Cisco ACE 4700 Series Appliance Device Manager GUI

Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Configuration Guide
Software Version A4(1.0)
November 2010
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-23543-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at
www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco 4700 Series Application Control Engine Appliance Device Manager Configuration Guide 
© 2007-2010 Cisco Systems, Inc. All rights reserved.
CONTENTS

About the Documentation  xiii
  Audience  xiii
  Organization  xiii
  Related Documentation  xiv
  Conventions  xvi
  Obtaining Documentation, Obtaining Support, and Security Guidelines  xvii
  Open-Source Software Included in Cisco 4700 Series Application Control Engine (ACE) appliance  xvii
  Open Source License Acknowledgements  xviii
    OpenSSL/Open SSL Project  xviii
    License Issues  xviii

CHAPTER 1  Overview  1-1
  ACE Appliance Device Manager Overview  1-1
  Finding Information on CLI Tasks  1-2
  Changing Your Account Password  1-3
  Logging Into ACE Appliance Device Manager  1-5
  ACE Appliance Device Manager Interface Overview  1-5
    Understanding ACE appliance Device Manager Screens and Menus  1-7
    Understanding ACE appliance Device Manager Buttons  1-8
    Understanding Table Buttons  1-10
    Conventions in Tables  1-11
    Using the Advanced Editing Option  1-13
    ACE Appliance Device Manager Screen Conventions  1-14
    Viewing Monitoring Results  1-15
  Understanding ACE appliance Device Manager Terminology  1-17
  Configuration Overview  1-18
  Understanding ACE Features  1-19

CHAPTER 2  Configuring Virtual Contexts  2-1
  Using Virtual Contexts  2-2
  Creating Virtual Contexts  2-2
  Configuring Virtual Contexts  2-7
    Configuring Virtual Context System Attributes  2-10
    Configuring Virtual Context Primary Attributes  2-11
    Configuring Virtual Context Syslog Logging  2-12
      Configuring Syslog Log Hosts  2-16
      Configuring Syslog Log Messages  2-17
      Configuring Syslog Log Rate Limits  2-18
    Configuring SNMP for Virtual Contexts  2-19
      Configuring SNMP Version 2c Communities  2-20
      Configuring SNMP Version 3 Users  2-21
      Configuring SNMP Trap Destination Hosts  2-23
      Configuring SNMP Notification  2-25
    Configuring Virtual Context Global Traffic Policies  2-26
  Managing ACE Appliance Licenses  2-27
    Viewing ACE Appliance Licenses  2-28
    Installing ACE Appliance Licenses  2-28
    Updating ACE Appliance Licenses  2-30
    Uninstalling ACE Appliance Licenses  2-31
    Displaying License Configuration and Statistics  2-32
  Managing Resource Classes  2-33
    Resource Allocation Constraints  2-34
    Adding Resource Classes  2-36
    Modifying Resource Classes  2-37
    Deleting Resource Classes  2-38
    Viewing Resource Class Use on Virtual Contexts  2-39
  Using the Configuration Checkpoint and Rollback Service  2-40
    Creating a Configuration Checkpoint  2-40
    Deleting a Configuration Checkpoint  2-41
    Rolling Back a Running Configuration  2-42
    Displaying Checkpoint Information  2-42
  Performing Device Backup and Restore Functions  2-43
    Backing Up Device Configuration and Dependencies  2-46
    Restoring Device Configuration and Dependencies  2-49
  Configuring Security with ACLs  2-51
    Creating ACLs  2-52
    Setting Extended ACL Attributes  2-54
    Resequencing Extended ACLs  2-58
    Setting EtherType ACL Attributes  2-58
    Viewing All ACLs by Context  2-60
    Editing or Deleting ACLs  2-60
  Configuring Object Groups  2-61
    Configuring IP Addresses for Object Groups  2-62
    Configuring Subnet Objects for Object Groups  2-62
    Configuring Protocols for Object Groups  2-63
    Configuring TCP/UDP Service Parameters for Object Groups  2-64
    Configuring ICMP Service Parameters for an Object Group  2-66
  Configuring Virtual Context Expert Options  2-68
  Managing Virtual Contexts  2-68
    Synchronizing Virtual Context Configurations  2-68
      Viewing Virtual Context Synchronization Status  2-69
      High Availability and Virtual Context Configuration Status  2-70
      Manually Synchronizing Individual Virtual Context Configurations  2-71
      Manually Synchronizing All Virtual Context Configurations  2-71
    Editing Virtual Contexts  2-72
    Deleting Virtual Contexts  2-73
    Viewing All Virtual Contexts  2-73

CHAPTER 3  Configuring Virtual Servers  3-1
  Load Balancing Overview  3-1
  Configuring Virtual Servers  3-2
    Understanding Virtual Server Configuration and ACE Appliance Device Manager  3-2
    Using ACE Appliance Device Manager to Configure Virtual Servers  3-4
    Virtual Server Usage Guidelines  3-5
    Virtual Server Testing and Troubleshooting  3-6
    Virtual Server Configuration Procedure  3-7
    Shared Objects and Virtual Servers  3-9
    Configuring Virtual Server Properties  3-11
    Configuring Virtual Server SSL Termination  3-17
    Configuring Virtual Server Protocol Inspection  3-19
    Configuring Virtual Server Layer 7 Load Balancing  3-29
    Configuring Virtual Server Default Layer 7 Load Balancing  3-51
    Configuring Application Acceleration and Optimization  3-54
    Configuring Virtual Server NAT  3-58
  Managing Virtual Servers  3-59
    Viewing Virtual Servers by Context  3-59
    Activating Virtual Servers  3-60
    Suspending Virtual Servers  3-60
    Viewing Detailed Virtual Server Information  3-61
    Viewing All Virtual Servers  3-61
CHAPTER 4  Configuring Real Servers and Server Farms  4-1
  Server Load Balancing Overview  4-1
    Load-Balancing Predictors  4-2
    Real Servers  4-3
    Server Farms  4-4
  Configuring Real Servers  4-4
  Managing Real Servers  4-7
    Activating Real Servers  4-8
    Suspending Real Servers  4-8
    Modifying Real Servers  4-9
    Viewing All Real Servers  4-10
  Configuring Server Farms  4-11
    Adding Real Servers to a Server Farm  4-17
    Configuring the Predictor Method for Server Farms  4-20
    Configuring Server Farm HTTP Return Error-Code Checking  4-27
    Viewing All Server Farms  4-29
  Configuring Health Monitoring  4-29
    TCL Scripts  4-30
    Configuring Health Monitoring for Real Servers  4-31
    Probe Attribute Tables  4-36
    Configuring DNS Probe Expect Addresses  4-51
    Configuring Headers for HTTP and HTTPS Probes  4-52
    Configuring Health Monitoring Expect Status  4-53
    Configuring an OID for SNMP Probes  4-54
  Configuring Secure KAL-AP  4-55

CHAPTER 5  Configuring Stickiness  5-1
  Stickiness Overview  5-1
    Sticky Types  5-3
      HTTP Content Stickiness  5-4
      HTTP Cookie Stickiness  5-4
      HTTP Header Stickiness  5-5
      IP Netmask Stickiness  5-5
      Layer 4 Payload Stickiness  5-5
      RADIUS Stickiness  5-6
      RTSP Header Stickiness  5-6
      SIP Header Stickiness  5-6
    Sticky Groups  5-6
    Sticky Table  5-7
  Configuring Sticky Groups  5-7
    Sticky Group Attribute Tables  5-10
    Viewing All Sticky Groups by Context  5-15
  Configuring Sticky Statics  5-15

CHAPTER 6  Configuring Parameter Maps  6-1
  Configuring Connection Parameter Maps  6-2
  Configuring Generic Parameter Maps  6-7
  Configuring HTTP Parameter Maps  6-8
  Configuring Optimization Parameter Maps  6-11
  Configuring RTSP Parameter Maps  6-18
  Configuring SIP Parameter Maps  6-19
  Configuring Skinny Parameter Maps  6-21
  Configuring DNS Parameter Maps  6-22
    Supported MIME Types  6-23
  Viewing All Parameter Maps by Context  6-25

CHAPTER 7  Configuring SSL  7-1
  SSL Overview  7-2
    SSL Configuration Prerequisites  7-3
    RBAC User Role Requirements for SSL Configurations  7-3
    Summary of SSL Configuration Steps  7-4
    SSL Setup Sequence  7-5
  Using SSL Certificates  7-6
    Importing SSL Certificates  7-8
  Using SSL Keys  7-11
    Importing SSL Key Pairs  7-12
    Generating SSL Key Pairs  7-15
    Exporting SSL Certificates  7-16
    Exporting SSL Key Pairs  7-18
  Configuring SSL Parameter Maps  7-19
  Configuring SSL Chain Group Parameters  7-24
  Configuring SSL CSR Parameters  7-25
    Generating CSRs  7-26
  Configuring SSL Proxy Service  7-27
    Enabling Client Authentication  7-29
      Configuring SSL Authentication Groups  7-29
      Configuring CRLs for Client Authentication  7-31

CHAPTER 8  Configuring Network Access  8-1
  Configuring Port Channel Interfaces  8-2
    Why Use Port Channels?  8-2
    Configuring a Port-Channel Interface  8-3
  Configuring Gigabit Ethernet Interfaces  8-4
  Configuring Virtual Context VLAN Interfaces  8-8
    Viewing All VLAN Interfaces  8-14
    Configuring VLAN Interface Options  8-14
    Configuring VLAN Interface Policy Map Use  8-15
    Configuring VLAN Interface Access Control  8-16
    Configuring VLAN Interface Static ARP Entries  8-17
    Configuring VLAN Interface NAT Pools  8-17
    Configuring VLAN Interface DHCP Relay  8-19
  Configuring Virtual Context BVI Interfaces  8-19
    Viewing All BVI Interfaces by Context  8-21
  Configuring Virtual Context Static Routes  8-22
    Viewing All Static Routes by Context  8-23
  Configuring Global IP DHCP  8-23

CHAPTER 9  Configuring High Availability  9-1
  Understanding ACE Redundancy  9-2
    Redundancy Protocol  9-2
    Stateful Failover  9-3
    Fault-Tolerant VLAN  9-4
    Configuration Synchronization  9-5
    Redundancy Configuration Requirements and Restrictions  9-5
  Configuring High Availability Overview  9-6
    High Availability Polling  9-6
    Synchronizing High Availability Configurations with ACE Appliance Device Manager  9-7
  Configuring High Availability Peers  9-8
    Clearing High Availability Pairs  9-10
  Configuring ACE High Availability Groups  9-11
    Editing ACE High Availability Groups  9-13
    Taking a High Availability Group Out of Service  9-14
    Enabling a High Availability Group  9-14
    Switching Over a High Availability Group  9-15
    Deleting ACE High Availability Groups  9-15
  High Availability Tracking and Failure Detection Overview  9-16
    Tracking VLAN Interfaces for High Availability  9-17
    Tracking Hosts for High Availability  9-18
      Configuring Host Tracking Probes  9-19
      Deleting Host Tracking Probes  9-20
      Configuring Peer Host Tracking Probes  9-20
      Deleting Peer Host Tracking Probes  9-21

CHAPTER 10  Configuring Traffic Policies  10-1
  Class Map and Policy Map Overview  10-2
    Class Maps  10-3
    Policy Maps  10-4
    Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps  10-5
  Application Protocol Inspection Overview  10-5
  Configuring Virtual Context Class Maps  10-8
    Deleting Class Maps  10-10
    Setting Match Conditions for Class Maps  10-10
      Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps  10-11
      Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps  10-13
      Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps  10-15
      Setting Match Conditions for Generic Server Load Balancing Class Maps  10-18
      Setting Match Conditions for RADIUS Server Load Balancing Class Maps  10-19
      Setting Match Conditions for RTSP Server Load Balancing Class Maps  10-20
      Setting Match Conditions for SIP Server Load Balancing Class Maps  10-22
      Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps  10-24
      Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps  10-29
      Setting Match Conditions for Layer 7 SIP Deep Packet Inspection Class Maps  10-30
  Configuring Virtual Context Policy Maps  10-33
    Configuring Rules and Actions for Policy Maps  10-35
      Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic  10-36
      Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic  10-42
      Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic  10-43
      Setting Policy Map Rules and Actions for Generic Server Load Balancing  10-50
      Setting Policy Map Rules and Actions for RADIUS Server Load Balancing  10-53
      Setting Policy Map Rules and Actions for RTSP Server Load Balancing  10-55
      Setting Policy Map Rules and Actions for SIP Server Load Balancing  10-58
      Setting Policy Map Rules and Actions for RDP Server Load Balancing  10-61
      Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection  10-63
      Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection  10-69
      Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection  10-72
      Setting Policy Map Rules and Actions for Layer 7 Skinny Deep Packet Inspection  10-74
      Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization  10-76
    Special Characters for Matching String Expressions  10-79
  Configuring Actions Lists  10-80
    Configuring an HTTP Header Modify Action List  10-80
      Configuring HTTP Header Insertion, Deletion, and Rewrite  10-81
      Configuring SSL URL Rewrite  10-83
      Configuring SSL Header Insertion  10-85

CHAPTER 11  Configuring Application Acceleration and Optimization  11-1
  Optimization Overview  11-2
  Optimization Traffic Policies and Typical Configuration Flow  11-2
  Configuring an HTTP Optimization Action List  11-3
  Configuring Optimization Parameter Maps  11-6
  Configuring Traffic Policies for HTTP Optimization  11-6
  Enabling HTTP Optimization Using Virtual Servers  11-9
  Configuring Global Application Acceleration and Optimization  11-9

CHAPTER 12  Monitoring Your Network  12-1
  Error Monitoring  12-2
  Graphing Data  12-3
  Monitoring the CPU  12-5
  Monitoring Application Acceleration and Optimization Statistics  12-6
  Monitoring Interfaces  12-7
  Setting Up Virtual Contexts Statistics Collection  12-8
  Monitoring Probes  12-8
  Monitoring Real Servers  12-10
  Displaying Resource Usage  12-11
  Monitoring Load Balancing  12-12
  Testing Ping  12-14

CHAPTER 13  Managing the ACE Appliance  13-1
  Overview of the Admin Functions  13-1
  Controlling Access to the Cisco ACE Appliance  13-3
    Types of Users  13-5
    Understanding Roles  13-5
    Understanding Operations Privileges  13-6
    Understanding Domains  13-7
  Managing Users  13-7
    Guidelines for Managing Users  13-8
    Displaying a List of Users  13-8
    Creating User Accounts  13-8
    Modifying User Accounts  13-10
    Deleting User Accounts  13-10
    Displaying Current User Sessions  13-11
    Deleting Active Users  13-11
    Ending Active User Sessions  13-12
    Changing User Passwords  13-13
    Changing the Admin Password  13-13
  Managing User Roles  13-13
    Guidelines for Managing User Roles  13-14
    Role Mapping in ACE Appliance Device Manager  13-19
    RBAC User Role Requirements Related to Virtual Servers  13-27
    Displaying User Roles  13-27
    Creating User Roles  13-28
    Modifying User Roles  13-30
    Deleting User Roles  13-30
    Adding, Editing, or Deleting Rules  13-31
  Managing Domains  13-31
    Guidelines for Managing Domains  13-31
    Displaying Network Domains  13-32
    Creating Domains  13-33
    Modifying Domains  13-34
    Deleting Domains  13-34
    Adding or Deleting Domain Objects from a Domain  13-35
  Monitoring ACE Appliance Statistics  13-35
    Viewing ACE Appliance Server Statistics  13-35
    Configuring ACE Appliance Server Statistics Collection  13-36
  Using Admin Tools  13-37

CHAPTER 14  Using ACE Appliance Device Manager Troubleshooting Tools  14-1
  Generating a Diagnostic Package  14-1
    Guidelines for Using Lifeline  14-2
    Creating a Lifeline Package from the ACE Appliance DM GUI  14-3
    Downloading a Lifeline Package  14-3
    Deleting a Lifeline Package  14-4
    Creating a Lifeline Package from the ACE Appliance CLI  14-5
  Manipulating ACE Appliance Files  14-6
    About File Browser  14-6
    Downloading Files  14-7
    Uploading Files  14-7
    Renaming Files  14-8
    Deleting Files  14-8
    Viewing Files  14-9
  Checking the ACE Appliance DM GUI Status  14-10

GLOSSARY

INDEX
About the Documentation
This documentation describes how to use the Device Manager to configure the Cisco 4700 Series
Application Control Engine (ACE) appliance.
This section provides the following topics about the documentation:
• Audience, page xiii
• Organization, page xiii
• Related Documentation, page xiv
• Conventions, page xvi
• Obtaining Documentation, Obtaining Support, and Security Guidelines, page xvii
• Open-Source Software Included in Cisco 4700 Series Application Control Engine (ACE) appliance, page xvii
• Open Source License Acknowledgements, page xviii
Audience
This documentation is intended for experienced system and network administrators. Depending on the configuration required, readers should have specific knowledge in the following areas:
• Networking and data communications
• Network security
• Router configuration
Organization
This documentation contains the following sections:
• Chapter 1, “Overview” contains a summary of ACE features and the ACE Appliance Device Manager interface, terms, and getting started configuration information.
• Chapter 2, “Configuring Virtual Contexts” describes how to configure virtual contexts on the ACE appliance so that you can effectively and efficiently manage and allocate resources, users, and services.
• Chapter 3, “Configuring Virtual Servers” contains procedures for configuring virtual servers for load balancing on the ACE.
• Chapter 4, “Configuring Real Servers and Server Farms” provides an overview of server load balancing and procedures for configuring real servers and server farms for load balancing on the ACE.
• Chapter 5, “Configuring Stickiness” provides information about sticky behavior and procedures for configuring stickiness with the ANM.
• Chapter 6, “Configuring Parameter Maps” describes how to configure parameter maps so that the ACE can perform actions on incoming traffic based on certain criteria, such as protocol or connection attributes.
• Chapter 7, “Configuring SSL” describes the SSL configuration process and details the procedures for configuring SSL on the ACE appliance.
• Chapter 8, “Configuring Network Access” includes information about configuring virtual context VLAN interfaces, port channel interfaces, and gigabit Ethernet interfaces.
• Chapter 9, “Configuring High Availability” contains an overview of the redundancy feature and explains how to configure high availability.
• Chapter 10, “Configuring Traffic Policies” describes how to configure class maps and policy maps to provide a global level of classification for filtering traffic received by or passing through the ACE appliance.
• Chapter 11, “Configuring Application Acceleration and Optimization” describes how to configure application acceleration and optimization options on the ACE appliance.
• Chapter 12, “Monitoring Your Network” describes how to monitor key areas of system usage.
• Chapter 13, “Managing the ACE Appliance” describes the administrative tools that manage the ACE appliance.
• Chapter 14, “Using ACE Appliance Device Manager Troubleshooting Tools” describes the administrator-only diagnostic tools to help troubleshoot ACE appliance management problems.
• “Glossary” defines some of the terms used in this document.
Related Documentation
In addition to this documentation, the ACE documentation set includes the following:

Table 1  ACE Appliance Documentation

Document Title: Release Note for the Cisco 4700 Series Application Control Engine Appliance
Description: Provides information about operating considerations, caveats, and command-line interface (CLI) commands for the ACE.

Document Title: Cisco Application Control Engine Appliance Hardware Installation Guide
Description: Provides information for installing the ACE appliance.

Document Title: Regulatory Compliance and Safety Information for the Cisco Application Control Engine Appliance
Description: Regulatory compliance and safety information for the ACE appliance.

Document Title: Cisco 4700 Series Application Control Engine Appliance Quick Start Guide
Description: Describes how to use the ACE appliance Device Manager and CLI to perform the initial setup and VIP load-balancing configuration tasks.

Document Title: Cisco 4700 Series Application Control Engine Appliance Administration Guide
Description: Describes how to perform the following administration tasks on the ACE:
  • Setting up the ACE appliance
  • Establishing remote access
  • Managing software licenses
  • Configuring class maps and policy maps
  • Managing the ACE software
  • Configuring SNMP
  • Configuring redundancy
  • Configuring the XML interface
  • Upgrading the ACE software

Document Title: Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide
Description: Describes how to operate your ACE in a single context or in multiple contexts.

Document Title: Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide
Description: Describes how to configure the following routing and bridging tasks on the ACE:
  • Ethernet ports
  • VLAN interfaces
  • Routing
  • Bridging
  • Dynamic Host Configuration Protocol (DHCP)

Document Title: Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide
Description: Describes how to configure the following server load-balancing tasks on the ACE:
  • Real servers and server farms
  • Class maps and policy maps to load-balance traffic to real servers in server farms
  • Server health monitoring (probes)
  • Stickiness
  • Firewall load balancing
  • TCL scripts

Document Title: Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
Description: Describes how to perform the following ACE security configuration tasks:
  • Security access control lists (ACLs)
  • User authentication and accounting using a Terminal Access Controller Access Control System + (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) server
  • Application protocol and HTTP deep packet inspection
  • TCP/IP normalization and termination parameters
  • Network address translation (NAT)

Document Title: Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide
Description: Describes the configuration of the application acceleration and optimization features of the ACE appliance. It also provides an overview and description of these features.

Document Title: Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide
Description: Describes how to configure the following Secure Sockets Layer (SSL) tasks on the ACE:
  • SSL certificates and keys
  • SSL initiation
  • SSL termination
  • End-to-end SSL

Document Title: Cisco 4700 Series Application Control Engine Appliance System Message Guide
Description: Describes how to configure system message logging on the ACE. This guide also lists and describes the system log (syslog) messages generated by the ACE.

Document Title: Cisco 4700 Series Application Control Engine Appliance Command Reference
Description: Provides an alphabetical list and descriptions of all CLI commands by mode, including syntax, options, and related commands.

Document Title: Cisco CSS-to-ACE Conversion Tool User Guide
Description: Describes how to use the CSS-to-ACE conversion tool to migrate Cisco Content Services Switches (CSS) running- or startup-configuration files to the ACE.
Conventions
This documentation uses the following conventions:

Item: Commands and keywords
Convention: boldface font

Item: Variables for which you supply values
Convention: italic font

Item: Displayed session and system information
Convention: screen font

Item: Information you enter
Convention: boldface screen font

Item: Variables you enter
Convention: italic screen font

Item: Menu items and button names
Convention: boldface font

Item: Selecting a menu item in paragraphs
Convention: Option > Network Preferences

Item: Selecting a menu item in tables
Convention: Option > Network Preferences

Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback,
security guidelines, and also recommended aliases and general Cisco documents, see the monthly
What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical
documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Open-Source Software Included in Cisco 4700 Series Application Control Engine (ACE) appliance
• Cisco 4700 Series Application Control Engine (ACE) appliance includes the following open-source software, which is covered by the Apache 2.0 license (http://www.apache.org/): Ant, Apache Axis, Avalon Logkit, Commons, Ehcache, Globus Toolkit, Jetty, Log4J, Oro, Tomcat.
• Cisco 4700 Series Application Control Engine (ACE) appliance includes the following open-source software, which is covered by The Legion of the Bouncy Castle (http://www.bouncycastle.org/licence.html) license: BouncyCastle.
• Cisco 4700 Series Application Control Engine (ACE) appliance includes the following open-source software, which is covered by The Castor license (http://www.castor.org/license.html): Castor-0.9.5.
• Cisco 4700 Series Application Control Engine (ACE) appliance includes the following open-source software, which is covered by the GNU Lesser General Public License Version 2.1 (http://www.gnu.org/licenses/lgpl.html): c3p0-0.9.0.2.jar, Enterprise DT, Jasperreports 1.2, Jcommon 1.2, Jfreechart 1.0.1
• Cisco 4700 Series Application Control Engine (ACE) appliance includes the following open-source software, which is covered by the Mozilla Public License Version 1.1 (http://www.mozilla.org/MPL/MPL-1.1.html): Itext 1.4.
Open Source License Acknowledgements
The following acknowledgements pertain to this software license.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the
original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses
are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.
OpenSSL License:
© 1998-1999 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product
includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:
© 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are
adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is
covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts of
the library used. This can be in the form of a textual message at program startup or in documentation
(online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1.
Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3.
All advertising materials mentioning features or use of this software must display the following
acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.
The word ‘cryptographic’ can be left out if the routines from the library being used are not
cryptography-related.
4.
If you include any Windows specific code (or a derivative thereof) from the apps directory
(application code) you must include an acknowledgement: “This product includes software written
by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be
changed. i.e. this code cannot simply be copied and put under another distribution license [including the
GNU Public License].
Chapter 1
Overview
This section contains the following:
• ACE Appliance Device Manager Overview, page 1-1
• Logging Into ACE Appliance Device Manager, page 1-3
• Changing Your Account Password, page 1-5
• ACE Appliance Device Manager Interface Overview, page 1-5
• Configuration Overview, page 1-17
• Understanding ACE Features, page 1-18
• Understanding ACE appliance Device Manager Terminology, page 1-19
For more information on how to get started quickly, see the Cisco 4700 Series Application Control
Engine Appliance Quick Start Guide.
ACE Appliance Device Manager Overview
The ACE Appliance Device Manager, which resides in flash memory on the ACE appliance, provides a
browser-based interface for configuring and managing the ACE appliance. Its intuitive interface
combines easy navigation with point-and-click provisioning of services, reducing the complexity of
configuring virtual services and multiple feature sets.
ACE appliance Device Manager menus and options:
• Support end-to-end service provisioning of the ACE appliance and any associated virtual contexts, including network access, port management, application acceleration and optimization, load balancing, SSL management, resource management, and fault tolerance.
• Help you manage ACE appliance licenses and role-based access control (RBAC).
• Provide a monitoring interface with a flexible choice of statistics and graphs.
• Enable you to report any problem with the ACE appliance using the Lifeline feature, which allows you to forward critical information about the problem to Cisco Technical Support.
• Offer task-based context-sensitive help from each screen, providing information about fields on the screen and related procedures.
For more information on how to get started quickly, see the Cisco 4700 Series Application Control
Engine Appliance Device Manager GUI Quick Configuration Note.
Finding Information on CLI Tasks
ACE Appliance Device Manager does not include a one-to-one mapping of all the possible command
line interface (CLI) tasks for the ACE appliance. Table 1-1 identifies some of the individual tasks to be
performed from the CLI and provides a reference to the applicable configuration guide. For tasks not
found in this table, see the Cisco 4700 Series Application Control Engine Appliance CLI Quick
Configuration Note.
Table 1-1
CLI Documentation References
Task Topic / Related CLI Documentation
ARP, configuring
    Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide, Chapter 5, Configuring ARP
Authentication and accounting (AAA) services
    Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide, Chapter 2, Configuring Authentication and Accounting Services
Boot configuration (environment variable)
    Cisco 4700 Series Application Control Engine Appliance Administration Guide, Chapter 1, Setting Up the ACE
Date and time (time zone, daylight savings time, clock settings, and NTP)
    Cisco 4700 Series Application Control Engine Appliance Administration Guide, Chapter 1, Setting Up the ACE
LDAP directory server
    Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide, Chapter 2, Configuring Authentication and Accounting Services
Message-of-the-day banner
    Cisco 4700 Series Application Control Engine Appliance Administration Guide, Chapter 1, Setting Up the ACE
Logging in to the ACE
    Cisco 4700 Series Application Control Engine Appliance Administration Guide, Chapter 1, Setting Up the ACE
RADIUS server
    Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide, Chapter 2, Configuring Authentication and Accounting Services
script file (see note 1)
    Cisco 4700 Series Application Control Engine Appliance Command Reference
SSH management sessions
    Cisco 4700 Series Application Control Engine Appliance Administration Guide, Chapter 2, Enabling Remote Access to the ACE
TACACS+ server
    Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide, Chapter 2, Configuring Authentication and Accounting Services
VLAN interfaces, configuring
    Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide, Chapter 2, Configuring VLAN Interfaces
1. ACE appliance Device Manager supports the domain object type Script for RBAC configuration. It does not configure the script CLI command. To use the script file command, use the ACE Appliance CLI to load a script into memory on the ACE and enable it for use.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
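The naming rule above is easy to break from the CLI, and the failure only shows up later as a Device Manager that cannot configure the context. The following check is an added example, not part of the Cisco documentation or product: it scans a running-config for top-level named objects and reports every name the Device Manager cannot handle. The object keywords it recognizes (rserver, serverfarm, probe, class-map, policy-map, parameter-map, sticky), the assumption that the object name is the last token of the defining line (quoted if it contains spaces), and the sample configuration are all assumptions made for this example.

```python
import re

# Device Manager object-name rule as stated in the guide: 1 to 64 characters,
# alphanumeric plus underscore, hyphen, dot and asterisk; spaces are not allowed.
DM_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-*]{1,64}$")

# CLI keywords that introduce a named object. This list is an assumption made
# for the example (common ACE object types); the object name is taken to be
# the last token of the line, quoted if it contains spaces.
NAMED_OBJECT_RE = re.compile(
    r"^(?P<kind>rserver|serverfarm|probe|class-map|policy-map|parameter-map|sticky)\b"
    r".*?\s(?P<name>\"[^\"]*\"|\S+)\s*$"
)


def dm_compatible(name: str) -> bool:
    """True if the name satisfies the Device Manager object-name rule."""
    return DM_NAME_RE.match(name) is not None


def find_incompatible_names(running_config: str) -> list:
    """Return (line_number, object_kind, name) for every top-level named
    object in a running-config whose name the Device Manager cannot handle.
    Indented lines are sub-commands and are skipped."""
    problems = []
    for line_no, raw in enumerate(running_config.splitlines(), start=1):
        if raw[:1].isspace():          # sub-command, not an object definition
            continue
        m = NAMED_OBJECT_RE.match(raw.rstrip())
        if m is None:
            continue
        name = m.group("name").strip('"')
        if not dm_compatible(name):
            problems.append((line_no, m.group("kind"), name))
    return problems


# Constructed running-config excerpt for the example (not from a real appliance).
SAMPLE_CONFIG = """\
rserver host WEB1
  ip address 10.1.1.11
  inservice
rserver host "web server 2"
  ip address 10.1.1.12
  inservice
probe http HTTP-PROBE
  interval 5
serverfarm host SF_WEB.PROD
  probe HTTP-PROBE
  rserver WEB1 80
    inservice
class-map match-all VIP-HTTP
  2 match virtual-address 10.1.1.100 tcp eq www
policy-map type loadbalance first-match LB/POLICY
  class class-default
    serverfarm SF_WEB.PROD
parameter-map type http ABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDE
  persistence-rebalance
"""

if __name__ == "__main__":
    for line_no, kind, name in find_incompatible_names(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} name {name!r} is not usable from the Device Manager")
```

Run it over the saved output of show running-config for a context before you rely on the Device Manager for that context; in the constructed sample it flags the quoted name with spaces, the name containing a slash, and the 65-character name, and accepts SF_WEB.PROD, which uses only permitted characters.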
Logging Into ACE Appliance Device Manager
You access ACE appliance Device Manager features and functions through a Web-based interface. The
following sections describe logging in, the interface, and terms used in ACE appliance Device Manager.
By default, your ACE provides an Admin context and five user contexts, which allow you to use multiple
contexts if you choose to configure them. ACE appliance Device Manager uses Hypertext Transfer
Protocol Secure (HTTPS) to securely encrypt HTTP requests and responses.
The ACE appliance Device Manager login screen allows you to:
• Log into the ACE appliance Device Manager interface (see First Time Login, page 1-3, or Logging In as a User, page 1-4).
• Change the password for your account (see Changing Your Account Password, page 1-5).
• Obtain online help by clicking Help.
We recommend that before you log into the ACE appliance Device Manager that you log in to the ACE
appliance CLI and initially configure basic settings on the ACE. See the Cisco 4700 Series Application
Control Engine Appliance Administration Guide, Chapter 1, Setting Up the ACE, for details.
First Time Login
After you perform the initial setup of the ACE appliance using the CLI, use the following procedure to
log in the first time.
Procedure
Step 1
Use a Web browser and navigate to the ACE appliance Device Manager login screen by typing the IP
address of the management interface configured during initial setup, such as https://192.168.11.1. A
security alert screen appears.
Step 2
We recommend that you view the certificate to confirm it is from Cisco Systems, then click OK or Yes to accept the certificate and proceed to the login screen. The buttons you select may differ based on your browser.
The security alert appears because the browser cannot validate the appliance's certificate against a trusted certificate authority, so it cannot tell a legitimate appliance from an interposed host. Make this first connection from a trusted management network and note the certificate details (issuer, subject, and fingerprint) so that a different certificate on a later login stands out.
Step 3
In the User Name field, type admin.
The admin account was created when the system was installed. Once you are logged in using this
account, you can create additional user accounts and manage virtual contexts, roles, and domains. For
information on changing account passwords, see Changing User Passwords, page 13-13.
Step 4
In the Password field, type the password for the admin user account, admin. The password for the admin user account was configured when the system was installed. Change the default admin login password as outlined in Changing Your Account Password, page 1-5.
Note
All ACE appliances shipped from Cisco Systems are configured with the same administrative username and password. If you do not change the default Admin password, you will only be able to log in to the ACE through the console port.
Step 5
Click Login.
When you log in, the default window that appears is the All Virtual Contexts table (Config > Virtual Contexts) as shown in Figure 1-1.
Step 6
We recommend you change your admin password. See Changing Your Account Password, page 1-5.
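Step 2 of this procedure asks you to inspect the certificate before accepting it. Because the browser cannot validate it, the practical check is to record the certificate's fingerprint during a trusted session and compare it on later logins. The helper below is an added example, not Cisco code: it retrieves the certificate the management interface presents, computes the SHA-256 fingerprint in the colon-separated form browser certificate viewers display, and compares it with a recorded value in constant time. The address 192.168.11.1 is the guide's example management address; the TLS version floor and the placeholder certificate bytes used to exercise the functions offline are assumptions made for this example.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint_of_der(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, in the colon-separated
    upper-case form that browser certificate viewers display."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_of_pem(pem_cert: str) -> str:
    """Same, for a certificate exported from the browser in PEM form."""
    return fingerprint_of_der(ssl.PEM_cert_to_DER_cert(pem_cert))


def matches_pin(der_cert: bytes, expected_fingerprint: str) -> bool:
    """Compare a presented certificate with a fingerprint recorded earlier.
    Colons and case are ignored; the comparison is constant-time."""
    seen = fingerprint_of_der(der_cert).replace(":", "")
    want = expected_fingerprint.replace(":", "").upper()
    return hmac.compare_digest(seen, want)


def fetch_presented_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the DER certificate the management interface presents.
    Validation is deliberately disabled: the appliance certificate is not
    chained to a public CA, so the point is to read it, not to trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Assumption: an appliance of this era may offer only TLS 1.0; lower the
    # floor so the handshake completes. Remove this line if your platform
    # refuses such connections.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed placeholder bytes standing in for a real DER certificate so the
# functions can be exercised offline; not a certificate from any appliance.
SAMPLE_DER = b"constructed DER placeholder, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_PIN = fingerprint_of_der(SAMPLE_DER)

if __name__ == "__main__":
    # Replace 192.168.11.1 (the guide's example management address) with your
    # appliance and SAMPLE_PIN with the fingerprint recorded in a trusted session.
    der = fetch_presented_certificate("192.168.11.1")
    print("presented:", fingerprint_of_der(der))
    print("matches recorded pin:", matches_pin(der, SAMPLE_PIN))
```

Record the fingerprint once from the console-adjacent management network, store it with the appliance's inventory record, and run the comparison from any new workstation before typing the admin password into the login screen; a mismatch means the certificate changed (for example, after a reinstall) or that something else is answering on the management address, and either case is worth confirming before proceeding.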
Logging In as a User
Procedure
Step 1
Use a Web browser and navigate to the ACE appliance Device Manager login screen by typing the IP address of the management interface of the virtual context you wish to log in to, such as https://192.168.11.1. The login screen appears.
Step 2
To log in as a user, enter userid in the User Name field (where userid is the login name provided by your admin).
Step 3
Enter your password and click Login.
Related Topics
• Changing Your Account Password, page 1-5
• ACE Appliance Device Manager Interface Overview, page 1-5
• Managing Users, page 13-7
• Managing User Roles, page 13-13
• Managing Domains, page 13-31
Changing Your Account Password
All ACE appliances are shipped from Cisco Systems with the same administrative username and
password. If you do not change the default Admin password, you will only be able to log in to the ACE
through the console port.
Use this procedure to change your account password.
Procedure
Step 1
Using a Web browser, navigate to the ACE appliance Device Manager login screen by typing the IP
address of the management interface configured during initial setup, such as https://192.168.11.1. The
login screen appears.
Step 2
In the User Name field, enter your account user name.
Step 3
Click Change Password. The Change Password configuration screen appears.
Step 4
In the User Name field, enter the user name of the account you want to modify.
For a user name in a context other than the Admin context, you must include the context name after the
user name in the following format: username@context_name
For example, for the test_1 user name in the C1 context, enter test_1@C1.
Step 5
In the Old Password field, enter the current password for this account.
Step 6
In the New Password field, enter the new password for this account.
Password attributes such as minimum and maximum length or accepted characters are defined at the
appliance level. Valid passwords are unquoted text strings with a maximum of 64 characters.
Step 7
In the Confirm New Password field, reenter the new password for this account.
Step 8
Click:
• OK to save your entries and to return to the login screen.
• Cancel to exit this procedure without saving your entries and to return to the login screen.
Related Topics
• Logging Into ACE Appliance Device Manager, page 1-3
• ACE Appliance Device Manager Interface Overview, page 1-5
• Changing the Admin Password, page 13-13
ACE Appliance Device Manager Interface Overview
When you log into the ACE Appliance Device Manager, the default window that appears is the All Virtual Contexts table (Config > Virtual Contexts) as shown in Figure 1-1. Table 1-2 describes the numbered fields. The buttons in the ACE Appliance Device Manager window are described in Table 1-4 on page 1-8.
Features that are not accessible from your user login or context due to permission settings will not
display or may display grayed out. For more details on roles and features, see Managing User Roles,
page 13-13.
Figure 1-1
ACE Appliance Device Manager Interface Components
[Screen image with numbered callouts 1 through 5; see Table 1-2.]
Table 1-2
ACE appliance Device Manager Interface Components Descriptions
Field / Description
1 Navigation pane, which contains:
    • The high-level navigation path within the ACE Appliance Device Manager interface, which includes Config, Monitor, and Admin functions. You can click a tab in the navigation path to view the next level of menus below the tabs.
    • The Logout button.
    • A Help menu that provides links to context-sensitive help and ACE Appliance Device Manager version information.
2 A second-level navigation path, which contains another level of navigation. Clicking an option in this submenu displays its associated menus in the navigation pane.
3 Third-level navigation pane, which contains additional levels of navigation. Clicking on the menu bar in this pane toggles the task menu display options.
4 Content area, which contains the display and input area of the window. It can include tables, graphical maps, configuration screens, graphs, buttons, or combinations of these items. For a description of buttons, see Table 1-4 on page 1-8.
5 Status bar, which displays Device Manager and CLI synchronization information, polling status for a context, and the current date and time of the ACE appliance.
    Note
    Time values are displayed using a fixed time zone (GMT). The Device Manager automatically converts the timezone setting of the ACE appliance to GMT and displays the GMT string adjacent to the current time.
Related Topics
• Understanding ACE appliance Device Manager Screens and Menus, page 1-7
• Understanding Table Buttons, page 1-10
Understanding ACE appliance Device Manager Screens and Menus
Figure 1-2 contains many common screen elements as described in Table 1-3.
Figure 1-2
Example ACE appliance Device Manager Screen
[Screen image with numbered callouts 1 through 6; see Table 1-3.]
Table 1-3
Example ACE appliance Device Manager Screen Descriptions
Number / Description
1 The high-level navigation path within the ACE Appliance Device Manager interface, which includes Config, Monitor, and Admin functions. You can click a tab in the navigation path to view the next level of menus below the tabs.
2 Content area. Contains the display and input area of the window. It can include tables, graphical maps, configuration screens, graphs, buttons, or combinations of these items.
3 Content buttons, which are described in Table 1-4.
4 Object selector. Use this field to change virtual contexts.
5 Input fields. Use these fields to make selections and provide information. Fields with 2 or 3 options use radio buttons. Fields with more than 3 options use dropdown lists.
6 Synchronization and configuration section of the status bar. One indicator displays DM GUI and CLI synchronization and summary count information and the other indicator displays CLI synchronization information and polling status for a context. See Viewing Virtual Context Synchronization Status, page 2-69 for CLI Config Status message descriptions or Error Monitoring, page 12-2 for polling state message descriptions.
Related Topics
• Understanding ACE appliance Device Manager Buttons, page 1-8
• Understanding Table Buttons, page 1-10
• ACE Appliance Device Manager Screen Conventions, page 1-14
Understanding ACE appliance Device Manager Buttons
Table 1-4 describes the buttons that appear in some of the Config, Monitor, and Admin screens.
Note
ACE appliance Device Manager documentation, including online help, uses the names of buttons in all
procedures. For example, “Click Back to return to the previous screen.”
Table 1-4
Button and Element Descriptions
Name / Description (the button icons shown in the original table are not reproduced)
Back
    Returns you to the previous screen.
Forward
    Takes you to the screen previously visited from the current location.
Refresh
    Immediately refreshes the information in the content area with the current information.
Auto Refresh
    Pauses the automatic refresh feature. You can pause the automatic refresh for 30, 60, 120, 300, 600, or 3600 seconds. If you disable the automatic refresh feature, ACE appliance Device Manager times out after 30 minutes.
Help
    Launches context-sensitive help for the current screen.
Add Another
    Saves the current entries and refreshes the screen so you can add another entry.
Advanced Editing Mode
    Lets you view or enter advanced arguments for the selected display.
Switch between Configure and Browse modes
    Displays the subtables for those items that have additional sets of parameters that can be configured, such as Config > Virtual Contexts > context > Load Balancing > Server Farms.
    Note
    This button is not available on single-row tables such as Config > Virtual Contexts > System > SNMP. To switch between these modes, navigate to another screen where the button appears (for example, Config > Virtual Contexts > context > Load Balancing > Server Farms), click the button to enter the desired mode, then return to the screen on which the button was missing. You will remain in the mode you selected.
Key
    Indicates that the associated field is a key field for this table. This field is mandatory and should be unique. If there are two fields with this key, then the combination must be unique.
Plus
    Displays a table with information related to the field where Plus appears. For example, when Plus appears next to the field label Role, clicking Plus displays a list of all Role Names in a separate window.
    In File Browser only: expands or collapses the folder structure and reloads the specific directory.
Screen Mode
    Toggles from partial to full screen mode. Maximizes the content area and removes the navigation aids.
Reorder List
    Toggles list by alpha-order.
Related Topics
• Understanding ACE appliance Device Manager Screens and Menus, page 1-7
• Understanding Table Buttons, page 1-10
• ACE Appliance Device Manager Screen Conventions, page 1-14
Understanding Table Buttons
When the content area of the ACE appliance Device Manager screen contains a table, there are several
buttons that appear as described in Table 1-5.
Table 1-5
ACE Appliance Device Manager Table Buttons
Name / Description
Add
    Lets you add an entry to the displayed table.
View/Edit
    Opens the configuration screen of a selected entry in the table.
Delete
    Deletes the selected entry in the table.
Filter
    Filters the displayed list of items according to the criteria you specify. (See Filtering Entries, page 1-12.)
Go
    Appears when filtering is enabled; updates the table with the filtering criteria.
Save
    Displays the current information in a new window in either raw data or Excel format so you can save it to a file or print it.
Related Topics
• Understanding ACE appliance Device Manager Buttons, page 1-8
• ACE Appliance Device Manager Screen Conventions, page 1-14
• ACE Appliance Device Manager Interface Overview, page 1-5
• Conventions in Tables, page 1-11
Conventions in Tables
Selecting Table Entries
Double-clicking an entry in a table opens its corresponding configuration screen.
You can select multiple entries in a table in two ways:
• To select all table entries, check the check box at the top of the first column (where available).
• To select multiple entries individually, select the desired entries.
Parent Rows
If you select multiple entries in a table and then choose an option that can apply to only one entry at a
time, the Parent Row field appears first in the configuration screen (see Figure 1-3).
The Parent Row field lists the selected entries and requires you to select one. Subsequent configuration
choices in this screen are applied only to the entry identified in the Parent Row field.
Parent Row columns appear in subtables when multiple items are selected in the primary table.
Figure 1-3
Parent Rows in Configuration Screens
Filtering Entries
Click Filter to view table entries using criteria you select. When filtering is enabled, a filter row appears above the first table entry that allows you to filter entries in the following ways:
• In a drop-down list, select one of the ACE Appliance Device Manager-identified categories (see Figure 1-4). The table refreshes automatically with the entries that match the selected criterion.
• In fields without drop-down lists, enter the string you want to match, then click Go above the first table entry. The table refreshes with the entries that match your input.
Figure 1-4
Example Table with Filtering Enabled
Related Topics
• ACE Appliance Device Manager Interface Overview, page 1-5
• Using the Advanced Editing Option, page 1-13
Using the Advanced Editing Option
By default, tables include columns that contain configured attributes, or a subset of columns related to
a key field.
To view all configurable attributes in table format, click Advanced Editing Mode (the highlighted
button in Figure 1-5). When advanced editing mode is enabled, all columns appear for your review (see
Figure 1-5).
Figure 1-5
Advanced Editing Enabled Screen
[Screen image; the Advanced Editing Mode button is highlighted.]
Related Topics
• ACE Appliance Device Manager Interface Overview, page 1-5
• Conventions in Tables, page 1-11
ACE Appliance Device Manager Screen Conventions
Table 1-6 describes other conventions used in ACE appliance Device Manager screens.
Table 1-6
ACE Appliance Device Manager Screen Conventions
Convention / Description (the Example column of the original table shows screen images and is not reproduced)
Dimmed field
    Dimmed fields signify items that cannot be modified or that are not accessible from the current screen. Some buttons are dimmed if more than one item is selected in the list. For example, if multiple servers are selected in the Real Servers table, the View/Edit button is dimmed.
Dropdown lists
    Fields with 2 or 3 options use radio buttons. Fields with more than 3 options use dropdown lists.
Light yellow field with green font
    Warning text that appears below the affected field as green font against a light yellow background. In the example, a message stating that the community string must be entered if virtual context monitoring is used resulted in this display.
Red asterisk
    A red asterisk indicates a required field.
Yellow field with red font
    Incorrect, invalid, or incomplete entries appear as red font against a yellow background. In the example, an IP address cannot begin with four digits, resulting in this display. Warning text may also display below the affected field in green text on a yellow background.
Related Topics
• Conventions in Tables, page 1-11
• ACE Appliance Device Manager Interface Overview, page 1-5
Viewing Monitoring Results
Figure 1-6 shows an example graph from the Monitor component.
Figure 1-6
Monitoring Results Screen
Monitor graphs offer many options including graph type, viewing raw data, graph layout, and values to
be included. Table 1-7 identifies these options and their associated buttons. When viewing a graph, click
the button to select the option. ACE Appliance Device Manager displays graph data in GMT.
Note
The maximum number of statistics that can be graphed is five.
Note
On the ACE, statistics are kept for 7 days or 20,000 hourly records, whichever comes first. The duration
it takes to reach 20,000 hourly records is determined by the number of contexts, interfaces and real
servers configured. The “All dates” graph provides all available data in the database, up to the above
mentioned numbers. An ACE reboot will reset the statistics database.
Table 1-7
ACE Appliance Device Manager Monitor Buttons
Name / Description (the button icons shown in the original table are not reproduced)
Graph Options
    Line graph
        Creates a line graph using the displayed information.
    Stacked bar graph
        Creates a stacked bar chart using the displayed information.
    Bar graph
        Creates a bar graph using the displayed information.
Viewing Options
    Show raw data
        Displays the raw data in table format.
    Output to Excel
        Displays the raw data in Excel format in a separate browser window.
Layout, Value, and Time Options
    Change Legend Location
        Displays the location of the legend.
    Multigraph Mode
        Displays two line graphs next to each other.
    Value delta per time
        Displays data points over time. See Graphing Data, page 12-3 for a comparison of regular and value delta per time graphs. Time values are displayed using a fixed time zone (GMT).
    Time range
        Displays the selected time range of the data to graph. Includes previous 1, 2, 8, or 24 hours or all dates.
Related Topics
• ACE Appliance Device Manager Interface Overview, page 1-5
• Understanding ACE appliance Device Manager Terminology, page 1-19
• Graphing Data, page 12-3
Configuration Overview
Use the flow chart in Figure 1-7 to get started with the ACE Appliance Device Manager. Table 1-8
describes these tasks in more detail.
Figure 1-7
High-Level Configuration Process
[Flow chart: Install ACE Appliance Licenses > Configure Virtual Contexts > Configure Load-Balancing Services > Update Resource Classes > Add User Accounts > Perform Administrative Tasks]
Table 1-8
Configuration Task Overview
Task / Description
Step 1 Install ACE appliance licenses.
    In this step you install licenses for ACE appliances that let you increase the number of virtual contexts, appliance bandwidth, and SSL TPS (transactions per second). See Managing ACE Appliance Licenses, page 2-27 for details.
Step 2 Configure virtual contexts.
    In this step you partition the ACE appliance into multiple virtual devices or contexts. Each context contains its own set of policies, interfaces, resources, and administrators, allowing you to efficiently manage resources, users, and the services you provide to your customers. See Using Virtual Contexts, page 2-2 for details.
Step 3 Configure load-balancing services.
    In this step you configure load balancing to manage client requests for service. See Load Balancing Overview, page 3-1 for details.
Step 4 Update resource classes.
    In this step you configure resource usage models that you can apply across your network. See Managing Resource Classes, page 2-33 for details.
Step 5 Add user accounts.
    In this step you set up tiered access for users. See Managing the ACE Appliance, page 13-1 for details.
Step 6 Perform administrative tasks.
    This step includes ongoing maintenance and administrative tasks, such as:
    • Updating ACE appliance software (see Managing ACE Appliance Licenses, page 2-27).
    • Monitoring virtual context or ACE Appliance Device Manager statistics (see “Monitoring Your Network” section on page 12-1).
Understanding ACE Features
The ACE performs high-performance server load balancing (SLB) among groups of servers, server farms, firewalls, and other network devices, based on Layer 3 as well as Layer 4 through Layer 7 packet information. The ACE provides the following major features and functionality.
• Ethernet Interfaces—The ACE provides four physical Ethernet ports that provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiate, full-duplex, or half-duplex operation on an Ethernet LAN, and can carry traffic within a designated VLAN interface.
• Routing and Bridging—You configure the corresponding VLAN interfaces on the ACE as either routed or bridged. When you configure an IP address on an interface, the ACE automatically configures it as a routed mode interface. When you configure a bridge group on an interface VLAN, the ACE automatically configures it as a bridged interface.
• Traffic Policies—The ACE allows you to perform advanced administration tasks such as using traffic policies to classify traffic flow and the action to take for the type of traffic. Traffic policies consist of class maps, policy maps, and service policies.
• Redundancy—Redundancy provides fault tolerance for the stateful switchover of flows, and offers increased uptime for a more robust network.
• Virtualization—Virtualization allows you to manage ACE system resources and users, as well as the services provided to your customers. Multiple contexts use the concept of virtualization to partition your ACE into multiple virtual devices or contexts. Each context contains its own set of policies, interfaces, resources, and administrators.
• Server Load Balancing—Server load balancing (SLB) on the ACE provides network traffic policies for SLB, real servers and server farms, health monitoring through probes, and firewall load balancing.
• ACE Security Features—The ACE contains several security features including ACLs, NAT, user authentication and accounting, HTTP deep packet inspection, FTP command request inspection, and application protocol inspection of DNS, HTTP, ICMP, or RTSP.
• Secure Sockets Layer—The SSL protocol on the ACE provides encryption technology for the Internet, ensuring secure transactions.
• Application Acceleration and Optimization—The ACE includes several optimization technologies to accelerate Web application performance, optimize network performance, and improve access to critical business information.
• Command-Line Interface—The command-line interface (CLI) is a line-oriented user interface that provides commands for configuring, managing, and monitoring the ACE. For more information, see the Cisco 4700 Series Application Control Engine Appliance Command Reference.
Related Topics
• ACE Appliance Device Manager Overview, page 1-1
• Cisco 4700 Series Application Control Engine Appliance Command Reference
Understanding ACE appliance Device Manager Terminology
It is useful to understand the following terms when using the ACE Appliance Device Manager:
• Virtual context
A virtual context is a concept that allows users to partition an ACE appliance into multiple virtual devices. Each virtual context contains its own set of policies, interfaces, and resources, allowing administrators to more efficiently manage system resources and services.
• Virtual server
In a load-balancing environment, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. A virtual server is bound to physical services running on real servers in a server farm and uses IP address and port information to distribute incoming client requests to the servers in the server farm according to a specified load-balancing algorithm.
• Role-Based Access Control
Managing users using role-based access allows administrators to set up users, roles, and domain access to your virtual contexts. Each user is assigned a role and a domain which defines what virtual contexts they can view and configure. Roles determine which commands and resources are available to a user. Domains determine which objects they can use. Only users associated with an admin virtual context are allowed to see other virtual contexts.
There are two types of virtual contexts:
– Admin context
The Admin context, which contains the basic settings for each virtual device or context, allows a user to configure and manage all contexts. When a user logs into the Admin context, he or she has full system administrator access to the entire ACE appliance and all contexts and objects within it. The Admin context provides access to network-wide resources, for example, a syslog server or context configuration server. All global commands for ACE appliance settings, contexts, resource classes, and so on, are available only in the Admin context.
– User context
A user context has access to the resources in which the context was created. For example, a user context that was created by an administrator while in the Admin context, by default, has access to all resources in an ACE appliance. Any user created by someone in a user-defined context only has access to the resources within that context. In addition, roles and domains create access parameters for each user. For a description of the predefined user roles, see Managing User Roles, page 13-13.
For more information on RBAC, see Controlling Access to the Cisco ACE Appliance, page 13-3.
• Resource class
A resource class is a defined set of resources and allocations available for use by a virtual context. Using resource classes prevents a single context from using all available resources and can be used to ensure that every context is guaranteed the minimum set of resources necessary.
Related Topics
• Controlling Access to the Cisco ACE Appliance, page 13-3
• ACE Appliance Device Manager Interface Overview, page 1-5
• Conventions in Tables, page 1-11
• Glossary
Chapter 2
Configuring Virtual Contexts
Cisco Application Control Engine Appliance Device Manager (ACE appliance Device Manager) provides a number of options for creating, configuring, and managing ACE appliances.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names with an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not support, you may not be able to configure the ACE using DM.
For information about these options, see:
• Using Virtual Contexts, page 2-2
• Creating Virtual Contexts, page 2-2
• Configuring Virtual Contexts, page 2-7
• Configuring Virtual Context System Attributes, page 2-10
• Configuring Virtual Context Primary Attributes, page 2-11
• Configuring Virtual Context Syslog Logging, page 2-12
• Configuring SNMP for Virtual Contexts, page 2-19
• Configuring Virtual Context Global Traffic Policies, page 2-26
• Managing ACE Appliance Licenses, page 2-27
• Managing Resource Classes, page 2-33
• Using the Configuration Checkpoint and Rollback Service, page 2-40
• Performing Device Backup and Restore Functions, page 2-43
• Configuring Security with ACLs, page 2-51
• Configuring Object Groups, page 2-61
• Configuring Virtual Context Expert Options, page 2-68
• Managing Virtual Contexts, page 2-68
Using Virtual Contexts
Virtual contexts use the concept of virtualization to partition your ACE appliance into multiple virtual devices or contexts. Each context contains its own set of policies, interfaces, resources, and administrators. This feature enables you to more closely and efficiently manage resources, users, and the services you provide to your customers.
The first time you configure a virtual context, you will see only the Admin context. In addition to the configurable attributes of other virtual contexts, the Admin context can configure:
• ACE appliance licenses
• Resource classes
• Port channel, management, and gigabit Ethernet interfaces
• High Availability (HA or fault tolerance between ACE appliances)
• Application acceleration and optimization on the ACE appliance
Related Topics
• Creating Virtual Contexts, page 2-2
• Configuring Virtual Contexts, page 2-7
• Deleting Virtual Contexts, page 2-73
Creating Virtual Contexts
Use this procedure to create virtual contexts.
Note
If you do not configure a management VLAN for SNMP access, the ACE appliance Device Manager will not be able to poll the context.
Note
If an ACE appliance is configured as a hot standby in a high availability pair, its configuration cannot be modified and you cannot add or modify virtual contexts. ACE appliances configured as hot standby members display Standby Hot in the HA State column in the All Virtual Contexts table (Config > Virtual Contexts). For more information, see High Availability Polling, page 9-6.
Procedure
Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2 Click Add. The New Virtual Context screen appears.
Step 3 Configure the virtual context using the information in Table 2-1.
Tip
Fields with 2 or 3 choices use radio buttons. Fields with more than 3 choices use dropdown lists.
Table 2-1 Virtual Context Configuration Attributes
Basic Settings
Name
Enter a unique name for the virtual context. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
This field is read-only for existing contexts.
Description
Enter a brief description of the virtual context. Enter a description as an unquoted text string with a maximum of 240 alphanumeric characters.
Resource Class
Select the resource class this virtual context is to use.
Allocate Interface VLANs
Enter the number of a VLAN or a range of VLANs so that the context can receive the associated traffic. You can specify VLANs in any of the following ways:
• For a single VLAN, enter an integer from 2 to 4096.
• For multiple, non-sequential VLANs, use comma-separated entries, such as 101, 201, 302.
• For a range of VLANs, use the format <beginning-VLAN>-<ending-VLAN>, such as 101-150.
Note
VLANs cannot be modified in an Admin context.
Default Gateway IP
Enter the IP address of the default gateway. Use a comma-separated list to specify multiple IP addresses, such as 192.168.65.1, 192.168.64.2.
Default static routes with a netmask and IP address of 0.0.0.0 previously configured on the ACE appear in this field.
Management Settings
VLAN Id
Enter the VLAN number that you want to assign to the management interface. Valid values are from 2 to 4094. By default, all devices are assigned to VLAN1, known as the default VLAN.
The ACE Device Manager identifies the management class maps and policy maps associated with the selected VLAN ID assigned to the management interface.
This field is read-only if configured for existing contexts.
VLAN Description
Enter a description for the management interface. Enter an unquoted text string that contains a maximum of 240 alphanumeric characters including spaces.
Interface Mode
Select the topology that reflects the relationship of the selected ACE virtual context to the real servers in the network:
• Routed—The ACE virtual context acts as a router between the client-side network and the server-side network. In this topology, every real server for the application must be routed through the ACE virtual context, either by setting the default gateway on each real server to the virtual context server-side VLAN interface address, or by using a separate router with appropriate routes configured between the ACE virtual context and the real servers.
• Bridged—The virtual ACE bridges two VLANs—a client-side VLAN and a real-server VLAN—on the same subnet using a bridged virtual interface (BVI). In this case, the real server routing does not change to accommodate the ACE virtual context. Instead, the virtual ACE transparently handles traffic to and from the real servers.
This field is read-only if configured for existing contexts.
Management IP
Enter the IP address that is to be used for remote management of the context.
Note
The Device Manager considers an interface as a management interface if it has a management policy map associated with the VLAN interface. See the “Configuring VLAN Interface Policy Map Use” section on page 8-15.
Management Netmask
Select the subnet mask to apply to this IP address.
Alias IP Address
Enter the IP address of the alias associated with this interface.
Peer IP Address
Enter the IP address of the remote peer.
Access Permission
Select the source IP addresses that are allowed on the management interface:
• Allow All—Allows all configured client source IP addresses on the management interface as the network traffic matching criteria.
• Deny All—Denies all configured client source IP addresses on the management interface as the network traffic matching criteria.
• Match—Displays the Match Conditions table, where you specify the match criteria that the ACE is to use for traffic on the management interface.
Match Conditions
When you enter the VLAN ID for the management interface, the Match Conditions table appears.
To add or modify the protocols allowed on this management VLAN, do the following:
1. Click Add to choose a protocol for the management interface, or choose an existing protocol entry listed in the Match Conditions table and click Edit to modify it.
2. In the Protocol drop-down list, choose a protocol:
– HTTP—Specifies the Hypertext Transfer Protocol (HTTP).
– HTTPS—Specifies the Hypertext Transfer Protocol Secure (HTTPS) for connectivity with the interface using port 443.
– ICMP—Specifies the Internet Control Message Protocol (ICMP), commonly referred to as ping.
– KALAP-UDP—Specifies the Keepalive Appliance Protocol over UDP.
– SNMP—Specifies the Simple Network Management Protocol (SNMP).
Note
If SNMP is not selected, the ACE appliance Device Manager cannot poll the context.
– SSH—Specifies a Secure Shell (SSH) connection to the ACE.
– TELNET—Specifies a Telnet connection to the ACE.
– XML-HTTPS—Specifies HTTPS as the transfer protocol for sending and receiving XML documents between the ACE appliance and a Network Management System (NMS) using port 10443. This option is available for ACE appliances only.
3. In the Allowed From field, specify the matching criteria for the client source IP address:
– Any—Specifies any client source address for the management traffic classification.
– Source Address—Specifies a client source host IP address and subnet mask as the network traffic matching criteria.
4. Click OK to accept the protocol selection (or click Cancel to exit without accepting your entries).
To remove a protocol from the management VLAN, choose the entry in the Match Conditions table, and click Delete.
Note
If SNMP is not an allowed protocol, the ACE appliance Device Manager will not be able to poll the context.
Enable SNMP Get
Check this check box to add an SNMP Get community string to enable SNMP polling on this context.
This field is read-only if configured for existing contexts.
SNMP v2c Read-Only Community String
When you check the Enable SNMP Get check box, this field appears.
Enter the SNMPv2c read-only community string to be used as the SNMP Get community string.
This field is read-only if configured for existing contexts.
More Settings
Switch Mode
Check this check box to change the way that the ACE processes TCP connections that are not destined to a VIP or that do not have any policies associated with their traffic. For such traffic, the ACE still creates connection objects but processes the connections as stateless connections, which means that they do not undergo any TCP normalization checks. With this option enabled, the ACE also creates stateless connections for non-SYN TCP packets if they satisfy all other configured requirements. This process ensures that a long-lived persistent connection passes through the ACE successfully (even if it times out) by being reestablished by any incoming packet related to the connection.
By default, these stateless connections time out after 2 hours and 15 minutes unless you configure the inactivity timeout otherwise in a parameter map. When a stateless connection times out, the ACE does not send a TCP RST packet but silently closes the connection. Even though these connections are stateless, the TCP RST and FIN-ACK flags are honored and the connections are closed when the ACE sees these flags in the received packets.
Shared VLAN Host Id
Specific bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs. This field is available only in the Admin context.
Add Admin User
When initially configuring the context, check this check box to configure this context for an Admin user. When the fields appear, enter the user name and password, and confirm the password.
Step 4 Click:
• Deploy Now to deploy this virtual context. To configure other virtual context attributes, see Configuring Virtual Contexts, page 2-7.
• Cancel to exit this procedure without saving your entries and to return to the All Virtual Contexts table.
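The Allocate Interface VLANs field in Table 2-1 accepts a single VLAN, a comma-separated list, or a begin-end range. The following Python is an added example, not Device Manager code: it validates such an entry against the documented 2 to 4096 limit before Deploy Now and, going one step beyond the table, lists VLANs that more than one context's entry claims, which is the sharing case the Shared VLAN Host Id field exists to support. The context names and entries are constructed.

```python
"""Validator for the Allocate Interface VLANs field of Table 2-1.

Added example, not code from the Cisco ACE Device Manager. It accepts the
three input forms the table lists (single VLAN, comma-separated list,
<beginning-VLAN>-<ending-VLAN> range), rejects anything outside the stated
2 to 4096 range, and returns the resulting VLAN set so an operator can see
exactly which VLANs a context would receive before deploying it.
"""
from __future__ import annotations

import re

VLAN_MIN = 2      # lower bound stated in Table 2-1 for this field
VLAN_MAX = 4096   # upper bound stated in Table 2-1 for this field

_RANGE = re.compile(r"^(\d+)-(\d+)$")


def parse_vlan_allocation(text: str) -> set[int]:
    """Parse '10', '101, 201, 302' or '101-150' into a set of VLAN IDs.

    Raises ValueError with a field-specific message on bad input, which is
    what a pre-deployment check on this field should surface.
    """
    if not text.strip():
        raise ValueError("Allocate Interface VLANs: no VLANs given")
    vlans: set[int] = set()
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry in comma-separated VLAN list")
        match = _RANGE.match(item)
        if match:
            lo, hi = int(match.group(1)), int(match.group(2))
            if lo > hi:
                raise ValueError(f"range {item}: beginning VLAN exceeds ending VLAN")
            members = range(lo, hi + 1)
        elif item.isdigit():
            members = range(int(item), int(item) + 1)
        else:
            raise ValueError(f"entry {item!r} is neither a VLAN number nor a range")
        for vlan in members:
            if not VLAN_MIN <= vlan <= VLAN_MAX:
                raise ValueError(f"VLAN {vlan} is outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(members)
    return vlans


def is_valid_vlan_allocation(text: str) -> bool:
    """Boolean form of the check, for use in a form-level validator."""
    try:
        parse_vlan_allocation(text)
        return True
    except ValueError:
        return False


def shared_vlans(allocations: dict[str, str]) -> dict[int, list[str]]:
    """Given {context name: field text}, report VLANs allocated to more than
    one context. Sharing is legitimate on the ACE (see Shared VLAN Host Id in
    Table 2-1); listing it lets an operator confirm the overlap is intended.
    This cross-context report is an added convenience, not a Table 2-1 rule.
    """
    owners: dict[int, list[str]] = {}
    for ctx, text in allocations.items():
        for vlan in parse_vlan_allocation(text):
            owners.setdefault(vlan, []).append(ctx)
    return {v: ctxs for v, ctxs in owners.items() if len(ctxs) > 1}


if __name__ == "__main__":
    # Constructed sample: two hypothetical user contexts with overlapping VLANs.
    sample = {"ctx-web": "100-110", "ctx-app": "105, 200"}
    print(shared_vlans(sample))   # {105: ['ctx-web', 'ctx-app']}
```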
Related Topics
• Using Virtual Contexts, page 2-2
• Configuring Virtual Contexts, page 2-7
Configuring Virtual Contexts
After creating a virtual context, you can configure it. Configuring a virtual context involves configuring a number of attributes, grouped into configuration subsets. Table 2-2 describes ACE appliance Device Manager configuration subsets and provides links to related topics.
Note
If an ACE appliance is configured as a hot standby in a high availability pair, its configuration cannot be modified and you cannot add or modify virtual contexts. ACE appliances configured as hot standby members display Standby Hot in the HA State column in the All Virtual Contexts table (Config > Virtual Contexts). For more information, see High Availability Polling, page 9-6.
Note
To add objects such as real servers or server farms to a customized domain, use the CLI and then use the synchronize feature in ACE appliance Device Manager to add this object into its customized domain on ACE appliance Device Manager. Adding objects to customized domains directly in ACE appliance Device Manager results in the object being added to the default domain.

Synchronization options are available in the All Virtual Contexts table (Config > Virtual Contexts).
Tip
Fields with 2 or 3 choices use radio buttons. Fields with more than 3 choices use dropdown lists.
Table 2-2 ACE Appliance and Virtual Context Configuration Options
Configuration Subset: System
Description: System configuration options allow you to configure:
• Primary attributes such as VLANs, SNMP access, and resource class.
• Syslog attributes including the type and severity of syslog messages that are to be logged, the syslog log host, log messages, and log rate limits.
• SNMP options.
• Global policy map configuration for all VLANs on a virtual context.
• ACE appliance license use on the ACE appliance.
• Resource classes for allocation of ACE appliance resources.
• Application acceleration and optimization on the ACE appliance.
• Checkpoint (snapshot in time) of a known stable running configuration.
• Back up or restore the configuration and dependencies of an entire ACE or of a particular virtual context.
Note
ACE appliance licenses, resource classes, and acceleration and optimization can be configured only in an Admin context.
Related Topics:
• Configuring Virtual Context Primary Attributes, page 2-11
• Configuring Virtual Context Syslog Logging, page 2-12
• Configuring SNMP for Virtual Contexts, page 2-19
• Configuring Virtual Context Global Traffic Policies, page 2-26
• Managing ACE Appliance Licenses, page 2-27
• Managing Resource Classes, page 2-33
• Configuring Global Application Acceleration and Optimization, page 11-9
• Using the Configuration Checkpoint and Rollback Service, page 2-40
• Performing Device Backup and Restore Functions, page 2-43
Configuration Subset: Load Balancing
Description: Load-balancing attributes allow you to:
• Configure virtual servers, real servers, and server farms for load balancing
• Establish the predictor method and return code checking
• Implement sticky groups for session persistence
• Configure parameter maps to combine related actions for policy maps
Load-balancing configuration options include:
• Virtual servers
• Real servers
• Server farms
• Health monitoring
• Sticky attributes
• Parameter maps
Related Topics:
• Load Balancing Overview, page 3-1
• Configuring Virtual Servers, page 3-2
• Configuring Server Farms, page 4-11
• Configuring Health Monitoring for Real Servers, page 4-31
• Configuring Sticky Groups, page 5-7
• Configuring Parameter Maps, page 6-1
Configuration Subset: SSL
Description: SSL configuration options allow you to:
• Import and export SSL certificates and keys
• Set up SSL parameter maps and chain group parameters
• Generate certificate signing requests for submission to a certificate authority
• Authenticate peer certificates
• Configure certificate revocation lists for use during client authentication
Related Topics:
• Configuring SSL, page 7-1
• Using SSL Certificates, page 7-6
• Using SSL Keys, page 7-11
• Generating CSRs, page 7-26
• Configuring SSL Parameter Maps, page 7-19
• Configuring SSL Chain Group Parameters, page 7-24
• Configuring SSL Proxy Service, page 7-27
• Configuring SSL Authentication Groups, page 7-29
• Configuring CRLs for Client Authentication, page 7-31
Configuration Subset: Security
Description: Security configuration options allow you to create access control lists, set ACL attributes, resequence ACLs, delete ACLs, and configure object groups.
Related Topics:
• Configuring Virtual Context Expert Options, page 2-68
• Creating ACLs, page 2-52
• Configuring Object Groups, page 2-61
Configuration Subset: Network
Description: Network configuration options allow you to configure:
• Port channel interfaces
• Gigabit Ethernet interfaces
• VLAN interfaces
• BVI interfaces
• Network Address Translation (NAT) pools for a VLAN interface
• Static routes
• DHCP relay agents
Note
You can configure port channel and gigabit Ethernet interfaces only in an Admin context.
Related Topics:
• Configuring Gigabit Ethernet Interfaces, page 8-4
• Configuring Virtual Context VLAN Interfaces, page 8-8
• Configuring Virtual Context BVI Interfaces, page 8-19
• Configuring VLAN Interface NAT Pools, page 8-17
• Configuring Virtual Context Static Routes, page 8-22
• Configuring Global IP DHCP, page 8-23
Configuration Subset: High Availability
Description: High Availability (HA) attributes allow you to configure two ACE appliances for fault-tolerant redundancy.
Note
You can set up high availability only in an Admin virtual context.
Related Topics:
• Configuring High Availability, page 9-1
• Configuring High Availability Peers, page 9-8
• Configuring ACE High Availability Groups, page 9-11
Configuration Subset: HA Tracking And Failure Detection
Description: HA Tracking And Failure Detection attributes allow you to configure tracking processes that can help ensure reliable fault tolerance.
Related Topics:
• High Availability Tracking and Failure Detection Overview, page 9-16
• Tracking VLAN Interfaces for High Availability, page 9-17
• Tracking Hosts for High Availability, page 9-18
Configuration Subset: Expert
Description: Expert options allow you to:
• Configure traffic policies for filtering and handling traffic received by or passing through the ACE appliance.
• Configure optimization action lists.
• Configure HTTP header modify action lists.
Related Topics:
• Configuring Traffic Policies, page 10-1
• Configuring an HTTP Optimization Action List, page 11-3
• Configuring an HTTP Header Modify Action List, page 10-80
Configuring Virtual Context System Attributes
Table 2-3 identifies the ACE appliance Device Manager virtual context System configuration options and related topics for more information.
Table 2-3 Virtual Context System Configuration Options
Specify virtual context primary attributes: Configuring Virtual Context Primary Attributes, page 2-11
Configure syslog options:
• Configuring Virtual Context Syslog Logging, page 2-12
• Configuring Syslog Log Hosts, page 2-16
• Configuring Syslog Log Messages, page 2-17
• Configuring Syslog Log Rate Limits, page 2-18
Configure SNMP options:
• Configuring SNMP for Virtual Contexts, page 2-19
• Configuring SNMP Version 2c Communities, page 2-20
• Configuring SNMP Version 3 Users, page 2-21
• Configuring SNMP Trap Destination Hosts, page 2-23
• Configuring SNMP Notification, page 2-25
Establish global policy maps for all VLANs on a virtual context: Configuring Virtual Context Global Traffic Policies, page 2-26
Manage ACE appliance licenses: Managing ACE Appliance Licenses, page 2-27
Manage ACE appliance resources across virtual contexts: Managing Resource Classes, page 2-33
Establish application acceleration and optimization for the ACE appliance: Configuring Global Application Acceleration and Optimization, page 11-9
Back up or restore the configuration and dependencies of an entire ACE or of a particular virtual context: Performing Device Backup and Restore Functions, page 2-43
Configuring Virtual Context Primary Attributes
Primary attributes specify a name and resource class for each virtual context. After providing this information, you can configure other attributes, such as interfaces, monitoring, or load balancing. For a complete list of configuration options, see Configuring Virtual Contexts, page 2-7.
Use this procedure to configure virtual context primary attributes.
Procedure
Step 1 Select Config > Virtual Contexts > context > System > Primary Attributes. The Primary Attributes configuration screen appears.
Step 2 Enter the primary attributes for this virtual context as described in Table 2-1.
Step 3 Click Deploy Now to deploy this configuration on the ACE appliance.
To exit this procedure without accepting your entries, select a different configuration option.
Related Topics
• Using Virtual Contexts, page 2-2
• Configuring Virtual Context VLAN Interfaces, page 8-8
• Configuring Virtual Context BVI Interfaces, page 8-19
• Configuring Virtual Context Syslog Logging, page 2-12
• Configuring Traffic Policies, page 10-1
Configuring Virtual Context Syslog Logging
The ACE appliance Device Manager uses syslog logging to send log messages to a process which logs messages to designated locations asynchronously to the processes that generated the messages.
Procedure
Step 1 Select Config > Virtual Contexts > context > System > Syslog. The Syslog configuration screen appears.
Step 2 Enter the syslog logging attributes in the displayed fields (see Table 2-5).
All fields that require you to select syslog severity levels use the values in Table 2-4.
Table 2-4 Syslog Logging Levels
0-Emergency: Unusable system
1-Critical: Critical condition
2-Warning: Warning condition
3-Alert: Immediate action required
4-Error: Error condition
5-Notification: Normal but significant condition
6-Information: Informational message only
7-Debug: Appears only during debugging
The severity level that you specify indicates that you want syslog messages at that level and the more severe levels. For example, if you specify Error, syslog displays Error, Critical, Alert, and Emergency messages.
Note
If you set all syslog levels to Debug, some commands like switchover are not processed successfully. These commands are issued via the CLI and the ACE appliance Device Manager cannot parse the returned prompt if Debug level is enabled. Instead, a timeout message is displayed.

If you set syslog levels to Debug and then issue a command that results in a timeout message, click Refresh to view the result of the operation.
Note
Setting all syslog levels to Debug during normal operation can degrade overall performance.
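To make the severity-threshold rule above concrete, together with the Facility and Queue Size fields of Table 2-5, here is an added Python model (not ACE appliance code) of how a burst of messages is admitted to the queue and which configured destinations receive each one. The PRI value facility * 8 + severity is the standard syslog header encoding that carries the facility number a receiving server files on; the destination names and sample messages are constructed.

```python
"""Model of the ACE syslog settings described here: the severity threshold
rule (a level admits itself and every more severe level), the LOCAL0-LOCAL7
facility range, per-destination levels that are disabled by default, and the
bounded queue that discards excess messages (Table 2-4 and Table 2-5).
Added example, not ACE appliance code; destination names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

FACILITY_MIN, FACILITY_MAX = 16, 23   # LOCAL0 through LOCAL7 (Table 2-5)
DEFAULT_FACILITY = 20                 # LOCAL4, the ACE appliance default
QUEUE_MIN, QUEUE_MAX = 0, 8192        # Queue Size limits (Table 2-5)
DEFAULT_QUEUE = 100                   # Queue Size default (Table 2-5)


@dataclass
class SyslogMessage:
    severity: int   # 0 is most severe, 7 is Debug, as numbered in Table 2-4
    text: str


@dataclass
class SyslogConfig:
    facility: int = DEFAULT_FACILITY
    queue_size: int = DEFAULT_QUEUE
    # destination -> maximum severity number it receives; None means the
    # level is disabled, which Table 2-5 gives as the default for each one.
    levels: dict[str, int | None] = field(default_factory=lambda: {
        "buffered": None, "console": None, "history": None,
        "monitor": None, "persistence": None, "trap": None})

    def __post_init__(self) -> None:
        # Reject values the Device Manager fields would not accept.
        if not FACILITY_MIN <= self.facility <= FACILITY_MAX:
            raise ValueError("facility must be 16 (LOCAL0) to 23 (LOCAL7)")
        if not QUEUE_MIN <= self.queue_size <= QUEUE_MAX:
            raise ValueError("queue size must be 0 to 8192 messages")
        for dest, level in self.levels.items():
            if level is not None and not 0 <= level <= 7:
                raise ValueError(f"{dest}: level must be 0 to 7")


def passes(config: SyslogConfig, destination: str, severity: int) -> bool:
    """A destination set to level N receives messages at N and at every
    numerically lower (more severe) level; a disabled destination gets none."""
    limit = config.levels.get(destination)
    return limit is not None and severity <= limit


def priority(config: SyslogConfig, severity: int) -> int:
    """Standard syslog PRI value (facility * 8 + severity), which a receiving
    syslog server decodes to file the message by facility."""
    return config.facility * 8 + severity


def dispatch(config: SyslogConfig, burst: list[SyslogMessage]):
    """Push one burst of pending messages through the queue, then fan the
    accepted ones out to every destination whose level admits them.
    Returns (delivered, discarded): delivered maps destination -> formatted
    lines; discarded counts messages dropped because the burst exceeded
    queue_size (Table 2-5: the excess messages are discarded)."""
    accepted = burst[: config.queue_size]
    discarded = len(burst) - len(accepted)
    delivered: dict[str, list[str]] = {dest: [] for dest in config.levels}
    for msg in accepted:
        line = f"<{priority(config, msg.severity)}>{msg.text}"
        for dest in config.levels:
            if passes(config, dest, msg.severity):
                delivered[dest].append(line)
    return delivered, discarded


if __name__ == "__main__":
    # Constructed sample: one message per severity; buffered level 4,
    # persistence level 3 (the value the Persistence Level note suggests).
    cfg = SyslogConfig(levels={"buffered": 4, "persistence": 3, "console": None})
    out, dropped = dispatch(cfg, [SyslogMessage(s, f"msg{s}") for s in range(8)])
    print(dropped, {dest: len(lines) for dest, lines in out.items()})
```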
Table 2-5 Virtual Context Syslog Configuration Attributes
Enable Syslog
Description: This option indicates whether syslog logging should be enabled or disabled.
Action: Check the check box to enable syslog logging or clear the check box to disable syslog logging.
Facility
Description: The syslog daemon uses the specified syslog facility to determine how to process the messages it receives. Syslog servers file or direct messages based on the facility number in the message. For more information on the syslog daemon and facility levels, refer to your syslog daemon documentation.
Action: Enter the facility appropriate for your network. Valid entries are 16 (LOCAL0) through 23 (LOCAL7). The default for an ACE appliance is 20 (LOCAL4).
Buffered Level
Description: This option enables system logging to a local buffer and limits the messages sent to the buffer based on severity.
Action: Select the desired level for sending system log messages to a local buffer. This option is disabled by default.
Console Level
Description: This option specifies the maximum level for system log messages sent to the console.
Note
Logging to the console can degrade system performance. Therefore, we recommend that you log messages to the console only when you are testing or debugging problems. Do not use this option when the network is busy, as it can reduce ACE appliance performance.
Action: Select the desired level for sending system log messages to the console. This option is disabled by default.
History Level
Description: This option specifies the maximum level for system log messages sent as traps to an SNMP network management station.
Note
For more information about configuring SNMP, see Configuring SNMP Notification, page 2-25.
Action: Select the desired level for sending system log messages as traps to an SNMP network management station. This option is disabled by default.
Monitor Level
Description: This option specifies the maximum level for system log messages sent to a remote connection using Secure Shell (SSH) or Telnet on the ACE appliance.
Note
You must enable remote access on the ACE appliance and establish a remote connection using the SSH or Telnet protocol from a PC for this option to work.
Action: Select the desired level for sending system log messages to a remote connection using SSH or Telnet on the ACE appliance. This option is disabled by default.
Cisco 4700 Series Application Control Engine Appliance Device Manager Configuration Guide
OL-23543-01
2-13
Chapter 2
Configuring Virtual Contexts
Configuring Virtual Context Syslog Logging
Table 2-5
Virtual Context Syslog Configuration Attributes (continued)
Field
Description
Action
Persistence Level
This option specifies the maximum level
for system log messages sent to Flash
memory.
Select the desired level for sending system log
messages to Flash memory.
This option is disabled by default.
Note
Trap Level
This option specifies the maximum level
for system log messages sent to a syslog
server.
We recommend that you use a lower severity
level, such as 3, since logging at a high rate to
Flash memory on the ACE appliance might
impact performance.
Select the desired level for sending system log
messages to a syslog server.
This option is disabled by default.
Queue Size
This option specifies the size of the buffer Enter the desired queue size.
for storing syslog messages received from
Valid entries are from 0 to 8192 messages.
other processes within the ACE appliance
The default is 100 messages.
while they await processing. When the
queue exceeds the specified value, the
excess messages are discarded.
Enable Timestamp
This option indicates whether syslog
messages should include the date and
time that the message was generated.
Check the check box to enable timestamps on syslog
messages or clear the check box to disable timestamps
on syslog messages.
This option is disabled by default.
Enable Standby
Enable Fastpath
Logging
This option indicates whether logging is
enabled on the failover standby ACE
appliance. When enabled:
•
This feature causes twice the
message traffic on the syslog server.
•
The standby ACE appliance syslog
messages remain synchronized if
failover occurs.
Check the check box to enable logging on the failover
standby ACE appliance or clear the check box to
disable logging on the failover standby ACE appliance.
This option indicates whether connection Check the check box to enable the logging of setup and
setup and teardown messages are logged. teardown messages or clear the check box to disable
the logging of setup and teardown messages.
This option is disabled by default.
Cisco 4700 Series Application Control Engine Appliance Device Manager Configuration Guide
2-14
OL-23543-01
Chapter 2
Configuring Virtual Contexts
Configuring Virtual Context Syslog Logging
Table 2-5
Virtual Context Syslog Configuration Attributes (continued)
Field
Description
Action
Device Id Type
This option specifies the type of unique Select the type of device identifier to be used:
device identifier to be included in syslog
• Any String—Indicates that a test string is to be
messages sent to the syslog server.
used to uniquely identify syslog messages send
from the ACE appliance.
The device identifier does not appear in
EMBLEM-formatted messages, SNMP
• Context Name—Indicates that the name of the
traps, or on the ACE appliance console,
current virtual context is to be used to uniquely
management session, or buffer.
identify the syslog messages sent from the ACE
appliance.
•
Host Name—Indicates that the hostname of the
ACE appliance is to be used to uniquely identify
the syslog messages sent from the ACE appliance.
•
Interface—Indicates that the IP address of the
interface is to be used to uniquely identify the
syslog messages sent from the ACE appliance.
•
Undefined—Indicates that no identifier is to be
used.
Device Interface Name
This field appears if the Device Id Type is Enter a text string that uniquely identifies the logging
Interface.
device interface name whose ID is to be included in
system messages. The maximum string length is 64
This option specifies the logging device
characters without spaces. Do not use the following
interface to be used to uniquely identify
characters: & (ampersand), ‘ (single quote), “ (double
syslog messages sent from the ACE
quote), < (less than), > (greater than), or ? (question
appliance.
mark).
Logging Device Id
This field appears if the Device ID Type
is Any String.
Step 3
Enter a text string that uniquely identifies the syslog
messages sent from the ACE appliance. The maximum
string length is 64 characters without spaces. Do not
This option specifies the text string to be
use the following characters: & (ampersand), ‘ (single
used to uniquely identify syslog messages
quote), “ (double quote), < (less than), > (greater than),
sent from the ACE appliance.
or ? (question mark).
Click Deploy Now to deploy this configuration on the ACE appliance. To configure other Syslog
attributes for this virtual context, see:
• Configuring Syslog Log Hosts, page 2-16
• Configuring Syslog Log Messages, page 2-17
• Configuring Syslog Log Rate Limits, page 2-18
Related Topics
• Configuring Virtual Contexts, page 2-7
• Configuring Syslog Log Hosts, page 2-16
• Configuring Syslog Log Messages, page 2-17
• Configuring Syslog Log Rate Limits, page 2-18
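The Facility, level and Device Id fields in Table 2-5 describe what a syslog collector sees on the wire: a PRI value that encodes facility and severity, and an identifier string subject to length and character rules. The following receiver-side decoder is an added example, not code from the guide or from Cisco; it shows how PRI splits into facility and severity, how the "maximum level" semantics of the level fields filter messages, and a check that applies the Logging Device Id rules. The sample lines, the hostname ace-ctx1 and the %ACE-n-EXAMPLE text are constructed and are not real ACE output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Facility numbers the ACE accepts (Table 2-5): 16 (LOCAL0) through 23 (LOCAL7); default 20 (LOCAL4).
FACILITY_NAMES = {16 + i: f"LOCAL{i}" for i in range(8)}
ACE_DEFAULT_FACILITY = 20

# Standard syslog severities, index = numeric level (0 is the most severe).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Characters that Table 2-5 forbids in a Logging Device Id / Device Interface Name.
FORBIDDEN_DEVICE_ID_CHARS = frozenset("&'\"<>?")

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    body: str

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES.get(self.facility, f"facility{self.facility}")

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def decode_pri(line: str) -> SyslogRecord:
    """Split the <PRI> prefix of a syslog line: PRI = facility * 8 + severity."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("line has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return SyslogRecord(facility=pri // 8, severity=pri % 8, body=m.group(2))


def passes_level(record: SyslogRecord, max_level: Optional[int]) -> bool:
    """'Maximum level' semantics of the Buffered/Console/Trap Level fields: a destination
    configured with level N receives severities 0..N; None models a disabled destination."""
    return max_level is not None and record.severity <= max_level


def validate_device_id(value: str) -> bool:
    """Length and character rules Table 2-5 gives for Logging Device Id and
    Device Interface Name: 1..64 characters, no spaces, none of & ' " < > ?"""
    if not 1 <= len(value) <= 64:
        return False
    if any(ch.isspace() for ch in value):
        return False
    return not (FORBIDDEN_DEVICE_ID_CHARS & set(value))


# Constructed sample lines (not captured from a real appliance). PRI 163 = 20*8+3.
SAMPLE_LINES = [
    "<163>ace-ctx1: %ACE-3-EXAMPLE: constructed errors-level message",
    "<166>ace-ctx1: %ACE-6-EXAMPLE: constructed informational message",
    "<167>ace-ctx1: %ACE-7-EXAMPLE: constructed debugging message",
    "<131>other-host: constructed LOCAL0 message from another device",
]


def route(lines: List[str], facility: int = ACE_DEFAULT_FACILITY,
          max_level: Optional[int] = 3) -> List[SyslogRecord]:
    """Keep the lines that carry the expected ACE facility and fall within max_level,
    which is how a collector files LOCAL4 traffic separately and drops chatter."""
    return [rec for rec in map(decode_pri, lines)
            if rec.facility == facility and passes_level(rec, max_level)]


if __name__ == "__main__":
    for rec in route(SAMPLE_LINES, max_level=6):
        print(rec.facility_name, rec.severity_name, rec.body)
```

Choosing a dedicated facility (the page's LOCAL0 to LOCAL7 range) is what lets the collector separate appliance messages from other hosts' traffic; the level filter shows why a high level such as 7 on the Trap Level field turns into a flood at the server, while the recommended lower level keeps only actionable events.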
Configuring Syslog Log Hosts
After configuring basic syslog characteristics (see Configuring Virtual Context Syslog Logging,
page 2-12), you can configure the log host, log messages, and log rate limits. The tabs for these attributes
appear beneath the Syslog configuration screen.
Use this procedure to configure Syslog log hosts.
Procedure
Step 1
Select Config > Virtual Contexts > context > System > Syslog. The Syslog configuration screen
appears.
Step 2
Select the Log Host tab. The Log Host table appears.
Step 3
Click Add to add a new log host, or select an existing log host, then click Edit to modify it. The Log
Host configuration screen appears.
Step 4
In the IP Address field, enter the IP address of the host to be used as the syslog server.
Step 5
In the Protocol field, select TCP or UDP as the protocol to be used.
Step 6
In the Protocol Port field, enter the number of the port that the syslog server listens to for syslog
messages. Valid entries are from 1024 to 65535; the default is 514.
Step 7
The Default UDP check box appears if TCP is selected in the Protocol field (Step 5). Check the Default
UDP check box to specify that the ACE appliance is to default to UDP if the TCP transport fails to
communicate with the syslog server. Clear this check box to prevent the ACE appliance from defaulting
to UDP if the TCP transport fails.
Step 8
In the Format field, indicate whether EMBLEM-format logging is to be used:
• N/A—Indicates that you do not want to enable EMBLEM-format logging.
• Emblem—Indicates that EMBLEM-format logging is to be enabled for each syslog server. If you use Cisco Resource Manager Essentials (RME) software to collect and process syslog messages on your network, enable EMBLEM-format logging so that RME can handle them. Similarly, UDP needs to be enabled because the Cisco Resource Manager Essentials (RME) syslog analyzer supports only UDP syslog messages.
Step 9
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries and to return to the Log Host table.
• Next to configure another syslog host.
Related Topics
• Configuring Virtual Context Syslog Logging, page 2-12
• Configuring Syslog Log Messages, page 2-17
• Configuring Syslog Log Rate Limits, page 2-18
Configuring Syslog Log Messages
After configuring basic syslog characteristics (see Configuring Virtual Context Syslog Logging,
page 2-12), you can configure the log host, log messages, and log rate limits. The tabs for these attributes
appear beneath the Syslog configuration screen.
Use this procedure to configure Syslog log messages.
Procedure
Step 1
Select Config > Virtual Contexts > context > System > Syslog. The Syslog configuration screen
appears.
Step 2
Select the Log Message tab. The Log Message table appears.
Step 3
Click Add to add a new entry to this table, or select an existing entry, then click Edit to modify it. The
Log Message configuration screen appears.
Step 4
In the Message Id field, select the system log message ID of the syslog messages that are to be sent to
the syslog server or that are not to be sent to the syslog server.
Step 5
Check the Enable State check box to indicate that logging is enabled for the specified message ID. Clear
the check box to indicate that logging is not enabled for the specified message ID. If you check the
Enable State check box, the Log Level field appears.
Step 6
In the Log Level field, select the desired level of syslog messages to be sent to the syslog server, using
the levels identified in Table 2-4.
Step 7
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries and to return to the Log Message table.
• Next to save your entries and to configure additional syslog message entries for this virtual context.
Related Topics
• Configuring Virtual Context Syslog Logging, page 2-12
• Configuring Syslog Log Hosts, page 2-16
• Configuring Syslog Log Rate Limits, page 2-18
Configuring Syslog Log Rate Limits
After configuring basic syslog characteristics (see Configuring Virtual Context Syslog Logging,
page 2-12), you can configure the log host, log messages, and log rate limits. The tabs for these attributes
appear beneath the Syslog configuration screen.
Use this procedure to limit the rate at which the ACE appliance generates messages in the syslog.
Procedure
Step 1
Select Config > Virtual Contexts > context > System > Syslog. The Syslog configuration screen
appears.
Step 2
Select the Log Rate Limit tab. The Log Rate Limit table appears.
Step 3
Click Add to add a new entry to this table, or select an existing entry, then click Edit to modify it. The
Log Rate Limit configuration screen appears.
Step 4
In the Type field, indicate the method by which syslog messages are to be limited:
• Select Level to limit syslog messages by syslog level. In the Level field, select the level of syslog messages to be sent to the syslog server, using the levels identified in Table 2-4.
• Select Message to limit syslog messages by message identification number. In the Message Id field, select the syslog message ID for those messages for which you want to suppress reporting.
Step 5
Check the Unlimited check box to indicate that limits are not to be applied to system message logging.
Clear the Unlimited check box to indicate that limits are to be applied to system message logging. If you
clear the Unlimited check box, the Rate and Time Interval fields appear.
Step 6
If you clear the Unlimited check box, specify the limits to apply to system message logging:
a. In the Rate field, enter the number at which syslog message creation is to be limited. When this limit is reached, the ACE appliance limits the creation of new syslog messages to be no greater than the specified rate. Valid entries are integers from 0 to 2147483647.
b. In the Time Interval (Seconds) field, enter the length of time (in seconds) over which the system message logs should be limited. The default time interval is one second. For example, if you enter 42 in the Rate field and 60 in the Time Interval (Seconds) field, the ACE appliance limits the creation of syslog messages that are sent to a maximum of 42 messages in that 60-second period. Valid entries are from 0 to 2147483647 seconds.
Step 7
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries and to return to the Log Rate Limit table.
• Next to save your entries and to add another entry to the Log Rate Limit table.
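The Log Rate Limit procedure above defines a limit by Type (Level or Message), a Rate, a Time Interval and an Unlimited switch. The simulator below is an added example, not code from the guide or from Cisco, that models those semantics as a fixed window per level or per message id so the effect of a setting can be checked before it is deployed; the page does not state the exact windowing the ACE uses internally, so a fixed window that restarts when the interval elapses is an assumption. The event stream and the message id EXAMPLE-MSG are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class RateLimit:
    """One Log Rate Limit entry. rate=None models the Unlimited check box;
    interval defaults to the page's default time interval of one second."""
    rate: Optional[int]
    interval: float = 1.0


@dataclass
class SyslogRateLimiter:
    """Fixed-window limiter keyed either by syslog level (Type = Level) or by
    message id (Type = Message), the two choices on the Log Rate Limit screen."""
    by_level: Dict[int, RateLimit] = field(default_factory=dict)
    by_message: Dict[str, RateLimit] = field(default_factory=dict)
    # (kind, key) -> (window start time, messages already generated in that window)
    _windows: Dict[Tuple[str, object], Tuple[float, int]] = field(default_factory=dict)

    def _window(self, kind: str, key, limit: RateLimit, now: float) -> Tuple[float, int]:
        start, count = self._windows.get((kind, key), (now, 0))
        if now - start >= limit.interval:  # interval elapsed: start a fresh window
            start, count = now, 0
        return start, count

    def accept(self, now: float, level: int, message_id: str) -> bool:
        """Return True if the message may be generated, False if it is suppressed.
        Every applicable limit is checked before any window counter is consumed."""
        applicable = []
        if level in self.by_level:
            applicable.append(("level", level, self.by_level[level]))
        if message_id in self.by_message:
            applicable.append(("message", message_id, self.by_message[message_id]))
        states = [(entry, self._window(*entry, now)) for entry in applicable]
        for (_, _, limit), (_, count) in states:
            if limit.rate is not None and count >= limit.rate:
                return False
        for (kind, key, _), (start, count) in states:
            self._windows[(kind, key)] = (start, count + 1)
        return True


def simulate(limiter: SyslogRateLimiter,
             events: Iterable[Tuple[float, int, str]]) -> Tuple[int, int]:
    """Run constructed (time, level, message_id) events through the limiter and
    return (generated, suppressed) counts."""
    generated = suppressed = 0
    for now, level, message_id in events:
        if limiter.accept(now, level, message_id):
            generated += 1
        else:
            suppressed += 1
    return generated, suppressed


def page_example() -> Tuple[int, int]:
    """The page's own numbers: Rate 42 over a 60-second interval, applied to level 6.
    100 constructed level-6 messages one second apart: 42 pass in the first window,
    18 are suppressed, and all 40 in the second window pass."""
    limiter = SyslogRateLimiter(by_level={6: RateLimit(rate=42, interval=60)})
    events = [(float(t), 6, "EXAMPLE-MSG") for t in range(100)]
    return simulate(limiter, events)


if __name__ == "__main__":
    print(page_example())
```

A Rate of 0 suppresses every matching message, which is the page's lower bound for the field; a limit by message id is the finer tool when one noisy message would otherwise crowd out other events at the same level.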
Related Topics
• Configuring Virtual Contexts, page 2-7
• Configuring Virtual Context Syslog Logging, page 2-12
• Configuring Syslog Log Hosts, page 2-16
• Configuring Syslog Log Messages, page 2-17
Configuring SNMP for Virtual Contexts
Use this procedure to configure SNMP for use with this virtual context.
Procedure
Step 1
Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen
appears.
Step 2
Enter SNMP attributes (see Table 2-6).
Table 2-6
SNMP Attributes
Field
Description
Contact Information
Enter contact information for the SNMP server within the virtual context
as a text string with a maximum of 240 characters including spaces. In
addition to a name, you might want to include a phone number or e-mail
address. To include spaces, add quotation marks at the beginning and
end of the entry.
Location
Enter the physical location of the system as a text string with a
maximum of 240 characters including spaces. To include spaces, add
quotation marks at the beginning and end of the entry.
Unmask Community
Check the check box to unmask the snmpCommunityName and
snmpCommunitySecurityName OIDs of the SNMP-COMMUNITY-MIB.
Clear the check box to mask these OIDs. By default, they are masked
(the check box is unchecked).
Trap Source Interface
Enter a valid VLAN number that identifies the interface from which the
SNMP traps originate.
IETF Trap
Check the check box to indicate that the ACE appliance is to send
linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863)
variable bindings, consisting of ifIndex, ifAdminStatus, and ifOperStatus.
Clear the check box to indicate that the ACE appliance is not to send
linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863)
variable bindings. Instead, the ACE appliance sends Cisco var-binds by
default.
Step 3
Click Deploy Now to deploy this configuration on the ACE appliance. To configure other SNMP
attributes, see:
• Configuring SNMP Version 2c Communities, page 2-20
• Configuring SNMP Version 3 Users, page 2-21
• Configuring SNMP Trap Destination Hosts, page 2-23
• Configuring SNMP Notification, page 2-25
Related Topic
Configuring Virtual Contexts, page 2-7
Configuring SNMP Version 2c Communities
After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual
Contexts, page 2-19), you can configure other SNMP attributes such as SNMP version 2c communities,
SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes
appear below the SNMP configuration screen.
Note
All SNMP communities in ACE appliance Device Manager are read-only communities and all
communities belong to the group network monitors.
Use this procedure to configure SNMP version 2c communities for a virtual context.
Assumption
You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts,
page 2-19).
Procedure
Step 1
Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen
appears.
Step 2
Select the SNMP v2c Configuration tab. The SNMP v2c Configuration table appears.
Step 3
Click Add to add an SNMP v2c community. The SNMP v2c Configuration screen appears.
Note
You cannot modify an existing SNMP v2c community. Instead, delete the existing SNMP v2c
community, then add a new one.
Step 4
In the Read-Only Community field, enter the SNMP v2c community name for this context. Valid entries
are unquoted text strings with no spaces and a maximum of 32 characters.
Step 5
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entry and to return to the SNMP v2c Community table.
• Next to save your entry and to configure another SNMP community for this virtual context. The screen refreshes and you can enter another community name.
Related Topics
• Configuring Virtual Contexts, page 2-7
• Configuring SNMP Version 3 Users, page 2-21
• Configuring SNMP Trap Destination Hosts, page 2-23
• Configuring SNMP Notification, page 2-25
Configuring SNMP Version 3 Users
After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual
Contexts, page 2-19), you can configure other SNMP attributes such as SNMP version 2c communities,
SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes
appear below the SNMP configuration screen.
Use this procedure to configure SNMP version 3 users for a virtual context.
Assumption
You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts,
page 2-19).
Procedure
Step 1
Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen
appears.
Step 2
Select the SNMP v3 Configuration tab. The SNMP v3 Configuration table appears.
Step 3
Click Add to add users, or select an existing entry, then Edit to modify it. The SNMP v3 Configuration
screen appears.
Step 4
Enter SNMP v3 user attributes (see Table 2-7).
Table 2-7
SNMP v3 User Configuration Attributes
Field
Description

User Name
Enter the SNMP v3 username. Valid entries are unquoted text strings with no spaces and a maximum of 24 characters.

Authentication Algorithm
Select the authentication algorithm to be used for this user.
• N/A—Indicates that no authentication is to be used.
• Message Digest (MD5)—Indicates that Message Digest 5 is to be used as the authentication mechanism.
• Secure Hash Algorithm (SHA)—Indicates that Secure Hash Algorithm is to be used as the authentication mechanism.

Authentication Password
Appears if you select an authentication algorithm. The ACE appliance automatically updates the password for the CLI user with the SNMP authentication password.
Enter the authentication password for this user as follows:
• If the passphrases are specified in clear text, enter an unquoted text string with no space that is from 8 to 64 alphanumeric characters in length. The password length can be an odd or even value.
• If use of a localized key is enabled, enter an unquoted text string with no space that is from 8 to 130 alphanumeric characters in length. The password length must be an even value.

Confirm
Appears if you select an authentication algorithm.
Reenter the authentication password.

Localized
Appears if you select an authentication algorithm.
Indicate whether the password is in localized key format for security encryption:
• N/A—Indicates that this option is not configured.
• False—Indicates that the password is not in localized key format for encryption.
• True—Indicates that the password is in localized key format for encryption.

Privacy
Appears if you select an authentication algorithm.
Indicate whether encryption attributes are to be configured for this user:
• N/A—Indicates that no encryption attributes are specified.
• False—Indicates that encryption parameters are not to be configured for this user.
• True—Indicates that encryption parameters are to be configured for this user.

AES 128
Appears if you set Privacy to True.
Indicate whether the 128-byte Advanced Encryption standard (AES) algorithm is to be used for privacy. AES is a symmetric cipher algorithm and is one of the privacy protocols for SNMP message encryption.
• N/A—Indicates that no standard is specified.
• False—Indicates that AES 128 is not be used for privacy.
• True—Indicates that AES 128 is to be used for privacy.

Privacy Password
Appears if you set Privacy to True. Enter the user encryption password as follows:
• If the passphrases are specified in clear text, enter an unquoted text string with no space that is from 8 to 64 alphanumeric characters in length. The password length can be an odd or even value.
• If use of a localized key is enabled, enter an unquoted text string with no space that is from 8 to 130 alphanumeric characters in length. The password length must be an even value.

Confirm
Appears if you set Privacy to True.
Reenter the privacy password.
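Table 2-7 distinguishes a clear-text passphrase (8 to 64 characters, any length) from a localized key (8 to 130 characters, even length) for both the authentication and the privacy password. The following is an added example, not code from the guide or from Cisco: it derives a localized key with the standard SNMPv3 procedure from RFC 3414 (password expanded to 1 MiB and hashed, then re-hashed with the agent's engine ID) for the two Authentication Algorithm choices on the page, MD5 and SHA, and checks the resulting string against the Table 2-7 length rules. The guide does not say how the ACE derives or expects localized keys, nor does it mention the SNMP engine ID, so treating the RFC 3414 derivation as the applicable one is an assumption; the password and engine ID values are the published RFC 3414 Appendix A test vector, not anything from an appliance.

```python
import hashlib
from typing import Dict

# Device Manager's Authentication Algorithm choices (Table 2-7) mapped to hashlib names.
AUTH_ALGORITHMS: Dict[str, str] = {"MD5": "md5", "SHA": "sha1"}


def password_to_key(password: str, algorithm: str) -> bytes:
    """RFC 3414 A.2 password-to-key: hash the password repeated to 1,048,576 bytes.
    The expansion is deliberate work to slow down offline guessing of the passphrase."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(AUTH_ALGORITHMS[algorithm], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Bind the user key to one agent: Kul = H(Ku || snmpEngineID || Ku).
    A key stolen from one agent therefore does not authenticate to another."""
    return hashlib.new(AUTH_ALGORITHMS[algorithm], ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algorithm: str) -> str:
    """The string a user would enter with Localized = True: the hex of the localized key.
    MD5 yields 32 hex digits, SHA 40; both are even lengths, which is why Table 2-7
    requires an even value for a localized key."""
    ku = password_to_key(password, algorithm)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algorithm).hex()


def check_password_field(value: str, localized: bool) -> bool:
    """Length rules from Table 2-7 for the authentication and privacy passwords:
    clear text is 8..64 alphanumeric characters (odd or even); a localized key is
    8..130 characters and must be an even length."""
    if not value.isalnum():  # unquoted, no spaces
        return False
    if localized:
        return 8 <= len(value) <= 130 and len(value) % 2 == 0
    return 8 <= len(value) <= 64


# RFC 3414 Appendix A.3 test vector (published values, not output from an ACE).
RFC3414_PASSWORD = "maplesyrup"
RFC3414_ENGINE_ID = "000000000000000000000002"


if __name__ == "__main__":
    for alg in AUTH_ALGORITHMS:
        key = localized_key_hex(RFC3414_PASSWORD, RFC3414_ENGINE_ID, alg)
        print(alg, key, check_password_field(key, localized=True))
```

The derivation also makes the page's note that the ACE updates the CLI user's password with the SNMP authentication password worth weighing: the same secret then protects both the management CLI and SNMPv3, so its strength should be chosen with both in mind.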
Cisco 4700 Series Application Control Engine Appliance Device Manager Configuration Guide
2-22
OL-23543-01
Chapter 2
Configuring Virtual Contexts
Configuring SNMP for Virtual Contexts
Step 5
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the SNMP v3 Configuration table.
• Next to save your entries and to add another entry to the SNMP v3 Configuration table. The screen refreshes and you can enter another SNMP v3 user.
Related Topics
• Configuring Virtual Contexts, page 2-7
• Configuring SNMP Version 2c Communities, page 2-20
• Configuring SNMP Trap Destination Hosts, page 2-23
• Configuring SNMP Notification, page 2-25
Configuring SNMP Trap Destination Hosts
To receive SNMP notifications you must configure:
• At least one SNMP trap destination host. This section describes how to do this.
• At least one type of notification. See Configuring SNMP Notification, page 2-25.
After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual
Contexts, page 2-19), you can configure other SNMP attributes such as SNMP version 2c communities,
SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes
appear below the SNMP configuration screen.
Use this procedure to configure SNMP trap destination hosts for a virtual context.
Assumption
You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts,
page 2-19).
Procedure
Step 1
Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen
appears.
Step 2
Select the Trap Destination Host tab. The Trap Destination Host table appears.
Step 3
Click Add to add a host, or select an existing entry in the table, then Edit to modify it. The Trap
Destination Host configuration screen appears.
Step 4
Configure the SNMP trap destination host using the information in Table 2-8.
Table 2-8
SNMP Trap Destination Host Configuration Attributes
Field
Description

IP Address
Enter the IP address of the server that is to receive SNMP notifications. Enter the address in dotted-decimal format, such as 192.168.11.1.

Port
Enter the port to be used for SNMP notification. The default port is 162.

Version
Select the version of SNMP used to send traps:
• V1—Indicates that SNMP version 1 is to be used to send traps. This option is not available for use with SNMP inform requests.
• V2c—Indicates that SNMP version 2c is to be used to send traps.
• V3—Indicates that SNMP version 3 is to be used to send traps. This version is the most secure model because it allows packet encryption.

Community
Enter the SNMP community string or username to be sent with the notification operation. Valid entries are unquoted text strings with no spaces and a maximum of 32 characters.

Security Level
This field appears if V3 is the selected version.
Select the level of security that is to be implemented:
• Auth—Indicates that Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) are to be used for packet authentication.
• Noauth—Indicates that the noAuthNoPriv security level is to be used.
• Priv—Indicates that Data Encryption Standard (DES) is to be used for packet encryption.

Step 5
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Trap Destination Host table.
• Next to save your entries and to add another entry to the Trap Destination Host table. The screen refreshes and you can add another trap destination host.
Related Topics
• Configuring Virtual Contexts, page 2-7
• Configuring SNMP Version 2c Communities, page 2-20
• Configuring SNMP Version 3 Users, page 2-21
• Configuring SNMP Notification, page 2-25
Configuring SNMP Notification
After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual
Contexts, page 2-19), you can configure other SNMP attributes such as SNMP version 2c communities,
SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes
appear below the SNMP configuration screen.
To receive SNMP notifications you must configure:
• At least one SNMP trap destination host. See Configuring SNMP Trap Destination Hosts, page 2-23.
• At least one type of notification. This section describes how to do this.
Use this procedure to configure SNMP notification for a virtual context.
Assumptions
• You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts, page 2-19).
• At least one SNMP server host has been configured (see Configuring SNMP Trap Destination Hosts, page 2-23).
Procedure
Step 1
Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen
appears.
Step 2
Select the SNMP Notification tab. The SNMP Notification table appears.
Step 3
Click Add to add a new entry. The SNMP Notification configuration screen appears.
Note
You cannot modify an existing entry. Instead, delete the existing notification entry, then add a
new one.
Step 4
In the Options field, select the type of notifications to be sent to the SNMP host. Some options are
available only in the Admin context.
• License—SNMP license notifications are to be sent. This option is available only in the Admin context.
• SLB—Server load-balancing notifications are to be sent.
• SLB Real Server—Notifications of real server state changes are to be sent.
• SLB Virtual Server—Notifications of virtual server state changes are to be sent.
• SNMP—SNMP notifications are to be sent.
• SNMP Authentication—Notifications of incorrect community strings in SNMP requests are to be sent.
• SNMP Cold-Start—SNMP agent restart notifications are to be sent after a cold restart (full power cycle) of the ACE. This option is available only in the Admin context.
• SNMP Link-Down—Notifications are to be sent when a VLAN interface is down.
• SNMP Link-Up—Notifications are to be sent when a VLAN interface is up.
• Syslog—Error message notifications (Cisco Syslog MIB) are to be sent.
• Virtual Context—Virtual context notifications are to be sent.
Step 5
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your selection and to return to the SNMP Notification table.
• Next to save your entries and to add another entry to the SNMP Notification table. The screen refreshes and you can select another SNMP notification option.
Related Topics
• Configuring Virtual Contexts, page 2-7
• Configuring SNMP Version 2c Communities, page 2-20
• Configuring SNMP Version 3 Users, page 2-21
Configuring Virtual Context Global Traffic Policies
With the ACE appliance Device Manager, you can apply traffic policies to a specific VLAN interface or
to all VLAN interfaces in the same virtual context.
Use this procedure to apply a policy to all VLAN interfaces in the selected context.
To apply a policy to a specific VLAN, see Configuring Traffic Policies, page 10-1.
Note
You cannot modify an existing policy. Instead, delete the existing global policy, then create a
new one.
Assumption
A Layer 3/Layer 4 or Management policy map has been configured for this virtual context. For more
information, see Configuring Virtual Context Policy Maps, page 10-33.
Procedure
Step 1
Select Config > Virtual Contexts > context > System > Global Policies. The Global Policies table
appears.
Step 2
Click Add to add a new global policy. The Global Policies configuration screen appears.
Note
You cannot modify an existing policy. Instead, delete the existing global policy, then create a
new one.
Step 3
In the Policy Maps field, select the policy map that you want to apply to all VLANs in this context.
Step 4
In the Direction field, verify that the policy is being applied to incoming communications.
Step 5
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries and to return to the Global Policies table.
• Next to save your entries and to configure another global policy for this context.
Related Topics
• Using Virtual Contexts, page 2-2
• Configuring Virtual Context Primary Attributes, page 2-11
• Configuring Virtual Context VLAN Interfaces, page 8-8
• Configuring Virtual Context Syslog Logging, page 2-12
• Configuring Traffic Policies, page 10-1
Managing ACE Appliance Licenses
Note
This functionality is available for only Admin contexts.
Cisco Systems offers licenses for ACE appliances that let you increase performance throughput, the
number of default contexts, SSL TPS (transactions per second), HTTP compression performance, and
application acceleration and optimization. For more information on these licenses, refer to the Cisco
4700 Series Application Control Engine Appliance Administration Guide on cisco.com.
You can view, install, remove, or update ACE appliance licenses using the ACE appliance Device
Manager.
Installing or updating an ACE appliance license involves two processes:
• Copying the license from a remote network server to the disk0: file system in Flash memory on the ACE appliance.
• Installing or updating the license on the ACE appliance.
You can use the ACE appliance Device Manager to perform both processes from a single dialog box. If
you previously copied the license to disk0: on the ACE by using the copy CLI command, you can use
this dialog box to install the new license or upgrade license on your ACE.
Related Topics
• Viewing ACE Appliance Licenses, page 2-28
• Installing ACE Appliance Licenses, page 2-28
• Updating ACE Appliance Licenses, page 2-30
• Uninstalling ACE Appliance Licenses, page 2-31
• Displaying License Configuration and Statistics, page 2-32
Viewing ACE Appliance Licenses
Note
This functionality is available for only Admin contexts.
Use this procedure to view the licenses that are currently installed on an ACE appliance.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the Admin context whose ACE appliance licenses you want to view, then click System >
Licenses. The Licenses table appears listing all installed licenses.
Related Topics
• Managing ACE Appliance Licenses, page 2-27
• Installing ACE Appliance Licenses, page 2-28
• Updating ACE Appliance Licenses, page 2-30
• Uninstalling ACE Appliance Licenses, page 2-31
• Displaying License Configuration and Statistics, page 2-32
Installing ACE Appliance Licenses
Note
This functionality is available for only Admin contexts.
Use this procedure to copy and install a new or upgrade ACE appliance license from a remote server onto
the ACE appliance.
Assumption
• You have received the proper software license key for the ACE appliance.
• ACE appliance licenses are available on a remote server for importing to the ACE appliance, or you have received the software license key and have copied the license file to the disk0: filesystem on the ACE appliance using the copy disk0: CLI command.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the Admin context you want to import and install a license for, then click System > Licenses. The
Licenses table appears listing all installed licenses.
Step 3
Click Install License. The Copy a License File and Install It On The ACE dialog box appears.
Step 4
If the license currently exists on the ACE appliance disk0: file system in Flash memory, leave the License needs to be copied to disk0:? check box unchecked. Proceed to Step 10.
Step 5
If the update license must be copied to the disk0: file system in Flash memory, check the License needs
to be copied to disk0:? check box. Proceed to Step 6.
Step 6
In the Protocol field, select the protocol to be used to import the license file from the remote server to the ACE appliance:
• If you select FTP, the User and Password fields appear. Continue with Step 7.
• If you select SFTP, the User and Password fields appear. Continue with Step 7.
• If you select TFTP, continue with Step 8.
Step 7
If you select FTP or SFTP:
a. In the User field, enter the username of the account on the network server.
b. In the Password field, enter the password for the user account. Reenter the password in the Confirm field.
Step 8
In the Source File Name field, enter the host IP address, path, and filename of the license file on the remote server in the format host-ip/path/filename where:
• host-ip represents the IP address of the remote server.
• path represents the directory path of the license file on the remote server.
• filename represents the filename of the license file on the remote server.
For example, your entry might resemble 192.168.11.2/usr/bin/ACE-VIRT-020.lic.
Step 9
In the Destination field, enter the location where you want the license file to reside on the ACE appliance
in preparation for installation or updating. The default location is disk0:.
Step 10
In the User-Specified Name for the License file: field, enter the name that you would like to use for this
license file, such as myACE-AP-VIRT-020.lic.
Step 11
Click:
• OK to accept your entries and to copy the file from the remote server to the ACE appliance and then install it.
• Cancel to exit this procedure without copying the file from the remote server and to return to the Licenses table.
Related Topics
• Managing ACE Appliance Licenses, page 2-27
• Viewing ACE Appliance Licenses, page 2-28
• Updating ACE Appliance Licenses, page 2-30
• Uninstalling ACE Appliance Licenses, page 2-31
• Displaying License Configuration and Statistics, page 2-32
Updating ACE Appliance Licenses
Note
This functionality is available for only Admin contexts.
ACE appliance Device Manager allows you to convert demonstration licenses to permanent licenses and
to upgrade permanent licenses to increase the number of virtual contexts.
Use this procedure to install ACE appliance update licenses.
Assumption
• You have received the proper update software license for the ACE appliance.
• ACE appliance licenses are available on a remote server for importing to the ACE appliance, or you have received the update software license and have copied the license file to the disk0: filesystem on the ACE appliance using the copy disk0: CLI command.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the Admin context with the license you want to update, then click System > Licenses. The
Licenses table appears listing all installed licenses.
Step 3
Select the license to be updated, then click Update. The Update License On The ACE dialog box
appears.
Step 4
If the update license currently exists on the disk0: file system in Flash memory in the ACE (perhaps by
using the copy disk0: CLI command), perform the following sequence:
a.
Leave the Update License needs to be copied to disk0:? check box unchecked.
b.
In the License File Name field, enter the name of the update license file on disk0:.
Step 5
If the update license must be copied to the disk0: file system in Flash memory, check the Update License
needs to be copied to disk0:? check box. Proceed to Step 6.
Step 6
In the Protocol field, select the protocol to be used to import the license file from the remote server to the ACE appliance:
• If you select FTP, the User and Password fields appear. Continue with Step 7.
• If you select SFTP, the User and Password fields appear. Continue with Step 7.
• If you select TFTP, continue with Step 8.
Step 7
If you select FTP or SFTP:
a. In the User field, enter the username of the account on the network server.
b. In the Password field, enter the password for the user account. Reenter the password in the Confirm field.
Step 8
In the Source File Name field, enter the host IP address, path, and filename of the license file on the remote server in the format host-ip/path/filename where:
• host-ip represents the IP address of the remote server.
• path represents the directory path of the license file on the remote server.
• filename represents the filename of the license file on the remote server.
For example, your entry might resemble 192.168.11.2/usr/bin/ACE-VIRT-020.lic.
Step 9
In the Destination field, enter the location where you want the license file to reside on the ACE appliance
in preparation for installation or updating. The default location is disk0:.
Step 10
Click:
• OK to update the license and to return to the Licenses table. The Licenses table displays the updated information.
• Cancel to exit this procedure without updating the license and to return to the Licenses table.
Related Topics
• Managing ACE Appliance Licenses, page 2-27
• Viewing ACE Appliance Licenses, page 2-28
• Installing ACE Appliance Licenses, page 2-28
• Uninstalling ACE Appliance Licenses, page 2-31
• Displaying License Configuration and Statistics, page 2-32
Uninstalling ACE Appliance Licenses
Note
This functionality is available for only Admin contexts.
Caution
Removing licenses can affect an ACE appliance’s bandwidth or performance. For detailed information on the effect of license removal on your ACE appliance, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
Use this procedure to remove ACE appliance licenses.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the Admin context with the license you want to remove, then click System > Licenses. The
Licenses table appears listing all installed licenses.
Step 3
Select the license to be removed.
Step 4
Click Uninstall. A window appears, asking you to confirm the license removal process.
Note
Removing licenses can affect the number of contexts, ACE appliance bandwidth, or SSL TPS
(transactions per second). Be sure you understand the effect of removing the license on your
environment before continuing.
Step 5
Click OK to confirm the removal or Cancel to stop the removal process.
If you click OK, a status window appears with the status of license removal. When the license has been
removed, the Licenses table refreshes without the deleted license.
Related Topics
• Managing ACE Appliance Licenses, page 2-27
• Installing ACE Appliance Licenses, page 2-28
• Updating ACE Appliance Licenses, page 2-30
• Viewing ACE Appliance Licenses, page 2-28
• Displaying License Configuration and Statistics, page 2-32
Displaying License Configuration and Statistics
Note
This functionality is available for only Admin contexts.
Use this procedure to view information about ACE appliance licenses.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the Admin context with the license information you want to view, then select System > Licenses.
The Licenses table appears listing all installed licenses.
Step 3
Select the license with the information you want to view, then click Status. The Show License Status window appears with the following information:
• Compression performance in megabits or gigabits per second
• Application acceleration and optimization in the number of concurrent connections
• SSL transactions per second
• Number of supported virtual contexts
• ACE appliance bandwidth in gigabits per second
Step 4
Click Close when you finish viewing the information.
Related Topics
• Installing ACE Appliance Licenses, page 2-28
• Updating ACE Appliance Licenses, page 2-30
Managing Resource Classes
Resource classes are the means by which you manage virtual context access to ACE appliance resources,
such as concurrent connections or bandwidth rate. ACE appliances are preconfigured with a default
resource class that is applied to the Admin context and any user context upon creation. The default
resource class is configured to allow a context to operate within a range that can vary from no resource
access (0%) to complete resource access (100%). When you use the default resource class with multiple
contexts, you run the risk of oversubscribing ACE appliance resources. This means that the ACE
appliance permits all contexts to have full access to all resources on a first-come, first-served basis.
When a resource is utilized to its maximum limit, the ACE appliance denies additional requests made by
any context for that resource.
To avoid oversubscribing resources and to help guarantee access to a resource by any context, you can
create customized resource classes that you associate with one or more contexts. A context becomes a
member of the resource class when you make the association. Creating a resource class allows you to set
limits on the minimum and maximum amounts of each ACE appliance resource that a member context
is entitled to use. You define the minimum and maximum values as a percentage of the whole. For
example, you can create a resource class that allows its member contexts access to no less than 25% of
the total number of SSL connections that the ACE appliance supports.
You can limit and manage the allocation of the following ACE appliance resources:
• ACL memory
• Application acceleration connections
• Buffers for syslog messages and TCP out-of-order (OOO) segments
• Concurrent connections (through-the-ACE traffic)
• Management connections (to-the-ACE traffic)
• HTTP compression percentage
• Proxy connections
• Set resource limit as a rate (number per second)
• Regular expression (regexp) memory
• SSL connections
• Sticky entries
• Static or dynamic network address translations (Xlates)
Table 2-9 identifies and defines the resources that you can establish for resource classes.
Resource Allocation Constraints
Note
This functionality is available for only Admin contexts.
Caution
The following resources are critical for maintaining connectivity to the Admin context:
• Rate Bandwidth
• Rate Management Traffic
• Rate SSL Connections
• Rate Connections
• Management Connections
• Concurrent Connections
If you allocate 100% of these resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost.
We recommend that you create a resource class specifically for the Admin context and apply it to the context so that you can maintain IP connectivity.
Table 2-9 Resource Class Attributes

Resource: Definition

All: Limits all resources to the specified value for all contexts assigned to this resource class, except for management traffic bandwidth. Management traffic bandwidth remains at the default values until you explicitly configure a minimum value for management traffic.

Acceleration Connections: Percentage of application acceleration connections.

ACL Memory: Percentage of memory allocated for ACLs.

Concurrent Connections: Percentage of simultaneous connections.
Note: If you consume all Concurrent Connections by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

HTTP Compression: Percentage of compression for HTTP data.

Management Connections: Percentage of management connections.
Note: If you consume all Management Connections by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

Proxy Connections: Percentage of proxy connections.

Regular Expressions: Percentage of regular expression memory.

Sticky: Percentage of entries in the sticky table.

Xlates: Percentage of network and port address translation entries.

Buffer Syslog: Percentage of the syslog buffer.

Rate Inspect Connection: Percentage of application protocol inspection connections for FTP and RTSP.
Rate Bandwidth: Percentage of context throughput. This attribute limits the total ACE throughput in bytes per second for one or more contexts.
Note: If you consume all rate bandwidth by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.
The maximum bandwidth rate per context is determined by your bandwidth license. By default, the ACE supports 1 gigabit per second (Gbps) appliance throughput. You can upgrade the ACE with an optional 2-Gbps bandwidth license. When you configure a minimum bandwidth value for a resource class in the ACE, the ACE subtracts that configured value from the total bandwidth maximum value of all contexts in the ACE, regardless of the resource class with which they are associated. The total bandwidth rate of a context consists of the following two components:
• Throughput—Limits through-the-ACE traffic. This is a derived value (you cannot configure it directly) and it is equal to the bandwidth rate minus the mgmt-traffic rate for the 1-Gbps and 2-Gbps licenses.
• Management Traffic—Limits management (to-the-ACE) traffic in bytes per second. To guarantee a minimum amount of management traffic bandwidth, you must explicitly allocate a minimum percentage to management traffic using the Resource Classes table (Config > Virtual Contexts > admin context > System > Resource Class). When you allocate a minimum percentage of bandwidth to management traffic, the ACE subtracts that value from the maximum available management traffic bandwidth for all contexts in the ACE.

Rate Connections: Percentage of connections of any kind.
Note: If you consume all Rate Connections by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

Rate Management Traffic: Percentage of management traffic connections.
Note: If you consume all Rate Management Traffic by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

Rate SSL Connections: Percentage of SSL connections.

Rate Syslog: Percentage of syslog messages per second.

Rate MAC Miss: Percentage of messages destined for the ACE appliance that are sent to the control plane when the encapsulation is not correct in packets.
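The allocation rule behind the Caution in Resource Allocation Constraints and the per-resource Notes in Table 2-9 can be checked before a resource class is deployed. The Python below is an added example, not Cisco's code or part of the Device Manager: it models a resource class as a set of guaranteed minimum percentages, sums the minimums committed by every context's class, flags resources whose minimums add up to more than 100% (oversubscription), and flags critical resources whose minimums are fully committed to non-Admin contexts, which is the condition under which the guide says Admin connectivity can be lost. The resource keys, class and context names, and the Maximum VC model in max_provisionable are assumptions made for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Resources the guide's Caution lists as critical for Admin-context connectivity
# (key names are this example's own, not ACE identifiers).
CRITICAL_RESOURCES = frozenset({
    "rate_bandwidth", "rate_mgmt_traffic", "rate_ssl_connections",
    "rate_connections", "mgmt_connections", "concurrent_connections",
})

STEP = Decimal("0.01")  # the Min. field accepts 0..100 in 0.01 increments


def validate_min(value):
    """Return the Min. percentage as a Decimal, rejecting values outside
    0..100 or finer than the 0.01 granularity the Min. field accepts."""
    pct = Decimal(str(value))
    if not Decimal(0) <= pct <= Decimal(100):
        raise ValueError(f"minimum {value} is outside 0..100")
    if pct != pct.quantize(STEP):
        raise ValueError(f"minimum {value} is not a multiple of 0.01")
    return pct


@dataclass(frozen=True)
class ResourceClass:
    """One resource class: guaranteed minimum percent per resource, and whether
    Max. is Unlimited (True) or Equal To Min. (False)."""
    name: str
    minimums: dict = field(default_factory=dict)
    unlimited_max: bool = True

    def __post_init__(self):
        for pct in self.minimums.values():
            validate_min(pct)


# The preconfigured default class: 0% guaranteed, 100% maximum for every resource.
DEFAULT_CLASS = ResourceClass("default")


def max_provisionable(rc):
    """Simple model (an assumption here, not the ACE's own formula) of the
    Maximum VC column: the largest guaranteed minimum bounds how many contexts
    the class can host before 100% is committed. None means no bound."""
    positive = [validate_min(v) for v in rc.minimums.values() if validate_min(v) > 0]
    if not positive:
        return None
    return int(Decimal(100) // max(positive))


def committed_minimums(classes, assignments):
    """Sum the guaranteed minimums per resource over the assigned contexts.
    classes: class name -> ResourceClass; assignments: context -> class name."""
    totals = {}
    for cls_name in assignments.values():
        for res, pct in classes[cls_name].minimums.items():
            totals[res] = totals.get(res, Decimal(0)) + validate_min(pct)
    return totals


def check_allocation(classes, assignments, admin_context="Admin"):
    """Report oversubscribed resources (minimums past 100%), critical resources
    fully committed to non-Admin contexts, and critical resources for which the
    Admin context itself has no guaranteed minimum."""
    total = committed_minimums(classes, assignments)
    non_admin = committed_minimums(
        classes, {c: n for c, n in assignments.items() if c != admin_context})
    admin_class = classes.get(assignments.get(admin_context), DEFAULT_CLASS)
    return {
        "oversubscribed": sorted(r for r, t in total.items() if t > 100),
        "admin_at_risk": sorted(r for r, t in non_admin.items()
                                if r in CRITICAL_RESOURCES and t >= 100),
        "admin_unreserved": sorted(r for r in CRITICAL_RESOURCES
                                   if validate_min(admin_class.minimums.get(r, 0)) == 0),
    }


# Constructed sample: two customer classes plus a class reserved for the Admin context.
SAMPLE_CLASSES = {
    "default": DEFAULT_CLASS,
    "gold": ResourceClass("gold", {"concurrent_connections": 40, "rate_bandwidth": 30}),
    "silver": ResourceClass("silver", {"concurrent_connections": 20, "rate_bandwidth": 20}),
    "admin_reserve": ResourceClass("admin_reserve",
                                   {r: 10 for r in CRITICAL_RESOURCES}, unlimited_max=False),
}
# Constructed assignments: three user contexts commit 100% of concurrent connections.
RISKY = {"Admin": "admin_reserve", "web1": "gold", "web2": "gold", "web3": "silver"}
SAFE = {"Admin": "admin_reserve", "web1": "gold", "web3": "silver"}

if __name__ == "__main__":
    print("risky:", check_allocation(SAMPLE_CLASSES, RISKY))
    print("safe: ", check_allocation(SAMPLE_CLASSES, SAFE))
```

With the constructed RISKY assignments the three user contexts commit 40 + 40 + 20 = 100% of concurrent connections, so the check reports that resource both as oversubscribed (110% once the Admin reserve is counted) and as leaving nothing for the Admin context; dropping web2 (SAFE) clears both findings. Assigning the Admin context to the default class instead of a dedicated reserve shows up as every critical resource being unreserved, which is exactly what the guide's recommendation to create an Admin-specific class prevents.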
Related Topics
• Adding Resource Classes, page 2-36
• Modifying Resource Classes, page 2-37
• Deleting Resource Classes, page 2-38
• Viewing Resource Class Use on Virtual Contexts, page 2-39
Adding Resource Classes
Note
This functionality is available for only Admin contexts.
Resource classes are used when provisioning services, establishing virtual contexts, managing devices,
and monitoring virtual context resource consumption.
Defining a resource class does not automatically apply it to a context. New resource classes are applied
only when a resource class is assigned to a virtual context.
Caution
If you allocate 100% of the resources to a resource class and then apply the resource class to virtual
contexts, connectivity to the Admin context can be lost. For more information, refer to Resource
Allocation Constraints, page 2-34.
Use this procedure to create a new resource class.
Procedure
Step 1
Select Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes
table appears.
Step 2
Click Add to create a new resource class. The New Resource Class configuration screen appears.
Step 3
In the Name field, enter a unique name for this resource class. Valid entries are unquoted text strings
with no spaces and a maximum of 64 characters.
Step 4
To use the same values for each resource, enter the following information in the All row: (See Table 2-9
for a description of the resources.)
a.
In the Min. field, enter the minimum percentage of each resource you want to allocate to this
resource class. Valid entries are numbers from 0 to 100 including those with decimals in increments
of .01.
b.
In the Max. field, select the maximum percentage of each resource you want to allocate to this
resource class:
– Equal To Min.—Indicates that the maximum percentage allocated for each resource is equal to
the minimum specified in the Min. field.
– Unlimited—Indicates that there is no upper limit on the percentage of each resource that can be
allocated for this resource class.
Step 5
To use different values for the resources, for each resource, select the method for allocating resources:
• Select Default to use the values specified in Step 4.
• Select Min. to enter a specific minimum value for the resource.
Step 6
If you select Min.:
a. In the Min. field, enter the minimum percentage of this resource you want to allocate to this resource class. For example, for ACL memory, you would enter 10 in the Min. field to indicate that you want to allocate a minimum of 10% of the available ACL memory to this resource class.
b.
In the Max. field, select the maximum percentage of the resource you want to allocate to this
resource class:
– Equal To Min.—Indicates that the maximum percentage allocated for this resource is equal to
the minimum specified in the Min. field.
– Unlimited—Indicates that there is no upper limit on the percentage of the resource that can be
allocated for this resource class.
Step 7
When you finish allocating the resources for this resource class, click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Resource Classes table.
Step 8
If you click Deploy Now, the ACE appliance Device Manager displays the number of virtual contexts that can be supported using this resource class in the Maximum VC column. To support more or fewer virtual contexts, select the resource class, click Edit, and modify it as described in this procedure.
Related Topics
• Managing Resource Classes, page 2-33
• Modifying Resource Classes, page 2-37
• Deleting Resource Classes, page 2-38
• Viewing Resource Class Use on Virtual Contexts, page 2-39
Modifying Resource Classes
Note
This functionality is available for only Admin contexts.
When you modify a resource class, the ACE appliance Device Manager applies the changes both to virtual contexts that are associated with the resource class in the future and to existing virtual contexts already associated with it.
Caution
If you allocate 100% of the resources to a resource class and then apply the resource class to virtual
contexts, connectivity to the Admin context can be lost. For more information, refer to Resource
Allocation Constraints, page 2-34.
Use this procedure to modify an existing resource class.
Note
You cannot modify the default resource class.
Procedure
Step 1
Select Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes
table appears.
Step 2
Select the resource class you want to modify, then click Edit. The Edit Resource Class configuration
screen appears.
Step 3
Modify the fields as desired. For details on setting values, see Adding Resource Classes, page 2-36. For
descriptions of the resources, see Table 2-9.
Step 4
When you finish allocating the resources for this resource class, click:
• Deploy Now to deploy this configuration on the ACE appliance. The configuration screen refreshes and the Max. Provisionable field beneath the Name field indicates the number of virtual contexts that can be supported using this resource allocation. When you are satisfied with the resource allocation and have saved your entries, click Cancel to return to the Resource Classes table.
• Cancel to exit this procedure without saving your entries and to return to the Resource Classes table.
The ACE appliance Device Manager applies all changes to the virtual contexts that use this resource
class.
Related Topics
• Managing Resource Classes, page 2-33
• Adding Resource Classes, page 2-36
• Modifying Resource Classes, page 2-37
• Deleting Resource Classes, page 2-38
• Viewing Resource Class Use on Virtual Contexts, page 2-39
Deleting Resource Classes
Note
This functionality is available for only Admin contexts.
Use this procedure to remove resource classes from the ACE appliance Device Manager database.
Note
When you remove a resource class from the ACE appliance Device Manager, any virtual contexts that
were associated with this resource class automatically become members of the default resource class.
The default resource class allocates a minimum of 0.00% to a maximum of 100.00% of all ACE
appliance resources to each context. You cannot modify the default resource class.
Because of the impact of resource class deletion on virtual contexts, we recommend that you view a
resource class’s current deployment before deleting it. See Viewing Resource Class Use on Virtual
Contexts, page 2-39.
Procedure
Step 1
Select Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes
table appears.
Step 2
Select the resource class you want to remove, then click Delete. A window appears, asking you to
confirm the deletion.
Step 3
Click OK to continue deleting the resource class, or click Cancel to keep the resource class.
The Resource Classes table refreshes with the updated information.
Related Topics
• Managing Resource Classes, page 2-33
• Adding Resource Classes, page 2-36
• Modifying Resource Classes, page 2-37
• Viewing Resource Class Use on Virtual Contexts, page 2-39
Viewing Resource Class Use on Virtual Contexts
Note
This functionality is available for only Admin contexts.
Use this procedure to view a list of all virtual contexts using a selected resource class.
Procedure
Step 1
Select Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes
table lists the number of virtual contexts using each resource class in the second column.
Step 2
Select the resource class whose usage you want to view, then click Virtual Contexts. The Virtual
Contexts Using Resource Class table appears, listing the associated contexts.
Step 3
Click Cancel to return to the Resource Classes table.
Related Topics
• Managing Resource Classes, page 2-33
• Adding Resource Classes, page 2-36
• Modifying Resource Classes, page 2-37
• Deleting Resource Classes, page 2-38
• Viewing Resource Class Use on Virtual Contexts, page 2-39
Using the Configuration Checkpoint and Rollback Service
At some point, you may want to modify your ACE running configuration. If you run into a problem with
the modified configuration, you may need to reboot your ACE. To prevent having to reboot your ACE
after unsuccessfully modifying a running configuration, you can create a checkpoint (a snapshot in time)
of a known stable running configuration before you begin to modify it. If you encounter a problem with
the modifications to the running configuration, you can roll back the configuration to the previous stable
configuration checkpoint.
Note
Before you upgrade your ACE software, we strongly recommend that you create a checkpoint in your
running configuration. For software release A4(1.0), use the backup function to create a backup of the
running configuration (see the “Performing Device Backup and Restore Functions” section on
page 2-43).
The ACE allows you to make a checkpoint configuration at the context level. The ACE stores the checkpoint for each context in a hidden directory in Flash memory. If you roll back to the checkpoint after making configuration changes that modify the current running configuration, the ACE reverts the running configuration to the checkpointed configuration.
This section includes the following topics:
• Creating a Configuration Checkpoint, page 2-40
• Deleting a Configuration Checkpoint, page 2-41
• Rolling Back a Running Configuration, page 2-42
• Displaying Checkpoint Information, page 2-42
Creating a Configuration Checkpoint
You can create a configuration checkpoint for a specific context. The ACE supports a maximum of
10 checkpoints for each context.
Assumption
This topic assumes the following:
• Make sure that the current running configuration is stable and is the configuration that you want to make as a checkpoint. If you change your mind after creating the checkpoint, you can delete it (see the “Deleting a Configuration Checkpoint” section on page 2-41).
• The ACE-Admin, DM-Admin, and Org-Admin predefined roles have access to the configuration checkpoint function.
• A custom role with the Device Manager Inventory and Virtual Context role tasks set to create or modify has the required privileges to create a configuration checkpoint.
• A checkpoint will not include the SSL keys/certificates, probe scripts, and licenses.
• Adding a checkpoint from an ACE context directly will not trigger an autosynchronization on the ACE appliance Device Manager for that context.
Procedure
Step 1
Choose Config > Virtual Contexts > admin context > System > Checkpoints.
The Checkpoints table appears.
For descriptions of the checkpoints, see Table 2-10.

Table 2-10 Checkpoints Table

Field: Description
Name: Unique identifier of the checkpoint.
Size (In Bytes): Size of the configuration checkpoint, shown in bytes.
Date (Created On): Date that the configuration checkpoint was created.

Step 2
In the Checkpoints table, click the Create Checkpoint button.
The Create Checkpoint dialog box appears.
Step 3
In the Checkpoint Name field of the Create Checkpoint dialog box, specify a unique identifier for the checkpoint.
Enter a text string with no spaces and a maximum of 25 alphanumeric characters.
If the checkpoint already exists, you are prompted to use a different name.
Step 4
Do one of the following:
• Click OK to save your configuration checkpoint. You return to the Checkpoints table and the new checkpoint appears in the table.
• Click Cancel to exit the procedure without saving the configuration checkpoint and to return to the Checkpoints table.
Deleting a Configuration Checkpoint
You can delete a checkpoint. Deleting a checkpoint from an ACE context directly will not trigger an autosynchronization to occur on the ACE appliance Device Manager for that context.
Prerequisite
Before you perform this procedure, make sure that you want to delete the checkpoint. Once you click
the Trash icon, the ACE removes the checkpoint from Flash memory.
Procedure
Step 1
To choose the virtual context for which you want to delete a configuration checkpoint, choose Config > Virtual Contexts > admin context > System > Checkpoints.
The Checkpoints table appears.
Step 2
In the Checkpoints table, choose the radio button to the left of any table entry, and click the Trash icon
to delete the checkpoint.
Rolling Back a Running Configuration
You can roll back the current running configuration of a context to the previously checkpointed running
configuration.
Procedure
Step 1
Choose Config > Virtual Contexts > admin context > System > Checkpoints.
The Checkpoints table appears.
Step 2
Choose the radio button to the left of the checkpoint that you wish to roll back, and click Rollback.
The ACE appliance Device Manager displays a confirmation popup window to warn you about this
change and to instruct you that the rollback operation may take longer depending on the differences
detected between the two configurations.
Note
The ACE appliance Device Manager synchronizes the device after performing a rollback. This synchronization may take some time.
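The three rules that govern checkpoints in the sections above (a unique name of at most 25 alphanumeric characters with no spaces, at most 10 checkpoints per context, and a snapshot that leaves out SSL keys and certificates, probe scripts and licenses) have a practical consequence for rollback: the items a checkpoint never captured are not touched when you roll back, so certificates installed after the checkpoint survive it. The Python below is an added example that models those rules and that rollback behaviour; it is not Cisco's code and does not describe how the ACE stores checkpoints in Flash. The CheckpointStore class, its method names, the configuration keys and the sample configurations are all constructed for the example.

```python
import copy
import json
import re
from datetime import datetime, timezone

MAX_CHECKPOINTS = 10  # per-context limit stated in the guide
# Create Checkpoint accepts up to 25 alphanumeric characters and no spaces.
NAME_RE = re.compile(r"^[A-Za-z0-9]{1,25}$")
# Items the guide says a checkpoint does not include (key names are this
# example's own); a rollback therefore leaves the context's current ones alone.
NOT_CHECKPOINTED = ("ssl_keys", "ssl_certs", "probe_scripts", "licenses")


class CheckpointStore:
    """Toy per-context checkpoint store (an assumed model, not ACE code)."""

    def __init__(self):
        self._store = {}  # context -> {name: (created_at, snapshot)}

    def create(self, context, name, running_config):
        """Snapshot the running configuration minus the excluded items."""
        if not NAME_RE.match(name):
            raise ValueError("name must be 1-25 alphanumeric characters with no spaces")
        checkpoints = self._store.setdefault(context, {})
        if name in checkpoints:
            raise ValueError(f"checkpoint {name!r} already exists; use a different name")
        if len(checkpoints) >= MAX_CHECKPOINTS:
            raise RuntimeError(f"context {context!r} already holds {MAX_CHECKPOINTS} checkpoints")
        snapshot = {k: copy.deepcopy(v) for k, v in running_config.items()
                    if k not in NOT_CHECKPOINTED}
        checkpoints[name] = (datetime.now(timezone.utc), snapshot)
        return snapshot

    def delete(self, context, name):
        """Remove a checkpoint; like the Trash icon, there is no undo."""
        del self._store[context][name]

    def table(self, context):
        """Rows matching the Checkpoints table: name, size in bytes, creation date."""
        rows = []
        for name, (created, snap) in self._store.get(context, {}).items():
            size = len(json.dumps(snap, sort_keys=True).encode())
            rows.append((name, size, created.date().isoformat()))
        return rows

    def rollback(self, context, name, running_config):
        """Return the configuration the context runs after the rollback: the
        checkpointed items replace the current ones, while keys, certificates,
        probe scripts and licenses stay exactly as the context has them now."""
        _, snap = self._store[context][name]
        restored = copy.deepcopy(snap)
        for key in NOT_CHECKPOINTED:
            if key in running_config:
                restored[key] = copy.deepcopy(running_config[key])
        return restored


def demo():
    """Constructed walk-through: checkpoint a stable config, change it, roll back."""
    store = CheckpointStore()
    stable = {"policy_map": ["L7-WEB"], "server_farms": ["SF1"],
              "ssl_certs": ["web-cert"], "licenses": ["ACE-AP-VIRT-020"]}
    store.create("VC1", "stableA4", stable)
    # The operator changes the policy and also installs a second certificate.
    modified = {"policy_map": ["L7-WEB", "L7-API"], "server_farms": ["SF1", "SF2"],
                "ssl_certs": ["web-cert", "api-cert"], "licenses": ["ACE-AP-VIRT-020"]}
    return store.rollback("VC1", "stableA4", modified)


if __name__ == "__main__":
    print(demo())
```

Running demo() returns the checkpointed policy map and server farms but both certificates, which is the point to remember before relying on a checkpoint as a recovery mechanism: the backup function described in Performing Device Backup and Restore Functions is what covers SSL files and licenses.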
Displaying Checkpoint Information
You can display checkpoint information.
Procedure
Step 1
Choose Config > Virtual Contexts > admin context > System > Checkpoints.
The Checkpoints table appears.
Step 2
In the Checkpoints table, choose the radio button to the left of the checkpoint that you want to display,
and click Details.
The ACE appliance Device Manager uses the ACE show checkpoint detail {name} CLI command to
display the running configuration of the specified checkpoint.
Step 3
Click Close to exit the dialog box and return to the Checkpoints table.
Performing Device Backup and Restore Functions
The backup and restore functions allow you to back up or restore the configuration and dependencies of
an entire ACE or of a particular virtual context. Configuration dependencies are those files that are
required to exist on the ACE so that a configuration can be applied to it. Such files include
health-monitoring scripts, SSL certificates, SSL keys, and so on. This feature allows you to back up and
restore the following configuration files and dependencies:
• Running-configuration files
• Startup-configuration files
• Checkpoints
• SSL files (SSL certificates and keys)
• Health-monitoring scripts
• Licenses
Note
The backup feature does not back up the sample SSL certificate and key pair files.
Typical uses for this feature are as follows:
• Back up a configuration for later use
• Recover a configuration that was lost because of a software failure or user error
• Restore configuration files to a new ACE when a hardware failure resulted in a Return Merchandise
Authorization (RMA) of the old ACE
• Transfer the configuration files to a different ACE
The backup and restore functions are supported in both the Admin and virtual contexts. If you perform
these functions in the Admin context, you can back up or restore the configuration files for either the
Admin context only or for all contexts in the ACE. If you perform these functions in a virtual context,
you can back up or restore the configuration files only for that context. Both the backup and the restore
functions run asynchronously (in the background).
Archive Naming Conventions
Context archive files have the following naming convention format:
Hostname_ctxname_timestamp.tgz
The filename fields are as follows:
– Hostname—Name of the ACE. If the hostname contains special characters, the ACE uses the
default hostname “switch” in the filename. For example, if the hostname is Active@~!#$%^,
then the ACE assigns the following filename: switch_Admin_2009_08_30_15_45_17.tgz
– ctxname—Name of the context. If the context name contains special characters, the ACE uses
the default context name “context” in the filename. For example, if the context name is
Test!123*, then the ACE assigns the following filename:
switch_context_2009_08_30_15_45_17.tgz
– timestamp—Date and time that the ACE created the file. The time stamp has the following 24-hour
format: YYYY_MM_DD_hh_mm_ss
An example is as follows:
ACE-1_ctx1_2009_05_06_15_24_57.tgz
If you back up the entire ACE, the archive filename does not include the ctxname field. So, the format
is as follows:
Hostname_timestamp.tgz
An example is as follows:
ACE-1_2009_05_06_15_24_57.tgz
Archive Directory Structure and Filenames
The ACE uses a flat directory structure for the backup archive. The ACE provides file extensions for the
individual files that it backs up so that you can identify the types of files easily when restoring an archive.
All files are stored in a single directory that is tarred and GZIPed as follows:
ACE-1_Ctx1_2009_05_06_07_24_57.tgz
ACE-1_Ctx1_2009_05_06_07_24_57\
context_name-running
context_name-startup
context_name-chkpt_name.chkpt
context_name-cert_name.cert
context_name-key_name.key
context_name-script_name.tcl
context_name-license_name.lic
Guidelines and Limitations
The backup and restore functions have the following configuration guidelines and limitations:
• Store the backup archive on disk0: in the context of the ACE where you intend to restore the files.
Use the Admin context for a full backup and the corresponding context for user contexts.
• When you back up the running-configuration file, the ACE uses the output of the show
running-configuration CLI command as the basis for the archive file.
• The ACE backs up only exportable certificates and keys.
• License files are backed up only when you back up the Admin context.
• Use a pass phrase to back up SSL keys in encrypted form. Remember the pass phrase or write it
down and store it in a safe location. When you restore the encrypted keys, the ACE prompts you for
the pass phrase to decrypt the keys. If you do not use a pass phrase when you back up the SSL keys,
the ACE restores the keys with AES-256 encryption using OpenSSL software.
• Only probe scripts that reside in disk0: need to be backed up. The prepackaged probe scripts in the
probe: directory are always available. When you perform a backup, the ACE automatically identifies
and backs up the scripts in disk0: that are required by the configuration.
• The ACE does not resolve any other dependencies required by the configuration during a backup
except for scripts that reside in disk0:. For example, if you configured SSL certificates in an SSL
proxy in the running-configuration file, but you later deleted the certificates, the backup proceeds
anyway as if the certificates still existed.
• To perform a restore operation, you must have the admin RBAC feature in your user role. DM-admin
and ORG-admin have access to this feature by default. Custom roles with the Device Manager
Inventory and Virtual Context role tasks set to create or modify can also access this feature.
• When you instruct the ACE to restore the archive for the entire ACE, it restores the Admin context
completely first, and then it restores the other contexts. The ACE restores all dependencies before
it restores the running configuration. The order in which the ACE restores dependencies is as
follows:
– License files
– SSL certificates and key files
– Health-monitoring scripts
– Checkpoints
– Startup-configuration file
– Running-configuration file
• When you restore the ACE, previously installed license files are uninstalled and the license files in
the backup file are installed in their place.
• In a redundant configuration, if the archive that you want to restore is different from the peer
configurations in the FT group, redundancy may not operate properly after the restore.
• You can restore a single context from a full backup archive provided that:
– You execute the restore operation in the context that you want to restore
– All file dependencies for the context exist in the full backup archive
• To enable the ACE Device Manager to synchronize the CLI after a successful restore, do not
navigate from the Backup / Restore page until the Latest Restore status changes from In Progress to
Success. If you navigate to another page before the restore process is complete, the CLI will not
synchronize until you return to the Backup / Restore page or until the automatic or manual CLI
synchronization occurs.
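The archive naming convention and the member-file suffixes described above, together with the restore order listed in these guidelines, are small enough to model in code. The following is an added example written for this guide, not Cisco's code and not the ACE's own implementation: it builds archive names the way the "Archive Naming Conventions" section describes (including the "switch" and "context" fallbacks), parses them back so a restore job can tell a full backup from a single-context backup before it starts, and sorts archive members into the dependency order the ACE restores them in. Two assumptions are not stated on the page and are marked in the code: a "special character" is taken to be anything other than a letter, digit or hyphen, and a hostname is assumed never to contain an underscore (otherwise the ctxname field could not be parsed back out of the filename). All sample hostnames, context names and member names are constructed; those that echo the page's examples are reused deliberately.

```python
"""Model of the ACE backup-archive naming and restore-order rules on this page.

Added example, not Cisco's code. Assumptions (not stated on the page) are
marked inline: which characters count as "special", and that a hostname
never contains an underscore (so the ctxname field can be parsed back out).
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Assumption: a "special character" is anything other than a letter, digit or
# hyphen. Names such as ACE-1 and ctx1 pass unchanged.
_PLAIN_NAME = re.compile(r"^[A-Za-z0-9-]+$")
_TIMESTAMP_FMT = "%Y_%m_%d_%H_%M_%S"          # 24-hour YYYY_MM_DD_hh_mm_ss
_ARCHIVE_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9-]+)"
    r"(?:_(?P<ctx>[A-Za-z0-9-]+))?"             # absent for a full (all-context) backup
    r"_(?P<ts>\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2})\.tgz$"
)


def archive_name(hostname: str, created: datetime, ctxname: Optional[str] = None) -> str:
    """Hostname_ctxname_timestamp.tgz for a context backup, Hostname_timestamp.tgz
    for a full backup. Names with special characters fall back to the defaults
    "switch" and "context" as the page describes."""
    host = hostname if _PLAIN_NAME.match(hostname) else "switch"
    stamp = created.strftime(_TIMESTAMP_FMT)
    if ctxname is None:
        return f"{host}_{stamp}.tgz"
    ctx = ctxname if _PLAIN_NAME.match(ctxname) else "context"
    return f"{host}_{ctx}_{stamp}.tgz"


class ArchiveInfo(NamedTuple):
    hostname: str
    ctxname: Optional[str]      # None means a full backup of the whole ACE
    created: datetime


def parse_archive_name(filename: str) -> ArchiveInfo:
    """Inverse of archive_name(); lets a restore job check that the archive it
    was handed is the kind (full vs. single context) the operator expects."""
    m = _ARCHIVE_RE.match(filename)
    if not m:
        raise ValueError(f"not an ACE backup archive name: {filename}")
    return ArchiveInfo(m["host"], m["ctx"], datetime.strptime(m["ts"], _TIMESTAMP_FMT))


# Member-name suffixes inside the archive (from "Archive Directory Structure and
# Filenames") mapped to the restore phase listed under "Guidelines and
# Limitations": licenses, then SSL certificates and keys, then scripts, then
# checkpoints, then the startup-config, then the running-config.
_RESTORE_PHASE: Dict[str, int] = {
    ".lic": 0, ".cert": 1, ".key": 1, ".tcl": 2, ".chkpt": 3, "-startup": 4, "-running": 5,
}


def restore_phase(member: str) -> int:
    """Phase number for one archive member; unknown members are rejected rather
    than silently restored last."""
    for suffix, phase in _RESTORE_PHASE.items():
        if member.endswith(suffix):
            return phase
    raise ValueError(f"unrecognised archive member: {member}")


def restore_order(members: List[str]) -> List[str]:
    """Return the members in the order the ACE restores them. The sort is stable,
    so members within one phase keep the order they were listed in."""
    return sorted(members, key=restore_phase)


if __name__ == "__main__":
    # Constructed sample values; the names echo the examples on the page.
    when = datetime(2009, 5, 6, 15, 24, 57)
    print(archive_name("ACE-1", when, "ctx1"))     # ACE-1_ctx1_2009_05_06_15_24_57.tgz
    print(archive_name("ACE-1", when))             # ACE-1_2009_05_06_15_24_57.tgz
    print(archive_name("Active@~!#$%^", when, "Test!123*"))   # switch_context_...
    print(parse_archive_name("ACE-1_2009_05_06_15_24_57.tgz").ctxname)   # None
    sample = ["ctx1-running", "ctx1-startup", "ctx1-web.cert", "ctx1-web.key",
              "ctx1-probe1.tcl", "ctx1-base.chkpt", "ctx1-lic1.lic"]
    print(restore_order(sample))
```

Because the parser refuses names it cannot account for and the phase lookup refuses members it does not recognise, a restore job built on these helpers fails before touching the context rather than part-way through; that matches the guideline above that a single-context restore from a full archive only works when every dependency for that context is present in the archive.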
Defaults
Table 2-11 lists the default settings for the backup and restore function parameters.
Table 2-11 Default Backup and Restore Parameters
Parameter | Default
Backed up files | By default the ACE backs up the following files in the current context:
  • Running-configuration file
  • Startup-configuration file
  • Checkpoints
  • SSL certificates
  • SSL keys
  • Health-monitoring scripts
  • Licenses
SSL key restore encryption | None
This section includes the following topics:
• Backing Up Device Configuration and Dependencies, page 2-46
• Restoring Device Configuration and Dependencies, page 2-49
Backing Up Device Configuration and Dependencies
You can create a backup of an ACE configuration and its dependencies.
Note
When you perform the backup process from the Admin context, you can either back up the Admin
context files only or you can back up the Admin context and all user contexts. When you back up from
a user context, you back up the current context files only and cannot back up the ACE licenses.
Note
If your web browser supports the Remember Passwords option and you enable this option, the web
browser may fill in the Username and Password fields for user authentication. By default, these fields
should be empty. You can change the username and password fields from whatever the web browser
inserts into the two fields.
Procedure
Step 1
Choose Config > Virtual Contexts > System > Backup / Restore.
The Backup / Restore table appears and displays the latest backup and restore statistics.
Note
To refresh the table content at any time, click Poll Now.
Note
When you choose the Backup / Restore operation, the Appliance Device Manager must poll a
context if that context has not been accessed previously for this operation. The polling operation,
which is necessary to obtain the latest backup and restore information, can cause a delay in the
display time of the Backup / Restore table.
The Backup / Restore fields are described in Table 2-12.
Table 2-12 Backup / Restore Fields
Field | Description
Latest Backup
Backup Archive | Name of the last *.tgz file created that contains the backup files.
Type | Type of backup: Context or Full (all contexts).
Start-time | Date and time that the last backup began.
Finished-time | Date and time that the last backup ended.
Status | Status of the last context to be backed up: Success, In Progress, or Failed. Click the status link to view status details.
Current vc | Name of the last context in the backup process.
Completed | Number of context backups completed compared to the total number of context backup requests. For example:
  • 2/2 = Two context backups completed/Two context backups requested
  • 0/1 = No context backup completed/One context backup requested
Table 2-12 Backup / Restore Fields (continued)
Field | Description
Latest Restore
Backup Archive | Name of the *.tgz file used during the restore process.
Type | Type of restore: Context or Full (all contexts).
Start-time | Date and time that the last restore began.
Finished-time | Date and time that the last restore ended.
Status | Status of the last restore: Success, In Progress, or Failed. Click the status to view status details.
Current vc | Name of the last context in the restore process.
Completed | Number of context restores completed compared to the total number of context restore requests. For example:
  • 2/2 = Two context restores completed/Two context restores requested
  • 0/1 = No context restore completed/One context restore requested
Step 2
Click Backup.
The Backup window appears.
Step 3
In the Backup window, click the radio button of the location where the ACE is to save the backup files:
• Backup config on ACE (disk0:)—This is the default. Go to Step 9.
• Backup config on ACE (disk0:) and then copy to remote system—The Remote System attributes
step appears. Go to Step 4.
Step 4
Click the radio button of the transfer protocol to use:
• FTP—File Transfer Protocol
• SFTP—Secure File Transfer Protocol
• TFTP—Trivial File Transfer Protocol
Step 5
In the Username field, enter the username that the remote server requires for user authentication.
This field appears for FTP and SFTP only.
Step 6
In the Password field, enter the password that the remote server requires for user authentication.
This field appears for FTP and SFTP only.
Step 7
In the IP Address field, enter the IP address of the remote server.
Step 8
In the Backup File Path in Remote System field, enter the full path for the remote server.
Step 9
Check the Backup All Contexts checkbox if you want the ACE to create a backup that contains the files
of the Admin context and every user context or uncheck the check box to create a backup of the Admin
context files only.
This field appears for the Admin context only.
Step 10
Indicate the components to exclude from the backup process: Checkpoints or SSL Files.
To exclude a component, double-click on it in the Available box to move it to the Selected box. You can
also use the right and left arrows to move selected items between the two boxes.
Caution
If you exclude the SSL Files component and then restore the ACE using this archived backup,
these files are removed from the ACE. To save these files prior to performing a restore with
this backup, use the crypto export CLI command to export the keys to a remote server and
use the copy CLI command to copy the license files to disk0: as .tar files.
Step 11
In the Pass Phrase field, enter the pass phrase that you specify to encrypt the backed up SSL keys.
Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric
characters. If you enter a pass phrase but exclude the SSL files from the archive, the ACE does not use
the pass phrase.
Step 12
Click OK to begin the backup process.
The following actions occur depending on where the ACE Device Manager saves the files:
• disk0: only—The Device Manager permits continued GUI functionality during the backup process
and polls the ACE for the backup status, which it displays on the Backup / Restore page.
• disk0: and a remote server—The Device Manager suspends GUI operation and displays a “Please
Wait” message in the Backup dialog box until the process is complete. During this process, the ACE
Device Manager instructs the ACE to create and save the backup file locally to disk0: and then place
a copy of the file on the specified remote server.
Step 13
In the Backup / Restore page, click Poll Now to ensure that the latest backup statistics are displayed, and
then click on the Status link (Success, In Progress, or Failed) located in the Latest Backup column to
view details of the backup operation.
If the backup status is either Success or In Progress, then the Show Backup Status Detail pop-up window
appears and displays a list of the files successfully backed up. When the backup status is In Progress, the
ACE Device Manager polls the ACE every 2 minutes to retrieve the latest status information and then it
automatically updates the status information displayed. The polling continues until the ACE Device
Manager receives a status of either Success or Failed. If the backup status is Failed, then the Show
Backup Errors popup window appears, displaying the reason for the failed backup attempt.
Related Topics
• Restoring Device Configuration and Dependencies, page 2-49
Restoring Device Configuration and Dependencies
You can restore an ACE configuration and its dependencies using a backup file.
Caution
The restore operation clears any existing SSL certificate and key-pair files, license files, and checkpoints
in a context before it restores the backup archive file. If your configuration includes SSL files or
checkpoints and you excluded them when you created the backup archive, those files will no longer exist
in the context after you restore the backup archive. To preserve any existing exportable SSL certificate
and key files in the context, before you execute the restore operation, export the certificates and keys that
you want to keep to an FTP, SFTP, or TFTP server by using the CLI and the crypto export command.
After you restore the archive, import the SSL files into the context. For details on exporting and
importing SSL certificate and key pair files using the CLI, see the Cisco 4700 Series Application Control
Engine Appliance SSL Configuration Guide.
You can also use the exclude option of the restore command to instruct the ACE not to clear the SSL files
in disk0: and to ignore the SSL files in the backup archive when the ACE restores the backup.
Note
If your web browser supports the Remember Passwords option and you enable this option, the web
browser may fill in the Username and Password fields for user authentication. By default, these fields
should be empty. You can change the username and password fields from whatever the web browser
inserts into the two fields.
Prerequisites
If you are going to restore the Admin context files plus all user context files, use a backup file that was
created from the Admin context with the Backup All Contexts checkbox checked (see the “Backing Up
Device Configuration and Dependencies” section on page 2-46).
Procedure
Step 1
Choose Config > Virtual Contexts > System > Backup / Restore.
The Backup / Restore table appears.
Note
To refresh the table content at any time, click Poll Now.
Note
When you perform the restore process from the Admin context, you can either restore the Admin
context files only or you can restore the Admin context files plus all user context files. When
you perform the restore process from a user context, you can restore the current context files
only.
The Backup / Restore fields are described in Table 2-12.
Step 2
Click Restore.
The Restore window appears.
Note
The display of the Restore window may be delayed because the Device Manager is retrieving the
list of the disk0: archive (*.tgz) files.
Step 3
In the Restore window, click the desired radio button to specify the location where the backup files are
saved:
• Choose a backup file on the ACE (disk0:)—This is the default. Go to Step 9.
• Choose a backup file from remote system—The Remote System attributes step appears. Go to
Step 4.
Step 4
Click the radio button of the transfer protocol to use:
• FTP—File Transfer Protocol
• SFTP—Secure File Transfer Protocol
• TFTP—Trivial File Transfer Protocol
Step 5
In the Username field, enter the username that the remote file system requires for user authentication.
This field appears for FTP and SFTP only.
Step 6
In the Password field, enter the password that the remote file system requires for user authentication.
This field appears for FTP and SFTP only.
Step 7
In the IP Address field, enter the IP address of the remote server.
Step 8
In the Backup File Path in Remote System field, enter the full path of the backup file, including the
backup filename, to be copied from the remote server.
Step 9
Check the Restore All Contexts checkbox if you want the ACE to restore the files for every context or
uncheck the checkbox to restore the Admin context files only.
This field appears for the Admin context only.
Step 10
Check the Exclude SSL Files checkbox if you want to preserve the SSL files currently loaded on the
ACE and not use the backup file’s SSL files.
Caution
The restore function deletes all SSL files currently loaded on the ACE unless you check the
Exclude SSL Files option. If you do not check this option, the restore function loads the SSL
files included in the backup file. If the backup file does not include SSL files, the ACE will
not have any SSL files loaded on it when the restore process is complete. You will then need
to import copies of the SSL files from a remote server.
Step 11
In the Pass Phrase field, enter the pass phrase that is used to encrypt the backed up SSL keys in the
archive.
Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric
characters. The Pass Phrase field does not appear when you check the Exclude SSL Files checkbox.
Step 12
Click OK to begin the restore process.
The following actions occur depending on where the ACE Device Manager retrieves the backup files:
• disk0: only—The ACE Device Manager permits continued GUI functionality during the restore
process and polls the ACE for the backup status, which it displays on the Backup / Restore page.
• disk0: and a remote server—The ACE Device Manager suspends GUI operation and displays a
“Please Wait” message in the Restore dialog box until the process is complete. During this process,
the ACE Device Manager instructs the ACE to copy the backup file from the specified remote server
to disk0: on the ACE and then apply the backup file to the context.
Note
To enable the Device Manager to synchronize the CLI after a successful restore, do not navigate
from the Backup / Restore window until the Latest Restore status changes from In Progress to
Success. If you navigate to another window before the restore process is complete, the CLI will
not synchronize until you return to the Backup / Restore window or until the automatic or manual
CLI synchronization occurs.
Step 13
In the Backup / Restore page, click Poll Now to ensure that the latest restore statistics are displayed, then
click on the Status link (Success, In Progress, or Failed) located in the Latest Backup column to view
details of the restore operation.
If the restore status is either Success or In Progress, then the Show Restore Status Detail popup window
appears and displays a list of the files successfully restored. When the restore status is In Progress, the
ACE Device Manager polls the ACE every 2 minutes to retrieve the latest status information and then it
automatically updates the status information displayed. The polling continues until the ACE Device
Manager receives a status of either Success or Failed. If the restore status is Failed, then the Show
Restored Errors popup window appears, displaying the reason for the failed restore attempt.
Related Topics
• Performing Device Backup and Restore Functions, page 2-43
Configuring Security with ACLs
An ACL (access control list) consists of a series of statements called ACL entries that collectively define
the network traffic profile. Each entry permits or denies network traffic (inbound and outbound) to the
parts of your network specified in the entry. Besides an action element (“permit” or “deny”), each entry
also contains a filter element based on criteria such as source address, destination address, protocol, or
protocol-specific parameters. An implicit “deny all” entry exists at the end of every ACL, so you must
configure an ACL on every interface where you want to permit connections. Otherwise, the ACE denies
all traffic on the interface.
ACLs provide basic security for your network by allowing you to control network connection setups
rather than processing each packet. Such ACLs are commonly referred to as security ACLs.
You can configure ACLs as parts of other features; for example, security, network address translation
(NAT), or server load balancing (SLB). The ACE merges these individual ACLs into one large ACL
called a merged ACL. The ACL compiler then parses the merged ACL and generates the ACL lookup
mechanisms. A match on this merged ACL can result in multiple actions. You can add, modify, or delete
entries in an ACL already in the summary table, or add a new ACL to the list.
When you use ACLs, you may want to permit all e-mail traffic on a circuit, but block FTP traffic. You
can also use ACLs to allow one client to access a part of the network and prevent another client from
accessing that same area.
When configuring ACLs, you must apply an ACL to an interface to control traffic on that interface.
Applying an ACL on an interface assigns the ACL and its entries to that interface.
You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can
also apply the same ACL on multiple interfaces. You can apply EtherType ACLs in only the inbound
direction and on only Layer 2 interfaces.
Note
By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly
allowed in an ACL can pass. All other traffic is denied.
For specific procedures, see:
• Creating ACLs, page 2-52
• Setting EtherType ACL Attributes, page 2-58
• Setting Extended ACL Attributes, page 2-54
• Resequencing Extended ACLs, page 2-58
• Viewing All ACLs by Context, page 2-60
• Editing or Deleting ACLs, page 2-60
Creating ACLs
Note
By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly
allowed in an ACL can pass. All other traffic is denied.
Use this procedure to create, modify, or delete ACLs.
Procedure
Step 1
Select Config > Virtual Contexts > context > Security > ACLs. The ACL summary table appears,
listing the existing ACLs. ACL summary fields are described in Table 2-13.
Table 2-13 ACL Summary Table
Field | Description
Name | Enter a unique identifier for the ACL. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.
Type | Specifies the type of ACL:
  • Extended—allows you to specify both the source and the destination IP addresses of traffic as well as the protocol and the action to be taken. For more information see “Setting Extended ACL Attributes”.
  • Ethertype—This ACL controls network access for non-IP traffic based on its EtherType. An EtherType is a sub-protocol identifier. For more information see “Setting EtherType ACL Attributes”.
Line Number | ACL line number for extended type ACL entries.
Action | Action to be taken (permit/deny).
Protocol | Protocol number or service object group to apply to this ACL entry.
Table 2-13 ACL Summary Table (continued)
Field | Description
Source | Source IP address (and source netmask with port number if configured for extended type ACL) or source network object group if configured that is being applied to this ACL entry.
Destination | Destination IP address (and destination netmask with port number if configured for extended type ACL) or destination network object group if configured that is applied to this ACL entry.
ICMP | Indicates whether or not this ACL uses ICMP (Internet Control Message Protocol). For more information, see “Protocol Names and Numbers”.
Interface(s) | VLAN interface(s) that is/are associated with this ACL, for example <4,5:4> where < denotes the input direction and > denotes the output direction.
Remark | Enter any comments you want to include for this ACL. Valid entries are unquoted text strings with a maximum of 100 characters. You can enter leading spaces at the beginning of the text or special characters. Trailing spaces are ignored.
Step 2
From the summary table, perform one of the following:
• To view full details of an ACL inline, click the plus sign to the left of any table entry.
• To create an ACL, click the Add icon.
• To modify an ACL, select the radio button to the left of any table entry, then click the Edit icon.
• To delete an ACL, select the radio button to the left of any table entry, then click the Delete icon.
If you choose create, the New Access List screen appears.
If you choose modify, the Edit ACL or Edit ACL entry screen appears based on the selected radio button
to the left of any table entry.
Step 3
Add or edit required fields as described in Table 2-14.
Table 2-14 ACL Configuration Attributes
Field | Description
ACL Properties | Includes name, type (Extended, Ethertype), remarks. For more information see “ACL Summary Table”.
ACL Entries
Entry Attributes | Includes line number, action and protocol/service object group drop down descriptor menu.
Source | Source IP address (and source netmask with port number if configured for extended type ACL) or source network object group if configured that is being applied to this ACL entry.
Destination | Destination IP address (and destination netmask with port number if configured for extended type ACL) or destination network object group if configured that is applied to this ACL entry.
Add To Table button | Used to add multiple ACL entries, adding one at a time using this button, before clicking Deploy. In the past only one entry could be added at a time in a two-step process hopping between two different locations in the UI.
Table 2-14 ACL Configuration Attributes (continued)
Field | Description
Remove From Table button | Used to remove multiple ACL entries, removing one at a time using this button, before clicking Deploy.
Interfaces | Allows you to associate the ACL with one or more interfaces, allowing only one input and one output ACL for each interface. The top left checkbox under the Interfaces section allows you to select and apply to all interfaces “access-group input.”
  • Currently Assigned (ACL:Direction)
  • Input/Output Direction
Deploy button | Allows deployment of newly created ACL entries along with VLAN interface assignments that were configured.
Cancel button | Exits without saving your entries.
Note
To add, modify, or delete Object Groups go to the “Configuring Object Groups” section on
page 2-61.
Step 4
Click:
• Deploy to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the ACLs table.
Related Topics
• Configuring Security with ACLs, page 2-51
• Setting EtherType ACL Attributes, page 2-58
• Setting Extended ACL Attributes, page 2-54
• Resequencing Extended ACLs, page 2-58
• Editing or Deleting ACLs, page 2-60
Setting Extended ACL Attributes
Note
By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly
allowed in an ACL can pass. All other traffic is denied.
An extended ACL allows you to specify both the source and the destination IP addresses of traffic as
well as the protocol and the action to be taken.
For TCP, UDP, and ICMP connections, you do not need to also apply an ACL on the destination interface
to allow returning traffic, because the ACE allows all returning traffic for established connections.
Note
The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the
destination address as any and do not specify the ports in an extended ACL.
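The lookup behaviour that the "Configuring Security with ACLs" introduction and this section describe (entries consulted in line-number order, the first match deciding permit or deny, and the implicit "deny all" at the end of every ACL) can be shown with a small evaluator. The following is an added example written for this guide, not Cisco's code and not the ACE's merged-ACL compiler or lookup structures: it models extended ACL entries with a line number, action, protocol, source and destination network, and the Source/Destination Port Operator choices listed in Table 2-15 (Equal To, Greater Than, Less Than, Not Equal To, Range), then evaluates constructed packets against a constructed three-entry ACL that follows the introduction's scenario of permitting e-mail, blocking FTP and letting one client subnet through. The third entry has destination any and no ports, which is the "standard ACL" form the Note above describes. The class and function names, addresses and port numbers are all constructed for the example.

```python
"""First-match evaluation of ACE-style extended ACL entries.

Added example, not Cisco's code. It models only the entry semantics this
section describes (line-number order, permit/deny, source/destination
network, protocol, port operators, implicit deny-all); the ACE's merged ACL
and compiler are not modelled. All addresses and entries are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PortMatch:
    """One of the Source/Destination Port Operator choices from Table 2-15."""
    op: str = "any"       # any | eq | gt | lt | neq | range
    port: int = 0         # the compared port; the lower port for "range"
    upper: int = 0        # upper port, used only by "range"

    def matches(self, p: int) -> bool:
        if self.op == "any":
            return True
        if self.op == "eq":
            return p == self.port
        if self.op == "gt":
            return p > self.port
        if self.op == "lt":
            return p < self.port
        if self.op == "neq":
            return p != self.port
        if self.op == "range":
            return self.port <= p <= self.upper
        raise ValueError(f"unknown port operator {self.op!r}")


def net(spec: str):
    """'any', 'a.b.c.d/nn' or 'a.b.c.d m.m.m.m' (address plus netmask, the form
    the GUI's IP/Netmask field takes) -> network object."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec.replace(" ", "/"), strict=False)


@dataclass(frozen=True)
class Entry:
    line: int             # Line Number: decides lookup order
    action: str           # "permit" or "deny"
    protocol: str         # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: PortMatch = PortMatch()
    dst_port: PortMatch = PortMatch()
    remark: str = ""


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, line) of the first entry that matches, walking the entries
    in line-number order. If nothing matches, the implicit "deny all" at the end
    of every ACL applies and the returned line is None."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in sorted(acl, key=lambda e: e.line):
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if not (e.src_port.matches(pkt.sport) and e.dst_port.matches(pkt.dport)):
            continue
        return e.action, e.line
    return "deny", None


# Constructed ACL echoing the text's scenario: permit e-mail, block FTP, and let
# one client subnet reach everything else. Line 30 is the "standard ACL" form:
# destination any, no ports.
SAMPLE_ACL = [
    Entry(10, "permit", "tcp", net("any"), net("any"), dst_port=PortMatch("eq", 25), remark="SMTP"),
    Entry(20, "deny", "tcp", net("any"), net("any"), dst_port=PortMatch("range", 20, 21), remark="FTP"),
    Entry(30, "permit", "ip", net("192.168.1.0 255.255.255.0"), net("any"), remark="trusted client LAN"),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "172.16.0.5", "10.1.1.10", 40000, 25),
                Packet("tcp", "192.168.1.7", "10.1.1.10", 40000, 21),
                Packet("udp", "192.168.1.7", "10.1.1.10", 40000, 53),
                Packet("udp", "172.16.0.5", "10.1.1.10", 40000, 53)):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
    print("empty ACL ->", evaluate([], Packet("icmp", "10.0.0.1", "10.0.0.2")))
```

The second sample packet is the instructive one: the trusted subnet's FTP attempt is denied by line 20 even though line 30 would permit it, because lookup stops at the first match. That is why the Line Number field in Table 2-15 matters and why resequencing entries can change what an ACL allows. The empty-ACL case shows the implicit deny that the introduction warns about: an interface with no permitting entry passes nothing.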
Procedure
Step 1
Select Config > Virtual Contexts > context > Security > ACLs. The ACLs table appears, listing the
existing ACLs.
Step 2
Click Add. The New Access List configuration screen appears.
Step 3
Enter the ACL name in the ACL Properties pane and choose the type as Extended.
Step 4
Configure extended ACL entries using the information in Table 2-15.
Table 2-15 Extended ACL Configuration Options
Field | Description
Entry Attributes
Line Number | Enter a number that specifies the position of this entry in the ACL. The position of an entry affects the lookup order of the entries in an ACL. To change the sequence of existing extended ACLs, see Resequencing Extended ACLs, page 2-58.
Action | Action to be taken (permit/deny).
Service Object Group | Select a service object group to apply to this ACL.
Protocol | Select the protocol or protocol number to apply to this ACL entry. Table 2-16 lists common protocol names and numbers.
Source
Source Network | Defines the network traffic being received from the source network to the ACE:
  • Any—Select the Any radio button to indicate that network traffic from any source is allowed.
  • IP/Netmask—Use this field to limit access to a specific source IP address. Enter the source IP address that is allowed for this ACL. Enter a specific source IP address and select its subnet mask.
  • Network Object Group—Select a source network object group to apply to this ACL.
Source Port Operator | This field appears if you select TCP or UDP in the Protocol field. Select the operand to use to compare source port numbers:
  • Equal To—The source port must be the same as the number in the Source Port Number field.
  • Greater Than—The source port must be greater than the number in the Source Port Number field.
  • Less Than—The source port must be less than the number in the Source Port Number field.
  • Not Equal To—The source port must not equal the number in the Source Port Number field.
  • Range—The source port must be within the range of ports specified by the Lower Source Port Number field and the Upper Source Port Number field.
Source Port Number | This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Source Port Operator field. Enter the port name or number from which you want to permit or deny access.
Cisco 4700 Series Application Control Engine Appliance Device Manager Configuration Guide
OL-23543-01
2-55
Chapter 2
Configuring Virtual Contexts
Configuring Security with ACLs
Table 2-15
Extended ACL Configuration Options (continued)
Field
Description
Lower Source Port Number
This field appears if you select Range in the Source Port Operator field.
Enter the number of the lowest port from which you want to permit or deny access. Valid
entries are integers from 0 to 65535. The number in this field must be less than the number
entered in the Upper Source Port Number field.
Upper Source Port Number
This field appears if you select Range in the Source Port Operator field.
Enter the port number of the upper port from which you want to permit or deny access. Valid
entries are integers from 0 to 65535. The number in this field must be greater than the number
entered in the Lower Source Port Number field.
Destination
Destination Network
Destination Port Operator
Defines the network traffic being transmitted to the destination network from the ACE:
•
Any—Select the Any radio button to indicate that network traffic to any destination is
allowed.
•
IP/Netmask—Use this field to limit access to a specific destination IP address. Enter the
source IP address that is allowed for this ACL. Enter a specific destination IP address and
select its subnet mask.
•
Network Object Group—Select a destination network object group to apply to this ACL.
This field appears if you select TCP or UPD in the Protocol field.
Select the operand to use to compare destination port numbers:
Destination Port Number
•
Equal To—The destination port must be the same as the number in the Destination Port
Number field.
•
Greater Than—The destination port must be greater than the number in the Destination
Port Number field.
•
Less Than—The destination port must be less than the number in the Destination Port
Number field.
•
Not Equal To—The destination port must not equal the number in the Destination Port
Number field.
•
Range—The destination port must be within the range of ports specified by the Lower
Destination Port Number field and the Upper Destination Port Number field.
This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the
Destination Port Operator field.
Enter the port name or number from which you want to permit or deny access.
Lower Destination Port
Number
This field appears if you select Range in the Destination Port Operator field.
Upper Destination Port
Number
This field appears if you select Range in the Destination Port Operator field.
Enter the number of the lowest port to which you want to permit or deny access. Valid entries
are integers from 0 to 65535. The number in this field must be less than the number entered
in the Upper Destination Port Number field.
Enter the port number of the upper port to which you want to permit or deny access. Valid
entries are integers from 0 to 65535. The number in this field must be greater than the number
entered in the Lower Destination Port Number field.
Table 2-16
Protocol Names and Numbers
Protocol Name (1)   Protocol Number   Description
AH                  51                Authentication Header
EIGRP               88                Enhanced IGRP
ESP                 50                Encapsulated Security Payload
GRE                 47                Generic Routing Encapsulation
ICMP                1                 Internet Control Message Protocol
IGMP                2                 Internet Group Management Protocol
IP                  0                 Internet Protocol
IP-In-IP            4                 IP-in-IP Layer 3 Tunneling Protocol
OSPF                89                Open Shortest Path First
PIM                 103               Protocol Independent Multicast
TCP                 6                 Transmission Control Protocol
UDP                 17                User Datagram Protocol
1. For a complete list of all protocols and their numbers, see the Internet Assigned Numbers Authority available at www.iana.org/numbers/.
Step 5
Click Add To Table if you want to add one or more ACL entries to the table. See Step 4 for information on configuring the extended ACL entries.
Step 6
Associate any VLAN interface to this ACL if required and click:
• Deploy to immediately deploy this configuration.
• Cancel to exit without saving your entries and to return to the ACL Summary table.
Related Topics
• Configuring Security with ACLs, page 2-51
• Creating ACLs, page 2-52
• Setting EtherType ACL Attributes, page 2-58
• Resequencing Extended ACLs, page 2-58
• Editing or Deleting ACLs, page 2-60
Resequencing Extended ACLs
Use this procedure to change the sequence of entries in an Extended ACL. EtherType ACL entries cannot be resequenced.
Procedure
Step 1
Select Config > Virtual Contexts > context > Security > ACLs. The ACLs table appears, listing the existing ACLs.
Step 2
Select the Extended ACL you want to renumber, then click the Resequence icon appearing to the left of the filter field. The ACL Line Number Resequence window appears.
Step 3
In the Start field, enter the number that is to be assigned to the first entry in the ACL. Valid entries are 1 to 2147483647.
Step 4
In the Increment field, enter the number that is to be added to each entry in the ACL after the first entry. Valid entries are integers from 1 to 2147483647.
Step 5
Click:
• Resequence to save your entries and to return to the ACLs table.
• Cancel to exit this procedure without saving your entries and to return to the ACLs table.
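The extended ACL behaviour that Table 2-15, the default-deny note, and the Start and Increment fields above describe, as an added runnable model; this is example code written for the reader, not part of the ACE software or the Device Manager. It assumes a network object group can be represented as a plain list of host addresses and subnets, and treats protocol "ip" as matching any IP protocol (the usual Cisco ACL meaning, not stated on this page).

```python
"""Model of the extended-ACL behaviour this section describes: entries are checked
in line-number order, the first match decides, unmatched traffic is denied (the ACE
default), TCP/UDP entries may carry port operators (Equal To, Greater Than, Less
Than, Not Equal To, Range with lower < upper), and an ACL can be resequenced."""
from collections import namedtuple
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol names and numbers from Table 2-16.
PROTOCOL_NUMBERS = {"ah": 51, "eigrp": 88, "esp": 50, "gre": 47, "icmp": 1, "igmp": 2,
                    "ip": 0, "ip-in-ip": 4, "ospf": 89, "pim": 103, "tcp": 6, "udp": 17}
MAX_LINE_NUMBER = 2147483647  # upper bound for the Start and Increment fields

# Constructed packet record: IP protocol number, addresses and (for TCP/UDP) ports.
Packet = namedtuple("Packet", "protocol src dst sport dport", defaults=(0, 0))


@dataclass(frozen=True)
class PortMatch:
    """One port operator field: eq/gt/lt/neq compare with .port; range uses lower/upper."""
    operator: str
    port: Optional[int] = None
    lower: Optional[int] = None
    upper: Optional[int] = None

    def __post_init__(self) -> None:
        if self.operator == "range":
            # Both ends 0-65535 and, as the Range fields require, lower strictly below upper.
            if None in (self.lower, self.upper) or not 0 <= self.lower < self.upper <= 65535:
                raise ValueError("range needs 0 <= lower < upper <= 65535")
        elif self.operator in ("eq", "gt", "lt", "neq"):
            if self.port is None or not 0 <= self.port <= 65535:
                raise ValueError(f"{self.operator} needs a port number 0-65535")
        else:
            raise ValueError(f"unknown operator {self.operator!r}")

    def matches(self, port: int) -> bool:
        if self.operator == "range":
            return self.lower <= port <= self.upper
        return {"eq": port == self.port, "gt": port > self.port,
                "lt": port < self.port, "neq": port != self.port}[self.operator]


def _net_matches(spec, addr: str) -> bool:
    """spec is 'any', one 'IP/netmask' string, or a list of host IPs and subnets that
    stands in for a network object group (assumed representation)."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False)
               for n in (spec if isinstance(spec, list) else [spec]))


@dataclass
class AclEntry:
    line: int
    action: str  # "permit" or "deny"
    protocol: str  # a name from Table 2-16
    source: object = "any"
    destination: object = "any"
    src_port: Optional[PortMatch] = None
    dst_port: Optional[PortMatch] = None

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny") or self.protocol not in PROTOCOL_NUMBERS:
            raise ValueError("action must be permit/deny and protocol a Table 2-16 name")
        # The GUI shows the port operator fields only for TCP and UDP entries.
        if self.protocol not in ("tcp", "udp") and (self.src_port or self.dst_port):
            raise ValueError("port operators apply only to TCP and UDP entries")

    def matches(self, pkt: Packet) -> bool:
        # Assumption (not stated on this page): protocol "ip" matches every IP protocol.
        if self.protocol != "ip" and PROTOCOL_NUMBERS[self.protocol] != pkt.protocol:
            return False
        return (_net_matches(self.source, pkt.src) and _net_matches(self.destination, pkt.dst)
                and (self.src_port is None or self.src_port.matches(pkt.sport))
                and (self.dst_port is None or self.dst_port.matches(pkt.dport)))


class ExtendedAcl:
    def __init__(self, entries) -> None:
        self.entries = sorted(entries, key=lambda e: e.line)  # lookup order = line order

    def evaluate(self, pkt: Packet):
        """Return (action, line) of the first matching entry, or ('deny', None): the default."""
        for e in self.entries:
            if e.matches(pkt):
                return e.action, e.line
        return "deny", None

    def resequence(self, start: int, increment: int) -> list:
        """First entry gets Start; each later entry adds Increment (both 1 to 2147483647)."""
        for v in (start, increment):
            if not 1 <= v <= MAX_LINE_NUMBER:
                raise ValueError("Start and Increment must be 1 to 2147483647")
        for i, e in enumerate(self.entries):
            e.line = start + i * increment
        return [e.line for e in self.entries]
```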
Related Topics
• Configuring Security with ACLs, page 2-51
• Creating ACLs, page 2-52
• Setting EtherType ACL Attributes, page 2-58
• Setting Extended ACL Attributes, page 2-54
• Editing or Deleting ACLs, page 2-60
Setting EtherType ACL Attributes
Note
By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.
You can configure an ACL that controls traffic based on its EtherType. An EtherType is a sub-protocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because they use a length field as opposed to a type field. The only exception is bridge protocol data units (BPDUs), which are SNAP-encapsulated, and the ACE is designed to specifically handle BPDUs.
Procedure
Step 1
Select Config > Virtual Contexts > context > Security > ACLs. The ACLs table appears, listing the existing ACLs.
Step 2
Click Add. The New Access List configuration screen appears.
Step 3
Enter the ACL name in the ACL Properties pane and choose Ethertype.
Step 4
Select one of the following radio buttons:
• Deny to indicate that the ACE is to block connections.
• Permit to indicate that the ACE is to allow connections.
Step 5
Select one of the following from the Protocol field pulldown menu for this ACL:
• Any—Specifies any EtherType.
• BPDU—Specifies Bridge Protocol Data Units. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you allow BPDUs. If you configure redundancy, you must allow BPDUs on both interfaces with an EtherType ACL to avoid bridging loops. For information about configuring redundancy, refer to Configuring High Availability, page 9-1.
• IPv6—Specifies Internet Protocol version 6.
• MPLS—Specifies Multi-Protocol Label Switching. The MPLS selection applies to both MPLS unicast and MPLS multicast traffic. If you allow MPLS, ensure that Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the ACE by configuring both MPLS routers connected to the ACE to use the IP address on the ACE interface as the router-id for LDP or TDP sessions. LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.
Step 6
Click Add To Table and add one or more ACL entries if required, repeating Step 4 and Step 5 as needed.
Step 7
Associate any VLAN interface to this ACL if required and click:
• Deploy to immediately deploy this configuration.
• Cancel to exit without saving your entries and to return to the ACL Summary table.
Related Topics
• Configuring Security with ACLs, page 2-51
• Creating ACLs, page 2-52
• Setting Extended ACL Attributes, page 2-54
• Resequencing Extended ACLs, page 2-58
• Editing or Deleting ACLs, page 2-60
Viewing All ACLs by Context
Use this procedure to view all access control lists that have been configured.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the virtual context with the ACLs you want to view, then select Security > ACLs. The ACLs table appears, listing the existing ACLs with their name, their type (Extended or Ethertype), and any comments.
Related Topics
• Configuring Virtual Context Expert Options, page 2-68
• Creating ACLs, page 2-52
• Setting EtherType ACL Attributes, page 2-58
• Setting Extended ACL Attributes, page 2-54
• Editing or Deleting ACLs, page 2-60
Editing or Deleting ACLs
Use this procedure to delete or edit an ACL or any of its subentries.
Procedure
Step 1
Select Config > Virtual Contexts > context > Security > ACLs. The ACLs table appears, listing the existing ACLs.
Step 2
Select the radio button to the left of the ACL you want to Edit or Delete. Expand entries if necessary by clicking the plus sign to the left of any ACL entry until you see the subentry ACL for which you are looking, or click the Expand All icon to view all ACLs and subentries.
Step 3
Perform one of the following steps:
• Click Edit if you are editing an ACL or one of its entries and go to Step 4.
or
• Click Delete if you are deleting an ACL or one of its entries and go to Step 5.
Step 4
Edit the entry using the summary information listed in Table 2-14 if needed, and click Deploy when done.
Step 5
Click Delete. A window appears asking you to confirm the deletion. If you click OK, the ACLs table refreshes without the deleted ACL.
Related Topics
• Creating ACLs, page 2-52
• Setting EtherType ACL Attributes, page 2-58
• Setting Extended ACL Attributes, page 2-54
• Resequencing Extended ACLs, page 2-58
Configuring Object Groups
An object group is a logical grouping of objects such as hosts (servers and clients), services, and networks. When you create an object group, you select a type, such as network or service, and then specify the objects that belong to the group. In all, there are four types of object groups: network, protocol, service, and ICMP-type.
After you configure an object group, you can include it in ACLs, thereby including all objects within that group and reducing overall configuration size.
Use this procedure to configure object groups that you can associate with ACLs.
Procedure
Step 1
Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.
Step 2
Click Add to create a new object group, or select an existing object group, then click Edit to modify it. The Object Groups configuration screen appears.
Step 3
In the Name field, enter a unique name for this object group. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4
In the Description field, enter a brief description for the object group.
Step 5
In the Type field, select the type of object group you are creating:
• Network—The object group is based on a group of hosts or subnet IP addresses.
• Service—The object group is based on TCP or UDP protocols and ports, or ICMP types, such as echo or echo-reply.
Step 6
Click:
• Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.
• Cancel to exit without saving your entries and to return to the Object Groups table.
• Next to deploy your entries and to add another entry to the Object Groups table.
If you click Deploy Now or OK, the screen refreshes with tables of additional configuration options.
Step 7
Configure objects for the object group.
For network-type object groups, options include:
• Configuring IP Addresses for Object Groups, page 2-62
• Configuring Subnet Objects for Object Groups, page 2-62
For service-type object groups, options include:
• Configuring Protocols for Object Groups, page 2-63
• Configuring TCP/UDP Service Parameters for Object Groups, page 2-64
• Configuring ICMP Service Parameters for an Object Group, page 2-66
Related Topics
• Configuring Virtual Context Expert Options, page 2-68
• Creating ACLs, page 2-52
• Setting Extended ACL Attributes, page 2-54
• Resequencing Extended ACLs, page 2-58
Configuring IP Addresses for Object Groups
Use this procedure to specify host IP addresses for network-type object groups.
Procedure
Step 1
Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.
Step 2
Select the object group you want to configure host IP addresses for, then select the Host Setting For Object Group tab. The Host Setting For Object Group table appears.
Step 3
Click Add to add an entry to this table.
Step 4
In the Host IP Address field, enter the IP address of a host to include in this group.
Step 5
Click:
• Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.
• Cancel to exit this procedure without saving your entries.
• Next to deploy your entries and to add another entry to the Host Setting table.
Related Topics
• Configuring Object Groups, page 2-61
• Configuring Subnet Objects for Object Groups, page 2-62
• Configuring Protocols for Object Groups, page 2-63
• Configuring TCP/UDP Service Parameters for Object Groups, page 2-64
• Configuring ICMP Service Parameters for an Object Group, page 2-66
Configuring Subnet Objects for Object Groups
Use this procedure to specify subnet objects for a network-type object group.
Procedure
Step 1
Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.
Step 2
Select the object group you want to configure subnet objects for, then select the Network Setting For Object Group tab. The Network Setting For Object Group table appears.
Step 3
Click Add to add an entry to this table.
Step 4
In the IP Address field, enter an IP address that, with the subnet mask, defines the subnet object.
Step 5
In the Netmask field, select the subnet mask for this subnet object.
Step 6
Click:
• Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.
• Cancel to exit this procedure without saving your entries.
• Next to deploy your entries and to add another entry to the Network Setting table.
Related Topics
• Configuring Object Groups, page 2-61
• Configuring IP Addresses for Object Groups, page 2-62
• Configuring Protocols for Object Groups, page 2-63
• Configuring TCP/UDP Service Parameters for Object Groups, page 2-64
• Configuring ICMP Service Parameters for an Object Group, page 2-66
Configuring Protocols for Object Groups
Use this procedure to specify protocols for a service-type object group.
Procedure
Step 1
Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.
Step 2
Select an existing service-type object group, then select the Protocol Selection tab. The Protocol Selection table appears.
Step 3
Click Add to add an entry to this table.
Step 4
In the Protocol Number field, select the protocol or protocol number to add to this object group. See Table 2-16 for common protocols and their numbers.
Step 5
Click:
• Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.
• Cancel to exit this procedure without saving your entries.
• Next to deploy your entries and to add another entry to the Protocol Selection table.
Related Topics
• Configuring Object Groups, page 2-61
• Configuring IP Addresses for Object Groups, page 2-62
• Configuring Subnet Objects for Object Groups, page 2-62
• Configuring TCP/UDP Service Parameters for Object Groups, page 2-64
• Configuring ICMP Service Parameters for an Object Group, page 2-66
Configuring TCP/UDP Service Parameters for Object Groups
Use this procedure to add TCP or UDP service objects to a service-type object group.
Procedure
Step 1
Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.
Step 2
Select an existing service-type object group, then select the TCP/UDP Service Parameters tab. The TCP/UDP Service Parameters table appears.
Step 3
Click Add to add an entry to this table.
Step 4
Configure TCP or UDP service objects using the information in Table 2-17.
Table 2-17
TCP and UDP Service Parameters

Protocol
Select the protocol for this service object:
• TCP—TCP is the protocol for this service object.
• UDP—UDP is the protocol for this service object.
• TCP And UDP—Both TCP and UDP are the protocols for this service object.

Source Port Operator
Select the operand to use when comparing source port numbers for this service object:
• Equal To—The source port must be the same as the number in the Source Port field.
• Greater Than—The source port must be greater than the number in the Source Port field.
• Less Than—The source port must be less than the number in the Source Port field.
• Not Equal To—The source port must not equal the number in the Source Port field.
• Range—The source port must be within the range of ports specified by the Lower Source Port field and the Upper Source Port field.

Source Port
This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Source Port Operator field.
Enter the source port name or number for this service object.

Lower Source Port
This field appears if you select Range in the Source Port Operator field.
Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Source Port field.

Upper Source Port
This field appears if you select Range in the Source Port Operator field.
Enter the number that is the ending value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Source Port field.

Destination Port Operator
Select the operand to use when comparing destination port numbers:
• Equal To—The destination port must be the same as the number in the Destination Port field.
• Greater Than—The destination port must be greater than the number in the Destination Port field.
• Less Than—The destination port must be less than the number in the Destination Port field.
• Not Equal To—The destination port must not equal the number in the Destination Port field.
• Range—The destination port must be within the range of ports specified by the Lower Destination Port field and the Upper Destination Port field.

Destination Port
This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Destination Port Operator field.
Enter the destination port name or number for this service object.

Lower Destination Port
This field appears if you select Range in the Destination Port Operator field.
Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Destination Port field.

Upper Destination Port
This field appears if you select Range in the Destination Port Operator field.
Enter the number that is the ending value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Destination Port field.

Step 5
Click:
• Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.
• Cancel to exit this procedure without saving your entries.
• Next to deploy your entries and to add another entry to the TCP/UDP Service Parameters table.
Related Topics
• Configuring Object Groups, page 2-61
• Configuring IP Addresses for Object Groups, page 2-62
• Configuring Subnet Objects for Object Groups, page 2-62
• Configuring Protocols for Object Groups, page 2-63
• Configuring ICMP Service Parameters for an Object Group, page 2-66
Configuring ICMP Service Parameters for an Object Group
Use this procedure to add ICMP service parameters to a service-type object group.
Procedure
Step 1
Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.
Step 2
Select an existing service-type object group, then select the ICMP Service Parameters tab. The ICMP Service Parameters table appears.
Step 3
Click Add to add an entry to this table.
Step 4
Configure ICMP type objects using the information in Table 2-18.
Table 2-18
ICMP Type Service Parameters

ICMP Type
Select the ICMP type or number for this service object. Table 2-19 lists common ICMP types and numbers.

Message Code Operator
Select the operand to use when comparing message codes for this service object:
• Equal To—The message code must be the same as the number in the Message Code field.
• Greater Than—The message code must be greater than the number in the Message Code field.
• Less Than—The message code must be less than the number in the Message Code field.
• Not Equal To—The message code must not equal the number in the Message Code field.
• Range—The message code must be within the range of codes specified by the Min. Message Code field and the Max. Message Code field.

Message Code
This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Message Code Operator field.
Enter the ICMP message code for this service object.

Min. Message Code
This field appears if you select Range in the Message Code Operator field.
Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 255. The number in this field must be less than the number entered in the Max. Message Code field.

Max. Message Code
This field appears if you select Range in the Message Code Operator field.
Enter the number that is the ending value for a range of services for this service object. Valid entries are integers from 0 to 255. The number in this field must be greater than the number entered in the Min. Message Code field.

Table 2-19
ICMP Type Numbers and Names
Number   ICMP Type Name
0        Echo-Reply
3        Unreachable
4        Source-Quench
5        Redirect
6        Alternate-Address
8        Echo
9        Router-Advertisement
10       Router-Solicitation
11       Time-Exceeded
12       Parameter-Problem
13       Timestamp-Request
14       Timestamp-Reply
15       Information-Request
16       Information-Reply
17       Mask-Request
18       Mask-Reply
31       Conversion-Error
32       Mobile-Redirect

Step 5
Click:
• Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.
• Cancel to exit this procedure without saving your entries.
• Next to deploy your entries and to add another entry to the ICMP Service Parameters table.
Related Topics
• Configuring Object Groups, page 2-61
• Configuring IP Addresses for Object Groups, page 2-62
• Configuring Subnet Objects for Object Groups, page 2-62
• Configuring Protocols for Object Groups, page 2-63
• Configuring TCP/UDP Service Parameters for Object Groups, page 2-64
Configuring Virtual Context Expert Options
Table 2-20 identifies ACE appliance Device Manager virtual context Expert configuration options and related topics for more information.
Table 2-20
Virtual Context Expert Configuration Options

Expert Configuration Option: Establish traffic policies by classifying types of network traffic and then applying rules and actions for handling the traffic
Related Topics:
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Context Class Maps, page 10-8
• Configuring Virtual Context Policy Maps, page 10-33

Expert Configuration Option: Configure HTTP optimization action lists
Related Topic: Configuring an HTTP Optimization Action List, page 11-3

Expert Configuration Option: Configure HTTP header modify action lists
Related Topic: Configuring an HTTP Header Modify Action List, page 10-80
Managing Virtual Contexts
You can perform the following administrative actions on virtual contexts:
• Synchronizing Virtual Context Configurations, page 2-68
• Editing Virtual Contexts, page 2-72
• Deleting Virtual Contexts, page 2-73
• Viewing All Virtual Contexts, page 2-73
Synchronizing Virtual Context Configurations
ACE appliance Device Manager identifies virtual contexts with different configurations on the ACE appliance and in ACE appliance Device Manager. Discrepancies between these configurations occur when a user configures the ACE appliance directly using the CLI instead of the ACE appliance Device Manager.
The ACE appliance Device Manager automatically polls the CLI once every two minutes. When you use the CLI to change a virtual context’s configuration on the ACE appliance, and the Device Manager detects an out-of-band configuration change in a context during this polling period, the configuration changes are applied by the Device Manager.
The status bar at the bottom right of the ACE appliance Device Manager displays two indicators for you to monitor CLI and DM GUI synchronization status (Figure 2-1). One indicator displays ACE appliance Device Manager GUI and CLI synchronization status along with a summary count of the contexts in the various synchronization states, and the other indicator displays CLI synchronization and polling status for the active context. The status bar auto-refreshes every 10 seconds.
Figure 2-1 CLI and DM GUI Synchronization Status Bar
For example, as illustrated in Figure 2-1, the message “DM out of sync with CLI (1/17)” indicates that out of the 17 configured contexts, one context is in the “Out of sync” CLI synchronization status state.
Note
If a user attempts to deploy a configuration from the ACE appliance Device Manager (clicks the Deploy Now button) while synchronization is in process for a particular context, an error message appears indicating that synchronization is in process and the user should try to deploy the configuration at a later point in time.
ACE appliance Device Manager provides the following options for identifying and synchronizing configuration discrepancies:
• Viewing Virtual Context Synchronization Status, page 2-69
• High Availability and Virtual Context Configuration Status, page 2-70
• Manually Synchronizing Individual Virtual Context Configurations, page 2-71
• Manually Synchronizing All Virtual Context Configurations, page 2-71
Viewing Virtual Context Synchronization Status
ACE appliance Device Manager identifies virtual contexts with different configurations in the ACE
appliance and in the ACE appliance Device Manager. Discrepancies between these configurations occur
when a user configures the ACE appliance directly using the CLI instead of ACE appliance Device
Manager.
In Config screens, CLI and DM GUI configuration status appears in the following locations in the ACE
appliance Device Manager:
•
In the All Virtual Contexts table (Config > Virtual Contexts), in the CLI Sync Status column.
•
The status bar at the bottom of the ACE appliance Device Manager browser (see Figure 2-1).
The following reported CLI synchronization states appear in the All Virtual Context table:
•
OK—The configurations for the selected virtual context are synchronized with the CLI.
•
Out Of Sync—The configurations for the selected virtual context are not synchronized with the CLI.
•
Sync In Progress—The CLI to DM GUI synchronization for this context is in process, either started
automatically by the ACE appliance Device Manager or manually (using either the CLI Sync or CLI
Sync All buttons).
•
Sync Failed—The last synchronization attempt failed and you must perform a manual
synchronization using either the CLI Sync or CLI Sync All buttons. The failed state could be due to
an unrecognized CLI command on the context, or due to an internal error on the ACE appliance
Device Manager. Once the problem is resolved, another manual synchronization will be required to
move the context into the OK synchronization state.
Cisco 4700 Series Application Control Engine Appliance Device Manager Configuration Guide
OL-23543-01
2-69
Chapter 2
Configuring Virtual Contexts
Managing Virtual Contexts
The status bar at the bottom of the ACE appliance Device Manager browser (see Figure 2-1) displays DM GUI and CLI synchronization status along with a summary count of the contexts in the various synchronization states. For example, the message “DM out of sync with CLI (1/10), DM sync with CLI failed (2/10)” indicates that out of the 10 configured contexts, one context is in the “Out Of Sync” state, two are in the “Sync Failed” state, and the remaining contexts are in the “OK” state. The status bar auto-refreshes every 10 seconds.
Note
Clicking the summary count in the status bar from any context-specific page accesses the All Virtual
Contexts table. You can view the CLI synchronization status for all contexts.
If a user changes the configuration for a context by using the CLI while you are viewing the All Virtual
Contexts table, the information in the CLI Sync Status column does not automatically update to reflect
an out-of-sync state. Click Refresh or set an automatic refresh rate by clicking Auto Refresh to view
out-of-sync configurations.
For information on synchronizing out-of-sync virtual context configurations, see:
• Manually Synchronizing Individual Virtual Context Configurations, page 2-71
• Manually Synchronizing All Virtual Context Configurations, page 2-71
Related Topics
• Synchronizing Virtual Context Configurations, page 2-68
• High Availability and Virtual Context Configuration Status, page 2-70
High Availability and Virtual Context Configuration Status
In a high availability pair, the two configured virtual contexts synchronize with each other as part of their
ongoing communications. However, their copies do not synchronize in ACE appliance Device Manager
and the configuration on the standby member can become out of sync with the configuration on the ACE
appliance.
After the active member of a high availability pair fails and the standby member becomes active, ACE
appliance Device Manager on the newly active member detects any out-of-sync virtual context
configurations and reports that status in the All Virtual Contexts table so that you can synchronize the
virtual context configurations.
Note
When a virtual context is in either the Standby Hot or Standby Warm state (see High Availability Polling,
page 9-6), the virtual context may receive configuration changes from its ACE peer without updating the
Device Manager GUI. As a result, the ACE appliance Device Manager GUI will be out of
synchronization with the CLI configuration. If you need to check configuration on a standby virtual
context using HA Tracking And Failure Detection (see Tracking VLAN Interfaces for High Availability,
page 9-17), we recommend that you first perform a manual synchronization using either the CLI Sync
or CLI Sync All buttons before checking the configuration values.
For information on synchronizing out-of-sync virtual context configurations, see:
• Manually Synchronizing Individual Virtual Context Configurations, page 2-71
• Manually Synchronizing All Virtual Context Configurations, page 2-71
Related Topics
• Viewing Virtual Context Synchronization Status, page 2-69
• Configuring High Availability Overview, page 9-6
Manually Synchronizing Individual Virtual Context Configurations
Use this procedure if you want to manually synchronize the configuration for a selected virtual context.
This procedure removes the configuration information for this virtual context from ACE appliance
Device Manager and replaces it with its CLI configuration from the ACE appliance. You may want to
manually synchronize a virtual context configuration if you do not want to wait for auto synchronization
to occur and you want the CLI context configuration changes immediately applied to the ACE appliance
Device Manager.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears. Contexts with configurations
that are not synchronized display Out of sync in the CLI Sync Status column.
Note
If a user changes the configuration for a context by using the CLI while you are viewing the All
Virtual Contexts table, the information in the CLI Sync Status column is not automatically
updated to reflect an out-of-sync state. Click Refresh or set an automatic refresh rate by clicking
Auto Refresh to view out-of-sync configurations.
Step 2
Select the virtual context with the configuration that you want to synchronize, then click CLI Sync. A
window appears, asking you to confirm the operation.
Step 3
Click OK to upload the configuration from the ACE appliance or Cancel to exit this procedure without
uploading the configuration.
If you click OK, the screen reports progress and then refreshes with updated configuration status in the
CLI Sync Status column.
Related Topics
• Synchronizing Virtual Context Configurations, page 2-68
• Viewing Virtual Context Synchronization Status, page 2-69
• Manually Synchronizing All Virtual Context Configurations, page 2-71
Manually Synchronizing All Virtual Context Configurations
Use this procedure to manually synchronize all virtual context configurations. This procedure removes
all virtual context configurations from ACE appliance Device Manager and replaces them with their CLI
configurations from the ACE appliance. You may want to manually synchronize all virtual contexts if
you do not want to wait for auto-synchronization to occur and you want the CLI context configuration
changes immediately applied to the ACE appliance Device Manager.
This operation can take several minutes to finish, depending on the number of virtual contexts.
Note
If you configure a virtual server using the CLI and then use the CLI Sync All option (Config > Virtual
Contexts) to manually synchronize configurations, the configuration that appears in ACE appliance
Device Manager for the virtual server might not display all configuration options for that virtual server.
The configuration that appears in ACE appliance Device Manager depends on a number of items, such
as the protocols configured in class maps or the rules defined for policy maps.
For example, if you configure a virtual server on the CLI that includes a class map that can match any
protocol, you will not see the virtual server Application Acceleration and Optimization configuration
subset in ACE appliance Device Manager.
Note
This procedure is available for only the admin user in an Admin context.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Click CLI Sync All. A window appears, asking you to confirm the operation.
Step 3
Click OK to continue with this option or click Cancel to exit this procedure.
If you click OK, the screen refreshes with the All Virtual Contexts table listing the contexts that have
been imported so far and displays configuration update progress.
Note
Depending on the number of contexts, this process can take several minutes to complete.
Step 4
Click Refresh to view additional contexts that have been imported.
Related Topic
• Synchronizing Virtual Context Configurations, page 2-68
• Manually Synchronizing Individual Virtual Context Configurations, page 2-71
Editing Virtual Contexts
Use this procedure to modify the configuration of an existing virtual context.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the virtual context, then select the configuration attributes you want to modify. For information
on configuration options, see Configuring Virtual Contexts, page 2-7.
Step 3
Click Deploy Now to deploy this configuration on the ACE appliance.
To exit a procedure without saving your entries, click Cancel, or select another item in the menu bar or
another attribute to configure. A window appears, confirming that you have not saved your entries.
Related Topic
• Using Virtual Contexts, page 2-2
Deleting Virtual Contexts
Use this procedure to remove an existing virtual context.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the virtual context you want to remove, then click Delete. A window appears, asking you to
confirm the deletion.
Step 3
Click:
• OK to delete the selected context. The device tree refreshes and the deleted context no longer appears.
• Cancel to exit this procedure and to retain the selected context.
Related Topic
• Using Virtual Contexts, page 2-2
Viewing All Virtual Contexts
To view all virtual contexts, select Config > Virtual Contexts. The All Virtual Contexts table appears.
Note
Clicking the summary count in the status bar from any context-specific page accesses the All Virtual
Contexts table. You can then review the synchronization configuration details for all of the available
contexts. If you are not the administrator, you will only see the details for your user context.
The All Virtual Contexts table displays the following information for each virtual context:
• Name
• Resource class
• Management IP address
• Virtual context synchronization status; that is, whether the ACE appliance Device Manager GUI and CLI configurations for the context are synchronized, not synchronized, being synchronized, or the synchronization attempt failed. For more information, see Viewing Virtual Context Synchronization Status, page 2-69.
• ACE high availability state; for more information on the available ACE high availability states, see High Availability Polling, page 9-6.
Note
For information on the implication of ACE high availability on ACE appliance Device Manager GUI and CLI configuration synchronization, see Synchronizing High Availability Configurations with ACE Appliance Device Manager, page 9-7.
• State of the ACE high availability peer
• ACE high availability peer name
• Whether automatic synchronization for high availability pairs has been configured
Note
If a user changes the configuration for a context by using the CLI while you are viewing the All Virtual
Contexts table, or if the high availability state changes, the information in the table columns does not
automatically update to reflect an out-of-sync state. Click Refresh or set an automatic refresh rate by
clicking Auto Refresh to view out-of-sync configurations.
Note
If a user creates a new virtual context in a different session while you are viewing the All Virtual
Contexts table, the new virtual context does not automatically appear in this table. Click Refresh or set
an automatic refresh rate by clicking Auto Refresh to view newly-created contexts.
Polling status for the selected context appears above the content area in the upper right corner (see
Figure 1-2). Table 12-1 describes the various polling states.
From this screen you can:
• Add a new virtual context—See Creating Virtual Contexts, page 2-2.
• Edit an existing virtual context—See Configuring Virtual Contexts, page 2-7.
• Delete an existing virtual context—See Deleting Virtual Contexts, page 2-73.
• Manually synchronize ACE appliance Device Manager and CLI configurations for one or all virtual contexts—See Synchronizing Virtual Context Configurations, page 2-68.
Related Topic
Managing Virtual Contexts, page 2-68
Chapter 3
Configuring Virtual Servers
This section provides an overview of server load balancing and procedures for configuring virtual
servers for load balancing on an ACE appliance.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
Topics include:
• Load Balancing Overview, page 3-1
• Configuring Virtual Servers, page 3-2
• Managing Virtual Servers, page 3-59
Load Balancing Overview
Server load balancing (SLB) is the process of deciding to which server a load-balancing device should
send a client request for service. For example, a client request can consist of an HTTP GET for a Web
page or an FTP GET to download a file. The job of the load balancer is to select the server that can
successfully fulfill the client request and do so in the shortest amount of time without overloading either
the server or the server farm as a whole.
Depending on the load-balancing algorithm or predictor that you configure, the ACE appliance performs
a series of checks and calculations to determine the server that can best service each client request. The
ACE appliance bases server selection on several factors, including the server with the fewest connections
with respect to load, source or destination address, cookies, URLs, or HTTP headers.
The ACE Appliance Device Manager allows you to configure load balancing using:
• Virtual servers—See Configuring Virtual Servers, page 3-2.
• Real servers—See Configuring Real Servers, page 4-4.
• Server farms—See Configuring Server Farms, page 4-11.
• Sticky groups—See Configuring Sticky Groups, page 5-7.
• Parameter maps—See Configuring Parameter Maps, page 6-1.
For information about SLB as configured and performed by the ACE appliance, see:
• Configuring Virtual Servers, page 3-2
• Load-Balancing Predictors, page 4-2
• Real Servers, page 4-3
• Server Farms, page 4-4
• Configuring Health Monitoring, page 4-29
• TCL Scripts, page 4-30
• Configuring Sticky Groups, page 5-7
Configuring Virtual Servers
In a load-balancing environment, a virtual server is a construct that allows multiple physical servers to
appear as one for load-balancing purposes. A virtual server is bound to physical services running on real
servers in a server farm and uses IP address and port information to distribute incoming client requests
to the servers in the server farm according to a specified load-balancing algorithm.
You use class maps to configure a virtual server address and definition. The load-balancing predictor
algorithms (for example, round-robin, least connections, and so on) determine the servers to which the
ACE sends connection requests.
For more information about virtual servers and the ACE Appliance Device Manager, see:
• Understanding Virtual Server Configuration and ACE Appliance Device Manager, page 3-2
• Using ACE Appliance Device Manager to Configure Virtual Servers, page 3-4
• Virtual Server Configuration Procedure, page 3-7
Understanding Virtual Server Configuration and ACE Appliance Device Manager
The ACE Appliance Device Manager Virtual Server configuration interface, an abstraction of the
Modular Policy CLI, simplifies, reorders, and makes more atomic the configuration and deployment of
a functional load-balancing environment. With simplification or abstraction, some constraints or
limitations are necessarily introduced. This section identifies the constraints and framework used by
ACE Appliance Device Manager for virtual server configuration.
In ACE Appliance Device Manager, a viable virtual server has the following attributes:
• A single Layer 3/Layer 4 match condition
This means that you can specify only a single IP address (or single IP address range if a netmask is used), with only a single port (or port range). Having a single match condition greatly simplifies and aids virtual server configuration.
• A default Layer 7 action
• A Layer 7 policy map
• A Layer 3/Layer 4 class map
• A multi-match policy map, a class-map match, and an action
In addition:
• The virtual server multi-match policy map is associated with an interface or is global.
• The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map.
Example 3-1 shows the minimum configuration statements required for a virtual server.
Example 3-1 Minimum Configuration Required for a Virtual Server
class-map match-all Example_VIP
  2 match virtual-address 10.10.10.10 tcp eq www
policy-map type loadbalance first-match Example_VIP-l7slb
  class class-default
    forward
policy-map multi-match int10
  class Example_VIP
    loadbalance policy Example_VIP-l7slb
interface vlan 10
  ip address 192.168.65.37 255.255.255.0
  service-policy input int10
  no shutdown
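As an added example (not code from this guide or from Device Manager itself), the following Python script reads the configuration of one virtual server in the form of Example 3-1 and checks it for the attributes listed above: a Layer 3/Layer 4 class map with a single match condition, a multi-match policy map that matches that class map with a loadbalance action, a Layer 7 policy map with a default action, and the multi-match policy map applied to an interface or globally. The parsing approach and the check wording are this example's own assumptions; the sample config is Example 3-1.

```python
import re

# Sample input: the minimum virtual-server configuration from Example 3-1,
# embedded here so the script runs offline.
SAMPLE_CONFIG = """\
class-map match-all Example_VIP
  2 match virtual-address 10.10.10.10 tcp eq www
policy-map type loadbalance first-match Example_VIP-l7slb
  class class-default
    forward
policy-map multi-match int10
  class Example_VIP
    loadbalance policy Example_VIP-l7slb
interface vlan 10
  ip address 192.168.65.37 255.255.255.0
  service-policy input int10
  no shutdown
"""


def parse_blocks(config):
    """Split an indentation-structured ACE config into (header, children).

    Top-level statements start in column 0; every indented line beneath one
    is collected as a child with its indentation stripped. Nested depth is
    flattened, which is sufficient for the structural checks below.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def check_virtual_server(config):
    """Return (virtual_server_name, problems).

    An empty problems list means every attribute the guide lists for a
    viable Device Manager virtual server was found in the config text.
    """
    blocks = parse_blocks(config)
    problems = []

    # Attribute: a Layer 3/Layer 4 class map with a single match condition.
    # The virtual server's name is derived from this class map's name.
    l34 = [(h, c) for h, c in blocks
           if h.startswith("class-map ")
           and any("match virtual-address" in line for line in c)]
    if len(l34) != 1:
        return None, ["expected exactly one class map with a virtual-address match"]
    header, children = l34[0]
    name = header.split()[-1]
    match_lines = [line for line in children if re.match(r"(\d+ )?match ", line)]
    if len(match_lines) != 1:
        problems.append(f"class map {name} has {len(match_lines)} match conditions; "
                        "Device Manager supports exactly one")

    # Attribute: a multi-match policy map that matches the class map and
    # carries a loadbalance action pointing at the Layer 7 policy map.
    mm_name, l7_name = None, None
    for h, c in blocks:
        if h.startswith("policy-map multi-match ") and f"class {name}" in c:
            mm_name = h.split()[-1]
            for line in c:
                m = re.match(r"loadbalance policy (\S+)$", line)
                if m:
                    l7_name = m.group(1)
    if mm_name is None:
        problems.append(f"no multi-match policy map has 'class {name}'")
    elif l7_name is None:
        problems.append(f"multi-match policy map {mm_name} has no loadbalance action")

    # Attribute: the Layer 7 policy map exists and has a default action
    # (a statement directly under 'class class-default').
    if l7_name is not None:
        l7 = [c for h, c in blocks
              if h.startswith("policy-map type loadbalance ") and h.split()[-1] == l7_name]
        if not l7:
            problems.append(f"Layer 7 policy map {l7_name} is referenced but not defined")
        else:
            kids = l7[0]
            idx = kids.index("class class-default") if "class class-default" in kids else -1
            has_default = 0 <= idx < len(kids) - 1 and not kids[idx + 1].startswith("class ")
            if not has_default:
                problems.append(f"Layer 7 policy map {l7_name} has no default action")

    # Attribute: the multi-match policy map is applied to an interface with
    # 'service-policy input', or globally at the top level.
    if mm_name is not None:
        applied = f"service-policy input {mm_name}"
        if not any(h == applied or (h.startswith("interface ") and applied in c)
                   for h, c in blocks):
            problems.append(f"multi-match policy map {mm_name} is not applied to an "
                            "interface or globally")
    return name, problems


if __name__ == "__main__":
    vs_name, issues = check_virtual_server(SAMPLE_CONFIG)
    print(f"virtual server: {vs_name}")
    print("viable" if not issues else "\n".join(issues))
```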
Note the following items regarding the ACE Appliance Device Manager and virtual servers:
• Additional configuration options
The Virtual Server configuration screen allows you to configure additional items for a functional
VIP. These items include server farms, sticky groups, real servers, probes, parameter maps,
inspection, class maps, and inline match conditions. Because too many items on a screen can be
overwhelming, not all configuration options appear on Virtual Server configuration screen, such as
sticky statics or backup real servers. These options are available elsewhere in the ACE Appliance
Device Manager interface instead of on the Virtual Server configuration screen.
• Configuration options and roles
To support and maintain the separation of roles, some objects cannot be configured using the Virtual
Server configuration screen. These objects include SSL certificates, SSL keys, NAT pools, interface
IP addresses, and ACLs. Providing these options as separate configuration options in the ACE
Appliance Device Manager interface ensures that a user who can view or modify virtual servers or
aspects of virtual servers cannot create or delete virtual servers.
• RBAC role and domain requirements
If you want to create, modify, or delete a virtual server, we recommend that you use the pre-defined Admin role (see Table 13-4). Only the Admin pre-defined role supports the ability to successfully deploy a functional virtual server from the ACE appliance Device Manager.
If a user prefers to be assigned a custom role, and wants the ability to create, modify, or delete a virtual server, that user requires the proper role permissions to be defined by the administrator to allow them to perform those virtual server activities.
Note
A user must be assigned with a default domain (default-domain) to be able to configure a virtual
server. A domain is the namespace in which a user operates.
The following RBAC permissions are required for a user to create, modify, or delete a virtual server:

Rule  Type    Permission  Feature
1.    Permit  Create      real
2.    Permit  Create      serverfarm
3.    Permit  Create      vip
4.    Permit  Create      probe
5.    Permit  Create      loadbalance
6.    Permit  Create      nat
7.    Permit  Create      interface
8.    Permit  Create      connection
9.    Permit  Create      ssl
10.   Permit  Create      pki
11.   Permit  Create      sticky
12.   Permit  Create      inspect

Note that certain configured virtual servers may only cover a subset of the features and may not require all the permissions outlined above. In general, the above set of permissions is required to allow users to configure all elements of a virtual server.
For background information, see the “Managing User Roles” section in Chapter 13, “Managing the
ACE Appliance”.
Related Topics
• Configuring Virtual Servers, page 3-2
• Using ACE Appliance Device Manager to Configure Virtual Servers, page 3-4
• Virtual Server Configuration Procedure, page 3-7
Using ACE Appliance Device Manager to Configure Virtual Servers
It is important to understand the following when using the ACE Appliance Device Manager to configure
virtual servers:
• Virtual server configuration screens
The ACE Appliance Device Manager Virtual Server configuration screens are designed to aid you
in configuring virtual servers by presenting configuration options that are relevant to your choices.
For example, the protocols that you select in the Properties configuration subset determine the other
configuration subsets that appear.
• Use the virtual server configuration method that suits you
The ACE Appliance Device Manager Virtual Server configuration screens simplify the process of
creating, modifying, and deploying virtual servers by displaying those options that you are most
likely to use. In addition, as you specify attributes for a virtual server, such as protocols, the interface
refreshes with related configuration options, such as Protocol Inspection or Application
Acceleration and Optimization, thereby speeding virtual server configuration and deployment.
While Virtual Server configuration screens remove some configuration complexities, they have a few constraints that the Expert configuration options do not. If you are comfortable using the CLI, you can use the Expert options (such as Config > Virtual Contexts > context > Expert > Class Maps or Policy, or Config > Virtual Contexts > context > Load Balancing > Parameter Map) to configure more complex attributes of virtual servers, traffic policies, and parameter maps.
• Synchronizing virtual server configurations
When you use the CLI to change a virtual context’s configuration on the ACE appliance, the ACE Appliance Device Manager periodically polls the CLI (approximately once every two minutes) for configuration changes. When it detects an out-of-band configuration change in a context, the changes are applied to the configuration maintained by ACE Appliance Device Manager. The status bar at the bottom of the ACE Appliance Device Manager indicates a summary count of the contexts in the various synchronization states.
If you configure a virtual server using the CLI and then use the CLI Sync option (Config > Virtual
Contexts > CLI Sync) to manually synchronize configurations, the configuration that appears in the
ACE Appliance Device Manager for the virtual server might not display all configuration options
for that virtual server. The configuration that appears in the ACE Appliance Device Manager
depends on a number of items, such as the protocols configured in class maps or the rules defined
for policy maps.
For example, if you configure a virtual server on the CLI that includes a class map that can match
any protocol, you will not see the virtual server Application Acceleration and Optimization
configuration subset in the ACE Appliance Device Manager.
• Modifying shared objects
Modifying an object that is used by multiple virtual servers, such as a server farm, real server, or
parameter map, could impact the other virtual servers. See Shared Objects and Virtual Servers,
page 3-9 for more information about modifying objects used by multiple virtual servers.
Related Topics
• Configuring Virtual Servers, page 3-2
• Understanding Virtual Server Configuration and ACE Appliance Device Manager, page 3-2
• Virtual Server Configuration Procedure, page 3-7
Virtual Server Usage Guidelines
The Virtual Server configuration window provides you with numerous configuration options. However,
instead of setting every option in one pass, configure your virtual server in stages. The first stage should
always be to establish basic “pass through” connectivity with simple load balancing and include minimal
additional features. This level of setup should verify that ports, VLANs, interfaces, SSL termination (if
applicable), and real servers have been set up properly, enabling basic connectivity.
After you establish this level of connectivity, additional virtual server features will be easier to configure
and troubleshoot.
Common features to add to a working basic virtual server include:
• Health monitoring probes
• Session persistence (sticky)
• Additional real servers to a server farm
• Application protocol inspection
• Application acceleration and optimization
Table 3-1 identifies and describes virtual server configuration subsets with links to related topics for
configuration information.
Related Topics
• Configuring Virtual Servers, page 3-2
• Using ACE Appliance Device Manager to Configure Virtual Servers, page 3-4
• Virtual Server Testing and Troubleshooting, page 3-6
• Virtual Server Configuration Procedure, page 3-7
Virtual Server Testing and Troubleshooting
As outlined in the “Virtual Server Usage Guidelines” section on page 3-5, first set up a basic virtual
server that only enables connectivity and simple load balancing, such as round-robin between two real
servers. Next, use a client, such as a web browser, to send a request from the client network to the virtual
server's VIP address. If the request is successful, you can now make changes or add virtual server
features.
If the request is not successful, begin virtual server troubleshooting as outlined in the following
sequence:
1. Wait and retry your request after a minute or two, especially if the existing ACE configuration is large. It can take seconds or even minutes for configuration changes to affect how traffic is handled by ACE.
2. From the Appliance command line interface (CLI), enter the show service-policy detail command.
3. Verify that the VIP State in the show service-policy CLI command output is INSERVICE. If the VIP state is not INSERVICE, this may indicate the following:
– The virtual server has been manually disabled in the configuration.
– The real servers are all unreachable from ACE or manually disabled. If all of a virtual server's real servers are out of service due to one of those reasons, the virtual server itself will be marked Out Of Service.
4. Verify the Hit Count in the show service-policy CLI command output. Hit Count shows the number of requests received by ACE. This value should increase for each request attempted by your client. If the hit count does not increase with each request, this indicates that the request is not reaching your virtual server configuration.
This could be a problem with:
– A physical connection.
– VLAN or VLAN interface configuration.
– Missing or incorrect ACL applied to the client interface.
– Incorrect IP address (that is, a VIP that is not valid on the selected VLANs for the virtual server, or a VIP that is not accessible to your client).
If the Hit Count value increases but no response is received (Server Pkt Count does not increase), the problem is more likely to be in the connectivity between the ACE and the backend real servers. This issue is typically caused by one or more of the following problems:
– You are working on a one-armed configuration (that is, do not plan to change routing for your real servers) and have not selected an appropriate NAT pool for your virtual server to use with source NAT.
– A different routing problem (for example, server traffic does not know how to get back to the ACE).
– Addressing problem (for example, you have an incorrect real server address, or the real server
is not accessible to ACE due to network topology).
Note
Hit count can increase by more than one, even if you make only a single request from your web
browser, because retrieving a typical web page makes many requests from the client to the server.
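As an added illustration (not part of this guide), the following Python script encodes steps 3 and 4 as a decision over two show service-policy detail snapshots, one taken before and one after a single client request. The snapshot text is constructed for the example and only approximates the real command layout; the three fields it reads, VIP State, Hit Count and Server Pkt Count, are the ones the steps above refer to, and the hit count is tested for "increased" rather than "increased by one" for the reason given in the note.

```python
import re

# Constructed sample: a trimmed 'show service-policy detail' snapshot for the
# Example 3-1 virtual server. Only the three fields the troubleshooting steps
# name are meaningful here; the surrounding layout approximates appliance
# output and is not captured from a device.
def render_snapshot(vip_state, hit_count, server_pkt_count):
    return f"""\
Status     : ACTIVE
-----------------------------------------
Interface: vlan 10
  service-policy: int10
    class: Example_VIP
      VIP Address:    Protocol:  Port:
      10.10.10.10     tcp        eq    80
      loadbalance:
        L7 loadbalance policy: Example_VIP-l7slb
        VIP State: {vip_state}
        curr conns       : 0         , hit count        : {hit_count}
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : {server_pkt_count}         , server byte count: 0
"""


def parse_snapshot(text):
    """Extract VIP State, Hit Count and Server Pkt Count from one snapshot."""
    def grab(pattern):
        m = re.search(pattern, text, re.IGNORECASE)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)
    return {
        "vip_state": grab(r"VIP State:\s*(\S+)").upper(),
        "hit_count": int(grab(r"hit count\s*:\s*(\d+)")),
        "server_pkt_count": int(grab(r"server pkt count\s*:\s*(\d+)")),
    }


# Checklist items from the troubleshooting sequence, keyed by outcome.
HINTS = {
    "vip_not_inservice": [
        "virtual server manually disabled in the configuration",
        "all real servers unreachable from ACE or manually disabled",
    ],
    "request_not_reaching_vip": [
        "physical connection",
        "VLAN or VLAN interface configuration",
        "missing or incorrect ACL on the client interface",
        "VIP not valid on the selected VLANs or not reachable from the client",
    ],
    "no_response_from_real_servers": [
        "one-armed setup without a NAT pool for source NAT",
        "routing: server traffic cannot get back to the ACE",
        "wrong real server address or real server unreachable from ACE",
    ],
    "ok": [],
}


def diagnose(before_text, after_text):
    """Compare snapshots taken before and after one client request.

    Returns (outcome, hints). The hit count is tested for 'increased', not
    'increased by one', because a single page load issues many requests.
    """
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    if after["vip_state"] != "INSERVICE":
        outcome = "vip_not_inservice"
    elif after["hit_count"] <= before["hit_count"]:
        outcome = "request_not_reaching_vip"
    elif after["server_pkt_count"] <= before["server_pkt_count"]:
        outcome = "no_response_from_real_servers"
    else:
        outcome = "ok"
    return outcome, HINTS[outcome]


if __name__ == "__main__":
    before = render_snapshot("INSERVICE", 12, 36)
    after = render_snapshot("INSERVICE", 19, 36)   # hits rose, server side silent
    outcome, hints = diagnose(before, after)
    print(outcome)
    for hint in hints:
        print(" -", hint)
```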
Related Topics
• Configuring Virtual Servers, page 3-2
• Using ACE Appliance Device Manager to Configure Virtual Servers, page 3-4
• Virtual Server Usage Guidelines, page 3-5
• Virtual Server Configuration Procedure, page 3-7
Virtual Server Configuration Procedure
Use this procedure to add virtual servers to the ACE Appliance Device Manager for load-balancing
purposes.
Assumptions
• Depending on the protocol to be used for the virtual server, parameter maps need to be defined.
• For SSL service, SSL certificates, keys, chain groups, and parameter maps must be configured.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers
table appears.
Step 2
Click Add to add a new virtual server, or select an existing virtual server, then click Edit to modify it.
The Virtual Server configuration screen appears with a number of configuration subsets. The subsets that
you see depend on whether you use the Basic View or the Advanced View and configuration entries you
make in the Properties subset. Change views by using the View object selector at the top of the
configuration pane.
Table 3-1 identifies and describes virtual server configuration subsets with links to related topics for
configuration information.
Table 3-1 Virtual Server Configuration Subsets

Properties
  Description: This subset allows you to specify basic virtual server characteristics, such as the virtual server name, IP address, protocol, port, and VLANs.
  Related Topics: Configuring Virtual Server Properties, page 3-11

SSL Termination
  Description: This subset appears when TCP is the selected protocol and Other or HTTPS is the application protocol. This subset allows you to configure the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients.
  Related Topics: Configuring Virtual Server SSL Termination, page 3-17

Protocol Inspection
  Description: This subset appears in the Advanced View for TCP with FTP, HTTP, HTTPS, RTSP, or SIP, and for UDP with DNS or SIP. This subset appears in the Basic View for TCP with FTP. This subset allows you to configure the virtual server so that it can verify protocol behavior and identify unwanted or malicious traffic passing through the ACE appliance on selected application protocols.
  Related Topics: Configuring Virtual Server Protocol Inspection, page 3-19

L7 Load-Balancing
  Description: This subset appears only in the Advanced View for TCP with Generic, HTTP, HTTPS, RTSP, or SIP, and for UDP with Generic, RADIUS, or SIP. This subset allows you to configure Layer 7 load-balancing options, including SSL initiation.
  Related Topics: Configuring Virtual Server Layer 7 Load Balancing, page 3-29

Default L7 Load-Balancing Action
  Description: This subset allows you to establish the default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions. It also allows you to configure SSL initiation. SSL initiation appears only in the Advanced View.
  Related Topics: Configuring Virtual Server Default Layer 7 Load Balancing, page 3-51

Application Acceleration And Optimization
  Description: This subset appears only in the Advanced View and when HTTP or HTTPS is the selected application protocol. This subset allows you to configure application acceleration and optimization options for HTTP or HTTPS traffic.
  Related Topics: Configuring Application Acceleration and Optimization, page 3-54

NAT
  Description: This subset appears in the Advanced View only. This subset allows you to set up Network Address Translation (NAT) for the virtual server.
  Related Topics: Configuring Virtual Server NAT, page 3-58
Step 3
When you finish configuring virtual server properties, click:
• Deploy Now to deploy the configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries and to return to the Virtual Servers table.
Related Topics
• Configuring Virtual Servers, page 3-2
• Understanding Virtual Server Configuration and ACE Appliance Device Manager, page 3-2
• Using ACE Appliance Device Manager to Configure Virtual Servers, page 3-4
• Shared Objects and Virtual Servers, page 3-9
• Role Mapping in ACE Appliance Device Manager, page 13-19
Shared Objects and Virtual Servers
A shared object is one that is used by multiple virtual servers. Examples of shared objects are:
• Action lists
• Class maps
• Parameter maps
• Real servers
• Server farms
• SSL services
• Sticky groups
Because these objects are shared, modifying an object’s configuration in one virtual server can impact
other virtual servers that use the same object.
Configuring Shared Objects
ACE Appliance Device Manager offers the following options for shared objects in virtual server
configuration screens (Config > Virtual Contexts > context > Load Balancing > Virtual Servers):
• View—Click View to review the object’s configuration. The screen refreshes with read-only fields and
  the following three buttons.
• Cancel—Click Cancel to close the read-only view and to return to the previous screen.
• Edit—Click Edit to modify the selected object’s configuration. The screen refreshes with fields that can
  be modified, except for the Name field which remains read-only.
  Note
    Before changing a shared object’s configuration, make sure you understand the effect of the changes
    on other virtual servers using the same object. As an alternative, consider using the Duplicate option
    instead.
• Duplicate—Click Duplicate to create a new object with the same configuration as the selected object.
  The screen refreshes with configurable fields. In the Name field, enter a unique name for the new object,
  then modify the configuration as desired. This option allows you to create a new object without
  impacting other virtual servers using the same object.
Deleting Virtual Servers with Shared Objects
If you create a virtual server and include shared objects in its configuration, deleting the virtual server
does not delete the associated shared objects. This ensures that other virtual servers using the same
shared objects are not impacted.
Related Topics
• Managing Virtual Servers, page 3-59
• Configuring Virtual Server Properties, page 3-11
• Configuring Virtual Server SSL Termination, page 3-17
• Configuring Virtual Server Protocol Inspection, page 3-19
• Configuring Virtual Server Layer 7 Load Balancing, page 3-29
• Configuring Virtual Server Default Layer 7 Load Balancing, page 3-51
• Configuring Application Acceleration and Optimization, page 3-54
Configuring Virtual Server Properties
Use this procedure to configure virtual server properties.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers
table appears.
Step 2
Click Add to add a new virtual server, or select an existing virtual server, then click Edit to modify it.
The Virtual Server configuration screen appears. The Properties configuration subset is open by default.
The fields that you see in the Properties configuration subset depend on whether you are using Advanced
View or Basic View:
• To configure Advanced View properties, continue with Step 3.
• To configure Basic View properties, continue with Step 4.
Step 3
To configure virtual server properties in the Advanced View, enter the information in Table 3-2.
Table 3-2
Virtual Server Properties – Advanced View
Virtual Server Name
  Enter the name for the virtual server.
Virtual IP Address
  Enter the IP address for the virtual server.
Virtual IP Mask
  Select the subnet mask to apply to the virtual server IP address.
Transport Protocol
  Select the protocol the virtual server supports:
  • Any—Indicates the virtual server is to accept connections using any IP protocol.
  • TCP—Indicates that the virtual server is to accept connections that use TCP.
  • UDP—Indicates that the virtual server is to accept connections that use UDP.
  Note
    This field is read-only if you are editing an existing virtual server. The Device Manager does not
    allow changes between protocols that require a change to the Layer 7 server load-balancing policy
    map. You need to delete the virtual server and create a new one with the desired protocol.
Application Protocol
  This field appears if TCP or UDP is selected. Select the application protocol to be supported by the
  virtual server.
  Note
    This field is read-only if you are editing an existing virtual server. The Device Manager does not
    allow changes between protocols that require a change to the Layer 7 server load-balancing policy
    map. You need to delete the virtual server and create a new one with the desired application protocol.
  For TCP, the options are:
  • FTP—File Transfer Protocol
  • Generic—Generic protocol parsing
  • HTTP—Hyper Text Transfer Protocol
  • HTTPS—HTTP over SSL
    If you select HTTPS, the SSL Termination configuration subset appears. See Configuring Virtual
    Server SSL Termination, page 3-17.
  • Other—Any protocol other than those specified
  • RDP—Remote Desktop Protocol
  • RTSP—Real Time Streaming Protocol
  • SIP—Session Initiation Protocol
  For UDP, the options are:
  • DNS—Domain Name System
  • Generic—Generic protocol parsing
  • Other—Any protocol other than those specified
  • RADIUS—Remote Authentication Dial-In User Service
  • SIP—Session Initiation Protocol
  If you select any specific application protocol, the Protocol Inspection configuration subset appears.
  See Configuring Virtual Server Protocol Inspection, page 3-19.
Port
  This field appears for any specified protocol.
  Enter the port to be used for the specified protocol. Valid entries are integers from 0 to 65535 or a range
  of integers, such as 10-20. Enter 0 (zero) to indicate all ports.
  For a complete list of protocols and ports, see the Internet Assigned Numbers Authority available at
  www.iana.org/numbers/.
All VLANs
  Check the check box to support incoming traffic from all VLANs. Clear the check box to support
  incoming traffic from specific VLANs only.
VLAN
  This field appears if the All VLANs check box is cleared.
  In the Available list, select the VLANs to use for incoming traffic, then click Add to Selection. The items
  appear in the Selected list.
  To remove VLANs, select them in the Selected list, then click Remove from Selection. The items appear
  in the Available list.
  Note
    You cannot change the VLAN for a virtual server once it is specified. Instead, you need to delete the
    virtual server and create a new one with the desired VLAN.
Connection Parameter Map
  This field appears if TCP is the selected protocol.
  Select an existing connection parameter map or click *New* to create a new one:
  • If you select an existing parameter map, you can view, modify, or duplicate the existing configuration.
    See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
  • If you click *New*, the Connection Parameter Map configuration pane appears. Configure the
    connection parameter map as described in Table 6-2.
  Note
    Click More Settings to access the additional Connection Parameter Maps configuration attributes. By
    default, Device Manager hides the default Connection Parameter Maps configuration attributes and the
    attributes which are not commonly used.
KAL-AP-TAG Name
  The KAL-AP-TAG feature allows the Cisco Global Site Selector (GSS) proprietary KAL-AP protocol to
  extract load and availability information from the ACE when a firewall is positioned between the GSS
  and the ACE. This feature allows you to configure a tag (name) per VIP for a maximum of 4,096 tags on
  an ACE. This feature does not replace the tag per domain feature. For more information about this
  feature, see the Configuring Health Monitoring chapter in the Cisco Application Control Engine
  Appliance Server Load-Balancing Configuration Guide.
  In the KAL-AP-TAG Name field, enter the name as an unquoted text string with no spaces and a
  maximum of 76 alphanumeric characters.
  The following scenarios are not supported and will result in an error:
  • You cannot configure a tag name for a VIP that already has a tag configuration as part of a different
    policy configuration.
  • You cannot associate the same tag name with more than one VIP.
  • You cannot associate the same tag name with a domain and a VIP.
  • You cannot assign two different tags to two different Layer 3 class maps that have the same VIP, but
    different port numbers. The KAL-AP protocol considers these class maps to have the same VIP and
    calculates the load for both Layer 3 rules together when the GSS queries the VIP.
Kal-AP Primary Out of Service
  Check this box for the ACE to notify the Global Site Selector (GSS) that the primary server farm is down
  when the backup server farm is in use.
  By default, when you configure a redirect server farm as a backup server farm on the ACE and the
  primary server farm fails, the backup server farm redirects the client requests to another data center.
  However, the VIP remains in the INSERVICE state.
  When you configure the ACE to communicate with a GSS, it provides information for server
  availability. When a backup server farm is in use after the primary server farm is down and this feature
  is enabled, the ACE informs the GSS that the VIP for the primary server farm is out of service by
  returning a load value of 255. The GSS recognizes that the primary server farm is down and sends future
  DNS requests with the IP address of the other data center.
  Clear this check box to disable this feature.
DNS Parameter Map
  This field appears if DNS is the selected protocol over UDP.
  Select an existing DNS parameter map or click *New* to create a new one:
  • If you select an existing parameter map, you can view, modify, or duplicate the existing configuration.
    See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
  • If you click *New*, the DNS Parameter Map configuration pane appears. Configure the DNS parameter
    map as described in Table 6-11.
Generic Parameter Map
  This field appears if Generic is the selected application protocol over TCP or UDP.
  Select an existing Generic parameter map or click *New* to create a new one:
  • If you select an existing parameter map, you can view, modify, or duplicate the existing configuration.
    See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
  • If you click *New*, the Generic Parameter Map configuration pane appears. Configure the Generic
    parameter map as described in Table 6-4.
HTTP Parameter Map
  This field appears if HTTP or HTTPS is the selected application protocol.
  Select an existing HTTP parameter map or click *New* to create a new one:
  • If you select an existing parameter map, you can view, modify, or duplicate the existing configuration.
    See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
  • If you click *New*, the HTTP Parameter Map configuration pane appears. Configure the HTTP parameter
    map as described in Table 6-5.
RTSP Parameter Map
  This field appears if RTSP is the selected application protocol over TCP.
  Select an existing RTSP parameter map or click *New* to create a new one:
  • If you select an existing parameter map, you can view, modify, or duplicate the existing configuration.
    See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
  • If you click *New*, the RTSP Parameter Map configuration pane appears. Configure the RTSP parameter
    map as described in Table 6-8.
ICMP Reply
  Indicate how the virtual server is to respond to ICMP ECHO requests:
  • None—Indicates that the virtual server is not to send ICMP ECHO-REPLY responses to ICMP requests.
  • Active—Indicates that the virtual server is to send ICMP ECHO-REPLY responses only if the configured
    VIP is active.
  • Always—Indicates that the virtual server is always to send ICMP ECHO-REPLY responses to ICMP
    requests.
  • Primary Inservice—The virtual server is to reply to an ICMP ping only if the primary server farm state
    is UP, regardless of the state of the backup server farm. If this option is selected and the primary server
    farm state is DOWN, the ACE discards the ICMP request and the request times out.
Status
  Indicate whether the virtual server is to be in service or out of service:
  • In Service—Enables the virtual server for load-balancing operations.
  • Out Of Service—Disables the virtual server for load-balancing operations.
Step 4
To configure virtual server properties in the Basic View, enter the information in Table 3-3.
Table 3-3
Virtual Server Properties – Basic View
Virtual Server Name
  Enter the name for the virtual server.
Virtual IP Address
  Enter the IP address for the virtual server.
Transport Protocol
  Select the protocol that the virtual server supports:
  • Any—Indicates that the virtual server is to accept connections using any IP protocol.
  • TCP—Indicates that the virtual server is to accept connections that use TCP.
  • UDP—Indicates that the virtual server is to accept connections that use UDP.
Application Protocol
  Select the application protocol to be supported by the virtual server.
  For TCP, the options are:
  • FTP—File Transfer Protocol
  • HTTP—Hyper Text Transfer Protocol
  • HTTPS—HTTP over SSL
    If you select HTTPS, the SSL Termination configuration subset appears. See Configuring Virtual
    Server SSL Termination, page 3-17.
  • Generic—Generic protocol parsing
  • Other—Any protocol other than those specified.
  • RTSP—Real Time Streaming Protocol
  • RDP—Remote Desktop Protocol
  • SIP—Session Initiation Protocol
  For UDP, the options are:
  • DNS—Domain Name System
  • Generic—Generic protocol parsing
  • Other—Any protocol other than those specified.
  • RTSP—Real Time Streaming Protocol
  • RADIUS—Remote Authentication Dial-In User Service
  • SIP—Session Initiation Protocol
Port
  This field appears for any specified protocol.
  Enter the port to be used for the specified protocol. Valid entries are integers from 0 to 65535 or a range
  of integers, such as 10-20. Enter 0 (zero) to indicate all ports.
  For a complete list of all protocols and ports, see the Internet Assigned Numbers Authority available at
  www.iana.org/numbers/.
All VLANs
  Check the check box to support incoming traffic from all VLANs. Clear the check box to support
  incoming traffic from specific VLANs only.
VLAN
  This field appears if the All VLANs check box is cleared.
  In the Available list, select the VLANs to use for incoming traffic, then click Add to Selection. The items
  appear in the Selected list.
  To remove VLANs, select them in the Selected list, then click Remove from Selection. The items appear
  in the Available list.
  Note
    You cannot change the VLAN for a virtual server once it is specified. Instead, you need to delete the
    virtual server and create a new one with the desired VLAN.
Step 5
When you finish configuring virtual server properties, click:
• Deploy Now to deploy the configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries.
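The KAL-AP-TAG Name rules in Table 3-2 are easy to violate once several virtual servers share a VIP, and the ACE only reports the conflict at deployment time. The following added example (not Cisco code and not part of this guide) checks a planned set of tag assignments against those rules before anything is deployed; the class map names, VIPs, policy names, domain and tags are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Table 3-2: unquoted text, no spaces, at most 76 alphanumeric characters.
TAG_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,76}$")


@dataclass
class L3ClassMap:
    """One Layer 3 class map (VIP plus port) that may carry a KAL-AP tag."""
    name: str
    vip: str
    port: Optional[int]  # None stands for "all ports" (0 in the Port field)
    policy: str          # policy map the class map is attached to
    tag: Optional[str] = None


@dataclass
class KalApConfig:
    """Planned tag assignments: per-VIP tags via class maps, plus per-domain tags."""
    class_maps: List[L3ClassMap] = field(default_factory=list)
    domain_tags: Dict[str, str] = field(default_factory=dict)  # domain -> tag


def check_tag_name(tag: str) -> Optional[str]:
    """Return an error message if the tag breaks the name rules, otherwise None."""
    if not TAG_NAME_RE.match(tag):
        return f"tag {tag!r} must be 1 to 76 alphanumeric characters with no spaces"
    return None


def validate(cfg: KalApConfig) -> List[str]:
    """Return every rule violation found; an empty list means the plan is deployable."""
    errors: List[str] = []
    tag_to_vips: Dict[str, Set[str]] = {}
    vip_to_policies: Dict[str, Set[str]] = {}
    vip_to_tags: Dict[str, Set[str]] = {}

    for cm in cfg.class_maps:
        if cm.tag is None:
            continue
        err = check_tag_name(cm.tag)
        if err:
            errors.append(f"{cm.name}: {err}")
        tag_to_vips.setdefault(cm.tag, set()).add(cm.vip)
        vip_to_policies.setdefault(cm.vip, set()).add(cm.policy)
        vip_to_tags.setdefault(cm.vip, set()).add(cm.tag)

    # The same tag name cannot be associated with more than one VIP.
    for tag, vips in tag_to_vips.items():
        if len(vips) > 1:
            errors.append(f"tag {tag!r} is associated with more than one VIP: {sorted(vips)}")

    # The same tag name cannot be associated with a domain and a VIP.
    for domain, tag in cfg.domain_tags.items():
        if tag in tag_to_vips:
            errors.append(f"tag {tag!r} is used for domain {domain!r} and for a VIP")

    # A VIP that already has a tag in a different policy cannot get another tag.
    for vip, policies in vip_to_policies.items():
        if len(policies) > 1:
            errors.append(f"VIP {vip} has tag configuration in more than one policy: {sorted(policies)}")

    # Class maps with the same VIP but different ports are one VIP to KAL-AP,
    # so they cannot carry two different tags.
    for vip, tags in vip_to_tags.items():
        if len(tags) > 1:
            errors.append(f"VIP {vip} carries different tags on different ports: {sorted(tags)}")
    return errors


def sample_config() -> KalApConfig:
    """Constructed sample: one clean assignment plus four deliberate violations."""
    return KalApConfig(
        class_maps=[
            L3ClassMap("VS_WEB_L3", "192.0.2.10", 80, "POLICY_A", tag="webfarm1"),
            # same VIP as above on another port, but a different tag
            L3ClassMap("VS_WEB_SSL_L3", "192.0.2.10", 443, "POLICY_A", tag="webfarm2"),
            L3ClassMap("VS_MAIL_L3", "192.0.2.20", 25, "POLICY_B", tag="mailfarm"),
            # same tag reused for a second VIP
            L3ClassMap("VS_MAIL2_L3", "192.0.2.21", 25, "POLICY_B", tag="mailfarm"),
            # tag name containing a space
            L3ClassMap("VS_APP_L3", "192.0.2.30", None, "POLICY_C", tag="app farm"),
        ],
        # domain tag that collides with the VIP tag webfarm1
        domain_tags={"app.example.test": "webfarm1"},
    )
```

Running validate(sample_config()) returns four messages, one per deliberate violation; an empty list means the tags can be entered in the KAL-AP-TAG Name fields without the ACE rejecting them.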
Related Topics
• Configuring Virtual Servers, page 3-2
• Configuring Virtual Server SSL Termination, page 3-17
Configuring Virtual Server SSL Termination
SSL termination service allows the virtual server to act as an SSL proxy server, terminating SSL
sessions between itself and its clients and then establishing a TCP connection to an HTTP server. When
the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data
as clear text to an HTTP server.
Use this procedure to configure virtual server SSL termination service.
Assumption
A virtual server has been configured for HTTPS over TCP or Other over TCP in the Properties
configuration subset. For more information, see Configuring Virtual Server Properties, page 3-11.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers
table appears.
Step 2
Select the virtual server you want to configure for SSL termination, then click Edit. The Virtual Server
configuration screen appears.
Step 3
Click SSL Termination. The Proxy Service Name field appears.
Step 4
In the Proxy Service Name field, select an existing SSL termination service, or select *New* to create
a new SSL proxy service:
• If you select an existing SSL service, the screen refreshes and allows you to view, modify, or duplicate
  the existing configuration. See Shared Objects and Virtual Servers, page 3-9 for more information about
  modifying shared objects.
• If you select *New*, the Proxy Service configuration subset appears.
Step 5
Configure the SSL service using the information in Table 3-4.
Table 3-4
Virtual Server SSL Termination Attributes
Name
  Enter a name for this SSL proxy service. Valid entries are alphanumeric strings with a maximum of 64
  characters.
Keys
  Select the SSL key pair to use during the SSL handshake for data encryption.
Certificates
  Select the SSL certificate to use during the SSL handshake.
Chain Groups
  Select the chain group to use during the SSL handshake.
Auth Groups
  Select the SSL authentication group to associate with this proxy server service.
CRL Best-Effort
  This option appears if you select an authentication group in the Auth Group Name field.
  Check the check box to allow the ACE to search the client certificates presented to this service to
  determine whether a certificate contains a CRL in its extensions and, if it exists, retrieve the value.
  Clear the check box to disable this feature.
CRL Name
  This option appears if the CRL Best-Effort check box is clear.
  Select the Certificate Revocation List (CRL) that the ACE is to use for this proxy service.
Parameter Maps
  Select the SSL parameter map to associate with this proxy server service.
For more information about SSL, see Configuring SSL, page 7-1.
Step 6
When you finish configuring virtual server properties, click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries.
Related Topics
• Configuring Virtual Servers, page 3-2
• Configuring Virtual Server Properties, page 3-11
Configuring Virtual Server Protocol Inspection
Configuring protocol inspection allows the virtual server to verify protocol behavior and identify
unwanted or malicious traffic passing through the ACE appliance.
In the Advanced View, protocol inspection configuration is available for the following virtual server
protocol configurations:
• TCP with FTP, HTTP, HTTPS, RTSP, or SIP
• UDP with DNS or SIP
In the Basic View, protocol inspection configuration is available for TCP with FTP.
Use this procedure to configure protocol inspection on a virtual server.
Assumption
A virtual server has been configured to use one of the protocols that supports protocol inspection in the
Properties configuration subset. See Configuring Virtual Server Properties, page 3-11 for information on
configuring these protocols.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers
table appears.
Step 2
Select the virtual server that you want to configure for protocol inspection, then click Edit. The Virtual
Server configuration screen appears.
Step 3
Click Protocol Inspection. The Enable Inspect check box appears.
Step 4
Check the Enable Inspect check box to enable inspection on the specified traffic. Clear this check box
to disable inspection on this traffic. By default, ACE appliances allow all request methods.
Step 5
If you checked the Enable Inspect check box, configure additional inspection options according to the
virtual server application protocol configuration:
• For DNS, in the Length field enter the maximum length of the DNS packet in bytes. Valid entries are
  from 512 to 65535 bytes. If you do not enter a value in this field, the DNS packet size is not checked.
• For FTP, continue with Step 6.
• For HTTP and HTTPS, continue with Step 7.
• For SIP, continue with Step 9.
Note
  There are no protocol-specific inspection options for RTSP.
Step 6
For FTP protocol inspection:
a. Check the Use Strict check box to indicate that the virtual server is to perform enhanced inspection of
   FTP traffic and enforce compliance with RFC standards. Clear this check box to indicate that the virtual
   server is not to perform enhanced FTP inspection.
b. If you checked the Use Strict check box, in the Blocked FTP Commands field, identify the commands
   that are to be denied by the virtual server. See Table 10-13 for more information about the FTP
   commands.
   – Select the commands that are to be blocked by the virtual server in the Available list, then click Add.
     The commands appear in the Selected list.
   – To remove commands that you do not want to be blocked, select them in the Selected list, then click
     Remove. The commands appear in the Available list.
Step 7
For HTTP or HTTPS inspection:
a. Check the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic. When
   enabled, this feature logs every URL request that is sent in the specified class of traffic, including the
   source or destination IP address and the URL that is accessed. Clear this check box to disable
   monitoring of Layer 3 and Layer 4 traffic.
b. In the Policy subset, click Add to add a new match condition and action, or select an existing match
   condition and action, then click Edit to modify it. The Policy configuration pane appears.
c. In the Matches field, select an existing class map or *New* or *Inline Match* to configure new match
   criteria for protocol inspection.
   If you select an existing class map, the screen refreshes and allows you to view, modify, or duplicate
   the selected class map. See Shared Objects and Virtual Servers, page 3-9 for more information about
   modifying shared objects.
d. Configure match criteria and related actions by following the steps in Table 3-5.
Table 3-5
Protocol Inspection Match Criteria Configuration
Existing class map
  1. Click View to review the match condition information for the selected class map.
  2. Click:
     – Cancel to continue without making changes and to return to the previous screen.
     – Edit to modify the existing configuration.
     – Duplicate to create a new class map with the same attributes without affecting other virtual servers
       using the same class map.
     See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared
     objects.
  3. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches
     the specified match criteria:
     – Permit—Indicates that the specified traffic is to be received by the virtual server if it meets the
       specified deep inspection match criteria.
     – Reset—Indicates that the specified traffic is to be denied by the virtual server, which then sends a
       TCP reset message to the client or server to close the connection.
*New*
  1. In the Name field, specify a unique name for this class map.
  2. In the Match field, select the method to be used to evaluate multiple match statements when multiple
     match conditions exist:
     – All—Indicates that a match exists only if all match conditions are satisfied.
     – Any—Indicates that a match exists if at least one of the match conditions is satisfied.
  3. In the Conditions table, click Add to add a new set of conditions, or select an existing entry, then click
     Edit to modify it. The Type field appears.
  4. In the Type field, select the type of condition that is to be met for protocol inspection and configure
     protocol-specific criteria using the information in Table 3-6.
  5. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches
     the specified match criteria:
     – Permit—Indicates that the specified traffic is to be received by the virtual server if it meets the
       specified deep inspection match criteria.
     – Reset—Indicates that the specified traffic is to be denied by the virtual server, which then sends a
       TCP reset message to the client or server to close the connection.
*Inline Match*
  1. In the Conditions Type field, select the type of inline match condition that is to be met for protocol
     inspection. Table 3-6 describes the types of conditions and their related configuration options.
  2. Provide condition-specific criteria using the information in Table 3-6.
  3. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches
     the specified match criteria:
     – Permit—Indicates that the specified traffic is to be received by the virtual server if it meets the
       specified deep inspection match criteria.
     – Reset—Indicates that the specified traffic is to be denied by the virtual server, which then sends a
       TCP reset message to the client or server to close the connection.
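To make the Match All / Match Any and Permit / Reset semantics of Table 3-5 concrete, the following added example (not Cisco code and not part of this guide) models a small HTTP inspection policy in Python using the Content, Content Length, Header and Header Length conditions that Table 3-6 describes. The request, class maps and policy are constructed sample data; first-match evaluation order, a permit default, and regular-expression matching for the Content condition are assumptions of this model, not documented ACE behavior.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class HttpRequest:
    """Minimal parsed HTTP request: the parts the Table 3-6 conditions examine."""
    method: str
    uri: str
    headers: Dict[str, str]
    body: bytes

    def header_block_length(self) -> int:
        """Byte length of the request line and headers, including the blank line that ends them."""
        lines = [f"{self.method} {self.uri} HTTP/1.1"]
        lines += [f"{k}: {v}" for k, v in self.headers.items()]
        return len(("\r\n".join(lines) + "\r\n\r\n").encode())

def length_matches(length: int, op: str, *values: int) -> bool:
    """Equal To / Greater Than / Less Than / Range operators from Table 3-6."""
    if op == "eq":
        return length == values[0]
    if op == "gt":
        return length > values[0]
    if op == "lt":
        return length < values[0]
    if op == "range":
        lower, higher = values
        if lower >= higher:  # the GUI requires Lower Value < Higher Value
            raise ValueError("lower value must be less than higher value")
        return lower <= length <= higher
    raise ValueError(f"unknown operator {op!r}")

Condition = Callable[[HttpRequest], bool]  # one Table 3-6 condition

def content(expr: str, offset: int = 0) -> Condition:
    """Content: search the entity body after skipping `offset` bytes (regex is an assumption here)."""
    pattern = re.compile(expr.encode())
    return lambda r: pattern.search(r.body[offset:]) is not None

def content_length(op: str, *values: int) -> Condition:
    """Content Length: compare the body length using the chosen operator."""
    return lambda r: length_matches(len(r.body), op, *values)

def header(name: str, value_expr: str) -> Condition:
    """Header: regex match on the named header's value (names compared case-insensitively)."""
    pattern = re.compile(value_expr)

    def _match(r: HttpRequest) -> bool:
        for k, v in r.headers.items():
            if k.lower() == name.lower():
                return pattern.search(v) is not None
        return False
    return _match

def header_length(op: str, *values: int) -> Condition:
    """Header Length (Request): compare the header block length using the chosen operator."""
    return lambda r: length_matches(r.header_block_length(), op, *values)

@dataclass
class ClassMap:
    """A class map from Table 3-5: conditions combined with Match All or Match Any."""
    name: str
    match: str  # "all" or "any"
    conditions: List[Condition]

    def matches(self, r: HttpRequest) -> bool:
        results = [c(r) for c in self.conditions]
        return all(results) if self.match == "all" else any(results)

def evaluate(policy: List[Tuple[ClassMap, str]], r: HttpRequest,
             default: str = "permit") -> Tuple[str, Optional[str]]:
    """First matching class map decides; returns (action, class map name) or (default, None)."""
    for class_map, action in policy:
        if class_map.matches(r):
            return action, class_map.name
    return default, None

def sample_policy() -> List[Tuple[ClassMap, str]]:
    """Constructed policy: reset oversized or script-bearing bodies, permit the application's own traffic."""
    return [
        (ClassMap("CM_RESET_BIG_OR_SCRIPT", "any",
                  [content_length("gt", 1024), content(r"<script")]), "reset"),
        (ClassMap("CM_PERMIT_APP", "all",
                  [header("Host", r"^app\.example\.test$"),
                   content_length("range", 0, 1024)]), "permit"),
    ]

def sample_request(body: bytes = b"user=alice", host: str = "app.example.test") -> HttpRequest:
    """Constructed sample POST to the application (hostname and body are made up)."""
    return HttpRequest("POST", "/login",
                       {"Host": host, "Content-Type": "application/x-www-form-urlencoded"}, body)
```

With the sample policy, evaluate(sample_policy(), sample_request()) returns ("permit", "CM_PERMIT_APP"), while a body containing "<script" or longer than 1024 bytes returns ("reset", "CM_RESET_BIG_OR_SCRIPT").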
Table 3-6
HTTP and HTTPS Protocol Inspection Conditions and Options
Content
  Specific content contained within the HTTP entity-body is to be used for application inspection
  decisions.
  1. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric
     strings from 1 to 255 characters.
  2. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte of the
     Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message.
     Valid entries are from 1 to 255 bytes.
Content Length
  The content parse length is used for application inspection decisions.
  1. In the Content Length Operator field, select the operand to use to compare content length:
     – Equal To—The content length must equal the number in the Content Length Value field.
     – Greater Than—The content length must be greater than the number in the Content Length Value
       field.
     – Less Than—The content length must be less than the number in the Content Length Value field.
     – Range—The content length must be within the range specified in the Content Length Lower Value
       field and the Content Length Higher Value field.
  2. Enter values to apply for content length comparison:
     – If you select Equal To, Greater Than, or Less Than in the Content Length Operator field, the
       Content Length Value field appears. In the Content Length Value field, enter the number of bytes
       for comparison. Valid entries are integers from 0 to 4294967295.
     – If you select Range in the Content Length Operator field, the Content Length Lower Value and the
       Content Length Higher Value fields appear:
       1. In the Content Length Lower Value field, enter the lowest number of bytes to be used for this
          match condition. Valid entries are integers from 0 to 4294967295. The number in this field must
          be less than the number entered in the Content Length Higher Value field.
       2. In the Content Length Higher Value field, enter the highest number of bytes to be used for this
          match condition. Valid entries are integers from 0 to 4294967295. The number in this field must
          be greater than the number entered in the Content Length Lower Value field.
Content Type Verification
  Verification of MIME-type messages with the header MIME-type is to be used for application inspection
  decisions. This option verifies that the header MIME-type value is in the internal list of supported
  MIME-types and that the header MIME-type matches the content in the data or body portion of the
  message.
Header
  The name and value in an HTTP header are used for application inspection decisions.
  1. In the Header field, select one of the predefined HTTP headers to match, or select HTTP Header to
     specify a different HTTP header.
  2. If you select HTTP Header, in the Header Name field, enter the name of the HTTP header to match.
     Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
  3. In the Header Value field, enter the header-value expression string to compare against the value in
     the specified field in the HTTP header. Valid entries are text strings with a maximum of 255
     alphanumeric characters. The ACE supports regular expressions for matching. Header expressions
     allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be
     matched. See Table 10-31 for a list of the supported characters that you can use in regular
     expressions.
Header Length
  The length of the header in the HTTP message is used for application inspection decisions.
  1. In the Header Length Type field, specify whether HTTP header request or response messages are to
     be used for application inspection decisions:
     – Request—HTTP header request messages are to be checked for header length.
     – Response—HTTP header response messages are to be checked for header length.
  2. In the Header Length Operator field, select the operand to be used to compare header length:
     – Equal To—The header length must equal the number in the Header Length Value field.
     – Greater Than—The header length must be greater than the number in the Header Length Value
       field.
     – Less Than—The header length must be less than the number in the Header Length Value field.
     – Range—The header length must be within the range specified in the Header Length Lower Value
       field and the Header Length Higher Value field.
  3. Enter values to apply for header length comparison:
     – If you select Equal To, Greater Than, or Less Than in the Header Length Operator field, the Header
       Length Value field appears. In the Header Length Value field, enter the number of bytes for
       comparison. Valid entries are integers from 0 to 255.
     – If you select Range in the Header Length Operator field, the Header Length Lower Value and the
       Header Length Higher Value fields appear:
       1. In the Header Length Lower Value field, enter the lowest number of bytes to be used for this
          match condition. Valid entries are integers from 0 to 255. The number in this field must be less
          than the number entered in the Header Length Higher Value field.
       2. In the Header Length Higher Value field, enter the highest number of bytes to be used for this
          match condition. Valid entries are integers from 1 to 255. The number in this field must be
          greater than the number entered in the Header Length Lower Value field.
Header MIME Type
  Multipurpose Internet Mail Extension (MIME) message types are used for application inspection
  decisions.
  In the Header MIME Type field, select the MIME message type to use for this match condition.
Port Misuse
The misuse of port 80 (or any other port running HTTP) is to be used for application inspection decisions.
Indicate the application category to use for this match condition:
• IM—Instant messaging applications are to be checked.
• P2P—Peer-to-peer applications are to be checked.
• Tunneling—Tunneling applications are to be checked.
Request Method
A request method is to be used for application inspection decisions.
1. Select the type of request method to use for this match condition:
– Ext—An HTTP extension method is to be used.
– RFC—The request method defined in RFC 2616 is to be used.
2. In the Request Method field, select the request method that is to be inspected.
Strict HTTP
Compliance with HTTP RFC 2616 is to be used for application inspection decisions.
Transfer Encoding
An HTTP transfer-encoding type is to be used for application inspection decisions. The
transfer-encoding general-header field indicates the type of transformation, if any, that has been
applied to the HTTP message body to safely transfer it between the sender and the recipient.
In the Transfer Encoding field, select the type of encoding that is to be checked:
• Chunked—The message body is transferred as a series of chunks.
• Compress—The encoding format that is produced by the UNIX file compression program compress.
• Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE compression mechanism described in RFC 1951.
• Gzip—The encoding format that is produced by the file compression program GZIP (GNU zip) as described in RFC 1952.
• Identity—The default (identity) encoding which does not require the use of transformation.
URL
URL names are to be used for application inspection decisions.
In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from
1 to 255 alphanumeric characters and include only the portion of the URL following
www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html,
include only /latest/whatsnew.html.
URL Length
URL length is to be used for application inspection decisions.
1. In the URL Length Operator field, select the operand to use to compare URL length:
– Equal To—The URL length must equal the number in the URL Length Value field.
– Greater Than—The URL length must be greater than the number in the URL Length Value field.
– Less Than—The URL length must be less than the number in the URL Length Value field.
– Range—The URL length must be within the range specified in the URL Length Lower Value field and the URL Length Higher Value field.
2. Enter values to apply for URL length comparison:
– If you select Equal To, Greater Than, or Less Than in the URL Length Operator field, the URL Length Value field appears. In the URL Length Value field, enter the value for comparison. Valid entries are from 1 to 65535 bytes.
– If you select Range in the URL Length Operator field, the URL Length Lower Value and the URL Length Higher Value fields appear:
1. In the URL Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are integers from 1 to 65535. The number in this field must be less than the number entered in the URL Length Higher Value field.
2. In the URL Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are integers from 1 to 65535. The number in this field must be greater than the number entered in the URL Length Lower Value field.
e. Click:
– OK to save your entries. The Conditions table refreshes with the new entry.
– Cancel to exit the Policy subset without saving your entries.
f. In the Default Action field, select the default action that the virtual server is to take when specified match conditions for protocol inspection are not met:
– Permit—Indicates that the specified HTTP traffic is to be received by the virtual server.
– Reset—Indicates that the specified HTTP traffic is to be denied by the virtual server.
– N/A—Indicates that this attribute is not set.
Step 8
For SIP inspection:
a. In the Actions subset, click Add to add a new match condition and action, or select an existing match condition and action, then click Edit to modify it. The Actions configuration pane appears.
b. In the Matches field, select an existing class map or *New* or *Inline Match* to configure new match criteria for protocol inspection.
If you select an existing class map, the screen refreshes and allows you to view, modify, or duplicate the selected class map. See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
c. Configure match criteria and related actions using the information in Table 3-7.
Table 3-7
SIP Protocol Inspection Conditions and Options
Condition
Description
Called Party
The destination or called party specified in the URI of the SIP To header is used for SIP
protocol inspection decisions.
In the Called Party field, enter a regular expression that identifies the called party in the URI
of the SIP To header for this match condition. Valid entries are unquoted text strings with no
spaces and a maximum of 255 alphanumeric characters. The ACE supports regular
expressions for matching string expressions. Table 10-31 lists the supported characters that
you can use for matching string expressions.
Calling Party
The source or caller specified in the URI of the SIP From header is used for SIP protocol
inspection decisions.
In the Calling Party field, enter a regular expression that identifies the calling party in the URI
of the SIP From header for this match condition. Valid entries are unquoted text strings with
no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular
expressions for matching string expressions. Table 10-31 lists the supported characters that
you can use for matching string expressions.
IM Subscriber
An IM (instant messaging) subscriber is used for application inspection decisions.
In the IM Subscriber field, enter a regular expression that identifies the IM subscriber for this
match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. The ACE supports regular expressions for matching string
expressions. Table 10-31 lists the supported characters that you can use for matching string
expressions.
Message Path
SIP inspection allows you to filter messages coming from or transiting through certain SIP
proxy servers. The ACE maintains a list of the unauthorized SIP proxy IP addresses or URIs
in the form of regular expressions and checks this list against the VIA header field in each SIP
packet.
In the Message Path field, enter a regular expression that identifies the SIP proxy server for
this match condition. Valid entries are unquoted text strings with no spaces and a maximum
of 255 alphanumeric characters. The ACE supports regular expressions for matching string
expressions. Table 10-31 lists the supported characters that you can use for matching string
expressions.
SIP Content Type
The content type in the SIP message body is used for SIP protocol inspection decisions.
In the Content Type field, enter a regular expression that identifies the content type in the SIP
message body to use for this match condition. Valid entries are unquoted text strings with no
spaces and a maximum of 255 alphanumeric characters. The ACE supports regular
expressions for matching string expressions. Table 10-31 lists the supported characters that
you can use for matching string expressions.
SIP Content Length
The SIP message body content length is used for SIP protocol inspection decisions.
To specify SIP traffic based on SIP message body length:
1. In the Content Operator field, confirm that Greater Than is selected.
2. In the Content Length field, enter the maximum size of a SIP message body in bytes that the ACE is to allow without performing SIP protocol inspection. If a SIP message exceeds the specified value, the ACE performs SIP protocol inspection as defined in an associated policy map. Valid entries are integers from 0 to 65534 bytes.
SIP Request Method
A SIP request method is used for application inspection decisions.
In the Request Method field, select the request method that is to be inspected.
Third Party
SIP allows users to register other users on their behalf by sending REGISTER messages with
different values in the From and To header fields. This process can pose a security threat if the
REGISTER message is actually a DEREGISTER message. A malicious user could cause a
DoS (denial-of-service) attack by deregistering all users on their behalf. To prevent this
security threat, you can specify a list of privileged users who can register or unregister
someone else on their behalf. The ACE maintains the list as a regex table. If you configure this
policy, the ACE drops REGISTER messages with mismatched From and To headers and a
From header value that does not match any of the privileged user IDs.
In the Third Party Registration Entities field, enter a regular expression that identifies a
privileged user who is authorized for third-party registrations. Valid entries are unquoted text
strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports
regular expressions for matching string expressions. Table 10-31 lists the supported characters
that you can use for matching string expressions.
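The third-party REGISTER check described above, modeled as an added example (not Cisco's code); the privileged-user patterns, the sample messages and the minimal SIP header parsing are assumptions:

```python
import re

# Added example, not Cisco's code: models the Third Party check described above. A REGISTER
# whose From and To URIs differ is a third-party registration; it is dropped unless the From
# URI matches a configured privileged-user regular expression. The SIP parsing is
# deliberately minimal, and the patterns and messages are constructed for illustration.

# Third Party Registration Entities (constructed sample patterns, one regex per entry).
PRIVILEGED_USER_PATTERNS = [
    r"^sip:pbx-admin@example\.com$",
    r"^sip:provision-[0-9]+@example\.com$",
]

# RFC 3261 allows compact header names, so accept both forms when looking up From/To.
COMPACT_FORMS = {"from": "f", "to": "t"}


def extract_uri(header_value):
    """Return the bare URI from a From/To value such as '"Alice" <sip:a@x>;tag=1'."""
    value = header_value.strip()
    angle = re.search(r"<([^>]+)>", value)
    if angle:
        return angle.group(1).strip()
    return value.split(";", 1)[0].strip()


def header_uri(message, name):
    """URI from the first header called `name` (or its compact form), or None if absent."""
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() in (name.lower(), COMPACT_FORMS[name.lower()]):
            return extract_uri(value)
    return None


def request_method(message):
    return message.split("\r\n", 1)[0].split(" ", 1)[0]


def evaluate_register(message, privileged_patterns=PRIVILEGED_USER_PATTERNS):
    """Return (action, reason): 'drop' or 'permit' for one SIP request."""
    if request_method(message) != "REGISTER":
        return "permit", "not a REGISTER; the third-party check does not apply"
    from_uri = header_uri(message, "From")
    to_uri = header_uri(message, "To")
    if from_uri is None or to_uri is None:
        # Assumption: a REGISTER without both headers cannot be checked and is dropped.
        return "drop", "REGISTER lacks a From or To header"
    if from_uri.lower() == to_uri.lower():
        return "permit", "first-party registration (From and To match)"
    if any(re.search(pattern, from_uri) for pattern in privileged_patterns):
        return "permit", "third-party registration by a privileged user"
    return "drop", "third-party registration with a non-privileged From header"


def build_register(from_header, to_header):
    """Constructed REGISTER request used as sample input."""
    lines = [
        "REGISTER sip:example.com SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        f"From: {from_header}",
        f"To: {to_header}",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 1 REGISTER",
        "Contact: <sip:192.0.2.10:5060>",
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


SELF_REGISTER = build_register('"Alice" <sip:alice@example.com>;tag=1928', "<sip:alice@example.com>")
PRIVILEGED_THIRD_PARTY = build_register("<sip:pbx-admin@example.com>;tag=77", "<sip:bob@example.com>")
UNPRIVILEGED_THIRD_PARTY = build_register("sip:carol@example.com;tag=13", "sip:bob@example.com")

if __name__ == "__main__":
    for label, msg in [("self", SELF_REGISTER), ("privileged", PRIVILEGED_THIRD_PARTY),
                       ("unprivileged", UNPRIVILEGED_THIRD_PARTY)]:
        print(f"{label:13} -> {evaluate_register(msg)}")
```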
URI Length
The ACE can validate the length of SIP URIs or Tel URIs. A SIP URI is a user identifier that
a calling party (source) uses to contact the called party (destination). A Tel URI is a telephone
number that identifies the endpoint of a SIP connection. For more information about SIP URIs
and Tel URIs, see RFC 2534 and RFC 3966, respectively.
To filter SIP traffic based on URIs:
1. In the URI Type field, indicate the type of URI to be used:
– SIP URI—The calling party URI is to be used for this match condition.
– Tel URI—A telephone number is to be used for this match condition.
2. In the URI Operator field, confirm that Greater Than is selected.
3. In the URI Length field, enter the maximum length of the SIP URI or Tel URI in bytes. Valid entries are integers from 0 to 254 bytes.
d. In the Action field, select the action that the virtual server is to take when the specified match conditions are met:
– Drop—The specified SIP traffic is to be discarded by the virtual server.
– Permit—The specified SIP traffic is to be received by the virtual server.
– Reset—The specified SIP traffic is to be denied by the virtual server.
e. Click:
– OK to save your entries. The Conditions table refreshes with the new entry.
– Cancel to exit the Conditions subset without saving your entries and to return to the Conditions table.
f. In the SIP Parameter Map field, select an existing parameter map or select *New* to configure a new one.
If you select an existing parameter map, the screen refreshes and allows you to view, modify, or delete the selected parameter map. See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
g. Configure SIP parameter map options using the information in Table 6-9.
h. In the Secondary Connection Parameter Map field, select an existing parameter map or select *New* to configure a new one.
If you select an existing parameter map, the screen refreshes and allows you to view, modify, or delete the selected parameter map. See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
i. Configure secondary connection parameter map options using the information in Table 6-2.
j. In the Default Action field, select the default action that the virtual server is to take when specified match conditions for SIP protocol inspection are not met:
– Drop—The specified SIP traffic is to be discarded by the virtual server.
– Permit—The specified SIP traffic is to be received by the virtual server.
– Reset—The specified SIP traffic is to be denied by the virtual server.
k. Check the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic. When enabled, this feature logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed. Clear this check box to disable monitoring of Layer 3 and Layer 4 traffic.
Step 9
When you finish configuring virtual server properties, click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries.
Related Topics
• Configuring Virtual Server Properties, page 3-11
• Configuring Virtual Server SSL Termination, page 3-17
• Configuring Virtual Server Layer 7 Load Balancing, page 3-29
Configuring Virtual Server Layer 7 Load Balancing
Layer 7 load balancing is available for virtual servers configured with one of the following protocol combinations:
• TCP with Generic, HTTP, HTTPS, RTSP, or SIP
• UDP with Generic, RADIUS, or SIP
See Configuring Virtual Server Properties, page 3-11 for information on configuring these protocols.
Use this procedure to configure Layer 7 load balancing on a virtual server.
Assumption
A virtual server has been configured with one of the following protocol combinations:
• TCP with Generic, HTTP, HTTPS, RTSP, or SIP
• UDP with Generic, RADIUS, or SIP
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers
table appears.
Step 2
Select the virtual server you want to configure for Layer 7 load balancing, then click Edit. The Virtual
Server configuration screen appears.
Step 3
Click L7 Load-Balancing. The Layer 7 Load-Balancing Rule Match table appears.
Step 4
In the Rule Match table, click Add to add a new match condition and action, or select an existing match
condition and action, then click Edit to modify it. The Rule Match configuration pane appears.
Step 5
In the Rule Match field, select an existing class map or *New* or *Inline Match* to configure new match criteria for Layer 7 load balancing:
• If you select an existing class map, click View to review, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
• If you click *New* or *Inline Match*, the Rule Match configuration subset appears.
Step 6
Configure match criteria by following the steps in Table 3-8.
Table 3-8
Layer 7 Load-Balancing Match Criteria Configuration
Selection
Action
Existing class map
1. Click View to review the match condition information for the selected class map.
2. Click:
– Cancel to continue without making changes and to return to the previous screen.
– Edit to modify the existing configuration.
– Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map.
See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
*New*
1. In the Name field, enter a unique name for this class map.
2. In the Matches field, select the method to be used to evaluate multiple match statements when multiple match conditions exist:
– Any—Indicates that a match exists if at least one of the match conditions is satisfied.
– All—Indicates that a match exists only if all match conditions are satisfied.
3. In the Conditions table, click Add to add a new set of conditions or select an existing entry, then click Edit to modify it.
4. In the Type field, select the match condition and configure any protocol-specific options:
– For Generic protocol options, see Table 10-8.
– For HTTP and HTTPS protocol options, see Table 3-9.
– For RADIUS protocol options, see Table 10-9.
– For RTSP protocol options, see Table 10-10.
– For SIP protocol options, see Table 10-11.
5. Configure any condition-specific options using the information in Table 3-9.
6. Click:
– OK to accept your entries and to return to the Conditions table.
– Cancel to exit this procedure without saving your entries and to return to the Conditions table.
*Inline Match*
In the Conditions Type field, select the type of inline match condition and configure any protocol-specific options:
• For Generic protocol options, see Table 10-8
• For HTTP and HTTPS protocol options, see Table 3-9
• For RADIUS protocol options, see Table 10-9
• For RTSP protocol options, see Table 10-10
• For SIP protocol options, see Table 10-11
Table 3-9
Layer 7 HTTP/HTTPS Load-Balancing Rule Match Configuration
Match Condition
Description
Class Map
Indicates that this rule is to use an existing class map to establish match conditions.
If you select this method, in the Class Map field, select the class map to be used.
Note
This option is not available for inline match conditions.
HTTP Content
Specific content contained within the HTTP entity-body is used to establish a match condition.
1. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.
2. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are integers from 1 to 255.
HTTP Cookie
Indicates that HTTP cookies are to be used for this rule.
If you select this method:
1. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
2. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching string expressions. Table 10-31 lists the supported characters that you can use for matching string expressions.
3. Check the Secondary Cookie Matching check box to indicate that the ACE appliance is to use both the cookie name and the cookie value to satisfy this match condition. Clear this check box to indicate that the ACE appliance is to use either the cookie name or the cookie value to satisfy this match condition.
HTTP Header
Indicates that the HTTP header and a corresponding value are to be used for this rule.
If you select this method:
1. In the Header Name field, enter the name of the generic field in the HTTP header. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
2. In the Header Value field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 10-31 lists the supported characters that you can use in regular expressions.
HTTP URL
Indicates that this rule is to perform regular expression matching against the received packet data from a particular connection based on the HTTP URL string.
If you select this method:
1. In the URL Expression field, enter a URL, or portion of a URL, to match. Valid entries are URL strings from 1 to 255 alphanumeric characters. Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE appliance supports regular expressions for matching URL strings. Table 10-31 lists the supported characters that you can use in regular expressions.
2. In the Method Expression field, enter the HTTP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE).
Source Address
Indicates that this rule is to use a client source IP address to establish match conditions.
If you select this method:
1. In the Source Address field, enter the source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.2).
2. In the Netmask field, select the subnet mask to apply to the source IP address.
SSL
Defines load balancing decisions based on the specific SSL cipher or cipher strength. Enables the ACE to load balance client traffic to different server farms based on the SSL encryption level negotiated with the ACE during SSL termination.
If you select this method:
1. In the SSL Cipher Match Type field, select the match type. Options include:
– Equal To—Specifies an SSL cipher for the load balancing decision.
– Less Than—Specifies SSL cipher strength for the load balancing decision.
2. If you selected Equal To, in the Cipher Name field specify an SSL cipher for the load balancing decision. The possible values include:
– RSA_EXPORT1024_WITH_DES_CBC_SHA
– RSA_EXPORT1024_WITH_RC4_56_MD5
– RSA_EXPORT1024_WITH_RC4_56_SHA
– RSA_EXPORT_WITH_DES40_CBC_SHA
– RSA_EXPORT_WITH_RC4_40_MD5
– RSA_WITH_3DES_EDE_CBC_SHA
– RSA_WITH_AES_128_CBC_SHA
– RSA_WITH_AES_256_CBC_SHA
– RSA_WITH_DES_CBC_SHA
– RSA_WITH_RC4_128_MD5
– RSA_WITH_RC4_128_SHA
3. If you selected Less Than, in the Specify Minimum Cipher Strength field specify a non-inclusive minimum SSL cipher bit strength. For example, if you specify a cipher strength value of 128, any SSL cipher weaker than 128 bits hits the traffic policy, while a 128-bit or stronger cipher misses the policy.
The possible values include:
– 128—128-bit strength
– 168—168-bit strength
– 256—256-bit strength
– 56—56-bit strength
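The URL, header, cookie, source address and SSL conditions of Table 3-9, evaluated in code as an added example that is not part of this guide or of the ACE software; the request layout, the rule encoding, the cipher bit strengths and the sample rule set are assumptions:

```python
import ipaddress
import re

# Added example, not the ACE's own code: evaluates Table 3-9 HTTP/HTTPS rule match
# conditions (URL, header, cookie, source address, SSL cipher) against a constructed
# request. The request layout, rule encoding and cipher strength table are assumptions.

# Bit strength of each cipher listed under the SSL condition. Assumption: taken from the
# suite names (DES=56, DES40/RC4_40=40, RC4_56=56, 3DES=168, AES_128/RC4_128=128, AES_256=256).
CIPHER_STRENGTH = {
    "RSA_EXPORT1024_WITH_DES_CBC_SHA": 56, "RSA_EXPORT1024_WITH_RC4_56_MD5": 56,
    "RSA_EXPORT1024_WITH_RC4_56_SHA": 56, "RSA_EXPORT_WITH_DES40_CBC_SHA": 40,
    "RSA_EXPORT_WITH_RC4_40_MD5": 40, "RSA_WITH_3DES_EDE_CBC_SHA": 168,
    "RSA_WITH_AES_128_CBC_SHA": 128, "RSA_WITH_AES_256_CBC_SHA": 256,
    "RSA_WITH_DES_CBC_SHA": 56, "RSA_WITH_RC4_128_MD5": 128, "RSA_WITH_RC4_128_SHA": 128,
}


def match_condition(cond, req):
    """Evaluate one Table 3-9 match condition against a request dict."""
    kind = cond["type"]
    if kind == "http-url":
        # URL Expression is a regex over the path portion (after www.hostname.domain);
        # Method Expression, when given, must match the method exactly.
        if not re.search(cond["url"], req["url"]):
            return False
        return cond.get("method") is None or req["method"] == cond["method"]
    if kind == "http-header":
        value = req["headers"].get(cond["name"].lower())
        return value is not None and re.search(cond["value"], value) is not None
    if kind == "http-cookie":
        cookies = req["cookies"]
        if cond.get("secondary"):
            # Secondary Cookie Matching checked: both the name and that cookie's value must match.
            return cond["name"] in cookies and re.search(cond["value"], cookies[cond["name"]]) is not None
        # Unchecked: either the cookie name or any cookie value satisfies the condition.
        return cond["name"] in cookies or any(re.search(cond["value"], v) for v in cookies.values())
    if kind == "source-address":
        net = ipaddress.ip_network(f"{cond['address']}/{cond['netmask']}", strict=False)
        return ipaddress.ip_address(req["client_ip"]) in net
    if kind == "ssl":
        if cond["match"] == "equal-to":
            return req["ssl_cipher"] == cond["cipher"]
        # Less Than: the configured strength is a non-inclusive minimum, so only a cipher
        # strictly weaker than it hits the policy (a 128-bit cipher does not hit a 128 setting).
        return CIPHER_STRENGTH[req["ssl_cipher"]] < cond["strength"]
    raise ValueError(f"unsupported condition type: {kind}")


def class_map_matches(class_map, req):
    """Table 3-8 *New* class map: Any = at least one condition, All = every condition."""
    results = [match_condition(c, req) for c in class_map["conditions"]]
    return all(results) if class_map["match"] == "all" else any(results)


def primary_action(rules, req):
    """Return (action, rule name) of the first rule whose match criteria hit, else (None, None)."""
    for rule in rules:
        if class_map_matches(rule["class_map"], req):
            return rule["action"], rule["name"]
    return None, None


# Constructed rule set: weak-cipher clients are dropped, admin POSTs carrying a session
# cookie from the management subnet go to a dedicated farm, everything else load balances.
RULES = [
    {"name": "weak-ssl", "action": "drop", "class_map": {"match": "any", "conditions": [
        {"type": "ssl", "match": "less-than", "strength": 128}]}},
    {"name": "admin-post", "action": "load-balance", "class_map": {"match": "all", "conditions": [
        {"type": "http-url", "url": r"^/admin/", "method": "POST"},
        {"type": "http-cookie", "name": "session", "value": r"^[0-9a-f]{16}$", "secondary": True},
        {"type": "source-address", "address": "192.168.11.0", "netmask": "255.255.255.0"}]}},
    {"name": "default-lb", "action": "load-balance", "class_map": {"match": "any", "conditions": [
        {"type": "http-url", "url": r"^/"}]}},
]


def sample_request(**overrides):
    """Constructed request; keyword arguments override individual fields."""
    req = {"method": "POST", "url": "/admin/users", "headers": {"host": "www.anydomain.com"},
           "cookies": {"session": "0123456789abcdef"}, "client_ip": "192.168.11.2",
           "ssl_cipher": "RSA_WITH_AES_256_CBC_SHA"}
    req.update(overrides)
    return req


if __name__ == "__main__":
    for label, req in [("admin", sample_request()),
                       ("weak cipher", sample_request(ssl_cipher="RSA_WITH_DES_CBC_SHA")),
                       ("outside subnet", sample_request(client_ip="10.0.0.5"))]:
        print(label, "->", primary_action(RULES, req))
```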
Step 7
In the Primary Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:
• Drop—Indicates that client requests for content are to be discarded when match conditions are met. Continue with Step 10.
• Forward—Indicates that client requests for content are to be forwarded without performing load balancing on the requests when match conditions are met. Continue with Step 10.
• Load Balance—Indicates that client requests for content are to be directed to a server farm when match conditions are met. Continue with Step 8.
• Sticky—Client requests for content are handled by a sticky group when match conditions are met. Continue with Step 8.
Step 8
If you select Load Balance as the primary action, you can configure load balancing using a server farm, a server farm/backup server farm pair, an existing sticky group, or a new sticky group.
Note
If you select an existing object in any of these scenarios, you can view, modify, or duplicate the selected object’s existing configuration. See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects in virtual servers.
Configure load balancing using the information in Table 3-10.
Table 3-10
Virtual Server Load-Balancing Options
To configure...
Do this...
Load balancing using a server farm
In the Server Farm field, select the server farm to be used for load
balancing for this virtual server, or select *New* to configure a new
server farm (see Table 3-11).
Load balancing using a server farm/backup server farm pair
1. In the Server Farm field, select the primary server farm to use for load balancing, or select *New* to configure a new server farm (see Table 3-11).
2. In the Backup Server Farm field, select the server farm to act as the backup server farm for load balancing if the primary server farm is unavailable, or select *New* to configure a new backup server farm (see Table 3-11).
Load balancing using an existing sticky group
1. In the Server Farm field, select the primary server farm to use for load balancing. This must be the primary server farm specified in the existing sticky group.
2. In the Backup Server Farm field, select the backup server farm to use for load balancing. This must be the backup server farm specified in the existing sticky group.
3. In the Sticky Group field, select the sticky group to use.
Note
Sticky groups appear in the Sticky Group field only when their configured primary and backup server farms are selected, respectively. If you select a sticky group and then select a different primary or backup server farm, the sticky group that you selected in the Sticky Group field no longer appears. To change an existing sticky group configuration, modify it in the Stickiness configuration screen (Config > Virtual Contexts > context > Load Balancing > Stickiness).
Load balancing using a new sticky group
1. In the Server Farm field, select the primary server farm to use for load balancing, or select *New* to configure a new server farm (see Table 3-11).
2. In the Backup Server Farm field, select the server farm to act as the backup server farm for load balancing if the primary server farm is unavailable, or select *New* to configure a new backup server farm (see Table 3-11).
3. In the Sticky Group field, select *New*, then configure a new sticky group using the information in Table 3-13.
Note
The context in which you configure a sticky group must be associated with a resource class that allocates a portion of ACE appliance resources to stickiness. See Managing Resource Classes, page 2-33 for more information on resource classes.
Table 3-11
New Server Farm Attributes
Field
Description
Name
Enter a unique name for this server farm. Valid entries are unquoted text strings with no spaces
and a maximum of 64 characters.
Type
Select the type of server farm:
• Host—A typical server farm that consists of real servers that provide content and services to clients.
By default, if you configure a backup server farm and all real servers in the primary server farm go down, the primary server farm fails over to the backup server farm. Use the following options to specify thresholds for failover and returning to service.
a. In the Partial-Threshold Percentage field, enter the minimum percentage of real servers in the primary server farm that must remain active for the server farm to stay up. If the percentage of active real servers falls below this threshold, the ACE takes the server farm out of service. Valid entries are integers from 0 to 99.
b. In the Back Inservice field, enter the percentage of real servers in the primary server farm that must be active again for the ACE to place the server farm back into service. Valid entries are integers from 0 to 99. The value in this field should be larger than the value in the Partial Threshold Percentage field.
• Redirect—A server farm that consists only of real servers that redirect client requests to alternate locations specified in the real server configuration.
Fail Action
Select the action the ACE appliance is to take with respect to connections if any real server in the server farm fails:
• N/A—Indicates that the ACE appliance is to take no action if any server in the server farm fails.
• Purge—Indicates that the ACE appliance is to remove connections to a real server if that real server in the server farm fails. The ACE appliance sends a reset command to both the client and the server that failed.
• Reassign—Indicates that the ACE reassigns the existing server connections to the backup real server (if configured) if the real server fails after you enter this command. If a backup real server has not been configured for the failing server, this selection leaves the existing connections untouched in the failing real server.
Failaction Reassign Across Vlans
This field appears only when the L7 Load-Balancing Action parameters are set as follows: Primary Action: LoadBalance, ServerFarm: New, Fail Action: Reassign.
Check the check box to specify that the ACE reassigns the existing server connections to the backup real server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real server fails. If a backup real server has not been configured for the failing server, this option has no effect and leaves the existing connections untouched in the failing real server.
Note the following configuration requirements and restrictions when you enable this option:
• Enable the Transparent option (see the next field) to instruct the ACE not to use NAT to translate the ACE VIP address to the server IP address. The Failaction Reassign Across Vlans option is intended for use in stateful firewall load balancing (FWLB) on your ACE, where the destination IP address for the connection coming in to the ACE is for the end-point real server, and the ACE reassigns the connection so that it is transmitted through a different next hop.
• Enable the MAC Sticky option on all server-side interfaces to ensure that packets that are going to and coming from the same server in a flow will traverse the same firewalls or stateful devices (see the “Configuring Virtual Context VLAN Interfaces” section on page 8-8).
• Configure the Predictor Hash Address option. See Table 3-12 for the supported predictor methods and configurable attributes for each predictor method.
• You must configure identical policies on the primary interface and the backup-server interface. The backup interface must have the same feature configurations as the primary interface.
• If you configure a policy on the backup-server interface that is different from the policies on the primary-server interface, that policy will be effective only for new connections. The reassigned connection will always have only the primary-server interface policies.
• Interface-specific features (for example, NAT, application protocol inspection, outbound ACLs, or SYN cookie) are not supported.
• You cannot reassign connections to the failed real server after it comes back up. This restriction also applies to same-VLAN backup servers.
• Real servers must be directly connected to the ACE. This requirement also applies to same-VLAN backup servers.
• You must disable sequence number randomization on the firewall (see the “Configuring Connection Parameter Maps” section on page 6-2).
• Probe configurations should be similar on both ACEs and the interval values should be low. For example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2, the reassigned connections may become stuck because of the probe configuration mismatch. ACE-2 with the low interval value will detect the primary server failure first and will reassign all its incoming connections to the backup-server interface VLAN. ACE-1 with the high interval value may not detect the failure before the primary server comes back up and will still point to the primary server.
To minimize packet loss, we recommend the following probe parameter values on both ACEs: Interval: 2, Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5.
Transparent
This field appears only for real servers identified as host servers.
Check the check box to specify that network address translation from the VIP address to the server IP address is to occur. Clear the check box to indicate that network address translation from the VIP address to the server IP address is not to occur (default).

Fail-On-All
This field appears only for host server farms.
By default, real servers that you configure in a server farm inherit the probes that you configure directly on that server farm. When you configure multiple probes on a server farm, the real servers in the server farm use an OR logic with respect to the probes, which means that if one of the probes configured on the server farm fails, all the real servers in that server farm fail and enter the PROBE-FAILED state.
With AND logic, if one server farm probe fails, the real servers in the server farm remain in the OPERATIONAL state. If all the probes associated with the server farm fail, then all the real servers in that server farm fail and enter the PROBE-FAILED state. You can also configure AND logic for probes that you configure directly on real servers in a server farm.
Check this check box to configure the real servers in a server farm to use AND logic with respect to multiple server farm probes.
The Fail On All function is applicable to all probe types.
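As an added example (not from the Cisco guide), the following Python models two behaviours from this table: the OR/AND probe logic that Fail-On-All switches between, and the Partial-Threshold Percentage / Back Inservice thresholds described under Type > Host, with the backup-farm failover they drive. The class and function names are this example's own; the ACE's internal implementation is not documented here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RealServer:
    """One real server and the latest result of each probe applied to it."""
    name: str
    probe_results: Dict[str, bool]   # probe name -> True if it passed (constructed sample data)
    fail_on_all: bool = False        # the Fail-On-All check box for this server

    def is_operational(self) -> bool:
        results = list(self.probe_results.values())
        if not results:
            return True                 # no probes configured: nothing can fail the server
        if self.fail_on_all:
            return any(results)         # AND logic: PROBE-FAILED only when every probe fails
        return all(results)             # OR logic (default): any failed probe fails the server


@dataclass
class ServerFarm:
    """A host server farm with the failover thresholds from Table 3-11."""
    name: str
    servers: List[RealServer]
    partial_threshold: int             # Partial-Threshold Percentage, 0..99
    back_inservice: int                # Back Inservice, 0..99, larger than partial_threshold
    backup_farm: Optional[str] = None  # name of the backup server farm, if one is configured
    in_service: bool = True

    def __post_init__(self) -> None:
        for value in (self.partial_threshold, self.back_inservice):
            if not 0 <= value <= 99:
                raise ValueError("threshold percentages are integers from 0 to 99")
        if self.back_inservice <= self.partial_threshold:
            raise ValueError("Back Inservice should be larger than Partial-Threshold Percentage")

    def active_percent(self) -> float:
        if not self.servers:
            return 0.0
        active = sum(1 for s in self.servers if s.is_operational())
        return 100.0 * active / len(self.servers)

    def evaluate(self) -> str:
        """Update the farm's state and return where new connections go:
        "primary", the backup farm's name, or "none" when no backup exists."""
        pct = self.active_percent()
        if self.in_service and pct < self.partial_threshold:
            self.in_service = False     # below the partial threshold: farm taken out of service
        elif not self.in_service and pct >= self.back_inservice:
            self.in_service = True      # enough servers active again: farm back in service
        if self.in_service:
            return "primary"
        return self.backup_farm or "none"
```

Because the two percentages differ, a farm that has gone out of service does not flap back the moment a single server recovers.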
Inband-Health Check
This field appears only for host server farms.
By default, the ACE monitors the health of all real servers in a configuration through the use of ARPs and health probes. However, there is a latency period between when the real server goes down and when the ACE becomes aware of the state. The inband health monitoring feature allows the ACE to monitor the health of the real servers in the server farm through the following connection failures:
• For TCP, resets (RSTs) from the server or SYN timeouts.
• For UDP, ICMP Host, Network, Port, Protocol, and Source Route unreachable messages.
When you configure the failure-count threshold and the number of these failures exceeds the threshold within the reset-time interval, the ACE immediately marks the server as failed, takes it out of service, and removes it from load balancing. The server is not considered for load balancing until the optional resume-service interval expires.
Choose one of the following:
• Count—Tracks the total number of TCP or UDP failures, and increments the counters as displayed by the show serverfarm name inband CLI command.
• Log—Logs a syslog error message when the number of events reaches the configured connection failure threshold.
• Remove—Logs a syslog error message when the number of events reaches the threshold and removes the server from service.
Note
You can configure this feature and health probes to monitor a server. When you do, both are required to keep a real server in service within a server farm. If either feature detects a server is out of service, the ACE does not select the server for load balancing.

Connection Failure Threshold Count
This field appears only when the Inband-Health Check is set to Log or Remove.
Enter the maximum number of connection failures that a real server can exhibit in the reset-time interval before the ACE marks the real server as failed. Valid entries are integers from 1 to 4294967295.

Reset Timeout (Milliseconds)
This field appears only when the Inband-Health Check is set to Log or Remove.
Enter the number of milliseconds for the reset-time interval. Valid entries are integers from 100 to 300000. The default interval is 100.
This interval starts when the ACE detects a connection failure. If the connection failure threshold is reached during this interval, the ACE generates a syslog message. When the Inband-Health Check is set to Remove, the ACE also removes the real server from service.
Changing the setting of this option affects the behavior of the real server, as follows:
• When the real server is in the OPERATIONAL state, even if several connection failures have occurred, the new reset-time interval takes effect the next time that a connection error occurs.
• When the real server is in the INBAND-HM-FAILED state, the new reset-time interval takes effect the next time that a connection error occurs after the server transitions to the OPERATIONAL state.
Resume Service (Seconds)
This field appears only when the Inband-Health Check is set to Remove.
Enter the number of seconds after a server has been marked as failed to reconsider it for sending live connections. Valid entries are integers from 30 to 3600. The default setting is 0. The setting of this option affects the behavior of the real server in the inband failed state, as follows:
• When this field is not configured and has the default setting of 0, the real server remains in the failed state until you manually suspend and then reactivate it.
• When this field is not configured and has the default setting of 0 and then you configure this option with an integer between 30 and 3,600, the failed real server immediately transitions to the Operational state.
• When you configure this field and then increase the value, the real server remains in the failed state for the duration of the previously-configured value. The new value takes effect the next time the real server transitions to the failed state.
• When you configure this field and then decrease the value, the failed real server immediately transitions to the Operational state.
• When you configure this field with an integer between 30 and 3,600 and then reset it to the default of 0, the real server remains in the failed state for the duration of the previously-configured value. The default setting takes effect the next time the real server transitions to the failed state. Then the real server remains in the failed state until you manually suspend and then reactivate it.
• When you change this field within the reset-time interval and the real server is in the OPERATIONAL state with several connection failures, the new threshold interval takes effect the next time that a connection error occurs, even if it occurs within the current reset-time interval.

Predictor
Specify the method for selecting the next server in the server farm to respond to client requests. Round Robin is the default predictor method for a server farm.
See Table 3-12 for the supported predictor methods and configurable attributes for each predictor method.
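As an added example (not from the Cisco guide), the following Python models the inband health check rows above: connection failures counted within a reset-time interval, the Count / Log / Remove actions, and the Resume Service interval, including the default of 0 that keeps a removed server failed until it is manually reactivated. Class and method names are this example's own; the ACE's internal implementation is not documented here.

```python
from dataclasses import dataclass, field
from typing import List, Optional

OPERATIONAL = "OPERATIONAL"
INBAND_HM_FAILED = "INBAND-HM-FAILED"


@dataclass
class InbandHealthCheck:
    """Inband health state for one real server (this example's own model)."""
    mode: str                              # Inband-Health Check: "count", "log" or "remove"
    threshold: int = 1                     # Connection Failure Threshold Count, 1..4294967295
    reset_timeout_ms: int = 100            # Reset Timeout (Milliseconds), 100..300000
    resume_service_s: int = 0              # Resume Service (Seconds): 0 (manual) or 30..3600
    state: str = OPERATIONAL
    failures: int = 0                      # failures counted in the current reset-time interval
    interval_start_ms: Optional[int] = None
    failed_at_ms: Optional[int] = None
    syslog: List[str] = field(default_factory=list)   # messages the ACE would log

    def __post_init__(self) -> None:
        if self.mode not in ("count", "log", "remove"):
            raise ValueError("mode must be count, log or remove")
        if not 1 <= self.threshold <= 4294967295:
            raise ValueError("threshold must be 1..4294967295")
        if not 100 <= self.reset_timeout_ms <= 300000:
            raise ValueError("reset timeout must be 100..300000 ms")
        if self.resume_service_s and not 30 <= self.resume_service_s <= 3600:
            raise ValueError("resume service must be 0 or 30..3600 s")

    def connection_failure(self, now_ms: int, server: str) -> str:
        """Record one TCP RST/SYN timeout or UDP ICMP unreachable seen at now_ms."""
        if self.state == INBAND_HM_FAILED:
            return self.state               # already out of service; nothing more to count
        # The reset-time interval starts at the first failure and expires reset_timeout_ms later.
        if (self.interval_start_ms is None
                or now_ms - self.interval_start_ms >= self.reset_timeout_ms):
            self.interval_start_ms = now_ms
            self.failures = 0
        self.failures += 1
        if self.mode != "count" and self.failures > self.threshold:
            self.syslog.append(f"{now_ms}: {server} exceeded {self.threshold} "
                               f"connection failures within {self.reset_timeout_ms} ms")
            if self.mode == "remove":       # Log only logs; Remove also takes the server out
                self.state = INBAND_HM_FAILED
                self.failed_at_ms = now_ms
        return self.state

    def eligible_for_lb(self, now_ms: int) -> bool:
        """True when the predictor may select this server at time now_ms."""
        if self.state == OPERATIONAL:
            return True
        if self.resume_service_s and now_ms - self.failed_at_ms >= self.resume_service_s * 1000:
            self.reactivate()               # resume-service interval expired
            return True
        return False                        # resume_service_s == 0: wait for manual reactivation

    def reactivate(self) -> None:
        """Return to OPERATIONAL, as after a manual suspend and reactivate."""
        self.state = OPERATIONAL
        self.failures = 0
        self.interval_start_ms = None
        self.failed_at_ms = None
```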
Probes
Specify the health monitoring probes to use:
• To include a probe that you want to use for health monitoring, select it in the Available list, then click Add. The probe appears in the Selected list.
• To remove a probe that you do not want to use for health monitoring, select it in the Selected list, then click Remove. The probe appears in the Available list.
• To specify a sequence for probe use, select probes in the Selected list, then click Up or Down until you have the desired sequence.
• To view the configuration for an existing probe, select a probe in the list on the right, then click View to review its configuration.
To add a new probe, click Create. See Configuring Health Monitoring for Real Servers, page 4-31 for details on adding a new health monitoring probe and defining attributes for the specific probe type. In addition to the probe attributes that you set as described in the Configuring Health Monitoring for Real Servers section, set the following probe configuration parameters in the Probes section under Server Farm as described below:
• Expect Addresses—To configure expect addresses for a DNS probe, in the Expect Addresses field enter the IP address that the ACE appliance is to expect as a server response to a DNS request. Valid entries are unique IP addresses in dotted-decimal notation, such as 192.168.11.1.
• Probe Headers—To configure probe headers for either an HTTP or HTTPS probe, in the Probe Headers field enter the name of the HTTP header and the value to be matched using the format header_name=header_value where:
– header_name represents the HTTP header name the probe is to use. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a predefined header or any custom header name provided that it does not exceed the maximum length limit.
– header_value represents the string to assign to the header field. Valid entries are text strings with a maximum of 255 characters. If the string includes spaces, enclose the string with quotes.
• Probe Expect Status—To configure probe expect status for an FTP, HTTP, HTTPS, RTSP, SIP-TCP, SIP-UDP, or SMTP probe, in the Probe Expect Status field enter the following information:
– To configure a single expect status code, enter the minimum expect status code for this probe followed by the same expect status code that you entered as the minimum. Valid entries are integers from 0 to 999.
– To configure a range of expect status codes, enter the lower limit of the range of status codes followed by the upper limit of the range of status codes. The maximum expect status code must be greater than or equal to the value specified for the minimum expect status code. Valid entries are integers from 0 to 999.
• SNMP OID Table—To configure the SNMP OID for an SNMP probe, see Configuring an OID for SNMP Probes, page 4-54.
After you add a probe, you can modify the attributes for a health probe from the Health Monitoring table (Config > Virtual Contexts > context > Load Balancing > Health Monitoring) as described in Configuring Health Monitoring for Real Servers, page 4-31. You can also delete an existing health probe from the Health Monitoring table.
Real Servers
The Real Servers table allows you to add, modify, remove, or change the order of real servers.
1. Select an existing server, or click Add to add a server to the server farm:
– If you select an existing server, you can view, modify, or duplicate the server’s existing configuration. See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
– If you click Add, the table refreshes and allows you to enter server information.
2. In the IP Address field, enter the IP address of the real server in dotted-decimal format.
3. In the Name field, enter the name of the real server.
4. In the Port field, enter the port number to be used for server port address translation (PAT). Valid entries are integers from 1 to 65535.
5. In the Weight field, enter the weight to assign to this server in the server farm. Valid entries are integers from 1 to 100, and the default is 8.
6. In the Redirection Code field, select the appropriate redirection code. This field appears only for real servers identified as redirect servers.
– N/A—Indicates that the webhost redirection code is not defined.
– 301—Indicates that the requested resource has been moved permanently. For future references to this resource, the client should use one of the returned URIs.
– 302—Indicates that the requested resource has been found, but has been moved temporarily to another location. For future references to this resource, the client should use the request URI because the resource may be moved to other locations from time to time.
7. In the Web Host Redirection field, enter the URL string used to redirect requests to another server. This field appears only for real servers identified as redirect servers. Enter the URL and port used to redirect requests to another server. Valid entries are in the form http://host.com:port where host is the name of the server and port is the port to be used. Valid host entries are unquoted text strings with no spaces and a maximum of 255 characters. Valid port numbers are from 1 to 65535.
The relocation string supports the following special characters:
– %h—Inserts the hostname from the request Host header
– %p—Inserts the URL path string from the request
8. In the Rate Bandwidth field, specify the real server bandwidth limit in bytes per second. Valid entries are integers from 1 to 300000000.
9. In the Rate Connection field, specify the limit for connections per second. Valid entries are integers from 1 to 350000.
10. In the State field, select the administrative state of this server:
– In Service—The server is to be placed in use as a destination for server load balancing.
– In Service Standby—The server is a backup server and is to remain inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections.
– Out Of Service—The server is not to be placed in use by a server load balancer as a destination for client connections.
11. In the Fail-On-All field, check this check box to configure a real server to remain in the OPERATIONAL state unless all probes associated with it fail (AND logic). The Fail-On-All function is applicable to all probe types.
Fail-On-All is applicable only for host real servers.
12. In the Cookie String field, enter a cookie string value of the real server, which is to be used for HTTP cookie insertion when establishing a sticky connection. Valid entries are text strings with a maximum of 32 alphanumeric characters. You can include spaces and special characters in a cookie string value. See Chapter 5, “Configuring Stickiness” for details on HTTP cookie sticky connections.
Cookie String is applicable only for host real servers.
13. Click:
– OK to accept your entries and add this real server to the server farm. The table refreshes with updated information.
– Cancel to exit this procedure without saving your entries and to return to the Real Servers table.
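As an added example (not from the Cisco guide), the following Python shows how a redirect real server's Web Host Redirection string and Redirection Code (steps 6 and 7 above) become the response the client receives, applying the host-length and port-range limits the table states. Function names and the sample request values are this example's assumptions.

```python
from typing import Dict, Tuple

# Redirection Codes a redirect real server can return (N/A means none is defined).
REDIRECT_CODES = {301: "Moved Permanently", 302: "Found"}


def check_host_and_port(url: str) -> None:
    """Apply the Web Host Redirection limits: host up to 255 characters, port 1..65535."""
    rest = url.split("://", 1)[-1]
    host, _, port = rest.split("/", 1)[0].partition(":")
    if not host or len(host) > 255:
        raise ValueError("host must be 1..255 characters")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError("port must be 1..65535")


def build_redirect(relocation: str, code: int,
                   request_host: str, request_path: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers) for the redirect a redirect real server sends.

    relocation is the configured Web Host Redirection string, e.g. http://host.com:port,
    in which %h becomes the request's Host header and %p the request's URL path.
    """
    if code not in REDIRECT_CODES:
        raise ValueError("Redirection Code must be 301 or 302")
    if " " in relocation or '"' in relocation:
        raise ValueError("relocation string must be unquoted and contain no spaces")
    location = relocation.replace("%h", request_host).replace("%p", request_path)
    check_host_and_port(location)          # validate after substitution, so %h and %p are real values
    return code, {"Location": location}
```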
Table 3-12 Predictor Methods and Attributes

Predictor Method / Description / Action

Hash Address
The ACE selects the server using a hash value based on the source or destination IP address.
To configure the hash address predictor method:
1. In the Mask Type field, indicate whether server selection is based on the source IP address or the destination IP address:
– N/A—Indicates that this option is not defined.
– Destination—Indicates that the server is selected based on the destination IP address.
– Source—Indicates that the server is selected based on the source IP address.
2. In the IP Netmask field, select the subnet mask to apply to the address. If none is specified, the default is 255.255.255.255.
Hash Content
The ACE selects the server by using a hash value based on the specified content string of the HTTP packet body.
1. In the Begin Pattern field, enter the beginning pattern of the content string and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the HTTP body immediately following the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 10-31 lists the supported characters that you can use for matching string expressions.
2. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field or the end of the packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 10-31 lists the supported characters that you can use for matching string expressions.
3. In the Length field, enter the length in bytes of the portion of the content (starting with the byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries are integers from 1 to 1000 bytes.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but shorter than the offset plus the length of the payload, the ACE sticks the connection based on that portion of the payload starting with the byte after the offset value and ending with the byte specified by the offset plus the length. The total of the offset and the length cannot exceed 1000.
You cannot specify both the length and the end-pattern options for a Hash Content predictor.
4. In the HTTP Content Offset field, enter the portion of the content that the ACE uses to stick the client on a particular server by indicating the bytes to ignore starting with the first byte of the payload. Valid entries are integers from 0 to 999 bytes. The default is 0, which indicates that the ACE does not exclude any portion of the content.

Hash Cookie
The ACE selects the server by using a hash value based on the cookie name.
In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces and a maximum of 64 characters.

Hash Secondary Cookie
The ACE selects the server by using the hash value based on the specified cookie name in the URL query string, not the cookie header.
In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces and a maximum of 64 characters.
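As an added example (not from the Cisco guide), the following Python shows how the Hash Address predictor and the Hash Content predictor above select a server from their configured attributes, including the Offset / Length / End Pattern constraints the table states; the same key extraction applies to the Hash Layer 4 predictor, which uses the same four fields. SHA-256 as the hash, the function names, the constructed sample body, and the choice to start the key after the Begin Pattern match are this example's assumptions; the ACE's actual hash function is not documented on this page.

```python
import hashlib
import ipaddress
import re
from typing import List, Optional


def _pick(key: bytes, servers: List[str]) -> str:
    """Map a hash key to a server name. SHA-256 is this example's choice of hash."""
    if not servers:
        raise ValueError("server farm has no real servers")
    digest = hashlib.sha256(key).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


def hash_address(servers: List[str], src_ip: str, dst_ip: str,
                 mask_type: str = "source",
                 netmask: str = "255.255.255.255") -> str:
    """Hash Address predictor: hash the masked source or destination IPv4 address."""
    if mask_type not in ("source", "destination"):
        raise ValueError("Mask Type must be source or destination")
    addr = ipaddress.IPv4Address(src_ip if mask_type == "source" else dst_ip)
    masked = int(addr) & int(ipaddress.IPv4Address(netmask))
    return _pick(masked.to_bytes(4, "big"), servers)


def content_key(payload: bytes, offset: int = 0,
                begin_pattern: Optional[str] = None,
                end_pattern: Optional[str] = None,
                length: Optional[int] = None) -> bytes:
    """Select the bytes a Hash Content (or Hash Layer 4) predictor hashes.

    offset skips bytes from the start of the payload; begin_pattern, when set,
    is searched after the offset and the key starts after the match (assumed
    here, since the page does not say whether the pattern itself is included);
    the key ends at end_pattern or after length bytes, whichever is configured.
    """
    if not 0 <= offset <= 999:
        raise ValueError("HTTP Content Offset must be 0..999")
    if length is not None and end_pattern is not None:
        raise ValueError("Length and End Pattern cannot both be set")
    if length is not None and not (1 <= length <= 1000 and offset + length <= 1000):
        raise ValueError("Length must be 1..1000 and Offset + Length at most 1000")
    data = payload[offset:]
    if begin_pattern:
        match = re.search(begin_pattern.encode(), data)
        if match is None:
            return b""                      # pattern absent: nothing to hash
        data = data[match.end():]
    if end_pattern:
        match = re.search(end_pattern.encode(), data)
        if match is not None:
            data = data[:match.start()]     # otherwise parse to the end of the data
    elif length is not None:
        data = data[:length]                # a shorter payload simply yields fewer bytes
    return data


def hash_content(servers: List[str], payload: bytes, **options) -> str:
    """Hash Content / Hash Layer 4 predictor: pick a server from the content key."""
    return _pick(content_key(payload, **options), servers)
```

Two requests carrying the same session value map to the same server even when the rest of the body differs, which is what makes the predictor usable for stickiness.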
Hash Header
The ACE selects the server by using a hash value based on the header name.
In the Header Name field, select the HTTP header to be used for server selection:
• To specify an HTTP header that is not one of the standard HTTP headers, select the first radio button and enter the HTTP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
• To specify one of the standard HTTP headers, select the second radio button, then select one of the HTTP headers from the list.

Hash Layer 4
The ACE selects the server by using a Layer 4 generic protocol load-balancing method. Use this predictor to load balance packets from protocols that are not explicitly supported by the ACE.
1. In the Begin Pattern field, enter the beginning pattern of the Layer 4 payload and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the HTTP body immediately following the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 10-31 lists the supported characters that you can use for matching string expressions.
2. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field or the end of the packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 10-31 lists the supported characters that you can use for matching string expressions.
3. In the Length field, enter the length in bytes of the portion of the payload (starting with the byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries are integers from 1 to 1000 bytes.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but shorter than the offset plus the length of the payload, the ACE sticks the connection based on that portion of the payload starting with the byte after the offset value and ending with the byte specified by the offset plus the length. The total of the offset and the length cannot exceed 1000.
You cannot specify both the length and end-pattern options for a Hash Layer 4 predictor.
4. In the HTTP Content Offset field, enter the portion of the content that the ACE uses to stick the client on a particular server by indicating the bytes to ignore starting with the first byte of the payload. Valid entries are integers from 0 to 999 bytes. The default is 0, which indicates that the ACE does not exclude any portion of the content.
Hash URL
The ACE selects the server by using a hash value based on the URL. Use this method to load balance firewalls.
Enter values in one or both of the pattern fields:
• In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string to parse.
• In the URL End Pattern field, enter the ending pattern of the URL and the pattern string to parse.
Valid entries for these fields are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters for each pattern you configure.

Least Bandwidth
The ACE selects the server with the least amount of network traffic over a specified sampling period.
1. In the Assess Time field, enter the number of seconds for which the ACE is to collect traffic information. Valid entries are integers from 1 to 10 seconds.
2. In the Least Bandwidth Samples field, enter the number of samples over which you want to weight and average the results of the probe query to calculate the final load value. Valid entries are 1, 2, 4, 8, and 16 (integers from 1 to 16 that are also a power of 2).

Least Connections
The ACE selects the server with the fewest number of connections.
In the Slowstart Duration field, enter the slow-start value to be applied to this predictor method. Valid entries are integers from 1 to 65535, where 1 is the slowest ramp-up value.
The slow-start mechanism is used to avoid sending a high rate of new connections to servers that you have just put into service.

Least Loaded
The ACE selects the server with the lowest load based on information from SNMP probes.
1. In the SNMP Probe Name field, select the name of the SNMP probe to use.
2. In the Auto Adjust field, configure the autoadjust feature to instruct the ACE to apply the maximum load of 16000 to a real server whose load reaches zero or override the default behavior. By default, the ACE applies the average load of the server farm to a real server whose load is zero. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options.
Options include:
– Average—Applies the average load of the server farm to a real server whose load is zero. This setting allows the server to participate in load balancing, while preventing it from being flooded by new connections. This is the default setting.
– Maxload—Instructs the ACE to apply the maximum load of 16000 to a real server whose load reaches zero.
– Off—Instructs the ACE to send all new connections to the server that has a load of zero until the next load update arrives from the SNMP probe for this server. If two servers have the same lowest load (either zero or nonzero), the ACE load balances the connections between the two servers in a round-robin manner.
3. In the Weight Connection field, check the check box to instruct the ACE to use the current connection count in the final load calculation for a real server. When you configure this option, the ACE includes the current connection count in the total load calculation for each real server in a server farm. Clear the check box to reset the behavior of the ACE to the default of excluding the current connection count from the load calculation.
Response
The ACE selects the server with the lowest response time for a requested response-time measurement.
1. In the Response Type field, select the type of measurement to use:
– App-Req-To-Resp—The response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.
– Syn-To-Close—The response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
– Syn-To-Synack—The response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a SYN-ACK from the server.
2. In the Response Samples field, enter the number of samples over which you want to average the results of the response-time measurement. Valid entries are 1, 2, 4, 8, and 16 (integers from 1 to 16 that are also a power of 2).
3. In the Weight Connection field, check the check box to instruct the ACE to use the current connection count in the final load calculation for a real server. When you configure this option, the ACE includes the current connection count in the total load calculation for each real server in a server farm. Clear the check box to reset the behavior of the ACE to the default of excluding the current connection count from the load calculation.

Round Robin
The ACE selects the next server in the list of servers based on server weight. This is the default predictor method.
Table 3-13 Sticky Group Attributes

Group Name
  Enter a unique identifier for the sticky type. You can either accept the automatically incremented entry given or you can enter your own. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Type
  Select the method to be used when establishing sticky connections:
  • HTTP Content—The virtual server is to stick client connections to the same real server based on a string in the data portion of the HTTP packet. See Table 5-2 for additional configuration options.
  • HTTP Cookie—Indicates that the virtual server is either to learn a cookie from the HTTP header of a client request or to insert a cookie in the Set-Cookie header of the response from the server to the client, and then use the learned cookie to provide stickiness between the client and server for the duration of the transaction.
  • HTTP Header—Indicates that the virtual server is to stick client connections to the same real server based on HTTP headers.
  • IP Netmask—Indicates that the virtual server is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IP address, the destination IP address, or both.
  Note
  If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence.
  • Layer 4 Payload—The virtual server is to stick client connections to the same real server based on a string in the payload portion of the Layer 4 protocol packet. See Table 5-6 for additional configuration options.
  • RADIUS—The virtual server is to stick client connections to the same real server based on a RADIUS attribute. See Table 5-7 for additional configuration options.
  • RTSP Header—The virtual server is to stick client connections to the same real server based on the RTSP Session header field. See Table 5-8 for additional configuration options.
  • SIP Header—The virtual server is to stick client connections to the same real server based on the SIP Call-ID header field.
Cookie Name
  This option appears for sticky type HTTP Cookie.
  Enter a unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Enable Insert
  This option appears for sticky type HTTP Cookie.
  Check this check box if the virtual server is to insert a cookie in the Set-Cookie header of the response from the server to the client. This option is useful when you want to use a session cookie for persistence but the server is not currently setting the appropriate cookie. When selected, the virtual server selects a cookie value that identifies the original server from which the client received a response. For subsequent connections of the same transaction, the client uses the cookie to stick to the same server.
  Clear this check box to disable cookie insertion.
Browser Expire
  This option appears for sticky type HTTP Cookie when Enable Insert is selected.
  Check this check box to allow the client's browser to expire a cookie when the session ends.
  Clear this check box to disable browser expire.
Offset (Bytes)
  This option appears for sticky types HTTP Cookie and HTTP Header.
  Enter the number of bytes the virtual server is to ignore starting with the first byte of the cookie. Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the cookie.
Length (Bytes)
  This option appears for sticky types HTTP Cookie and HTTP Header.
  Enter the length of the portion of the cookie (starting with the byte after the offset value) that the ACE appliance is to use for sticking the client to the server. Valid entries are integers from 1 to 1000.
Secondary Name
  This option appears for sticky type HTTP Cookie.
  Enter an alternate cookie name that is to appear in the URL string of the Web page on the server. The virtual server uses this cookie to maintain a sticky connection between a client and a server and adds a secondary entry in the sticky table. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Header Name
  This option appears for sticky type HTTP Header.
  Select the HTTP header to use for sticking client connections.
Netmask
  This field appears for sticky type IP Netmask.
  Select the netmask to apply to the source IP address, destination IP address, or both.
Address Type
  This field appears for sticky type IP Netmask.
  Indicate whether this sticky type is to be applied to the client source IP address, the destination IP address, or both:
  • Both—Indicates that this sticky type is to be applied to both the source IP address and the destination IP address.
  • Destination—Indicates that this sticky type is to be applied to the destination IP address only.
  • Source—Indicates that this sticky type is to be applied to the source IP address only.
Sticky Server Farm
  Select an existing server farm to act as the primary server farm for this sticky group, or select *New* to create a new server farm. If you select *New*, configure the server farm using the information in Table 3-11.
Backup Server Farm
  Select an existing server farm to act as the backup server farm for this sticky group, or select *New* to create a new server farm. If you select *New*, configure the server farm using the information in Table 3-11.
Aggregate State
  Check this check box to indicate that the state of the primary server farm is to be tied to the state of all real servers in the server farm and in the backup server farm, if configured. The ACE appliance declares the primary server farm down if all real servers in the primary server farm and all real servers in the backup server farm are down.
  Clear this check box if the state of the primary server farm is not to be tied to all real servers in the server farm and in the backup server farm.
Enable Sticky On Backup Server Farm
  Check this check box to indicate that the backup server farm is sticky. Clear this check box if the backup server farm is not sticky.
Replicate On HA Peer
  Check this check box to indicate that the virtual server is to replicate sticky table entries on the backup server farm. If a failover occurs and this option is selected, the new active server farm can maintain the existing sticky connections.
  Clear this check box to indicate that the virtual server is not to replicate sticky table entries on the backup server farm.
Timeout (Minutes)
  Enter the number of minutes that the virtual server keeps the sticky information for a client connection in the sticky table after the latest client connection terminates. Valid entries are integers from 1 to 65535; the default is 1440 minutes (24 hours).
Timeout Active Connections
  Check this check box to specify that the virtual server is to time out sticky table entries even if active connections exist after the sticky timer expires.
  Clear this check box to specify that the virtual server is not to time out sticky table entries even if active connections exist after the sticky timer expires. This is the default behavior.
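How the sticky key is derived for the HTTP Cookie type (Offset and Length) and the IP Netmask type (Netmask and Address Type), and how Timeout (Minutes) and Timeout Active Connections govern an entry's lifetime, as an added Python example. This is not code from the guide or from the ACE software; the field ranges come from Table 3-13, while the internal representation of the table, the key format for Address Type Both, and the exact moment the timer restarts are assumptions.

```python
import ipaddress


def cookie_sticky_key(cookie_value, offset=0, length=None):
    """Sticky key from a cookie value per the Offset (Bytes) and Length (Bytes)
    fields: skip `offset` bytes from the first byte of the cookie, then use the
    next `length` bytes (all remaining bytes when Length is not set)."""
    if not 0 <= offset <= 999:
        raise ValueError("Offset must be an integer from 0 to 999")
    if length is not None and not 1 <= length <= 1000:
        raise ValueError("Length must be an integer from 1 to 1000")
    raw = cookie_value.encode("utf-8")
    end = None if length is None else offset + length
    return raw[offset:end].decode("utf-8", errors="replace")


def ip_sticky_key(src_ip, dst_ip, netmask, address_type):
    """Sticky key for the IP Netmask type: the source and/or destination address
    after the netmask is applied (Address Type: Source, Destination or Both).
    The "src->dst" format for Both is an assumption of this example."""
    mask = int(ipaddress.IPv4Address(netmask))

    def masked(ip):
        return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & mask))

    if address_type == "Source":
        return masked(src_ip)
    if address_type == "Destination":
        return masked(dst_ip)
    if address_type == "Both":
        return masked(src_ip) + "->" + masked(dst_ip)
    raise ValueError("Address Type must be Source, Destination or Both")


class StickyTable:
    """Sticky table with the Timeout (Minutes) and Timeout Active Connections
    semantics from Table 3-13: an entry is kept for `timeout_minutes` after the
    client's latest connection terminates; while connections are still active
    it is kept regardless, unless timeout_active_connections is set."""

    def __init__(self, timeout_minutes=1440, timeout_active_connections=False):
        if not 1 <= timeout_minutes <= 65535:
            raise ValueError("Timeout must be an integer from 1 to 65535 minutes")
        self.timeout = timeout_minutes * 60          # seconds
        self.timeout_active = timeout_active_connections
        self._entries = {}  # key -> [server, last_activity_ts, active_connections]

    def new_connection(self, key, server, now):
        """Record a connection that was load balanced (or stuck) to `server`."""
        entry = self._entries.get(key)
        if entry is None or entry[0] != server:
            self._entries[key] = [server, now, 1]
        else:
            entry[1] = now
            entry[2] += 1

    def connection_closed(self, key, now):
        entry = self._entries.get(key)
        if entry:
            entry[2] = max(0, entry[2] - 1)
            entry[1] = now  # assumption: the timer restarts at the latest close

    def lookup(self, key, now):
        """Return the stuck server for `key`, or None once the entry has expired."""
        entry = self._entries.get(key)
        if entry is None:
            return None
        server, last_activity, active = entry
        timer_expired = now - last_activity > self.timeout
        if timer_expired and (active == 0 or self.timeout_active):
            del self._entries[key]
            return None
        return server
```

Note that an Offset/Length window only selects which part of the cookie value identifies the session; it does not validate the cookie, so the server-side session cookie itself still has to be unguessable for persistence to be safe.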
Step 9
In the Compression Method field, select the HTTP compression method to indicate how the ACE
appliance is to compress packets when a client request indicates that the client browser is capable of
packet compression. By default, HTTP compression is disabled in the ACE. When you configure HTTP
compression using the ACE, the appliance compresses data in the HTTP GET responses from the real
servers. The ACE does not compress HTTP requests from clients or the HTTP headers in the server
responses.
Note
By default, the ACE supports HTTP compression at rates of 100 megabits per second (Mbps).
Installing an optional HTTP compression license allows you to increase this value to a maximum
of 2 Gbps. See the Cisco 4700 Series Application Control Engine Appliance Administration
Guide for information on ACE licensing options.
Options include:
• Deflate—Specifies the deflate compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Deflate is the data format for compression described in RFC1951.
• Gzip—Specifies the gzip compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Gzip is the file format for compression described in RFC1952.
• N/A—HTTP compression is disabled.
When configuring HTTP compression, we recommend that you exclude the following MIME types from
HTTP compression: “.*gif”, “.*css”, “.*js”, “.*class”, “.*jar”, “.*cab”, “.*txt”, “.*ps”, “.*vbs”, “.*xsl”,
“.*xml”, “.*pdf”, “.*swf”, “.*jpg”, “.*jpeg”, “.*jpe”, or “.*png”.
When you enable HTTP compression, the ACE compresses the packets using the following default
compression parameter values:
• Mime type—All text formats (text/*).
• Minimum size—512 bytes.
• User agent—None.
Step 10
In the SSL Initiation field, select an existing service, or select *New* to create a new service. SSL
initiation allows the virtual server to act as an SSL proxy client to initiate and maintain an SSL
connection between itself and an SSL server. In this particular application, the ACE receives clear text
from an HTTP client, and encrypts and transmits the data as ciphertext to the SSL server. On the reverse
side, the ACE decrypts the ciphertext that it receives from the SSL server and sends the data to the client
as clear text.
Note
The SSL Initiation field appears only in the Advanced View, and when TCP is the selected
protocol and Other, HTTP, or HTTPS is the application protocol.
• If you select an existing SSL service, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
• If you select *New*, configure the service using the information in Table 3-14.
Table 3-14 Virtual Server SSL Initiation Attributes

Name
  Enter a name for this SSL proxy service. Valid entries are alphanumeric strings with a maximum of 26 characters.
Keys
  Select the SSL key pair to use during the SSL handshake for data encryption.
Certificates
  Select the SSL certificate to use during the SSL handshake.
Chain Groups
  Select the chain group to use during the SSL handshake.
Auth Groups
  Select the SSL authentication group to associate with this proxy server service.
CRL Best-Effort
  This option appears if you select an authentication group in the Auth Group Name field.
  Check the check box to allow the ACE to search client certificates for the service to determine if it contains a CRL in the extension and retrieve the value, if it exists.
  Clear the check box to disable this feature.
CRL Name
  This option appears if the CRL Best-Effort check box is clear.
  Select the Certificate Revocation List that the ACE is to use for this proxy service.
Parameter Maps
  Select the SSL parameter map to associate with this proxy server service.

For more information about SSL, see Configuring SSL, page 7-1.
Step 11
In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using
the format header_name=header_value where:
• header_name represents the name of the HTTP header to insert in the client HTTP request. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a predefined header or any custom header name provided that it does not exceed the maximum length limit.
• header_value represents the expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched.
Table 10-31 lists the supported characters that you can use in regular expressions.
For example, you might enter Host=www.cisco.com.
Step 12
Click:
• OK to save your entries and to return to the Rule Match table.
• Cancel to exit this procedure without saving your entries and to return to the Rule Match table.
Step 13
If you are adding Rule Match entries for a new virtual server and you want to modify the sequence of rules in the L7 Load Balancing section of the Virtual Server configuration page, click Up or Down to change the order of the entries in the Rule Match table.
Note
The Up and Down buttons are not available for an existing virtual server, only for a new virtual server. To reorder the entries in the Rule Match table for an existing virtual server, go to Config > Expert > Policy Maps and choose the Layer 7 load balancing policy map, delete the rule entry that you want to reorder, and then add it again by using the Insert Before option to put it in the correct order. See Configuring Rules and Actions for Policy Maps, page 10-35 for details.
Step 14
When you finish configuring virtual server properties, click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries.
Related Topics
• Configuring Virtual Servers, page 3-2
• Configuring Virtual Server Properties, page 3-11
• Configuring Virtual Server SSL Termination, page 3-17
• Configuring Virtual Server Protocol Inspection, page 3-19
Configuring Virtual Server Default Layer 7 Load Balancing
Use this procedure to configure default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions.
Assumption
A virtual server has been configured. See Configuring Virtual Servers, page 3-2 for information on
configuring a virtual server.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers
table appears.
Step 2
Select the virtual server you want to configure for default Layer 7 load balancing, then click Edit. The
Virtual Server configuration screen appears.
Step 3
Click Default L7 Load-Balancing Action. The Default L7 Load-Balancing Action configuration pane
appears.
Step 4
In the Primary Action field, indicate the default action the virtual server is to take in response to client requests for content when specified match conditions are not met:
• Drop—Indicates that client requests that do not meet specified match conditions are to be discarded. Continue with Step 7.
• Forward—Indicates that client requests that do not meet specified match conditions are to be forwarded without performing load balancing on the requests. Continue with Step 7.
• Load Balance—Indicates that client requests for content are to be directed to a server farm. If you select Load Balance, server farm, backup server farm, and sticky configuration options appear. Continue with Step 5.
• Sticky—Client requests for content are handled by a sticky group when match conditions are met. Continue with Step 6.
Step 5
If you select Load Balance as the primary action, you can configure load balancing using a server farm, a server farm/backup server farm pair, an existing sticky group, or a new sticky group.
Note
If you select an existing object in any of these scenarios, you can view, modify, or duplicate the
selected object’s existing configuration. See Shared Objects and Virtual Servers, page 3-9 for
more information about modifying shared objects in virtual servers.
Configure load-balancing using the information in Table 3-10.
Step 6
(Optional) If you chose Sticky as the primary action, in the Sticky Group field, choose an existing sticky
group or click *New* to add a new sticky group (see Table 3-13).
Note
If you chose an existing sticky group, you can view, modify, or duplicate the selected object’s existing configuration. See the “Shared Objects and Virtual Servers” section on page 3-9 for more information about modifying shared objects in virtual servers.
Step 7
In the Compression Method field, select the HTTP compression method to indicate how the ACE appliance is to compress packets when a client request indicates that the client browser is capable of packet compression. By default, HTTP compression is disabled in the ACE. When you configure HTTP compression using the ACE, the appliance compresses data in the HTTP GET responses from the real servers. The ACE does not compress HTTP requests from clients or the HTTP headers in the server responses.
Note
By default, the ACE supports HTTP compression at rates of 100 megabits per second (Mbps).
Installing an optional HTTP compression license allows you to increase this value to a maximum
of 2 Gbps. See the Cisco 4700 Series Application Control Engine Appliance Administration
Guide for information on ACE licensing options.
Options include:
• Deflate—Specifies the deflate compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Deflate is the data format for compression described in RFC1951.
• Gzip—Specifies the gzip compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Gzip is the file format for compression described in RFC1952.
• N/A—HTTP compression is disabled.
When configuring HTTP compression, we recommend that you exclude the following MIME types from
HTTP compression: “.*gif”, “.*css”, “.*js”, “.*class”, “.*jar”, “.*cab”, “.*txt”, “.*ps”, “.*vbs”, “.*xsl”,
“.*xml”, “.*pdf”, “.*swf”, “.*jpg”, “.*jpeg”, “.*jpe”, or “.*png”.
Note
If you enable the Gzip or Deflate compression format, the DM GUI automatically inserts a L7
Load Balance Primary Action to exclude the MIME types listed above. However, if you disable
HTTP compression later on, you will need to remove the auto-inserted Load Balance Primary
Action.
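The compression decision described in this step and in Step 9 of the Layer 7 load-balancing procedure (page 3-49), as one added Python example that serves both: which coding the Compression Method setting selects when the browser offers both deflate and gzip, the GET-only and text/* restrictions, the 512-byte minimum, and the recommended MIME-type exclusion list. This is not code from the guide or from the ACE software. The defaults and the exclusion list come from the text; treating the exclusion entries as anchored regular expressions applied to the request path is an assumption, as is the parameter-map representation.

```python
import gzip
import re
import zlib

# Default compression parameter values stated in this step.
DEFAULT_MIME_TYPE = "text/*"
DEFAULT_MIN_SIZE = 512

# MIME types the guide recommends excluding from HTTP compression.
RECOMMENDED_EXCLUDES = [".*gif", ".*css", ".*js", ".*class", ".*jar", ".*cab", ".*txt",
                        ".*ps", ".*vbs", ".*xsl", ".*xml", ".*pdf", ".*swf", ".*jpg",
                        ".*jpeg", ".*jpe", ".*png"]


def client_encodings(accept_encoding):
    """Parse the client's Accept-Encoding header into the set of offered codings."""
    return {tok.split(";")[0].strip().lower()
            for tok in (accept_encoding or "").split(",") if tok.strip()}


def choose_method(accept_encoding, configured):
    """Pick the coding to use. `configured` is the Compression Method field
    ("Deflate", "Gzip" or "N/A"): it only decides the tie-break when the browser
    offers both deflate and gzip; otherwise whichever of the two is offered is used."""
    if configured == "N/A":
        return None
    offered = client_encodings(accept_encoding) & {"gzip", "deflate"}
    if len(offered) == 2:
        return configured.lower()
    return next(iter(offered), None)


def mime_allowed(content_type, mime_type=DEFAULT_MIME_TYPE):
    """Match a response Content-Type against a type/subtype pattern such as text/*."""
    major = content_type.split(";")[0].strip().lower()
    want_type, want_sub = mime_type.lower().split("/", 1)
    got_type, _, got_sub = major.partition("/")
    return got_type == want_type and (want_sub == "*" or got_sub == want_sub)


def should_compress(configured, accept_encoding, request_method, url_path,
                    content_type, body_len, excludes=RECOMMENDED_EXCLUDES,
                    mime_type=DEFAULT_MIME_TYPE, min_size=DEFAULT_MIN_SIZE):
    """Return the coding to apply to this response, or None if it must stay uncompressed."""
    method = choose_method(accept_encoding, configured)
    if method is None or request_method != "GET":   # only GET responses are compressed
        return None
    if not mime_allowed(content_type, mime_type) or body_len < min_size:
        return None
    # Assumption: exclusion entries are anchored regexes applied to the request path
    # (".*gif", ".*js" and so on read like file-extension patterns).
    if any(re.fullmatch(p, url_path) for p in excludes):
        return None
    return method


def compress_body(body, method):
    if method == "gzip":
        return gzip.compress(body)   # RFC1952 gzip container
    if method == "deflate":
        # RFC1951 deflate data inside the zlib wrapper that HTTP "deflate" expects.
        return zlib.compress(body)
    raise ValueError("unknown compression method")


def decompress_body(data, method):
    if method == "gzip":
        return gzip.decompress(data)
    if method == "deflate":
        return zlib.decompress(data)
    raise ValueError("unknown compression method")
```

The exclusion list matters operationally as well as for performance: compressing already-compressed images wastes CPU on the appliance, and the 512-byte floor keeps tiny responses from growing after the gzip or zlib header is added.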
When you enable HTTP compression, the ACE compresses the packets using the following default compression parameter values:
• Mime type—All text formats (text/*).
• Minimum size—512 bytes.
• User agent—None.
Step 8
In the SSL Initiation field, select an existing service, or select *New* to create a new service. SSL initiation allows the virtual server to act as an SSL proxy client to initiate and maintain an SSL connection between itself and an SSL server. In this particular application, the ACE receives clear text from an HTTP client, and encrypts and transmits the data as ciphertext to the SSL server. On the reverse side, the ACE decrypts the ciphertext that it receives from the SSL server and sends the data to the client as clear text.
Note
The SSL Initiation field appears only in the Advanced View, and when TCP is the selected
protocol and Other, HTTP, or HTTPS is the application protocol.
• If you select an existing SSL service, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
• If you select *New*, configure the service using the information in Table 3-14.
For more information about SSL, see Configuring SSL, page 7-1.
Step 9
In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using
the format header_name=header_value where:
• header_name represents the name of the HTTP header to insert in the client HTTP request. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a predefined header or any custom header name provided that it does not exceed the maximum length limit.
• header_value represents the expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched.
Table 10-31 lists the supported characters that you can use in regular expressions.
For example, you might enter Host=www.cisco.com.
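A parser and validator for Insert HTTP Headers entries, serving both this step and Step 11 of the Layer 7 load-balancing procedure (page 3-50), as an added Python example; it is not code from the guide or from the ACE software. The length limits, the header_name=header_value format, the rule that spaces in the value must be escaped or quoted, and the all-headers-must-match rule come from the text. Allowing a hyphen in the header name, using Python's re module in place of the ACE expression syntax of Table 10-31, and matching the full header value are assumptions.

```python
import re

MAX_NAME_LEN = 64
MAX_VALUE_LEN = 255


def parse_header_entry(entry):
    """Parse one Insert HTTP Headers entry of the form header_name=header_value.

    Returns (name, value, compiled_regex). The value may be quoted, or contain
    spaces escaped with a backslash; an unescaped, unquoted space is rejected.
    Python's re module stands in for the ACE expression syntax (assumption)."""
    if "=" not in entry:
        raise ValueError("entry must use the format header_name=header_value")
    name, value = entry.split("=", 1)
    # Assumption: hyphens are accepted in the name since real header names use them.
    if not name or len(name) > MAX_NAME_LEN or not re.fullmatch(r"[A-Za-z0-9-]+", name):
        raise ValueError("header_name: up to 64 characters, no spaces")
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("header_value: up to 255 characters")
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]                      # quoted: spaces allowed as-is
    elif re.search(r"(?<!\\) ", value):
        raise ValueError("unquoted spaces in header_value must be escaped")
    else:
        value = value.replace("\\ ", " ")        # unescape "\ " to a plain space
    try:
        pattern = re.compile(value)
    except re.error as exc:
        raise ValueError(f"header_value is not a valid expression: {exc}")
    return name, value, pattern


def parse_header_map(entries):
    """Parse every entry; any invalid entry rejects the whole map."""
    return [parse_header_entry(e) for e in entries]


def header_map_matches(header_map, request_headers):
    """All headers in the map must match. Header names are compared
    case-insensitively; values must match the whole expression (assumption)."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    for name, _value, pattern in header_map:
        actual = headers.get(name.lower())
        if actual is None or not pattern.fullmatch(actual):
            return False
    return True
```

Validating entries before they reach the device avoids deploying a map that silently never matches; note that "." in Host=www.cisco.com is a regular-expression wildcard, so an exact literal match needs the dots escaped.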
Step 10
When you finish configuring virtual server properties, click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.
Related Topics
• Configuring Virtual Server Properties, page 3-11
• Configuring Virtual Server SSL Termination, page 3-17
• Configuring Virtual Server Protocol Inspection, page 3-19
• Configuring Virtual Server Layer 7 Load Balancing, page 3-29
Configuring Application Acceleration and Optimization
The ACE appliance includes configuration options that allow you to accelerate enterprise applications,
resulting in increased employee productivity, enhanced customer retention, and increased online
revenues. The application acceleration functions of the ACE appliance apply several optimization
technologies to accelerate Web application performance. The application acceleration functionality in
the ACE appliance enables enterprises to optimize network performance and improve access to critical
business information. This capability accelerates the performance of Web applications, including
customer relationship management (CRM), portals, and online collaboration by up to 10 times.
Refer to Configuring Application Acceleration and Optimization, page 11-1 or the Cisco 4700 Series
Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide
for more information about application acceleration and optimization.
Use this procedure to configure acceleration and optimization on virtual servers.
Assumption
A virtual server has been configured. See Configuring Virtual Servers, page 3-2 for information on
configuring a virtual server.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers
table appears.
Step 2
Select the virtual server you want to configure for optimization, then click Edit. The Virtual Server
configuration screen appears.
Step 3
Click Application Acceleration And Optimization. The Application Acceleration And Optimization
configuration pane appears.
Step 4
In the Configuration field, indicate the method you want to use to configure application acceleration and optimization:
• EZ—Indicates that you want to use standard acceleration and optimization options. Continue with Step 5.
• Custom—Indicates that you want to associate specific match criteria, actions, and parameter maps for application acceleration and optimization for this virtual server. If you choose this option, continue with Step 6.
Step 5
If you select EZ, the Latency Optimization (FlashForward) and Bandwidth Optimization (Delta) fields appear.
a. Check the Latency Optimization (FlashForward) check box to indicate that the ACE appliance is to use bandwidth reduction and download acceleration techniques to objects embedded within HTML pages. Clear this check box to indicate that the ACE appliance is not to employ these techniques to objects embedded within HTML pages. Latency optimization corresponds to FlashForward functionality. For more information about FlashForward functionality, see Optimization Overview, page 11-2.
b. Check the Bandwidth Optimization (Delta) check box to indicate that the ACE appliance is to dynamically update client browser caches with content differences, or deltas. Clear this check box to indicate that the ACE appliance is not to dynamically update client browser caches. Bandwidth optimization corresponds to action list Delta optimization. For more information about Delta optimization, see Optimization Overview, page 11-2 and Configuring an HTTP Optimization Action List, page 11-3.
c. Continue with Step 11.
Step 6
If you select Custom, the Actions configuration pane appears with a table listing match criteria and
actions. Click Add to add an entry to this table, or select an existing entry, then click Edit to modify it.
The configuration subset refreshes with the available configuration options.
Step 7
In the Apply Template field, select one of the configuration templates for the type of optimization you
want to configure, or leave blank to configure optimization without a template:
• Bandwidth Optimization—Maximizes bandwidth for Web-based traffic.
• Latency Optimization For Embedded Objects—Reduces the latency associated with embedded objects in Web-based traffic.
• Latency Optimization For Embedded Images—Reduces the latency associated with embedded images in Web-based traffic.
• Latency Optimization For Containers—Reduces the latency associated with Web containers.
If you do not select a template and select *New* in the Rule Match and Actions fields, you are creating
your own optimization rules and actions.
Step 8
In the Rule Match field, select an existing class map or click *New* to specify new match criteria:
• If you select an existing class map, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
• If you click *New*, the screen refreshes with the default configuration settings for the template you selected. You can accept the default settings or modify them using the information in Table 3-15.
Table 3-15 Optimization Rule Match Configuration Options

Name
  Enter a unique name for this match criteria rule.
Matches
  Select the method to be used to evaluate multiple match statements when multiple match conditions exist:
  • Any—A match exists if at least one of the match conditions is satisfied.
  • All—A match exists only if all match conditions are satisfied.
Conditions
  Click Add to add a new set of conditions or select an existing entry, then click Edit to modify it:
  1. In the Type field, select the match condition to be used, then configure any condition-specific options using the information in Table 3-9.
  2. Click OK to save your entries, or Cancel to exit this procedure without saving your entries.

Step 9
In the Actions field, select an existing action list to use for optimization or click *New* to create a new action list.
• If you select an existing optimization action list, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers, page 3-9 for more information about modifying shared objects.
• If you click *New*, the screen refreshes with the default configuration settings for the template you selected. You can accept the default settings or modify them using the information in Table 3-16.

Table 3-16 Optimization Action List Configuration Options

Action List Name
  Enter a unique name for the optimization action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.
Enable Delta
  Delta optimization dynamically updates client browser caches directly with content differences, or deltas, resulting in faster page downloads.
  Check this check box to enable delta optimization for the specified URLs.
  Clear this check box to disable delta optimization for the specified URLs.
  Note
  The ACE restricts you from enabling delta optimization if you have previously specified either Cache Dynamic or Dynamic Entity Tag.
Enable AppScope
  AppScope runs on the Management Console of the optional Cisco AVS 3180A Management Station and measures end-to-end application performance.
  Check this check box to enable AppScope performance monitoring for use with the ACE appliance.
  Clear this check box to disable AppScope performance monitoring for use with the ACE appliance.
Flash Forward
  The FlashForward feature reduces bandwidth usage and accelerates embedded object downloading by combining local object storage with dynamic renaming of embedded objects, thereby enforcing object freshness within the parent HTML page.
  Specify how the ACE appliance is to implement FlashForward:
  • N/A—Indicates that this feature is not enabled.
  • Flash Forward—Indicates that FlashForward is to be enabled for the specified URLs and that embedded objects are to be transformed.
  • Flash Forward Object—Indicates that FlashForward static caching is to be enabled for the objects that the corresponding URLs refer to, such as Cascading Style Sheets (CSS), JPEG, and GIF files.
Cache Dynamic
  Check this check box to enable Adaptive Dynamic Caching for the specified URLs even if the expiration settings in the response indicate that the content is dynamic. The expiration of cache objects is controlled by the cache expiration settings based on time or server load.
  Clear this check box to disable this feature.
  Note
  The ACE restricts you from enabling Cache Dynamic if you have previously specified either Enable Delta or Dynamic Entity Tag.
Cache Forward
  Check this check box to enable the cache forward feature for the corresponding URLs. Cache forward allows the ACE to serve the object from its cache (static or dynamic) even when the object has expired if the maximum cache TTL time period has not yet expired (set by specifying the Cache Time-To-Live Duration (%) field in an Optimization parameter map). At the same time, the ACE sends an asynchronous request to the origin server to refresh its cache of the object.
  Clear this check box to disable this feature.
Dynamic Entity Tag
  This feature enables the acceleration of noncacheable embedded objects, which results in improved application response time. When enabled, this feature eliminates the need for users to download noncacheable objects on each request.
  Check this check box to indicate that the ACE appliance is to implement just-in-time object acceleration for noncacheable embedded objects.
  Clear this check box to disable this feature.
  Note
  The ACE restricts you from enabling Dynamic Entity Tag if you have previously specified either Enable Delta or Cache Dynamic.
Fine Tune Optimization Parameters
  Click this header to configure additional optimization attributes. When expanded, the configuration pane displays options specific to the type of optimization you are configuring and features that you enable. Refer to Table 6-6 for information about specific options that appear.

Step 10
When you finish configuring match criteria and actions, click:
• OK to save your entries and to return to the Rule Match and Actions table.
• Cancel to exit this procedure without saving your entries and to return to the Rule Match and Actions table.
Step 11
When you finish configuring virtual server properties, click:
• Deploy Now to save your entries. The ACE appliance validates the optimization action list
configuration and deploys it on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.
Related Topics
• Configuring Virtual Server Properties, page 3-11
• Optimization Traffic Policies and Typical Configuration Flow, page 11-2
• Configuring Traffic Policies for HTTP Optimization, page 11-6
• Configuring Virtual Server Protocol Inspection, page 3-19
• Configuring Virtual Server Layer 7 Load Balancing, page 3-29
• Configuring Virtual Server Default Layer 7 Load Balancing, page 3-51
Configuring Virtual Server NAT
Use this procedure to configure Network Address Translation (NAT) for virtual servers.
Assumptions
• A virtual server has been configured. See Configuring Virtual Servers, page 3-2 for information on
configuring a virtual server.
• A VLAN has been configured. See Configuring Virtual Context VLAN Interfaces, page 8-8 for
information on configuring a VLAN interface.
• At least one NAT pool has been configured on a VLAN interface. See Configuring VLAN Interface
NAT Pools, page 8-17 for information on configuring a NAT pool.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers
table appears.
Step 2
Select the virtual server you want to configure for NAT, then click Edit. The Virtual Server configuration
screen appears.
Step 3
Click NAT. The NAT table appears.
Step 4
Click Add to add an entry, or select an existing entry, then click Edit to modify it.
Step 5
In the VLAN field, select the VLAN on which you want to use NAT. For more information about NAT, see
Configuring VLAN Interface NAT Pools, page 8-17.
Step 6
In the NAT Pool ID field, select the NAT pool that you want to associate with the selected VLAN.
Step 7
Click:
• OK to save your entries and to return to the NAT table. The NAT table refreshes with the new entry.
• Cancel to exit the procedure without saving your entries and to return to the NAT table.
Step 8
When you finish configuring virtual server properties, click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.
Related Topics
• Configuring Virtual Servers, page 3-2
• Configuring Virtual Server Properties, page 3-11
• Configuring Virtual Server SSL Termination, page 3-17
• Configuring Virtual Server Protocol Inspection, page 3-19
• Configuring Virtual Server Layer 7 Load Balancing, page 3-29
• Configuring Virtual Server Default Layer 7 Load Balancing, page 3-51
Managing Virtual Servers
After you have created a virtual server, the following options are available:
Task / Related Topic
Modify a virtual server configuration: Configuring Virtual Servers, page 3-2
List virtual servers by virtual context: Viewing Virtual Servers by Context, page 3-59
Activate a virtual server: Activating Virtual Servers, page 3-60
Suspend a virtual server: Suspending Virtual Servers, page 3-60
View detailed information about a virtual server and its configured state: Viewing Detailed Virtual
Server Information, page 3-61
Viewing Virtual Servers by Context
Use this procedure to view all virtual servers associated with a virtual context.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the context associated with the virtual servers you want to view, then select Load Balancing >
Virtual Servers. The Virtual Servers table appears with the following information:
• Virtual server name
• Configured state, such as Inservice
• Virtual IP address
• Port
• Associated VLANs
• Associated server farms
• Virtual context name
Related Topics
• Configuring Virtual Servers, page 3-2
• Managing Virtual Servers, page 3-59
Activating Virtual Servers
Use this procedure to activate a virtual server.
Procedure
Step 1
Select Config > Operations > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the server that you want to activate, then click Activate. The server is activated and the screen
refreshes with updated information in the Configured State column.
Related Topics
• Managing Virtual Servers, page 3-59
• Viewing All Virtual Servers, page 3-61
• Suspending Virtual Servers, page 3-60
Suspending Virtual Servers
Use this procedure to suspend a virtual server.
Procedure
Step 1
Select Config > Operations > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the virtual server that you want to suspend, then click Suspend. The Suspend Virtual Server
screen appears.
Step 3
In the Reason field, enter the reason for this action. You might enter a trouble ticket, an order ticket, or
a user message. Do not enter a password in this field.
Step 4
Click:
• Deploy Now to deploy this configuration. The virtual server is taken out of service and the Device
Manager returns to the Virtual Servers table. The screen refreshes with updated information in the
Oper State column.
• Cancel to exit this procedure without suspending the virtual server and to return to the Virtual
Servers table.
Related Topics
• Managing Virtual Servers, page 3-59
• Viewing All Virtual Servers, page 3-61
• Activating Virtual Servers, page 3-60
Viewing Detailed Virtual Server Information
Use this procedure to view detailed information about the state of a virtual server.
Procedure
Step 1
Select Config > Operations > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the virtual server whose configuration details you want to view, then click Details. The Details
window appears with the following information:
• Current operational status
• Description, if one was entered
• Configured interfaces, such as VLANs
• Configured service policies including:
– Configured class maps, detailed by type (such as load balancing or inspection)
– States of configured options, indicated by word (ACTIVE, DISABLED, OUTOFSERVICE) and color
(green, orange/yellow, and red)
– Associated policy maps with details on their type and action (L7 loadbalance, serverfarm)
– Statistics regarding connections and counts
Related Topics
• Configuring Virtual Servers, page 3-2
• Managing Virtual Servers, page 3-59
Viewing All Virtual Servers
To view all virtual servers, select Config > Operations > Virtual Servers. The Virtual Servers table
appears with the following information for each server:
• Server name, grouped by virtual context
• Configured state
• IP address
• Port
• VLANs
• Server farms
• Virtual context
You can activate or suspend virtual servers from this table and obtain additional information about the
state of the virtual server.
Related Topics
• Activating Virtual Servers, page 3-60
• Suspending Virtual Servers, page 3-60
• Viewing Detailed Virtual Server Information, page 3-61
Chapter 4
Configuring Real Servers and Server Farms
This section provides an overview of server load balancing and procedures for configuring real servers
and server farms for load balancing on an ACE appliance.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
Topics include:
• Server Load Balancing Overview, page 4-1
• Configuring Real Servers, page 4-4
• Managing Real Servers, page 4-7
• Configuring Server Farms, page 4-11
• Configuring Health Monitoring, page 4-29
• Configuring Secure KAL-AP, page 4-55
Server Load Balancing Overview
Server load balancing (SLB) is the process of deciding to which server a load-balancing device should
send a client request for service. For example, a client request can consist of an HTTP GET for a Web
page or an FTP GET to download a file. The job of the load balancer is to select the server that can
successfully fulfill the client request and do so in the shortest amount of time without overloading either
the server or the server farm as a whole.
Depending on the load-balancing algorithm or predictor that you configure, the ACE appliance performs
a series of checks and calculations to determine the server that can best service each client request. The
ACE appliance bases server selection on several factors, including the server with the fewest connections
with respect to load, source or destination address, cookies, URLs, or HTTP headers.
The ACE Appliance Device Manager allows you to configure load balancing using:
• Virtual servers—See Configuring Virtual Servers, page 3-2.
• Real servers—See Configuring Real Servers, page 4-4.
• Server farms—See Configuring Server Farms, page 4-11.
• Sticky groups—See Configuring Sticky Groups, page 5-7.
• Parameter maps—See Configuring Parameter Maps, page 6-1.
For information about SLB as configured and performed by the ACE appliance, see:
• Configuring Virtual Servers, page 3-2
• Load-Balancing Predictors, page 4-2
• Real Servers, page 4-3
• Server Farms, page 4-4
• Configuring Health Monitoring, page 4-29
• TCL Scripts, page 4-30
• Configuring Stickiness, page 5-1
Load-Balancing Predictors
The ACE appliance uses the following predictors to select the best server to satisfy a client request:
• Hash Address—Selects the server using a hash value based on either the source or destination IP
address, or both. Use these predictors for firewall load balancing (FWLB).
Note
FWLB allows you to scale firewall protection by distributing traffic across multiple firewalls on
a per-connection basis. All packets belonging to a particular connection must go through the
same firewall. The firewall then allows or denies transmission of individual packets across its
interfaces. For more information about configuring FWLB on the ACE appliance, see the Cisco
4700 Series Application Control Engine Appliance Server Load-Balancing Configuration
Guide.
• Hash Content—Selects the server by using a hash value based on the specified content string of the
HTTP packet body.
• Hash Cookie—Selects the server using a hash value based on a cookie name.
• Hash Secondary Cookie—The ACE selects the server by using the hash value based on the specified
cookie name in the URL query string, not the cookie header.
• Hash Header—Selects the server using a hash value based on the HTTP header name.
• Hash Layer4—Selects the server using a Layer 4 generic protocol load-balancing method.
• Hash URL—Selects the server using a hash value based on the requested URL. You can specify a
beginning pattern and an ending pattern to match in the URL. Use this predictor method to
load-balance cache servers. Cache servers perform better with the URL hash method because you
can divide the contents of the caches evenly if the traffic is random enough. In a redundant
configuration, the cache servers continue to work even if the active ACE appliance switches over to
the standby ACE appliance. For information about configuring redundancy, see Configuring High
Availability, page 9-1.
• Least Bandwidth—Selects the server with the least amount of network traffic over a specified
sampling period. Use this type for server farms with heavy traffic, such as downloading video clips.
• Least Connections—Selects the server with the fewest number of active connections based on server
weight. For the least connections predictor, you can configure a slow-start mechanism to avoid
sending a high rate of new connections to servers that you have just put into service.
• Least Loaded—Selects the server with the lowest load as determined by information from SNMP
probes.
• Response—Selects the server with the lowest response time for a specific response-time
measurement.
• Round Robin—Selects the next server in the list of real servers based on server weight (weighted
round robin). Servers with a higher weight value receive a higher percentage of the connections. This
is the default predictor.
Note
The different hash predictor methods do not recognize the weight value that you configure for real
servers. The ACE uses the weight that you assign to real servers only in the round-robin and
least-connections predictor methods.
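To make the weight rule in the Note concrete, here is an added Python model (not Cisco code, and not the ACE's actual implementation, which this guide does not publish) of three predictor families: weighted round robin, weighted least connections, and Hash Address. The credit-based round robin, the connections-per-weight ratio, the class name RealServer and the use of SHA-256 as a stand-in hash are assumptions.

```python
"""Model of three ACE predictor families described above: weighted round
robin, weighted least connections, and Hash Address.

Added illustration, not Cisco code: this guide does not publish the ACE's
algorithms, so the credit-based round robin, the connections/weight ratio and
the SHA-256 stand-in hash are assumptions. The point it demonstrates is the
Note above: weight steers round robin and least connections, never a hash.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RealServer:
    name: str
    weight: int = 8            # Table 4-1: valid entries 1 to 100, default 8
    active_conns: int = 0
    credit: int = field(default=0, repr=False)   # round-robin bookkeeping


def weighted_round_robin(farm: List[RealServer]) -> RealServer:
    """Smooth weighted round robin: every call credits each server with its
    weight, picks the server holding the most credit and charges it the
    farm's total weight, so picks land in proportion to weight."""
    total = sum(s.weight for s in farm)
    for s in farm:
        s.credit += s.weight
    chosen = max(farm, key=lambda s: s.credit)
    chosen.credit -= total
    return chosen


def least_connections(farm: List[RealServer]) -> RealServer:
    """Least connections 'based on server weight': the server with the lowest
    active-connections-per-unit-of-weight ratio wins (assumed weighting rule)."""
    return min(farm, key=lambda s: s.active_conns / s.weight)


def hash_address(farm: List[RealServer], src_ip: str, dst_ip: str = "") -> RealServer:
    """Hash Address predictor: a deterministic pick from the source and/or
    destination IP, so one client (or one flow) always lands on the same
    server. Weight plays no part, as the Note above states."""
    digest = hashlib.sha256(f"{src_ip}|{dst_ip}".encode()).digest()
    return farm[int.from_bytes(digest[:4], "big") % len(farm)]


def distribution(farm: List[RealServer], picks: int) -> Dict[str, int]:
    """Count how many of `picks` weighted-round-robin selections each server gets."""
    counts = {s.name: 0 for s in farm}
    for _ in range(picks):
        counts[weighted_round_robin(farm).name] += 1
    return counts
```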
Related Topic
Configuring Health Monitoring, page 4-29
Real Servers
To provide services to clients, you configure real servers on the ACE appliance. Real servers are
dedicated physical servers that you typically configure in groups called server farms. These servers
provide client services such as HTTP or XML content, Web site hosting, FTP file uploads or downloads,
redirection for Web pages that have moved to another location, and so on. You identify real servers with
names and characterize them with IP addresses, connection limits, and weight values. The ACE
appliance also allows you to configure backup servers in case a server is taken out of service for any
reason.
After you create and name a real server on the ACE appliance, you can configure several parameters,
including connection limits, health probes, and weight. You can assign a weight to each real server based
on its relative importance to other servers in the server farm. The ACE appliance uses the server weight
value for the weighted round-robin and the least-connections load-balancing predictors. The
load-balancing predictor algorithms (for example, round-robin, least connections, and so on) determine
the servers to which the ACE appliance sends connection requests. For a listing and brief description of
the load-balancing predictors, see Load-Balancing Predictors, page 4-2.
The ACE appliance uses traffic classification maps (class maps) within policy maps to filter out
interesting traffic and to apply specific actions to that traffic based on the SLB configuration. You use
class maps to configure a virtual server address and definition.
If a primary real server fails, the ACE appliance takes that server out of service and no longer includes
it in load-balancing decisions. If you configured a backup server for the real server that failed, the ACE
appliance redirects the primary real server connections to the backup server. For information about
configuring a backup server, see Configuring Virtual Server Layer 7 Load Balancing, page 3-29.
The ACE appliance can take a real server out of service for the following reasons:
• Probe failure
• ARP timeout
• Specifying Out Of Service as the administrative state of a real server
• Specifying In Service Standby as the administrative state of a real server
The Out Of Service and In Service Standby selections both provide the graceful shutdown of a server.
Related Topics
• Configuring Real Servers, page 4-4
• Configuring Health Monitoring for Real Servers, page 4-31
Server Farms
Typically, in data centers, servers are organized into related groups called server farms. Servers within
server farms often contain identical content (referred to as mirrored content) so that if one server
becomes inoperative, another server can take its place immediately. Also, having mirrored content
allows several servers to share the load of increased demand during important local or international
events, such as the Olympic Games. This phenomenon of a sudden large demand for content is called a
flash crowd.
After you create and name a server farm, you can add existing real servers to it and configure other server
farm parameters, such as the load-balancing predictor, server weight, backup server, health probe, and
so on. For a listing and brief description of load-balancing predictors, see Load-Balancing Predictors,
page 4-2.
Related Topic
Configuring Server Farms, page 4-11
Configuring Real Servers
Real servers are dedicated physical servers that are typically configured in groups called server farms.
These servers provide services to clients, such as HTTP or XML content, streaming media (video or
audio), TFTP or FTP services, and so on. When configuring real servers, you assign names to them and
specify IP addresses, connection limits, and weight values.
The ACE appliance uses traffic classification maps (class maps) within policy maps to filter specified
traffic and to apply specific actions to that traffic based on the load-balancing configuration. A
load-balancing predictor algorithm (round-robin or least connections) determines the servers to which
the ACE appliance sends connection requests. For information about configuring class maps, see
Configuring Virtual Context Class Maps, page 10-8.
Use this procedure to configure load balancing on real servers.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Real Servers. The Real Servers table
appears.
Step 2
Click Add to add a new real server, or select a real server you want to modify, then click Edit. The Real
Servers configuration screen appears.
Step 3
Configure the server using the information in Table 4-1.
Table 4-1
Real Server Attributes
Field
Description
Name
Either accept the automatically incremented value in this field, or enter a
unique name for this server. Valid entries are unquoted text strings with no
spaces and a maximum of 64 characters.
Type
Select the type of server:
• Host—Indicates that this is a typical real server that provides content
and services to clients.
• Redirect—Indicates that this server is used to redirect traffic to a new
location.
State
Select the state of this real server:
• In Service—The real server is in service.
• Out Of Service—The real server is out of service.
Description
Enter a brief description for this real server. Valid entries are unquoted
alphanumeric text strings with no spaces and a maximum of 240 characters.
IP Address
This field appears only for real servers specified as hosts.
Enter a unique IP address in dotted-decimal format (such as 192.168.11.1).
The IP address cannot be an existing virtual IP address (VIP).
Fail-On-All
This field appears only for real servers identified as host servers.
By default, real servers with multiple probes configured for them have an OR
logic associated with them. This means that if one of the real server probes
fails, the real server fails and enters the PROBE-FAILED state.
Check this check box to configure a real server to remain in the
OPERATIONAL state unless all probes associated with it fail (AND logic).
The Fail-On-All function is applicable to all probe types.
Min. Connections
Enter the minimum number of connections to be allowed on this server
before the ACE appliance starts sending connections again after it has
exceeded the Max. Connections limit. This value must be less than or equal
to the Max. Connections value. By default, this value is equal to the Max.
Connections value. Valid entries are integers from 1 to 4000000.
Max. Connections
Enter the maximum number of active connections allowed on this server.
When the number of connections exceeds this value, the ACE appliance
stops sending connections to this server until the number of connections falls
below the Min. Connections value. Valid entries are integers from 1 to
4000000, and the default is 4000000.
Weight
This field appears only for real servers identified as hosts.
Enter the weight to be assigned to this real server in a server farm. Valid
entries are integers from 1 to 100, and the default is 8.
Probes
This field appears only for real servers identified as hosts.
In the Probes field, select the probes that are to be used for health monitoring
in the list on the left, then click Add. The selected probes appear in the list
on the right.
To remove probes that you do not want to use for health monitoring, select
them in the list on the right, then click Remove. The selected probes appear
in the list on the left.
Web Host Redirection
URL string used to redirect requests to another server. This field appears
only for real servers identified as redirect servers. Enter the URL and port
used to redirect requests to another server.
Valid entries are in the form http://host.com:port where host is the name of
the server and port is the port to be used. Valid host entries are unquoted text
strings with no spaces and a maximum of 255 characters. Valid port
numbers are from 1 to 65535.
The relocation string supports the following special characters:
• %h—Inserts the hostname from the request Host header
• %p—Inserts the URL path string from the request
Redirection Code
This field appears only for real servers identified as redirect servers.
Select the appropriate redirection code:
• N/A—Indicates that the webhost redirection code is not defined.
• 301—Indicates that the requested resource has been moved
permanently. For future references to this resource, the client should use
one of the returned URIs.
• 302—Indicates that the requested resource has been found, but has been
moved temporarily to another location. For future references to this
resource, the client should use the request URI because the resource may
be moved to other locations from time to time.
Rate Bandwidth
The bandwidth rate is the number of bytes per second and applies to the
network traffic exchanged between the ACE and the real server in both
directions.
Specify the real server bandwidth limit in bytes per second. Valid entries are
integers from 1 to 300000000.
Rate Connection
The connection rate is the number of connections per second received by the
ACE and applies only to new connections destined to a real server.
Specify the limit for connections per second. Valid entries are integers from
1 to 350000.
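As an added illustration (not Cisco code), the following Python model applies the Fail-On-All, Max./Min. Connections and Web Host Redirection rules from Table 4-1 and reports state names taken from Table 4-2. The class HostRealServer, the function redirect_response and the exact threshold behaviour (throttle on reaching Max., resume only below Min.) are assumptions, since the table describes the fields but not the device's internal logic.

```python
"""Model of the Table 4-1 real server attributes in action.

Added illustration, not Cisco code: the Fail-On-All rule, the Max./Min.
Connections hysteresis and the %h/%p relocation substitution follow the field
descriptions above and state names come from Table 4-2; the exact thresholds
(throttle at Max., resume below Min.) and the class/function names are assumed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_CONNECTIONS_LIMIT = 4_000_000          # Table 4-1: valid entries 1 to 4000000
# http://host.com:port, optionally followed by the path that %p inserted.
LOCATION_RE = re.compile(r"^http://([^\s/:]{1,255})(?::(\d{1,5}))?(/.*)?$")


@dataclass
class HostRealServer:
    """A real server of type Host: health probes plus connection limits."""
    name: str
    admin_state: str = "In Service"        # or "Out Of Service", "In Service Standby"
    fail_on_all: bool = False              # Table 4-1 check box: AND logic when set
    max_connections: int = MAX_CONNECTIONS_LIMIT
    min_connections: Optional[int] = None  # defaults to max_connections
    probe_results: Dict[str, bool] = field(default_factory=dict)  # probe -> passed?
    active_connections: int = 0
    throttled: bool = field(default=False, init=False)

    def __post_init__(self) -> None:
        if self.min_connections is None:
            self.min_connections = self.max_connections
        if not 1 <= self.max_connections <= MAX_CONNECTIONS_LIMIT:
            raise ValueError("Max. Connections must be 1 to 4000000")
        if not 1 <= self.min_connections <= self.max_connections:
            raise ValueError("Min. Connections must be 1 to Max. Connections")

    def probes_failed(self) -> bool:
        """Default OR logic: one failed probe fails the server.
        Fail-On-All: the server fails only when every probe fails."""
        if not self.probe_results:
            return False                   # no probes configured, nothing can fail
        failed = [not passed for passed in self.probe_results.values()]
        return all(failed) if self.fail_on_all else any(failed)

    def update_throttle(self) -> None:
        """Hysteresis: stop sending at Max. Connections, resume only once the
        count has fallen below Min. Connections (assumed boundary handling)."""
        if not self.throttled and self.active_connections >= self.max_connections:
            self.throttled = True
        elif self.throttled and self.active_connections < self.min_connections:
            self.throttled = False

    def operational_state(self) -> str:
        """Return the Table 4-2 state this server would show."""
        self.update_throttle()
        if self.admin_state == "Out Of Service":
            return "Out of service"
        if self.admin_state == "In Service Standby":
            return "Standby"
        if self.probes_failed():
            return "Probe failed"
        if self.throttled:
            return "Throttle: max connections"
        return "In service"


def redirect_response(relocation: str, code: int, request_host: str,
                      request_path: str) -> str:
    """Build the status line and Location header a Redirect real server would
    send: %h is replaced by the request Host header, %p by the request path.
    The substituted URL is checked against the http://host.com:port form so
    that a Host header that does not yield a well-formed URL is rejected."""
    if code not in (301, 302):
        raise ValueError("Redirection Code must be 301 or 302")
    location = relocation.replace("%h", request_host).replace("%p", request_path)
    m = LOCATION_RE.match(location)
    if not m or (m.group(2) and not 1 <= int(m.group(2)) <= 65535):
        raise ValueError("relocation string is not of the form http://host.com:port")
    reason = "Moved Permanently" if code == 301 else "Found"
    return f"HTTP/1.1 {code} {reason}\r\nLocation: {location}\r\n\r\n"
```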
Step 4
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries and to return to the Real Servers table.
• Next to save your entries and to configure another real server.
Related Topics
• Configuring Health Monitoring for Real Servers, page 4-31
• Configuring Server Farms, page 4-11
• Configuring Sticky Groups, page 5-7
Managing Real Servers
The Real Servers table (Config > Operations > Real Servers) provides the following information by
default for each server:
• Server name
• IP address
• Port
• Admin State (In Service, Out Of Service, or In Service Standby)
• Operational state (See Table 4-2 for descriptions of real server operational states.)
• Number of current connections
• Current server weight
• Associated server farm
• Associated virtual server
• Owner, such as the associated virtual context
In the table, Disabled indicates that either the information is not available from the database or that it is
not being collected via SNMP. To identify any SNMP-related issues, select the real server’s virtual
context in the object selector. If there are problems with SNMP, SNMP status will appear in the upper
right above the content pane.
The following options are available from the Real Servers table:
• Activating Real Servers, page 4-8
• Suspending Real Servers, page 4-8
• Modifying Real Servers, page 4-9
• Viewing All Real Servers, page 4-10
Activating Real Servers
Use this procedure to activate a real server.
Procedure
Step 1
Select Config > Operations > Real Servers. The Real Servers table appears.
Step 2
Select the servers that you want to activate, then click Activate. The Activate Server screen appears.
Step 3
In the Task field, confirm that this is the server that you want to activate.
Step 4
In the Reason field, enter a reason for this action. You might enter a trouble ticket, an order ticket, or a
user message. Do not enter a password in this field.
Step 5
Click:
• Deploy Now to deploy this configuration and to return to the Real Servers table. The server appears
in the table with the status Inservice.
• Cancel to exit this procedure without activating the server and to return to the Real Servers table.
Related Topics
• Managing Real Servers, page 4-7
• Suspending Real Servers, page 4-8
• Viewing All Real Servers, page 4-10
Suspending Real Servers
Use this procedure to suspend a real server.
Procedure
Step 1
Select Config > Operations > Real Servers. The Real Servers table appears.
Step 2
Select the server that you want to suspend, then click Suspend. The Suspend Server screen appears.
Step 3
In the Reason field, enter the reason for this action. You might enter a trouble ticket, an order ticket, or
a user message. Do not enter a password in this field.
Step 4
Select one of the following from the Type pulldown menu:
• Graceful
• Suspend
• Suspend and Clear Connections to clear the existing connections to this server as part of the
shutdown process
Step 5
Click:
• Deploy Now to deploy this configuration and to return to the Real Servers table. The server appears
in the table with the status Out Of Service.
• Cancel to exit this procedure without suspending the server and to return to the Real Servers table.
Related Topics
• Managing Real Servers, page 4-7
• Activating Real Servers, page 4-8
• Viewing All Real Servers, page 4-10
Modifying Real Servers
Use this procedure to modify weight and connection limits for real servers.
Procedure
Step 1
Select the servers whose configuration you want to modify, then click Change Weight below the table
to the right of Activate and Suspend. The Change Weight Real Servers window appears.
Step 2
Enter the following information for the selected server:
• Reason for change—Such as trouble ticket, order ticket, or user message. Do not enter a password
in this field.
• Weight—Select a value from 1 to 100.
Step 3
Click:
• Deploy Now to accept your entries and to return to the Real Servers table. The server appears in the
table with the updated information.
• Cancel to exit this procedure without saving your entries and to return to the Real Servers table.
Related Topics
• Managing Real Servers, page 4-7
• Activating Real Servers, page 4-8
• Viewing All Real Servers, page 4-10
Viewing All Real Servers
To view all real servers, select Config > Operations > Real Servers. The Real Servers table displays
the following information by default:
• Real server name
• IP address
• Port
• Admin state (In Service, Out Of Service, or In Service Standby)
• Operational state (see Table 4-2 for descriptions of real server operational states)
• Number of current connections
• Current server weight
• Associated server farm
• Associated virtual servers
• Owner, such as the associated virtual context
In the table, Disabled indicates that either the information is not available from the database or that it is
not being collected via SNMP. To identify any SNMP-related issues, select the real server’s virtual
context in the object selector. If there are problems with SNMP, SNMP status will appear in the upper
right above the content pane.
Table 4-2
Real Server Operational States
State
Description
ARP Failed
An ARP request to this server has failed.
Failed
The server has failed and will not be retried for the amount of time specified
by its retry timer.
Inactive
The server is disabled as it has become inactive such as in the case when the
real server is not associated to any server farm.
Inband probe failed
The server has failed the inband Health Probe agent.
In service
The server is in use as a destination for server load balancing client
connections.
Max. Load
The server is under maximum load and cannot receive any additional
connections.
Operation wait
The server is ready to become operational but is waiting for the associated
redirect virtual server to be in service.
Out of service
The server is not in use by a server load balancer as a destination for client
connections.
Probe failed
The server load-balancing probe to this server has failed. No new
connections will be assigned to this server until a probe to this server
succeeds.
Probe testing
The server has received a test probe from the server load balancer.
Ready to test
The server has failed and its retry timer has expired; test connections will
begin flowing to it soon.
Return code failed
The server has been disabled because it returned an HTTP code that matched
a configured value.
Standby
The server is in standby state. No connections will be assigned to it unless
the primary server fails.
Test wait
The server is ready to be tested. This state is applicable only when the server
is used for HTTP redirect load balancing.
Testing
The server has failed and has been given another test connection. The
success of this connection is not known.
Throttle: DFP
DFP has lowered the weight of the server to throttle level; no new
connections will be assigned to the server until DFP raises its weight.
Throttle: max clients
The server has reached its maximum number of allowed clients.
Throttle: max connections
The server has reached its maximum number of connections and is no longer
being given connections.
Unknown
The state of the server is not known.
Related Topics
• Activating Real Servers, page 4-8
• Suspending Real Servers, page 4-8
• Modifying Real Servers, page 4-9
Configuring Server Farms
Server farms are groups of networked real servers that contain the same content and that typically reside
in the same physical location in a data center. Web sites often comprise groups of servers configured in
a server farm. Load-balancing software distributes client requests for content or services among the real
servers based on the configured policy and traffic classification, server availability and load, and other
factors. If one server goes down, another server can take its place and continue to provide the same
content to the clients who requested it.
Use this procedure to configure load balancing on server farms.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms
table appears.
Step 2
Click Add to add a new server farm, or select an existing server farm, then click Edit. The Server Farms
configuration screen appears.
Step 3
Enter the server farm attributes (see Table 4-3).
Table 4-3
Server Farm Attributes
Field
Description
Name
Either accept the automatically incremented value in this field, or enter a unique name for this server
farm. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Type
Select the type of server farm:
• Host—Indicates that this is a typical server farm that consists of real servers that provide
content and services to clients.
• Redirect—Indicates that this server farm consists only of real servers that redirect client
requests to alternate locations specified in the real server configuration. (See Configuring Real
Servers, page 4-4.)
Description
Enter a brief description for this server farm. Valid entries are unquoted alphanumeric text strings
with no spaces and a maximum of 240 characters.
Fail Action
Select the action the ACE appliance is to take with respect to existing connections if any real server in the
server farm fails:
• N/A—Indicates that the ACE appliance is to take no action if any server in the server farm fails.
• Purge—Indicates that the ACE appliance is to remove connections to a real server if that real
server in the server farm fails. The ACE appliance sends a TCP reset (RST) to both the client and
the server that failed.
• Reassign—Indicates that the ACE is to reassign the existing server connections to the backup real server (if
configured) if the real server fails after you select this option. If a backup real server has not
been configured for the failing server, this selection leaves the existing connections untouched
on the failing real server.
Failaction Reassign
Across Vlans
This field appears only when the Fail Action is set to Reassign.
Check the check box to specify that the ACE reassigns the existing server connections to the backup
real server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real
server fails. If a backup real server has not been configured for the failing server, this option has no
effect and leaves the existing connections untouched on the failing real server.
Note the following configuration requirements and restrictions when you enable this option:
• Enable the Transparent option (see the Transparent field in this table) to instruct the ACE not to use NAT to
translate the ACE VIP address to the server IP address. The Failaction Reassign Across Vlans
option is intended for use in stateful firewall load balancing (FWLB) on your ACE, where the
destination IP address of the connection coming in to the ACE is that of the end-point real server,
and the ACE reassigns the connection so that it is transmitted through a different next hop.
• Enable the MAC Sticky option on all server-side interfaces to ensure that packets going
to and coming from the same server in a flow traverse the same firewalls or stateful devices
(see the “Configuring Virtual Context VLAN Interfaces” section on page 8-8).
• Configure the Predictor Hash Address option. See the “Configuring the Predictor Method for
Server Farms” section on page 4-20 for the supported predictor methods and configurable
attributes for each predictor method.
• You must configure identical policies on the primary interface and the backup-server interface.
The backup interface must have the same feature configurations as the primary interface.
• If you configure a policy on the backup-server interface that is different from the policies on
the primary-server interface, that policy is effective only for new connections. A
reassigned connection always keeps the primary-server interface policies.
• Interface-specific features (for example, NAT, application protocol inspection, outbound ACLs,
or SYN cookie) are not supported.
• You cannot reassign connections back to the failed real server after it comes back up. This restriction
also applies to same-VLAN backup servers.
• Real servers must be directly connected to the ACE. This requirement also applies to
same-VLAN backup servers.
• You must disable TCP sequence number randomization on the firewall (see the “Configuring
Connection Parameter Maps” section on page 6-2).
• Probe configurations should be similar on both ACEs and the interval values should be low. For
example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2,
the reassigned connections may become stuck because of the probe configuration mismatch:
ACE-2 with the low interval value detects the primary server failure first and reassigns
all its incoming connections to the backup-server interface VLAN, while ACE-1 with the high
interval value may not detect the failure before the primary server comes back up and still
points to the primary server.
To minimize packet loss, we recommend the following probe parameter values on both ACEs:
Interval: 2, Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5.
Fail-On-All
This field appears only for host server farms.
By default, real servers that you configure in a server farm inherit the probes that you configure
directly on that server farm. When you configure multiple probes on a server farm, the real servers
in the server farm use OR logic with respect to the probes: if any one of the probes
configured on the server farm fails, all the real servers in that server farm fail and enter the
PROBE-FAILED state. With AND logic, if one server farm probe fails, the real servers in the server
farm remain in the OPERATIONAL state; only if all the probes associated with the server farm fail do all
the real servers in that server farm fail and enter the PROBE-FAILED state.
Check the check box to configure the real servers in a server farm to use AND logic with respect to
multiple server farm probes.
The Fail-On-All function is applicable to all probe types.
Inband-Health Check
This field appears only for host server farms.
By default, the ACE monitors the health of all real servers in a configuration through the use of
ARPs and health probes. However, there is a latency period between when the real server goes down
and when the ACE becomes aware of the state. The inband health monitoring feature allows the
ACE to monitor the health of the real servers in the server farm through the following connection
failures:
• For TCP, resets (RSTs) from the server or SYN timeouts.
• For UDP, ICMP Host, Network, Port, Protocol, and Source Route unreachable messages.
When you configure the failure-count threshold and the number of these failures exceeds the
threshold within the reset-time interval, the ACE immediately marks the server as failed, takes it
out of service, and removes it from load balancing. The server is not considered for load balancing
until the optional resume-service interval expires.
Choose one of the following:
• Count—Tracks the total number of TCP or UDP failures, and increments the counters as
displayed by the show serverfarm name inband CLI command.
• Log—Logs a syslog error message when the number of events reaches the configured
connection failure threshold.
• Remove—Logs a syslog error message when the number of events reaches the threshold and
removes the server from service.
Note
You can configure this feature and health probes to monitor a server. When you do, both are
required to keep a real server in service within a server farm. If either feature detects that a server
is out of service, the ACE does not select the server for load balancing.
Connection Failure
Threshold Count
This field appears only when the Inband-Health Check is set to Log or Remove.
Enter the maximum number of connection failures that a real server can exhibit in the reset-time
interval before the ACE marks the real server as failed. Valid entries are integers from 1 to 4294967295.
Reset Timeout
(Milliseconds)
This field appears only when the Inband-Health Check is set to Log or Remove.
Enter the number of milliseconds for the reset-time interval. Valid entries are integers from 100 to
300000. The default interval is 100.
This interval starts when the ACE detects a connection failure. If the connection failure threshold
is reached during this interval, the ACE generates a syslog message. When Inband-Health Check is
set to Remove, the ACE also removes the real server from service.
Changing the setting of this option affects the behavior of the real server, as follows:
• When the real server is in the OPERATIONAL state, even if several connection failures have
occurred, the new reset-time interval takes effect the next time that a connection error occurs.
• When the real server is in the INBAND-HM-FAILED state, the new reset-time interval takes
effect the next time that a connection error occurs after the server transitions to the
OPERATIONAL state.
Resume Service
(Seconds)
This field appears only when the Inband-Health Check is set to Remove.
Enter the number of seconds after a server has been marked as failed before the ACE reconsiders it for
live connections. Valid entries are integers from 30 to 3600. The default setting is 0 (not configured). The setting of
this option affects the behavior of the real server in the inband failed state, as follows:
• When this field is not configured and has the default setting of 0, the real server remains in the
failed state until you manually suspend and then reactivate it.
• When this field is not configured and has the default setting of 0, and you then configure this
option with an integer between 30 and 3600, the failed real server immediately transitions to
the OPERATIONAL state.
• When you configure this field and then increase the value, the real server remains in the failed
state for the duration of the previously configured value. The new value takes effect the next
time the real server transitions to the failed state.
• When you configure this field and then decrease the value, the failed real server immediately
transitions to the OPERATIONAL state.
• When you configure this field with an integer between 30 and 3600 and then reset it to the
default of 0, the real server remains in the failed state for the duration of the
previously configured value. The default setting takes effect the next time the real server
transitions to the failed state; from then on the real server remains in the failed state until you manually
suspend and then reactivate it.
• When you change this field within the reset-time interval and the real server is in the
OPERATIONAL state with several connection failures, the new threshold interval takes effect
the next time that a connection error occurs, even if it occurs within the current reset-time
interval.
Transparent
This field appears only for host server farms.
Check the check box to specify that the ACE is not to perform network address translation from the VIP
address to the server IP address (transparent mode, as required by the Failaction Reassign Across Vlans
option). Clear the check box to specify that the ACE translates the VIP address to the server IP address
(default).
Partial-Threshold
Percentage
This field appears only for host server farms.
Enter the minimum percentage of real servers in the primary server farm that must remain active for
the server farm to stay up. If the percentage of active real servers falls below this threshold, the ACE
takes the server farm out of service. Valid entries are integers from 0 to 99. The default is 0.
Back Inservice
This field appears only for host server farms.
Enter the percentage of real servers in the primary server farm that must be active again for the ACE
to place the server farm back into service. Valid entries are integers from 0 to 99. The value in this
field should be larger than the value in the Partial-Threshold Percentage field so that the server farm
does not oscillate between in service and out of service. The default is 0.
Probes
This field appears only for host server farms.
In the Probes field, select the probes that are to be used for health monitoring in the list on the left,
then click Add. The selected probes appear in the list on the right.
To remove probes that you do not want to use for health monitoring, select them in the list on the
right, then click Remove. The selected probes appear in the list on the left.
Step 4
Click:
• Deploy Now to deploy this configuration on the ACE appliance. To add real servers to the farm and
to configure server farm attributes, see:
– Adding Real Servers to a Server Farm, page 4-17
– Configuring Health Monitoring, page 4-29
– Configuring Server Farm HTTP Return Error-Code Checking, page 4-27
• Cancel to exit the procedure without saving your entries and to return to the Server Farms table.
• Next to save your entries and to configure another server farm.
Related Topics
• Configuring Health Monitoring for Real Servers, page 4-31
• Configuring Real Servers, page 4-4
• Configuring Sticky Groups, page 5-7
• Configuring Health Monitoring, page 4-29
• Configuring Server Farm HTTP Return Error-Code Checking, page 4-27
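The interaction between the Inband-Health Check, Connection Failure Threshold Count, Reset Timeout, Resume Service, Partial-Threshold Percentage and Back Inservice fields in Table 4-3 is easiest to see as a small state model. The following Python is an added illustration, not code from the ACE or from this guide: the server names, the failure timestamps and the threshold values are constructed sample inputs, and the exact internal timing of the ACE is not documented here, so the model only reproduces the rules the table states.

```python
from dataclasses import dataclass
from typing import List, Optional

OPERATIONAL = "OPERATIONAL"
INBAND_HM_FAILED = "INBAND-HM-FAILED"


@dataclass
class RealServer:
    """A real server under Inband-Health Check = Remove (illustrative model, not ACE code)."""
    name: str
    threshold: int                      # Connection Failure Threshold Count
    reset_ms: int = 100                 # Reset Timeout (ms), valid 100..300000
    resume_s: int = 0                   # Resume Service (s); 0 = wait for manual reactivation
    state: str = OPERATIONAL
    failures: int = 0
    window_start: Optional[int] = None  # start of the current reset-time interval
    failed_at: Optional[int] = None

    def connection_failure(self, now_ms: int) -> str:
        """Count one TCP RST / SYN timeout or UDP ICMP unreachable observed at now_ms."""
        if self.state == INBAND_HM_FAILED:
            return self.state                           # already out of service
        # The interval starts at a failure; failures after it expires start a new count.
        if self.window_start is None or now_ms - self.window_start >= self.reset_ms:
            self.window_start, self.failures = now_ms, 0
        self.failures += 1
        if self.failures > self.threshold:              # threshold exceeded: remove
            self.state, self.failed_at = INBAND_HM_FAILED, now_ms
            self.window_start, self.failures = None, 0
        return self.state

    def tick(self, now_ms: int) -> str:
        """Resume Service timer. With the default 0 the server never returns on its own."""
        if (self.state == INBAND_HM_FAILED and self.resume_s > 0
                and now_ms - self.failed_at >= self.resume_s * 1000):
            self.state = OPERATIONAL
        return self.state

    def manual_reactivate(self) -> str:
        """Operator suspends and then reactivates the real server."""
        self.state, self.failures = OPERATIONAL, 0
        self.window_start, self.failed_at = None, None
        return self.state


@dataclass
class ServerFarm:
    """Partial-Threshold Percentage / Back Inservice hysteresis of a host server farm."""
    servers: List[RealServer]
    partial_threshold: int = 0          # farm goes down when active % falls below this
    back_inservice: int = 0             # farm returns when active % reaches this
    in_service: bool = True

    def evaluate(self) -> bool:
        up = sum(1 for s in self.servers if s.state == OPERATIONAL)
        pct = 100.0 * up / len(self.servers)
        if self.in_service and pct < self.partial_threshold:
            self.in_service = False
        elif not self.in_service and pct >= self.back_inservice:
            self.in_service = True
        return self.in_service


def demo() -> dict:
    """Constructed scenario (sample timings, not from a real ACE): four real servers,
    threshold 3 per 500 ms, Resume Service 30 s; farm thresholds 50 % down / 75 % up."""
    farm = ServerFarm([RealServer(f"rs{i}", threshold=3, reset_ms=500, resume_s=30)
                       for i in range(1, 5)], partial_threshold=50, back_inservice=75)
    rs1, rs2, rs3, rs4 = farm.servers
    out = {}
    for t in (1000, 1100, 1200):                        # 3 failures: equals, not exceeds
        rs1.connection_failure(t)
    out["rs1_after_3"] = rs1.state                      # OPERATIONAL
    out["rs1_after_4"] = rs1.connection_failure(1300)   # INBAND-HM-FAILED
    out["farm_1_down"] = farm.evaluate()                # 75 % active: stays in service
    for t in (5000, 5100, 5200, 5300):
        rs2.connection_failure(t)
    out["farm_2_down"] = farm.evaluate()                # 50 % is not below 50: in service
    for t in (6000, 6100, 6200, 6300):
        rs3.connection_failure(t)
    out["farm_3_down"] = farm.evaluate()                # 25 % < 50: farm out of service
    for t in (7000, 7600, 8200, 8800, 9400):            # spaced wider than the reset time
        rs4.connection_failure(t)
    out["rs4_spread"] = rs4.state                       # OPERATIONAL: count never builds
    for s in farm.servers:
        s.tick(32000)                                   # only rs1 (failed at 1.3 s) resumes
    out["farm_rs1_back"] = farm.evaluate()              # 50 % < 75: still out of service
    for s in farm.servers:
        s.tick(35500)                                   # rs2 (failed at 5.3 s) resumes too
    out["farm_rs2_back"] = farm.evaluate()              # 75 % >= 75: back in service
    return out


def resume_zero_stays_failed() -> tuple:
    """Resume Service left at 0: the server stays failed until manually reactivated."""
    rs = RealServer("rs0", threshold=1, reset_ms=1000, resume_s=0)
    rs.connection_failure(0)
    rs.connection_failure(10)                           # 2 > 1: removed from service
    still_failed = rs.tick(10_000_000)
    return still_failed, rs.manual_reactivate()
```

Two points the model makes explicit: failures count against the threshold only while they fall inside one reset-time interval, so a low Reset Timeout with a high threshold can mean a degraded server is never removed; and with Resume Service at its default of 0 a removed server stays out until an operator suspends and reactivates it (see Suspending Real Servers and Activating Real Servers).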
Adding Real Servers to a Server Farm
After adding a server farm (see Configuring Server Farms, page 4-11), you can associate real servers
with it and configure predictors and retcode maps. The configuration screens for these attributes appear
beneath the Server Farms table or after you have successfully added a new server farm.
Note
If you do not see these tabs beneath the Server Farms table, click the Switch between Configure and
Browse Modes button.
When creating or editing a server farm, if the real server to be added has the same name as an existing
global real server but contains a different IP address (or no IP address), the Device Manager displays the
following error message:
IP address of pre-existing real server cannot be changed: “<rs-name>” (<ip-addr>).
If this error message appears, ensure that you specify an existing real server with the matching IP
address.
Use this procedure to add real servers to a server farm.
Assumptions
• A server farm has been added to the ACE Appliance Device Manager. (See Configuring Server
Farms, page 4-11.)
• At least one real server exists.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms
table appears.
Step 2
Select the server farm you want to associate with real servers, then select the Real Servers tab. The Real
Servers table appears.
Step 3
Click Add to add a new entry to the Real Servers table, or select an existing server, then click Edit to
modify it. The Real Servers configuration screen appears.
Step 4
Configure the real server using the information in Table 4-4.
Table 4-4
Real Server Configuration Attributes
Field
Description
Name
Select the server that you want to associate with the server farm.
Port
Enter the port number to be used for server port address translation (PAT).
Valid entries are integers from 0 to 65535. The default value is 0.
If you use the default value of 0, the ACE will not perform port translation
and the original destination port from the client connection persists to the
server connection. If you specify a value other than 0, the original
destination port is ignored and all communication to the real server is
initiated on the defined port.
Note
If you specified the type of server farm as Redirect, leave the port
number set to 0 for the redirect server farm.
Backup Server Name
Select the server that is to act as the backup server for the server farm. Leave
this field blank to indicate that there is no designated backup server for the
server farm.
Backup Server Port
If you select a backup server, enter the backup server port number. Valid
entries are integers from 0 to 65535. The default value is 0.
If you use the default value of 0, the ACE will not perform port translation
and the original destination port from the client connection persists to the
server connection. If you specify a value other than 0, the original
destination port is ignored and all communication to the backup server is
initiated on the defined port.
Note
If you specified the type of server farm as Redirect, leave the port
number set to 0 for the redirect server farm.
State
Select the state of this server:
• In Service—Indicates that this server is in service.
• In Service Standby—Indicates that this server is a backup server and is
to remain inactive unless the primary server fails. If the primary server
fails, the backup server becomes active and starts accepting connections.
• Out Of Service—Indicates that this server is out of service.
Fail-On-All
This field appears only for real servers identified as host servers.
By default, real servers with multiple probes configured for them use OR
logic: if any one of the real server probes fails, the real server fails and
enters the PROBE-FAILED state.
Check the check box to configure a real server to remain in the
OPERATIONAL state unless all probes associated with it fail (AND logic).
The Fail-On-All function is applicable to all probe types.
Min. Connections
Enter the number of active connections that the server's connection count
must fall below before the ACE appliance resumes sending connections to
the server after it has exceeded the number in the Max. Connections field.
The number in this field must be less than or equal to the number in the Max.
Connections field. Valid entries are integers from 1 to 4000000. The default value is 4000000.
Max. Connections
Enter the maximum number of active connections that can be sent to the
server. When the number of connections exceeds this number, the ACE
appliance stops sending connections to the server until the number of
connections falls below the number specified in the Min. Connections field.
Valid entries are integers from 1 to 4000000. The default is 4000000.
Weight
Enter the weight to assign to the server. Valid entries are integers from 1 to
100, and the default is 8.
Cookie String
This field appears only for real servers identified as hosts.
Enter a cookie string value of the real server, which is to be used for HTTP
cookie insertion when establishing a sticky connection. Valid entries are text
strings with a maximum of 32 alphanumeric characters. You can include
spaces and special characters in a cookie string value.
Use cookie insertion when you want to use a session cookie for persistence
if the server is not currently setting the appropriate cookie. With this feature
enabled, the ACE inserts the cookie in the Set-Cookie header of the response
from the server to the client. See Chapter 5, “Configuring Stickiness” for
details on HTTP cookie sticky connections.
Probes
Select the probes in the list on the left that you want to apply to this server,
then click Add. The selected probes appear in the list on the right. To remove
probes you do not want to apply to this server, select the probes in the list on
the right, then click Remove.
Rate Bandwidth
The bandwidth rate is the number of bytes per second and applies to the
network traffic exchanged between the ACE and the real server in both
directions.
Specify the bandwidth limit in bytes per second. Valid entries are integers
from 1 to 300000000.
Rate Connection
The connection rate is the number of connections per second received by the
ACE and applies only to new connections destined to a real server.
Specify the limit for connections per second. Valid entries are integers from
1 to 350000.
Step 5
When you finish configuring this server for this server farm, click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Real Servers table.
• Next to save your entries and to add another real server for this server farm.
Related Topics
• Configuring Health Monitoring for Real Servers, page 4-31
• Configuring Real Servers, page 4-4
• Configuring Sticky Groups, page 5-7
• Configuring Health Monitoring, page 4-29
• Configuring Server Farm HTTP Return Error-Code Checking, page 4-27
Configuring the Predictor Method for Server Farms
After adding a server farm (see Configuring Server Farms, page 4-11), you can associate real servers with
it and configure the predictor method and retcode maps. The configuration screens for these attributes
appear beneath the Server Farms table or after you have successfully added a new server farm.
Note
If you do not see these tabs beneath the Server Farms table, click the Switch between Configure and
Browse Modes button.
Use this procedure to configure the predictor method for a server farm. The predictor method specifies
how the ACE appliance is to select a server in the server farm when it receives a client request for a
service.
Note
You can configure only one predictor method per server farm.
Assumptions
• A server farm has been added to the ACE Appliance Device Manager. (See Configuring Server
Farms, page 4-11.)
• At least one real server exists.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms
table appears.
Step 2
Select the server farm you want to configure the predictor method for, then select the Predictor tab. The
Predictor configuration screen appears.
Step 3
In the Type field, select the method that the ACE appliance is to use to select a server in this server farm
when it receives a client request. Table 4-5 lists the available options and describes them.
Step 4
Enter the required information for the selected predictor method. Round Robin is the default predictor
method. See Table 4-5.
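The hash-based predictor methods in Table 4-5 differ only in which bytes of the request feed the hash: a masked IP address (Hash Address), a region of the HTTP body or Layer 4 payload selected by the HTTP Content Offset, Length, Begin Pattern and End Pattern fields (Hash Content and Hash Layer4), or a named value taken from the URL query string (Hash Secondary Cookie). The following Python is an added illustration of those selection rules, not code from the ACE or from this guide. The hash function (CRC32), the server names and the sample request bodies are constructed assumptions; the guide does not specify the ACE's internal hash.

```python
import ipaddress
import re
import zlib
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

SERVERS = ["rs1", "rs2", "rs3"]          # constructed server farm members


def _bucket(key: bytes, servers: List[str]) -> str:
    """Map a hash key to a server. CRC32 is an assumption standing in for the
    ACE's internal hash, which this guide does not specify."""
    return servers[zlib.crc32(key) % len(servers)]


def hash_address(src: str, dst: str, servers: List[str], mask_type: str = "source",
                 netmask: str = "255.255.255.255") -> str:
    """Hash Address: hash the source or destination IPv4 address after applying the
    IP Netmask, so every client in one masked block lands on the same server."""
    addr = ipaddress.IPv4Address(src if mask_type == "source" else dst)
    masked = int(addr) & int(ipaddress.IPv4Address(netmask))
    return _bucket(masked.to_bytes(4, "big"), servers)


def hashed_region(payload: bytes, offset: int = 0, length: Optional[int] = None,
                  begin: Optional[bytes] = None, end: Optional[bytes] = None) -> bytes:
    """Bytes of an HTTP body (Hash Content) or raw Layer 4 payload (Hash Layer4)
    that get hashed, following the field rules in Table 4-5: offset 0..999; length
    1..1000 with offset + length <= 1000; Length and End Pattern are mutually
    exclusive; with neither, parsing runs to the end of the data."""
    if not 0 <= offset <= 999:
        raise ValueError("HTTP Content Offset must be 0..999")
    if length is not None and end is not None:
        raise ValueError("Length and End Pattern cannot both be set")
    if length is not None and not (1 <= length <= 1000 and offset + length <= 1000):
        raise ValueError("Length must be 1..1000 and offset + length <= 1000")
    region = payload[offset:]                   # skip the first `offset` bytes
    if begin is not None:                       # patterns are regular expressions
        match = re.search(begin, region)
        if match is None:
            return b""                          # begin pattern absent: nothing hashed
        region = region[match.end():]
    if end is not None:
        match = re.search(end, region)
        if match is not None:
            region = region[:match.start()]
    elif length is not None:
        region = region[:length]                # a short payload simply ends early
    return region


def hash_content(payload: bytes, servers: List[str], **fields) -> str:
    """Hash Content / Hash Layer4 predictor built on hashed_region()."""
    return _bucket(hashed_region(payload, **fields), servers)


def hash_secondary_cookie(url: str, cookie_name: str, servers: List[str]) -> str:
    """Hash Secondary Cookie: the named value comes from the URL query string,
    not from the Cookie header."""
    values = parse_qs(urlsplit(url).query).get(cookie_name, [])
    return _bucket(values[0].encode() if values else b"", servers)


def demo() -> dict:
    """Constructed inputs showing which bytes drive server selection."""
    body_a = b"user=alice&session=abc123&cart=3"
    body_b = b"user=bob&session=abc123&cart=9"
    out = {
        # Two clients in 10.1.1.0/24 hash identically once the /24 mask is applied.
        "same_subnet": hash_address("10.1.1.5", "192.0.2.10", SERVERS, netmask="255.255.255.0")
                       == hash_address("10.1.1.200", "192.0.2.10", SERVERS, netmask="255.255.255.0"),
        "region_patterns": hashed_region(body_a, begin=b"session=", end=b"&"),   # b"abc123"
        "region_offset_len": hashed_region(body_a, offset=5, length=5),          # b"alice"
        "region_short": hashed_region(b"user=al", offset=5, length=100),         # b"al"
        # Same session token, different surrounding content: same server.
        "same_session": hash_content(body_a, SERVERS, begin=b"session=", end=b"&")
                        == hash_content(body_b, SERVERS, begin=b"session=", end=b"&"),
        "secondary": hash_secondary_cookie("/app?jsessionid=Z9&lang=en", "jsessionid", SERVERS)
                     == _bucket(b"Z9", SERVERS),
    }
    try:
        hashed_region(body_a, length=4, end=b"&")
        out["rejects_length_and_end"] = False
    except ValueError:
        out["rejects_length_and_end"] = True
    return out
```

The model shows why the Begin Pattern and End Pattern pair is the usual choice for session-based distribution: the hashed bytes are the same regardless of what precedes or follows the token, whereas a fixed Offset and Length break as soon as an earlier field changes width.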
Table 4-5
Predictor Method Attributes
Predictor Method
Description / Action
Hash Address
The ACE selects the server using a hash value based on the source or destination IP address.
To configure the hash address predictor method:
1. In the Mask Type field, indicate whether server selection is based on the source IP address or the
destination IP address:
– N/A—This option is not defined.
– Destination—The server is selected based on the destination IP address.
– Source—The server is selected based on the source IP address.
2. In the IP Netmask field, select the subnet mask to apply to the address. If none is specified,
the default is 255.255.255.255.
Hash Content
The ACE selects the server by using a hash value based on the specified content string of the HTTP
packet body.
1. In the Begin Pattern field, enter the beginning pattern of the content string and the pattern
string to match before hashing. If you do not specify a beginning pattern, the ACE starts
parsing the HTTP body immediately following the offset byte. You cannot configure different
beginning and ending patterns for different server farms that are part of the same traffic
classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions.
Table 10-31 lists the supported characters that you can use for matching string expressions.
2. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify
either a length or an end pattern, the ACE continues to parse the data until it reaches the end
of the field or the end of the packet, or until it reaches the maximum body parse length. You
cannot configure different beginning and ending patterns for different server farms that are
part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions.
Table 10-31 lists the supported characters that you can use for matching string expressions.
3. In the Length field, enter the length in bytes of the portion of the content (starting with the
byte after the offset value) that the ACE hashes to select the server. Valid entries
are integers from 1 to 1000 bytes.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset
but shorter than the offset plus the length, the ACE uses that portion of the payload starting
with the byte after the offset value and ending with the last byte of the payload. The total of
the offset and the length cannot exceed 1000.
You cannot specify both the Length and End Pattern options for a Hash Content predictor.
4. In the HTTP Content Offset field, enter the number of bytes of content that the ACE ignores,
starting with the first byte of the payload, before it begins hashing. Valid entries are integers
from 0 to 999 bytes. The default is 0, which indicates that the ACE does not exclude any
portion of the content.
Hash Cookie
The ACE selects the server by using a hash value based on the cookie name.
In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces
and a maximum of 64 characters.
Hash Secondary
Cookie
The ACE selects the server by using the hash value based on the specified cookie name in the URL
query string, not the cookie header.
In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces
and a maximum of 64 characters.
Hash Header
The ACE selects the server by using a hash value based on the header name.
In the Header Name field, select the HTTP header to be used for server selection:
• To specify an HTTP header that is not one of the standard HTTP headers, select the first radio
button and enter the HTTP header name in the Header Name field. Valid entries are unquoted
text strings with no spaces and a maximum of 64 characters.
• To specify one of the standard HTTP headers, select the second radio button, then select one
of the HTTP headers from the list.
Hash Layer4
The ACE selects the server by using a Layer 4 generic protocol load-balancing method. Use this
predictor to load balance packets from protocols that are not explicitly supported by the ACE.
1. In the Begin Pattern field, enter the beginning pattern of the Layer 4 payload and the pattern
string to match before hashing. If you do not specify a beginning pattern, the ACE starts
parsing the payload immediately following the offset byte. You cannot configure different
beginning and ending patterns for different server farms that are part of the same traffic
classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions.
Table 10-31 lists the supported characters that you can use for matching string expressions.
2. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify
either a length or an end pattern, the ACE continues to parse the data until it reaches the end
of the field or the end of the packet, or until it reaches the maximum body parse length. You
cannot configure different beginning and ending patterns for different server farms that are
part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions.
Table 10-31 lists the supported characters that you can use for matching string expressions.
3. In the Length field, enter the length in bytes of the portion of the payload (starting with the
byte after the offset value) that the ACE hashes to select the server. Valid entries
are integers from 1 to 1000 bytes.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset
but shorter than the offset plus the length, the ACE uses that portion of the payload starting
with the byte after the offset value and ending with the last byte of the payload. The total of
the offset and the length cannot exceed 1000.
You cannot specify both the Length and End Pattern options for a Hash Layer4 predictor.
4. In the HTTP Content Offset field, enter the number of bytes of the payload that the ACE
ignores, starting with the first byte of the payload, before it begins hashing. Valid entries are
integers from 0 to 999 bytes. The default is 0, which indicates that the ACE does not exclude
any portion of the payload.
Hash URL
The ACE selects the server using a hash value based on the requested URL. Use this method to load
balance cache servers.
Enter values in one or both of the pattern fields:
• In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string
to parse.
• In the URL End Pattern field, enter the ending pattern of the URL and the pattern string to
parse.
Valid entries for these fields are unquoted text strings with no spaces and a maximum of
255 alphanumeric characters for each pattern you configure. The following special characters are
also allowed: @ # $
Cisco 4700 Series Application Control Engine Appliance Device Manager Configuration Guide
OL-23543-01
4-23
Chapter 4
Configuring Real Servers and Server Farms
Configuring Server Farms
Table 4-5 Predictor Method Attributes (continued)
Predictor Method / Description / Action
Least Bandwidth
The ACE selects the server with the least amount of network traffic over a specified sampling
period.
1. In the Assess Time field, enter the number of seconds for which the ACE is to collect traffic
information. Valid entries are integers from 1 to 10 seconds.
2. In the Least Bandwidth Samples field, enter the number of samples over which you want to
weight and average the results of the probe query to calculate the final load value. Valid entries
are 1, 2, 4, 8, and 16 (integers from 1 to 16 that are also a power of 2).
Least Connections
The ACE selects the server with the fewest number of connections.
In the Slow Start Duration field, enter the slow-start value to be applied to this predictor method.
Valid entries are integers from 1 to 65535, where 1 is the slowest ramp-up value.
The slow-start mechanism is used to avoid sending a high rate of new connections to servers that
you have just put into service.
Least Loaded
The ACE selects the server with the lowest load based on information from SNMP probes.
1. In the SNMP Probe Name field, select the name of the SNMP probe to use.
2. In the Auto Adjust field, configure the autoadjust feature to instruct the ACE to apply the
maximum load of 16000 to a real server whose load reaches zero, or to override the default
behavior. By default, the ACE applies the average load of the server farm to a real server
whose load is zero. The ACE periodically adjusts this load value based on feedback from the
server's SNMP probe and other configured options.
Options include:
– Average—Applies the average load of the server farm to a real server whose load is zero.
This setting allows the server to participate in load balancing, while preventing it from
being flooded by new connections. This is the default setting.
– Maxload—Instructs the ACE to apply the maximum load of 16000 to a real server whose
load reaches zero.
– Off—Instructs the ACE to send all new connections to the server that has a load of zero
until the next load update arrives from the SNMP probe for this server. If two servers have
the same lowest load (either zero or nonzero), the ACE load balances the connections
between the two servers in a round-robin manner.
3. In the Weight Connection field, check the check box to instruct the ACE to use the current
connection count in the final load calculation for a real server. When you configure this option,
the ACE includes the current connection count in the total load calculation for each real server
in a server farm. Clear the check box to reset the behavior of the ACE to the default of
excluding the current connection count from the load calculation.
To instruct the ACE to select the server with the lowest load, use the predictor least-loaded
command in server farm host or redirect configuration mode. With this predictor, the ACE uses
SNMP probes to query the real servers for load parameter values (for example, CPU utilization or
memory utilization). This predictor is considered adaptive because the ACE continuously provides
feedback to the load-balancing algorithm based on the behavior of the real server.
To use this predictor, you must associate an SNMP probe with it. The ACE queries user-specified
OIDs periodically based on a configurable time interval. The ACE uses the retrieved SNMP load
value to determine the server with the lowest load.
The syntax of this predictor command is as follows:
predictor least-loaded probe name
The name argument specifies the identifier of the existing SNMP probe that you want the ACE to
use to query the server. Enter an unquoted text string with no spaces and a maximum of 64
alphanumeric characters.
For example, to configure the ACE to select the real server with the lowest load based on feedback
from an SNMP probe called PROBE_SNMP, enter:
host1/Admin(config)# serverfarm SF1
host1/Admin(config-sfarm-host)# predictor least-loaded probe PROBE_SNMP
host1/Admin(config-sfarm-host-predictor)#
To reset the predictor method to the default of Round Robin, enter:
host1/Admin(config-sfarm-host)# no predictor
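The selection rules in this row (how each Auto Adjust option treats a server whose SNMP load is zero, the optional Weight Connection term, and round-robin tie breaking) as a small Python model. This is an added example and not Cisco code; the server names and load values are constructed, and the "average load of the server farm" applied to a zero-load server is assumed to be the mean of the other servers' nonzero SNMP loads.

```python
"""Model of the ACE Least Loaded predictor rules described above.

Added example, not Cisco code. Loads are constructed sample values such as an
SNMP probe would return; the "average" applied to a zero-load server is assumed
to be the mean of the farm's nonzero loads.
"""
from dataclasses import dataclass

MAXLOAD = 16000  # load the Maxload option applies to a server reporting zero


@dataclass
class RealServer:
    name: str
    snmp_load: int        # last load value retrieved by the SNMP probe
    connections: int = 0  # current connection count on this server


class LeastLoadedPredictor:
    """Picks the real server with the lowest effective load."""

    def __init__(self, autoadjust="average", weight_connection=False):
        if autoadjust not in ("average", "maxload", "off"):
            raise ValueError("autoadjust must be average, maxload or off")
        self.autoadjust = autoadjust
        self.weight_connection = weight_connection
        self._rr = 0  # round-robin position used to break ties

    def effective_loads(self, farm):
        """Return {server name: load} after Auto Adjust and Weight Connection."""
        nonzero = [s.snmp_load for s in farm if s.snmp_load > 0]
        farm_average = sum(nonzero) / len(nonzero) if nonzero else 0
        loads = {}
        for s in farm:
            load = s.snmp_load
            if load == 0:
                if self.autoadjust == "average":
                    load = farm_average   # default: stays in rotation, not flooded
                elif self.autoadjust == "maxload":
                    load = MAXLOAD        # effectively last choice until the next update
                # "off": the zero stands, so this server attracts all new connections
            if self.weight_connection:
                load += s.connections     # include the current connection count
            loads[s.name] = load
        return loads

    def select(self, farm):
        """Return the name of the server that receives the next connection."""
        loads = self.effective_loads(farm)
        lowest = min(loads.values())
        tied = [s.name for s in farm if loads[s.name] == lowest]
        chosen = tied[self._rr % len(tied)]  # equal lowest loads: round-robin
        self._rr += 1
        return chosen


# Constructed sample farm: B's SNMP probe has just reported a load of zero.
SAMPLE_FARM = [
    RealServer("A", snmp_load=50, connections=0),
    RealServer("B", snmp_load=0, connections=100),
    RealServer("C", snmp_load=30, connections=5),
]


def demo():
    """Return the first pick of each Auto Adjust mode for SAMPLE_FARM."""
    return {
        mode: LeastLoadedPredictor(autoadjust=mode).select(SAMPLE_FARM)
        for mode in ("average", "maxload", "off")
    }


if __name__ == "__main__":
    print(demo())  # {'average': 'C', 'maxload': 'C', 'off': 'B'}
```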
Response
The ACE selects the server with the lowest response time for a requested response-time
measurement.
1. In the Response Type field, select the type of measurement to use:
– App-Req-To-Resp—The response time from when the ACE sends an HTTP request to a
server to the time that the ACE receives a response from the server for that request.
– Syn-To-Close—The response time from when the ACE sends a TCP SYN to a server to
the time that the ACE receives a CLOSE from the server.
– Syn-To-Synack—The response time from when the ACE sends a TCP SYN to a server to
the time that the ACE receives a SYN-ACK from the server.
2. In the Response Samples field, enter the number of samples over which you want to average
the results of the response-time measurement. Valid entries are 1, 2, 4, 8, and 16 (integers from
1 to 16 that are also a power of 2).
3. In the Weight Connection field, check the check box to instruct the ACE to use the current
connection count in the final load calculation for a real server. When you configure this option,
the ACE includes the current connection count in the total load calculation for each real server
in a server farm. Clear the check box to reset the behavior of the ACE to the default of
excluding the current connection count from the load calculation.
Round Robin
The ACE selects the next server in the list of servers based on server weight. This is the default
predictor method.
Step 5
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries.
Related Topics
• Configuring Health Monitoring for Real Servers, page 4-31
• Configuring Real Servers, page 4-4
• Configuring Sticky Groups, page 5-7
• Adding Real Servers to a Server Farm, page 4-17
• Configuring Server Farm HTTP Return Error-Code Checking, page 4-27
Configuring Server Farm HTTP Return Error-Code Checking
After adding a server farm (Configuring Server Farms, page 4-11), you can associate real servers with
it and configure the predictor method and retcode maps. The configuration screens for these attributes
appear beneath the Server Farms table or after you have successfully added a new server farm.
Use this procedure to configure HTTP return error-code checking (retcode map) for a server farm.
Note
This feature is available only for server farms configured as hosts. It is not available for server farms
configured with the type Redirect.
Assumption
A host type server farm has been added to the ACE Appliance Device Manager. (See Configuring Server
Farms, page 4-11.)
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms
table appears.
Step 2
Select the server farm you want to configure return error-code checking for, then select the Retcode Map
tab. The Retcode Map table appears. If you do not see tabs beneath the Server Farms table, click the
Switch Between Configure And Browse Modes button.
Step 3
Click Add to add a new entry to the table. The Retcode Map configuration screen appears.
Note
You cannot modify an entry in the Retcode Map table. Instead, delete the existing entry, then add
a new one.
Step 4
In the Lowest Retcode field, enter the minimum value for an HTTP return error code. Valid entries are
integers from 100 to 599. This number must be less than or equal to the number in the Highest Retcode
field.
Step 5
In the Highest Retcode field, enter the maximum number for an HTTP return error code. Valid entries
are integers from 100 to 599. This number must be greater than or equal to the number in the Lowest
Retcode field.
Step 6
In the Type field, specify the action to be taken and related options using the information in Table 4-6.
Table 4-6 Return-Code Type Configuration Options
Option / Description
Count
The ACE tracks the total number of return codes received for each return code number that you specify.
Log
The ACE generates a syslog error message when the number of events reaches a specified threshold.
1. In the Threshold field, enter the number of events that the ACE is to receive before generating a syslog error
message. Valid entries are integers from 1 to 4294967295.
2. In the Reset field, enter the time interval in seconds for which the ACE checks for the return code. Valid entries
are integers from 1 to 2147483647 seconds.
Remove
The ACE generates a syslog error message when the number of events reaches a specified threshold and then
removes the server from service.
1. In the Threshold field, enter the number of events that the ACE is to receive before generating a syslog error
message and removing the server from service. Valid entries are integers from 1 to 4294967295.
2. In the Reset field, enter the time interval in seconds for which the ACE checks for the return code. Valid entries
are integers from 1 to 2147483647 seconds.
3. In the Resume Service field, enter the number of seconds that the ACE waits before it resumes service for the
real server automatically after taking the real server out of service. Valid entries are 30 to 3600 seconds. The
default setting is 0. The setting of this field affects the behavior of the real server in the failed state, as follows:
– When this field is not configured and has the default setting of 0, the real server remains in the failed state until
you manually remove it from service and re-add it.
– When this field is not configured and has the default setting of 0, and you then configure it with an integer
between 30 and 3600, the failed real server immediately transitions to the Operational state.
– When you configure this field and then increase the value, the real server remains in the failed state for
the duration of the previously configured value. The new value takes effect the next time the real server
transitions to the failed state.
– When you configure this field and then decrease the value, the failed real server immediately transitions
to the Operational state.
– When you configure this field with an integer between 30 and 3600 and then reset it to the default of 0,
the real server remains in the failed state for the duration of the previously configured value. The default
setting takes effect the next time the real server transitions to the failed state. Then the real server remains
in the failed state until you manually remove it from service and re-add it.
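The Count, Log and Remove behaviours of Table 4-6 (matching a return-code range, counting events within the Reset interval, logging at the Threshold, taking the server out of service, and resuming automatically or only after a manual re-add when Resume Service is 0) as a Python model. This is an added example and not Cisco code; timestamps are passed in explicitly and the response codes are constructed.

```python
"""Model of a Retcode Map entry (Table 4-6) applied to the servers of one farm.

Added example, not Cisco code. Times are plain seconds supplied by the caller
so that the behaviour is deterministic; the response codes are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RetcodeMap:
    lowest: int              # Lowest Retcode, 100-599
    highest: int             # Highest Retcode, 100-599, >= lowest
    action: str              # "count", "log" or "remove"
    threshold: int = 1       # events before a syslog message (log/remove)
    reset: int = 1           # seconds over which events are counted (log/remove)
    resume_service: int = 0  # seconds before a removed server returns; 0 = manual re-add only

    def __post_init__(self):
        if not 100 <= self.lowest <= self.highest <= 599:
            raise ValueError("retcode range must satisfy 100 <= lowest <= highest <= 599")
        if self.action not in ("count", "log", "remove"):
            raise ValueError("action must be count, log or remove")
        if self.resume_service and not 30 <= self.resume_service <= 3600:
            raise ValueError("resume_service must be 0 or 30-3600")


@dataclass
class ServerRetcodeState:
    total: int = 0                     # running count of matching return codes
    window_start: float = 0.0          # start of the current reset interval
    window_count: int = 0              # matches seen in the current interval
    failed_at: Optional[float] = None  # when the server was taken out of service
    syslog: List[str] = field(default_factory=list)


class RetcodeTracker:
    def __init__(self, rmap: RetcodeMap):
        self.rmap = rmap
        self.servers: Dict[str, ServerRetcodeState] = {}

    def _state(self, server: str) -> ServerRetcodeState:
        return self.servers.setdefault(server, ServerRetcodeState())

    def observe(self, server: str, code: int, now: float) -> None:
        """Record one HTTP response code returned by a real server."""
        r = self.rmap
        if not r.lowest <= code <= r.highest:
            return                                    # outside the configured range
        st = self._state(server)
        st.total += 1
        if r.action == "count":
            return                                    # Count: only the total is kept
        if now - st.window_start >= r.reset:          # start a new reset interval
            st.window_start, st.window_count = now, 0
        st.window_count += 1
        if st.window_count >= r.threshold:
            st.syslog.append(f"{server}: {st.window_count} responses in "
                             f"{r.lowest}-{r.highest} within {r.reset}s")
            st.window_count = 0
            if r.action == "remove" and st.failed_at is None:
                st.failed_at = now                    # take the server out of service

    def in_service(self, server: str, now: float) -> bool:
        """True if the load balancer may still select this server."""
        st = self._state(server)
        if st.failed_at is None:
            return True
        if self.rmap.resume_service == 0:
            return False                              # stays failed until re-added
        if now - st.failed_at >= self.rmap.resume_service:
            st.failed_at = None                       # automatic resume
            return True
        return False

    def readd(self, server: str) -> None:
        """Operator manually removes the server from service and re-adds it."""
        self.servers[server] = ServerRetcodeState()


def demo() -> dict:
    """Feed constructed responses through a Remove-type map and report the outcome."""
    rmap = RetcodeMap(500, 599, "remove", threshold=3, reset=10, resume_service=30)
    tracker = RetcodeTracker(rmap)
    for t, code in [(0, 500), (1, 404), (2, 503), (3, 502)]:   # 404 is out of range
        tracker.observe("web1", code, now=t)
    return {
        "logged": len(tracker.servers["web1"].syslog),
        "in_service_at_5": tracker.in_service("web1", now=5),
        "in_service_at_40": tracker.in_service("web1", now=40),
    }


if __name__ == "__main__":
    print(demo())  # {'logged': 1, 'in_service_at_5': False, 'in_service_at_40': True}
```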
Step 7
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Retcode Map table.
• Next to save your entries and to add another retcode map.
Related Topics
• Using Virtual Contexts, page 2-2
• Configuring Virtual Context Class Maps, page 10-8
• Configuring Virtual Context Policy Maps, page 10-33
• Configuring Real Servers, page 4-4
• Configuring Sticky Groups, page 5-7
Viewing All Server Farms
Use this procedure to view all server farms associated with a virtual context.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the virtual context with the server farms you want to view, then click Load Balancing > Server
Farms. The Server Farms table appears with the following information:
• Server farm name
• Server farm type (either host or redirect)
• Description
Depending on the server farms selected, additional tables appear below the Server Farms table. These
tables include:
• Real Servers—This table identifies the real servers associated with the selected server farm.
• Predictor—This configuration screen displays the selected predictor method for the selected server
farm.
• Retcode Map—This table displays the HTTP return error-code checking that has been configured
for the selected server farm.
Related Topics
• Configuring Server Farms, page 4-11
• Adding Real Servers to a Server Farm, page 4-17
• Configuring Health Monitoring, page 4-29
• Configuring Server Farm HTTP Return Error-Code Checking, page 4-27
Configuring Health Monitoring
You can instruct the ACE appliance to check the health of servers and server farms by configuring health
probes (sometimes referred to as keepalives). After you create a probe, you assign it to a real server or
a server farm. A probe can be one of many types, including TCP, ICMP, Telnet, HTTP, and so on. You
can also configure scripted probes using the TCL scripting language (see TCL Scripts, page 4-30).
The ACE appliance sends out probes periodically to determine the status of a server, verifies the server
response, and checks for other network problems that may prevent a client from reaching a server. Based
on the server response, the ACE appliance can place the server in or out of service, and, based on the
status of the servers in the server farm, can make reliable load-balancing decisions.
Health monitoring on the ACE appliance tracks the state of a server by sending out probes. Also referred
to as out-of-band health monitoring, the ACE appliance verifies the server response or checks for any
network problems that can prevent a client from reaching a server. Based on the server response, the ACE
appliance can place the server in or out of service, and can make reliable load-balancing decisions.
Note
You can configure the inband health monitoring feature and health probes to monitor the health of the
real servers in a server farm. For more information on inband health monitoring, see the “Configuring
Server Farms” section on page 4-11.
The ACE appliance identifies the health of a server in the following categories:
• Passed—The server returns a valid response.
• Failed—The server fails to provide a valid response, or the ACE appliance is unable to reach the server
for a specified number of retries.
By configuring the ACE appliance for health monitoring, the ACE appliance sends active probes
periodically to determine the server state.
The ACE appliance supports 4000 unique probe configurations, which include ICMP, TCP, HTTP, and
other predefined health probes. The ACE appliance also allows the opening of 1000 sockets
simultaneously.
Related Topics
• Configuring Health Monitoring for Real Servers, page 4-31
• TCL Scripts, page 4-30
TCL Scripts
The ACE appliance supports several specific types of health probes (for example HTTP, TCP, or ICMP
health probes) when you need to use a diverse set of applications and health probes to administer your
network. The basic health probe types supported in the current ACE appliance software release may not
support the specific probing behavior that your network requires. To support a more flexible
health-probing functionality, the ACE appliance allows you to upload and execute TCL scripts on the
ACE appliance.
The TCL interpreter code in the ACE appliance is based on Release 8.44 of the standard TCL
distribution. You can create a script to configure health probes. Script probes operate similar to other
health probes available in the ACE appliance software. As part of a script probe, the ACE appliance
executes the script periodically, and the exit code that is returned by the executing script indicates the
relative health and availability of specific real servers. For information on health probes, see Configuring
Health Monitoring for Real Servers, page 4-31.
For your convenience, the following sample scripts for the ACE appliance are available to support the
TCL feature and are supported by Cisco TAC:
• CHECKPORT_STD_SCRIPT
• ECHO_PROBE_SCRIPT
• FINGER_PROBE_SCRIPT
• FTP_PROBE_SCRIPT
• HTTP_PROBE_SCRIPT
• HTTPCONTENT_PROBE
• HTTPHEADER_PROBE
• HTTPPROXY_PROBE
• IMAP_PROBE
• LDAP_PROBE
• MAIL_PROBE
• POP3_PROBE
• PROBENOTICE_PROBE
• RTSP_PROBE
• SSL_PROBE_SCRIPT
• TFTP_PROBE
These scripts are located in the probe: directory and are accessible in both the Admin and user contexts.
Note that the script files in the probe: directory are read-only, so you cannot copy or modify them.
However, you can copy files from the probe: directory. For more information, see the Cisco 4700 Series
Application Control Engine Appliance Administration Guide.
To load a script into memory on the ACE appliance and enable it for use, use the script file command.
For detailed information on uploading and executing Toolkit Command Language (TCL) scripts on the
ACE appliance, refer to the Cisco 4700 Series Application Control Engine Appliance Server
Load-Balancing Configuration Guide.
Configuring Health Monitoring for Real Servers
To check the health and availability of a real server, the ACE appliance periodically sends a probe to the
real server. Depending on the server response, the ACE appliance determines whether to include the
server in its load-balancing decision.
Note
You can configure the inband health monitoring feature and health probes to monitor the health of the
real servers in a server farm. When you do, both are required to keep a real server in service within a
server farm. If either feature detects a server is out of service, the ACE does not select the server for load
balancing. For more information on inband health monitoring, see the “Configuring Server Farms”
section on page 4-11.
Use this procedure to establish monitoring of real servers to determine their viability in load-balancing
decisions.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health
Monitoring table appears.
Step 2
Click Add to add a new health monitoring probe, or select an existing entry, then click Edit to modify
it. The Health Monitoring screen appears.
Step 3
In the Name field, enter a name that identifies the probe and that associates the probe with the real server.
Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Step 4
In the Type field, select the type of probe you want to use. The probe type determines what the probe
sends to the real server. See Table 4-7 for the types of probes and their descriptions.
Table 4-7 Probe Types
Probe Type / Description
DNS
Sends a request to a DNS server giving it a configured domain. To determine
if the server is up, the ACE appliance must receive the configured IP address
for that domain.
ECHO-TCP
Sends a string to the server and compares the response with the original
string. If the response string matches the original, the server is marked as
passed. If not, the ACE appliance retries as configured before the server is
marked as failed.
ECHO-UDP
Sends a string to the server and compares the response with the original
string. If the response string matches the original, the server is marked as
passed. If not, the ACE appliance retries as configured before the server is
marked as failed.
FINGER
Sends a probe to the server to verify that a defined username is a username
on the server.
FTP
Initiates an FTP session. By default, this probe is for an anonymous login
with the option of configuring a user ID and password. The ACE appliance
performs an FTP GET or LS to determine the outcome of the probe. This
probe supports only active connections.
HTTP
Sets up a TCP connection and issues an HTTP request. Any valid HTTP
response causes the probe to mark the real server as passed.
HTTPS
Similar to an HTTP probe, but this probe uses SSL to generate encrypted
data.
ICMP
Sends an ICMP request and listens for a response. If the server returns a
response, the ACE appliance marks the real server as passed. If there is no
response and the probe times out, or an ICMP standard error occurs, such as
DESTINATION_UNREACHABLE, the ACE appliance marks the real
server as failed.
IMAP
Initiates an IMAP session, using a configured user ID and password. Then,
the probe attempts to retrieve e-mail from the server and validates the result
of the probe based on the return codes received from the server.
POP
Initiates a POP session, using a configured user ID and password. Then, the
probe attempts to retrieve e-mail from the server and validates the result of
the probe based on the return codes received from the server.
RADIUS
Connects to a RADIUS server and logs into it to determine if the server is up.
RTSP
Establishes a TCP connection and sends a request packet to the server. The
ACE compares the response with the configured response code to determine
whether the probe succeeded.
Scripted
Executes probes from a configured script to perform health probing. This
method allows you to author specific scripts with features not present in
standard probes.
SIP-TCP
Establishes a TCP connection and sends an OPTIONS request packet to the
user agent on the server. The ACE compares the response with the
configured response code or expected string, or both, to determine whether
the probe has succeeded. If you do not configure an expected status code, any
response from the server is marked as failed.
SIP-UDP
Establishes a UDP connection and sends an OPTIONS request packet to the
user agent on the server. The ACE compares the response with the
configured response code or expected string, or both, to determine whether
the probe has succeeded. If you do not configure an expected status code, any
response from the server is marked as failed.
SMTP
Initiates an SMTP session by logging into the server.
SNMP
Establishes a UDP connection and sends a maximum of eight SNMP OID
queries to probe the server. The ACE weighs and averages the load
information that is retrieved and uses it as input to the least-loaded algorithm
for load-balancing decisions. If the retrieved value is within the configured
threshold, the server is marked as passed. If the threshold is exceeded, the
server is marked as failed.
TCP
Initiates a TCP handshake and expects a response. By default, a successful
response causes the probe to mark the server as passed. The probe then sends
a FIN to end the session. If the response is not valid, or if there is no
response, the probe marks the real server as failed.
TELNET
Establishes a connection to the real server and verifies that a greeting from
the application was received.
UDP
Sends a UDP packet to a real server. The probe marks the server as failed
only if an ICMP Port Unreachable message is returned.
Step 5
Enter health monitoring general attributes (see Table 4-8).
Note
Click More Settings to access the additional general attributes for the selected probe type. By default,
the Device Manager hides the probe attributes with default values and the probe attributes which are not
commonly used.
Table 4-8 Health Monitoring General Attributes
Field / Action
Description
Enter a description for this probe. Valid entries are unquoted alphanumeric text
strings with no spaces and a maximum of 240 characters.
Probe Interval (Seconds)
Enter the number of seconds that the ACE is to wait before sending another probe
to a server marked as passed. Valid entries are from 2 to 65535 with a default of
15.
Pass Detect Interval (Seconds)
Enter the number of seconds that the ACE is to wait before sending another probe
to a server marked as failed. Valid entries are integers from 2 to 65535 with a
default of 60.
Fail Detect
Enter the consecutive number of times that an ACE must detect that probes have
failed to contact a server before marking the server as failed. Valid entries are
integers from 1 to 65535 with a default of 3.
More Settings
Pass Detect Count
Enter the number of successful probe responses from the server before the server
is marked as passed. Valid entries are integers from 1 to 65535 with a default of 3.
Receive Timeout
(Seconds)
Enter the number of seconds the ACE is to wait for a response from a server that
has been probed before marking the server as failed. Valid entries are integers
from 1 to 65535 with a default of 10.
Dest IP Address (see note 1)
By default, the probe uses the IP address from the real or virtual server
configuration for the destination IP address. To override the destination address
that the probe uses, enter the preferred destination IP address in this field using
dotted-decimal notation, such as 192.168.11.1.
Is Routed (see note 2)
Check the check box to indicate that the destination IP address is routed according
to the ACE internal routing table. Clear the check box to indicate that the
destination IP address is not routed according to the ACE internal routing table.
1. The Dest IP Address field is not applicable to the Scripted probe type.
2. The Is Routed field is not applicable to the RTSP, Scripted, SIP-TCP, and SIP-UDP probe types.
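How the Table 4-8 general attributes interact (Probe Interval while a server is passed, Pass Detect Interval once it is failed, Fail Detect consecutive failures, Pass Detect Count consecutive successes, and Receive Timeout deciding whether a slow answer counts as a failure), shown as a Python simulation that also reports when each probe would be sent. This is an added example and not Cisco code; the probe responses are constructed, the server is assumed to start in the passed state, and the next probe is assumed to be scheduled relative to the previous probe's send time.

```python
"""Simulation of the passed/failed probe state machine driven by Table 4-8.

Added example, not Cisco code. Responses are constructed; the server is assumed
to start in the passed state, and each probe is scheduled relative to the send
time of the previous one.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProbeSettings:
    probe_interval: int = 15        # seconds between probes to a passed server
    pass_detect_interval: int = 60  # seconds between probes to a failed server
    fail_detect: int = 3            # consecutive failures before marking failed
    pass_detect_count: int = 3      # consecutive successes before marking passed
    receive_timeout: int = 10       # seconds to wait for a response


class ProbeState:
    def __init__(self, settings: ProbeSettings):
        self.cfg = settings
        self.status = "passed"   # assumption: the server starts in service
        self.fail_streak = 0     # consecutive failed probes while passed
        self.pass_streak = 0     # consecutive successful probes while failed

    def next_delay(self) -> int:
        """Seconds until the next probe, chosen by the current status."""
        if self.status == "passed":
            return self.cfg.probe_interval
        return self.cfg.pass_detect_interval

    def record(self, response_time: Optional[float]) -> str:
        """Apply one probe result; None means no response was received."""
        ok = response_time is not None and response_time <= self.cfg.receive_timeout
        if ok:
            self.fail_streak = 0             # a good answer breaks the failure run
            if self.status == "failed":
                self.pass_streak += 1
                if self.pass_streak >= self.cfg.pass_detect_count:
                    self.status, self.pass_streak = "passed", 0
        else:
            self.pass_streak = 0             # a failure breaks the recovery run
            if self.status == "passed":
                self.fail_streak += 1
                if self.fail_streak >= self.cfg.fail_detect:
                    self.status, self.fail_streak = "failed", 0
        return self.status


def simulate(settings: ProbeSettings,
             responses: List[Optional[float]]) -> List[Tuple[int, str]]:
    """Return (send time, status after that probe) for each probe in order."""
    probe = ProbeState(settings)
    timeline, t = [], 0
    for rt in responses:
        status = probe.record(rt)
        timeline.append((t, status))
        t += probe.next_delay()   # interval depends on the status just determined
    return timeline


# Constructed responses: one good answer, then no reply, a reply slower than the
# 10-second Receive Timeout, no reply again, and three quick answers.
SAMPLE_RESPONSES: List[Optional[float]] = [1.0, None, 12.0, None, 1.0, 1.0, 1.0]


def demo() -> List[Tuple[int, str]]:
    """Run the default settings over SAMPLE_RESPONSES."""
    return simulate(ProbeSettings(), SAMPLE_RESPONSES)


if __name__ == "__main__":
    for when, status in demo():
        print(f"t={when:4d}s  {status}")
```

With the defaults the third consecutive failure at t=45 marks the server failed, the following probes are spaced by the 60-second Pass Detect Interval, and the third good answer at t=225 marks it passed again.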
Table 4-9 lists the default port numbers for each probe type.
Table 4-9 Default Port Numbers for Probe Types
Probe Type: Default Port Number
DNS: 53
Echo: 7
Finger: 79
FTP: 21
HTTP: 80
HTTPS: 443
ICMP: Not applicable
IMAP: 143
POP3: 110
RADIUS: 1812
RTSP: 554
Scripted: 1
SIP (both TCP and UDP): 5060
SMTP: 25
SNMP: 161
Telnet: 23
TCP: 80
UDP: 53
Step 6
Enter the attributes for the specific probe type selected:
• For DNS probes, see Table 4-10.
• For Echo-TCP probes, see Table 4-11.
• For Echo-UDP probes, see Table 4-12.
• For Finger probes, see Table 4-13.
• For FTP probes, see Table 4-14.
• For HTTP probes, see Table 4-15.
• For HTTPS probes, see Table 4-16.
• There are no specific attributes for ICMP probes.
• For IMAP probes, see Table 4-17.
• For POP probes, see Table 4-18.
• For RADIUS probes, see Table 4-19.
• For RTSP probes, see Table 4-20.
• For Scripted probes, see Table 4-21.
• For SIP-TCP probes, see Table 4-22.
• For SIP-UDP probes, see Table 4-23.
• For SMTP probes, see Table 4-24.
• For SNMP probes, see Table 4-25.
• For TCP probes, see Table 4-26.
• For Telnet probes, see Table 4-27.
• For UDP probes, see Table 4-28.
Step 7
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Health Monitoring
table.
• Next to save your entries and to configure another probe.
Related Topics
• Configuring DNS Probe Expect Addresses, page 4-51
• Configuring Headers for HTTP and HTTPS Probes, page 4-52
• Configuring Health Monitoring Expect Status, page 4-53
• Configuring Real Servers, page 4-4
• Configuring Server Farms, page 4-11
• Configuring Sticky Groups, page 5-7
Probe Attribute Tables
Refer to the following topics to configure health monitoring probe-specific attributes:
• DNS Probe Attributes, page 4-37
• Echo-TCP Probe Attributes, page 4-37
• Echo-UDP Probe Attributes, page 4-38
• Finger Probe Attributes, page 4-38
• FTP Probe Attributes, page 4-39
• HTTP Probe Attributes, page 4-39
• HTTPS Probe Attributes, page 4-41
• IMAP Probe Attributes, page 4-43
• POP Probe Attributes, page 4-43
• RADIUS Probe Attributes, page 4-44
• RTSP Probe Attributes, page 4-45
• Scripted Probe Attributes, page 4-46
• SIP-TCP Probe Attributes, page 4-47
• SIP-UDP Probe Attributes, page 4-48
• SMTP Probe Attributes, page 4-48
• SNMP Probe Attributes, page 4-49
• TCP Probe Attributes, page 4-49
• Telnet Probe Attributes, page 4-50
• UDP Probe Attributes, page 4-51
Refer to the following topics for additional configuration options for health monitoring probes:
• Configuring DNS Probe Expect Addresses, page 4-51
• Configuring Headers for HTTP and HTTPS Probes, page 4-52
• Configuring Health Monitoring Expect Status, page 4-53
• Configuring an OID for SNMP Probes, page 4-54
DNS Probe Attributes
Note
Click More Settings to access the additional attributes for the DNS probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 4-10 DNS Probe Attributes
Field / Action
Domain Name
Enter the domain name that the probe is to send to the DNS server. Valid
entries are unquoted text strings with a maximum of 255 characters.
More Settings
Port
Enter the port number that the probe is to use. By default, the probe uses the
port number based on its type.
To configure expect addresses for DNS probes, see Configuring DNS Probe Expect Addresses,
page 4-51.
Echo-TCP Probe Attributes
Note
Click More Settings to access the additional attributes for the Echo-TCP probe type. By default, ACE
appliance Device Manager hides the probe attributes with default values and the probe attributes which
are not commonly used.
Table 4-11 Echo-TCP Probe Attributes
Field / Action
Send Data
Enter the ASCII data that the probe is to send to the server. Valid entries are
unquoted text strings with no spaces and a maximum of 255 characters.
More Settings
Is Connection
Check the check box to indicate that connection parameters are configured.
Clear the check box to indicate that connection parameters are not
configured.
Open Timeout (Seconds)
Enter the number of seconds to wait when opening a connection with a real
server. Valid entries are integers from 1 to 65535, and the default value is 1.
Echo-UDP Probe Attributes

Note: Click More Settings to access the additional attributes for the Echo-UDP probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-12 Echo-UDP Probe Attributes

Field / Action

Send Data
    Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.

More Settings

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.
Finger Probe Attributes

Note: Click More Settings to access the additional attributes for the Finger probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-13 Finger Probe Attributes

Field / Action

Send Data
    Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.

More Settings

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection
    Check the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout (Seconds)
    Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 1.
FTP Probe Attributes

Note: Click More Settings to access the additional attributes for the FTP probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-14 FTP Probe Attributes

Field / Action

More Settings

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection
    Check the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout (Seconds)
    Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 1.

To configure probe expect statuses for FTP probes, see Configuring Health Monitoring Expect Status, page 4-53.
HTTP Probe Attributes

Note: Click More Settings to access the additional attributes for the HTTP probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-15 HTTP Probe Attributes

Field / Action

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Request Method Type
    Select the type of HTTP request method that is to be used for this probe:
    • N/A—This option is not defined.
    • Get—The HTTP request method is a GET with a URL of “/”. This request method directs the server to return the page, and the ACE calculates a hash value for the content of the page. If the page content changes, the hash value no longer matches the original hash value and the ACE assumes the service is down. This is the default request method.
    • Head—Only the header for the page is requested from the server. Using this method can prevent the ACE from assuming that the service is down due to changed content and therefore changed hash values.

Request HTTP URL
    This field appears if you select Head or Get in the Request Method Type field.
    Enter the URL path on the remote server. Valid entries are strings of up to 255 characters specifying the URL path. The default path is “/”.

More Settings

Is Connection
    Check the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout (Seconds)
    Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 1.

User Name
    Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

Password
    Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field.

Expect Regular Expression
    Enter the expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters.

Expect Regex Offset
    Enter the number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are integers from 1 to 4000.

Hash
    Check the Hash check box to indicate that the ACE is to use an MD5 hash for an HTTP GET probe. Clear the Hash check box to indicate that the ACE should not use an MD5 hash for an HTTP GET probe.

Hash String
    This field appears if the Hash check box is selected.
    Enter the 32-bit hash value that the ACE is to compare with the hash that is generated from the HTTP page sent by the server. If you do not provide this value, the ACE generates a value the first time it queries the server, stores this value, and matches this value with other responses from the server. A successful comparison causes the probe to maintain an Alive state.
    Enter the MD5 hash value as a quoted or unquoted hexadecimal string with 16 characters.

To configure probe headers and expect statuses for HTTP probes, see:
• Configuring Headers for HTTP and HTTPS Probes, page 4-52
• Configuring Health Monitoring Expect Status, page 4-53
HTTPS Probe Attributes

Note: Click More Settings to access the additional attributes for the HTTPS probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-16 HTTPS Probe Attributes

Field / Action

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Request Method Type
    Select the type of HTTP request method that is to be used for this probe:
    • N/A—This option is not defined.
    • Get—The HTTP request method is a GET with a URL of “/”. This request method directs the server to return the page, and the ACE calculates a hash value for the content of the page. If the page content changes, the hash value no longer matches the original hash value and the ACE assumes the service is down. This is the default request method.
    • Head—Only the header for the page is requested from the server. Using this method can prevent the ACE from assuming that the service is down due to changed content and therefore changed hash values.

Request HTTP URL
    This field appears if you select Head or Get in the Request Method Type field.
    Enter the URL path on the remote server. Valid entries are strings of up to 255 characters specifying the URL path. The default path is “/”.

Cipher
    Select the cipher suite to be used with this HTTPS probe:
    • RSA_ANY—The HTTPS probe accepts all RSA-configured cipher suites; no specific suite is configured. This is the default action.
    • RSA_EXPORT1024_WITH_DES_CBC_SHA
    • RSA_EXPORT1024_WITH_RC4_56_MD5
    • RSA_EXPORT1024_WITH_RC4_56_SHA
    • RSA_EXPORT_WITH_DES40_CBC_SHA
    • RSA_EXPORT_WITH_RC4_40_MD5
    • RSA_WITH_3DES_EDE_CBC_SHA
    • RSA_WITH_AES_128_CBC_SHA
    • RSA_WITH_AES_256_CBC_SHA
    • RSA_WITH_DES_CBC_SHA
    • RSA_WITH_RC4_128_MD5
    • RSA_WITH_RC4_128_SHA

SSL Version
    Select the version of SSL or TLS to be used in ClientHello messages sent to the server:
    • All—The probe is to use all SSL versions.
    • SSLv3—The probe is to use SSL version 3.
    • TLSv1—The probe is to use TLS version 1.
    By default, the probe sends ClientHello messages with an SSL version 3 header and a TLS version 1 message.

More Settings

Is Connection
    Check the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout (Seconds)
    Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 1.

User Name
    Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

Password
    Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field.

Expect Regular Expression
    Enter the expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters.

Expect Regex Offset
    Enter the number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are integers from 1 to 4000.

Hash
    Check the Hash check box to indicate that the ACE is to use an MD5 hash for an HTTP GET probe. Clear this check box to indicate that the ACE is not to use an MD5 hash for an HTTP GET probe.

Hash String
    This field appears if the Hash check box is selected.
    Enter the 32-bit hash value that the ACE is to compare with the hash that is generated from the HTTP page sent by the server. If you do not provide this value, the ACE generates a value the first time it queries the server, stores this value, and matches this value with other responses from the server. A successful comparison causes the probe to maintain an Alive state.
    Enter the MD5 hash value as a quoted or unquoted hexadecimal string with 16 characters.

To configure probe headers and expect statuses for HTTPS probes, see:
• Configuring Headers for HTTP and HTTPS Probes, page 4-52
• Configuring Health Monitoring Expect Status, page 4-53
IMAP Probe Attributes

Note: Click More Settings to access the additional attributes for the IMAP probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-17 IMAP Probe Attributes

Field / Action

User Name
    Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

Password
    Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field.

Mailbox Name
    Enter the user mailbox name from which to retrieve e-mail for this IMAP probe. Valid entries are unquoted text strings with a maximum of 64 characters.

Request Command
    Enter the request method command for this probe. Valid entries are text strings with a maximum of 32 characters and no spaces.

More Settings

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection
    Check the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout (Seconds)
    Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 1.
POP Probe Attributes

Note: Click More Settings to access the additional attributes for the POP probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-18 POP Probe Attributes

Field / Action

User Name
    Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

Password
    Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field.

Request Command
    Enter the request method command for this probe. Valid entries are text strings with a maximum of 32 characters and no spaces.

More Settings

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection
    Check the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout
    Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 1.
RADIUS Probe Attributes

Note: Click More Settings to access the additional attributes for the RADIUS probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-19 RADIUS Probe Attributes

Field / Action

User Secret
    Enter the shared secret to be used to allow probe access to the RADIUS server. Valid entries are case-sensitive strings with no spaces and a maximum of 64 characters.

User Name
    Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

Password
    Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field.

More Settings

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

NAS IP Address
    Enter the IP address of the Network Access Server (NAS) in dotted-decimal format, such as 192.168.11.1.
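How the four RADIUS probe fields are used on the wire, as an added example (not ACE or Cisco code): per RFC 2865, the User Secret hides the Password inside the Access-Request and later authenticates the server's reply, while the User Name and NAS IP Address travel as plain attributes. The secret, account, password and Request Authenticator values below are constructed for the demo. The useful check for a probe is the last function: a reply whose Response Authenticator does not verify under the shared secret should count as a failed probe, not as a server answer.

```python
"""Added example: RADIUS Access-Request construction and reply verification
(RFC 2865), showing what the probe's User Secret, User Name, Password and
NAS IP Address fields do. Not ACE code; all values are constructed."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    length = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(length, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(code: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(ident, secret, user, password, nas_ip, req_auth=None):
    """Access-Request carrying the probe's user, hidden password and NAS address.
    req_auth is random unless a fixed value is supplied for reproducible tests."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Constructed server reply. Response Authenticator (RFC 2865 section 3) is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Trust a reply only if its identifier matches the outstanding request and
    its Response Authenticator verifies under the shared secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    req = build_access_request(7, secret, "probe-user", "probe-pass", "192.168.11.1")
    good = build_reply(ACCESS_ACCEPT, req, secret)
    forged = build_reply(ACCESS_ACCEPT, req, b"attacker-does-not-know-secret")
    print("genuine accept verifies:", verify_reply(good, req, secret))
    print("forged accept verifies:", verify_reply(forged, req, secret))
```

Because the only key material in this exchange is the shared secret and MD5, the strength of the User Secret field is what stands between a probe and a spoofed Access-Accept; keep it long and unique per server, and keep the probe's account limited to what the health check needs.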
RTSP Probe Attributes

Note: Click More Settings to access the additional attributes for the RTSP probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-20 RTSP Probe Attributes

Field / Action

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

RTSP Require Header Value
    Enter the Require header for this probe.

RTSP Proxy Require Header Value
    Enter the Proxy-Require header for this probe.

RTSP Request Method Type
    Select the request method type:
    • N/A—No request method is selected.
    • Describe—This probe is to use the Describe request type.

More Settings

Is Connection
    Check the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout (Seconds)
    Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 1.

To configure probe expect statuses for RTSP probes, see Configuring Health Monitoring Expect Status, page 4-53.
Scripted Probe Attributes

Note: Click More Settings to access the additional attributes for the Scripted probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-21 Scripted Probe Attributes

Field / Action

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Script Name
    Enter the local name that you want to assign to this file on the ACE. This file can reside in the disk0: directory or the probe: directory (if the probe: directory exists).
    Note: The script file must first be established on the ACE device and the name must be entered exactly as it appears on the device. Please refer to your ACE documentation for more details.
    Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.

Script Arguments
    Valid arguments are unquoted text strings with no spaces; separate multiple arguments with a space. The field limit is 255 characters.

More Settings

Script Needs To Be Copied From Remote Location?
    Check this check box to indicate that the file needs to be copied from a remote server. Clear this check box to indicate that the script resides locally.

Protocol
    This field appears if the script is to be copied from a remote server.
    Select the protocol to be used for copying the script:
    • FTP—The script is to be copied using FTP.
    • TFTP—The script is to be copied using TFTP.

User Name
    This field appears if FTP is selected in the Protocol field.
    Enter the name of the user account on the remote server.

Password
    This field appears if FTP is selected in the Protocol field.
    Enter the password for the user account on the remote server. Reenter the password in the Confirm field.

Source File Name
    This field appears if the script is to be copied from a remote server.
    Enter the host IP address, path, and filename of the file on the remote server in the format host-ip/path/filename where:
    • host-ip represents the IP address of the remote server.
    • path represents the directory path of the file on the remote server.
    • filename represents the filename of the file on the remote server.
    For example, your entry might resemble 192.168.11.2/usr/bin/my-script.ext.
SIP-TCP Probe Attributes

Note: Click More Settings to access the additional attributes for the SIP-TCP probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-22 SIP-TCP Probe Attributes

Field / Action

More Settings

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection
    Check the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout (Seconds)
    Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 1.

Expect Regular Expression
    Enter the expected response data from the probe destination. Valid entries are text strings with a maximum of 255 characters. This field accepts both single and double quotes. Double quotes are treated as delimiters, so they do not appear on the device; single quotes do appear on the device.

Expect Regex Offset
    Enter the number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are integers from 1 to 4000.

To configure probe expect statuses for SIP-TCP probes, see Configuring Health Monitoring Expect Status, page 4-53.
SIP-UDP Probe Attributes

Note: Click More Settings to access the additional attributes for the SIP-UDP probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-23 SIP-UDP Probe Attributes

Field / Action

More Settings

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Enable Rport
    Check the check box to indicate that the server will be forced to send a reply from the same port on which the request was received. Clear the check box to indicate that the server can send the reply from a different port than the port on which the request was received.

Expect Regular Expression
    Enter the expected response data from the probe destination. Valid entries are text strings with a maximum of 255 characters. This field accepts both single and double quotes. Double quotes are treated as delimiters, so they do not appear on the device; single quotes do appear on the device.

Expect Regex Offset
    Enter the number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are integers from 1 to 4000.

To configure probe expect statuses for SIP-UDP probes, see Configuring Health Monitoring Expect Status, page 4-53.
SMTP Probe Attributes

Note: Click More Settings to access the additional attributes for the SMTP probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-24 SMTP Probe Attributes

Field / Action

More Settings

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection
    Check the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout (Seconds)
    Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 1.

To configure probe expect statuses for SMTP probes, see Configuring Health Monitoring Expect Status, page 4-53.
SNMP Probe Attributes

Note: Click More Settings to access the additional attributes for the SNMP probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-25 SNMP Probe Attributes

Field / Action

SNMP Community
    Enter the SNMP community string. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.

More Settings

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

SNMP Version
    Select the SNMP version for this probe:
    • N/A—No version is selected.
    • SNMPv1—This probe is to use SNMP version 1.
    • SNMPv2c—This probe is to use SNMP version 2c.

To configure the SNMP OID for SNMP probes, see Configuring an OID for SNMP Probes, page 4-54.
TCP Probe Attributes

Note: Click More Settings to access the additional attributes for the TCP probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-26 TCP Probe Attributes

Field / Action

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Send Data
    Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.

More Settings

Is Connection
    Check the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout (Seconds)
    Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 1.

Expect Regular Expression
    Enter the expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters.

Expect Regex Offset
    Enter the number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are integers from 1 to 4000.
Telnet Probe Attributes

Note: Click More Settings to access the additional attributes for the Telnet probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-27 Telnet Probe Attributes

Field / Action

More Settings

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection
    Check the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout (Seconds)
    Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 1.
UDP Probe Attributes

Note: Click More Settings to access the additional attributes for the UDP probe type. By default, ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.

Table 4-28 UDP Probe Attributes

Field / Action

Port
    Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Send Data
    Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.

More Settings

Expect Regular Expression
    Enter the expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters.

Expect Regex Offset
    Enter the number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are integers from 1 to 4000.
Configuring DNS Probe Expect Addresses

When a DNS probe sends a domain name resolve request to the server, it verifies the returned IP address by matching the received IP address with the configured addresses.

Use this procedure to specify the IP address that the ACE appliance expects to receive in response to a DNS request.

Assumption

A DNS probe has been configured. See Configuring Health Monitoring for Real Servers, page 4-31 for more information.

Procedure

Step 1  Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health Monitoring table appears.

Step 2  Select the DNS probe that you want to configure with an expected IP address. The Expect Addresses subtable appears.

Step 3  Click Add to add an entry to the Expect Addresses table. The Expect Address configuration screen appears.

Note: You cannot modify an entry in the Expect Addresses table. Instead, delete the existing entry, then add a new one.

Step 4  In the IP Address field, enter the IP address that the ACE appliance is to expect as a server response to a DNS request. Valid entries are unique IP addresses in dotted-decimal notation, such as 192.168.11.1.

Step 5  Click:
    • Deploy Now to deploy this configuration on the ACE appliance.
    • Cancel to exit this procedure without saving your entry and to return to the Expect Addresses table.
    • Next to save your entry and to add another IP Address to the Expect Addresses table.

Related Topics
• Configuring Health Monitoring for Real Servers, page 4-31
• DNS Probe Attributes, page 4-37
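The check this section describes, as an added example that is not ACE or Cisco code: decode the A records in a DNS reply and compare them with the configured Expect Addresses. The reply bytes are constructed inline (including a CNAME that must be skipped and a compression pointer that must be followed), so the example runs offline. Two things are assumptions of this example rather than statements of the page: the probe passes when at least one returned address matches, and a reply that is malformed, carries a non-zero RCODE or answers a different transaction ID is treated as a failed probe rather than as a mismatch.

```python
"""Added example: parse a DNS answer and check it against configured Expect
Addresses. Not ACE code; the reply bytes are constructed for the demo."""
import struct
from ipaddress import IPv4Address

QTYPE_A, QTYPE_CNAME, QCLASS_IN = 1, 5, 1


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(ident: int, name: str) -> bytes:
    """Standard recursive A query for `name`, as a probe would send."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query: bytes, records, rcode: int = 0) -> bytes:
    """Constructed server reply: echoes the question and appends answer RRs whose
    owner name is a compression pointer (0xC00C) back to the question at offset 12."""
    ident = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", ident, 0x8180 | rcode, 1, len(records), 0, 0)
    answers = b""
    for rtype, rdata in records:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, QCLASS_IN, 60, len(rdata)) + rdata
    return header + query[12:] + answers


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name).
    Bounds and hop limits keep a malformed reply from hanging or crashing the probe."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if not jumped:
                end = off + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_a_records(query: bytes, response: bytes) -> list:
    """Return the IN A addresses in a reply that genuinely answers `query`;
    raise ValueError on a short or foreign reply or a non-zero RCODE."""
    if len(response) < 12:
        raise ValueError("short response")
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if ident != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):                        # skip the echoed question(s)
        _, off = read_name(response, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = read_name(response, off)
        if off + 10 > len(response):
            raise ValueError("truncated RR header")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(str(IPv4Address(rdata)))
    return addrs


def dns_probe_passes(query: bytes, response: bytes, expect_addresses) -> bool:
    """Pass if a returned A record is among the configured Expect Addresses.
    Assumption: at least one match is required; a reply that fails to parse
    counts as a failed probe."""
    try:
        returned = parse_a_records(query, response)
    except ValueError:
        return False
    return any(addr in set(expect_addresses) for addr in returned)


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    r = build_response(q, [(QTYPE_CNAME, encode_name("edge.example.net")),
                           (QTYPE_A, bytes([192, 168, 11, 1]))])
    print(parse_a_records(q, r), dns_probe_passes(q, r, ["192.168.11.1"]))
```

Checking the transaction ID and RCODE before looking at the addresses matters for a health check: a late or foreign reply, or an NXDOMAIN from a server that is up but misconfigured, should not be able to mark the server alive.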
Configuring Headers for HTTP and HTTPS Probes

Use this procedure to specify header fields for HTTP and HTTPS probes.

Assumption

An HTTP or HTTPS probe has been configured. See Configuring Health Monitoring for Real Servers, page 4-31 for more information.

Procedure

Step 1  Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health Monitoring table appears.

Step 2  Select the HTTP or HTTPS probe that you want to configure with a header. The Probe Headers subtable appears.

Step 3  Click Add to add an entry, or select an existing entry, then click Edit to modify it. The Probe Headers configuration screen appears.

Step 4  In the Header Name field, select the HTTP header the probe is to use.

Step 5  In the Header Value field, enter the string to assign to the header field. Valid entries are text strings with a maximum of 255 characters. If the string includes spaces, enclose the string in quotes.

Step 6  Click:
    • Deploy Now to deploy this configuration on the ACE appliance.
    • Cancel to exit this procedure without saving your entry and to return to the Probe Headers table.
    • Next to save your entry and to add another header entry to the Probe Headers table.

Related Topics
• Configuring Health Monitoring for Real Servers, page 4-31
• HTTP Probe Attributes, page 4-39
• HTTPS Probe Attributes, page 4-41
Configuring Health Monitoring Expect Status
When the ACE appliance receives a response from the server, it expects a status code to mark a server
as passed. By default, there are no status codes configured on the ACE appliance. If you do not configure
a status code, any response code from the server is marked as failed.
Expect status codes can be configured for FTP, HTTP, HTTPS, RTSP, SIP-TCP, SIP-UDP, and SMTP
probes.
Use this procedure to configure a single or range of code responses that the ACE appliance expects from
the probe destination.
Assumption
An FTP, HTTP, HTTPS, RTSP, SIP-TCP, SIP-UDP, or SNMP probe has been configured. See
Configuring Health Monitoring for Real Servers, page 4-31 for more information.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health
Monitoring table appears.
Step 2
Select the FTP, HTTP, HTTPS, or SMTP probe that you want to configure for expect status codes. The
Expect Status subtable appears.
Step 3
Click Add to add an entry, or select an existing entry, then click Edit to modify it. The Expect Status
configuration screen appears.
Step 4
To configure a single expect status code:
a. In the Min. Expect Status Code field, enter the expect status code for this probe. Valid entries are
integers from 0 to 999.
b. In the Max. Expect Status Code field, enter the same expect status code that you entered in the Min.
Expect Status Code field.
Step 5
To configure a range of expect status codes:
a. In the Min. Expect Status Code field, enter the lower limit of the range of status codes. Valid entries
are integers from 0 to 999.
b. In the Max. Expect Status Code field, enter the upper limit of the range of status codes. Valid entries
are integers from 0 to 999. The value in this field must be greater than or equal to the value in the
Min. Expect Status Code field.
Step 6
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Expect Status table.
• Next to save your entries and to add another expect status code to the Expect Status table.
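How the expect-status rules above play out against a raw probe response, as an added example that is not ACE code: the entries are validated the way the Expect Status screen validates them, a malformed reply never counts as a pass, and with nothing configured every response is marked as failed. The sample ranges and the response bytes are constructed.

```python
from typing import List, Optional, Tuple

# (min_code, max_code), both inclusive, as entered on the Expect Status screen
ExpectRange = Tuple[int, int]


def add_expect_status(ranges: List[ExpectRange], min_code: int, max_code: int) -> None:
    """Validate one entry the way the Expect Status screen does: both values are
    integers from 0 to 999 and the maximum must be >= the minimum. A single
    code is simply a range whose minimum and maximum are equal."""
    if not (0 <= min_code <= 999 and 0 <= max_code <= 999):
        raise ValueError("expect status codes must be integers from 0 to 999")
    if max_code < min_code:
        raise ValueError("Max. Expect Status Code must be >= Min. Expect Status Code")
    ranges.append((min_code, max_code))


def parse_status_code(response: bytes) -> Optional[int]:
    """Return the status code from a raw HTTP response, or None when the
    status line is malformed. A malformed reply must never count as a pass."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    code = parts[1].decode("ascii", "replace")
    if len(code) != 3 or not code.isdigit():
        return None
    return int(code)


def probe_passed(response: bytes, ranges: List[ExpectRange]) -> bool:
    """Apply the rule from the text: with no expect status configured, every
    response is marked as failed; otherwise the server passes when the code
    falls inside any configured [min, max] range."""
    code = parse_status_code(response)
    if code is None:
        return False
    return any(lo <= code <= hi for lo, hi in ranges)


# Constructed sample: an HTTP probe that accepts any 2xx and a single 302.
SAMPLE_RANGES: List[ExpectRange] = []
add_expect_status(SAMPLE_RANGES, 200, 299)
add_expect_status(SAMPLE_RANGES, 302, 302)

if __name__ == "__main__":
    reply = b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"
    print("passed" if probe_passed(reply, SAMPLE_RANGES) else "failed")
```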
Related Topics
• Configuring Health Monitoring for Real Servers, page 4-31
• FTP Probe Attributes, page 4-39
• HTTP Probe Attributes, page 4-39
• SNMP Probe Attributes, page 4-49
Configuring an OID for SNMP Probes
When the ACE sends a probe with an SNMP OID query, the ACE uses the retrieved value as input to the
least-loaded algorithm for load-balancing decisions. Least-loaded load balancing bases the server
selection on the server with the lowest load value. If the retrieved value is within the configured
threshold, the server is marked as passed. If the threshold is exceeded, the server is marked as failed.
The ACE allows a maximum of eight OID queries to probe the server.
Assumption
An SNMP probe has been configured. See Configuring Health Monitoring for Real Servers, page 4-31
for more information.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health
Monitoring table appears.
Step 2
Select the SNMP probe that you want to specify an OID for. The SNMP OID for Server Load Query
table appears.
Step 3
Click Add to add an entry, or select an existing entry, then click Edit to modify it. The SNMP OID
configuration pane appears.
Step 4
In the SNMP OID field, enter the OID that the probe is to use to query the server for a value. Valid entries
are unquoted strings with a maximum of 255 alphanumeric characters in dotted-decimal notation, such
as .1.3.6.1.4.2021.10.1.3.1. The OID string is based on the server type.
Step 5
In the Maximum Absolute Server Load Value field, enter the maximum absolute server load value as an
integer. Entering a value in this field indicates that the retrieved OID value is an absolute value instead
of a percent. Valid entries are integers from 1 to 4294967295.
When the ACE sends a probe with an SNMP OID query, the ACE uses the retrieved value as input to the
least-loaded algorithm for load-balancing decisions. By default, the ACE assumes that the retrieved OID
value is a percent value. Use this field to specify that the retrieved OID value is an absolute value.
Step 6
In the Server Load Threshold Value field, specify the threshold at which the server is to be taken out of
service:
• When the OID value is based on a percent, valid entries are integers from 1 to 100.
• When the OID is based on an absolute value, valid entries are from 1 to the value specified in the
Maximum Absolute Server Load Value field.
Step 7
In the Server Load Weighting field, enter the weight to assign to this OID for the SNMP probe. Valid
entries are integers from 0 to 16000.
Step 8
Click:
• Deploy Now to deploy this configuration.
• Cancel to exit this procedure without saving your entries and to return to the SNMP OID table.
• Next to deploy your entries and to add another item to the SNMP OID table.
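Least-loaded selection driven by the OID settings above (percent or absolute value, threshold, weighting, at most eight OIDs), as an added example that is not ACE code. Assumptions: the OID values and the second OID are constructed, and because this page does not say how the ACE combines several weighted OIDs into one load figure, the weighted average below is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_OIDS_PER_PROBE = 8   # the ACE allows at most eight OID queries per probe


@dataclass
class OidQuery:
    """One SNMP OID entry of a probe, with the ranges the DM screen enforces."""
    oid: str
    threshold: int                       # server is failed when the value exceeds this
    weight: int = 1                      # Server Load Weighting, 0..16000
    max_absolute: Optional[int] = None   # Maximum Absolute Server Load Value; None = percent

    def __post_init__(self) -> None:
        if not 0 <= self.weight <= 16000:
            raise ValueError("weight must be an integer from 0 to 16000")
        if self.max_absolute is None:
            if not 1 <= self.threshold <= 100:
                raise ValueError("percent threshold must be from 1 to 100")
        else:
            if not 1 <= self.max_absolute <= 4294967295:
                raise ValueError("max absolute value must be from 1 to 4294967295")
            if not 1 <= self.threshold <= self.max_absolute:
                raise ValueError("absolute threshold must be from 1 to the max absolute value")

    def load_percent(self, value: int) -> float:
        """Normalise a retrieved value to a percent of capacity."""
        if self.max_absolute is None:
            return float(value)
        return 100.0 * value / self.max_absolute


def server_load(queries: List[OidQuery], retrieved: Dict[str, int]) -> Optional[float]:
    """Combined load (0..100) of one server, or None when the server is marked
    failed: an OID value missing from the SNMP reply or exceeding its threshold."""
    if len(queries) > MAX_OIDS_PER_PROBE:
        raise ValueError("an SNMP probe allows at most eight OID queries")
    total_weight = sum(q.weight for q in queries)
    weighted = 0.0
    for q in queries:
        value = retrieved.get(q.oid)
        if value is None or value > q.threshold:
            return None
        weighted += q.weight * q.load_percent(value)
    # Assumption: the per-OID loads are combined as a weighted average.
    return weighted / total_weight if total_weight else 0.0


def least_loaded(queries: List[OidQuery], servers: Dict[str, Dict[str, int]]) -> Optional[str]:
    """Pick the passed server with the lowest load; None when every server failed."""
    best: Optional[tuple] = None
    for name, retrieved in servers.items():
        load = server_load(queries, retrieved)
        if load is not None and (best is None or load < best[1]):
            best = (name, load)
    return best[0] if best else None


# Constructed sample. The first OID is the one quoted in Step 4; the second is a
# placeholder OID standing for an absolute connection count, not a real object.
CPU_LOAD_OID = ".1.3.6.1.4.2021.10.1.3.1"
CONN_COUNT_OID = ".1.3.6.1.4.1.99999.1.1"
SAMPLE_QUERIES = [
    OidQuery(CPU_LOAD_OID, threshold=80, weight=1),
    OidQuery(CONN_COUNT_OID, threshold=900, weight=3, max_absolute=1000),
]
SAMPLE_REPLIES = {
    "rs1": {CPU_LOAD_OID: 40, CONN_COUNT_OID: 500},
    "rs2": {CPU_LOAD_OID: 20, CONN_COUNT_OID: 800},
    "rs3": {CPU_LOAD_OID: 90, CONN_COUNT_OID: 100},   # CPU over threshold: failed
}

if __name__ == "__main__":
    print(least_loaded(SAMPLE_QUERIES, SAMPLE_REPLIES))
```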
Related Topics
• Configuring Health Monitoring for Real Servers, page 4-31
• SNMP Probe Attributes, page 4-49
Configuring Secure KAL-AP
A keepalive-appliance protocol (KAL-AP) on the ACE allows communication between the ACE and the
Global Site Selector (GSS), which sends KAL-AP requests, to report the server states and loads for
global-server load-balancing (GSLB) decisions. The ACE uses KAL-AP over a UDP connection to
calculate weights and provide server availability information to the KAL-AP device. The ACE acts
as a server and listens for KAL-AP requests. When KAL-AP is initialized on the ACE, the ACE listens
on the standard port 5002 for any KAL-AP requests. You cannot configure any other port.
The ACE supports secure KAL-AP, which uses MD5 with a shared secret to authenticate the data
exchanged between it and the GSS. For secure KAL-AP, you must configure a shared secret as a key for
authentication between the GSS and the ACE context.
Use this procedure to configure secure KAL-AP associated with a virtual context.
Assumptions
• You have created a virtual context that specifies the Keepalive Appliance Protocol over UDP.
• You have enabled KAL-AP on the ACE by configuring a management class map and policy map,
and applying them to the appropriate interface.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Secure KAL-AP. The Secure
KAL-AP table appears.
Step 2
Click Add to configure secure KAL-AP for MD5 encryption of data. The Secure KAL-AP configuration
screen appears.
Step 3
In the IP Address field, enable secure KAL-AP by configuring the VIP address for the GSS. Enter the
IP address in dotted-decimal notation (for example, 192.168.11.1).
In the Hash Key field, enter the MD5 encryption method shared secret between the KAL-AP device and
the ACE. Enter the shared secret as a case-sensitive string with no spaces and a maximum of
31 alphanumeric characters. The ACE supports the following special characters in a shared secret:
,./=+-^@!%~#$*()
Step 4
Click:
• Deploy Now to save your entries. The ACE appliance validates the secure KAL-AP configuration
and deploys it.
• Cancel to exit this procedure without accepting your entries and to return to the Secure KAL-AP
table.
• Next to accept your entries.
Related Topics
• Creating Virtual Contexts, page 2-2
• Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 10-13
Chapter 5
Configuring Stickiness
This section provides information about sticky behavior and procedures for configuring stickiness
with an ACE appliance.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
Topics include:
• Stickiness Overview, page 5-1
• Configuring Sticky Groups, page 5-7
• Configuring Sticky Statics, page 5-15
Stickiness Overview
When customers visit an e-commerce site, they usually start out by browsing the site, the Internet
equivalent of window shopping. Depending on the application, the site may require that the client
become “stuck” to one server once the connection is established, or the application may not require this
until the client starts to build a shopping cart.
In either case, once the client adds items to the shopping cart, it is important that all of the client requests
get directed to the same server so that all the items are contained in one shopping cart on one server. An
instance of a customer's shopping cart is typically local to a particular Web server and is not duplicated
across multiple servers.
E-commerce applications are not the only types of applications that require stickiness. Any Web
application that maintains client information may require stickiness, such as banking applications or
online trading. Other uses include FTP and HTTP file transfers.
Stickiness allows the same client to maintain multiple simultaneous or subsequent TCP or IP
connections with the same real server for the duration of a session. A session, as used here, is defined as
a series of transactions between a client and a server over some finite period of time (from several
minutes to several hours). This feature is particularly useful for e-commerce applications where a client
needs to maintain multiple connections with the same server while shopping online, especially while
building a shopping cart and during the checkout process.
Depending on the configured SLB policy, the ACE appliance “sticks” a client to an appropriate server
after the ACE appliance has determined which load-balancing method to use. If the ACE appliance
determines that a client is already stuck to a particular server, then the ACE appliance sends that client
request to that server, regardless of the load-balancing criteria specified by the matched policy. If the
ACE appliance determines that the client is not stuck to a particular server, it applies the normal
load-balancing rules to the content request.
For overview information on stickiness, see:
• Sticky Types
• Sticky Groups
• Sticky Table
Related Topics
• Configuring Virtual Server Layer 7 Load Balancing, page 3-29
• Configuring Sticky Groups, page 5-7
Sticky Types
The ACE appliance supports stickiness based on:
• HTTP cookies
• HTTP headers
• IP addresses
• HTTP content
• Layer 4 payloads
• RADIUS attributes
• RTSP headers
• SIP headers
Related Topics
• HTTP Content Stickiness, page 5-4
• HTTP Cookie Stickiness, page 5-4
• HTTP Header Stickiness, page 5-5
• IP Netmask Stickiness, page 5-5
• Layer 4 Payload Stickiness, page 5-5
• RADIUS Stickiness, page 5-6
• RTSP Header Stickiness, page 5-6
• SIP Header Stickiness, page 5-6
HTTP Content Stickiness
HTTP content stickiness allows you to stick a client to a server based on the content of an HTTP packet.
You can specify a beginning pattern and ending pattern, the number of bytes to parse, and an offset that
specifies how many bytes to ignore from the beginning of the data.
Related Topics
• Configuring Sticky Groups, page 5-7
• Sticky Types, page 5-3
• Sticky Groups, page 5-6
• Sticky Table, page 5-7
HTTP Cookie Stickiness
Client cookies uniquely identify clients to the ACE and the servers providing content. A cookie is a small
data structure within the HTTP header that is used by a server to deliver data to a Web client and request
that the client store the information. In certain applications, the client returns the information to the
server to maintain the connection state or persistence between the client and the server.
When the ACE examines a request for content and determines through policy matching that the content
is sticky, it examines any cookie or URL present in the content request. The ACE uses the information
in the cookie or URL to direct the content request to the appropriate server.
The ACE supports the following types of cookie stickiness:
• Dynamic cookie learning
You can configure the ACE to look for a specific cookie name and automatically learn its value
either from the client request HTTP header or from the server Set-Cookie message in the server
response. Dynamic cookie learning is useful when dealing with applications that store more than
just the session ID or user ID within the same cookie. Only very specific bytes of the cookie value
are relevant to stickiness.
By default, the ACE learns the entire cookie value. You can optionally specify an offset and length
to instruct the ACE to learn only a portion of the cookie value.
Alternatively, you can specify a secondary cookie value that appears in the URL string in the HTTP
request. This option instructs the ACE to search for (and eventually learn or stick to) the cookie
information as part of the URL. URL learning is useful with applications that insert cookie
information as part of the HTTP URL. In some cases, you can use this feature to work around clients
that reject cookies.
• Cookie insert
The ACE inserts the cookie on behalf of the server upon the return request, so that the ACE can
perform cookie stickiness even when the servers are not configured to set cookies. The cookie
contains information that the ACE uses to ensure persistence to a specific real server.
Related Topics
• Configuring Sticky Groups, page 5-7
• Sticky Types, page 5-3
• Sticky Groups, page 5-6
• Sticky Table, page 5-7
HTTP Header Stickiness
You can use HTTP-header information to provide stickiness. With HTTP header stickiness, you can
specify a header offset to provide stickiness based on a unique portion of the HTTP header.
Related Topics
• Configuring Sticky Groups, page 5-7
• Sticky Types, page 5-3
• Sticky Groups, page 5-6
• Sticky Table, page 5-7
IP Netmask Stickiness
You can use the source IP address, the destination IP address, or both to uniquely identify individual
clients and their requests for stickiness purposes based on their IP netmask. However, if an enterprise or
a service provider uses a megaproxy to establish client connections to the Internet, the source IP address
no longer is a reliable indicator of the true source of the request. In this case, you can use cookies or one
of the other sticky methods to ensure session persistence.
Related Topics
• Configuring Sticky Groups, page 5-7
• Sticky Types, page 5-3
• Sticky Groups, page 5-6
• Sticky Table, page 5-7
Layer 4 Payload Stickiness
Layer 4 payload stickiness allows you to stick a client to a server based on the data in Layer 4 frames.
You can specify a beginning pattern and ending pattern, the number of bytes to parse, and an offset that
specifies how many bytes to ignore from the beginning of the data.
Related Topics
• Configuring Sticky Groups, page 5-7
• Sticky Types, page 5-3
• Sticky Groups, page 5-6
• Sticky Table, page 5-7
RADIUS Stickiness
RADIUS stickiness can be based on the following RADIUS attributes:
• Calling station ID
• Username
Related Topics
• Configuring Sticky Groups, page 5-7
• Sticky Types, page 5-3
• Sticky Groups, page 5-6
• Sticky Table, page 5-7
RTSP Header Stickiness
RTSP stickiness is based on information in the RTSP session header. With RTSP header stickiness, you
can specify a header offset to provide stickiness based on a unique portion of the RTSP header.
Related Topics
• Configuring Sticky Groups, page 5-7
• Sticky Types, page 5-3
• Sticky Groups, page 5-6
• Sticky Table, page 5-7
SIP Header Stickiness
SIP header stickiness is based on the SIP Call-ID header field. SIP header stickiness requires the entire
SIP header, so you cannot specify an offset.
Related Topics
• Configuring Sticky Groups, page 5-7
• Sticky Types, page 5-3
• Sticky Groups, page 5-6
• Sticky Table, page 5-7
Sticky Groups
The ACE appliance uses the concept of sticky groups to configure stickiness. A sticky group allows you
to specify sticky attributes. After you configure a sticky group and its attributes, you associate the sticky
group with a Layer 7 policy-map action in a Layer 7 SLB policy map. You can create a maximum of 4096
sticky groups in each context. Each sticky group that you configure on the ACE appliance contains a
series of parameters that determine:
• Sticky method
• Timeout
• Replication
• Cookie offset and other cookie-related attributes
• HTTP header offset and other header-related attributes
Related Topics
• Configuring Sticky Groups, page 5-7
• Sticky Types, page 5-3
• Sticky Table, page 5-7
Sticky Table
To keep track of sticky connections, the ACE appliance uses a sticky table. Table entries include the
following items:
• Sticky groups
• Sticky methods
• Sticky connections
• Real servers
The sticky table can hold a maximum of four million entries (four million simultaneous users). When
the table reaches the maximum number of entries, additional sticky connections cause the table to wrap
and the first users become unstuck from their respective servers.
The ACE appliance uses a configurable timeout mechanism to age out sticky table entries. When an entry
times out, it becomes eligible for reuse. High connection rates may cause the premature aging out of
sticky entries. In this case, the ACE appliance reuses the entries that are closest to expiration first.
Sticky entries can be either dynamic (generated by the ACE appliance on-the-fly) or static
(user-configured). When you create a static sticky entry, the ACE appliance places the entry in the sticky
table immediately. Static entries remain in the sticky database until you remove them from the
configuration. You can create a maximum of 4096 static sticky entries in each context.
If the ACE appliance takes a real server out of service for whatever reason (probe failure, no inservice
command, or ARP timeout), the ACE appliance removes from the database any sticky entries that are
related to that server.
Related Topics
• Configuring Sticky Groups, page 5-7
• Sticky Types, page 5-3
• Sticky Table, page 5-7
Configuring Sticky Groups
Stickiness (or session persistence) is a feature that allows the same client to maintain multiple
simultaneous or subsequent TCP connections with the same real server for the duration of a session. A
session, as used here, is defined as a series of transactions between a client and a server over some finite
period of time (from several minutes to several hours). This feature is particularly useful for e-commerce
applications where a client needs to maintain multiple TCP connections with the same server while
shopping online, especially while building a shopping cart and during the checkout process.
E-commerce applications are not the only types of applications that require stickiness. Any Web
application that maintains client information may require stickiness, such as banking applications or
online trading. Other uses include FTP and HTTP file transfers.
The ACE appliance uses the concept of sticky groups to configure stickiness. A sticky group allows you
to specify sticky attributes. After you configure a sticky group and its attributes, you associate the sticky
group with a Layer 7 policy-map action in a Layer 7 SLB policy map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Stickiness. The Sticky Groups table
appears.
Step 2
Click Add to add a new sticky group, or select an existing sticky group you want to modify, then click
Edit.
Step 3
Enter the sticky group attributes (see Table 5-1).
Table 5-1
Sticky Group Attributes
Field
Description
Group Name
The sticky group identifier. Valid entries are unquoted text strings with no spaces and a maximum
of 64 alphanumeric characters.
Type
The method to be used when establishing sticky connections:
• HTTP Content—The ACE sticks client connections to the same real server based on a string
in the data portion of the HTTP packet. See Table 5-2 for additional configuration options.
• HTTP Cookie—Indicates that the ACE appliance is either to learn a cookie from the HTTP
header of a client request or to insert a cookie in the Set-Cookie header of the response from
the server to the client, and then use the learned cookie to provide stickiness between the client
and server for the duration of the transaction.
• HTTP Header—Indicates that the ACE appliance is to stick client connections to the same real
server based on HTTP headers.
• IP Netmask—Indicates that the ACE appliance is to stick a client to the same server for
multiple subsequent connections as needed to complete a transaction using the client source
IP address, the destination IP address, or both.
Note
If an organization uses a megaproxy to load balance client requests across multiple proxy
servers when a client connects to the Internet, the source IP address is no longer a reliable
indicator of the true source of the request. In this situation, you can use cookies or another
sticky method to ensure session persistence.
• Layer 4 Payload—The ACE sticks client connections to the same real server based on a string
in the payload portion of the Layer 4 protocol packet. See Table 5-6 for additional
configuration options.
• RADIUS—The ACE sticks client connections to the same real server based on a RADIUS
attribute. See Table 5-7 for additional configuration options.
• RTSP Header—The ACE sticks client connections to the same real server based on the RTSP
Session header field. See Table 5-8 for additional configuration options.
• SIP Header—The ACE sticks client connections to the same real server based on the SIP
Call-ID header field.
Cookie Name
This option appears for sticky type HTTP Cookie.
Enter a unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and
a maximum of 64 alphanumeric characters.
Enable Insert
This option appears only for sticky type HTTP Cookie.
Check this check box if the ACE appliance is to insert a cookie in the Set-Cookie header of the
response from the server to the client. This option is useful when you want to use a session cookie
for persistence but the server is not currently setting the appropriate cookie. When selected, the
ACE appliance selects a cookie value that identifies the original server from which the client
received a response. For subsequent connections of the same transaction, the client uses the cookie
to stick to the same server.
Clear this check box to disable cookie insertion.
Browser Expire
This option appears for sticky type HTTP Cookie when you select Enable Insert.
Check this check box to allow the client's browser to expire a cookie when the session ends. Clear
this check box to disable browser expire.
Offset (Bytes)
This option appears for sticky types HTTP Cookie and HTTP Header.
Enter the number of bytes the ACE appliance is to ignore starting with the first byte of the cookie.
Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the ACE
appliance does not exclude any portion of the cookie.
Length (Bytes)
This option appears for sticky types HTTP Cookie and HTTP Header.
Enter the length of the portion of the cookie (starting with the byte after the offset value) that the
ACE appliance is to use for sticking the client to the server. Valid entries are integers from 1 to
1000.
Secondary Name
This option appears only for sticky type HTTP Cookie.
Enter an alternate cookie name that is to appear in the URL string of the Web page on the server.
The ACE appliance uses this cookie to maintain a sticky connection between a client and a server
and adds a secondary entry in the sticky table. Valid entries are unquoted text strings with no
spaces and a maximum of 64 characters.
Header Name
This option appears for sticky type HTTP Header.
Select the HTTP header to use for sticking client connections.
Netmask
This option appears only for sticky type IP Netmask.
Select the netmask to apply to the source IP address, the destination IP address, or both.
Address Type
This option appears only for sticky type IP Netmask.
Indicate whether this sticky type is to be applied to the client source IP address, the destination IP
address, or both:
• Both—Indicates that this sticky type is to be applied to both the source IP address and the
destination IP address.
• Destination—Indicates that this sticky type is to be applied to the destination IP address only.
• Source—Indicates that this sticky type is to be applied to the source IP address only.
Sticky Server Farm
Select a server farm you want to associate with this sticky group.
Backup Server Farm
Select a backup server farm to be associated with this sticky group. If the primary server farm is
down, the ACE appliance uses the backup server farm.
Aggregate State
This field appears when a server farm and backup server farm are selected.
Check this check box to indicate that the state of the backup server farm is tied to the virtual server
state. Clear this check box if the backup server farm is not tied to the virtual server state.
Sticky Enabled on Backup Server Farm
This field appears when a server farm and backup server farm are selected.
Check this check box to indicate that the backup server farm is sticky. Clear this check box if the
backup server farm is not sticky.
Replicate on HA Peer
Check this check box to indicate that the ACE appliance is to replicate sticky table entries on the
standby ACE appliance. If a failover occurs and this option is selected, the new active ACE
appliance can maintain the existing sticky connections.
Clear this check box to indicate that the ACE appliance is not to replicate sticky table entries on
the standby ACE appliance.
Timeout (Minutes)
Enter the number of minutes that the ACE appliance keeps the sticky information for a client
connection in the sticky table after the latest client connection terminates. Valid entries are integers
from 1 to 65535; the default is 1440 minutes (24 hours).
Timeout Active Connections
Check this check box to specify that the ACE appliance is to time out sticky table entries even if
active connections exist after the sticky timer expires.
Clear this check box to specify that the ACE appliance is not to time out sticky table entries even
if active connections exist after the sticky timer expires. This is the default behavior.
Step 4
Click:
• Deploy Now to deploy this configuration on the ACE appliance. To configure sticky statics, see
Configuring Sticky Statics, page 5-15.
• Cancel to exit the procedure without saving your entries and to return to the Sticky Groups table.
• Next to save your entries and to configure another sticky group.
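The sticky table behaviour described in the overview (dynamic cookie learning with an offset and length, the sticky timeout, Timeout Active Connections, reuse of the entry closest to expiration when the table is full, static entries, and purging when a real server goes out of service), as an added example that is not ACE code. Assumptions: a tiny capacity stands in for the four-million-entry table, the caller supplies the clock and the active-connection count, and the ACE's internal table layout is not on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


def learn_cookie_value(cookie_header: str, name: str, offset: int = 0,
                       length: Optional[int] = None) -> Optional[str]:
    """Dynamic cookie learning from a Cookie request header: find cookie `name`,
    skip `offset` bytes of its value, then keep `length` bytes (the whole
    remainder when no length is set). Returns None if nothing can be learned."""
    if not 0 <= offset <= 999:
        raise ValueError("offset must be an integer from 0 to 999")
    if length is not None and not 1 <= length <= 1000:
        raise ValueError("length must be an integer from 1 to 1000")
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            portion = value[offset:] if length is None else value[offset:offset + length]
            return portion or None
    return None


@dataclass
class StickyEntry:
    real_server: str
    expires_at: float      # seconds on the caller's clock
    static: bool = False   # static entries never age out


@dataclass
class StickyGroup:
    name: str
    timeout_minutes: int = 1440               # default: 24 hours
    timeout_active_connections: bool = False  # default: keep entries that still have connections
    capacity: int = 4                         # stand-in for the four-million-entry limit
    table: Dict[str, StickyEntry] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 1 <= self.timeout_minutes <= 65535:
            raise ValueError("timeout must be an integer from 1 to 65535 minutes")

    def _expiry(self, now: float) -> float:
        return now + self.timeout_minutes * 60

    def lookup(self, key: str, now: float, active_connections: int = 0) -> Optional[str]:
        """Server the client is stuck to, or None so that normal load balancing
        applies. A dynamic entry past its timeout is removed unless connections
        are still active and Timeout Active Connections is clear."""
        entry = self.table.get(key)
        if entry is None:
            return None
        expired = not entry.static and now >= entry.expires_at
        if expired and (active_connections == 0 or self.timeout_active_connections):
            del self.table[key]
            return None
        if not entry.static:
            entry.expires_at = self._expiry(now)   # a new client connection restarts the timer
        return entry.real_server

    def stick(self, key: str, real_server: str, now: float, static: bool = False) -> None:
        """Add an entry. When the table is full, the dynamic entry closest to
        expiration is reused first, as the text describes."""
        if key not in self.table and len(self.table) >= self.capacity:
            victim = min((k for k, e in self.table.items() if not e.static),
                         key=lambda k: self.table[k].expires_at, default=None)
            if victim is None:
                raise RuntimeError("sticky table is full of static entries")
            del self.table[victim]
        self.table[key] = StickyEntry(real_server, self._expiry(now), static)

    def server_out_of_service(self, real_server: str) -> int:
        """Drop every entry for a server taken out of service; returns the count."""
        doomed = [k for k, e in self.table.items() if e.real_server == real_server]
        for k in doomed:
            del self.table[k]
        return len(doomed)
```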
Related Topics
• Configuring Sticky Statics, page 5-15
• Configuring Virtual Context Class Maps, page 10-8
• Configuring Virtual Context Policy Maps, page 10-33
• Configuring Real Servers, page 4-4
• Configuring Server Farms, page 4-11
Sticky Group Attribute Tables
Refer to the following topics for sticky group type-specific attributes:
• HTTP Content Sticky Group Attributes, page 5-11
• HTTP Cookie Sticky Group Attributes, page 5-12
• HTTP Header Sticky Group Attributes, page 5-12
• IP Netmask Sticky Group Attributes, page 5-13
• Layer 4 Payload Sticky Group Attributes, page 5-13
• RADIUS Sticky Group Attributes, page 5-14
• RTSP Header Sticky Group Attributes, page 5-14
HTTP Content Sticky Group Attributes
Table 5-2
HTTP Content Sticky Group Attributes
Field
Description
HTTP Content
HTTP content may change over time with only a portion remaining constant
throughout a transaction between the client and a server.
Check the check box to configure the ACE to use the constant portion of
HTTP content to make persistent connections to a specific server. Clear the
check box to identify specific content for stickiness in the Offset, Length,
Begin Pattern, and End Pattern fields.
Offset (Bytes)
Enter the number of bytes the virtual server is to ignore starting with the first
byte of the cookie. Valid entries are integers from 0 to 999. The default is 0
(zero), which indicates that the virtual server does not exclude any portion
of the cookie.
Length (Bytes)
Enter the length of the portion of the cookie (starting with the byte after the
offset value) that the ACE is to use for sticking the client to the server. Valid
entries are integers from 1 to 1000.
Begin Pattern
Enter the beginning pattern of the HTTP content payload and the pattern
string to match before hashing. If you do not specify a beginning pattern, the
ACE begins parsing immediately after the offset byte. You cannot configure
different beginning and ending patterns for different server farms that are
part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. You can enter a text string with spaces provided
that you enclose the entire string in quotation marks ("). The ACE supports
regular expressions for matching string expressions. Table 10-31 lists the
supported characters that you can use for matching string expressions.
End Pattern
Enter the pattern that marks the end of hashing. If you do not specify an end
pattern or a length, the ACE continues to parse the data until it reaches the
end of the field or packet, or until it reaches the maximum body parse length.
You cannot configure different beginning and ending patterns for different
server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. You can enter a text string with spaces provided
that you enclose the entire string in quotation marks ("). The ACE supports
regular expressions for matching string expressions. Table 10-31 lists the
supported characters that you can use for matching string expressions.
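How the Offset, Length, Begin Pattern and End Pattern settings of Table 5-2 select the bytes a client is stuck on, as an added example that is not ACE code; the same extraction serves Layer 4 payload stickiness, which the overview describes with the same four settings. Assumptions: the sample request body is constructed, the maximum body parse length is a placeholder value, and SHA-256 stands in for the ACE's undocumented hash.

```python
import hashlib
import re
from typing import List, Optional

MAX_BODY_PARSE_LENGTH = 4096   # assumption: the real limit is a separate parameter-map setting


def sticky_key(payload: bytes, offset: int = 0, length: Optional[int] = None,
               begin_pattern: Optional[bytes] = None,
               end_pattern: Optional[bytes] = None) -> Optional[bytes]:
    """Select the bytes a client is stuck on. Parsing skips `offset` bytes,
    starts after the begin pattern (or immediately after the offset when none
    is set) and stops at the end pattern, after `length` bytes, or at the end
    of the data / maximum body parse length, whichever comes first. Returns
    None when a configured begin pattern is absent: no key, so normal load
    balancing applies."""
    if not 0 <= offset <= 999:
        raise ValueError("offset must be an integer from 0 to 999")
    if length is not None and not 1 <= length <= 1000:
        raise ValueError("length must be an integer from 1 to 1000")
    data = payload[offset:offset + MAX_BODY_PARSE_LENGTH]
    start = 0
    if begin_pattern:
        match = re.search(begin_pattern, data)   # patterns may be regular expressions
        if match is None:
            return None
        start = match.end()
    end = len(data)
    if end_pattern:
        match = re.search(end_pattern, data[start:])
        if match is not None:
            end = start + match.start()
    if length is not None:
        end = min(end, start + length)
    return data[start:end]


def hash_to_server(key: bytes, servers: List[str]) -> str:
    """Map a sticky key to a real server. The ACE's hash is not documented on
    this page; SHA-256 stands in, the point being that the same key always
    lands on the same server as long as the farm is unchanged."""
    digest = hashlib.sha256(key).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


# Constructed sample request with a session token in the form data.
SAMPLE_PAYLOAD = (b"POST /cart HTTP/1.1\r\nHost: shop.example\r\n\r\n"
                  b"user=alice&session=XYZ123&item=42")

if __name__ == "__main__":
    key = sticky_key(SAMPLE_PAYLOAD, begin_pattern=rb"session=", end_pattern=rb"&")
    print(key, hash_to_server(key, ["rs1", "rs2", "rs3"]))
```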
HTTP Cookie Sticky Group Attributes
Table 5-3 HTTP Cookie Sticky Group Attributes
Cookie Name: Enter a unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Enable Insert: Check the check box if the virtual server is to insert a cookie in the Set-Cookie header of the response from the server to the client. This option is useful when you want to use a session cookie for persistence but the server is not currently setting the appropriate cookie. When selected, the virtual server selects a cookie value that identifies the original server from which the client received a response. For subsequent connections of the same transaction, the client uses the cookie to stick to the same server. Clear the check box to disable cookie insertion.
Browser Expire: This option appears when the sticky type is HTTP Cookie and you select Enable Insert. Check this check box to allow the client's browser to expire a cookie when the session ends. Clear this check box to disable browser expire.
Offset (Bytes): Enter the number of bytes the virtual server is to ignore starting with the first byte of the cookie. Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the cookie.
Length (Bytes): Enter the length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to use for sticking the client to the server. Valid entries are integers from 1 to 1000.
Secondary Name: Enter an alternate cookie name that is to appear in the URL string of the Web page on the server. The virtual server uses this cookie to maintain a sticky connection between a client and a server and adds a secondary entry in the sticky table. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
HTTP Header Sticky Group Attributes
Table 5-4 HTTP Header Sticky Group Attributes
Header Name: Select the HTTP header to use for sticking client connections.
Offset (Bytes): Enter the number of bytes the virtual server is to ignore starting with the first byte of the cookie. Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the cookie.
Length (Bytes): Enter the length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to use for sticking the client to the server. Valid entries are integers from 1 to 1000.
IP Netmask Sticky Group Attributes
Table 5-5 IP Netmask Sticky Group Attributes
Netmask: Select the netmask to apply to the source IP address, destination IP address, or both.
Address Type: Indicate whether this sticky type is to be applied to the client source IP address, the destination IP address, or both:
• Both—The sticky type is to be applied to both the source IP address and the destination IP address.
• Destination—The sticky type is to be applied to the destination IP address only.
• Source—The sticky type is to be applied to the source IP address only.
Layer 4 Payload Sticky Group Attributes
Table 5-6 Layer 4 Payload Sticky Group Attributes
Offset (Bytes): Enter the number of bytes the virtual server is to ignore starting with the first byte of the cookie. Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the cookie.
Length (Bytes): Enter the length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to use for sticking the client to the server. Valid entries are integers from 1 to 1000.
Begin Pattern: Enter the beginning pattern of the Layer 4 payload and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE begins parsing immediately after the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. You can enter a text string with spaces provided that you enclose the entire string in quotation marks ("). The ACE supports regular expressions for matching string expressions. Table 10-31 lists the supported characters that you can use for matching string expressions.
End Pattern: Enter the pattern that marks the end of hashing. If you do not specify an end pattern or a length, the ACE continues to parse the data until it reaches the end of the field or packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. You can enter a text string with spaces provided that you enclose the entire string in quotation marks ("). The ACE supports regular expressions for matching string expressions. Table 10-31 lists the supported characters that you can use for matching string expressions.
Enable Sticky For Response: Check the check box to enable the ACE to parse server responses and perform sticky learning. The ACE uses a hash of the server response bytes to populate the sticky database. The next time that the ACE receives a client request with those same bytes, it sticks the client to the same server. Clear the check box to reset the behavior of the ACE to the default of not parsing server responses and performing sticky learning.
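As an added example (not ACE code) of the Offset/Length, Begin Pattern/End Pattern and Enable Sticky For Response semantics described in Tables 5-3, 5-4, 5-6 and 5-8, the Python below extracts the sticky bytes the way those fields describe and keeps a small sticky table that learns from server responses. Python regexes over bytes, the 4096-byte maximum body parse length, the SHA-256 key, the assumption that a begin pattern is searched for after the offset, the round-robin fallback and the sample traffic are all assumptions of this example.

```python
"""Sticky-key extraction modelled on the ACE sticky-group fields on this page.
Added example, not ACE code; patterns are Python regexes over bytes."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_BODY_PARSE_LENGTH = 4096  # assumed default; on the ACE this comes from the parameter map


def cookie_sticky_key(cookie_value: str, offset: int = 0,
                      length: Optional[int] = None) -> str:
    """Offset (Bytes) / Length (Bytes) of Tables 5-3, 5-4 and 5-8: ignore `offset`
    bytes (0..999) from the first byte, then use `length` bytes (1..1000)."""
    if not 0 <= offset <= 999:
        raise ValueError("offset must be 0..999")
    if length is not None and not 1 <= length <= 1000:
        raise ValueError("length must be 1..1000")
    data = cookie_value.encode()[offset:]
    if length is not None:
        data = data[:length]
    return data.decode(errors="replace")


def l4_payload_sticky_bytes(payload: bytes, offset: int = 0,
                            length: Optional[int] = None,
                            begin_pattern: Optional[bytes] = None,
                            end_pattern: Optional[bytes] = None,
                            max_parse: int = MAX_BODY_PARSE_LENGTH) -> Optional[bytes]:
    """Table 5-6: without a begin pattern, parsing starts right after the offset byte;
    with one, hashing starts after the first match (assumption: the pattern is searched
    for after the offset). Parsing stops at the end pattern, after `length` bytes,
    at the end of the payload, or at the maximum body parse length, whichever is first."""
    window = payload[:max_parse]          # bytes beyond max_parse are never examined
    start = offset
    if begin_pattern is not None:
        m = re.search(begin_pattern, window[offset:], re.DOTALL)
        if m is None:
            return None                   # no match: nothing to hash, no stickiness
        start = offset + m.end()
    end = len(window)
    if end_pattern is not None:
        m = re.search(end_pattern, window[start:], re.DOTALL)
        if m is not None:
            end = start + m.start()
    if length is not None:
        end = min(end, start + length)
    chunk = window[start:end]
    return chunk or None


@dataclass
class StickyTable:
    """Sticky database keyed by a hash of the extracted bytes."""
    servers: List[str]
    entries: Dict[str, str] = field(default_factory=dict)
    next_rr: int = 0

    @staticmethod
    def key(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()[:16]   # assumed hash, not the ACE's

    def select(self, data: bytes) -> str:
        """Client request: reuse the learned server, else load-balance and remember."""
        k = self.key(data)
        server = self.entries.get(k)
        if server is None:
            server = self.servers[self.next_rr % len(self.servers)]
            self.next_rr += 1
            self.entries[k] = server
        return server

    def learn_from_response(self, data: bytes, server: str) -> None:
        """Enable Sticky For Response: a hash of the server response bytes populates
        the table so the next request carrying the same bytes sticks to that server."""
        self.entries[self.key(data)] = server


def demo() -> List[str]:
    """Constructed traffic: rs2 answers with a session token; the client echoes it."""
    table = StickyTable(["rs1", "rs2"])
    response = b"200 OK\r\nSESSION=abc123;expires=soon\r\n"
    token = l4_payload_sticky_bytes(response, begin_pattern=b"SESSION=", end_pattern=b";")
    table.learn_from_response(token, "rs2")
    request = b"GET /cart SESSION=abc123;"
    first = table.select(l4_payload_sticky_bytes(request, begin_pattern=b"SESSION=",
                                                 end_pattern=b";"))
    other = table.select(b"no-session-here")   # unknown bytes: round robin picks rs1
    return [first, other]
```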
RADIUS Sticky Group Attributes
Table 5-7 RADIUS Sticky Group Attributes
RADIUS Types: Select the RADIUS attribute to use for sticking client connections:
• N/A—This option is not configured.
• RADIUS Calling ID—Stickiness is based on the RADIUS framed IP attribute and the calling station ID attribute.
• RADIUS User Name—Stickiness is based on the RADIUS framed IP attribute and the username attribute.
RTSP Header Sticky Group Attributes
Table 5-8 RTSP Header Sticky Group Attributes
Offset (Bytes): Enter the number of bytes the virtual server is to ignore starting with the first byte of the cookie. Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the cookie.
Length (Bytes): Enter the length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to use for sticking the client to the server. Valid entries are integers from 1 to 1000.
Viewing All Sticky Groups by Context
Use this procedure to view all sticky groups associated with a virtual context.
Procedure
Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2 Select the virtual context with the sticky groups you want to view, then select Load Balancing > Stickiness. The Sticky Groups table appears, listing the sticky groups associated with the selected context.
Related Topics
• Configuring Sticky Groups, page 5-7
• Configuring Sticky Statics, page 5-15
Configuring Sticky Statics
Use this procedure to configure sticky statics.
Assumption
A sticky group has been configured. See Configuring Sticky Groups, page 5-7 for more information.
Procedure
Step 1 Select Config > Virtual Contexts > context > Load Balancing > Stickiness. The Sticky Groups table appears.
Step 2 Select the sticky group you want to configure for sticky statics, then select the Sticky Statics tab. If you do not see the Sticky Statics tab beneath the Sticky Groups table, click the Switch between Configure and Browse Modes button.
Step 3 Click Add to add a new entry to the table, or select an existing entry, then click Edit to modify it. The Sticky Statics configuration screen appears.
Step 4 In the Sequence Number field, either accept the automatically incremented number for this entry or enter a new sequence number. The sequence number indicates the order in which multiple sticky static configurations are applied.
Step 5 In the Type field, confirm that the correct sticky group type is selected. If you select multiple sticky groups and are creating a new static sticky entry, select the sticky group type to use as shown in Table 5-9.
Table 5-9 Sticky Group Types
HTTP Content: Indicates that the ACE appliance is to stick a client to a server based on the content of an HTTP packet. You can specify a beginning pattern and ending pattern, the number of bytes to parse, and an offset that specifies how many bytes to ignore from the beginning of the data.
HTTP Cookie: Indicates that the ACE appliance is either to learn a cookie from the HTTP header of a client request or to insert a cookie in the Set-Cookie header of the response from the server to the client, and then use the learned cookie to provide stickiness between the client and server for the duration of the transaction.
HTTP Header: Indicates that the ACE appliance is to stick client connections to the same real server based on HTTP headers.
IP Netmask: Indicates that the ACE appliance is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IP address, the destination IP address, or both.
Note: If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence.
Layer 4 Payload: Indicates that the ACE appliance is to stick a client to a server based on the data in Layer 4 frames. You can specify a beginning pattern and ending pattern, the number of bytes to parse, and an offset that specifies how many bytes to ignore from the beginning of the data.
RADIUS: Indicates that the ACE appliance is to stick client connections based on the following RADIUS attributes: Calling station ID or Username.
RTSP Header: Indicates that the ACE appliance is to stick client connections based on information in the RTSP session header. With RTSP header stickiness, you can specify a header offset to provide stickiness based on a unique portion of the RTSP header.
SIP Header: Indicates that the ACE appliance is to stick client connections based on the SIP Call-ID header field. SIP header stickiness requires the entire SIP header, so you cannot specify an offset.
Step 6 If you select HTTP Cookie, HTTP Header, HTTP Content, Layer 4 Payload, RTSP Header, or SIP Header for the sticky type, enter the cookie string value in the Static Value field. Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters. If the string includes spaces, enclose the string with quotes.
Step 7 If you select IP Netmask for the sticky type:
a. In the Static Source field, enter the source IP address of the client.
b. In the Static Destination field, enter the destination IP address of the client.
Step 8 In the Named Real Server field, select the real server to associate with this static sticky entry.
Step 9 In the Port field, enter the port number of the real server. Valid entries are integers from 1 to 65535.
Step 10 Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries and to return to the Sticky Statics table.
• Next to save your entries and to configure another sticky static entry.
Related Topic
Configuring Sticky Groups, page 5-7
Chapter 6 Configuring Parameter Maps
Parameter maps provide a means of performing actions on traffic received by the ACE, based on certain
criteria such as protocol or connection attributes. After you configure a parameter map, you associate it
with a policy map to implement configured behavior.
Table 6-1 describes the parameter maps you can configure using the ACE.
Table 6-1 Parameter Map Types
Connection: Connection parameter maps combine all IP and TCP connection-related behaviors pertaining to:
• TCP normalization, termination, and server reuse
• IP normalization, fragmentation, and reassembly
DNS: Domain Name System (DNS) parameter maps configure DNS actions for DNS packet inspection.
Generic: Generic parameter maps combine related generic protocol actions for server load-balancing connections.
HTTP: HTTP parameter maps configure ACE behavior for HTTP load-balanced connections.
Optimization: Optimization parameter maps specify optimization-related commands that pertain to application acceleration and optimization functions performed by the ACE.
RTSP: RTSP parameter maps configure advanced RTSP behavior for server load-balancing connections.
SIP: Session Initiation Protocol (SIP) parameter maps configure SIP deep packet inspection on the ACE.
Skinny: Skinny Client Control Protocol (SCCP) parameter maps configure SCCP packet inspection on the ACE.
Note: When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names with an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not support, you may not be able to configure the ACE using DM.
Related Topics
• Configuring Connection Parameter Maps, page 6-2
• Configuring DNS Parameter Maps, page 6-22
• Configuring Generic Parameter Maps, page 6-7
• Configuring HTTP Parameter Maps, page 6-8
• Configuring Optimization Parameter Maps, page 6-11
• Configuring RTSP Parameter Maps, page 6-18
• Configuring SIP Parameter Maps, page 6-19
• Configuring Skinny Parameter Maps, page 6-21
• Configuring Traffic Policies, page 10-1
• Configuring Parameter Maps, page 6-1
• Configuring Virtual Contexts, page 2-1
Configuring Connection Parameter Maps
Connection parameter maps combine all IP and TCP connection-related behaviors pertaining to:
• TCP normalization, termination, and server reuse
• IP normalization, fragmentation, and reassembly
Use this procedure to configure a Connection parameter map for use with a Layer 3/Layer 4 policy map.
Procedure
Step 1 Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > Connection Parameter Maps. The Connection Parameter Maps table appears.
Step 2 Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify it. The Connection Parameter Maps configuration screen appears.
Step 3 In the Parameter Name field, enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4 Enter the information in Table 6-2. Click More Settings to access the additional Connection Parameter Map configuration attributes. By default, ACE appliance Device Manager hides the default Connection Parameter Map configuration attributes and the attributes which are not commonly used.
Table 6-2 Connection Parameter Map Attributes
Parameter Name: Enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Description: Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Enter double quotes as matching pairs.
Inactivity Timeout (Seconds): Enter the number of seconds that the ACE is to wait before disconnecting idle connections. Valid entries are integers from 0 to 3217203. A value of 0 indicates that ACE is never to time out a TCP connection.
More Settings
Exceeds MSS: Indicate how the ACE is to handle segments that exceed the maximum segment size (MSS):
• Allow—The ACE is to permit segments that exceed the configured MSS.
• Drop—The ACE is to discard segments that exceed the configured MSS.
Max. Connection Limit: Enter the maximum number of concurrent connections to allow for the parameter map. Valid entries are integers from 0 to 4000000.
Nagle: The Nagle algorithm instructs a sender to buffer any data to be sent until all outstanding data has been acknowledged or until there is a full segment of data to send. Enabling the Nagle algorithm increases throughput, but it can increase latency in your TCP connection. Check the check box to enable the Nagle algorithm. Clear the check box to disable the Nagle algorithm.
Note: Disable the Nagle algorithm when you observe unacceptable delays in TCP connections.
Random Sequence Number: Randomizing TCP sequence numbers adds a measure of security to TCP connections by making it more difficult for a hacker to guess or predict the next sequence number in a TCP connection. Check the check box to enable the use of random TCP sequence numbers. Clear the check box to disable the use of random TCP sequence numbers. This option is enabled by default.
Bandwidth Rate Limit: Enter the bandwidth-rate limit in bytes per second for the parameter map. Valid entries are integers from 0 to 300000000 bytes.
Connection Rate Limit: Enter the connection-rate limit in connections per second. Valid entries are integers from 0 to 350000.
Reserved Bits: Indicate how the ACE is to handle segments with the reserved bits set in the TCP header:
• Allow—Segments with the reserved bits are to be permitted.
• Drop—Segments with the reserved bits are to be discarded.
• Clear—Reserved bits in TCP headers are to be cleared and segments are to be allowed.
Type-of-Service IP Header: The type of service for an IP packet determines how the network handles the packet and balances its precedence, throughput, delay, reliability, and cost. Enter the type-of-service value to be applied to IP packets. Valid entries are integers from 0 to 255. For more information about type of service, refer to RFCs 791, 1122, 1349, and 3168.
ACK Delay Time (Milliseconds): Enter the number of milliseconds that the ACE is to wait before sending an acknowledgement from a client to a server. Valid entries are integers from 0 to 400.
TCP Buffer Share (Bytes): To improve throughput and overall performance, the ACE buffers the number of bytes you specify before processing received data or transmitting data. Use this option to increase the default buffer size and thereby realize improved network performance. Enter the maximum size of the TCP buffer in bytes. Valid entries are integers from 8192 to 262143 bytes. Default is 32768.
Note: If you enter a value in this field for an ACE device that does not support this option, an error message appears. Leave this field blank when creating or modifying a connection parameter map for devices that do not support this option.
Smallest TCP MSS (Bytes): Enter the size of the smallest segment of TCP data that the ACE is to accept. Valid entries are integers from 0 to 65535 bytes. The value 0 indicates that the ACE is not to set a minimum limit.
Largest TCP MSS (Bytes): Enter the size of the largest segment of TCP data that the ACE is to accept. Valid entries are integers from 0 to 65535 bytes. The value 0 indicates that the ACE is not to set a maximum limit.
SYN Retries: Enter the number of attempts that the ACE is to make to transmit a TCP segment when initiating a Layer 7 connection. Valid entries are integers from 1 to 15 with a default of 4.
TCP WAN Optimization RTT: This option specifies how the ACE is to apply TCP optimizations to packets on a connection associated with a Layer 7 policy map using a round-trip time (RTT) value:
• An entry of 0 (zero) indicates that the ACE is to apply TCP optimizations to packets for the life of a connection.
• An entry of 65535 (the default) indicates that the ACE is to perform normal operations (that is, without optimizations) for the life of a connection.
• Entries from 1 to 65534 indicate that the ACE is to use the following guidelines:
– If the actual client RTT is less than the configured RTT, the ACE performs normal operations for the life of the connection.
– If the actual client RTT is greater than or equal to the configured RTT, the ACE performs TCP optimizations on the packets for the life of a connection.
Valid entries are integers from 0 to 65535.
Timeout For Embryonic Connections (Seconds): An embryonic connection is a TCP three-way handshake for a connection that does not complete for some reason. Enter the number of seconds that the ACE is to wait before timing out an embryonic connection. Valid entries are integers from 0 to 4294967295 with a default of 5. A value of 0 indicates that the ACE is never to time out an embryonic connection.
Half Closed Timeout (Seconds): A half-closed connection is one in which the client or server sends a FIN and the server or client acknowledges the FIN without sending a FIN itself. Enter the number of seconds the ACE is to wait before closing a half-closed connection. Valid entries are integers from 0 to 4294967295 with a default of 3600 (1 hour). A value of 0 indicates that the ACE is never to time out a half-closed connection.
Slow Start Algorithm: When enabled, the slow start algorithm increases TCP window size as ACK handshakes arrive so that new segments are injected into the network at the rate at which acknowledgements are returned by the host at the other end of the connection. Check this check box to enable the slow start algorithm, and clear this check box to disable the slow start algorithm. This option is disabled by default.
SYN Segments With Data: Indicate how the ACE is to handle TCP SYN segments that contain data:
• Allow—The ACE is to permit SYN segments that contain data and mark them for processing.
• Drop—The ACE is to discard SYN segments that contain data.
Urgent Pointer Policy: Urgent data, as indicated by a control bit in the TCP header, indicates that urgent data is to be processed as soon as possible, even before normal data. Indicate how the ACE is to handle urgent data as identified by the Urgent data control bit:
• Allow—The ACE is to permit the status of the Urgent control bit.
• Clear—The ACE is to set the Urgent control bit to 0 (zero) and thereby invalidate the Urgent Pointer which provides segment information.
TCP Window Scale Factor: The TCP window scaling extension expands the definition of the TCP window to 32 bits and uses a scale factor to carry the 32-bit value in the 16-bit window of the TCP header. Increasing the window size improves TCP performance in network paths with large bandwidth, long-delay characteristics. Enter the window scale factor in this field. Valid entries are integers from 0 to 14 (the maximum scale factor). For more information on TCP window scaling, refer to RFC 1323.
Action For TCP Options Range: Indicate how the ACE is to handle TCP options in the configured option range by selecting one of the options:
• N/A—This option is not set.
• Allow—The ACE is to allow any segment with the specified option set.
• Drop—The ACE is to discard any segment with the specified option set.
The Selective ACK, Timestamps, and Action For TCP Window Scale Factor options are configured in their own fields, described below.
Lower TCP Options: Appears if you select Allow or Drop for the Action For TCP Options Range. Enter the lower limit of the TCP option range. Valid entries are 6, 7, or an integer from 9 to 255. See Table 6-3 for information on TCP options.
Upper TCP Options: Appears if you select Allow or Drop for the Action For TCP Options Range. Enter the upper limit of the TCP option range. Valid entries are 6, 7, or an integer from 9 to 255. See Table 6-3 for information on TCP options.
Selective ACK: Indicate how the ACE is to handle the selective ACK option that is specified in SYN segments:
• Allow—The ACE is to allow any segment with the specified option set.
• Clear—The ACE is to clear the specified option from any segment that has it set and allow the segment.
Timestamps: Indicate how the ACE is to handle the timestamp option that is specified in SYN segments:
• Allow—The ACE is to allow any segment with the specified option set.
• Clear—The ACE is to clear the specified option from any segment that has it set and allow the segment.
Action For TCP Window Scale Factor: Indicate how the ACE is to handle the TCP window scale factor option that is specified in SYN segments:
• Allow—The ACE is to allow any segment with the specified option set.
• Clear—The ACE is to clear the specified option from any segment that has it set and allow the segment.
• Drop—The ACE is to discard any segment with the specified option set.
Table 6-3 TCP Options for Connection Parameter Maps (1)
Kind | Length | Meaning
6 | 6 | Echo (obsoleted by option 8)
7 | 6 | Echo Reply (obsoleted by option 8)
9 | 2 | Partial Order Connection Permitted
10 | 3 | Partial Order Service Profile
11 |  | CC
12 |  | CC.NEW
13 |  | CC.ECHO
14 | 3 | TCP Alternate Checksum Request
15 | N | TCP Alternate Checksum Data
16 |  | Skeeter
17 |  | Bubba
18 | 3 | Trailer Checksum Option
19 | 18 | MD5 Signature Option
20 |  | SCPS Capabilities
21 |  | Selective Negative Acknowledgements (SNACK)
22 |  | Record Boundaries
23 |  | Corruption Experienced
24 |  | SNAP
25 |  | Unassigned (released 12/18/2000)
26 |  | TCP Compression Filter
1. For more information on TCP options, refer to the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
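As an added example (not ACE code) of how the Selective ACK, Timestamps, Action For TCP Window Scale Factor and Action For TCP Options Range fields of Table 6-2 act on the option kinds of Table 6-3, the Python below parses the TCP option field of a SYN segment and returns the allow/drop verdict and the rewritten options. Overwriting a cleared option with NOPs, dropping a malformed option field, passing through options that no field covers, and the constructed sample option blobs are assumptions of this example.

```python
"""TCP option handling modelled on the connection parameter map fields of Table 6-2
and the option kinds of Table 6-3. Added example, not ACE code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EOL, NOP, WSCALE, SACK_PERMITTED, TIMESTAMPS = 0, 1, 3, 4, 8

# Option kinds a Lower/Upper TCP Options range can cover (6, 7 or 9..255), from Table 6-3.
TABLE_6_3 = {6: "Echo", 7: "Echo Reply", 9: "Partial Order Connection Permitted",
             10: "Partial Order Service Profile", 11: "CC", 12: "CC.NEW", 13: "CC.ECHO",
             14: "TCP Alternate Checksum Request", 15: "TCP Alternate Checksum Data",
             16: "Skeeter", 17: "Bubba", 18: "Trailer Checksum Option",
             19: "MD5 Signature Option", 20: "SCPS Capabilities", 21: "SNACK",
             22: "Record Boundaries", 23: "Corruption Experienced", 24: "SNAP",
             25: "Unassigned", 26: "TCP Compression Filter"}
# Kinds handled by their own Table 6-2 fields (plus MSS, which no field covers).
WELL_KNOWN = {2: "Maximum Segment Size", WSCALE: "Window Scale",
              SACK_PERMITTED: "Selective ACK permitted", TIMESTAMPS: "Timestamps"}


def option_name(kind: int) -> str:
    return WELL_KNOWN.get(kind) or TABLE_6_3.get(kind) or f"kind {kind}"


@dataclass
class ConnectionParameterMap:
    """The option-related fields of Table 6-2 with their GUI choices."""
    selective_ack: str = "allow"                 # allow | clear
    timestamps: str = "allow"                    # allow | clear
    window_scale: str = "allow"                  # allow | clear | drop
    options_range_action: Optional[str] = None   # None (N/A) | allow | drop
    lower_tcp_option: int = 9
    upper_tcp_option: int = 255

    def __post_init__(self) -> None:
        for bound in (self.lower_tcp_option, self.upper_tcp_option):
            if bound not in (6, 7) and not 9 <= bound <= 255:
                raise ValueError("TCP option bounds must be 6, 7, or 9..255")


def parse_tcp_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Split the option field of a TCP header into (kind, data) pairs.
    EOL (0) ends the list; NOP (1) has no length byte; others are kind, len, data."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:
            break
        if kind == NOP:
            opts.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for {option_name(kind)}")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def apply_option_policy(pmap: ConnectionParameterMap,
                        raw: bytes) -> Tuple[str, bytes, List[str]]:
    """Return (verdict, rewritten option field, notes) for one SYN segment.
    Clear overwrites the option with NOPs so the header length is unchanged
    (assumption); a malformed option field is dropped outright (assumption)."""
    try:
        opts = parse_tcp_options(raw)
    except ValueError as err:
        return "drop", b"", [f"malformed options: {err}"]
    per_kind = {SACK_PERMITTED: pmap.selective_ack,
                TIMESTAMPS: pmap.timestamps,
                WSCALE: pmap.window_scale}
    out, notes = bytearray(), []
    for kind, data in opts:
        if kind == NOP:
            out.append(NOP)
            continue
        action = per_kind.get(kind)
        if (action is None and pmap.options_range_action is not None
                and pmap.lower_tcp_option <= kind <= pmap.upper_tcp_option):
            action = pmap.options_range_action
        if action == "drop":
            return "drop", b"", notes + [f"dropped: {option_name(kind)} set"]
        if action == "clear":
            out.extend(bytes([NOP]) * (len(data) + 2))
            notes.append(f"cleared: {option_name(kind)}")
        else:                                   # allow, or no field covers this kind
            out.extend(bytes([kind, len(data) + 2]) + data)
    return "allow", bytes(out), notes


# Constructed SYN option field: MSS 1460, SACK-permitted, timestamps, NOP, window scale 7.
SAMPLE_SYN_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
                      + b"\x01" + b"\x03\x03\x07")
# Constructed SYN option field carrying an MD5 Signature Option (kind 19, length 18).
SAMPLE_MD5_OPTIONS = b"\x02\x04\x05\xb4" + b"\x13\x12" + b"\x00" * 16
```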
Step 5 Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without accepting your entries and to return to the Parameter Maps table.
• Next to accept your entries and to add another parameter map.
Related Topics
• Configuring Parameter Maps, page 6-1
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Contexts, page 2-1
Configuring Generic Parameter Maps
Generic parameter maps allow you to specify nonprotocol-specific behavior for data parsing. Generic parameter maps examine the payload and make decisions regardless of the protocol.
Use this procedure to configure a generic parameter map.
Procedure
Step 1 Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > Generic Parameter Maps. The Generic Parameter Maps table appears.
Step 2 Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify it. The Generic Parameter Maps configuration screen appears.
Step 3 Configure the parameter map using the information in Table 6-4.
Table 6-4 Generic Parameter Map Attributes
Parameter Name: Enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Description: Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be entered as matching pairs.
Case-Insensitive: Check this check box to indicate that the ACE is to be case insensitive for this parameter map. Clear this check box to indicate that the ACE is to be case sensitive for this parameter map.
Max. Parse Length (Bytes): Enter the number of bytes to parse for the total length of all generic headers. Valid entries are integers from 1 to 65535 with a default of 2048 bytes.
Step 4 Click:
• Deploy Now to deploy this configuration.
• Cancel to exit this procedure without saving your entries and to return to the Generic Parameter Maps table.
• Next to deploy your entries and to configure another generic parameter map.
Related Topics
• Configuring Parameter Maps, page 6-1
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Contexts, page 2-1
Configuring HTTP Parameter Maps
Use this procedure to configure an HTTP parameter map for use with a Layer 3/Layer 4 policy map.
Procedure
Step 1 Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > HTTP Parameter Maps. The HTTP Parameter Maps table appears.
Step 2 Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify it. The HTTP Parameter Maps configuration screen appears.
Step 3 In the Parameter Name field, enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4 Enter the information in Table 6-5.
Table 6-5 HTTP Parameter Map Attributes
Description: Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be entered as matching pairs.
Case-Insensitive: Check this check box to indicate that the ACE appliance is to be case insensitive. Clear this check box to indicate that the ACE appliance is to be case sensitive. This check box is cleared by default.
Header Modify Per-Request: Check the check box to require SSL information be inserted for every HTTP GET request. Current functionality only requires that the information be inserted at the first GET request.
Exceed Max. Parse Length
Indicate how the ACE appliance is to handle cookies, HTTP headers, and URLs that
exceed the maximum parse length:
• Continue—Indicates that the ACE appliance is to continue load balancing. When this
option is selected, the HTTP Persistence Rebalance option is disabled if the total
length of all cookies, HTTP headers, and URLs exceeds the maximum parse value.
• Drop—Indicates that the ACE appliance is to stop load balancing and to discard the
packet.
HTTP Persistence Rebalance
Check this check box to enable persistence rebalance. Persistence is sometimes referred
to as a connection keepalive.
With persistence rebalance enabled, when successive GET requests result in load
balancing that chooses the same policy, the ACE sends the request to the real server used
for the last GET request. This behavior prevents the ACE from load balancing every
request and recreating the server-side connection on every GET request, producing less
overhead and better performance.
Another effect of persistence rebalance is that header insertion and cookie insertion, if
enabled, occur for every request instead of only the first request.
By default, persistence rebalance is disabled and after a connection is established the ACE
sends all further requests to the same destination. Load balancing is not involved. Clear
this check box to indicate that this option is disabled.
TCP Server Connection Reuse
Check this check box to indicate that the ACE appliance is to reduce the number of open
connections on a server by allowing connections to persist and be reused by multiple
client connections. If you enable this feature:
• Ensure that the ACE appliance maximum segment size (MSS) is the same as the
server maximum segment size.
• Configure port address translation (PAT) on the interface that is connected to the real
server.
• Configure on the ACE appliance the same TCP options that exist on the TCP server.
• Ensure that each server farm is homogeneous (all real servers within a server farm
have identical configurations).
Clear this check box to disable this option.
Content Max. Parse Length
(Bytes)
Enter the maximum number of bytes to parse in HTTP content. Valid entries are integers
from 1 to 65535, with a default of 4096.
Header Max. Parse Length
(Bytes)
Enter the maximum number of bytes to parse for the total length of cookies, HTTP
headers, and URLs. Valid entries are integers from 1 to 65535 with a default of 4096.
Secondary Cookie Delimiters
Enter the ASCII-character delimiters to be used to separate cookies in a URL string. Valid
entries are unquoted text strings with no spaces and a maximum of 4 characters. The
default delimiters are /&#+.
MIME Type To Compress
In the field on the left, enter the Multipurpose Internet Mail Extension (MIME) type to
compress, then click Add. The MIME type appears in the column on the right. To remove
or change a MIME type, select it in the column on the right, then click Remove. The
selected MIME type appears in the field on the left where you can modify or delete it.
To specify the sequence in which compression is to be applied, select MIME types in the
column on the right, then click Up or Down to arrange the MIME types.
Supported MIME Types, page 6-23 lists the supported MIME types. You can use an
asterisk (*) to indicate a wildcard, such as text/*, which would include all text MIME
types (text/html, text/plain, and so on).
User Agent Not To Compress
A user agent is a client that initiates a request. Examples of user agents include browsers,
editors, and other end-user tools. When you specify a user agent string in this field, the
ACE appliance does not compress the response to a request when the request contains the
matching user agent string.
In the field on the left, enter the user agent string to be matched, then click Add. The
string appears in the column on the right. To remove or change a user agent string, select
it in the column on the right, then click Remove. The selected string appears in the field
on the left where you can modify or delete it.
To specify the sequence in which strings are to be matched, select strings in the column
on the right, then click Up or Down to arrange the strings in the desired sequence.
Valid entries are text strings with a maximum of 64 characters.
Min. Size To Compress (Bytes)
Enter the threshold at which compression is to occur. The ACE appliance compresses files
that are the minimum size or larger. Valid entries are integers from 1 to 4096 bytes.
Step 5
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without accepting your entries and to return to the Parameter Maps
table.
• Next to accept your entries and to add another parameter map.
Related Topics
• Configuring Parameter Maps, page 6-1
• Configuring Traffic Policies, page 10-1
• Configuring Optimization Parameter Maps, page 6-11
• Configuring Virtual Contexts, page 2-1
Configuring Optimization Parameter Maps
Use this procedure to configure an Optimization parameter map for use with a Layer 3/Layer 4 policy
map.
Refer to Configuring Application Acceleration and Optimization, page 11-1 or the Cisco 4700 Series
Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide
for more information about application acceleration and optimization.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > Optimization
Parameter Maps. The Optimization Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify
it. The Optimization Parameter Maps configuration screen appears.
Step 3
In the Parameter Name field, enter a unique name for the parameter map. Valid entries are unquoted text
strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4
Configure the Optimization parameter map using the information in Table 6-6.
Table 6-6
Optimization Parameter Map Attributes
Field
Description
Description
Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric
characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be
entered as matching pairs.
Set Browser Freshness Period
Select the method that the ACE is to use to determine the freshness of objects in the client’s
browser:
• N/A—This option is not configured.
• Disable Browser Object Freshness Control—Browser freshness control is not to be used.
• Set Freshness Similar To Flash Forward Objects—The ACE is to set freshness similar to that
used for FlashForwarded objects and to use the values specified in the Maximum Time for
Cache Time-To-Live and Minimum Time for Cache Time-To-Live fields.
Duration For Browser Freshness (Seconds)
This field appears if the Set Browser Freshness Period option is not configured. Enter the number
of seconds that objects in the client’s browser are considered fresh. Valid entries are 0 to
2147483647 seconds.
Response Codes To Ignore (Comma Separated)
Enter a comma-separated list of HTTP response codes for which the response body must not be
read. For example, an entry of 302 indicates that the ACE is to ignore the response body of a 302
(redirect) response from the origin server. Valid entries are unquoted text strings with a maximum
of 64 alphanumeric characters and integers from 100 to 599, inclusive.
Appscope Optimize Rate (%)
Enter the percentage of all requests or sessions to be sampled for performance with acceleration
(or optimization) applied. All applicable optimizations for the class will be performed. Valid
entries are from 0 to 100 percent, with a default of 10 percent. The sum of this value and the value
entered in the Passthru Rate Percent field must not exceed 100.
Appscope Passthrough Rate (%)
Enter the percentage of all requests or sessions to be sampled for performance without
optimization. No optimizations for the class will be performed. Valid entries are from 0 to 100,
with a default of 10 percent. The sum of this value and the value entered in the Optimize Rate
Percent field must not exceed 100.
Max. Number for Parameter Summary Log (Bytes)
Enter the maximum number of bytes that are to be logged for each parameter value in the
parameter summary of a transaction log entry in the statistics log. If a parameter value exceeds this
limit, it is truncated at the specified limit. Valid entries are 0 to 10,000 bytes.
Max. For Post Data to Scan for Logging (KBytes)
Enter the maximum number of kilobytes of POST data the ACE is to scan for parameters for the
purpose of logging transaction parameters in the statistics log. Valid entries are 0 to 1000 KB.
String For Grouping Requests
Enter the string the ACE is to use to sort requests for AppScope reporting. The string can contain
a URL regular expression that defines a set of URLs in which URLs that differ only by their query
parameters are to be treated as separate URLs in AppScope reports.
For example, to define a string that is used to identify the URLs
http://server/catalog.asp?region=asia and http://server/catalog.asp?region=america as two
separate reporting categories, you would enter http_query_param(region).
Valid entries contain 1 to 255 characters and can contain the parameter expander functions listed
in Table 6-7.
Base File Anonymous
Level
Information that is common to a large set of users is generally not confidential or user-specific.
Conversely, information that is unique to a specific user or a small set of users is generally
confidential or user-specific. The anonymous base file feature enables the ACE to create and
deliver condensed base files that contain only information that is common to a large set of users.
No information unique to a particular user, or across a very small subset of users, is included in
anonymous base files.
Enter the value for base file anonymity for the all-user condensation method. Valid entries are
integers from 0 to 50; the default value of 0 disables the base file anonymity feature.
Cache-Key Modifier
Expression
A cache object key is a unique identifier that is used to identify a cached object to be served to a
client, replacing a trip to the origin server. The cache key modifier feature allows you to modify
the canonical form of a URL; that is, the portion before “?” in a URL. For example, the canonical
URL of “http://www.xyz.com/somepage.asp?action=browse&level=2” is
“http://www.xyz.com/somepage.asp”.
Enter a regular expression containing embedded variables as described in Table 6-7. The ACE
transforms URLs specified in class maps for this virtual server with the expression and variable
entered here.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. If the string includes spaces, enclose the string with quotation marks (“).
Min. Time For Cache
Time-To-Live
(Seconds)
Enter the minimum number of seconds that an object without an explicit expiration time should be
considered fresh in the ACE cache. This value specifies the minimum time that content can be
cached. If the ACE is configured for FlashForward optimization, this value should normally be 0.
If the ACE is configured for dynamic caching, this value should indicate how long the ACE should
cache the page. (See Table 4-17 for information about these configuration options.)
Valid entries are 0 to 2147483647 seconds.
Max. Time For Cache
Time-To-Live
(Seconds)
Enter the maximum number of seconds that an object without an explicit expiration time should
be considered fresh in the ACE cache. Valid entries are 0 to 2147483647 seconds.
Cache Time-To-Live
Duration (%)
Enter the percent of an object’s age at which an embedded object without an explicit expiration
time is considered fresh.
Valid entries are 0 to 100 percent.
Expression To Modify
Cache Key Query
Parameter
The cache parameter feature allows you to modify the query parameter of a URL; that is, the
portion after “?” in a URL. For example, the query parameter portion of
“http://www.xyz.com/somepage.asp?action=browse&level=2” is “action=browse&level=2”.
Enter a regular expression containing embedded variables as described in Table 6-7. The ACE
transforms URLs specified in class maps for this virtual server with the expression and variable
entered here. If no string is specified, the query parameter portion of the URL is used as the default
value for this portion of the cache key.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters.
Canonical URL
Expressions (Comma
Separated)
The ACE uses the canonical URL feature to eliminate the “?” and any characters that follow to
identify the general part of the URL. This general URL is then used to create the base file. In this
way, the ACE maps multiple URLs to a single canonical URL.
Enter a comma-separated list of parameter expander functions as defined in Table 6-7 to identify
the URLs to associate with this parameter map.
Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters.
Enable Cacheable
Content Optimization
This feature allows the ACE to detect content that can be cached and perform delta optimization
on it.
Check the check box to enable delta optimization of content that can be cached. Clear the check
box to disable this feature.
Enable Delta
Optimization On First
Visit To Web Page
Check the check box to enable condensation on the first visit to a Web page. Clear the check box
to disable this feature.
Min. Page Size For
Delta Optimization
(Bytes)
Enter the minimum page size, in bytes, that can be condensed. Valid entries are integers from 1 to
250000 bytes.
Max. Page Size For
Delta Optimization
(Bytes)
Enter the maximum page size, in bytes, that can be condensed. Valid entries are integers from 1 to
250000 bytes.
Set Default Client Script
Indicate the scripting language that the ACE is to recognize on condensed content pages:
• N/A—This option is not configured.
• Javascript—The default scripting language is JavaScript.
• Visual Basic Script—The default scripting language is Visual Basic.
Exclude Iframes From
Delta Optimization
Check the check box to indicate that delta optimization is not to be applied to IFrames (inline
frames). Clear the check box to indicate that delta optimization is to be applied to IFrames.
Exclude Non-ASCII
Data From Delta
Optimization
Check the check box to indicate that delta optimization is not to be applied to non-ASCII data.
Clear the check box to indicate that delta optimization is to be applied to non-ASCII data.
Exclude JavaScripts
From Delta
Optimization
Check the check box to indicate that delta optimization is not to be applied to JavaScript. Clear the
check box to indicate that delta optimization is to be applied to JavaScript.
MIME Types To Exclude From Delta Optimization
1. In the first field, enter a comma-separated list of the MIME (Multipurpose Internet Mail
Extension) type messages that are not to have delta optimization applied, such as image/Jpeg,
text/html, application/msword, or audio/mpeg. See Supported MIME Types, page 6-23 for a
list of supported MIME types.
2. Click Add to add the entry to the list box on the right. You can position the entries in the list
box by using the Up and Down buttons.
Remove HTML META
Elements From
Documents
Check the check box to indicate that HTML META elements are to be removed from documents
to prevent them from being condensed. Clear the check box to indicate that HTML META
elements are not to be removed from documents.
Set Flash Forward Refresh Policy
Select the method the ACE is to use to refresh stale embedded objects:
• N/A—This option is not configured.
• Allow Flash Forward To Indirect Refresh Of Objects—The ACE is to use FlashForward to
indirectly refresh embedded objects.
• Bypass Flash Forward To Direct Refresh Of Objects—The ACE is to bypass FlashForward for
stale embedded objects so that they are refreshed directly.
Rebase Delta Optimization Threshold (%)
Enter the delta threshold, expressed as a percent, when rebasing is to be triggered. This entry
represents the size of a page delta relative to total page size, expressed as a percent. This entry
triggers rebasing when the delta response size exceeds the threshold as a percentage of base file
size.
Valid entries are 0 to 10000 percent.
Rebase Flash Forward
Threshold (%)
Enter the threshold, expressed as a percent, when rebasing is to be triggered based on the percent
of FlashForwarded URLs in the response. This entry triggers rebasing when the difference
between the percentages of FlashForwarded URLs in the delta response and the base file exceeds
the threshold.
Valid entries are 0 to 10000 percent.
Rebase History Size
(Pages)
Enter the number of pages to be stored before the ACE resets all rebase control parameters to zero
and starts over. This option prevents the base file from becoming too rigid.
Valid entries are 10 to 2147483647.
Rebase Modify Cool-Off Period (Seconds)
Enter the number of seconds after the last modification before performing a rebase.
Valid entries are 1 to 14400 seconds (4 hours).
Rebase Reset Period (Seconds)
Enter the period of time, in seconds, for performing a meta data refresh.
Valid entries are 1 to 900 seconds (15 minutes).
Override Client Request Headers
Indicate how the ACE is to handle client request headers (primarily for embedded objects):
• N/A—This feature is not enabled.
• All Cache Request Headers Are Ignored—The ACE is to ignore all cache request headers.
• Overrides The Cache Control: No Cache HTTP Header From A Request—The ACE is to
ignore cache control request headers that state no cache.
Override Server Response Headers
Indicate how the ACE is to handle origin server response headers (primarily for embedded
objects):
• N/A—This feature is not enabled.
• All Cache Request Headers Are Ignored—The ACE is to ignore all response headers.
• Overrides The Cache Control: Private HTTP Header From A Response—The ACE is to ignore
cache control response headers that state private.
UTF-8 Character Set Threshold
The UTF-8 (8-bit Unicode Transformation Format) character set is an international standard that
allows Web pages to display non-ASCII or non-English multibyte characters. It can represent any
universal character in the Unicode standard and is backwards compatible with ASCII.
Enter the number of UTF-8 characters that need to appear on a page to constitute a UTF-8
character set page. Valid entries are integers from 1 to 1,000,000.
Server Load Threshold
Trigger (%)
The server load threshold trigger indicates that the time-to-live (TTL) period for cached objects is
to be based dynamically on server load. With this method, TTL periods increase if the current
response time from the origin server is greater than the average response time and decrease if the
current response time from the origin server is less than the average response time when the
difference in response times exceeds a specified threshold amount.
Enter the threshold, expressed as a percent, at which the TTL for cached objects is to be changed.
Valid entries are from 0 to 100 percent.
Server Load
Time-To-Live Change
(%)
This option specifies the percentage by which the cache TTL is increased or decreased in response
to a change in server load. For example, if this value is set to 20, the current TTL for a response
is 300 seconds, and the current server response time exceeds the trigger threshold, the cache
TTL for the response is raised to 360 seconds.
Enter the percent by which the cache TTL is to be increased or decreased when the server load
threshold trigger is met.
Valid entries are from 0 to 100 percent.
Delta Optimization Mode
Select the method by which delta optimization is to be implemented:
• N/A—This option is not configured.
• Enable The All-User Mode For Delta Optimization—The ACE is to generate the delta against
a single base file that is shared by all users of the URL. This option is usable in most cases if
the structure of a page is common across all users, and the disk space overhead is minimal.
• Enable The Per-User Mode For Delta Optimization—The ACE is to generate the delta against
a base file that is created specifically for that user. This option is useful when page contents,
including layout elements, are different for each user, and delivers the highest level of
condensation. However, this increases disk space requirements because a copy of the base
page that is delivered to each user is cached. This option is useful when privacy is required
because base pages are not shared among users.
String To Be Used For Server HTTP Header
Use this option to define a string that is to be sent in the server header for an HTTP response. This
option provides you with a method for uniquely tagging the context or URL match statement by
setting the server header value to a particular string. The server header string can be used when a
particular URL is not being transmitted to the correct target context or match statement.
Enter the string that is to appear in the server header. Valid entries are quoted text strings with a
maximum of 64 alphanumeric characters.
Table 6-7 lists the parameter expander functions that you can use.
Table 6-7
Parameter Expander Functions
Variable
Description
$(number)
Expands to the corresponding matching subexpression (by number)
in the URL pattern. Subexpressions are marked in a URL pattern
using parentheses (). The numbering of the subexpressions begins
with 1 and is the number of the left-parenthesis “(” counting from
the left. You can specify any positive integer for the number. $(0)
matches the entire URL. For example, if the URL pattern is
((http://server/.*)/(.*)/)a.jsp, and the URL that matches it is
http://server/main/sub/a.jsp?category=shoes&session=99999, then
the following are correct:
$(0) = http://server/main/sub/a.jsp
$(1) = http://server/main/sub/
$(2) = http://server/main
$(3) = sub
If the specified subexpression does not exist in the URL pattern,
then the variable expands to the empty string.
$http_query_string()
Expands to the value of the whole query string in the URL. For
example, if the URL is
http://myhost/dothis?param1=value1&param2=value2, then the
following is correct:
$http_query_string() = param1=value1&param2=value2
This function applies to both GET and POST requests.
$http_query_param(query-param-name)
Expands to the value of the named query parameter (case-sensitive).
The obsolete syntax $param(query-param-name) is also supported.
For example, if the URL is
http://server/main/sub/a.jsp?category=shoes&session=99999, then
the following are correct:
$http_query_param(category) = shoes
$http_query_param(session) = 99999
If the specified parameter does not exist in the query, then the
variable expands to the empty string. This function applies to both
GET and POST requests.
$http_cookie(cookie-name)
Evaluates to the value of the named cookie. For example,
$http_cookie(cookiexyz). The cookie name is case-sensitive.
$http_header(request-header-name)
Evaluates to the value of the specified HTTP request header. In the
case of multivalued headers, it is the single representation as
specified in the HTTP specification. For example,
$http_header(user-agent). The HTTP header name is not
case-sensitive.
$http_method()
Evaluates to the HTTP method used for the request, such as GET or
POST.
Boolean Functions:
$http_query_param_present(query-param-name)
$http_query_param_notpresent(query-param-name)
$http_cookie_present(cookie-name)
$http_cookie_notpresent(cookie-name)
$http_header_present(request-header-name)
$http_header_notpresent(request-header-name)
$http_method_present(method-name)
$http_method_notpresent(method-name)
Evaluates to a Boolean value: True or False, depending on the
presence or absence of the element in the request. The elements are
a specific query parameter (query-param-name), a specific cookie
(cookie-name), a specific request header (request-header-name), or
a specific HTTP method (method-name). All identifiers are
case-sensitive except for the HTTP request header name.
$regex_match(param1, param2)
Evaluates to a Boolean value: True if the two parameters match and
False if they do not match. The two parameters can be any two
expressions, including regular expressions, that evaluate to two
strings. For example, this function:
$regex_match($http_query_param(URL), .*Store\.asp.*)
compares the query URL with the regular expression string
.*Store\.asp.*
If the URL matches this regular expression, this function evaluates
to True.
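To make the expansion rules of Table 6-7 concrete, the following Python evaluator is an added example (not part of this guide and not the ACE software) that applies the functions above to the table's own URL pattern and URL. The request headers, the cookie and the extra URL query parameter are constructed, and resolving nested calls innermost first is an assumption about evaluation order that the table does not state.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Constructed stand-in for the request fields the expander functions read."""
    url: str
    method: str = "GET"
    headers: dict = field(default_factory=dict)   # header names: not case-sensitive
    cookies: dict = field(default_factory=dict)   # cookie names: case-sensitive

    def query_string(self) -> str:
        return urlsplit(self.url).query

    def query_params(self) -> dict:
        return parse_qs(self.query_string(), keep_blank_values=True)

    def header(self, name: str):
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


# One innermost call: "$", an optional function name, "(", an argument without
# parentheses, ")". "$(2)" therefore has an empty name and the argument "2".
_CALL = re.compile(r"\$(\w*)\(([^()]*)\)")


def expand(expr: str, req: Request, url_pattern: str = "") -> str:
    """Expand every Table 6-7 function in expr for req, innermost calls first (assumed order)."""
    match = re.match(url_pattern, req.url) if url_pattern else None

    def present(base: str, arg: str) -> bool:
        if base == "http_query_param":
            return arg in req.query_params()
        if base == "http_cookie":
            return arg in req.cookies
        if base == "http_header":
            return req.header(arg) is not None
        if base == "http_method":
            return req.method == arg
        raise ValueError(f"unknown presence test {base}")

    def resolve(call: re.Match) -> str:
        name, arg = call.group(1), call.group(2).strip()
        if name == "":                                   # $(number)
            index = int(arg)
            if match is None or index > match.re.groups:
                return ""                                # no such subexpression
            return match.group(index) or ""
        if name == "http_query_string":
            return req.query_string()
        if name in ("http_query_param", "param"):        # $param() is the obsolete form
            return req.query_params().get(arg, [""])[0]
        if name == "http_cookie":
            return req.cookies.get(arg, "")
        if name == "http_header":
            return req.header(arg) or ""
        if name == "http_method":
            return req.method
        if name.endswith("_notpresent"):
            return str(not present(name[:-len("_notpresent")], arg))
        if name.endswith("_present"):
            return str(present(name[:-len("_present")], arg))
        if name == "regex_match":
            # Both arguments were expanded by an earlier pass; the split assumes
            # the expanded left-hand value contains no comma.
            left, right = (part.strip() for part in arg.split(",", 1))
            return str(re.fullmatch(right, left) is not None)
        raise ValueError(f"unknown expander function ${name}()")

    previous = None
    while previous != expr:                              # until no call is left
        previous = expr
        expr = _CALL.sub(resolve, expr)
    return expr


def demo() -> dict:
    """Table 6-7's own URL pattern and URL; headers, cookie and the URL query parameter are constructed."""
    pattern = r"((http://server/.*)/(.*)/)a.jsp"
    req = Request(
        url="http://server/main/sub/a.jsp?category=shoes&session=99999&URL=/shop/Store.asp",
        headers={"User-Agent": "ExampleBrowser/1.0"},
        cookies={"cookiexyz": "abc123"},
    )
    exprs = [
        "$(0)", "$(1)", "$(2)", "$(3)", "$(4)",
        "$http_query_string()",
        "$http_query_param(category)", "$param(session)", "$http_query_param(Category)",
        "$http_cookie(cookiexyz)", "$http_header(USER-AGENT)", "$http_method()",
        "$http_cookie_present(cookiexyz)", "$http_header_notpresent(referer)",
        r"$regex_match($http_query_param(URL), .*Store\.asp.*)",
        "$http_query_param(category)-$http_method()",   # a "String For Grouping Requests" style key
    ]
    return {e: expand(e, req, pattern) for e in exprs}
```

Calling demo() returns each expression with its expanded value; $(4) comes back empty because the pattern has only three subexpressions, and $http_query_param(Category) comes back empty because parameter names are case-sensitive.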
Step 5
Click:
• Deploy Now to save your entries. The ACE appliance validates the parameter map configuration and
deploys it.
• Cancel to exit this procedure without accepting your entries and to return to the Parameter Maps
table.
• Next to accept your entries and to add another parameter map.
Related Topics
• Configuring Parameter Maps, page 6-1
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Contexts, page 2-1
Configuring RTSP Parameter Maps
RTSP parameter maps allow you to configure advanced RTSP behavior for server load-balancing
connections.
Use this procedure to configure an RTSP parameter map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > RTSP
Parameter Maps. The RTSP Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify
it. The RTSP Parameter Maps configuration screen appears.
Step 3
Configure the parameter map using the information in Table 6-8.
Table 6-8
RTSP Parameter Map Attributes
Field
Description
Parameter Name
Enter a unique name for the parameter map. Valid entries are unquoted text strings with no
spaces and a maximum of 64 alphanumeric characters.
Description
Brief description of the parameter map. Enter a text string with a maximum of
240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Double quotes must be entered as matching pairs.
Case-Insensitive
Check this check box to indicate that the ACE is to be case insensitive. Clear this check box
to indicate that the ACE is to be case sensitive.
Header Max. Parse Length
(Bytes)
Enter the number of bytes to parse for the total length of RTSP headers. Valid entries are
integers from 1 to 65535 with a default of 2048 bytes.
Step 4
Click:
• Deploy Now to deploy this configuration.
• Cancel to exit this procedure without saving your entries and to return to the RTSP Parameter Maps
table.
• Next to deploy your entries and to configure another RTSP parameter map.
Related Topics
• Configuring Parameter Maps, page 6-1
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Contexts, page 2-1
Configuring SIP Parameter Maps
SIP parameter maps allow you to configure SIP deep-packet inspection policy maps on the ACE.
Use this procedure to configure a SIP parameter map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > SIP Parameter
Maps. The SIP Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify
it. The SIP Parameter Maps configuration screen appears.
Step 3
Configure the parameter map using the information in Table 6-9.
Table 6-9
SIP Parameter Map Attributes
Field
Description
Parameter Name
Enter a unique name for the parameter map. Valid entries are unquoted text strings with no
spaces and a maximum of 64 alphanumeric characters.
Description
Brief description of the parameter map. Enter a text string with a maximum of
240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Double quotes must be entered as matching pairs.
Instant Messaging
Check the check box to enable instant messaging (IM) over SIP after it has been disabled.
Clear this check box to disable this feature.
Logging All
Check the check box to enable the logging of all received and transmitted packets in the
system log (syslog). By default, the ACE disables the logging of these packets, but it does allow
the logging of dropped SIP packets in the syslog.
The ACE allows all headers sent in the SIP packet, including proprietary headers. In the event
of a failover for SIP sessions over UDP, the ACE continues to process SIP packets for
established SIP sessions.
Clear this check box to disable this feature.
Max. Forward Validation
This option allows you to configure the ACE to validate the value of the Max-Forward header
field.
Specify how the ACE is to handle the validation of Max-Forward header fields:
• N/A—The ACE is not to validate Max-Forward header fields.
• Drop—The ACE is to drop the SIP message if it does not pass Max-Forward header
validation.
• Reset—The ACE is to reset the SIP connection if it does not pass Max-Forward header
validation.
Log Max. Forward Validation Event
Check the check box to indicate that the ACE is to log Max-Forward validation events.
Clear the check box to disable this feature.
Mask UA Software Version
If the software version of a user agent is exposed, that user agent might be vulnerable to
attacks from hackers who exploit the security holes present in that particular software version.
This option allows you to mask or log the user agent software version so that it is not exposed.
Check the check box to indicate that the ACE is to mask the user agent software version.
Clear the check box to disable this feature.
Log UA Software Version
Check the check box to indicate that the ACE is to log the user agent software version.
Clear the check box to disable this feature.
Strict Header Validation
You can ensure the validity of SIP packet headers by configuring the ACE to check for the presence of the following mandatory SIP header fields:
• From
• To
• Call-ID
• CSeq
• Via
• Max-Forwards
If one of the header fields is missing in a SIP packet, the ACE considers that packet invalid. The ACE also checks for forbidden header fields, according to RFC 3261.
Specify how the ACE is to handle header validation:
• N/A—The ACE is not to perform header validation.
• Drop—The ACE is to drop the SIP message if the SIP packet does not pass header validation.
• Reset—The ACE is to reset the connection if the SIP packet does not pass header validation.
Log Strict Header Validation
Check the check box to indicate that the ACE is to log header validation events. Clear the check box to disable this feature.
Mask Non SIP URI
This option and the next enable the detection of non-SIP URIs in SIP messages.
Check the check box to indicate that the ACE is to mask non-SIP URIs in SIP messages.
Clear the check box to disable this feature.
Log Non SIP URI
Check the check box to indicate that the ACE is to log non-SIP URIs in SIP messages.
Clear the check box to disable this feature.
SIP Media Pinhole Timeout (Seconds)
Specify the timeout period for SIP media pinhole (secure port) connections in seconds. Valid entries are integers from 1 to 65535 seconds. The default is 5 seconds.
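The Max-Forwards and Strict Header Validation checks of this table, modelled as an added Python example (not ACE code): each check carries its own N/A, Drop or Reset action and log flag, as in the parameter map. The function names, the action strings and the sample INVITE messages are constructed for this example; it also expands RFC 3261 compact header names (which the table does not mention) so that a legitimate "f:" line is not mistaken for a missing From header.

```python
"""Model of the SIP parameter-map checks in Table 6-9 (added example, not ACE code).
Strict Header Validation requires From, To, Call-ID, CSeq, Via and Max-Forwards;
Max-Forwards validation requires exactly one integer value in 0..255.
The forbidden-header check mentioned in the table is not modelled here."""
import re

MANDATORY_HEADERS = ("From", "To", "Call-ID", "CSeq", "Via", "Max-Forwards")

# RFC 3261 section 7.3.3 compact header names. An inspector that did not expand
# them would treat a legitimate "f:" line as a missing From header.
COMPACT_FORMS = {"f": "From", "t": "To", "i": "Call-ID", "v": "Via", "m": "Contact",
                 "l": "Content-Length", "c": "Content-Type", "k": "Supported",
                 "s": "Subject", "e": "Content-Encoding"}
CANONICAL = {name.lower(): name for name in MANDATORY_HEADERS}


def parse_sip_headers(message):
    """Return {header-name: [values]} for a SIP request or response.
    Names are case-insensitive, compact forms are expanded, folded lines are joined."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")[1:]            # drop the request/status line
    unfolded = []
    for line in lines:
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()  # RFC 3261 line folding
        else:
            unfolded.append(line)
    headers = {}
    for line in unfolded:
        if ":" not in line:
            continue                         # not a header line; validation below still applies
        name, value = line.split(":", 1)
        name = name.strip()
        name = COMPACT_FORMS.get(name.lower(), name)
        name = CANONICAL.get(name.lower(), name)
        headers.setdefault(name, []).append(value.strip())
    return headers


def missing_mandatory_headers(headers):
    """Mandatory header fields absent from the message (empty list means valid)."""
    return [h for h in MANDATORY_HEADERS if h not in headers]


def max_forwards_problem(headers):
    """None if Max-Forwards appears exactly once with an integer 0..255, else the reason."""
    values = headers.get("Max-Forwards", [])
    if len(values) != 1:
        return "expected one Max-Forwards header, found %d" % len(values)
    if not re.fullmatch(r"[0-9]{1,3}", values[0]) or int(values[0]) > 255:
        return "Max-Forwards value %r is not an integer in 0..255" % values[0]
    return None


def inspect_sip(message, header_action="drop", log_header=True,
                max_forwards_action="drop", log_max_forwards=True):
    """Apply both checks with their configured actions ('n/a', 'drop' or 'reset').
    Returns (verdict, log_lines) where verdict is 'pass', 'drop' or 'reset'."""
    headers = parse_sip_headers(message)
    verdict, logs = "pass", []
    missing = missing_mandatory_headers(headers)
    if missing and header_action != "n/a":
        verdict = header_action
        if log_header:
            logs.append("strict header validation failed: missing " + ", ".join(missing))
    problem = max_forwards_problem(headers)
    if problem and max_forwards_action != "n/a":
        if verdict == "pass":                # the first failing check decides the verdict
            verdict = max_forwards_action
        if log_max_forwards:
            logs.append("Max-Forwards validation failed: " + problem)
    return verdict, logs


# Constructed sample request (documentation addresses), using two compact header names.
VALID_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "f: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n")

# Constructed invalid variant: CSeq removed and an out-of-range Max-Forwards.
INVALID_INVITE = VALID_INVITE.replace("CSeq: 314159 INVITE\r\n", "").replace(
    "Max-Forwards: 70", "Max-Forwards: 999")
```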
Step 4
Click:
• Deploy Now to deploy this configuration.
• Cancel to exit this procedure without saving your entries and to return to the SIP Parameter Maps table.
• Next to deploy your entries and to configure another SIP parameter map.
Related Topics
• Configuring Parameter Maps, page 6-1
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Contexts, page 2-1
Configuring Skinny Parameter Maps
Skinny Client Control Protocol (SCCP or Skinny) parameter maps allow you to configure SCCP packet
inspection on the ACE.
Use this procedure to configure a Skinny parameter map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > Skinny
Parameter Maps. The Skinny Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify
it. The Skinny Parameter Maps configuration screen appears.
Step 3
Configure the parameter map using the information in Table 6-10.
Table 6-10 Skinny Parameter Map Attributes
Field
Description
Parameter Name
Enter a unique name for the parameter map. Valid entries are unquoted text strings with no
spaces and a maximum of 64 alphanumeric characters.
Description
Brief description of the parameter map. Enter a text string with a maximum of
240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Double quotes must be entered as matching pairs.
Enforce Registration
You can configure the ACE to allow only registered Skinny clients to make calls. To
accomplish this task, the ACE maintains the state of each Skinny client. After a client registers
with CCM, the ACE opens a secure port (pinhole) to allow that client to make a call.
Check the check box to enable Skinny registration enforcement.
Clear the check box to disable this feature.
Table 6-10 Skinny Parameter Map Attributes (continued)
Message Id Max.
Enter the largest value for the station message ID in hexadecimal that the ACE is to accept.
Valid entries are hexadecimal values from 0x0 to 0x4000. The default value is 0x181.
Note
The Message Id Max. hexadecimal value should always start with 0x or 0X.
If a packet arrives with a station message ID greater than the specified value, the ACE drops
the packet and generates a syslog message.
Min. SCCP Prefix Length (Bytes)
By default, the ACE drops SCCP messages that have an SCCP Prefix length that is less than
the message ID. The ACE drops Skinny message packets that fail this check and generates a
syslog message.
Enter the minimum SCCP prefix length in bytes. Valid entries are integers from 4 to 4000
bytes.
Max. SCCP Prefix Length (Bytes)
This feature allows you to configure the ACE so that it checks the maximum SCCP prefix
length. The ACE drops Skinny message packets that fail this check and generates a syslog
message.
Enter the maximum SCCP prefix length in bytes. Valid entries are integers from 4 to 4000
bytes.
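An added Python example (not ACE code) applying the Message Id Max. and SCCP prefix length checks of Table 6-10 to raw SCCP messages. The 12-byte header layout it assumes (little-endian data length, header version, station message ID) and the identification of the leading length field as the "SCCP prefix length" are assumptions of this example, as are the helper names and the constructed messages.

```python
"""Skinny (SCCP) parameter-map checks from Table 6-10 (added example, not ACE code).
Assumed wire format: a 4-byte little-endian data length, a 4-byte header-version
field and a 4-byte little-endian station message ID, followed by the message body.
The length field is taken to be the 'SCCP prefix length' that the Min./Max. settings bound."""
import struct

SCCP_HEADER = struct.Struct("<III")   # data length, header version, station message ID
SCCP_LENGTH_FIELD_BYTES = 8           # the length field does not count itself or the version field


def parse_message_id_max(text):
    """Validate a Message Id Max. entry: must start with 0x or 0X and lie in 0x0..0x4000."""
    if text[:2].lower() != "0x":
        raise ValueError("Message Id Max. must start with 0x or 0X: %r" % text)
    value = int(text, 16)
    if not 0x0 <= value <= 0x4000:
        raise ValueError("Message Id Max. outside 0x0..0x4000: %r" % text)
    return value


def parse_sccp_header(packet):
    """Return (data_length, header_version, message_id) from the first 12 bytes."""
    if len(packet) < SCCP_HEADER.size:
        raise ValueError("truncated SCCP header (%d bytes)" % len(packet))
    return SCCP_HEADER.unpack_from(packet)


def check_sccp(packet, message_id_max=0x181, min_prefix_len=4, max_prefix_len=4000):
    """Apply the Table 6-10 checks. Returns ('forward', None) or ('drop', syslog_text).
    Defaults mirror the table: Message Id Max. 0x181, prefix length bounds 4..4000 bytes."""
    try:
        length, _version, msg_id = parse_sccp_header(packet)
    except ValueError as err:
        return "drop", "SCCP: %s" % err
    if msg_id > message_id_max:
        return "drop", "SCCP: station message ID 0x%x exceeds maximum 0x%x" % (msg_id, message_id_max)
    if length < min_prefix_len:
        return "drop", "SCCP: prefix length %d below minimum %d" % (length, min_prefix_len)
    if length > max_prefix_len:
        return "drop", "SCCP: prefix length %d above maximum %d" % (length, max_prefix_len)
    # Consistency check beyond Table 6-10: a length field promising more bytes than the
    # packet carries marks a malformed message, which should not be parsed further.
    if length + SCCP_LENGTH_FIELD_BYTES > len(packet):
        return "drop", "SCCP: prefix length %d exceeds packet size %d" % (length, len(packet))
    return "forward", None


def build_sccp(message_id, payload=b""):
    """Constructed test message: header plus payload, length covering ID and payload."""
    return SCCP_HEADER.pack(4 + len(payload), 0, message_id) + payload
```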
Step 4
Click:
• Deploy Now to deploy this configuration.
• Cancel to exit this procedure without saving your entries and to return to the Skinny Parameter Maps table.
• Next to deploy your entries and to configure another Skinny parameter map.
Related Topics
• Configuring Parameter Maps, page 6-1
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Contexts, page 2-1
Configuring DNS Parameter Maps
Domain Name System (DNS) parameter maps allow you to configure DNS actions for DNS packet
inspection.
Use this procedure to configure a DNS parameter map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > DNS Parameter
Maps. The DNS Parameter Maps table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify
it. The DNS Parameter Maps configuration screen appears.
Step 3
Configure the parameter map using the information in Table 6-11.
Table 6-11 DNS Parameter Map Attributes
Field
Description
Parameter Name
Enter a unique name for the parameter map. Valid entries are unquoted text strings with no
spaces and a maximum of 64 alphanumeric characters.
Description
Brief description of the parameter map. Enter a text string with a maximum of
240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Double quotes must be entered as matching pairs.
Timeout (Seconds)
Configure the ACE to time out DNS queries that have no matching server response. Specify
the length of time in seconds that the ACE keeps the query entries without answers in the hash
table before timing them out. Enter an integer from 2 to 120 seconds. The default is 10
seconds.
Step 4
Click:
• Deploy Now to deploy this configuration.
• Cancel to exit this procedure without saving your entries and to return to the DNS Parameter Maps table.
• Next to deploy your entries and to configure another DNS parameter map.
Related Topics
• Configuring Parameter Maps, page 6-1
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Contexts, page 2-1
Supported MIME Types
The ACE appliance supports the following MIME types:
• application/msexcel
• application/mspowerpoint
• application/msword
• application/octet-stream
• application/pdf
• application/postscript
• application/x-gzip
• application/x-java-archive
• application/x-java-vm
• application/x-messenger
• application/zip
• audio/*
• audio/basic
• audio/midi
• audio/mpeg
• audio/x-adpcm
• audio/x-aiff
• audio/x-ogg
• audio/x-wav
• image/*
• image/gif
• image/jpeg
• image/png
• image/tiff
• image/x-3ds
• image/x-bitmap
• image/x-niff
• image/x-portable-bitmap
• image/x-portable-greymap
• image/x-xpm
• text/*
• text/css
• text/html
• text/plain
• text/richtext
• text/sgml
• text/xmcd
• text/xml
• video/*
• video/flc
• video/mpeg
• video/quicktime
• video/sgi
• video/x-fli
Viewing All Parameter Maps by Context
Use this procedure to view all parameter maps associated with a virtual context.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the virtual context with the parameter maps you want to view, then select Load Balancing >
Parameter Maps. The Parameter Maps table appears listing each parameter map and its type.
Related Topics
• Configuring Parameter Maps, page 6-1
Chapter 7
Configuring SSL
This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets
Layer (SSL) server for SSL initiation or termination.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
The topics included in this section are:
• SSL Overview, page 7-2
• SSL Configuration Prerequisites, page 7-3
• Summary of SSL Configuration Steps, page 7-4
• SSL Setup Sequence, page 7-5
• Using SSL Certificates, page 7-6
• Using SSL Keys, page 7-11
• Configuring SSL Parameter Maps, page 7-19
• Configuring SSL Chain Group Parameters, page 7-24
• Configuring SSL CSR Parameters, page 7-25
• Generating CSRs, page 7-26
• Configuring SSL Proxy Service, page 7-27
• Enabling Client Authentication, page 7-29
SSL Overview
SSL is an application-level protocol that provides encryption technology for the Internet, ensuring
secure transactions such as the transmission of credit card numbers for e-commerce Web sites. SSL
initiation occurs when the ACE appliance acts as a client and initiates the SSL session between it and
the SSL server. SSL termination occurs when the ACE, acting as an SSL server, terminates an SSL
connection from a client and then establishes a TCP connection to an HTTP server.
SSL provides the secure transaction of data between a client and a server through a combination of
privacy, authentication, and data integrity. SSL relies upon certificates and private-public key exchange
pairs for this level of security.
Figure 7-1 shows the following network connections in which the ACE terminates the SSL connection with the client:
• Client to ACE—SSL connection between a client and the ACE acting as an SSL proxy server
• ACE to Server—TCP connection between the ACE and the HTTP server
Figure 7-1 SSL Termination with Client (front end: Client to ACE carries ciphertext; back end: ACE, performing SSL termination as the server, to Server carries clear text)
The ACE uses parameter maps, SSL proxy services, and class maps to build the policy maps that
determine the flow of information between the client, the ACE, and the server. SSL termination is a
Layer 3 and Layer 4 application because it is based on the destination IP addresses of the inbound traffic
flow from the client. For this type of application, you create a Layer 3 and Layer 4 policy map that the
ACE applies to the inbound traffic.
If you have a need to delete any of the SSL objects (auth groups, chain groups, parameter maps, keys,
CRLs, or certificates), you must remove the dependency from within the proxy service first before
removing the SSL object.
Before configuring the ACE for SSL, see SSL Configuration Prerequisites, page 7-3.
SSL Configuration Prerequisites
Before configuring your ACE for SSL operation, you must first ensure:
• Your ACE hardware is configured for server load balancing (SLB).
Note
During the real server and server farm configuration process, when you associate a real server with a server farm, ensure that you assign an appropriate port number for the real server. The default behavior by the ACE is to automatically assign the same destination port that was used by the inbound connection to the outbound server connection if you do not specify a port.
• Your policy map is configured to define the SSL session parameters and client/server authentication tools, such as the certificate and RSA key pair.
• Your class map is associated with the policy map to define the virtual SSL server IP address that the destination IP address of the inbound traffic must match.
• You must import a digital certificate and its corresponding public and private key pair to the desired ACE context.
• At least one SSL certificate is available.
• If you do not have a certificate and corresponding key pair, you can generate an RSA key pair and a certificate signing request (CSR). Create a CSR when you need to apply for a certificate from a certificate authority (CA). The CA signs the CSR and returns the authorized digital certificate to you.
RBAC User Role Requirements for SSL Configurations
For all SSL-related configurations on the ACE, a user with a custom role should include the following
two rules as part of the assigned role:
• A rule that includes the SSL feature.
• A rule that includes the PKI feature.
For details on user roles and rules, see the “Creating User Roles” section in Chapter 13, “Managing the
ACE Appliance.”
Summary of SSL Configuration Steps
Table 7-1 describes the steps for using SSL keys and certificates.
Table 7-1 SSL Key and Certificate Procedure Overview
Task
Description
Step 1 Create an SSL parameter map.
Create an SSL parameter map to specify the options that apply to SSL sessions such as the method to be used to close SSL connections, the cipher suite, and version of SSL or TLS. See Configuring SSL Parameter Maps, page 7-19.
Step 2 Create an SSL key pair file.
Create an SSL RSA key pair file to generate a CSR, create a digital signature, and encrypt packet data during the SSL handshake with an SSL peer. See Generating SSL Key Pairs, page 7-15.
Step 3 Configure CSR parameters.
Set CSR parameters to define the distinguished name attributes of a CSR. See Configuring SSL CSR Parameters, page 7-25.
Step 4 Create a CSR.
Create a CSR to submit with the key pair file when you apply for an SSL certificate. See Generating CSRs, page 7-26.
Step 5 Copy and paste the CSR into the Certificate Authority (CA) Web-based application or e-mail the CSR to the CA.
Using the SSL key pair and CSR, apply for an approved certificate from a Certificate Authority. Use the method specified by the CA for submitting your request.
Step 6 Save the approved certificate from the CA in its received format on an FTP, SFTP, or TFTP server.
When you receive the approved certificate, save it in the format in which it was received on a network server accessible via FTP, SFTP, or TFTP.
Step 7 Import the approved certificate and key pair into the desired virtual context.
Import the approved certificate and the associated SSL key pair into the appropriate context using ACE Appliance Device Manager. See:
• Importing SSL Certificates, page 7-8
• Importing SSL Key Pairs, page 7-12
Step 8 Confirm that the public key in the key pair file matches the public key in the certificate file.
Examine the contents of the files to confirm that the key pair information is the same in both the key pair file and the certificate file.
Step 9 Configure the virtual context for SSL.
See Configuring Traffic Policies, page 10-1.
Table 7-1 SSL Key and Certificate Procedure Overview (continued)
Step 10 Configure auth group.
Create a group of certificates that are trusted as certificate signers by creating an authentication group. See Configuring SSL Authentication Groups, page 7-29.
Step 11 Configure CRL.
See Configuring CRLs for Client Authentication, page 7-31.
For more information about using SSL with ACE appliances, see the Cisco 4700 Series Application
Control Engine Appliance SSL Configuration Guide.
To configure ACE appliances for SSL, see:
• Importing SSL Certificates, page 7-8
• Importing SSL Key Pairs, page 7-12
• Configuring SSL Parameter Maps, page 7-19
• Configuring SSL CSR Parameters, page 7-25
• Configuring SSL Chain Group Parameters, page 7-24
• Configuring SSL Proxy Service, page 7-27
SSL Setup Sequence
The SSL setup sequence provides detailed instructions with illustrations for configuring SSL using the
ACE appliance Device Manager (Figure 7-2). The purpose of this option is to provide a visual guide for
performing typical SSL operations, such as SSL CSR generation, SSL proxy creation, and so on. This
option does not replace any existing SSL functions or configuration screens already present in ACE
appliance Device Manager. It is only intended as an additional guide for anyone unfamiliar or unclear
with the SSL operations that need to be performed on the ACE. From the SSL setup sequence, you are
allowed to configure all SSL operations, without duplicating the edit/delete/table/view operations that
the other SSL configuration screens provide.
The purpose of this option is to provide details about typical SSL flows and the operations involved in performing typical SSL operations, including the following:
• SSL import/create keys
• SSL import certificates
• SSL CSR generation
• SSL proxy creation
Note
The SSL Setup Sequence in the ACE Device Manager uses the terms SSL Policies and SSL Proxy Service interchangeably.
For more information on SSL configuration features, see Summary of SSL Configuration Steps.
Figure 7-2 SSL Setup Sequence
Related Topics
• Configuring SSL, page 7-1
• Importing SSL Certificates, page 7-8
• Importing SSL Key Pairs, page 7-12
• Configuring SSL Parameter Maps, page 7-19
• Configuring SSL Chain Group Parameters, page 7-24
• Configuring SSL Proxy Service, page 7-27
Using SSL Certificates
You can display a list of the certificates and their matching key pairs that are installed on the ACE for a
context by choosing Config > Virtual Contexts > context > Certificates. The Certificates window
appears, displaying the list of installed certificates.
Digital certificates and key pairs are a form of digital identification for user authentication. Certificate
Authorities issue certificates that attest to the validity of the public keys they contain. A client or server
certificate includes the following identification attributes:
• Name of the Certificate Authority and Certificate Authority digital signature
• Name of the client or server (the certificate subject) that the certificate authenticates
• Issuer
• Serial number
• Subject’s matching public key of the certificate
• Time stamps that indicate the certificate's start date and expiration date
• CA certificate
A Certificate Authority has one or more signing certificates that it uses for creating SSL certificates and
certificate revocation lists (CRL). Each signing certificate has a matching private key that is used to
create the Certificate Authority signature. The Certificate Authority makes the signing certificates (with
the public key embedded) available to the public, enabling anyone to access and use the signing
certificates to verify that an SSL certificate or CRL was actually signed by a specific Certificate
Authority.
Note
The ACE supports the creation of a maximum of eight CRLs for any context.
ACE appliances require certificates and corresponding key pairs for:
• SSL termination—The ACE appliance acts as an SSL proxy server and terminates the SSL session between it and the client. For SSL termination, you must obtain a server certificate and corresponding key pair.
• SSL initiation—The ACE appliance acts as a client and initiates the SSL session between it and the SSL server. For SSL initiation, you must obtain a client certificate and corresponding key pair.
The Matching Key column in the Certificates window (Config > Virtual Contexts > context >
Certificates) displays the name of a key pair that ACE appliance Device Manager was able to match up
with certificate. If ACE appliance Device Manager cannot detect a matching key pair for a certificate, it
leaves the Matching Key table cell blank. If the number of unmatched certificates and key pairs exceeds
50, then ACE appliance Device Manager leaves the entire Matching Key column blank, even when
matching certificates and key pairs exist for the context. When this condition occurs, you can verify that
a certificate and key pair match by using the SSL Setup Sequence feature.
Do the following:
Step 1
Choose Config > Virtual Contexts > context > Setup Sequence.
The Setup Sequence window appears.
Step 2
In the Setup Sequence window, click Configure SSL Policies.
The Configure SSL Policies window appears.
Step 3
From the Certificate drop-down list in the Configure SSL Policies - Basic Settings section, choose a
certificate.
Step 4
From the Keys drop-down list in the Configure SSL Policies - Basic Settings section, choose a key pair.
Step 5
Click Verify Key.
ACE appliance Device Manager checks to see if the selected certificate and key pair match. A popup
window appears to indicate if the two items match.
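The key-to-certificate match that Step 8 of Table 7-1 and the Verify Key button perform, as an added Python example (not Device Manager code): a key pair and a certificate match when the private key's public half equals the certificate's public key. It assumes the cryptography package is installed, generates its own RSA key pairs and self-signed certificates as test material, and covers the passphrase-encrypted PEM case that the Import dialog's Passphrase field handles.

```python
"""Offline key-pair/certificate match check (added example, not ACE Device Manager code).
Assumes the 'cryptography' package. Keys and certificates are generated in-process."""
import datetime
import hashlib

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def public_key_fingerprint(public_key):
    """SHA-256 of the DER SubjectPublicKeyInfo: the same bytes whether the key came from
    the key pair file or the certificate file, so the two can simply be compared."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()


def key_matches_certificate(key_pem, cert_pem, passphrase=None):
    """True when the PEM private key (optionally passphrase-encrypted) and the PEM
    certificate carry the same public key. A wrong passphrase raises ValueError."""
    key = serialization.load_pem_private_key(key_pem, password=passphrase)
    cert = x509.load_pem_x509_certificate(cert_pem)
    return public_key_fingerprint(key.public_key()) == public_key_fingerprint(cert.public_key())


def make_key_and_self_signed_cert(common_name, passphrase=None):
    """Constructed material: a 2048-bit RSA key pair and a one-day self-signed certificate
    for it, both as PEM bytes; the key is encrypted if a passphrase is given."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    encryption = (serialization.BestAvailableEncryption(passphrase) if passphrase
                  else serialization.NoEncryption())
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.PKCS8, encryption)
    cert_pem = cert.public_bytes(serialization.Encoding.PEM)
    return key_pem, cert_pem
```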
Note
The ACE includes a preinstalled sample certificate and corresponding key pair. The certificate is for
demonstration purposes only and does not have a valid domain. It is a self-signed certificate with basic
extensions named cisco-sample-cert. The key pair is an RSA 1024-bit key pair named cisco-sample-key.
You can display the sample certificate and corresponding key pair files as follows:
• To display the cisco-sample-cert file, choose Config > Virtual Contexts > context > SSL > Certificates.
• To display the cisco-sample-key file, choose Config > Virtual Contexts > context > SSL > Keys.
You can add these files to an SSL proxy service (see the “Configuring SSL Proxy Service” section on page 7-27). They are available for use in any context, with the filenames remaining the same in each context.
The ACE allows you to export these files but does not allow you to import any files with these names.
When you upgrade the ACE software, these files are overwritten with the files provided in the upgrade
image. You cannot use the crypto delete CLI command to delete these files unless you downgrade the
ACE software because a software downgrade preserves these files as if they were user-installed SSL
files.
Related Topics
• Configuring SSL, page 7-1
• Exporting SSL Certificates, page 7-16
• Importing SSL Certificates, page 7-8
• Using SSL Keys, page 7-11
• Importing SSL Key Pairs, page 7-12
• Configuring SSL CSR Parameters, page 7-25
• Generating CSRs, page 7-26
Importing SSL Certificates
Use this procedure to import SSL certificates.
Note
The ACE supports a maximum of 4,096 certificates.
Assumptions
• You have configured an ACE appliance for server load balancing. (See Load Balancing Overview, page 3-1.)
• You have obtained an SSL certificate from a certificate authority (CA) and have placed it on a network server accessible by the ACE appliance.
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > Certificates. The Certificates table appears,
listing any valid SSL certificates.
The cisco-sample-cert certificate is included in the list. For information on this sample certificate, see
the “Using SSL Certificates” section on page 7-6.
Step 2
Click Import. The Import dialog box appears.
To import multiple SSL certificates, click Bulk Import. The Bulk Import dialog box appears.
Note
SSL bulk import can take longer based on the number of SSL certificates being imported. It will progress
to completion on the ACE. To see the imported certificates in the ACE Device Manager, perform a CLI
synchronization for this context once the SSL bulk import has completed. For information on
synchronizing contexts, see the “Synchronizing Virtual Context Configurations” section on page 2-68.
Step 3
Enter the applicable information:
• For the Import dialog box, see Table 7-2.
• For the Bulk Import dialog box, see Table 7-3.
Table 7-2 SSL Certificate Management Import Attributes
Field
Description
Protocol
Specify the method to be used for accessing the network server:
• FTP—Indicates that FTP is to be used to access the network server when importing the SSL certificate.
• SFTP—Indicates that SFTP is to be used to access the network server when importing the SSL certificate.
• TFTP—Indicates that TFTP is to be used to access the network server when importing the SSL certificate.
• TERMINAL—Indicates that you will import the file using cut and paste by pasting the certificate information to the terminal display. You can only use the terminal method to display PEM files, which are in ASCII format.
IP Address
This field appears for FTP, TFTP, and SFTP.
Enter the IP address of the remote server on which the SSL certificate file resides.
Remote File Name
This field appears for FTP, TFTP, and SFTP.
Enter the directory and filename of the certificate file on the network server.
Local File Name
Enter the filename to be used for the SSL certificate file when it is imported
to the ACE appliance.
User Name
This field appears for FTP and SFTP.
Enter the name of the user account on the network server.
Password
This field appears for FTP and SFTP.
Enter the password for the user account on the network server.
Confirm
This field appears for FTP and SFTP.
Reenter the password.
Passphrase
This field appears for FTP, TFTP, SFTP, and TERMINAL.
Enter the passphrase that was created with the file. Without this phrase, you
cannot use the file. Passphrases are used only with encrypted PEM and
PKCS files.
Confirm
This field appears for FTP, SFTP, and TERMINAL.
Reenter the passphrase.
Table 7-2 SSL Certificate Management Import Attributes (continued)
Non-Exportable
The ability to export SSL certificates allows you to copy signed certificates
to another server on your network so that you can then import them onto
another ACE appliance or Web server. Exporting is similar to copying in that
the original files are not deleted.
Check the check box to indicate that this certificate file cannot be exported
from the ACE appliance.
Import Text
This field appears for Terminal.
Cut the certificate information from the remote server and paste it into this
field.
Table 7-3 SSL Certificate Management Bulk Import Attributes
Field
Description
Protocol
SFTP is to be used to access the network server when importing the SSL certificates. SFTP is the
only supported protocol for bulk import.
IP Address
Enter the IP address of the remote server on which the SSL certificate files reside.
Remote Path
Path to the SSL certificate files that reside on the remote server. The ACE fetches only files
specified by the path; it does not recursively fetch remote directories. Enter a filename path
including wildcards (for example, /remote/path/*.pem). The ACE supports POSIX pattern
matching notation, as specified in section 2.13 of the “Shell and Utilities” volume of IEEE Std
1003.1-2004. This notation includes the “*,” “?” and “[ ” metacharacters.
To fetch all files from a remote directory, specify a remote path that ends with a wildcard character
(for example, /remote/path/*). Do not include spaces or the following special characters:
;<>\|`@$&()
The ACE fetches all files on the remote server that match the wildcard criteria. However, it imports only files with names that have a maximum of 40 characters. If the name of a file exceeds 40 characters, the ACE does not import the file and discards it.
User Name
Enter the name of the user account on the network server.
Password
Enter the password for the user account on the network server.
Confirm
Reenter the password.
Passphrase
Enter the passphrase that was created with the file. Without this phrase, you cannot use the file.
Passphrases are used only with encrypted PEM and PKCS files.
Confirm
Reenter the passphrase.
Non-Exportable
The ability to export SSL certificates allows you to copy signed certificates to another server on
your network so that you can then import them onto another ACE or Web server. Exporting is
similar to copying in that the original files are not deleted.
Check the check box to specify that this certificate file cannot be exported from the ACE.
Step 4
Click:
• OK to accept your entries and to return to the Certificates table. The ACE Appliance Device Manager updates the Certificates table with the newly installed certificate.
• Cancel to exit this procedure without saving your entries and to return to the Certificates table.
Related Topics
• Configuring SSL, page 7-1
• Using SSL Keys, page 7-11
• Importing SSL Key Pairs, page 7-12
• Configuring SSL Parameter Maps, page 7-19
• Configuring SSL Chain Group Parameters, page 7-24
• Configuring SSL CSR Parameters, page 7-25
• Configuring SSL Proxy Service, page 7-27
Using SSL Keys
An ACE appliance and its peer use a public key cryptographic system named after Rivest, Shamir, and Adleman (RSA) for authentication during the SSL handshake to establish an SSL session.
The RSA system uses key pairs that consist of a public key and a corresponding private (secret) key.
During the handshake, the RSA key pairs encrypt the session key that both devices will use to encrypt
the data that follows the handshake.
Use this procedure to view options for working with SSL and SSL keys.
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > Keys. The Keys table appears.
Step 2
Continue with one of the following options:
• Generate a key pair—See Generating SSL Key Pairs, page 7-15.
• Import a key pair—See Importing SSL Key Pairs, page 7-12.
• Export a key pair—See Exporting SSL Key Pairs, page 7-18.
• Generate a CSR—See Generating CSRs, page 7-26.
Related Topics
• Generating SSL Key Pairs, page 7-15
• Importing SSL Key Pairs, page 7-12
• Exporting SSL Key Pairs, page 7-18
• Configuring SSL, page 7-1
Importing SSL Key Pairs
Use this procedure to import an SSL key pair file.
Note
The ACE supports a maximum of 4,096 key pairs.
Assumptions
• You have configured an ACE appliance for server load balancing. (See Load Balancing Overview, page 3-1.)
• You have obtained an SSL key pair from a certificate authority (CA) and have placed the pair on a network server accessible by the ACE appliance.
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > Keys. The Keys table appears, listing existing SSL
keys.
The cisco-sample-key key pair is included in the list. For information on this sample key pair, see the
“Using SSL Certificates” section on page 7-6.
Step 2
Click Import. The Import dialog box appears.
To import multiple SSL key pairs, click Bulk Import. The Bulk Import dialog box appears.
Note
SSL bulk import can take longer based on the number of SSL keys being imported. It will progress to completion on the ACE. To see the imported keys in the ACE Device Manager, perform a CLI synchronization for this context once the SSL bulk import has completed. For information on synchronizing contexts, see the “Synchronizing Virtual Context Configurations” section on page 2-68.
Step 3
Enter the applicable information as follows:
• For the Import dialog box, see Table 7-4.
• For the Bulk Import dialog box, see Table 7-5.
Table 7-4
SSL Key Pair Import Attributes
Field
Description
Protocol
Specify the method to be used for accessing the network server:
•
FTP—Indicates that FTP is to be used to access the network server when
importing the SSL key pair file.
•
SFTP—Indicates that SFTP is to be used to access the network server
when importing the SSL key pair file.
•
TFTP—Indicates that TFTP is to be used to access the network server
when importing the SSL key pair file.
•
TERMINAL—Indicates that you will import the file using cut and paste
by pasting the certificate and key pair information to the terminal
display. You can only use the terminal method to import PEM files, which
are in ASCII format.
FTP and TFTP send the file, private key included, in cleartext and do not
authenticate the server. Prefer SFTP, or the TERMINAL method over an already
protected management session.
IP Address
This field appears for FTP, TFTP, and SFTP.
Enter the IP address of the remote server on which the SSL key pair file
resides.
Remote File Name
This field appears for FTP, TFTP, and SFTP.
Enter the directory and filename of the key pair file on the network server.
Local File Name
Enter the filename to be used for the SSL key pair file when it is imported to
the ACE appliance.
User Name
This field appears for FTP and SFTP.
Enter the name of the user account on the network server.
Password
This field appears for FTP and SFTP.
Enter the password for the user account on the network server.
Confirm
This field appears for FTP and SFTP.
Reenter the password.
Passphrase
This field appears for FTP, TFTP, SFTP, and TERMINAL.
Enter the passphrase that was created with the file. Without this phrase, you
cannot use the file. Passphrases are used only with encrypted PEM and
PKCS files.
Confirm
This field appears for FTP, SFTP, and TERMINAL.
Reenter the passphrase.
Non-Exportable
The ability to export SSL key pair files allows you to copy key pair files to
another server on your network so that you can then import them onto
another ACE appliance or Web server. Exporting is similar to copying in that
the original files are not deleted.
Check the check box to indicate that this key pair file cannot be exported
from the ACE appliance. Clear the check box to indicate that this key pair
file can be exported from the ACE appliance.
Import Text
This field appears for Terminal.
Cut the key pair information from the remote server and paste it into this
field.
Table 7-5
SSL Key Pair Bulk Import Attributes
Field
Description
Protocol
SFTP is to be used to access the network server when importing the SSL key
pairs. SFTP is the only supported protocol for bulk import.
IP Address
Enter the IP address of the remote server on which the SSL key pair files
resides.
Remote Path
Enter the path to the key pair files that reside on the remote server. The ACE
fetches only files specified by the path; it does not recursively fetch remote
directories. Enter a filename path including wildcards (for example,
/remote/path/*.pem). The ACE supports POSIX pattern matching notation,
as specified in section 2.13 of the “Shell and Utilities” volume of IEEE Std
1003.1-2004. This notation includes the “*,” “?” and “[” metacharacters.
To fetch all files from a remote directory, specify a remote path that ends
with a wildcard character (for example, /remote/path/*). Do not include
spaces or the following special characters:
;<>\|`@$&()
The ACE fetches all files on the remote server that matches the wildcard
criteria. However, it imports only files with names that have a maximum of
40 characters. If the name of a file exceeds 40 characters, the ACE does not
import the file and discards it.
User Name
Enter the name of the user account on the network server.
Password
Enter the password for the user account on the network server.
Confirm
Reenter the password.
Passphrase
Enter the passphrase that was created with the files. Without this phrase, you
cannot use the files. Passphrases are used only with encrypted PEM and
PKCS files.
Confirm
Reenter the passphrase.
Non-Exportable
Check this check box to specify that the imported key pair files cannot be
exported from the ACE. The ability to export SSL key pairs allows you to copy
key pair files to another server on your network so that you can then import
them onto another ACE or Web server. Exporting is similar to copying in that
the original files are not deleted. Marking a private key non-exportable
prevents its later retrieval through the export function, which is the safer
choice for production keys.
Step 4
Click:
•
OK to accept your entries and to return to the Keys table. The ACE Appliance Device Manager
updates the Keys table with the imported key pair file information.
•
Cancel to exit this procedure without saving your entries and to return to the Keys table.
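A pre-flight check for the Bulk Import rules in Table 7-5, written here as an added example (it is not code from the guide or from the ACE software): it applies the same POSIX wildcard the ACE uses to a constructed SFTP directory listing, separates the names the ACE would discard for exceeding 40 characters, rejects the characters the guide forbids in the Remote Path, and checks the 4,096 key-pair limit. The listing, the paths, and the assumption that the wildcard is matched only against file names inside one directory are this example's own.

```python
import fnmatch
import posixpath

MAX_KEY_PAIRS = 4096        # guide: the ACE supports a maximum of 4,096 key pairs
MAX_FILENAME_LEN = 40       # guide: longer names are fetched but not imported
FORBIDDEN_CHARS = set(";<>\\|`@$&() ")   # guide: no spaces or ;<>\|`@$&() in the path

# Constructed SFTP listing standing in for the remote server (not from the guide).
SAMPLE_LISTING = {
    "/remote/path": [
        "web01.pem",
        "web02.pem",
        "this-filename-is-far-too-long-for-the-ace-to-accept.pem",   # 55 characters
        "ca-bundle.crt",
    ],
    "/remote/path/archive": ["old.pem"],   # never fetched: the ACE does not recurse
}


def validate_remote_path(path):
    """Raise ValueError for a Remote Path the ACE rejects; otherwise return it unchanged."""
    bad = sorted({c for c in path if c in FORBIDDEN_CHARS})
    if bad:
        raise ValueError(f"remote path contains forbidden characters: {bad}")
    return path


def plan_bulk_import(remote_path, listing, existing_key_pairs):
    """Predict what Bulk Import would do with remote_path against listing.

    listing maps directory -> file names as the SFTP server would return them.
    Returns (imported, discarded, errors): names that would be imported, names the
    ACE fetches but discards for exceeding 40 characters, and limit violations.
    Assumption of this model: the wildcard applies to file names in one directory."""
    validate_remote_path(remote_path)
    directory, pattern = posixpath.split(remote_path)
    candidates = listing.get(directory, [])          # no recursion into subdirectories
    # fnmatchcase implements the *, ? and [ metacharacters the guide lists.
    matched = [name for name in candidates if fnmatch.fnmatchcase(name, pattern)]
    imported = [name for name in matched if len(name) <= MAX_FILENAME_LEN]
    discarded = [name for name in matched if len(name) > MAX_FILENAME_LEN]
    errors = []
    total = existing_key_pairs + len(imported)
    if total > MAX_KEY_PAIRS:
        errors.append(f"{total} key pairs would exceed the limit of {MAX_KEY_PAIRS}")
    return imported, discarded, errors


if __name__ == "__main__":
    for path in ("/remote/path/*.pem", "/remote/path/web0[12].pem", "/remote/path/*"):
        print(path, plan_bulk_import(path, SAMPLE_LISTING, existing_key_pairs=10))
```

Run it against a real `ls` of the remote directory before clicking Bulk Import: a name in the discarded list means the file will silently never appear in the Keys table, and the path check catches shell metacharacters before they reach the appliance.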
Related Topics
•
Configuring SSL, page 7-1
•
Importing SSL Certificates, page 7-8
•
Configuring SSL Parameter Maps, page 7-19
•
Configuring SSL Chain Group Parameters, page 7-24
•
Configuring SSL CSR Parameters, page 7-25
•
Configuring SSL Proxy Service, page 7-27
Generating SSL Key Pairs
If you do not have any matching key pairs, you can use the ACE appliance to generate a key pair.
Use this procedure to generate SSL RSA key pairs.
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > Keys. The Keys table appears.
Step 2
Click Add to add a new key pair. The Keys configuration screen appears.
Note
You cannot modify an existing entry in the Keys table. Instead, delete the existing entry, then
add a new one.
Step 3
In the Name field, enter the name of the SSL key pair. Valid entries are alphanumeric strings with a
maximum of 40 characters.
Step 4
In the Size field, select the key pair security strength. The number of bits in the key pair file defines the
size of the RSA key pair used to secure Web transactions. Longer keys produce more secure
implementations by increasing the strength of the RSA security policy. Options and their relative levels
of security are:
•
512—Least security
•
768—Normal security
•
1024—High security, level 1
•
1536—High security, level 2
•
2048—High security, level 3
Treat these labels as relative only: 512-bit and 768-bit RSA moduli have been factored publicly, and
public certificate authorities no longer sign 1024-bit keys. Select 2048 unless a legacy peer cannot
handle it.
Step 5
In the Type field, specify RSA as the public-key cryptographic system used for authentication.
Step 6
In the Exportable Key field, check the check box to indicate that the key pair file can be exported. Clear
the check box to indicate that the key pair file cannot be exported.
Step 7
Click:
•
Deploy Now to deploy this configuration on the ACE appliance.
•
Cancel to exit this procedure without saving your entries and to return to the Keys table.
•
Next to save your entries and to define another RSA key pair.
After generating an RSA key pair, you can:
•
Create a CSR parameter set. The CSR parameter set defines the distinguished name attributes for
the ACE appliance to use during the CSR-generating process. For details on defining a CSR
parameter set, see the Configuring SSL CSR Parameters, page 7-25.
•
Generate a CSR for the RSA key pair file and transfer the CSR request to the certificate authority
for signing. This provides an added layer of security because the RSA private key originates directly
within the ACE appliance and does not have to be transported externally. Each generated key pair
must be accompanied by a corresponding certificate to work. For details on generating a CSR, see
Generating CSRs, page 7-26.
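An offline check on a key-pair file before it goes through the Import dialog (Importing SSL Key Pairs: passphrase only for encrypted PEM or PKCS files, TERMINAL method only for ASCII PEM) and against the Size chosen in Step 4 of Generating SSL Key Pairs. This is an added example, not code from the guide or the ACE: it reads the PEM label and RFC 1421 headers to tell whether a passphrase will be needed, reports whether the text is ASCII, and parses just enough DER to recover the RSA modulus size from PKCS#1, PKCS#8 and SubjectPublicKeyInfo encodings. The sample keys are constructed inside the block and are not real keys.

```python
import base64
import re

MIN_ACCEPTABLE_BITS = 2048   # smaller entries in the Size list are not acceptable today

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)-----END (?P=label)-----", re.S)


def _der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_children(contents):
    """Split the contents of a SEQUENCE into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = _der_read(contents, pos)
        out.append((tag, val))
    return out


def _bits(der_int_contents):
    return int.from_bytes(der_int_contents, "big").bit_length()


def inspect_pem(text):
    """Describe the first PEM block in text: label, whether a passphrase is required,
    whether the text is plain ASCII, and the RSA modulus size (None if not recoverable)."""
    m = _PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found; the TERMINAL method accepts ASCII PEM only")
    label, body = m.group("label"), m.group("body")
    # Traditional OpenSSL encryption is announced in RFC 1421 headers; PKCS#8 uses its own label.
    encrypted = "Proc-Type: 4,ENCRYPTED" in body or label == "ENCRYPTED PRIVATE KEY"
    bits = None
    if not encrypted:
        b64 = "".join(ln.strip() for ln in body.splitlines() if ln.strip() and ":" not in ln)
        _, seq, _ = _der_read(base64.b64decode(b64))
        kids = _der_children(seq)
        if label == "RSA PRIVATE KEY":        # PKCS#1: version, n, e, d, p, q, dP, dQ, qInv
            bits = _bits(kids[1][1])
        elif label == "RSA PUBLIC KEY":       # PKCS#1: n, e
            bits = _bits(kids[0][1])
        elif label == "PRIVATE KEY":          # PKCS#8: version, algorithm, OCTET STRING(RSAPrivateKey)
            _, inner, _ = _der_read(kids[2][1])
            bits = _bits(_der_children(inner)[1][1])
        elif label == "PUBLIC KEY":           # SPKI: algorithm, BIT STRING(RSAPublicKey)
            _, inner, _ = _der_read(kids[1][1][1:])   # skip the unused-bits byte
            bits = _bits(_der_children(inner)[0][1])
    return {"label": label, "encrypted": encrypted, "ascii": text.isascii(),
            "rsa_bits": bits, "acceptable": bits is not None and bits >= MIN_ACCEPTABLE_BITS}


def _der_encode(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return _der_encode(0x02, b"\x00" + b if b[0] & 0x80 else b)


def sample_pkcs1_private_pem(bits):
    """Constructed sample: a structurally valid PKCS#1 RSAPrivateKey whose modulus has
    exactly `bits` bits. The integers are placeholders, not a usable key."""
    n = (1 << (bits - 1)) | 1
    der = _der_encode(0x30, b"".join(_der_int(v) for v in (0, n, 65537, 3, 5, 7, 11, 13, 17)))
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{lines}\n-----END RSA PRIVATE KEY-----\n"


# Constructed sample of a passphrase-protected key as OpenSSL writes it (body truncated).
SAMPLE_ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEowIBAAKCAQEA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for sample in (sample_pkcs1_private_pem(2048), sample_pkcs1_private_pem(512), SAMPLE_ENCRYPTED_PEM):
        print(inspect_pem(sample))
```

Point it at the actual file you intend to import: an `encrypted` result means the Passphrase field is mandatory, `ascii` False rules out the TERMINAL method, and an `rsa_bits` below 2048 is a key you should regenerate rather than import.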
Related Topics
•
Configuring SSL, page 7-1
•
Importing SSL Certificates, page 7-8
•
Importing SSL Key Pairs, page 7-12
•
Configuring SSL Chain Group Parameters, page 7-24
•
Configuring SSL CSR Parameters, page 7-25
•
Configuring SSL Proxy Service, page 7-27
Exporting SSL Certificates
The ability to export SSL certificates allows you to copy signed certificates to another server on your
network so that you can then import them onto another ACE appliance or Web server. Exporting
certificates is similar to copying in that the original certificates are not deleted.
Use this procedure to export SSL certificates from an ACE appliance to a remote server.
Assumption
The SSL certificate can be exported. (See Importing SSL Certificates, page 7-8.)
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > Certificates. The Certificates table appears,
listing any valid SSL certificates.
Step 2
Select the certificate you want to export, then click Export. The Export dialog box appears.
Step 3
Enter the information in Table 7-6.
Table 7-6
SSL Certificate Export Attributes
Field
Description
Protocol
Specify the method to be used for exporting the SSL certificate:
•
FTP—Indicates that FTP is to be used to access the network server when
exporting the SSL certificate.
•
SFTP—Indicates that SFTP is to be used to access the network server
when exporting the SSL certificate.
•
TFTP—Indicates that TFTP is to be used to access the network server
when exporting the SSL certificate.
•
TERMINAL—Indicates that you will export the certificate using cut and
paste by copying the certificate information from the terminal
display. You can only use the terminal method to export PEM files,
which are in ASCII format.
IP Address
This field appears for FTP, TFTP, and SFTP.
Enter the IP address of the remote server to which the SSL certificate file is
to be exported.
Remote File Name
This field appears for FTP, TFTP, and SFTP.
Enter the directory and filename to be used for the SSL certificate file on the
remote network server.
User Name
This field appears for FTP and SFTP.
Enter the name of the user account on the remote network server.
Password
This field appears for FTP and SFTP.
Enter the password for the user account on the remote network server.
Confirm
This field appears for FTP and SFTP.
Reenter the password.
Step 4
Click:
•
OK to export the certificate and to return to the Certificates table.
•
Cancel to exit this procedure without exporting the certificate and to return to the Certificates table.
Related Topics
•
Configuring SSL, page 7-1
•
Importing SSL Certificates, page 7-8
•
Importing SSL Key Pairs, page 7-12
•
Generating SSL Key Pairs, page 7-15
•
Configuring SSL Chain Group Parameters, page 7-24
•
Configuring SSL CSR Parameters, page 7-25
•
Configuring SSL Proxy Service, page 7-27
Exporting SSL Key Pairs
The ability to export SSL key pairs allows you to copy SSL key pair files to another server on your network
so that you can then import them onto another ACE appliance or Web server. Exporting key pair files is
similar to copying in that the original key pairs are not deleted. An exported file contains the private
key, so restrict who can export, control where the file lands, and delete the copy once it has been
imported elsewhere.
Use this procedure to export SSL key pairs from an ACE appliance to a remote server.
Assumption
The SSL key pair was created or imported as exportable (see Generating SSL Key Pairs, page 7-15, and
Importing SSL Key Pairs, page 7-12). A key pair marked non-exportable cannot be exported.
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > Keys. The Keys table appears.
Step 2
Select the key entry you want to export, then click Export. The Export dialog box appears.
Step 3
Enter the information in Table 7-7.
Table 7-7
SSL Key Export Attributes
Field
Description
Protocol
Specify the method to be used for exporting the SSL key pair:
•
FTP—Indicates that FTP is to be used to access the network server when
exporting the SSL key pair.
•
SFTP—Indicates that SFTP is to be used to access the network server
when exporting the SSL key pair.
•
TFTP—Indicates that TFTP is to be used to access the network server
when exporting the SSL key pair.
•
TERMINAL—Indicates that you will export the key pair using cut and
paste by copying the key pair information from the terminal display. You
can only use the terminal method to export PEM files, which are in
ASCII format.
FTP and TFTP send the private key in cleartext and do not authenticate the
server; use SFTP, or the TERMINAL method over an already protected management
session.
IP Address
This field appears for FTP, TFTP, and SFTP.
Enter the IP address of the remote server to which the SSL key pair is to be
exported.
Remote File Name
This field appears for FTP, TFTP, and SFTP.
Enter the directory and filename to be used for the SSL key pair file on the
remote network server.
User Name
This field appears for FTP and SFTP.
Enter the name of the user account on the remote network server.
Password
This field appears for FTP and SFTP.
Enter the password for the user account on the remote network server.
Confirm
This field appears for FTP and SFTP.
Reenter the password.
Step 4
Click:
•
OK to export the key pair and to return to the Keys table.
•
Cancel to exit this procedure without exporting the key pair and to return to the Keys table.
Related Topics
•
Configuring SSL, page 7-1
•
Importing SSL Certificates, page 7-8
•
Importing SSL Key Pairs, page 7-12
•
Generating SSL Key Pairs, page 7-15
•
Configuring SSL Chain Group Parameters, page 7-24
•
Configuring SSL CSR Parameters, page 7-25
•
Configuring SSL Proxy Service, page 7-27
Configuring SSL Parameter Maps
An SSL parameter map defines the SSL session parameters that an ACE appliance applies to an SSL
proxy service. SSL parameter maps let you apply the same SSL session parameters to different proxy
services.
Use this procedure to create SSL parameter maps.
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > Parameter Maps. The Parameter Maps table
appears.
Step 2
Click Add to add a new SSL parameter map, or select an existing entry to modify, then click Edit. The
Parameter Map configuration screen appears.
Step 3
In the Parameter Map Name field, enter a unique name for the parameter map. Valid entries are
alphanumeric strings with a maximum of 64 characters.
Step 4
In the Description field, enter a brief description of the parameter map. Enter a text string with a
maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Enter double quotes as matching pairs.
Step 5
In the Queue Delay Timeout (Milliseconds) field, set the amount of time (in milliseconds) to wait before
emptying the queued data for encryption. The default delay is 200 milliseconds, and can be adjusted
from 0 (disabled) to 10000. If disabled (set to 0), the ACE encrypts the data from the server as soon as
it arrives and then sends the encrypted data to the client.
Note
The Queue Delay Timeout is only applied to data that the SSL module sends to the client. This
avoids a potentially long delay in passing a small HTTP GET to the real server.
Step 6
In the Session Cache Timeout (Milliseconds) field, specify how long (in seconds) an SSL session ID
remains valid before the ACE requires the full SSL handshake to establish a new SSL session. This value
allows the ACE to reuse the master key on subsequent connections with the client, which can speed up
the SSL negotiation process. The default value is 300 seconds (5 minutes), and can be adjusted from 0
(to indicate an infinite timeout, so that session IDs are removed from the cache only when the cache
becomes full) up to 72000 seconds (20 hours). Specifying 0 causes the ACE to implement a least
recently used (LRU) timeout policy. If session caching is disabled, the full SSL handshake occurs for each
new connection with the ACE.
Step 7
In the Reject Expired CRLs field, check the check box to reject expired CRLs. If checked, the ACE does
not use an expired CRL for revocation checking. Leave it clear only if you accept that revocations
published after a stale CRL's next-update time will not be seen.
Step 8
In the Close Protocol Behavior field, select the method to be used to close the SSL connection:
•
Disabled—Indicates that the ACE appliance is to send a close-notify alert message to the SSL peer;
however, the SSL peer does not expect a close-notify alert before removing the session. Whether the
SSL peer sends a close-notify alert message or not, the session information is preserved, allowing
session resumption for future SSL connections.
•
None—Indicates that the ACE appliance is not to send a close-notify alert message to the SSL peer,
nor does the ACE appliance expect a close-notify alert message from the peer. The ACE appliance
preserves the session information so that SSL resumption can be used for future SSL connections.
Step 9
In the SSL Version field, select the version of SSL to be used during SSL communications:
•
All—Indicates that the ACE appliance is to accept both SSL v3 and TLS v1 in its communications with
its SSL peer.
•
SSL3—Indicates that the ACE appliance is to use only SSL v3 in its communications with its SSL peer.
•
TLS1—Indicates that the ACE appliance is to use only TLS v1 in its communications with its SSL peer.
SSL v3 has known protocol weaknesses and current clients no longer offer it; choose TLS1 unless a
legacy peer requires SSL v3.
Step 10
In the Ignore Authentication Failure field, check the check box to ignore expired or invalid client or
server certificates and to continue setting up the SSL connection. Clear the check box to return to the
default setting of disabled. This field allows the ACE appliance to ignore the following nonfatal errors
with respect to either client certificates for SSL termination configurations, or server certificates for SSL
initiation configurations:
– Certificate not yet valid (both)
– Certificate has expired (both)
– Certificate revoked (both)
– Unknown issuer (both)
– No client certificate (client certificate only)
– CRL not available (client certificate only)
– CRL has expired (client certificate only)
– Certificate has signature failure (client certificate only)
– Certificate other error (client certificate only)
Step 11
Click:
•
Deploy Now to deploy this configuration on the ACE appliance. The updated Parameter Map screen
appears along with the Parameter Map Cipher table. Continue with Step 12.
•
Cancel to exit this procedure without saving your entries and to return to the Parameter Map table.
•
Next to save your entries and to define another parameter map.
Step 12
In the Parameter Map Cipher table, click Add to add a cipher, or select an existing cipher, then click
Edit. The Parameter Map Cipher configuration screen appears.
Enter the information in Table 7-8.
Table 7-8
SSL Parameter Map Cipher Configuration Attributes
Field
Description
Cipher Name
Cipher to use.
For more information on the SSL cipher suites that ACE supports, see Cisco 4700 Series
Application Control Engine Appliance SSL Configuration Guide.
Cipher Priority
Priority that you want to assign to this cipher suite. The priority indicates the cipher’s preference
for use.
Valid entries are from 1 to 10 with 1 indicating the least preferred and 10 indicating the most
preferred. When determining which cipher suite to use, the ACE chooses the cipher suite with the
highest priority.
Step 13
In the Parameter Map Cipher table, do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE appliance.
•
Click Cancel to exit the procedure without saving your entries and to return to the Parameter Map Cipher
table.
•
Click Next to save your entries and to add another entry to the Parameter Map Cipher table.
Step 14
Click the Redirect Authentication Failure tab and click Add to add a redirect, or choose an existing
redirect and click Edit.
Enter the information in Table 7-9.
Note
The Redirect Authentication Failure feature is only for SSL termination configurations in which
the ACE performs client authentication. The ACE ignores these attributes if you configure them
for an SSL initiation configuration.
Table 7-9
SSL Parameter Map Redirect Configuration Attributes
Field
Description
Client Certificate Validation
Select the type of certificate validation failure to redirect. From the drop-down list, choose the type
to redirect:
•
Any—Associates any of the certificate failures with the redirect. You can configure the
authentication-failure redirect any command together with individual reasons for redirection. When you
do, the ACE attempts to match one of the individual reasons before using the any reason. You
cannot configure the authentication-failure redirect any command together with the
authentication-failure ignore command.
•
Cert-expired—Associates an expired certificate failure with a redirect.
•
Cert-has-signature-failure—Associates a certificate signature failure with a redirect.
•
Cert-not-yet-valid—Associates a certificate that is not yet valid failure with the redirect.
•
Cert-other-error—Associates all other certificate failures with a redirect.
•
Cert-revoked—Associates a revoked certificate failure with a redirect.
•
CRL-has-expired—Associates an expired CRL failure with a redirect.
•
CRL-not-available—Associates a CRL that is not available failure with a redirect.
•
No-client-cert—Associates a missing client certificate failure with a redirect.
•
Unknown-issuer—Associates an unknown issuer certificate failure with a redirect.
Redirect Type
Select the redirect type to use:
•
Server Farm—Specifies a redirect server farm for the redirect.
•
URL—Specifies a static URL path for the redirect.
Server Farm Name
This field appears when the Redirect Type is set to Server Farm. The ACE Device Manager displays
radio button options for the server farms that you have configured as redirect server farms. Choose
one of the available server farm options or click Plus (+) to open the server farm configuration
popup and configure a redirect server farm (see the “Configuring Server Farms” section on
page 4-11).
Redirect URL
This field appears when the Redirect Type is set to URL. Enter the static URL path for the redirect.
Enter a string with a maximum of 255 characters and no spaces.
Redirect Code
This field appears when the Redirect Type is set to URL.
Enter the redirect code that is sent back to the client:
•
301—Status code for a resource permanently moving to a new location.
•
302—Status code for a resource temporarily moving to a new location.
Step 15
In the Redirect Authentication Failure table, do one of the following:
•
Click Deploy Now to deploy the Redirect Authentication Failure table on the ACE and save your
entries to the running-configuration and startup-configuration files.
•
Click Cancel to exit the procedure without saving your entries and to return to the Redirect
Authentication Failure table.
•
Click Next to deploy your entries and to add another entry to the Redirect Authentication Failure
table.
Step 16
In the Parameter Map table, do one of the following:
•
Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
•
Click Cancel to exit the procedure without saving your entries and to return to the Parameter Map
table.
•
Click Next to deploy your entries and to add another entry to the Parameter Map table.
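A model of the decisions that Steps 8 through 15 configure, written as an added example that is not part of the guide or of the ACE software: cipher choice by priority (Table 7-8), and the outcome of a certificate-verification failure given the Ignore Authentication Failure flag (Step 10) and the redirect table (Table 7-9), including the rules that a specific reason is tried before `any`, that `any` cannot be combined with ignore, and that redirects apply only to SSL termination. Cipher names are illustrative, and the precedence of a specific-reason redirect over the ignore flag is this model's own assumption.

```python
from dataclasses import dataclass, field

TERMINATION = "termination"   # ACE is the SSL server and validates client certificates
INITIATION = "initiation"     # ACE is the SSL client and validates server certificates

# Failure reasons from Step 10 and Table 7-9, grouped by where they can occur.
CLIENT_CERT_ONLY = {"no-client-cert", "crl-not-available", "crl-has-expired",
                    "cert-has-signature-failure", "cert-other-error"}
CLIENT_OR_SERVER = {"cert-not-yet-valid", "cert-expired", "cert-revoked", "unknown-issuer"}
ALL_REASONS = CLIENT_CERT_ONLY | CLIENT_OR_SERVER


@dataclass
class SslParameterMap:
    ciphers: dict = field(default_factory=dict)     # cipher name -> priority, 1 (least) .. 10 (most)
    ignore_auth_failure: bool = False               # Step 10
    redirects: dict = field(default_factory=dict)   # reason or "any" -> server farm / URL (Table 7-9)

    def validate(self):
        """The constraints the guide states; returns True or raises ValueError."""
        for name, priority in self.ciphers.items():
            if not 1 <= priority <= 10:
                raise ValueError(f"cipher {name}: priority {priority} is outside 1..10")
        if self.ignore_auth_failure and "any" in self.redirects:
            raise ValueError("redirect 'any' cannot be combined with ignore authentication failure")
        unknown = set(self.redirects) - ALL_REASONS - {"any"}
        if unknown:
            raise ValueError(f"unknown redirect reasons: {sorted(unknown)}")
        return True

    def select_cipher(self, offered):
        """Highest-priority cipher that both sides support, or None (no handshake possible)."""
        common = [c for c in offered if c in self.ciphers]
        return max(common, key=self.ciphers.__getitem__) if common else None

    def on_auth_failure(self, reason, mode):
        """Outcome when certificate verification fails for `reason` in the given mode:
        ("redirect", target), ("accept", None) or ("reject", None)."""
        if reason not in ALL_REASONS:
            raise ValueError(f"unknown failure reason {reason!r}")
        if mode == INITIATION and reason in CLIENT_CERT_ONLY:
            raise ValueError(f"{reason} only arises when validating a client certificate")
        if mode == TERMINATION:     # the ACE ignores redirect attributes for SSL initiation
            if reason in self.redirects:            # a specific reason wins over "any"
                return "redirect", self.redirects[reason]
            if "any" in self.redirects:
                return "redirect", self.redirects["any"]
        if self.ignore_auth_failure:
            return "accept", None                   # nonfatal error ignored, handshake continues
        return "reject", None


if __name__ == "__main__":
    # Illustrative cipher names and redirect targets (assumptions, not from the guide).
    pm = SslParameterMap(
        ciphers={"rsa_with_aes_256_cbc_sha": 10, "rsa_with_aes_128_cbc_sha": 8, "rsa_with_rc4_128_md5": 1},
        redirects={"cert-expired": "https://renew.example.test/", "any": "https://help.example.test/"},
    )
    pm.validate()
    print(pm.select_cipher(["rsa_with_rc4_128_md5", "rsa_with_aes_128_cbc_sha"]))
    print(pm.on_auth_failure("cert-expired", TERMINATION))
    print(pm.on_auth_failure("cert-revoked", INITIATION))
```

The model is deliberately strict: `validate()` refuses the combination the guide forbids, and `on_auth_failure()` returns "reject" for initiation even when a redirect is configured, which matches the note under Step 14.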
Related Topics
•
Configuring SSL, page 7-1
•
Importing SSL Certificates, page 7-8
•
Importing SSL Key Pairs, page 7-12
•
Generating SSL Key Pairs, page 7-15
•
Configuring SSL Chain Group Parameters, page 7-24
•
Configuring SSL CSR Parameters, page 7-25
•
Configuring SSL Proxy Service, page 7-27
Configuring SSL Chain Group Parameters
A chain group specifies the certificate chains that the ACE appliance sends to its peer during the
handshake process. A certificate chain is a hierarchical list of certificates that includes the ACE
appliance’s certificate, the root certificate authority certificate, and any intermediate certificate authority
certificates. Using the information provided in a certificate chain, the certificate verifier searches for a
trusted authority in the hierarchical list up to and including the root certificate authority. If the
verifier finds a trusted authority before reaching the root certificate authority certificate, it stops
searching further.
Use this procedure to configure certificate chains for a virtual context.
Assumption
At least one SSL certificate is available.
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > Chain Group Parameters. The Chain Group
Parameters table appears.
Step 2
Click Add to add a new chain group, or select an existing chain group, then click Edit to modify it. The
Chain Group Parameters configuration screen appears.
Step 3
In the Name field, enter a unique name for the chain group. Valid entries are alphanumeric strings with
a maximum of 64 characters.
Step 4
Click:
•
Deploy Now to deploy this configuration on the ACE appliance. The updated Chain Group
Parameters screen appears along with the Chain Group Certificates table. Continue with Step 5.
•
Cancel to exit the procedure without saving your entries and to return to the Chain Group
Parameters table.
•
Next to save your entries and to add another entry to the Chain Group Parameters table.
Step 5
In the Chain Group Certificates table, click Add to add an entry. The Chain Group Certificates
configuration screen appears.
Note
You cannot modify an existing entry in the Chain Group Certificates table. Instead, delete the
entry, then add a new one.
Step 6
In the Certificate Name field, select the certificate to add to this chain group.
Step 7
Click:
•
Deploy Now to deploy this configuration on the ACE appliance.
•
Cancel to exit the procedure without saving your entries and to return to the Chain Group
Certificates table.
•
Next to save your entries and to add another certificate to this chain group table.
Related Topics
•
Configuring SSL, page 7-1
•
Importing SSL Certificates, page 7-8
•
Importing SSL Key Pairs, page 7-12
•
Generating SSL Key Pairs, page 7-15
•
Configuring SSL Parameter Maps, page 7-19
•
Configuring SSL CSR Parameters, page 7-25
•
Configuring SSL Proxy Service, page 7-27
Configuring SSL CSR Parameters
A certificate signing request (CSR) is a message you send to a certificate authority such as VeriSign or
Thawte to apply for a digital identity certificate. The CSR contains information that identifies the SSL
site, such as location and a serial number, and the public key of the key pair you select. The corresponding
private key is not included in the CSR but is used to digitally sign the request, which proves to the
certificate authority that you hold it. The CSR may be accompanied by other credentials or proofs of
identity required by the certificate authority, and the certificate authority may contact the applicant for
more information.
If the request is successful, the certificate authority returns an identity certificate that it has digitally
signed with its own private key.
CSR parameters define the distinguished name attributes the ACE appliance applies to the CSR during
the CSR-generating process. These attributes provide the certificate authority with the information it
needs to authenticate your site. Defining a CSR parameter set lets you to generate multiple CSRs with
the same distinguished name attributes.
Each context on an ACE appliance can contain up to eight CSR parameter sets.
Use this procedure to define the distinguished name attributes for SSL CSRs.
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > CSR Parameters. The CSR Parameters table
appears.
Step 2
Click Add to add new set of CSR attributes, or select an existing entry to modify, then click Edit. The
CSR Parameters configuration screen appears.
Step 3
In the Name field, enter a unique name for this parameter set. Valid entries are alphanumeric strings with
a maximum of 64 characters.
Step 4
In the Country field, enter the name of the country where the SSL site resides. Valid entries are 2
alphabetic characters representing the country, such as US for the United States. The International
Organization for Standardization (ISO) maintains the complete list of valid country codes on its Web site
(www.iso.org).
Step 5
In the State field, enter the name of the state or province where the SSL site resides.
Step 6
In the Locality field, enter the name of the city where the SSL site resides.
Step 7
In the Common Name field, enter the name of the domain or host of the SSL site. Valid entries are
alphanumeric strings with a maximum of 64 characters. The ACE supports the following special
characters: , . / = + - ^ @ ! % ~ # $ * ( ).
Step 8
In the Serial Number field, enter a serial number to assign to the certificate. Valid entries are
alphanumeric strings with a maximum of 16 characters.
Step 9
In the Organization Name field, enter the name of the organization to include in the certificate. Valid
entries are alphanumeric strings with a maximum of 64 characters.
Step 10
In the Email field, enter the site e-mail address. Valid entries are alphanumeric strings with a maximum
of 40 characters.
Step 11
In the Organization Unit field, enter the name of the organization to include in the certificate. Valid
entries are alphanumeric strings with a maximum of 64 characters.
Step 12
Click:
•
Deploy Now to deploy this configuration on the ACE appliance.
•
Cancel to exit this procedure without saving your entries and to return to the CSR Parameters table.
•
Next to save your entries and to define another set of CSR attributes.
Related Topics
•
Configuring SSL, page 7-1
•
Importing SSL Certificates, page 7-8
•
Importing SSL Key Pairs, page 7-12
•
Configuring SSL Parameter Maps, page 7-19
•
Configuring SSL Chain Group Parameters, page 7-24
•
Configuring SSL Proxy Service, page 7-27
Generating CSRs
A certificate signing request (CSR) is a message you send to a certificate authority such as VeriSign or
Thawte to apply for a digital identity certificate. Create a CSR when you need to apply for a certificate
from a certificate authority. When the certificate authority approves a request, it signs the certificate with
its own private key and returns the authorized digital certificate to you. The certificate contains your
public key; no private key, yours or the authority's, is ever part of it. When you receive the authorized
certificate, import it (see Importing SSL Certificates, page 7-8). The matching private key is already on
the ACE if you generated the key pair there; otherwise, import the key pair as well (see Importing SSL
Key Pairs, page 7-12).
Use this procedure to generate SSL CSRs.
Assumption
You have configured SSL CSR parameters (see Configuring SSL CSR Parameters, page 7-25).
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > Keys. The Keys table appears.
Step 2
Select a key in the table, then click Generate CSR. The Generate a Certificate Signing Request dialog
box appears.
Step 3
In the CSR Parameter field, select the CSR parameter to be used.
Cisco 4700 Series Application Control Engine Appliance Device Manager Configuration Guide
7-26
OL-23543-01
Chapter 7
Configuring SSL
Configuring SSL Proxy Service
Step 4
Click:
•
OK to generate the CSR. The CSR appears in a popup window which you can now submit to a
certificate authority for approval. Work with your certificate authority to determine the method of
submission, such as e-mail or a Web-based application. Click Close to close the popup window and
to return to the Keys table.
•
Cancel to exit this procedure without generating the CSR and to return to the Keys table.
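The following shell script is an added example and is not from this guide or from the ACE software. It uses the openssl command line to walk through the same sequence offline: a key pair, a CSR carrying the subject fields from the CSR Parameters screen, a signed certificate standing in for what the CA returns, and the key-to-certificate comparison that the Verify Key button in the Proxy Service screen performs (see Configuring SSL Proxy Service, page 7-27). The subject values, file names and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Cisco guide or the ACE software: build a CSR with
# the subject fields the CSR Parameters screen collects, stand in for the CA by
# signing it, and reproduce the "Verify Key" check that ties a key pair to a
# certificate. Requires the openssl CLI. All names and values are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two RSA key pairs: the one the CSR is built from, and an unrelated one that
# stands in for picking the wrong entry in the Keys drop-down list.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/site.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/wrong.key" 2>/dev/null

# Subject built from the CSR parameter fields (country, state, locality,
# organization, organizational unit, common name, e-mail). Constructed values.
SUBJ='/C=US/ST=California/L=San Jose/O=Example Corp/OU=Web Operations/CN=www.example.com/emailAddress=ssl-admin@example.com'
openssl req -new -key "$WORK/site.key" -subj "$SUBJ" -out "$WORK/site.csr"

# What the CA hands back: a certificate over the CSR's public key. Here the CSR
# key signs it (self-signed) so the example runs offline; a real CA signs with
# its own key and never sees the ACE's private key.
openssl x509 -req -in "$WORK/site.csr" -signkey "$WORK/site.key" -days 365 -out "$WORK/site.crt" 2>/dev/null

# Print the SHA-256 fingerprint of the public key inside a key, CSR or certificate.
pubkey_fingerprint() { # $1 = key|csr|cert, $2 = PEM file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac | openssl dgst -sha256 | awk '{ print $NF }'
}

# Verify Key: the private key and the certificate must carry the same public key.
key_matches_cert() { # $1 = private key file, $2 = certificate file
    [ "$(pubkey_fingerprint key "$1")" = "$(pubkey_fingerprint cert "$2")" ]
}

# A CSR is signed with the requester's own key; a good signature is the CA's
# evidence that whoever sent the CSR holds the matching private key.
csr_signature_ok() { # $1 = CSR file
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Print the CSR subject in RFC 2253 form so the individual fields can be checked.
csr_subject() { # $1 = CSR file
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

echo "key/cert match: $(key_matches_cert "$WORK/site.key" "$WORK/site.crt" && echo yes || echo no)"
echo "wrong key/cert match: $(key_matches_cert "$WORK/wrong.key" "$WORK/site.crt" && echo yes || echo no)"
echo "CSR subject: $(csr_subject "$WORK/site.csr")"
```

The public-key fingerprint is what ties the three objects together: the CSR and the certificate both carry the public key, and the private key reproduces it, which is why a mismatched key pair fails the check even though every object is valid on its own.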
Related Topics
•
Configuring SSL, page 7-1
•
Importing SSL Certificates, page 7-8
•
Importing SSL Key Pairs, page 7-12
•
Configuring SSL Parameter Maps, page 7-19
•
Configuring SSL Chain Group Parameters, page 7-24
•
Configuring SSL Proxy Service, page 7-27
Configuring SSL Proxy Service
SSL proxy service defines the SSL parameter map, key pair, certificate, and chain group an ACE
appliance uses during SSL handshakes. By configuring an SSL proxy server service on an ACE
appliance, the ACE appliance can act as an SSL server.
Use this procedure to define the attributes that the ACE appliance is to use during SSL handshakes so
that it can act as an SSL server.
Assumption
You have configured at least one SSL key pair, certificate, chain group, or parameter map to apply to this
proxy service.
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > Proxy Service. The Proxy Service table appears.
Step 2
Click Add to add a new proxy service, or select an existing service, then click Edit to modify it. The
Proxy Service configuration screen appears.
Step 3
In the Name field, enter a unique name for this proxy service. Valid entries are alphanumeric strings with
a maximum of 64 characters.
Step 4
In the Keys field, select the key pair that the ACE appliance is to use during the SSL handshake for data
encryption.
Caution
When choosing the key pair from the drop-down list, be sure to choose the keys that
correspond to the certificate that you choose.
If you use SSL Setup Sequence to create the proxy service, ACE appliance Device Manager
selects the keys that correspond to the certificate that you choose. If ACE appliance Device
Manager cannot detect a corresponding key pair, you can select a key pair from the drop-down
list and click Verify Key to have ACE appliance Device Manager verify that the keys correspond
to the selected certificate. ACE appliance Device Manager displays a message to let you know
that your key pair selection either matches or does not match the selected certificate. For more
information about SSL Setup Sequence, see the “SSL Setup Sequence” section on page 7-5.
Note
The cisco-sample-key option is available for the sample key pair. For information about this sample key
pair, see the “Using SSL Certificates” section on page 7-6.
Step 5
In the Certificates field, select the certificate that the ACE appliance is to use during the SSL handshake
to prove its identity.
Caution
When choosing the certificate from the drop-down list, be sure to choose the certificate that
corresponds to the key pair that you chose in Step 4. The SSL Setup Sequence and Verify Key
behavior described in the Step 4 caution applies here as well (see the “SSL Setup Sequence”
section on page 7-5).
Note
The cisco-sample-cert option is available for the sample certificate. For information on this sample
certificate, see the “Using SSL Certificates” section on page 7-6.
Step 6
In the Chain Groups field, select the chain group that the ACE appliance is to use during the SSL
handshake.
Step 7
In the Auth Groups field, select the auth group name that the ACE is to use during the SSL handshake.
To create an auth group, see Configuring SSL Authentication Groups, page 7-29.
The CRL Best-Effort check box appears only after you select an auth group. When checked, the ACE
appliance scans each client certificate presented to this service for a CRL distribution point in the
certificate extensions and, if one is present, retrieves the CRL from that URL. Alternatively, assign a
CRL that you configured in the CRL Name field (Step 8); see Configuring CRLs for Client
Authentication, page 7-31.
Step 8
In the CRL Name field, enter the name of the CRL.
Step 9
In the Parameter Maps field, select the SSL parameter map to associate with this SSL proxy server
service.
Step 10
Click:
•
Deploy Now to deploy this configuration on the ACE appliance.
•
Cancel to exit this procedure without saving your entries and to return to the Proxy Service table.
•
Next to save your entries and to add another proxy service.
Related Topics
•
Configuring SSL, page 7-1
•
Importing SSL Certificates, page 7-8
•
Importing SSL Key Pairs, page 7-12
•
Configuring SSL Parameter Maps, page 7-19
•
Configuring SSL Chain Group Parameters, page 7-24
•
Configuring SSL CSR Parameters, page 7-25
Enabling Client Authentication
During a normal SSL handshake, the SSL server sends its certificate to the client, and the client verifies
the identity of the server through that certificate. The client does not send any identification of its own
to the server. When you enable client authentication on the ACE, the ACE requires the client to send a
certificate as well, and the server side verifies the following about that certificate:
•
A recognized CA (one whose certificate is in the auth group assigned to the proxy service) issued the
certificate.
•
The validity period of the certificate is still in effect.
•
The certificate signature is valid and the certificate has not been tampered with.
•
The CA has not revoked the certificate. This check is performed only when a CRL is configured; see
Configuring CRLs for Client Authentication, page 7-31.
Client authentication also requires that at least one SSL certificate is available on the ACE to place in an
authentication group.
Use the following procedures to enable or disable client authentication:
•
Configuring SSL Proxy Service, page 7-27
•
Configuring SSL Authentication Groups, page 7-29
•
Configuring CRLs for Client Authentication, page 7-31
Configuring SSL Authentication Groups
On the ACE, you can implement a group of certificates that are trusted as certificate signers by creating
an authentication group. After creating the authentication group and assigning its certificates, then you
can assign the authentication group to a proxy service in an SSL termination configuration to enable
client authentication. For information on client authentication, see Enabling Client Authentication,
page 7-29.
For information on server authentication and assigning an authentication group, see Configuring SSL
Proxy Service, page 7-27.
Use this procedure to specify the certificate authentication groups that the ACE uses during the SSL
handshake and enable client authentication on this SSL-proxy service. The ACE includes the certificates
configured in the group along with the certificate that you specified for the SSL proxy service.
Assumptions
•
At least one SSL certificate is available.
•
Your ACE appliance supports authentication groups.
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > Auth Group Parameters.
The Auth Group Parameters table appears.
Step 2
Click Add to add an authentication group, or select an existing auth group, then click Edit to modify it.
The Auth Group Parameters configuration screen appears.
Step 3
In the Name field, enter a unique name for the auth group. Valid entries are alphanumeric strings with a
maximum of 64 characters.
Step 4
Click:
•
Deploy Now to deploy this configuration on the ACE. The updated Auth Group Parameters screen
appears along with the Auth Group Certificates table. Continue with Step 5.
•
Cancel to exit the procedure without saving your entries and to return to the Auth Group Parameters
table.
•
Next to deploy your entries and to add another entry to the Auth Group Parameters table.
Step 5
In the Auth Group Certificate field, click Add to add an entry. The Auth Group Certificates configuration
screen appears.
Note
You cannot modify an existing entry in the Auth Group Certificates table. Instead, delete the
entry, then add a new one.
Step 6
In the Certificate Name field, select the certificate to add to this auth group.
Step 7
Click:
•
Deploy Now to deploy this configuration on the ACE.
•
Cancel to exit the procedure without saving your entries and to return to the Auth Group Parameters
table.
•
Next to deploy your entries and to add another certificate to this auth group.
Step 8
You can repeat the previous step to add more certificates to the auth group or click Deploy Now.
Step 9
After you configure auth group parameters, you can configure the SSL proxy service to use a CRL. See
Configuring CRLs for Client Authentication, page 7-31.
Note
When you enable client authentication, a significant performance decrease may occur. Additional
latency may occur when you configure CRL retrieval.
Related Topics
•
Configuring SSL Chain Group Parameters, page 7-24
•
Configuring CRLs for Client Authentication, page 7-31
Configuring CRLs for Client Authentication
By default, ACE does not use certificate revocation lists (CRLs) during client authentication. You can
configure the SSL proxy service to use a CRL by having the ACE scan each client certificate for the
service to determine if it contains a CRL in the extension and then retrieve the value, if it exists. For more
information about SSL termination on the ACE, see the Cisco 4700 Series Application Control Engine
Appliance SSL Configuration Guide.
Note
The ACE supports the creation of a maximum of eight CRLs for any context.
Note
When you enable client authentication, a significant performance decrease may occur. Additional
latency may occur when you configure CRL retrieval.
Use this procedure to configure ACE to scan for CRLs and retrieve them.
Assumption
You have configured an auth group and assigned it to the SSL proxy service (see Configuring SSL
Authentication Groups, page 7-29). A CRL cannot be configured on an SSL proxy service without an
auth group.
Procedure
Step 1
Select Config > Virtual Contexts > context > SSL > Certificate Revocation Lists (CRL). The
Certificate Revocation List table appears.
Step 2
Click Add to add a CRL or select an existing CRL, then click Edit to modify it. The Certificate
Revocation List screen appears.
Step 3
Enter the information in Table 7-10.
Table 7-10
SSL Certificate Revocation List
Name—Enter the CRL name. Valid entries are unquoted alphanumeric strings with a maximum of
64 characters.
URL—Enter the URL from which the ACE retrieves the CRL. Valid entries are unquoted alphanumeric
strings with a maximum of 255 characters. Only HTTP URLs are supported; the ACE checks the URL and
displays an error if it does not match. Because the CRL is fetched over cleartext HTTP, the integrity of the
list rests on the issuing CA's signature over the CRL rather than on the transport, and an attacker who can
block the fetch can prevent revocation from being checked, so monitor for CRL retrieval failures.
Step 4
Click:
•
Deploy Now to deploy this configuration on the ACE. The updated Certificate Revocation List table
appears.
•
Cancel to exit the procedure without saving your entries and to return to the Certificate Revocation
List table.
•
Next to deploy your entries and to add another entry to the Certificate Revocation List table.
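The following shell script is an added example and is not from this guide or from the ACE software. With the openssl command line it builds a throw-away CA (the certificate you would add to an auth group), issues a client certificate that carries a CRL distribution point, and then reproduces the checks listed under Enabling Client Authentication, page 7-29, and the CRL best-effort scan described in this section: chain to a trusted issuer, validity period, signature, and revocation against a CRL published by that CA, plus the HTTP-only restriction from Table 7-10. All names, URLs and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Cisco guide or the ACE software: a throw-away CA
# issues a client certificate with a CRL distribution point, then the client
# authentication checks (trusted issuer, validity, signature, revocation) and
# the CRL best-effort scan are reproduced with the openssl CLI. Constructed data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA key and self-signed CA certificate. The CA certificate is the object
# you would import into an auth group on the ACE.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
openssl req -new -key "$WORK/ca.key" -subj '/O=Example Corp/CN=Example Client CA' -out "$WORK/ca.csr"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# Client key, CSR and CA-issued certificate carrying a CRL distribution point.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/client.key" 2>/dev/null
openssl req -new -key "$WORK/client.key" -subj '/O=Example Corp/CN=alice' -out "$WORK/client.csr"
printf 'crlDistributionPoints=URI:http://crl.example.com/clientca.crl\n' > "$WORK/client.ext"
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null

# Minimal "openssl ca" database so the CA can revoke certificates and sign CRLs.
: > "$WORK/index.txt"
echo 01 > "$WORK/crlnumber"
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = client_ca
[ client_ca ]
database    = $WORK/index.txt
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
crlnumber   = $WORK/crlnumber
default_md  = sha256
EOF
# CRL before revocation (empty), then revoke the client and publish a new CRL.
openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 30 -out "$WORK/before.crl" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/client.crt" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 30 -out "$WORK/after.crl" 2>/dev/null

# Checks 1 to 3 from the client authentication list: the certificate chains to
# a trusted issuer, is within its validity period, and its signature verifies.
cert_chains_to() { # $1 = CA certificate (auth group member), $2 = client certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 4: the same chain checks plus a lookup of the serial number in the CRL.
cert_not_revoked() { # $1 = CA certificate, $2 = CRL file, $3 = client certificate
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# CRL best-effort: print the URI from the certificate's CRL distribution point
# extension, or nothing when the extension is absent.
crl_url_in_cert() { # $1 = certificate
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'
}

# Table 7-10 allows only HTTP URLs for a CRL, so an https or ldap distribution
# point is one the ACE cannot follow.
ace_can_fetch() { # $1 = URL
    case "$1" in http://*) return 0 ;; *) return 1 ;; esac
}

echo "chains to CA: $(cert_chains_to "$WORK/ca.crt" "$WORK/client.crt" && echo yes || echo no)"
echo "CRL in cert: $(crl_url_in_cert "$WORK/client.crt")"
echo "revoked per new CRL: $(cert_not_revoked "$WORK/ca.crt" "$WORK/after.crl" "$WORK/client.crt" && echo no || echo yes)"
```

The revocation result depends entirely on which CRL is consulted: the same certificate passes against the CRL published before the revocation and fails against the one published after it, which is why a stale or unreachable CRL silently weakens the fourth check.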
Related Topics
•
Configuring SSL Proxy Service, page 7-27
•
Configuring SSL Authentication Groups, page 7-29
C H A P T E R
8
Configuring Network Access
The ACE appliance has four physical Ethernet interface ports. All VLANs are allocated to the physical
ports. After the VLANs are assigned, you can configure the corresponding VLAN interfaces as either
routed or bridged for use. When you configure an IP address on an interface, the ACE appliance
automatically makes it a routed mode interface.
Similarly, when you configure a bridge group on an interface VLAN, the ACE appliance automatically
makes it a bridged interface. Then, you associate a bridge-group virtual interface (BVI) with the bridge
group.
The ACE appliance also supports shared VLANs; multiple interfaces in different contexts on the same
VLAN within the same subnet. Only routed interfaces can share VLANs. Note that there is no routing
across contexts even when shared VLANs are configured.
In routed mode, the ACE is considered a router hop in the network. In the Admin or user contexts, the
ACE supports static routes only. The ACE supports up to eight equal cost routes for load balancing.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
Related Topics
•
Configuring Port Channel Interfaces, page 8-2
•
Configuring Gigabit Ethernet Interfaces, page 8-4
•
Configuring Virtual Context VLAN Interfaces, page 8-8
•
Configuring VLAN Interface Options, page 8-14
•
Configuring Virtual Context BVI Interfaces, page 8-19
•
Configuring Virtual Context Static Routes, page 8-22
•
Configuring Global IP DHCP, page 8-23
Configuring Port Channel Interfaces
This section discusses how to configure port channel interfaces for the ACE appliance. It consists of the
following topics:
•
Why Use Port Channels?, page 8-2
•
Configuring a Port-Channel Interface, page 8-3
Why Use Port Channels?
A port channel groups multiple physical ports into a single logical port. This is also called “port
aggregation” or “channel aggregation.” A port channel containing multiple physical ports has several
advantages:
•
Improves link reliability through physical redundancy.
•
Allows greater total throughput to the ACE appliance. For example, four 1-Gigabit Ethernet
interfaces can be aggregated into a single 4-Gigabit channel.
•
Allows traffic capacity to be scaled up in the future without network disruption at that time. A port
channel can do everything a switched port can do, but a switched port cannot do everything a port
channel can do, so we recommend that you use a port channel.
•
Provides maximum flexibility of network configuration and focuses network configuration on
VLANs rather than physical cabling
The disadvantage of a port channel is that it requires additional configuration on the switch the ACE is
connected to, as well as the ACE itself. There are many methods of port aggregation implemented by
different switches, and not every method works with ACE.
Using a port channel also requires more detailed knowledge of your network's VLANs, because all
“cabling” to and from the ACE will be handled over VLANs rather than using physical cables.
Nonetheless, use of port channels is highly recommended, especially in a production deployment of
ACE.
Figure 8-1 illustrates a port channel interface.
Figure 8-1
Example of a Port Channel Interface
(Figure: the Ethernet ports of the ACE appliance bundled into one port channel that carries the VLANs
to the switch.)
Related Topic
Configuring a Port-Channel Interface, page 8-3
Configuring a Port-Channel Interface
You can group physical ports together on the ACE to form a logical Layer 2 interface called the
port-channel. All the ports belonging to the same port-channel must be configured with the same values;
for example, port parameters, VLAN membership, and trunk configuration. Only one port-channel per
channel group is allowed, and a physical port can belong to only a single port-channel interface.
Step 1
Select Config > Virtual Contexts > context > Network > Port Channel Interfaces. The Port Channel
Interfaces table appears.
Step 2
Click Add to add a port channel interface, or select an existing port channel interface, then click Edit to
modify it.
Note
If you click Edit, not all of the fields can be modified.
Step 3
Enter the port channel interface attributes (see Table 8-1).
Table 8-1
Port Channel Interface Attributes
Interface Number—Specify a channel number for the port-channel interface, which can be from 1 to 255.
Description—Enter a brief description for this interface.
Fault Tolerance VLAN—Specify the fault tolerant (FT) VLAN used for communication between the
members of the FT group.
Admin Status—Indicate whether you want the interface to be Up or Down.
Load Balancing Method—Specify which frame fields the port channel uses to distribute traffic across its
member links:
• Dst-IP—Bases load distribution on the destination IP address.
• Dst-MAC—Bases load distribution on the destination MAC address.
• Dst-Port—Bases load distribution on the destination TCP or UDP port.
• Src-Dst-IP—Bases load distribution on the source and destination IP addresses.
• Src-Dst-MAC—Bases load distribution on the source and destination MAC addresses.
• Src-Dst-Port—Bases load distribution on the source and destination TCP or UDP ports.
• Src-IP—Bases load distribution on the source IP address.
• Src-MAC—Bases load distribution on the source MAC address.
• Src-Port—Bases load distribution on the TCP or UDP source port.
Switch Port Type—Specify the interface switchport type:
• N/A—Indicates that the switchport type is not specified.
• Access—Specifies that the port interface is an access port. You must specify a VLAN as an access
port in the Access VLAN field.
• Trunk—Specifies that the port interface is a trunk port. When you select Trunk, you must complete
the following fields:
– Trunk Native VLAN—Identifies the 802.1Q native VLAN for a trunk.
– Trunk Allowed VLANs—Selectively allocates individual VLANs to a trunk link.
Step 4
Click:
•
Deploy Now to save your entries and to return to the Port Channel Interface table.
•
Cancel to exit the procedure without saving your changes and to return to the Port Channel Interface
table.
•
Next to save your entries and to add another port-channel interface.
Configuring Gigabit Ethernet Interfaces
The ACE appliance provides physical Ethernet ports to connect servers, PCs, routers, and other devices
to the ACE. The ACE supports four Layer 2 Ethernet ports for performing Layer 2 switching. You can
configure the four Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or
1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiate, full-duplex, or half-duplex
operation on an Ethernet LAN, and can carry traffic within a designated VLAN.
A Layer 2 Ethernet port can be configured as:
•
Member of Port-Channel Group—The port is configured as a member of a port-channel group,
which associates a physical port on the ACE to a logical port to create a port-channel logical
interface. The VLAN association is derived from port-channel configuration. The port is configured
as a Layer 2 EtherChannel, where each EtherChannel bundles the individual physical Ethernet data
ports into a single logical link that provides the aggregate bandwidth of up to four physical links on
the ACE.
•
Access VLAN—The port is assigned to a single VLAN. This port is referred to as an access port
and provides a connection for end users or node devices, such as a router or server.
•
Trunk port—The port is associated with IEEE 802.1Q encapsulation-based VLAN trunking to
allocate VLANs to ports and to pass VLAN information (including VLAN identification) between
switches for all Ethernet channels defined in a Layer 2 Ethernet data port or a Layer 2 EtherChannel
(port-channel) group on the ACE.
The following procedure describes how to configure a gigabit Ethernet interface.
Procedure
Step 1
Select Config > Virtual Contexts > context > Network > Gigabit Ethernet Interfaces. The
GigabitEthernet Interfaces table appears.
Step 2
Select an existing gigabit Ethernet interface, then click Edit to modify it.
Step 3
Enter the Gigabit Ethernet physical interface attributes (see Table 8-2).
Table 8-2
Gigabit Ethernet Physical Interface Attributes
Interface Name—Name of the gigabit interface, in the form slot_number/port_number, where
slot_number is the physical slot on the ACE for the specified port and port_number is the physical
Ethernet data port on the ACE for the specified port.
Description—Enter a brief description for this interface.
Admin Status—Indicate whether you want the interface to be Up or Down.
Speed—Specifies the port speed, which can be:
• Auto—Autonegotiate with other devices
• 10 Mbps
• 100 Mbps
• 1000 Mbps
Duplex—Specifies the interface duplex mode, which can be:
• Auto—Resets the specified Ethernet port to automatically negotiate port speed and duplex of
incoming signals. This is the default setting.
• Half—Configures the specified Ethernet port for half-duplex operation. A half-duplex setting
ensures that data only travels in one direction at any given time.
• Full—Configures the specified Ethernet port for full-duplex operation, which allows data to travel
in both directions at the same time.
Port Operation Mode—Specifies the port operation mode, which can be:
• N/A—Indicates that this option is not to be used.
• Channel Group—Maps the port to a port channel. You must specify:
– Port Channel Group Number—Specify the port channel group number.
– Fault Tolerant VLAN—Specify the fault tolerant (FT) VLAN used for communication between
the members of the FT group.
• Switch Port—Specifies the interface switchport type:
– Access—Specifies that the port interface is an access port. You must specify a VLAN as an
access port in the Access VLAN field.
– Trunk—Specifies that the port interface is a trunk port. When you select Trunk, you must
complete one or both of the following fields:
Trunk Native VLAN—Identifies the 802.1Q native VLAN for a trunk.
Trunk Allowed VLANs—Selectively allocates individual VLANs to a trunk link.
Fault Tolerant VLAN—Specifies the fault tolerant (FT) VLAN used for communication between the
members of the FT group.
Carrier Delay—Adds a configurable delay at the physical port level to address any issues with
transition time, based on the variety of peers. Valid values are 0 to 120 seconds. The default is 0 (no
carrier delay).
Note
If you connect an ACE to a Catalyst 6500 series switch, your configuration on the Catalyst may include
the Spanning-Tree Protocol (STP). However, the ACE does not support STP. In this case, you may find
that the Layer 2 convergence time is much longer than the physical port up time. For example, the
physical port would normally be up within 3 seconds, but STP moving to the forwarding state may need
approximately 30 seconds. During this transitional time, although the ACE declares the port to be up,
traffic will not pass. In this case, specify a carrier delay.
QoS Trust COS—Enables Quality of Service (QoS) for the physical Ethernet port. By default, QoS is
disabled for each physical Ethernet port on the ACE.
QoS for a configured physical Ethernet port is based on VLAN Class of Service (CoS) bits (priority bits
that segment the traffic into eight different classes of service). When you enable QoS on a port (a trusted
port), traffic is mapped into different ingress queues based on its VLAN CoS bits. If there are no VLAN
CoS bits, or QoS is not enabled on the port (an untrusted port), the traffic is mapped into the lowest
priority queue.
You can enable QoS for an Ethernet port configured for fault tolerance. In this case, heartbeat packets
are always tagged with CoS bits set to 7 (a weight of High).
Note
We recommend that you enable QoS on the FT VLAN port to provide higher priority for FT traffic.
Step 4
Click:
•
Deploy Now to save your entries and to return to the Physical Interface table.
•
Cancel to exit the procedure without saving your changes and to return to the Physical Interface
table.
•
Next or Previous to go to the next or previous physical interface.
•
Delete to remove this entry from the Physical Interface table and to return to the table.
Related Topics
•
Configuring Virtual Context VLAN Interfaces, page 8-8
•
Configuring Virtual Context BVI Interfaces, page 8-19
•
Configuring Virtual Context Static Routes, page 8-22
Configuring Virtual Context VLAN Interfaces
The ACE Appliance Device Manager uses class maps and policy maps to classify (filter) traffic and to
direct it to different contexts. A virtual context uses VLANs to receive packets classified for that context.
Note
When you create a new VLAN interface for a virtual context, you can configure one or more VLAN
interfaces in a user context before you allocate those VLANs to that user context through the
Allocate-Interface VLANs field of the virtual context (see the “Creating Virtual Contexts” section on
page 2-2).
Use this procedure to configure VLAN interfaces for virtual contexts.
Procedure
Step 1
To configure a virtual context, select Config > Virtual Contexts > context > Network > VLAN
Interfaces. The VLAN Interface table appears.
Step 2
Click Add to add a new VLAN interface, or select an existing VLAN interface, then click Edit to modify
it.
Note
If you click Edit, not all of the fields can be modified.
Step 3
Enter the VLAN interface attributes (see Table 8-3). Click More Settings to access the additional VLAN
interface attributes. By default, ACE appliance Device Manager hides the default VLAN interface
attributes and the VLAN interface attributes which are not commonly used.
Note
If you create a fault-tolerant VLAN, do not use it for any other network traffic.
Table 8-3
VLAN Interface Attributes
VLAN—Either accept the automatically incremented entry or enter a different value. Valid entries are
integers from 2 to 4094.
Description—Enter a brief description for this interface.
Interface Type—Select the role of the virtual context in the network topology of the VLAN interface:
• Routed—In a routed topology, the ACE virtual context acts as a router between the client-side
network and the server-side network. In this topology, every real server for the application must be
routed through the ACE virtual context, either by setting the default gateway on each real server to the
virtual context's server-side VLAN interface address, or by using a separate router with appropriate
routes configured between the ACE virtual context and the real servers.
• Bridged—In a bridged topology, the ACE virtual context bridges two VLANs, a client-side VLAN and
a real-server VLAN, on the same subnet using a bridged virtual interface (BVI). In this case, the real
server routing does not change to accommodate the ACE virtual context. Instead, the ACE virtual
context becomes a “bump in the wire” that transparently handles traffic to and from the real servers.
• Unknown—Choose Unknown if you are unsure of the network topology of the VLAN interface.
IP Address—Enter the IP address assigned to this interface.
Alias IP Address—Enter the IP address of the alias this interface is associated with.
Peer IP Address—Enter the IP address of the remote peer.
Netmask—Select the subnet mask to be used.
Admin Status—Indicate whether you want the interface to be Up or Down.
Enable MAC Sticky—Check the check box to indicate that the ACE appliance is to convert dynamic
MAC addresses to sticky secure MAC addresses and add this information to the running configuration.
Clear the check box to indicate that the ACE appliance is not to convert dynamic MAC addresses to
sticky secure MAC addresses.
Enable Normalization—Check the check box to indicate that normalization is to be enabled on this
interface. Clear the check box to indicate that normalization is to be disabled on this interface.
Caution
Disabling normalization may expose your ACE appliance and network to potential security risks.
Normalization protects your networking environment from attackers by enforcing strict security
policies that are designed to examine traffic for malformed or malicious segments.
More Settings
Secondary IP Groups—This option appears only when Interface Type is set to Routed. Enter a maximum
of four secondary IP groups for the VLAN. The IP, alias IP, and peer IP addresses of each secondary IP
group must be in the same subnet.
Note
You cannot configure secondary IP addresses on FT VLANs.
To create up to four secondary IP groups for the VLAN, do the following:
a.
Define one or more of the following secondary IP address types:
– IP—Secondary IP address assigned to this interface. The primary address must be active for the
secondary address to be active.
– AliasIP—Secondary IP address of the alias associated with this interface.
– PeerIP—Secondary IP address of the remote peer.
– Netmask—Secondary subnet mask to be used.
The ACE has a system limit of 1,024 for each secondary IP address type.
b.
Click Add to selection (right arrow) to add the group to the group display area.
c.
Repeat steps a and b for each additional group.
d.
(Optional) Rearrange the order in which the groups are listed by selecting one of the group listings
in the group display area and clicking either Move item up in list (up arrow) or Move item down in
list (down arrow). The ACE does not depend on the order of the groups.
e.
(Optional) Edit a group or remove it from the list by selecting the desired group in the group display
area and clicking Remove from selection (left arrow).
ARP Inspection Type
By default, ARP inspection is disabled on all interfaces, allowing all
ARP packets through the ACE. When you enable ARP inspection, the
ACE appliance uses the IP address and interface ID (ifID) of an
incoming ARP packet as an index into the ARP table and checks the
packet against the static ARP entries configured for that interface. ARP
inspection operates only on ingress bridged interfaces.
ARP inspection prevents malicious users from impersonating other
hosts or routers, known as ARP spoofing. ARP spoofing can enable a
“man-in-the-middle” attack. For example, a host sends an ARP request
to the gateway router and the gateway router responds with its MAC
address. An attacker can then send the host a forged ARP reply that
maps the gateway IP address to the attacker's MAC address, so the host
sends its traffic for the gateway to the attacker instead.
Note
If ARP inspection fails, then the ACE does not perform source
MAC validation.
The options are as follows:
• N/A—ARP inspection is disabled.
• Flood—Enables ARP forwarding of nonmatching ARP packets.
The ACE appliance forwards all ARP packets to all interfaces in the
bridge group. This is the default setting when you enable ARP
inspection. In the absence of a static ARP entry, this option bridges
all packets.
• No-flood—Disables ARP forwarding for the interface and drops
nonmatching ARP packets. In the absence of a static ARP entry, this
option does not bridge any packets.
Max. Fragment Chains Allowed
Enter the maximum number of fragments belonging to the same packet
that the ACE appliance is to accept for reassembly. Valid entries are
integers from 1 to 256.
Min. Fragment MTU Value
Enter the minimum fragment size that the ACE appliance accepts for
reassembly on a VLAN interface. Valid entries are integers from 28 to
9216 bytes.
MTU Value
Enter the Maximum Transmission Unit (MTU) for the interface in bytes.
Valid entries are integers from 68 to 9216, and the default is 1500.
Reassembly Timeout (Seconds)
Enter the number of seconds that the ACE appliance is to wait before it
abandons the fragment reassembly process if it does not receive any
outstanding fragments for the current fragment chain (that is, fragments
belonging to the same packet). Valid entries are 1 to 30 seconds.
Reverse Path Forwarding (RPF)
Check the check box to indicate that the ACE appliance is to discard IP
packets if no reverse route is found or if the route does not match the
interface on which the packets arrived.
Clear the check box to indicate that the ACE appliance is not to filter or
discard packets based on the ability to verify the source IP address.
Enable MAC Address Autogenerate
Allows you to configure a different MAC address for the VLAN
interface.
Enable ICMP Guard
Check the check box to indicate that ICMP Guard is to be enabled on the
ACE appliance. Clear the check box to indicate that ICMP Guard is not
to be enabled on the ACE appliance.
Caution
Disabling ICMP security checks may expose your ACE
appliance and network to potential security risks. When you
disable ICMP Guard, the ACE appliance no longer performs
NAT translations on the ICMP header and payload in error
packets, which can potentially reveal real host IP addresses to
attackers.
Enable DHCP Relay
Check the check box to indicate that the ACE appliance is to accept
DHCP requests from clients on this interface and to enable the DHCP
relay agent.
Clear the check box to indicate that the ACE appliance is not to accept
DHCP requests or enable the DHCP relay agent.
Action For DF Bit
Indicate how the ACE appliance is to handle a packet that has its DF
(Don't Fragment) bit set in the IP header:
• Allow—Indicates that the ACE appliance is to permit the packet
with the DF bit set. If the packet is larger than the next-hop MTU, the
ACE appliance discards the packet and sends an ICMP unreachable
message to the source host.
• Clear—Indicates that the ACE appliance is to clear the DF bit and
permit the packet. If the packet is larger than the next-hop MTU, the
ACE appliance fragments the packet.
The default is Allow.
Action For IP Header Options
Select the action the ACE appliance is to take when an IP option is set
in a packet:
• Allow—Indicates that the ACE appliance is to allow the IP packet
with the IP options set.
• Clear—Indicates that the ACE appliance is to clear all IP options
from the packet and to allow the packet.
• Clear-Invalid—Indicates that the ACE appliance is to clear the
invalid IP options from the packet and then allow the packet.
• Drop—Indicates that the ACE appliance is to discard the packet
regardless of any options that are set.
Min. TTL IP Header Value
Enter the minimum number of hops a packet is allowed to reach its
destination. Valid entries are integers from 1 to 255.
Each router along the packet's path decrements the TTL by one. If the
packet's TTL reaches zero before the packet reaches its destination, the
packet is discarded.
Enable Syn Cookie Threshold Value
Enter the embryonic (half-open) connection threshold above which the
ACE applies SYN-cookie DoS protection. Valid entries are integers from
1 to 65535.
UDP Config Commands
Select the UDP boost command:
• N/A—Not applicable.
• IP Destination Hash—Performs a destination IP hash during
connection lookup.
• IP Source Hash—Performs a source IP hash during connection
lookup.
Input Policies
From the Available list, double-click the policy map name that is
associated with this VLAN interface or use the right arrow to move it to
the Selected list. This policy map is to be applied to the inbound
direction of the interface; that is, all traffic received by this interface.
If you choose more than one policy map, use the Up and Down arrows
to choose the priority of the policy map in the Selected list. These arrows
modify the order of the policy maps for new VLANs only; they do not
modify the policy map order when editing an existing VLAN interface.
Input Access Group
From the Available list, double-click an ACL name for the ACL input
access group to be associated with this VLAN interface or use the right
arrow to move it to the Selected list. Any ACL group listed in the
Selected list specifies that this access group is to be applied to the
inbound direction of the interface.
Output Access Group
From the Available list, double-click an ACL name for the ACL output
access group that is associated with this VLAN interface or use the right
arrow to move it to the Selected list. Any ACL group listed in the
Selected list specifies that this access group is to be applied to the
outbound direction of the interface; that is, all traffic sent by this
interface.
Static ARP Entry (IP/MAC Address)
For the Static ARP entry, do the following:
a. In the ARP IP Address field, enter the IP address in dotted-decimal
notation (for example, 192.168.11.2).
b. In the ARP MAC Address field, enter the hardware MAC address for
the ARP table entry (for example, 00.02.9a.3b.94.d9).
c. When completed, use the right arrow to move the static ARP entry
to the list box. Use the Up and Down arrows to choose the priority
of the static ARP entry in the list box. These arrows modify the
order of the static ARPs for new VLANs only; they do not modify
the static ARP order when editing an existing VLAN interface.
DHCP Relay Configuration
Enter the IP address of the DHCP server to which the DHCP relay agent
is to forward client requests. Enter the IP address in dotted-decimal
notation, such as 192.168.11.2.
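The three fragment-related fields in Table 8-3 (Max. Fragment Chains Allowed, Min. Fragment MTU Value and Reassembly Timeout) are limits on the per-packet reassembly state the appliance is willing to hold, which is what protects it against tiny-fragment and fragment-flood attacks. The following Python model is an added example and not code from this guide or from the ACE itself: it applies those three limits, with the documented value ranges, to a stream of constructed fragments. The class and method names, the (source, destination, identification) chain key, the assumption that only non-final fragments are held to the minimum size, and the sample fragments are this example's own.

```python
"""
Added example, not code from the Cisco guide: a small model of the three
per-VLAN fragment guards in Table 8-3 (Max. Fragment Chains Allowed,
Min. Fragment MTU Value, Reassembly Timeout). Ranges are the documented
ones; the class and method names, the (src, dst, ident) chain key and the
sample fragments are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

IP_HEADER_LEN = 20  # assumption: no IP options, so a fragment carries length - 20 data bytes


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int    # IP Identification; shared by all fragments of one packet
    offset: int   # Fragment Offset, in 8-byte units
    more: bool    # MF flag: True on every fragment except the last
    length: int   # Total Length of this fragment in bytes


@dataclass
class Chain:
    last_seen: float
    fragments: List[Fragment] = field(default_factory=list)


class FragmentGuard:
    def __init__(self, max_chain: int = 256, min_mtu: int = 576, timeout: int = 5):
        if not 1 <= max_chain <= 256:
            raise ValueError("Max. Fragment Chains Allowed must be 1..256")
        if not 28 <= min_mtu <= 9216:
            raise ValueError("Min. Fragment MTU Value must be 28..9216")
        if not 1 <= timeout <= 30:
            raise ValueError("Reassembly Timeout must be 1..30 seconds")
        self.max_chain, self.min_mtu, self.timeout = max_chain, min_mtu, timeout
        self.chains: Dict[Tuple[str, str, int], Chain] = {}

    def _expire(self, now: float) -> None:
        # Reassembly Timeout: abandon chains that saw no fragment for `timeout` seconds.
        stale = [k for k, c in self.chains.items() if now - c.last_seen > self.timeout]
        for k in stale:
            del self.chains[k]

    @staticmethod
    def _complete(frags: List[Fragment]) -> bool:
        # Complete when the sorted fragments cover the packet without a gap and the last has MF=0.
        ordered = sorted(frags, key=lambda f: f.offset)
        expected = 0
        for f in ordered:
            if f.offset * 8 != expected:
                return False
            expected += f.length - IP_HEADER_LEN
        return not ordered[-1].more

    def submit(self, frag: Fragment, now: float) -> Tuple[str, object]:
        """Return ("drop", reason), ("hold", fragments_so_far) or ("complete", fragment_count)."""
        self._expire(now)
        # Min. Fragment MTU: reject undersized non-final fragments (tiny-fragment attacks).
        # Assumption of this model: the final fragment (MF=0) may legitimately be short.
        if frag.more and frag.length < self.min_mtu:
            return ("drop", "fragment smaller than Min. Fragment MTU")
        key = (frag.src, frag.dst, frag.ident)
        chain = self.chains.setdefault(key, Chain(last_seen=now))
        # Max. Fragment Chains Allowed: cap the fragments accepted for one packet.
        if len(chain.fragments) >= self.max_chain:
            del self.chains[key]
            return ("drop", "Max. Fragment Chains Allowed exceeded")
        chain.fragments.append(frag)
        chain.last_seen = now
        if self._complete(chain.fragments):
            del self.chains[key]
            return ("complete", len(chain.fragments))
        return ("hold", len(chain.fragments))


if __name__ == "__main__":
    guard = FragmentGuard(max_chain=3, min_mtu=576, timeout=5)
    # Constructed sample: a packet split into 1480 + 100 data bytes, then a 28-byte tiny fragment.
    print(guard.submit(Fragment("10.0.0.5", "10.0.1.9", 1, 0, True, 1500), 0.0))
    print(guard.submit(Fragment("10.0.0.5", "10.0.1.9", 1, 185, False, 120), 0.1))
    print(guard.submit(Fragment("10.0.0.5", "10.0.1.9", 2, 0, True, 48), 0.2))
```

The model keys chains on source, destination and identification only; a real stack also includes the protocol field. Lowering Max. Fragment Chains Allowed bounds memory per packet, and the timeout bounds how long an attacker who never sends the last fragment can pin that memory.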
Step 4
Click:
•
Deploy Now to save your entries and to return to the VLAN Interface table.
•
Cancel to exit the procedure without saving your changes and to return to the VLAN Interface table.
•
Next to save your entries and to add another VLAN interface.
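The Enable Syn Cookie Threshold Value field in Table 8-3 switches the appliance from keeping per-connection state for every SYN to answering with a stateless SYN cookie once too many connections are half open. The following Python model is an added example, not code from this guide or the ACE's implementation: below the threshold it records each embryonic connection, at the threshold it encodes the server's initial sequence number as a keyed MAC over the 4-tuple, the client's sequence number and a coarse time counter, and it creates state only when the final ACK carries a cookie it could have issued. The cookie layout (5 bits of 64-second time, 27 bits of MAC), the four-tick maximum age, the class names and the sample connections are this example's assumptions.

```python
"""
Added example, not code from the Cisco guide: a model of the "Enable Syn
Cookie Threshold Value" behaviour in Table 8-3. Below the embryonic
(half-open) connection threshold the listener keeps per-connection state;
once the threshold is reached it answers SYNs with a stateless SYN cookie
and creates state only when a valid ACK returns. The cookie layout and all
names are this example's assumptions, not the ACE's implementation.
"""
import hashlib
import hmac
from typing import Dict, Tuple

FourTuple = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


class SynCookieGuard:
    def __init__(self, threshold: int, secret: bytes, max_age_ticks: int = 4):
        if not 1 <= threshold <= 65535:
            raise ValueError("threshold must be 1..65535")
        self.threshold = threshold
        self.secret = secret
        self.max_age_ticks = max_age_ticks          # cookies older than this (x 64 s) are rejected
        self.embryonic: Dict[FourTuple, int] = {}   # half-open connections: 4-tuple -> server ISN

    def _mac(self, key: FourTuple, client_isn: int, tick: int) -> int:
        msg = f"{key[0]}:{key[1]}>{key[2]}:{key[3]}|{client_isn}|{tick}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def cookie(self, key: FourTuple, client_isn: int, now: float) -> int:
        """Server ISN = 5-bit time counter | 27-bit MAC over the 4-tuple, client ISN and time."""
        tick = int(now) >> 6   # 64-second granularity
        return ((tick & 0x1F) << 27) | (self._mac(key, client_isn, tick) & 0x07FFFFFF)

    def check_cookie(self, key: FourTuple, client_isn: int, cookie: int, now: float) -> bool:
        tick_now = int(now) >> 6
        for age in range(self.max_age_ticks + 1):
            tick = tick_now - age
            if (tick & 0x1F) != cookie >> 27:
                continue
            if (self._mac(key, client_isn, tick) & 0x07FFFFFF) == (cookie & 0x07FFFFFF):
                return True
        return False

    def on_syn(self, key: FourTuple, client_isn: int, now: float) -> Tuple[str, int]:
        """Return ("stateful", isn) under the threshold, ("cookie", isn) at or above it."""
        if len(self.embryonic) < self.threshold:
            # Stateful path: any unpredictable ISN will do; derived from the MAC for determinism.
            isn = self._mac(key, client_isn, -1)
            self.embryonic[key] = isn
            return ("stateful", isn)
        return ("cookie", self.cookie(key, client_isn, now))

    def on_ack(self, key: FourTuple, seq: int, ack: int, now: float) -> str:
        """Final ACK of the handshake: seq = client ISN + 1, ack = server ISN + 1."""
        if key in self.embryonic:
            if ack - 1 != self.embryonic[key]:
                return "rejected"
            del self.embryonic[key]   # half-open entry becomes a full connection
            return "established"
        # No state for this 4-tuple: accept only if ack-1 is a cookie we could have issued.
        if self.check_cookie(key, seq - 1, ack - 1, now):
            return "established"
        return "rejected"


if __name__ == "__main__":
    # Constructed sample: threshold 2, so the third half-open connection gets a cookie.
    guard = SynCookieGuard(threshold=2, secret=b"example-secret")
    vip = ("203.0.113.5", 80)
    for i in range(3):
        print(guard.on_syn(("198.51.100.%d" % (10 + i), 40000 + i) + vip, 1000 * (i + 1), 1000.0))
```

The stateful path is what a SYN flood exhausts; above the threshold the cost per forged SYN is one MAC computation and no memory, and an attacker who never completes the handshake gains nothing. Note that the stateless path loses TCP options the SYN carried, which is why the protection is threshold-triggered rather than always on.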
Related Topics
•
Configuring VLAN Interface Options, page 8-14
Viewing All VLAN Interfaces
Use this procedure to view all VLAN interfaces.
Procedure
Step 1
Select Config > Virtual Contexts > context > Network > VLAN Interfaces.
The VLAN Interface table appears listing all VLAN interfaces for the selected virtual context.
Related Topics
•
Configuring Virtual Context VLAN Interfaces, page 8-8
•
Configuring VLAN Interface Options, page 8-14
•
Configuring VLAN Interface Policy Map Use, page 8-15
Configuring VLAN Interface Options
After adding a VLAN interface, you can configure other VLAN interface attributes such as policy map
use, access groups, static ARP entries, and so on. The tabs for these attributes appear beneath the VLAN
Interface table or below the VLAN Interface configuration screen after you have added a new VLAN
interface.
Configuration options for VLAN interfaces are:
•
Configuring VLAN Interface Policy Map Use, page 8-15
•
Configuring VLAN Interface Access Control, page 8-16
•
Configuring VLAN Interface Static ARP Entries, page 8-17
•
Configuring VLAN Interface NAT Pools, page 8-17
•
Configuring VLAN Interface DHCP Relay, page 8-19
Configuring VLAN Interface Policy Map Use
Use this procedure to associate a policy map with a VLAN interface.
Assumptions
•
You have successfully configured at least one VLAN interface (see Configuring Virtual Context
VLAN Interfaces, page 8-8).
•
A Layer 3/Layer 4 or Management policy map has been configured for this virtual context. For more
information, see Configuring Traffic Policies, page 10-1.
Procedure
Step 1
Select Config > Virtual Contexts > context > Network > VLAN Interfaces.
The VLAN Interfaces table appears.
Step 2
Select the VLAN interface you want to associate with a policy map, then select the Policy tab. The Policy
table appears.
Step 3
Click Add to add a policy. The Policy configuration screen appears.
Step 4
In the Policy Map field, select the policy map to be associated with this VLAN interface.
Note
The Device Manager considers an interface as a management interface if it has a management policy
map associated with the VLAN interface. See the “Creating Virtual Contexts” section on page 2-2.
Step 5
In the Direction field, input is automatically specified; this policy map is to be applied to the inbound
direction of the interface; that is, all traffic received by this interface.
Step 6
Click:
•
Deploy Now to save your entries and to return to the Policy table.
•
Cancel to exit this procedure without saving your entries and to return to the Policy table.
•
Next to save your entries and to add another policy to this interface.
Related Topics
•
Configuring VLAN Interface Access Control, page 8-16
•
Configuring VLAN Interface Static ARP Entries, page 8-17
•
Configuring VLAN Interface NAT Pools, page 8-17
•
Configuring VLAN Interface DHCP Relay, page 8-19
Configuring VLAN Interface Access Control
The ACE Appliance Device Manager uses access control lists to limit access to and from VLAN
interfaces in a virtual context. Use this procedure to configure access control for a VLAN interface.
Assumptions
•
You have successfully configured at least one VLAN interface (see Configuring Virtual Context
VLAN Interfaces, page 8-8).
•
An access control list has been configured for this virtual context. Entering an ACL name does not
configure the ACL; you must configure the ACL on the ACE appliance. For more information, see
Configuring Virtual Context Expert Options, page 2-68.
Procedure
Step 1
Select Config > Virtual Contexts > context > Network > VLAN Interfaces.
The VLAN Interfaces table appears.
Step 2
Select the VLAN interface you want to associate with an ACL, then select the Access Group tab. The
Access Group table appears.
Step 3
Click Add to associate a new ACL with the selected VLAN interface. The Access Group configuration
screen appears.
Step 4
In the ACL Name field, select the ACL group to be associated with this VLAN interface.
Step 5
In the Direction field, select the traffic this access group applies to:
• Input—Specifies that this access group is to be applied to the inbound direction of the interface; that
is, all traffic received by this interface.
• Output—Specifies that this access group is to be applied to the outbound direction of the interface;
that is, all traffic sent by this interface.
Step 6
Click:
•
Deploy Now to save your entries and to return to the Access Group table.
•
Cancel to exit this procedure without saving your entries and to return to the Access Group table.
•
Next to save your entries and to apply another access group to this interface.
Related Topics
•
Configuring VLAN Interface Policy Map Use, page 8-15
•
Configuring VLAN Interface Static ARP Entries, page 8-17
•
Configuring VLAN Interface NAT Pools, page 8-17
•
Configuring VLAN Interface DHCP Relay, page 8-19
Configuring VLAN Interface Static ARP Entries
Use this procedure to configure static ARP entries for a VLAN interface.
Assumption
You have successfully configured at least one VLAN interface (see Configuring Virtual Context VLAN
Interfaces, page 8-8).
Procedure
Step 1
Select Config > Virtual Contexts > context > Network > VLAN Interfaces.
The VLAN Interface table appears.
Step 2
Select the VLAN interface you want to configure static ARP entries for, then select the Static ARP
Entries tab. The Static ARP Entries table appears.
Step 3
Click Add to add a new entry. The Static ARP Entries configuration screen appears.
Step 4
In the ARP IP Address field, enter the IP address in dotted-decimal notation (for example, 192.168.11.2).
Step 5
In the ARP MAC Address field, enter the hardware MAC address for the ARP table entry (for example,
00.02.9a.3b.94.d9).
Step 6
Click:
•
Deploy Now to save your entries and to return to the Static ARP Entries table.
•
Cancel to exit this procedure without saving your entries and to return to the Static ARP Entries
table.
•
Next to save your entries and to add another static ARP entry.
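Static ARP entries are only as useful as the ARP Inspection Type setting (Table 8-3) that enforces them. The following Python model is an added example, not code from this guide or from the ACE: it indexes static entries by interface ID and IP address as the table describes, drops a packet whose sender MAC contradicts the entry for its IP, and applies the Flood or No-flood choice to packets for which no static entry exists (this reading of "nonmatching" follows the table's "in the absence of a static ARP entry" wording). Inspection is skipped for interfaces that are not bridged. The class names, the MAC normalisation helper and the sample packets are this example's assumptions.

```python
"""
Added example, not code from the Cisco guide: a model of how the static ARP
entries configured per VLAN interface combine with the ARP Inspection Type
setting (N/A, Flood, No-flood) from Table 8-3. The decision rules follow the
table text; the class names, the (vlan, ip) index and the sample packets are
this example's assumptions.
"""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Tuple


class ArpInspection(Enum):
    NA = "N/A"             # inspection disabled: every ARP packet passes
    FLOOD = "flood"        # packets with no static entry are flooded to the bridge group
    NO_FLOOD = "no-flood"  # packets with no static entry are dropped


@dataclass(frozen=True)
class ArpPacket:
    ingress_vlan: int
    sender_ip: str
    sender_mac: str


def normalize_mac(mac: str) -> str:
    """Accept 00.02.9a.3b.94.d9 (Device Manager form), 00:02:9a:3b:94:d9 or 00-02-9a-3b-94-d9."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac}")
    return digits


class ArpInspector:
    def __init__(self, mode: ArpInspection, bridged_vlans: Iterable[int]):
        self.mode = mode
        self.bridged = set(bridged_vlans)
        self.static: Dict[Tuple[int, str], str] = {}   # (ifID, IP) -> MAC: the ARP table index

    def add_static_arp(self, vlan: int, ip: str, mac: str) -> None:
        self.static[(vlan, ip)] = normalize_mac(mac)

    def inspect(self, pkt: ArpPacket) -> Tuple[str, str]:
        """Return ("forward", reason) or ("drop", reason) for an ARP packet entering on a VLAN."""
        if self.mode is ArpInspection.NA:
            return ("forward", "ARP inspection disabled")
        if pkt.ingress_vlan not in self.bridged:
            return ("forward", "inspection applies only to ingress bridged interfaces")
        expected = self.static.get((pkt.ingress_vlan, pkt.sender_ip))
        if expected is None:
            if self.mode is ArpInspection.FLOOD:
                return ("forward", "no static entry; flooded to all interfaces in the bridge group")
            return ("drop", "no static entry; no-flood")
        if expected == normalize_mac(pkt.sender_mac):
            return ("forward", "sender matches static ARP entry")
        return ("drop", "sender MAC differs from static ARP entry (ARP spoofing attempt)")


if __name__ == "__main__":
    # Constructed sample: the gateway 192.168.11.1 is pinned on bridged VLAN 100.
    inspector = ArpInspector(ArpInspection.NO_FLOOD, bridged_vlans=[100])
    inspector.add_static_arp(100, "192.168.11.1", "00.02.9a.3b.94.d9")
    for pkt in (ArpPacket(100, "192.168.11.1", "00:02:9a:3b:94:d9"),
                ArpPacket(100, "192.168.11.1", "00:11:22:33:44:55"),
                ArpPacket(100, "192.168.11.77", "00:aa:bb:cc:dd:ee")):
        print(pkt.sender_ip, pkt.sender_mac, "->", inspector.inspect(pkt))
```

With No-flood, every host that must be reachable through the bridge group needs a static entry, so it is the strict setting; Flood keeps unknown hosts working while still blocking a forged reply for an address that has a static entry.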
Related Topics
•
Configuring VLAN Interface Policy Map Use, page 8-15
•
Configuring VLAN Interface Access Control, page 8-16
•
Configuring VLAN Interface NAT Pools, page 8-17
•
Configuring VLAN Interface DHCP Relay, page 8-19
Configuring VLAN Interface NAT Pools
Network Address Translation (NAT) is designed to simplify and conserve IP addresses. It allows private
IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router,
usually connecting two networks, and translates the private (not globally unique) addresses in the
internal network into globally routable addresses before the packets are forwarded to another network.
The ACE Appliance Device Manager allows you to configure NAT so that it advertises only one address
for the entire network to the outside world. This effectively hides the entire internal network behind that
address, thereby offering both security and address conservation.
Several internal addresses can be translated to only one or a few external addresses by using Port Address
Translation (PAT) in conjunction with NAT. With PAT, you can configure static address translations at
the port level and use the remainder of the IP address for other translations. PAT effectively extends NAT
from one-to-one to many-to-one by associating a unique source port with each flow.
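The difference between a NAT pool with and without PAT is easiest to see in a translation table. The following Python model is an added example, not code from this guide or from the ACE: it builds a pool from the fields of the NAT Pool procedure (pool ID, start and end global address, PAT flag), hands each internal host its own global address when PAT is off, and otherwise distinguishes flows by a unique global port so that many hosts share one address. The class, the translation-table layout, the default port range and the sample flows are this example's assumptions.

```python
"""
Added example, not code from the Cisco guide: a model of a NAT pool with the
fields from the NAT Pool procedure (pool ID, start/end global IP address,
PAT flag). Without PAT each internal host takes one global address from the
pool (one-to-one); with PAT many hosts share a global address and each flow
is told apart by a unique global source port (many-to-one). The class, the
translation-table layout, the port range and the sample flows are this
example's assumptions.
"""
import ipaddress
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)
Binding = Tuple[str, int]              # (global_ip, global_port)


class NatPool:
    def __init__(self, pool_id: int, start_ip: str, end_ip: Optional[str] = None,
                 pat: bool = False, port_range: Tuple[int, int] = (1024, 65535)):
        if not 1 <= pool_id <= 2147483647:
            raise ValueError("NAT Pool Id must be 1..2147483647")
        start = ipaddress.IPv4Address(start_ip)
        end = ipaddress.IPv4Address(end_ip) if end_ip else start   # blank End IP = single address
        if end < start:
            raise ValueError("End IP Address must not be lower than Start IP Address")
        self.pool_id = pool_id
        self.globals = [str(ipaddress.IPv4Address(a)) for a in range(int(start), int(end) + 1)]
        self.pat = pat
        self.port_lo, self.port_hi = port_range
        self.forward: Dict[Flow, Binding] = {}
        self.reverse: Dict[Flow, Tuple[str, int]] = {}   # (gip, gport, dst, dport, proto) -> (src, sport)
        self.host_to_global: Dict[str, str] = {}         # one-to-one NAT bindings
        self.next_port: Dict[str, int] = {}              # PAT: next unused port per global IP

    def _alloc_nat(self, src_ip: str, src_port: int) -> Optional[Binding]:
        gip = self.host_to_global.get(src_ip)
        if gip is None:
            in_use = set(self.host_to_global.values())
            free = [g for g in self.globals if g not in in_use]
            if not free:
                return None
            gip = self.host_to_global[src_ip] = free[0]
        return (gip, src_port)   # one-to-one: the source port is preserved

    def _alloc_pat(self) -> Optional[Binding]:
        for gip in self.globals:
            port = self.next_port.get(gip, self.port_lo)
            if port <= self.port_hi:
                self.next_port[gip] = port + 1
                return (gip, port)   # many-to-one: a fresh port identifies this flow
        return None

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                  proto: str = "tcp") -> Optional[Binding]:
        """Return (global_ip, global_port) for an outbound flow, or None if the pool is exhausted."""
        flow: Flow = (src_ip, src_port, dst_ip, dst_port, proto)
        if flow in self.forward:
            return self.forward[flow]
        binding = self._alloc_pat() if self.pat else self._alloc_nat(src_ip, src_port)
        if binding is None:
            return None   # the appliance would drop the new flow
        self.forward[flow] = binding
        self.reverse[(binding[0], binding[1], dst_ip, dst_port, proto)] = (src_ip, src_port)
        return binding

    def untranslate(self, gip: str, gport: int, dst_ip: str, dst_port: int,
                    proto: str = "tcp") -> Optional[Tuple[str, int]]:
        """Map a return packet's destination back to the internal (ip, port)."""
        return self.reverse.get((gip, gport, dst_ip, dst_port, proto))


if __name__ == "__main__":
    # Constructed sample: two-address pool without PAT, then one address with PAT.
    nat = NatPool(1, "203.0.113.10", "203.0.113.11")
    pat = NatPool(2, "203.0.113.20", pat=True)
    for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        print(host, "NAT ->", nat.translate(host, 51000, "198.51.100.1", 443),
              "PAT ->", pat.translate(host, 51000, "198.51.100.1", 443))
```

The reverse table is what lets return traffic for the shared address reach the right internal host; note that three hosts all using source port 51000 collide under plain NAT only at the address level, while PAT resolves them with distinct global ports.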
Use this procedure to configure NAT pools for a VLAN interface.
Assumption
You have successfully configured at least one VLAN interface (see Configuring Virtual Context VLAN
Interfaces, page 8-8).
Procedure
Step 1
Select Config > Virtual Contexts > context > Network > NAT.
The NAT Pool table appears.
Step 2
In the NAT Pool table, click Add to add a new entry. The NAT Pool configuration screen appears.
Step 3
Select the VLAN interface for which you want to configure a NAT pool.
Step 4
In the NAT Pool Id field, either accept the automatically incremented entry or enter a new number to
uniquely identify this pool. Valid entries are integers from 1 to 2147483647.
Step 5
In the Start IP Address field, enter an IP address in dotted-decimal notation (such as 192.168.11.2). This
entry identifies either a single IP address or, if using a range of IP addresses, the first IP address in a
range of global addresses for this NAT pool.
Step 6
In the End IP Address field, enter the highest IP address in a range of global IP addresses for this NAT pool.
Enter the IP address in dotted-decimal notation, such as 192.168.11.2.
Leave this field blank if you want to identify only the single IP address in the Start IP Address field.
Step 7
In the Netmask field, select the subnet mask for the global IP addresses in the NAT pool.
Step 8
Check the PAT Enabled check box to indicate that the ACE appliance is to perform port address translation
(PAT) in addition to NAT. Clear the check box to indicate that the ACE appliance is not to perform port
address translation (PAT) in addition to NAT.
Step 9
Click:
•
Deploy Now to save your entries and to return to the NAT Pool table.
•
Cancel to exit this procedure without saving your entries and to return to the NAT Pool table.
•
Next to save your entries and to add another NAT Pool entry.
Related Topics
•
Configuring VLAN Interface Policy Map Use, page 8-15
•
Configuring VLAN Interface Access Control, page 8-16
•
Configuring VLAN Interface Static ARP Entries, page 8-17
•
Configuring VLAN Interface DHCP Relay, page 8-19
Configuring VLAN Interface DHCP Relay
Use this procedure to configure DHCP relay for a VLAN interface.
Assumption
You have successfully configured at least one VLAN interface (see Configuring Virtual Context VLAN
Interfaces, page 8-8).
Procedure
Step 1
Select Config > Virtual Contexts > context > Network > VLAN Interfaces.
The VLAN Interfaces table appears.
Step 2
Select the VLAN interface you want to configure DHCP relay for, then select the DHCP Relay
Configuration tab. The DHCP Relay Configuration table appears.
Step 3
Click Add to add a new entry. The DHCP Relay Configuration screen appears.
Step 4
In the IP Address field, enter the IP address of the DHCP server to which the DHCP relay agent is to
forward client requests. Enter the IP address in dotted-decimal notation, such as 192.168.11.2.
Step 5
Click:
•
Deploy Now to save your entries and to return to the DHCP Relay Configuration table.
•
Cancel to exit this procedure without saving your entries and to return to the DHCP Relay
Configuration table.
•
Next to save your entries and to add another DHCP relay entry.
Related Topics
•
Configuring VLAN Interface Policy Map Use, page 8-15
•
Configuring VLAN Interface Access Control, page 8-16
•
Configuring VLAN Interface NAT Pools, page 8-17
•
Configuring VLAN Interface Static ARP Entries, page 8-17
Configuring Virtual Context BVI Interfaces
The ACE Appliance Device Manager supports virtual contexts containing Bridge-Group Virtual
Interfaces (BVI). Use this procedure to configure BVI interfaces for virtual contexts.
Procedure
Step 1
Select Config > Virtual Contexts > context > Network > BVI Interfaces.
The BVI Interface table appears.
Step 2
Click Add to add a new BVI interface, or select an existing BVI interface, then click Edit to modify it.
Note
If you click Edit, not all of the fields can be modified.
Step 3
Enter the interface attributes (see Table 8-4).
Table 8-4
BVI Interface Attributes
Field
Description
BVI
Either accept the automatically incremented entry or enter a different,
unique value. Valid entries are integers from 1 to 4094.
Description
Enter a brief description for this interface.
IP Address
Enter the IP address assigned to this interface.
Alias IP Address
Enter the IP address of the alias this interface is associated with.
Peer IP Address
Enter the IP address of the remote peer.
Netmask
Select the subnet mask to be used.
Enable MAC Address Autogenerate
Allows you to configure a different MAC address for the BVI interface.
Admin Status
Indicate whether you want the interface to be Up or Down.
Secondary IP Groups
(Optional) Enter a maximum of four secondary IP groups for the BVI.
To create up to four secondary IP groups for this BVI, do the following:
a. Define one or more of the following secondary IP address types:
– IP—Secondary IP address assigned to this interface. The
primary address must be active for the secondary address to be
active.
– AliasIP—Secondary IP address of the alias associated with this
interface.
– PeerIP—Secondary IP address of the remote peer.
– Netmask—Secondary subnet mask to be used.
The ACE has a system limit of 1,024 for each secondary IP address
type.
b. Click Add to selection (right arrow) to add the group to the group
display area.
c. Repeat Steps a and b for each additional group.
d. (Optional) Rearrange the order in which the groups are listed by
selecting one of the group listings in the group display area and
clicking either Move item up in list (up arrow) or Move item down in
list (down arrow). The order of the groups has no effect on the ACE.
e. (Optional) To change or remove a group, select it in the group
display area and click Remove from selection (left arrow); to change
it, add it again with the new values.
First VLAN
Enter the first VLAN whose bridge group is to be configured with this
BVI. This VLAN can be the server or client VLAN. Valid entries are
from 2 to 4094.
First VLAN Description
Enter a brief description for the first VLAN.
Second VLAN
Enter the second VLAN whose bridge group is to be configured with this
BVI. This VLAN can be the server or client VLAN. Valid entries are
from 2 to 4094.
Second VLAN Description
Enter a brief description for the second VLAN.
Step 4
Click:
•
Deploy Now to save your entries and to return to the BVI Interface table.
•
Cancel to exit the procedure without saving your entries and to return to the BVI Interface table.
•
Next to save your entries and to configure another BVI interface for this context.
Related Topics
•
Configuring Network Access, page 8-1
•
Configuring Virtual Context Primary Attributes, page 2-11
•
Configuring Virtual Context VLAN Interfaces, page 8-8
•
Configuring Virtual Context Syslog Logging, page 2-12
•
Configuring Traffic Policies, page 10-1
Viewing All BVI Interfaces by Context
To view all BVI interfaces associated with a specific virtual context, select Config > Virtual Contexts >
context > Network > BVI Interfaces.
The BVI Interface table appears with the information shown in Table 8-5.
Table 8-5
BVI Interface Fields
Field
Description
Bridge Group Number
Bridge group number that identifies this BVI interface.
Description
Description for this interface.
IP Address
IP address assigned to this interface.
Netmask
Subnet mask for this interface.
Admin Status
The status of the interface, which can be Up or Down.
First VLAN
First VLAN whose bridge group is to be configured with this BVI. This
VLAN can be the server or client VLAN.
First VLAN Description
Description for the first VLAN.
Second VLAN
Second VLAN whose bridge group is to be configured with this BVI. This
VLAN can be the server or client VLAN.
Second VLAN Description
Description for the second VLAN.
Related Topics
• Configuring Virtual Context VLAN Interfaces, page 8-8
• Using Virtual Contexts, page 2-2
• Configuring Virtual Context Primary Attributes, page 2-11
• Configuring Virtual Context Syslog Logging, page 2-12
• Configuring Traffic Policies, page 10-1
Configuring Virtual Context Static Routes
Note
This functionality is available only for Admin virtual contexts.
Admin and user context modes do not support dynamic routing, therefore you must use static routes for
any networks to which the ACE appliance is not directly connected, such as when there is a router
between a network and the ACE appliance.
Procedure
Step 1
Select Config > Virtual Contexts > context > Network > Static Routes.
The Static Route table appears.
Step 2
To add a static route for this context, click Add.
Note
You cannot modify an existing static route. To make changes to an existing static route, you must
delete the static route and then add it back.
Step 3
In the Destination Prefix field, enter the destination network address for the route. This is the destination
address as it appears in the packet before it enters the ACE appliance and before any network address
translation is applied. Enter the address in dotted-decimal IP notation (for example, 192.168.11.2).
Step 4
In the Destination Prefix Mask field, select the subnet to use for this route.
Step 5
In the Next Hop field, enter the IP address of the gateway router for this route. The gateway address must
be in the same network as a VLAN interface for this context.
Step 6
Click:
•
Deploy Now to save your entries and to return to the Static Route table.
•
Cancel to exit this procedure without saving your entries and to return to the Static Route table.
•
Next to save your entries and to add another static route.
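The static route fields above and the Reverse Path Forwarding (RPF) check box in Table 8-3 work on the same routing table: RPF looks up a packet's source address and discards the packet when no route exists or when the route leaves through an interface other than the one the packet arrived on. The following Python model is an added example, not code from this guide or from the ACE: it keeps a context's VLAN interfaces as connected routes, enforces the rule that a static route's next hop must be in the network of one of those interfaces, resolves addresses by longest prefix match, and performs the RPF check against the result. The class, the way connected routes are represented and the sample addresses are this example's assumptions.

```python
"""
Added example, not code from the Cisco guide: a model of a virtual context's
static routes (Destination Prefix, Destination Prefix Mask, Next Hop) together
with the Reverse Path Forwarding (RPF) check from Table 8-3. The class, the
connected-route handling and the sample addresses are this example's
assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None for a directly connected network
    vlan: int                                   # VLAN interface the route leaves through


class ContextRouting:
    def __init__(self) -> None:
        self.interfaces: Dict[int, ipaddress.IPv4Interface] = {}
        self.routes: List[Route] = []

    def add_vlan_interface(self, vlan: int, address_with_mask: str) -> None:
        iface = ipaddress.IPv4Interface(address_with_mask)
        self.interfaces[vlan] = iface
        self.routes.append(Route(iface.network, None, vlan))   # connected route

    def add_static_route(self, prefix: str, mask: str, next_hop: str) -> Route:
        """Destination Prefix + Destination Prefix Mask via Next Hop; the next hop must be on a VLAN."""
        network = ipaddress.IPv4Network(f"{prefix}/{mask}", strict=False)
        gateway = ipaddress.IPv4Address(next_hop)
        for vlan, iface in self.interfaces.items():
            if gateway in iface.network:
                route = Route(network, gateway, vlan)
                self.routes.append(route)
                return route
        raise ValueError(f"next hop {next_hop} is not in the network of any VLAN interface")

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest-prefix match over connected and static routes."""
        ip = ipaddress.IPv4Address(destination)
        candidates = [r for r in self.routes if ip in r.prefix]
        return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)

    def rpf_check(self, source: str, ingress_vlan: int) -> Tuple[bool, str]:
        """RPF as in Table 8-3: discard if no reverse route, or if it leaves through another interface."""
        route = self.lookup(source)
        if route is None:
            return (False, "no reverse route for source")
        if route.vlan != ingress_vlan:
            return (False, f"reverse route to {source} is via VLAN {route.vlan}, not VLAN {ingress_vlan}")
        return (True, "source is reachable through the ingress VLAN")


if __name__ == "__main__":
    # Constructed sample: client VLAN 100, server VLAN 200, one static route and a default route.
    ctx = ContextRouting()
    ctx.add_vlan_interface(100, "192.168.11.1/24")
    ctx.add_vlan_interface(200, "10.10.10.1/24")
    ctx.add_static_route("172.16.0.0", "255.255.0.0", "192.168.11.254")
    ctx.add_static_route("0.0.0.0", "0.0.0.0", "192.168.11.254")
    # A packet claiming a server-side source but arriving from the client side is spoofed.
    print(ctx.rpf_check("10.10.10.7", 200))
    print(ctx.rpf_check("10.10.10.7", 100))
```

RPF depends on the routing table being symmetric: with only a default route on the client side, any Internet source arriving on the server VLAN is discarded, which is the intended behaviour, but a legitimate asymmetric path would be discarded too, so add the static routes first and enable RPF afterwards.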
Related Topics
•
Configuring Virtual Contexts, page 2-7
•
Configuring Virtual Context Primary Attributes, page 2-11
•
Managing ACE Appliance Licenses, page 2-27
•
Configuring High Availability, page 9-1
Viewing All Static Routes by Context
Use this procedure to view all static routes associated with a virtual context.
Procedure
Step 1
Select Config > Virtual Contexts > context > Network > Static Routes.
The Static Route table appears with the following information:
•
Destination prefix
•
Destination prefix mask
•
Next hop IP address
Related Topics
•
Configuring Virtual Context Static Routes, page 8-22
•
Configuring Virtual Context VLAN Interfaces, page 8-8
Configuring Global IP DHCP
The Device Manager can configure the DHCP relay agent on the ACE. When you configure the ACE as a DHCP relay
agent, it is responsible for forwarding the requests and responses that are negotiated between the DHCP
clients and the server. By default, the DHCP relay agent is disabled. You must configure a DHCP server
when you enable the DHCP relay agent.
The following steps show you how to configure the DHCP relay agent at the context level so the
configuration applies to all interfaces associated with the context.
Note
The options that appear when you select Config > Virtual Contexts > context depend on the device
associated with the virtual context and the role associated with your account.
Procedure
Step 1
Select Config > Virtual Contexts > context > Network > Global IP DHCP. The Global IP DHCP
configuration table appears.
Step 2
Click Enable DHCP Relay For The Context to enable DHCP relay for the context and all interfaces
associated with this context.
Step 3
Select a relay agent information forwarding policy, which can be one of the following:
• N/A—No policy is configured, so the DHCP relay agent is not told what to do with a forwarded
message that already contains relay agent information.
• Keep—Specifies that existing relay agent information in the message is left unchanged.
• Replace—Specifies that existing relay agent information in the message is overwritten by the relay
agent.
Step 4
In the IP DHCP Server field, select the IP DHCP server to which the DHCP relay agent is to forward
client requests.
Step 5
Click:
•
Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.
•
Cancel to exit this procedure without saving your entries and to return to the previous table.
•
Next to deploy your entries and to add another DHCP relay entry.
Chapter 9
Configuring High Availability
High Availability (or fault tolerance) uses a maximum of two ACE appliances to ensure that your
network remains operational even if one of the appliances becomes unresponsive. Redundancy ensures
that your network services and applications are always available.
Note
Redundancy is not supported between an ACE appliance and an ACE module operating as peers. Both
peers must be the same ACE device type and run the same software release.
Note
When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter
map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names
with an alphanumeric string of 1 to 64 characters, which can include the following special characters:
underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you use the ACE CLI to configure a named object with special characters that the DM does not
support, you may not be able to configure the ACE using DM.
Related Topics
•
Understanding ACE Redundancy, page 9-2
•
Configuring High Availability Overview, page 9-6
•
Configuring High Availability Peers, page 9-8
•
Configuring ACE High Availability Groups, page 9-11
•
Switching Over a High Availability Group, page 9-15
•
Deleting ACE High Availability Groups, page 9-15
•
High Availability Tracking and Failure Detection Overview, page 9-16
•
Tracking VLAN Interfaces for High Availability, page 9-17
•
Tracking Hosts for High Availability, page 9-18
•
Configuring Host Tracking Probes, page 9-19
•
Configuring Peer Host Tracking Probes, page 9-20
Understanding ACE Redundancy
Redundancy provides seamless switchover of flows in case an ACE appliance becomes unresponsive or
a critical host or interface fails. Redundancy supports the following network applications that require
fault tolerance:
•
Mission-critical enterprise applications
•
Banking and financial services
•
E-commerce
•
Long-lived flows such as FTP and HTTP file transfers
The following overview topics describe high availability as performed by the ACE appliance:
•
Redundancy Protocol, page 9-2
•
Stateful Failover, page 9-3
•
Fault-Tolerant VLAN, page 9-4
•
Configuration Synchronization, page 9-5
•
Redundancy Configuration Requirements and Restrictions, page 9-5
Related Topics
• Configuring High Availability Overview, page 9-6
• Configuring High Availability Peers, page 9-8
• Configuring ACE High Availability Groups, page 9-11
Redundancy Protocol
You can configure a maximum of two ACE appliances (peers) for redundancy. Each peer appliance can
contain one or more fault-tolerant (FT) groups. Each FT group consists of two members: one active
context and one standby context. An FT group has a unique group ID that you assign.
Note
For the replication process to function properly and successfully replicate the configuration for a user
context when switching from the active context to the standby context, ensure that each user context has
been added to the FT group. All applicable user contexts must be part of an FT group for redundancy to
function properly.
One virtual MAC address (VMAC) is associated with each FT group. The format of the VMAC is
00-0b-fc-fe-1b-groupID. Because a VMAC does not change upon switchover, the client and server ARP
tables do not require updating. The ACE selects a VMAC from a pool of virtual MACs available to it.
For more information, see Configuring Virtual Contexts, page 2-7.
Each FT group acts as an independent redundancy instance. When a switchover occurs, the active
member in the FT group becomes the standby member and the original standby member becomes the
active member. A switchover can occur for the following reasons:
• The active member becomes unresponsive.
• A tracked host or interface fails.
• You force a switchover for a high availability group by clicking Switchover in the ACE HA Groups table (see Switching Over a High Availability Group, page 9-15).
To outside nodes (clients and servers), the active and standby FT group members appear as one node
with respect to their IP addresses and associated VMAC. The ACE provides active-active redundancy
with multiple contexts only when there are multiple FT groups configured on each appliance and both
appliances contain at least one active group member (context). With a single context, the ACE supports
active-backup redundancy and each group member is an Admin context.
The ACE sends and receives all redundancy-related traffic (protocol packets, configuration data,
heartbeats, and state replication packets) on a dedicated FT VLAN. You cannot use this dedicated VLAN
for normal traffic.
To optimize the transmission of heartbeat packets for multiple FT groups and to minimize network
traffic, the ACE sends and receives heartbeat messages using a separate process. The ACE uses the
heartbeat to probe the peer ACE, rather than probe each context. When an ACE does not receive a
heartbeat from the peer ACE, all the contexts in the standby state become active. The ACE sends
heartbeat packets over UDP. You can set the frequency with which the ACE sends heartbeat packets as
part of the FT peer configuration. For details about configuring the heartbeat, see Configuring High
Availability Peers, page 9-8.
The election of the active member within each FT group is based on a priority scheme. The member
configured with the higher priority is elected as the active member. If a member with a higher priority
appears after the other member has become active, the higher-priority member takes over as the active
member. This behavior is known as preemption and is enabled by default. You can override it by
disabling preemption: clear the Preempt parameter. Leaving Preempt enabled causes the member with the
higher priority to assert itself and become active. For details about configuring preemption, see
Configuring ACE High Availability Groups, page 9-11.
Stateful Failover
The ACE replicates flows on the active FT group member to the standby group member per connection
for each context. The replicated flows contain all the flow-state information necessary for the standby
member to take over the flow if the active member becomes unresponsive. If the active member becomes
unresponsive, the replicated flows on the standby member become active when the standby member
assumes mastership of the context. The active flows on the former active member transition to a standby
state to fully back up the active flows on the new active member.
Note
For the replication process to function properly and successfully replicate the configuration for a user
context when switching from the active context to the standby context, ensure that each user context has
been added to the FT group. All applicable user contexts must be part of an FT group for redundancy to
function properly.
Note
By default, connection replication is enabled in the ACE appliance.
After a switchover occurs, the same connection information is available on the new active member.
Supported end-user applications do not need to reconnect to maintain the same network session.
The state information passed to the standby appliance includes the following data:
• Network Address Translation (NAT) table based on information synchronized with the connection record
• All Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections not terminated by the ACE appliance
• HTTP connection states (Optional)
• Sticky table
In a user context, the ACE appliance allows a switchover only of the FT group that belongs to that
context. In the Admin context, the ACE appliance allows a switchover of all FT groups in all configured
contexts in the appliance.
To ensure that bridge learning occurs quickly upon a switchover in a Layer 2 configuration in the case
where a VMAC moves to a new location, the new active member sends a gratuitous ARP on every
interface associated with the active context. Also, when there are two VLANs on the same subnet and
servers need to send packets to clients directly, the servers must know the location of the gateway on the
client-side VLAN. The active member acts as the bridge for the two VLANs. In order to initiate learning
of the new location of the gateway, the new active member sends an ARP request to the gateway on the
client VLAN and bridges the ARP response onto the server VLAN.
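Because the VMAC stays with the FT group, the only signs of a switchover that the rest of the network sees are the gratuitous ARP described above and the VMAC being relearned on a different switch port. As an added example (not code from the Cisco guide or the ACE software), the following Python snippet recognizes ACE FT group VMACs from the 00-0b-fc-fe-1b-groupID format given in the Redundancy Protocol section and flags any VMAC whose learned port changes, which is how an operations or detection team can notice an unplanned switchover from switch MAC-table data. The MAC-table entries are constructed sample data, and the assumption that the final octet is the group ID written in hex (and that group IDs run from 1 to 255) is this example's, not the page's.

```python
"""Spot ACE fault-tolerant group VMACs and detect them moving between switch ports.

Added example, not part of the Cisco guide. Assumption: in the VMAC format
00-0b-fc-fe-1b-groupID the last octet is the FT group ID in hex. The MAC-table
entries at the bottom are constructed sample data: (timestamp, vlan, mac, port).
"""
ACE_VMAC_PREFIX = "00:0b:fc:fe:1b"


def ft_group_from_vmac(mac):
    """Return the FT group ID encoded in an ACE VMAC, or None for any other MAC."""
    norm = mac.lower().replace("-", ":")
    if not norm.startswith(ACE_VMAC_PREFIX + ":"):
        return None
    return int(norm.rsplit(":", 1)[1], 16)


def vmac_for_group(group_id):
    """Build the VMAC for an FT group ID (1-255 is an assumed range)."""
    if not 1 <= group_id <= 255:
        raise ValueError("FT group ID must be 1-255")
    return "%s:%02x" % (ACE_VMAC_PREFIX, group_id)


def detect_vmac_moves(entries):
    """Flag every ACE VMAC whose learned port changes on a VLAN.

    Entries are scanned in order; a VMAC seen on one port and later on another
    port of the same VLAN is reported as (timestamp, vlan, group_id, old_port,
    new_port). Non-ACE MACs are ignored.
    """
    last_port = {}
    moves = []
    for ts, vlan, mac, port in entries:
        gid = ft_group_from_vmac(mac)
        if gid is None:
            continue  # ordinary client or server MAC
        key = (vlan, gid)
        if key in last_port and last_port[key] != port:
            moves.append((ts, vlan, gid, last_port[key], port))
        last_port[key] = port
    return moves


# Constructed MAC-table snapshots: FT group 1 on VLAN 100 moves from Gi1/0/1 to
# Gi1/0/2 at 10:07:30 (a switchover); group 2 on VLAN 200 never moves.
SAMPLE_MAC_TABLE = [
    ("10:00:01", 100, "00:0b:fc:fe:1b:01", "Gi1/0/1"),
    ("10:00:01", 100, "00:1b:21:aa:bb:cc", "Gi1/0/5"),
    ("10:00:01", 200, "00:0b:fc:fe:1b:02", "Gi1/0/2"),
    ("10:05:00", 100, "00:0b:fc:fe:1b:01", "Gi1/0/1"),
    ("10:07:30", 100, "00:0b:fc:fe:1b:01", "Gi1/0/2"),
    ("10:07:30", 200, "00:0b:fc:fe:1b:02", "Gi1/0/2"),
]

if __name__ == "__main__":
    for ts, vlan, gid, old, new in detect_vmac_moves(SAMPLE_MAC_TABLE):
        print("FT group %d on VLAN %d moved %s -> %s at %s" % (gid, vlan, old, new, ts))
```

A reported move should line up with a switchover recorded on the ACE (the HA State field described under High Availability Polling, page 9-6, or an operator-initiated switchover); a VMAC relearned on a port that does not lead to either ACE appliance is worth investigating rather than assuming a failover.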
Fault-Tolerant VLAN
Redundancy uses a dedicated fault-tolerant VLAN between redundant ACEs to transmit flow-state
information and the redundancy heartbeat. Do not use this dedicated VLAN for normal network traffic.
Treat it as a link that only the two peers can reach: it carries the replicated configuration and
connection state, and missed heartbeats on it trigger a switchover. You must configure this same VLAN
on both peer appliances. You also must configure a different IP address within the same subnet on each
appliance for the fault-tolerant VLAN.
The two redundant appliances constantly communicate over the fault-tolerant VLAN to determine the
operating status of each appliance. The standby member uses the heartbeat packet to monitor the health
of the active member. The active member uses the heartbeat packet to monitor the health of the standby
member. Communications over the switchover link include the following data:
• Redundancy protocol packets
• State information replication data
• Configuration synchronization information
• Heartbeat packets
For multiple contexts, the fault-tolerant VLAN resides in the system configuration data. Each
fault-tolerant VLAN on the ACE has one unique MAC address associated with it. The ACE uses these
device MAC addresses as the source or destination MACs for sending or receiving redundancy protocol
state and configuration replication packets.
Note
The IP address and the MAC address of the fault-tolerant VLAN do not change at switchover.
Configuration Synchronization
For redundancy to function properly, both members of a fault-tolerant group must have identical
configurations. Ensure that both ACE appliances include the same bandwidth software license (2G or
1G) and the same virtual context software license. If there is a mismatch in software license between the
two ACE appliances in an FT group, the following operational behavior can occur:
• If there is a mismatch in virtual context software license, synchronization between the active ACE and standby ACE may not work properly.
• If both the active and the standby ACE appliances have the same virtual context software license but a different bandwidth software license, synchronization works properly but traffic may be lost on switchover from the 2G ACE appliance to the 1G ACE appliance.
See the Cisco 4700 Series Application Control Engine Appliance Administration Guide for details about
the available ACE software licenses.
The ACE automatically replicates the active configuration on the standby member using a process called
configuration synchronization (config sync). Config sync automatically replicates any changes made to
the configuration of the active member to the standby member. After the ACE synchronizes the
redundancy configuration from the active member to the standby peer, it disables configuration mode on
the standby. See Synchronizing High Availability Configurations with ACE Appliance Device Manager,
page 9-7.
Redundancy Configuration Requirements and Restrictions
Follow these requirements and restrictions when configuring the redundancy feature.
• In bridged mode (Layer 2), two contexts cannot share the same VLAN.
• To achieve active-active redundancy, a minimum of two contexts and two fault-tolerant groups are required on each ACE.
• When you configure redundancy, the ACE keeps all interfaces that do not have an IP address in the Down state. The IP address and the peer IP address that you assign to a VLAN interface must be different addresses in the same subnet. For more information about configuring VLAN interfaces, see Configuring Virtual Context VLAN Interfaces, page 8-8.
• In a high availability pair, the two configured virtual contexts synchronize with each other as part of their ongoing communications. However, their copies do not synchronize in ACE Appliance Device Manager, and the configuration on the standby member can become out of sync with the configuration on the ACE appliance. After the active member of a high availability pair fails and the standby member becomes active, ACE Appliance Device Manager on the newly active member detects any out-of-sync virtual context configurations and reports that status in the All Virtual Contexts table so that you can synchronize the virtual context configurations.
• When a virtual context is in either the Standby Hot or Standby Warm state (see High Availability Polling, page 9-6), the virtual context may receive configuration changes from its ACE peer without updating the Device Manager GUI. As a result, the ACE appliance Device Manager GUI will be out of synchronization with the CLI configuration. If you need to check the configuration on a standby virtual context using the tracking and failure detection process (see Tracking VLAN Interfaces for High Availability, page 9-17), we recommend that you first perform a manual synchronization using either the CLI Sync or CLI Sync All buttons before checking the configuration values.
Configuring High Availability Overview
The tasks involved with configuring high availability are described in Table 9-1.
Table 9-1 High Availability Task Overview
Step 1: Create a fault-tolerant VLAN, identify peer IP addresses, and configure peer appliances for heartbeat count and interval. Reference: Configuring High Availability Peers, page 9-8
Step 2: Create a fault-tolerant group, assign peer priorities, associate the group with a context, place the group in service, and enable automatic synchronization. Reference: Configuring ACE High Availability Groups, page 9-11
Step 3: Configure tracking for switchover. Reference: High Availability Tracking and Failure Detection Overview, page 9-16
Related Topics
• Understanding ACE Redundancy, page 9-2
• High Availability Polling, page 9-6
• Synchronizing High Availability Configurations with ACE Appliance Device Manager, page 9-7
• Configuring High Availability Peers, page 9-8
• Configuring ACE High Availability Groups, page 9-11
• High Availability Tracking and Failure Detection Overview, page 9-16
High Availability Polling
Approximately every two minutes, the ACE appliance Device Manager issues the show ft group
command to the ACE appliance to gather the redundancy statistics of each virtual context. The state
information is displayed in the HA State and HA Peer State fields when you click Config > Virtual
Context. The possible states are:
• Active—Local member of the FT group is active and processing flows.
• Standby Cold—Either the FT VLAN is down but the peer device is still alive, or the configuration or application state synchronization failed. When a context is in this state and a switchover occurs, the transition to the Active state is stateless: existing connections are not carried over.
• Standby Bulk—Local standby context is waiting to receive state information from its active peer context. The active peer context receives a notification to send a snapshot of the current state information for all applications to the standby context.
• Standby Hot—Local standby context has all the state information it needs to statefully assume the active state if a switchover occurs.
• Standby Warm—Allows the configuration and state synchronization process to continue on a best-effort basis when you upgrade or downgrade the ACE software.
• N/A—The ACE Device Manager received an empty state from the ACE, which can occur during a transition period between state changes, for example, during a switchover.
Note
When you upgrade or downgrade the ACE from one software version to another, there is a point
in the process when the two ACEs have different software versions and, therefore, a software
incompatibility. When the Standby Warm state appears, this means that the active ACE will
continue to synchronize configuration and state information to the standby even though the
standby may not recognize or understand the software commands or state information. This
standby state allows the standby ACE to come up with best-effort support.
Synchronizing High Availability Configurations with ACE Appliance Device
Manager
When two ACE appliances are configured as high availability peers, their configurations must be
synchronized at all times so that the standby ACE peer can seamlessly take over for the active ACE peer.
As the active and standby ACEs synchronize, the configuration on the standby ACE appliance can
become out of synchronization with the ACE Appliance Device Manager-maintained configuration data
for that ACE appliance.
When an ACE appliance is in a standby state and you make configuration changes on the active ACE
appliance, the changes are also synchronized with the standby ACE appliance. However, when you access
the Device Manager GUI you will not observe the configuration changes on the standby ACE. If you
access the CLI on the standby ACE and display the redundancy configuration using the show
running-config ft command in Exec mode, you will see these configuration changes.
As a result, it is important for you to manually synchronize the ACE Appliance Device Manager on the
standby appliance to observe the entire configuration. See the “Manually Synchronizing Individual
Virtual Context Configurations” section on page 2-71.
When the ACE appliance performs a context failover (the context proceeds from the Standby Warm or
Standby Hot state to the Active state), the new active ACE appliance auto-synchronizes the configuration
and updates the ACE appliance Device Manager GUI.
After the active member of a high availability pair fails and the standby member becomes active, ACE
Appliance Device Manager on the newly active member detects any out-of-sync virtual context
configurations and reports that status in the All Virtual Contexts table so that you can synchronize the
virtual context configurations.
For information on synchronizing some or all virtual context configurations, see:
• Manually Synchronizing Individual Virtual Context Configurations, page 2-71
• Manually Synchronizing All Virtual Context Configurations, page 2-71
Related Topics
• High Availability Polling, page 9-6
• Configuring High Availability Peers, page 9-8
• Configuring ACE High Availability Groups, page 9-11
• Manually Synchronizing Individual Virtual Context Configurations, page 2-71
• Manually Synchronizing All Virtual Context Configurations, page 2-71
Configuring High Availability Peers
Note
This functionality is available only for Admin contexts.
Fault-tolerant peers use a fault-tolerant VLAN to transmit and receive heartbeat packets and state and
configuration replication packets. The standby member uses the heartbeat packet to monitor the health
of the active member, while the active member uses the heartbeat packet to monitor the health of the
standby member. When the heartbeat packets are not received from the active member when expected,
switchover occurs and the standby member assumes all active communications previously on the active
member.
Use this procedure to:
• Identify the two members of a high availability pair.
• Assign IP addresses to the peer ACE appliances.
• Assign a fault-tolerant VLAN to high availability peers and bind a physical gigabit Ethernet interface to the FT VLAN.
• Configure heartbeat frequency and count on the ACE appliances in a fault-tolerant VLAN.
Assumption
• At least one fault-tolerant VLAN has been configured.
Note
A fault-tolerant VLAN cannot be used for other network traffic.
Procedure
Step 1
Select Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management
window appears with two columns: One for the selected ACE appliance and one for a peer ACE
appliance.
Step 2
Click Edit, then enter the information for the primary appliance and the peer appliance as described in
Table 9-2.
Table 9-2 ACE High Availability Management Configuration Attributes

VLAN
This Appliance: Specify a fault-tolerant VLAN to be used for this high availability pair. Valid entries are integers from 2 to 4094. Note: This VLAN cannot be used for other network traffic.
Peer Appliance: Not applicable.

Interface
This Appliance: Select the interface (specified by slot_number/port_number, where slot_number is the physical slot on the ACE appliance and port_number is the physical Ethernet data port on the ACE appliance) or the port channel.
Peer Appliance: Not applicable.

IP Address
This Appliance: Enter an IP address for the fault-tolerant VLAN in dotted-decimal format, such as 192.168.11.2.
Peer Appliance: Enter the IP address of the peer interface in dotted-decimal format so that the peer appliance can communicate on the fault-tolerant VLAN.

Netmask
This Appliance: Select the subnet mask that is to be used for the fault-tolerant VLAN.
Peer Appliance: Not applicable.

Management IP Address
This Appliance: Enter the IP address for the ACE.
Peer Appliance: Enter the Management IP Address of the peer appliance. When you enter this information, you can click the HA Peer hyperlink in the Config > Virtual Contexts screen.

Query VLAN
This Appliance: Select the VLAN that the standby appliance is to use to determine whether the active appliance is down or whether there is a connectivity problem with the fault-tolerant VLAN.
Peer Appliance: Not applicable.

Heartbeat Count
This Appliance: Enter the number of heartbeat intervals that must elapse without the standby appliance receiving a heartbeat packet before the standby appliance determines that the active member is not available. Valid entries are integers from 10 to 50. Together with the Heartbeat Interval, this sets the failure-detection time (Heartbeat Count multiplied by Heartbeat Interval), which with the allowed ranges lies between 1 second and 50 seconds.
Peer Appliance: Not applicable.

Heartbeat Interval
This Appliance: Enter the number of milliseconds that the active appliance is to wait between each heartbeat it sends to the standby appliance. Valid entries are integers from 100 to 1000.
Peer Appliance: Not applicable.

Interface Enabled
This Appliance: Check the Interface Enabled check box to enable the high availability interface. Clear the check box to disable the high availability interface.
Peer Appliance: Not applicable.

Shared VLAN Host ID
This Appliance: Enter the bank of MAC addresses that this ACE uses. Valid entries are integers from 1 to 16. Be sure to configure different bank numbers for multiple ACEs.
Peer Appliance: Not applicable.

Peer Shared VLAN Host ID
This Appliance: Enter the bank of MAC addresses that the peer ACE uses in the redundant configuration. Valid entries are integers from 1 to 16. Be sure to configure different bank numbers for multiple ACEs.
Peer Appliance: Not applicable.

HA State
This Appliance: Not applicable.
Peer Appliance: This is a read-only field with the current state of high availability on the ACE appliance.
Step 3
Click:
• Deploy Now to save your entries and to continue with configuring high availability groups. The ACE HA Management screen appears at the top of the content area and the ACE HA Groups table appears at the bottom. See Configuring ACE High Availability Groups, page 9-11 to configure a high availability group.
• Cancel to exit this procedure without saving your entries and to view the ACE HA Management screen.
Related Topics
• Understanding ACE Redundancy, page 9-2
• Configuring ACE High Availability Groups, page 9-11
• Tracking VLAN Interfaces for High Availability, page 9-17
Clearing High Availability Pairs
Note
This functionality is available only for Admin contexts.
Use this procedure to remove a high availability link between two ACE appliances.
Procedure
Step 1
Select Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management
screen appears.
Step 2
Select the ACE appliance pair whose high availability configuration you want to remove, then click
Clear. A message appears asking you to confirm the clearing of the high availability link.
Step 3
Click:
• OK to confirm the removal of this high availability link and to return to the ACE HA Management screen.
• Cancel to exit this procedure without removing this high availability link and to return to the ACE HA Management screen.
Related Topics
• Understanding ACE Redundancy, page 9-2
• Configuring High Availability Peers, page 9-8
• Editing ACE High Availability Groups, page 9-13
• High Availability Tracking and Failure Detection Overview, page 9-16
• Tracking VLAN Interfaces for High Availability, page 9-17
• Tracking Hosts for High Availability, page 9-18
Configuring ACE High Availability Groups
Note
This functionality is available only for Admin contexts.
A fault-tolerant group consists of a maximum of two contexts: One active context on one appliance and
one standby context on the peer appliance. You can create multiple fault-tolerant groups on each ACE
appliance up to a maximum of 21 groups (20 user contexts and 1 Admin context).
Use this procedure to configure high availability groups.
Note
For the replication process to function properly and successfully replicate the configuration for a user
context when switching from the active context to the standby context, ensure that each user context has
been added to the FT group. All applicable user contexts must be part of an FT group for redundancy to
function properly.
Assumption
At least one high availability pair has been configured. (See Configuring High Availability Peers,
page 9-8.)
Procedure
Step 1
Select Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management screen
appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2
In the ACE HA Groups table, click Add to add a new high availability group. The table refreshes with
the configurable fields.
Step 3
Check the Enabled check box to enable the high availability group. Clear the Enabled check box to
disable the high availability group.
Step 4
In the Context field, select the virtual context to associate with this high availability group.
Step 5
In the Priority (Actual) field, enter the priority you want to assign to the first appliance in the group.
Valid entries are integers from 1 to 255.
A member of a fault-tolerant group becomes the active member through a process based on the priority
assigned. In this process, the group member with the higher priority becomes the active member. When
you set up a fault-tolerant pair, use a higher priority for the group where the active member initially
resides.
Step 6
Check the Preempt check box to indicate that the group member with the higher priority is to always
assert itself and become the active member. Clear the Preempt check box to indicate that you do not want
the group member with the higher priority to always become the active member.
Step 7
In the Peer Priority (Actual) field, enter the priority you want to assign to the peer appliance in the group.
Valid entries are integers from 1 to 255.
A member of a fault-tolerant group becomes the active member through a process based on the priority
assigned. In this process, the group member with the higher priority becomes the active member. When
you set up a fault-tolerant pair, use a higher priority for the group where the active member initially
resides.
Step 8
Check the Autosync Run check box to enable automatic synchronization of the running configuration
files. Clear the Autosync Run check box to disable automatic synchronization of the running
configuration files. If you disable automatic synchronization, you need to update the configuration of the
standby context manually.
Note
To understand how synchronization works between the active and the standby ACE appliances, see
Understanding ACE Redundancy, page 9-2, and Redundancy Configuration Requirements and Restrictions,
page 9-5.
Step 9
Check the Autosync Startup check box to enable automatic synchronization of the startup configuration
files. Clear the Autosync Startup check box to disable automatic synchronization of the startup
configuration files. If you disable automatic synchronization, you need to update the configuration of the
standby context manually. See Manually Synchronizing Individual Virtual Context Configurations,
page 2-71.
Step 10
Click:
• Deploy Now to accept your entries. The ACE HA Groups table refreshes with the new high availability group.
• Cancel to exit this procedure without saving your entries and to return to the ACE HA Management screen and ACE HA Groups table.
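The peer settings from Table 9-2 and the group settings from Steps 1 through 10 above meet in the running configuration, and several of this chapter's rules (distinct peer addresses in one subnet, the heartbeat ranges, priorities that decide the initially active member, every applicable context belonging to an FT group) can be checked there. As an added example (not code from the Cisco guide or the ACE software), the following Python check parses a constructed excerpt in the style of the show running-config ft output mentioned under Synchronizing High Availability Configurations, and reports the failure-detection time that Heartbeat Count and Heartbeat Interval imply, which appliance is initially active for each FT group given the priorities and the Preempt setting, whether the pair is active-active, and any context that is in no FT group. The CLI keywords in the excerpt (ft interface vlan, ft peer, ft group, heartbeat, priority, peer priority, preempt, associate-context) and the context list are assumptions of this example, not taken from this page.

```python
"""Check an ACE fault-tolerant (FT) configuration against the rules in this chapter.
Added example, not from the Cisco guide or the ACE software; the CLI keywords used
below are an assumption of this example, and the excerpt and context list are constructed."""
import ipaddress

HEARTBEAT_INTERVAL_MS, HEARTBEAT_COUNT, PRIORITY = (100, 1000), (10, 50), (1, 255)
SAMPLE_FT_CONFIG = """\
ft interface vlan 100
  ip address 192.168.11.2 255.255.255.0
  peer ip address 192.168.11.3 255.255.255.0
ft peer 1
  heartbeat interval 300
  heartbeat count 10
ft group 1
  priority 200
  peer priority 100
  associate-context Admin
ft group 2
  no preempt
  priority 100
  peer priority 200
  associate-context VC_APP1
"""
# Contexts configured on the appliance (constructed); VC_APP2 is in no FT group.
SAMPLE_CONTEXTS = ["Admin", "VC_APP1", "VC_APP2"]


def parse_ft_config(text):
    """Return (ft_interface, ft_peer, groups) dicts parsed from the excerpt."""
    iface, peer, groups, cur = {}, {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        line = " ".join(t)
        if line.startswith("ft interface vlan "):
            cur, iface["vlan"] = iface, int(t[-1])
        elif line.startswith("ft peer "):
            cur = peer
        elif line.startswith("ft group "):
            cur = groups[int(t[-1])] = {"preempt": True, "contexts": []}
        elif cur is iface and line.startswith(("ip address ", "peer ip address ")):
            key, ip, mask = ("peer_" if t[0] == "peer" else ""), t[-2], t[-1]
            cur[key + "ip"] = ipaddress.ip_address(ip)
            cur[key + "net"] = ipaddress.ip_network("%s/%s" % (ip, mask), strict=False)
        elif cur is peer and line.startswith("heartbeat "):
            cur["interval_ms" if t[1] == "interval" else "count"] = int(t[-1])
        elif cur is not None and cur is not iface and cur is not peer:  # inside ft group
            if line.startswith("peer priority "):
                cur["peer_priority"] = int(t[-1])
            elif line.startswith("priority "):
                cur["priority"] = int(t[-1])
            elif line in ("preempt", "no preempt"):
                cur["preempt"] = line == "preempt"
            elif line.startswith("associate-context "):
                cur["contexts"].append(t[-1])
    return iface, peer, groups


def check_ft_config(text, contexts):
    """Report detection time, initial active side per FT group, and rule violations."""
    iface, peer, groups = parse_ft_config(text)
    in_range = lambda v, b: v is not None and b[0] <= v <= b[1]
    findings = []
    # FT VLAN: two different addresses in the same subnet (Requirements and Restrictions).
    if iface.get("ip") is None or iface.get("peer_ip") is None or iface["ip"] == iface["peer_ip"]:
        findings.append("FT VLAN: distinct local and peer IP addresses are required")
    elif iface["net"] != iface["peer_net"]:
        findings.append("FT VLAN: local and peer IP addresses must be in the same subnet")
    interval, count = peer.get("interval_ms"), peer.get("count")
    for name, val, bounds in (("interval", interval, HEARTBEAT_INTERVAL_MS),
                              ("count", count, HEARTBEAT_COUNT)):
        if not in_range(val, bounds):
            findings.append("heartbeat %s %s outside %s" % (name, val, bounds))
    initial_active, preempt, covered = {}, {}, set()
    for gid, g in sorted(groups.items()):
        p, pp = g.get("priority"), g.get("peer_priority")
        if not (in_range(p, PRIORITY) and in_range(pp, PRIORITY)):
            findings.append("FT group %d: priority and peer priority must be 1-255" % gid)
            continue
        # The higher priority wins the election; equal priorities leave it undetermined.
        initial_active[gid] = "this" if p > pp else "peer" if pp > p else "undetermined"
        preempt[gid] = g["preempt"]
        covered.update(g["contexts"])
    # A context that belongs to no FT group is not replicated to the standby.
    findings += ["context %s: not in any FT group" % c for c in contexts if c not in covered]
    return {
        # The standby declares the active member unavailable after `count` missed intervals.
        "detection_ms": interval * count if interval and count else None,
        "initial_active": initial_active,
        "preempt": preempt,
        # Active-active needs at least one group initially active on each appliance.
        "active_active": {"this", "peer"} <= set(initial_active.values()),
        "findings": findings,
    }


if __name__ == "__main__":
    print(check_ft_config(SAMPLE_FT_CONFIG, SAMPLE_CONTEXTS))
```

With the sample values (interval 300 ms, count 10) the standby waits 3 seconds before declaring the active member unavailable; shortening that window makes switchover faster but also makes a congested or flapping FT VLAN more likely to trigger one.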
Related Topics
• Configuring High Availability Peers, page 9-8
• Editing ACE High Availability Groups, page 9-13
• High Availability and Virtual Context Configuration Status, page 2-70
• Tracking VLAN Interfaces for High Availability, page 9-17
• Tracking Hosts for High Availability, page 9-18
Editing ACE High Availability Groups
Note
This functionality is available only for Admin contexts.
Use this procedure to modify the attributes of a high availability group.
Note
If you need to modify a fault-tolerant group, take the group out of service before making any other
changes (see Taking a High Availability Group Out of Service, page 9-14). When you finish making all
changes, place the group back into service (see Enabling a High Availability Group, page 9-14).
Procedure
Step 1
Select Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management
screen appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2
In the ACE HA Groups table, select the high availability group you want to modify, then click Edit. The
table refreshes with configurable fields.
Step 3
Modify the fields as desired. For information on these fields, see Configuring ACE High Availability
Groups, page 9-11.
Step 4
When you finish modifying this group, click:
• Deploy Now to accept your entries and to return to the ACE HA Groups table.
• Cancel to exit this procedure without saving your entries and to return to the ACE HA Management screen.
Related Topics
• Taking a High Availability Group Out of Service, page 9-14
• Enabling a High Availability Group, page 9-14
• Configuring High Availability Peers, page 9-8
• High Availability Tracking and Failure Detection Overview, page 9-16
• Tracking VLAN Interfaces for High Availability, page 9-17
• Tracking Hosts for High Availability, page 9-18
Taking a High Availability Group Out of Service
Note
This functionality is available only for Admin contexts.
If you need to modify a fault-tolerant group, you must first take the group out of service before making
any other changes. Use this procedure to take a high availability group out of service.
Procedure
Step 1
Select Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management
screen appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2
In the ACE HA Groups table, select the high availability group you want to take out of service, then click
Edit. The table refreshes with configurable fields.
Step 3
Clear the Enabled check box.
Step 4
Click Deploy Now to take the high availability group out of service and to return to the ACE HA Groups
table.
You can now make the necessary modifications to the high availability group. To put the high availability
group back in service, see Enabling a High Availability Group, page 9-14.
Related Topic
• Enabling a High Availability Group, page 9-14
Enabling a High Availability Group
Note
This functionality is available only for Admin contexts.
After you take a high availability group out of service to modify it, you need to reenable the group. Use
the following procedure to put a high availability group back in service.
Procedure
Step 1
Select Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management
screen appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2
In the ACE HA Groups table, select the high availability group you want to put back in service, then
click Edit. The table refreshes with configurable fields.
Step 3
Check the Enabled check box.
Step 4
Click Deploy Now to put the high availability group in service and to return to the ACE HA Groups
table.
Related Topic
• Taking a High Availability Group Out of Service, page 9-14
Switching Over a High Availability Group
Note: This functionality is available only for Admin contexts.
You may need to cause a switchover when you want to make a particular context the standby (for
example, for maintenance or a software upgrade on the currently active context). If the standby group
member can statefully become the active member of the high availability group, a switchover occurs.
Use this procedure to force the failover of a high availability group.
Procedure
Step 1  Select Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management screen appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2  In the ACE HA Groups table, select the group you want to switch over, then click Switchover. The standby group member becomes active, while the previously active group member becomes the standby member.
Related Topics
• Understanding ACE Redundancy, page 9-2
• Configuring High Availability Peers, page 9-8
• Configuring ACE High Availability Groups, page 9-11
• Tracking VLAN Interfaces for High Availability, page 9-17
Deleting ACE High Availability Groups
Note: This functionality is available only for Admin contexts.
Use this procedure to remove a high availability group from ACE Appliance Device Manager
management.
Procedure
Step 1  Select Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management screen appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2  In the ACE HA Groups table, select the high availability group that you want to remove, then click Delete. A message appears asking you to confirm the deletion.
Step 3  Click:
• Deploy Now to delete the high availability group and to return to the ACE HA Groups table. The selected group no longer appears.
• Cancel to exit this procedure without deleting the high availability group and to return to the ACE HA Groups table.
Related Topics
• Configuring High Availability Peers, page 9-8
• Configuring ACE High Availability Groups, page 9-11
• Tracking VLAN Interfaces for High Availability, page 9-17
High Availability Tracking and Failure Detection Overview
The tracking and detection of failures ensures that switchover occurs as soon as the criteria are met (see Configuring High Availability Peers, page 9-8). With the ACE Appliance Device Manager, you can track and detect failures on:
• Hosts—See Tracking Hosts for High Availability, page 9-18.
• Interfaces—See Tracking VLAN Interfaces for High Availability, page 9-17.
When the active member of a fault-tolerant group becomes unresponsive, the following occurs:
1. The active member’s priority is reduced by 10.
2. If the resulting priority value is less than that of the standby member, the active member switches over and the standby member becomes the new active member. All active flows continue uninterrupted.
3. When the failed member comes back up, its priority is incremented by 10.
4. If the resulting priority value is greater than that of the currently active member, a switchover occurs again, returning the flows to the originally active member.
Note: In a user context, the ACE appliance allows a switchover only of the fault-tolerant groups belonging to that context. In an Admin context, the ACE appliance allows a switchover of all fault-tolerant groups on all configured contexts on the appliance.
Related Topics
• Configuring ACE High Availability Groups, page 9-11
• Tracking VLAN Interfaces for High Availability, page 9-17
• Tracking Hosts for High Availability, page 9-18
Tracking VLAN Interfaces for High Availability
Use this procedure to configure a tracking and failure detection process for a VLAN interface.
Note: When a virtual context is in either the Standby Hot or Standby Warm state (see High Availability Polling, page 9-6), the virtual context may receive configuration changes from its ACE peer without updating the Device Manager GUI. As a result, the ACE appliance Device Manager GUI will be out of synchronization with the CLI configuration. If you need to check the tracking and failure detection configuration on a standby virtual context, we recommend that you first perform a manual synchronization using either the CLI Sync or CLI Sync All buttons before checking the configuration values.
Procedure
Step 1  Select Config > Virtual Contexts > HA Tracking And Failure Detection > Interfaces. The Track Interface table appears.
Step 2  Click Add to add a new tracking process to this table, or select an existing entry, then click Edit to modify it. The Track Interface configuration screen appears.
Step 3  In the Track Object Name field, enter a unique identifier for the tracking process. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4  In the Priority field, enter the priority for the interface on the active member. Valid entries are integers from 1 to 255 with higher values indicating higher priorities. The values that you enter here and in the Interface Peer Priority field (see Step 6) reflect the point at which you want switchover to occur. If the tracked interface goes down, the priority of that fault-tolerant group on the active member is decremented by the value entered in the Priority field. If the priority of the fault-tolerant group on the active member falls below that of the standby member, a switchover occurs.
Step 5  In the VLAN Interface field, select the fault-tolerant VLAN that you want the active member to track.
Step 6  In the Interface Peer Priority field, enter the priority for the interface on the standby member. Valid entries are integers from 1 to 255 with higher values indicating higher priorities. The values that you enter here and in the Priority field (see Step 4) reflect the point at which you want switchover to occur. If the interface tracked by the standby member goes down, the priority of that fault-tolerant group on the standby member is decremented by the value entered in the Interface Peer Priority field. Because a switchover occurs only when the priority of the fault-tolerant group on the active member falls below that of the standby member, this decrement reduces the chance that the standby member takes over while its own tracked interface is also down.
Step 7  In the Peer VLAN Interface field, enter the identifier of an existing fault-tolerant VLAN that you want the standby member to track. Valid entries are integers from 1 to 4096.
Step 8  Click:
• Deploy Now to save your entries and to return to the Track Interface table.
• Cancel to exit this procedure without saving your entries and to return to the Track Interface table.
• Next to save your entries and to configure the next entry in the Track Interface table.
Related Topics
• Configuring High Availability Peers, page 9-8
• Configuring ACE High Availability Groups, page 9-11
• Tracking Hosts for High Availability, page 9-18
Tracking Hosts for High Availability
Use this procedure to configure a tracking and failure detection process for a gateway or host.
Procedure
Step 1  Select Config > Virtual Contexts > HA Tracking And Failure Detection > Hosts. The Track Host table appears.
Step 2  Click Add to add a new tracking process to the table, or select an existing entry, then click Edit to modify it. The Track Host configuration screen appears.
Step 3  In the Track Object Name field, enter a unique identifier for the tracking process. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4  In the Track Host/IP Address field, enter the IP address or hostname of the gateway or host that you want the active member of the high availability group to track. Enter the IP address in dotted-decimal format, such as 192.168.11.2.
Step 5  In the Priority field, enter the priority of the probe sent by the active member. Valid entries are integers from 1 to 255. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the host that the probe is tracking. If the probe goes down, the ACE appliance decrements the priority of the fault-tolerant group on the active member by the value in the Priority field.
Step 6  In the Peer Host/IP Address field, enter the IP address or hostname of the host that you want the standby member to track. Enter the IP address using dotted-decimal notation, such as 192.168.11.2.
Step 7  In the Peer Priority field, enter the priority of the probe sent by the standby member. Valid entries are integers from 1 to 255. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the host that the probe is tracking. If the probe goes down, the ACE appliance decrements the priority of the fault-tolerant group on the standby member by the value in the Peer Priority field.
Step 8  Click:
• Deploy Now to save your entries and to continue with configuring track host probes. See Configuring Host Tracking Probes, page 9-19.
• Cancel to exit this procedure without saving your entries and to return to the Track Host table.
• Next to save your entries and to configure another tracking process.
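The priority rules in the overview (a 10-point penalty on an unresponsive active member, fail-back only when the recovered member is again strictly higher) and the Priority/Peer Priority decrements in the interface and host tracking procedures are easier to reason about with a model you can run. The following Python is an added example, not Cisco code or ACE output; it applies the rules as this guide states them, with a per-object decrement on whichever member's tracked object fails and a switchover only when the active member's effective priority drops below the standby's. The group, VLAN, gateway and priority values are constructed, and because the guide does not say whether a priority can go below 1 after decrements, the model applies no floor.

```python
"""Model of ACE fault-tolerant (FT) group priorities with tracked objects.

Added example, not Cisco code. It reproduces the arithmetic this guide
describes so a tracking design can be checked before it is deployed.
"""
from dataclasses import dataclass, field

# The guide states that an unresponsive active member loses 10 priority
# points and regains them when it comes back.
UNRESPONSIVE_PENALTY = 10


@dataclass
class TrackedObject:
    """One Track Interface or Track Host entry (names are constructed).

    priority      -- decrement applied to the active member's group priority
                     when the object tracked by the active member fails
    peer_priority -- decrement applied to the standby member's group priority
                     when the object tracked by the standby member fails
    """
    name: str
    priority: int
    peer_priority: int
    active_up: bool = True
    peer_up: bool = True


@dataclass
class FTGroup:
    """Configured priorities of one FT group as seen from both members."""
    group_id: int
    active_priority: int      # priority configured on the currently active member
    standby_priority: int     # priority configured on the standby member
    tracks: list = field(default_factory=list)
    active_responsive: bool = True

    def effective_priorities(self):
        """Return (active, standby) after all decrements currently in effect.

        Assumption: no lower bound is applied; the guide does not state one.
        """
        active = self.active_priority
        standby = self.standby_priority
        if not self.active_responsive:
            active -= UNRESPONSIVE_PENALTY
        for obj in self.tracks:
            if not obj.active_up:
                active -= obj.priority
            if not obj.peer_up:
                standby -= obj.peer_priority
        return active, standby

    def switchover_needed(self):
        """Switchover happens only when active drops strictly below standby."""
        active, standby = self.effective_priorities()
        return active < standby

    def single_failures_causing_switchover(self):
        """Names of tracked objects whose failure on the active member alone
        (peer side still healthy) would trigger a switchover."""
        names = []
        for obj in self.tracks:
            saved = obj.active_up
            obj.active_up = False
            if self.switchover_needed():
                names.append(obj.name)
            obj.active_up = saved
        return names


def unresponsive_cycle(active_priority, standby_priority):
    """Replay steps 1-4 of the overview for a member that becomes unresponsive
    and then recovers.  Returns which member ('A' = originally active,
    'B' = originally standby) is active after each of the two events."""
    a, b = active_priority, standby_priority
    current = "A"
    a -= UNRESPONSIVE_PENALTY                 # step 1
    if a < b:                                 # step 2
        current = "B"
    after_failure = current
    a += UNRESPONSIVE_PENALTY                 # step 3
    if current == "B" and a > b:              # step 4: fail back only if higher
        current = "A"
    return after_failure, current


if __name__ == "__main__":
    # Constructed design: active member at 150, standby at 100, both members
    # tracking the client-side VLAN and the upstream gateway.
    group = FTGroup(
        group_id=1, active_priority=150, standby_priority=100,
        tracks=[TrackedObject("vlan100", priority=60, peer_priority=60),
                TrackedObject("gw-10.1.1.1", priority=30, peer_priority=30)],
    )
    print("single failures that fail over:", group.single_failures_causing_switchover())
    group.tracks[1].active_up = False          # gateway lost on the active member only
    print("gateway down on active only ->", group.switchover_needed())
    group.tracks[1].peer_up = False            # gateway lost on both members
    print("gateway down on both ->", group.switchover_needed())
    for pair in ((105, 100), (100, 100), (150, 100)):
        print("unresponsive cycle", pair, "->", unresponsive_cycle(*pair))
```

Two things the model makes visible: with equal configured priorities (100 and 100) the recovered member never preempts, because its restored priority is not greater than the current active member's; and, by the rule as the guide states it, a member with a large lead (150 versus 100) is not moved by the 10-point penalty alone, so the priority gap between peers and the tracking decrements have to be designed together.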
Related Topics
• Configuring Host Tracking Probes, page 9-19
• Configuring High Availability Peers, page 9-8
• Configuring ACE High Availability Groups, page 9-11
• Tracking VLAN Interfaces for High Availability, page 9-17
Configuring Host Tracking Probes
Use this procedure to configure probes on the active high availability group member to track the health
of the gateway or host.
Assumptions
• At least one host tracking process for high availability has been configured (see Tracking Hosts for High Availability, page 9-18).
• At least one health monitoring probe has been configured (see Configuring Health Monitoring for Real Servers, page 4-31).
Procedure
Step 1  Select Config > Virtual Contexts > HA Tracking And Failure Detection > Hosts. The Track Host table appears.
Step 2  Select the tracking process you want to configure a probe for, then select the Track Host Probe tab. The Track Host Probe table appears.
Step 3  In the Track Host Probe table, click Add to add a track host probe, or select an existing track host probe, then click Edit to modify it. The Track Host Probe configuration screen appears.
Step 4  In the Probe Name field, select the name of the probe to be used for the host tracking process.
Step 5  In the Priority field, enter a priority for the host you are tracking by the active member of the high availability group. Valid entries are integers from 1 to 255 with higher values indicating higher priorities. Assign a priority value based on the relative importance of the gateway or host that the probes are tracking. If the host goes down, the ACE appliance decrements the priority of the high availability group on the active member by the value in this Priority field. If the resulting priority of the high availability group on the active member is less than the priority of the high availability group on the standby member, a switchover occurs.
Step 6  Click:
• Deploy Now to save your entries and to return to the Track Host Probe table. The table includes the added probe.
• Cancel to exit this procedure without saving your entries and to return to the Track Host Probe table.
• Next to save your entries and to configure another track host probe.
Related Topics
• Configuring Peer Host Tracking Probes, page 9-20
• Configuring High Availability Peers, page 9-8
• Configuring ACE High Availability Groups, page 9-11
• Tracking VLAN Interfaces for High Availability, page 9-17
Deleting Host Tracking Probes
Use this procedure to remove a high availability host tracking probe.
Procedure
Step 1  Select Config > Virtual Contexts > HA Tracking And Failure Detection > Hosts. The Track Host table appears.
Step 2  Select the tracking process you want to modify, then select the Track Host Probe tab. The Track Host Probe table appears.
Step 3  In the Track Host Probe table, select the probe you want to remove, then click Delete. The probe is deleted and the Track Host Probe table refreshes without the deleted probe.
Related Topics
• Configuring Peer Host Tracking Probes, page 9-20
• Configuring High Availability Peers, page 9-8
• Configuring ACE High Availability Groups, page 9-11
• Tracking VLAN Interfaces for High Availability, page 9-17
Configuring Peer Host Tracking Probes
Use this procedure to configure probes on the standby member of a high availability group to track the
health of the gateway or host.
Assumptions
• At least one host tracking process for high availability has been configured (see Tracking Hosts for High Availability, page 9-18).
• At least one health monitoring probe has been configured (see Configuring Health Monitoring for Real Servers, page 4-31).
Procedure
Step 1  Select Config > Virtual Contexts > HA Tracking And Failure Detection > Hosts. The Track Host table appears.
Step 2  Select the tracking process you want to modify, then select the Peer Track Host Probe tab. The Peer Track Host Probes table appears.
Step 3  In the Peer Track Host Probes table, click Add to add a peer host tracking probe, or select an existing peer host tracking probe, then click Edit to modify it. The Peer Track Host Probes configuration screen appears.
Step 4  In the Probe Name field, select the name of the probe to be used for the peer host tracking process.
Step 5  In the Priority field, enter a priority for the host you are tracking by the standby member of the high availability group. Valid entries are integers from 1 to 255 with higher values indicating higher priorities. Assign a priority value based on the relative importance of the gateway or host that the probes are tracking. If the host goes down, the ACE appliance decrements the priority of the high availability group on the standby member by the value in this Priority field.
Step 6  Click:
• Deploy Now to save your entries and to return to the Peer Track Host Probes table. The table includes the added probe.
• Cancel to exit this procedure without saving your entries and to return to the Peer Track Host Probes table.
• Next to save your entries and to configure another peer track host probe.
Related Topics
• Configuring Host Tracking Probes, page 9-19
• Configuring High Availability Peers, page 9-8
• Configuring ACE High Availability Groups, page 9-11
• Tracking VLAN Interfaces for High Availability, page 9-17
Deleting Peer Host Tracking Probes
Use this procedure to remove a high availability peer host tracking probe.
Procedure
Step 1  Select Config > Virtual Contexts > HA Tracking And Failure Detection > Hosts. The Track Host table appears.
Step 2  Select the tracking process you want to modify, then select the Peer Track Host Probe tab. The Peer Track Host Probes table appears.
Step 3  In the Peer Track Host Probes table, select the probe you want to remove, then click Delete. The probe is deleted and the Peer Track Host Probes table refreshes without the deleted probe.
Related Topics
• Configuring Peer Host Tracking Probes, page 9-20
• Configuring Host Tracking Probes, page 9-19
• Tracking VLAN Interfaces for High Availability, page 9-17
CHAPTER 10
Configuring Traffic Policies
ACE Appliance Device Manager helps you configure class maps and policy maps to provide a global
level of classification for filtering traffic received by or passing through the ACE appliance. You create
traffic policies and attach these policies to one or more VLAN interfaces associated with the ACE
appliance to apply feature-specific actions to the matching traffic. The ACE appliance uses the
individual traffic policies to implement functions such as:
• Remote access using Secure Shell (SSH) or Telnet
• Server load balancing
• Network Address Translation (NAT)
• Optimization of HTTP traffic
• HTTP deep packet inspection, application protocol inspection, FTP command inspection, Skinny Client Control Protocol (SCCP) deep packet inspection, or SIP inspection
• Secure Socket Layer (SSL) security services between a Web browser (the client) and the HTTP connection (the server)
• TCP termination, normalization, and reuse
• IP normalization and fragment reassembly
Note: When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names with an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you use the ACE CLI to configure a named object with special characters that the DM does not support, you may not be able to configure the ACE using DM.
Related Topics
• Class Map and Policy Map Overview, page 10-2
• Configuring Virtual Context Class Maps, page 10-8
• Setting Match Conditions for Class Maps, page 10-10
• Configuring Virtual Context Policy Maps, page 10-33
• Configuring Rules and Actions for Policy Maps, page 10-35
• Configuring Actions Lists, page 10-80
Class Map and Policy Map Overview
You classify inbound network traffic destined to, or passing through, the ACE appliance based on a series
of flow match criteria specified by a class map. Each class map defines a traffic classification; that is,
network traffic that is of interest to you. A policy map defines a series of actions (functions) that you
want applied to a set of classified inbound traffic.
Class maps enable you to classify network traffic based on the following criteria:
• Layer 3 and Layer 4 traffic flow information—Source or destination IP address, source or destination port, virtual IP address, IP protocol and port, or management protocol
• Layer 7 protocol information—HTTP cookie, HTTP URL, HTTP header, HTTP content, FTP request commands, RADIUS, RDP, RTSP, Skinny, or SIP
Table 10-1 lists the available policies for the ACE.

Table 10-1  Traffic Policies

| Policy Map | Description |
| --- | --- |
| Layer 3/4 Management Traffic (First-Match) | Layer 3 and Layer 4 policy map for network management traffic received by the ACE |
| Layer 3/4 Network Traffic (First-Match) | Layer 3 and Layer 4 policy map for traffic passing through the ACE |
| Layer 7 Command Inspection - FTP (First-Match) | Layer 7 policy map for inspection of FTP commands |
| Layer 7 Deep Packet Inspection - HTTP (All-Match) | Layer 7 policy map for inspection of HTTP packets |
| Layer 7 Deep Packet Inspection - SIP (All-Match) | Layer 7 policy map for inspection of SIP packets |
| Layer 7 Deep Packet Inspection - Skinny | Layer 7 policy map for inspection of Skinny Client Control Protocol (SCCP) |
| Layer 7 HTTP Optimization (First-Match) | Layer 7 policy map for optimizing HTTP traffic |
| Layer 7 Server Load Balancing (First-Match) | Layer 7 policy map for HTTP server load balancing |
| Server Load Balancing - Generic (First-Match) | Generic Layer 7 policy map for server load balancing |
| Server Load Balancing - RADIUS (First-Match) | Layer 7 policy map for RADIUS server load balancing |
| Server Load Balancing - RDP (First-Match) | Layer 7 policy map for RDP server load balancing |
| Server Load Balancing - RTSP (First-Match) | Layer 7 policy map for RTSP server load balancing |
The traffic classification process consists of the following three steps:
1. Creating a class map, which comprises a set of match criteria related to Layer 3 and Layer 4 traffic classifications or Layer 7 protocol classifications.
2. Creating a policy map, which refers to the class maps and identifies a series of actions to perform based on the traffic match criteria.
3. Activating the policy map and attaching it to a specific VLAN interface or globally to all VLAN interfaces associated with a context by configuring a virtual context global traffic policy to filter traffic received by the ACE appliance.
The following overview topics describe the components that define a traffic policy:
• Class Maps, page 10-3
• Policy Maps, page 10-4
• Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 10-5
• Application Protocol Inspection Overview, page 10-5
• Configuring Virtual Context Global Traffic Policies, page 2-26
Class Maps
A class map defines each type of Layer 3 and Layer 4 traffic class and each Layer 7 protocol class. You
create class maps to classify the traffic received and transmitted by the ACE appliance.
• Layer 3 and Layer 4 traffic classes contain match criteria that identify the IP network traffic that can pass through the ACE appliance or network management traffic that can be received by the ACE appliance.
• Layer 7 protocol-specific classes identify server load balancing based on HTTP traffic, deep inspection of HTTP traffic, or the inspection of FTP commands by the ACE appliance.
A traffic class contains the following components:
• Class map name
• Class map type
• One or more match conditions that define the match criteria for the class map
• Instructions on how the ACE appliance evaluates match conditions when you specify more than one match statement in a traffic class (match-any, match-all)
The ACE supports a system-wide maximum of 8192 class maps.
The individual match conditions specify the criteria for classifying Layer 3 and Layer 4 network traffic
as well as the Layer 7 HTTP server load balancing and application protocol-specific fields. The ACE
appliance evaluates the packets to determine whether they match the specified criteria. If a statement
matches, the ACE appliance considers that packet to be a member of the class and forwards the packet
according to the specifications set in the traffic policy. Packets that fail to meet any of the matching
criteria are classified as members of the default traffic class if one is specified.
The ACE appliance allows you to configure two Layer 7 HTTP load-balancing class maps in a nested
traffic class configuration to create a single traffic class. You can perform Layer 7 class map nesting to
achieve complex logical expressions. The ACE appliance restricts the nesting of class maps to two levels
to prevent you from including one nested class map under a different class map.
Related Topics
• Class Map and Policy Map Overview, page 10-2
• Policy Maps, page 10-4
• Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 10-5
• Application Protocol Inspection Overview, page 10-5
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Context Class Maps, page 10-8
Policy Maps
A policy map creates the traffic policy. The purpose of a traffic policy is to implement specific ACE
appliance functions associated with a traffic class. A traffic policy contains the following components:
• Policy map name
• Previously created traffic class map or, optionally, the class-default class map
• One or more of the individual Layer 3 and Layer 4 or Layer 7 policies that specify the actions to be performed by the ACE appliance
The ACE appliance supports a system-wide maximum of 4096 policy maps.
A Layer 7 policy map is always associated with a Layer 3 and Layer 4 policy map, which provides the entry point for traffic classification. Layer 7 policy maps are considered to be child policies and can only be nested under a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface; a Layer 7 policy map cannot be applied directly on an interface. For example, to associate a Layer 7 load-balancing policy map, you nest the load-balancing policy map by using the Layer 3 and Layer 4 policy map action type.
If none of the classifications specified in policy maps match, then the ACE appliance executes the default
actions specified against the class map configured with the Use Class Default option to use a default
class map (if specified). All traffic that fails to meet the other matching criteria in the named class map
belongs to the default traffic class. The Use Class Default feature has an implicit match-any match
statement and is used to match any traffic classification.
The ACE appliance supports flexible class map ordering within a policy map. The ACE appliance
executes only the actions for the first matching traffic classification, so the order of class maps within a
policy map is very important. The policy lookup order is based on the security features of the ACE
appliance. The policy lookup order is implicit, irrespective of the order in which you configure policies
on the interface.
The policy lookup order of the ACE appliance is as follows:
1. Access control (permit or deny a packet)
2. Permit or deny management traffic
3. TCP/UDP connection parameters
4. Load balancing based on a virtual IP (VIP)
5. Application protocol inspection
6. Source NAT
7. Destination NAT
The sequence in which the ACE appliance applies the actions for a specific policy is independent of the
actions configured for a class map inside a policy.
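A runnable model of the matching rules from the Class Maps and Policy Maps sections, added here as an example (not Cisco code): a class map evaluates its match conditions with match-all or match-any, a policy map returns the action of the first class that matches, and class-default catches whatever the named classes miss. The class-map and policy-map names, the VIP 10.1.1.100, the 10.0.0.0/24 admin subnet, the action labels and the sample flows are all constructed.

```python
"""Model of ACE class-map matching and first-match policy-map lookup.

Added example, not Cisco code. Class-map and policy-map names, the VIP,
the subnet and the sample flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Match conditions: each returns a predicate Flow -> bool.
def match_source(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda f: ipaddress.ip_address(f.src) in net


def match_destination(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda f: ipaddress.ip_address(f.dst) in net


def match_port(proto, port):
    return lambda f: f.proto == proto and f.dport == port


def match_vip(ip, proto, port):
    return lambda f: f.dst == ip and f.proto == proto and f.dport == port


class ClassMap:
    """match_all=True: every condition must hold; False: any one suffices."""

    def __init__(self, name, conditions, match_all=True):
        self.name = name
        self.conditions = conditions
        self.match_all = match_all

    def matches(self, flow):
        results = (cond(flow) for cond in self.conditions)
        return all(results) if self.match_all else any(results)


class PolicyMap:
    """Ordered (class_map, action) pairs; the first matching class wins.
    class_default, if set, catches everything the named classes miss."""

    def __init__(self, name, entries, class_default=None):
        self.name = name
        self.entries = list(entries)
        self.class_default = class_default

    def lookup(self, flow):
        for class_map, action in self.entries:
            if class_map.matches(flow):
                return class_map.name, action
        if self.class_default is not None:
            return "class-default", self.class_default
        return None


# Constructed classes: a broad "any HTTP" class and a specific VIP class.
ANY_HTTP = ClassMap("ANY-HTTP", [match_port("tcp", 80)])
VIP_WEB = ClassMap("VIP-WEB", [match_vip("10.1.1.100", "tcp", 80)])
ADMIN_SSH = ClassMap("ADMIN-SSH", [match_source("10.0.0.0/24"), match_port("tcp", 22)], match_all=True)
LOOSE_SSH = ClassMap("LOOSE-SSH", [match_source("10.0.0.0/24"), match_port("tcp", 22)], match_all=False)

# Broad class first: the VIP class can never be reached for port-80 traffic.
SHADOWED = PolicyMap("L4-SHADOWED", [(ANY_HTTP, "inspect-http"), (VIP_WEB, "loadbalance-vip-web")],
                     class_default="drop")
# Specific class first: VIP traffic is load balanced, other HTTP is inspected.
ORDERED = PolicyMap("L4-ORDERED", [(VIP_WEB, "loadbalance-vip-web"), (ANY_HTTP, "inspect-http")],
                    class_default="drop")


def classify(policy, flows):
    """Return {flow: (class name, action)} for a batch of flows."""
    return {f: policy.lookup(f) for f in flows}


if __name__ == "__main__":
    sample = [Flow("192.0.2.10", "10.1.1.100", "tcp", 80),
              Flow("192.0.2.10", "10.1.1.50", "tcp", 80),
              Flow("192.0.2.10", "10.1.1.100", "tcp", 443)]
    for policy in (SHADOWED, ORDERED):
        print(policy.name)
        for flow, result in classify(policy, sample).items():
            print("  ", flow.dst, flow.dport, "->", result)
    outsider = Flow("198.51.100.7", "10.1.1.1", "tcp", 22)
    print("match-all admin class:", ADMIN_SSH.matches(outsider))
    print("match-any admin class:", LOOSE_SSH.matches(outsider))
```

The SHADOWED policy shows why ordering matters: because ANY-HTTP precedes VIP-WEB, traffic to the VIP is inspected but never load balanced, and reversing the two entries fixes it. The LOOSE-SSH class shows the other common mistake, a match-any class that was meant as match-all, which lets any source reach port 22. The model covers ordering within one policy map only; the fixed feature lookup order listed above (access control before management traffic, and so on) applies across policies and is not affected by how you order the classes.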
Related Topics
• Class Map and Policy Map Overview, page 10-2
• Policy Maps, page 10-4
• Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 10-5
• Application Protocol Inspection Overview, page 10-5
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Context Policy Maps, page 10-33
Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps
Parameter maps allow you to combine related actions in a Layer 3 and Layer 4 policy map. For example,
an HTTP parameter map provides a means of performing actions on traffic received by the ACE
appliance based on certain criteria such as HTTP header and cookie settings, server connection reuse,
action to be taken when an HTTP header, cookie or URL exceeds a configured maximum length, and so
on.
The ACE appliance uses policy maps to combine class maps and parameter maps into traffic policies and
to perform certain configured actions on the traffic that matches the specified criteria in the policies.
See Table 6-1 for a list of available ACE appliance parameter maps.
Related Topics
• Configuring Parameter Maps, page 6-1
• Class Map and Policy Map Overview, page 10-2
• Class Maps, page 10-3
• Policy Maps, page 10-4
• Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 10-5
• Application Protocol Inspection Overview, page 10-5
Application Protocol Inspection Overview
Certain applications require special handling of the data portion of a packet as the packets pass through
the ACE appliance. Application protocol inspection helps to verify the protocol behavior and identify
unwanted or malicious traffic passing through the ACE appliance. Based on the specifications of the
traffic policy, the ACE appliance accepts or rejects the packets to ensure the secure use of applications
and services.
You can configure the ACE to perform application protocol inspection, sometimes referred to as an application protocol “fixup,” for applications that do the following:
• Embed IP addressing information in the data packet including the data payload.
• Open secondary channels on dynamically assigned ports.
You may require the ACE to perform application inspection of Domain Name System (DNS), FTP (File
Transfer Protocol), H.323, HTTP, Internet Control Message Protocol (ICMP), Internet Locator Service
(ILS), Real-Time Streaming Protocol (RTSP), Skinny Client Control Protocol (SCCP), and Session
Initiation Protocol (SIP) as a first step before passing the packets to the destination server. For HTTP,
the ACE performs deep packet inspection to statefully monitor the HTTP protocol and permit or deny
traffic based on user-defined traffic policies. HTTP deep packet inspection focuses mainly on HTTP
attributes such as the HTTP header, the URL, and the payload. For FTP, the ACE performs FTP
command inspection for FTP sessions, allowing you to restrict specific commands by the ACE.
Application inspection helps you to identify the location of the embedded IP addressing information in
the TCP or UDP flow. This inspection allows the ACE to translate embedded IP addresses and to update
any checksum or other fields that are affected by the translation.
Translating IP addresses embedded in the payload of protocols is especially important for NAT
(explicitly configured by the user) and server load balancing (an implicit NAT).
Application inspection also monitors TCP or UDP sessions to determine the port numbers for secondary
channels. Some protocols open secondary TCP or UDP ports to improve performance. The initial session
on a well-known port is used to negotiate dynamically assigned port numbers. The application protocol
inspection function monitors these sessions, identifies the dynamic port assignments, and permits data
exchange on these ports for the duration of the session.
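As an added example (not Cisco code), the following Python shows what an FTP fixup has to do on the control channel to deliver the two behaviours described above: parse the address and port embedded in PORT commands and 227 passive replies, rewrite them according to a NAT mapping, record the secondary data channel that must be permitted for the session, and reject a command whose embedded address is malformed. Because the rewritten text can be longer than the original, the inspector also tracks how many bytes it added in each direction, which is the adjustment a real device must apply to TCP sequence and acknowledgment numbers. The NAT table, the FTP lines, and the class and field names are constructed.

```python
"""Worked model of FTP application inspection ("fixup") under NAT.

Added example, not Cisco code. It rewrites the address and port embedded
in the FTP control channel (PORT commands and 227 PASV replies) and learns
the secondary data channel that must be permitted for the session.  The
NAT table and the sample FTP lines are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_CMD = re.compile(r"^PORT " + HOSTPORT + r"\r\n$")
PASV_REPLY = re.compile(r"^227 .*\(" + HOSTPORT + r"\)\.?\r\n$")


def decode_hostport(groups):
    """'h1,h2,h3,h4,p1,p2' fields -> ('h1.h2.h3.h4', p1*256+p2), validated."""
    octets = [int(x) for x in groups[:4]]
    p1, p2 = int(groups[4]), int(groups[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("octet or port byte out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable for a data channel")
    return ".".join(map(str, octets)), port


def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


@dataclass(frozen=True)
class Pinhole:
    """Secondary channel the inspector expects; opened for this session only."""
    src_ip: str          # "any": the remote end of the data channel is not fixed
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class FtpInspector:
    """Tracks one FTP control connection through a static NAT (constructed)."""
    nat: dict                       # inside IP -> translated (outside) IP
    pinholes: list = field(default_factory=list)
    c2s_delta: int = 0              # bytes added to the client->server stream
    s2c_delta: int = 0              # bytes added to the server->client stream
    dropped: int = 0

    def _translate(self, ip):
        return self.nat.get(ip, ip)

    def inspect_client_line(self, line):
        """Client -> server: rewrite PORT and expect a server-initiated data channel."""
        m = PORT_CMD.match(line)
        if not m:
            return line                          # not address-bearing: pass unchanged
        try:
            ip, port = decode_hostport(m.groups())
        except ValueError:
            self.dropped += 1
            return None                          # inspection rejects the packet
        translated = self._translate(ip)
        new_line = "PORT " + encode_hostport(translated, port) + "\r\n"
        self.pinholes.append(Pinhole("any", translated, port))
        self.c2s_delta += len(new_line) - len(line)
        return new_line

    def inspect_server_line(self, line):
        """Server -> client: rewrite 227 replies and expect a client-initiated data channel."""
        m = PASV_REPLY.match(line)
        if not m:
            return line
        try:
            ip, port = decode_hostport(m.groups())
        except ValueError:
            self.dropped += 1
            return None
        translated = self._translate(ip)
        new_line = line.replace(",".join(m.groups()), encode_hostport(translated, port), 1)
        self.pinholes.append(Pinhole("any", translated, port))
        self.s2c_delta += len(new_line) - len(line)
        return new_line


if __name__ == "__main__":
    # Constructed NAT: inside client 10.1.1.10 appears as 203.0.113.10,
    # inside server 10.1.1.20 appears as 203.0.113.20.
    insp = FtpInspector(nat={"10.1.1.10": "203.0.113.10", "10.1.1.20": "203.0.113.20"})
    print(insp.inspect_client_line("PORT 10,1,1,10,4,1\r\n"))                        # port 4*256+1
    print(insp.inspect_server_line("227 Entering Passive Mode (10,1,1,20,195,80).\r\n"))
    print(insp.inspect_client_line("PORT 10,1,1,10,999,1\r\n"))                      # malformed
    print(insp.pinholes, "c2s", insp.c2s_delta, "s2c", insp.s2c_delta, "dropped", insp.dropped)
```

The pinhole list is the part that matters for the access policy: without it, the data connection (server to client after PORT, client to server after PASV) would have to be permitted wholesale, which is exactly what inspection lets you avoid.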
Table 10-2 describes the application inspection protocols supported by the ACE, the default TCP or UDP
protocol and port, and whether the protocol is compatible with Network Address Translation (NAT) and
Port Address Translation (PAT).
Table 10-2
Application Inspection Support
Each entry lists the application protocol, its transport protocol and default port, NAT/PAT support,
whether inspection is enabled by default, the standards it follows (see note 1 below the table), and
comments or limitations.

DNS
Transport protocol: UDP
Port: source any, destination 53
NAT/PAT support: NAT
Enabled by default: No
Standards (1): RFC 1123
Comments/Limitations: Inspects DNS packets destined to port 53. You can specify the maximum length
of the DNS packet to be inspected.

FTP
Transport protocol: TCP
Port: source any, destination 21
NAT/PAT support: Both
Enabled by default: No
Standards (1): RFC 959
Comments/Limitations: Inspects FTP packets, translates the address and port embedded in the payload,
and opens up a secondary channel for data.

FTP strict
Transport protocol: TCP
Port: source any, destination 21
NAT/PAT support: Both
Enabled by default: No
Standards (1): RFC 959
Comments/Limitations: The FTP Strict field allows the ACE appliance to track each FTP command and
response sequence, and also prevents an FTP client from determining valid usernames that are
supported on an FTP server.

HTTP
Transport protocol: TCP
Port: source any, destination 80
NAT/PAT support: Both
Enabled by default: No
Standards (1): RFC 2616
Comments/Limitations: Inspects HTTP packets.

ICMP
Transport protocol: ICMP
Port: N/A (source and destination)
NAT/PAT support: Both
Enabled by default: No
Standards (1): none
Comments/Limitations: Allows ICMP traffic to have a "session" so that it can be inspected similarly to
TCP and UDP traffic.

ICMP error
Transport protocol: ICMP
Port: N/A (source and destination)
NAT/PAT support: NAT
Enabled by default: No
Standards (1): none
Comments/Limitations: The ICMP Error field supports NAT of ICMP error messages. When you enable
ICMP error inspection, the ACE appliance creates translation sessions for intermediate hops that send
ICMP error messages, based on the NAT configuration. The ACE appliance overwrites the packet with
the translated IP addresses.

ILS
Transport protocol: TCP
Port: source any, destination 389
NAT/PAT support: NAT
Enabled by default: No
Standards (1): RFC 2251 (LDAPv3); includes support for RFC 1777 (LDAPv2)
Comments/Limitations: Referral requests and responses are not supported. Users in multiple directories
are not unified. Single users having multiple identities in multiple directories cannot be recognized by
NAT.

RTSP
Transport protocol: TCP
Port: source any, destination 554
NAT/PAT support: NAT
Enabled by default: No
Standards (1): RFC 2326, RFC 2327, RFC 1889
Comments/Limitations: Inspects RTSP packets and translates the payload according to NAT rules. The
ACE opens up the secondary channels for audio and video. Not all the RTSP methods (packet types)
specified in the RFC are supported.

SCCP
Transport protocol: TCP
Port: source any, destination 2000
NAT/PAT support: NAT
Enabled by default: No
Standards (1): none
Comments/Limitations: The ACE does not support PAT with SCCP.

SIP
Transport protocol: TCP and UDP
Port: source any, destination 5060
NAT/PAT support: NAT
Enabled by default: No
Standards (1): RFC 2543, RFC 3261, RFC 3265, RFC 3428
Comments/Limitations: The ACE does not support PAT with SIP.
1. The ACE is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example,
FTP commands are supposed to be in a particular order, but the ACE does not enforce the order.
For background information about application protocol inspection as performed by the ACE appliance,
see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
Related Topics
•
Setting Match Conditions for Class Maps, page 10-10
•
Configuring Virtual Context Policy Maps, page 10-33
•
Configuring Rules and Actions for Policy Maps, page 10-35
Configuring Virtual Context Class Maps
Class maps are used to define each Layer 3 and Layer 4 traffic class and each Layer 7 protocol class.
You create class maps to classify the traffic received and transmitted by the ACE appliance.
•
Layer 3 and Layer 4 traffic classes contain match criteria that identify the IP network traffic that can
pass through the ACE appliance or network management traffic that can be received by the ACE
appliance.
•
Layer 7 protocol-specific classes identify:
– Server load balancing, based on generic, HTTP, RADIUS, RTSP, or SIP traffic
– HTTP or SIP traffic for deep inspection
– FTP traffic for inspection of commands
A traffic class contains:
•
A class map name
•
One or more match commands that define the match criteria for the class map
•
Instructions on how the ACE appliance evaluates match commands when there is more than one
match command in a traffic class
Note
To successfully delete a class map from a context, the class map must no longer be in use. To delete
multiple class maps, none of the class maps must be in use. If you attempt to delete multiple class maps
and one of the class maps is still in use, none of the class maps are deleted and a message appears stating
that one of the class maps is in use. Remove the class map that is still in use from your selection, then
click Delete. The selected class maps are removed.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
Click Add to add a new class map, or select an existing class map, then click Edit to modify it.
Step 3
The Name field contains an automatically incremented number for the class map. You can leave the
number as it is or enter a different, unique number.
Step 4
In the Class Map Type field, select the type of class map you are creating (Table 10-3).
Table 10-3
Class Map Types
Each class map type, followed by the topic that describes its match conditions:
Layer 3/4 Management Traffic: Setting Match Conditions for Layer 3/Layer 4 Management Traffic
Class Maps, page 10-13
Layer 3/4 Network Traffic: Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps,
page 10-11
Layer 7 Command Inspection - FTP: Setting Match Conditions for Layer 7 FTP Command Inspection
Class Maps, page 10-29
Layer 7 Deep Packet Inspection - HTTP: Setting Match Conditions for Layer 7 HTTP Deep Packet
Inspection Class Maps, page 10-24
Layer 7 Deep Packet Inspection - SIP: Setting Match Conditions for Layer 7 SIP Deep Packet
Inspection Class Maps, page 10-30
Layer 7 Server Load Balancing: Setting Match Conditions for Layer 7 Server Load-Balancing Class
Maps, page 10-15
Server Load Balancing - Generic: Setting Match Conditions for Generic Server Load Balancing Class
Maps, page 10-18
Server Load Balancing - RADIUS: Setting Match Conditions for RADIUS Server Load Balancing Class
Maps, page 10-19
Server Load Balancing - RTSP: Setting Match Conditions for RTSP Server Load Balancing Class Maps,
page 10-20
Server Load Balancing - SIP: Setting Match Conditions for SIP Server Load Balancing Class Maps,
page 10-22
Step 5
For all selections except Layer 7 Command Inspection - FTP, in the Match Type field, select the method
the ACE appliance is to use to evaluate multiple match statements when multiple match conditions exist
in the class map:
•
Match-any—Indicates that the class map is a match if at least one of the match conditions listed in
the class map is satisfied.
•
Match-all—Indicates that the class map is a match only if all match conditions listed in the class
map are satisfied.
Step 6
In the Description field, enter a brief description for this class map.
Step 7
Click:
•
Deploy Now to deploy this configuration on the ACE appliance and to configure match conditions
for this class map. See Setting Match Conditions for Class Maps, page 10-10 for more information.
•
Cancel to exit the procedure without saving your entries and to return to the Class Maps table.
•
Next to save your entries and to configure another class map.
Related Topics
•
Configuring Virtual Contexts, page 2-1
•
Deleting Class Maps, page 10-10
•
Setting Match Conditions for Class Maps, page 10-10
•
Configuring Virtual Context Policy Maps, page 10-33
Deleting Class Maps
To successfully delete a class map from a context, the class map must no longer be in use. To delete
multiple class maps, none of the class maps must be in use.
Assumption
The class map to be deleted is not being used.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
Select the class maps you want to delete, then click Delete.
If you attempt to delete multiple class maps and one of the class maps is still in use, none of the class
maps are deleted and a message appears stating that one of the class maps is in use. Remove the class map
that is still in use from your selection, then click Delete. The Class Maps table refreshes and the deleted
class maps no longer appear.
Related Topics
•
Class Map and Policy Map Overview, page 10-2
•
Configuring Virtual Context Class Maps, page 10-8
Setting Match Conditions for Class Maps
Table 10-4 lists the class maps available for the ACE and provides links to topics for setting match
conditions:
Table 10-4
Class Maps and Match Conditions
Class Map
Related Topic
Layer 3/4 Management Traffic
Setting Match Conditions for Layer 3/Layer 4 Management
Traffic Class Maps, page 10-13
Layer 3/4 Network Traffic
Setting Match Conditions for Layer 3/Layer 4 Network Traffic
Class Maps, page 10-11
Layer 7 Command Inspection - FTP
Setting Match Conditions for Layer 7 FTP Command
Inspection Class Maps, page 10-29
Layer 7 Deep Packet Inspection HTTP
Setting Match Conditions for Layer 7 HTTP Deep Packet
Inspection Class Maps, page 10-24
Layer 7 Deep Packet Inspection - SIP
Setting Match Conditions for Layer 7 SIP Deep Packet
Inspection Class Maps, page 10-30
Layer 7 Server Load Balancing
Setting Match Conditions for Layer 7 Server Load-Balancing
Class Maps, page 10-15
Server Load Balancing - Generic
Setting Match Conditions for Generic Server Load Balancing
Class Maps, page 10-18
Server Load Balancing - RADIUS
Setting Match Conditions for RADIUS Server Load Balancing
Class Maps, page 10-19
Server Load Balancing - RTSP
Setting Match Conditions for RTSP Server Load Balancing
Class Maps, page 10-20
Server Load Balancing - SIP
Setting Match Conditions for SIP Server Load Balancing Class
Maps, page 10-22
Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps
Use this procedure to specify the match criteria for a Layer 3/Layer 4 network traffic class map on the
ACE appliance.
Assumption
You have configured a Layer 3/Layer 4 class map and want to establish match conditions.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
In the Class Maps table, select the Layer 3/4 network traffic class map you want to set match conditions
for. You can select multiple class maps (hold down the Shift key while selecting entries) and apply
common match conditions to them.
Step 3
In the Match Condition table, click Add to add match criteria, or select the match condition you want to
modify, then click Edit. The Match Condition configuration screen appears.
Step 4
In the Sequence Number field, enter an integer from 2 to 255.
Step 5
In the Match Condition Type field, select the type of match condition to be used for this class map and
configure any match-specific attributes as described in Table 10-5.
Table 10-5
Layer 3/Layer 4 Network Traffic Class Map Match Condition Attributes
Match Condition Type
Description
Access List
Indicates that an access list is the match type for this match condition.
In the Extended ACL field, select the ACL to use as the match condition.
Any
Indicates that any Layer 3 or Layer 4 traffic passing through the ACE appliance meets the match
condition.
Destination Address
Indicates that a destination address is the match type for this match condition.
1.
In the Destination Address field, enter the destination IP address for this match condition in
dotted-decimal format, such as 192.168.11.1.
2.
In the Destination Netmask field, select the subnet mask for the destination IP address.
Port
Indicates that a UDP or TCP port or range of ports is the match type for this match condition.
1.
In the Port Protocol field, select TCP or UDP as the protocol to be matched.
2.
In the Port Operator field, select the match criteria for the port:
– Any—Indicates that any port using the selected protocol meets the match condition.
– Equal To—Indicates that a specific port using the protocol meets the match condition.
In the Port Number field, enter the port to be matched. Valid entries are integers from 0 to
65535. A value of 0 indicates that the ACE appliance is to include all ports.
– Range—Indicates that the port must be one of a range of ports to meet the match condition.
a. In the Lower Port Number field, enter the first port number in the port range for the
match condition.
b. In the Upper Port Number field, enter the last port number in the port range for the
match condition.
Valid entries are integers from 0 to 65535. A value of 0 indicates that the ACE appliance
is to include all ports.
Source Address
Indicates that a source IP address is the match type for this match condition.
1.
In the Source Address field, enter the source IP address for this match condition in
dotted-decimal format, such as 192.168.11.1.
2.
In the Source Netmask field, select the subnet mask for the source IP address.
Virtual Address
Indicates that a virtual IP address is the match type for this match condition.
1.
In the Virtual IP Address field, enter the VIP server IP address of the ACE appliance in
dotted-decimal format, such as 192.168.11.1.
2.
In the Virtual IP Netmask field, select the subnet mask for the virtual IP address.
3.
In the Virtual Address Protocol field, select the protocol to be used for this match condition.
For a list of protocols and their respective numbers, see Table 2-16.
Depending on the protocol that you select, additional fields appear. If they appear, enter the
information described in the following steps.
4.
In the Port Operator field, select the match criteria for the port:
– Any—Indicates that any port using the selected protocol meets the match condition.
– Equal To—Indicates that a specific port using the protocol meets the match condition.
In the Port Number field, enter the port to be matched. Valid entries are integers from 0 to
65535. A value of 0 indicates that the ACE appliance is to include all ports.
– Range—Indicates that the port must be one of a range of ports to meet the match condition.
Valid entries are integers from 0 to 65535. A value of 0 indicates that the ACE appliance
is to include all ports.
a. In the Lower Port Number field, enter the first port number in the port range for the
match condition.
b. In the Upper Port Number field, enter the last port number in the port range for the
match condition.
Step 6
Click:
•
Deploy Now to deploy this configuration on the ACE appliance and to return to the Match Condition
table.
Note
If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if you
have not made changes. If you have not altered existing match conditions, click Cancel
instead of Deploy Now to ensure uninterrupted traffic.
•
Cancel to exit the procedure without saving your entries and to return to the Match Condition table.
•
Next to save your entries and to configure additional match conditions.
Related Topics
•
Configuring Traffic Policies, page 10-1
•
Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 10-13
•
Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps, page 10-15
•
Configuring Virtual Context Policy Maps, page 10-33
•
Configuring Virtual Context Class Maps, page 10-8
Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps
Use this procedure to identify the network management protocols that can be received by the ACE
appliance. Telnet and HTTP carry credentials in cleartext, so prefer SSH and HTTPS, and pair each
protocol with a Source Address match so that management access is limited to known administrative
subnets rather than to any client that can reach the appliance.
Assumption
You have configured a network management class map and want to establish the match conditions.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
In the Class Maps table, select the Layer 3/Layer 4 management class map you want to set match
conditions for. You can select multiple class maps (hold down the Shift key while selecting entries) and
apply common match conditions to them.
Step 3
In the Match Condition table, click Add to add match criteria, or select the match conditions you want
to modify, then click Edit. The Match Condition configuration screen appears.
Step 4
Enter the match conditions (see Table 10-6).
Table 10-6
Management Class Map Match Conditions
Field
Description
Sequence Number
Enter an integer from 2 to 255 as the line number. The number entered here
does not indicate a priority or sequence for the match conditions.
Match Condition Type
Select Management to confirm that this is for Layer 3/Layer 4 management
traffic.
Note
To change the type of match condition, you must delete the class map
and add it again with the correct match type.
Management Protocol Type
This field identifies the network management protocols that can be received
by the ACE appliance.
Select the allowed protocol for this match condition:
•
HTTP—Specifies the Hypertext Transfer Protocol (HTTP).
•
HTTPS—Specifies the Hypertext Transfer Protocol Secure (HTTPS) for
connectivity with the ACE Appliance Device Manager GUI on the ACE
appliance. Communication is performed using port 443.
•
ICMP—Specifies the Internet Control Message Protocol (ICMP),
commonly referred to as ping.
•
KALAP UDP—Specifies the KeepAlive Appliance Protocol over UDP.
•
SNMP—Specifies the Simple Network Management Protocol (SNMP).
•
SSH—Specifies a Secure Shell (SSH) connection to the ACE appliance.
•
TELNET—Specifies a Telnet connection to the ACE appliance.
•
XML-HTTPS—Specifies HTTPS as the transfer protocol for sending
and receiving XML documents between the ACE appliance and a
Network Management System (NMS). Communication is performed
using port 10443.
Traffic Type
Select the type of traffic:
•
Any—Indicates that any client source IP address meets the match
condition.
•
Source Address—Indicates that a specific source IP address is part of
the match condition.
Source Address
This field appears if Source Address is selected for Traffic Type.
Enter the source IP address of the client in dotted-decimal notation, such as
192.168.11.1.
Source Netmask
This field appears if Source Address is selected for Traffic Type.
Select the subnet mask for the source IP address.
Step 5
Click:
•
Deploy Now to deploy this configuration on the ACE appliance and to return to the Match Condition
table.
Note
If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if you
have not made changes. If you have not altered existing match conditions, click Cancel
instead of Deploy Now to ensure uninterrupted traffic.
•
Cancel to exit the procedure without saving your entries and to return to the Match Condition table.
•
Next to save your entries and to configure additional match conditions.
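The following Python model is an added example written for this page, not code from the ACE or the Device Manager. It evaluates the Layer 3/Layer 4 network traffic conditions from Table 10-5 (Source Address with netmask, Port Operator, Virtual Address) and the management conditions from Table 10-6 (Management Protocol Type plus Traffic Type) against a handful of constructed flows, combining the conditions with the Match-any and Match-all rules from Step 5 of the class map procedure. The class map names, the 192.0.2.1 interface address, the 192.0.2.10 VIP, the 10.10.0.0/16 administrative subnet and every flow are assumptions for the example; the model treats a 0 port bound as unbounded on that side, and omits KALAP UDP because its port is not given on this page. Running a classifier like this against the flows you expect is worth doing before you click Deploy Now, since that interrupts traffic; the last three flows show the least-privilege outcome: SSH from the administrative subnet matches, SSH from elsewhere does not, and Telnet from the administrative subnet does not, because the class never names it.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, Optional

Flow = Dict[str, object]  # constructed view of a flow: src, dst, proto, dport

# Assumed address of the ACE interface that receives management traffic: management class
# maps classify traffic addressed to the appliance itself, not traffic passing through it.
ACE_INTERFACE = "192.0.2.1"

# Transport and port for the Management Protocol Types of Table 10-6. Ports 443 and 10443 are
# stated on this page; the rest are the IANA defaults. KALAP UDP is omitted (port not given here).
MGMT_PROTOCOLS = {
    "http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22), "telnet": ("tcp", 23),
    "snmp": ("udp", 161), "xml-https": ("tcp", 10443), "icmp": ("icmp", None),
}


def in_subnet(ip: str, addr: str, mask: str) -> bool:
    """Address plus dotted netmask, as the Address/Netmask field pairs are entered."""
    return IPv4Address(ip) in IPv4Network(f"{addr}/{mask}", strict=False)


def port_ok(port: int, operator: str, low: int = 0, high: int = 0) -> bool:
    """Port Operator semantics from Table 10-5. The page says 0 means all ports; treating a
    0 bound of a range as unbounded on that side is this model's assumption."""
    if operator == "any":
        return True
    if operator == "eq":
        return low == 0 or port == low
    if operator == "range":
        return (low or 0) <= port <= (high or 65535)
    raise ValueError(f"unknown port operator {operator!r}")


def match_source(addr: str, mask: str) -> Callable[[Flow], bool]:
    return lambda f: in_subnet(f["src"], addr, mask)


def match_virtual(vip: str, mask: str, proto: str, operator: str = "any",
                  low: int = 0, high: int = 0) -> Callable[[Flow], bool]:
    """Virtual Address condition: VIP/netmask, protocol, and an optional port operator."""
    return lambda f: (f["proto"] == proto and in_subnet(f["dst"], vip, mask)
                      and port_ok(f["dport"], operator, low, high))


def match_management(protocol: str, src_addr: Optional[str] = None,
                     src_mask: Optional[str] = None) -> Callable[[Flow], bool]:
    """Management Protocol Type plus Traffic Type (Any, or Source Address with netmask)."""
    transport, port = MGMT_PROTOCOLS[protocol]

    def pred(f: Flow) -> bool:
        if f["dst"] != ACE_INTERFACE or f["proto"] != transport:
            return False
        if port is not None and f["dport"] != port:
            return False
        return src_addr is None or in_subnet(f["src"], src_addr, src_mask)
    return pred


@dataclass
class ClassMap:
    name: str
    match_type: str  # "match-any" or "match-all" (Step 5 of the class map procedure)
    conditions: Dict[int, Callable[[Flow], bool]] = field(default_factory=dict)

    def add(self, sequence: int, condition: Callable[[Flow], bool]) -> None:
        # Sequence numbers are line identifiers from 2 to 255, not an evaluation order.
        if not 2 <= sequence <= 255 or sequence in self.conditions:
            raise ValueError(f"bad or duplicate sequence number {sequence}")
        self.conditions[sequence] = condition

    def matches(self, flow: Flow) -> bool:
        results = [cond(flow) for cond in self.conditions.values()]
        if not results:
            return False
        return any(results) if self.match_type == "match-any" else all(results)


# Constructed class maps: HTTPS to the VIP from the internal network only, and SSH or HTTPS
# to the appliance from the administrative subnet only.
WEB_VIP = ClassMap("VIP_WEB_INTERNAL", "match-all")
WEB_VIP.add(2, match_virtual("192.0.2.10", "255.255.255.255", "tcp", "eq", 443))
WEB_VIP.add(3, match_source("10.0.0.0", "255.0.0.0"))

MGMT_ADMIN = ClassMap("MGMT_ADMIN", "match-any")
MGMT_ADMIN.add(2, match_management("ssh", "10.10.0.0", "255.255.0.0"))
MGMT_ADMIN.add(3, match_management("https", "10.10.0.0", "255.255.0.0"))

SAMPLE_FLOWS = {  # constructed flows
    "internal_https_to_vip": {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 443},
    "internal_http_to_vip": {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 80},
    "external_https_to_vip": {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 443},
    "admin_ssh_to_ace": {"src": "10.10.5.5", "dst": ACE_INTERFACE, "proto": "tcp", "dport": 22},
    "external_ssh_to_ace": {"src": "198.51.100.7", "dst": ACE_INTERFACE, "proto": "tcp", "dport": 22},
    "admin_telnet_to_ace": {"src": "10.10.5.5", "dst": ACE_INTERFACE, "proto": "tcp", "dport": 23},
}


def classify(flow: Flow) -> Dict[str, bool]:
    """Which of the sample class maps the flow matches."""
    return {cm.name: cm.matches(flow) for cm in (WEB_VIP, MGMT_ADMIN)}


if __name__ == "__main__":
    for label, sample in SAMPLE_FLOWS.items():
        print(f"{label:24s} {classify(sample)}")
```

The ClassMap.add check also makes the Sequence Number rule concrete: the number identifies a line and must be unique within the class map, but the results are combined as a set, so renumbering conditions never changes what the class matches.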
Related Topics
•
Configuring Traffic Policies, page 10-1
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Real Servers, page 4-4
•
Configuring Server Farms, page 4-11
•
Configuring Sticky Groups, page 5-7
Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps
Use this procedure to set match conditions for Layer 7 server load-balancing class maps.
Assumption
You have configured a load-balancing class map and want to establish the match conditions.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
In the Class Maps table, select the Layer 7 server load balancing class map you want to set match
conditions for. You can select multiple class maps (hold down the Shift key while selecting entries) and
apply common match conditions to them.
Step 3
In the Match Condition table, click Add to add match criteria, or select the match condition you want to
modify, then click Edit. The Match Condition configuration screen appears.
Step 4
In the Sequence Number field, enter an integer from 2 to 255 as the line number. The number entered
here does not indicate a priority or sequence for the match conditions.
Step 5
In the Match Condition Type field, select the type of match to use and configure condition-specific
attributes as described in Table 10-7.
Table 10-7
Layer 7 Server Load Balancing Class Map Match Conditions
Match Condition
Description
Class Map
A class map is to be used to establish a match condition.
In the Class Map field, select the class map to apply to this match condition.
HTTP Content
Specific content contained within the HTTP entity-body is used to establish a match condition.
1.
In the Content Expression field, enter the content that is to be matched. Valid entries are
alphanumeric strings from 1 to 255 characters.
2.
In the Content Offset (Bytes) field, enter the number of bytes to be ignored starting with the
first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and
the body of the message. Valid entries are integers from 1 to 255.
HTTP Cookie
An HTTP cookie is to be used to establish a match condition.
1.
In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings
with no spaces and a maximum of 64 alphanumeric characters.
2.
In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted
text strings with no spaces and a maximum of 255 alphanumeric characters.
3.
Select the Secondary Cookie Matching check box to indicate that the ACE is to use both the
cookie name and the cookie value to satisfy this match condition. Clear this check box to
indicate that the ACE is to use either the cookie name or the cookie value to satisfy this match
condition.
HTTP Header
An HTTP header is to be used to establish a match condition.
1.
In the Header Name field, specify the header to match in one of the following ways:
– To specify an HTTP header that is not one of the standard HTTP headers, select the first
radio button, then enter the HTTP header name in the Header Name field. Valid entries
are unquoted text strings with no spaces and a maximum of 64 characters.
– To specify a standard HTTP header, click the second radio button, then select an HTTP
header from the list.
2.
In the Header Value (Bytes) field, enter the header value expression string to compare against
the value in the specified field in the HTTP header. Valid entries are text strings with a
maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching. If the string includes spaces, enclose the string in quotes. See Table 10-31 for a list
of the supported characters that you can use in regular expressions.
HTTP URL
A portion of an HTTP URL is to be used to establish a match condition.
1.
In the URL Expression field, enter a URL or a portion of a URL to match. Valid entries are
URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL
following www.hostname.domain. For example, in the URL
www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.
2.
In the Method Expression field, enter the HTTP method to match. Valid entries are method
names entered as unquoted text strings with no spaces and a maximum of 15 alphanumeric
characters. You can enter either one of the standard HTTP 1.1 method names (OPTIONS,
GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be
matched exactly (for example, CORVETTE).
Source Address
The source IP address is to be used to establish a match condition.
1.
In the Source Address field, enter the source IP address of the client in dotted-decimal
notation, such as 192.168.11.1.
2.
In the Source Netmask field, select the subnet mask of the source IP address.
Step 6
Click:
•
Deploy Now to deploy this configuration on the ACE appliance and to return to the Match Condition
table.
Note
If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if you
have not made changes. If you have not altered existing match conditions, click Cancel
instead of Deploy Now to ensure uninterrupted traffic.
•
Cancel to exit the procedure without saving your entries and to return to the Match Condition table.
•
Next to save your entries and to configure additional match conditions.
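As an added example written for this page (not code from the ACE), the following Python snippet parses two constructed HTTP/1.1 requests and applies the HTTP URL, HTTP Header and HTTP Content conditions from Table 10-7, combined with Match-any or Match-all. Two details from the table that are easy to get wrong are made explicit: the URL expression is applied only to the part of the request target after the host, so an absolute-form target such as http://www.anydomain.com/latest/whatsnew.html is matched as /latest/whatsnew.html, and the method expression is compared exactly, so GET and get are different strings. Both requests, the header values and the two class map definitions are constructed; the expressions are ordinary Python regular expressions standing in for the ACE expression syntax summarized in Table 10-31, and the HTTP Cookie condition is not modelled.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed requests (not captured traffic). The first uses the absolute-form request target
# so the host-stripping rule from Table 10-7 is exercised.
REQ_GET = (b"GET http://www.anydomain.com/latest/whatsnew.html HTTP/1.1\r\n"
           b"Host: www.anydomain.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
REQ_POST = (b"POST /api/login HTTP/1.1\r\nHost: www.anydomain.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
            b"user=alice&password=secret1")


@dataclass
class HttpRequest:
    method: str
    url: str                 # path portion only, which is all the URL Expression field covers
    headers: Dict[str, str]  # names lower-cased, since HTTP header names are case-insensitive
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser, sufficient for the match conditions in Table 10-7."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if "://" in target:                      # absolute-form target: drop scheme and host
        rest = target.split("://", 1)[1]
        slash = rest.find("/")
        target = rest[slash:] if slash >= 0 else "/"
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body)


def match_url(req: HttpRequest, expression: str, method: Optional[str] = None) -> bool:
    """HTTP URL condition: regex over the path; optional method compared exactly (case-sensitive)."""
    if method is not None and req.method != method:
        return False
    return re.search(expression, req.url) is not None


def match_header(req: HttpRequest, name: str, expression: str) -> bool:
    """HTTP Header condition: the named header is present and its value matches the regex."""
    value = req.headers.get(name.lower())
    return value is not None and re.search(expression, value) is not None


def match_content(req: HttpRequest, expression: str, offset: int = 0) -> bool:
    """HTTP Content condition: regex over the entity body after skipping `offset` bytes."""
    return re.search(expression.encode(), req.body[offset:]) is not None


def evaluate(match_type: str, results: List[bool]) -> bool:
    """Match-any / Match-all combination from Step 5 of the class map procedure."""
    return any(results) if match_type == "match-any" else all(results)


def classify_whatsnew(req: HttpRequest) -> bool:
    """Constructed match-all class: GET of exactly /latest/whatsnew.html from a Mozilla-family client."""
    return evaluate("match-all", [
        match_url(req, r"^/latest/whatsnew\.html$", "GET"),
        match_header(req, "User-Agent", r"^Mozilla/"),
    ])


def classify_login_post(req: HttpRequest) -> bool:
    """Constructed match-any class: any POST under /api/, or any body carrying a password field."""
    return evaluate("match-any", [
        match_url(req, r"^/api/", "POST"),
        match_content(req, r"(^|&)password=", 0),
    ])
```

An unanchored URL expression such as /admin matches anywhere in the path, including /static/admin.css; anchor with ^ when the intent is a prefix, and with $ when it is an exact path.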
Related Topics
•
Using Virtual Contexts, page 2-2
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
Setting Match Conditions for Generic Server Load Balancing Class Maps
Use this procedure to set match conditions for a generic server load balancing class map.
Assumption
You have configured a generic server load balancing class map and want to establish match criteria.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
In the Class Maps table, select the generic server load balancing class map you want to set match
conditions for. The Match Condition table appears.
Step 3
In the Match Condition table, click Add to add match criteria, or select the match condition you want to
modify, then click Edit. The Match Condition configuration screen appears.
Step 4
In the Sequence Number field, enter an integer from 2 to 255.
Step 5
In the Match Condition Type field, select the match condition type for this class map and configure any
match-specific criteria as described in Table 10-8.
Table 10-8
Generic Server Load Balancing Class Map Match Conditions
Match Condition
Description
Class Map
A class map is used to establish a match condition.
In the Class Map field, select the class map to use for this match condition.
Layer 4 Payload
Generic data parsing is used to establish a match condition.
1.
In the Layer 4 Payload Regex field, enter the Layer 4 payload expression contained within the
TCP or UDP entity body to use for this match condition. Valid entries are text strings with a
maximum of 255 alphanumeric characters. See Table 10-31 for a list of the supported
characters that you can use for matching string expressions.
2.
In the Layer 4 Payload Offset field, enter the absolute offset where the Layer 4 payload
expression search starts. The offset starts at the first byte of the TCP or UDP body. Valid
entries are integers from 0 to 999.
Source Address
A source IP address is used to establish a match condition.
1.
In the Source Address field, enter the source IP address for this match condition in
dotted-decimal format, such as 192.168.11.1.
2.
In the Source Netmask field, select the subnet mask for the source IP address.
Step 6
Click:
•
Deploy Now to deploy this configuration on the ACE and to return to the Match Condition table.
Note
If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not
made changes. If you have not altered existing match conditions, click Cancel instead of
Deploy Now to ensure uninterrupted traffic.
•
Cancel to exit this procedure without saving your entries and to return to the Match Condition table.
•
Next to configure another match condition for this class map.
Related Topics
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
Setting Match Conditions for RADIUS Server Load Balancing Class Maps
Use this procedure to set match conditions for a RADIUS server load balancing class map.
Assumption
You have configured a RADIUS server load balancing class map and want to establish match criteria.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
In the Class Maps table, select the RADIUS server load balancing class map you want to set match
conditions for. The Match Condition table appears.
Step 3
In the Match Condition table, click Add to add match criteria, or select the match condition you want to
modify, then click Edit. The Match Condition configuration screen appears.
Step 4
In the Sequence Number field, enter an integer from 2 to 255.
Step 5
In the Match Condition Type field, select the match condition type for this class map and configure any
match-specific criteria as described in Table 10-9.
Table 10-9
RADIUS Server Load Balancing Class Map Match Conditions
Match Condition
Description
Calling Station ID
A unique identifier of the calling station is used to establish a match condition.
In the RADIUS Calling Station ID field, enter the calling station identifier to match. Valid entries
are strings containing 1 to 64 alphanumeric characters. See Table 10-31 for a list of the supported
characters that you can use for matching string expressions.
User Name
A username is used to establish a match condition.
In the User Name field, enter the name to match. Valid entries are strings containing 1 to 64
alphanumeric characters. See Table 10-31 for a list of the supported characters that you can use
for matching string expressions.
Step 6
Click:
•
Deploy Now to deploy this configuration on the ACE and to return to the Match Condition table.
Note
If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not
made changes. If you have not altered existing match conditions, click Cancel instead of
Deploy Now to ensure uninterrupted traffic.
•
Cancel to exit this procedure without saving your entries and to return to the Match Condition table.
•
Next to configure another match condition for this class map.
Related Topics
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
Setting Match Conditions for RTSP Server Load Balancing Class Maps
Use this procedure to set match conditions for an RTSP server load balancing class map.
Assumption
You have configured an RTSP server load balancing class map and want to establish match criteria.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
In the Class Maps table, select the RTSP server load balancing class map you want to set match
conditions for. The Match Condition table appears.
Step 3
In the Match Condition table, click Add to add match criteria, or select the match condition you want to
modify, then click Edit. The Match Condition configuration screen appears.
Step 4
In the Sequence Number field, enter an integer from 2 to 255.
Step 5
In the Match Condition Type field, select the match condition type for this class map and configure any
match-specific criteria as described in Table 10-10.
Table 10-10
RTSP Server Load Balancing Class Map Match Conditions
Match Condition
Description
Class Map
A class map is used to establish a match condition.
In the Class Map field, select the class map to use for this match condition.
RTSP Header
The name and value in an RTSP header are used to establish a match condition.
1.
In the Header Name field, specify the header in one of the following ways:
– To specify an RTSP header that is not one of the standard RTSP headers, select the first
radio button and enter the RTSP header name in the Header Name field. Valid entries are
unquoted text strings with no spaces and a maximum of 64 characters.
– To specify one of the standard RTSP headers, select the second radio button and select
one of the RTSP headers from the list.
2.
In the Header Value field, enter the header value expression string to compare against the value
in the specified field in the RTSP header. Valid entries are text strings with a maximum of 255
alphanumeric characters. The ACE supports regular expressions for matching. If the string
includes spaces, enclose the string with quotes. All headers in the header map must be
matched. See Table 10-31 for a list of the supported characters that you can use in regular
expressions.
RTSP URL
A URL or portion of a URL is used to establish a match condition.
1.
In the URL Expression field, enter a URL, or portion of a URL, to match. The ACE performs
matching on whatever URL string appears after the RTSP method, regardless of whether the
URL includes the host name. The ACE supports regular expressions for matching URL
strings. See Table 10-31 for a list of the supported characters that you can use in regular
expressions.
2.
In the Method Expression field, enter the RTSP method to match. Valid entries are unquoted
text strings with no spaces and a maximum of 64 alphanumeric characters. The method can be
either one of the standard RTSP method names (DESCRIBE, ANNOUNCE,
GET_PARAMETER, OPTIONS, PAUSE, PLAY, RECORD, REDIRECT, SETUP,
SET_PARAMETER, TEARDOWN) or a text string that must be matched exactly (for
example, STINGRAY).
Source Address
The source IP address is used to establish a match condition.
1.
In the Source Address field, enter the source IP address for this match condition in
dotted-decimal format, such as 192.168.11.1.
2.
In the Source Netmask field, select the subnet mask for the source IP address.
Step 6
Click:
•
Deploy Now to deploy this configuration on the ACE and to return to the Match Condition table.
Note
If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not
made changes. If you have not altered existing match conditions, click Cancel instead of
Deploy Now to ensure uninterrupted traffic.
•
Cancel to exit this procedure without saving your entries and to return to the Match Condition table.
•
Next to configure another match condition for this class map.
Related Topics
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
Setting Match Conditions for SIP Server Load Balancing Class Maps
Use this procedure to set match conditions for a SIP server load balancing class map.
Assumption
You have configured a SIP server load balancing class map and want to establish match criteria.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
In the Class Maps table, select the SIP server load balancing class map you want to set match conditions
for. The Match Condition table appears.
Step 3
In the Match Condition table, click Add to add match criteria, or select the match condition you want to
modify, then click Edit. The Match Condition configuration screen appears.
Step 4
In the Sequence Number field, enter an integer from 2 to 255.
Step 5
In the Match Condition Type field, select the match condition type for this class map and configure any
match-specific criteria as described in Table 10-11.
Table 10-11
SIP Server Load Balancing Class Map Match Conditions
Match Condition
Description
Class Map
A class map is used to establish a match condition.
In the Class Map field, select the class map to use for this match condition.
SIP Header
A SIP header name and value are used to establish a match condition.
1.
In the Header Name field, specify the header in one of the following ways:
– To specify a SIP header that is not one of the standard SIP headers, select the first radio
button and enter the SIP header name in the Header Name field. Enter an unquoted text
string with no spaces and a maximum of 64 characters.
– To specify one of the standard SIP headers, select the second radio button and select one
of the SIP headers from the list.
2.
In the Header Value field, enter the header value expression string to compare against the value
in the specified field in the SIP header. Valid entries are text strings with a maximum of 255
alphanumeric characters. The ACE supports regular expressions for matching. If the string
includes spaces, enclose the string with quotes. All headers in the header map must be
matched. See Table 10-31 for a list of the supported characters that you can use in regular
expressions.
Source Address
The source IP address is used to establish a match condition.
1.
In the Source Address field, enter the source IP address for this match condition in
dotted-decimal format, such as 192.168.11.1.
2.
In the Source Netmask field, select the subnet mask for the source IP address.
Step 6
Click:
•
Deploy Now to deploy this configuration on the ACE and to return to the Match Condition table.
Note
If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not
made changes. If you have not altered existing match conditions, click Cancel instead of
Deploy Now to ensure uninterrupted traffic.
•
Cancel to exit this procedure without saving your entries and to return to the Match Condition table.
•
Next to configure another match condition for this class map.
Related Topics
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps
The ACE Appliance Device Manager allows you to create Layer 7 class maps and policy maps to be used
for HTTP deep packet inspection by the ACE appliance. When these features are configured, the ACE
appliance performs a stateful deep packet inspection of the HTTP protocol and permits or restricts traffic
based on the actions in the defined policy maps. You can configure the following security features as part
of HTTP deep packet inspection to be performed by ACE appliances:
•
Regular expression matching on name in an HTTP header, URL name, or content expressions in an
HTTP entity body
•
Content, URL, and HTTP header length checks
•
MIME-type message inspection
•
Transfer-encoding methods
•
Content type verification and filtering
•
Port 80 misuse by tunneling protocols
•
RFC compliance monitoring and RFC method filtering
Use this procedure to configure a Layer 7 class map for deep packet inspection of HTTP traffic.
Assumption
You have configured a Layer 7 HTTP deep packet inspection class map and want to establish match conditions.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
In the Class Maps table, select the Layer 7 HTTP deep packet inspection class map you want to set match
conditions for. You can select multiple class maps (hold down the Shift key while selecting entries) and
apply common match conditions to them.
Step 3
In the Match Condition table, click Add to add match criteria, or select the match condition you want to
modify, then click Edit. The Match Condition configuration screen appears.
Step 4
In the Sequence Number field, enter an integer from 2 to 255 as the line number. The number entered
here does not indicate a priority or sequence for the match conditions.
Step 5
In the Match Condition Type field, select the method by which match decisions are to be made and
configure condition-specific attributes as described in Table 10-12.
Table 10-12
HTTP Protocol Inspection Match Condition Types
Match Condition Type
Description
Content
Specific content contained within the HTTP entity-body is to be used for application inspection
decisions.
1.
In the Content Expression field, enter the content that is to be matched. Valid entries are
alphanumeric strings from 1 to 255 characters.
2.
In the Content Offset (Bytes) field, enter the number of bytes to be ignored starting with the
first byte of the message body, after the empty line (CR,LF,CR,LF) between the headers and
the body of the message. Valid entries are integers from 1 to 255.
Content Length
The content parse length in an HTTP message is to be used for application inspection decisions.
1.
In the Content Length Operator field, select the operand to be used to compare content length:
– Equal To—Indicates that the content length must equal the number in the Content Length
Value (Bytes) field.
– Greater Than—Indicates that the content length must be greater than the number in the
Content Length Value (Bytes) field.
– Less Than—Indicates that the content length must be less than the number in the Content
Length Value (Bytes) field.
– Range—Indicates that the content length must be within the range specified in the
Content Length Lower Value (Bytes) field and the Content Length Higher Value (Bytes)
field.
2.
Enter values to apply for content length comparison:
– If you select Equal To, Greater Than, or Less Than in the Content Length Operator field,
the Content Length Value (Bytes) field appears. In the Content Length Value (Bytes) field,
enter the number of bytes for comparison. Valid entries are integers from 0 to
4294967295.
– If you select Range in the Content Length Operator field, the Content Length Lower Value
(Bytes) and the Content Length Higher Value (Bytes) fields appear:
1. In the Content Length Lower Value (Bytes) field, enter the lowest number of bytes to
be used for this match condition. Valid entries are integers from 0 to 4294967295. The
number in this field must be less than the number entered in the Content Length Higher
Value (Bytes) field.
2. In the Content Length Higher Value (Bytes) field, enter the highest number of bytes to
be used for this match condition. Valid entries are integers from 0 to 4294967295. The
number in this field must be greater than the number entered in the Content Length Lower
Value (Bytes) field.
Header
The name and value in an HTTP header are to be used for application inspection decisions.
1.
In the Header field, select one of the predefined HTTP headers to be matched, or select HTTP
Header to specify a different HTTP header.
2.
If you select HTTP Header, in the Header Name field, enter the name of the HTTP header to
be matched. Valid entries are unquoted text strings with no spaces and a maximum of 64
alphanumeric characters.
3.
In the Header Value field, enter the header value expression string to compare against the value
in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255
alphanumeric characters. The ACE appliance supports regular expressions for matching. If the
string includes spaces, enclose the string with quotes. All headers in the header map must be
matched. See Table 10-31 for a list of the supported characters that you can use in regular
expressions.
Header Length
The length of the header in the HTTP message is to be used for application inspection decisions.
1.
In the Header Length Type field, specify whether HTTP header request or response messages
are to be used for application inspection decisions:
– Request—Indicates that HTTP header request messages are to be checked for header
length.
– Response—Indicates that HTTP header response messages are to be checked for header
length.
2.
In the Header Length Operator field, select the operand to be used to compare header length:
– Equal To—Indicates that the header length must equal the number in the Header Length
Value (Bytes) field.
– Greater Than—Indicates that the header length must be greater than the number in the
Header Length Value (Bytes) field.
– Less Than—Indicates that the header length must be less than the number in the Header
Length Value (Bytes) field.
– Range—Indicates that the header length must be within the range specified in the Header
Length Lower Value (Bytes) field and the Header Length Higher Value (Bytes) field.
3.
Enter values to apply for header length comparison:
– If you select Equal To, Greater Than, or Less Than in the Header Length Operator field,
the Header Length Value (Bytes) field appears. In the Header Length Value (Bytes) field,
enter the number of bytes for comparison. Valid entries are integers from 0 to 255.
– If you select Range in the Header Length Operator field, the Header Length Lower Value
(Bytes) and the Header Length Higher Value (Bytes) fields appear:
1. In the Header Length Lower Value (Bytes) field, enter the lowest number of bytes to be
used for this match condition. Valid entries are integers from 0 to 255. The number in this
field must be less than the number entered in the Header Length Higher Value (Bytes)
field.
2. In the Header Length Higher Value (Bytes) field, enter the highest number of bytes to
be used for this match condition. Valid entries are integers from 1 to 255. The number in
this field must be greater than the number entered in the Header Length Lower Value
(Bytes) field.
Header MIME Type
Multipurpose Internet Mail Extension (MIME) message types are to be used for application
inspection decisions.
In the Header MIME Type field, select the MIME message type to use for this match condition.
Port Misuse
The misuse of port 80 (or any other port running HTTP) is to be used for application inspection
decisions.
Indicate the application category to use for this match condition:
•
IM—Indicates that instant messaging applications are to be used for this match condition.
•
P2P—Indicates that peer-to-peer applications are to be used for this match condition.
•
Tunneling—Indicates that tunneling applications are to be used for this match condition.
Request Method
The request method is to be used for application inspection decisions.
By default, ACE appliances allow all request and extension methods. This option allows you to
configure class maps that define application inspection decisions based on compliance to request
methods defined in RFC 2616 and by HTTP extension methods.
1.
In the Request Method Type field, select the type of compliance to be used for application
inspection decision:
– Ext—Indicates that an HTTP extension method is to be used for application inspection
decisions.
– RFC—Indicates that a request method defined in RFC 2616 is to be used for application
inspection decisions.
Depending on your selection, the Ext Request Method field or the RFC Request Method field
appears.
2.
In the Request Method field, select the specific request method to be used.
Transfer Encoding
An HTTP transfer-encoding type is to be used for application inspection decisions. The
transfer-encoding general-header field indicates the type of transformation, if any, that has been
applied to the HTTP message body to safely transfer it between the sender and the recipient.
In the Transfer Encoding field, select the type of encoding that is to be checked:
•
Chunked—The message body is transferred as a series of chunks.
•
Compress—The encoding format that is produced by the UNIX file compression program
compress.
•
Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE
compression mechanism described in RFC 1951.
•
Gzip—The encoding format that is produced by the file compression program GZIP (GNU
zip) as described in RFC 1952.
•
Identity—The default (identity) encoding which does not require the use of transformation.
URL
URL names are to be used for application inspection decisions.
In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from
1 to 255 alphanumeric characters and include only the portion of the URL following
www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html,
include only /latest/whatsnew.html.
URL Length
URL length is to be used for application inspection decisions.
1.
In the URL Length Operator field, select the operand to be used to compare URL length:
– Equal To—Indicates that the URL length must equal the number in the URL Length Value
(Bytes) field.
– Greater Than—Indicates that the URL length must be greater than the number in the URL
Length Value (Bytes) field.
– Less Than—Indicates that the URL length must be less than the number in the URL
Length Value (Bytes) field.
– Range—Indicates that the URL length must be within the range specified in the URL
Length Lower Value (Bytes) field and the URL Length Higher Value (Bytes) field.
2.
Enter values to apply for URL length comparison:
– If you select Equal To, Greater Than, or Less Than in the URL Length Operator field, the
URL Length Value (Bytes) field appears. In the URL Length Value (Bytes) field, enter the
value for comparison. Valid entries are from 1 to 65535 bytes.
– If you select Range in the URL Length Operator field, the URL Length Lower Value
(Bytes) and the URL Length Higher Value (Bytes) fields appear:
1. In the URL Length Lower Value (Bytes) field, enter the lowest number of bytes to be
used for this match condition. Valid entries are integers from 1 to 65535. The number in
this field must be less than the number entered in the URL Length Higher Value (Bytes)
field.
2. In the URL Length Higher Value (Bytes) field, enter the highest number of bytes to be
used for this match condition. Valid entries are integers from 1 to 65535. The number in
this field must be greater than the number entered in the URL Length Lower Value (Bytes)
field.
Step 6
Click:
•
Deploy Now to deploy this configuration on the ACE appliance.
Note
If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if you
have not made changes. If you have not altered existing match conditions, click Cancel
instead of Deploy Now to ensure uninterrupted traffic.
•
Cancel to exit this procedure without saving your entries and to return to the Match Condition table.
•
Next to configure another match condition for this class map.
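Because Deploy Now interrupts traffic, it helps to know what a class map will match before it is deployed. The following Python is an added example, not code from Cisco or the ACE appliance: it parses a constructed HTTP request and evaluates the Content, Content Length, Header, Header Length, Header MIME Type, Request Method, Transfer Encoding, URL and URL Length condition types of Table 10-12 with the same operators (Equal To, Greater Than, Less Than, Range) and the same value limits the table lists, rejecting values outside those limits and a Range whose lower value is not below its higher value. Port Misuse is left out because the page does not describe how the appliance classifies IM, P2P and tunneling traffic. Assumptions are marked in comments: "header length" is taken to mean the byte size of the header lines, a request without a Transfer-Encoding header is treated as identity, and the condition dictionaries keyed by field name are a convenience of the example, not the Device Manager's data model.

```python
import re
from dataclasses import dataclass

# Request methods defined in RFC 2616, used by the "RFC" request-method type.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
# Transfer-encoding names listed under the Transfer Encoding match condition.
TRANSFER_ENCODINGS = {"chunked", "compress", "deflate", "gzip", "identity"}
# Inclusive value limits from Table 10-12 for each length type and for the content offset.
LIMITS = {"content_length": (0, 4294967295), "header_length": (0, 255),
          "url_length": (1, 65535), "content_offset": (1, 255)}

@dataclass
class HttpRequest:
    method: str
    url: str
    headers: list      # (name, value) pairs in wire order, names lowercased
    header_bytes: int  # byte size of the header lines (assumed meaning of "header length")
    body: bytes

def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request at the empty line (CR,LF,CR,LF) into request line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    request_line, _, header_block = head.partition(b"\r\n")
    method, url, _version = request_line.decode("latin-1").split(" ", 2)
    headers = []
    for line in header_block.decode("latin-1").split("\r\n"):
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return HttpRequest(method, url, headers, len(header_block), body)

def header_value(req, name):
    """First value of the named header (case-insensitive), or None when absent."""
    return next((v for n, v in req.headers if n == name.lower()), None)

def check_limit(kind, value):
    """Reject a configured value outside the range the table allows for its field."""
    lo, hi = LIMITS[kind]
    if not lo <= value <= hi:
        raise ValueError(f"{kind} value {value} is outside {lo}..{hi}")
    return value

def length_matches(kind, length, operator, value=None, lower=None, higher=None):
    """Apply one of the four length operators after validating the configured values."""
    if operator == "Range":
        if check_limit(kind, lower) >= check_limit(kind, higher):
            raise ValueError("Lower Value must be less than Higher Value")
        return lower <= length <= higher
    check_limit(kind, value)
    return {"Equal To": length == value, "Greater Than": length > value,
            "Less Than": length < value}[operator]

def matches(req, cond):
    """Evaluate one match condition (a dict keyed by the screen's field names) against req."""
    t = cond["type"]
    lengths = {"Content Length": ("content_length", len(req.body)),
               "Header Length": ("header_length", req.header_bytes),
               "URL Length": ("url_length", len(req.url))}
    if t in lengths:
        kind, length = lengths[t]
        return length_matches(kind, length, cond["operator"],
                              cond.get("value"), cond.get("lower"), cond.get("higher"))
    if t == "Content":
        # Offset: bytes ignored from the first byte of the body; no offset means the whole body.
        offset = check_limit("content_offset", cond["offset"]) if "offset" in cond else 0
        return re.search(cond["expression"].encode("latin-1"), req.body[offset:]) is not None
    if t == "Header":
        value = header_value(req, cond["name"])
        return value is not None and re.search(cond["expression"], value) is not None
    if t == "Header MIME Type":
        value = header_value(req, "content-type") or ""
        return value.split(";")[0].strip().lower() == cond["mime_type"].lower()
    if t == "Request Method":
        if cond["method_type"] == "RFC" and cond["method"] not in RFC2616_METHODS:
            raise ValueError(f"{cond['method']} is not an RFC 2616 request method")
        return req.method == cond["method"]
    if t == "Transfer Encoding":
        wanted = cond["encoding"].lower()
        if wanted not in TRANSFER_ENCODINGS:
            raise ValueError(f"unknown transfer encoding {wanted}")
        value = header_value(req, "transfer-encoding")
        # Assumption: a request without the header uses the default identity encoding.
        present = [e.strip().lower() for e in value.split(",")] if value else ["identity"]
        return wanted in present
    if t == "URL":
        return re.search(cond["expression"], req.url) is not None
    raise ValueError(f"unsupported match condition type {t}")

def all_conditions_match(req, conditions):
    """A class map's header map is satisfied only when every configured condition matches."""
    return all(matches(req, c) for c in conditions)

# Constructed sample request (not captured traffic); the URL is 21 bytes, the body 12 bytes.
SAMPLE_REQUEST = (b"POST /latest/whatsnew.html HTTP/1.1\r\n"
                  b"Host: www.anydomain.com\r\n"
                  b"Content-Type: text/html; charset=utf-8\r\n"
                  b"Transfer-Encoding: chunked\r\n"
                  b"\r\n"
                  b"hello world!")
```

Running `matches(parse_request(SAMPLE_REQUEST), {"type": "URL Length", "operator": "Range", "lower": 1, "higher": 255})` returns True, while a Header Length condition with a value above 255 raises ValueError before any comparison, mirroring the field limits the screen enforces.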
Related Topics
•
Configuring Virtual Context Policy Maps, page 10-33
•
Setting Match Conditions for Class Maps, page 10-10
•
Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 10-13
•
Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps, page 10-15
•
Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps, page 10-29
Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps
Use this procedure to set match conditions for a Layer 7 FTP command inspection class map.
Assumption
You have configured a Layer 7 FTP command inspection class map and want to establish match criteria.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
In the Class Maps table, select the Layer 7 FTP command inspection class map that you want to
configure match conditions for. You can select multiple class maps (hold down the Shift key while
selecting entries) and apply common match conditions to them.
Step 3
In the Match Condition table, click Add to add match criteria, or select the match condition you want to
modify, then click Edit. The Match Condition configuration screen appears.
Step 4
In the Sequence Number field, enter an integer from 2 to 255.
Step 5
In the Match Condition Type field, select Request Method Name as the match condition type for this
class map.
Step 6
In the Request Method Name field, select the FTP command to be inspected. Table 10-13 identifies the
FTP commands that can be inspected.
Table 10-13
FTP Commands for Inspection
FTP Command
Description
Appe
Append data to the end of the specified file on the remote host.
Cdup
Change to the parent of the current directory.
Dele
Delete the specified file.
Get
Copy the specified file from the remote host to the local system.
Help
List all available FTP commands.
Mkd
Create a directory using the specified path and directory name.
Put
Copy the specified file from the local system to the remote host.
Rmd
Remove the specified directory.
Rnfr
Rename a file, specifying the current file name. Used with rnto.
Rnto
Rename a file, specifying the new file name. Used with rnfr.
Site
Execute a site-specific command.
Stou
Store a file on the remote host and give it a unique name.
Syst
Query the remote host for operating system information.
Step 7
Click:
•
Deploy Now to deploy this configuration on the ACE appliance and to return to the Match Condition
table.
Note
If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if you
have not made changes. If you have not altered existing match conditions, click Cancel
instead of Deploy Now to ensure uninterrupted traffic.
•
Cancel to exit this procedure without saving your entries and to return to the Match Condition table.
•
Next to configure another match condition for this class map.
Related Topics
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
Setting Match Conditions for Layer 7 SIP Deep Packet Inspection Class Maps
Use this procedure to set match conditions for a SIP deep packet inspection class map.
Assumption
You have configured a SIP deep packet inspection class map and want to establish match criteria.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 2
In the Class Maps table, select the SIP deep packet inspection class map you want to set match conditions
for. The Match Condition table appears.
Step 3
In the Match Condition table, click Add to add match criteria, or select the match condition you want to
modify, then click Edit. The Match Condition configuration screen appears.
Step 4
In the Sequence Number field, enter an integer from 2 to 255.
Step 5
In the Match Condition Type field, select the match condition type for this class map and configure any
match-specific criteria as described in Table 10-14.
Table 10-14
Layer 7 SIP Deep Packet Inspection Class Map Match Conditions
Match Condition
Description
Called Party
The destination or called party in the URI of the SIP To header is used to establish a match
condition.
In the Called Party field, enter a regular expression that identifies the called party in the URI of
the SIP To header for this match condition. Valid entries are unquoted text strings with no spaces
and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching string expressions. Table 10-31 lists the supported characters that you can use for
matching string expressions.
Calling Party
The source or calling party in the URI of the SIP From header is used to establish a match
condition.
In the Calling Party field, enter a regular expression that identifies the calling party in the URI of
the SIP From header for this match condition. Valid entries are unquoted text strings with no spaces
and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching string expressions. Table 10-31 lists the supported characters that you can use for
matching string expressions.
IM Subscriber
An IM (instant messaging) subscriber is used to establish a match condition.
In the IM Subscriber field, enter a regular expression that identifies the IM subscriber for this
match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. The ACE supports regular expressions for matching string expressions.
Table 10-31 lists the supported characters that you can use for matching string expressions.
Message Path
A message coming from or transiting through certain SIP proxy servers is used to establish a match
condition.
In the Message Path field, enter a regular expression that identifies the SIP proxy server for this
match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. The ACE supports regular expressions for matching string expressions.
Table 10-31 lists the supported characters that you can use for matching string expressions.
SIP Content Length
The SIP message body length is used to establish a match condition.
1.
In the Content Operator field, confirm that Greater Than is selected.
2.
In the Content Length field, enter the maximum size of a SIP message body in bytes that the
ACE is to allow without performing SIP protocol inspection. If a SIP message exceeds the
specified value, the ACE performs SIP protocol inspection as defined in an associated policy
map. Valid entries are integers from 0 to 65534 bytes.
SIP Content Type
The content type in the SIP message body is used to establish a match condition.
In the Content Type field, enter a regular expression that identifies the content type in the SIP
message body to use for this match condition. Valid entries are unquoted text strings with no
spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching string expressions. Table 10-31 lists the supported characters that you can use for
matching string expressions.
SIP Request Method
A SIP request method is used to establish a match condition.
In the Request Method field, select the request method that is to be matched.
Third Party
A third party who is authorized to register other users on their behalf is used to establish a match
condition.
In the Third Party Registration Entities field, enter a regular expression that identifies a privileged
user authorized for third-party registrations for this match condition. Valid entries are unquoted
text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports
regular expressions for matching string expressions. Table 10-31 lists the supported characters that
you can use for matching string expressions.
URI Length
A SIP URI or user identifier is used to establish a match condition.
1.
In the URI Type field, select the type of URI to use:
– SIP URI—The calling party URI is used for this match condition.
– Tel URI—A telephone number is used for this match condition.
2.
In the URI Operator field, confirm that Greater Than is selected.
3.
In the URI Length field, enter the maximum length of the SIP URI or Tel URI in bytes. Valid
entries are integers from 0 to 254 bytes.
Step 6
Click:
•
Deploy Now to deploy this configuration on the ACE and to return to the Match Condition table.
Note
If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not
made changes. If you have not altered existing match conditions, click Cancel instead of
Deploy Now to ensure uninterrupted traffic.
•
Cancel to exit this procedure without saving your entries and to return to the Match Condition table.
•
Next to configure another match condition for this class map.
Related Topics
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
Configuring Virtual Context Policy Maps
Policy maps establish traffic policy for the ACE appliance. The purpose of a traffic policy is to
implement specific ACE appliance functions associated with a traffic class. A traffic policy contains:
•
A policy map name.
•
A previously created traffic class map or, optionally, the class-default class map.
•
One or more of the individual Layer 3/Layer 4 or Layer 7 policies that specify the actions to be
performed by the ACE appliance.
The ACE appliance executes actions specified in a policy map on a first-match, multi-match, or
all-match basis:
•
First-match—With a first-match policy map, the ACE appliance executes only the action specified
against the first classification that it matches. Layer 3/Layer 4 Management Traffic, Layer 7 Server
Load Balancing, Layer 7 Command Inspection - FTP, and Layer 7 HTTP Optimization policy maps
are first-match policy maps.
•
Multi-match—With a multi-match policy map, the ACE appliance executes all possible actions
applicable for a specific classification. Layer 3/Layer 4 Network Traffic policy maps are
multi-match policy maps.
•
All-match—With an all-match policy map, the ACE appliance attempts to match all specified
conditions against the matching classification and executes the actions of all matching classes until
it encounters a deny for a match request.
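To make the three execution models concrete, here is an added Python example (not Cisco ACE code) that applies one ordered rule list to a flow under first-match, multi-match and all-match semantics. The class names and flow descriptions are constructed for the example; class-default stands for the catch-all class map mentioned above and is listed last. The long-URL flow shows why the deep packet inspection policy maps are all-match: a first-match policy would execute the first permit and never reach the deny.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Rule:
    """One class map and the action configured for it inside a policy map."""
    class_name: str
    predicate: Callable[[dict], bool]  # the class map's match test over a flow description
    action: str                        # "permit", "deny" or any other action name


def first_match(rules: List[Rule], flow: dict) -> List[str]:
    """Execute only the action of the first class that matches."""
    for rule in rules:
        if rule.predicate(flow):
            return [rule.action]
    return []


def multi_match(rules: List[Rule], flow: dict) -> List[str]:
    """Execute every action whose class matches the flow."""
    return [rule.action for rule in rules if rule.predicate(flow)]


def all_match(rules: List[Rule], flow: dict) -> List[str]:
    """Execute the actions of all matching classes until a deny is encountered."""
    executed = []
    for rule in rules:
        if rule.predicate(flow):
            executed.append(rule.action)
            if rule.action == "deny":
                break
    return executed


# Constructed HTTP inspection policy map. Class names are hypothetical; class-default
# is the catch-all class map and is listed last because it matches every flow.
HTTP_INSPECT_RULES = [
    Rule("RFC_METHOD", lambda f: f["method"] in {"GET", "HEAD", "POST"}, "permit"),
    Rule("URL_TOO_LONG", lambda f: f["url_length"] > 255, "deny"),
    Rule("HTML_CONTENT", lambda f: f["mime_type"] == "text/html", "permit"),
    Rule("class-default", lambda f: True, "permit"),
]

# Constructed flow descriptions (not captured traffic).
SHORT_URL_FLOW = {"method": "GET", "url_length": 21, "mime_type": "text/html"}
LONG_URL_FLOW = {"method": "GET", "url_length": 4000, "mime_type": "text/html"}


def compare(flow: dict) -> dict:
    """Show what each policy-map type would execute for the same flow."""
    return {"first-match": first_match(HTTP_INSPECT_RULES, flow),
            "multi-match": multi_match(HTTP_INSPECT_RULES, flow),
            "all-match": all_match(HTTP_INSPECT_RULES, flow)}
```

`compare(LONG_URL_FLOW)` returns `["permit"]` for first-match, every action for multi-match, and `["permit", "deny"]` for all-match, which stops at the deny; the order in which classes are listed therefore matters for first-match and all-match but not for multi-match.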
You can view a context’s policy maps and their types in the Policy Maps table (Config > Virtual
Contexts > context > Expert > Policy Maps).
The types of policy maps that you can configure depend on the ACE device type. Table 10-15 lists the types of policy maps with brief descriptions and the ACE devices that support them.
Table 10-15 Policy Maps
Policy Map | Description | Related Topic
Layer 3/4 Management Traffic (First-Match) | Layer 3 and Layer 4 policy map for network management traffic received by the ACE | Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic, page 10-42
Layer 3/4 Network Traffic (Multi-Match) | Layer 3 and Layer 4 policy map for traffic passing through the ACE | Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic, page 10-36
Layer 7 Command Inspection - FTP (First-Match) | Layer 7 policy map for inspection of FTP commands | Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection, page 10-69
Layer 7 Deep Packet Inspection HTTP (All-Match) | Layer 7 policy map for inspection of HTTP packets | Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection, page 10-63
Layer 7 Deep Packet Inspection SIP (All-Match) | Layer 7 policy map for inspection of SIP packets | Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection, page 10-72
Layer 7 Deep Packet Inspection Skinny | Layer 7 policy map for inspection of Skinny Client Control Protocol (SCCP) | Setting Policy Map Rules and Actions for Layer 7 Skinny Deep Packet Inspection, page 10-74
Layer 7 HTTP Optimization (First-Match) | Layer 7 policy map for optimizing HTTP traffic | Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization, page 10-76
Layer 7 Server Load Balancing (First-Match) | Layer 7 policy map for HTTP server load balancing | Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 10-43
Server Load Balancing - Generic (First-Match) | Generic Layer 7 policy map for server load balancing | Setting Policy Map Rules and Actions for Generic Server Load Balancing, page 10-50
Server Load Balancing - RADIUS (First-Match) | Layer 7 policy map for RADIUS server load balancing | Setting Policy Map Rules and Actions for RADIUS Server Load Balancing, page 10-53
Server Load Balancing - RDP (First-Match) | Layer 7 policy map for RDP server load balancing | Setting Policy Map Rules and Actions for RDP Server Load Balancing, page 10-61
Server Load Balancing - RTSP (First-Match) | Layer 7 policy map for RTSP server load balancing | Setting Policy Map Rules and Actions for RTSP Server Load Balancing, page 10-55
Server Load Balancing - SIP (First-Match) | Layer 7 policy map for SIP server load balancing | Setting Policy Map Rules and Actions for SIP Server Load Balancing, page 10-58
Use this procedure to create a policy map for a virtual context.
Procedure
Step 1 Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2 Click Add to add a new policy map, or select an existing policy map, then click Edit to modify it.
Step 3 The Policy Map Name field contains an automatically incremented number for the policy map. Either leave the entry as it is or enter a different, unique number.
Step 4 In Type, select the type of policy map to create. See Table 10-15 for a list of policy maps.
Step 5 In the Description field, enter a brief description of the policy map.
Step 6 Click:
• Deploy Now to deploy this configuration on the ACE appliance. To define rules and actions for this policy map, see Configuring Rules and Actions for Policy Maps, page 10-35.
• Cancel to exit this procedure without saving your entries and to return to the Policy Maps table.
• Next to save your entries and to configure another policy map.
Related Topics
• Using Virtual Contexts, page 2-2
• Configuring Virtual Context Class Maps, page 10-8
• Configuring Real Servers, page 4-4
• Configuring Server Farms, page 4-11
• Configuring Sticky Groups, page 5-7
Configuring Rules and Actions for Policy Maps
Table 10-16 lists the policy maps and related topics for setting rules and actions.
Table 10-16 Topic Reference for Policy Map Rules and Actions
Policy Map Type | Topic for Setting Rules and Actions
Layer 3/4 Management Traffic (First-Match) | Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic, page 10-42
Layer 3/4 Network Traffic (First-Match) | Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic, page 10-36
Layer 7 Command Inspection - FTP (First-Match) | Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection, page 10-69
Layer 7 Deep Packet Inspection - HTTP (All-Match) | Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection, page 10-63
Layer 7 Deep Packet Inspection - SIP (All-Match) | Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection, page 10-72
Layer 7 Deep Packet Inspection - Skinny | Setting Policy Map Rules and Actions for Layer 7 Skinny Deep Packet Inspection, page 10-74
Layer 7 HTTP Optimization (First-Match) | Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection, page 10-72
Layer 7 Server Load Balancing (First-Match) | Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 10-43
Server Load Balancing - Generic (First-Match) | Setting Policy Map Rules and Actions for Generic Server Load Balancing, page 10-50
Server Load Balancing - RADIUS (First-Match) | Setting Policy Map Rules and Actions for RADIUS Server Load Balancing, page 10-53
Server Load Balancing - RDP (First-Match) | Setting Policy Map Rules and Actions for RDP Server Load Balancing, page 10-61
Server Load Balancing - RTSP (First-Match) | Setting Policy Map Rules and Actions for RTSP Server Load Balancing, page 10-55
Server Load Balancing - SIP (First-Match) | Setting Policy Map Rules and Actions for SIP Server Load Balancing, page 10-58
Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic
Use this procedure to configure the rules and actions for Layer 3/Layer 4 traffic other than network
management traffic.
Assumptions
• You have configured a Layer 3/Layer 4 policy map.
• A class map has been defined if you do not want to use the class-default class map.
Procedure
Step 1 Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2 In the Policy Maps table, select the Layer 3/Layer 4 network traffic policy map you want to set rules and actions for, then select the Rule tab.
Step 3 In the Rule table, click Add to add a new rule, or select the rule you want to modify, then click Edit. The Rule configuration screen appears.
Step 4 In the Type field, confirm that Class Map is selected.
Step 5 To use the class-default class map, check the Use Class Default check box.
Step 6 To use a previously created class map for this rule:
a. Clear the Use Class Default check box.
b. In the Class Map Name field, select the class map to be used.
c. In the Insert Before field, indicate whether this rule is to precede another rule in this policy map:
– N/A—Indicates that this option is not configured.
– False—Indicates that this rule is not to precede another rule in this policy map.
– True—Indicates that this rule is to precede another rule in this policy map.
d. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.
Step 7 Click:
• Deploy Now to deploy this configuration on the ACE appliance and to define actions for this rule (see Step 8).
• Cancel to exit this procedure without saving your entries and to return to the Policy Maps table.
• Next to save your entries and to configure another rule.
Note If you selected the Insert Before option in Step 6 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule.
When the screen refreshes, an empty action list appears.
Step 8 To add an action for this rule, click Add in the Action table, or select an existing action, then click Edit to modify it. The Action configuration screen appears.
Step 9 In the Id field, either accept the automatically incremented entry or assign a unique identifier for this action.
Step 10 In the Action Type field, select the type of action to be taken for this rule, then configure the related attributes. See Table 10-17.
Table 10-17 Layer 3/Layer 4 Network Traffic Policy Map Actions (Action: Description/Steps)
Appl-Parameter-DNS: A DNS parameter map containing DNS-related actions is to be implemented for this rule. In the Parameter Map field, specify the name of the DNS parameter map to use.
Appl-Parameter-Generic: A generic parameter map is to be implemented for this rule. In the Parameter Map field, specify the name of the generic parameter map to use.
Appl-Parameter-HTTP: An HTTP parameter map containing HTTP-related actions is to be implemented for this rule. In the Parameter Map field, specify the name of the HTTP parameter map to use.
Appl-Parameter-RTSP: An RTSP parameter map containing RTSP-related actions is to be implemented for this rule. In the Parameter Map field, specify the name of the RTSP parameter map to use.
Appl-Parameter-SIP: A SIP parameter map containing SIP-related actions is to be implemented for this rule. In the Parameter Map field, specify the name of the SIP parameter map to use.
Appl-Parameter-Skinny: A Skinny parameter map containing Skinny-related actions is to be implemented for this rule. In the Parameter Map field, specify the name of the Skinny parameter map to use.
Connection: A connection parameter map containing TCP/IP connection-related commands that pertain to normalization and termination is to be implemented for this rule. In the Connection Parameter Maps field, select the Connection parameter map that is to be used.
HTTP Optimize: In the HTTP Optimization Policy field, select the HTTP optimization policy map to use.
Inspect: Application inspection is to be implemented for this rule.
1. In the Inspect Type field, select the protocol that is to be inspected.
2. Provide any protocol-specific information. Table 10-18 describes the available options for application inspection actions.
NAT: The ACE is to implement network address translation (NAT) for this rule.
1. In the NAT Mode field, select the type of NAT to be used:
– Dynamic NAT—NAT is to translate local addresses to a pool of global addresses. Continue with Step 3.
– Static NAT—NAT is to translate each local address to a fixed global address. Continue with Step 2.
2. If you select Static NAT, do the following:
a. In the Static Mapped Address field, enter the IP address to use for static NAT translation. This entry establishes the globally unique IP address of a host as it appears to the outside world. The policy map performs the global IP address translation for the source IP address specified in the ACL (as part of the class-map traffic classification).
b. In the Static Mapped Netmask field, select the subnet mask to apply to the static mapped address.
c. In the NAT Protocol field, select the protocol to use for NAT:
- N/A—This attribute is not set.
- TCP—The ACE is to use TCP for NAT.
- UDP—The ACE is to use UDP for NAT.
d. In the Static Port field, enter the TCP or UDP port to use for static port redirection. Valid entries are integers from 0 to 65535.
e. In the VLAN Id field, select the VLAN to use for NAT.
3. If you select Dynamic NAT, do the following:
a. In the NAT Pool Id field, enter the number of the pool of IP addresses that exist under the VLAN specified in the VLAN Id field. Valid entries are integers from 1 to 2147483647. See Configuring VLAN Interface NAT Pools, page 8-17.
b. In the VLAN Id field, select the VLAN to use for NAT.
Note For dynamic NAT, ACE allows you to associate a non-configured NAT pool ID to the dynamic NAT action. However, the ANM will not discover the dynamic NAT action when the NAT pool ID is not configured. You must associate the configured NAT pool ID to the dynamic NAT action for ANM discovery to complete successfully.
Kal-ap-Primary-Out-of-Service: Enables the ACE to notify the Global Site Selector (GSS) that the primary server farm is down when the backup server farm is in use.
By default, when you configure a redirect server farm as a backup server farm on the ACE and the primary server farm fails, the backup server farm redirects the client requests to another data center. However, the VIP remains in the INSERVICE state.
When you configure the ACE to communicate with a Global Site Selector (GSS), it provides information for server availability. When a backup server is in use after the primary server farm is down, this feature enables the ACE to inform the GSS that the VIP for the primary server farm is out of service by returning a load value of 255. The GSS recognizes that the primary server farm is down and sends future DNS requests with the IP address of the other data center.
Policymap: The ACE is to associate a Layer 7 server load-balancing policy map with this Layer 3/Layer 4 policy map. In the Policy Map field, select the Layer 7 policy map to associate with this Layer 3/Layer 4 policy map.
SSL-Proxy: The ACE is to use an SSL proxy server service to define the SSL parameters the ACE is to use during the handshake and subsequent SSL session.
1. In the SSL Proxy field, select the SSL proxy server service to use in the handshake and subsequent SSL session when the ACE engages with an SSL client.
2. In the SSL Proxy Type field, confirm that Server is selected to indicate that the ACE is to be configured so that it is recognized as an SSL server.
UDP-Fast-Age: The ACE is to close the connection immediately after sending a response to the client, thereby enabling per-packet load balancing for UDP traffic.
VIP-ICMP-Reply: A VIP is to send an ICMP ECHO-REPLY response to ICMP requests.
1. In the Active field, click the checkbox to instruct the ACE to reply to an ICMP request only if the configured VIP is active. If the VIP is not active and the active option is specified, the ACE discards the ICMP request and the request times out.
2. In the Primary Inservice field, click the checkbox to instruct the ACE to reply to an ICMP ping only if the primary server farm state is UP, regardless of the state of the backup server farm. If this option is enabled and the primary server farm state is DOWN, the ACE discards the ICMP request and the request times out.
VIP-In-Service: A VIP is to be enabled for server load-balancing operations.
KAL-AP-TAG: The KAL-AP-TAG feature allows the Cisco Global Site Selector (GSS) proprietary KAL-AP protocol to extract load and availability information from the ACE when a firewall is positioned between the GSS and the ACE. This feature allows you to configure a tag (name) per VIP for a maximum of 4,096 tags on an ACE. This feature does not replace the tag per domain feature. For more information about this feature, see the Configuring Health Monitoring chapter in the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
Note The KAL-AP-TAG selection is not available for the class-default class map.
In the KAL-AP-Tag Name field, enter the name as an unquoted text string with no spaces and a maximum of 76 alphanumeric characters.
The following scenarios are not supported and will result in an error:
• You cannot configure a tag name for a VIP that already has a tag configuration as part of a different policy configuration.
• You cannot associate the same tag name with more than one VIP.
• You cannot associate the same tag name with a domain and a VIP.
• You cannot assign two different tags to two different Layer 3 class maps that have the same VIP, but different port numbers. The KAL-AP protocol considers these class maps to have the same VIP and calculates the load for both Layer 3 rules together when the GSS queries the VIP.
Cisco 4700 Series Application Control Engine Appliance Device Manager Configuration Guide
OL-23543-01
10-39
Chapter 10
Configuring Traffic Policies
Configuring Rules and Actions for Policy Maps
Table 10-18 Policy Map Application Inspection Options (Inspection Option: Description)
DNS: Indicates that Domain Name System (DNS) query inspection is to be implemented. DNS requires application inspection so that DNS queries will not be subject to the generic UDP handling based on activity timeouts. Instead, the UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received. The ACE appliance performs the reassembly of DNS packets to verify that the packet length is less than the configured maximum length.
In the DNS Max. Length field, enter the maximum length of a DNS reply in bytes. Valid entries are integers from 512 to 65535.
FTP: Indicates that FTP inspection is to be implemented. The ACE appliance inspects FTP packets, translates the address and port embedded in the payload, and opens up a secondary channel for data.
1. In the Parameter Map field, specify a previously created parameter map used to define parameters for FTP inspection.
2. In the FTP Strict field, indicate whether the ACE appliance is to check for protocol RFC compliance and prevent Web browsers from sending embedded commands in FTP requests:
– N/A—Indicates that this attribute is not set.
– False—Indicates that the ACE appliance is not to check for RFC compliance or prevent Web browsers from sending embedded commands in FTP requests.
– True—Indicates that the ACE appliance is to check for RFC compliance and prevent Web browsers from sending embedded commands in FTP requests.
3. If you select True, in the FTP Inspect Policy field, select the Layer 7 FTP command inspection policy to be implemented for this rule.
HTTP: Indicates that enhanced Hypertext Transfer Protocol (HTTP) inspection is to be performed on HTTP traffic. The inspection checks are based on configured parameters in an existing Layer 7 policy map and internal RFC compliance checks performed by the ACE appliance. By default, the ACE appliance allows all request methods.
1. In the HTTP Inspect Policy field, select the HTTP inspection policy map to be implemented for this rule. If you do not specify a Layer 7 policy map, the ACE appliance performs a general set of Layer 3 and Layer 4 protocol fixup actions and internal RFC compliance checks.
2. In the URL Logging field, indicate whether Layer 3 and Layer 4 traffic is to be monitored:
– N/A—Indicates that this attribute is not set.
– False—Indicates that Layer 3 and Layer 4 traffic is not to be monitored.
– True—Indicates that Layer 3 and Layer 4 traffic is to be monitored. When enabled, this function logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed.
ICMP: Indicates that Internet Control Message Protocol (ICMP) payload inspection is to be performed. ICMP inspection allows ICMP traffic to have a “session” so it can be inspected similarly to TCP and UDP traffic.
In the ICMP Error field, indicate whether the ACE appliance is to perform network address translation on ICMP error messages:
• N/A—Indicates that this attribute is not set.
• False—Indicates that the ACE appliance is not to perform NAT on ICMP error messages.
• True—Indicates that the ACE appliance is to perform NAT on ICMP error messages. When enabled, the ACE appliance creates translation sessions for intermediate or endpoint nodes that send ICMP error messages based on the NAT configuration. The ACE appliance overwrites the packet with the translated IP addresses.
ILS: Internet Locator Service (ILS) protocol inspection is to be implemented.
RTSP: Indicates that Real Time Streaming Protocol (RTSP) packet inspection is to be implemented. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. The ACE appliance monitors Setup and Response (200 OK) messages in the control channel established using TCP port 554 (no UDP support).
SIP: SIP protocol inspection is implemented. SIP is used for call handling sessions and instant messaging. The ACE inspects signaling messages for media connection addresses, media ports, and embryonic connections. The ACE also uses NAT to translate IP addresses that are embedded in the user-data portion of the packet.
1. In the Parameter Map field, specify a previously created parameter map used to define parameters for SIP inspection.
2. In the SIP Inspect Policy field, select a previously created Layer 7 SIP inspection policy map to implement packet inspection of Layer 7 SIP application traffic. If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC compliance checks.
Skinny: Cisco Skinny Client Control Protocol (SCCP) protocol inspection is implemented. The SCCP is a Cisco proprietary protocol that is used between Cisco CallManager and Cisco VoIP phones. The ACE uses NAT to translate embedded IP addresses and port numbers in SCCP packet data.
1. In the Parameter Map field, specify a previously created connection parameter map used to define parameters for Skinny inspection.
2. In the Skinny Inspect Policy field, select a previously created Layer 7 Skinny inspection policy map to implement packet inspection of Layer 7 Skinny application traffic. If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC compliance checks.
Step 11 Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Action table.
• Next to save your entries and to configure another Action.
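A pre-deployment check of the KAL-AP-TAG constraints listed in Table 10-17, as an added example that is not Cisco code: the Assignment record, the two sample configurations and the violation texts are constructed for it, and the tag-name check implements only the no-spaces and 76-character limits stated in the table.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

MAX_TAGS = 4096      # maximum KAL-AP tags on one ACE (Table 10-17)
MAX_TAG_LEN = 76     # maximum tag name length (Table 10-17)
# Unquoted text string with no spaces, 1 to MAX_TAG_LEN characters.
TAG_NAME = re.compile(r"^\S{1,%d}$" % MAX_TAG_LEN)


@dataclass(frozen=True)
class Assignment:
    """One KAL-AP-TAG action: a tag attached to the VIP of a Layer 3 class
    map inside a policy map. All field values used below are constructed."""
    policy_map: str
    class_map: str
    vip_ip: str
    vip_port: int
    tag: str


def validate_kalap_tags(assignments: List[Assignment],
                        domain_tags: Set[str]) -> List[str]:
    """Return the constraint violations (empty when the set is consistent)."""
    errors: List[str] = []
    tags_by_vip: Dict[str, Set[str]] = defaultdict(set)
    policies_by_vip: Dict[str, Set[str]] = defaultdict(set)
    vips_by_tag: Dict[str, Set[str]] = defaultdict(set)

    for a in assignments:
        if a.class_map == "class-default":
            errors.append(f"{a.policy_map}: KAL-AP-TAG is not available for class-default")
        if not TAG_NAME.match(a.tag):
            errors.append(f"{a.tag!r}: tag must be 1-{MAX_TAG_LEN} characters with no spaces")
        if a.tag in domain_tags:
            errors.append(f"{a.tag}: tag is already associated with a domain")
        # KAL-AP keys on the VIP address alone, so the port is left out here.
        tags_by_vip[a.vip_ip].add(a.tag)
        policies_by_vip[a.vip_ip].add(a.policy_map)
        vips_by_tag[a.tag].add(a.vip_ip)

    for vip, policies in sorted(policies_by_vip.items()):
        if len(policies) > 1:
            errors.append(f"{vip}: VIP already tagged in a different policy")
    for vip, tags in sorted(tags_by_vip.items()):
        if len(tags) > 1:
            errors.append(f"{vip}: different tags for the same VIP on different ports")
    for tag, vips in sorted(vips_by_tag.items()):
        if len(vips) > 1:
            errors.append(f"{tag}: tag associated with more than one VIP")
    if len(vips_by_tag) > MAX_TAGS:
        errors.append(f"{len(vips_by_tag)} tags configured, maximum is {MAX_TAGS}")
    return errors


# Constructed configurations: one consistent, one breaking several rules.
DOMAIN_TAGS = {"example.com"}
GOOD = [
    Assignment("L4-POLICY", "VIP-WEB-80", "10.1.1.100", 80, "web"),
    Assignment("L4-POLICY", "VIP-WEB-443", "10.1.1.100", 443, "web"),
    Assignment("L4-POLICY", "VIP-MAIL", "10.1.1.101", 25, "mail"),
]
BAD = [
    Assignment("L4-POLICY", "VIP-WEB-80", "10.1.1.100", 80, "web"),
    Assignment("L4-POLICY", "VIP-WEB-443", "10.1.1.100", 443, "web-ssl"),
    Assignment("L4-OTHER", "VIP-WEB-8080", "10.1.1.100", 8080, "web"),
    Assignment("L4-POLICY", "VIP-MAIL", "10.1.1.101", 25, "web"),
    Assignment("L4-POLICY", "class-default", "10.1.1.102", 80, "dns tag"),
    Assignment("L4-POLICY", "VIP-DNS", "10.1.1.103", 53, "example.com"),
]


def check_good() -> List[str]:
    return validate_kalap_tags(GOOD, DOMAIN_TAGS)


def check_bad() -> List[str]:
    return validate_kalap_tags(BAD, DOMAIN_TAGS)


if __name__ == "__main__":
    print("consistent set:", check_good() or "no violations")
    for err in check_bad():
        print("violation:", err)
```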
Related Topics
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Context Class Maps, page 10-8
• Configuring Virtual Context Policy Maps, page 10-33
• Configuring Rules and Actions for Policy Maps, page 10-35
Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic
Use this procedure to configure the rules and actions for IP management traffic received by the ACE
appliance.
Assumptions
• A network management policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class map.
Procedure
Step 1 Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2 In the Policy Maps table, select the Layer 3/Layer 4 management traffic policy map you want to set rules and actions for, then select the Rule tab. The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or select the rule you want to modify, then click Edit. The Rule screen appears.
Step 4 In the Type field, confirm that Class Map is selected.
Step 5 To use the class-default class map, check the Use Class Default check box.
Step 6 To use a previously created class map for this rule:
a. Clear the Use Class Default check box.
b. In the Class Map Name field, select the class map to be used.
c. In the Insert Before field, indicate whether this rule is to precede another rule in this policy map.
– N/A—Indicates that this option is not configured.
– False—Indicates that this rule is not to precede another rule in this policy map.
– True—Indicates that this rule is to precede another rule in this policy map.
d. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.
Step 7 Click:
• Deploy Now to deploy this configuration on the ACE appliance. The Action table appears below the Rule table. To define actions for this rule, continue with Step 8.
• Cancel to exit this procedure without saving your entries and to return to the Policy Maps table.
• Next to save your entries and to configure another rule.
Note If you selected the Insert Before option in Step 6 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule.
When the screen refreshes, an empty action list appears.
Step 8 To add an action for this rule, click Add in the Action table, or select an existing action, then click Edit to modify it. The Action configuration screen appears.
Step 9 In the Action configuration screen:
a. In the Id field, either accept the automatically incremented entry or assign a unique identifier for this action.
b. In the Action Type field, select Mgmt-permit to indicate that this action permits or denies network management traffic.
c. In the Action field, specify the action that is to occur:
– Deny—Indicates that the ACE appliance is to deny network management traffic when this rule is met.
– Permit—Indicates that the ACE appliance is to accept network management traffic when this rule is met.
Step 10 Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries and to return to the Action table.
• Next to save your entries and to configure another action.
Related Topics
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Context Class Maps, page 10-8
• Configuring Virtual Context Policy Maps, page 10-33
• Configuring Rules and Actions for Policy Maps, page 10-35
Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic
Use this procedure to set rules and actions for Layer 7 server load-balancing policy maps.
Assumptions
• You have configured a load-balancing policy map and want to establish the corresponding rules and actions.
• If you want to configure an SSL proxy action, you have configured SSL proxy service for this context.
• If you want to insert, rewrite, and delete HTTP headers, ensure that an HTTP header modify action list has been configured. See Configuring an HTTP Header Modify Action List, page 10-80 for more information.
Procedure
Step 1 Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2 In the Policy Maps table, select the load-balancing policy map you want to set rules and actions for, then select the Rule tab. The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or select an existing rule, then click Edit to modify it. The Rule configuration screen appears.
Step 4 Select the type of rule to be used:
• Class Map—Indicates that the ACE appliance is to use an existing class map that identifies the rules and corresponding actions. If you select this rule type, continue with Step 5.
• Match Condition—Indicates that the ACE appliance is to use a set of conditions to identify the rules and corresponding actions. If you select this rule type, continue with Step 6.
Step 5 If you select Class Map, either check the Use Class Default check box to use a default class map or specify a previously created class map:
a. Clear the Use Class Default check box.
b. In the Class Map Name field, select the class map to be used.
c. In the Insert Before field, indicate whether this rule is to precede another rule in this policy map.
– N/A—Indicates that this option is not configured.
– False—Indicates that this rule is not to precede another rule in this policy map.
– True—Indicates that this rule is to precede another rule in this policy map.
d. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.
Step 6 For match conditions:
a. In the Match Condition Name field, enter a name for the match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
b. In the Match Condition Type field, select the method by which match decisions are to be made and their corresponding conditions. See Table 10-19 for information about these selections.
Policy Match Condition Types
Match Condition
Description
HTTP Content
Specific content contained within the HTTP entity-body is used to establish a match condition.
1.
In the Content Expression field, enter the content that is to be matched. Valid entries are
alphanumeric strings from 1 to 255 characters.
2.
In the Content Offset (Bytes) field, enter the number of bytes to be ignored starting with the
first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and
the body of the message. Valid entries are integers from 1 to 4000.
Cisco 4700 Series Application Control Engine Appliance Device Manager Configuration Guide
10-44
OL-23543-01
Chapter 10
Configuring Traffic Policies
Configuring Rules and Actions for Policy Maps
Match Condition: HTTP Cookie
Description: Indicates that HTTP cookies are to be used for this rule. If you select this method:
1. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
2. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching string expressions. Table 10-31 lists the supported characters that you can use for matching string expressions.

Match Condition: HTTP Header
Description: Indicates that the HTTP header and a corresponding value are to be used for this rule. If you select this method:
1. In the Header Name field, enter the name of the generic field in the HTTP header. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
2. In the Header Value (Bytes) field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. To include spaces, enclose the entire string in quotes. All headers in the header map must be matched. See Table 10-31 for a list of the supported characters that you can use in regular expressions.

Match Condition: HTTP URL
Description: Indicates that this rule is to perform regular expression matching against the received packet data from a particular connection based on the HTTP URL string. If you select this method:
1. In the URL Expression field, enter a URL, or portion of a URL, to match. Valid entries are URL strings from 1 to 255 alphanumeric characters. Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE appliance supports regular expressions for matching URL strings. See Table 10-31 for a list of the supported characters that you can use in regular expressions.
2. In the Method Expression field, enter the HTTP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE).

Match Condition: Source Address
Description: Indicates that this rule is to use a client source IP address to establish match conditions. If you select this method:
1. In the Source IP Address field, enter the source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.2).
2. In the Source Netmask field, enter the subnet mask of the IP address. Enter the netmask in dotted-decimal notation (for example, 255.255.255.0). The default is 255.255.255.255.
Match Condition: SSL
Description: Defines load balancing decisions based on the specific SSL cipher or cipher strength. This enables the ACE to load balance client traffic to different server farms based on the SSL encryption level negotiated with the ACE during SSL termination. If you select this method:
1. In the SSL Cipher Match Type field, select the match type. Options include:
– Equal To—Specifies an SSL cipher for the load balancing decision.
– Less Than—Specifies SSL cipher strength for the load balancing decision.
2. If you selected Equal To, in the Cipher Name field specify an SSL cipher for the load balancing decision. The possible values include:
– RSA_EXPORT1024_WITH_DES_CBC_SHA
– RSA_EXPORT1024_WITH_RC4_56_MD5
– RSA_EXPORT1024_WITH_RC4_56_SHA
– RSA_EXPORT_WITH_DES40_CBC_SHA
– RSA_EXPORT_WITH_RC4_40_MD5
– RSA_WITH_3DES_EDE_CBC_SHA
– RSA_WITH_AES_128_CBC_SHA
– RSA_WITH_AES_256_CBC_SHA
– RSA_WITH_DES_CBC_SHA
– RSA_WITH_RC4_128_MD5
– RSA_WITH_RC4_128_SHA
3. If you selected Less Than, in the Specify Minimum Cipher Strength field specify a non-inclusive minimum SSL cipher bit strength. For example, if you specify a cipher strength value of 128, any SSL cipher weaker than 128 bits would hit the traffic policy. If the SSL cipher was 128-bit or greater, the connection would miss the policy. The possible values include:
– 56—56-bit strength
– 128—128-bit strength
– 168—168-bit strength
– 256—256-bit strength
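The following Python is an added illustration of three of the Table 10-19 match semantics (HTTP URL matched on the portion after the host, Source Address under a netmask, and the SSL Less Than check with its non-inclusive threshold); it is not part of this guide or of the ACE software. The function names and the CIPHER_STRENGTH table are assumptions, the strengths being derived from each listed suite's symmetric key length rather than taken from the guide.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed symmetric key strength (bits) for the cipher names listed in
# Table 10-19. Derived from each suite's cipher, not taken from the guide;
# the ACE's own internal classification may differ.
CIPHER_STRENGTH = {
    "RSA_EXPORT1024_WITH_DES_CBC_SHA": 56,
    "RSA_EXPORT1024_WITH_RC4_56_MD5": 56,
    "RSA_EXPORT1024_WITH_RC4_56_SHA": 56,
    "RSA_EXPORT_WITH_DES40_CBC_SHA": 40,
    "RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "RSA_WITH_3DES_EDE_CBC_SHA": 168,
    "RSA_WITH_AES_128_CBC_SHA": 128,
    "RSA_WITH_AES_256_CBC_SHA": 256,
    "RSA_WITH_DES_CBC_SHA": 56,
    "RSA_WITH_RC4_128_MD5": 128,
    "RSA_WITH_RC4_128_SHA": 128,
}


def ssl_cipher_matches(match_type, value, negotiated_cipher):
    """Evaluate the SSL match condition of Table 10-19.

    "Equal To": value is a cipher name; the negotiated suite must equal it.
    "Less Than": value is the non-inclusive minimum strength. A negotiated
    cipher strictly weaker than value hits the rule; a cipher of exactly
    that strength, or stronger, misses it. An unknown suite never hits.
    """
    if match_type == "Equal To":
        return negotiated_cipher == value
    if match_type == "Less Than":
        strength = CIPHER_STRENGTH.get(negotiated_cipher)
        return strength is not None and strength < int(value)
    raise ValueError("unknown SSL Cipher Match Type: %r" % match_type)


def source_address_matches(source_ip, netmask, client_ip):
    """Source Address condition: the client address is compared with
    source_ip under the dotted-decimal netmask. The guide's default of
    255.255.255.255 makes this an exact single-host match."""
    network = ipaddress.IPv4Network((source_ip, netmask), strict=False)
    return ipaddress.IPv4Address(client_ip) in network


def http_url_matches(url_expression, request_line):
    """HTTP URL condition. The guide says the expression covers only the
    portion of the URL after www.hostname.domain, so an absolute-form
    request target is reduced to its path (and query) before the regular
    expression search."""
    _method, target, _version = request_line.split(" ", 2)
    if target.startswith("http://") or target.startswith("https://"):
        parts = urlsplit(target)
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
    return re.search(url_expression, target) is not None
```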
Step 7
For specific class maps and match conditions, in the Insert Before field, indicate whether this rule is to precede another defined policy rule:
• N/A—Indicates that this option is not applicable.
• False—Indicates that this rule is not to precede another defined policy rule.
• True—Indicates that this rule is to precede another policy rule.
If you select True, in the Insert Before Policy Rule field, select the policy rule that this rule is to precede.
Step 8
Click:
• Deploy Now to deploy the configuration on the ACE appliance. The Action table appears below the Rule table. To define the actions for this rule, continue with Step 9.
• Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Next to save your entries and to configure another rule.
Note
If you selected the Insert Before option in Step 7 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule.
When the screen refreshes, an empty action list appears.
Step 9
In the Action table, click Add to add a new action for this rule, or select an existing action, then click Edit to modify it.
Step 10
In the Id field, either accept the automatically incremented entry or assign a unique identifier for this action.
Step 11
In the Action tab in the Action Type field, select the action to be taken and configure any action-specific attributes as described in Table 10-20.
Table 10-20 Policy Map Actions for Load Balancing

Action: Action
Description: Indicates that the ACE appliance is to use an HTTP header modify action list to insert, rewrite, or delete HTTP headers. It can also be used to configure the SSL URL rewrite function.
The Action List drop-down list appears, listing the configured HTTP header modify action lists (see the “Configuring an HTTP Header Modify Action List” section on page 10-80). Make a selection from this list.
If necessary, click Add to add a new HTTP header modify action list, or select an existing action list, then click Edit to modify it.

Action: Compress
Description: Indicates that the ACE appliance is to compress packets that match this policy map. This option is available only when you associate an HTTP-type class map with a policy map.
In the Compress Method field, specify the method that the ACE appliance is to use to compress packets:
• Deflate—Indicates that the ACE appliance is to use the DEFLATE compression method when the client browser supports both the DEFLATE and GZIP compression methods.
• Gzip—Indicates that the ACE appliance is to use the GZIP compression method when the client browser supports both the DEFLATE and GZIP compression methods. This is the default setting.

Action: Drop
Description: Indicates that the ACE appliance is to discard packets that match this policy map.
In the Action Log field, specify whether the dropped packets are to be logged in the software.
• N/A—This option is not configured.
• False—Dropped packets are not to be logged in the software.
• True—Dropped packets are to be logged in the software.

Action: Forward
Description: Indicates that the ACE appliance is to forward requests that match this policy map without load balancing the requests.

Action: Insert-HTTP
Description: Indicates that the ACE appliance is to insert an HTTP header for Layer 7 load balancing for requests that match this policy map. This option allows the ACE appliance to identify a client whose IP address has been translated using NAT by inserting a generic header and string value in the client HTTP request.
1. In the HTTP Header Name field, enter the name of the generic field in the HTTP header. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
2. In the HTTP Header Value field, enter the value to be inserted into the HTTP header. Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. To include spaces, enclose the entire string in quotes. All headers in the header map must be matched. See Table 10-31 for a list of the supported characters that you can use in regular expressions.
Action: Reverse Sticky
Description: Reverse IP stickiness is an enhancement to regular stickiness and is used mainly in firewall load balancing (FWLB). It ensures that multiple distinct connections that are opened by hosts at both ends (client and server) are load-balanced and stuck to the same firewall. Reverse stickiness applies to such protocols as FTP, RTSP, SIP, and so on where there are separate control channels and data channels opened by the client and the server, respectively. For complete details about reverse stickiness, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
In the Sticky Group field, choose the name of an existing IP netmask sticky group that you want to associate with reverse IP stickiness.

Action: Server Farm
Description: Indicates that the ACE appliance is to load balance client requests for content to a server farm.
1. In the Server Farm field, select the server farm to which requests for content are to be sent.
2. In the Backup Server Farm field, select the backup server farm to which requests for content are to be sent. Leave this field blank to indicate that no backup server farm is to be used.
3. Check the Sticky Enabled check box to indicate that the sticky group associated with this policy and applied to the primary server farm is applied to the backup server farm. Clear the Sticky Enabled check box to indicate that the sticky group associated with this policy and applied to the primary server farm in that policy is not applied to the backup server farm.
4. Check the Aggregate State Enabled check box to indicate that the operational state of the backup server farm is taken into consideration when evaluating the state of the load-balancing class in a policy map. Clear this check box to indicate that the operational state of the backup server farm is not taken into consideration when evaluating the state of the load-balancing class in a policy map.

Action: Server Farm-NAT
Description: The ACE is to apply dynamic NAT to traffic for this policy map.
1. In the NAT Pool ID field, enter the number of the pool of IP addresses that exist under the VLAN specified in the VLAN Id field. Valid entries are integers from 1 to 2147483647. For information on configuring NAT pools, see Configuring VLAN Interface NAT Pools, page 8-17.
2. In the VLAN ID field, select the VLAN to use for NAT. Valid entries are integers from 2 to 4094.
3. In the Server Farm Type field, indicate whether the server farm is a backup or primary server farm.

Action: Set-IP-TOS
Description: The ACE is to set the IP Differentiated Services Code Point (DSCP) bit in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings.
In the IP TOS Rewrite Value (Bytes) field, enter the IP DSCP value. Valid entries are integers from 0 to 255.
Action: SSL-Proxy
Description: Indicates that the ACE appliance is to use an SSL proxy client service to define the SSL parameters the ACE appliance is to use during the handshake and subsequent SSL session.
1. In the SSL Proxy field, select the SSL proxy server service to be used for this action.
2. In the SSL Proxy Type field, select Client to indicate that the ACE appliance is to be configured so that it is recognized as an SSL client.

Action: Sticky-Server Farm
Description: Indicates that requests matching this policy map are to be load balanced to a sticky server farm.
In the Sticky Group field, select the sticky server farm that is to be used for requests that match this policy map.

Step 12
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries and to return to the Action table.
• Next to save your entries and to configure another action.
Related Topics
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Context Class Maps, page 10-8
• Configuring Virtual Context Policy Maps, page 10-33
• Configuring Rules and Actions for Policy Maps, page 10-35
Setting Policy Map Rules and Actions for Generic Server Load Balancing
Use this procedure to configure the rules and actions for generic traffic received by the ACE.
Assumptions
• A generic traffic policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2
In the Policy Maps table, select the generic traffic policy map you want to set rules and actions for. The Rule table appears.
Step 3
In the Rule table, click Add to add a new rule, or select the rule you want to modify, then click Edit. The Rule screen appears.
Step 4
In the Type field, configure rules using the information in Table 10-21.
Table 10-21 Generic Server Load Balancing Policy Map Rules

Option: Class Map
Description: A class map is used for this traffic policy.
1. To use the class-default class map, check the Use Class Default check box.
The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic.
2. To use a previously created class map:
a. Clear the Use Class Default check box.
b. In the Class Map Name field, select the class map to be used.

Option: Match Condition
Description: A match condition is used for this traffic policy.
Match Condition Name: Enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Match Condition Type:
Layer 4 Payload: Layer 4 payload data is used for the network matching criteria.
1. In the Layer 4 Payload RegexMatch Condition field, enter a Layer 4 payload expression that is contained within the TCP or UDP entity body. Valid entries are strings containing 1 to 255 alphanumeric characters. Table 10-31 lists the supported characters that you can use for matching string expressions.
2. In the Layer 4 Payload Offset field, enter the absolute offset in the data where the Layer 4 payload expression search string starts. The offset starts at the first byte of the TCP or UDP body. Valid entries are integers from 0 to 999.
Source Address: A client source host IP address and subnet mask are used for the network traffic matching criteria.
1. In the Source IP Address field, enter the source IP address of the client in dotted-decimal notation.
2. In the Source Netmask field, select the subnet mask for the source IP address.

Option: Insert Before
Description:
1. Indicate whether this rule is to precede another rule for this policy map.
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map.
2. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.
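As an added example covering the HTTP Content condition of Table 10-19 and the Layer 4 Payload condition of Table 10-21 (not code from this guide or from the ACE), this Python shows where each offset is counted from and why a body shorter than the offset cannot match. The function names and the sample messages are constructed for illustration.

```python
import re

# Constructed sample HTTP request (not captured from a real deployment).
# The body starts after the empty line that ends the headers.
HTTP_MESSAGE = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: www.anydomain.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b"user=alice&action=transfer"
)

# Constructed sample TCP body for a non-HTTP protocol: 4 bytes of a
# made-up binary header followed by a text banner.
L4_PAYLOAD = b"\x00\x1a\x00\x01CLIENTHELLO app=billing;ver=2"


def http_content_matches(content_expression, content_offset, message):
    """HTTP Content condition (Table 10-19).

    The search begins content_offset bytes past the first byte of the
    entity body, i.e. after the CR,LF,CR,LF that ends the headers. The
    guide allows offsets of 1 to 4000. A message with no body, or a body
    no longer than the offset, cannot match.
    """
    if not 1 <= content_offset <= 4000:
        raise ValueError("Content Offset (Bytes) must be 1..4000")
    header_end = message.find(b"\r\n\r\n")
    if header_end < 0:
        return False                      # headers never terminated
    body = message[header_end + 4:]
    if content_offset >= len(body):
        return False                      # nothing left to search
    return re.search(content_expression, body[content_offset:]) is not None


def layer4_payload_matches(payload_expression, payload_offset, payload):
    """Layer 4 Payload condition (Table 10-21).

    The offset is absolute from the first byte of the TCP or UDP body
    (0 to 999 in the guide); no header parsing takes place, so binary
    protocols are handled the same way as text ones.
    """
    if not 0 <= payload_offset <= 999:
        raise ValueError("Layer 4 Payload Offset must be 0..999")
    if payload_offset >= len(payload):
        return False
    return re.search(payload_expression, payload[payload_offset:]) is not None
```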
Step 5
Click:
• Deploy Now to deploy this configuration. The screen refreshes and the Action table appears. Continue with Step 6.
• Cancel to exit this procedure without saving your entries and to return to the Rule table.
Note
If you selected the Insert Before option and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule.
When the screen refreshes, an empty action list appears.
Step 6
In the Action table, click Add to add an entry or select an existing entry to modify, then click Edit.
Step 7
In the Id field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 8
In the Action Type field, configure actions for this rule using the information in Table 10-22.

Table 10-22 Generic Server Load Balancing Policy Map Actions

Action: Drop
Description: The ACE is to discard packets that match this policy map.
In the Action Log field, specify whether the dropped packets are to be logged in the software.

Action: Forward
Description: The ACE is to forward the traffic that matches this policy map to its destination.

Action: Reverse Sticky
Description: Reverse IP stickiness is an enhancement to regular stickiness and is used mainly in FWLB. It ensures that multiple distinct connections that are opened by hosts at both ends (client and server) are load-balanced and stuck to the same firewall. Reverse stickiness applies to such protocols as FTP, RTSP, SIP, and so on where there are separate control channels and data channels opened by the client and the server, respectively. For complete details about reverse stickiness, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
In the Sticky Group field, choose an existing IP netmask sticky group that you want to associate with reverse IP stickiness.

Action: Server Farm
Description: The ACE is to load balance client requests for content to a server farm.
1. In the Server Farm field, select the server farm for this policy map action.
2. In the Backup Server Farm field, select the backup server farm for this action.
3. Check the Sticky Enabled check box to indicate that the backup server farm is sticky. Clear this check box if the backup server farm is not sticky.
4. Check the Aggregate State Enabled check box to indicate that the operational state of the backup server farm is taken into consideration when evaluating the state of the load-balancing class in a policy map. Clear this check box to indicate that the operational state of the backup server farm is not taken into consideration when evaluating the state of the load-balancing class in a policy map.
Action: Server Farm-NAT
Description: The ACE is to apply dynamic NAT to traffic for this policy map.
1. In the NAT Pool ID field, enter the number of the pool of IP addresses that exist under the VLAN specified in the VLAN Id field. Valid entries are integers from 1 to 2147483647. For information on configuring NAT pools, see Configuring VLAN Interface NAT Pools, page 8-17.
2. In the VLAN ID field, select the VLAN to use for NAT. Valid entries are integers from 2 to 4094.
3. In the Server Farm Type field, indicate whether the server farm is a backup or primary server farm.

Action: Set-IP-TOS
Description: The ACE is to set the IP Differentiated Services Code Point (DSCP) bit in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings.
In the IP TOS Rewrite Value (Bytes) field, enter the IP DSCP value. Valid entries are integers from 0 to 255.

Action: Sticky Group
Description: Sticky group that you want to associate with reverse stickiness.

Action: Sticky-Server Farm
Description: The ACE is to load balance client requests for content to a sticky server farm.
In the Sticky Group field, select the sticky server farm that is to be used for requests that match this policy map.

Step 9
Click:
• Deploy Now to deploy this configuration on the ACE.
• Cancel to exit the procedure without saving your entries and to return to the Action table.
• Next to deploy your entries and to configure another action.
Related Topics
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Context Class Maps, page 10-8
• Configuring Virtual Context Policy Maps, page 10-33
• Configuring Rules and Actions for Policy Maps, page 10-35
Setting Policy Map Rules and Actions for RADIUS Server Load Balancing
Use this procedure to configure the rules and actions for RADIUS traffic received by the ACE.
Assumptions
• A RADIUS server load balancing traffic policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2
In the Policy Maps table, select the RADIUS server load balancing policy map you want to set rules and actions for. The Rule table appears.
Step 3
In the Rule table, click Add to add a new rule, or select the rule you want to modify, then click Edit. The Rule screen appears.
Step 4
In the Type field, configure rules using the information in Table 10-23.

Table 10-23 RADIUS Server Load Balancing Policy Map Rules

Option: Class Map
Description: Specify a class map to use for this traffic policy:
1. To use the class-default class map, check the Use Class Default check box.
The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic.
2. To use a previously created class map:
a. Clear the Use Class Default check box.
b. In the Class Map Name field, select the class map to be used.

Option: Match Condition
Description: Specify a match condition to use for this traffic policy:
1. In the Match Condition Name field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
2. In the Match Condition Type field, select the type of match condition to use for this policy map:
– Calling Station ID—A unique identifier of the calling station is used to establish a match condition. In the RADIUS Calling Station ID field, enter the calling station identifier to match. Valid entries are strings containing 1 to 64 alphanumeric characters. See Table 10-31 for a list of the supported characters that you can use for matching string expressions.
– User Name—A username is used to establish a match condition. In the User Name field, enter the name to match. Valid entries are strings containing 1 to 64 alphanumeric characters. See Table 10-31 for a list of the supported characters that you can use for matching string expressions.

Option: Insert Before
Description:
1. Indicate whether this rule is to precede another rule for this policy map.
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map.
2. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.
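To show what the Calling Station ID and User Name conditions of Table 10-23 are matched against on the wire, here is an added Python example (not part of this guide or of the ACE software) that extracts the RFC 2865 User-Name (type 1) and Calling-Station-Id (type 31) attributes from a constructed Access-Request with bounds-checked parsing and then applies the match expression. The function names and the sample packet are assumptions made for illustration.

```python
import re
import struct

RADIUS_USER_NAME = 1            # RFC 2865 attribute type numbers
RADIUS_CALLING_STATION_ID = 31
ACCESS_REQUEST = 1              # RFC 2865 packet code


def build_access_request(attributes):
    """Build a constructed RADIUS Access-Request for testing.

    The Request Authenticator is zeroed, so this is sample input only
    and would not be accepted by a real RADIUS server."""
    body = b""
    for attr_type, value in attributes:
        body += struct.pack("!BB", attr_type, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body))
    return header + b"\x00" * 16 + body


def parse_radius_attributes(packet):
    """Return {attribute type: [values]} from a RADIUS packet.

    Every length is checked against the packet before it is used, so a
    malformed or truncated attribute raises instead of reading past the
    buffer or looping on a zero-length attribute."""
    if len(packet) < 20:
        raise ValueError("RADIUS header too short")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field inconsistent with packet")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of range")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def radius_rule_matches(match_type, expression, packet):
    """Evaluate a Table 10-23 match condition against one packet.

    match_type is "Calling Station ID" or "User Name"; expression is the
    string entered in the corresponding field, treated here as a regular
    expression as the guide's reference to Table 10-31 implies. A packet
    may carry the attribute more than once; any occurrence may match."""
    attr_type = {"Calling Station ID": RADIUS_CALLING_STATION_ID,
                 "User Name": RADIUS_USER_NAME}[match_type]
    for value in parse_radius_attributes(packet).get(attr_type, []):
        if re.search(expression, value.decode("utf-8", "replace")):
            return True
    return False


# Constructed sample: user alice calling from one specific station.
SAMPLE_REQUEST = build_access_request([
    (RADIUS_USER_NAME, b"alice@example.com"),
    (RADIUS_CALLING_STATION_ID, b"00-11-22-33-44-55"),
])
```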
Step 5
Click:
• Deploy Now to deploy this configuration. The screen refreshes and the Action table appears. To enter actions for this rule, continue with Step 6.
• Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Next to deploy your entries and to configure another rule.
Note
If you selected the Insert Before option and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule.
When the screen refreshes, an empty action list appears.
Step 6
In the Action table, click Add to add an entry or select an existing entry to modify, then click Edit.
Step 7
In the Id field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 8
In the Action Type field, configure actions for this rule using the information in Table 10-22.
Step 9
Click:
• Deploy Now to deploy this configuration on the ACE.
• Cancel to exit the procedure without saving your entries and to return to the Action table.
• Next to deploy your entries and to configure another action.
Related Topics
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Context Class Maps, page 10-8
• Configuring Virtual Context Policy Maps, page 10-33
• Configuring Rules and Actions for Policy Maps, page 10-35
Setting Policy Map Rules and Actions for RTSP Server Load Balancing
Use this procedure to configure the rules and actions for RTSP traffic received by the ACE.
Assumptions
• An RTSP server load balancing traffic policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2
In the Policy Maps table, select the RTSP server load balancing policy map you want to set rules and actions for. The Rule table appears.
Step 3
In the Rule table, click Add to add a new rule, or select the rule you want to modify, then click Edit. The Rule screen appears.
Step 4
In the Type field, configure rules using the information in Table 10-24.

Table 10-24 RTSP Server Load Balancing Policy Map Rules

Option: Class Map
Description: Specify a class map to use for this traffic policy:
1. To use the class-default class map, check the Use Class Default check box.
The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic.
2. To use a previously created class map:
a. Clear the Use Class Default check box.
b. In the Class Map Name field, select the class map to be used.

Option: Match Condition
Description: Specify a match condition to use for this traffic policy:
1. In the Match Condition field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
2. In the Match Condition Type field, select the type of match condition to use for this policy map and configure any type-specific options using the information in Table 10-25.

Option: Insert Before
Description:
1. Indicate whether this rule is to precede another rule for this policy map.
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map.
2. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.
Table 10-25 RTSP Policy Map Match Conditions

Match Condition: RTSP Header
Description: RTSP header information is used for matching criteria.
1. In the Header Name field, specify the header to match in one of the following ways:
– To specify an RTSP header that is not one of the standard RTSP headers, select the first radio button, then enter the RTSP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
– To specify a standard RTSP header, click the second radio button, then select an RTSP header from the list.
2. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the RTSP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the string includes spaces, enclose the string with quotes. All headers in the header map must be matched. See Table 10-31 for a list of the supported characters that you can use in regular expressions.

Match Condition: RTSP URL
Description: A URL or portion of a URL is used for match criteria.
1. In the URL Expression field, enter a URL, or portion of a URL, to match. The ACE performs matching on whatever URL string appears after the RTSP method, regardless of whether the URL includes the host name. The ACE supports regular expressions for matching URL strings. See Table 10-31 for a list of the supported characters that you can use in regular expressions.
2. In the Method Expression field, enter the RTSP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. The method can be either one of the standard RTSP method names (DESCRIBE, ANNOUNCE, GET_PARAMETER, OPTIONS, PAUSE, PLAY, RECORD, REDIRECT, SETUP, SET_PARAMETER, TEARDOWN) or a text string that must be matched exactly (for example, STINGRAY).

Match Condition: Source Address
Description: The source IP address is used for match criteria.
1. In the Source Address field, enter the source IP address for this match condition in dotted-decimal format, such as 192.168.11.1.
2. In the Source Netmask field, select the subnet mask for the source IP address.

Step 5
In the Insert Before field, indicate whether this rule is to precede another rule for this policy map.
• N/A—This option is not configured.
• False—This rule is not to precede another rule in this policy map.
• True—This rule is to precede another rule in this policy map.
If you select True in the Insert Before field, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.
Step 6
Click:
• Deploy Now to deploy this configuration. The screen refreshes and the Action table appears. Continue with Step 7.
• Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Next to deploy your entries and to add another rule.
Note
If you selected the Insert Before option in Step 5 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule.
When the screen refreshes, an empty action list appears.
Step 7
In the Action table, click Add to add an entry or select an existing entry to modify, then click Edit.
Step 8
In the Id field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 9
In the Action Type field, configure actions for this rule using the information in Table 10-22.
Step 10
Click:
• Deploy Now to deploy this configuration on the ACE.
• Cancel to exit the procedure without saving your entries and to return to the Action table.
• Next to deploy your entries and to configure another action.
Related Topics
• Configuring Traffic Policies, page 10-1
• Configuring Virtual Context Class Maps, page 10-8
• Configuring Virtual Context Policy Maps, page 10-33
• Configuring Rules and Actions for Policy Maps, page 10-35
Setting Policy Map Rules and Actions for SIP Server Load Balancing
Use this procedure to configure the rules and actions for SIP traffic received by the ACE.
Assumptions
•
A SIP server load balancing traffic policy map has been configured.
•
A class map has been defined for a class map rule if you do not want to use the class-default class
map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2
In the Policy Maps table, select the SIP server load balancing policy map you want to set rules and
actions for. The Rule table appears.
Step 3
In the Rule table, click Add to add a new rule, or select the rule you want to modify, then click Edit. The
Rule screen appears.
Step 4
In the Type field, configure rules using the information in Table 10-26.
Table 10-26
SIP Server Load Balancing Policy Map Rules
Option
Description
Class Map
Specify a class map to use for this traffic policy:
1.
To use the class-default class map, check the Use Class Default check box.
The class-default class map is a reserved, well-known class map created by the ACE. You
cannot delete or modify this class. All traffic that fails to meet the other matching criteria in
the named class map belongs to the default traffic class. If none of the specified classifications
matches the traffic, then the ACE performs the action specified by the class-default class map.
The class-default class map has an implicit match any statement that enables it to match all
traffic.
2.
To use a previously created class map:
a. Clear the Use Class Default check box.
b. In the Class Map Name field, select the class map to be used.
Match Condition
Specify a match condition to use for this traffic policy:
1.
In the Match Condition field, enter a name for this match condition. Valid entries are unquoted
text strings with no spaces and a maximum of 64 alphanumeric characters.
2.
In the Match Condition Type field, select the type of match condition to use for this policy
map and configure any type-specific options using the information in Table 10-27.
Insert Before
1.
Indicate whether this rule is to precede another rule for this policy map.
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map.
2.
If you select True, the Insert Before Policy Rule field appears. Select the rule that you want
the current rule to precede.
Table 10-27
SIP Server Load Balancing Policy Map Match Conditions
Match Condition
Description
SIP Header
SIP header information is used for matching criteria.
1.
In the Header Name field, specify the header to match in one of the following ways:
– To specify a SIP header that is not one of the standard SIP headers, select the first radio
button, then enter the SIP header name in the Header Name field. Valid entries are
unquoted text strings with no spaces and a maximum of 64 characters.
– To specify a standard SIP header, click the second radio button, then select a SIP header
from the list.
2.
In the Header Value (Bytes) field, enter the header value expression string to compare against
the value in the specified field in the SIP header. Valid entries are text strings with a maximum
of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the
string includes spaces, enclose the string with quotes. All headers in the header map must be
matched. See Table 10-31 for a list of the supported characters that you can use in regular
expressions.
Source Address
The source IP address is used for match criteria.
1.
In the Source IP Address field, enter the source IP address for this match condition in
dotted-decimal format, such as 192.168.11.1.
2.
In the Source Netmask field, select the subnet mask for the source IP address.
Step 5
Click:
•
Deploy Now to deploy this configuration. The screen refreshes and the Action table appears so you
can enter actions for this rule. Continue with Step 6.
•
Cancel to exit this procedure without saving your entries and to return to the Rule table.
•
Next to deploy your entries and to add another rule.
Note
If you selected the Insert Before option in Step 4 and specified True, perform the following steps
to refresh the Rule tab before adding an action for this rule:

1. Click the Rule tab to refresh the Rule table.

2. In the Rule table, select the newly added rule.

When the screen refreshes, an empty action list appears.
Step 6
In the Action table, click Add to add an entry or select an existing entry to modify, then click Edit.
Step 7
In the Id field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 8
In the Action Type field, configure actions for this rule using the information in Table 10-22.
Step 9
Click:
•
Deploy Now to deploy this configuration on the ACE.
•
Cancel to exit the procedure without saving your entries and to return to the Action table.
•
Next to deploy your entries and to configure another action.
Related Topics
•
Configuring Traffic Policies, page 10-1
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
•
Configuring Rules and Actions for Policy Maps, page 10-35
Setting Policy Map Rules and Actions for RDP Server Load Balancing
Use this procedure to configure the rules and actions for RDP traffic received by the ACE.
Assumptions
•
An RDP server load balancing traffic policy map has been configured.
•
A class map has been defined for a class map rule if you do not want to use the class-default class
map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2
In the Policy Maps table, select the RDP server load balancing policy map you want to set rules and
actions for. The Rule table appears.
Step 3
In the Rule table, click Add to add a new rule, or select the rule you want to modify, then click Edit. The
Rule screen appears.
Step 4
In the Type field, confirm that Class Map is selected.
Step 5
To use the class-default class map, check the Use Class Default check box.
The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete
or modify this class. All traffic that fails to meet the other matching criteria in the named class map
belongs to the default traffic class. If none of the specified classifications matches the traffic, then the
ACE performs the action specified by the class-default class map. The class-default class map has an
implicit match any statement that enables it to match all traffic.
Step 6
To use a previously created class map:
a.
Clear the Use Class Default check box.
b.
In the Class Map Name field, select the class map to be used.
Step 7
In the Insert Before field, indicate whether this rule is to precede another rule for this policy map.
•
N/A—This option is not configured.
•
False—This rule is not to precede another rule in this policy map.
•
True—This rule is to precede another rule in this policy map.
If you select True in the Insert Before field, the Insert Before Policy Rule field appears. Select the
rule that you want the current rule to precede.
Step 8
Click:
•
Deploy Now to deploy this configuration. The screen refreshes and the Action table appears. To
enter actions for this rule, continue with Step 9.
•
Cancel to exit this procedure without saving your entries and to return to the Rule table.
•
Next to deploy your entries and to configure another rule.
Note
If you selected the Insert Before option in Step 7 and specified True, perform the following steps
to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule.
When the screen refreshes, an empty action list appears.
Step 9
In the Action table, click Add to add an entry or select an existing entry to modify, then click Edit.
Step 10
In the Id field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 11
In the Action Type field, configure actions for this rule using the information in Table 10-22.
Step 12
Click:
•
Deploy Now to deploy this configuration on the ACE.
•
Cancel to exit the procedure without saving your entries and to return to the Action table.
•
Next to deploy your entries and to configure another action.
Related Topics
•
Configuring Traffic Policies, page 10-1
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
•
Configuring Rules and Actions for Policy Maps, page 10-35
Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection
Use this procedure to add rules and actions for Layer 7 HTTP deep packet inspection policy maps.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2
In the Policy Maps table, select the Layer 7 deep packet inspection policy map that you want to set rules
and actions for, then select the Rule tab. You can select multiple policy maps (hold down the Shift key
while selecting entries) and apply common rules and actions to them.
Step 3
In the Rule table, click Add to add a new rule, or select an existing rule, then Edit to modify it. The Rule
configuration screen appears.
Step 4
In the Type field, select the type of rule to be used:
•
Class Map—Indicates that the ACE appliance is to use an existing class map that identifies the rules
and corresponding actions. Continue with Step 5.
•
Match Condition—Indicates that the ACE appliance is to use a set of conditions to identify the rules
and corresponding actions. Continue with Step 7.
Step 5
For class maps, check the Use Class Default check box to use the class-default class map, or clear the
check box to use a previously created class map.
Step 6
If you clear the Use Class Default check box:
a.
In the Class Map Name field, select the class map to be used.
b.
In the Insert Before field, indicate whether this rule is to precede another rule in this policy map.
– N/A—Indicates that this option is not configured.
– False—Indicates that this rule is not to precede another rule in this policy map.
– True—Indicates that this rule is to precede another rule in this policy map.
c.
If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the
current rule to precede.
Step 7
For match conditions:
a.
In the Match Condition Name field enter a name for the match condition. Valid entries are unquoted
text strings with no spaces and a maximum of 64 alphanumeric characters.
b.
In the Match Condition Type field, select the method by which match decisions are to be made and
their corresponding conditions. See Table 10-28 for information about these selections.
Table 10-28
HTTP Deep Packet Inspection Match Types
Match Condition Type
Description
Content
Specific content contained within the HTTP entity-body is used for application inspection
decisions.
1.
In the Content Expression field, enter the content that is to be matched. Valid entries are
alphanumeric strings from 1 to 255 characters.
2.
In the Content Offset (Bytes) field, enter the number of bytes to be ignored starting with the
first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and
the body of the message. Valid entries are from 1 to 4000 bytes.
Content Length
The content parse length in an HTTP message is used for application inspection decisions.
1.
In the Content Length Operator field, select the operand to be used to compare content length:
– Equal To—Indicates that the content length must equal the number in the Content Length
Value (Bytes) field.
– Greater Than—Indicates that the content length must be greater than the number in the
Content Length Value (Bytes) field.
– Less Than—Indicates that the content length must be less than the number in the Content
Length Value (Bytes) field.
– Range—Indicates that the content length must be within the range specified in the
Content Length Lower Value (Bytes) field and the Content Length Higher Value (Bytes)
field.
2.
Enter values to apply for content length comparison:
– If you select Equal To, Greater Than, or Less Than in the Content Length Operator field,
the Content Length Value (Bytes) field appears. In the Content Length Value (Bytes) field,
enter the number of bytes for comparison. Valid entries are integers from 0 to
4294967295.
– If you select Range in the Content Length Operator field, the Content Length Lower Value
(Bytes) and the Content Length Higher Value (Bytes) fields appear:
1. In the Content Length Lower Value (Bytes) field, enter the lowest number of bytes to
be used for this match condition. Valid entries are integers from 0 to 4294967295. The
number in this field must be less than the number entered in the Content Length Higher
Value (Bytes) field.
2. In the Content Length Higher Value (Bytes) field, enter the highest number of bytes to
be used for this match condition. Valid entries are integers from 1 to 4294967295. The
number in this field must be greater than the number entered in the Content Length Lower
Value (Bytes) field.
Content Type
Verification
Verifies that the MIME type declared in the HTTP header matches the actual content in the data
or entity body of the message. This inline match condition limits the MIME types in HTTP
messages allowed through the ACE appliance: it verifies that the header MIME-type value is in the
internal list of supported MIME types and that the header MIME type matches the actual content.
If they do not match, the ACE appliance performs the specified Layer 7 policy map action.
Note
Content Type Verification is only available as an inline match condition. Because this Layer
7 HTTP deep inspection match criterion cannot be combined with other match criteria, it
appears as an inline match condition.
Table 10-28
HTTP Deep Packet Inspection Match Types (continued)
Match Condition Type
Description
Header
The name and value in an HTTP header are used for application inspection decisions.
1.
In the Header field, select one of the predefined HTTP headers to be matched, or select HTTP
Header to specify a different HTTP header.
2.
If you select HTTP Header, in the Header Name field, enter the name of the HTTP header to
match. Valid entries are unquoted text strings with no spaces and a maximum of 64
alphanumeric characters.
3.
In the Header Value field, enter the header value expression string to compare against the value
in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255
alphanumeric characters. The ACE appliance supports regular expressions for matching. To
include spaces in the string, enclose the entire string in quotes. All headers in the header map
must be matched. See Table 10-31 for a list of the supported characters that you can use in
regular expressions.
Header Length
The length of the header in the HTTP message is used for application inspection decisions.
1.
In the Header Length Type field, specify whether HTTP header request or response messages
are to be used for application inspection decisions:
– Request—Indicates that HTTP header request messages are to be checked for header
length.
– Response—Indicates that HTTP header response messages are to be checked for header
length.
2.
In the Header Length Operator field, select the operand to be used to compare header length:
– Equal To—Indicates that the header length must equal the number in the Header Length
Value (Bytes) field.
– Greater Than—Indicates that the header length must be greater than the number in the
Header Length Value (Bytes) field.
– Less Than—Indicates that the header length must be less than the number in the Header
Length Value (Bytes) field.
– Range—Indicates that the header length must be within the range specified in the Header
Length Lower Value (Bytes) field and the Header Length Higher Value (Bytes) field.
3.
Enter values to apply for header length comparison:
– If you select Equal To, Greater Than, or Less Than in the Header Length Operator field,
the Header Length Value (Bytes) field appears. In the Header Length Value (Bytes) field,
enter the number of bytes for comparison. Valid entries are integers from 0 to 255.
– If you select Range in the Header Length Operator field, the Header Length Lower Value
(Bytes) and the Header Length Higher Value (Bytes) fields appear:
1. In the Header Length Lower Value (Bytes) field, enter the lowest number of bytes to be
used for this match condition. Valid entries are integers from 0 to 255. The number in this
field must be less than the number entered in the Header Length Higher Value (Bytes)
field.
2. In the Header Length Higher Value (Bytes) field, enter the highest number of bytes to
be used for this match condition. Valid entries are integers from 1 to 255. The number in
this field must be greater than the number entered in the Header Length Lower Value
(Bytes) field.
Table 10-28
HTTP Deep Packet Inspection Match Types (continued)
Match Condition Type
Description
Header MIME Type
Multipurpose Internet Mail Extension (MIME) message types are used for application inspection
decisions.
In the Header MIME Type field, select the MIME message type to be used for this match condition.
Port Misuse
The misuse of port 80 (or any other port running HTTP) is used for application inspection
decisions.
Indicate the application category to be used for this match condition:
•
IM—Indicates that instant messaging applications are to be used for this match condition.
•
P2P—Indicates that peer-to-peer applications are to be used for this match condition.
•
Tunneling—Indicates that tunneling applications are to be used for this match condition.
Request Method
The request method is used for application inspection decisions.
By default, ACE appliances allow all request and extension methods. This option allows you to
configure class maps that define application inspection decisions based on compliance to request
methods defined in RFC 2616 and by HTTP extension methods.
1.
In the Request Method Type field, select the type of compliance to be used for application
inspection decision:
– Ext—Indicates that an HTTP extension method is to be used for application inspection
decisions.
– RFC—Indicates that a request method defined in RFC 2616 is to be used for application
inspection decisions.
Depending on your selection, the Ext Request Method field or the RFC Request Method field
appears.
2.
In the Request Method field, select the specific request method to be used.
Strict HTTP
Internal compliance checks are performed to verify that a message is compliant with the HTTP
RFC standard, RFC 2616. If the HTTP message is not compliant, the ACE appliance performs the
specified Layer 7 policy map action.
Note
Strict HTTP is only available as an inline match condition. Because this Layer 7 HTTP deep
inspection match criterion cannot be combined with other match criteria, it appears as an
inline match condition.
Transfer Encoding
An HTTP transfer-encoding type is used for application inspection decisions. The
transfer-encoding general-header field indicates the type of transformation, if any, that has been
applied to the HTTP message body to safely transfer it between the sender and the recipient.
In the Transfer Encoding field, select the type of encoding that is to be checked:
•
Chunked—The message body is transferred as a series of chunks.
•
Compress—The encoding format that is produced by the UNIX file compression program
compress.
•
Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE
compression mechanism described in RFC 1951.
•
Gzip—The encoding format that is produced by the file compression program GZIP (GNU
zip) as described in RFC 1952.
•
Identity—The default (identity) encoding which does not require the use of transformation.
Table 10-28
HTTP Deep Packet Inspection Match Types (continued)
Match Condition Type
Description
URL
URL names are used for application inspection decisions.
In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from
1 to 255 alphanumeric characters and include only the portion of the URL following
www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html,
include only /latest/whatsnew.html.
URL Length
URL length is used for application inspection decisions.
1.
In the URL Length Operator field, select the operand to be used to compare URL length:
– Equal To—Indicates that the URL length must equal the number in the URL Length Value
(Bytes) field.
– Greater Than—Indicates that the URL length must be greater than the number in the URL
Length Value (Bytes) field.
– Less Than—Indicates that the URL length must be less than the number in the URL
Length Value (Bytes) field.
– Range—Indicates that the URL length must be within the range specified in the URL
Length Lower Value (Bytes) field and the URL Length Higher Value (Bytes) field.
2.
Enter values to apply for URL length comparison:
– If you select Equal To, Greater Than, or Less Than in the URL Length Operator field, the
URL Length Value (Bytes) field appears. In the URL Length Value (Bytes) field, enter the
value for comparison. Valid entries are from 1 to 65535 bytes.
– If you select Range in the URL Length Operator field, the URL Length Lower Value
(Bytes) and the URL Length Higher Value (Bytes) fields appear:
1. In the URL Length Lower Value (Bytes) field, enter the lowest number of bytes to be
used for this match condition. Valid entries are integers from 1 to 65535. The number in
this field must be less than the number entered in the URL Length Higher Value (Bytes)
field.
2. In the URL Length Higher Value (Bytes) field, enter the highest number of bytes to be
used for this match condition. Valid entries are integers from 1 to 65535. The number in
this field must be greater than the number entered in the URL Length Lower Value (Bytes)
field.
Step 8
In the Insert Before field, specify whether this rule is to precede another rule in this policy map:
•
N/A—Indicates that this attribute is not set.
•
False—Indicates that this rule is not to precede another rule in the policy map.
•
True—Indicates that this rule is to precede another rule in the policy map.
Step 9
If you set Insert Before to True, the Insert Before Policy Rule field appears. Select the rule that you want
the current rule to precede.
Step 10
Click:
•
Deploy Now to deploy this configuration on the ACE appliance. The Action table appears below the
Rule table. To define actions for this rule, continue with Step 11.
•
Cancel to exit this procedure without saving your entries and to return to the Policy Maps table.
•
Next to save your entries and to configure another rule.
Note
If you selected the Insert Before option in Step 8 and specified True, perform the following steps
to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule.
When the screen refreshes, an empty action list appears.
Step 11
To add an action for this rule, click Add in the Action table, or select an existing action, then click Edit
to modify it. The Action configuration screen appears.
Step 12
In the Id field, either accept the automatically incremented entry or assign a unique identifier for this
action.
Step 13
In the Action Type field, select the action to be taken for this rule:
•
Permit—Indicates that the specified HTTP traffic is to be allowed if it meets the specified HTTP
deep packet inspection match criteria.
•
Reset—Indicates that the specified HTTP traffic is to be denied. A TCP reset message is sent to the
client or server to close the connection.
Step 14
Click:
•
Deploy Now to deploy this configuration on the ACE appliance.
•
Cancel to exit this procedure without saving your entries and to return to the Action table.
•
Next to configure another action for this policy map and rule.
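The following Python model is added here as a worked example; it is not part of the Cisco guide and not ACE code. It evaluates the Table 10-28 match conditions (Content with offset, Content Length, Header, Header Length, Request Method RFC/Ext, Transfer Encoding, URL, URL Length) and the Permit/Reset actions of Step 13 against constructed HTTP requests, so you can see what a given rule set would permit or reset before deploying it. The tuple encoding of conditions, the `inspect` function, the way header length is counted and the default for unmatched traffic are this example's own assumptions, not documented ACE behavior.

```python
import re

# Methods defined in RFC 2616; anything else counts as an extension method.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
# The five Transfer Encoding choices offered by the match condition.
TRANSFER_ENCODINGS = {"chunked", "compress", "deflate", "gzip", "identity"}


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, URL, headers and body.
    header_len counts every byte up to and including the blank line; that the
    ACE counts the same way is an assumption of this example."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, url, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": url, "headers": headers,
            "body": body, "header_len": len(head) + 4}


def compare(value: int, op: str, *bounds: int) -> bool:
    """Equal To / Greater Than / Less Than / Range, as used by the Content
    Length, Header Length and URL Length match conditions."""
    if op == "eq":
        return value == bounds[0]
    if op == "gt":
        return value > bounds[0]
    if op == "lt":
        return value < bounds[0]
    if op == "range":
        lo, hi = bounds
        if not lo < hi:  # the GUI requires Lower Value < Higher Value
            raise ValueError("lower value must be less than higher value")
        return lo <= value <= hi
    raise ValueError(f"unknown operator {op!r}")


def match(req: dict, cond: tuple) -> bool:
    """Evaluate one match condition (encoded as a tuple) against a parsed request."""
    kind, *args = cond
    if kind == "content":            # regex on the body after skipping offset bytes
        pattern, offset = args
        return re.search(pattern.encode(), req["body"][offset:]) is not None
    if kind == "content-length":
        return compare(len(req["body"]), *args)
    if kind == "header":             # header name plus regex on its value
        name, pattern = args
        value = req["headers"].get(name.lower())
        return value is not None and re.search(pattern, value) is not None
    if kind == "header-length":
        return compare(req["header_len"], *args)
    if kind == "request-method":     # ("rfc" | "ext", METHOD)
        scope, method = args
        is_rfc = req["method"] in RFC2616_METHODS
        return req["method"] == method and (is_rfc if scope == "rfc" else not is_rfc)
    if kind == "transfer-encoding":  # absent header means identity encoding
        wanted = args[0]
        if wanted not in TRANSFER_ENCODINGS:
            raise ValueError(f"unknown transfer encoding {wanted!r}")
        return req["headers"].get("transfer-encoding", "identity").lower() == wanted
    if kind == "url":                # regex on the path portion after the host
        return re.search(args[0], req["url"]) is not None
    if kind == "url-length":
        return compare(len(req["url"]), *args)
    raise ValueError(f"unknown match type {kind!r}")


def inspect(raw: bytes, rules, default: str = "permit") -> str:
    """Apply rules in order, as rules are ordered in an inspect policy map.
    Each rule is (match_all, [conditions], action) with action "permit" or
    "reset"; the first rule whose conditions hold decides. The default for
    unmatched traffic is a parameter because this example does not assume
    what the ACE does for traffic that matches no rule."""
    req = parse_request(raw)
    for match_all, conds, action in rules:
        results = [match(req, c) for c in conds]
        if (all(results) if match_all else any(results)):
            return action
    return default


# Constructed sample policy: reset on path traversal in a POST body, on
# oversized URLs or headers, on a WebDAV extension method, or on the rarely
# legitimate "compress" transfer encoding.
RULES = [
    (True, [("request-method", "rfc", "POST"), ("content", r"\.\./", 0)], "reset"),
    (False, [("url-length", "gt", 2048), ("header-length", "gt", 8192)], "reset"),
    (True, [("request-method", "ext", "PROPFIND")], "reset"),
    (True, [("transfer-encoding", "compress")], "reset"),
]

# Constructed sample requests, not captured traffic.
GET_REQ = (b"GET /latest/whatsnew.html HTTP/1.1\r\nHost: www.anydomain.com\r\n"
           b"User-Agent: curl/7.0\r\n\r\n")
POST_REQ = (b"POST /upload HTTP/1.1\r\nHost: www.anydomain.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"user=admin&file=../../etc/passwd")
PROPFIND_REQ = b"PROPFIND /dav/ HTTP/1.1\r\nHost: www.anydomain.com\r\nDepth: 1\r\n\r\n"
```

Running `inspect(GET_REQ, RULES)` returns "permit", while the POST with a traversal string and the PROPFIND request both return "reset". Because evaluation stops at the first matching rule, rule order matters exactly as the Insert Before option implies: a permissive rule placed ahead of a reset rule silences it.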
Related Topics
•
Configuring Traffic Policies, page 10-1
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
•
Configuring Rules and Actions for Policy Maps, page 10-35
Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection
File Transfer Protocol (FTP) inspection inspects FTP sessions for address translation in a message,
dynamic opening of ports, and stateful tracking of request and response messages. Each specified FTP
command must be acknowledged before the ACE allows a new command. Command filtering allows you
to restrict specific commands by the ACE. When the ACE denies a command, it closes the connection.
The FTP command inspection process, as performed by the ACE:
•
Prepares a dynamic secondary data connection. The channels are allocated in response to a file
upload, a file download, or a directory listing event and must be prenegotiated. The port is negotiated
through the PORT or PASV commands.
•
Tracks the FTP command-response sequence. The ACE performs the command checks listed below.
If you specify the FTP Strict field in a Layer 3 and Layer 4 policy map, the ACE tracks each FTP
command and response sequence for the anomalous activity outlined below. The FTP Strict
parameter is used in conjunction with a Layer 7 FTP policy map (nested within the Layer 3 and
Layer 4 policy map) to deny certain FTP commands or to mask the server reply for SYST command.
Note
The use of the FTP Strict parameter may affect FTP clients that do not comply with the RFC
standards.
– Truncated command—Checks the number of commas in the PORT and PASV reply command
against a fixed value of five. If the value is not five, the ACE assumes that the PORT command
is truncated and issues a warning message and closes the TCP connection.
– Incorrect command—Checks the FTP command to verify if it ends with <CR><LF> characters,
as required by RFC 959. If the FTP command does not end with those characters, the ACE
closes the connection.
– Size of RETR and STOR commands—Checks the size of the RETR and STOR commands
against a fixed constant of 256. If the size is greater, the ACE logs an error message and closes
the connection.
– Command spoofing—Verifies that the PORT command is always sent from the client. If a PORT
command is sent from the server, the ACE denies the TCP connection.
– Reply spoofing—Verifies that the PASV reply command (227) is always sent from the server.
If a PASV reply command is sent from the client, the ACE denies the TCP connection. This
denial prevents a security hole when the user executes “227 xxxxx a1, a2, a3, a4, p1, p2.”
– Invalid port negotiation—Checks the negotiated dynamic port value to verify that it is greater
than 1024 (port numbers in the range from 2 to 1024 are reserved for well-known connections).
If the negotiated port falls in this range, the ACE closes the TCP connection.
– Command pipelining—Checks the number of characters present after the port numbers in the
PORT and PASV reply command against a constant value of 8. If the number of characters is
greater than 8, the ACE closes the TCP connection.
•
Translates embedded IP addresses in conjunction with NAT. FTP command inspection translates the
IP address within the application payload. Refer to RFC 959 for background details.
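The following Python model is added here as a worked example; it is not part of the Cisco guide and not ACE code. It runs the FTP Strict checks listed above (truncated command, incorrect command, RETR/STOR size, command spoofing, reply spoofing, invalid port negotiation, command pipelining) over a constructed control-channel transcript and reports the first line on which the ACE, per those checks, would close the TCP connection. It does not open data channels or translate addresses; the transcript, the message strings and the function names are this example's own.

```python
import re

# Fixed constants named in the checks above.
EXPECTED_COMMAS = 5          # Truncated command check
MAX_RETR_STOR_LEN = 256      # Size of RETR and STOR commands check
MAX_TRAILING_CHARS = 8       # Command pipelining check
LOWEST_DYNAMIC_PORT = 1025   # Invalid port negotiation: port must be greater than 1024
ADDR_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def check_address_tuple(text: str, what: str):
    """Checks shared by the PORT argument and the 227 reply: comma count,
    characters after the port numbers, and the negotiated port value."""
    if text.count(",") != EXPECTED_COMMAS:
        return f"truncated {what}: expected {EXPECTED_COMMAS} commas, saw {text.count(',')}"
    m = ADDR_TUPLE.search(text)
    if m is None:
        return f"truncated {what}: no h1,h2,h3,h4,p1,p2 tuple"
    trailing = text[m.end():]
    if len(trailing) > MAX_TRAILING_CHARS:
        return f"command pipelining in {what}: {len(trailing)} characters after the port numbers"
    port = int(m.group(5)) * 256 + int(m.group(6))
    if port < LOWEST_DYNAMIC_PORT:
        return f"invalid port negotiation in {what}: port {port} is not above 1024"
    return None


def check_line(sender: str, line: str):
    """Return why the strict inspector would close the connection on this
    control-channel line, or None if it passes. sender is "client" or "server"."""
    if sender == "client":
        if not line.endswith("\r\n"):
            return "incorrect command: does not end with <CR><LF>"
        body = line[:-2]
        verb = body.split(" ", 1)[0].upper()
        if verb in ("RETR", "STOR") and len(body) > MAX_RETR_STOR_LEN:
            return f"{verb} command is {len(body)} bytes, limit is {MAX_RETR_STOR_LEN}"
        if body.startswith("227"):
            return "reply spoofing: 227 PASV reply sent by the client"
        if verb == "PORT":
            return check_address_tuple(body[len("PORT"):], "PORT command")
        return None
    body = line.rstrip("\r\n")
    if body.split(" ", 1)[0].upper() == "PORT":
        return "command spoofing: PORT command sent by the server"
    if body.startswith("227"):
        return check_address_tuple(body[3:], "227 reply")
    return None


def inspect_session(transcript):
    """Walk a list of (sender, line) pairs; return (index, reason) for the first
    violation, where the ACE would close the TCP connection, or None."""
    for index, (sender, line) in enumerate(transcript):
        reason = check_line(sender, line)
        if reason is not None:
            return index, reason
    return None


# Constructed control-channel transcript, not a capture.
CLEAN_SESSION = [
    ("server", "220 ftp.example.test ready\r\n"),
    ("client", "USER anonymous\r\n"),
    ("server", "331 Please specify the password.\r\n"),
    ("client", "PASS guest@\r\n"),
    ("server", "230 Login successful.\r\n"),
    ("client", "PASV\r\n"),
    ("server", "227 Entering Passive Mode (192,168,11,1,195,80).\r\n"),
    ("client", "RETR whatsnew.html\r\n"),
]
# Same session, but the server steers the data channel to port 21 (0*256+21).
BAD_PASV_SESSION = CLEAN_SESSION[:6] + [
    ("server", "227 Entering Passive Mode (192,168,11,1,0,21).\r\n"),
]
```

`inspect_session(CLEAN_SESSION)` returns None (port 195*256+80 = 50000 is above 1024), while `inspect_session(BAD_PASV_SESSION)` stops at index 6 with an invalid port negotiation reason. The same helper catches a client that appends a second command after the PORT tuple, which is the pipelining case the check is designed to stop.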
Use this procedure to add rules and actions for Layer 7 FTP command inspection policy maps.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2
In the Policy Maps table, select the Layer 7 FTP command inspection policy map you want to set rules
and actions for, then select the Rule tab. You can select multiple policy maps (hold down the Shift key
while selecting entries) and apply common rules and actions to them.
Step 3
In the Rule table, click Add to add a new rule, or select an existing rule, then Edit to modify it. The Rule
configuration screen appears.
Step 4
In the Type field, select the type of rule to be used:
•
Class Map—Indicates that the ACE appliance is to use an existing class map that identifies the rules
and corresponding actions.
•
Match Condition—Indicates that the ACE appliance is to use a set of conditions to identify the rules
and corresponding actions.
Step 5
For class maps, check the Use Class Default check box to use the class-default class map, or clear the
check box to use a previously created class map.
Step 6
If you clear the Use Class Default check box:
a.
In the Class Map Name field, select the class map to be used.
b.
In the Insert Before field, indicate whether this rule is to precede another rule in this policy map.
– N/A—Indicates that this option is not configured.
– False—Indicates that this rule is not to precede another rule in this policy map.
– True—Indicates that this rule is to precede another rule in this policy map.
c.
If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the
current rule to precede.
Step 7
For match conditions:
a.
In the Match Condition Name field, enter a name for the match condition for this rule. Valid entries
are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
b.
In the Match Condition Type field, select Request Method Name as the match condition type for this
rule.
c.
In the Request Method Name field, select the FTP command to be inspected for this rule.
Table 10-13 describes the FTP commands that can be inspected.
Step 8
In the Insert Before field, specify whether this rule is to precede another rule in this policy map:
•
N/A—Indicates that this attribute is not set.
•
False—Indicates that this rule is not to precede another rule in the policy map.
•
True—Indicates that this rule is to precede another rule in the policy map.
Step 9
If you set Insert Before to True, the Insert Before Policy Rule field appears. Select the rule that you want
the current rule to precede.
Step 10
Click:
•
Deploy Now to deploy this configuration on the ACE appliance. The Action table appears below the
Rule table. To define actions for this rule, continue with Step 11.
•
Cancel to exit this procedure without saving your entries and to return to the Policy Maps table.
•
Next to save your entries and to configure another rule.
Note
If you selected the Insert Before option in Step 8 and specified True, perform the following steps
to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule.
When the screen refreshes, an empty action list appears.
Step 11
To add an action for this rule, click Add in the Action table, or select an existing action, then click Edit
to modify it. The Action configuration screen appears.
Step 12
In the Id field, either accept the automatically incremented entry or assign a unique identifier for this
action.
Step 13
In the Action Type field, specify the action to be taken for this rule:
•
Deny—Indicates that the ACE appliance is to deny the specified FTP command when this rule is
met.
•
Mask Reply—Indicates that the ACE appliance is to mask the reply to the FTP syst command by
filtering sensitive information from the command output. The action applies to the FTP syst
command only.
Step 14
Click:
•
Deploy Now to deploy this configuration on the ACE appliance.
•
Cancel to exit this procedure without saving your entries and to return to the Action table.
•
Next to save your entries and to configure another action for this rule.
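The following Python program is an added example for readers of this guide; it is not Cisco code and does not reproduce the ACE implementation. It models, on constructed FTP control-channel lines, the checks described at the top of this section (the pipelining constant of 8, the port-range check, and the translation of addresses embedded in PORT commands and 227 PASV replies when NAT applies) together with the Deny and Mask Reply actions of Steps 13 and 14. The reserved port range used for the range check (0 to 1023), the masking of the 215 reply with X characters, and the sample deny list (SITE, DELE) are assumptions and are marked as such in the code.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Verdicts for one control-channel line.
FORWARD, DROP, CLOSE = "forward", "drop", "close"

# ASSUMPTION: the guide's port-range check refers to a range defined earlier in
# the chapter; the well-known ports 0-1023 stand in for it here.
RESERVED_PORTS = range(0, 1024)
# Constant the guide gives for the command-pipelining check.
MAX_TRAILING_CHARS = 8

_HOST_PORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^(PORT\s+)" + _HOST_PORT + r"(.*)$", re.IGNORECASE | re.DOTALL)
PASV_RE = re.compile(r"^(227\s[^(]*\()" + _HOST_PORT + r"(.*)$", re.DOTALL)


def _decode(groups) -> Tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 (RFC 959 encoding) -> (dotted IP, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class FtpInspector:
    deny_commands: Set[str] = field(default_factory=set)  # Deny action, per command
    mask_syst_reply: bool = False                          # Mask Reply action (syst only)
    nat: Dict[str, str] = field(default_factory=dict)      # real IP -> translated IP
    _last_cmd: Optional[str] = None

    def _check_endpoint(self, m: "re.Match") -> Tuple[str, Optional[str]]:
        ip, port = _decode(m.groups()[1:7])
        trailer = m.group(8).rstrip("\r\n")
        if port in RESERVED_PORTS:
            return CLOSE, None  # negotiated port inside the blocked range
        if len(trailer) > MAX_TRAILING_CHARS:
            return CLOSE, None  # extra characters after the port numbers: pipelining
        new_ip = self.nat.get(ip, ip)  # rewrite the embedded address when NAT applies
        return FORWARD, m.group(1) + _encode(new_ip, port) + m.group(8)

    def inspect_request(self, line: str) -> Tuple[str, Optional[str]]:
        """Client -> server line. Returns (verdict, line to forward or None)."""
        cmd = line.split(None, 1)[0].upper() if line.strip() else ""
        self._last_cmd = cmd
        if cmd in self.deny_commands:
            return DROP, None
        m = PORT_RE.match(line)
        return self._check_endpoint(m) if m else (FORWARD, line)

    def inspect_reply(self, line: str) -> Tuple[str, Optional[str]]:
        """Server -> client line."""
        m = PASV_RE.match(line)
        if m:
            return self._check_endpoint(m)
        if self.mask_syst_reply and self._last_cmd == "SYST" and line.startswith("215"):
            body = line[4:].rstrip("\r\n")  # ASSUMPTION: masked with X characters
            return FORWARD, "215 " + "X" * len(body) + line[4 + len(body):]
        return FORWARD, line
```

The pipelining check is what defeats a client that appends a second command to a PORT line in the hope that the far end parses it as a separate command after the inspector has already accepted the first one; the inspector closes the connection rather than trying to forward a sanitized version.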
Related Topics
•
Configuring Traffic Policies, page 10-1
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
•
Configuring Rules and Actions for Policy Maps, page 10-35
Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection
Use this procedure to configure the rules and actions for a SIP deep packet inspection policy map.
Assumptions
•
A SIP deep packet inspection policy map has been configured.
•
A class map has been defined for a class map rule if you do not want to use the class-default class
map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2
In the Policy Maps table, select the SIP deep packet inspection policy map you want to set rules and
actions for. The Rule table appears.
Step 3
In the Rule table, click Add to add a new rule, or select the rule you want to modify, then click Edit. The
Rule screen appears.
Step 4
In the Type field, configure rules using the information in Table 10-29.
Table 10-29
Layer 7 SIP Deep Packet Inspection Policy Map Rules
Option
Description
Class Map
Specify a class map to use for this traffic policy:
1.
To use the class-default class map, check the Use Class Default check box.
The class-default class map is a reserved, well-known class map created by the ACE. You
cannot delete or modify this class. All traffic that fails to meet the other matching criteria in
the named class map belongs to the default traffic class. If none of the specified classifications
matches the traffic, then the ACE performs the action specified by the class-default class map.
The class-default class map has an implicit match any statement that enables it to match all
traffic.
2.
To use a previously created class map:
a. Clear the Use Class Default check box.
b. In the Class Map Name field, select the class map to be used.
Match Condition
Specify a match condition to use for this traffic policy:
1.
In the Match Condition Name field, enter a name for this match condition. Valid entries are unquoted
text strings with no spaces and a maximum of 64 alphanumeric characters.
2.
In the Match Condition Type field, select the type of match condition to use for this policy
map and configure any type-specific options using the information in Table 3-7.
Insert Before
1.
Indicate whether this rule is to precede another rule for this policy map.
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map.
2.
If you select True, the Insert Before Policy Rule field appears. Select the rule that you want
the current rule to precede.
Step 5
Click:
•
Deploy Now to deploy this configuration. The screen refreshes and the Action table appears.
Continue with Step 6.
•
Cancel to exit this procedure without saving your entries and to return to the Rule table.
•
Next to deploy your entries and to add another rule.
Note
If you selected the Insert Before option and specified True, perform the following steps to
refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule.
When the screen refreshes, an empty action list appears.
Step 6
In the Action table, click Add to add an entry or select an existing entry to modify, then click Edit.
Step 7
In the Id field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 8
In the Action Type field, select the action to be taken for this rule:
•
Drop—The SIP traffic is to be dropped if it meets the specified match criteria.
•
Permit—The SIP traffic is to be allowed if it meets the specified match criteria.
•
Reset—The SIP traffic is to be denied if it meets the specified match criteria. A TCP reset message
is sent to the client or server to close the connection.
Step 9
In the Action Log field, specify whether the action taken is to be logged.
•
N/A—This option is not configured.
•
False—Dropped packets are not to be logged in the software.
•
True—Dropped packets are to be logged in the software.
Step 10
Click:
•
Deploy Now to deploy this configuration on the ACE.
•
Cancel to exit the procedure without saving your entries and to return to the Action table.
•
Next to deploy your entries and to configure another action.
Related Topics
•
Configuring Traffic Policies, page 10-1
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
•
Configuring Rules and Actions for Policy Maps, page 10-35
Setting Policy Map Rules and Actions for Layer 7 Skinny Deep Packet
Inspection
Use this procedure to configure the rules and actions for a Skinny Client Control Protocol (SCCP) deep
packet inspection policy map.
Assumptions
•
A Skinny deep packet inspection policy map has been configured.
•
A class map has been defined for a class map rule if you do not want to use the class-default class
map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2
In the Policy Maps table, select the Skinny deep packet inspection policy map you want to set rules and
actions for. The Rule table appears.
Step 3
In the Rule table, click Add to add a new rule, or select the rule you want to modify, then click Edit. The
Rule screen appears.
Step 4
In the Type field, confirm that Match Condition is selected.
Step 5
In the Match Condition Name field, enter a name for this match condition. Valid entries are unquoted
text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 6
In the Match Condition Type field, confirm that Message ID is selected.
Step 7
In the Message ID Operator field, indicate whether the match criteria is for a single message identifier
or for a range of message identifiers:
•
Equal To—A single message identifier is used for this match condition.
In the Message ID Value field, enter the numerical identifier of a SCCP message. Valid entries are
integers from 0 to 65535.
•
Range—A range of message identifiers is used for this match condition.
a. In the Message ID Low Range Value field, enter the lowest numerical identifier of a range of
SCCP messages. Valid entries are integers from 0 to 65535.
b. In the Message ID High Range Value field, enter the highest numerical identifier of a range of
SCCP messages. Valid entries are integers from 0 to 65535, and the value in this field must be
equal to or greater than the value in the Message ID Low Range Value field.
Step 8
In the Insert Before field, indicate whether this rule is to precede another rule in this policy map:
•
N/A—This option is not configured.
•
False—This rule is not to precede another rule in this policy map.
•
True—This rule is to precede another rule in this policy map.
Step 9
If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current
rule to precede.
Step 10
Click:
•
Deploy Now to deploy the configuration on the ACE. The screen refreshes and the Action table
appears. To define the actions for this rule, continue with Step 11.
•
Cancel to exit this procedure without saving your entries and to return to the Rule table.
•
Next to deploy your entries and to configure another rule.
Note
If you selected the Insert Before option in Step 8 and specified True, perform the following steps
to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule.
When the screen refreshes, an empty action list appears.
Step 11
In the Action table, click Add to add a new action, or select an existing action, then click Edit to modify
it. The Action configuration screen appears.
Step 12
In the ID field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 13
In the Action Type field, confirm that Reset is selected.
Step 14
In the Action Log field, specify whether the action taken is to be logged.
•
N/A—This option is not configured.
•
False—Dropped packets are not to be logged in the software.
•
True—Dropped packets are to be logged in the software.
Step 15
Click:
•
Deploy Now to deploy this configuration on the ACE.
•
Cancel to exit the procedure without saving your entries and to return to the Action table.
•
Next to deploy your entries and to configure another action.
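The Skinny procedure above (and the SIP procedure before it) describes a first-match rule list: match conditions in a fixed order, Insert Before to place a new rule ahead of an existing one, a Reset action and an Action Log flag. The following Python program is an added example, not Cisco code, that implements that model for SCCP message identifiers on constructed packets. It enforces the constraints stated in Step 7 (identifiers 0 to 65535, high range value not below the low one) and the 64-character, no-space rule for match condition names. The on-the-wire SCCP header layout (little-endian length, reserved word, message ID) comes from the protocol and is not described on this page; it is marked as an assumption in the code, and the message IDs used in the test are constructed values, not a statement about which Skinny messages should be blocked.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_MSG_ID = 65535  # Message ID Value range given in Step 7


@dataclass(frozen=True)
class MatchCondition:
    name: str
    operator: str               # "eq" (Equal To) or "range" (Range)
    low: int                    # Message ID Value, or Message ID Low Range Value
    high: Optional[int] = None  # Message ID High Range Value (range only)

    def __post_init__(self) -> None:
        if not self.name or " " in self.name or len(self.name) > 64:
            raise ValueError("match condition name: no spaces, 1-64 characters")
        if self.operator not in ("eq", "range"):
            raise ValueError("operator must be eq or range")
        hi = self.low if self.operator == "eq" else self.high
        if hi is None or not (0 <= self.low <= hi <= MAX_MSG_ID):
            raise ValueError("message IDs must be 0-65535 and high >= low")

    def matches(self, msg_id: int) -> bool:
        if self.operator == "eq":
            return msg_id == self.low
        return self.low <= msg_id <= self.high


@dataclass
class Rule:
    match: MatchCondition
    action: str = "reset"   # Action Type: Reset is the only choice for Skinny
    log: bool = False       # Action Log: True logs the dropped packet


class SkinnyInspector:
    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.log_lines: List[str] = []

    def add_rule(self, rule: Rule, insert_before: Optional[str] = None) -> None:
        """insert_before names an existing rule (Insert Before = True); None appends."""
        if insert_before is None:
            self.rules.append(rule)
            return
        for i, existing in enumerate(self.rules):
            if existing.match.name == insert_before:
                self.rules.insert(i, rule)
                return
        raise KeyError(insert_before)

    @staticmethod
    def parse_message_id(pkt: bytes) -> int:
        # ASSUMPTION (protocol knowledge, not from this page): the SCCP header is a
        # little-endian length, a reserved/version word and the message ID; the
        # length counts the message ID and the payload that follows it.
        if len(pkt) < 12:
            raise ValueError("truncated SCCP header")
        length, _reserved, msg_id = struct.unpack_from("<III", pkt, 0)
        if length + 8 > len(pkt):
            raise ValueError("SCCP length field exceeds packet")
        return msg_id

    def inspect(self, pkt: bytes) -> Tuple[str, Optional[str]]:
        """Returns (action, name of the matching rule); the first matching rule wins."""
        msg_id = self.parse_message_id(pkt)
        for rule in self.rules:
            if rule.match.matches(msg_id):
                if rule.log:
                    self.log_lines.append(
                        f"skinny message-id 0x{msg_id:04x} matched {rule.match.name}: {rule.action}")
                return rule.action, rule.match.name
        return "permit", None


def sccp(msg_id: int, payload: bytes = b"") -> bytes:
    """Build a constructed SCCP message for testing."""
    return struct.pack("<III", 4 + len(payload), 0, msg_id) + payload
```

Rule order matters because evaluation stops at the first match: a narrow Equal To rule that should win over a wider Range rule has to be inserted before it, which is what the Insert Before option in Step 8 is for.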
Related Topics
•
Configuring Traffic Policies, page 10-1
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
•
Configuring Rules and Actions for Policy Maps, page 10-35
Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization
Use this procedure to add rules and actions for Layer 7 HTTP optimization policy maps.
Assumptions
•
An HTTP optimization action list has been configured. See Configuring an HTTP Optimization
Action List, page 11-3 for more information.
•
A class map has been defined if you are not using the class-default class map. See Configuring
Virtual Context Class Maps, page 10-8 for more information.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2
In the Policy Maps table, select the Layer 7 HTTP optimization policy map you want to set rules and
actions for, then select the Rule tab. You can select multiple policy maps (hold down the Shift key while
selecting entries) and apply common rules and actions to them.
Step 3
In the Rule table, click Add to add a new rule, or select an existing rule, then Edit to modify it. The Rule
configuration screen appears.
Step 4
In the Type field, select the type of rule to be used:
•
Class Map—Indicates that the ACE appliance is to use an existing class map that identifies the rules
and corresponding actions.
•
Match Condition—Indicates that the ACE appliance is to use a set of conditions to identify the rules
and corresponding actions.
Step 5
For class maps, check the Use Class Default check box to use the class-default class map, or clear the
check box to use a previously created class map.
Step 6
If you clear the Use Class Default check box:
a.
In the Class Map Name field, select the class map to be used.
b.
In the Insert Before field, indicate whether this rule is to precede another rule in this policy map.
– N/A—Indicates that this option is not configured.
– False—Indicates that this rule is not to precede another rule in this policy map.
– True—Indicates that this rule is to precede another rule in this policy map.
c.
If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the
current rule to precede.
Step 7
For match conditions:
a.
In the Match Condition Name field, enter a name for the match condition for this rule. Valid entries
are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
b.
In the Match Condition Type field, select the type of match condition to use and configure
condition-specific options as described in Table 10-30.
Table 10-30
Layer 7 HTTP Optimization Match Condition Types
Match Condition Type
Procedure
Cookie
Indicates that an HTTP cookie is to be used to establish a match condition.
1.
In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings
with no spaces and a maximum of 64 alphanumeric characters.
2.
In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted
text strings with no spaces and a maximum of 255 alphanumeric characters.
3.
Check the Secondary check box to indicate that the ACE is to use either the cookie name or the
cookie value to satisfy this match condition. Clear this check box to indicate that the ACE is
to use both the cookie name and the cookie value to satisfy this match condition.
Header
Indicates that an HTTP header is to be used to establish a match condition.
1.
In the Header field, select one of the predefined HTTP headers to be matched, or select HTTP
Header to specify a different HTTP header.
2.
If you select HTTP Header, in the Header Name field, enter the name of the HTTP header to
match. Valid entries are unquoted text strings with no spaces and a maximum of 64
alphanumeric characters.
3.
In the Header Value (Bytes) field, enter the header value expression string to compare against
the value in the specified field in the HTTP header. Valid entries are text strings with a
maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions
for matching. To include spaces in the string, enclose the entire string in quotes. All headers
in the header map must be matched. See Table 10-31 for a list of the supported characters that
you can use in regular expressions.
HTTP URL
Indicates that a portion of an HTTP URL is to be used to establish a match condition.
1.
In the URL Expression field, enter a URL or a portion of a URL to match. Valid entries are
URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL
following www.hostname.domain. For example, in the URL
www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.
2.
In the Method Expression field, enter the HTTP method to match. Valid entries are method
names entered as unquoted text strings with no spaces and a maximum of 64 alphanumeric
characters. You can enter either one of the standard HTTP 1.1 method names (OPTIONS,
GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be
matched exactly (for example, CORVETTE).
Step 8
In the Insert Before field, specify whether this rule is to precede another rule in this policy map:
•
N/A—Indicates that this attribute is not set.
•
False—Indicates that this rule is not to precede another rule in the policy map.
•
True—Indicates that this rule is to precede another rule in the policy map.
If you set Insert Before to True, the Insert Before Policy Rule field appears. Select the rule that you want
the current rule to precede.
Step 9
Click:
•
Deploy Now to deploy this configuration on the ACE appliance. The Action table appears below the
Rule table. To define actions for this rule, continue with Step 10.
•
Cancel to exit this procedure without saving your entries and to return to the Rule table.
•
Next to save your entries and to configure another rule.
Note
If you selected the Insert Before option in Step 8 and specified True, perform the following steps
to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule.
When the screen refreshes, an empty action list appears.
Step 10
To add an action for this rule, click Add in the Action table, or select an existing action, then click Edit
to modify it. The Action configuration screen appears.
Step 11
In the Id field, either accept the automatically incremented entry or assign a unique identifier for this
action.
Step 12
In the Action Type field, select Action-list to indicate that an HTTP optimization action list is to be
employed when the match criteria are met.
Step 13
In the Action List field, select the HTTP optimization action list to apply to this policy map and rule.
If necessary, click Add to add a new HTTP optimization action list, or select an existing action list, then
click Edit to modify it.
Step 14
In the Optimization Parameter Map field, select the optimization parameter map to apply to this policy
map and rule.
Step 15
Click:
•
Deploy Now to deploy this configuration on the ACE appliance.
•
Cancel to exit this procedure without saving your entries and to return to the Action table.
•
Next to save your entries and to configure another action for this rule.
Related Topics
•
Configuring Traffic Policies, page 10-1
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
•
Configuring Rules and Actions for Policy Maps, page 10-35
Special Characters for Matching String Expressions
Table 10-31 identifies the special characters that can be used in matching string expressions. Use
parenthesized expressions for dynamic replacement using %1 and %2 in the replacement pattern.
Note
When matching data strings, note that the period (.) and question mark (?) characters do not have a literal
meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter
www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a
question mark (?).
Table 10-31
Special Characters for Matching String Expressions
Convention       Description
.                One of any character.
.*               Zero or more of any character.
\.               Period (escaped).
\xhh             Non-printable character.
[charset]        Match any single character from the range.
[^charset]       Do not match any character in the range. All other characters represent
                 themselves.
()               Expression grouping.
expr1 | expr2    OR of expressions.
(expr)*          0 or more of expression.
(expr)+          1 or more of expression.
\a               Alert (ASCII 7).
\b               Backspace (ASCII 8).
\f               Form-feed (ASCII 12).
\n               New line (ASCII 10).
\r               Carriage return (ASCII 13).
\t               Tab (ASCII 9).
\v               Vertical tab (ASCII 11).
\0               Null (ASCII 0).
\\               Backslash.
\x##             Any ASCII character as specified in two-digit hexadecimal notation.
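The matching rules of Table 10-30 (cookie, header and URL expressions) and the character conventions of Table 10-31 are easy to get wrong in the direction that weakens a policy, which is the point of the Note above about unescaped periods. The following Python program is an added example for this guide's readers, not Cisco code, that evaluates such expressions on constructed header, URL and cookie values. It assumes that an expression has to match the whole value it is compared against (so a partial match needs a leading or trailing .*), and it applies the one place where Table 10-31 and Python's regular expression syntax disagree: the backspace escape. The %1 and %2 replacement handling covers the dynamic-replacement sentence that introduces Table 10-31.

```python
import re


def ace_regex(expr: str) -> "re.Pattern":
    """Compile a matching expression written with the Table 10-31 conventions.
    They are Python re syntax with one exception: the table defines \\b as
    backspace (ASCII 8) while Python's re reads it as a word boundary, so an
    unescaped \\b is rewritten to \\x08 before compiling."""
    expr = re.sub(r"(?<!\\)\\b", r"\\x08", expr)
    return re.compile(expr, re.DOTALL)


def header_matches(header_expr: str, header_value: str) -> bool:
    """Header Value (Bytes) expression against one header value. A quoted
    expression (the way to include spaces) is unquoted first.
    ASSUMPTION: the expression must cover the whole value."""
    if len(header_expr) >= 2 and header_expr[0] == header_expr[-1] == '"':
        header_expr = header_expr[1:-1]
    return ace_regex(header_expr).fullmatch(header_value) is not None


def url_matches(url_expression: str, url: str) -> bool:
    """URL Expression against a request URL. Only the part after the host is
    compared, as Table 10-30 requires (www.anydomain.com/latest/whatsnew.html
    is matched on /latest/whatsnew.html)."""
    path = re.sub(r"^(?:https?://)?[^/]*", "", url) or "/"
    return ace_regex(url_expression).fullmatch(path) is not None


def cookie_matches(cookie_name: str, value_expr: str, cookie_header: str) -> bool:
    """Cookie Name is compared literally; Cookie Value is an expression."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie_name and ace_regex(value_expr).fullmatch(value):
            return True
    return False


def rewrite(expr: str, replacement: str, value: str) -> str:
    """Dynamic replacement: %1 and %2 in replacement refer to the parenthesised
    groups of expr. Returns value unchanged when expr does not match it."""
    m = ace_regex(expr).fullmatch(value)
    if not m:
        return value
    return m.expand(re.sub(r"%(\d)", r"\\\1", replacement))
```

The two assertions worth keeping in mind when writing a policy are the unescaped-dot pair: the expression www.xyz.com accepts the host wwwXxyzXcom, while www[.]xyz[.]com and www\.xyz\.com do not, so a match meant to single out one host should always use one of the escaped forms.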
Related Topics
•
Configuring Traffic Policies, page 10-1
•
Configuring Virtual Context Class Maps, page 10-8
•
Configuring Virtual Context Policy Maps, page 10-33
•
Configuring Real Servers, page 4-4
•
Configuring Server Farms, page 4-11
•
Configuring Sticky Groups, page 5-7
Configuring Actions Lists
An action list is a named group of actions that you associate with a Layer 7 policy map. The ACE
supports the following types of action lists:
•
An HTTP optimization action list groups a series of individual application acceleration and
optimization operations that you want the ACE to perform. The HTTP optimization action list is
associated with a Layer 7 HTTP optimization policy map (see the “Setting Policy Map Rules and
Actions for Layer 7 HTTP Optimization” section on page 10-76).
•
An HTTP header modify action list performs the following operations:
– Groups a series of individual functions to insert, rewrite, or delete HTTP headers.
– Configures the SSL URL rewrite function.
– Inserts SSL session parameters, client certificate fields, and server certificate fields into the
HTTP requests that the ACE receives over the connection.
The HTTP header action list is associated with a Layer 7 server load-balancing policy map (see the
“Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic” section on
page 10-43).
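The following Python program is an added example for readers of this guide, not Cisco code, showing how an ordered list of insert, rewrite and delete header operations of the kind described above behaves when applied to a request and a response, including the client-identification case in which the ACE has translated the client's source address and inserts a header carrying the original one. The header name X-Client-IP, the sample messages and the delete-before-insert pairing are the example's own choices; the pairing is a practitioner's precaution (a client could otherwise send its own copy of the header and have the servers trust it), not a description of ACE behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]


@dataclass(frozen=True)
class HeaderAction:
    operator: str                      # "insert", "delete" or "rewrite"
    direction: str                     # "request", "response" or "both"
    name: str                          # header the action applies to
    value: Optional[str] = None        # insert: value to add
    expr: Optional[str] = None         # rewrite: expression the old value must match
    replacement: Optional[str] = None  # rewrite: new value, may use %1, %2


def parse_http(message: str) -> Tuple[str, Headers, str]:
    """Split a request or response into start line, header list and body."""
    head, _, body = message.partition("\r\n\r\n")
    start_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return start_line, headers, body


def serialize_http(start_line: str, headers: Headers, body: str) -> str:
    return start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def apply_action_list(actions: List[HeaderAction], message: str, direction: str) -> str:
    """Run the action list, in order, over one request or response."""
    start_line, headers, body = parse_http(message)
    for act in actions:
        if act.direction not in (direction, "both"):
            continue
        if act.operator == "delete":
            headers = [(n, v) for n, v in headers if n.lower() != act.name.lower()]
        elif act.operator == "insert":
            headers.append((act.name, act.value))
        elif act.operator == "rewrite":
            pattern = re.compile(act.expr, re.DOTALL)
            template = re.sub(r"%(\d)", r"\\\1", act.replacement)  # %1 -> \1
            rewritten = []
            for n, v in headers:
                m = pattern.fullmatch(v) if n.lower() == act.name.lower() else None
                rewritten.append((n, m.expand(template) if m else v))
            headers = rewritten
        else:
            raise ValueError(f"unknown operator {act.operator}")
    return serialize_http(start_line, headers, body)


def client_identification_actions(header_name: str, client_ip: str) -> List[HeaderAction]:
    """NAT case: remove any copy of the header the client sent, then insert the
    pre-NAT source address so the servers see one trustworthy value.
    header_name is a placeholder chosen for this example."""
    return [HeaderAction("delete", "request", header_name),
            HeaderAction("insert", "request", header_name, value=client_ip)]
```

Actions are applied in list order, so a delete placed before an insert of the same header name guarantees that exactly one copy, the one the load balancer wrote, reaches the server farm.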
Table 10-32 lists the action lists that you can configure using the ACE.
Table 10-32
Action Lists
Action List
Topic
Optimization Action List
Configuring an HTTP Optimization Action List, page 11-3
HTTP Header Modify Action List
Configuring an HTTP Header Modify Action List,
page 10-80
Configuring an HTTP Header Modify Action List
An HTTP header modify action list groups a series of individual functions to insert, rewrite, or delete
HTTP headers. It can also be used to configure the SSL URL rewrite function.
This procedure includes the following topics:
•
Configuring HTTP Header Insertion, Deletion, and Rewrite, page 10-81
•
Configuring SSL URL Rewrite, page 10-83
•
Configuring SSL Header Insertion, page 10-85
Configuring HTTP Header Insertion, Deletion, and Rewrite
Use this procedure to configure an HTTP header modify action list that inserts, rewrites, or deletes HTTP
headers.
Procedure
Step 1
Select Config > Virtual Contexts > context > Expert > Action Lists > HTTP Header Modify Action
Lists. The HTTP Header Modify Action List table appears.
Step 2
Click Add to add a new HTTP header modify action list, or select an existing action list, then click Edit
to modify it.
Step 3
For a new action list, in the Action List Name field, enter a unique name for the HTTP header modify
action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.
Step 4
Select the Header Action tab. The Header Action table appears.
Step 5
Click Add to add a new entry to the Header Action table. The Header Action configuration screen
appears. Enter the required information as shown in Table 10-33.
Table 10-33
Header Action Configuration Screen Fields
Header Action Field
Description / Action
Operator
Select the HTTP header modify action the ACE appliance is to take in an HTTP request from a client,
a response from a server, or both:
•
Delete—Deletes an HTTP header in a request from a client, in a response from a server, or both.
•
Insert—Insert a header name and value in an HTTP request from a client, a response from a server,
or both. When the ACE uses Network Address Translation (NAT) to translate the source IP address
of a client to a VIP, servers need a way to identify that client for the TCP and IP return traffic. To
identify a client whose source IP address has been translated using NAT, you can instruct the ACE
to insert a generic header and string value of your choice in the client HTTP request.
•
Rewrite—Rewrite an HTTP header in request packets from a client, response packets from a
server, or both.