual server is to stick client connections to the same real
server based on HTTP headers.
•
IP Netmask—Indicates that the virtual server is to stick a client to the same server for multiple
subsequent connections as needed to complete a transaction using the client source IPv4
address, the destination IPv4 address, or both.
Note
Cookie Name
If an organization uses a megaproxy to load balance client requests across multiple proxy
servers when a client connects to the Internet, the source IP address is no longer a reliable
indicator of the true source of the request. In this situation, you can use cookies or another
sticky method to ensure session persistence.
•
V6 Prefix—Indicates that the virtual server is to stick a client to the same server for multiple
subsequent connections as needed to complete a transaction using the client source IPv6
address, the destination IPv6 address, or both.
•
Layer 4 Payload—The virtual server is to stick client connections to the same real server based
on a string in the payload portion of the Layer 4 protocol packet. See Table 7-6 for additional
configuration options.
•
RADIUS—The virtual server is to stick client connections to the same real server based on a
RADIUS attribute. See Table 7-7 for additional configuration options.
•
RTSP Header—The virtual server is to stick client connections to the same real server based
on the RTSP Session header field. Table 7-8 for additional configuration options.
•
SIP Header—The virtual server is to stick client connections to the same real server based on
the SIP Call-ID header field.
This option appears for sticky type HTTP Cookie.
Enter a unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and
a maximum of 64 alphanumeric characters.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-50
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-13
Sticky Group Attributes (continued)
Field
Description
Enable Insert
This option appears for sticky type HTTP Cookie.
Check this check box if the virtual server is to insert a cookie in the Set-Cookie header of the
response from the server to the client. This option is useful when you want to use a session cookie
for persistence but the server is not currently setting the appropriate cookie. When selected, the
virtual server selects a cookie value that identifies the original server from which the client
received a response. For subsequent connections of the same transaction, the client uses the cookie
to stick to the same server.
Clear this check box to disable cookie insertion.
Browser Expire
This option appears for sticky type HTTP Cookie and you select Enable Insert.
Check this check box to allow the client's browser to expire a cookie when the session ends.
Clear this check box to disable browser expire.
Offset (Bytes)
This option appears for sticky types HTTP Cookie and HTTP Header.
Enter the number of bytes the virtual server is to ignore starting with the first byte of the cookie.
Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the virtual
server does not exclude any portion of the cookie.
Length (Bytes)
This option appears for sticky types HTTP Cookie and HTTP Header.
Enter the length of the portion of the cookie (starting with the byte after the offset value) that the
ACE appliance is to use for sticking the client to the server. Valid entries are integers from 1 to
1000.
Secondary Name
This option appears for sticky type HTTP Cookie.
Enter an alternate cookie name that is to appear in the URL string of the Web page on the server.
The virtual server uses this cookie to maintain a sticky connection between a client and a server
and adds a secondary entry in the sticky table. Valid entries are unquoted text strings with no spaces
and a maximum of 64 characters.
Header Name
This option appears for sticky type HTTP Header.
Select the HTTP header to use for sticking client connections.
Netmask
This field appears for sticky type IP Netmask. This field is optional for the sticky type V6 Prefix.
Select the netmask to apply to the source IPv4 address, destination IPv4 address, or both.
Prefix Length
This field appears for sticky type V6 Prefix. This field is optional for the sticky type IP Netmask.
Enter the prefix length to apply to the source IPv6 address, destination IPv6 address, or both.
Address Type
This field appears for sticky type IP Netmask.
Indicate whether this sticky type is to be applied to the client source IP address, the destination IP
address, or both:
Sticky Server Farm
•
Both—Indicates that this sticky type is to be applied to both the source IP address and the
destination IP address.
•
Destination—Indicates that this sticky type is to be applied to the destination IP address only.
•
Source—Indicates that this sticky type is to be applied to the source IP address only.
Select an existing server farm to act as the primary server farm for this sticky group, or select
*New* to create a new server farm. If you select *New*, configure the server farm using the
information in Table 5-11.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-51
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-13
Sticky Group Attributes (continued)
Field
Description
Backup Server Farm
Select an existing server farm to act as the backup server farm this sticky group, or select *New*
to create a new server farm. If you select *New*, configure the server farm using the information
in Table 5-11.
Aggregate State
Check this check box to indicate that the state of the primary server farm is to be tied to the state
of all real servers in the server farm and in the backup server farm, if configured. The ACE
appliance declares the primary server farm down if all real servers in the primary server farm and
all real servers in the backup server farm are down.
Clear this check box if the state of the primary server farm is not to be tied to all real servers in the
server farm and in the backup server farm.
Enable Sticky On
Backup Server Farm
Check this check box to specify that the backup server farm is sticky. Clear this check box if the
backup server farm is not sticky.
Buddy Group
Associate the serverfarm with a buddy member group by creating a buddy sticky group or selecting
an existing one (for more information, see the “Buddy Sticky Groups” section on page 7-6).
Replicate On HA Peer
Check this check box to indicate that the virtual server is to replicate sticky table entries on the
backup server farm. If a failover occurs and this option is selected, the new active server farm can
maintain the existing sticky connections.
Clear this check box to indicate that the virtual server is not to replicate sticky table entries on the
backup server farm.
Timeout (Minutes)
Enter the number of minutes that the virtual server keeps the sticky information for a client
connection in the sticky table after the latest client connection terminates. Valid entries are integers
from 1 to 65535; the default is 1440 minutes (24 hours).
Timeout Active
Connections
Check this check box to specify that the virtual server is to time out sticky table entries even if
active connections exist after the sticky timer expires.
Clear this check box to specify that the virtual is not to time out sticky table entries even if active
connections exist after the sticky timer expires. This is the default behavior.
Step 9
In the Compression Method field, select the HTTP compression method to indicate how the ACE
appliance is to compress packets when a client request indicates that the client browser is capable of
packet compression. By default, HTTP compression is disabled in the ACE. When you configure HTTP
compression using the ACE, the ACE compresses data in the HTTP GET responses from the real servers.
The ACE does not compress HTTP requests from clients or the HTTP headers in the server responses.
Note
By default, the ACE supports HTTP compression at rates of 100 megabits per second (Mbps).
Installing an optional HTTP compression license allows you to increase this value to a maximum
of 2 Gbps. See the Administration Guide, Cisco ACE Application Control Engine for
information on ACE licensing options.
Options are as follows:
•
Deflate—Specifies the deflate compression format as the method to use when the client browser
supports both the deflate and gzip compression methods. deflate, the data format for compression
described in RFC1951
•
Gzip—Specifies the gzip compression format as the method to use when the client browser supports
both the deflate and gzip compression methods. Gzip is the file format for compression described
in RFC1952.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-52
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
•
N/A—HTTP compression is disabled.
When configuring HTTP compression, we recommend that you exclude the following MIME types from
HTTP compression: “.*gif”, “.*css”, “.*js”, “.*class”, “.*jar”, “.*cab”, “.*txt”, “.*ps”, “.*vbs”, “.*xsl”,
“.*xml”, “.*pdf”, “.*swf”, “.*jpg”, “.*jpeg”, “.*jpe”, or “.*png”.
When you enable HTTP compression, the ACE compresses the packets using the following default
compression parameter values:
Step 10
•
Mime type—All text formats (text/*).
•
Minimum size—512 bytes.
•
User agent—None.
In the SSL Initiation field, select an existing service, or select *New* to create a new service.
Note
The SSL Initiation field appears only in the Advanced View, and when TCP is the selected
protocol and Other, HTTP, or HTTPS is the application protocol.
Note
The SSL initiation option does not apply to the ACE NPE software version (see the “Information
About the ACE No Payload Encryption Software Version” section on page 1-2).
SSL initiation allows the virtual server to act as an SSL proxy client to initiate and maintain an SSL
connection between itself and an SSL server. In this particular application, the ACE receives clear text
from an HTTP client, and encrypts and transmits the data as ciphertext to the SSL server. On the reverse
side, the ACE decrypts the ciphertext that it receives from the SSL server and sends the data to the client
as clear text.
•
If you select an existing SSL service, you can view, modify, or duplicate the existing configuration.
See the “Shared Objects and Virtual Servers” section on page 5-9 for more information about
modifying shared objects.
•
If you select *New*, configure the service using the information in Table 5-14.
Table 5-14
Virtual Server SSL Initiation Attributes
Field
Description
Name
Enter a name for this SSL proxy service. Valid entries are alphanumeric
strings with a maximum of 26 characters.
Keys
Select the SSL key pair to use during the SSL handshake for data encryption.
Certificates
Select the SSL certificate to use during the SSL handshake.
Chain Groups
Select the chain group to use during the SSL handshake.
Auth Groups
Select the SSL authentication group to associate with this proxy server
service.
CRL Best-Effort
This option appears if you select an authentication group in the Auth Group
Name field.
Check the check box to allow the ACE to search client certificates for the
service to determine if it contains a CRL in the extension and retrieve the
value, if it exists.
Clear the check box to disable this feature.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-53
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-14
Virtual Server SSL Initiation Attributes
Field
Description
CRL Name
This option appears if the CRL Best-Effort check box is clear.
Select the Certificate Revocation List if the ACE is to use for this proxy
service.
Parameter Maps
Select the SSL parameter map to associate with this proxy server service.
For more information about SSL, see the “Configuring SSL” section on page 9-1.
Step 11
In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using
the format header_name=header_value where:
•
header_name represents the name of the HTTP header to insert in the client HTTP request. Valid
entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You
can specify predefined header or any custom header name provided that it does not exceed the
maximum length limit.
•
header_value represents the expression string to compare against the value in the specified field in
the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters.
The ACE appliance supports regular expressions for matching. Header expressions allow spaces,
provided that the spaces are escaped or quoted. All headers in the header map must be matched.
Table 12-33 lists the supported characters that you can use in regular expressions.
For example, you might enter Host=www.cisco.com.
Step 12
Step 13
Do the following:
•
Click OK to save your entries and to return to the Rule Match table.
•
Click Cancel to exit this procedure without saving your entries and to return to the Rule Match table.
If you are adding Rule Match entries for a new virtual server and you want to modify the sequence of
rules in the L7 Load Balancing section of the Virtual Server configuration page, click Up or Down to
change the order of the entries in the Rule Match table.
Note
Step 14
The Up and Down buttons are not available for an existing virtual server, only for a new virtual
server. To reorder the entries in the Rule Match table for an existing virtual server, go to Config
> Expert > Policy Maps and choose the Layer 7 load balancing policy map, delete the rule entry
that you want to reorder, and then add it again by using the Insert Before option to put it in the
correct order. See the “Configuring Rules and Actions for Policy Maps” section on page 12-36
for details.
When you finish configuring virtual server properties, do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries.
Related Topics
•
Configuring Virtual Servers, page 5-2
•
Configuring Virtual Server Properties, page 5-10
•
Configuring Virtual Server SSL Termination, page 5-18
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-54
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
•
Configuring Virtual Server Protocol Inspection, page 5-20
Configuring Virtual Server Default Layer 7 Load Balancing
Use this procedure configure default Layer 7 load-balancing actions for all network traffic that does not
meet previously specified match conditions.
Assumption
A virtual server has been configured. See the “Configuring Virtual Servers” section on page 5-2 for
information on configuring a virtual server.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers
table appears.
Step 2
Select the virtual server you want to configure for default Layer 7 load balancing, and then click Edit.
The Virtual Server configuration screen appears.
Step 3
Click Default L7 Load-Balancing Action. The Default L7 Load-Balancing Action configuration pane
appears.
Step 4
In the Primary Action field, indicate the default action the virtual server is to take in response to client
requests for content when specified match conditions are not met:
Step 5
•
Drop—Indicates that client requests that do not meet specified match conditions are to be discarded.
Continue with Step 7.
•
Forward—Indicates that client requests that do not meet specified match conditions are to be
forwarded without performing load balancing on the requests. Continue with Step 7.
•
Load Balance—Indicates that client requests for content are to be directed to a server farm. If you
select Load Balance, server farm, backup server farm, and sticky configuration options appear.
Continue with Step 5.
•
Sticky—Client requests for content are handled by a sticky group when match conditions are met.
Continue with Step 6.
If you select Load Balance as the primary action, you can configure load balancing using a server farm,
a server farm/backup server farm pair, an existing sticky group, or a new sticky group.
Note
If you select an existing object in any of these scenarios, you can view, modify, or duplicate the
selected object’s existing configuration. See the “Shared Objects and Virtual Servers” section on
page 5-9 for more information about modifying shared objects in virtual servers.
Configure load-balancing using the information in Table 5-10.
Step 6
(Optional) If you chose Sticky as the primary action, in the Sticky Group field, choose an existing sticky
group or click *New* to add a new sticky group (see Table 5-13).
Note
To display statistics and status information for an existing server farm, choose a server farm in
the list, and then click Details. DM accesses the show serverfarm name detail CLI command
to display detailed server farm information. See the “Displaying Server Farm Statistics and
Status Information” section on page 6-39.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-55
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Note
Step 7
If you chose an existing sticky group, you can view, modify, or duplicate the selected object’s
existing configuration. See the “Shared Objects and Virtual Servers” section on page 5-9 for
more information about modifying shared objects in virtual servers.
In the Compression Method field, select the HTTP compression method to indicate how the ACE
appliance is to compress packets when a client request indicates that the client browser is capable of
packet compression. By default, HTTP compression is disabled in the ACE. When you configure HTTP
compression using the ACE, the ACE compresses data in the HTTP GET responses from the real servers.
The ACE does not compress HTTP requests from clients or the HTTP headers in the server responses.
Note
By default, the ACE supports HTTP compression at rates of 100 megabits per second (Mbps).
Installing an optional HTTP compression license allows you to increase this value to a maximum
of 2 Gbps. See the Administration Guide, Cisco ACE Application Control Engine for
information on ACE licensing options.
Options are as follows:
•
Deflate—Specifies the deflate compression format as the method to use when the client browser
supports both the deflate and gzip compression methods. deflate, the data format for compression
described in RFC1951
•
Gzip—Specifies the gzip compression format as the method to use when the client browser supports
both the deflate and gzip compression methods. Gzip is the file format for compression described
in RFC1952.
•
N/A—HTTP compression is disabled.
When configuring HTTP compression, we recommend that you exclude the following MIME types from
HTTP compression: “.*gif”, “.*css”, “.*js”, “.*class”, “.*jar”, “.*cab”, “.*txt”, “.*ps”, “.*vbs”, “.*xsl”,
“.*xml”, “.*pdf”, “.*swf”, “.*jpg”, “.*jpeg”, “.*jpe”, or “.*png”.
Note
If you enable the Gzip or Deflate compression format, the DM GUI automatically inserts a L7
Load Balance Primary Action to exclude the MIME types listed above. However, if you disable
HTTP compression later on, you will need to remove the auto-inserted Load Balance Primary
Action.
When you enable HTTP compression, the ACE compresses the packets using the following default
compression parameter values:
Step 8
•
Mime type—All text formats (text/*).
•
Minimum size—512 bytes.
•
User agent—None.
In the SSL Initiation field, select an existing service, or select *New* to create a new service.
Note
The SSL Initiation field appears only in the Advanced View, and when TCP is the selected
protocol and Other, HTTP, or HTTPS is the application protocol.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-56
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Note
The SSL initiation option does not apply to the ACE NPE software version (see the “Information
About the ACE No Payload Encryption Software Version” section on page 1-2).
SSL initiation allows the virtual server to act as an SSL proxy client to initiate and maintain an SSL
connection between itself and an SSL server. In this particular application, the ACE receives clear text
from an HTTP client, and encrypts and transmits the data as ciphertext to the SSL server. On the reverse
side, the ACE decrypts the ciphertext that it receives from the SSL server and sends the data to the client
as clear text.
•
If you select an existing SSL service, you can view, modify, or duplicate the existing configuration.
See the “Shared Objects and Virtual Servers” section on page 5-9 for more information about
modifying shared objects.
•
If you select *New*, configure the service using the information in Table 5-14.
For more information about SSL, see the “Configuring SSL” section on page 9-1.
Step 9
In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using
the format header_name=header_value where:
•
header_name represents the name of the HTTP header to insert in the client HTTP request. Valid
entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You
can specify predefined header or any custom header name provided that it does not exceed the
maximum length limit.
•
header_value represents the expression string to compare against the value in the specified field in
the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters.
The ACE appliance supports regular expressions for matching. Header expressions allow spaces,
provided that the spaces are escaped or quoted. All headers in the header map must be matched.
Table 12-33 lists the supported characters that you can use in regular expressions.
For example, you might enter Host=www.cisco.com.
Step 10
When you finish configuring virtual server properties, do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers
table.
Related Topics
•
Configuring Virtual Server Properties, page 5-10
•
Configuring Virtual Server SSL Termination, page 5-18
•
Configuring Virtual Server Protocol Inspection, page 5-20
•
Configuring Virtual Server Layer 7 Load Balancing, page 5-30
Configuring Application Acceleration and Optimization
The ACE appliance includes configuration options that allow you to accelerate enterprise applications,
resulting in increased employee productivity, enhanced customer retention, and increased online
revenues. The application acceleration functions of the ACE appliance apply several optimization
technologies to accelerate Web application performance. The application acceleration functionality in
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-57
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
the ACE appliance enables enterprises to optimize network performance and improve access to critical
business information. This capability accelerates the performance of Web applications, including
customer relationship management (CRM), portals, and online collaboration by up to 10 times.
See the “Configuring Application Acceleration and Optimization” section on page 13-1 or the
Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine
Appliance for more information about application acceleration and optimization.
Use this procedure to configure acceleration and optimization on virtual servers.
Assumption
A virtual server has been configured. See the “Configuring Virtual Servers” section on page 5-2 for
information on configuring a virtual server.
Consideration
Application acceleration and optimization is only supported in IPv4 to IPv4 server load-balancing
configurations.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers
table appears.
Step 2
Select the virtual server you want to configure for optimization, and then click Edit. The Virtual Server
configuration screen appears.
Step 3
Click Application Acceleration And Optimization. The Application Acceleration And Optimization
configuration pane appears.
Step 4
In the Configuration field, indicate the method you want to use to configure application acceleration and
optimization:
Step 5
•
EZ—Indicates that you want to use standard acceleration and optimization options. Continue with
Step 5.
•
Custom—Indicates that you want to associate specific match criteria, actions, and parameter maps
for application acceleration and optimization for this virtual server. If you choose this option,
continue with Step 6.
If you select EZ, the Latency Optimization (FlashForward) and Bandwidth Optimization (Delta) fields
appear.
a.
Check the Latency Optimization (FlashForward) check box to indicate that the ACE appliance is to
use bandwidth reduction and download acceleration techniques to objects embedded within HTML
pages. Clear this check box to indicate that the ACE appliance is not to employ these techniques to
objects embedded within HTML pages. Latency optimization corresponds to FlashForward
functionality. For more information about FlashForward functionality, see the “Optimization
Overview” section on page 13-2.
b.
Check the Bandwidth Optimization (Delta) check box to indicate that the ACE appliance is to
dynamically update client browser caches with content differences, or deltas. Clear this check box
to indicate that the ACE appliance is not to dynamically update client browser caches. Bandwidth
optimization corresponds to action list Delta optimization. For more information about Delta
optimization, see the “Optimization Overview” section on page 13-2 and the “Configuring an HTTP
Optimization Action List” section on page 13-3.
c.
Continue with Step 11.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-58
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Step 6
If you select Custom, the Actions configuration pane appears with a table listing match criteria and
actions. Click Add to add an entry to this table, or select an existing entry, and then click Edit to modify
it. The configuration subset refreshes with the available configuration options.
Step 7
In the Apply Template field, select one of the configuration templates for the type of optimization you
want to configure, or leave blank to configure optimization without a template:
•
Bandwidth Optimization—Maximizes bandwidth for Web-based traffic.
•
Latency Optimization For Embedded Objects—Reduces the latency associated with embedded
objects in Web-based traffic.
•
Latency Optimization For Embedded Images—Reduces the latency associated with embedded
images in Web-based traffic.
•
Latency Optimization For Containers—Reduces the latency associated with Web containers.
If you do not select a template and select *New* in the Rule Match and Actions fields, you are creating
your own optimization rules and actions.
Step 8
In the Rule Match field, select an existing class map or click *New* to specify new match criteria:
•
If you select an existing class map, you can view, modify, or duplicate the existing configuration.
See the “Shared Objects and Virtual Servers” section on page 5-9 for more information about
modifying shared objects.
•
If you click *New*, the screen refreshes with the default configuration settings for the template you
selected. You can accept the default settings or modify them using the information in Table 5-15.
Table 5-15
Field
Description
Name
Enter a unique name for this match criteria rule.
Matches
Select the method to be used to evaluate multiple match statements when
multiple match conditions exist:
Conditions
Step 9
Optimization Rule Match Configuration Options
•
Any—A match exists if at least one of the match conditions is satisfied.
•
All—A match exists only if all match conditions are satisfied.
Click Add to add a new set of conditions or select an existing entry, and then
click Edit to modify it:
1.
In the Type field, select the match condition to be used, and then
configure any condition-specific options using the information in
Table 5-9.
2.
Click OK to save your entries, or Cancel to exit this procedure without
saving your entries.
In the Actions field, select an existing action list to use for optimization or click *New* to create a new
action list.
•
If you select an existing optimization action list, you can view, modify, or duplicate the existing
configuration. See the “Shared Objects and Virtual Servers” section on page 5-9 for more
information about modifying shared objects.
•
If you click *New*, the screen refreshes with the default configuration settings for the template you
selected. You can accept the default settings or modify them using the information in Table 5-16.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-59
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-16
Optimization Action List Configuration Options
Field
Description
Action List Name
Enter a unique name for the optimization action list. Valid entries are unquoted text strings with a
maximum of 64 alphanumeric characters.
Enable Delta
Delta optimization dynamically updates client browser caches directly with content differences, or
deltas, resulting in faster page downloads.
Check this check box to enable delta optimization for the specified URLs.
Clear this check box to disable delta optimization for the specified URLs.
Note
Enable AppScope
The ACE restricts you from enabling delta optimization if you have previously specified either
Cache Dynamic or Dynamic Entity Tag.
AppScope runs on the Management Console of the optional Cisco AVS 3180A Management Station and
measures end-to-end application performance.
Check this check box to enable AppScope performance monitoring for use with the ACE appliance.
Clear this check box to disable AppScope performance monitoring for use with the ACE appliance.
Flash Forward
The FlashForward feature reduces bandwidth usage and accelerates embedded object downloading by
combining local object storage with dynamic renaming of embedded objects, thereby enforcing object
freshness within the parent HTML page.
Specify how the ACE appliance is to implement FlashForward:
Cache Dynamic
•
N/A—Indicates that this feature is not enabled.
•
Flash Forward—Indicates that FlashForward is to be enabled for the specified URLs and that
embedded objects are to be transformed.
•
Flash Forward Object—Indicates that FlashForward static caching is to be enabled for the objects
that the corresponding URLs refer to, such as Cascading Style Sheets (CSS), JPEG, and GIF files.
Check this check box to enable Adaptive Dynamic Caching for the specified URLs even if the expiration
settings in the response indicate that the content is dynamic. The expiration of cache objects is
controlled by the cache expiration settings based on time or server load.
Clear this check box to disable this feature.
Note
Cache Forward
The ACE restricts you from enabling Cache Dynamic if you have previously specified either
Enable Delta or Dynamic Entity Tag.
Check this check box to enables the cache forward feature for the corresponding URLs. Cache forward
allows the ACE to serve the object from its cache (static or dynamic) even when the object has expired
if the maximum cache TTL time period has not yet expired (set by specifying the Cache Time-To-Live
Duration (%): field in an Optimization parameter map). At the same time, the ACE sends an
asynchronous request to the origin server to refresh its cache of the object.
Clear this check box to disable this feature.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-60
OL-26645-02
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
Table 5-16
Optimization Action List Configuration Options (continued)
Field
Description
Dynamic Entity
Tag
This feature enables the acceleration of noncacheable embedded objects, which results in improved
application response time. When enabled, this feature eliminates the need for users to download
noncacheable objects on each request.
Check this check box to indicate that the ACE appliance is to implement just-in-time object acceleration
for noncacheable embedded objects.
Clear this check box to disable this feature.
Note
Fine Tune
Optimization
Parameters
The ACE restricts you from enabling Dynamic Entity Tag if you have previously specified either
Enable Delta or Cache Dynamic.
Click this header to configure additional optimization attributes. When expanded, the configuration
pane displays options specific to the type of optimization you are configuring and features that you
enable.
Refer to Table 8-5 for information about specific options that appear.
Step 10
Step 11
When you finish configuring match criteria and actions, do the following:
•
Click OK to save your entries and to return to the Rule Match and Actions table.
•
Click Cancel to exit this procedure without saving your entries and to return to the Rule Match and
Actions table.
When you finish configuring virtual server properties, do the following:
•
Click Deploy Now to save your entries. The ACE appliance validates the optimization action list
configuration and deploys it on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers
table.
Related Topics
•
Configuring Virtual Server Properties, page 5-10
•
Optimization Traffic Policies and Typical Configuration Flow, page 13-2
•
Configuring Traffic Policies for HTTP Optimization, page 13-6
•
Configuring Virtual Server Protocol Inspection, page 5-20
•
Configuring Virtual Server Layer 7 Load Balancing, page 5-30
•
Configuring Virtual Server Default Layer 7 Load Balancing, page 5-55
Configuring Virtual Server NAT
Use this procedure to configure Name Address Translation (NAT) for virtual servers.
Assumptions
•
A virtual server has been configured. See the “Configuring Virtual Servers” section on page 5-2 for
information on configuring a virtual server.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-61
Chapter 5
Configuring Virtual Servers
Configuring Virtual Servers
•
A VLAN has been configured. See the “Configuring Virtual Context VLAN Interfaces” section on
page 10-10 for information on configuring a VLAN interface.
•
At least one NAT pool has been configured on a VLAN interface. See the “Configuring VLAN
Interface NAT Pools and Displaying NAT Utilization” section on page 10-32 for information on
configuring a NAT pool.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers
table appears.
Step 2
Select the virtual server you want to configure for NAT, and then click Edit. The Virtual Server
configuration screen appears.
Step 3
Click NAT. The NAT table appears.
Step 4
Click Add to add an entry, or select an existing entry, and then click Edit to modify it.
Step 5
In the VLAN field, select the VLAN you want to use NAT. For more information about NAT, see the
“Configuring VLAN Interface NAT Pools and Displaying NAT Utilization” section on page 10-32.
Step 6
In the NAT Pool ID field, select the NAT pool that you want to associate with the selected VLAN.
Step 7
Do the following:
Step 8
•
Click OK to save your entries and to return to the NAT table. The NAT table refreshes with the new
entry.
•
Click Cancel to exit the procedure without saving your entries and to return to the NAT table.
When you finish configuring virtual server properties, do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers
table.
Related Topics
•
Configuring Virtual Servers, page 5-2
•
Configuring Virtual Server Properties, page 5-10
•
Configuring Virtual Server SSL Termination, page 5-18
•
Configuring Virtual Server Protocol Inspection, page 5-20
•
Configuring Virtual Server Layer 7 Load Balancing, page 5-30
•
Configuring Virtual Server Default Layer 7 Load Balancing, page 5-55
Displaying Virtual Server Statistics and Status Information
You can display virtual server statistics and status information for a particular virtual server by using the
Details button.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Virtual Servers.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-62
OL-26645-02
Chapter 5
Configuring Virtual Servers
Managing Virtual Servers
The Virtual Servers table appears.
Step 2
In the Virtual Servers table, choose a virtual server from the Virtual Servers table, and click Details.
The show service-policy policy_name class-map class_name detail CLI command output appears. For
details about the displayed fields, see the Server Load-Balancing Guide, Cisco ACE Application Control
Engine.
Note
This feature requires ACE software Version A3(2.1) or later. An error displays with earlier
software versions.
Step 3
(Optional) Click Update Details to refresh the window information.
Step 4
Click Close to return to the Virtual Servers table.
Related Topics
•
Configuring Virtual Servers, page 5-2
•
Managing Virtual Servers, page 5-63
•
Viewing All Virtual Servers, page 5-65
Managing Virtual Servers
After you have created a virtual server the following options are available:
Task
Related Topics
Modify a virtual server configuration
Configuring Virtual Servers, page 5-2
List virtual servers by virtual context
Viewing Virtual Servers by Context, page 5-63
Activate a virtual server
Activating Virtual Servers, page 5-64
Suspend a virtual server
Suspending Virtual Servers, page 5-65
View all virtual servers and its configured state
Viewing All Virtual Servers, page 5-65
Viewing Virtual Servers by Context
Use this procedure to view all virtual servers associated with a virtual context.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the context associated with the virtual servers you want to view, and then select Load
Balancing > Virtual Servers. The Virtual Servers table appears with the following information:
•
Virtual server name
•
Configured state, such as Inservice
•
Virtual IP address
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-63
Chapter 5
Configuring Virtual Servers
Managing Virtual Servers
•
Port
•
Associated VLANs
•
Associated server farms
•
Virtual context name
Related Topics
•
Configuring Virtual Servers, page 5-2
•
Managing Virtual Servers, page 5-63
Displaying Virtual Server Statistics and Status Information
You can display virtual server statistics and status information for a particular virtual server by using the
Details button. DM accesses the show service-policy policy_name detail CLI command to display
detailed virtual server information.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Virtual Servers.
The Virtual Servers table appears.
Step 2
In the Virtual Servers table, choose a virtual server from the Virtual Servers table, and click Details.
The show service-policy policy_name detail CLI command output appears. For details on the displayed
output fields, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Step 3
Click Update Details to refresh the output for the show service-policy policy_name detail CLI
command.
Step 4
Click Close to return to the Virtual Servers table.
Related Topics
•
Configuring Virtual Servers, page 5-2
•
Managing Virtual Servers, page 5-63
•
Viewing All Virtual Servers, page 5-65
Activating Virtual Servers
Use this procedure to activate a virtual server.
Procedure
Step 1
Select Config > Operations > Virtual Servers. The Virtual Servers table appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-64
OL-26645-02
Chapter 5
Configuring Virtual Servers
Managing Virtual Servers
Step 2
Select the server that you want to activate, and then click Activate. The server is activated and the screen
refreshes with updated information in the Configured State column.
Related Topics
•
Managing Virtual Servers, page 5-63
•
Viewing All Virtual Servers, page 5-65
•
Suspending Virtual Servers, page 5-65
Suspending Virtual Servers
Use this procedure to suspend a virtual server.
Procedure
Step 1
Select Config > Operations > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the virtual server that you want to suspend, and then click Suspend. The Suspend Virtual Server
screen appears.
Step 3
In the Reason field, enter the reason for this action. You might enter a trouble ticket, an order ticket, or
a user message.
Caution
Step 4
Do not enter a password in the Reason field.
Do the following:
•
Click Deploy Now to deploy this configuration. The virtual server is taken out of service and the
Device Manager returns to the Virtual Servers table. The screen refreshes with updated information
in the Oper State column.
•
Click Cancel to exit this procedure without suspending the virtual server and to return to the Virtual
Servers table.
Related Topics
•
Managing Virtual Servers, page 5-63
•
Viewing All Virtual Servers, page 5-65
•
Activating Virtual Servers, page 5-64
Viewing All Virtual Servers
To view all virtual servers, choose Config > Operations > Virtual Servers. The Virtual Servers table
appears with the following information for each server: Table 5-17 describes the Virtual Servers table
information.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
5-65
Chapter 5
Configuring Virtual Servers
Managing Virtual Servers
Table 5-17
Virtual Server Table Fields
Item
Description
Name
Server farm name sorted by virtual context.
Policy Map
Associated policy map.
IP Address/Protocol/Port
Server farm IP address, protocol, and port number used for communications.
Context
Virtual context associated with the server farm.
Admin
Administrative state of the virtual server: Up or Down.
Oper
Operational state of the virtual server: Up or Down.
To display detailed information about the virtual server in a popup window, click the linked
state value in this column.
Note
DWS
The display virtual server details feature requires ACE software Version A3(2.1) or
later. An error displays with earlier software versions.
Operating state of Dynamic Workload Scaling for the virtual server, which can be:
•
N/A—Not applicable; he server farms associated with the virtual server are not
configured to use Dynamic Workload Scaling.
•
Local—At least one server farm associated the virtual server is configured to use
Dynamic Workload Scaling, but the ACE is sending traffic to the VM Controller’s local
VMs only.
•
Expanded—At least one server farm associated the virtual server is configured to use
Dynamic Workload Scaling and the ACE is sending traffic to the VM Controller’s local
and remote VMs.
Conn
Number of active connections.
Stat Age
Time as of the loading of the page since the SNMP values were polled.
Server farms
Associated server farms.
VLANs
Associated VLANs.
You can activate or suspend virtual servers from this table and obtain additional information about the
state of the virtual server.
Related Topics
•
Activating Virtual Servers, page 5-64
•
Suspending Virtual Servers, page 5-65
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
5-66
OL-26645-02
C H A P T E R
6
Configuring Real Servers and Server Farms
This chapter provides an overview of server load balancing and procedures for configuring real servers
and server farms for load balancing on an ACE appliance.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
This chpater contains the following sections:
•
Server Load Balancing Overview, page 6-1
•
Configuring Real Servers, page 6-5
•
Managing Real Servers, page 6-9
•
Configuring Dynamic Workload Scaling, page 6-14
•
Configuring Server Farms, page 6-18
•
Configuring Health Monitoring, page 6-39
•
Configuring Secure KAL-AP, page 6-70
Server Load Balancing Overview
Server load balancing (SLB) is the process of deciding to which server a load-balancing device should
send a client request for service. For example, a client request can consist of an HTTP GET for a Web
page or an FTP GET to download a file. The job of the load balancer is to select the server that can
successfully fulfill the client request and do so in the shortest amount of time without overloading either
the server or the server farm as a whole.
Depending on the load-balancing algorithm or predictor that you configure, the ACE appliance performs
a series of checks and calculations to determine the server that can best service each client request. The
ACE appliance bases server selection on several factors, including the server with the fewest
connections with respect to load, source or destination address, cookies, URLs, or HTTP headers.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-1
Chapter 6
Configuring Real Servers and Server Farms
Server Load Balancing Overview
The ACE Appliance Device Manager allows you to configure load balancing using:
•
Virtual servers—See Configuring Virtual Servers, page 5-2.
•
Real servers—See Configuring Real Servers, page 6-5.
•
Dynamic Workload Scaling—See Configuring Dynamic Workload Scaling, page 6-14.
•
Server farms—See Configuring Server Farms, page 6-18.
•
Sticky groups—See Configuring Sticky Groups, page 7-11.
•
Parameter maps—See Configuring Parameter Maps, page 8-1.
For information about SLB as configured and performed by the ACE appliance, see the following topics:
•
Configuring Virtual Servers, page 5-2
•
Load-Balancing Predictors, page 6-2
•
Real Servers, page 6-3
•
Dynamic Workload Scaling Overview, page 6-4
•
Server Farms, page 6-5
•
Configuring Health Monitoring, page 6-39
•
TCL Scripts, page 6-40
•
Configuring Stickiness, page 7-1
Load-Balancing Predictors
The ACE appliance uses the following predictors to select the best server to satisfy a client request:
•
Hash Address—Selects the server using a hash value based on either the source or destination IP
address, or both. Use these predictors for firewall load balancing (FWLB).
Note
FWLB allows you to scale firewall protection by distributing traffic across multiple firewalls on
a per-connection basis. All packets belonging to a particular connection must go through the
same firewall. The firewall then allows or denies transmission of individual packets across its
interfaces. For more information about configuring FWLB on the ACE appliance, see the Server
Load-Balancing Guide, Cisco ACE Application Control Engine.
•
Hash Content— Selects the server by using a hash value based on the specified content string of the
HTTP packet body
•
Hash Cookie—Selects the server using a hash value based on a cookie name.
•
Hash Secondary Cookie—The ACE selects the server by using the hash value based on the specified
cookie name in the URL query string, not the cookie header.
•
Hash Header—Selects the server using a hash value based on the HTTP header name.
•
Hash Layer4—Selects the server using a Layer 4 generic protocol load-balancing method.
•
Hash URL—Selects the server using a hash value based on the requested URL.You can specify a
beginning pattern and an ending pattern to match in the URL. Use this predictor method to
load-balance cache servers. Cache servers perform better with the URL hash method because you
can divide the contents of the caches evenly if the traffic is random enough. In a redundant
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-2
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Server Load Balancing Overview
configuration, the cache servers continue to work even if the active ACE appliance switches over to
the standby ACE appliance. For information about configuring redundancy, see Configuring High
Availability, page 11-1.
Note
•
Least Bandwidth—Selects the server with the least amount of network traffic or a specified
sampling period. Use this type for server farms with heavy traffic, such as downloading video clips.
•
Least Connections—Selects the server with the fewest number of active connections based on server
weight. For the least connection predictor, you can configure a slow-start mechanism to avoid
sending a high rate of new connections to servers that you have just put into service.
•
Least Loaded—Selects the server with the lowest load as determined by information from SNMP
probes.
•
Response—Selects the server with the lowest response time for a specific response-time
measurement.
•
Round Robin—Selects the next server in the list of real servers based on server weight (weighted
roundrobin). Servers with a higher weight value receive a higher percentage of the connections. This
is the default predictor.
The different hash predictor methods do not recognize the weight value that you configure for real
servers. The ACE uses the weight that you assign to real servers only in the round-robin and
least-connections predictor methods.
Related Topic
Configuring Health Monitoring, page 6-39
Real Servers
To provide services to clients, you configure real servers on the ACE appliance. Real servers are
dedicated physical servers or VMware virtual machines (VMs) that you configure in groups called server
farms.
Note
VMs that you define as real servers are VMs that the ACE recognizes when configured for Dynamic
Workload Scaling (see the “Configuring Dynamic Workload Scaling” section on page 6-14).
These servers provide client services such as HTTP or XML content, website hosting, FTP file uploads
or downloads, redirection for web pages that have moved to another location, and so on. You identify
real servers with names and characterize them with IP addresses, connection limits, and weight values.
The ACE appliance also allows you to configure backup servers in case a server is taken out of service
for any reason.
After you create and name a real server on the ACE appliance, you can configure several parameters,
including connection limits, health probes, and weight. You can assign a weight to each real server based
on its relative importance to other servers in the server farm. The ACE appliance uses the server weight
value for the weighted round-robin and the least-connections load-balancing predictors. The
load-balancing predictor algorithms (for example, round-robin, least connections, and so on) determine
the servers to which the ACE appliance sends connection requests. For a listing and brief description of
the load-balancing predictors, see Load-Balancing Predictors, page 6-2.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-3
Chapter 6
Configuring Real Servers and Server Farms
Server Load Balancing Overview
The ACE appliance uses traffic classification maps (class maps) within policy maps to filter out
interesting traffic and to apply specific actions to that traffic based on the SLB configuration. You use
class maps to configure a virtual server address and definition.
If a primary real server fails, the ACE appliance takes that server out of service and no longer includes
it in load-balancing decisions. If you configured a backup server for the real server that failed, the ACE
appliance redirects the primary real server connections to the backup server. For information about
configuring a backup server, see the Configuring Virtual Server Layer 7 Load Balancing, page 5-30.
The ACE appliance can take a real server out of service for the following reasons:
•
Probe failure
•
ARP timeout
•
Neighbor Discovery (ND) failure (IPv6 only)
•
Retcode failure
•
Reaching the maximum number of connections
•
Specifying Out Of Service as the administrative state of a real server
•
Specifying In Service Standby as the administrative state of a real server
The Out Of Service and In Service Standby selections both provide the graceful shutdown of a server.
Related Topics
•
Configuring Real Servers, page 6-5
•
Configuring Health Monitoring for Real Servers, page 6-41
Dynamic Workload Scaling Overview
The ACE Dynamic Workload Scaling feature permits on-demand access to remote resources, such as
VMs, that you own or lease from an Internet service provider or cloud service provider. This feature uses
Cisco Nexus 7000 Series switches with Overlay Transport Virtualization (OTV) technology to create a
Data Center Interconnect (DCI) on a Layer 2 link over an existing IP network between geographically
distributed data centers. The local data center Nexus 7000 contains an OTV forwarding table that lists
the MAC addresses of the Layer 2 extended virtual private network (VPN) and identifies the addresses
as either local or remote.
When you configure the ACE to use this feature, the ACE uses an XML query to poll the Cisco Nexus
7000 Series Switch and obtain the OTV forwarding table information to determine the locality of the
local or remote VMs. The ACE also uses a health monitor probe that it sends to the local VMware
vCenter Server to monitor the load of the local VMs based on CPU usage, memory usage, or both. When
the average CPU or memory usage of the local VMs reaches its configured maximum threshold value,
the ACE bursts traffic to the remote VMs. The ACE stops bursting traffic to the remote VMs when the
average CPU or memory usage of the local VMs drops below its configured minimum threshold value.
To use Dynamic Workload Scaling, you configure the ACE to connect to the Data Center Interconnect
device (Cisco Nexus 7000 Series switch) and the VMware Controller associated with the local and
remote VMs. You also configure the ACE with the probe type VM to monitor a server farm’s local VM
CPU and memory usage, which determines when the ACE bursts traffic to the remote VMs.
For more details on this feature, see the Server Load-Balancing Guide, Cisco ACE Application Control
Engine.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-4
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Real Servers
Related Topic
•
Configuring Dynamic Workload Scaling, page 6-14
Server Farms
Typically, in data centers, servers are organized into related groups called server farms. Servers within
server farms often contain identical content (referred to as mirrored content) so that if one server
becomes inoperative, another server can take its place immediately. Also, having mirrored content
allows several servers to share the load of increased demand during important local or international
events, such as the Olympic Games. This phenomenon of a sudden large demand for content is called a
flash crowd.
After you create and name a server farm, you can add existing real servers to it and configure other server
farm parameters, such as the load-balancing predictor, server weight, backup server, health probe, and
so on. For a listing and brief description of load-balancing predictors, see Load-Balancing Predictors,
page 6-2.
Related Topic
Configuring Server Farms, page 6-18
Configuring Real Servers
Real servers are dedicated physical servers that are typically configured in groups called server farms.
These servers provide services to clients, such as HTTP or XML content, streaming media (video or
audio), TFTP or FTP services, and so on. When configuring real servers, you assign names to them and
specify IP addresses, connection limits, and weight values.
The ACE appliance uses traffic classification maps (class maps) within policy maps to filter specified
traffic and to apply specific actions to that traffic based on the load-balancing configuration. A
load-balancing predictor algorithm (round-robin or least connections) determines the servers to which
the ACE appliance sends connection requests. For information about configuring class maps, see
Configuring Virtual Context Class Maps, page 12-8.
Use this procedure to configure load balancing on real servers.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Real Servers. The Real Servers
table appears.
Step 2
Click Add to add a new real server, or select a real server you want to modify, and then click Edit. The
Real Servers configuration screen appears.
Step 3
Configure the server using the information in Table 6-1.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-5
Chapter 6
Configuring Real Servers and Server Farms
Configuring Real Servers
Table 6-1
Real Server Attributes
Field
Description
Name
Either accept the automatically incremented value in this field, or enter a
unique name for this server. Valid entries are unquoted text strings with no
spaces and a maximum of 64 characters.
Type
Select the type of server:
State
•
Host—Indicates that this is a typical real server that provides content
and services to clients.
•
Redirect—Indicates that this server is used to redirect traffic to a new
location.
Select the state of this real server:
•
In Service—The real server is in service.
•
Out Of Service—The real server is out of service.
Description
Enter a brief description for this real server. Valid entries are unquoted
alphanumeric text strings with no spaces and a maximum of 240 characters.
IP Address Type
These selections appear for only real servers specified as hosts.
Select the IP address type of this real server:
IPv6/IPv4 Address
•
IPv6—The real server has an IPv6 address.
•
IPv4—The real server has an IPv4 address.
This field appears for only real servers specified as hosts.
Enter a unique IP address as indicated by the IP Address Type field. The IP
address cannot be of an existing virtual IP address (VIP), real server or
interface in the context.
Fail-On-All
This field appears only for real servers identified as host servers.
By default, real servers with multiple probes configured for them have an
OR logic associated with them. This means that if one of the real server
probes fails, the real server fails and enters the PROBE-FAILED state.
Click this check box to configure a real server to remain in the
OPERATIONAL state unless all probes associated with it fail (AND logic).
The Fail-On-All function is applicable to all probe types.
Min. Connections
Enter the minimum number of connections to be allowed on this server
before the ACE appliance starts sending connections again after it has
exceeded the Max. Connections limit. This value must be less than or equal
to the Max. Connections value. By default, this value is equal to the Max.
Connections value. Valid entries are integers from 1 to 4000000.
Max. Connections
Enter the maximum number of active connections allowed on this server.
When the number of connections exceeds this value, the ACE appliance
stops sending connections to this server until the number of connections falls
below the Min. Connections value. Valid entries are integers from 1 to
4000000, and the default is 4000000.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-6
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Real Servers
Table 6-1
Real Server Attributes (continued)
Field
Description
Weight
This field appears only for real servers identified as hosts.
Enter the weight to be assigned to this real server in a server farm. Valid
entries are integers from 1 to 100, and the default is 8.
Web Host Redirection
URL string used to redirect requests to another server. This field appears
only for real servers identified as redirect servers. Enter the URL and port
used to redirect requests to another server.
Valid entries are in the form http://host.com:port where host is the name of
the server and port is the port to be used. Valid host entries are unquoted text
strings with no spaces and a maximum of 255 characters. Valid port
numbers are from 1 to 65535.
The relocation string supports the following special characters:
Redirection Code
•
%h—Inserts the hostname from the request Host header
•
%p—Inserts the URL path string from the request
This field appears only for real servers identified as redirect servers.
Select the appropriate redirection code:
Probes
•
N/A—Indicates that the webhost redirection code is not defined.
•
301—Indicates that the requested resource has been moved
permanently. For future references to this resource, the client should use
one of the returned URIs.
•
302—Indicates that the requested resource has been found, but has been
moved temporarily to another location. For future references to this
resource, the client should use the request URI because the resource may
be moved to other locations from time to time.
In the Probes field, select the probes that are to be used for health monitoring
in the list on the left, and then click Add. The selected probes appear in the
list on the right.
Note
The probe must have the same IP address type (IPv6 or IPv4) as the
real server. For example, you cannot configure an IPv6 probe to an
IPv4 real server.
The redirect real server probe list contains only configured probes of the type
Is Routed, which means that the ACE routes the probe address according to
the ACE internal routing table (see the “Configuring Health Monitoring for
Real Servers” section on page 6-41).
Note
The Probes field list on the left does not display the VM probe type.
To remove probes that you do not want to use for health monitoring, select
them in the list on the right, and then click Remove. The selected probes
appear in the list on the left.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-7
Chapter 6
Configuring Real Servers and Server Farms
Configuring Real Servers
Table 6-1
Real Server Attributes (continued)
Field
Description
Rate Bandwidth
The bandwidth rate is the number of bytes per second and applies to the
network traffic exchanged between the ACE and the real server in both
directions.
Specify the real server bandwidth limit in bytes per second. Valid entries are
integers from 1 to 300000000.
Rate Connection
The connection rate is the number of connections per second received by the
ACE and applies only to new connections destined to a real server.
Specify the limit for connections per second. Valid entries are integers from
1 to 350000.
Step 4
Step 5
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit the procedure without saving your entries and to return to the Real Servers
table.
•
Click the Add another icon to save your entries and to configure another real server.
To display statistics and status information for an existing real server, choose a real server from the Real
Servers table, and then click Details. The show rserver name detail CLI command output appears. See
the “Displaying Real Server Statistics and Status Information” section on page 6-8 for details.
Related Topics
•
Configuring Health Monitoring for Real Servers, page 6-41
•
Configuring Server Farms, page 6-18
•
Configuring Sticky Groups, page 7-11
Displaying Real Server Statistics and Status Information
You can display statistics and status information for a particular real server.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Real Servers.
The Real Servers table appears.
Step 2
In the Real Servers table, choose a real server from the Real Servers table, and click Details.
The show rserver name detail CLI command output appears. For details on the displayed output fields,
see the Server Load-Balancing Guide, Cisco ACE Application Control Engine, Chapter 2, “Configuring
Real Servers and Server Farms.”
Step 3
Click Update Details to refresh the output for the show rserver name detail CLI command. The new
information appears in a separate panel with a new timestamp; both the old and the new real server
statistics and status information appear side-by-side to avoid overwriting the last updated information.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-8
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Managing Real Servers
Step 4
Click Close to return to the Real Servers table.
Related Topics
•
Configuring Real Servers, page 6-5
•
Managing Real Servers, page 6-9
•
Viewing All Real Servers, page 6-12
Managing Real Servers
The Real Servers table (Config > Operations > Real Servers) provides the following information by
default for each server:
•
Server name
•
IP address
•
Port
•
Associated virtual server
•
Associated virtual context
•
Admin State (In Service, Out Of Service, or In Service Standby)
•
Operational state (See Table 6-3 for descriptions of real server operational states.)
•
Number of current connections
•
Current server weight
•
Locality
•
Stat Age, time as the page load since the SNMP values were polled
•
Associated server farm
In the table, Disabled indicates that either the information is not available from the database or that it is
not being collected via SNMP. To identify any SNMP-related issues, select the real server’s virtual
context in the object selector. If there are problems with SNMP, SNMP status will appear in the upper
right above the content pane.
The following options are available from the Real Servers table:
•
Activating Real Servers, page 6-10
•
Suspending Real Servers, page 6-10
•
Modifying Real Servers, page 6-11
•
Viewing All Real Servers, page 6-12
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-9
Chapter 6
Configuring Real Servers and Server Farms
Managing Real Servers
Activating Real Servers
Use this procedure to activate a real server.
Procedure
Step 1
Choose Config > Operations > Real Servers. The Real Servers table appears.
Step 2
Select the servers that you want to activate, and then click Activate. The Activate Server screen appears.
Step 3
In the Task field, confirm that this is the server that you want to activate.
Step 4
In the Reason field, enter a reason for this action. You might enter a trouble ticket, an order ticket, or a
user message.
Caution
Step 5
Do not enter a password in this field.
Do the following:
•
Click Deploy Now to deploy this configuration and to return to the Real Servers table. The server
appears in the table with the status Inservice.
•
Click Cancel to exit this procedure without activating the server and to return to the Real Servers
table.
Related Topics
•
Managing Real Servers, page 6-9
•
Suspending Real Servers, page 6-10
•
Viewing All Real Servers, page 6-12
Suspending Real Servers
Use this procedure to suspend a real server.
Procedure
Step 1
Choose Config > Operations > Real Servers. The Real Servers table appears.
Step 2
Select the server that you want to suspend, and then click Suspend. The Suspend Server screen appears.
Step 3
In the Reason field, enter the reason for this action. You might enter a trouble ticket, an order ticket, or
a user message. Do not enter a password in this field.
Step 4
Select one of the following from the Type drop down menu:
•
Graceful
•
Suspend
•
Suspend and Clear Connections to clear the existing connections to this server as part of the
shutdown process
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-10
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Managing Real Servers
Step 5
Do the following:
•
Click Deploy Now to deploy this configuration and to return to the Real Servers table. The server
appears in the table with the status Out Of Service.
•
Click Cancel to exit this procedure without suspending the server and to return to the Real Servers
table.
Related Topics
•
Managing Real Servers, page 6-9
•
Activating Real Servers, page 6-10
•
Viewing All Real Servers, page 6-12
Modifying Real Servers
Use this procedure to modify weight and connection limits for real servers.
Procedure
Step 1
Select the servers whose configuration you want to modify, and then click Change Weight below the
table to the right of Activate and Suspend. The Change Weight Real Servers window appears.
Step 2
Enter the following information for the selected server:
Step 3
•
Reason for change—Such as trouble ticket, order ticket or user message. Do not enter a password
in this field.
•
Weight—Select a value from 1 to 100.
Do the following:
•
Click Deploy Now to accept your entries and to return to the Real Servers table. The server appears
in the table with the updated information.
•
Click Cancel to exit this procedure without saving your entries and to return to the Real Servers
table.
Related Topics
•
Managing Real Servers, page 6-9
•
Activating Real Servers, page 6-10
•
Viewing All Real Servers, page 6-12
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-11
Chapter 6
Configuring Real Servers and Server Farms
Managing Real Servers
Viewing All Real Servers
To view all real servers, choose Config > Operations > Real Servers. The Real Servers table displays
the following information in Table 6-2 by default:
Table 6-2
Real Server Table Fields
Item
Description
Name
Real server name.
IP address
Real server IP address.
Port
Port used to by the real server for communications.
Vservers
Associated virtual server.
Context
Associated virtual context.
Admin
Administrative state of the real server: In Service, Out Of Service, or In Service Standby.
Oper
Operational state of the real server (see Table 6-3 for descriptions of real server operational states).
Conn
Number of current connections.
Wt
Current server weight.
Locality
Locality requires that you configure the Dynamic Workload Scaling on the ACE (see the “Configuring
Dynamic Workload Scaling” section on page 6-14).
Location of the real server, which must be a VM and not a physical server. Possible locality states are
as follows:
•
N/A—he ACE cannot determine the real server location (local or remote). A possible cause for
this issue is that Dynamic Workload Scaling is not configured correctly.
•
Local—The real server is located in the local network.
•
Remote—The real server is located in the remote network. The ACE bursts traffic to this server
when the CPU or memory usage of the local real server reaches the specified maximum threshold
value.
Stat Age
Time as of the page load when the SNMP values were polled.
Server Farm
Associated server farm.
In the previous table, Disabled indicates that either the information is not available from the database or
that it is not being collected via SNMP. To identify any SNMP-related issues, select the real server’s
virtual context in the object selector. If there are problems with SNMP, SNMP status will appear in the
upper right above the content pane.
Table 6-3
Real Server Operational States
State
Description
ARP Failed
An ARP request to this server has failed.
Failed
The server has failed and will not be retried for the amount of time specified
by its retry timer.
Inactive
The server is disabled as it has become inactive such as in the case when the
real server is not associated to any server farm.
Inband probe failed
The server has failed the inband Health Probe agent.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-12
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Managing Real Servers
Table 6-3
Real Server Operational States (continued)
State
Description
Inservice
The server is in use as a destination for server load balancing client
connections.
Inservice standby
The server is in standby state. No connections will be assigned to it unless
the primary server fails.
Max. Load
The server is under maximum load and cannot receive any additional
connections.
ND Failed
For IPv6, Neighbor Discovery (ND) was unable to resolve the address of the
real server.
Operation wait
The server is ready to become operational but is waiting for the associated
redirect virtual server to be in service.
Out of service
The server is not in use by a server load balancer as a destination for client
connections.
Probe failed
The server load-balancing probe to this server has failed. No new
connections will be assigned to this server until a probe to this server
succeeds.
Probe testing
The server has received a test probe from the server load balancer.
Ready to test
The server has failed and its retry timer has expired; test connections will
begin flowing to it soon.
Return code failed
The server has been disabled because it returned an HTTP code that matched
a configured value.
Test wait
The server is ready to be tested. This state is applicable only when the server
is used for HTTP redirect load balancing.
Testing
The server has failed and has been given another test connection. The
success of this connection is not known.
Throttle: DFP
DFP has lowered the weight of the server to throttle level; no new
connections will be assigned to the server until DFP raises its weight.
Throttle: max clients
The server has reached its maximum number of allowed clients.
Throttle: max
connections
The server has reached its maximum number of connections and is no longer
being given connections.
Unknown
The state of the server is not known.
Related Topics
•
Activating Real Servers, page 6-10
•
Suspending Real Servers, page 6-10
•
Modifying Real Servers, page 6-11
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-13
Chapter 6
Configuring Real Servers and Server Farms
Configuring Dynamic Workload Scaling
Configuring Dynamic Workload Scaling
This section describes how to configure the ACE Dynamic Workload Scaling (DWS) feature. DWS
enables an ACE to burst traffic to a remote pool of VMs when the average CPU or memory usage of the
local VMs has reached a specified maximum threshold value. When the usage drops to a specified
minimum threshold value, the ACE stops bursting traffic to the remote VMs. For more information about
the Dynamic Workload Scaling feature, see the “Dynamic Workload Scaling Overview” section on
page 6-4.
DWS requires configuring an ACE with the following:
•
Nexus 7000 Series switches—XML interface IP address of the local Cisco Nexus 7000 series
switches that the ACE polls to obtain VM location information (local or remote).
Note
Note
With Device Manager software Version A5(1.2), you can specify up to two Nexus 7000
switches that the ACE is to poll. With Device Manager software Version A5(1.1), you can
specify only one Nexus 7000 switch.
•
VM Controller—IP address of the VM Controller (also known as VMware vCenter Server) that the
ACE sends a health probe to monitor local VM load.
•
VM probe—Probe that the ACE sends to the VM Controller to monitor local VM load based on CPU
usage, memory usage, or both (see the “Configuring Health Monitoring” section on page 6-39).
•
Server Farms—Groups of networked real servers (physical servers and VMs) that provide content
delivery. See the “Configuring Server Farms” section on page 6-18.
To enable the ACE to use the VMs associated with DWS for load balancing, you must configure them
as real servers on the ACE (see the “Configuring Real Servers” section on page 6-5).
Prerequisites
Dynamic Workload Scaling requires the following configuration elements:
•
A Cisco Nexus 7000 Series switch configured for DCI/OTV in the local data center and in the
remote data center. For details about configuring a Nexus 7000 for DCI/OTV, see the Cisco Nexus
7000 NX-OS OTV Configuration Guide, Release 5.x.
•
VMware vCenter Server 4.0 or later.
•
Multiple local and remote VMs configured as real servers and associated with server farms
configured on the ACE.
•
ACE backend interface MTU set to 1430 or less to accommodate DCI encapsulation and the Don’t
Fragment (DF) bit is automatically set on the DCI link. For details about setting the ACE MTU, see
the Routing and Bridging Guide, Cisco ACE Application Control Engine.
This section contains the following topics:
•
Configuring and Verifying a Cisco Nexus 7000 Connection, page 6-15
•
Configuring and Verifying a VM Controller Connection, page 6-16
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-14
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Dynamic Workload Scaling
Configuring and Verifying a Cisco Nexus 7000 Connection
This procedure describes how to configure an ACE with the Cisco Nexus 7000 Series switch attributes
required to allow the ACE to communicate with the Cisco Nexus 7000 Series switch using SSH. The
ACE uses the Cisco Nexus 7000 Series swtich to obtain VM location information (local or remote).
Note
With Device Manager software Version A5(1.2), you can specify up to two Cisco Nexus 7000 Series
switches that the ACE is to poll. With Device Manager software Version A5(1.1), you can specify only
one Cisco Nexus 7000 Series switch.
You can also use this procedure to edit the attributes of an existing Cisco Nexus 7000 Series switch
profile or remove a switch profile.
Guidelines and Restrictions
Configure up to two Cisco Nexus 7000 Series switches per ACE in the Admin context.
Procedure
Step 1
Choose Config > Virtual Contexts > Load Balancing > Dynamic Workload Scaling > Nexus 7000
Setup.
The Nexus 7000 Setup pane appears.
Note
Step 2
If existing Cisco Nexus 7000 Series switch profiles already exist, the Name field lists their
profile names in drop-down list on the right.
From the Nexus 7000 Setup pane, do one of the following:
•
Define a new Cisco Nexus 7000 Series switch profile as follows:
a. From the Name field, click the text box radio button if it is not already selected and enter a Nexus
7000 name with a maximum of 64 characters. See the Note at the beginning of this chapter for ACE
object naming specifications.
b. From the Primary IP filed, enter the Cisco Nexus 7000 Series XML interface IP address in
dotted-decimal format (such as 192.168.11.1).
c. From the User Name field, enter the username that the ACE uses for access and authentication on
the Nexus 7000. Valid entries are unquoted text strings with a maximum of 64 characters with no
spaces.
Note
The user must have either the vdc-admin or network-admin role to receive the Nexus 7000
output for the VM location information in XML format.
d. From the Password field, enter the password that the ACE uses for authentication on the
Nexus 7000. Valid entries are unquoted text strings with a maximum of 64 characters with no
spaces.
e. From the Confirm field, reenter the password and go to Step 3.
•
Edit an existing Cisco Nexus 7000 Series switch profile as follows:
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-15
Chapter 6
Configuring Real Servers and Server Farms
Configuring Dynamic Workload Scaling
a. From the Name field, click the radio button for the drop down list that contains the list of existing
switch profile names.
b. From the drop down list, choose the switch profile to edit. The current profile attributes display.
c. Edit the profile fields as described in the procedure above for creating a new profile and go to
Step 3.
Step 3
Click Deploy Now to deploy this configuration on the ACE and save your entry to the
running-configuration and startup-configuration files. If you specified a new switch profile, it is added
to the drop down list located in the Name field.
Note
Step 4
Configuring the ACE for Dynamic Workload Scaling also requires configuring the ACE with
the VM Controller information (see “Configuring and Verifying a VM Controller Connection”
section on page 6-16) and configuring a VM health probe (see the “Configuring Health
Monitoring” section on page 6-39).
(Optional) Use the function buttons available from this window as follows:
•
Click Details to verify connectivity between the ACE and the selected Nexus 7000 switch profile.
The ACE show nexus-device device_name detail CLI command output displays in a pop-up
window and includes the device name, IP address, and connection information. For more
information about the command output, see the Server Load-Balancing Guide, Cisco ACE
Application Control Engine.
•
Caution
Click Delete to delete the currently selected Nexus 7000 switch profile.
If the ACE is currently configured for Dynamic Workload Scaling, deleting a Nexus 7000 switch profile
disables the feature if only one switch profile is defined.
Related Topics
•
Configuring and Verifying a VM Controller Connection, page 6-16
•
Configuring Health Monitoring, page 6-39
•
Configuring Dynamic Workload Scaling, page 6-14
•
Dynamic Workload Scaling Overview, page 6-4
•
Configuring Real Servers, page 6-5
•
Configuring Server Farms, page 6-18
Configuring and Verifying a VM Controller Connection
This procedure describes how to configure an ACE with the VM Controller (VMware vCenter Server)
attributes required to allow the ACE to communicate with the VM Controller to obtain local VM load
information.
Guidelines and Restrictions
Configure only one VM Controller per ACE Admin context.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-16
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Dynamic Workload Scaling
Prerequisites
The ACE is configured to communicate with the local Nexus 7000 that enables the ACE to discover the
locality of the VM Controller VMs (see the “Configuring and Verifying a Cisco Nexus 7000
Connection” section on page 6-15).
Procedure
Step 1
Choose Config > Virtual Contexts > Load Balancing > Dynamic Workload Scaling > VM
Controller Setup.
The VM Controller Setup pane appears.
Step 2
Table 6-4
From the VM Controller Setup pane, define the VM Controller using the information in Table 6-4.
VM Controller Setup
Field
Description
Name
VM Controller name (see the Note at the beginning of this chapter for ACE object naming specifications).
URL
IP address or URL for the VM Controller web services API agent. The URL must point to the
VM Controller software development kit (SDK), for example, https://1.2.3.4/sdk). Enter a maximum of
255 characters.
User Name
Username that the ACE uses for access and authentication on the VM Controller. The user must have a
read-only role at least or a role with a read privilege. Valid entries are unquoted text strings with a maximum
of 64 characters and no spaces.
Password
Password to be used for authentication on the VM Controller. Valid entries are unquoted text strings with a
maximum of 64 characters and no spaces.
Reenter the password in the Confirm field.
Step 3
Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
Note
Step 4
Configuring the ACE for Dynamic Workload Scaling also requires configuring the ACE with
the Nexus 7000 information (see “Configuring and Verifying a Cisco Nexus 7000 Connection”
section on page 6-15) and configuring a VM health probe (see the “Configuring Health
Monitoring” section on page 6-39).
(Optional) Click Details to verify connectivity between the ACE and the remote VM Controller.
The ACE show vm-controller device_name detail CLI command output displays in a pop-up window
and includes VM Controller status, IP address, and connection information.
Step 5
(Optional) Click Delete to delete the currently configured VM Controller.
Note
If the ACE is currently configured to use the Dynamic Workload Scaling, before you can delete
the VM controller, you must delete the associated VM health probe (see the “Configuring Health
Monitoring” section on page 6-39).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-17
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Related Topics
•
Configuring and Verifying a Cisco Nexus 7000 Connection, page 6-15
•
Configuring Health Monitoring, page 6-39
•
Configuring Dynamic Workload Scaling, page 6-14
•
Dynamic Workload Scaling Overview, page 6-4
•
Configuring Real Servers, page 6-5
•
Configuring Server Farms, page 6-18
Configuring Server Farms
Server farms are groups of networked real servers (physical servers and VMs) that contain the same
content and that typically reside in the same physical location in a data center.
Note
With Dynamic Workload Scaling configured on the ACE, the real servers that are VMs can also reside
in a remote datacenter (see the “Configuring Dynamic Workload Scaling” section on page 6-14).
Web sites often comprise groups of servers configured in a server farm. Load-balancing software
distributes client requests for content or services among the real servers based on the configured policy
and traffic classification, server availability and load, and other factors. If one server goes down, another
server can take its place and continue to provide the same content to the clients who requested it.
Note
A server farm can support a mix of IPv6 and IPv4 real servers, and can be associated with both IPv6 and
IPv4 probes.
Use this procedure to configure load balancing on server farms.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Server Farms.
The Server Farms window appears. For information about this window, see the “Viewing All Server
Farms” section on page 6-38).
Step 2
Click Add to add a new server farm, or select an existing server farm, and then click Edit.
The Server Farms configuration screen appears.
Step 3
Enter the server farm attributes (see Table 6-5).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-18
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-5
Server Farm Attributes
Field
Description
Name
Either accept the automatically incremented value in this field, or enter a unique name for this
server farm. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Type
Select the type of server farm:
•
Host—Indicates that this is a typical server farm that consists of real servers that provide
content and services to clients
•
Redirect—Indicates that this server farm consists only of real servers that redirect client
requests to alternate locations specified in the real server configuration. (See Configuring Real
Servers, page 6-5.)
Description
Enter a brief description for this server farm. Valid entries are unquoted alphanumeric text strings
with no spaces and a maximum of 240 characters.
Fail Action
Select the action the ACE appliance is to take with respect to connections if any real server in the
server farm fails:
•
N/A—Indicates that the ACE appliance is to take no action if any server in the server farm fails.
•
Purge—Indicates that the ACE appliance is to remove connections to a real server if that real
server in the server farm fails. The ACE appliance sends a reset command to both the client and
the server that failed.
•
Reassign—The ACE is to reassign the existing server connections to the backup real server (if
configured) if the real server fails after you enter this command. If a backup real server has not
been configured for the failing server, this selection leaves the existing connections untouched
in the failing real server.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-19
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-5
Server Farm Attributes (continued)
Field
Description
Failaction Reassign
Across Vlans
This field appears only when the Fail Action is set to Reassign.
Check the check box to specify that the ACE reassigns the existing server connections to the backup
real server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real
server fails. If a backup real server has not been configured for the failing server, this option has no
effect and leaves the existing connections untouched in the failing real server.
Note the following configuration requirements and restrictions when you enable this option:
•
Enable the Transparent option (see the next Field) to instruct the ACE not to use NAT to
translate the ACE VIP address to the server IP address. The Failaction Reassign Across Vlans
option is intended for use in stateful firewall load balancing (FWLB) on your ACE, where the
destination IP address for the connection coming in to the ACE is for the end-point real server,
and the ACE reassigns the connection so that it is transmitted through a different next hop.
•
Enable the MAC Sticky option on all server-side interfaces to ensure that packets that are going
to and coming from the same server in a flow will traverse the same firewalls or stateful devices
(see the “Configuring Virtual Context VLAN Interfaces” section on page 10-10).
•
Configure the Predictor Hash Address option. See the “Configuring the Predictor Method for
Server Farms” section on page 6-29 for the supported predictor methods and configurable
attributes for each predictor method.
•
You must configure identical policies on the primary interface and the backup-server interface.
The backup interface must have the same feature configurations as the primary interface.
•
If you configure a policy on the backup-server interface that is different from the policies on
the primary-server interface, that policy will be effective only for new connections. The
reassigned connection will always have only the primary-server interface policies.
•
Interface-specific features (for example, NAT, application protocol inspection, outbound
ACLs, or SYN cookie) are not supported.
•
You cannot reassign connections to the failed real server after it comes back up. This restriction
also applies to same-VLAN backup servers.
•
Real servers must be directly connected to the ACE. This requirement also applies to
same-VLAN backup server.
•
You must disable sequence number randomization on the firewall (see the “Configuring
Connection Parameter Maps” section on page 8-5).
•
Probe configurations should be similar on both ACEs and the interval values should be low. For
example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2,
the reassigned connections may become stuck because of the probe configuration mismatch.
ACE-2 with the low interval value will detect the primary server failure first and will reassign
all its incoming connections to the backup-server interface VLAN. ACE-1 with the high
interval value may not detect the failure before the primary server comes back up and will still
point to the primary server.
To minimize packet loss, we recommend the following probe parameter values on both ACEs:
Interval: 2, Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-20
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-5
Server Farm Attributes (continued)
Field
Description
Dynamic Workload
Scaling
This field appears only for host server farms.
Allows the ACE to burst traffic to remote VMs when the average CPU or memory usage of the local
VMs has reached it’s specified maximum threshold value. The ACE stops bursting traffic to the
remote VMs when the average CPU or memory usage of the local VMs has dropped below its
specified minimum threshold value. This option requires that you configure the ACE for Dynamic
Workload Scaling using a Cisco Nexus 7000 Series switch, VM Controller, and VM probe (see the
“Configuring Dynamic Workload Scaling” section on page 6-14).
Click one of the following radio button options:
•
N/A—Not applicable (default).
•
Local—Restricts the ACE to use of local VMs only for server load balancing.
•
Burst—Enables the ACE to burst traffic to remote VMs when needed.
When you choose Burst, the VM Probe Name field appears along with a list of available VM
probes. Choose an available VM probe or click Add to display the Health Monitoring pop-up
window and create a new VM probe or edit an existing one (see the “Configuring Health
Monitoring” section on page 6-39).
Fail-On-All
This field appears only for host server farms.
By default, real servers that you configure in a server farm inherit the probes that you configure
directly on that server farm. When you configure multiple probes on a server farm, the real servers
in the server farm use an OR logic with respect to the probes, which means that if one of the probes
configured on the server farm fails, all the real servers in that server farm fail and enter the
PROBE-FAILED state. With AND logic, if one server farm probe fails, the real servers in the server
farm remain in the operational state. If all the probes associated with the server farm fail, then all
the real servers in that server farm fail and enter the PROBE-FAILED state.
Click this check box to configure the real servers in a server farm to use AND logic with respect to
multiple server farm probes.
The Fail-On-All function is applicable to all probe types.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-21
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-5
Server Farm Attributes (continued)
Field
Description
Inband-Health Check
This field appears only for host server farms.
By default, the ACE monitors the health of all real servers in a configuration through the use of
ARPs and health probes. However, there is latency period between when the real server goes down
and when the ACE becomes aware of the state. The inband health monitoring feature allows the
ACE to monitor the health of the real servers in the server farm through the following connection
failures:
•
For TCP, resets (RSTs) from the server or SYN timeouts.
•
For UDP, ICMP Host, Network, Port, Protocol, and Source Route unreachable messages.
When you configure the failure-count threshold and the number of these failures exceeds the
threshold within the reset-time interval, the ACE immediately marks the server as failed, takes it
out of service, and removes it from load balancing. The server is not considered for load balancing
until the optional resume-service interval expires.
Choose one of the following:
•
Count—Tracks the total number of TCP or UDP failures, and increments the counters as
displayed by the show serverfarm name inband CLI command.
•
Log—Logs a syslog error message when the number of events reaches the configured
connection failure threshold.
•
Remove—Logs a syslog error message when the number of events reaches the threshold and
removes the server from service.
Note
You can configure this feature and health probes to monitor a server. When you do, both are
required to keep a real server in service within a server farm. If either feature detects a
server is out of service, the ACE does not select the server for load balancing.
Connection Failure
Threshold Count
This field appears only when the Inband-Health Check is set to Log or Remove.
Reset Timeout
(Milliseconds)
This field appears only when the Inband-Health Check is set to Log or Remove.
Enter the maximum number of connection failures that a real server can exhibit in the reset-time
interval before ACE marks the real server as failed. Valid entries are integers from 1 to 4294967295.
Enter the number of milliseconds for the reset-time interval. Valid entries are integers from 100 to
300000. The default interval is 100.
This interval starts when the ACE detects a connection failure. If the connection failure threshold
is reached during this interval, the ACE generates a syslog message.When Inband-Health Check is
set to Remove, the ACE also removes the real server from service.
Changing the setting of this option affects the behavior of the real server, as follows:
•
When the real server is in the OPERATIONAL state, even if several connection failures have
occurred, the new reset-time interval takes effect the next time that a connection error occurs.
•
When the real server in the INBAND-HM-FAILED state, the new reset-time interval takes
effect the next time that a connection error occurs after the server transitions to the
OPERATIONAL state.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-22
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-5
Server Farm Attributes (continued)
Field
Description
Resume Service
(Seconds)
This field appears only when the Inband-Health Check is set to Remove.
Transparent
Enter the number of seconds after a server has been marked as failed to reconsider it for sending
live connections. Valid entries are integers from 30 to 3600. By default, this field is not configured.
The setting of this option affects the behavior of the real server in the inband failed state, as follows:
•
When this field is not configured, the real server remains in the failed state until you manually
suspend and then reactivate it.
•
When this field is not configured and then you configure this option with an integer between
30 and 3,600, the failed real server immediately transitions to the Operational state.
•
When you configure this field and then increase the value, the real server remains in the failed
state for the duration of the previously-configured value. The new value takes effect the next
time the real server transitions to the failed state.
•
When you configure this field and then decrease the value, the failed real server immediately
transitions to the Operational state.
•
When you configure this field with an integer between 30 and 3,600 and then reset it deleting
the value from the field, the real server remains in the failed state for the duration of the
previously-configured value. The unconfigured setting takes effect the next time the real server
transitions to the failed state. Then the real server remains in the failed state until you manually
suspend and then reactivate it.
•
When you change this field within the reset-time interval and the real server is in the
OPERATIONAL state with several connection failures, the new threshold interval takes effect
the next time that a connection error occurs, even if it occurs within the current reset-time
interval.
This field appears only for real servers identified as host servers.
Check the check box to specify that network address translation from the VIP address to the server
IP is to occur. Clear the check box to indicates that network address translation from the VIP address
to the server IP address is not to occur (default).
Partial-Threshold
Percentage
This field appears only for host server farms.
Enter the minimum percentage of real servers in the primary server farm that must remain active
for the server farm to stay up. If the percentage of active real servers falls below this threshold, the
ACE takes the server farm out of service. Valid entries are integers from 0 to 99.
After you configure a value in this field, enter a value in the Back Inservice field to bring the
primary server farm back into service.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-23
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-5
Server Farm Attributes (continued)
Field
Description
Back Inservice
This field appears only for host server farms.
Enter the percentage of real servers in the primary server farm that must be active again for the ACE
to place the server farm back into service. Valid entries are integers from 0 to 99. The value in this
field must be greater than or equal the value in the Partial Threshold Percentage field.
Probes
In the Available list, choose the probes to use for health monitoring, and click Add. The selected
probes appear in the Selected list.
The redirect server farm probe list contains only configured probes of the type Is Routed, which
means that the ACE routes the probe address according to the ACE internal routing table (see the
“Configuring Health Monitoring for Real Servers” section on page 6-41).
Note
You can associate both IPv6 and IPv4 probes to a server farm.
Note
The list of Available probes does not display the VM probe type. To choose a VM probe for
monitoring local VM usage, see the Dynamic Workload Scaling field.
To remove probes that you do not want to use for health monitoring, select them in the Selected list,
and then click Remove. The selected probes appear in the Available list.
Step 4
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance. To add real servers to the
farm and to configure server farm attributes, see the following topics:
– Adding Real Servers to a Server Farm, page 6-26
– Configuring Health Monitoring, page 6-39
– Configuring Server Farm HTTP Return Error-Code Checking, page 6-36
Step 5
•
Click Cancel to exit the procedure without saving your entries and to return to the Server Farms
table.
•
Click Next to save your entries and to configure another server farm.
(Optional) To display statistics and status information for an existing server farm, choose a server farm
from the Server Farms table, and click Details.
The show serverfarm name detail CLI command output appears. See the “Displaying Server Farm
Statistics and Status Information” section on page 6-39 for details.
Related Topics
•
Configuring Health Monitoring for Real Servers, page 6-41
•
Configuring Real Servers, page 6-5
•
Configuring Sticky Groups, page 7-11
•
Configuring Health Monitoring, page 6-39
•
Configuring Server Farm HTTP Return Error-Code Checking, page 6-36
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-24
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
•
Configuring Dynamic Workload Scaling, page 6-14
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-25
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Adding Real Servers to a Server Farm
After adding a server farm, (see Configuring Server Farms, page 6-18), you can associate real servers
with it and configure predictors and retcode maps. The configuration screens for these attributes appear
beneath the Server Farms table or after you have successfully added a new server farm.
Note
If you do not see these tabs beneath the Server Farms table, click the Switch between Configure and
Browse Modes button.
When creating or editing a server farm, if the real server to be added has the same name as an existing
global real server but contains a different IP address (or no IP address), the Device Manager displays the
following error message:
IP address of pre-existing real sever cannot be changed: “<rs-name>” (ip-addr>).
If this error message appears, ensure that you specify an existing real server with the matching IP
address.
Use this procedure to add real servers to a server farm.
Assumptions
•
A server farm has been added to the ACE Appliance Device Manager. (See Configuring Server
Farms, page 6-18.)
•
At least one real server exists.
Consideration
A server farm can support a mix of IPv6 and IPv4 real servers.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms
table appears.
Step 2
Select the server farm you want to associate with real servers, and then select the Real Servers tab. The
Real Servers table appears.
Step 3
Click Add to add a new entry to the Real Servers table, or select an existing server, and then click Edit
to modify it. The Real Servers configuration screen appears.
Step 4
Configure the real server using the information in Table 6-6.
Table 6-6
Real Server Configuration Attributes
Field
Description
Name
Select the server that you want to associate with the server farm.
Port
Enter the port number to be used for server port address translation (PAT).
Valid entries are integers from 1 to 65535.
Backup Server Name
Select the server that is to act as the backup server for the server farm. Leave
this field blank to indicate that there is no designated backup server for the
server farm.
Backup Server Port
If you select a backup server, enter the backup server port number. Valid
entries are integers from 1 to 65535.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-26
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-6
Real Server Configuration Attributes (continued)
Field
Description
State
Select the state of this server:
•
In Service—Indicates that this server is in service.
•
In Service Standby—Indicates that this server is a backup server and is
to remain inactive unless the primary server fails. If the primary server
fails, the backup server becomes active and starts accepting
connections.
•
Out Of Service—Indicates that this server is out of service.
Buddy Real Group
Name
Create a buddy real server group or select an existing one to enable
persistence to the same real server or group of real servers across multiple
server farms (for more information, see the “Buddy Sticky Groups” section
on page 7-6).
Fail-On-All
This field appears only for real servers identified as host servers.
By default, real servers with multiple probes configured for them have an
OR logic associated with them. This means that if one of the real server
probes fails, the real server fails and enters the PROBE-FAILED state.
Click this check box to configure a real server to remain in the
OPERATIONAL state unless all probes associated with it fail (AND logic).
The Fail On All function is applicable to all probe types.
Min. Connections
Enter the minimum number of connections that the number of connections
must fall below before the ACE appliance resumes sending connections to
the server after it has exceeded the number in the Max. Connections field.
The number in this field must be less than or equal to the number in the Max.
Connections field. 1 to 4000000. The default value is 4000000.
Max. Connections
Enter the maximum number of active connections that can be sent to the
server. When the number of connections exceeds this number, the ACE
appliance stops sending connections to the server until the number of
connections falls below the number specified in the Min. Connections field.
Valid entries are integers from 1 to 4000000. The default is 4000000.
Weight
Enter the weight to assign to the server. Valid entries are integers from 1 to
100, and the default is 8.
Cookie String
This field appears only for real servers identified as hosts.
Enter a cookie string value of the real server, which is to be used for HTTP
cookie insertion when establishing a sticky connection. Valid entries are text
strings with a maximum of 32 alphanumeric characters. You can include
spaces and special characters in a cookie string value.
Use cookie insertion when you want to use a session cookie for persistence
if the server is not currently setting the appropriate cookie. With this feature
enabled, the ACE inserts the cookie in the Set-Cookie header of the response
from the server to the client. See Chapter 7, “Configuring Stickiness” for
details on HTTP cookie sticky connections.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-27
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-6
Real Server Configuration Attributes (continued)
Field
Description
Probes
Select the probes in the Available list that you want to apply to this server,
and then click Add. The selected probes appear in the Selected list. To
remove probes you do not want to apply to this server, select the probes in
the Selected list, and then click Remove.
Note
Rate Bandwidth
The Available list does not display the VM probe type.
The bandwidth rate is the number of bytes per second and applies to the
network traffic exchanged between the ACE and the real server in both
directions.
Specify the bandwidth limit in bytes per second. Valid entries are integers
from 1 to 300000000.
Rate Connection
The connection rate is the number of connections per second received by the
ACE and applies only to new connections destined to a real server.
Specify the limit for connections per second. Valid entries are integers from
1 to 350000.
Step 5
When you finish configuring this server for this server farm, click:
•
Deploy Now to deploy this configuration on the ACE appliance.
•
Cancel to exit this procedure without saving your entries and to return to the Real Servers table.
•
Next to save your entries and to add another real server for this server farm.
Related Topics
•
Configuring Health Monitoring for Real Servers, page 6-41
•
Configuring Real Servers, page 6-5
•
Configuring Sticky Groups, page 7-11
•
Configuring Health Monitoring, page 6-39
•
Configuring Server Farm HTTP Return Error-Code Checking, page 6-36
•
Configuring Dynamic Workload Scaling, page 6-14
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-28
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Configuring the Predictor Method for Server Farms
After adding a server farm, (Configuring Server Farms, page 6-18), you can associate real servers with
it and configure the predictor method and retcode maps. The configuration screens for these attributes
appear beneath the Server Farms table or after you have successfully added a new server farm.
Note
If you do not see these tabs beneath the Server Farms table, click the Switch between Configure and
Browse Modes button.
Use this procedure to configure the predictor method for a server farm. The predictor method specifies
how the ACE appliance is to select a server in the server farm when it receives a client request for a
service.
Note
You can configure only one predictor method per server farm.
Assumptions
•
A server farm has been added to the ACE Appliance Device Manager. (See Configuring Server
Farms, page 6-18.)
•
At least one real server exists.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms
table appears.
Step 2
Select the server farm you want to configure the predictor method for, and then select the Predictor tab.
The Predictor configuration screen appears.
Step 3
In the Type field, select the method that the ACE appliance is to use to select a server in this server farm
when it receives a client request. Table 6-7 lists the available options and describes them.
Step 4
Enter the required information for the selected predictor method. Round Robin is the default predictor
method. See Table 6-7.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-29
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-7
Predictor Method Attributes
Predictor Method
Description / Action
Hash Address
The ACE selects the server using a hash value based on the source or destination IP address.
To configure the hash address predictor method:
1.
In the Mask Type field, indicate whether server selection is based on source IP address or the
destination IP address:
– N/A—This option is not defined.
– Destination—The server is selected based on the destination IP address.
– Source—The server is selected based on the source IP address.
Note
If you configure the server farm with IPv6 and IPv4 Hash Address predictors at the
same time, both predictors must have the same mask type.
2.
In the IP Netmask field, select the subnet mask to apply to the address. If none is specified,
the default is 255.255.255.255.
3.
In the IPv6 Prefix-Length field, enter the IPv6 prefix length. If none is specified, the default
is 128.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-30
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-7
Predictor Method Attributes (continued)
Predictor Method
Description / Action
Hash Content
The ACE selects the server by using a hash value based on the specified content string of the HTTP
packet body.
1.
In the Begin Pattern field, enter the beginning pattern of the content string and the pattern
string to match before hashing. If you do not specify a beginning pattern, the ACE starts
parsing the HTTP body immediate following the offset byte. You cannot configure different
beginning and ending patterns for different server farms that are part of the same traffic
classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions.
Table 12-33 lists the supported characters that you can use for matching string expressions.
2.
In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify
either a length or an end pattern, the ACE continues to parse the data until it reaches the end
of the field or the end of the packet, or until it reaches the maximum body parse length. You
cannot configure different beginning and ending patterns for different server farms that are
part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions.
Table 12-33 lists the supported characters that you can use for matching string expressions.
3.
In the Length field, enter the length in bytes of the portion of the content (starting with the
byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries
are integers from 1 to 1000 bytes.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset
but shorter than the offset plus the length of the payload, the ACE sticks the connection based
on that portion of the payload starting with the byte after the offset value and ending with the
byte specified by the offset plus the length. The total of the offset and the length cannot exceed
1000.
You cannot specify both the length and the end-pattern options for a Hash Content predictor.
4.
Hash Cookie
In the HTTP Content Offset field, enter the portion of the content that the ACE uses to stick
the client on a particular server by indicating the bytes to ignore starting with the first byte of
the payload. Valid entries are integers from 0 to 999 bytes. The default is 0, which indicates
that the ACE does not exclude any portion of the content.
The ACE selects the server by using a hash value based on the cookie name.
In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no
spaces and a maximum of 64 characters.
Hash Secondary
Cookie
The ACE selects the server by using the hash value based on the specified cookie name in the URL
query string, not the cookie header.
In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no
spaces and a maximum of 64 characters.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-31
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-7
Predictor Method Attributes (continued)
Predictor Method
Description / Action
Hash Header
The ACE selects the server by using a hash value based on the header name.
In the Header Name field, select the HTTP header to be used for server selection:
Hash Layer4
•
To specify an HTTP header that is not one of the standard HTTP headers, select the first radio
button and enter the HTTP header name in the Header Name field. Valid entries are unquoted
text strings with no spaces and a maximum of 64 characters.
•
To specify one of the standard HTTP headers, select the second radio button, then select one
of the HTTP headers from the list.
The ACE selects the server by using a Layer 4 generic protocol load-balancing method. Use this
predictor to load balance packets from protocols that are not explicitly supported by the ACE.
1.
In the Begin Pattern field, enter the beginning pattern of the Layer 4 payload and the pattern
string to match before hashing. If you do not specify a beginning pattern, the ACE starts
parsing the HTTP body immediate following the offset byte. You cannot configure different
beginning and ending patterns for different server farms that are part of the same traffic
classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions.
Table 12-33 lists the supported characters that you can use for matching string expressions.
2.
In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify
either a length or an end pattern, the ACE continues to parse the data until it reaches the end
of the field or the end of the packet, or until it reaches the maximum body parse length. You
cannot configure different beginning and ending patterns for different server farms that are
part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions.
Table 12-33 lists the supported characters that you can use for matching string expressions.
3.
In the Length field, enter the length in bytes of the portion of the payload (starting with the
byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries
are integers from 1 to 1000 bytes.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset
but shorter than the offset plus the length of the payload, the ACE sticks the connection based
on that portion of the payload starting with the byte after the offset value and ending with the
byte specified by the offset plus the length. The total of the offset and the length cannot exceed
1000.
You cannot specify both the length and end-pattern options for a Hash Layer 4 predictor.
4.
In the HTTP Content Offset field, enter the portion of the content that the ACE uses to stick
the client on a particular server by indicating the bytes to ignore starting with the first byte of
the payload. Valid entries are integers from 0 to 999 bytes. The default is 0, which indicates
that the ACE does not exclude any portion of the content.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-32
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-7
Predictor Method Attributes (continued)
Predictor Method
Description / Action
Hash URL
The ACE selects the server using a hash value based on the URL. Use this method to load balance
firewalls.
Enter values in one or both of the pattern fields:
•
In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string
to parse.
•
In the URL End Pattern field, enter the ending pattern of the URL and the pattern string to
parse.
Valid entries for these fields are unquoted text strings with no spaces and a maximum of
255 alphanumeric characters for each pattern you configure. The following special characters are
also allowed: @ # $
Least Bandwidth
Least Connections
The ACE selects the server with the least amount of network traffic over a specified sampling
period.
1.
In the Assess Time field, enter the number of seconds for which the ACE is to collect traffic
information. Valid entries are integers from 1 to 10 seconds.
2.
In the Least Bandwidth Samples field, enter the number of samples over which you want to
weight and average the results of the probe query to calculate the final load value. Valid entries
are 1, 2, 4, 8, and 16 (integers from 1 to 16 that are also a power of 2).
The ACE selects the server with the fewest number of connections.
In the Slow Start Duration field, enter the slow-start value to be applied to this predictor method.
Valid entries are integers from 1 to 65535, where 1 is the slowest ramp-up value.
The slow-start mechanism is used to avoid sending a high rate of new connections to servers that
you have just put into service.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-33
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-7
Predictor Method Attributes (continued)
Predictor Method
Description / Action
Least Loaded
The ACE selects the server with the lowest load based on information from SNMP probes.
1.
In the SNMP Probe Name field, select the name of the SNMP probe to use.
2.
In the Auto Adjust field, configure the autoadjust feature to instruct the ACE to apply the
maximum load of 16000 to a real server whose load reaches zero or override the default
behavior. By default, the ACE applies the average load of the server farm to a real server
whose load is zero. The ACE periodically adjusts this load value based on feedback from the
server SNMP probe and other configured options.
Options are as follows:
– Average—Applies the average load of the server farm to a real server whose load is zero.
This setting allows the server to participate in load balancing, while preventing it from
being flooded by new connections. This is the default setting.
– Maxload—Instruct the ACE to apply the maximum load of 16000 to a real server whose
load reaches zero.
– Off—Instruct the ACE to send all new connections to the server that has a load of zero
until the next load update arrives from the SNMP probe for this server. If two servers have
the same lowest load (either zero or nonzero), the ACE load balances the connections
between the two servers in a round-robin manner.
3.
In the Weight Connection field, check the check box to instruct the ACE to use the current
connection count in the final load calculation for a real server. When you configure this
option, the ACE includes the current connection count in the total load calculation for each
real server in a server farm. Clear the check box to reset the behavior of the ACE to the default
of excluding the current connection count from the load calculation.
To instruct the ACE to select the server with the lowest load, use the predictor least-loaded
command in server farm host or redirect configuration mode. With this predictor, the ACE uses
SNMP probes to query the real servers for load parameter values (for example, CPU utilization or
memory utilization). This predictor is considered adaptive because the ACE continuously provides
feedback to the load-balancing algorithm based on the behavior of the real server.
To use this predictor, you must associate an SNMP probe with it. The ACE queries user-specified
OIDs periodically based on a configurable time interval. The ACE uses the retrieved SNMP load
value to determine the server with the lowest load.
The syntax of this predictor command is as follows:
predictor least-loaded probe name
The name argument specifies the identifier of the existing SNMP probe that you want the ACE to
use to query the server. Enter an unquoted text string with no spaces and a maximum of
64 alphanumeric characters.
For example, to configure the ACE to select the real server with the lowest load based on feedback
from an SNMP probe called PROBE_SNMP, enter:
host1/Admin(config)# serverfarm SF1
host1/Admin(config-sfarm-host)# predictor least-loaded probe PROBE_SNMP
host1/Admin(config-sfarm-host-predictor)#
To reset the predictor method to the default of Round Robin, enter:
host1/Admin(config-sfarm-host)# no predictor
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-34
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-7
Predictor Method Attributes (continued)
Predictor Method
Description / Action
Response
The ACE selects the server with the lowest response time for a requested response-time
measurement.
1.
In the Response Type field, select the type of measurement to use:
– App-Req-To-Resp—The response time from when the ACE sends an HTTP request to a
server to the time that the ACE receives a response from the server for that request.
– Syn-To-Close—The response time from when the ACE sends a TCP SYN to a server to
the time that the ACE receives a CLOSE from the server.
– Syn-To-Synack—The response time from when the ACE sends a TCP SYN to a server to
the time that the ACE receives a SYN-ACK from the server.
Round Robin
Step 5
2.
In the Response Samples field, enter the number of samples over which you want to average
the results of the response-time measurement. Valid entries are 1, 2, 4, 8, and 16 (integers from
1 to 16 that are also a power of 2).
3.
In the Weight Connection field, check the check box to instruct the ACE to use the current
connection count in the final load calculation for a real server. When you configure this
option, the ACE includes the current connection count in the total load calculation for each
real server in a server farm. Clear the check box to reset the behavior of the ACE to the default
of excluding the current connection count from the load calculation.
The ACE selects the next server in the list of servers based on server weight. This is the default
predictor method.
Click:
•
Deploy Now to deploy this configuration on the ACE appliance.
•
Cancel to exit this procedure without saving your entries and to return to the t Connection field
table.
Related Topics
•
Configuring Health Monitoring for Real Servers, page 6-41
•
Configuring Real Servers, page 6-5
•
Configuring Sticky Groups, page 7-11
•
Adding Real Servers to a Server Farm, page 6-26
•
Configuring Server Farm HTTP Return Error-Code Checking, page 6-36
•
Configuring Dynamic Workload Scaling, page 6-14
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-35
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Configuring Server Farm HTTP Return Error-Code Checking
After adding a server farm, (see the “Configuring Server Farms” section on page 6-18), you can
associate real servers with it and configure the predictor method and retcode maps. The configuration
screens for these attributes appear beneath the Server Farms table or after you have successfully added
a new server farm.
Use this procedure to configure HTTP return error-code checking (retcode map) for a server farm.
Note
This feature is available only for server farms configured as hosts. It is not available for server farms
configured with the type Redirect.
Assumption
A host type server farm has been added to the ACE Appliance Device Manager. (See Configuring Server
Farms, page 6-18.)
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms
table appears.
Step 2
Select the server farm you want to configure return error-code checking for, and then select the Retcode
Map tab. The Retcode Map table appears. If you do not see tabs beneath the Server Farms table, click
the Switch Between Configure And Browse Modes button.
Step 3
Click Add to add a new entry to the table. The Retcode Map configuration screen appears.
Note
You cannot modify an entry in the Retcode Map table. Instead, delete the existing entry, and then
add a new one.
Step 4
In the Lowest Retcode field, enter the minimum value for an HTTP return error code. Valid entries are
integers from 100 to 599. This number must be less than or equal to the number in the Highest Retcode
field.
Step 5
In the Highest Retcode field, enter the maximum number for an HTTP return error code. Valid entries
are integers from 100 to 599. This number must be greater than or equal to the number in the Lowest
Retcode field.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-36
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
Step 6
Table 6-8
In the Type field, specify the action to be taken and related options using the information in Table 6-8.
Return-Code Type Configuration Options
Option
Description
Count
The ACE tracks the total number of return codes received for each return code number that you specify.
Log
The ACE generates a syslog error message when the number of events reaches a specified threshold.
1.
In the Threshold field, enter the number of events that the ACE is to receive before generating a syslog error
message. Valid entries are integers from 1 to 4294967295.
2.
In the Reset field, enter the time interval in seconds for which the ACE checks for the return code. Valid entries
are integers from 1 to 2147483647 seconds.
Remove The ACE generates a syslog error message when the number of events reaches a specified threshold and then
removes the server from service.
1.
In the Threshold field, enter the number of events that the ACE is to receive before generating a syslog error
message and removing the server from service. Valid entries are integers from 1 to 4294967295.
2.
In the Reset field, enter the time interval in seconds for which the ACE checks for the return code. Valid entries
are integers from 1 to 2147483647 seconds.
3.
In the Resume Service field, enter the number of seconds that the ACE waits before it resumes service for the
real server automatically after taking the real server out of service. Valid entries are 30 to 3600 seconds. By
default, this field is not configured. The setting of this field affects the behavior of the real server in the failed
state, as follows:
– When this field is not configured, the real server remains in the failed state until you manually remove it
from service and read it.
– When this field is not configured and then you configure it with an integer between 30 and 3,600, the failed
real server immediately transitions to the Operational state.
– When you configure this field and then increase the value, the real server remains in the failed state for
the duration of the previously-configured value. The new value takes effect the next time the real server
transitions to the failed state.
– When you configure this field and then decrease the value, the failed real server immediately transitions
to the Operational state.
– When you configure this field with an integer between 30 and 3,600 and then reset it by deleting the value
from the field, the real server remains in the failed state for the duration of the previously-configured
value. The unconfigured setting takes effect the next time the real server transitions to the failed state.
Then the real server remains in the failed state until you manually remove it from service and read it.
Step 7
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries and to return to the Retcode Map
table.
•
Click Next to save your entries and to add another retcode map.
Related Topics
•
Using Virtual Contexts, page 4-2
•
Configuring Virtual Context Class Maps, page 12-8
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-37
Chapter 6
Configuring Real Servers and Server Farms
Configuring Server Farms
•
Configuring Virtual Context Policy Maps, page 12-34
•
Configuring Real Servers, page 6-5
•
Configuring Sticky Groups, page 7-11
•
Configuring Dynamic Workload Scaling, page 6-14
Viewing All Server Farms
Use this procedure to view all server farms associated with a virtual context.
Procedure
Step 1
Choose Config > Virtual Contexts.
The All Virtual Contexts table appears.
Step 2
Choose the virtual context with the server farms that you want to view and choose Load Balancing >
Server Farms.
The Server Farms table appears with the following information:
•
Server farm name
•
Server farm type (either host or redirect)
•
Description
Depending on the server farms selected, additional tables appear below the Server Farms table. These
tables include:
Step 3
•
Real Servers—Displays the real servers associated with the selected server farm.
•
Predictor—Displays the selected predictor method for the selected server farm.
•
Retcode Map—Displays the HTTP return error-code checking that has been configured for the
selected server farm.
(Optional) Do the following:
•
Add or edit a server farm (see the “Configuring Server Farms” section on page 6-18)
•
Choose a server farm and click Buddy Group to view a pop-up window that displays the output of
the show buddy group command. The pop-up window displays the list of buddy groups configured
in the virtual context (for more information, see the “Buddy Sticky Groups” section on page 7-6).
•
Click the Real Servers tab to display the real servers associated with the selected server farm. From
this tab you can manage the server farm real servers (see the “Adding Real Servers to a Server Farm”
section on page 6-26).
•
Click the Predictor tab to display the predictor method associated with the selected server farm.
From this tab you can choose the predictor method (see the “Configuring the Predictor Method for
Server Farms” section on page 6-29).
•
Click the Retcode Map tab to display the HTTP return error-code checking that has been configured
for the selected server farm. From this tab you can manage the error-code checking (see the
“Configuring Server Farm HTTP Return Error-Code Checking” section on page 6-36).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-38
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Related Topics
•
Configuring Server Farms, page 6-18
•
Adding Real Servers to a Server Farm, page 6-26
•
Configuring Health Monitoring, page 6-39
•
Configuring Server Farm HTTP Return Error-Code Checking, page 6-36
•
Configuring Dynamic Workload Scaling, page 6-14
Displaying Server Farm Statistics and Status Information
You can display statistics and status information for a particular server farm.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Server Farms.
The Server Farms table appears.
Step 2
In the Server Farms table, choose a server farm from the Server Farms table, and click Details.
The show serverfarm name detail CLI command output appears. For details about the displayed output
fields, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine, Chapter 2,
Configuring Real Servers and Server Farms.
Step 3
Click Update Details to refresh the output for the show serverfarm name detail CLI command.
The new information appears in a separate panel with a new timestamp; both the old and the new server
farm statistics and status information appear side-by-side to avoid overwriting the last updated
information.
Step 4
Click Close to return to the Server Farms table.
Related Topics
•
Viewing All Server Farms, page 6-38
•
Configuring Server Farms, page 6-18
•
Adding Real Servers to a Server Farm, page 6-26
•
Configuring Health Monitoring, page 6-39
•
Configuring Server Farm HTTP Return Error-Code Checking, page 6-36
•
Configuring Dynamic Workload Scaling, page 6-14
Configuring Health Monitoring
You can instruct the ACE appliance to check the health of servers and server farms by configuring health
probes (sometimes referred to as keepalives). After you create a probe, you assign it to a real server or
a server farm. A probe can be one of many types, including TCP, ICMP, Telnet, HTTP, and so on. You
can also configure scripted probes using the TCL scripting language (see TCL Scripts, page 6-40).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-39
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
The ACE appliance sends out probes periodically to determine the status of a server, verifies the server
response, and checks for other network problems that may prevent a client from reaching a server. Based
on the server response, the ACE appliance can place the server in or out of service, and, based on the
status of the servers in the server farm, can make reliable load-balancing decisions.
Health monitoring on the ACE appliance tracks the state of a server by sending out probes. Also referred
to as out-of-band health monitoring, the ACE appliance verifies the server response or checks for any
network problems that can prevent a client to reach a server. Based on the server response, the ACE
appliance can place the server in or out of service, and can make reliable load balancing decisions.
Note
You can configure the inband health monitoring feature and health probes to monitor the health of the
real servers in a server farm. For more information on inband health monitoring, see the “Configuring
Server Farms” section on page 6-18.
The ACE appliance identifies the health of a server in the following categories:
•
Passed—The server returns a valid response.
•
Failed—The server fails to provide a valid response to the ACE or the ACE is unable to reach a
server for a specified number of retries.
By configuring the ACE appliance for health monitoring, the ACE appliance sends active probes
periodically to determine the server state.
The ACE appliance supports 4000 unique probe configurations which includes ICMP, TCP, HTTP, and
other predefined health probes. The ACE appliance also allows the opening of 1000 sockets
simultaneously.
Related Topics
•
Configuring Health Monitoring for Real Servers, page 6-41
•
TCL Scripts, page 6-40
TCL Scripts
The ACE appliance supports several specific types of health probes (for example HTTP, TCP, or ICMP
health probes) when you need to use a diverse set of applications and health probes to administer your
network. The basic health probe types supported in the current ACE appliance software release may not
support the specific probing behavior that your network requires. To support a more flexible
health-probing functionality, the ACE appliance allows you to upload and execute TCL scripts on the
ACE appliance.
The TCL interpreter code in the ACE appliance is based on Release 8.44 of the standard TCL
distribution. You can create a script to configure health probes. Script probes operate similar to other
health probes available in the ACE appliance software. As part of a script probe, the ACE appliance
executes the script periodically, and the exit code that is returned by the executing script indicates the
relative health and availability of specific real servers. For information on health probes, see
Configuring Health Monitoring for Real Servers, page 6-41.
For your convenience, the following sample scripts for the ACE appliance are available to support the
TCL feature and are supported by Cisco TAC:
•
ECHO_PROBE_SCRIPT
•
FINGER_PROBE_SCRIPT
•
FTP_PROBE_SCRIPT
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-40
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
•
HTTP_PROBE_SCRIPT
•
HTTPCONTENT_PROBE
•
HTTPHEADER_PROBE
•
HTTPPROXY_PROBE
•
IMAP_PROBE
•
LDAP_PROBE
•
MAIL_PROBE
•
POP3_PROBE
•
PROBENOTICE_PROBE
•
RTSP_PROBE
•
SSL_PROBE_SCRIPT
These scripts are located in the probe: directory and are accessible in both the Admin and user contexts.
Note that the script files in the probe: directory are read-only, so you cannot copy or modify them.
However, you can copy files from the probe: directory. For more information, see the Administration
Guide, Cisco ACE Application Control Engine.
To load a script into memory on the ACE appliance and enable it for use, use the script file command.
For detailed information on uploading and executing Toolkit Command Language (TCL) scripts on the
ACE appliance, refer to the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Configuring Health Monitoring for Real Servers
To check the health and availability of a real server, the ACE appliance periodically sends a probe to the
real server. Depending on the server response, the ACE appliance determines whether to include the
server in its load-balancing decision.
Note
You can configure the inband health monitoring feature and health probes to monitor the health of the
real servers in a server farm. When you do, both are required to keep a real server in service within a
server farm. If either feature detects a server is out of service, the ACE does not select the server for load
balancing. For more information on inband health monitoring, see the “Configuring Server Farms”
section on page 6-18.
Use this procedure to establish monitoring of real servers to determine their viability in load-balancing
decisions.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health
Monitoring table appears.
Step 2
Click Add to add a new health monitoring probe, or select an existing entry, and then click Edit to
modify it. The Health Monitoring screen appears.
Step 3
In the Name field, enter a name that identifies the probe and that associates the probe with the real server.
Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Step 4
In the Type field, select the type of probe you want to use. The probe type determines what the probe
sends to the real server. See Table 6-9 for the types of probes and their descriptions.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-41
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-9
Probe Types
Probe Type
Description
DNS
Sends a request to a DNS server giving it a configured domain. To determine
if the server is up, the ACE appliance must receive the configured IP address
for that domain.
ECHO-TCP
Sends a string to the server and compares the response with the original
string. If the response string matches the original, the server is marked as
passed. If not, the ACE appliance retries as configured before the server is
marked as failed.
ECHO-UDP
Sends a string to the server and compares the response with the original
string. If the response string matches the original, the server is marked as
passed. If not, the ACE appliance retries as configured before the server is
marked as failed.
FINGER
Sends a probe to the server to verify that a defined username is a username
on the server.
FTP
Initiates an FTP session. By default, this probe is for an anonymous login
with the option of configuring a user ID and password. The ACE appliance
performs an FTP GET or LS to determine the outcome of the problem. This
probe supports only active connections.
HTTP
Sets up a TCP connection and issues an HTTP request. Any valid HTTP
response causes the probe to mark the real server as passed.
HTTPS
Similar to an HTTP probe, but this probe uses SSL to generate encrypted
data.
Note
This option is not available for the ACE NPE software version (see
the “Information About the ACE No Payload Encryption Software
Version” section on page 1-2).
ICMP
Sends an ICMP request and listens for a response. If the server returns a
response, the ACE appliance marks the real server as passed. If there is no
response and times out, or an ICMP standard error occurs, such as
DESTINATION_UNREACHABLE, the ACE appliance marks the real
server as failed.
IMAP
Initiates an IMAP session, using a configured user ID and password. Then,
the probe attempts to retrieve e-mail from the server and validates the result
of the probe based on the return codes received from the server.
POP
Initiates a POP session, using a configured user ID and password. Then, the
probe attempts to retrieve e-mail from the server and validates the result of
the probe based on the return codes received from the server.
RADIUS
Connects to a RADIUS server and logs into it to determine if the server is up.
RTSP
Establishes a TCP connection and sends a request packet to the server. The
ACE compares the response with the configured response code to determine
whether the probe succeeded.
Scripted
Executes probes from a configured script to perform health probing. This
method allows you to author specific scripts with features not present in
standard probes.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-42
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-9
Probe Types (continued)
Probe Type
Description
SIP-TCP
Establishes a TCP connection and sends an OPTIONS request packet to the
user agent on the server. The ACE compares the response with the
configured response code or expected string, or both, to determine whether
the probe has succeeded. If you do not configure an expected status code,
any response from the server is marked as failed.
SIP-UDP
Establishes a UDP connection and sends an OPTIONS request packet to the
user agent on the server. The ACE compares the response with the
configured response code or expected string, or both, to determine whether
the probe has succeeded. If you do not configure an expected status code,
any response from the server is marked as failed.
SMTP
Initiates an SMTP session by logging into the server.
SNMP
Establishes a UDP connection and sends a maximum of eight SMNP OID
queries to probe the server. The ACE weighs and averages the load
information that is retrieved and uses it as input to the least-loaded algorithm
for load-balancing decisions. If the retrieved value is within the configured
threshold, the server is marked as passed. If the threshold is exceeded, the
server is marked as failed.
TCP
Initiates a TCP handshake and expects a response. By default, a successful
response causes the probe to mark the server as passed. The probe then sends
a FIN to end the session. If the response is not valid, or if there is no
response, the probe marks the real server as failed.
TELNET
Establishes a connection to the real server and verifies that a greeting from
the application was received.
UDP
Sends a UDP packet to a real server. The probe marks the server as failed
only if an ICMP Port Unreachable messages is returned.
VM
Sends a probe to the VMware VM Controller to determine the average
amount of both CPU and memory usage of its associated local VMs. The
probe response determines whether the ACE load-balances traffic to the
local VMs only or bursts traffic to the remote VMs due to high usage of the
local VMs.
Note
Use a VM probe when you configure the ACE for Dynamic
Workload Scaling (see the “Configuring Dynamic Workload
Scaling” section on page 6-14).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-43
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Step 5
Note
Enter health monitoring general attributes (see Table 6-10).
Click More Settings to access the additional general attributes for the selected probe type. By default,
the Device Manager hides the probe attributes with default values and the probe attributes which are not
commonly used.
Table 6-10
Health Monitoring General Attributes
Field
Action
Description
Enter a description for this probe. Valid entries are unquoted alphanumeric text
strings with no spaces and a maximum of 240 characters.
Probe Interval
(Seconds)
Enter the number of seconds that the ACE is to wait before sending another probe
to a server marked as passed. Valid entries are from 2 to 65535 for all probe types
except the VM probe, which has a range from 300 to 65535.
The default is 15 for all probe types except the VM probe, which has a default of
300 seconds.
Pass Detect
Enter the number of seconds that the ACE is to wait before sending another probe
Interval (Seconds) to a server marked as failed. Valid entries are integers from 2 to 65535 with a
default of 60.
Note
Fail Detect
This field is not applicable for the VM probe type.
Enter the consecutive number of times that an ACE must detect that probes have
failed to contact a server before marking the server as failed. Valid entries are
integers from 1 to 65535 with a default of 3.
Note
This field is not applicable for the VM probe type.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-44
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-10
Health Monitoring General Attributes (continued)
Field
Action
More Settings (Not applicable for the VM probe type)
Pass Detect Count
Enter the number of successful probe responses from the server before the server
is marked as passed. Valid entries are integers from 1 to 65535 with a default of 3.
Receive Timeout
(Seconds)
Enter the number of seconds the ACE is to wait for a response from a server that
has been probed before marking the server as failed. Valid entries are integers
from 1 to 65535 with a default of 10.
Destination
IPv4/IPv6
Address1
By default, the probe uses the IP address from the real or virtual server
configuration for the destination IP address. To override the destination address
that the probe uses, enter the preferred destination IP address in this field.
Note
The following probes support IPv6 destination addresses: DNS, HTTP,
HTTPS, ICMP, TCP, and UDP.
Note
When you assign a probe to a real server, they must be configured with
the same IP address type (IPv6 or IPv4).
Is Routed2
Check the check box to indicate that the destination IP address is routed according
to the ACE internal routing table. Clear the check box to indicate that the
destination IP address is not routed according to the ACE internal routing table.
Port
By default, the precedence in which the probe inherits the port number is as
follows:
•
The port number that you configure for the probe.
•
The configured port number from the real server in server farm.
•
The configured port number from the VIP in a Layer 3 and Layer 4 class map.
•
The default port number. Table 6-11 lists the default port number for each
probe type.
If you explicitly configure a default port, the ACE always sends the probe to the
default port. The probe does not dynamically inherit the port number from the real
server in a server farm or from the VIP specified in the class map.
1. The Dest IP Address field is not applicable to the Scripted probe type.
2. The Is Routed field is not applicable to the RTSP, Scripted, SIP-TCP, and SIP-UDP probe types.
Table 6-11
Default Port Numbers for Probe Types
Probe Type
Default Port Number
DNS
53
Echo
7
Finger
79
FTP
21
HTTP
80
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-45
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-11
Step 6
Default Port Numbers for Probe Types (continued)
Probe Type
Default Port Number
HTTPS
443
ICMP
Not applicable
IMAP
143
POP3
110
RADIUS
1812
RTSP
554
Scripted
1
SIP (both TCP and UDP)
5060
SMTP
25
SNMP
161
Telnet
23
TCP
80
UDP
53
VM
443
Enter the attributes for the specific probe type selected:
•
For DNS probes, see Table 6-12.
•
For Echo-TCP probes, see Table 6-13.
•
For Echo-UDP probes, see Table 6-14.
•
For Finger probes, see Table 6-15.
•
For FTP probes, see Table 6-16.
•
For HTTP probes, see Table 6-17.
•
For HTTPS probes, see Table 6-18.
•
There are no specific attributes for ICMP probes.
•
For IMAP probes, see Table 6-19.
•
For POP probes, see Table 6-20.
•
For RADIUS probes, see Table 6-21.
•
For RTSP probes, see Table 6-22.
•
For Scripted probes, see Table 6-23.
•
For SIP-TCP probes, see Table 6-24.
•
For SIP-UDP probes, see Table 6-25.
•
For SMTP probes, see Table 6-26.
•
For SNMP probes, see Table 6-27.
•
For TCP probes, see Table 6-28.
•
For Telnet probes, see Table 6-29.
•
For UDP probes, see Table 6-30.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-46
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
•
Step 7
Step 8
For VM probes, see Table 6-31.
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries and to return to the Health
Monitoring table.
•
Click Next to save your entries and to configure another probe.
(Optional) To display statistics and status information for a particular probe, choose the probe from the
Health Monitoring table, and click Details.
The show probe name detail CLI command output appears. See the “Displaying Health Monitoring
Statistics and Status Information” section on page 6-69 for details.
Related Topics
•
Configuring DNS Probe Expect Addresses, page 6-66
•
Configuring Headers for HTTP and HTTPS Probes, page 6-66
•
Configuring Health Monitoring Expect Status, page 6-67
•
Configuring Real Servers, page 6-5
•
Configuring Server Farms, page 6-18
•
Configuring Sticky Groups, page 7-11
Probe Attribute Tables
Refer to the following topics to configure health monitoring probe-specific attributes:
•
DNS Probe Attributes, page 6-48
•
Echo-TCP Probe Attributes, page 6-48
•
Echo-UDP Probe Attributes, page 6-49
•
Finger Probe Attributes, page 6-49
•
FTP Probe Attributes, page 6-50
•
HTTP Probe Attributes, page 6-50
•
HTTPS Probe Attributes, page 6-52
•
IMAP Probe Attributes, page 6-54
•
POP Probe Attributes, page 6-55
•
RADIUS Probe Attributes, page 6-56
•
RTSP Probe Attributes, page 6-56
•
Scripted Probe Attributes, page 6-57
•
SIP-TCP Probe Attributes, page 6-59
•
SIP-UDP Probe Attributes, page 6-59
•
SMTP Probe Attributes, page 6-60
•
SNMP Probe Attributes, page 6-60
•
TCP Probe Attributes, page 6-61
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-47
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
•
Telnet Probe Attributes, page 6-62
•
UDP Probe Attributes, page 6-63
•
VM Probe Attributes, page 6-65
Refer to the following topics for additional configuration options for health monitoring probes:
•
Configuring DNS Probe Expect Addresses, page 6-66
•
Configuring Headers for HTTP and HTTPS Probes, page 6-66
•
Configuring Health Monitoring Expect Status, page 6-67
•
Configuring an OID for SNMP Probes, page 6-68
DNS Probe Attributes
Note
Click More Settings to access the additional attributes for the DNS probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-12
DNS Probe Attributes
Field
Action
Domain Name
Enter the domain name that the probe is to send to the DNS server. Valid
entries are unquoted text strings with a maximum of 255 characters.
More Settings
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
To configure expect addresses for DNS probes, see Configuring DNS Probe Expect Addresses,
page 6-66.
Echo-TCP Probe Attributes
Note
Click More Settings to access the additional attributes for the Echo-TCP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-13
Echo-TCP Probe Attributes
Field
Action
Send Data
Enter the ASCII data that the probe is to send to the server. Valid entries are
unquoted text strings with no spaces and a maximum of 255 characters.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-48
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-13
Echo-TCP Probe Attributes (continued)
Field
Action
More Settings
TCP Connection
Termination
Check box that when checked, configures the ACE to terminate TCP
connections gracefully by sending a FIN to the server. Uncheck the check
box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout
(Seconds)
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
Echo-UDP Probe Attributes
Note
Click More Settings to access the additional attributes for the Echo-UDP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-14
Echo-UDP Probe Attributes
Field
Action
Send Data
Enter the ASCII data that the probe is to send to the server. Valid entries are
unquoted text strings with no spaces and a maximum of 255 characters.
More Settings
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
Finger Probe Attributes
Note
Click More Settings to access the additional attributes for the Finger probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-15
Finger Probe Attributes
Field
Action
Send Data
Enter the ASCII data that the probe is to send to the server. Valid entries are
unquoted text strings with no spaces and a maximum of 255 characters.
More Settings
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-49
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-15
Finger Probe Attributes (continued)
Field
Action
TCP Connection
Termination
Check box that when checked, configures the ACE to terminate TCP
connections gracefully by sending a FIN to the server. Uncheck the check
box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout
(Seconds)
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
FTP Probe Attributes
Note
Click More Settings to access the additional attributes for the FTP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-16
FTP Probe Attributes
Field
Action
More Settings
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
TCP Connection
Termination
Check box that when checked, configures the ACE to terminate TCP
connections gracefully by sending a FIN to the server. Uncheck the check
box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout
(Seconds)
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
To configure probe expect statuses for FTP probes, see Configuring Health Monitoring Expect Status,
page 6-67.
HTTP Probe Attributes
Note
Click More Settings to access the additional attributes for the HTTP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-50
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-17
HTTP Probe Attributes
Field
Action
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
Request Method Type
Select the type of HTTP request method that is to be used for this probe:
Request HTTP URL
•
N/A—This option is not defined.
•
Get—The HTTP request method is a GET with a URL of “/”. This
request method directs the server to get the page, and the ACE calculates
a hash value for the content of the page. If the page content information
changes, the hash value no longer matches the original hash value and
the ACE assumes the service is down. This is the default request
method.
•
Head—The server is to only get the header for the page. Using this
method can prevent the ACE from assuming that the service is down due
to changed content and therefore changed hash values.
This field appears if you select Head or Get in the Request Method Type
field.
Enter the URL path on the remote server. Valid entries are strings of up to
255 characters specifying the URL path. The default path is “/’.
More Settings
TCP Connection
Termination
Check box that when checked, configures the ACE to terminate TCP
connections gracefully by sending a FIN to the server. Uncheck the check
box to configure the ACE to terminate a TCP connection by sending an RST.
Append Port Host Tag
Check the check box to append port information in the HTTP Host header
when you configure a non-default destination port for an HTTP probe. Clear
the check box to not append the port information in the HTTP Host header.
Open Timeout
(Seconds)
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
User Name
Enter the user identifier to be used for authentication on the real server. Valid
entries are unquoted text strings with a maximum of 64 characters.
Password
Enter the password to be used for authentication on the real server. Valid
entries are unquoted text strings with a maximum of 64 characters.
Reenter the password in the Confirm field.
Expect Regular
Expression
Enter the expected response data from the probe destination. Valid entries
are text strings (quotes allowed) with a maximum of 255 characters.
Expect Regex Offset
Enter the number of characters into the received message or buffer where the
ACE is to begin looking for the string specified in the Expect Regular
Expression field. Valid entries are integers from 1 to 4000.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-51
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-17
HTTP Probe Attributes (continued)
Field
Action
Hash
Check the Hash check box to indicate that the ACE is to use an MD5 hash
for an HTTP GET probe. Clear the Hash check box to indicate that the ACE
should not use an MD5 hash for an HTTP GET probe.
Hash String
This field appears if the Hash check box is selected.
Enter the 32-bit hash value that the ACE is to compare with the hash that is
generated from the HTTP page sent by the server. If you do not provide this
value, the ACE generates a value the first time it queries the server, stores
this value, and matches this value with other responses from the server. A
successful comparison causes the probe to maintain an Alive state.
Enter the MD5 hash value as a quoted or unquoted hexadecimal string with
16 characters.
To configure probe headers and expect statuses for HTTP probes, see the following topics:
•
Configuring Headers for HTTP and HTTPS Probes, page 6-66
•
Configuring Health Monitoring Expect Status, page 6-67
HTTPS Probe Attributes
Note
Click More Settings to access the additional attributes for the HTTPS probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-18
HTTPS Probe Attributes
Field
Action
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
Request Method Type
Select the type of HTTP request method that is to be used for this probe:
•
N/A—This option is not defined.
•
Get—The HTTP request method is a GET with a URL of “/”. This
request method directs the server to get the page, and the ACE calculates
a hash value for the content of the page. If the page content information
changes, the hash value no longer matches the original hash value and
the ACE assumes the service is down. This is the default request
method.
•
Head—The server is to only get the header for the page. Using this
method can prevent the ACE from assuming that the service is down due
to changed content and therefore changed hash values.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-52
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-18
HTTPS Probe Attributes (continued)
Field
Action
Request HTTP URL
This field appears if you select Head or Get in the Request Method Type
field.
Enter the URL path on the remote server. Valid entries are strings of up to
255 characters specifying the URL path. The default path is “/’.
Cipher
Select the cipher suite to be used with this HTTPS probe:
SSL Version
•
RSA_ANY—The HTTPS probe accepts all RSA-configured cipher
suites and that no specific suite is configured. This is the default action.
•
RSA_EXPORT1024_WITH_DES_CBC_SHA
•
RSA_EXPORT1024_WITH_RC4_56_MD5
•
RSA_EXPORT1024_WITH_RC4_56_SHA
•
RSA_EXPORT_WITH_DES40_CBC_SHA
•
RSA_EXPORT_WITH_RC4_40_MD5
•
RSA_WITH_3DES_EDE_CBC_SHA
•
RSA_WITH_AES_128_CBC_SHA
•
RSA_WITH_AES_256_CBC_SHA
•
RSA_WITH_DES_CBC_SHA
•
RSA_WITH_RC4_128_MD5
•
RSA_WITH_RC4_128_SHA
Select the version of SSL or TLS to be used in ClientHello messages sent to
the server:
•
All—The probe is to use all SSL versions.
•
SSLv3—The probe is to use SSL version 3.
•
TLSv1—The probe is to use TLS version 1.
By default, the probe sends ClientHello messages with an SSL version 3
header and a TLS version 1 message.
More Settings
TCP Connection
Termination
Check box that when checked, configures the ACE to terminate TCP
connections gracefully by sending a FIN to the server. Uncheck the check
box to configure the ACE to terminate a TCP connection by sending an RST.
Append Port Host Tag
Check the check box to append port information in the HTTP Host header
when you configure a non-default destination port for an HTTPS probe.
Clear the check box to not append the port information in the HTTP Host
header.
Open Timeout
(Seconds)
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
User Name
Enter the user identifier to be used for authentication on the real server. Valid
entries are unquoted text strings with a maximum of 64 characters.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-53
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-18
HTTPS Probe Attributes (continued)
Field
Action
Password
Enter the password to be used for authentication on the real server. Valid
entries are unquoted text strings with a maximum of 64 characters.
Reenter the password in the Confirm field.
Expect Regular
Expression
Enter the expected response data from the probe destination. Valid entries
are text strings (quotes allowed) with a maximum of 255 characters.
Expect Regex Offset
Enter the number of characters into the received message or buffer where the
ACE is to begin looking for the string specified in the Expect Regular
Expression field. Value entries are integers from 1 to 4000.
Hash
Check the Hash check box to indicate that the ACE is to use an MD5 hash
for an HTTP GET probe. Clear this check box to indicate that the ACE is not
to use an MD5 hash for an HTTP GET probe.
Hash String
This field appears if the Hash check box is selected.
Enter the 32-bit hash value that the ACE is to compare with the hash that is
generated from the HTTP page sent by the server. If you do not provide this
value, the ACE generates a value the first time it queries the server, stores
this value, and matches this value with other responses from the server. A
successful comparison causes the probe to maintain an Alive state.
Enter the MD5 hash value as a quoted or unquoted hexadecimal string with
16 characters.
Ignore Certificate
Expiration
Check the Ignore Certificate Expiration check box to configure the probe to
ignore the certificate expiration date so the probe does not affect ACE
functionality when the certificate has expired. Uncheck the check box to
configure the ACE not to ignore the certificate expiration date.
To configure probe headers and expect statuses for HTTPS probes, see the following topics:
•
Configuring Headers for HTTP and HTTPS Probes, page 6-66
•
Configuring Health Monitoring Expect Status, page 6-67
IMAP Probe Attributes
Note
Click More Settings to access the additional attributes for the IMAP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-54
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-19
IMAP Probe Attributes
Field
Action
User Name
Enter the user identifier to be used for authentication on the real server. Valid
entries are unquoted text strings with a maximum of 64 characters.
Password
Enter the password to be used for authentication on the real server. Valid
entries are unquoted text strings with a maximum of 64 characters.
Reenter the password in the Confirm field.
Mailbox Name
Enter the user mailbox name from which to retrieve e-mail for this IMAP
probe. Valid entries are unquoted text strings with a maximum of
64 characters.
Request Command
Enter the request method command for this probe. Valid entries are text
strings with a maximum of 32 characters and no spaces.
More Settings
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
TCP Connection
Termination
Check box that when checked, configures the ACE to terminate TCP
connections gracefully by sending a FIN to the server. Uncheck the check
box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout
(Seconds)
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
POP Probe Attributes
Note
Click More Settings to access the additional attributes for the POP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-20
POP Probe Attributes
Field
Action
User Name
Enter the user identifier to be used for authentication on the real server. Valid
entries are unquoted text strings with a maximum of 64 characters.
Password
Enter the password to be used for authentication on the real server. Valid
entries are unquoted text strings with a maximum of 64 characters.
Reenter the password in the Confirm field.
Request Command
Enter the request method command for this probe. Valid entries are text
strings with a maximum of 32 characters and no spaces.
More Settings
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-55
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-20
POP Probe Attributes (continued)
Field
Action
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
TCP Connection
Termination
Check box that when checked, configures the ACE to terminate TCP
connections gracefully by sending a FIN to the server. Uncheck the check
box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
RADIUS Probe Attributes
Note
Click More Settings to access the additional attributes for the RADIUS probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-21
RADIUS Probe Attributes
Field
Action
User Secret
Enter the shared secret to be used to allow probe access to the RADIUS
server. Valid entries are case-sensitive strings with no spaces and a
maximum of 64 characters.
User Name
Enter the user identifier to be used for authentication on the real server. Valid
entries are unquoted text strings with a maximum of 64 characters.
Password
Enter the password to be used for authentication on the real server. Valid
entries are unquoted text strings with a maximum of 64 characters.
Reenter the password in the Confirm field.
More Settings
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
NAS IP Address
Enter the IP address of the Network Access Server (NAS) in dotted-decimal
format, such as 192.168.11.1.
RTSP Probe Attributes
Note
Click More Settings to access the additional attributes for the RTSP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-56
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-22
RTSP Probe Attributes
Field
Action
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
RTSP Require Header
Value
Enter the Require header for this probe.
RTSP Proxy Require
Header Value
Enter the Proxy-Require header for this probe.
RTSP Request Method
Type
Select the request method type:
Request HTTP URL
•
N/A—No request method is selected.
•
Describe—This probe is to use the DESCRIBE request method.
This field appears if you select Describe in the RTSP Request Method Type
field.
Enter the URL path for the URL request of the RTSP media stream on the
server. Valid entries are strings with a maximum of 255 characters.
More Settings
TCP Connection
Termination
Check box that when checked, configures the ACE to terminate TCP
connections gracefully by sending a FIN to the server. Uncheck the check
box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout
(Seconds)
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
To configure probe expect statuses for RTSP probes, see Configuring Health Monitoring Expect Status,
page 6-67.
Scripted Probe Attributes
Note
Click More Settings to access the additional attributes for the Scripted probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-57
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-23
Scripted Probe Attributes
Field
Action
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
Script Name
Enter the local name that you want to assign to this file on the ACE. This file
can reside in the disk0: directory or the probe: directory (if the probe:
directory exists).
Note
The script file must first be established on the ACE device and the
name must be entered exactly as is appears on the device. Please
refer to your ACE documentation for more details.
Valid entries are unquoted text strings with no spaces and a maximum of 255
characters.
Script Arguments
Valid arguments are unquoted text strings with no spaces; separate multiple
arguments with a space. The field limit is 255 characters.
More Settings
Script Needs To Be
Copied From Remote
Location?
Check this check box to indicate that the file needs to be copied from a
remote server. Clear this check box to indicate that the script resides locally.
Protocol
This field appears if the script is to be copied from a remote server.
Select the protocol to be used for copying the script:
User Name
•
FTP—The script is to be copied using FTP.
•
TFTP—The script is to be copied using TFTP.
This field appears if FTP is selected in the Protocol field.
Enter the name of the user account on the remote server.
Password
This field appears if FTP is selected in the Protocol field.
Enter the password for the user account on the remote server.
Reenter the password in the Confirm field.
Source File Name
This field appears if the script is to be copied from a remote server.
Enter the host IP address, path, and filename of the file on the remote server
in the format host-ip/path/filename where:
•
host-ip represents the IP address of the remote server.
•
path represents the directory path of the file on the remote server.
•
filename represents the filename of the file on the remote server.
For example, your entry might resemble
192.168.11.2/usr/bin/my-script.ext.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-58
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
SIP-TCP Probe Attributes
Note
Click More Settings to access the additional attributes for the SIP-TCP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-24
SIP-TCP Probe Attributes
Field
Action
More Settings
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the general
attribute Port field description.
TCP Connection
Termination
Check box that when checked, configures the ACE to terminate TCP connections
gracefully by sending a FIN to the server. Uncheck the check box to configure
the ACE to terminate a TCP connection by sending an RST.
Open Timeout
(Seconds)
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
Expect Regular
Expression
Enter the expected response data from the probe destination. Valid entries are text
strings with a maximum of 255 characters. This field accepts both single and
double quotes. Double quotes are considered delimiters so they don't appear on
the device. Single quotes will appear on the device.
Expect Regex
Offset
Enter the number of characters into the received message or buffer where the
ACE is to begin looking for the string specified in the Expect Regular Expression
field. Value entries are integers from 1 to 4000.
To configure probe expect statuses for SIP-TCP probes, see Configuring Health Monitoring Expect
Status, page 6-67.
SIP-UDP Probe Attributes
Note
Click More Settings to access the additional attributes for the SIP-UDP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-25
Field
SIP-UDP Probe Attributes
Action
More Settings
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-59
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-25
SIP-UDP Probe Attributes (continued)
Field
Action
Enable Rport
Check the check box to indicate that the server will be forced to send a reply
from the same port on which the request was received. Clear the check box
to indicate that the server can send the reply from a different port than the
port from which the request was received.
Expect Regular
Expression
Enter the expected response data from the probe destination. Valid entries
are text strings with a maximum of 255 characters. This field accepts both
single and double quotes. Double quotes are considered delimiters so they
don't appear on the device. Single quotes will appear on the device.
Expect Regex Offset
Enter the number of characters into the received message or buffer where the
ACE is to begin looking for the string specified in the Expect Regular
Expression field. Value entries are integers from 1 to 4000.
To configure probe expect statuses for SIP-UDP probes, see Configuring Health Monitoring Expect
Status, page 6-67.
SMTP Probe Attributes
Note
Click More Settings to access the additional attributes for the SMTP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-26
SMTP Probe Attributes
Field
Action
More Settings
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
TCP Connection
Termination
Check box that when checked, configures the ACE to terminate TCP
connections gracefully by sending a FIN to the server. Uncheck the check
box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout
(Seconds)
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
To configure probe expect statuses for SMTP probes, see Configuring Health Monitoring Expect Status,
page 6-67.
SNMP Probe Attributes
Note
Click More Settings to access the additional attributes for the SNMP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-60
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-27
SNMP Probe Attributes
Field
Action
SNMP Community
Enter the SNMP community string. Valid entries are unquoted text strings
with no spaces and a maximum of 255 characters.
More Settings
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
SNMP Version
Select the SNMP version for this probe:
•
N/A—No version is selected.
•
SNMPv1—This probe is to use SNMP version 1.
•
SNMPv2c—This probe is to use SNMP version 2c.
To configure the SNMP OID for SNMP probes, see Configuring an OID for SNMP Probes, page 6-68.
TCP Probe Attributes
Note
Click More Settings to access the additional attributes for the TCP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-28
TCP Probe Attributes
Field
Action
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
Send Data
Enter the ASCII data that the probe is to send to the server. Valid entries are
unquoted text strings with no spaces and a maximum of 255 characters.
Send Hex Data
Enter the data in hex format to be sent as part of probe request. The Hex data
entered must be of even numbers and must be a single string consisting of
alphanumeric within the range of 0-9,a-f or A-F, and a maximum of 254
characters. The conversion from Hex ASCII to Binary will happen when the
probe data is sent out.
Data Format
Users can enter only one data format either in “send-hex-data” or
in“send-data” format. Click the radio button “send-hex-data” or “send-data”
to choose the format. Expect Regex / Expect Hex Regex and Expect Regex
Offset / Expect Hex Regex Offset shall be displayed based on the radio
button selection.
More Settings
TCP Connection
Termination
Check box that when checked, configures the ACE to terminate TCP
connections gracefully by sending a FIN to the server. Uncheck the check
box to configure the ACE to terminate a TCP connection by sending an RST.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-61
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-28
TCP Probe Attributes (continued)
Field
Action
Open Timeout
(Seconds)
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
Expect Regular
Expression
Enter the expected response data from the probe destination. Valid entries
are text strings (quotes allowed) with a maximum of 255 characters.
Expect Regex Offset
Enter the number of characters into the received message or buffer where the
ACE is to begin looking for the string specified in the Expect Regular
Expression field. Value entries are integers from 1 to 4000.
Expect Hex Regex
Enter the expected response data from the probe destination. The Hex data
entered must be of even numbers and must be a single string consisting of
alphanumeric within the range of 0-9,a-f or A-F, and a maximum of 255
characters.
Expect Hex Regex
Offset
Enter the expected response data in Hex format. The Hex data entered must
be of even numbered size and of maximum size of 254.
CLI "expect ?" will show both hex-regex and regex for user to configure, irrespective of type(ASCII
or HEX) of send-data configured. TCP probe is created using CLI with Send-data and Expect hex-regex
data with offset as given below:
switch/Admin(config)# probe tcp test1
switch/Admin(config-probe-tcp)# send-data "abcde"
switch/Admin(config-probe-tcp)# expect ?
hex-regex Configure Hex data expected as response
regex
Configure probe expected response
switch/Admin(config-probe-tcp)# send-hex-data "abcd"
switch/Admin(config-probe-tcp)# expect ?
hex-regex Configure Hex data expected as response
regex
Configure probe expected response
switch/Admin(config-probe-tcp)# expect
Note
If send-hex-data is configured then expect hex-regex should be configured. Similarly, if send-data is
configured, expect regex should be configured.
Telnet Probe Attributes
Note
Click More Settings to access the additional attributes for the Telnet probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-62
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-29
Telnet Probe Attributes
Field
Action
More Settings
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
TCP Connection
Termination
Check box that when checked, configures the ACE to terminate TCP
connections gracefully by sending a FIN to the server. Uncheck the check
box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout
(Seconds)
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
UDP Probe Attributes
Note
Click More Settings to access the additional attributes for the UDP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 6-30
UDP Probe Attributes
Field
Action
Port
Enter the port number that the probe is to use. By default, the probe uses port
inheritance to determine the port number. For more information, see the
general attribute Port field description.
Send Data
Enter the ASCII data that the probe is to send to the server. Valid entries are
unquoted text strings with no spaces and a maximum of 255 characters.
Send Hex Data
Enter the data in hex format to be sent as part of probe request. The Hex data
entered must be of even numbers and must be a single string consisting of
alphanumeric within the range of 0-9,a-f or A-F, and a maximum of 254
characters. The conversion from Hex ASCII to Binary will happen when the
probe data is sent out.
Data Format
Users can enter only one data format either in “send-hex-data” or
in“send-data” format. Click the radio button “send-hex-data” or “send-data”
to choose the format. Expect Regex / Expect Hex Regex and Expect Regex
Offset / Expect Hex Regex Offset shall be displayed based on the radio
button selection.
More Settings
Expect Regular
Expression
Enter the expected response data from the probe destination. Valid entries
are text strings (quotes allowed) with a maximum of 255 characters.
Expect Regex Offset
Enter the number of characters into the received message or buffer where the
ACE is to begin looking for the string specified in the Expect Regular
Expression field. Value entries are integers from 1 to 4000.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-63
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Table 6-30
UDP Probe Attributes (continued)
Field
Action
Expect Hex Regex
Enter the expected response data from the probe destination. The Hex data
entered must be of even numbers and must be a single string consisting of
alphanumeric within the range of 0-9,a-f or A-F, and a maximum of 255
characters.
Expect Hex Regex
Offset
Enter the expected response data in Hex format. The Hex data entered must
be of even numbered size and of maximum size of 254.
CLI "expect ?" will show both hex-regex and regex for user to configure, irrespective of type(ASCII
or HEX) of send-data configured. UDP probe is created using CLI with Send-data and Expect hex-regex
data with offset as given below:
switch/Admin(config)# probe udp test1
switch/Admin(config-probe-udp)# send-data "abcde"
switch/Admin(config-probe-udp)# expect ?
hex-regex Configure Hex data expected as response
regex
Configure probe expected response
switch/Admin(config-probe-udp)# send-hex-data "abcd"
switch/Admin(config-probe-udp)# expect ?
hex-regex Configure Hex data expected as response
regex
Configure probe expected response
switch/Admin(config-probe-udp)# expect
Note
If send-hex-data is configured then expect hex-regex should be configured. Similarly, if send-data is
configured, expect regex should be configured.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-64
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
VM Probe Attributes
Note
Use a VM probe when you configure the ACE for Dynamic Workload Scaling (see the “Configuring
Dynamic Workload Scaling” section on page 6-14).
Configure the VM probe attributes to control when the ACE bursts traffic to remote VMs based on an
average of local VM CPU usage, memory usage, or both. The ACE obtains the usage information by
sending the VM probe to the specified VM Controller associated with the local VMs It calculates the
average aggregate load information for all local VMs as a percentage of CPU usage or memory usage
and uses either or both percentages to determine when to burst traffic to the remote data center. If the
server farm consists of both physical servers and VMs, the ACE considers load information only from
the VMs.
By default, the VM probe checks the percentage of usage for either the CPU or memory against the
maximum threshold value. Whichever percentage reaches its maximum threshold value first causes the
ACE to burst traffic to the remote data center. The default maximum burst threshold value of 99 percent
instructs the ACE to always load balance traffic to the local VMs unless the load value is equal to
100 percent or the VMs are not in the OPERATIONAL state. If you configure the maximum burst
threshold value to1 percent, the ACE always bursts traffic to the remote data center.
When the usage percentage is less than the minimum threshold value, the ACE stops bursting traffic to
the remote data center and continues to load balance traffic to the local VMs. Any active connections to
the remote data center are allowed to complete.
Table 6-31 lists the VM probe attributes, which allow you to control when the ACE bursts traffic to
remote VMs.
Table 6-31
VM Probe Attributes
Field
Action
Probe Interval (seconds) Frequency in seconds with which the ACE sends probes to the VM controller. Enter an integer
from 300 to 65535. The default is 300 (5 minutes).
Max CPU Burst
Threshold
Threshold for the maximum percentage of the CPU usage based on the average load information
for all local VMs. When the CPU usage percentage reaches or exceeds this threshold, the ACE
starts bursting traffic to the remote VMs. Enter a value from 1 to 99. The default is 99.
Min CPU Burst
Threshold
Threshold for the minimum percentage of the CPU usage based on the average load information
for all local VMs. When the CPU usage percentage drops below this threshold, the ACE stops
bursting traffic to the remote VMs. Enter a value from 1 to 99 percent. The default is 99.
Max Memory Burst
Threshold
Threshold for the maximum percentage of the memory usage based on the average load
information for all local VMs. When the memory usage percentage reaches or exceeds this
threshold, the ACE starts bursting traffic to the remote VMs. Enter a value from 1 to 99 percent.
The default is 99
Min Memory Burst
Threshold
Threshold for the minimum percentage of the memory usage based on the average load
information for all local VMs. When the memory usage percentage drops below this threshold, the
ACE stops bursting traffic to the remote VMs. Enter a value from 1 to 99 percent. The default is 99.
VM Controller Name
Identifier of the VM controller that you configured in the “Configuring and Verifying a VM
Controller Connection” section on page 6-16. Click the radio button for the VM controller.
Related Topics
•
Configuring Dynamic Workload Scaling, page 6-14
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-65
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Configuring DNS Probe Expect Addresses
When a DNS probe sends a domain name resolve request to the server, it verifies the returned IP address
by matching the received IP address with the configured addresses.
Use this procedure to specify the IP address that the ACE appliance expects to receive in response to a
DNS request.
Assumption
A DNS probe has been configured. See Configuring Health Monitoring for Real Servers, page 6-41 for
more information.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health
Monitoring table appears.
Step 2
Select the DNS probe that you want to configure with an expected IP address. The Expect Addresses
subtable appears.
Step 3
Click Add to add an entry to the Expect Addresses table. The Expect Address configuration screen
appears.
Note
You cannot modify an entry in the Expect Addresses table. Instead, delete the existing entry, and
then add a new one.
Step 4
In the IPv4/IPv6 Address field, enter the IP address that the ACE appliance is to expect as a server
response to a DNS request. You can enter multiple addresses in this field. However, you cannot mix IPv4
and IPv6 addresses.
Step 5
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entry and to return to the Expect Addresses
table.
•
Click Next to save your entry and to add another IP Address to the Expect Addresses table.
Related Topics
•
Configuring Health Monitoring for Real Servers, page 6-41
•
DNS Probe Attributes, page 6-48
Configuring Headers for HTTP and HTTPS Probes
Use this procedure to specify header fields for HTTP and HTTPS probes.
Assumption
An HTTP or HTTPS probe has been configured. See Configuring Health Monitoring for Real Servers,
page 6-41 for more information.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-66
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health
Monitoring table appears.
Step 2
Select the HTTP or HTTPS probe that you want to configure with header. The Probe Headers subtable
appears.
Step 3
Click Add to add an entry, or select an existing entry, and then click Edit to modify it. The Probe
Headers configuration screen appears.
Step 4
In the Header Name field, select the HTTP header the probe is to use.
Step 5
In the Header Value field, enter the string to assign to the header field. Valid entries are text strings with
a maximum of 255 characters. If the string includes spaces, enclose the string with quotes.
Step 6
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entry and to return to the Probe Headers
table.
•
Click Next to save your entry and to add another header entry to the Probe Headers table.
Related Topics
•
Configuring Health Monitoring for Real Servers, page 6-41
•
HTTP Probe Attributes, page 6-50
•
HTTPS Probe Attributes, page 6-52
Configuring Health Monitoring Expect Status
When the ACE appliance receives a response from the server, it expects a status code to mark a server
as passed. By default, there are no status codes configured on the ACE appliance. If you do not configure
a status code, any response code from the server is marked as failed.
Expect status codes can be configured for FTP, HTTP, HTTPS, RTSP, SIP-TCP, SIP-UDP, and SMTP
probes.
Use this procedure to configure a single or range of code responses that the ACE appliance expects from
the probe destination.
Assumption
An FTP, HTTP, HTTPS, RTSP, SIP-TCP, SIP-UDP, or SNMP probe has been configured. See
Configuring Health Monitoring for Real Servers, page 6-41 for more information.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health
Monitoring table appears.
Step 2
Select the FTP, HTTP, HTTPS, or SMTP probe that you want to configure for expect status codes. The
Expect Status subtable appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-67
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Step 3
Click Add to add an entry, or select an existing entry, and then click Edit to modify it. The Expect Status
configuration screen appears.
Step 4
To configure a single expect status code:
Step 5
Step 6
a.
In the Min. Expect Status Code field, enter the expect status code for this probe. Valid entries are
integers from 0 to 999.
b.
In the Max. Expect Status code, enter the same expect status code that you entered in the Min.
Expect Status Code field.
To configure a range of expect status codes:
a.
In the Min. Expect Status Code, enter the lower limit of the range of status codes. Valid entries are
integers from 0 to 999.
b.
In the Max. Expect Status Code, enter the upper limit of a range of status codes. Valid entries are
integers from 0 to 999. The value in this field must be greater than or equal to the value in the Min.
Expect Status Code field.
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries and to return to the Expect Status
table.
•
Click Next to save your entries and to add another expect status code to the Expect Status table.
Related Topics
•
Configuring Health Monitoring for Real Servers, page 6-41
•
FTP Probe Attributes, page 6-50
•
HTTP Probe Attributes, page 6-50
•
SNMP Probe Attributes, page 6-60
Configuring an OID for SNMP Probes
When the ACE sends a probe with an SNMP OID query, the ACE uses the retrieved value as input to the
least-loaded algorithm for load-balancing decisions. Least-loaded load balancing bases the server
selection on the server with the lowest load value. If the retrieved value is within the configured
threshold, the server is marked as passed. If the threshold is exceeded, the server is marked as failed.
The ACE allows a maximum of eight OID queries to probe the server.
Assumption
An SNMP probe has been configured. See Configuring Health Monitoring for Real Servers, page 6-41
for more information.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health
Monitoring table appears.
Step 2
Select the SNMP probe that you want to specify an OID for. The SNMP OID for Server Load Query
table appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-68
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Health Monitoring
Step 3
Click Add to add an entry, or select an existing entry, and then click Edit to modify it. The SNMP OID
configuration pane appears.
Step 4
In the SNMP OID field, enter the OID that the probe is to use to query the server for a value. Valid entries
are unquoted strings with a maximum of 255 alphanumeric characters in dotted-decimal notation, such
as .1.3.6.1.4.2021.10.1.3.1. The OID string is based on the server type.
Step 5
In the Maximum Absolute Server Load Value field, enter the OID value in the form of an integer and to
indicate that the retrieved OID value is an absolute value instead of a percent. Valid entries are integers
from 1 to 4294967295.
When the ACE sends a probe with an SNMP OID query, the ACE uses the retrieved value as input to the
least-loaded algorithm for load-balancing decisions. By default, the ACE assumes that the retrieved OID
value is a percentile value. Use this option to specify that the retrieved OID value is an absolute value.
Step 6
In the Server Load Threshold Value field, specify the threshold at which the server is to be taken out of
service:
•
When the OID value is based on a percent, valid entries are integers from 1 to 100.
•
When the OID is based on an absolute value, valid entries are from 1 to the value specified in the
Maximum Absolute Server Load Value field.
Step 7
In the Server Load Weighting field, enter the weight to assign to this OID for the SNMP probe. Valid
entries are integers from 0 to 16000.
Step 8
Do the following:
•
Click Deploy Now to deploy this configuration.
•
Click Cancel to exit this procedure without saving your entries and to return to the SNMP OID table.
•
Click Next to deploy your entries and to add another item to the SNMP OID table.
Related Topics
•
Configuring Health Monitoring for Real Servers, page 6-41
•
SNMP Probe Attributes, page 6-60
Displaying Health Monitoring Statistics and Status Information
You can display statistics and status information for a particular probe.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Health Monitoring.
The Health Monitoring table appears.
Step 2
In the Health Monitoring table, choose a probe from the Health Monitoring table, and click Details.
The show probe name detail CLI command output appears. For details on the displayed output fields,
see the Server Load-Balancing Guide, Cisco ACE Application Control Engine, Chapter 4, Configuring
Health Monitoring.
Note
For a DNS probe, the detailed probe results always identify a default DNS domain of
www.Cisco.com.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-69
Chapter 6
Configuring Real Servers and Server Farms
Configuring Secure KAL-AP
Step 3
Click Update Details to refresh the output for the show probe name detail CLI command.
Step 4
Click Close to return to the Health Monitoring table.
Related Topic
•
Configuring Health Monitoring for Real Servers, page 6-41
Configuring Secure KAL-AP
A keepalive-appliance protocol (KAL-AP) on the ACE allows communication between the ACE and the
Global Site Selector (GSS), which send KAL-AP requests, to report the server states and loads for
global-server load-balancing (GSLB) decisions. The ACE uses KAL-AP through a UDP connection to
calculate weights and provide information for server availability to the KAL-AP device. The ACE acts
as a server and listens for KAL-AP requests. When KAL-AP is initialized on the ACE, the ACE listens
on the standard 5002 port for any KAL-AP requests. You cannot configure any other port.
The ACE supports secure KAL-AP for MD5 encryption of data between it and the GSS. For encryption,
you must configure a shared secret as a key for authentication between the GSS and the ACE context.
When configuring a KAL-AP, you can use the wildcard KAL-AP GSS IP address (0.0.0.0) to establish
a secure communications channel between the ACE and multiple GSS devices that use the same MD5
encryption secret.
Use this procedure to configure secure KAL-AP associated with a virtual context.
Assumptions
•
You have created a virtual context that specifies the Keepalive Appliance Protocol over UDP.
•
You have enabled KAL-AP on the ACE by configuring a management class map and policy map,
and apply it to the appropriate interface.
Guidelines and Restrictions
Use the following guidelines and restrictions when using the 0.0.0.0 wildcard KAL-AP GSS IP address:
•
Use the wildcard IP address when both the following conditions exist:
– All GSS devices in the cluster use a secure channel for KAL-AP message exchange with ACE.
Do not use the wildcard IP address if any GSS in the cluster uses an unsecure channel.
– All or a set of GSS devices in the cluster use the same MD5 secret.
Note
•
You can only use the wildcard VIP address for one set of GSS devices that use the same
MD5 secret. You must configure all other GSS devices individually for KAL-AP.
When removing a KAL-AP IP address, using the wildcard IP address removes only those GSS IP
addresses that use the secret associated with the wildcard value. KAL-AP IP addresses that were
defined using a specific GSS IP addresses remain and must be removed individually.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Secure KAL-AP.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-70
OL-26645-02
Chapter 6
Configuring Real Servers and Server Farms
Configuring Secure KAL-AP
The Secure KAL-AP table appears.
Step 2
Click Add to configure secure KAL-AP for MD5 encryption of data.
The Secure KAL-AP configuration screen appears.
Step 3
In the IP Address field, enable secure KAL-AP by configuring the IP address for the GSS.
Using dotted-decimal notation (for example, 192.168.11.1), enter the IP address of a specific GSS device
or enter the wildcard value (0.0.0.0) if all GSS devices in the cluster use the same MD5 encryption secret
(see the “Guidelines and Restrictions” section on page 6-70).
In the Hash Key field, enter the MD5 encryption method shared secret between the KAL-AP device and
the ACE. Enter the shared secret as a case-sensitive string with no spaces and a maximum of
31 alphanumeric characters. The ACE supports the following special characters in a shared secret:
,./=+-^@!%~#$*()
Step 4
Do one of the following:
•
Click Deploy Now to save your entries. The ACE appliance validates the secure KAL-AP
configuration and deploys it.
•
Click Cancel to exit this procedure without accepting your entries and to return to the Secure
KAL-AP table.
•
Click Next to accept your entries.
Related Topics
•
Creating Virtual Contexts, page 4-2
•
Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 12-14
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
6-71
Chapter 6
Configuring Real Servers and Server Farms
Configuring Secure KAL-AP
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
6-72
OL-26645-02
C H A P T E R
7
Configuring Stickiness
This chapter provides an information about sticky behavior and procedures for configuring stickiness
with an ACE appliance.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
This chapter contains the following sections:
•
Stickiness Overview, page 7-1
•
Configuring Sticky Groups, page 7-11
•
Configuring Sticky Statics, page 7-21
Stickiness Overview
When customers visit an e-commerce site, they usually start out by browsing the site, the Internet
equivalent of window shopping. Depending on the application, the site may require that the client
become “stuck” to one server once the connection is established, or the application may not require this
until the client starts to build a shopping cart.
In either case, once the client adds items to the shopping cart, it is important that all of the client requests
get directed to the same server so that all the items are contained in one shopping cart on one server. An
instance of a customer's shopping cart is typically local to a particular Web server and is not duplicated
across multiple servers.
E-commerce applications are not the only types of applications that require stickiness. Any Web
application that maintains client information may require stickiness, such as banking applications or
online trading. Other uses include FTP and HTTP file transfers.
Stickiness allows the same client to maintain multiple simultaneous or subsequent TCP or IP
connections with the same real server for the duration of a session. A session, as used here, is defined
as a series of transactions between a client and a server over some finite period of time (from several
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
7-1
Chapter 7
Configuring Stickiness
Stickiness Overview
minutes to several hours). This feature is particularly useful for e-commerce applications where a client
needs to maintain multiple connections with the same server while shopping online, especially while
building a shopping cart using HTTP requests and during the checkout process using HTTPS.
Depending on the configured SLB policy, the ACE appliance “sticks” a client to an appropriate server
after the ACE appliance has determined which load-balancing method to use. If the ACE appliance
determines that a client is already stuck to a particular server, then the ACE appliance sends that client
request to that server, regardless of the load-balancing criteria specified by the matched policy. If the
ACE appliance determines that the client is not stuck to a particular server, it applies the normal
load-balancing rules to the content request.
You can configure stickiness to stick a client to a real server that is associated with a server farm or you
can use the buddy sticky group feature to enable persistence to a real server or real server group across
multiple server farms (see the “Buddy Sticky Groups” section on page 7-6).
For overview information on stickiness, see the following topics:
•
Sticky Types
•
Sticky Groups
•
Sticky Table
•
Buddy Sticky Groups
Related Topics
•
Configuring Virtual Server Layer 7 Load Balancing, page 5-30
•
Configuring Sticky Groups, page 7-11
Sticky Types
The ACE appliance supports stickiness based on:
•
HTTP cookies
•
HTTP headers
•
IP addresses
•
HTTP content
•
IP Netmask
•
IPv6 Prefix
•
Layer 4 payloads
•
RADIUS attributes
•
RTSP headers
•
SIP headers
•
SSL session ID
Related Topics
•
HTTP Content Stickiness, page 7-3
•
HTTP Cookie Stickiness, page 7-3
•
HTTP Header Stickiness, page 7-4
•
IP Netmask and IPv6 Prefix Stickiness, page 7-4
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
7-2
OL-26645-02
Chapter 7
Configuring Stickiness
Stickiness Overview
•
Layer 4 Payload Stickiness, page 7-4
•
RADIUS Stickiness, page 7-5
•
RTSP Header Stickiness, page 7-5
•
SIP Header Stickiness, page 7-5
•
SSL Stickiness, page 7-5
HTTP Content Stickiness
HTTP content stickiness allows you to stick a client to a server based on the content of an HTTP packet.
You can specify a beginning pattern and ending pattern, the number of bytes to parse, and an offset that
specifies how many bytes to ignore from the beginning of the data.
Related Topics
•
Configuring Sticky Groups, page 7-11
•
Sticky Types, page 7-2
•
Sticky Groups, page 7-6
•
Sticky Table, page 7-11
HTTP Cookie Stickiness
Client cookies uniquely identify clients to the ACE and the servers providing content. A cookie is a small
data structure within the HTTP header that is used by a server to deliver data to a Web client and request
that the client store the information. In certain applications, the client returns the information to the
server to maintain the connection state or persistence between the client and the server.
When the ACE examines a request for content and determines through policy matching that the content
is sticky, it examines any cookie or URL present in the content request. The ACE uses the information
in the cookie or URL to direct the content request to the appropriate server.
The ACE supports the following types of cookie stickiness:
•
Dynamic cookie learning
You can configure the ACE to look for a specific cookie name and automatically learn its value
either from the client request HTTP header or from the server Set-Cookie message in the server
response. Dynamic cookie learning is useful when dealing with applications that store more than
just the session ID or user ID within the same cookie. Only very specific bytes of the cookie value
are relevant to stickiness.
By default, the ACE learns the entire cookie value. You can optionally specify an offset and length
to instruct the ACE to learn only a portion of the cookie value.
Alternatively, you can specify a secondary cookie value that appears in the URL string in the HTTP
request. This option instructs the ACE to search for (and eventually learn or stick to) the cookie
information as part of the URL. URL learning is useful with applications that insert cookie
information as part of the HTTP URL. In some cases, you can use this feature to work around clients
that reject cookies.
•
Cookie insert
The ACE inserts the cookie on behalf of the server upon the return request, so that the ACE can
perform cookie stickiness even when the servers are not configured to set cookies. The cookie
contains information that the ACE uses to ensure persistence to a specific real server.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
7-3
Chapter 7
Configuring Stickiness
Stickiness Overview
Related Topics
•
Configuring Sticky Groups, page 7-11
•
Sticky Types, page 7-2
•
Sticky Groups, page 7-6
•
Sticky Table, page 7-11
HTTP Header Stickiness
You can use HTTP-header information to provide stickiness. With HTTP header stickiness, you can
specify a header offset to provide stickiness based on a unique portion of the HTTP header.
Related Topics
•
Configuring Sticky Groups, page 7-11
•
Sticky Types, page 7-2
•
Sticky Groups, page 7-6
•
Sticky Table, page 7-11
IP Netmask and IPv6 Prefix Stickiness
You can use the source IP address, the destination IP address, or both to uniquely identify individual
clients and their requests for stickiness purposes based on their IP netmask or IPv6 prefix. However, if
an enterprise or a service provider uses a megaproxy to establish client connections to the Internet, the
source IP address no longer is a reliable indicator of the true source of the request. In this case, you can
use cookies or one of the other sticky methods to ensure session persistence.
Related Topics
•
Configuring Sticky Groups, page 7-11
•
Sticky Types, page 7-2
•
Sticky Groups, page 7-6
•
Sticky Table, page 7-11
Layer 4 Payload Stickiness
Layer 4 payload stickiness allows you to stick a client to a server based on the data in Layer 4 frames.
You can specify a beginning pattern and ending pattern, the number of bytes to parse, and an offset that
specifies how many bytes to ignore from the beginning of the data.
Related Topics
•
Configuring Sticky Groups, page 7-11
•
Sticky Types, page 7-2
•
Sticky Groups, page 7-6
•
Sticky Table, page 7-11
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
7-4
OL-26645-02
Chapter 7
Configuring Stickiness
Stickiness Overview
RADIUS Stickiness
RADIUS stickiness can be based on the following RADIUS attributes:
•
Calling station ID
•
Username
Related Topics
•
Configuring Sticky Groups, page 7-11
•
Sticky Types, page 7-2
•
Sticky Groups, page 7-6
•
Sticky Table, page 7-11
RTSP Header Stickiness
RTSP stickiness is based on information in the RTSP session header. With RTSP header stickiness, you
can specify a header offset to provide stickiness based on a unique portion of the RTSP header.
Related Topics
•
Configuring Sticky Groups, page 7-11
•
Sticky Types, page 7-2
•
Sticky Groups, page 7-6
•
Sticky Table, page 7-11
SIP Header Stickiness
SIP header stickiness is based on the SIP Call-ID header field. SIP header stickiness requires the entire
SIP header, so you cannot specify an offset.
Related Topics
•
Configuring Sticky Groups, page 7-11
•
Sticky Types, page 7-2
•
Sticky Groups, page 7-6
•
Sticky Table, page 7-11
SSL Stickiness
SSL stickiness allows you to stick a client to a server based on the SSL session ID. You can associate an
SSL sticky group with an HTTPS server load balancing policy map.
Related Topics
•
Configuring Sticky Groups, page 7-11
•
Sticky Types, page 7-2
•
Sticky Groups, page 7-6
•
Sticky Table, page 7-11
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
7-5
Chapter 7
Configuring Stickiness
Stickiness Overview
Sticky Groups
Sticky groups allow the ACE to keep a client stuck to a real server or group of real servers within a server
farm. The ACE uses the concept of sticky groups to configure stickiness. A sticky group allows you to
specify the sticky attributes. After you configure a sticky group and its attributes, you associate the
sticky group with a Layer 7 policy-map action in a Layer 7 SLB policy map.You can create a maximum
of 4096 sticky groups in each context. Each sticky group that you configure on the ACE appliance
contains a series of parameters that determine the following:
•
Sticky method
•
Timeout
•
Replication
•
Cookie offset and other cookie-related attributes
•
HTTP header offset and other header-related attributes
•
Buddy group name
Related Topics
•
Stickiness Overview, page 7-1
•
Sticky Types, page 7-2
•
Sticky Table, page 7-11
•
Configuring Sticky Groups, page 7-11
Buddy Sticky Groups
Buddy sticky groups allow the ACE to keep a client stuck to a real server or group of real servers even
when the client requests are processed by different server farms.
To use the buddy sticky group feature, you perform the following steps:
1.
Create real server buddy groups when specifying the real servers in a server farm (see the
“Configuring Server Farms” section on page 6-18).
2.
Create sticky server farm buddy groups when specifying the server farms in a sticky group (see the
“Configuring Sticky Groups” section on page 7-11). You make each sticky server farm to be buddied
together a group member.
This section describes the following buddy sticky group applications:
•
One-to-one association—Sticks the client to the same physical server instances in two different
server farms.
•
Asymmetric association—Sticks a client to a real server that is configured across different
serverfarms even when the client comes back with a non-HTTP request or different HTTP header.
•
Many-to-one association—Sticks multiple, first-tier real servers to one real server in a second tier
that contains fewer servers.
This section includes the following topics:
•
Guidelines and Restrictions, page 7-7
•
One-to-One Association Example, page 7-7
•
Asymmetric Association Example, page 7-8
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
7-6
OL-26645-02
Chapter 7
Configuring Stickiness
Stickiness Overview
•
Many-to-One Association Example, page 7-9
Guidelines and Restrictions
Observe the following guidelines and restrictions when using the buddy sticky group feature:
•
When two sticky groups with different timeout values are buddied together, the ACE uses the
shortest timeout value for the buddy group.
•
Sticky groups that are buddied together must of the same type, such as all IP-sticky, all http-cookie,
and so forth. The ACE does not support different types of sticky groups buddied together.
•
When two sticky groups are buddied together and one of them is configured for timeout active
connections, the member group is also configured for timeout active connections.
•
When two sticky groups are configured with different IP netmask (IPv4) or prefix-length (IPv6), the
ACE uses the one with the most granular netmask or prefix-length.
•
When a static entry is created under a buddy sticky group, its behavior is unchanged and it sticks to
the same real server configured regardless of the buddy group that real server is associated with.
•
Before you can configure a sticky group as a member, you must have a server farm configured under
that sticky group and all the real servers that belong to that server farm have buddy group configured
under them. This requirement prevents invalid configurations.
•
The ACE does not support configuring the following types of sticky groups as buddy sticky group
members:
– SSL
– RTSP Header
•
The ACE supports PTMP sticky group such as SIP sticky; however, you must make sure that the
configuration is the same across both sticky groups for the buddy sticky group feature to work.
•
For real server backup applications:
– We recommend only one level of backup-rserver with buddy sticky.
– If you add a buddy group to the primary real server, the backup server inherits this buddy group.
However, if you remove the buddy group from the primary real server, the buddy group is not
removed from the backup real server and vice versa.
One-to-One Association Example
In a one-to-one buddy sticky group association, you create a buddy sticky group that sticks a client to
the same physical server instances in two different server farms. In the network example shown in
Figure 7-1, the ACE is configured with the following server farms, their associated real servers, and the
buddy sticky groups that group both items:
Server Farm
Buddy Member Group Real Server
Real Server
Buddy Group
http
(for HTTP requests)
alpha
1nx1:192.168.1.11:80
blue
1nx2:192.168.1.12:80
red
https
(for HTTPS requests)
alpha
1nx1:192.168.1.11:443
blue
1nx2:192.168.1.12:443
red
Server Farm
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
7-7
Chapter 7
Configuring Stickiness
Stickiness Overview
Buddy Sticky Groups: One-to-One Association
Int: 172.16.1.5
VIP 172.16.1.100
Internet
Client
VLAN 20
172.16.1.1
Multilayer
Switch
Feature Card
1nx1
192.168.1.11:80
192.168.1.11:443
Server Farm
http
(alpha)
blue
VLAN 40
192.168.1.1
ACE
1nx2
192.168.1.12:80
192.168.1.12:443
red
Server Farm
https
(alpha)
332431
Figure 7-1
The ACE is configured to load balance HTTP requests to server farm http using either real server
1nx1:192.168.1.11:80 or 1nx2:192.168.1.12:80. The ACE is also configured to load balance HTTPS
requests using server farm https and either real server 1nx1:192.168.1.11:443 or 1nx2:192.168.1.12:443.
The buddy groups allow the ACE to stick a client to the same real server (for example, 1nx1) while
building a shopping cart using HTTP requests and then checking out using HTTPS.
In this example, the client hits VIP 172.16.1.100, destination port 80 with an HTTP request to begin to
build a shopping cart. The ACE load balances the request to server farm http, real server
1nx1:192.168.1.11:80 and creates a sticky entry based on the corresponding sticky group (for example,
source IP address) that sticks the client to the real server while the client builds their shopping cart.
When the client moves to the secured connection (port 443) for checkout, it hits the VIP with destination
port 443 and the ACE sends the client to server farm https. The ACE finds an existing sticky entry with
real server Inx1:192.168.1.11:80 and directs the client to 1nx1:192.168.1.11:443 because the two real
servers are buddied together under the blue buddy group.
Asymmetric Association Example
In an asymmetric buddy sticky group association, you create a buddy sticky group that sticks all Layer 7
traffic from a client to a specific real server even when some of the traffic does not match the Layer 7
class map. In the network example shown in Figure 7-2, the ACE is configured to include the following
server farms, their associated real servers, and real server buddy sticky groups.
Server Farm
Server Farm
Buddy Member Group Real Server
Real Server
Buddy Group
foo bar
alpha
1nx1
blue
1nx2
red
foo
alpha
1nx1
blue
bar
alpha
1nx2
red
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
7-8
OL-26645-02
Chapter 7
Configuring Stickiness
Stickiness Overview
Figure 7-2
Buddy Sticky Groups: Asymmetric Association
Server Farm
foo
(alpha)
Int: 172.16.1.5
VIP 172.16.1.100
Internet
Client
VLAN 20
172.16.1.1
Multilayer
Switch
Feature Card
VLAN 40
192.168.1.1
ACE
1nx1
192.168.1.11
blue
Server Farm
bar
(alpha)
Server Farm
foobar
(alpha)
332433
1nx2
192.168.1.12
red
The ACE is configured to send client traffic with Layer 3 matches to server farm foobar, which contains
the nested server farms foo and bar. The ACE load balances the client traffic to one of the nested server
farms based on Layer 7 class map matches. By defining buddy sticky groups, the ACE is also able to
stick non-matching client traffic to the same real server.
In this example, the client sends traffic with Layer 3 matches that the ACE directs and sticks (using ip
sticky) to server farm foobar. The ACE uses a Layer 7 class map to check for HTTP URL and if present,
sends the traffic to server farm foo and sticks the client traffic to that server using sticky that is based on
the source IP address. Using a buddy stick group, the ACE uses the sticky entry to send any other traffic
type from the client to the same real server. For example, if the ACE sticks the client HTTP traffic to
server farm foo:real server lnx1 based on a Layer 7 class map match, the buddy stick group allows the
ACE to send non-HTTP traffic from the client to the same real server.
Many-to-One Association Example
In a many-to-one buddy sticky group association, you create a buddy sticky group that sticks a group of
real servers to a specific real server, which is useful when clients are load balanced to a first-tier server
farm containing many real servers and are then directed to a second tier server farm that contains fewer
real servers. In this type of application, you create buddy sticky groups that stick each first-tier real
server group to a specific second-tier real server.
In the network example shown in Figure 7-3, the ACE is configured with the following server farms,
their associated real servers, and assigned real server buddy groups:
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
7-9
Chapter 7
Configuring Stickiness
Stickiness Overview
Server Farm
Server Farm
Buddy Member Group
Real Server
Real Server
Buddy Group
web (first tier)
alpha
1nx1:192.168.1.11:80
blue
1nx2:192.168.1.12:80
blue
1nx3:192.168.1.13:80
red
1nx4:192.168.1.14:80
red
db1:192.168.1.21:123
blue
db1:192.168.1.22:123
red
app (second tier)
Figure 7-3
alpha
Buddy Sticky Groups: Many-to-One Association
First Tier Servers
Second Tier Servers
Server Farm
web
(alpha)
Server Farm
app
(alpha)
1nx1
192.168.1.11:80
blue
db1
192.168.1.21:123
1nx2
192.168.1.12:80
1nx3
192.168.1.13:80
red
1nx4
192.168.1.14:80
332432
db2
192.168.1.22:123
The buddy sticky groups blue and red divide the first-tier real servers into groups and then sticks each
of these groups to a specific second-tier real server.
In this example, when the ACE load balances clients to either real server 1nx1 or 1nx2 in the server farm
web, the clients are directed only to real server db1 when they are ready to move to the server farm app.
Notice also that clients that the ACE load balances to 1nx3 and 1nx4 are directed only to real server db2
when they are ready to move to the server farm app.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
7-10
OL-26645-02
Chapter 7
Configuring Stickiness
Configuring Sticky Groups
Sticky Table
To keep track of sticky connections, the ACE appliance uses a sticky table. Table entries include the
following items:
•
Sticky groups
•
Sticky methods
•
Sticky connections
•
Real servers
The sticky table can hold a maximum of four million entries (four million simultaneous users). When
the table reaches the maximum number of entries, additional sticky connections cause the table to wrap
and the first users become unstuck from their respective servers.
The ACE appliance uses a configurable timeout mechanism to age out sticky table entries. When an
entry times out, it becomes eligible for reuse. High connection rates may cause the premature aging out
of sticky entries. In this case, the ACE appliance reuses the entries that are closest to expiration first.
Sticky entries can be either dynamic (generated by the ACE appliance on-the-fly) or static
(user-configured). When you create a static sticky entry, the ACE appliance places the entry in the sticky
table immediately. Static entries remain in the sticky database until you remove them from the
configuration. You can create a maximum of 4096 static sticky entries in each context.
If the ACE appliance takes a real server out of service for whatever reason (probe failure, no inservice
command, or ARP timeout), the ACE appliance removes from the database any sticky entries that are
related to that server.
Related Topics
•
Configuring Sticky Groups, page 7-11
•
Sticky Types, page 7-2
•
Sticky Table, page 7-11
Configuring Sticky Groups
Stickiness (or session persistence) is a feature that allows the same client to maintain multiple
simultaneous or subsequent TCP connections with the same real server for the duration of a session. A
session, as used here, is defined as a series of transactions between a client and a server over some finite
period of time (from several minutes to several hours). This feature is particularly useful for e-commerce
applications where a client needs to maintain multiple TCP connections with the same server while
shopping online, especially while building a shopping cart and during the checkout process.
E-commerce applications are not the only types of applications that require stickiness. Any Web
application that maintains client information may require stickiness, such as banking applications or
online trading. Other uses include FTP and HTTP file transfers.
The ACE appliance uses the concept of sticky groups to configure stickiness. A sticky group allows you
to specify sticky attributes. After you configure a sticky group and its attributes, you associate the sticky
group with a Layer 7 policy-map action in a Layer 7 SLB policy map.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
7-11
Chapter 7
Configuring Stickiness
Configuring Sticky Groups
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Stickiness. The Sticky Groups table
appears.
Step 2
Click Add to add a new sticky group, or select an existing sticky group you want to modify, and then
click Edit.
Step 3
Enter the sticky group attributes (see Table 7-1).
Table 7-1
Sticky Group Attributes
Field
Description
Group Name
The sticky group identifier. Valid entries are unquoted text strings with no spaces and a maximum
of 64 alphanumeric characters.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
7-12
OL-26645-02
Chapter 7
Configuring Stickiness
Configuring Sticky Groups
Table 7-1
Sticky Group Attributes (continued)
Field
Description
Type
The method to be used when establishing sticky connections:
•
HTTP Content—The ACE sticks client connections to the same real server based on a string
in the data portion of the HTTP packet. See Table 7-2 for additional configuration options.
•
HTTP Cookie—Indicates that the ACE appliance is either to learn a cookie from the HTTP
header of a client request or to insert a cookie in the Set-Cookie header of the response from
the server to the client, and then use the learned cookie to provide stickiness between the client
and server for the duration of the transaction.
•
HTTP Header—Indicates that the ACE appliance is to stick client connections to the same real
server based on HTTP headers.
•
IP Netmask—Indicates that the ACE appliance is to stick a client to the same server for
multiple subsequent connections as needed to complete a transaction using the client source
IP address, the destination IP address, or both based on their IP netmask. You can optionally
configure an IPv6 prefix length with this sticky type.
Note
•
IPv6 Prefix—Indicates that the ACE appliance is to stick a client to the same server for
multiple subsequent connections as needed to complete a transaction using the client source
IP address, the destination IP address, or both based on their IPv6 prefix. You can optionally
configure an IPv4 netmask with this sticky type.
•
Layer 4 Payload—The ACE sticks client connections to the same real server based on a string
in the payload portion of the Layer 4 protocol packet. See Table 7-6 for additional
configuration options.
•
RADIUS—The ACE sticks client connections to the same real server based on a RADIUS
attribute. See Table 7-7 for additional configuration options.
•
RTSP Header—The ACE sticks client connections to the same real server based on the RTSP
Session header field. See Table 7-8 for additional configuration options.
•
SIP Header—The ACE sticks client connections to the same real server based on the SIP
Call-ID header field.
•
SSL—The ACE sticks client connections to the same real server based on the SSL session ID.
Note
Cookie Name
If an organization uses a megaproxy to load balance client requests across multiple proxy
servers when a client connects to the Internet, the source IP address is no longer a reliable
indicator of the true source of the request. In this situation, you can use cookies or another
sticky method to ensure session persistence.
This option is not available with the ACE NPE software version (see the “Information
About the ACE No Payload Encryption Software Version” section on page 1-2).
This option appears for sticky type HTTP Cookie.
Enter a unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and
a maximum of 64 alphanumeric characters.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
7-13
Chapter 7
Configuring Stickiness
Configuring Sticky Groups
Table 7-1
Sticky Group Attributes (continued)
Field
Description
Enable Insert
This option appears only for sticky type HTTP Cookie.
Check this check box if the ACE appliance is to insert a cookie in the Set-Cookie header of the
response from the server to the client. This option is useful when you want to use a session cookie
for persistence but the server is not currently setting the appropriate cookie. When selected, the
ACE appliance selects a cookie value that identifies the original server from which the client
received a response. For subsequent connections of the same transaction, the client uses the cookie
to stick to the same server.
Clear this check box to disable cookie insertion.
Browser Expire
This option appears for sticky type HTTP Cookie and you select Enable Insert.
Check this check box to allow the client's browser to expire a cookie when the session ends. Clear
this check box to disable browser expire.
Offset (Bytes)
This option appears for sticky types HTTP Cookie and HTTP Header.
Enter the number of bytes the ACE appliance is to ignore starting with the first byte of the cookie.
Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the ACE
appliance does not exclude any portion of the cookie.
Length (Bytes)
This option appears for sticky types HTTP Cookie, HTTP Header, and SSL.
Enter the length of the portion of the cookie (starting with the byte after the offset value) that the
ACE appliance is to use for sticking the client to the server. For the SSL sticky type, enter the SSL
session ID length that needs to be parsed. Valid entries are integers from 1 to 1000.
Secondary Name
This option appears only for sticky type HTTP Cookie.
Enter an alternate cookie name that is to appear in the URL string of the Web page on the server.
The ACE appliance uses this cookie to maintain a sticky connection between a client and a server
and adds a secondary entry in the sticky table. Valid entries are unquoted text strings with no
spaces and a maximum of 64 characters.
Header Name
This option appears for sticky type HTTP Header.
Select the HTTP header to use for sticking client connections.
IPv4 Netmask
This option appears only for sticky type IP Netmask or IPv6 Prefix. This option is mandatory for
the sticky type IP Netmask and optional for the sticky type IPv6 Prefix.
Select the netmask to apply to the source IP address, the destination IP address, or both.
IPv6 Prefix Length
This option appears only for sticky type IPv6 Prefix or IP Netmask. This option is mandatory for
the sticky type IPv Prefix and optional for the sticky type IP Netmask.
Enter the IPv6 prefix length to apply to the source IP address, the destination IP address, or both.
Address Type
This option appears only for sticky type IP Netmask or IPv6 Prefix.
Indicate whether this sticky type is to be applied to the client source IP address, the destination IP
address, or both:
•
Both—Indicates that this sticky type is to be applied to both the source IP address and the
destination IP address.
•
Destination—Indicates that this sticky type is to be applied to the destination IP address only.
•
Source—Indicates that this sticky type is to be applied to the source IP address only.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
7-14
OL-26645-02
Chapter 7
Configuring Stickiness
Configuring Sticky Groups
Table 7-1
Sticky Group Attributes (continued)
Field
Description
Enable Sticky For
Response
This check box option appears for sticky types: Layer 4 Payload and SSL.
Sticky Server Farm
Select a server farm you want to associate with this sticky group.
Backup Server Farm
This field appears when a server farm is selected.
Check this check box to instruct the ACE to parse the response bytes from a server and perform
sticky learning. Clear the check box when you do not want the ACE to perform this operation.
Select a backup server farm to be associated with this sticky group. If the primary server farm is
down, the ACE appliance uses the backup server farm.
Aggregate State
This field appears when a server farm and backup server farm are selected.
Check this check box to indicate that the state of the backup server farm is tied to the virtual server
state. Clear this check box if the backup server farm is not tied to the virtual server state.
Enable Sticky on
Backup Server Farm
This field appears when a server farm and backup server farm are selected.
Check this check box to indicate that the backup server farm is sticky. Clear this check box if the
backup server farm is not sticky.
Buddy Group
This field appears when a server farm is selected.
Associate the server farm with an existing buddy sticky group or create a buddy sticky group.
When you associate multiple server farms with the same buddy group, client requests are stuck to
the same real server even when the requests are processed by different server farms. For more
information, see the “Buddy Sticky Groups” section on page 7-6.
Note
Replicate on HA Peer
The ACE does not support the buddy group feature for SSL or RTSP sticky types.
Check this check box to indicate that the ACE appliance to replicate sticky table entries on the
standby ACE appliance. If a failover occurs and this option is selected, the new active ACE
appliance can maintain the existing sticky connections.
Clear this check box to indicate that the ACE appliance is not to replicate sticky table entries on
the standby ACE appliance.
Timeout (Minutes)
Enter the number of minutes that the ACE appliance keeps the sticky information for a client
connection in the sticky table after the latest client connection terminates. Valid entries are integers
from 1 to 65535; the default is 1440 minutes (24 hours).
Timeout Active
Connections
Check this check box to specify that the ACE appliance is to time out sticky table entries even if
active connections exist after the sticky timer expires.
Clear this check box to specify that the ACE appliance is not to time out sticky table entries even
if active connections exist after the sticky timer expires. This is the default behavior.
Step 4
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance. To configure sticky statics,
see Configuring Sticky Statics, page 7-21.
•
Click Cancel to exit the procedure without saving your entries and to return to the Sticky Groups
table.
•
Click Next to save your entries and to configure another sticky group.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
7-15
Chapter 7
Configuring Stickiness
Configuring Sticky Groups
Related Topics
•
Configuring Sticky Statics, page 7-21
•
Configuring Virtual Context Class Maps, page 12-8
•
Configuring Virtual Context Policy Maps, page 12-34
•
Configuring Real Servers, page 6-5
•
Configuring Server Farms, page 6-18
Sticky Group Attribute Tables
Refer to the following topics for sticky group type-specific attributes:
•
HTTP Content Sticky Group Attributes, page 7-16
•
HTTP Cookie Sticky Group Attributes, page 7-17
•
HTTP Header Sticky Group Attributes, page 7-18
•
IP Netmask Sticky Group Attributes, page 7-18
•
Layer 4 Payload Sticky Group Attributes, page 7-19
•
RADIUS Sticky Group Attributes, page 7-20
•
RTSP Header Sticky Group Attributes, page 7-20
•
SSL Header Sticky Group Attributes, page 7-21
HTTP Content Sticky Group Attributes
Table 7-2
HTTP Content Sticky Group Attributes
Field
Description
HTTP Content
HTTP content may change over time with only a portion remaining constant
throughout a transaction between the client and a server.
Check the check box to configure the ACE to use the constant portion of
HTTP content to make persistent connections to a specific server. Clear the
check box to identify specific content for stickiness in the Offset, Length,
Begin Pattern, and End Pattern fields.
Offset (Bytes)
Enter the number of bytes the virtual server is to ignore starting with the first
byte of the cookie. Valid entries are integers from 0 to 999. The default is 0
(zero), which indicates that the virtual server does not exclude any portion
of the cookie.
Length (Bytes)
Enter the length of the portion of the cookie (starting with the byte after the
offset value) that the ACE is to use for sticking the client to the server. Valid
entries are integers from 1 to 1000.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
7-16
OL-26645-02
Chapter 7
Configuring Stickiness
Configuring Sticky Groups
Table 7-2
HTTP Content Sticky Group Attributes (continued)
Field
Description
Begin Pattern
Enter the beginning pattern of the HTTP content payload and the pattern
string to match before hashing. If you do not specify a beginning pattern, the
ACE begins parsing immediately after the offset byte. You cannot configure
different beginning and ending patterns for different server farms that are
part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. You can enter a text string with spaces provided
that you enclose the entire string in quotation marks ("). The ACE supports
regular expressions for matching string expressions. Table 12-33 lists the
supported characters that you can use for matching string expressions.
End Pattern
Enter the pattern that marks the end of hashing. If you do not specify an end
pattern or a length, the ACE continues to parse the data until it reaches the
end of the field or packet, or until it reaches the maximum body parse length.
You cannot configure different beginning and ending patterns for different
server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. You can enter a text string with spaces provided
that you enclose the entire string in quotation marks ("). The ACE supports
regular expressions for matching string expressions. Table 12-33 lists the
supported characters that you can use for matching string expressions.
HTTP Cookie Sticky Group Attributes
Table 7-3
HTTP Cookie Sticky Group Attributes
Field
Description
Cookie Name
Enter a unique identifier for the cookie. Valid entries are unquoted text
strings with no spaces and a maximum of 64 alphanumeric characters.
Enable Insert
Check the check box if the virtual server is to insert a cookie in the
Set-Cookie header of the response from the server to the client. This option
is useful when you want to use a session cookie for persistence but the server
is not currently setting the appropriate cookie. When selected, the virtual
server selects a cookie value that identifies the original server from which
the client received a response. For subsequent connections of the same
transaction, the client uses the cookie to stick to the same server.
Clear the check box to disable cookie insertion.
Browser Expire
This option appears for sticky type HTTP Cookie and you select Enable
Insert.
Check this check box to allow the client's browser to expire a cookie when
the session ends. Clear this check box to disable browser expire.
Offset (Bytes)
Enter the number of bytes the virtual server is to ignore starting with the first
byte of the cookie. Valid entries are integers from 0 to 999. The default is 0
(zero), which indicates that the virtual server does not exclude any portion
of the cookie.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
7-17
Chapter 7
Configuring Stickiness
Configuring Sticky Groups
Table 7-3
HTTP Cookie Sticky Group Attributes (continued)
Field
Description
Length (Bytes)
Enter the length of the portion of the cookie (starting with the byte after the
offset value) that the ACE is to use for sticking the client to the server. Valid
entries are integers from 1 to 1000.
Secondary Name
Enter an alternate cookie name that is to appear in the URL string of the Web
page on the server. The virtual server uses this cookie to maintain a sticky
connection between a client and a server and adds a secondary entry in the
sticky table. Valid entries are unquoted text strings with no spaces and a
maximum of 64 characters.
HTTP Header Sticky Group Attributes
Table 7-4
HTTP Header Sticky Group Attributes
Field
Description
Header Name
Select the HTTP header to use for sticking client connections.
Offset (Bytes)
Enter the number of bytes the virtual server is to ignore starting with the first
byte of the cookie. Valid entries are integers from 0 to 999. The default is 0
(zero), which indicates that the virtual server does not exclude any portion
of the cookie.
Length (Bytes)
Enter the length of the portion of the cookie (starting with the byte after the
offset value) that the ACE is to use for sticking the client to the server. Valid
entries are integers from 1 to 1000.
IP Netmask Sticky Group Attributes
Table 7-5
IP Netmask Sticky Group Attributes
Field
Description
Netmask
Select the netmask to apply to the source IP address, destination IP address,
or both.
Address Type
Indicate whether this sticky type is to be applied to the client source IP
address, the destination IP address, or both:
•
Both—The sticky type is to be applied to both the source IP address and
the destination IP address.
•
Destination—The sticky type is to be applied to the destination IP
address only.
•
Source—The sticky type is to be applied to the source IP address only.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
7-18
OL-26645-02
Chapter 7
Configuring Stickiness
Configuring Sticky Groups
Layer 4 Payload Sticky Group Attributes
Table 7-6
Layer 4 Payload Sticky Group Attributes
Field
Description
Offset (Bytes)
Enter the number of bytes the virtual server is to ignore starting with the first
byte of the cookie. Valid entries are integers from 0 to 999. The default is 0
(zero), which indicates that the virtual server does not exclude any portion
of the cookie.
Length (Bytes)
Enter the length of the portion of the cookie (starting with the byte after the
offset value) that the ACE is to use for sticking the client to the server. Valid
entries are integers from 1 to 1000.
Begin Pattern
Enter the beginning pattern of the Layer 4 payload and the pattern string to
match before hashing. If you do not specify a beginning pattern, the ACE
begins parsing immediately after the offset byte. You cannot configure
different beginning and ending patterns for different server farms that are
part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. You can enter a text string with spaces provided
that you enclose the entire string in quotation marks ("). The ACE supports
regular expressions for matching string expressions. Table 12-33 lists the
supported characters that you can use for matching string expressions.
End Pattern
Enter the pattern that marks the end of hashing. If you do not specify an end
pattern or a length, the ACE continues to parse the data until it reaches the
end of the field or packet, or until it reaches the maximum body parse length.
You cannot configure different beginning and ending patterns for different
server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. You can enter a text string with spaces provided
that you enclose the entire string in quotation marks ("). The ACE supports
regular expressions for matching string expressions. Table 12-33 lists the
supported characters that you can use for matching string expressions.
Enable Sticky For
Response
Check the check box to enable the ACE to parse server responses and
perform sticky learning. The ACE uses a hash of the server response bytes
to populate the sticky database. The next time that the ACE receives a client
request with those same bytes, it sticks the client to the same server.
Clear the check box to reset the behavior of the ACE to the default of not
parsing server responses and performing sticky learning.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
7-19
Chapter 7
Configuring Stickiness
Configuring Sticky Groups
RADIUS Sticky Group Attributes
Table 7-7
RADIUS Sticky Group Attributes
Field
Description
RADIUS Types
Select the RADIUS attribute to use for sticking client connections:
Enter User IPv6Prefix
Length
•
N/A—This option is not configured.
•
RADIUS Calling ID—Stickiness is based on the RADIUS framed IP
attribute and the calling station ID attribute.
•
RADIUS User Name—Stickiness is based on the RADIUS framed IP
attribute and the username attribute.
Enter the IPv6 prefix length for IPv6 end user packets when using RADIUS
IPv6 attributes. For RADIUS-framed IP sticky using IPv6, the sticky entry
is based on the framed IPv6 prefix and prefix length in the RADIUS packet.
Use a matching prefix length for the sticky lookup of end user packets.
Enter a prefix length from 1 to 128. The default is 64.
Wait For
Acknowledgement
Check this check box to configure the ACE to reload-balance RADIUS
requests that hit framed-ip sticky entries (excluding the real server in sticky
entry) when the Accounting-Start does not receive a response. This feature
is designed for scenarios in which sticky entries are created during the
Accounting phase.
Clear this check box to configure the ACE not to use the wait for an
acknowledgement feature.
Radius Purge
Information
When the user chooses the TYPE option as RADIUS in the drop down,
Radius Purge Information checkbox is displayed.
RTSP Header Sticky Group Attributes
Table 7-8
RTSP Header Sticky Group Attributes
Field
Description
Offset (Bytes)
Enter the number of bytes the virtual server is to ignore starting with the first
byte of the cookie. Valid entries are integers from 0 to 999. The default is 0
(zero), which indicates that the virtual server does not exclude any portion
of the cookie.
Length (Bytes)
Enter the length of the portion of the cookie (starting with the byte after the
offset value) that the ACE is to use for sticking the client to the server. Valid
entries are integers from 1 to 1000.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
7-20
OL-26645-02
Chapter 7
Configuring Stickiness
Configuring Sticky Statics
SSL Header Sticky Group Attributes
Table 7-9
SSL Sticky Group Attributes
Field
Description
Enable Sticky For
Response
Check the check box to instruct the ACE to parse the response bytes from a server and perform
sticky learning. Clear the check box when you do not want the ACE to perform this operation.
Length (Bytes)
Length of the SSL session ID that needs to be parsed. Valid entries are integers from 1 to 1000.
Viewing All Sticky Groups by Context
Use this procedure to view all sticky groups associated with a virtual context.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the virtual context with the sticky groups you want to view, and then select Load Balancing >
Stickiness. The Sticky Groups table appears, listing the sticky groups associated with the selected
context.
Related Topics
•
Configuring Sticky Groups, page 7-11
•
Configuring Sticky Statics, page 7-21
Configuring Sticky Statics
Use this procedure to configure sticky statics.
Assumption
A sticky group has been configured. See Configuring Sticky Groups, page 7-11 for more information.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Stickiness. The Sticky Groups table
appears.
Step 2
Select the sticky group you want to configure for sticky statics, and then select the Sticky Statics tab. If
you do not see the Sticky Statics tab beneath the Sticky Groups table, click the Switch between
Configure and Browse Modes button.
Step 3
Click Add to add a new entry to the table, or select an existing entry, and then click Edit to modify it.
The Sticky Statics configuration screen appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
7-21
Chapter 7
Configuring Stickiness
Configuring Sticky Statics
Step 4
In the Sequence Number field, either accept the automatically incremented number for this entry or enter
a new sequence number.The sequence number indicates the order in which multiple sticky static
configurations are applied.
Step 5
In the Type field, confirm that the correct sticky group type is selected. If you select multiple sticky
groups and are creating a new static sticky entry, select the sticky group type to use as shown in
Table 7-10.
Table 7-10
Sticky Group Types
Sticky Group
Description
HTTP Content
Indicates that the ACE appliance is to stick a client to a server based on the
content of an HTTP packet. You can specify a beginning pattern and ending
pattern, the number of bytes to parse, and an offset that specifies how many
bytes to ignore from the beginning of the data.
HTTP Cookie
Indicates that the ACE appliance is either to learn a cookie from the HTTP
header of a client request or to insert a cookie in the Set-Cookie header of
the response from the server to the client, and then use the learned cookie to
provide stickiness between the client and server for the duration of the
transaction.
HTTP Header
Indicates that the ACE appliance is to stick client connections to the same
real server based on HTTP headers.
IP Netmask
Indicates that the ACE appliance is to stick a client to the same server for
multiple subsequent connections as needed to complete a transaction using
the client source IP address, the destination IP address, or both based on the
IPv4 netmask. You can optionally configure an IPv6 prefix length with this
sticky type.
Note
If an organization uses a megaproxy to load balance client requests
across multiple proxy servers when a client connects to the Internet,
the source IP address is no longer a reliable indicator of the true
source of the request. In this situation, you can use cookies or
another sticky method to ensure session persistence.
IPv6 Prefix
Indicates that the ACE appliance is to stick a client to the same server for
multiple subsequent connections as needed to complete a transaction using
the client source IP address, the destination IP address, or both based on the
IPv6 prefix length. You can optionally configure an IPv4 netmask with this
sticky type.
Layer 4 Payload
Indicates that the ACE appliance is to stick a client to a server based on the
data in Layer 4 frames. You can specify a beginning pattern and ending
pattern, the number of bytes to parse, and an offset that specifies how many
bytes to ignore from the beginning of the data.
RADIUS
Indicates that the ACE appliance is to stick client connections based on the
following RADIUS attributes: Calling station ID or Username.
RTSP Header
Indicates that the ACE appliance is to stick client connections based on
information in the RTSP session header. With RTSP header stickiness, you
can specify a header offset to provide stickiness based on a unique portion
of the RTSP header.
SIP Header
Indicates that the ACE appliance is to stick client connections based on the
SIP Call-ID header field. SIP header stickiness requires the entire SIP
header, so you cannot specify an offset.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
7-22
OL-26645-02
Chapter 7
Configuring Stickiness
Configuring Sticky Statics
Step 6
If you select either HTTP Cookie, HTTP Header, HTTP Content, Layer 4 Payload, RTSP header, or SIP
header for sticky type, in the Static Value field, enter the cookie string value. Valid entries are unquoted
text strings with a maximum of 255 alphanumeric characters. If the string includes spaces, enclose the
string with quotes.
Step 7
If you select IP Netmask or IPv6 Prefix for the sticky type:
a.
For the IP Address Type, select either IPv4 or IPv6.
b.
In the Static Source field, enter the source IP address of the client.
c.
In the Static Destination field, enter the destination IP address of the client.
Step 8
In the Named Real Server field, select the real server to associate with this static sticky entry.
Step 9
In the Port field, enter the port number of the real server. Valid entries are integers from 1 to 65535.
Step 10
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit the procedure without saving your entries and to return to the Sticky Statics
table.
•
Click Next to save your entries and to configure another sticky static entry.
Related Topic
Configuring Sticky Groups, page 7-11
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
7-23
Chapter 7
Configuring Stickiness
Configuring Sticky Statics
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
7-24
OL-26645-02
C H A P T E R
8
Configuring Parameter Maps
This chapter describes how to configure parameter maps. Parameter maps provide a means of
performing actions on traffic received by the ACE, based on certain criteria such as protocol or
connection attributes. After you configure a parameter map, you associate it with a policy map to
implement configured behavior.
Table 8-1 describes the parameter maps you can configure using the ACE.
Table 8-1
Parameter Map Types
Parameter
Map
Description
Connection
Connection parameter maps combine all IP and TCP connection-related behaviors pertaining to the
following:
•
TCP normalization, termination, and server reuse
•
IP normalization, fragmentation, and reassembly
DNS
Domain Name System (DNS) parameter maps configure DNS actions for DNS packet inspection.
Generic
Generic parameter maps combine related generic protocol actions for server load-balancing connections.
HTTP
HTTP parameter maps configure ACE behavior for HTTP load-balanced connections.
Optimization
Optimization parameter maps specify optimization-related commands that pertain to application
acceleration and optimization functions performed by the ACE.
RDP
Remote Desktop Protocol (RDP) parameter maps configure routing-token-rebalance in which the ACE
redirects a connection that contains RDP packets to another server when the real server that matches the
token information in the client request is down.
RTSP
RTSP parameter maps configure advanced RTSP behavior for server load-balancing connections.
SIP
Session Initiation Protocol (SIP) parameter maps configure SIP deep packet inspection on the ACE.
Skinny
Skinny Client Control Protocol (SCCP) parameter maps configure SCCP packet inspection on the ACE.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-1
Chapter 8
Configuring Parameter Maps
Configuring HTTP Parameter Maps
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
This chapter contains the following sections:
•
Configuring HTTP Parameter Maps, page 8-2
•
Configuring Connection Parameter Maps, page 8-5
•
Configuring Optimization Parameter Maps, page 8-11
•
Configuring Generic Parameter Maps, page 8-17
•
Configuring RTSP Parameter Maps, page 8-19
•
Configuring SIP Parameter Maps, page 8-20
•
Configuring Skinny Parameter Maps, page 8-22
•
Configuring DNS Parameter Maps, page 8-23
•
Configuring RDP Parameter Maps, page 8-24
•
Configuring Traffic Policies, page 12-1
•
Configuring Parameter Maps, page 8-1
•
Configuring Virtual Contexts, page 4-1
Configuring HTTP Parameter Maps
Use this procedure to configure an HTTP parameter map for use with a Layer 3/Layer 4 policy map.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Parameter Maps > HTTP
Parameter Maps. The HTTP Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, and then click Edit to
modify it. The HTTP Parameter Maps configuration screen appears.
Step 3
In the Parameter Name field, enter a unique name for the parameter map. Valid entries are unquoted text
strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4
Enter the information in Table 8-2.
Table 8-2
HTTP Parameter Map Attributes
Field
Description
Description
Brief description of the parameter map. Enter a text string with a maximum of
240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Double quotes must be entered as matching pairs.
Case-Insensitive
Check this check box to indicate that the ACE appliance is to be case insensitive. Clear
this check box to indicate that the ACE appliance is to be case sensitive. This check box
is cleared by default.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-2
OL-26645-01
Chapter 8
Configuring Parameter Maps
Configuring HTTP Parameter Maps
Table 8-2
HTTP Parameter Map Attributes (continued)
Field
Description
Header Modify Per-Request
Check the check box to require SSL information be inserted for every HTTP GET request.
Current functionality only requires that the information be inserted at the first GET
request.
Exceed Max. Parse Length
Indicate how the ACE appliance is to handle cookies, HTTP headers, and URLs that
exceed the maximum parse length:
HTTP Persistence Rebalance
•
Continue—Indicates that the ACE appliance is to continue load balancing. When this
option is selected, the HTTP Persistence Rebalance option is disabled if the total
length of all cookies, HTTP headers, and URLs exceeds the maximum parse value.
•
Drop—Indicates that the ACE appliance is to stop load balancing and to discard the
packet.
Check this check box to enabled persistence rebalance. Persistence is sometimes referred
to as a connection keepalive.
With persistence rebalance enabled, when successive GET requests result in load
balancing that chooses the same policy, the ACE sends the request to the real server used
for the last GET request. This behavior prevents the ACE from load balancing every
request and recreating the server-side connection on every GET request, producing less
overhead and better performance.
Another effect of persistence rebalance is that header insertion and cookie insertion, if
enabled, occur for every request instead of only the first request.
By default, persistence rebalance is enabled. Clear this check box to indicate that this
option is disabled.
TCP Server Connection Reuse
Check this check box to indicate that the ACE appliance is to reduce the number of open
connections on a server by allowing connections to persist and be reused by multiple
client connections. If you enable this feature:
•
Ensure that the ACE appliance maximum segment size (MSS) is the same as the
server maximum segment size.
•
Configure port address translation (PAT) on the interface that is connected to the real
server.
•
Configure on the ACE appliance the same TCP options that exist on the TCP server.
•
Ensure that each server farm is homogeneous (all real servers within a server farm
have identical configurations).
Clear this check box to disable this option.
Enable Drop on Parsing Error
Check this check box to have the ACE drop a connection when it detects a parse error.
Clear the check box to disable this option and configure the ACE maintain a connection
even when it detects a parse error. This is the default setting.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-3
Chapter 8
Configuring Parameter Maps
Configuring HTTP Parameter Maps
Table 8-2
HTTP Parameter Map Attributes (continued)
Field
Description
Enable Non Strict on Parsing
Error
Check this check box to configure the ACE to allow the presence of a CRLF in the header
before the header name, which is inserted for header name continuation purposes.
Normally, the ACE considers a CRLF in the header a parse error. When you enable this
feature and the ACE encounters a CRLF in the header, the ACE ignores the parse error
and allows the Layer 7 connection.
Clear the check box to disable this feature and configure the ACE to not allow a CRLF in
the header. When the ACE encounters a CRLF, it considers it a parsing error and reacts
according to how you set the Enable Drop on Parsing Error field. This is the default
setting.
Content Max. Parse Length
(Bytes)
Enter the maximum number of bytes to parse in HTTP content. Valid entries are integers
from 1 to 65535, with a default of 4096.
Header Max. Parse Length
(Bytes)
Enter the maximum number of bytes to parse for the total length of cookies, HTTP
headers, and URLs. Valid entries are integers from 1 to 65535 with a default of 4096.
Secondary Cookie Delimiters
Enter the ASCII-character delimiters to be used to separate cookies in a URL string. Valid
entries are unquoted text strings with no spaces and a maximum of 4 characters. The
default delimiters are /&#+.
MIME Type To Compress
In the field on the left, enter the Multipurpose Internet Mail Extension (MIME) type to
compress, and then click Add. The MIME type appears in the column on the right. To
remove or change a MIME type, select it in the column on the right, and then click
Remove. The selected MIME type appears in the field on the left where you can modify
or delete it.
To specify the sequence in which compression is to be applied, select MIME types in the
column on the right, and then click Up or Down to arrange the MIME types.
Supported MIME Types, page 8-25 lists the supported MIME types. You can use an
asterisk (*) to indicate a wildcard, such as text/*, which would include all text MIME
types (text/html, text/plain, and so on).
User Agent Not To Compress
A user agent is a client that initiates a request. Examples of user agents include browsers,
editors, and other end-user tools. When you specify a user agent string in this field, the
ACE appliance does not compress the response to a request when the request contains the
matching user agent string.
In the field on the left, enter the user agent string to be matched, and then click Add. The
string appears in the column on the right. To remove or change a user agent string, select
it in the column on the right, and then click Remove. The selected string appears in the
field on the left where you can modify or delete it.
To specify the sequence in which strings are to be matched, select strings in the column
on the right, and then click Up or Down to arrange the strings in the desired sequence.
Valid entries are 64 characters.
Min. Size To Compress (Bytes)
Step 5
Enter the threshold at which compression is to occur. The ACE appliance compresses files
that are the minimum size or larger. Valid entries are integers from 1 to 4096 bytes.
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without accepting your entries and to return to the Parameter
Maps table.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-4
OL-26645-01
Chapter 8
Configuring Parameter Maps
Configuring Connection Parameter Maps
•
Click Next to accept your entries and to add another parameter map.
Related Topics
•
Configuring Parameter Maps, page 8-1
•
Configuring Traffic Policies, page 12-1
•
Configuring Optimization Parameter Maps, page 8-11
•
Configuring Virtual Contexts, page 4-1
Configuring Connection Parameter Maps
Connection parameter maps combine all IP and TCP connection-related behaviors that pertain to the
following:
•
TCP normalization, termination, and server reuse
•
IP normalization, fragmentation, and reassembly
Use this procedure to configure a Connection parameter map for use with a Layer 3/Layer 4 policy map.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Parameter Maps > Connection
Parameter Maps. The Connection Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, and then click Edit to
modify it. The Connection Parameter Maps configuration screen appears.
Step 3
In the Parameter Name field, enter a unique name for the parameter map. Valid entries are unquoted text
strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4
Enter the information in Table 8-3. Click More Settings to access the additional Connection Parameter
Map configuration attributes. By default, ACE appliance Device Manager hides the default Connection
Parameter Map configuration attributes and the attributes which are not commonly used.
Table 8-3
Connection Parameter Map Attributes
Field
Description
Parameter Name
Enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces
and a maximum of 64 alphanumeric characters.
Description
Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric
characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Enter double quotes as
matching pairs.
Inactivity Timeout
(Seconds)
Enter the number of seconds that the ACE is to wait before disconnecting idle connections. Valid
entries are integers from 0 to 3217203. A value of 0 indicates that ACE is never to time out a TCP
connection.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-5
Chapter 8
Configuring Parameter Maps
Configuring Connection Parameter Maps
Table 8-3
Connection Parameter Map Attributes (continued)
Field
Description
More Settings
Exceeds MSS
Indicate how the ACE is to handle segments that exceed the maximum segment size (MSS):
•
Allow—The ACE is to permit segments that exceed the configured MSS.
•
Drop—The ACE is to discard segments that exceed the configured MSS.
Full Proxy MSS
Mismatch
Allows the ACE to splice together the client front-end and the server back-end connections when the
ACE is proxying Layer 7 traffic flow and the negotiated front-end and back-end TCP handshakes do
not match. Uncheck the check box when you do not want the ACE to enable a connection when the
TCP handshakes do not match.
Max. Connection
Limit
Enter the maximum number of concurrent connections to allow for the parameter map. Valid entries
are integers from 0 to4000000.
Nagle
The Nagle algorithm instructs a sender to buffer any data to be sent until all outstanding data has been
acknowledged or until there is a full segment of data to send. Enabling the Nagle algorithm increases
throughput, but it can increase latency in your TCP connection.
Check the check box to enable the Nagle algorithm. Clear the check box to disable the Nagle
algorithm.
Note
Random Sequence
Number
Disable the Nagle algorithm when you observe unacceptable delays in TCP connections.
Randomizing TCP sequence numbers adds a measure of security to TCP connections by making it
more difficult for a hacker to guess or predict the next sequence number in a TCP connection.
Check the check box to enable the use of random TCP sequence numbers. Clear the check box to
disable the use of random TCP sequence numbers.
This option is enabled by default.
Bandwidth Rate Limit Enter the bandwidth-rate limit in bytes per second for the parameter map. Valid entries are integers
from 0 to 300000000 bytes.
Connection Rate
Limit
Enter the connection-rate limit in connections per second. Valid entries are integers from 0 to350000.
Reserved Bits
Indicate how the ACE is to handle segments with the reserved bits set in the TCP header:
Type-of-Service IP
Header
•
Allow—Segments with the reserved bits are to be permitted.
•
Drop—Segments with the reserved bits are to be discarded.
•
Clear—Reserved bits in TCP headers are to be cleared and segments are to be allowed.
The type of service for an IP packet determines how the network handles the packet and balances its
precedence, throughput, delay, reliability, and cost.
Enter the type-of-service value to be applied to IP packets. Valid entries are integers from 0 to 255.
For more information about type of service, refer to RFCs 791, 1122, 1349, and 3168.
ACK Delay Time
(Milliseconds)
Enter the number of milliseconds that the ACE is to wait before sending an acknowledgement from
a client to a server. Valid entries are integers from 0 to 400.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-6
OL-26645-01
Chapter 8
Configuring Parameter Maps
Configuring Connection Parameter Maps
Table 8-3
Connection Parameter Map Attributes (continued)
Field
Description
TCP Buffer Share
(Bytes)
To improve throughput and overall performance, the ACE buffers the number of bytes you specify
before processing received data or transmitting data. Use this option to increase the default buffer
size and thereby realize improved network performance.
Enter the maximum size of the TCP buffer in bytes. Valid entries are integers from 8192 to 262143
bytes. Default is 32768.
Note
If you enter a value in this field for an ACE device that does not support this option, an error
message appears. Leave this field blank when creating or modifying a connection parameter
map for devices that do not support this option.
TCP Buffer Threshold Select the TCP buffer threshold, expressed as a percent, to indicate when the TCP connection is to
(%)
be reset. This entry represents the maximum number of TCP connections that the hosts can open. This
entry prevents the ACE from exhausting all available buffers due to the outage caused by DDoS
attack.
The options are 50, 75, 77, 88, 95, and 100. The default value is 100.
Smallest TCP MSS
(Bytes)
Enter the size of the smallest segment of TCP data that the ACE is to accept. Valid entries are integers
from 0 to 65535 bytes. The value 0 indicates that the ACE is not to set a minimum limit.
Largest TCP MSS
(Bytes)
Enter the size of the largest segment of TCP data that the ACE is to accept. Valid entries are integers
from 0 to 65535 bytes. The value 0 indicates that the ACE is not to set a maximum limit.
SYN Retries
Enter the number of attempts that the ACE is to make to transmit a TCP segment when initiating a
Layer 7 connection. Valid entries are integers from 1 to 15 with a default of 4.
TCP WAN
Optimization RTT
This option specifies how the ACE is to apply TCP optimizations to packets on a connection
associated with a Layer 7 policy map using a round-trip time (RTT) value:
•
An entry of 0 (zero) indicates that the ACE is to apply TCP optimizations to packets for the life
of a connection.
•
An entry of 65535 (the default) indicates that the ACE is to perform normal operations (that is,
without optimizations) for the life of a connection.
•
Entries from 1 to 65534 indicate that the ACE is to use the following guidelines:
– If the actual client RTT is less than the configured RTT, the ACE performs normal operations
for the life of the connection.
– If the actual client RTT is greater than or equal to the configured RTT, the ACE performs
TCP optimizations on the packets for the life of a connection.
Valid entries are integers from 0 to 65535.
Timeout For
Embryonic
Connections
(Seconds)
An embryonic connection is a TCP three-way handshake for a connection that does not complete for
some reason.
Half Closed Timeout
(Seconds)
A half-closed connection is one in which the client or server sends a FIN and the server or client
acknowledges the FIN without sending a FIN itself.
Enter the number of seconds that the ACE is to wait before timing out an embryonic connection.
Valid entries are integers from 0 to 4294967295 with a default of 5. A value of 0 indicates that the
ACE is never to time out an embryonic connection.
Enter the number of seconds the ACE is to wait before closing a half-closed connection. Valid entries
are integers from 0 to 4294967295 with a default of 3600 (1 hour). A value of 0 indicates that the
ACE is never to time out a half-closed connection.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-7
Chapter 8
Configuring Parameter Maps
Configuring Connection Parameter Maps
Table 8-3
Connection Parameter Map Attributes (continued)
Field
Description
Slow Start Algorithm
When enabled, the slow start algorithm increases the TCP window size as ACK handshakes arrive
so that new segments are injected into the network at the rate at which acknowledgements are
returned by the host at the other end of the connection.
Check this check box to enable the slow start algorithm, and clear this check box to disable the slow
start algorithm. This option is disabled by default.
SYN Segments With
Data
Indicate how the ACE is to handle TCP SYN segments that contain data:
•
Allow—The ACE is to permit SYN segments that contain data and mark them for processing.
•
Drop—The ACE is to discard SYN segments that contain data.
Urgent Pointer Policy Urgent data, as indicated by a control bit in the TCP header, indicates that urgent data is to be
processed as soon as possible, even before normal data.
Indicate how the ACE is to handle urgent data as identified by the Urgent data control bit:
TCP Window Scale
Factor
•
Allow—The ACE is to permit the status of the Urgent control bit.
•
Clear—The ACE is to set the Urgent control bit to 0 (zero) and thereby invalidate the Urgent
Pointer which provides segment information.
The TCP window scaling extension expands the definition of the TCP window to 32 bits and uses a
scale factor to carry the 32-bit value in the 16-bit window of the TCP header. Increasing the window
size improves TCP performance in network paths with large bandwidth, long-delay characteristics.
Enter the window scale factor in this field. Valid entries are integers from 0 to 14 (the maximum scale
factor).
For more information on TCP window scaling, refer to RFC 1323.
Action For TCP
Options Range
Indicate how the ACE is to handle the TCP options:
•
Selective ACK
•
Timestamps
•
Action For TCP Window Scale Factor
By selecting one of the options:
Lower TCP Options
•
N/A—This option is not set.
•
Allow—The ACE is to allow any segment with the specified option set.
•
Drop—The ACE is to discard any segment with the specified option set.
Appears if you select Allow or Drop for the Action For TCP Options Range.
Enter the lower limit of the TCP option range. Valid entries are 6, 7, or an integer from 9 to 255. See
Table 8-4 for information on TCP options.
Upper TCP Options
Appears if you select Allow or Drop for the Action For TCP Options Range.
Enter the upper limit of the TCP option range. Valid entries are 6, 7, or an integer from 9 to 255. See
Table 8-4 for information on TCP options.
Selective ACK
Indicate how the ACE is to handle the selective ACK option that is specified in SYN segments:
•
Allow—The ACE is to allow any segment with the specified option set.
•
Clear—The ACE is to clear the specified option from any segment that has it set and allow the
segment.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-8
OL-26645-01
Chapter 8
Configuring Parameter Maps
Configuring Connection Parameter Maps
Table 8-3
Connection Parameter Map Attributes (continued)
Field
Description
Timestamps
Indicate how the ACE is to handle the timestamp option that is specified in SYN segments:
Action For TCP
Window Scale Factor
•
Allow—The ACE is to allow any segment with the specified option set.
•
Clear—The ACE is to clear the specified option from any segment that has it set and allow the
segment.
Indicate how the ACE is to handle the TCP window scale factor option that is specified in SYN
segments:
•
Allow—The ACE is to allow any segment with the specified option set.
•
Clear—The ACE is to clear the specified option from any segment that has it set and allow the
segment.
•
Drop—The ACE is to discard any segment with the specified option set.
Table 8-4
TCP Options for Connection Parameter Maps1
Kind
Length
Meaning
6
6
Echo (obsoleted by option 8)
7
6
Echo Reply (obsoleted by option 8)
9
2
Partial Order Connection Permitted
10
3
Partial Order Service Profile
11
CC
12
CC.NEW
13
CC.ECHO
14
3
TCP Alternate Checksum Request
15
N
TCP Alternate Checksum Data
16
Skeeter
17
Bubba
18
3
Trailer Checksum Option
19
18
MD5 Signature Option
20
SCPS Capabilities
21
Selective Negative Acknowledgements (SNACK)
22
Record Boundaries
23
Corruption Experienced
24
SNAP
25
Unassigned (released 12/18/2000)
26
TCP Compression Filter
1. For more information on TCP options, refer to the Security Guide, Cisco ACE Application Control Engine.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-9
Chapter 8
Configuring Parameter Maps
Configuring Connection Parameter Maps
Step 5
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without accepting your entries and to return to the Parameter
Maps table.
•
Click Next to accept your entries and to add another parameter map.
Related Topics
•
Configuring Parameter Maps, page 8-1
•
Configuring Traffic Policies, page 12-1
•
Configuring Virtual Contexts, page 4-1
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-10
OL-26645-01
Chapter 8
Configuring Parameter Maps
Configuring Optimization Parameter Maps
Configuring Optimization Parameter Maps
Use this procedure to configure an Optimization parameter map for use with a Layer 3/Layer 4 policy
map.
See the “Configuring Application Acceleration and Optimization” section on page 13-1 or the
Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine
Appliance for more information about application acceleration and optimization.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Parameter Maps > Optimization
Parameter Maps. The Optimization Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, and then click Edit to
modify it. The Optimization Parameter Maps configuration screen appears.
Step 3
In the Parameter Name field, enter a unique name for the parameter map. Valid entries are unquoted text
strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4
Configure the Optimization parameter map using the information in Table 8-5.
Table 8-5
Optimization Parameter Map Attributes
Field
Description
Description
Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric
characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be
entered as matching pairs.
Set Browser Freshness
Period
Select the method that the ACE is to use to determine the freshness of objects in the client’s
browser:
Duration For Browser
Freshness (Seconds)
•
N/A—This option is not configured.
•
Disable Browser Object Freshness Control—Browser freshness control is not to be used
•
Set Freshness Similar To Flash Forward Objects—The ACE is to set freshness similar to that
used for FlashForwarded objects and to use the values specified in the Maximum Time for
Cache Time-To-Live and Minimum Time for Cache Time-To-Live fields.
This field appears if the Set Browser Freshness Period option is not configured.
Enter the number of seconds that objects in the client’s browser are considered fresh. Valid entries
are 0 to 2147483647 seconds.
Response Codes To
Ignore (Comma
Separated)
Enter a comma-separated list of HTTP response codes for which the response body must not be
read. For example, an entry of 302 indicates that the ACE is to ignore the response body of a 302
(redirect) response from the origin server. Valid entries are unquoted text strings with a maximum
of 64 alphanumeric characters and integers from 100 to 599, inclusive.
Appscope Optimize
Rate (%)
Enter the percentage of all requests or sessions to be sampled for performance with acceleration
(or optimization) applied. All applicable optimizations for the class will be performed. Valid
entries are from 0 to 100 percent, with a default of 10 percent. The sum of this value and the value
entered in the Passthru Rate Percent field must not exceed 100.
Appscope Passthrough
Rate (%)
Enter the percentage of all requests or sessions to be sampled for performance without
optimization. No optimizations for the class will be performed. Valid entries are from 0 to 100,
with a default of 10 percent. The sum of this value and the value entered in the Optimize Rate
Percent field must not exceed 100.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-11
Chapter 8
Configuring Parameter Maps
Configuring Optimization Parameter Maps
Table 8-5
Optimization Parameter Map Attributes (continued)
Field
Description
Max. Number for
Parameter Summary
Log (Bytes)
Enter the maximum number of bytes that are to be logged for each parameter value in the
parameter summary of a transaction log entry in the statistics log. If a parameter value exceeds this
limit, it is truncated at the specified limit. Valid entries are 0 to 10,000 bytes.
Max. For Post Data to
Scan for Logging
(KBytes)
Enter the maximum number of kilobytes of POST data the ACE is to scan for parameters for the
purpose of logging transaction parameters in the statistics log.
String For Grouping
Requests
Enter the string the ACE is to use to sort requests for AppScope reporting. The string can contain
a URL regular expression that defines a set of URLs in which URLs that differ only by their query
parameters are to be treated as separate URLs in AppScope reports.
Valid entries are 0 to 1000 KB.
For example, to define a string that is used to identify the URLs
http://server/catalog.asp?region=asia and http://server/catalog.asp?region=america as two
separate reporting categories, you would enter http_query_param(region).
Valid entries contain 1 to 255 characters and can contain the parameter expander functions listed
in Table 8-6.
Base File Anonymous
Level
Information that is common to a large set of users is generally not confidential or user-specific.
Conversely, information that is unique to a specific user or a small set of users is generally
confidential or user-specific. The anonymous base file feature enables the ACE to create and
deliver condensed base files that contain only information that is common to a large set of users.
No information unique to a particular user, or across a very small subset of users, is included in
anonymous base files.
Enter the value for base file anonymity for the all-user condensation method. Valid entries are
integers from 0 to 50; the default value of 0 disables the base file anonymity feature.
Cache-Key Modifier
Expression
A cache object key is a unique identifier that is used to identify a cached object to be served to a
client, replacing a trip to the origin server. The cache key modifier feature allows you to modify
the canonical form of a URL; that is, the portion before “?” in a URL. For example, the canonical
URL of “http://www.xyz.com/somepage.asp?action=browse&level=2” is
“http://www.xyz.com/somepage.asp”.
Enter a regular expression containing embedded variables as described in Table 8-6. The ACE
transforms URLs specified in class maps for this virtual server with the expression and variable
entered here.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. If the string includes spaces, enclose the string with quotation marks (“).
Min. Time For Cache
Time-To-Live
(Seconds)
Enter the minimum number of seconds that an object without an explicit expiration time should be
considered fresh in the ACE cache. This value specifies the minimum time that content can be
cached. If the ACE is configured for FlashForward optimization, this value should normally be 0.
If the ACE is configured for dynamic caching, this value should indicate how long the ACE should
cache the page. (See Table 5-16 for information about these configuration options.)
Valid entries are 0 to 2147483647 seconds.
Max. Time For Cache
Time-To-Live
(Seconds)
Enter the maximum number of seconds that an object without an explicit expiration time should
be considered fresh in the ACE cache. Valid entries are 0 to 2147483647 seconds.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-12
OL-26645-01
Chapter 8
Configuring Parameter Maps
Configuring Optimization Parameter Maps
Table 8-5
Optimization Parameter Map Attributes (continued)
Field
Description
Cache Time-To-Live
Duration (%)
Enter the percent of an object’s age at which an embedded object without an explicit expiration
time is considered fresh.
Valid entries are 0 to 100 percent.
Expression To Modify
Cache Key Query
Parameter
The cache parameter feature allows you to modify the query parameter of a URL; that is, the
portion after “?” in a URL. For example, the query parameter portion of
“http://www.xyz.com/somepage.asp?action=browse&level=2” is “action=browse&level=2”.
Enter a regular expression containing embedded variables as described in Table 8-6. The ACE
transforms URLs specified in class maps for this virtual server with the expression and variable
entered here. If no string is specified, the query parameter portion of the URL is used as the default
value for this portion of the cache key.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters.
Canonical URL
Expressions (Comma
Separated)
The ACE uses the canonical URL feature to eliminate the “?” and any characters that follow to
identify the general part of the URL. This general URL is then used to create the base file. In this
way, the ACE maps multiple URLs to a single canonical URL.
Enter a comma-separated list of parameter expander functions as defined in Table 8-6 to identify
the URLs to associate with this parameter map.
Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters.
Enable Cacheable
Content Optimization
This feature allows the ACE to detect content that can be cached and perform delta optimization
on it.
Check the check box to enable delta optimization of content that can be cached. Clear the check
box to disable this feature.
Enable Delta
Optimization On First
Visit To Web Page
Check the check box to enable condensation on the first visit to a Web page. Clear the check box
to disable this feature.
Min. Page Size For
Delta Optimization
(Bytes)
Enter the minimum page size, in bytes, that can be condensed. Valid entries are integers from 1 to
250000 bytes.
Max. Page Size For
Delta Optimization
(Bytes)
Enter the maximum page size, in bytes, that can be condensed. Valid entries are integers from 1 to
250000 bytes.
Set Default Client
Script
Indicate the scripting language that the ACE is to recognize on condensed content pages:
•
N/A—This option is not configured.
•
Javascript—The default scripting language is JavaScript.
•
Visual Basic Script—The default scripting language is Visual Basic.
Exclude Iframes From
Delta Optimization
Check the check box to indicate that delta optimization is not to be applied to IFrames (inline
frames). Clear the check box to indicate that delta optimization is to be applied to IFrames.
Exclude Non-ASCII
Data From Delta
Optimization
Check the check box to indicate that delta optimization is not to be applied to non-ASCII data.
Clear the check box to indicate that delta optimization is to be applied to non-ASCII data.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-13
Chapter 8
Configuring Parameter Maps
Configuring Optimization Parameter Maps
Table 8-5
Optimization Parameter Map Attributes (continued)
Field
Description
Exclude JavaScripts
From Delta
Optimization
Check the check box to indicate that delta optimization is not to be applied to JavaScript. Clear
the check box to indicate that delta optimization is to be applied to JavaScript.
MIME Types To
Exclude From Delta
Optimization
1.
In the first field, enter a comma-separated list of the MIME (Multipurpose Internet Mail
Extension) type messages that are not to have delta optimization applied, such as image/Jpeg,
text/html, application/msword, or audio/mpeg. See Supported MIME Types, page 8-25 for a
list of supported MIME types.
2.
Click Add to add the entry to the list box on the right. You can position the entries in the list
box by using the Up and Down buttons.
Remove HTML META
Elements From
Documents
Check the check box to indicate that HTML META elements are to be removed from documents
to prevent them from being condensed. Clear the check box to indicate that HTML META
elements are not to be removed from documents.
Set Flash Forward
Refresh Policy
Select the method the ACE is to use to refresh stale embedded objects:
•
N/A—This option is not configured.
•
Allow Flash Forward To Indirect Refresh Of Objects—The ACE is to use FlashForward to
indirectly refresh embedded objects.
•
Bypass Flash Forward To Direct Refresh Of Objects—The ACE is to bypass FlashForward for
stale embedded objects so that they are refreshed directly.
Rebase Delta
Enter the delta threshold, expressed as a percent, when rebasing is to be triggered. This entry
Optimization Threshold represents the size of a page delta relative to total page size, expressed as a percent. This entry
(%)
triggers rebasing when the delta response size exceeds the threshold as a percentage of base file
size.
Valid entries are 0 to 10000 percent.
Rebase Flash Forward
Threshold (%)
Enter the threshold, expressed as a percent, when rebasing is to be triggered based on the percent
of FlashForwarded URLs in the response. This entry triggers rebasing when the difference
between the percentages of FlashForwarded URLs in the delta response and the base file exceeds
the threshold.
Valid entries are 0 to 10000 percent.
Rebase History Size
(Pages)
Enter the number of pages to be stored before the ACE resets all rebase control parameters to zero
and starts over. This option prevents the base file from becoming too rigid.
Valid entries are 10 to 2147483647.
Rebase Modify
Cool-Off Period
(Seconds)
Enter the number of seconds after the last modification before performing a rebase.
Rebase Reset Period
(Seconds)
Enter the period of time, in seconds, for performing a meta data refresh.
Valid entries are 1 to 14400 seconds (4 hours).
Valid entries are 1 to 900 seconds (15 minutes).
Override Client Request Indicate how the ACE is to handle client request headers (primarily for embedded objects):
Headers
• N/A—This feature is not enabled.
•
All Cache Request Headers Are Ignored—The ACE is to ignore all cache request headers.
•
Overrides The Cache Control: No Cache HTTP Header From A Request—The ACE is to
ignore cache control request headers that state no cache.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-14
OL-26645-01
Chapter 8
Configuring Parameter Maps
Configuring Optimization Parameter Maps
Table 8-5
Optimization Parameter Map Attributes (continued)
Field
Description
Override Server
Response Headers
Indicate how the ACE is to handle origin server response headers (primarily for embedded
objects):
UTF-8 Character Set
Threshold
•
N/A—This feature is not enabled.
•
All Cache Request Headers Are Ignored—The ACE is to ignore all response headers.
•
Overrides The Cache Control: Private HTTP Header From A Response—The ACE is to ignore
cache control response headers that state private.
The UTF-8 (8-bit Unicode Transformation Format) character set is an international standard that
allows Web pages to display non-ASCII or non-English multibyte characters. It can represent any
universal character in the Unicode standard and is backwards compatible with ASCII.
Enter the number of UTF-8 characters that need to appear on a page to constitute a UTF-8
character set page. Valid entries are integers from 1 to 1,000,000.
Server Load Threshold
Trigger (%)
The server load threshold trigger indicates that the time-to-live (TTL) period for cached objects is
to be based dynamically on server load. With this method, TTL periods increase if the current
response time from the origin sever is greater than the average response time and decrease if the
current response time from the origin server is less than the average response time when the
difference in response times exceeds a specified threshold amount.
Enter the threshold, expressed as a percent, at which the TTL for cached objects is to be changed.
Valid entries are from 0 to 100 percent.
Server Load
Time-To-Live Change
(%)
This option specifies the percentage by which the cache TTL is increased or decreased in response
to a change in server load. For example, if this value is set to 20 and the current TTL for a response
is 300 seconds. and if the current server response times exceeds the trigger threshold, the cache
TTL for the response is raised to 360 seconds.
Enter the percent by which the cache TTL is to be increased or decreased when the server load
threshold trigger is met.
Valid entries are from 0 to 100 percent.
Delta Optimization
Mode
String To Be Used For
Server HTTP Header
Select the method by which delta optimization is to be implemented:
•
N/A—This option is not configured.
•
Enable The All-User Mode For Delta Optimization—The ACE is to generate the delta against
a single base file that is shared by all users of the URL. This option is usable in most cases if
the structure of a page is common across all users, and the disk space overhead is minimal.
•
Enable The Per-User Mode For Delta Optimization—The ACE is to generate the delta against
a base file that is created specifically for that user. This option is useful when page contents,
including layout elements, are different for each user, and delivers the highest level of
condensation. However, this increases disk space requirements because a copy of the base
page that is delivered to each user is cached. This option is useful when privacy is required
because base pages are not shared among users.
Use this option to define a string that is to be sent in the server header for an HTTP response. This
option provides you with a method for uniquely tagging the context or URL match statement by
setting the server header value to a particular string. The server header string can be used when a
particular URL is not being transmitted to the correct target context or match statement.
Enter the string that is to appear in the server header. Valid entries are quoted text strings with a
maximum of 64 alphanumeric characters.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-15
Chapter 8
Configuring Parameter Maps
Configuring Optimization Parameter Maps
Table 8-6 lists the parameter expander functions that you can use.
Table 8-6
Parameter Expander Functions
Variable
Description
$(number)
Expands to the corresponding matching subexpression (by number)
in the URL pattern. Subexpressions are marked in a URL pattern
using parentheses (). The numbering of the subexpressions begins
with 1 and is the number of the left-parenthesis “(“ counting from
the left. You can specify any positive integer for the number. $(0)
matches the entire URL. For example, if the URL pattern is
((http://server/.*)/(.*)/)a.jsp, and the URL that matches it is
http://server/main/sub/a.jsp?category=shoes&session=99999, then
the following are correct:
$(0) = http://server/main/sub/a.jsp
$(1) = http://server/main/sub/
$(2) = http://server/main
$(3) = sub
If the specified subexpression does not exist in the URL pattern,
then the variable expands to the empty string.
$http_query_string()
Expands to the value of the whole query string in the URL. For
example, if the URL is
http://myhost/dothis?param1=value1&param2=value2, then the
following is correct:
$http_query_string() = param1=value1&param2=value2
This function applies to both GET and POST requests.
$http_query_param(query-param-name)
Expands to the value of the named query parameter (case-sensitive).
The obsolete syntax is also supported:
For example, if the URL is
http://server/main/sub/a.jsp?category=shoes&session=99999, then
the following are correct:
$param(query-param-name)
$http_query_param(category) = shoes
$http_query_param(session) = 99999
If the specified parameter does not exist in the query, then the
variable expands to the empty string. This function applies to both
GET and POST requests.
$http_cookie(cookie-name)
Evaluates to the value of the named cookie. For example,
$http_cookie(cookiexyz). The cookie name is case-sensitive.
$http_header(request-header-name)
Evaluates to the value of the specified HTTP request header. In the
case of multivalued headers, it is the single representation as
specified in the HTTP specification. For example,
$http_header(user-agent). The HTTP header name is not
case-sensitive.
$http_method()
Evaluates to the HTTP method used for the request, such as GET or
POST.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-16
OL-26645-01
Chapter 8
Configuring Parameter Maps
Configuring Generic Parameter Maps
Table 8-6
Parameter Expander Functions (continued)
Variable
Description
Boolean Functions:
Evaluates to a Boolean value: True or False, depending on the
presence or absence of the element in the request. The elements are
a specific query parameter (query-param-name), a specific cookie
(cookie-name), a specific request header (request-header-name), or
a specific HTTP method (method-name). All identifiers are
case-sensitive except for the HTTP request header name.
$http_query_param_present(query-param-name)
$http_query_param_notpresent(query-param-name)
$http_cookie_present(cookie-name)
$http_cookie_notpresent(cookie-name)
$http_header_present(request-header-name)
$http_header_notpresent(request-header-name)
$http_method_present(method-name)
$http_method_notpresent(method-name)
$regex_match(param1, param2)
Evaluates to a Boolean value: True if the two parameters match and
False if they do not match. The two parameters can be any two
expressions, including regular expressions, that evaluate to two
strings. For example, this function:
$regex_match($http_query_param(URL), .*Store\.asp.*)
compares the query URL with the regular expression string
.*Store\.asp.*
If the URL matches this regular expression, this function evaluates
to True.
Step 5
Do the following:
•
Click Deploy Now to save your entries. The ACE appliance validates the parameter map
configuration and deploys it.
•
Click Cancel to exit this procedure without accepting your entries and to return to the Parameter
Maps table.
•
Click Next to accept your entries and to add another parameter map.
Related Topics
•
Configuring Parameter Maps, page 8-1
•
Configuring Traffic Policies, page 12-1
•
Configuring Virtual Contexts, page 4-1
Configuring Generic Parameter Maps
Generic parameter maps allow you to specify nonprotocol-specific behavior for data parsing. Generic
parameter maps examine the payload and make decisions regardless of the protocol.
Use this procedure to configure a generic parameter map.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-17
Chapter 8
Configuring Parameter Maps
Configuring Generic Parameter Maps
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Parameter Maps > Generic
Parameter Maps. The Generic Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, and then click Edit to
modify it. The Generic Parameter Maps configuration screen appears.
Step 3
Configure the parameter map using the information in Table 8-7.
Table 8-7
Generic Parameter Map Attributes
Field
Description
Parameter Name
Enter a unique name for the parameter map. Valid entries are unquoted text strings with no
spaces and a maximum of 64 alphanumeric characters.
Description
Brief description of the parameter map. Enter a text string with a maximum of
240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Double quotes must be entered as matching pairs.
Case-Insensitive
Check this check box to indicate that the ACE is to be case insensitive for this parameter map.
Clear this check box to indicate that the ACE is to be case sensitive for this parameter map.
Max. Parse Length (Bytes)
Enter the number of bytes to parse for the total length of all generic headers. Valid entries are
integers from 1 to 65535 with a default of 2048 bytes.
Step 4
Do the following:
•
Click Deploy Now to deploy this configuration.
•
Click Cancel to exit this procedure without saving your entries and to return to the Generic
Parameter Maps table.
•
Click Next to deploy your entries and to configure another generic parameter map.
Related Topics
•
Configuring Parameter Maps, page 8-1
•
Configuring Traffic Policies, page 12-1
•
Configuring Virtual Contexts, page 4-1
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-18
OL-26645-01
Chapter 8
Configuring Parameter Maps
Configuring RTSP Parameter Maps
Configuring RTSP Parameter Maps
RTSP parameter maps allow you to configure advanced RTSP behavior for server load-balancing
connections.
Use this procedure to configure an RTSP parameter map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > RTSP
Parameter Maps. The RTSP Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, and then click Edit to
modify it. The RTSP Parameter Maps configuration screen appears.
Step 3
Configure the parameter map using the information in Table 8-8.
Table 8-8
RTSP Parameter Map Attributes
Field
Description
Parameter Name
Enter a unique name for the parameter map. Valid entries are unquoted text strings with no
spaces and a maximum of 64 alphanumeric characters.
Description
Brief description of the parameter map. Enter a text string with a maximum of
240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Double quotes must be entered as matching pairs.
Case-Insensitive
Check this check box to indicate that the ACE is to be case insensitive. Clear this check box
to indicate that the ACE is to be case sensitive.
Header Max. Parse Length
(Bytes)
Enter the number of bytes to parse for the total length of RTSP headers. Valid entries are
integers from 1 to 65535 with a default of 2048 bytes.
Step 4
Do the following:
•
Click Deploy Now to deploy this configuration.
•
Click Cancel to exit this procedure without saving your entries and to return to the RTSP Parameter
Maps table.
•
Click Next to deploy your entries and to configure another RTSP parameter map.
Related Topics
•
Configuring Parameter Maps, page 8-1
•
Configuring Traffic Policies, page 12-1
•
Configuring Virtual Contexts, page 4-1
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-19
Chapter 8
Configuring Parameter Maps
Configuring SIP Parameter Maps
Configuring SIP Parameter Maps
SIP parameter maps allow you to configure SIP deep-packet inspection policy maps on the ACE.
Use this procedure to configure a SIP parameter map.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Load Balancing > Parameter Maps > SIP Parameter
Maps. The SIP Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, and then click Edit to
modify it. The SIP Parameter Maps configuration screen appears.
Step 3
Configure the parameter map using the information in Table 8-9.
Table 8-9
SIP Parameter Map Attributes
Field
Description
Parameter Name
Enter a unique name for the parameter map. Valid entries are unquoted text strings with no
spaces and a maximum of 64 alphanumeric characters.
Description
Brief description of the parameter map. Enter a text string with a maximum of
240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Double quotes must be entered as matching pairs.
Instant Messaging
Check the check box to enable instant messaging (IM) over SIP after it has been disabled.
Clear this check box to disable this feature.
Logging All
Check the check box to enable the logging of all received and transmitted packets in the
system log (syslog). By default, the ACE disables the logging of these packets, however
allows the logging of dropped SIP packets in the syslog.
The ACE allows all headers sent in the SIP packet, including proprietary headers. In the event
of a failover for SIP sessions over UDP, the ACE continues to process SIP packets for
established SIP sessions.
Clear this check box to disable this feature.
Max. Forward Validation
This option allows you to configure the ACE to validate the value of the Max-Forward header
field.
Specify how the ACE is to handle the validation of Max-Forward header fields:
Log Max. Forward
Validation Event
•
N/A—The ACE is not to validate Max-Forward header fields.
•
Drop—The ACE is to drop the SIP message if it does not pass Max-Forward header
validation.
•
Reset—The ACE is to reset the SIP connection if it does not pass Max-Forward header
validation.
Check the check box to indicate that the ACE is to log Max-Forward validation events.
Clear the check box to disable this feature.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-20
OL-26645-01
Chapter 8
Configuring Parameter Maps
Configuring SIP Parameter Maps
Table 8-9
SIP Parameter Map Attributes (continued)
Field
Description
Mask UA Software Version
If the software version of a user agent is exposed, that user agent might be vulnerable to
attacks from hackers who exploit the security holes present in that particular software version.
This option allows you to mask or log the user agent software version so that it is not exposed.
Check the check box to indicate that the ACE is to mask the user agent software version.
Clear the check box to disable this feature.
Log UA Software Version
Check the check box to indicate that the ACE is to log the user agent software version.
Clear the check box to disable this feature.
Strict Header Validation
You can ensure the validity of SIP packet headers by configuring the ACE to check for the
presence of the following mandatory SIP header fields:
•
From
•
To
•
Call-ID
•
CSeq
•
Via
•
Max-Forwards
If one of the header fields is missing in a SIP packet, the ACE considers that packet invalid.
The ACE also checks for forbidden header fields, according to RFC 3261.
Specify how the ACE is to handle header validation.
•
N/A—The ACE is not to perform header validation.
•
Drop—The ACE is to drop the SIP message if the SIP packet does not pass header
validation.
•
Reset—The ACE is to reset the connection if the SIP packet does not pass header
validation.
Log Strict Header Validation Check the check box to indicate that the ACE is to log header validation events.
Clear the check box to disable this feature.
Mask Non SIP URI
This option and the next enable the detection of non-SIP URIs in SIP messages.
Check the check box to indicate that the ACE is to mask non-SIP URIs in SIP messages.
Clear the check box to disable this feature.
Log Non SIP URI
Check the check box to indicate that the ACE is to log non-SIP URIs in SIP messages.
Clear the check box to disable this feature.
SIP Media Pinhole Timeout Specify the timeout period for SIP media pinhole (secure port) connections in seconds. Valid
(Seconds)
entries are integers from 1 to 65535 seconds. The default is 5 seconds.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-21
Chapter 8
Configuring Parameter Maps
Configuring Skinny Parameter Maps
Step 4
Do the following:
•
Click Deploy Now to deploy this configuration.
•
Click Cancel to exit this procedure without saving your entries and to return to the SIP Parameter
Maps table.
•
Click Next to deploy your entries and to configure another SIP parameter map.
Related Topics
•
Configuring Parameter Maps, page 8-1
•
Configuring Traffic Policies, page 12-1
•
Configuring Virtual Contexts, page 4-1
Configuring Skinny Parameter Maps
Skinny Client Control Protocol (SCCP or Skinny) parameter maps allow you to configure SCCP packet
inspection on the ACE.
Use this procedure to configure a Skinny parameter map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > Skinny
Parameter Maps. The Skinny Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, and then click Edit to
modify it. The Skinny Parameter Maps configuration screen appears.
Step 3
Configure the parameter map using the information in Table 8-10.
Table 8-10
Skinny Parameter Map Attributes
Field
Description
Parameter Name
Enter a unique name for the parameter map. Valid entries are unquoted text strings with no
spaces and a maximum of 64 alphanumeric characters.
Description
Brief description of the parameter map. Enter a text string with a maximum of
240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Double quotes must be entered as matching pairs.
Enforce Registration
You can configure the ACE to allow only registered Skinny clients to make calls. To
accomplish this task, the ACE maintains the state of each Skinny client. After a client registers
with CCM, the ACE opens a secure port (pinhole) to allow that client to make a call.
Check the check box to enable Skinny registration enforcement.
Clear the check box to disable this feature.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-22
OL-26645-01
Chapter 8
Configuring Parameter Maps
Configuring DNS Parameter Maps
Table 8-10
Skinny Parameter Map Attributes (continued)
Field
Description
Message Id Max.
Enter the largest value for the station message ID in hexadecimal that the ACE is to accept.
Valid entries are hexadecimal values from 0x0 to 0x4000. The default value is 0x181.
Note
The Message Id Max. hexadecimal value should always start with 0x or 0X.
If a packet arrives with a station message ID greater than the specified value, the ACE drops
the packet and generates a syslog message.
Min. SCCP Prefix Length
(Bytes)
By default, the ACE drops SCCP messages that have an SCCP Prefix length that is less than
the message ID. The ACE drops Skinny message packets that fail this check and generates a
syslog message.
Enter the minimum SCCP prefix length in bytes. Valid entries are integers from 4 to 4000
bytes.
Max. SCCP Prefix Length
(Bytes)
This feature allows you to configure the ACE so that it checks the maximum SCCP prefix
length. The ACE drops Skinny message packets that fail this check and generates a syslog
message.
Enter the maximum SCCP prefix length in bytes. Valid entries are integers from 4 to 4000
bytes.
Step 4
Do the following:
•
Click Deploy Now to deploy this configuration.
•
Click Cancel to exit this procedure without saving your entries and to return to the Skinny
Parameter Maps table.
•
Click Next to deploy your entries and to configure another Skinny parameter map.
Related Topics
•
Configuring Parameter Maps, page 8-1
•
Configuring Traffic Policies, page 12-1
•
Configuring Virtual Contexts, page 4-1
Configuring DNS Parameter Maps
Domain Name System (DNS) parameter maps allow you to configure DNS actions for DNS packet
inspection.
Use this procedure to configure a DNS parameter map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > DNS Parameter
Maps. The DNS Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, and then click Edit to
modify it. The DNS Parameter Maps configuration screen appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-23
Chapter 8
Configuring Parameter Maps
Configuring RDP Parameter Maps
Step 3
Table 8-11
Configure the parameter map using the information in Table 8-11.
DNS Parameter Map Attributes
Field
Description
Parameter Name
Enter a unique name for the parameter map. Valid entries are unquoted text strings with no
spaces and a maximum of 64 alphanumeric characters.
Description
Brief description of the parameter map. Enter a text string with a maximum of
240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Double quotes must be entered as matching pairs.
Timeout (Seconds)
Configure the ACE to time out DNS queries that have no matching server response. Specify
the length of time in seconds that the ACE keeps the query entries without answers in the hash
table before timing them out. Enter an integer from 2 to 120 seconds. The default is 10
seconds.
Step 4
Do the following:
•
Click Deploy Now to deploy this configuration.
•
Click Cancel to exit this procedure without saving your entries and to return to the DNS Parameter
Maps table.
•
Click Next to deploy your entries and to configure another DNS parameter map.
Related Topics
•
Configuring Parameter Maps, page 8-1
•
Configuring Traffic Policies, page 12-1
•
Configuring Virtual Contexts, page 4-1
Configuring RDP Parameter Maps
Remote Desktop Protocol (RDP) parameter maps configure routing-token-rebalance in which the ACE
redirects connections that contain RDP packets to another server when the real server that matches the
routing token information in the client request is down.
Use this procedure to configure a RDP parameter map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > RDP Parameter
Maps. The RDP Parameter Maps table appears.
Step 2
From the RDP Parameter Maps table, click Add to add a new parameter map, or select an existing
parameter map, and then click Edit to modify it. The New Parameter Map configuration table appears.
Step 3
From the New Parameter Map table, configure the parameter map using the information in Table 8-11.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-24
OL-26645-01
Chapter 8
Configuring Parameter Maps
Supported MIME Types
Table 8-12
RDP Parameter Map Attributes
Field
Description
Parameter Name
Enter a unique name for the parameter map. Valid entries are unquoted text strings with no
spaces and a maximum of 64 alphanumeric characters.
Description
Brief description of the parameter map. Enter a text string with a maximum of
240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Double quotes must be entered as matching pairs.
Routing Token Rebalance
Check this check box to enable routing-token-rebalance.
Uncheck this check box to disable routing-token-rebalance and have the ACE drop the RDP
packets when the real server that matches the routing token information is down.
Step 4
Do the following:
•
Click Deploy Now to deploy this configuration.
•
Click Cancel to exit this procedure without saving your entries and to return to the RDP Parameter
Maps table.
•
Click Next to deploy your entries and to configure another RDP parameter map.
Related Topics
•
Configuring Parameter Maps, page 8-1
•
Configuring Traffic Policies, page 12-1
•
Configuring Virtual Contexts, page 4-1
Supported MIME Types
The ACE appliance supports following MIME types:
•
application/msexcel
•
application/mspowerpoint
•
application/msword
•
application/octet-stream
•
application/pdf
•
application/postscript
•
application/\x-gzip
•
application/\x-java-archive
•
application/\x-java-vm
•
application/\x-messenger
•
application/\zip
•
audio/*
•
audio/basic
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-25
Chapter 8
Configuring Parameter Maps
Supported MIME Types
•
audio/midi
•
audio/mpeg
•
audio/x-adpcm
•
audio/x-aiff
•
audio/x-ogg
•
audio/x-wav
•
image/*
•
image/gif
•
image/jpeg
•
image/png
•
image/tiff
•
image/x-3ds
•
image/x-bitmap
•
image/x-niff
•
image/x-portable-bitmap
•
image/x-portable-greymap
•
image/x-xpm
•
text/*
•
text/css
•
text/html
•
text/plain
•
text/richtext
•
text/sgml
•
text/xmcd
•
text/xml
•
video/*
•
video/flc
•
video/mpeg
•
video/quicktime
•
video/sgi
•
video/x-fli
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-26
OL-26645-01
Chapter 8
Configuring Parameter Maps
Supported MIME Types
Viewing All Parameter Maps by Context
Use this procedure to view all parameter maps associated with a virtual context.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the virtual context with the parameter maps you want to view, and then select Load Balancing >
Parameter Maps. The Parameter Maps table appears listing each parameter map and its type.
Related Topics
•
Configuring Parameter Maps, page 8-1
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-01
8-27
Chapter 8
Configuring Parameter Maps
Supported MIME Types
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
8-28
OL-26645-01
C H A P T E R
9
Configuring SSL
Note
The information in this chapter does not apply to the ACE NPE software version in which payload
encryption protocols are removed (see the “Information About the ACE No Payload Encryption
Software Version” section on page 1-2).
This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets
Layer (SSL) server for SSL initiation or termination.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
The chapter contains the following section:
•
SSL Overview, page 9-2
•
SSL Configuration Prerequisites, page 9-3
•
Summary of SSL Configuration Steps, page 9-4
•
SSL Setup Sequence, page 9-5
•
Using SSL Certificates, page 9-6
•
Using SSL Keys, page 9-11
•
Configuring SSL Parameter Maps, page 9-19
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring SSL CSR Parameters, page 9-26
•
Generating CSRs, page 9-27
•
Configuring SSL Proxy Service, page 9-28
•
Configuring SSL OCSP Service, page 9-30
•
Enabling Client Authentication, page 9-31
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-1
Chapter 9
Configuring SSL
SSL Overview
SSL Overview
SSL is an application-level protocol that provides encryption technology for the Internet, ensuring
secure transactions such as the transmission of credit card numbers for e-commerce Web sites. SSL
initiation occurs when the ACE appliance acts as a client and initiates the SSL session between it and
the SSL server. SSL termination occurs when the ACE, acting as an SSL server, terminates an SSL
connection from a client and then establishes a TCP connection to an HTTP server.
SSL provides the secure transaction of data between a client and a server through a combination of
privacy, authentication, and data integrity. SSL relies upon certificates and private-public key exchange
pairs for this level of security.
Figure 9-1 shows the following network connections in which the ACE terminates the SSL connection
with the client:
•
Client to ACE—SSL connection between a client and the ACE acting as an SSL proxy server
•
ACE to Server—TCP connection between the ACE and the HTTP server
Client
SSL Termination with Client
Front-end
Back-end
Ciphertext
Clear Text
SSL Termination
(ACE as Server)
Server
153357
Figure 9-1
The ACE uses parameter maps, SSL proxy services, and class maps to build the policy maps that
determine the flow of information between the client, the ACE, and the server. SSL termination is a
Layer 3 and Layer 4 application because it is based on the destination IP addresses of the inbound traffic
flow from the client. For this type of application, you create a Layer 3 and Layer 4 policy map that the
ACE applies to the inbound traffic.
If you have a need to delete any of the SSL objects (auth groups, chain groups, parameter maps, keys,
CRLs, or certificates), you must remove the dependency from within the proxy service first before
removing the SSL object.
Before configuring the ACE for SSL, see SSL Configuration Prerequisites, page 9-3.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-2
OL-26645-02
Chapter 9
Configuring SSL
SSL Configuration Prerequisites
SSL Configuration Prerequisites
Before configuring your ACE for SSL operation, you must first ensure:
•
Your ACE hardware is configured for server load balancing (SLB).
Note
During the real server and server farm configuration process, when you associate a real server
with a server farm, ensure that you assign an appropriate port number for the real server. The
default behavior by the ACE is to automatically assign the same destination port that was used
by the inbound connection to the outbound server connection if you do not specify a port.
•
Your policy map is configured to define the SSL session parameters and client/server authentication
tools, such as the certificate and RSA key pair.
•
Your class map is associated with the policy map to define the virtual SSL server IP address that the
destination IP address of the inbound traffic must match.
•
You must import a digital certificate and its corresponding public and private key pair to the desired
ACE context.
•
At least one SSL certificate is available.
•
If you do not have a certificate and corresponding key pair, you can generate an RSA key pair and
a certificate signing request (CSR). Create a CSR when you need to apply for a certificate from a
certificate authority (CA). The CA signs the CSR and returns the authorized digital certificate to
you.
RBAC User Role Requirements for SSL Configurations
For all SSL-related configurations on the ACE, a user with a custom role should include the following
two rules as part of the assigned role:
•
A rule that includes the SSL feature.
•
A rule that includes the PKI feature.
For details on user roles and rules, see the “Creating User Roles” section in Chapter 15, “Managing the
ACE Appliance.”
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-3
Chapter 9
Configuring SSL
Summary of SSL Configuration Steps
Summary of SSL Configuration Steps
Table 9-1 describes the steps for using SSL keys and certificates.
Table 9-1
Step 1
SSL Key and Certificate Procedure Overview
Task
Description
Create an SSL
parameter map.
Create an SSL parameter map to specify the options that apply to
SSL sessions such as the method to be used to close SSL
connections, the cipher suite, and version of SSL or TLS.
See Configuring SSL Parameter Maps, page 9-19.
Step 2
Create an SSL key pair
file.
Create an SSL RSA key pair file to generate a CSR, create a digital
signature, and encrypt packet data during the SSL handshake with
an SSL peer.
See Generating SSL Key Pairs, page 9-15.
Step 3
Configure CSR
parameters.
Set CSR parameters to define the distinguished name attributes of a
CSR.
See Configuring SSL CSR Parameters, page 9-26.
Step 4
Create a CSR.
Create a CSR to submit with the key pair file when you apply for an
SSL certificate.
See Generating CSRs, page 9-27.
Step 5
Copy and paste the CSR Using the SSL key pair and CSR, apply for an approved certificate
from a Certificate Authority.
into the Certificate
Authority (CA)
Use the method specified by the CA for submitting your request.
Web-based application
or e-mail the CSR to the
CA.
Step 6
When you receive the approved certificate, save it in the format in
Save the approved
certificate from the CA which it was received on a network server accessible via FTP, SFTP,
in its received format on or TFTP.
an FTP, SFTP, or TFTP
server.
Step 7
Import the approved
certificate and key pair
into the desired virtual
context.
Import the approved certificate and the associated SSL key pair into
the appropriate context using ACE Appliance Device Manager.
See the following topics:
•
Importing SSL Certificates, page 9-8
•
Importing SSL Key Pairs, page 9-12
Step 8
Confirm that the public
key in the key pair file
matches the public key
in the certificate file.
Examine the contents of the files to confirm that the key pair
information is the same in both the key pair file and the certificate
file.
Step 9
Configure the virtual
context for SSL.
See Configuring Traffic Policies, page 12-1.
Step 10
Configure auth group.
Create a group of certificates that are trusted as certificate signers
by creating an authentication group. See Configuring SSL
Authentication Groups, page 9-32.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-4
OL-26645-02
Chapter 9
Configuring SSL
SSL Setup Sequence
Table 9-1
SSL Key and Certificate Procedure Overview (continued)
Task
Description
Step 11
Configure CRL.
See Configuring CRLs for Client Authentication, page 9-33.
Step 12
Configure an SSL
OCSP service
See Configuring SSL OCSP Service, page 9-30.
For more information about using SSL with ACE appliances, see the SSL Guide, Cisco ACE Application
Control Engine.
To configure ACE appliances for SSL, see the following topics:
•
Importing SSL Certificates, page 9-8
•
Importing SSL Key Pairs, page 9-12
•
Configuring SSL Parameter Maps, page 9-19
•
Configuring SSL CSR Parameters, page 9-26
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring SSL Proxy Service, page 9-28
•
Configuring SSL OCSP Service, page 9-30
SSL Setup Sequence
The SSL setup sequence provides detailed instructions with illustrations for configuring SSL using the
ACE Appliance Device Manager (Figure 9-2). The purpose of this option is to provide a visual guide for
performing typical SSL operations, such as SSL CSR generation, SSL proxy creation, and so on. This
option does not replace any existing SSL functions or configuration screens already present in ACE
Appliance Device Manager. It is only intended as an additional guide for anyone unfamiliar or unclear
with the SSL operations that need to be performed on the ACE. From the SSL setup sequence, you are
allowed to configure all SSL operations, without duplicating the edit/delete/table/view operations that
the other SSL configuration screens provide.
The purpose of this option is to provide details about typical SSL flows and the operations involved in
performing typical SSL operations, including the following:
Note
•
SSL import/create keys
•
SSL import certificates
•
SSL CSR generation
•
SSL proxy creation
The SSL Setup Sequence in the ACE Device Manager uses the terms SSL Policies and SSL Proxy Service
interchangeably.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-5
Chapter 9
Configuring SSL
Using SSL Certificates
For more information on SSL configuration features, see Summary of SSL Configuration Steps.
Figure 9-2
SSL Setup Sequence
Related Topics
•
Configuring SSL, page 9-1
•
Importing SSL Certificates, page 9-8
•
Importing SSL Key Pairs, page 9-12
•
Configuring SSL Parameter Maps, page 9-19
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring SSL Proxy Service, page 9-28
Using SSL Certificates
You can display a list of the certificates and their matching key pairs that are installed on the ACE for a
context by choosing Config > Virtual Contexts > context > Certificates. The Certificates window
appears, displaying the list of installed certificates.
Digital certificates and key pairs are a form of digital identification for user authentication. Certificate
Authorities issue certificates that attest to the validity of the public keys they contain. A client or server
certificate includes the following identification attributes:
•
Name of the Certificate Authority and Certificate Authority digital signature
•
Name of the client or server (the certificate subject) that the certificate authenticates
•
Issuer
•
Serial number
•
Subject’s matching public key of the certificate
•
Time stamps that indicate the certificate's start date and expiration date
•
CA certificate
A Certificate Authority has one or more signing certificates that it uses for creating SSL certificates and
certificate revocation lists (CRL). Each signing certificate has a matching private key that is used to
create the Certificate Authority signature. The Certificate Authority makes the signing certificates (with
the public key embedded) available to the public, enabling anyone to access and use the signing
certificates to verify that an SSL certificate or CRL was actually signed by a specific Certificate
Authority.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-6
OL-26645-02
Chapter 9
Configuring SSL
Using SSL Certificates
Note
The ACE supports the creation of a maximum of eight CRLs for any context.
ACE appliances require certificates and corresponding key pairs for:
•
SSL termination—The ACE appliance acts as an SSL proxy server and terminates the SSL session
between it and the client. For SSL termination, you must obtain a server certificate and
corresponding key pair.
•
SSL initiation—The ACE appliance acts as a client and initiates the SSL session between it and the
SSL server. For SSL initiation, you must obtain a client certificate and corresponding key pair.
The Matching Key column in the Certificates window (Config > Virtual Contexts > context >
Certificates) displays the name of a key pair that ACE Appliance Device Manager was able to match up
with certificate. If ACE Appliance Device Manager cannot detect a matching key pair for a certificate,
it leaves the Matching Key table cell blank. If the number of unmatched certificates and key pairs
exceeds 50, then ACE Appliance Device Manager leaves the entire Matching Key column blank, even
when matching certificates and key pairs exist for the context. When this condition occurs, you can
verify that a certificate and key pair match by using the SSL Setup Sequence feature.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Setup Sequence.
The Setup Sequence window appears.
Step 2
In the Setup Sequence window, click Configure SSL Polices.
The Configure SSL Policies window appears.
Step 3
From the Certificate drop-down list in the Configure SSL Policies - Basic Settings section, choose a
certificate.
Step 4
From the Keys drop-down list in the Configure SSL Policies - Basic Settings section, choose a key pair.
Step 5
Click Verify Key.
ACE Appliance Device Manager checks to see if the selected certificate and key pair match. A popup
window appears to indicate if the two items match.
Note
The ACE includes a preinstalled sample certificate and corresponding key pair. The certificate is for
demonstration purposes only and does not have a valid domain. It is a self-signed certificate with basic
extensions named cisco-sample-cert. The key pair is an RSA 1024-bit key pair named cisco-sample-key.
You can display the sample certificate and corresponding key pair files as follows:
•
To display the cisco-sample-cert file, choose Config > Virtual
Contexts > context > SSL > Certificates.
•
To display the cisco-sample-key file, choose Config > Virtual Contexts > context > SSL > Keys.
You can add these files to an SSL-proxy service (see the “Configuring SSL Proxy Service” section on
page 9-28) and are available for use in any context with the filenames remaining the same in each
context.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-7
Chapter 9
Configuring SSL
Importing SSL Certificates
The ACE allows you to export these files but does not allow you to import any files with these names.
When you upgrade the ACE software, these files are overwritten with the files provided in the upgrade
image. You cannot use the crypto delete CLI command to delete these files unless you downgrade the
ACE software because a software downgrade preserves these files as if they were user-installed SSL
files.
Related Topics
•
Configuring SSL, page 9-1
•
Exporting SSL Certificates, page 9-16
•
Importing SSL Certificates, page 9-8
•
Using SSL Keys, page 9-11
•
Importing SSL Key Pairs, page 9-12
•
Configuring SSL CSR Parameters, page 9-26
•
Generating CSRs, page 9-27
Importing SSL Certificates
Use this procedure to import SSL certificates.
Note
The ACE supports a maximum of 4,096 certificates.
Assumptions
•
You have configured an ACE appliance for server load balancing. (See Load Balancing Overview,
page 5-1.)
•
You have obtained an SSL certificate from a certificate authority (CA) and have placed it on a
network server accessible by the ACE appliance.
•
This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the
ssh key rsa 1024 force command is applied on the appliance.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Certificates. The Certificates table appears,
listing any valid SSL certificates.
The cisco-sample-cert certificate is included in the list. For information on this sample certificate, see
the “Using SSL Certificates” section on page 9-6.
Step 2
Click Import. The Import dialog box appears.
To import multiple SSL certificates, click Bulk Import. The Bulk Import dialog box appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-8
OL-26645-02
Chapter 9
Configuring SSL
Importing SSL Certificates
Note
Step 3
SSL bulk import can take longer based on the number of SSL certificates being imported. It will
progress to completion on the ACE. To see the imported certificates in the ACE Device
Manager, perform a CLI synchronization for this context once the SSL bulk import has
completed. For information on synchronizing contexts, see the “Synchronizing Virtual Context
Configurations” section on page 4-79.
Enter the applicable information:
•
For the Import dialog box, see Table 9-2.
•
For the Bulk Import dialog box, see Table 9-3.
Table 9-2
SSL Certificate Management Import Attributes
Field
Description
Protocol
Specify the method to be used for accessing the network server:
IP Address
•
FTP—Indicates that FTP is to be used to access the network server when
importing the SSL certificate.
•
SFTP—Indicates that SFTP is to be used to access the network server
when importing the SSL certificate.
•
TFTP—Indicates that TFTP is to be used to access the network server
when importing the SSL certificate.
•
TERMINAL—Indicates that you will import the file using cut and paste
by pasting the certificate information to the terminal display. You can
only use the terminal method to display PEM files, which are in ASCII
format.
This field appears for FTP, TFTP, and SFTP.
Enter the IPv4 address of the remote server on which the SSL certificate file
resides.
Remote File Name
This field appears for FTP, TFTP, and SFTP.
Enter the directory and filename of the certificate file on the network server.
Local File Name
Enter the filename to be used for the SSL certificate file when it is imported
to the ACE appliance.
User Name
This field appears for FTP and SFTP.
Enter the name of the user account on the network server.
Password
This field appears for FTP and SFTP.
Enter the password for the user account on the network server.
Confirm
This field appears for FTP and SFTP.
Reenter the password.
Passphrase
This field appears for FTP, TFTP, SFTP, and TERMINAL.
Enter the passphrase that was created with the file. Without this phrase, you
cannot use the file. Passphrases are used only with encrypted PEM and
PKCS files.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-9
Chapter 9
Configuring SSL
Importing SSL Certificates
Table 9-2
SSL Certificate Management Import Attributes (continued)
Field
Description
Confirm
This field appears for FTP, SFTP, and TERMINAL.
Reenter the passphrase.
Non-Exportable
The ability to export SSL certificates allows you to copy signed certificates
to another server on your network so that you can then import them onto
another ACE appliance or Web server. Exporting is similar to copying in that
the original files are not deleted.
Check the check box to indicate that this certificate file cannot be exported
from the ACE appliance.
Import Text
This field appears for Terminal.
Cut the certificate information from the remote server and paste it into this
field.
Table 9-3
SSL Certificate Management Bulk Import Attributes
Field
Description
Protocol
SFTP is to be used to access the network server when importing the SSL certificates. SFTP is the
only supported protocol for bulk import.
IP Address
Enter the IPv4 address of the remote server on which the SSL certificate files reside.
Remote Path
Path to the SSL certificate files that reside on the remote server. The ACE fetches only files
specified by the path; it does not recursively fetch remote directories. Enter a filename path
including wildcards (for example, /remote/path/*.pem). The ACE supports POSIX pattern
matching notation, as specified in section 2.13 of the “Shell and Utilities” volume of IEEE Std
1003.1-2004. This notation includes the “*,” “?” and “[ ” metacharacters.
To fetch all files from a remote directory, specify a remote path that ends with a wildcard character
(for example, /remote/path/*). Do not include spaces or the following special characters:
;<>\|`@$&()
The ACE fetches all files on the remote server that matches the wildcard criteria. However, it
imports only files with names that have a maximum of 40 characters. If the name of a file exceeds
40 characters, the ACE does not import the file and discards it.
User Name
Enter the name of the user account on the network server.
Password
Enter the password for the user account on the network server.
Confirm
Reenter the password.
Passphrase
Enter the passphrase that was created with the file. Without this phrase, you cannot use the file.
Passphrases are used only with encrypted PEM and PKCS files.
Confirm
Reenter the passphrase.
Non-Exportable
The ability to export SSL certificates allows you to copy signed certificates to another server on
your network so that you can then import them onto another ACE or Web server. Exporting is
similar to copying in that the original files are not deleted.
Check the check box to specify that this certificate file cannot be exported from the ACE.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-10
OL-26645-02
Chapter 9
Configuring SSL
Using SSL Keys
Step 4
Do the following:
•
Click OK to accept your entries and to return to the Certificates table. The ACE Appliance Device
Manager updates the Certificates table with the newly installed certificate.
•
Click Cancel to exit this procedure without saving your entries and to return to the Certificates table.
Related Topics
•
Configuring SSL, page 9-1
•
Using SSL Keys, page 9-11
•
Importing SSL Key Pairs, page 9-12
•
Configuring SSL Parameter Maps, page 9-19
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring SSL CSR Parameters, page 9-26
•
Configuring SSL Proxy Service, page 9-28
Using SSL Keys
An ACE appliance and its peer use a public key cryptographic system named Rivest, Shamir, and
Adelman Signatures (RSA) for authentication during the SSL handshake to establish an SSL session.
The RSA system uses key pairs that consist of a public key and a corresponding private (secret) key.
During the handshake, the RSA key pairs encrypt the session key that both devices will use to encrypt
the data that follows the handshake.
Use this procedure to view options for working with SSL and SSL keys.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Keys. The Keys table appears.
Step 2
Continue with one of the following options:
•
Generate a key pair—See Generating SSL Key Pairs, page 9-15.
•
Import a key pair—See Importing SSL Key Pairs, page 9-12.
•
Export a key pair—See Exporting SSL Key Pairs, page 9-18.
•
Generate a CSR—See Generating CSRs, page 9-27.
Related Topics
•
Generating SSL Key Pairs, page 9-15
•
Importing SSL Key Pairs, page 9-12
•
Generating SSL Key Pairs, page 9-15
•
Exporting SSL Key Pairs, page 9-18
•
Configuring SSL, page 9-1
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-11
Chapter 9
Configuring SSL
Using SSL Keys
Importing SSL Key Pairs
Use this procedure to import an SSL key pair file.
Note
The ACE supports a maximum of 4,096 key pairs.
Assumptions
•
You have configured an ACE appliance for server load balancing. (See Load Balancing Overview,
page 5-1.)
•
You have obtained an SSL key pair from a certificate authority (CA) and have placed the pair on a
network server accessible by the ACE appliance.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Keys. The Keys table appears, listing existing
SSL keys.
The cisco-sample-key key pair is included in the list. For information on this sample key pair, see the
“Using SSL Certificates” section on page 9-6.
Step 2
Click Import. The Import dialog box appears.
To import multiple SSL key pairs, click Bulk Import. The Bulk Import dialog box appears.
Note
Step 3
SSL bulk import can take longer based on the number of SSL keys being imported. It will
progress to completion on the ACE. To see the imported keys in the ACE Device Manager,
perform a CLI synchronization for this context once the SSL bulk import has completed. For
information on synchronizing contexts, see the “Synchronizing Virtual Context Configurations”
section on page 4-79.
Enter the applicable information as follows:
•
For the Import dialog box, see Table 9-4.
•
For the Bulk Import dialog box, see Table 9-5.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-12
OL-26645-02
Chapter 9
Configuring SSL
Using SSL Keys
Table 9-4
SSL Key Pair Import Attributes
Field
Description
Protocol
Specify the method to be used for accessing the network server:
IP Address
•
FTP—Indicates that FTP is to be used to access the network server when
importing the SSL key pair file.
•
SFTP—Indicates that SFTP is to be used to access the network server
when importing the SSL key pair file.
•
TFTP—Indicates that TFTP is to be used to access the network server
when importing the SSL key pair file.
•
TERMINAL—Indicates that you will import the file using cut and paste
by pasting the certificate and key pair information to the terminal
display. You can only use the terminal method to display PEM files, which
are in ASCII format.
This field appears for FTP, TFTP, and SFTP.
Enter the IPv4 address of the remote server on which the SSL key pair file
resides.
Remote File Name
This field appears for FTP, TFTP, and SFTP.
Enter the directory and filename of the key pair file on the network server.
Local File Name
Enter the filename to be used for the SSL key pair file when it is imported to
the ACE appliance.
User Name
This field appears for FTP and SFTP.
Enter the name of the user account on the network server.
Password
This field appears for FTP and SFTP.
Enter the password for the user account on the network server.
Confirm
This field appears for FTP and SFTP.
Reenter the password.
Passphrase
This field appears for FTP, TFTP, SFTP, and TERMINAL.
Enter the passphrase that was created with the file. Without this phrase, you
cannot use the file. Passphrases are used only with encrypted PEM and
PKCS files.
Confirm
This field appears for FTP, SFTP, and TERMINAL.
Reenter the passphrase.
Non-Exportable
The ability to export SSL key pair files allows you to copy key pair files to
another server on your network so that you can then import them onto
another ACE appliance or Web server. Exporting is similar to copying in that
the original files are not deleted.
Check the check box to indicate that this key pair file cannot be exported
from the ACE appliance. Clear the check box to indicate that this key pair
file can be exported from the ACE appliance.
Import Text
This field appears for Terminal.
Cut the key pair information from the remote server and paste it into this
field.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-13
Chapter 9
Configuring SSL
Using SSL Keys
Table 9-5
SSL Key Pair Bulk Import Attributes
Field
Description
Protocol
SFTP is to be used to access the network server when importing the SSL key
pairs. SFTP is the only supported protocol for bulk import.
IP Address
Enter the IPv4 address of the remote server on which the SSL key pair files
resides.
Remote Path
Enter the path to the key pair files that reside on the remote server. The ACE
fetches only files specified by the path; it does not recursively fetch remote
directories. Enter a filename path including wildcards (for example,
/remote/path/*.pem). The ACE supports POSIX pattern matching notation,
as specified in section 2.13 of the “Shell and Utilities” volume of IEEE Std
1003.1-2004. This notation includes the “*,” “?” and “[” metacharacters.
To fetch all files from a remote directory, specify a remote path that ends
with a wildcard character (for example, /remote/path/*). Do not include
spaces or the following special characters:
;<>\|`@$&()
The ACE fetches all files on the remote server that matches the wildcard
criteria. However, it imports only files with names that have a maximum of
40 characters. If the name of a file exceeds 40 characters, the ACE does not
import the file and discards it.
Step 4
User Name
Enter the name of the user account on the network server.
Password
Enter the password for the user account on the network server.
Confirm
Reenter the password.
Passphrase
Enter the passphrase that was created with the file. Without this phrase, you
cannot use the file. Passphrases are used only with encrypted PEM and
PKCS files.
Confirm
Reenter the passphrase.
Non-Exportable
Check this check box to specify that this certificate file cannot be exported
from the ACE. The ability to export SSL key pairs allows you to copy signed
certificates to another server on your network so that you can then import
them onto another ACE or Web server. Exporting is similar to copying in that
the original files are not deleted.
Do the following:
•
Click OK to accept your entries and to return to the Keys table. The ACE Appliance Device
Manager updates the Keys table with the imported key pair file information.
•
Click Cancel to exit this procedure without saving your entries and to return to the Keys table.
Related Topics
•
Configuring SSL, page 9-1
•
Importing SSL Certificates, page 9-8
•
Configuring SSL Parameter Maps, page 9-19
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-14
OL-26645-02
Chapter 9
Configuring SSL
Using SSL Keys
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring SSL CSR Parameters, page 9-26
•
Configuring SSL Proxy Service, page 9-28
Generating SSL Key Pairs
If you do not have any matching key pairs, you can use the ACE appliance to generate a key pair.
Use this procedure to generate SSL RSA key pairs.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Keys. The Keys table appears.
Step 2
Click Add to add a new key pair. The Keys configuration screen appears.
Note
You cannot modify an existing entry in the Keys table. Instead, delete the existing entry, and then
add a new one.
Step 3
In the Name field, enter the name of the SSL key pair. Valid entries are alphanumeric strings with a
maximum of 40 characters.
Step 4
In the Size field, select the key pair security strength. The number of bits in the key pair file defines the
size of the RSA key pair used to secure Web transactions. Longer keys produce more secure
implementations by increasing the strength of the RSA security policy. Options and their relative levels
of security are as follows:
•
512—Least security
•
768—Normal security
•
1024—High security, level 1
•
1536—High security, level 2
•
2048—High security, level 3
•
4096—High security, level 4
Step 5
In the Type field, specify RSA as the public-key cryptographic system used for authentication.
Step 6
In the Exportable Key field, check the check box to indicate that the key pair file can be exported. Clear
the check box to indicate that the key pair file cannot be exported.
Step 7
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries and to return to the Keys table.
•
Click Next to save your entries and to define another RSA key pair.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-15
Chapter 9
Configuring SSL
Using SSL Keys
After generating an RSA key pair, you can:
•
Create a CSR parameter set. The CSR parameter set defines the distinguished name attributes for
the ACE appliance to use during the CSR-generating process. For details on defining a CSR
parameter set, see the Configuring SSL CSR Parameters, page 9-26.
•
Generate a CSR for the RSA key pair file and transfer the CSR request to the certificate authority
for signing. This provides an added layer of security because the RSA private key originates directly
within the ACE appliance and does not have to be transported externally. Each generated key pair
must be accompanied by a corresponding certificate to work. For details on generating a CSR, see
Generating CSRs, page 9-27.
Related Topics
•
Configuring SSL, page 9-1
•
Importing SSL Certificates, page 9-8
•
Importing SSL Key Pairs, page 9-12
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring SSL CSR Parameters, page 9-26
•
Configuring SSL Proxy Service, page 9-28
Exporting SSL Certificates
The ability to export SSL certificates allows you copy signed certificates to another server on your
network so that you can then import them onto another ACE appliance or Web server. Exporting
certificates is similar to copying in that the original certificates are not deleted.
Use this procedure to export SSL certificates from an ACE appliance to a remote server.
Assumption
•
The SSL certificate can be exported. (See Importing SSL Certificates, page 9-8.)
•
This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the
ssh key rsa 1024 force command is applied on the appliance.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Certificates. The Certificates table appears,
listing any valid SSL certificates.
Step 2
Select the certificate you want to export, and then click Export. The Export dialog box appears.
Step 3
Enter the information in Table 9-6.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-16
OL-26645-02
Chapter 9
Configuring SSL
Using SSL Keys
Table 9-6
SSL Certificate Export Attributes
Field
Description
Protocol
Specify the method to be used for exporting the SSL certificate:
IP Address
•
FTP—Indicates that FTP is to be used to access the network server when
exporting the SSL certificate.
•
SFTP—Indicates that SFTP is to be used to access the network server
when exporting the SSL certificate.
•
TFTP—Indicates that TFTP is to be used to access the network server
when exporting the SSL certificate.
•
TERMINAL—Indicates that you will export the certificate using cut
and paste by pasting the certificate and key pair information to the
terminal display. You can only use the terminal method to display PEM
files, which are in ASCII format.
This field appears for FTP, TFTP, and SFTP.
Enter the IPv4 address of the remote server to which the SSL certificate file
is to be exported.
Remote File Name
This field appears for FTP, TFTP, and SFTP.
Enter the directory and filename to be used for the SSL certificate file on the
remote network server.
User Name
This field appears for FTP and SFTP.
Enter the name of the user account on the remote network server.
Password
This field appears for FTP and SFTP.
Enter the password for the user account on the remote network server.
Confirm
This field appears for FTP and SFTP.
Reenter the password.
Step 4
Do the following:
•
Click OK to export the certificate and to return to the Certificates table.
•
Click Cancel to exit this procedure without exporting the certificate and to return to the Certificates
table.
Related Topics
•
Configuring SSL, page 9-1
•
Importing SSL Certificates, page 9-8
•
Importing SSL Key Pairs, page 9-12
•
Generating SSL Key Pairs, page 9-15
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring SSL CSR Parameters, page 9-26
•
Configuring SSL Proxy Service, page 9-28
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-17
Chapter 9
Configuring SSL
Using SSL Keys
Exporting SSL Key Pairs
The ability to export SSL key pairs allows you copy SSL key pair files to another server on your network
so that you can then import them onto another ACE appliance or Web server. Exporting key pair files is
similar to copying in that the original key pairs are not deleted.
Use this procedure to export SSL key pairs from an ACE appliance to a remote server.
Assumption
The SSL key pair can be exported (see Generating SSL Key Pairs, page 9-15).
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Keys. The Keys table appears.
Step 2
Select the key entry you want to export, and then click Export. The Export dialog box appears.
Step 3
Enter the information in Table 9-7.
Table 9-7
SSL Key Export Attributes
Field
Description
Protocol
Specify the method to be used for exporting the SSL key pair:
IP Address
•
FTP—Indicates that FTP is to be used to access the network server when
exporting the SSL key pair.
•
SFTP—Indicates that SFTP is to be used to access the network server
when exporting the SSL key pair.
•
TFTP—Indicates that TFTP is to be used to access the network server
when exporting the SSL key pair.
•
TERMINAL—Indicates that you will export the key pair using cut and
paste by pasting the key pair information to the terminal display. You
can only use the terminal method to display PEM files, which are in
ASCII format.
This field appears for FTP, TFTP, and SFTP.
Enter the IPv4 address of the remote server to which the SSL key pair is to
be exported.
Remote File Name
This field appears for FTP, TFTP, and SFTP.
Enter the directory and filename to be used for the SSL key pair file on the
remote network server.
User Name
This field appears for FTP and SFTP.
Enter the name of the user account on the remote network server.
Password
This field appears for FTP and SFTP.
Enter the password for the user account on the remote network server.
Confirm
This field appears for FTP and SFTP.
Reenter the password.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-18
OL-26645-02
Chapter 9
Configuring SSL
Configuring SSL Parameter Maps
Step 4
Do the following:
•
Click OK to export the key pair and to return to the Keys table.
•
Click Cancel to exit this procedure without exporting the key pair and to return to the Keys table.
Related Topics
•
Configuring SSL, page 9-1
•
Importing SSL Certificates, page 9-8
•
Importing SSL Key Pairs, page 9-12
•
Generating SSL Key Pairs, page 9-15
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring SSL CSR Parameters, page 9-26
•
Configuring SSL Proxy Service, page 9-28
Configuring SSL Parameter Maps
An SSL parameter map defines the SSL session parameters that an ACE appliance applies to an SSL
proxy service. SSL parameter maps let you apply the same SSL session parameters to different proxy
services.
Use this procedure to create SSL parameter maps.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Parameter Maps. The Parameter Maps table
appears.
Step 2
Click Add to add a new SSL parameter map, or select an existing entry to modify, and then click Edit.
The Parameter Map configuration screen appears.
Step 3
In the Parameter Map Name field, enter a unique name for the parameter map. Valid entries are
alphanumeric strings with a maximum of 64 characters.
Step 4
In the Description field, enter a brief description of the parameter map. Enter a text string with a
maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Enter double quotes as matching pairs.
Step 5
In the Queue Delay Timeout (Milliseconds) field, set the amount of time (in milliseconds) to wait before
emptying the queued data for encryption. The default delay is 200 milliseconds, and can be adjusted
from 0 (disabled) to 10000. If disabled (set to 0), the ACE encrypts the data from the server as soon as
it arrives and then sends the encrypted data to the client.
Note
Step 6
The Queue Delay Timeout is only applied to data that the SSL module sends to the client. This
avoids a potentially long delay in passing a small HTTP GET to the real server.
In the Session Cache Timeout (Milliseconds) field, specify a timeout value of an SSL session ID to
remain valid before the ACE requires the full SSL handshake to establish a new SSL session. This value
allows the ACE to reuse the master key on subsequent connections with the client, which can speed up
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-19
Chapter 9
Configuring SSL
Configuring SSL Parameter Maps
the SSL negotiation process.The default value is 300 seconds (5 minutes), and can be adjusted from 0
(to indicate an infinite timeout, so that session IDs are removed from the cache only when the cache
becomes full), up to 72000 seconds (20 hours). Specifying 0 causes the ACE to implement a least
recently used (LRU) timeout policy. By disabling this option, the full SSL handshake occurs for each
new connection with the ACE.
Step 7
In the Reject Expired CRLs field, click the check box to specify whether expired CRLs can be used. If
checked, no expired CRLs are allowed.
Step 8
In the Close Protocol Behavior field, select the method to be used to close the SSL connection:
Step 9
•
Disabled—Indicates that the ACE appliance is to send a close-notify alert message to the SSL peer;
however, the SSL peer does not expect a close-notify alert before removing the session. Whether the
SSL peer sends a close-notify alert message or not, the session information is preserved, allowing
session resumption for future SSL connections.
•
None—Indicates that the ACE appliance is not to send a close-notify alert message to the SSL peer,
nor does the ACE appliance expect a close-notify alert message from the peer. The ACE appliance
preserves the session information so that SSL resumption can be used for future SSL connections.
In the SSL Version field, enter the version of SSL be to used during SSL communications:
•
All—Indicates that the ACE appliance is to use both SSL v3 and TLS v1 in its communications with
peer ACE appliances.
•
SSL3—Indicates that the ACE appliance is to use only SSL v3 in its communications with peer ACE
appliances.
•
TLS1—Indicates that the ACE appliance is to use only TLS v1 in its communications with peer
ACE appliances.
•
TLS1_1—Indicates that the ACE appliance is to use only TLS Version 1.1 in its communication
with peer ACE appliances.
•
TLS1_2—Indicates that the ACE appliance is to use only TLS Version 1.2 in its communication
with peer ACE appliances.
•
Upto_TLS1_1—Indicates all SSL versions upto TLS 1.1.
•
Upto_TLS1_2—Indicates all SSL versions upto TLS 1.2.
Note
For TLS1_1 and TLS1_2 SSL versions, only certain ‘Ciphers’ are supported as mentioned in the
tables below. If the user tries to configure any unsupported SSL version or unsupported Cipher,
an error message will be displayed.
Folowing tables shows the list of supported cipher suites for TLS1_1 and TLS1_2 in ACE”
Table 9-8
Cipher suites supported by TLS 1.1
Cipher Suite Name
Cipher Suite Number
RSA_WITH_RC4_128_MD5
{ 0x00,0x04 }
RSA_WITH_RC4_128_SHA
{ 0x00,0x05 }
RSA_WITH_DES_CBC_SHA
{ 0x00,0x09 }
RSA_WITH_3DES_EDE_CBC_SHA
{ 0x00,0x0A }
RSA_WITH_AES_128_CBC_SHA
{ 0x00,0x2F }
RSA_WITH_AES_256_CBC_SHA
{ 0x00,0x35 }
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-20
OL-26645-02
Chapter 9
Configuring SSL
Configuring SSL Parameter Maps
Table 9-9
Table 9-10
Step 10
Step 11
Cipher suites supported by TLS 1.2
Cipher Suite Name
Cipher Suite Number
RSA_WITH_RC4_128_MD5
{ 0x00,0x04 }
RSA_WITH_RC4_128_SHA
{ 0x00,0x05 }
RSA_WITH_3DES_EDE_CBC_SHA
{ 0x00,0x0A }
RSA_WITH_AES_128_CBC_SHA
{ 0x00,0x2F }
RSA_WITH_AES_256_CBC_SHA
{ 0x00,0x35 }
RSA_WITH_AES_128_CBC_SHA256
{ 0x00,0x3C }
In the Ignore Authentication Failure field, check the check box to ignore expired or invalid client or
server certificates and to continue setting up the SSL connection. Clear the check box to return to the
default setting of disabled. This field allows the ACE appliance to ignore the following nonfatal errors
with respect to either client certificates for SSL termination configurations, or server certificates for SSL
initiation configurations:
•
Certificate not yet valid (both)
•
Certificate has expired (both)
•
Certificate revoked (both)
•
Unknown issuer (both)
•
No client certificate (client certificate only)
•
CRL not available (client certificate only)
•
CRL has expired (client certificate only)
•
Certificate has signature failure (client certificate only)
•
Certificate other error (client certificate only)
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance. The updated Parameter Map
screen appears along with the Parameter Map Cipher table. Continue with Step 12.
•
Click Cancel to exit this procedure without saving your entries and to return to the Parameter Map
table.
•
Click Next to save your entries and to define another parameter map.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-21
Chapter 9
Configuring SSL
Configuring SSL Parameter Maps
Step 12
In the Parameter Map Cipher table, click Add to add a cipher, or select an existing cipher, and then click
Edit. The Parameter Map Cipher configuration screen appears.
Enter the information in Table 9-11.
Table 9-11
SSL Parameter Map Cipher Configuration Attributes
Field
Description
Cipher Name
Cipher to use.
For more information on the SSL cipher suites that ACE supports, see SSL Guide, Cisco ACE
Application Control Engine.
Cipher Priority
Priority that you want to assign to this cipher suite. The priority indicates the cipher’s preference
for use.
Valid entries are from 1 to 10 with 1 indicating the least preferred and 10 indicating the most
preferred. When determining which cipher suite to use, the ACE chooses the cipher suite with the
highest priority.
Step 13
Step 14
In the Parameter Map Cipher table, do one of the following:
•
Deploy Now to deploy this configuration on the ACE appliance.
•
Cancel to exit the procedure without saving your entries and to return to the Parameter Map Cipher
table.
•
Next to save your entries and to add another entry to the Parameter Map Cipher table.
Click the Redirect Authentication Failure tab and click Add to add a redirect or choose an existing
redirect, and click Edit.
Enter the information in Table 9-12.
Note
The Redirect Authentication Failure feature is only for SSL termination configurations in which
the ACE performs client authentication. The ACE ignores these attributes if you configure them
for an SSL initiation configuration.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-22
OL-26645-02
Chapter 9
Configuring SSL
Configuring SSL Parameter Maps
Table 9-12
SSL Parameter Map Redirect Configuration Attributes
Field
Description
Client Certificate
Validation
Select the type of certificate validation failure to redirect. From the drop-down list, choose the type
to redirect:
Redirect Type
•
Any—Associates any of the certificate failures with the redirect. You can configure the
authentication-failure redirect any command with individual reasons for redirection. When you
do, the ACE attempts to match one of the individual reasons before using the any reason. You
cannot configure the authentication-failure redirect any command with the
authentication-failure ignore command.
•
Cert-expired—Associates an expired certificate failure with a redirect.
•
Cert-has-signature-failure—Associates a certificate signature failure with a redirect.
•
Cert-not-yet-valid—Associates a certificate that is not yet valid failure with the redirect.
•
Cert-other-error—Associates a all other certificate failures with a redirect.
•
Cert-revoked—Associates a revoked certificate failure with a redirect.
•
CRL-has-expired—Associates an expired CRL failure with a redirect.
•
CRL-not-available—Associates a CRL that is not available failure with a redirect.
•
No-client-cert—Associates no client certificate failure with a redirect.
•
Unknown-issuer—Associates an unknown issuer certificate failure with a redirect.
Select the redirect type to use:
•
Server Farm—Specifies a server farm for the redirect.
•
URL—Specifies a static URL path for the redirect.
Server Farm Name
This field appears when the Redirect Type is set to Server Farm. The ACE Device Manager displays
all configured host and redirect server farms. Choose one of the available server farm options or
click Plus (+) to open the server farm configuration popup and configure a redirect server farm (see
the “Configuring Server Farms” section on page 6-18).
Redirect URL
This field appears when the Redirect Type is set to URL. Enter the static URL path for the redirect.
Enter a string with a maximum of 255 characters and no spaces.
Redirect Code
This field appears when the Redirect Type is set to URL.
Enter the redirect code that is sent back to the client:
Step 15
•
301—Status code for a resource permanently moving to a new location.
•
302—Status code for a resource temporarily moving to a new location.
In the Redirect Authentication Failure table, do one of the following:
•
Click Deploy Now to deploy the Redirect Authentication Failure table on the ACE and save your
entries to the running-configuration and startup-configuration files.
•
Click Cancel to exit the procedure without saving your entries and to return to the Redirect
Authentication Failure table.
•
Click Next to deploy your entries and to add another entry to the Redirect Authentication Failure
table.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-23
Chapter 9
Configuring SSL
Configuring SSL Parameter Maps
Step 16
In the Parameter Map table, do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
•
Click Cancel to exit the procedure without saving your entries and to return to the Parameter Map
table.
•
Click Next to deploy your entries and to add another entry to the Parameter Map table.
Related Topics
•
Configuring SSL, page 9-1
•
Importing SSL Certificates, page 9-8
•
Importing SSL Key Pairs, page 9-12
•
Generating SSL Key Pairs, page 9-15
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring SSL CSR Parameters, page 9-26
•
Configuring SSL Proxy Service, page 9-28
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-24
OL-26645-02
Chapter 9
Configuring SSL
Configuring SSL Chain Group Parameters
Configuring SSL Chain Group Parameters
A chain group specifies the certificate chains that the ACE appliance sends to its peer during the
handshake process. A certificate chain is a hierarchal list of certificates that includes the ACE
appliance’s certificate, the root certificate authority certificate, and any intermediate certificate authority
certificates. Using the information provided in a certificate chain, the certificate verifier searches for a
trusted authority in the certificate hierarchal list up to and including the root certificate authority. If the
verifier finds a trusted authority before reaching the root certificate authority certificate, it stops
searching further.
Use this procedure to configure certificate chains for a virtual context.
Assumption
At least one SSL certificate is available.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Chain Group Parameters. The Chain Group
Parameters table appears.
Step 2
Click Add to add a new chain group, or select an existing chain group, and then click Edit to modify it.
The Chain Group Parameters configuration screen appears.
Step 3
In the Name field, enter a unique name for the chain group. Valid entries are alphanumeric strings with
a maximum of 64 characters.
Step 4
Do the following:
Step 5
•
Click Deploy Now to deploy this configuration on the ACE appliance. The updated Chain Group
Parameters screen appears along with the Chain Group Certificates table. Continue with Step 5.
•
Click Cancel to exit the procedure without saving your entries and to return to the Chain Group
Parameters table.
•
Click Next to save your entries and to add another entry to the Chain Group Parameters table.
In the Chain Group Certificates table, click Add to add an entry. The Chain Group Certificates
configuration screen appears.
Note
You cannot modify an existing entry in the Chain Group Certificates table. Instead, delete the
entry, and then add a new one.
Step 6
In the Certificate Name field, select the certificate to add to this chain group.
Step 7
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit the procedure without saving your entries and to return to the Chain Group
Certificates table.
•
Click Next to save your entries and to add another certificate to this chain group table.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-25
Chapter 9
Configuring SSL
Configuring SSL CSR Parameters
Related Topics
•
Configuring SSL, page 9-1
•
Importing SSL Certificates, page 9-8
•
Importing SSL Key Pairs, page 9-12
•
Generating SSL Key Pairs, page 9-15
•
Configuring SSL Parameter Maps, page 9-19
•
Configuring SSL CSR Parameters, page 9-26
•
Configuring SSL Proxy Service, page 9-28
Configuring SSL CSR Parameters
A certificate signing request (CSR) is a message you send to a certificate authority such as VeriSign and
Thawte to apply for a digital identity certificate. The CSR contains information that identifies the SSL
site, such as location and a serial number, and a public key that you choose. A corresponding private key
is not included in the CSR, but is used to digitally sign the request. The CSR may be accompanied by
other credentials or proofs of identity required by the certificate authority, and the certificate authority
may contact the applicant for more information.
If the request is successful, the certificate authority returns a digitally signed (with the private key of the
certificate authority) identity certificate.
CSR parameters define the distinguished name attributes the ACE appliance applies to the CSR during
the CSR-generating process. These attributes provide the certificate authority with the information it
needs to authenticate your site. Defining a CSR parameter set lets you to generate multiple CSRs with
the same distinguished name attributes.
Each context on an ACE appliance can contain up to eight CSR parameter sets.
Use this procedure to define the distinguished name attributes for SSL CSRs.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > CSR Parameters. The CSR Parameters table
appears.
Step 2
Click Add to add new set of CSR attributes, or select an existing entry to modify, and then click Edit.
The CSR Parameters configuration screen appears.
Step 3
In the Name field, enter a unique name for this parameter set. Valid entries are alphanumeric strings with
a maximum of 64 characters.
Step 4
In the Country field, enter the name of the country where the SSL site resides. Valid entries are 2
alphabetic characters representing the country, such as US for the United States. The International
Organization for Standardization (ISO) maintains the complete list of valid country codes on its Web site
(www.iso.org).
Step 5
In the State field, enter the name of the state or province where the SSL site resides.
Step 6
In the Locality field, enter the name of the city where the SSL site resides.
Step 7
In the Common Name field, enter the name of the domain or host of the SSL site. Valid entries are
alphanumeric strings with a maximum of 64 characters. The ACE supports the following special
characters: , . / = + - ^ @ ! % ~ # $ * ( ).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-26
OL-26645-02
Chapter 9
Configuring SSL
Generating CSRs
Step 8
In the Serial Number field, enter a serial number to assign to the certificate. Valid entries are
alphanumeric strings with a maximum of 16 characters.
Step 9
In the Organization Name field, enter the name of the organization to include in the certificate. Valid
entries are alphanumeric strings with a maximum of 64 characters.
Step 10
In the Email field, enter the site e-mail address. Valid entries are alphanumeric strings with a maximum
of 40 characters.
Step 11
In the Organization Unit field, enter the name of the organization to include in the certificate. Valid
entries are alphanumeric strings with a maximum of 64 characters.
Step 12
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries and to return to the CSR Parameters
table.
•
Click Next to save your entries and to define another set of CSR attributes.
Related Topics
•
Configuring SSL, page 9-1
•
Importing SSL Certificates, page 9-8
•
Importing SSL Key Pairs, page 9-12
•
Configuring SSL Parameter Maps, page 9-19
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring SSL Proxy Service, page 9-28
Generating CSRs
A certificate signing request (CSR) is a message you send to a certificate authority such as VeriSign and
Thawte to apply for a digital identity certificate. Create a CSR when you need to apply for a certificate
from a certificate authority. When the certificate authority approves a request, it signs the CSR and
returns the authorized digital certificate to you. This certificate includes the private key of the certificate
authority. When you receive the authorized certificate and key pair, you can import them for use (see
Importing SSL Certificates, page 9-8 and Importing SSL Key Pairs, page 9-12).
Use this procedure to generate SSL CSRs.
Assumption
•
You have configured SSL CSR parameters (see Configuring SSL CSR Parameters, page 9-26).
•
This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the
ssh key rsa 1024 force command is applied on the appliance.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Keys. The Keys table appears.
Step 2
Select a key in the table, and then click Generate CSR. The Generate a Certificate Signing Request
dialog box appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-27
Chapter 9
Configuring SSL
Configuring SSL Proxy Service
Step 3
In the CSR Parameter field, select the CSR parameter to be used.
Step 4
Do the following:
•
Click OK to generate the CSR. The CSR appears in a popup window which you can now submit to
a certificate authority for approval. Work with your certificate authority to determine the method of
submission, such as e-mail or a Web-based application. Click Close to close the popup window and
to return to the Keys table.
•
Click Cancel to exit this procedure without generating the CSR and to return to the Keys table.
Related Topics
•
Configuring SSL, page 9-1
•
Importing SSL Certificates, page 9-8
•
Importing SSL Key Pairs, page 9-12
•
Configuring SSL Parameter Maps, page 9-19
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring SSL Proxy Service, page 9-28
Configuring SSL Proxy Service
SSL proxy service defines the SSL parameter map, key pair, certificate, and chain group an ACE
appliance uses during SSL handshakes. By configuring an SSL proxy server service on an ACE
appliance, the ACE appliance can act as an SSL server.
Use this procedure to define the attributes that the ACE appliance is to use during SSL handshakes so
that it can act as an SSL server.
Assumption
You have configured at least one SSL key pair, certificate, chain group, or parameter map to apply to
this proxy service.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Proxy Service. The Proxy Service table appears.
Step 2
Click Add to add a new proxy service, or select an existing service, and then click Edit to modify it. The
Proxy Service configuration screen appears.
Step 3
In the Name field, enter a unique name for this proxy service. Valid entries are alphanumeric strings with
a maximum of 64 characters.
Step 4
In the Keys field, select the key pair that the ACE appliance is to use during the SSL handshake for data
encryption.
Caution
When choosing the key pair from the drop-down list, be sure to choose the keys that
correspond to the certificate that you choose.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-28
OL-26645-02
Chapter 9
Configuring SSL
Configuring SSL Proxy Service
Note
If you use SSL Setup Sequence to create the proxy service, ACE appliance Device Manager
selects the keys that correspond to the certificate that you choose. If ACE appliance Device
Manager cannot detect a corresponding key pair, you can select a key pair from the drop-down
list and click Verify Key to have ACE appliance Device Manager verify that the keys correspond
to the selected certificate. ACE appliance Device Manager displays a message to let you know
that your key pair selection either matches or does not match the selected certificate. For more
information about SSL Setup Sequence, see the “SSL Setup Sequence” section on page 9-5.
The cisco-sample-key option is available for the sample key pair. For information about this sample key
pair, see the “Using SSL Certificates” section on page 9-6.
Step 5
In the Certificates field, select the certificate that the ACE appliance is to use during the SSL handshake
to prove its identity.
Caution
Note
When choosing the certificate from the drop-down list, be sure to choose the certificate that
corresponds to the keys that you choose.
If you use SSL Setup Sequence to create the proxy service, ACE appliance Device Manager
selects the keys that correspond to the certificate that you choose. If ACE appliance Device
Manager cannot detect a corresponding key pair, you can select a key pair from the drop-down
list and click Verify Key to have ACE appliance Device Manager verify that the keys correspond
to the selected certificate. ACE appliance Device Manager displays a message to let you know
that your key pair selection either matches or does not match the selected certificate. For more
information about SSL Setup Sequence, see the “SSL Setup Sequence” section on page 9-5.
The cisco-sample-cert option is available for the sample certificate. For information on this sample
certificate, see the “Using SSL Certificates” section on page 9-6.
Step 6
In the Chain Groups field, select the chain group that the ACE appliance is to use during the SSL
handshake.
Step 7
For the Auth Groups field, perform either of the following:
Step 8
•
Select N/A when authentication is not applicable for this proxy service. Then, proceed to Step 11.
•
Select the auth group name that the ACE is to use during the SSL handshake. To create an auth
group, see Configuring SSL Authentication Groups, page 9-32.
Check the CRL Best-Effort check box to allow the ACE appliance to search client certificates for the
service to determine if it contains a CRL in the extension. The ACE appliance then retrieves the value,
if it exists.
Clear the check box to display the CRL name field to select the CRL name.
Step 9
Step 10
For the CRL Name field, perform either of the following:
•
Select N/A when the CRL name is not applicable.
•
Select the CRL name that the ACE used for authentication.
Check the OCSP Best-Effort check box to allow the ACE appliance to extract the extension to find the
OCSP server information from the certificate itself where, from the revocation status, information about
the certificate could be obtained. If this extension is missing from the certificate and the best effort
OCSP server information is configured with the SSL proxy, the cert is considered revoked.
Clear the check box to display the OCSP server field to select the available OCSP server.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-29
Chapter 9
Configuring SSL
Configuring SSL OCSP Service
Step 11
In the Parameter Maps field, select the SSL parameter map to associate with this SSL proxy server
service.
Step 12
For the Revcheck priority order, select one of the following to set the priority for the revocation check:
Step 13
•
N/A—Indicates that this field is not applicable.
•
CRL-OCSP—The ACE uses the CRLs first to determine the revocation status, and then the OCSP
servers.
•
OCSP-CRL—The ACE uses the OCSP servers first to determine the revocation status, and then the
CRLs.
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries and to return to the Proxy Service
table.
•
Click Next to save your entries and to add another proxy service.
Related Topics
•
Configuring SSL, page 9-1
•
Importing SSL Certificates, page 9-8
•
Importing SSL Key Pairs, page 9-12
•
Configuring SSL Parameter Maps, page 9-19
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring SSL CSR Parameters, page 9-26
•
Configuring SSL OCSP Service, page 9-30
Configuring SSL OCSP Service
SSL Online Certificate Status Protocol (OCSP) service defines the host server for certificate revocation
checks using OCSP. The OCSP server, also known as the OCSP responder, maintains or obtains the
information about the certificates issued by different CAs that are revoked and possibly non-revoked,
and provides this information when requested by OCSP clients. OCSP can provide latest information
about the revocation status of the certificate. Use of OCSP removes the need to download and cache the
CRLs which could be very large in sizes and impose large memory requirements on systems.
You can configure a maximum of 64 OCSP server configurations system-wide on the ACE. You can
configure all of these servers in a single or multiple contexts.
Use this procedure to define the attributes that the ACE appliance is to use during SSL handshakes so
that it can act as an SSL server.
Assumption
Configure OCSP on an associated proxy service.
You can configure both OCSP and CRLs for authentication.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-30
OL-26645-02
Chapter 9
Configuring SSL
Enabling Client Authentication
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > OCSP Service. The OCSP Service table appears.
Step 2
Click Add to add a new OCSP service, or select an existing service, and then click Edit to modify it.
The OCSP Service configuration screen appears.
Step 3
In the Name field, enter a unique name for this OCSP service. Valid entries are alphanumeric strings with
a maximum of 64 characters. This name is used when you apply this configuration to an SSL proxy
service.
Step 4
In the URL field, enter an HTTP based URL for the OCSP host name and optional port ID in the form
of http://ocsp_hostname.com:port_id. If you do not specify a port ID, the ACE uses the default value of
2560.
Step 5
Optionally, in the Request Signer’s Certificate field, you can select a file name for the signer certificate
to sign the requests to the server. By default, the request is not signed.
Step 6
Optionally, in the Response Signer’s Certificate field, you can select a file name for the signer certificate
to verify the signature on the server responses. By default, the responses are not verified.
Step 7
Check the Enable Nonce check box to enable the inclusion of the nonce in the requests to the server. By
default, nonce is disabled (unchecked).
Clear the check box to disable the inclusion of the nonce in requests to the server.
Step 8
In the TCP Connection Inactivity Timeout field, enter an integer from 2 to 3600 to specify the TCP
connection inactivity timeout in seconds. The default is 300 seconds.
Step 9
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit this procedure without saving your entries and to return to the OCSP Service
table.
•
Click Next to save your entries and to add another proxy service.
Related Topics
•
Configuring SSL, page 9-1
•
Configuring SSL Proxy Service, page 9-28
Enabling Client Authentication
During the flow of a normal SSL handshake, the SSL server sends its certificate to the client. Then the
client verifies the identity of the server through the certificate. However, the client does not send any
identification of its own to the server. When you enable the client authentication feature enabled on the
ACE, it will require that the client send a certificate to the server. Then the server verifies the following
information on the certificate:
•
A recognized CA issued the certificate.
•
The valid period of the certificate is still in effect.
•
The certificate signature is valid and not tampered.
•
The CA has not revoked the certificate.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-31
Chapter 9
Configuring SSL
Enabling Client Authentication
•
At least one SSL certificate is available.
Use the following procedures to enable or disable client authentication:
•
Configuring SSL Proxy Service, page 9-28
•
Configuring SSL Authentication Groups, page 9-32
•
Configuring CRLs for Client Authentication, page 9-33
Configuring SSL Authentication Groups
On the ACE, you can implement a group of certificates that are trusted as certificate signers by creating
an authentication group. After creating the authentication group and assigning its certificates, then you
can assign the authentication group to a proxy service in an SSL termination configuration to enable
client authentication. For information on client authentication, see Enabling Client Authentication,
page 9-31.
For information on server authentication and assigning an authentication group, see Configuring SSL
Proxy Service, page 9-28.
Use this procedure to specify the certificate authentication groups that the ACE uses during the SSL
handshake and enable client authentication on this SSL-proxy service. The ACE includes the certificates
configured in the group along with the certificate that you specified for the SSL proxy service.
Assumptions
•
At least one SSL certificate is available.
•
Your ACE appliance supports authentication groups.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Auth Group Parameters.
The Auth Group Parameters table appears.
Step 2
Click Add to add a authentication group, or select an existing auth group, and then click Edit to modify
it. The Auth Group Parameters configuration screen appears.
Step 3
In the Name field, enter a unique name for the auth group. Valid entries are alphanumeric strings with a
maximum of 64 characters.
Step 4
Do the following:
Step 5
•
Click Deploy Now to deploy this configuration on the ACE. The updated Auth Group Parameters
screen appears along with the Auth Group Certificates table. Continue with Step 5.
•
Click Cancel to exit the procedure without saving your entries and to return to the Auth Group
Parameters table.
•
Click Next to deploy your entries and to add another entry to the Auth Group Parameters table.
In the Auth Group Certificate field, click Add to add an entry. The Auth Group Certificates
configuration screen appears.
Note
Step 6
You cannot modify an existing entry in the Auth Group Certificates table. Instead, delete the
entry, and then add a new one.
In the Certificate Name field, select the certificate to add to this auth group.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-32
OL-26645-02
Chapter 9
Configuring SSL
Enabling Client Authentication
Step 7
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE.
•
Click Cancel to exit the procedure without saving your entries and to return to the Auth Group
Parameters table.
•
Click Next to deploy your entries and to add another entry to the Auth Group Parameters table.
Step 8
You can repeat the previous step to add more certificates to the auth group or click Deploy Now.
Step 9
After you configure auth group parameters, you can configure the SSL proxy service to use a CRL. See
Configuring CRLs for Client Authentication, page 9-33.
Note
When you enable client authentication, a significant performance decrease may occur. Additional
latency may occur when you configure CRL retrieval.
Related Topics
•
Configuring SSL Chain Group Parameters, page 9-25
•
Configuring CRLs for Client Authentication, page 9-33
Configuring CRLs for Client Authentication
By default, ACE does not use certificate revocation lists (CRLs) during client authentication. You can
configure the SSL proxy service to use a CRL by having the ACE scan each client certificate for the
service to determine if it contains a CRL in the extension and then retrieve the value, if it exists. For
more information about SSL termination on the ACE, see the SSL Guide, Cisco ACE Application Control
Engine.
Note
The ACE supports the creation of a maximum of eight CRLs for any context.
Note
When you enable client authentication, a significant performance decrease may occur. Additional
latency may occur when you configure CRL retrieval.
Use this procedure to configure ACE to scan for CRLs and retrieve them.
Assumption
A CRL cannot be configured on an SSL proxy without first configuring an auth group.
Procedure
Step 1
Choose Config > Virtual Contexts > context > SSL > Certificate Revocation Lists (CRL). The
Certificate Revocation List table appears.
Step 2
Click Add to add a CRL or select an existing CRL, and then click Edit to modify it. The Certificate
Revocation List screen appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
9-33
Chapter 9
Configuring SSL
Enabling Client Authentication
Step 3
Enter the information in Table 9-13.
Table 9-13
Step 4
SSL Certificate Revocation List
Field
Description
Name
Enter the CRL name. Valid entries are unquoted alphanumeric strings with a
maximum of 64 characters.
URL
Enter the URL where the ACE retrieves the CRL. Valid entries are unquoted
alphanumeric strings with a maximum of 255 characters. Only HTTP URLs
are supported. ACE checks the URL and displays an error if it does not
match.
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE. The updated Certificate Revocation
List table appears.
•
Click Cancel to exit the procedure without saving your entries and to return to the Certificate
Revocation List table.
•
Click Next to deploy your entries and to add another entry to the Certificate Revocation List table.
Related Topics
•
Configuring SSL Proxy Service, page 9-28
•
Configuring SSL Authentication Groups, page 9-32
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
9-34
OL-26645-02
C H A P T E R
10
Configuring Network Access
This chapter describes how to configure network access. The ACE appliance has four physical Ethernet
interface ports. All VLANs are allocated to the physical ports. After the VLANs are assigned, you can
configure the corresponding VLAN interfaces as either routed or bridged for use. When you configure
an IP address on an interface, the ACE appliance automatically makes it a routed mode interface.
Similarly, when you configure a bridge group on an interface VLAN, the ACE appliance automatically
makes it a bridged interface. Then, you associate a bridge-group virtual interface (BVI) with the bridge
group.
The ACE appliance also supports shared VLANs; multiple interfaces in different contexts on the same
VLAN within the same subnet. Only routed interfaces can share VLANs. Note that there is no routing
across contexts even when shared VLANs are configured.
In routed mode, the ACE is considered a router hop in the network. In the Admin or user contexts, the
ACE supports static routes only. The ACE supports up to eight equal cost routes for load balancing.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
This chapter contains the following sections:
•
Configuring Port Channel Interfaces, page 10-2
•
Configuring Gigabit Ethernet Interfaces, page 10-5
•
Configuring Virtual Context VLAN Interfaces, page 10-10
•
Configuring Virtual Context BVI Interfaces, page 10-23
•
Configuring VLAN Interface NAT Pools and Displaying NAT Utilization, page 10-32
•
Configuring Virtual Context Static Routes, page 10-34
•
Configuring Global IP DHCP, page 10-35
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-1
Chapter 10
Configuring Network Access
Configuring Port Channel Interfaces
Configuring Port Channel Interfaces
This section discusses how to configure port channel interfaces for the ACE appliance. It consists of the
following topics:
•
Why Use Port Channels?, page 10-2
•
Configuring a Port-Channel Interface, page 10-3
Why Use Port Channels?
A port channel groups multiple physical ports into a single logical port. This is also called “port
aggregation” or “channel aggregation.” A port channel containing multiple physical ports has several
advantages:
•
Improves link reliability through physical redundancy.
•
Allows greater total throughput to the ACE appliance. For example, four 1-Gigabit Ethernet
interfaces can be aggregated into a single 4 Gigabit channel.
•
Allows traffic capacity to be scaled up in the future, without network disruption at that time. A port
channel can do everything a switched port can do, but a switched port cannot do everything a port
channel can do. We recommend that you use a port channel.)
•
Provides maximum flexibility of network configuration and focuses network configuration on
VLANs rather than physical cabling
The disadvantage of a port channel is that it requires additional configuration on the switch the ACE is
connected to, as well as the ACE itself. There are many methods of port aggregation implemented by
different switches, and not every method works with ACE.
Using a port channel also requires more detailed knowledge of your network's VLANs, because all
“cabling” to and from the ACE will be handled over VLANs rather than using physical cables.
Nonetheless, use of port channels is highly recommended, especially in a production deployment of
ACE.
Figure 10-1 illustrates a port channel interface.
Figure 10-1
Example of a Port Channel Interface
Switch
ACE Appliance
VLANs
247843
Ethernet
Ports
Port Channel
Related Topic
Configuring a Port-Channel Interface, page 10-3
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-2
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Port Channel Interfaces
Configuring a Port-Channel Interface
You can group physical ports together on the ACE to form a logical Layer 2 interface called the
port-channel. All the ports belonging to the same port-channel must be configured with same values; for
example, port parameters, VLAN membership, and trunk configuration. Only one port-channel in a
channel group is allowed, and a physical port can belong to only to a single port-channel interface.
Step 1
Choose Config > Virtual Contexts > context > Network > Port Channel Interfaces. The Port Channel
Interfaces table appears.
Step 2
Click Add to add a port channel interface, or select an existing port channel interface, and then click
Edit to modify it.
Note
Step 3
If you click Edit, not all of the fields can be modified.
Enter the port channel interface attributes (see Table 10-1).
Table 10-1
Port Channel Interface Attributes
Field
Description
Interface Number
Specify a channel number for the port-channel interface, which can be
from 1 to 255.
Description
Enter a brief description for this interface.
Fault Tolerance VLAN
Specify the fault tolerant (FT) VLAN used for communication between
the members of the FT group
Admin Status
Indicate whether you want the interface to be Up or Down.
Load Balancing Method
Specify one of the following load balancing methods:
•
Dst-IP—Loads distribution on the destination IP address.
•
Dst-MAC—Loads distribution on the destination MAC address.
•
Dst-Port—Loads distribution on the destination TCP or UDP port.
•
Src-Dst-IP—Loads distribution on the source or destination IP
address.
•
Src-Dst-MAC—Loads distribution on the source or destination
MAC address.
•
Src-Dst-Port—Loads distribution on the source or destination port.
•
Src-IP—Loads distribution on the source IP address.
•
Src-MAC—Loads distribution on the source MAC address.
•
Src-Port—Loads distribution on the TCP or UDP source port.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-3
Chapter 10
Configuring Network Access
Configuring Port Channel Interfaces
Table 10-1
Port Channel Interface Attributes (continued)
Field
Description
Switch Port Type
Specify the interface switchport type:
•
N/A—Indicates that the switchport type is not specified.
•
Access—Specifies that the port interface is an access port. You must
specify a VLAN as an access port in the Access VLAN field.
•
Trunk—Specifies that the port interface is a trunk port. When you
select Trunk, you must complete one of the following fields:
– Trunk Native VLAN—Identifies the 802.1Q native VLAN for
a trunk.
– Trunk Allowed VLANs—Selectively allocate individual
VLANs to a trunk link.
Step 4
Step 5
Do the following:
•
Click Deploy Now to save your entries and to return to the Port Channel Interface table.
•
Click Cancel to exit the procedure without saving your changes and to return to the Port Channel
Interface table.
•
Click Next to save your entries and to add another port-channel interface.
(Optional) To display statistics and status information for a particular port-channel interface, choose the
interface from the Port Channel Interfaces table, and click Details.
The show interface port-channel CLI command output appears. See the “Displaying Port Channel
Interface Statistics and Status Information” section on page 10-5 for details.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-4
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Gigabit Ethernet Interfaces
Displaying Port Channel Interface Statistics and Status Information
You can display statistics and status information for a particular port-channel interface.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Network > Port Channel Interfaces.
The Port Channel Interfaces table appears.
Step 2
In the Port Channel Interfaces table, choose a port-channel interface from the Port Channel Interfaces
table, and click Details.
The show interface port-channel CLI command output appears. For details about the displayed output
fields, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
Step 3
(Optional) Click Update Details to refresh the display.
Step 4
Click Close to return to the Port Channel Interfaces table.
Related Topics
Configuring a Port-Channel Interface, page 10-3
Configuring Gigabit Ethernet Interfaces
The ACE appliance provides physical Ethernet ports to connect servers, PCs, routers, and other devices
to the ACE. The ACE supports four Layer 2 Ethernet ports for performing Layer 2 switching. You can
configure the four Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or
1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiate, full-duplex, or half-duplex
operation on an Ethernet LAN, and can carry traffic within a designated VLAN.
A Layer 2 Ethernet port can be configured as follows:
•
Member of Port-Channel Group—The port is configured as a member of a port-channel group,
which associates a physical port on the ACE to a logical port to create a port-channel logical
interface. The VLAN association is derived from port-channel configuration. The port is configured
as a Layer 2 EtherChannel, where each EtherChannel bundles the individual physical Ethernet data
ports into a single logical link that provides the aggregate bandwidth of up to four physical links on
the ACE.
•
Access VLAN—The port is assigned to a single VLAN. This port is referred to as an access port
and provides a connection for end users or node devices, such as a router or server.
•
Trunk port—The port is associated with IEEE 802.1Q encapsulation-based VLAN trunking to
allocate VLANs to ports and to pass VLAN information (including VLAN identification) between
switches for all Ethernet channels defined in a Layer 2 Ethernet data port or a Layer 2 EtherChannel
(port-channel) group on the ACE.
The following procedure describes how to configure a Gigabit Ethernet interface.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Network > Gigabit Ethernet Interfaces. The
GigabitEthernet Interfaces table appears.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-5
Chapter 10
Configuring Network Access
Configuring Gigabit Ethernet Interfaces
Step 2
Select an existing Gigabit Ethernet interface, and then click Edit to modify it.
Step 3
Enter the Gigabit Ethernet physical interface attributes (see Table 10-2).
Table 10-2
Gigabit Ethernet Physical Interface Attributes
Field
Description
Interface Name
Name of the Gigabit interface, which is the slot_number/port_number where
slot_number is the physical slot on the ACE for the specified port, and
port_number is the physical Ethernet data port on the ACE for the specified
port.
Description
Enter a brief description for this interface.
Admin Status
Indicate whether you want the interface to be Up or Down.
Speed
Specifies the port speed, which can be
Duplex
•
Auto—Autonegotiate with other devices
•
10 Mbps
•
100 Mbps
•
1000 Mbps
Specifies an interface duplex mode, which can be:
•
Auto—Resets the specified Ethernet port to automatically negotiate port
speed and duplex of incoming signals. This is the default setting.
•
Half—Configures the specified Ethernet port for half-duplex operation.
A half-duplex setting ensures that data only travels in one direction at any
given time.
•
Full—Configures the specified Ethernet port for full-duplex operation,
which allows data to travel in both directions at the same time.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-6
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Gigabit Ethernet Interfaces
Table 10-2
Gigabit Ethernet Physical Interface Attributes (continued)
Field
Description
Port Operation Mode
Specifies the port operation mode, which can be:
•
N/A—Indicates that this option is not to be used.
•
Channel Group—Specifies to map the port to a port channel. You must
specify
– Port Channel Group Number—Specify the port channel group
number
– Fault Tolerant VLAN—Specify the fault tolerant (FT) VLAN used
for communication between the members of the FT group.
•
Switch Port—Specifies the interface switchport type:
– Access —Specifies that the port interface is an access port. You must
specify a VLAN as an access port in the Access VLAN field.
– Trunk—Specifies that the port interface is a trunk port. When you
select Trunk, you must complete only one of the following fields:
Trunk Native VLAN—Identifies the 802.1Q native VLAN for a
trunk.
Trunk Allowed VLANs—Selectively allocate individual VLANs to
a trunk link.
Fault Tolerant VLAN
Specifies the fault tolerant (FT) VLAN used for communication between the
members of the FT group.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-7
Chapter 10
Configuring Network Access
Configuring Gigabit Ethernet Interfaces
Table 10-2
Gigabit Ethernet Physical Interface Attributes (continued)
Field
Description
Carrier Delay
Adds a configurable delay at the physical port level to address any issues with
transition time, based on the variety of peers. Valid values are 0 to 120
seconds. The default is 0 (no carrier delay).
Note
QoS Trust COS
If you connect an ACE to a Catalyst 6500 series switch, your
configuration on the Catalyst may include the Spanning-Tree
Protocol (STP). However, the ACE does not support STP. In this case,
you may find that the Layer 2 convergence time is much longer than
the physical port up time. For example, the physical port would
normally be up within 3 seconds, but STP moving to the forward state
may need approximately 30 seconds. During this transitional time,
although the ACE declares the port to be up, the traffic will not pass.
In this case, specify a carrier delay.
Enables Quality of Service (QoS) for the physical Ethernet port. By default,
QoS is disabled for each physical Ethernet port on the ACE.
QoS for a configured physical Ethernet port based on VLAN Classes of
Service (CoS) bits (priority bits that segment the traffic in eight different
classes of service). When you enable QoS on a port (a trusted port), traffic is
mapped into different ingress queues based on their VLAN CoS bits. If there
are no VLAN CoS bits, or QoS is not enabled on the port (untrusted port), the
traffic is then mapped into the lowest priority queue.
You can enable QoS for an Ethernet port configured for fault tolerance. In this
case, heartbeat packets are always tagged with COS bits set to 7 (a weight of
High).
Note
Step 4
Step 5
We recommend that you enable QoS on the FT VLAN port to provide
higher priority for FT traffic.
Do the following:
•
Click Deploy Now to save your entries and to return to the Physical Interface table.
•
Click Cancel to exit the procedure without saving your changes and to return to the Physical
Interface table.
•
Click Next or Previous to go to the next or previous physical channel.
•
Click Delete to remove this entry from the Physical Interface table and to return to the table.
(Optional) To display statistics and status information for a particular Gigabit Ethernet interface, choose
the interface from the GigabitEthernet Interfaces table, and click Details.
The show interface gigabitEthernet CLI command output appears. See the “Displaying Gigabit
Ethernet Interface Statistics and Status Information” section on page 10-9 for details.
Related Topics
•
Configuring Virtual Context VLAN Interfaces, page 10-10
•
Configuring Virtual Context BVI Interfaces, page 10-23
•
Configuring Virtual Context Static Routes, page 10-34
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-8
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Gigabit Ethernet Interfaces
Displaying Gigabit Ethernet Interface Statistics and Status Information
You can display statistics and status information for a particular Gigabit Ethernet interface.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Network > GigabitEthernet Interfaces.
The GigabitEthernet Interfaces table appears.
Step 2
In the GigabitEthernet Interfaces table, choose a Gigabit Ethernet interface from the GigabitEthernet
Interfaces table, and click Details.
The show interface gigabitEthernet CLI command output appears. For details on the displayed output
fields, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
Step 3
(Optional) Click Update Details to refresh the display.
Step 4
Click Close to return to the GigabitEthernet Interfaces table.
Related Topic
•
Configuring Gigabit Ethernet Interfaces, page 10-5
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-9
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Configuring Virtual Context VLAN Interfaces
The ACE Appliance Device Manager uses class maps and policy maps to classify (filter) traffic and to
direct it to different contexts. A virtual context uses VLANs to receive packets classified for that context.
Note
When you create a new VLAN interface for a virtual context, you can configure one or more VLAN
interfaces in any user context before you assign those VLAN interfaces to the associated user contexts
in a virtual context through the Allocate-Interface VLANs field (see the “Creating Virtual Contexts”
section on page 4-2).
Use this procedure to configure VLAN interfaces for virtual contexts.
Procedure
Step 1
To configure a virtual context, select Config > Virtual Contexts > context > Network > VLAN
Interfaces. The VLAN Interface table appears.
Step 2
Click Add to add a new VLAN interface, or select an existing VLAN interface, and then click Edit to
modify it.
Note
Step 3
If you click Edit, not all of the fields can be modified.
Enter the VLAN interface attributes (see Table 10-3). Click More Settings to access the additional
VLAN interface attributes. By default, ACE appliance Device Manager hides the default VLAN
interface attributes and the VLAN interface attributes which are not commonly used.
Note
If you create a fault-tolerant VLAN, do not use it for any other network traffic.
Table 10-3
VLAN Interface Attributes
Field
Description
VLAN
Either accept the automatically incremented entry or enter a different
value. Valid entries are integers from 2 to 4094.
Description
Enter a brief description for this interface.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-10
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Table 10-3
VLAN Interface Attributes (continued)
Field
Description
Interface Type
Select the role of the virtual context in the network topology of the
VLAN interface:
•
Routed—In a routed topology, the ACE virtual context acts as a
router between the client-side network and the server-side network.
In this topology, every real server for the application must be routed
through the ACE virtual context, either by setting the default
gateway on each real server to the virtual contexts server-side
VLAN interface address, or by using a separate router with
appropriate routes configured between the ACE virtual context and
the real servers.
Note
IP Address
A routed VLAN interface can support both IPv4 and IPv6
addresses at the same time.
•
Bridged—In a bridged topology, the ACE virtual context bridges
two VLANs, a client-side VLAN and a real-server VLAN, on the
same subnet using a bridged virtual interface (BVI). In this case, the
real server routing does not change to accommodate the ACE
virtual context. Instead, the ACE virtual context becomes a “bump
in the wire” that transparently handles traffic to and from the real
servers.
•
Unknown—Choose Unknown if you are unsure of the network
topology of the VLAN interface.
Enter the IPv4 address assigned to this interface. This address must be
a unique IP address that is not used in another context. Duplicate IP
addresses in different contexts are not supported.
If this interface is only used for IPv6 traffic, entering an IPv4 address is
optional.
Alias IP Address
Enter the IPv4 address of the alias this interface is associated with.
Peer IP Address
Netmask
Enter the IPv4 address of the remote peer.
Select the subnet mask to be used.
Admin Status
Indicate whether you want the interface to be Up or Down.
Enable MAC Sticky
Check the check box to indicate that the ACE appliance is to convert
dynamic MAC addresses to sticky secure MAC addresses and add this
information to the running configuration.
Clear the check box to indicate that the ACE appliance is not to convert
dynamic MAC addresses to sticky secure MAC addresses.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-11
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Table 10-3
VLAN Interface Attributes (continued)
Field
Description
Enable Normalization
Check the check boxes to indicate that normalization is to be enabled on
this interface for IPv4, IPv6, or both.
Clear the check box to indicate that normalization is to be disabled on
this interface.
Caution
Enable IPv6
Disabling normalization may expose your ACE appliance and
network to potential security risks. Normalization protects
your networking environment from attackers by enforcing
strict security policies that are designed to examine traffic for
malformed or malicious segments.
Check the check box to enable IPv6 on this interface. By default, IPv6
is disabled. The interface cannot be in bridged mode. When you enable
IPv6, the ACE automatically does the following:
•
Configures a link-local address (if not previously configured)
•
Performs duplicate address detection (DAD)
Clear the check box to indicate that IPv6 is disabled on this interface.
IPv6 Global Address
A global address is an IPv6 unicast address that is used for general IPv6
communication. Each global address is unique across the entire Internet.
Therefore, its scope is global. The low order 64 bits can be assigned in
several ways, including autoconfiguration using the EUI-64 format. You
can configure only one globally unique IPv6 address on an interface.
When you configure a global IPv6 address on an interface, the ACE
automatically does the following:
IPv6 Address
•
Configures a link-local address (if not previously configured)
•
Performs duplicate address detection (DAD) on both addresses
To configure an IPv6 global address on an interface, enter a complete
IPv6 address with a prefix of 2000::/3 to 3fff::/3. For example, enter
2001:DB8:1::0.
Check the EUI-64 box to specify that the low order 64 bits are
automatically generated in the IEEE 64-bit Extended Unique Identifier
(EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix
Length field must be less than or equal to 64 and the host segment must
be all zeros.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-12
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Table 10-3
VLAN Interface Attributes (continued)
Field
Description
Alias IPv6 Address
When you configure redundancy with active and standby ACEs, you can
configure a VLAN interface that has an alias global IPv6 address that is
shared between the active and standby ACEs. The alias IPv6 address
serves as a shared gateway for the two ACEs in a redundant
configuration. You can configure only one alias global IPv6 address on
an interface.
To configure an IPv6 alias global address, enter a complete IPv6 address
with a prefix of 2000::/3 to 3fff::/3. For example, enter 2001:DB8:1::0.
Note
Peer IPv6 Address
You must configure redundancy (fault tolerance) on the ACE
for the alias global IPv6 address to work.
To configure an IPv6 peer global address, enter a complete IPv6 address
with a prefix of 2000::/3 to 3fff::/3. For example, enter 2001:DB8:1::0.
Check the EUI-64 box to specify that the low order 64 bits are
automatically generated in the IEEE 64-bit Extended Unique Identifier
(EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix
Length field must be less than or equal to 64 and the host segment must
be all zeros.
Note
The IPv6 peer global address must be unique across multiple
contexts on a shared VLAN.
Check the EUI-64 box to specify that the low order 64 bits are
automatically generated in the IEEE 64-bit Extended Unique Identifier
(EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix
Length field must be less than or equal to 64 and the host segment must
be all zeros.
Prefix Length
Enter the prefix length for all global addresses to specify how many of
the most significant bits (MSBs) are used for the network identifier.
Enter an integer from 3 to 127. If you use the optional EUI-64 check box
for the global and peer addresses, the prefix must be less than or equal
to 64.
IPv6 Unique-Local Address A unique local address is an optional IPv6 unicast address that is used
for local communication within an organization and it is similar to a
private IPv4 address (for example, 10.10.2.1). Unique local addresses
have a global scope, but they are not routable on the internet, and they
are assigned by a central authority. All unique local addresses have a
predefined prefix of FC00::/7. You can configure only one IPv6 unique
local address on an interface.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-13
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Table 10-3
VLAN Interface Attributes (continued)
Field
IPv6 Address
Description
To configure a unique local address, enter a complete IPv6 address with
an FC00::/7 prefix in the first field. In the second field after the /, enter
the prefix length to specify how many of the most significant bits
(MSBs) are used for the network identifier.
Check the EUI-64 box to specify that the low order 64 bits are
automatically generated in the IEEE 64-bit Extended Unique Identifier
(EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix
Length field must be less than or equal to 64 and the host segment must
be all zeros.
IPv6 Peer Address
In a redundant configuration, you can configure an IPv6 peer unique
local address on the active that is synchronized to the standby ACE. You
can configure only one peer unique local IPv6 address on an interface.
To configure a peer unique local address, enter a complete IPv6 address
with an FC00::/7 prefix in the first field. In the second field after the /,
enter the prefix length to specify how many of the most significant bits
(MSBs) are used for the network identifier.
Note
The IPv6 peer unique local address must be unique across
multiple contexts on a shared VLAN.
Check the EUI-64 box to specify that the low order 64 bits are
automatically generated in the IEEE 64-bit Extended Unique Identifier
(EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix
Length field must be less than or equal to 64 and the host segment must
be all zeros.
Prefix Length
IPv6 Link-Local Address
Enter the prefix length for all unique-local addresses to specify how
many of the most significant bits (MSBs) are used for the network
identifier. Enter an integer from 7 to 127. If you use the optional EUI-64
check box for the global and peer addresses, the prefix must be less than
or equal to 64.
By default, when you enable IPv6 or configure a global IPv6 address on
an interface, the ACE automatically creates a link local address for it.
Every link local address must have a predefined prefix of FE80::/10.
You can configure only one IPv6 link local address on an interface. This
address always has the prefix of 64.
To manually configure the link local address, enter a complete IPv6
address with an FE80::/10 prefix in this field. For example, enter
FE80:DB8:1::1.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-14
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Table 10-3
VLAN Interface Attributes (continued)
Field
Description
IPv6 Peer Link-Local
Address
In a redundant configuration, you can configure an IPv6 peer link local
address for the standby ACE. You can configure only one peer link local
address on an interface.
To configure the peer link local address, enter a complete IPv6 address
with an FE80::/10 prefix in this field.
Note
The IPv6 peer link local address must be unique across multiple
contexts on a shared VLAN.
More Settings
Enable ICMP Guard
Check the IPv4, IPv6 or both check boxes to indicate that ICMP Guard
is to be enabled on the ACE appliance. Clear the check boxes to indicate
that ICMP Guard is not to be enabled on ACE appliance.
Caution
Enable DHCP Relay
Disabling ICMP security checks may expose your ACE
appliance and network to potential security risks. When you
disable ICMP Guard, the ACE appliance no longer performs
NAT translations on the ICMP header and payload in error
packets, which can potentially reveal real host IP addresses to
attackers.
Check the IPv4, IPv6 or both check boxes to indicate that the ACE
appliance is to accept DHCP requests from clients on this interface and
to enable the DHCP relay agent.
Clear the check boxes to indicate that the ACE appliance is not to accept
DHCP requests or enable the DHCP relay agent.
Reverse Path Forwarding
(RPF)
Check the IPv4, IPv6 or both check boxes to indicate that the ACE
appliance is to discard IP packets if no reverse route is found or if the
route does not match the interface on which the packets arrived.
Clear the check boxes to indicate that the ACE appliance is not to filter
or discard packets based on the ability to verify the source IP address.
Reassembly Timeout
(Seconds)
Max. Fragment Chains
Allowed
Enter the number of seconds that the ACE appliance is to wait before it
abandons the fragment reassembly process if it doesn’t receive any
outstanding fragments for the current fragment chain (that is, fragments
belonging to the same packet).
•
For IPv4, valid entries are 1 to 30 seconds. The default is 5.
•
For IPv6, valid entries are 1 to 60 seconds. The default is 60.
Enter the maximum number of fragments belonging to the same packet
that the ACE appliance is to accept for reassembly.
For IPv4 and IPv6, valid entries are 1 to 256. The default is 24.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-15
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Table 10-3
VLAN Interface Attributes (continued)
Field
Description
Min. Fragment MTU Value
Enter the minimum fragment size that the ACE appliance accepts for
reassembly for a VLAN interface.
Action For IP Header
Options
•
For IPv4, valid entries are 28 to 9216 bytes. The default is 576.
•
For IPv6, valid entries are 56 to 9216 bytes. The default is 1280.
Select the IPv4, IPv6 or both action the ACE appliance is to take when
an IP option is set in a packet:
•
Allow—Indicates that the ACE appliance is to allow the IP packet
with the IP options set.
•
Clear—Indicates that the ACE appliance is to clear all IP options
from the packet and to allow the packet.
•
Clear-Invalid—Indicates that the ACE appliance is to clear the
invalid IP options from the packet and then allow the packet. This
action is the default for IPv4.
•
Drop—Indicates that the ACE appliance is to discard the packet
regardless of any options that are set. This action is the default for
IPv6.
Enable MAC Address
Autogenerate
Allows you to configure a different MAC address for the VLAN
interface.
Min. TTL IP Header Value
Enter the minimum number of hops a packet is allowed to reach its
destination. Valid entries are integers from 1 to 255. This field is
applicable for IPv4 and IPv6 traffic.
Each router along the packet’s path decrements the TTL by one. If the
packet’s TTL reaches zero before the packet reaches its destination, the
packet is discarded.
MTU Value
Enter number of bytes for Maximum Transmission Units (MTUs). Valid
entries are integers from 68 to 9216, and the default is 1500.
Enable Syn Cookie
Threshold Value
Embryonic connection threshold above which the ACE applies
SYN-cookie DoS protection. Valid entries are integers from 1 to 65535.
Action For DF Bit
Indicate how the ACE appliance is to handle a packet that has it DF
(Don’t Fragment) bit set in the IP header:
•
Allow—Indicates that the ACE appliance is to permit the packet
with the DF bit set. If the packet is larger than the next-hop MTU,
ACE appliance discards the packet and sends an ICMP unreachable
message to the source host.
•
Clear—Indicates that the ACE appliance is to clear the DF bit and
permit the packet. If the packet is larger than the next-hop MTU, the
ACE appliance fragments the packet.
The default is Allow.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-16
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Table 10-3
VLAN Interface Attributes (continued)
Field
ARP Inspection Type
Description
By default, ARP inspection is disabled on all interfaces, allowing all
ARP packets through the ACE. When you enable ARP inspection, the
ACE appliance uses the IPv4 address and interface ID (ifID) of an
incoming ARP packet as an index into the ARP table. ARP inspection
operates only on ingress bridged interfaces.
ARP inspection prevents malicious users from impersonating other
hosts or routers, known as ARP spoofing. ARP spoofing can enable a
“man-in-the-middle” attack. For example, a host sends an ARP request
to the gateway router. The gateway router responds with the gateway
router MAC address.
Note
If ARP inspection fails, then the ACE does not perform source
MAC validation.
The options are as follows:
UDP Config Commands
•
N/A—ARP inspection is disabled.
•
Flood—Enables ARP forwarding of nonmatching ARP packets.
The ACE appliance forwards all ARP packets to all interfaces in the
bridge group. This is the default setting. In the absence of a static
ARP entry, this option bridges all packets.
•
No-flood—Disables ARP forwarding for the interface and drops
nonmatching ARP packets. In the absence of a static ARP entry, this
option does not bridge any packets.
Select the UDP boost command:
•
N/A—not applicable
•
IP Destination Hash—Performs destination IP hash during
connection.
•
IP Source Hash—Performs source IP hash during connection
lookup.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-17
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Table 10-3
VLAN Interface Attributes (continued)
Field
Description
Secondary IP Groups
This option appears only when Interface Type is set to Routed.
Enter a maximum of four secondary IP groups for the VLAN. The IP,
alias IP, and peer IP addresses of each Secondary IP Group should be in
the same subnet.
Note
You cannot configure secondary IP addresses on FT VLANs.
To create up to four secondary IP groups for the VLAN, do the
following:
a.
Define one or more of the following secondary IP address types:
– IP—Secondary IP address assigned to this interface.The
primary address must be active for the secondary address to be
active.
– AliasIP—Secondary IP address of the alias associated with this
interface.
– PeerIP—Secondary IP address of the remote peer.
– Netmask—Secondary subnet mask to be used.
The ACE has a system limit of 1,024 for each secondary IP address
type.
Input Policies
b.
Click Add to selection (right arrow) to add the group to the group
display area.
c.
Repeat Steps 1 and 2 for each additional group.
d.
(Optional) Rearrange the order in which the groups are listed by
selecting one of the group listings in the group display area and
click either Move item up in list (up arrow) or Move item down in
list (down arrow). Note that the ACE does not care what order the
groups are in.
e.
(Optional) Edit a group or remove it from the list by selecting the
desired group in the group display area and click Remove from
selection (left arrow).
From the Available list, double-click the policy map name that is
associated with this VLAN interface or use the right arrow to move it to
the Selected list. This policy map is to be applied to the inbound
direction of the interface; that is, all traffic received by this interface.
If you choose more than one policy map, use the Up and Down arrows
to choose the priority of the policy map in the Selected list. These
arrows modify the order of the policy maps for new VLANs only; they
do not modify the policy map order when editing an existing policy
map.
Input Access Group
From the Available list, double-click an ACL name for the ACL input
access group to be associated with this VLAN interface or use the right
arrow to move it to the Selected list. Any ACL group listed in the
Selected list specifies that this access group is to be applied to the
inbound direction of the interface.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-18
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Table 10-3
VLAN Interface Attributes (continued)
Field
Description
Output Access Group
From the Available list, double-click an ACL name for the ACL output
access group that is associated with this VLAN interface or use the right
arrow to move it to the Selected list. Any ACL group listed in the
Selected list specifies that this access group is to be applied to the
outbound direction of the interface; that is, all traffic sent by this
interface.
Static ARP Entry (IP/MAC
Address)
For the Static ARP entry, do the following:
a.
In the ARP IP Address field, enter the IP address. This field accepts
IPv4 addresses only.
b.
In the ARP MAC Address field, enter the hardware MAC address for
the ARP table entry (for example, 00.02.9a.3b.94.d9).
c.
When completed, use the right arrow to move the static ARP entry
to the list box. Use the Up and Down arrows to choose the priority
of the static ARP entry in the list box. These arrows modify the
order of the static ARPs for new VLANs only; they do not modify
the static ARP order when editing an existing policy map.
DHCP Relay Configuration
Enter the IPv4 address of the DHCP server to which the DHCP relay
agent is to forward client requests. Enter the IP address in dotted-decimal
notation, such as 192.168.11.2.
IPv6 Forward Interface
VLAN
Enter the VLAN to forward all received client requests with destination
being the IPv6 DHCP address configured in the IPv6 DHCP Relay
Configuration field.
IPv6 DHCP Relay
Configuration
Enter the IPv6 address for the DHCP server where the DHCP relay
agent forwards client requests.
Select the VLAN when the server address is a link local address.
Note
Managed-Config
When you enter a DHCPv6 server global IPv6 address, a VLAN
is not required.
Check the check box to indicate that the interface use the stateful
autoconfiguration mechanism to configure IPv6 addresses.
Clear the check box to indicate that the interface does not use the
stateful autoconfiguration mechanism to configure IPv6 addresses.
Other-Config
Check the check box to indicate that the interface use the stateful
autoconfiguration mechanism to configure parameters other than IPv6
addresses.
Clear the check box to indicate that the interface does not use the
stateful autoconfiguration mechanism to configure parameters other
than IPv6 addresses.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-19
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Table 10-3
VLAN Interface Attributes (continued)
Field
Description
NS Interval
The ACE sends neighbor solicitation messages through ICMPv6 on the
local link to determine the IPv6 addresses of nearby nodes (hosts or
routers). You can configure the rate at which the ACE sends these
neighbor solicitation messages.
By default, the interval at which the ACE sends NS messages for DAD
default is 1000 milliseconds (msecs). To configure the interval, enter an
integer from 1000 to 2147483647.
NS Reachable Time
The neighbor solicitation reachable time is the time period in
milliseconds during which a host considers the peer is reachable after a
reachability confirmation from the peer. A reachability confirmation
can include neighbor solicitation or advertisement, or any upper
protocol traffic.
By default, this time period is 0 milliseconds. To configure this time,
enter an integer from 0 to 3600000.
Retransmission time
By default, the advertised retransmission time is 0 milliseconds.
To configure the retransmission time, enter an integer from 0 to
3600000.
DAD Attempts
By default, the number of attempts for sending duplicate address
detection (DAD) is 1.
To configure the DAD attempts, enter an integer from 0 to 255.
RA Hop Limit
By default, the hop limit that neighbors should use when originating
IPv6 packets is 64. To configure the hop limit in the IPv6 header, enter
an integer from 0 to 255.
RA Lifetime
The router advertisement (RA) lifetime is the length of time that
neighboring nodes should consider the ACE as the default router before
they send RS messages again.
By default, this length of time is 1800 seconds (30 minutes). To
configure the RA lifetime, enter an integer from 0 to 9000.
RA Interval
By default, the rate at which the ACE sends RA messages is
600 seconds. To configure the rate, enter an integer from 4 to 1800. This
interval must not exceed the RA lifetime.
Suppress RA
By default, the ACE automatically responds to RS messages that it
receives from neighbors with RA messages that include, for example,
the network prefix. You can instruct the ACE to not respond to RS
messages.
Check the check box to instruct the ACE to not respond to RS messages.
The ACE also stops periodic unsolicited RAs that it sends at the RA
interval.
Clear the check box to reset the default behavior of automatically
responding to RS messages.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-20
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Table 10-3
VLAN Interface Attributes (continued)
Field
Description
IPv6 Routing Prefix
Advertisement
Click the Add button to configure the IPv6 prefixes that the ACE
advertises in RA messages on the local link.
IPv6 Address/Prefix
Length
To configure IPv6 address advertised in the RA messages, enter a
complete IPv6 address in the first field. In the second field after the /,
enter the prefix length to specify how many of the most significant bits
(MSBs) are used for the network identifier.
No Advertisements
Check the check box to indicate that the route prefix is not advertised.
Clear the check box to indicate that the route prefix is advertised.
Lifetime
Configure the prefix lifetime attributes as follows:
•
Lifetime Duration:
– Valid Lifetime—By default, the prefix lifetime is 2592000
seconds (30 days). To configure the prefix lifetime in seconds,
enter an integer from 0 to 2147183647.
Select Infinite to indicate that the prefix never expires.
– Preferred Lifetime—By default, the prefix lifetime is 604800
seconds (10 days).To configure how long an IPv6 address
remains preferred in seconds, enter an integer from 0 to
2147183647. This lifetime must not exceed the Valid Lifetime.
Select Infinite to indicate that the preferred lifetime never
expires.
•
Lifetime Expiration Date:
– Valid Month/Day/Year/Time—Valid lifetime expiration date
and time.
– Preferred Month/Day/Year/Time—Preferred lifetime
expiration date and time.
Use the drop-down lists to select a day, month, and year. To specify
the time, use the hh:mm format.
Off-link:
This option appears when you enter a Preferred Lifetime field.
Check this check box to indicate that the route prefix is on a different
subnet for a router to route to it.
Clear the check box to indicate that the route prefix is on the same
subnet for a router to route to it.
No-autoconfig
This option appears when you enter a Preferred Lifetime field.
Check this check box to indicate to the host that it cannot use this prefix
when creating an stateless IPv6 address.
Clear the check box to indicate to the host that it can use this prefix
when creating an stateless IPv6 address.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-21
Chapter 10
Configuring Network Access
Configuring Virtual Context VLAN Interfaces
Step 4
Step 5
Do the following:
•
Click Deploy Now to save your entries and to return to the VLAN Interface table.
•
Click Cancel to exit the procedure without saving your changes and to return to the VLAN Interface
table.
(Optional) To display statistics and status information for a VLAN interface, choose the VLAN interface
from the VLAN Interface table, and then click Details.
The show interface vlan CLI command output appears. See the “Displaying VLAN Interface Statistics
and Status Information” section on page 10-23 for details.
Related Topic
•
Viewing All VLAN Interfaces, page 10-22
Viewing All VLAN Interfaces
Use this procedure to view all VLAN interfaces.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Network > VLAN Interfaces.
The VLAN Interface table appears listing all VLAN interfaces for the selected virtual context with the
information shown in Table 10-4.
Table 10-4
VLAN Interface Fields
Field
Description
VLAN
Name of the interface.
Description
Description for this interface.
Interface Type
Role of the virtual context in the network topology of the VLAN interface:
Routed, Bridged, or Unknown.
IP Address
IP address assigned to this interface including the netmask for an IPv4
address or a prefix length for an IPv6 address.
This table does not display the IPv6 link-local, unique-local, and multicast
addresses for the interface. To display these addresses, click Details to
display the output for the show ipv6 vlan command.
IPv6 Config Status
The status whether IPv6 is enabled or disabled on the interface.
Admin Status
The status of the interface, which can be Up or Down.
Operational Status
Operational state of the ACE (Up or Down).
Last Polled
Date and time of the last time that DM polled the ACE to display the current
values.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-22
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Virtual Context BVI Interfaces
Related Topic
•
Configuring Virtual Context VLAN Interfaces, page 10-10
Displaying VLAN Interface Statistics and Status Information
You can display statistics and status information for a particular VLAN interface.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Network > VLAN Interfaces.
The VLAN Interfaces table appears.
Step 2
Choose a VLAN interface from the VLAN Interfaces table, and click Details.
The show interface vlan, show ipv6 vlan, and show ipv6 neighbors CLI commands appears. Click on
the command to display its output. For details on the displayed output fields, see the Routing and
Bridging Guide, Cisco ACE Application Control Engine.
Step 3
Click Close to return to the VLAN Interfaces table.
Related Topics
•
Configuring Virtual Context VLAN Interfaces, page 10-10
Configuring Virtual Context BVI Interfaces
The ACE Appliance Device Manager supports virtual contexts containing Bridge-Group Virtual
Interfaces (BVI). Use this procedure to configure BVI interfaces for virtual contexts.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Network > BVI Interfaces.
The BVI Interface tables appears.
Step 2
Click Add to add a new BVI interface, or select an existing BVI interface, and then click Edit to modify
it.
Note
Step 3
If you click Edit, not all of the fields can be modified.
Enter the interface attributes (see Table 10-5).
Table 10-5
BVI Interface Attributes
Field
Description
BVI
Either accept the automatically incremented entry or enter a different,
unique value. Valid entries are integers from 1 to 4094.
Description
Enter a brief description for this interface.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-23
Chapter 10
Configuring Network Access
Configuring Virtual Context BVI Interfaces
Table 10-5
BVI Interface Attributes (continued)
Field
Description
IP Address
Enter the IPv4 address assigned to this interface. This address must be a
unique IP address that is not used in another context. Duplicate IP
addresses in different contexts are not supported.
Note
If this interface is only used for IPv6 traffic, entering an IPv4
address is optional.
Alias IP Address
Enter the IPv4 address of the alias this interface is associated with.
Peer IP Address
Netmask
Enter the IPv4 address of the remote peer.
Enable MAC Address
Autogenerate
Admin Status
Allows you to configure a different MAC address for the BVI interface.
Secondary IP Groups
(Optional) Enter a maximum of four secondary IP groups for the BVI.
Select the subnet mask to be used.
Indicate whether you want the interface to be Up or Down.
To create up to four secondary IP groups for this BVI, do the following:
a.
Define one or more of the following secondary IP address types:
– IP—Secondary IP address assigned to this interface.The
primary address must be active for the secondary address to be
active.
– AliasIP—Secondary IP address of the alias associated with this
interface.
– PeerIP—Secondary IP address of the remote peer.
– Netmask—Secondary subnet mask to be used.
The ACE has a system limit of 1,024 for each secondary IP address
type.
b.
Click Add to selection (right arrow) to add the group to the group
display area.
c.
Repeat Steps 1 and 2 for each additional group.
d.
(Optional) Rearrange the order in which the groups are listed by
selecting one of the group listings in the group display area and
click either Move item up in list (up arrow) or Move item down in
list (down arrow). Note that the ACE does not care what order the
groups are in.
e.
(Optional) Edit a group or remove it from the list by selecting the
desired group in the group display area and click Remove from
selection (left arrow).
First VLAN
Enter the first VLAN whose bridge group is to be configured with this
BVI. This VLAN can be the server or client VLAN. Valid entries are
from 2 to 4094.
First VLAN Description
Enter a brief description for the first VLAN.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-24
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Virtual Context BVI Interfaces
Table 10-5
BVI Interface Attributes (continued)
Field
Second VLAN
Description
Second VLAN Description
Enter a brief description for the second VLAN.
Enable IPv6
Check the check box to enable IPv6 on this interface. By default, IPv6
is disabled. The interface cannot be in bridged mode. When you enable
IPv6, the ACE automatically does the following:
Enter the second VLAN whose bridge group is to be configured with
this BVI. This VLAN can be the server or client VLAN. Valid entries
are from 2 to 4094.
•
Configures a link-local address (if not previously configured)
•
Performs duplicate address detection (DAD) on both addresses
Clear the check box to indicate that IPv6 is disabled on this interface.
IPv6 Global Address
A global address is an IPv6 unicast address that is used for general IPv6
communication. Each global address is unique across the entire Internet.
Therefore, its scope is global. The low order 64 bits can be assigned in
several ways, including autoconfiguration using the EUI-64 format. You
can configure only one globally unique IPv6 address on an interface.
When you configure a global address, the ACE automatically does the
following:
IPv6 Address
•
Configures a link-local address (if not previously configured)
•
Performs duplicate address detection (DAD) on both addresses
To configure an IPv6 global address on an interface, enter a complete
IPv6 address with a prefix of 2000::/3 to 3fff::/3. For example, enter
2001:DB8:1::0.
Check the EUI-64 box to specify that the low order 64 bits are
automatically generated in the IEEE 64-bit Extended Unique Identifier
(EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix
Length field must be less than or equal to 64 and the host segment must
be all zeros.
Alias IPv6 Address
When you configure redundancy with active and standby ACEs, you can
configure a VLAN interface that has an alias global IPv6 address that is
shared between the active and standby ACEs. The alias IPv6 address
serves as a shared gateway for the two ACEs in a redundant
configuration. You can configure only one alias global IPv6 address on
an interface.
To configure an IPv6 alias global address, enter a complete IPv6 address
with a prefix of 2000::/3 to 3fff::/3. For example, enter 2001:DB8:1::0.
Note
You must configure redundancy (fault tolerance) on the ACE for
the alias global IPv6 address to work.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-25
Chapter 10
Configuring Network Access
Configuring Virtual Context BVI Interfaces
Table 10-5
BVI Interface Attributes (continued)
Field
Peer IPv6 Address
Description
To configure an IPv6 peer global address, enter a complete IPv6 address
with a prefix of 2000::/3 to 3fff::/3. For example, enter 2001:DB8:1::0.
Check the EUI-64 box to specify that the low order 64 bits are
automatically generated in the IEEE 64-bit Extended Unique Identifier
(EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix
Length field must be less than or equal to 64 and the host segment must
be all zeros.
Note
Prefix Length
The IPv6 peer global address must be unique across multiple
contexts on a shared VLAN.
Enter the prefix length for all global addresses to specify how many of
the most significant bits (MSBs) are used for the network identifier.
Enter an integer from 3 to 127. If you use the optional EUI-64 check box
for the global and peer addresses, the prefix must be less than or equal
to 64.
IPv6 Unique-Local Address A unique local address is an optional IPv6 unicast address that is used
for local communication within an organization and it is similar to a
private IPv4 address (for example, 10.10.2.1). Unique local addresses
have a global scope, but they are not routable on the internet, and they
are assigned by a central authority. All unique local addresses have a
predefined prefix of FC00::/7. You can configure only one IPv6 unique
local address on an interface.
IPv6 Address
To configure a unique local address, enter a complete IPv6 address with
an FC00::/7 prefix in the first field. In the second field after the /, enter
the prefix length to specify how many of the most significant bits
(MSBs) are used for the network identifier.
Check the EUI-64 box to specify that the low order 64 bits are
automatically generated in the IEEE 64-bit Extended Unique Identifier
(EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix
Length field must be less than or equal to 64 and the host segment must
be all zeros.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-26
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Virtual Context BVI Interfaces
Table 10-5
BVI Interface Attributes (continued)
Field
Description
Peer IPv6 Address
In a redundant configuration, you can configure an IPv6 peer unique
local address on the active that is synchronized to the standby ACE. You
can configure only one peer unique local IPv6 address on an interface.
To configure a peer unique local address, enter a complete IPv6 address
with an FC00::/7 prefix in the first field. In the second field after the /,
enter the prefix length to specify how many of the most significant bits
(MSBs) are used for the network identifier.
Note
The IPv6 peer unique local address must be unique across
multiple contexts on a shared VLAN.
Check the EUI-64 box to specify that the low order 64 bits are
automatically generated in the IEEE 64-bit Extended Unique Identifier
(EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix
Length field must be less than or equal to 64 and the host segment must
be all zeros.
Prefix Length
Enter the prefix length for all global addresses to specify how many of
the most significant bits (MSBs) are used for the network identifier.
Enter an integer from 7 to 127. If you use the optional EUI-64 check box
for the global and peer addresses, the prefix must be less than or equal
to 64.
IPv6 Link-Local Address
By default, when you enable IPv6 or configure any other valid IPv6
address on an interface, the ACE automatically creates a link local
address for it. Every link local address must have a predefined prefix of
FE80::/10. You can configure only one IPv6 link local address on an
interface. This address always has the prefix of 64.
To manually configure the link local address, enter a complete IPv6
address with an FE80::/10 prefix in this field. For example, enter
FE80:DB8:1::1.
IPv6 Peer Link-Local
Address
In a redundant configuration, you can configure an IPv6 peer link local
address for the standby ACE. You can configure only one peer link local
address on an interface.
To configure the peer link local address, enter a complete IPv6 address
with an FE80::/10 prefix in this field.
Note
The IPv6 peer link local address must be unique across multiple
contexts on a shared VLAN.
More Settings
Managed-Config
Check the check box to indicate that the interface use the stateful
autoconfiguration mechanism to configure IPv6 addresses.
Clear the check box to indicate that the interface does not use the stateful
autoconfiguration mechanism to configure IPv6 addresses.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-27
Chapter 10
Configuring Network Access
Configuring Virtual Context BVI Interfaces
Table 10-5
BVI Interface Attributes (continued)
Field
Description
Other-Config
Check the check box to indicate that the interface use the stateful
autoconfiguration mechanism to configure parameters other than IPv6
addresses.
Clear the check box to indicate that the interface does not use the stateful
autoconfiguration mechanism to configure parameters other than IPv6
addresses.
NS Interval
The ACE sends neighbor solicitation messages through ICMPv6 on the
local link to determine the IPv6 addresses of nearby nodes (hosts or
routers). You can configure the rate at which the ACE sends these
neighbor solicitation messages.
By default, the interval at which the ACE sends NS messages for DAD
default is 1000 milliseconds (msecs). To configure the interval, enter an
integer from 1000 to 2147483647.
NS Reachable Time
The neighbor solicitation reachable time is the time period in
milliseconds during which a host considers the peer is reachable after a
reachability confirmation from the peer. A reachability confirmation can
include neighbor solicitation or advertisement, or any upper protocol
traffic.
By default, this time period is 0 milliseconds. To configure this time,
enter an integer from 0 to 3600000.
Retransmission time
By default, the advertised retransmission time is 0 milliseconds.
To configure the retransmission time, enter an integer from 0 to
3600000.
DAD Attempts
By default, the number of attempts for sending duplicate address
detection (DAD) is 1.
To configure the DAD attempts, enter an integer from 0 to 255.
RA Hop Limit
By default, the hop limit that neighbors should use when originating
IPv6 packets is 64. To configure the hop limit in the IPv6 header, enter
an integer from 0 to 255.
RA Lifetime
The router advertisement (RA) lifetime is the length of time that
neighboring nodes should consider the ACE as the default router before
they send RS messages again.
By default, this length of time is 1800 seconds (30 minutes). To
configure the RA lifetime, enter an integer from 0 to 9000.
RA Interval
By default, the rate at which the ACE sends RA messages is 600
seconds. To configure the rate, enter an integer from 4 to 1800. This
interval must not exceed the RA lifetime.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-28
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Virtual Context BVI Interfaces
Table 10-5
BVI Interface Attributes (continued)
Field
Description
Suppress RA
By default, the ACE automatically responds to RS messages that it
receives from neighbors with RA messages that include, for example,
the network prefix.
Check the check box to instruct the ACE to not respond to RS messages.
The ACE also stops periodic unsolicited RAs that it sends at the RA
interval.
Clear the check box to reset the default behavior of automatically
responding to RS messages.
IPv6 Routing Prefix
Advertisement
Click the Add button to configure the IPv6 prefixes that the ACE
advertises in RA messages on the local link.
IPv6 Address/Prefix
Length
To configure IPv6 address advertised in the RA messages, enter a
complete IPv6 address in the first field. In the second field after the /,
enter the prefix length to specify how many of the most significant bits
(MSBs) are used for the network identifier.
No Advertisements
Check the check box to indicate that the route prefix is not advertised.
Clear the check box to indicate that the route prefix is advertised.
Lifetime
Configure the prefix lifetime attributes as follows:
•
Lifetime Duration:
– Valid Lifetime—By default, the prefix lifetime is 2592000
seconds (30 days). To configure the prefix lifetime in seconds,
enter an integer from 0 to 2147183647.
Select Infinite to indicate that the prefix never expires.
– Preferred Lifetime—By default, the prefix lifetime is 604800
seconds (10 days).To configure how long an IPv6 address
remains preferred in seconds, enter an integer from 0 to
2147183647. This lifetime must not exceed the Valid Lifetime.
Select Infinite to indicate that the preferred lifetime never
expires.
•
Lifetime Expiration Date:
– Valid Month/Day/Year/Time—Valid lifetime expiration date
and time.
– Preferred Month/Day/Year/Time—Preferred lifetime
expiration date and time.
Use the drop-down lists to select a day, month, and year. To specify
the time, use the hh:mm format.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-29
Chapter 10
Configuring Network Access
Configuring Virtual Context BVI Interfaces
Table 10-5
BVI Interface Attributes (continued)
Field
Description
Off-link:
This option appears when you enter a Preferred Lifetime field.
Check this check box to indicate that the route prefix is on a different
subnet for a router to route to it.
Clear the check box to indicate that the route prefix is on the same
subnet for a router to route to it.
No-autoconfig
This option appears when you enter a Preferred Lifetime field.
Check this check box to indicate to the host that it cannot use this prefix
when creating an stateless IPv6 address.
Clear the check box to indicate to the host that it can use this prefix when
creating an stateless IPv6 address.
Step 4
Step 5
Do the following:
•
Click Deploy Now to save your entries and to return to the BVI Interface table.
•
Click Cancel to exit the procedure without saving your entries and to return to the BVI Interface
table.
To display statistics and status information for a BVI interface, choose the BVI interface from the BVI
Interface table, and click Details.
The show interface bvi, show ipv6 interface bvi, and show ipv6 neighbors CLI commands appear. See
the “Displaying BVI Interface Statistics and Status Information” section on page 10-31 for details.
Related Topics
•
Configuring Network Access, page 10-1
•
Configuring Virtual Context Primary Attributes, page 4-11
•
Configuring Virtual Context VLAN Interfaces, page 10-10
•
Configuring Virtual Context Syslog Logging, page 4-12
•
Configuring Traffic Policies, page 12-1
Viewing All BVI Interfaces by Context
To view all BVI interfaces associated with a specific virtual context, select Config > Virtual Contexts >
context > Network > BVI Interfaces.
The BVI Interface table appears with the information shown in Table 10-6.
Table 10-6
BVI Interface Fields
Field
Description
BVI
Name of the interface.
Description
Description for this interface.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-30
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Virtual Context BVI Interfaces
Table 10-6
BVI Interface Fields
Field
Description
IP Address
IP address assigned to this interface including the netmask for an IPv4
address or a prefix length for an IPv6 address.
IPv6 Config Status
The status whether IPv6 is enabled or disabled on the interface.
Admin Status
The status of the interface, which can be Up or Down.
Operational Status
Operational state of the ACE (Up or Down).
Last Polled Time
Date and time of the last time that DM polled the ACE to display the current
values.
Related Topics
•
Configuring Virtual Context VLAN Interfaces, page 10-10
•
Using Virtual Contexts, page 4-2
•
Configuring Virtual Context Primary Attributes, page 4-11
•
Configuring Virtual Context VLAN Interfaces, page 10-10
•
Configuring Virtual Context Syslog Logging, page 4-12
•
Configuring Traffic Policies, page 12-1
Displaying BVI Interface Statistics and Status Information
You can display statistics and status information for a particular BVI interface by using the Details
button. DM accesses the show interface bvi, show ipv6 interface bvi, and show ipv6 neighbors CLI
commands to display detailed BVI interface information.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Network > BVI Interfaces.
The BVI Interface table appears.
Step 2
In the BVI Interface table, choose a BVI interface from the BVI Interface table, and click Details.
The show interface bvi, show ipv6 interface bvi, and show ipv6 neighbors CLI commands appear.
Click on the command to display its output. For details on the displayed output fields, see the Routing
and Bridging Guide, Cisco ACE Application Control Engine.
Step 3
Click Close to return to the BVI Interface table.
Related Topics
•
Viewing All BVI Interfaces by Context, page 10-30
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-31
Chapter 10
Configuring Network Access
Configuring VLAN Interface NAT Pools and Displaying NAT Utilization
Configuring VLAN Interface NAT Pools and Displaying
NAT Utilization
You can configure Network Address Translation (NAT) pools, which are designed to simplify and
conserve IP addresses. A NAT pool allows private IP networks that use unregistered IP addresses to
connect to the Internet. NAT operates on a router, usually connecting two networks, and translates the
private (not globally unique) addresses in the internal network into legal addresses before the packets
are forwarded to another network.
In addition to creating a NAT pool, you can display the utilization information associated with it.
This section includes the following topics:
•
Configuring VLAN Interface NAT Pools, page 10-32
•
Displaying NAT Pool Utilization, page 10-33
Configuring VLAN Interface NAT Pools
This procedure shows how to configure NAT pools for a VLAN interface.
Guidelines and Restrictions
•
The ACE Appliance Device Manager allows you to configure NAT so that it advertises only one
address for the entire network to the outside world. This effectively hides the entire internal network
behind that address, thereby offering both security and address conservation.
•
Several internal addresses can be translated to only one or a few external addresses by using Port
Address Translation (PAT) in conjunction with NAT. With PAT, you can configure static address
translations at the port level and use the remainder of the IP address for other translations. PAT
effectively extends NAT from one-to-one to many-to-one by associating the source port with each
flow.
•
When server load balancing is IPv6 to IPv4 or IPv4 to IPv6, you must configure source NAT.
Prerequisites
At least one VLAN interface is configured on the ACE (see Configuring Virtual Context VLAN
Interfaces, page 10-10).
Procedure
Step 1
Choose Config > Virtual Contexts > virtual_context > Network > NAT Pools.
The NAT Pools table appears.
Step 2
In the NAT Pools table, click Add to add a new entry. The NAT Pool configuration screen appears.
Step 3
Select the VLAN interface you want to configure a NAT pool.
Step 4
In the NAT Pool Id field, either accept the automatically incremented entry or enter a new number to
uniquely identify this pool. Valid entries are integers from 1 to 2147483647.
Step 5
For the IP Address Type, select either IPv4 or IPv6.
Step 6
In the Start IP Address field, enter an IP address for the selected IP Address Type. This entry identifies
either a single IP address or, if using a range of IP addresses, the first IP address in a range of global
addresses for this NAT pool.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-32
OL-26645-02
Chapter 10
Configuring Network Access
Configuring VLAN Interface NAT Pools and Displaying NAT Utilization
Step 7
In the End IP Address field, enter the highest IP address in a range of global IP addresses for this NAT pool.
Enter the IP address for the selected IP Address Type.
Leave this field blank if you want to identify only the single IP address in the Start IP Address field.
Step 8
In the Netmask field for an IPv4 address, select the subnet mask for the global IP addresses in the NAT pool.
In the Prefix Length field for an IPv6 address, enter the prefix length for the global IP addresses in the
NAT pool.
Step 9
Check the PAT Enabled check box to indicate that the ACE appliance is to perform port address translation
(PAT) in addition to NAT. Clear the check box to indicate that the ACE appliance is not to perform port
address translation (PAT) in addition to NAT.
Step 10
Do the following:
•
Click Deploy Now to save your entries and to return to the NAT Pool table.
•
Click Cancel to exit this procedure without saving your entries and to return to the NAT Pool table.
•
Click Next to save your entries and to add another NAT Pool entry.
Related Topics
•
Configuring VLAN Interface NAT Pools and Displaying NAT Utilization, page 10-32
•
Displaying NAT Pool Utilization, page 10-33
•
Configuring Virtual Context VLAN Interfaces, page 10-10
•
Configuring Virtual Context BVI Interfaces, page 10-23
Displaying NAT Pool Utilization
This procedure shows how to display the utilization of all configured NAT pools on all VLANs.
Procedure
Step 1
Choose Config > Virtual Contexts > virtual_context > Network > NAT Pools.
The NAT Pools table appears.
Step 2
Click Show NAT Pool Utilization.
The show nat-fabric nat-pool-utilization command pop-up window appears, displaying the following
information:
•
Pool ID—Unique NAT pool identifier.
•
NP—ACE network processor to which the NAT is bound.
•
Total/Usage/Utilization (%):
– Total—Number of IP addresses configured in the NAT pool.
– Usage—Number of IP addresses being used.
– Utilization (%)—Percentage of configured IP addresses be used.
•
LowerIP/UpperIP—Lower and upper IP addresses configured in the NAT pool IP address range.
•
Context—Context to which the NAT pool belongs.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-33
Chapter 10
Configuring Network Access
Configuring Virtual Context Static Routes
Step 3
From the pop-up window, do one of the following:
•
Click Update Details to refresh the information displayed.
•
Click Close to close the pop-up window.
Related Topics
•
Configuring VLAN Interface NAT Pools and Displaying NAT Utilization, page 10-32
•
Configuring VLAN Interface NAT Pools, page 10-32
Configuring Virtual Context Static Routes
Admin and user context modes do not support dynamic routing, therefore you must use static routes for
any networks to which the ACE appliance is not directly connected, such as when there is a router
between a network and the ACE appliance.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Network > Static Routes.
The Static Route table appears.
Step 2
To add a static route for this context, click Add.
Note
You cannot modify an existing static route. To make changes to an existing static route, you must
delete the static route and then add it back.
Step 3
For the IP Address Type, select either IPv4 or IPv6 for the route.
Step 4
In the Destination Prefix field, enter the IP address based on the address type (IPv4 or IPv6) for the route.
The address you specify for the static route is the address that is in the packet before entering the ACE
appliance and performing network address translation.
Step 5
In the Destination Prefix Mask field for an IPv4 address, select the subnet to use for this route.
In the Destination Prefix-length field for an IPv6 address, enter the prefix length from 0 to 128 to use
for this route.
Step 6
(IPv6 IP Address Type only) For the Outgoing Interface Type, select one of the following:
•
N/A (Not applicable)
•
VLAN
•
BVI
If you select VLAN or BVI, select its number from the drop down menu. To configure an interface, click
Plus. After configuring it, select its number from the drop down menu.
Step 7
In the Next Hop field, enter the IP address of the gateway router based on the address type (IPv4 or IPv6)
for this route. The gateway address must be in the same network as a VLAN interface for this context.
Step 8
Do the following:
•
Click Deploy Now to save your entries and to return to the Static Route table.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-34
OL-26645-02
Chapter 10
Configuring Network Access
Configuring Global IP DHCP
•
Click Cancel to exit this procedure without saving your entries and to return to the Static Route
table.
•
Click Next to save your entries and to add another static route.
Related Topics
•
Configuring Virtual Contexts, page 4-7
•
Configuring Virtual Context Primary Attributes, page 4-11
•
Managing ACE Appliance Licenses, page 4-29
•
Configuring High Availability, page 11-1
Viewing All Static Routes by Context
Use this procedure to view all static routes associated with a virtual context.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Network > Static Routes.
The Static Route table appears with the following information:
•
Destination prefix address
•
Destination prefix mask or prefix length
•
Next hop IP address
Related Topics
•
Configuring Virtual Context Static Routes, page 10-34
•
Configuring Virtual Context VLAN Interfaces, page 10-10
Configuring Global IP DHCP
DM can configure the DHCP relay agent on the ACE. When you configure the ACE as a DHCP relay
agent, it is responsible for forwarding the requests and responses that are negotiated between the DHCP
clients and the server. By default, the DHCP relay agent is disabled. You must configure a DHCP server
when you enable the DHCP relay agent.
The following steps show you how to configure the DHCP relay agent at the context level so the
configuration applies to all interfaces associated with the context.
Note
The options that appear when you select Config > Virtual Contexts > context depend on the device
associated with the virtual context and the role associated with your account.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
10-35
Chapter 10
Configuring Network Access
Configuring Global IP DHCP
Procedure
Step 1
Choose Config > Virtual Contexts > context > Network > Global IP DHCP. The Global IP DHCP
configuration table appears.
Step 2
For Enable DHCP Relay For The Context, click IPv4, IPv6 or both to enable DHCP relay for the
context and all interfaces associated with this context.
Step 3
Select a relay agent information forwarding policy, as follows:
•
N/A—Specifies to not configure the DHCP relay to identify what is to be performed if a forwarded
message already contains relay information.
•
Keep—Specifies that existing information is left unchanged on the DHCP relay agent.
•
Replace—Specifies that existing information is overwritten on the DHCP relay agent.
Step 4
In the IP DHCP Server field, select the IP DHCP server to which the DHCP relay agent is to forward
client requests.
Step 5
In the IPv6 Forward Interface VLAN field, you can optionally enter the VLAN interface number that
you configured in the IPv6 Forward Interface VLAN field on the interface where the multicast DHCP
relay message is sent.
Step 6
In the IPv6 DHCP server, specify one or more IP DHCP servers and IPv6 addresses to which the DHCP
relay agent is to forward client requests.
Step 7
Click Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.
Related Topics
•
Configuring Virtual Context VLAN Interfaces, page 10-10
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
10-36
OL-26645-02
C H A P T E R
11
Configuring High Availability
This chapter describes how to configure high availability. High Availability (or fault tolerance) uses a
maximum of two ACE appliances to ensure that your network remains operational even if one of the
appliances becomes unresponsive. Redundancy ensures that your network services and applications are
always available.
Note
Redundancy is not supported between an ACE appliance and an ACE module operating as peers.
Redundancy must be of the same ACE device type and software release.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
Related Topics
•
Understanding ACE Redundancy, page 11-2
•
Configuring ACE High Availability, page 11-8
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups, page 11-11
•
Switching Over a High Availability Group, page 11-16
•
Deleting ACE High Availability Groups, page 11-17
•
High Availability Tracking and Failure Detection Overview, page 11-17
•
Tracking VLAN Interfaces for High Availability, page 11-19
•
Tracking Hosts for High Availability, page 11-20
•
Configuring Host Tracking Probes, page 11-21
•
Configuring Peer Host Tracking Probes, page 11-22
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
11-1
Chapter 11
Configuring High Availability
Understanding ACE Redundancy
Understanding ACE Redundancy
Redundancy provides seamless switchover of flows in case an ACE appliance becomes unresponsive or
a critical host or interface fails. Redundancy supports the following network applications that require
fault tolerance:
•
Mission-critical enterprise applications
•
Banking and financial services
•
E-commerce
•
Long-lived flows such as FTP and HTTP file transfers
The following overview topics describe high availability as performed by the ACE appliance:
•
High Availability Polling, page 11-2
•
Redundancy Protocol, page 11-3
•
Stateful Failover, page 11-4
•
Fault-Tolerant VLAN, page 11-5
•
Configuration Synchronization, page 11-5
•
Synchronizing High Availability Configurations with ACE Appliance Device Manager, page 11-6
•
Redundancy Configuration Requirements and Restrictions, page 11-6
Related Topics
•
Configuring ACE High Availability, page 11-8
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups, page 11-11
High Availability Polling
Approximately every two minutes, the ACE appliance Device Manager issues the show ft group
command to the ACE appliance to gather the redundancy statistics of each virtual context. The state
information is displayed in the HA State and HA Peer State fields when you click Config > Virtual
Context. The possible states are as follows:
•
Active—Local member of the FT group is active and processing flows.
•
Standby Cold—Indicates if the FT VLAN is down but the peer device is still alive, or the
configuration or application state synchronization failed. When a context is in this state and a
switchover occurs, the transition to the ACTIVE state is stateless.
•
Standby Bulk—Local standby context is waiting to receive state information from its active peer
context. The active peer context receives a notification to send a snapshot of the current state
information for all applications to the standby context.
•
Standby Hot—Local standby context has all the state information it needs to statefully assume the
active state if a switchover occurs.
•
Standby Warm—Allows the configuration and state synchronization process to continue on a
best-effort basis when you upgrade or downgrade the ACE software.
•
N/A—Indicates that the ACE Device Manager received an empty state from the ACE which can
occur during a transition period between state changes, for example, during a switchover.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
11-2
OL-26645-02
Chapter 11
Configuring High Availability
Understanding ACE Redundancy
Note
When you upgrade or downgrade the ACE from one software version to another, there is a point
in the process when the two ACEs have different software versions and, therefore, a software
incompatibility. When the Standby Warm state appears, this means that the active ACE will
continue to synchronize configuration and state information to the standby even though the
standby may not recognize or understand the software commands or state information. This
standby state allows the standby ACE to come up with best-effort support.
Redundancy Protocol
You can configure a maximum of two ACE appliances (peers) for redundancy. Each peer appliance can
contain one or more fault-tolerant (FT) groups. Each FT group consists of two members: one active
context and one standby context. An FT group has a unique group ID that you assign.
Note
For the replication process to function properly and successfully replicate the configuration for a user
context when switching from the active context to the standby context, ensure that each user context has
been added to the FT group. All applicable user contexts must be part of an FT group for redundancy to
function properly.
One virtual MAC address (VMAC) is associated with each FT group. The format of the VMAC is
00-0b-fc-fe-1b-groupID. Because a VMAC does not change upon switchover, the client and server ARP
tables does not require updating. The ACE selects a VMAC from a pool of virtual MACs available to it.
For more information, see Configuring Virtual Contexts, page 4-7.
Each FT group acts as an independent redundancy instance. When a switchover occurs, the active
member in the FT group becomes the standby member and the original standby member becomes the
active member. A switchover can occur for the following reasons:
•
The active member becomes unresponsive.
•
A tracked host or interface fails.
•
You force a switchover for a high availability group by clicking Switchover in the ACE HA Groups
table (see Switching Over a High Availability Group, page 11-16).
To outside nodes (clients and servers), the active and standby FT group members appear as one node
with respect to their IP addresses and associated VMAC. The ACE provides active-active redundancy
with multiple contexts only when there are multiple FT groups configured on each appliance and both
appliances contain at least one active group member (context). With a single context, the ACE supports
active-backup redundancy and each group member is an Admin context.
The ACE sends and receives all redundancy-related traffic (protocol packets, configuration data,
heartbeats, and state replication packets) on a dedicated FT VLAN. You cannot use this dedicated VLAN
for normal traffic.
To optimize the transmission of heartbeat packets for multiple FT groups and to minimize network
traffic, the ACE sends and receives heartbeat messages using a separate process. The ACE uses the
heartbeat to probe the peer ACE, rather than probe each context. When an ACE does not receive a
heartbeat from the peer ACE, all the contexts in the standby state become active. The ACE sends
heartbeat packets over UDP. You can set the frequency with which the ACE sends heartbeat packets as
part of the FT peer configuration. For details about configuring the heartbeat, see Configuring High
Availability Peers, page 11-8.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
11-3
Chapter 11
Configuring High Availability
Understanding ACE Redundancy
The election of the active member within each FT group is based on a priority scheme. The member
configured with the higher priority is elected as the active member. If a member with a higher priority
is found after the other member becomes active, the new member becomes active because it has a higher
priority. This behavior is known as preemption and is enabled by default. You can override this default
behavior by disabling preemption. To disable preemption, use the Preempt parameter. Enabling Preempt
causes the member with the higher priority to assert itself and become active. For details about
configuring preemption, see Configuring ACE High Availability Groups, page 11-11.
Stateful Failover
The ACE replicates flows on the active FT group member to the standby group member per connection
for each context. The replicated flows contain all the flow-state information necessary for the standby
member to take over the flow if the active member becomes unresponsive. If the active member becomes
unresponsive, the replicated flows on the standby member become active when the standby member
assumes mastership of the context. The active flows on the former active member transition to a standby
state to fully back up the active flows on the new active member.
Note
For the replication process to function properly and successfully replicate the configuration for a user
context when switching from the active context to the standby context, ensure that each user context has
been added to the FT group. All applicable user contexts must be part of an FT group for redundancy to
function properly.
Note
By default, connection replication is enabled in the ACE appliance.
After a switchover occurs, the same connection information is available on the new active member.
Supported end-user applications do not need to reconnect to maintain the same network session.
The state information passed to the standby appliance includes the following data:
Note
•
Network Address Translation (NAT) table based on information synchronized with the connection
record
•
All Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections not
terminated by the ACE appliance
•
HTTP connection states (Optional)
•
Sticky table
In a user context, the ACE appliance allows a switchover only of the FT group that belongs to that
context. In the Admin context, the ACE appliance allows a switchover of all FT groups in all configured
contexts in the appliance.
To ensure that bridge learning occurs quickly upon a switchover in a Layer 2 configuration in the case
where a VMAC moves to a new location, the new active member sends a gratuitous ARP on every
interface associated with the active context. Also, when there are two VLANs on the same subnet and
servers need to send packets to clients directly, the servers must know the location of the gateway on the
client-side VLAN. The active member acts as the bridge for the two VLANs. In order to initiate learning
of the new location of the gateway, the new active member sends an ARP request to the gateway on the
client VLAN and bridges the ARP response onto the server VLAN.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
11-4
OL-26645-02
Chapter 11
Configuring High Availability
Understanding ACE Redundancy
Fault-Tolerant VLAN
Redundancy uses a dedicated fault-tolerant VLAN between redundant ACEs to transmit flow-state
information and the redundancy heartbeat. Do not use this dedicated VLAN for normal network traffic.
You must configure this same VLAN on both peer ACEs. You also must configure a different IP address
within the same subnet on each ACE for the fault-tolerant VLAN.
The two redundant ACEs constantly communicate over the fault-tolerant VLAN to determine the
operating status of each ACE. The standby member uses the heartbeat packet to monitor the health of
the active member. The active member uses the heartbeat packet to monitor the health of the standby
member. Communications over the switchover link include the following data:
•
Redundancy protocol packets
•
State information replication data
•
Configuration synchronization information
•
Heartbeat packets
For multiple contexts, the fault-tolerant VLAN resides in the system configuration data. Each
fault-tolerant VLAN on the ACE has one unique MAC address associated with it. The ACE uses these
device MAC addresses as the source or destination MACs for sending or receiving redundancy protocol
state and configuration replication packets.
Note
The IP address and the MAC address of the fault-tolerant VLAN do not change at switchover.
Configuration Synchronization
For redundancy to function properly, both members of an fault-tolerant group must have identical
configurations. Ensure that both ACE appliances include the same bandwidth software license (2G or
1G) and the same virtual context software license. If there is a mismatch in software license between the
two ACE appliances in an FT group, the following operational behavior can occur:
•
If there is a mismatch in virtual context software license, synchronization between the active ACE
and standby ACE may not work properly.
•
If both the active and the standby ACE appliances have the same virtual content software license
but have a different bandwidth software license, synchronization will work properly but the standby
ACE may experience a potential loss of traffic on switchover from the 2G ACE appliance to the 1G
ACE appliance.
See the Administration Guide, Cisco ACE Application Control Engine for details about the available
ACE software licenses.
The ACE automatically replicates the active configuration on the standby member using a process called
configuration synchronization (config sync). Config sync automatically replicates any changes made to
the configuration of the active member to the standby member. After the ACE synchronizes the
redundancy configuration from the active member to the standby peer, it disables configuration mode on
the standby. See Synchronizing High Availability Configurations with ACE Appliance Device Manager,
page 11-6.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
11-5
Chapter 11
Configuring High Availability
Understanding ACE Redundancy
Synchronizing High Availability Configurations with ACE Appliance
Device Manager
When two ACE appliances are configured as high availability peers, their configurations must be
synchronized at all times so that the standby ACE peer can seamlessly take over for the active ACE peer.
As the active and standby ACEs synchronize, the configuration on the standby ACE appliance can
become out of synchronization with the ACE Appliance Device Manager-maintained configuration data
for that ACE appliance.
When an ACE appliance is in a standby state, if you make configuration changes on the active ACE
appliance this change is also synchronized with the standby ACE appliance. However, when you access
the Device Manager GUI you will not observe the configuration changes on the standby ACE. Yet, if
you access the CLI on the standby ACE and display redundancy configurations using the show
running-config ft command in Exec mode, you will see these configuration changes.
As a result, it is important for you to manually synchronize the ACE Appliance Device Manager on the
standby appliance to observe the entire configuration. See the “Manually Synchronizing Individual
Virtual Context Configurations” section on page 4-82.
When the ACE appliance performs a context failover (proceeds from the Standby Warm state or Standby
Hot state) to the Active state), the new active ACE appliance auto-synchronizes the configuration and
updates the ACE appliance Device Manager GUI.
In a high availability pair, the two configured virtual contexts synchronize with each other as part of their
ongoing communications. However, their copies do not synchronize in ACE Appliance Device Manager
and the configuration on the standby member can become out of sync with the configuration on the ACE
appliance.
After the active member of a high availability pair fails and the standby member becomes active, ACE
Appliance Device Manager on the newly active member detects any out-of-sync virtual context
configurations and reports that status in the All Virtual Contexts table so that you can synchronize the
virtual context configurations.
For information on synchronizing some or all virtual context configurations, see the following topics:
•
Manually Synchronizing Individual Virtual Context Configurations, page 4-82
•
Manually Synchronizing All Virtual Context Configurations, page 4-83
Related Topics
•
High Availability Polling, page 11-2
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups, page 11-11
•
Manually Synchronizing Individual Virtual Context Configurations, page 4-82
•
Manually Synchronizing All Virtual Context Configurations, page 4-83
Redundancy Configuration Requirements and Restrictions
Follow these requirements and restrictions when configuring the redundancy feature.
•
In bridged mode (Layer 2), two contexts cannot share the same VLAN.
•
To achieve active-active redundancy, a minimum of two contexts and two fault-tolerant groups are
required on each ACE.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
11-6
OL-26645-02
Chapter 11
Configuring High Availability
Understanding ACE Redundancy
•
When you configure redundancy, the ACE keeps all interfaces that do not have an IP address in the
Down state. The IP address and the peer IP address that you assign to a VLAN interface should be
in the same subnet, but different IP addresses. For more information about configuring VLAN
interfaces, see Configuring Virtual Context VLAN Interfaces, page 10-10.
•
In a high availability pair, the two configured virtual contexts synchronize with each other as part
of their ongoing communications. However, their copies do not synchronize in ACE Appliance
Device Manager and the configuration on the standby member can become out of sync with the
configuration on the ACE appliance. After the active member of a high availability pair fails and
the standby member becomes active, ACE Appliance Device Manager on the newly active member
detects any out-of-sync virtual context configurations and reports that status in the All Virtual
Contexts table so that you can synchronize the virtual context configurations.
•
When a virtual context is in either the Standby Hot or Standby Warm state (see High Availability
Polling, page 11-2), the virtual context may receive configuration changes from its ACE peer
without updating the Device Manager GUI. As a result, the ACE appliance Device Manager GUI
will be out of synchronization with the CLI configuration. If you need to check configuration on a
standby virtual context using the tracking and failure detection process (see Tracking VLAN
Interfaces for High Availability, page 11-19), we recommend that you first perform a manual
synchronization using either the CLI Sync or CLI Sync All buttons before checking the
configuration values.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
11-7
Chapter 11
Configuring High Availability
Configuring ACE High Availability
Configuring ACE High Availability
The tasks involved with configuring high availability are described in Table 11-1.
Table 11-1
High Availability Task Overview
Task
Reference
Step 1
Create a fault-tolerant VLAN and identify peer IP Configuring High Availability Peers, page 11-8
addresses and configure peer appliances for
heartbeat count and interval.
Step 2
Configuring ACE High Availability Groups,
Create a fault-tolerant group, assign peer
priorities, associate the group with a context, place page 11-11
the group in service, and enable automatic
synchronization.
Step 3
Configure tracking for switchover.
High Availability Tracking and Failure
Detection Overview, page 11-17
Related Topics
•
Understanding ACE Redundancy, page 11-2
•
High Availability Polling, page 11-2
•
Synchronizing High Availability Configurations with ACE Appliance Device Manager, page 11-6
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups, page 11-11
•
High Availability Tracking and Failure Detection Overview, page 11-17
Configuring High Availability Peers
Note
This functionality is available for only Admin contexts.
Fault-tolerant peers use a fault-tolerant VLAN to transmit and receive heartbeat packets and state and
configuration replication packets. The standby member uses the heartbeat packet to monitor the health
of the active member, while the active member uses the heartbeat packet to monitor the health of the
standby member. When the heartbeat packets are not received from the active member when expected,
switchover occurs and the standby member assumes all active communications previously on the active
member.
Use this procedure to:
•
Identify the two members of a high availability pair.
•
Assign IP addresses to the peer ACE appliances.
•
Assign a fault-tolerant VLAN to high availability peers and bind a physical Gigabit Ethernet
interface to the FT VLAN.
•
Configure heartbeat frequency and count on the ACE appliances in a fault-tolerant VLAN.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
11-8
OL-26645-02
Chapter 11
Configuring High Availability
Configuring High Availability Peers
Assumption
•
At least one fault-tolerant VLAN has been configured.
Note
A fault-tolerant VLAN cannot be used for other network traffic.
Procedure
Step 1
Choose Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management
window appears with two columns: One for the selected ACE appliance and one for a peer ACE
appliance.
Step 2
Click Edit, and then enter the information for the primary appliance and the peer appliance as described
in Table 11-2.
Table 11-2
ACE High Availability Management Configuration Attributes
Field
This Appliance
VLAN
Specify a fault-tolerant VLAN to be used Not applicable.
for this high availability pair. Valid
entries are integers from 2 to 4094.
Note
Peer Appliance
This VLAN cannot be used for
other network traffic.
Not applicable.
Interface
Select the interface (specified by
slot_number/port_number where
slot_number is the physical slot on the
ACE appliance, and port_number is the
physical Ethernet data port on the ACE
appliance) or the port channel.
IP Address
Enter an IP address for the fault-tolerant Enter the IP address of the peer
VLAN in dotted-decimal format, such as interface in dotted-decimal format so
192.168.11.2.
that the peer appliance can
communicate on the fault-tolerant
VLAN.
Netmask
Select the subnet mask that is to be used
for the fault-tolerant VLAN.
Not applicable.
Management IP
Address
Enter the IP address for the ACE.
Enter the Management IP Address of
the peer appliance. When you enter
this information, you can click on the
HA Peer hyperlink in the Config >
Virtual Contexts screen.
Query VLAN
Not applicable.
Select the VLAN that the standby
appliance is to use to determine whether
the active appliance is down or if there is
a connectivity problem with the
fault-tolerant VLAN.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
11-9
Chapter 11
Configuring High Availability
Configuring High Availability Peers
Table 11-2
Step 3
ACE High Availability Management Configuration Attributes (continued)
Field
This Appliance
Peer Appliance
Heartbeat Count
Not applicable.
Enter the number of heartbeat intervals
that must occur when no heartbeat packet
is received by the standby appliance
before the standby appliance determines
that the active member is not available.
Valid entries are integers from 10 to 50.
Heartbeat Interval
Enter the number of milliseconds that the Not applicable.
active appliance is to wait between each
heartbeat it sends to the standby
appliance. Valid entries are integers from
100 to 1000.
Interface Enabled
Check the Interface Enabled check box to Not applicable.
enable the high availability interface.
Clear the check box to disable the high
availability interface.
Shared VLAN Host Enter a specific bank of MAC addresses
ID
that the ACE uses. Valid entries are
integers from 1 to 16. Be sure to
configure different bank numbers for
multiple ACEs.
Not applicable.
Peer Shared VLAN Enter a specific bank of MAC addresses
Host ID
for the same ACE in a redundant
configuration. Valid entries are integers
from 1 to 16. Be sure to configure
different bank numbers for multiple
ACEs.
Not applicable.
HA State
Not applicable.
This is a read-only field with the current
state of high availability on the ACE
appliance.
Do the following:
•
Click Deploy Now to save your entries and to continue with configuring high availability groups.
The ACE HA Management screen appears at the top of the content area and the ACE HA Groups
table appears at the bottom. See Configuring ACE High Availability Groups, page 11-11 to
configure a high availability group.
•
Click Cancel to exit this procedure without saving your entries and to view the ACE HA
Management screen.
Related Topics
•
Understanding ACE Redundancy, page 11-2
•
Configuring ACE High Availability Groups, page 11-11
•
Tracking VLAN Interfaces for High Availability, page 11-19
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
11-10
OL-26645-02
Chapter 11
Configuring High Availability
Configuring ACE High Availability Groups
Clearing High Availability Pairs
Note
This functionality is available for only Admin contexts.
Use this procedure to remove a high availability link between two ACE appliances.
Procedure
Step 1
Choose Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management
screen appears.
Step 2
Select the ACE appliance pair whose high availability configuration you want to remove, and then click
Clear. A message appears asking you to confirm the clearing of the high availability link.
Step 3
Do the following:
•
Click OK to confirm the removal of this high availability link and to return to the ACE HA
Management screen.
•
Click Cancel to exit this procedure without removing this high availability link and to return to the
ACE HA Management screen.
Related Topics
•
Understanding ACE Redundancy, page 11-2
•
Configuring High Availability Peers, page 11-8
•
Editing ACE High Availability Groups, page 11-14
•
High Availability Tracking and Failure Detection Overview, page 11-17
•
Tracking VLAN Interfaces for High Availability, page 11-19
•
Tracking Hosts for High Availability, page 11-20
Configuring ACE High Availability Groups
Note
This functionality is available for only Admin contexts.
A fault-tolerant group consists of a maximum of two contexts: One active context on one appliance and
one standby context on the peer appliance. You can create multiple fault-tolerant groups on each ACE
appliance up to a maximum of 21 groups (20 user contexts and 1 Admin context).
Use this procedure to configure high availability groups.
Note
For the replication process to function properly and successfully replicate the configuration for a user
context when switching from the active context to the standby context, ensure that each user context has
been added to the FT group. All applicable user contexts must be part of an FT group for redundancy to
function properly.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
11-11
Chapter 11
Configuring High Availability
Configuring ACE High Availability Groups
Assumption
At least one high availability pair has been configured. (See Configuring High Availability Peers,
page 11-8.)
Procedure
Step 1
Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management screen
appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2
In the ACE HA Groups table, click Add to add a new high availability group. The table refreshes with
the configurable fields.
Step 3
Check the Enabled check box to enable the high availability group. Clear the Enabled check box to
disable the high availability group.
Step 4
In the Context field, select the virtual context to associate with this high availability group.
Step 5
In the Priority (Actual) field, enter the priority you want to assign to the first appliance in the group.
Valid entries are integers from 1 to 255.
A member of a fault-tolerant group becomes the active member through a process based on the priority
assigned. In this process, the group member with the higher priority becomes the active member. When
you set up a fault-tolerant pair, use a higher priority for the group where the active member initially
resides.
Step 6
Check the Preempt check box to indicate that the group member with the higher priority is to always
assert itself and become the active member. Clear the Preempt check box to indicate that you do not want
the group member with the higher priority to always become the active member.
Step 7
In the Peer Priority (Actual) field, enter the priority you want to assign to the peer appliance in the group.
Valid entries are integers from 1 to 255.
A member of a fault-tolerant group becomes the active member through a process based on the priority
assigned. In this process, the group member with the higher priority becomes the active member. When
you set up a fault-tolerant pair, use a higher priority for the group where the active member initially
resides.
Step 8
Check the Autosync Run check box to enable automatic synchronization of the running configuration
files. Clear the Autosync Run check box to disable automatic synchronization of the running
configuration files. If you disable automatic synchronization, you need to update the configuration of
the standby context manually.
Note
To understand how synchronization works between the active and the standby ACE appliances,
see Understanding ACE Redundancy, page 11-2 and Redundancy Configuration Requirements
and Restrictions, page 11-6.
Step 9
Check the Autosync Startup check box to enable automatic synchronization of the startup configuration
files. Clear the Autosync Run check box to disable automatic synchronization of the startup
configuration files. If you disable automatic synchronization, you need to update the configuration of
the standby context manually. See Manually Synchronizing Individual Virtual Context Configurations,
page 4-82.
Step 10
Do the following:
•
Click Deploy Now to accept your entries. The ACE HA Groups table refreshes with the new high
availability group.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
11-12
OL-26645-02
Chapter 11
Configuring High Availability
Configuring ACE High Availability Groups
•
Step 11
Click Cancel to exit this procedure without saving your entries and to return to the ACE HA
Management screen and ACE HA Groups table.
(Optional) To display statistics and status information for a particular high availability group, choose the
group from the ACE HA Groups table, and click Details.
The show ft group group_id detail CLI command output appears. See the “Displaying High Availability
Group Statistics and Status Information” section on page 11-16 for details.
Related Topics
•
Configuring High Availability Peers, page 11-8
•
Editing ACE High Availability Groups, page 11-14
•
High Availability and Virtual Context Configuration Status, page 4-81
•
Tracking VLAN Interfaces for High Availability, page 11-19
•
Tracking Hosts for High Availability, page 11-20
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
11-13
Chapter 11
Configuring High Availability
Configuring ACE High Availability Groups
Editing ACE High Availability Groups
Note
This functionality is available for only Admin contexts.
Use this procedure to modify the attributes of a high availability group.
Note
If you need to modify a fault-tolerant group, take the group out of service before making any other
changes (see Taking a High Availability Group Out of Service, page 11-15). When you finish making all
changes, place the group back into service (see Enabling a High Availability Group, page 11-15).
Procedure
Step 1
Choose Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management
screen appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2
In the ACE HA Groups table, select the high availability group you want to modify, and then click Edit.
The table refreshes with configurable fields.
Step 3
Modify the fields as desired. For information on these fields, see Configuring ACE High Availability
Groups, page 11-11.
Step 4
When you finish modifying this group, do the following:
•
Click Deploy Now to accept your entries and to return to the ACE HA Groups table.
•
Click Cancel to exit this procedure without saving your entries and to return to the ACE HA
Management screen.
Related Topics
•
Taking a High Availability Group Out of Service, page 11-15
•
Enabling a High Availability Group, page 11-15
•
Configuring High Availability Peers, page 11-8
•
High Availability Tracking and Failure Detection Overview, page 11-17
•
Tracking VLAN Interfaces for High Availability, page 11-19
•
Tracking Hosts for High Availability, page 11-20
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
11-14
OL-26645-02
Chapter 11
Configuring High Availability
Configuring ACE High Availability Groups
Taking a High Availability Group Out of Service
Note
This functionality is available for only Admin contexts.
If you need to modify a fault-tolerant group, you must first take the group out of service before making
any other changes. Use this procedure to take a high availability group out of service.
Procedure
Step 1
Choose Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management
screen appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2
In the ACE HA Groups table, select the high availability group you want to take out of service, and then
click Edit. The table refreshes with configurable fields.
Step 3
Clear the Enabled check box.
Step 4
Click Deploy Now to take the high availability group out of service and to return to the ACE HA Groups
table.
You can now make the necessary modifications to the high availability group. To put the high availability
group back in service, see Enabling a High Availability Group, page 11-15.
Related Topic
•
Enabling a High Availability Group, page 11-15
Enabling a High Availability Group
Note
This functionality is available for only Admin contexts.
After you take a high availability group out of service to modify it, you need to reenable the group. Use
the following procedure to put a high availability group back in service.
Procedure
Step 1
Choose Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management
screen appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2
In the ACE HA Groups table, select the high availability group you want to take out of service, and then
click Edit. The table refreshes with configurable fields.
Step 3
Check the Enabled check box.
Step 4
Click Deploy Now to put the high availability group in service and to return to the ACE HA Groups
table.
Related Topic
•
Taking a High Availability Group Out of Service, page 11-15
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
11-15
Chapter 11
Configuring High Availability
Switching Over a High Availability Group
Displaying High Availability Group Statistics and Status Information
You can display statistics and status information for a particular high availability group by using the
Details button. DM accesses the show ft group group_id detail CLI command to display detailed ACE
HA group information.
Procedure
Step 1
Choose Config > Virtual Contexts > High Availability (HA) > Setup.
The HA Management window appears at the top of the content area and the HA Groups table appears at
the bottom.
Step 2
Choose an ACE HA group from the ACE HA Groups table and click Details.
The show ft group group_id detail CLI command output appears. For details on the displayed output
fields, see the Administration Guide, Cisco ACE Application Control Engine.
Step 3
Click Update Details to refresh the output for the show ft group group_id detail CLI command.
Step 4
Click Close to return to the VLAN Interfaces table.
Related Topics
•
Understanding ACE Redundancy, page 11-2
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups, page 11-11
Switching Over a High Availability Group
Note
This functionality is available for only Admin contexts.
You may need to cause a switchover when you want to make a particular context the standby (for
example, for maintenance or a software upgrade on the currently active context). If the standby group
member can statefully become the active member of the high availability group, a switchover occurs.
Use this procedure to force the failover of a high availability group.
Procedure
Step 1
Choose Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management
screen appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2
In the ACE HA Groups table, select the group you want to switch over, and then click Switchover. The
standby group member becomes active, while the previously active group member becomes the standby
member.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
11-16
OL-26645-02
Chapter 11
Configuring High Availability
Deleting ACE High Availability Groups
Related Topics
•
Understanding ACE Redundancy, page 11-2
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups, page 11-11
•
Tracking VLAN Interfaces for High Availability, page 11-19
Deleting ACE High Availability Groups
Note
This functionality is available for only Admin contexts.
Use this procedure to remove a high availability group from ACE Appliance Device Manager
management.
Procedure
Step 1
Choose Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management
screen appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2
In the ACE HA Groups table, select the high availability group that you want to remove, and then click
Delete. A message appears asking you to confirm the deletion.
Step 3
Do the following:
•
Click Deploy Now to delete the high availability group and to return to the ACE HA Groups table.
The selected group no longer appears.
•
Click Cancel to exit this procedure without deleting the high availability group and to return to the
ACE HA Groups table.
Related Topics
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups, page 11-11
•
Tracking VLAN Interfaces for High Availability, page 11-19
High Availability Tracking and Failure Detection Overview
The tracking and detection of failures ensures that switchover occurs as soon as the criteria are met (see
Configuring High Availability Peers, page 11-8). With the ACE Appliance Device Manager, you can
track and detect failures on:
•
Hosts—See Tracking Hosts for High Availability, page 11-20.
•
Interfaces—See Tracking VLAN Interfaces for High Availability, page 11-19.
When the active member of a fault-tolerant group becomes unresponsive, the following occurs:
1.
The active member’s priority is reduced by 10.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
11-17
Chapter 11
Configuring High Availability
High Availability Tracking and Failure Detection Overview
Note
2.
If the resulting priority value is less than that of the standby member, the active member switches
over and the standby member becomes the new active member. All active flows continue
uninterrupted.
3.
When the failed member comes back up, its priority is incremented by 10.
4.
If the resulting priority value is greater than that of the currently active member, a switchover occurs
again, returning the flows to the originally active member.
In a user context, the ACE appliance allows a switchover only of the fault-tolerant groups belonging to
that context. In an Admin context, the ACE appliance allows a switchover of all fault-tolerant groups on
all configured contexts on the appliance.
Related Topics
•
Configuring ACE High Availability Groups, page 11-11
•
Tracking VLAN Interfaces for High Availability, page 11-19
•
Tracking Hosts for High Availability, page 11-20
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
11-18
OL-26645-02
Chapter 11
Configuring High Availability
Tracking VLAN Interfaces for High Availability
Tracking VLAN Interfaces for High Availability
Use this procedure to configure a tracking and failure detection process for a VLAN interface.
Note
When a virtual context is in either the Standby Hot or Standby Warm state (see High Availability Polling,
page 11-2), the virtual context may receive configuration changes from its ACE peer without updating
the Device Manager GUI. As a result, the ACE appliance Device Manager GUI will be out of
synchronization with the CLI configuration. If you need to check configuration on a standby virtual
context using the tracking and failure detection process, we recommend that you first perform a manual
synchronization using either the CLI Sync or CLI Sync All buttons before checking the configuration
values.
Procedure
Step 1
Choose Config > Virtual Contexts > HA Tracking And Failure Detection > Interfaces. The Track
Interface table appears.
Step 2
Click Add to add a new tracking process to this table, or select an existing entry, and then click Edit to
modify it. The Track Interface configuration screen appears.
Step 3
In the Track Object Name field, enter a unique identifier for the tracking process. Valid entries are
unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4
In the Priority field, enter the priority for the interface on the active member. Valid entries are integers
from 1 to 255 with higher values indicating higher priorities. The values that you enter here and in the
Interface Peer Priority field (see Step 6) reflect the point at which you want switchover to occur. If the
tracked interface goes down, the priority of that fault-tolerant group is decremented by the value entered
in the Priority field. If the priority of the fault-tolerant group on the active member falls below that of
the standby member, a switchover occurs.
Step 5
In the VLAN Interface field, select the fault-tolerant VLAN that you want the active member to track.
Step 6
In the Interface Peer Priority field, enter the priority for the interface on the standby member. Valid
entries are integers from 1 to 255 with higher values indicating higher priorities. The values that you
enter here and in the Priority field (See Step 4) reflect the point at which you want switchover to occur.
If the tracked interface goes down, the priority of that fault-tolerant group is decremented by the value
entered in the Interface Peer Priority field. If the priority of the fault-tolerant group on the active member
falls below that of the standby member, a switchover occurs.
Step 7
In the Peer VLAN Interface field, enter the identifier of an existing fault-tolerant VLAN that you want
the standby member to track. Valid entries are integers from 1 to 4096.
Step 8
Do the following:
•
Click Deploy Now to save your entries and to return to the Track Interface table.
•
Click Cancel to exit this procedure without saving your entries and to return to the Track Interface
table.
•
Click Next to save your entries and to configure the next entry in the Track Interface table.
Related Topics
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups, page 11-11
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
11-19
Chapter 11
Configuring High Availability
Tracking Hosts for High Availability
•
Tracking Hosts for High Availability, page 11-20
Tracking Hosts for High Availability
Use this procedure to configure a tracking and failure detection process for a gateway or host.
Procedure
Step 1
Choose Config > Virtual Contexts > HA Tracking And Failure Detection > Hosts. The Track Host
table appears.
Step 2
Click Add to add a new tracking process to the table, or select an existing entry, and then click Edit to
modify it. The Track Host configuration screen appears.
Step 3
In the Track Object Name field, enter a unique identifier for the tracking process. Valid entries are
unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4
For the IP Address Type, select either IPv4 or IPv6 for the host address type.
Step 5
In the Track Host/IP Address field, enter the IPv4 or IPv6 address or hostname of the gateway or host
that you want the active member of the high availability group to track.
Step 6
In the Priority field, enter the priority of the probe sent by the active member. Valid entries are integers
from 0 to 255. Higher values indicate higher priorities. Assign a priority value based on the relative
importance of the host that the probe is tracking. If the probe goes down, the ACE appliance decrements
the priority of the fault-tolerant group on the active member by the value in the Priority field.
Step 7
In the Peer Host/IP Address field, enter the IPv4 or IPv6 address or hostname of the host that you want
the standby member to track.
Step 8
In the Peer Priority field, enter the priority of the probe sent by the standby member. Valid entries are
integers from 0 to 255. Higher values indicate higher priorities. Assign a priority value based on the
relative importance of the host that the probe is tracking. If the probe goes down, the ACE appliance
decrements the priority of the fault-tolerant group on the standby member by the value in the Priority
field.
Step 9
Do the following:
•
Click Deploy Now to save your entries and to continue with configuring track host probes. See
Configuring Host Tracking Probes, page 11-21.
•
Click Cancel to exit this procedure without saving your entries and to return to the Track Host table.
•
Click Next to save your entries and to configure another tracking process.
Related Topics
•
Configuring Host Tracking Probes, page 11-21
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups, page 11-11
•
Tracking VLAN Interfaces for High Availability, page 11-19
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
11-20
OL-26645-02
Chapter 11
Configuring High Availability
Configuring Host Tracking Probes
Configuring Host Tracking Probes
Use this procedure to configure probes on the active high availability group member to track the health
of the gateway or host.
Assumptions
•
At least one host tracking process for high availability has been configured (see Tracking Hosts for
High Availability, page 11-20.)
•
At least one health monitoring probe has been configured (see Configuring Health Monitoring for
Real Servers, page 6-41).
Procedure
Step 1
Choose Config > Virtual Contexts > HA Tracking And Failure Detection > Hosts. The Track Host
table appears.
Step 2
Select the tracking process you want to configure a probe for, and then select the Track Host Probe tab.
The Track Host Probe table appears.
Step 3
In the Track Host Probe table, click Add to add a track host probe, or select an existing track host probe,
and then click Edit to modify it. The Track Host Probe configuration screen appears.
Step 4
In the Probe Name field, select the name of the probe to be used for the host tracking process.
Step 5
In the Priority field, enter a priority for the host you are tracking by the active member of the high
availability group. Valid entries are integers from 1 to 255 with higher values indicating higher priorities.
Assign a priority value based on the relative importance of the gateway or host that the probes are
tracking. If the host goes down, the ACE appliance decrements the priority of the high availability group
on the active member by the value in this Priority field. If the resulting priority of the high availability
group on the active member is less than the priority of the high availability group on the standby member,
a switchover occurs.
Step 6
Do the following:
•
Click Deploy Now to save your entries and to return to the Track Host Probe table. The table
includes the added probe.
•
Click Cancel to exit this procedure without saving your entries and to return to the Track Host Probe
table.
•
Click Next to save your entries and to configure another track host probe.
Related Topics
•
Configuring Peer Host Tracking Probes, page 11-22
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups, page 11-11
•
Tracking VLAN Interfaces for High Availability, page 11-19
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
11-21
Chapter 11
Configuring High Availability
Configuring Peer Host Tracking Probes
Deleting Host Tracking Probes
Use this procedure to remove a high availability host tracking probe.
Procedure
Step 1
Choose Config > Virtual Contexts > HA Tracking And Failure Detection > Hosts. The Track Host
table appears.
Step 2
Select the tracking process you want to modify, and then select the Track Host Probe tab. The Track Host
Probe table appears.
Step 3
In the Track Host table, select the probe you want to remove, and then click Delete. The probe is deleted
and the Track Host Probe table refreshes without the deleted probe.
Related Topics
•
Configuring Peer Host Tracking Probes, page 11-22
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups, page 11-11
•
Tracking VLAN Interfaces for High Availability, page 11-19
Configuring Peer Host Tracking Probes
Use this procedure to configure probes on the standby member of a high availability group to track the
health of the gateway or host.
Assumptions
•
At least one host tracking process for high availability has been configured (see Tracking Hosts for
High Availability, page 11-20.)
•
At least one health monitoring probe has been configured (see Configuring Health Monitoring for
Real Servers, page 6-41).
Procedure
Step 1
Choose Config > Virtual Contexts > HA Tracking And Failure Detection > Hosts. The Track Host
table appears.
Step 2
Select the tracking process you want to modify, and then select the Peer Track Host Probe tab. The Peer
Track Host Probes table appears.
Step 3
In the Peer Track Host Probes table, click Add to add a peer host tracking probe, or select an existing
peer host tracking probe, and then click Edit to modify it. The Peer Track Host Probes configuration
screen appears.
Step 4
In the Probe Name field, select the name of the probe to be used for the peer host tracking process.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
11-22
OL-26645-02
Chapter 11
Configuring High Availability
Configuring Peer Host Tracking Probes
Step 5
In the Priority field, enter a priority for the host you are tracking by the standby member of the high
availability group. Valid entries are integers from 1 to 255 with higher values indicating higher priorities.
Assign a priority value based on the relative importance of the gateway or host that the probes are
tracking. If the host goes down, the ACE appliance decrements the priority of the high availability group
on the standby member by the value in this Priority field.
Step 6
Do the following:
•
Click Deploy Now to save your entries and to return to the Peer Track Host Probes table. The table
includes the added probe.
•
Click Cancel to exit this procedure without saving your entries and to return to the Peer Track Host
Probes table.
•
Click Next to save your entries and to configure another peer track host probe.
Related Topics
•
Configuring Host Tracking Probes, page 11-21
•
Configuring High Availability Peers, page 11-8
•
Configuring ACE High Availability Groups, page 11-11
•
Tracking VLAN Interfaces for High Availability, page 11-19
Deleting Peer Host Tracking Probes
Use this procedure to remove a high availability peer host tracking probe.
Procedure
Step 1
Choose Config > Virtual Contexts > HA Tracking And Failure Detection > Hosts. The Track Host
table appears.
Step 2
Select the tracking process you want to modify then, select the Peer Track Host Probe tab. The Peer
Track Host Probes table appears.
Step 3
In the Peer Track Host Probes table, select the probe you want to remove, and then click Delete. The
probe is deleted and the Peer Track Host Probes table refreshes without the deleted probe.
Related Topics
•
Configuring Peer Host Tracking Probes, page 11-22
•
Configuring Host Tracking Probes, page 11-21
•
Tracking VLAN Interfaces for High Availability, page 11-19
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
11-23
Chapter 11
Configuring High Availability
Configuring Peer Host Tracking Probes
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
11-24
OL-26645-02
C H A P T E R
12
Configuring Traffic Policies
This chapter describes how to configure traffic policies. ACE Appliance Device Manager helps you
configure class maps and policy maps to provide a global level of classification for filtering traffic
received by or passing through the ACE appliance. You create traffic policies and attach these policies
to one or more VLAN interfaces associated with the ACE appliance to apply feature-specific actions to
the matching traffic. The ACE appliance uses the individual traffic policies to implement functions such
as:
Note
•
Remote access using Secure Shell (SSH) or Telnet
•
Server load balancing
•
Network Address Translation (NAT)
•
Optimization of HTTP traffic
•
HTTP deep packet inspection, application protocol inspection, FTP command inspection, Skinny
Client Control Protocol (SCCP) deep packet inspection, or SIP inspection
•
Secure Socket Layer (SSL) security services between a Web browser (the client) and the HTTP
connection (the server)
•
TCP termination, normalization, and reuse
•
IP normalization and fragment reassembly
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
Related Topics
•
Class Map and Policy Map Overview, page 12-2
•
Configuring Virtual Context Class Maps, page 12-8
•
Setting Match Conditions for Class Maps, page 12-10
•
Configuring Virtual Context Policy Maps, page 12-34
•
Configuring Rules and Actions for Policy Maps, page 12-36
•
Configuring Actions Lists, page 12-90
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
12-1
Chapter 12
Configuring Traffic Policies
Class Map and Policy Map Overview
Class Map and Policy Map Overview
You classify inbound network traffic destined to, or passing through, the ACE appliance based on a
series of flow match criteria specified by a class map. Each class map defines a traffic classification; that
is, network traffic that is of interest to you. A policy map defines a series of actions (functions) that you
want applied to a set of classified inbound traffic.
Class maps enable you to classify network traffic based on the following criteria:
•
Layer 3 and Layer 4 traffic flow information—Source or destination IP address, source or
destination port, virtual IP address, IP protocol and port, or management protocol
•
Layer 7 protocol information—HTTP cookie, HTTP URL, HTTP header, HTTP content, FTP
request commands, RADIUS, RDP, RTSP, Skinny, or SIP
Table 12-1 lists the available policies for the ACE.
Table 12-1
Traffic Policies
Policy Map
Description
Layer 3/4 Management Traffic
(First-Match)
Layer 3 and Layer 4 policy map for network management traffic received by the
ACE
Layer 3/4 Network Traffic (First-Match)
Layer 3 and Layer 4 policy map for traffic passing through the ACE
Layer 7 Command Inspection - FTP
(First-Match)
Layer 7 policy map for inspection of FTP commands
Layer 7 Deep Packet Inspection - HTTP
(All-Match)
Layer 7 policy map for inspection of HTTP packets
Layer 7 Deep Packet Inspection - SIP
(All-Match)
Layer 7 policy map for inspection of SIP packets
Layer 7 Deep Packet Inspection - Skinny
Layer 7 policy map for inspection of Skinny Client Control Protocol (SCCP)
Layer 7 HTTP Optimization (First-Match) Layer 7 policy map for optimizing HTTP traffic
Layer 7 Server Load Balancing
(First-Match)
Layer 7 policy map for HTTP server load balancing
Server Load Balancing - Generic
(First-Match)
Generic Layer 7 policy map for server load balancing
Server Load Balancing - HTTPS1
(First-Match)
Layer 7 policy map for HTTPS server load balancing
Server Load Balancing - RADIUS
(First-Match)
Layer 7 policy map for RADIUS server load balancing
Server Load Balancing - RDP
(First-Match)
Layer 7 policy map for RDP server load balancing
Server Load Balancing - RTSP
(First-Match)
Layer 7 policy map for RTSP server load balancing
1. This option is not available for ACE NPE software image.
The traffic classification process consists of the following three steps:
1.
Creating a class map, which comprise a set of match criteria related to Layer 3 and Layer 4 traffic
classifications or Layer 7 protocol classifications.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
12-2
OL-26645-02
Chapter 12
Configuring Traffic Policies
Class Map and Policy Map Overview
2.
Creating a policy map, which refers to the class maps and identifies a series of actions to perform
based on the traffic match criteria.
3.
Activating the policy map and attaching it to a specific VLAN interface or globally to all VLAN
interfaces associated with a context by configuring a virtual context global traffic policy to filter
traffic received by the ACE appliance.
The following overview topics describe the components that define a traffic policy:
•
Class Maps, page 12-3
•
Policy Maps, page 12-4
•
Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 12-5
•
Application Protocol Inspection Overview, page 12-5
•
Configuring Virtual Context Global Traffic Policies, page 4-28
Class Maps
A class map defines each type of Layer 3 and Layer 4 traffic class and each Layer 7 protocol class. You
create class maps to classify the traffic received and transmitted by the ACE appliance.
•
Layer 3 and Layer 4 traffic classes contain match criteria that identify the IP network traffic that can
pass through the ACE appliance or network management traffic that can be received by the ACE
appliance.
•
Layer 7 protocol-specific classes identify server load balancing based on HTTP traffic, deep
inspection of HTTP traffic, or the inspection of FTP commands by the ACE appliance.
A traffic class contains the following components:
•
Class map name
•
Class map type
•
One or more match conditions that define the match criteria for the class map
•
Instructions on how the ACE appliance evaluates match conditions when you specify more than one
match statement in a traffic class (match-any, match-all)
The ACE supports a system-wide maximum of 8192 class maps.
The individual match conditions specify the criteria for classifying Layer 3 and Layer 4 network traffic
as well as the Layer 7 HTTP server load balancing and application protocol-specific fields. The ACE
appliance evaluates the packets to determine whether they match the specified criteria. If a statement
matches, the ACE appliance considers that packet to be a member of the class and forwards the packet
according to the specifications set in the traffic policy. Packets that fail to meet any of the matching
criteria are classified as members of the default traffic class if one is specified.
The ACE appliance allows you to configure two Layer 7 HTTP load-balancing class maps in a nested
traffic class configuration to create a single traffic class. You can perform Layer 7 class map nesting to
achieve complex logical expressions. The ACE appliance restricts the nesting of class maps to two levels
to prevent you from including one nested class map under a different class map.
Related Topics
•
Class Map and Policy Map Overview, page 12-2
•
Policy Maps, page 12-4
•
Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 12-5
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
12-3
Chapter 12
Configuring Traffic Policies
Class Map and Policy Map Overview
•
Application Protocol Inspection Overview, page 12-5
•
Configuring Traffic Policies, page 12-1
•
Configuring Virtual Context Class Maps, page 12-8
Policy Maps
A policy map creates the traffic policy. The purpose of a traffic policy is to implement specific ACE
appliance functions associated with a traffic class. A traffic policy contains the following components:
•
Policy map name
•
Previously created traffic class map or, optionally, the default class map
•
One or more of the individual Layer 3 and Layer 4 or Layer 7 policies that specify the actions to be
performed by the ACE appliance
The ACE appliance supports a system-wide maximum of 4096 policy maps.
A Layer 7 policy map is always associated within a Layer 3 and Layer 4 policy map to provide an entry
point for traffic classification. Layer 7 policy maps are considered to be child policies and can only be
nested under a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated
on a VLAN interface; a Layer 7 policy map cannot be directly applied on an interface. For example, to
associate a Layer 7 load-balancing policy map, you nest the load-balancing policy map by using the
Layer 3 and Layer 4 Policy map action type.
If none of the classifications specified in policy maps match, then the ACE appliance executes the
default actions specified against the class map configured with the Use Class Default option to use a
default class map (if specified). All traffic that fails to meet the other matching criteria in the named class
map belongs to the default traffic class. The Use Class Default feature has an implicit match-any match
statement and is used to match any traffic classification.
The ACE appliance supports flexible class map ordering within a policy map. The ACE appliance
executes only the actions for the first matching traffic classification, so the order of class maps within a
policy map is very important. The policy lookup order is based on the security features of the ACE
appliance. The policy lookup order is implicit, irrespective of the order in which you configure policies
on the interface.
The policy lookup order of the ACE appliance is as follows:
1.
Access control (permit or deny a packet)
2.
Permit or deny management traffic
3.
TCP/UDP connection parameters
4.
Load balancing based on a virtual IP (VIP)
5.
Application protocol inspection
6.
Source NAT
7.
Destination NAT
The sequence in which the ACE appliance applies the actions for a specific policy is independent of the
actions configured for a class map inside a policy.
Related Topics
•
Class Map and Policy Map Overview, page 12-2
•
Policy Maps, page 12-4
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
12-4
OL-26645-02
Chapter 12
Configuring Traffic Policies
Class Map and Policy Map Overview
•
Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 12-5
•
Application Protocol Inspection Overview, page 12-5
•
Configuring Traffic Policies, page 12-1
•
Configuring Virtual Context Policy Maps, page 12-34
Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps
Parameter maps allow you to combine related actions in a Layer 3 and Layer 4 policy map. For example,
an HTTP parameter map provides a means of performing actions on traffic received by the ACE
appliance based on certain criteria such as HTTP header and cookie settings, server connection reuse,
action to be taken when an HTTP header, cookie or URL exceeds a configured maximum length, and so
on.
The ACE appliance uses policy maps to combine class maps and parameter maps into traffic policies and
to perform certain configured actions on the traffic that matches the specified criteria in the policies.
See Table 8-1 for a list of available ACE appliance parameter maps.
Related Topics
•
Configuring Parameter Maps, page 8-1
•
Class Map and Policy Map Overview, page 12-2
•
Class Maps, page 12-3
•
Policy Maps, page 12-4
•
Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 12-5
•
Application Protocol Inspection Overview, page 12-5
Application Protocol Inspection Overview
Certain applications require special handling of the data portion of a packet as the packets pass through
the ACE. Application protocol inspection helps to verify the protocol behavior and identify unwanted
or malicious traffic passing through the ACE. Based on the specifications of the traffic policy, the ACE
accepts or rejects the packets to ensure the secure use of applications and services.
Certain applications require special handling of the data portion of a packet as the packets pass through
the ACE appliance. Application protocol inspection helps to verify the protocol behavior and identify
unwanted or malicious traffic passing through the ACE appliance. Based on the specifications of the
traffic policy, the ACE appliance accepts or rejects the packets to ensure the secure use of applications
and services.
You can configure the ACE to perform application protocol inspection, sometimes referred to as an
application protocol “fixup” for applications that do the following:
•
Embed IP addressing information in the data packet including the data payload.
•
Open secondary channels on dynamically assigned ports.
You may require the ACE to perform application inspection of Domain Name System (DNS), FTP (File
Transfer Protocol), H.323, HTTP, Internet Control Message Protocol (ICMP), Internet Locator Service
(ILS), Real-Time Streaming Protocol (RTSP), Skinny Client Control Protocol (SCCP), and Session
Initiation Protocol (SIP) as a first step before passing the packets to the destination server. For HTTP,
the ACE performs deep packet inspection to statefully monitor the HTTP protocol and permit or deny
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
12-5
Chapter 12
Configuring Traffic Policies
Class Map and Policy Map Overview
traffic based on user-defined traffic policies. HTTP deep packet inspection focuses mainly on HTTP
attributes such as the HTTP header, the URL, and the payload. For FTP, the ACE performs FTP
command inspection for FTP sessions, allowing you to restrict specific commands by the ACE.
Application inspection helps you to identify the location of the embedded IP addressing information in
the TCP or UDP flow. This inspection allows the ACE to translate embedded IP addresses and to update
any checksum or other fields that are affected by the translation.
Translating IP addresses embedded in the payload of protocols is especially important for NAT
(explicitly configured by the user) and server load balancing (an implicit NAT).
Application inspection also monitors TCP or UDP sessions to determine the port numbers for secondary
channels. Some protocols open secondary TCP or UDP ports to improve performance. The initial session
on a well-known port is used to negotiate dynamically assigned port numbers. The application protocol
inspection function monitors these sessions, identifies the dynamic port assignments, and permits data
exchange on these ports for the duration of the session.
Table 12-2 describes the application inspection protocols supported by the ACE, the default TCP or UDP
protocol and port, and whether the protocol is compatible with Network Address Translation (NAT) and
Port Address Translation (PAT).
Table 12-2
Application Inspection Support
Application
Protocol
Transpo
rt
Protocol
Port
NAT/PA Enabled
T
by
Standards
Support Default 1
Comments/Limitations
DNS
UDP
Src—Any
NAT
No
RFC 1123
Inspects DNS packets
destined to port 53. You
can specify the maximum
length of the DNS packet
to be inspected.
Both
No
RFC 959
Inspects FTP packets,
translates address and port
embedded in the payload,
and opens up a secondary
channel for data.
Both
No
RFC 959
The FTP Strict field
allows the ACE appliance
to track each FTP
command and response
sequence, and also
prevents an FTP client
from determining valid
usernames that are
supported on an FTP
server.
Both
No
RFC 2616
Inspects HTTP packets.
Both
No
—
Allows ICMP traffic to
have a “session” so that it
can be inspected similarly
to TCP and UDP traffic.
Dest—53
FTP
TCP
Src—Any
Dest—21
FTP strict
TCP
Src—Any
Dest—21
HTTP
TCP
Src—Any
Dest—80
ICMP
ICMP
Src—N/A
Dest—N/A
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
12-6
OL-26645-02
Chapter 12
Configuring Traffic Policies
Class Map and Policy Map Overview
Table 12-2
Application Inspection Support (continued)
Application
Protocol
Transpo
rt
Protocol
Port
NAT/PA Enabled
T
by
Standards
Support Default 1
Comments/Limitations
ICMP error
ICMP
Src—N/A
NAT
No
—
NAT
No
RFC 2251 Referral requests and
(LDAPv3) responses are not
supported.
Includes
support for Users in multiple
RFC 1777 directories are not unified.
(LDAPv2) Single users having
Dest—N/A
ILS
TCP
Src—Any
Dest—389
The ICMP Error field
supports NAT of ICMP
error messages. When you
enable ICMP error
inspection, the ACE
appliance creates
translation sessions for
intermediate hops that
send ICMP error
messages, based on the
NAT configuration. The
ACE appliance overwrites
the packet with the
translated IP addresses.
multiple identities in
multiple directories
cannot be recognized by
NAT.
RTSP
TCP
Src—Any
NAT
No
RFC 2326, Inspects RTSP packets
RFC 2327, and translates the payload
RFC 1889 according to NAT rules.
The ACE opens up the
secondary channels for
audio and video. Not all
the RTSP methods (packet
types) specified in the
RFC are supported.
NAT
No
—
NAT
No
RFC 2543, The ACE does not support
RFC 3261, PAT with SIP.
RFC 3265,
RFC 3428
Dest—554
SCCP
TCP
Src—Any
Dest—2000
SIP
TCP and
UDP
Src—Any
Dest—5060
The ACE does not support
PAT with SCCP.
1. The ACE is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example,
FTP commands are supposed to be in a particular order, but the ACE does not enforce the order.
For background information about application protocol inspection as performed by the ACE appliance,
see the Security Guide, Cisco ACE Application Control Engine.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
12-7
Chapter 12
Configuring Traffic Policies
Configuring Virtual Context Class Maps
Related Topics
•
Configuring Virtual Context Policy Maps, page 12-34
•
Setting Match Conditions for Class Maps, page 12-10
•
Configuring Virtual Context Policy Maps, page 12-34
•
Configuring Rules and Actions for Policy Maps, page 12-36
Configuring Virtual Context Class Maps
Class maps are used to define each Layer 3 and Layer 4 traffic class and each Layer 7 protocol class.
You create class maps to classify the traffic received and transmitted by the ACE appliance.
•
Layer 3 and Layer 4 traffic classes contain match criteria that identify the IP network traffic that can
pass through the ACE appliance or network management traffic that can be received by the ACE
appliance.
•
Layer 7 protocol-specific classes identify:
– Server load balancing, based on generic, HTTP, RADIUS, RTSP, or SIP traffic
– HTTP or SIP traffic for deep inspection
– FTP traffic for inspection of commands
A traffic class contains:
Note
•
A class map name
•
One or more match commands that define the match criteria for the class map
•
Instructions on how the ACE appliance evaluates match commands when there is more than one
match command in a traffic class
To successfully delete a class map from a context, the class map must no longer be in use. To delete
multiple class maps, none of the class maps must be in use. If you attempt to delete multiple class maps
and one of the class maps is still in use, none of the class maps are deleted and a message appears stating
that one of the class maps is in use. Remove the class map that is still in use from your selection, and
then click Delete. The selected class maps are removed.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
Click Add to add a new class map, or select an existing class map, and then click Edit to modify it.
Step 3
The Name field contains an automatically incremented number for the class map. You can leave the
number as it is or enter a different, unique number.
Step 4
In the Class Map Type field, select the type of class map you are creating (Table 12-3).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
12-8
OL-26645-02
Chapter 12
Configuring Traffic Policies
Configuring Virtual Context Class Maps
Table 12-3
Class Maps Types
Class Map
Related Topic
Layer 3/4 Management Traffic
Setting Match Conditions for Layer 3/Layer 4 Management
Traffic Class Maps, page 12-14
Layer 3/4 Network Traffic
Setting Match Conditions for Class Maps, page 12-10
Layer 7 Command Inspection - FTP
Setting Match Conditions for Layer 7 FTP Command
Inspection Class Maps, page 12-30
Layer 7 Deep Packet Inspection HTTP
Setting Match Conditions for Layer 7 HTTP Deep Packet
Inspection Class Maps, page 12-25
Layer 7 Deep Packet Inspection - SIP Setting Match Conditions for Layer 7 SIP Deep Packet
Inspection Class Maps, page 12-31
Step 5
Layer 7 Server Load Balancing
Setting Match Conditions for Layer 7 Server Load-Balancing
Class Maps, page 12-16
Server Load Balancing - Generic
Setting Match Conditions for Generic Server Load Balancing
Class Maps, page 12-19
Server Load Balancing - RADIUS
Setting Match Conditions for RADIUS Server Load Balancing
Class Maps, page 12-20
Server Load Balancing - RTSP
Setting Match Conditions for RTSP Server Load Balancing
Class Maps, page 12-21
Server Load Balancing - SIP
Setting Match Conditions for SIP Server Load Balancing Class
Maps, page 12-23
For all selections except Layer 7 Command Inspection - FTP, in the Match Type field, select the method
the ACE appliance is to use to evaluate multiple match statements when multiple match conditions exist
in the class map:
•
Match-any—Indicates that the class map is a match if at least one of the match conditions listed in
the class map is satisfied.
•
Match-all—Indicates that the class map is a match only if all match conditions listed in the class
map are satisfied.
Step 6
In the Description field, enter a brief description for this class map.
Step 7
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance and to configure match
conditions for this class map. See Setting Match Conditions for Class Maps, page 12-10 for more
information.
•
Click Cancel to exit the procedure without saving your entries and to return to the Class Maps table.
•
Click Next to save your entries and to configure another class map.
Related Topics
•
Configuring Virtual Contexts, page 4-1
•
Deleting Class Maps, page 12-10
•
Setting Match Conditions for Class Maps, page 12-10
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
12-9
Chapter 12
Configuring Traffic Policies
Setting Match Conditions for Class Maps
•
Configuring Virtual Context Policy Maps, page 12-34
Deleting Class Maps
To successfully delete a class map from a context, the class map must no longer be in use. To delete
multiple class maps, none of the class maps must be in use.
Assumption
The class map to be deleted is not being used.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
Select the class maps you want to delete, and then click Delete.
If you attempt to delete multiple class maps and one of the class maps is still in use, none of the class
maps are deleted and a message appears stating that one of the class map is in use. Remove the class map
that is still in use from your selection, and then click Delete. The Class Maps table refreshes and the
deleted class maps no longer appear.
Related Topics
•
Class Map and Policy Map Overview, page 12-2
•
Configuring Virtual Context Class Maps, page 12-8
Setting Match Conditions for Class Maps
Table 12-4 lists the class maps available for the ACE and provides links to topics for setting match
conditions:
Table 12-4
Class Maps and Match Conditions
Class Map
Related Topic
Layer 3/4 Management Traffic
Setting Match Conditions for Layer 3/Layer 4 Management
Traffic Class Maps, page 12-14
Layer 3/4 Network Traffic
Setting Match Conditions for Layer 3/Layer 4 Network Traffic
Class Maps, page 12-11
Layer 7 Command Inspection - FTP
Setting Match Conditions for Layer 7 FTP Command
Inspection Class Maps, page 12-30
Layer 7 Deep Packet Inspection HTTP
Setting Match Conditions for Layer 7 HTTP Deep Packet
Inspection Class Maps, page 12-25
Layer 7 Deep Packet Inspection - SIP Setting Match Conditions for Layer 7 SIP Deep Packet
Inspection Class Maps, page 12-31
Layer 7 Server Load Balancing
Setting Match Conditions for Layer 7 Server Load-Balancing
Class Maps, page 12-16
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
12-10
OL-26645-02
Chapter 12
Configuring Traffic Policies
Setting Match Conditions for Class Maps
Table 12-4
Class Maps and Match Conditions (continued)
Class Map
Related Topic
Server Load Balancing - Generic
Setting Match Conditions for Generic Server Load Balancing
Class Maps, page 12-19
Server Load Balancing - RADIUS
Setting Match Conditions for RADIUS Server Load Balancing
Class Maps, page 12-20
Server Load Balancing - RTSP
Setting Match Conditions for RTSP Server Load Balancing
Class Maps, page 12-21
Server Load Balancing - SIP
Setting Match Conditions for SIP Server Load Balancing Class
Maps, page 12-23
Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps
Use this procedure to specify the match criteria for a Layer 3/Layer 4 network traffic class map on the
ACE appliance.
Assumption
You have configured a Layer 3/Layer 4 class map and want to establish match conditions.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
In the Class Maps table, select the Layer 3/4 network traffic class map you want to set match conditions
for. You can select multiple class maps (hold down the Shift key while selecting entries) and apply
common match conditions to them.
Step 3
In the Match Condition table, click Add to add match criteria, or select the match condition you want to
modify, and then click Edit. The Match Condition configuration screen appears.
Step 4
In the Sequence Number field, enter an integer from 2 to 255.
Step 5
In the Match Condition Type field, select the type of match condition to be used for this class map and
configure any match-specific attributes as described in Table 12-5.
Table 12-5
Layer 3/Layer 4 Network Traffic Class Map Match Condition Attributes
Match Condition Type Description
Access List
Indicates that an access list is the match type for this match condition.
In the Extended ACL field, select the ACL to use as the match condition.
Any
Indicates that any Layer 3 or Layer 4 traffic passing through the ACE appliance meets the match
condition.
Anyv6
This option appears for Device Manager software Version A5(1.2) and later only. Any Layer 3 or
Layer 4 IPv6 traffic passing through the ACE meets the match condition.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
12-11
Chapter 12
Configuring Traffic Policies
Setting Match Conditions for Class Maps
Table 12-5
Layer 3/Layer 4 Network Traffic Class Map Match Condition Attributes (continued)
Match Condition Type Description
Destination Address
Indicates that a destination address is the match type for this match condition.
1.
For the IP Address Type, select either IPv4 or IPv6 for the address type.
2.
In the Destination Address field, enter the destination IP address for this match condition in
the format based on the address type (IPv4 or IPv6).
3.
For an IPv4 destination address, in the Destination Netmask field, select the subnet mask of
the IP address.
For an IPv6 destination address, in the Destination Prefix-length field, enter the prefix length
for the address.
Port
Indicates that a UDP or TCP port or range of ports is the match type for this match condition.
1.
In the Port Protocol field, select TCP or UDP as the protocol to be matched.
2.
In the Port Operator field, select the match criteria for the port:
– Any—Indicates that any port using the selected protocol meets the match condition.
– Equal To—Indicates that a specific port using the protocol meets the match condition.
In the Port Number field, enter the port to be matched. Valid entries are integers from 0 to
65535. A value of 0 indicates that the ACE appliance is to include all ports.
– Range—Indicates that the port must be one of a range of ports to meet the match condition.
a. In the Lower Port Number field, enter the first port number in the port range for the
match condition.
b. In the Upper Port Number field, enter the last port number in the port range for the
match condition.
Valid entries are integers from 0 to 65535. A value of 0 indicates that the ACE appliance
is to include all ports.
Portv6
This option appears for Device Manager software Version A5(1.2) and later only. UDP or TCP port
or range of ports for IPv6 traffic that is the match type for this match condition.
For port configuration information, see Port.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
12-12
OL-26645-02
Chapter 12
Configuring Traffic Policies
Setting Match Conditions for Class Maps
Table 12-5
Layer 3/Layer 4 Network Traffic Class Map Match Condition Attributes (continued)
Match Condition Type Description
Source Address
Indicates that a source IP address is the match type for this match condition.
1.
For the IP Address Type, select either IPv4 or IPv6 for the address type.
2.
In the Source IP Address field, enter the source IP address for this match condition in the
format based on the address type (IPv4 or IPv6).
3.
For an IPv4 source address, in the Source Netmask field, select the subnet mask of the IP
address.
For an IPv6 source address, in the Source Prefix-length field, enter the prefix length for the
address.
Virtual Address
Indicates that a virtual IP address is the match type for this match condition.
1.
For the IP Address Type, select either IPv4 or IPv6 for the address type.
2.
In the Virtual Address field, enter the virtual IP address for this match condition in the format
based on the address type (IPv4 or IPv6).
3.
For an IPv4 virtual address, in the Virtual Netmask field, select the subnet mask of the IP
address.
For an IPv6 virtual address, in the Virtual Prefix-length field, enter the prefix length for the
address.
4.
In the Virtual Address Protocol field, select the protocol to be used for this match condition.
For a list of protocols and their respective numbers, see Table 4-18.
Depending on the protocol that you select, additional fields appear. If they appear, enter the
information described in the following steps.
5.
In the Port Operator field, select the match criteria for the port:
– Any—Indicates that any port using the selected protocol meets the match condition.
– Equal To—Indicates that a specific port using the protocol meets the match condition.
In the Port Number field, enter the port to be matched. Valid entries are integers from 0 to
65535. A value of 0 indicates that the ACE appliance is to include all ports.
– Range—Indicates that the port must be one of a range of ports to meet the match condition.
Valid entries are integers from 0 to 65535. A value of 0 indicates that the ACE appliance
is to include all ports.
a. In the Lower Port Number field, enter the first port number in the port range for the
match condition.
b. In the Upper Port Number field, enter the last port number in the port range for the
match condition.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
12-13
Chapter 12
Configuring Traffic Policies
Setting Match Conditions for Class Maps
Step 6
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance and to return to the Match
Condition table.
Note
If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if
you have not made changes. If you have not altered existing match conditions, click Cancel
instead of Deploy Now to ensure uninterrupted traffic.
•
Click Cancel to exit the procedure without saving your entries and to return to the Match Condition
table.
•
Click Next to save your entries and to configure additional match conditions.
Related Topics
•
Configuring Traffic Policies, page 12-1
•
Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 12-14
•
Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps, page 12-16
•
Configuring Virtual Context Policy Maps, page 12-34
•
Configuring Virtual Context Class Maps, page 12-8
Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class
Maps
Use this procedure to identify the network management protocols that can be received by the ACE
appliance.
Assumption
You have configured a network management class map and want to establish the match conditions.
Procedure
Step 1
Choose Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
In the Class Maps table, select the Layer 3/Layer 4 management class map you want to set match
conditions for. You can select multiple class maps (hold down the Shift key while selecting entries) and
apply common match conditions to them.
Step 3
In the Match Condition table, click Add to add match criteria, or select the match conditions you want
to modify, and then click Edit. The Match Condition configuration screen appears.
Step 4
Enter the match conditions (see Table 12-6).
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
12-14
OL-26645-02
Chapter 12
Configuring Traffic Policies
Setting Match Conditions for Class Maps
Table 12-6
Management Class Map Match Conditions
Field
Description
Sequence Number
Enter an integer from 2 to 255 as the line number. The number entered here
does not indicate a priority or sequence for the match conditions.
Match Condition Type
Select Management to confirm that this is for Layer 3/Layer 4 management
traffic.
Note
Management Protocol
Type
To change the type of match condition, you must delete the class map
and add it again with the correct match type.
This field identifies the network management protocols that can be received
by the ACE appliance.
Select the allowed protocol for this match condition:
Traffic Type
•
HTTP—Specifies the Hypertext Transfer Protocol (HTTP).
•
HTTPS—Specifies the Hypertext Transfer Protocol Secure (HTTPS) for
connectivity with the ACE Appliance Device Manager GUI on the ACE
appliance. Communication is performed using port 443.
•
ICMP—Specifies the Internet Control Message Protocol (ICMP),
commonly referred to as ping.
•
ICMPv6—Specifies the Internet Control Message Protocol version 6
(ICMPv6).
•
KALAP UDP—Specifies the KeepAlive Appliance Protocol over UDP.
•
SNMP—Specifies the Simple Network Management Protocol (SNMP).
•
SSH—Specifies a Secure Shell (SSH) connection to the ACE appliance.
•
TELNET—Specifies a Telnet connection to the ACE appliance.
•
XML-HTTPS—Specifies HTTPS as the transfer protocol for sending
and receiving XML documents between the ACE appliance and a
Network Management System (NMS). Communication is performed
using port 10443.
Select the type of traffic:
Source Address
•
Any—Indicates that any client source IP address meets the match
condition.
•
Source Address—Indicates that a specific source IP address is part of
the match condition.
This field appears if Source Address is selected for Traffic Type.
Enter the source IP address of the client in dotted-decimal notation, such as
192.168.11.1.
For ICMPv6, enter a complete IPv6 address.
Source Netmask
This field appears if Source Address is selected for Traffic Type.
Select the subnet mask for the source IP address.
Source Prefix-length
This field appears if ICMPv6 is selected for the Management Protocol Type
and Source Address is selected for Traffic Type.
Enter the prefix length for the source IPv6 address.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
12-15
Chapter 12
Configuring Traffic Policies
Setting Match Conditions for Class Maps
Step 5
Do the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance and to return to the Match
Condition table.
Note
If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if
you have not made changes. If you have not altered existing match conditions, click Cancel
instead of Deploy Now to ensure uninterrupted traffic.
•
Click Cancel to exit the procedure without saving your entries and to return to the Match Condition
table.
•
Click Next to save your entries and to configure additional match conditions.
Related Topics
•
Configuring Traffic Policies, page 12-1
•
Configuring Virtual Context Class Maps, page